I came to this post anticipating a nostalgic trip about some ancient DRM and a stupidly simple way to break it.
Got confused when it was about Apple phone OS.
It was weird to see people from the jailbreak scene (easily recognisable because they all have names l1ke th1s) in such an exploit... turns out SecureROM is also something from iPhone
Is that the same Cellebrite?
While we're here, is there anything I can use to remove the alphanumeric passcode from an iPad 4 (A6X chipset, no Secure Enclave) that I've forgotten the password to?
Out of these retries, at least 1/N correct passcode attempts are needed, so such tools are close to useless if your care about retrieving your data with factory wipe enabled.
Also DFU is not the world's best protocol, I am surprised Apple didn't just roll their own. It isn't exactly hard to replace DFU with something simpler that gets the job done.
This same heuristic can be applied all across the HN front page with good results.
I was part of a team that rolled our own firmware update mechanism at Microsoft . (I didn't work on the replacement myself, the engineer sitting next to me did.)
And deeply embedded USB stacks w/o a heap aren't exactly uncommon, considering malloc is forbidden in a large % of firmware.
Nothing to do with idiot engineers or the task being hard. They could be idiots _and_ the task easy. Some things just don't need to be done.
As has been well documented, while Apple the organization may have practically unlimited resources, specific teams within Apple do not, so a lot of stuff is sort of "if it ain't broke" mode until the CADT model kicks in and they do a total rewrite and close all the old bugs.
One slide says for some roms:
No crash is triggered whatsoever as the ROM is deterministic enough that the buffer is reallocated in the same place every time upon USB stack initialization.
We aren't looking at the code, but "deterministic reallocation" or just static storage class? Seems like dynamic memory allocation was introduced recently into this rom. And why is a good question.