
Remotely dump memory with no interaction on iPhone 11 Pro (fixed in iOS 13.3.1) - notRobot
https://bugs.chromium.org/p/project-zero/issues/detail?id=1982
======
saagarjha
> The physical memory dumping is abusing the fact that on iOS the physmap
> region, which provides direct virtual mappings of large parts of device
> physical memory, is larger than the random ASLR shift which is applied to it.
> It's almost 4GB in size, but its virtual address only varies by around 1GB,
> leading to kernel virtual addresses which are always mapped and which
> provide a window into device physical memory.

Not the first time Apple has messed up ASLR because the thing that they’re
sliding has gotten too large…
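The sizing argument in the quoted report can be checked with a few lines of arithmetic. The following is an added example, not code from the Project Zero report, Apple, or any commenter; the base address, region size, slide range, and 16 KiB granule are illustrative assumptions chosen to match the rough "almost 4GB" and "around 1GB" figures in the quote, and are not the real iOS constants.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All constants below are assumptions for illustration, not real kernel values. */
#define GiB (1ULL << 30)
#define MiB (1ULL << 20)
#define PAGE_GRANULE (16ULL << 10)            /* assumed slide granularity: 16 KiB */
#define PHYSMAP_BASE 0xfffffff000000000ULL    /* hypothetical unslid physmap base */
#define PHYSMAP_SIZE (4 * GiB)                /* "almost 4GB" */
#define PHYSMAP_MAX_SLIDE (1 * GiB)           /* "varies by around 1GB" */

/* Half-open virtual range [start, end); both zero when the range is empty. */
struct va_window {
    uint64_t start;
    uint64_t end;
};

/*
 * Virtual range that is inside the region for every slide in [0, max_slide].
 * The region slides up from `base`, so the highest possible start is
 * base + max_slide and the lowest possible end is base + size. If the slide
 * range is at least the region size, no address is guaranteed to be mapped.
 */
static struct va_window always_mapped(uint64_t base, uint64_t size, uint64_t max_slide)
{
    struct va_window w;
    w.start = base + max_slide;
    w.end = base + size;
    if (w.start >= w.end) {
        w.start = 0;
        w.end = 0;
    }
    return w;
}

/* Brute-force confirmation of always_mapped(): walk every slide value at the
 * assumed granularity and check that `va` falls inside the slid region. */
static bool mapped_for_every_slide(uint64_t va, uint64_t base, uint64_t size,
                                   uint64_t max_slide, uint64_t granule)
{
    for (uint64_t s = 0; s <= max_slide; s += granule) {
        uint64_t lo = base + s;
        uint64_t hi = base + s + size;
        if (va < lo || va >= hi)
            return false;
    }
    return true;
}

/* Physical address that an always-mapped VA refers to under a given slide.
 * The attacker does not know the slide, but every value still lands in
 * physical memory, which is why a fixed VA is enough to read "somewhere". */
static uint64_t physmap_va_to_pa(uint64_t va, uint64_t base, uint64_t slide,
                                 uint64_t phys_base)
{
    return phys_base + (va - (base + slide));
}

int main(void)
{
    struct va_window w = always_mapped(PHYSMAP_BASE, PHYSMAP_SIZE, PHYSMAP_MAX_SLIDE);
    printf("always mapped: [0x%llx, 0x%llx), %llu MiB of a %llu MiB region\n",
           (unsigned long long)w.start, (unsigned long long)w.end,
           (unsigned long long)((w.end - w.start) / MiB),
           (unsigned long long)(PHYSMAP_SIZE / MiB));

    /* Counter-example: a region smaller than its slide range has no fixed window. */
    struct va_window none = always_mapped(PHYSMAP_BASE, 512 * MiB, PHYSMAP_MAX_SLIDE);
    printf("512 MiB region with 1 GiB slide: window empty = %s\n",
           (none.start == 0 && none.end == 0) ? "yes" : "no");
    return 0;
}
```

With the assumed numbers, three quarters of the region is reachable at a fixed address no matter which slide the boot picked; the fix space is either to slide by at least the region size or to randomise what the fixed window maps, not just where the region starts.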

------
kristopher
This also affected MacBooks and was fixed in macOS 10.15.3

iOS: [https://support.apple.com/en-us/HT210918](https://support.apple.com/en-us/HT210918)
macOS: [https://support.apple.com/en-us/HT210919](https://support.apple.com/en-us/HT210919)

------
koolba
Does this work if AirDrop is disabled but Bluetooth is on?

How about if just AirDrop is off?

------
DangerousPie
Maybe it would be good to change the title to say `(fixed in iOS 13.3.1)`
instead of `(iOS 13.3)`, to make it clear that this is not a zero day.

~~~
notRobot
HN title character limit didn't allow me to.

~~~
dang
I've squeezed it in there now at the cost of a little ungrammaticalness.

(Submitted title was "PoC remotely dump memory with no user interaction on
iPhone 11 Pro (iOS 13.3)".)

~~~
sixstringtheory
I still see only 13.3, not 13.3.1... could do this:

> Remotely dump memory w/o user interaction on iPhone 11 Pro (fixed iOS
> 13.3.1)

~~~
dang
Thanks, I missed that. I've moved things around a bit.

