Physical Read/Write (physrw)
physrw = reading/writing directly to physical memory addresses. This is the most powerful primitive β it bypasses all virtual memory protections, kernel permission checks, and (on older iOS) even PPL.
Why physrw Is the Most Powerful
Virtual R/W (kread/kwrite):
β Read/write kernel virtual addresses
β Limited by page table permissions
β Cannot modify PPL-protected pages
β Cannot modify page tables directly
Physical R/W (physrw):
β Read/write ANY physical address
β Bypass page table permissions
β Can modify page tables β change mappings
β Can map MMIO registers β access hardware
β Pre-SPTM: can modify PPL-protected pages
How to Achieve physrw
Via Physical Use-After-Free (PUAF)
Step 1: Trigger PUAF
- Exploit a VM bug β physical page P freed but still mapped into the process
- Process still has virtual mapping VA β PA_P
Step 2: Controlled reallocation
- Kernel reallocates PA_P for another purpose
- If PA_P becomes an L3 page table:
βββ Process reading/writing VA = reading/writing page table entries!
Step 3: Page table manipulation
- Write new PTEs pointing to arbitrary physical addresses
- Access via new virtual mappings β physrw!
VA_exploit βββ PA_P (now L3 page table)
β
βββ Modify PTE[0] β PA_target
β
βββ Access VA_new β PA_target (arbitrary physical access)
PUAF Methods (from kfd)
| Method | Mechanism | iOS versions |
|---|---|---|
physpuppet |
Exploit physical page lifecycle bug | iOS 14-15 |
smith |
Exploit VM copy-on-write bug | iOS 14-16 |
landa |
Exploit VM subsystem race | iOS 15-16 |
Via Kernel Virtual R/W + Page Table Walk
If you have kread/kwrite (but not physrw):
1. kread the TTBR1_EL1 value (or a known kernel symbol)
2. Walk L1 β L2 β L3 page tables using kread
3. Modify L3 PTE using kwrite β add a new mapping
4. Access the new mapping β physrw
But PPL/SPTM prevents modifying page tables via kwrite:
- PPL: page table pages are in a PPL-protected region
- SPTM: page table modifications must go through SPTM (EL2)
β Need a PPL/SPTM bypass first
Detailed physrw Workflow
Step 1: Identify Physical Memory Layout
Use physrw to read:
- iBoot parameters β physical memory ranges
- Device tree β hardware layout
- Kernel static region β kernel code/data physical addresses
Step 2: Map All Interesting Regions
Create PTE entries for:
- Entire DRAM β full physical memory access
- MMIO registers β hardware control
- Kernel page tables β modify any mapping
Step 3: From physrw to Full Control
physrw + page table control:
βββ Modify kernel code protection β write to __TEXT
β (blocked by KTRR/CTRR on modern devices)
βββ Modify kernel data β same as kwrite but unconstrained
βββ Access hardware registers β direct hardware control
βββ Modify TrustCache β code signing bypass
SPTM Impact (iOS 17+)
Pre-SPTM (iOS β€16):
PUAF β physrw β modify page tables β full control
β Works on all devices
Post-SPTM (iOS 17+, A15+):
PUAF still possible but:
β User pages CANNOT become kernel pages (until reboot)
β Page table modifications MUST go through SPTM (EL2)
β SPTM tracks page types β prevents type changes
β PUAF only useful for userβuser attacks (less powerful)
β Need an SPTM vulnerability for full physrw
Resources
- kfd Project β PUAF implementations
- Alfie CG β Trigon β deterministic physrw
- Project Zero β The Core of Apple is PPL β page table attacks