From: Joseph Goydish II via Fulldisclosure <fulldisclosure () seclists org>
Date: Fri, 05 Sep 2025 03:57:27 +0000
TITLE:
APPLE'S A17 PRO SILICON FLAW: SHARED I²C4 BUS BETWEEN SECURE ENCLAVE AND DIGITIZER CAUSES CASCADING SYSTEM FAILURE
SUMMARY:
This report discloses a CRITICAL HARDWARE FLAW in Apple’s A17 Pro chip (D84AP), affecting retail iPhone 15 Pro Max
devices. The flaw results from a SHARED I²C4 BUS used by TWO CRITICAL SUBSYSTEMS:
- THE SECURE ENCLAVE PROCESSOR (SPU) – responsible for cryptographic operations and secure boot
- THE DIGITIZER CONTROLLER – responsible for all touchscreen input
When electrical instability or degradation affects the I²C4 line, BOTH SUBSYSTEMS FAIL SIMULTANEOUSLY during early
boot. The result is a device that cannot securely initialize and becomes unresponsive to touch input.
THIS ISSUE HAS BEEN OBSERVED IN THE WILD on production hardware under standard usage conditions.
THE VENDOR (APPLE) HAS BEEN NOTIFIED, BUT HAS NOT RESPONDED AS OF THE TIME OF THIS DISCLOSURE.
PROOF OF OBSERVATION:
- VIDEO EVIDENCE: https://ia600206.us.archive.org/1/items/a-17-flaw-log-evidence/A17%20Flaw%20Log%20evidence%20.mov
- FULL DISCLOSURE DETAILS & ARTIFACTS: https://github.com/JGoyd/Apple-Silicon-A17-Flaw
SERIAL LOG OUTPUT DURING FAILURE:
AppleSPU::_handleReadyReport, serviceName (arc-eeprom-i2c)
Couldn't alloc class "AppleSPULogDriver"
IOHIDEventDriver: Invalid digitizer transducer
Read in order: a ready report from the SPU's EEPROM-over-I²C service, a failed allocation of the SPU log driver class, and
an IOHID digitizer error. One check for readers comparing these lines against their own captures: in Apple's kernel
naming the Secure Enclave is driven by AppleSEPManager, while the AppleSPU driver family belongs to the sensor
coprocessor, so which processor the first two lines implicate should be confirmed from the surrounding log context.
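As an added example (not code or data from this report), the following Python checker scans a captured serial log for the three lines above and flags only captures in which an SPU-side and a digitizer-side indicator land within a short time window, which is the co-failure pattern the report describes. The indicator strings are the lines quoted above; the "[seconds]" timestamp prefix, the indicator key names, and both sample logs are assumptions constructed for the example.

```python
"""Correlate early-boot serial log lines for co-occurring SPU and digitizer errors.

Added example, not code or data from the advisory. The three indicator strings
are the lines quoted in the advisory; the "[seconds]" timestamp prefix and the
sample logs are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Indicator strings quoted in the advisory, keyed by the subsystem they implicate.
# They are matched as escaped literals, so regex metacharacters in them are safe.
INDICATORS = {
    "spu_eeprom_ready": "AppleSPU::_handleReadyReport, serviceName (arc-eeprom-i2c)",
    "spu_logdriver_alloc_failed": 'Couldn\'t alloc class "AppleSPULogDriver"',
    "digitizer_invalid_transducer": "IOHIDEventDriver: Invalid digitizer transducer",
}
_PATTERNS = {key: re.compile(re.escape(text)) for key, text in INDICATORS.items()}

# Assumed timestamp prefix: "[<seconds since boot>] <message>".
_TS_RE = re.compile(r"^\[(\d+(?:\.\d+)?)\]\s*(.*)$")


@dataclass(frozen=True)
class Hit:
    ts: float
    key: str
    message: str


def parse_serial_log(lines):
    """Return one Hit per timestamped log line that contains an indicator string."""
    hits = []
    for raw in lines:
        m = _TS_RE.match(raw.rstrip())
        if not m:
            continue  # untimestamped or malformed line: it cannot be placed in time
        ts, message = float(m.group(1)), m.group(2)
        for key, pattern in _PATTERNS.items():
            if pattern.search(message):
                hits.append(Hit(ts, key, message))
    return hits


def find_co_failures(hits, window_s=2.0):
    """Group hits into clusters no wider than window_s seconds, starting a new
    cluster at the first hit outside the current one, and keep the clusters that
    contain both an SPU-side and a digitizer-side indicator.

    Each finding is {"start": ts, "end": ts, "indicators": [sorted keys]}.
    Co-occurrence in the log shows correlated failure, not its electrical cause.
    """
    ordered = sorted(hits, key=lambda h: h.ts)
    findings = []
    i = 0
    while i < len(ordered):
        cluster = [ordered[i]]
        j = i + 1
        while j < len(ordered) and ordered[j].ts - cluster[0].ts <= window_s:
            cluster.append(ordered[j])
            j += 1
        keys = {h.key for h in cluster}
        spu_side = any(k.startswith("spu_") for k in keys)
        digitizer_side = any(k.startswith("digitizer_") for k in keys)
        if spu_side and digitizer_side:
            findings.append({"start": cluster[0].ts, "end": cluster[-1].ts,
                             "indicators": sorted(keys)})
        i = j
    return findings


def analyze(lines, window_s=2.0):
    """Parse a serial log and return the co-failure findings it contains."""
    return find_co_failures(parse_serial_log(lines), window_s)


# Constructed sample: the three advisory lines within about 0.1 s, then a filler line.
SAMPLE_LOG = """\
[1.204113] AppleSPU::_handleReadyReport, serviceName (arc-eeprom-i2c)
[1.204980] Couldn't alloc class "AppleSPULogDriver"
[1.310442] IOHIDEventDriver: Invalid digitizer transducer
[4.900000] constructed filler line: boot continues, no indicator here
""".splitlines()

# Constructed negative control: the digitizer error arrives well outside the window.
SAMPLE_LOG_SEPARATED = """\
[1.204113] AppleSPU::_handleReadyReport, serviceName (arc-eeprom-i2c)
[1.204980] Couldn't alloc class "AppleSPULogDriver"
[9.000000] IOHIDEventDriver: Invalid digitizer transducer
""".splitlines()

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"co-failure {finding['start']:.6f}s..{finding['end']:.6f}s: "
              + ", ".join(finding["indicators"]))
    print("separated sample:", analyze(SAMPLE_LOG_SEPARATED))
```

The window is the only tunable: widen it when the capture has a coarse clock, and treat a finding as a reason to pull the full capture and bus-level measurements, since the log alone cannot distinguish an electrical fault on the bus from a driver ordering problem.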
TECHNICAL ROOT CAUSE:
The A17 Pro System-on-Chip connects BOTH the Secure Enclave and the Digitizer Controller to the SAME I²C4 BUS. This
creates a SHARED FAILURE DOMAIN.
If the bus becomes electrically unstable (due to power events, signal interference, or physical degradation), both
components fail to initialize:
- THE SPU REMAINS LOCKED IN SECUREROM, breaking Face ID, secure keybag access, and device encryption
- THE DIGITIZER CONTROLLER RETURNS INVALID DATA, disabling all touch input
There is NO FAULT ISOLATION, NO REDUNDANCY, and NO FAILSAFE PATH in the early boot chain to mitigate this design flaw.
This is a SILICON-LEVEL VULNERABILITY. It is NOT caused by firmware, and CANNOT be fixed through software updates.
IMPACT:
- SECURITY: Secure Enclave fails; all cryptographic functions are temporarily lost
- USABILITY: Touchscreen becomes non-functional; user input is lost
- FORENSICS: Early boot logs are PRUNED by Apple’s logging system ("rose"), ERASING evidence of the failure before
diagnostic capture
- VALIDATION: The flaw was CONFIRMED ON A NON-TAMPERED RETAIL DEVICE using standard teardown and analysis tools
RECOMMENDATIONS:
HARDWARE CHANGES:
- ISOLATE critical subsystems like the SPU and digitizer onto SEPARATE COMMUNICATION BUSES
- ADD REDUNDANT EEPROM ACCESS PATHS to ensure SPU can recover independently
- IMPLEMENT EARLY BUS HEALTH CHECKS AND FAULT HANDLING within SecureROM
DIAGNOSTIC IMPROVEMENTS:
- DELAY LOG ROTATION during early boot stages to preserve crash evidence
- SURFACE I²C HEALTH DATA to sysdiagnose and developer-accessible logs
CONCLUSION:
This is a HIGH-SEVERITY HARDWARE DESIGN FLAW present in Apple's A17 Pro chip architecture. A shared I²C4 bus introduces
a SINGLE POINT OF FAILURE across two critical systems — the Secure Enclave and touchscreen input — leading to
simultaneous failure under realistic, observable conditions.
THE FLAW IS:
- CONFIRMED IN THE WILD
- INHERENT TO THE PHYSICAL CHIP LAYOUT
- AFFECTING SHIPPING iPHONE 15 PRO MAX UNITS
APPLE HAS BEEN PRIVATELY NOTIFIED BUT HAS NOT YET RESPONDED.
This public disclosure is made in the interest of transparency, user safety, and secure hardware design practices.
- Joseph Goydish II
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/