After an entire day of what seemed like good news following the announcement of a KTRR bypass, new information shared on Mastodon by security researcher Hector Martin appears to have even Dopamine developer Lars Fröder second-guessing its usefulness for jailbreaking.
The findings discussed at the 37c3 conference on Wednesday are still so fresh that much of what we know is developing information, and the picture is likely to change rapidly as other security researchers share their insights, which appears to be happening here.
According to Martin’s lengthy thread on Mastodon, the “hash” that the Kaspersky team thought they were seeing is more likely an ECC (error-correcting code) value than a hash.
Martin believes the register in question is a cache RAM debug register, so the writes could be landing in the cache rather than in actual kernel memory. In a post shared to X (formerly Twitter) concerning these findings, Fröder acknowledges that the so-called “KTRR bypass” may be unusable for jailbreaking for this reason.
Kaspersky security researcher Boris Larin entered the chat on Mastodon as well, responding to Martin’s findings with “Thanks a lot for your comment, I believe you are right.”
Larin and Martin exchanged a few comments with one another, and it seems Larin intends to update Kaspersky’s research with Martin’s new information soon.
But despite what seems like a big letdown in the initial commentary, Martin does leave us with something positive. “This whole thing is a PPL bypass,” he said. “As long as PPL doesn’t let you map the problem MMIO ranges you’re good.”
This underscores the fact that we now have a PPL bypass that works on iOS & iPadOS 16.5.1 and lower, which could be beneficial for jailbreaking. Where it gets stickier is with newer iOS & iPadOS firmware.
As for newer firmware, Martin continues: “The question is, how many more of these fun bypasses are left undiscovered? The GPU is a *huge* amount of hardware and firmware.”
A good question indeed… and if discovered, could any of them benefit our community?
As of now, the already challenging situation has just become even muddier. It remains to be seen whether any components of the attack chain discussed at 37c3 will contribute to a jailbreak, as most experts are still keeping quiet or simply haven’t had the chance to review the information and comment on it yet.
It will indeed be interesting to see what happens now. For the most part, we’ll need to wait for an official writeup before anyone can attempt going hands-on with it to confirm its usefulness for certain.
As always, your friends at iDB will continue to monitor the situation and report as any new information becomes available.