Xinzhiyuan Report Editor: Run Haoshan [New Zhiyuan Introduction] The iPhone has exposed the "most complex" hardware-level vulnerability in history! Hackers can obtain all sensitive data with just one iMessage without the user noticing. The chain involved in the entire vulnerabili

2023-12-29 17:36:04 entertainment 1902℃

New Zhiyuan Report

Editor ：run so sleepy

[New Zhiyuan Introduction] iphone exposed the "most complex" hardware-level vulnerability in history! Hackers can obtain all sensitive data with just one iMessage, and users will not notice anything. The chain involved in the entire vulnerability was extremely complex, and Karpathy exclaimed: It is not something ordinary people can do.

Recently, Kaspersky researchers discovered that hackers left a very hidden backdoor in thousands of iPhones over four years.

can directly obtain the highest level of root permissions on iPhone through this hardware-level backdoor. To successfully exploit this backdoor, one must have a very comprehensive and detailed understanding of the underlying mechanisms of Apple products.

so much so that the Kaspersky researcher who discovered this vulnerability said, "It is impossible to imagine how this vulnerability was accidentally discovered." In his opinion, it is almost impossible for anyone other than Apple and ARM to know about this vulnerability.

Spyware can use this sophisticated vulnerability to transmit microphone recordings, photos, geolocation and other sensitive data to an attacker-controlled server.

Although a reboot closes the vulnerability, an attacker can reopen the vulnerability simply by sending new malicious iMessage text to the device after it reboots. During

, no user operation is required at all, and no clues will be left, making it very hidden.

In this regard, OpenAI scientist Andrej Karpathy said: This is undoubtedly the most complex attack chain we have seen so far.

Xinzhiyuan Report Editor: Run Haoshan [New Zhiyuan Introduction] The iPhone has exposed the 'most complex' hardware-level vulnerability in history! Hackers can obtain all sensitive data with just one iMessage without the user noticing. The chain involved in the entire vulnerabili - Lujuba

In this regard, Karpathy believes that this is no longer the scope of individual behavior, but should be a national level behavior.

A netizen who claimed that he still uses a Palm phone replied: "This is the reason why I insist on using a Palm phone."

Some netizens even lamented: "If you successfully annoy someone with such technical capabilities and resources, People, maybe the last thing you need to worry about is the data in your phone."

Currently, Apple has fixed this core security vulnerability on October 25, 2023.

"Operation Triangulation" attack chain

The researcher who discovered this vulnerability called it "operation triangulation".

- An attacker sends a malicious attachment via iMessage, and the application opens this vulnerability without the user noticing.

- This attachment exploits a remote code execution vulnerability (cve-2023-41990) in an undisclosed adjust truetype font command known only to Apple. This directive has been around since the early nineties and was removed in a recent update.

- During the attack, it used an advanced programming technique called "return/jump-oriented programming" and used multiple stages of code written in the nsexpression/nspredicate query language that modified javascriptcore library environment to execute a privilege escalation exploit written in JavaScript.

- This JavaScript exploit has been specially processed to make it almost unreadable, while also minimizing its size. However, it still contains approximately 11,000 lines of code. These codes are mainly used to analyze and manipulate javascriptcore and kernel memory.

- It also takes advantage of a debugging function dollarvm ($vm) of javascriptcore. Through this function, the attacker can manipulate the memory of javascriptcore in the script and call the system's native api function.

- This attack tool is designed to be compatible with both old and new iPhone models, and for newer devices, it includes a technique for bypassing the Pointer Authentication Code (PAC), which allows the attack to be effective against the latest devices.

- It achieves user-level read and write control of all physical memory of the device by exploiting an integer overflow vulnerability (cve-2023-32434) in the xnu memory mapping system calls (mach_make_memory_entry and vm_map).

- This tool also uses hardware memory mapped I/O (MMIO) registers to circumvent the Page Protection Layer (PPL), an issue that has been mitigated in CVE-2023-38606.

- After all vulnerabilities are exploited, the JavaScript vulnerability can be used to control the device at will, including deploying spyware. However, the attacker chose to: (a) start the imagent process and inject code to remove traces of exploitation; (b) run the safari process in incognito mode and guide to the web page containing the next stage of content.

- This webpage has a script embedded in it that can confirm the identity of the victim. Once the verification is passed, the next stage of the attack code will be loaded: the Safari vulnerability.

- safari vulnerability executes shellcode through cve-2023-32435.

- This shellcode further executes another kernel-level vulnerability, also exploiting CVE-2023-32434 and CVE-2023-38606. It's huge in size and functionality, but very different from kernel exploits written in JavaScript. All they share is part of the code related to the above exploits. However, much of its code is also focused on parsing and manipulating kernel memory.

- This vulnerability ultimately gains root privileges and proceeds to other stages, allowing spyware to be loaded.

Xinzhiyuan Report Editor: Run Haoshan [New Zhiyuan Introduction] The iPhone has exposed the 'most complex' hardware-level vulnerability in history! Hackers can obtain all sensitive data with just one iMessage without the user noticing. The chain involved in the entire vulnerabili - Lujuba

The mysterious vulnerability

The focus of discussion is a security vulnerability that has been fixed, numbered cve-2023-38606.

The new generation of iPhone has added additional security protection measures at the hardware level, specifically designed to protect sensitive areas in the kernel memory.

Even if an attacker is able to read and write kernel memory, such as this attack using the CVE-2023-32434 vulnerability, this protection prevents them from taking full control of the device.

Researchers found that in order to circumvent this hardware protection, attackers took advantage of another hardware feature in Apple's own designed SoC.

To put it simply, the attacker's method is as follows: while bypassing the hardware protection, they write the data, target address and hash value of the data to some unknown hardware registers in the chip that are not used by the firmware. , to write data to a specific physical address.

Researchers speculate that this unknown hardware feature is likely designed for debugging or testing by Apple engineers or factories, or was included accidentally. Because the firmware does not use this feature, researchers have no idea how attackers know and exploit this feature.

Xinzhiyuan Report Editor: Run Haoshan [New Zhiyuan Introduction] The iPhone has exposed the 'most complex' hardware-level vulnerability in history! Hackers can obtain all sensitive data with just one iMessage without the user noticing. The chain involved in the entire vulnerabili - Lujuba

Technical details

In a system on a chip, soc, various peripherals may provide special hardware registers for use by the central processing unit (CPU) to control these peripherals.

To achieve this, these hardware registers are mapped into memory that the CPU can access. This method is called "memory-mapped I/O (mmio)".

In Apple products, such as iPhone, Mac and other devices, the mmio address range of peripheral devices is stored in a special file format called "devicetree".

These device tree files can be extracted from the firmware and their contents can be viewed using the dt (devicetree) tool.

mmio storage example in the device tree

For example, in this screenshot, you can see the starting address (0x210f00000) and size (0x50000) of the acc-impl mmio range of cpu0.

While delving into the vulnerabilities used in the "operation triangulation" attack, researchers unexpectedly discovered that most of the mmio addresses used by attackers to bypass hardware-level kernel memory protection were not defined in the device tree. The vulnerability

specifically targets Apple SOCs from A12 to A16, attacking the mysterious mmio register block located at 0x206040000, 0x206140000 and 0x206150000.

This inspired the researchers’ curiosity and made a series of attempts. I searched through the device tree files and firmware files of various devices, but couldn't find any clues.

This puzzles researchers. Why are these mmio addresses used by attackers not used in the firmware? How did the attacker discover these addresses? Which peripheral devices do these mmio addresses belong to?

Afterwards the researchers decided to see if there were other known mmio addresses near these unknown mmio blocks. This time, he finally found some valuable information.

is in the information of the device tree entry of gfx-asc, which is the coprocessor of the gpu. Data dump of gfx-asc entry in

device tree

It contains two mmio (memory-mapped I/O) memory mapped ranges: 0x206400000–0x20646c000 and 0x206050000–0x206050008.

gfx-asc Correlation between mmio range and address used by the vulnerability

To be more precise, this vulnerability uses the following unknown addresses: 0x206040000, 0x206140008, 0x206140108, 0x206150020, 0x206150040 and 0x20 6150048.

researchers found that most of these addresses are located in the middle of the two gfx-asc memory regions, while the remaining one is near the start of the first gfx-asc region.

This implies that all these memory mapped input output (mmio) registers are most likely co-processors belonging to the graphics processing unit (gpu)!

The researchers then conducted a deeper analysis of the vulnerability and discovered further evidence.

During the initialization process, the vulnerability first writes to some memory mapped input and output (mmio) registers located at specific addresses of each SoC.

if (cpuid == 0x8765edea): # cpufamily_arm_everest_sawtooth (a16)base = 0x23b700408command = 0x1f0023ff
elif (cpuid == 0xda33d83d): # cpufamily_arm_avalanche_blizzard (a15)base = 0x23b7003c8command = 0x1f0023ff
elif (c puid == 0x1b588bb3): # cpufamily_arm_firestorm_icestorm (a14)base = 0x23b7003d0command = 0x1f0023ff
elif (cpuid == 0x462504d2): # cpufamily_arm_lightning_thunder (a13)base = 0x23b080390command = 0x1f0003ff 
elif (cpuid == 0x07d34b9f): # cpufamily_arm_vortex_tempest (a12)base = 0x23b080388command = 0x1f0003ff
if ((~read_dword(base) 0xf) != 0): write_dword(base, command)while(true):if ((~read_dword(base) 0xf) == 0):break

pseudocode of the gfx power manager control code in the vulnerability

Assistance in the device tree and the tool pmgr developed by siguza Next, the researchers found that all these addresses correspond to the mmio (memory-mapped input/output) range where the gfx register in the power manager is located.

Finally, a third confirmation came when the researchers tried to access the registers in these unknown areas.The coprocessor of

gpu reported an error almost immediately, displaying the message: "gfx serror exception class=0x2f (serror interrupt), il=1, iss=0 – power(1)".

In this way, the researchers confirmed that all these unknown mmio registers, which were used for exploits, indeed belong to the GPU's co-processor.

This prompted the researcher to delve deeper into the firmware, which was also written using the ARM architecture and was unencrypted, but he did not find any information related to these registers in the firmware.

He decided to take a closer look at how the vulnerability manipulated these unknown mmio registers. Of all the registers, 0x206040000 is particularly noticeable because it is in a separate mmio block from all the other registers.

It is only manipulated during the initialization and end phases of the vulnerability: it is the first register to be set during the initialization process and the last one during the end phase.

Based on the researcher’s experience, it is obvious that this register is used either to enable/disable the hardware functionality exploited by the vulnerability, or for interrupt control. The

researcher began following clues to the outage, and before long, he not only identified the unknown register 0x206040000, but also discovered what exactly the address range 0x206000000–0x206050000 mapped to. Shown below are the results of reverse engineering the vulnerable code that the researchers were able to identify.

def ml_dbgwrap_halt_cpu():
value = read_qword(0x206040000)
if ((value 0x90000000) != 0 ):return
write_qword(0x206040000, value | 0x80000000)
while (true):if ((read_qword(0x206 040000) 0x10000000) != 0):break
def ml_dbgwrap_unhalt_cpu():
value = read_qword(0x206040000)
value = (value 0xffffffff2ffffffff) | 0x40000000 2write_qword(0x206040000, value)
while (true):if ((read_qword(0x206040000) 0x10000000) == 0):break

successfully converted the previous pseudocode into The ml_dbgwrap_halt_cpu function matches the function of the same name in the dbgwrap.c file of the xnu source code. This file contains code for controlling the arm coresight mmio debug registers of the main CPU. The

source code shows that there are four mmio areas related to coresight, which are ed, cti, pmu and utt. Each region occupies 0x10000 bytes and is immediately adjacent to each other. The

ml_dbgwrap_halt_cpu function takes advantage of the utt area. Unlike the other three areas, utt does not come from arm, but is a proprietary feature added by Apple specifically for convenience. Each core of the

main CPU has its own coresight mmio debug register block, but unlike the GPU coprocessors, their addresses can be found in the device tree.

Another interesting discovery is that the vulnerability author(s) know how to exploit Apple's proprietary utt area to restart the CPU, and this part of the code is not included in the xnu source code. It is reasonable to speculate that this operation is likely to be obtained through experiments.

However, it is impossible to discover through experiments the attacker's operations on the registers in the second unknown area. The researchers are not sure what blocks of mmio debug registers are there, and if these registers are not used by the firmware, how an attacker discovered their use is a mystery.

Now, let’s focus on the other unknown registers exploited.

New Zhiyuan Report

Editor ：run so sleepy

[New Zhiyuan Introduction] iphone exposed the "most complex" hardware-level vulnerability in history! Hackers can obtain all sensitive data with just one iMessage, and users will not notice anything. The chain involved in the entire vulnerability was extremely complex, and Karpathy exclaimed: It is not something ordinary people can do.

Recently, Kaspersky researchers discovered that hackers left a very hidden backdoor in thousands of iPhones over four years.

can directly obtain the highest level of root permissions on iPhone through this hardware-level backdoor. To successfully exploit this backdoor, one must have a very comprehensive and detailed understanding of the underlying mechanisms of Apple products.

so much so that the Kaspersky researcher who discovered this vulnerability said, "It is impossible to imagine how this vulnerability was accidentally discovered." In his opinion, it is almost impossible for anyone other than Apple and ARM to know about this vulnerability.

Spyware can use this sophisticated vulnerability to transmit microphone recordings, photos, geolocation and other sensitive data to an attacker-controlled server.

Although a reboot closes the vulnerability, an attacker can reopen the vulnerability simply by sending new malicious iMessage text to the device after it reboots. During

, no user operation is required at all, and no clues will be left, making it very hidden.

In this regard, OpenAI scientist Andrej Karpathy said: This is undoubtedly the most complex attack chain we have seen so far.

Xinzhiyuan Report Editor: Run Haoshan [New Zhiyuan Introduction] The iPhone has exposed the 'most complex' hardware-level vulnerability in history! Hackers can obtain all sensitive data with just one iMessage without the user noticing. The chain involved in the entire vulnerabili - Lujuba

In this regard, Karpathy believes that this is no longer the scope of individual behavior, but should be a national level behavior.

A netizen who claimed that he still uses a Palm phone replied: "This is the reason why I insist on using a Palm phone."

Some netizens even lamented: "If you successfully annoy someone with such technical capabilities and resources, People, maybe the last thing you need to worry about is the data in your phone."

Currently, Apple has fixed this core security vulnerability on October 25, 2023.

"Operation Triangulation" attack chain

The researcher who discovered this vulnerability called it "operation triangulation".

- An attacker sends a malicious attachment via iMessage, and the application opens this vulnerability without the user noticing.

- This attachment exploits a remote code execution vulnerability (cve-2023-41990) in an undisclosed adjust truetype font command known only to Apple. This directive has been around since the early nineties and was removed in a recent update.

- During the attack, it used an advanced programming technique called "return/jump-oriented programming" and used multiple stages of code written in the nsexpression/nspredicate query language that modified javascriptcore library environment to execute a privilege escalation exploit written in JavaScript.

- This JavaScript exploit has been specially processed to make it almost unreadable, while also minimizing its size. However, it still contains approximately 11,000 lines of code. These codes are mainly used to analyze and manipulate javascriptcore and kernel memory.

- It also takes advantage of a debugging function dollarvm ($vm) of javascriptcore. Through this function, the attacker can manipulate the memory of javascriptcore in the script and call the system's native api function.

- This attack tool is designed to be compatible with both old and new iPhone models, and for newer devices, it includes a technique for bypassing the Pointer Authentication Code (PAC), which allows the attack to be effective against the latest devices.

- It achieves user-level read and write control of all physical memory of the device by exploiting an integer overflow vulnerability (cve-2023-32434) in the xnu memory mapping system calls (mach_make_memory_entry and vm_map).

- This tool also uses hardware memory mapped I/O (MMIO) registers to circumvent the Page Protection Layer (PPL), an issue that has been mitigated in CVE-2023-38606.

- After all vulnerabilities are exploited, the JavaScript vulnerability can be used to control the device at will, including deploying spyware. However, the attacker chose to: (a) start the imagent process and inject code to remove traces of exploitation; (b) run the safari process in incognito mode and guide to the web page containing the next stage of content.

- This webpage has a script embedded in it that can confirm the identity of the victim. Once the verification is passed, the next stage of the attack code will be loaded: the Safari vulnerability.

- safari vulnerability executes shellcode through cve-2023-32435.

- This shellcode further executes another kernel-level vulnerability, also exploiting CVE-2023-32434 and CVE-2023-38606. It's huge in size and functionality, but very different from kernel exploits written in JavaScript. All they share is part of the code related to the above exploits. However, much of its code is also focused on parsing and manipulating kernel memory.

- This vulnerability ultimately gains root privileges and proceeds to other stages, allowing spyware to be loaded.

Xinzhiyuan Report Editor: Run Haoshan [New Zhiyuan Introduction] The iPhone has exposed the 'most complex' hardware-level vulnerability in history! Hackers can obtain all sensitive data with just one iMessage without the user noticing. The chain involved in the entire vulnerabili - Lujuba

The mysterious vulnerability

The focus of discussion is a security vulnerability that has been fixed, numbered cve-2023-38606.

The new generation of iPhone has added additional security protection measures at the hardware level, specifically designed to protect sensitive areas in the kernel memory.

Even if an attacker is able to read and write kernel memory, such as this attack using the CVE-2023-32434 vulnerability, this protection prevents them from taking full control of the device.

Researchers found that in order to circumvent this hardware protection, attackers took advantage of another hardware feature in Apple's own designed SoC.

To put it simply, the attacker's method is as follows: while bypassing the hardware protection, they write the data, target address and hash value of the data to some unknown hardware registers in the chip that are not used by the firmware. , to write data to a specific physical address.

Researchers speculate that this unknown hardware feature is likely designed for debugging or testing by Apple engineers or factories, or was included accidentally. Because the firmware does not use this feature, researchers have no idea how attackers know and exploit this feature.

Xinzhiyuan Report Editor: Run Haoshan [New Zhiyuan Introduction] The iPhone has exposed the 'most complex' hardware-level vulnerability in history! Hackers can obtain all sensitive data with just one iMessage without the user noticing. The chain involved in the entire vulnerabili - Lujuba

Technical details

In a system on a chip, soc, various peripherals may provide special hardware registers for use by the central processing unit (CPU) to control these peripherals.

To achieve this, these hardware registers are mapped into memory that the CPU can access. This method is called "memory-mapped I/O (mmio)".

In Apple products, such as iPhone, Mac and other devices, the mmio address range of peripheral devices is stored in a special file format called "devicetree".

These device tree files can be extracted from the firmware and their contents can be viewed using the dt (devicetree) tool.

mmio storage example in the device tree

For example, in this screenshot, you can see the starting address (0x210f00000) and size (0x50000) of the acc-impl mmio range of cpu0.

While delving into the vulnerabilities used in the "operation triangulation" attack, researchers unexpectedly discovered that most of the mmio addresses used by attackers to bypass hardware-level kernel memory protection were not defined in the device tree. The vulnerability

specifically targets Apple SOCs from A12 to A16, attacking the mysterious mmio register block located at 0x206040000, 0x206140000 and 0x206150000.

This inspired the researchers’ curiosity and made a series of attempts. I searched through the device tree files and firmware files of various devices, but couldn't find any clues.

This puzzles researchers. Why are these mmio addresses used by attackers not used in the firmware? How did the attacker discover these addresses? Which peripheral devices do these mmio addresses belong to?

Afterwards the researchers decided to see if there were other known mmio addresses near these unknown mmio blocks. This time, he finally found some valuable information.

is in the information of the device tree entry of gfx-asc, which is the coprocessor of the gpu. Data dump of gfx-asc entry in

device tree

It contains two mmio (memory-mapped I/O) memory mapped ranges: 0x206400000–0x20646c000 and 0x206050000–0x206050008.

gfx-asc Correlation between mmio range and address used by the vulnerability

To be more precise, this vulnerability uses the following unknown addresses: 0x206040000, 0x206140008, 0x206140108, 0x206150020, 0x206150040 and 0x20 6150048.

researchers found that most of these addresses are located in the middle of the two gfx-asc memory regions, while the remaining one is near the start of the first gfx-asc region.

This implies that all these memory mapped input output (mmio) registers are most likely co-processors belonging to the graphics processing unit (gpu)!

The researchers then conducted a deeper analysis of the vulnerability and discovered further evidence.

During the initialization process, the vulnerability first writes to some memory mapped input and output (mmio) registers located at specific addresses of each SoC.

if (cpuid == 0x8765edea): # cpufamily_arm_everest_sawtooth (a16)base = 0x23b700408command = 0x1f0023ff
elif (cpuid == 0xda33d83d): # cpufamily_arm_avalanche_blizzard (a15)base = 0x23b7003c8command = 0x1f0023ff
elif (c puid == 0x1b588bb3): # cpufamily_arm_firestorm_icestorm (a14)base = 0x23b7003d0command = 0x1f0023ff
elif (cpuid == 0x462504d2): # cpufamily_arm_lightning_thunder (a13)base = 0x23b080390command = 0x1f0003ff 
elif (cpuid == 0x07d34b9f): # cpufamily_arm_vortex_tempest (a12)base = 0x23b080388command = 0x1f0003ff
if ((~read_dword(base) 0xf) != 0): write_dword(base, command)while(true):if ((~read_dword(base) 0xf) == 0):break

pseudocode of the gfx power manager control code in the vulnerability

Assistance in the device tree and the tool pmgr developed by siguza Next, the researchers found that all these addresses correspond to the mmio (memory-mapped input/output) range where the gfx register in the power manager is located.

Finally, a third confirmation came when the researchers tried to access the registers in these unknown areas.The coprocessor of

gpu reported an error almost immediately, displaying the message: "gfx serror exception class=0x2f (serror interrupt), il=1, iss=0 – power(1)".

In this way, the researchers confirmed that all these unknown mmio registers, which were used for exploits, indeed belong to the GPU's co-processor.

This prompted the researcher to delve deeper into the firmware, which was also written using the ARM architecture and was unencrypted, but he did not find any information related to these registers in the firmware.

He decided to take a closer look at how the vulnerability manipulated these unknown mmio registers. Of all the registers, 0x206040000 is particularly noticeable because it is in a separate mmio block from all the other registers.

It is only manipulated during the initialization and end phases of the vulnerability: it is the first register to be set during the initialization process and the last one during the end phase.

Based on the researcher’s experience, it is obvious that this register is used either to enable/disable the hardware functionality exploited by the vulnerability, or for interrupt control. The

researcher began following clues to the outage, and before long, he not only identified the unknown register 0x206040000, but also discovered what exactly the address range 0x206000000–0x206050000 mapped to. Shown below are the results of reverse engineering the vulnerable code that the researchers were able to identify.

def ml_dbgwrap_halt_cpu():
value = read_qword(0x206040000)
if ((value 0x90000000) != 0 ):return
write_qword(0x206040000, value | 0x80000000)
while (true):if ((read_qword(0x206 040000) 0x10000000) != 0):break
def ml_dbgwrap_unhalt_cpu():
value = read_qword(0x206040000)
value = (value 0xffffffff2ffffffff) | 0x40000000 2write_qword(0x206040000, value)
while (true):if ((read_qword(0x206040000) 0x10000000) == 0):break

successfully converted the previous pseudocode into The ml_dbgwrap_halt_cpu function matches the function of the same name in the dbgwrap.c file of the xnu source code. This file contains code for controlling the arm coresight mmio debug registers of the main CPU. The

source code shows that there are four mmio areas related to coresight, which are ed, cti, pmu and utt. Each region occupies 0x10000 bytes and is immediately adjacent to each other. The

ml_dbgwrap_halt_cpu function takes advantage of the utt area. Unlike the other three areas, utt does not come from arm, but is a proprietary feature added by Apple specifically for convenience. Each core of the

main CPU has its own coresight mmio debug register block, but unlike the GPU coprocessors, their addresses can be found in the device tree.

Another interesting discovery is that the vulnerability author(s) know how to exploit Apple's proprietary utt area to restart the CPU, and this part of the code is not included in the xnu source code. It is reasonable to speculate that this operation is likely to be obtained through experiments.

However, it is impossible to discover through experiments the attacker's operations on the registers in the second unknown area. The researchers are not sure what blocks of mmio debug registers are there, and if these registers are not used by the firmware, how an attacker discovered their use is a mystery.

Now, let’s focus on the other unknown registers exploited.

def dma_ctrl_1():
ctrl = 0x206140108
value = read_qword(ctrl)write_qword(ctrl , value | 0x8000000000000001)sleep(1)
while ((~read_qword(ctrl) 0x8000000000000001) != 0):sleep(1)
def dma_ctrl_2(flag): 
ctrl = 0x206140008
value = read_qword(ctrl)
if (flag): if ((value 0x1000000000000000) == 0):value = value | 0x1000000000000000 write_qword(ctrl, value)else:if ((value 0x100000000000 0000) != 0):value = value ~0x1000000000000000 write_qword(ctrl, value)
def dma_ctrl_3(value):
ctrl = 0x206140108
value = value | 0x8000000000000000
write_qword(ctrl, read_qword(ctrl) value)
while ((read_qword(ctrl) 0 x8000000000000001) != 0):sleep(1)
def dma_init(original_value_0x206140108):
dma_ctrl_1()dma_ctrl_2(false)dma_ctrl_3(original_value_0x206140108) 3
def dma_done(original_value_0x206140108):
dma_ctrl_1()dma_ctrl_2(true)dma_ctrl_3(original_ value_0x206140108)

if (cpuid == 0x8765edea): # cpufamily_arm_everest_sawtooth (a16)i = 8mask = 0x7ffffff
elif (cpuid == 0xda33d83d): # cpufamily_arm_avalanche_blizzard (a15)i = 8mask = 0x3fffff
 elif (cpuid == 0x1b588bb3): # cpufamily_arm_firestorm_icestorm (a14)i = 0x28mask = 0x3ffffff
elif (cpuid == 0x46250 4d2): # cpufamily_arm_lightning_thunder (a13)i = 0x28mask = 0x3ffffff
elif (cpuid == 0x07d34b9f): # cpufamily_arm_vortex_tempest (a12)i = 0x28mask = 0x3ffffff
 dma_init(original_value_0x206140108)
hash1 = calculate_hash(data)hash2 = calculate_hash(data+0x20)
hash2_write_ qword(0x206150040, 0x2000000 | (phys_addr 0x3fc0))
pos = 0while (pos 0x40):write_qword(0x206150048, read_qword(data + pos))pos += 8
phys_addr_upper = ((((phys_addr 14) mask) 18) 0x3ffffffff ffff)value = phys_addr_upper | (hash1 i) | (hash2 50) | 0x1fwrite_qword( 0x206150048, value)
dma_done(original_value_0x206140108)

 As long as the operation is correct, the hardware will perform a direct memory access (dma) operation and write the data to the specified memory address.

 Taking advantage of this hardware feature, attackers can bypass the page protection layer (ppl), mainly to modify page table entries.  In addition, it can modify the data in the protected __ppldata section. Although the vulnerability was not used to modify kernel code, in one test conducted by the researchers, an instruction within the __text_exec section of the kernel was successfully modified and triggered an "undefined kernel instruction" showing the expected address and value. "mistake.

 This situation only occurred once, and other attempts resulted in amcc errors. Regarding that successful attempt, the researcher has some ideas. In the future, the researcher plans to study it in depth, because he believes that it will be very useful to turn a vulnerability originally used for attacks into a positive use, such as enabling kernel debugging on new iPhones. Significant.

 After discussing all the work related to mmio (memory-mapped i/o) registers, let's now focus on the last topic: the calculation method of hash values. The specific algorithm is as follows.

sbox = [0x007, 0x00b, 0x00d, 0x013, 0x00e, 0x015, 0x01f, 0x016,0x019, 0x023, 0x02f, 0x0 37, 0x04f, 0x01a, 0x025, 0x043, 0x03b, 0x057, 0x08f, 0x01c, 0x026, 0x029, 0x03d, 0x045 ,0x05b, 0x083, 0x097, 0x03e, 0x05d, 0x09b, 0x067, 0x117,0x02a, 0x031, 0x046, 0x049, 0x085, 0x103, 0x0 5e, 0x09d,0x06b, 0x0a7, 0x11b, 0x217, 0x09e, 0x06d, 0x0ab, 0x0c7, 0x127 , 0x02c, 0x032, 0x04a, 0x051, 0x086, 0x089, 0x105,0x203, 0x06e, 0x0ad, 0x12b, 0x147, 0x227, 0x034, 0x04c, 20x052, 0x076, 0x08a, 0x091, 0x0ae, 0x106, 0x109, 0x0d3,0x12d, 0x205 , 0x22b, 0x247, 0x07a, 0x0d5, 0x153, 0x22d, 0x038, 0x054, 0x08c, 0x092, 0x061, 0x10a, 0x111, 0x206,0x 209, 0x07c, 0x0ba, 0x0d6, 0x155, 0x193, 0x253, 0x28b,0x307, 0x0bc, 0x0da , 0x156, 0x255, 0x293, 0x30b, 0x058,0x094, 0x062, 0x10c, 0x112, 0x0a1, 0x20a, 0x211, 0x0dc, 0x196, 0x 199, 0x256, 0x165, 0x259, 0x263, 0x30d, 0x313,0x098, 0x064, 0x114, 0x0a2 , 0x15c, 0x0ea, 0x20c, 0x0c1,0x121, 0x212, 0x166, 0x19a, 0x299, 0x265, 0x2a3, 0x315,0x0ec, 0x1a6, 0x29a , 0x266, 0x1a9, 0x269, 0x319, 0x2c3, 0x323, 0x068, 0x0a4, 0x118, 0x0c2 , 0x122, 0x214, 0x141,0x221, 0x0f4, 0x16c, 0x1aa, 0x2a9, 0x325, 0x343, 0x0f8,0x174, 0x1ac, 0x2aa, 0x32 6, 0x329, 0x345, 0x383, 0x070,0x0a8, 0x0c4, 0x124, 0x218, 0x142, 0x222 , 0x181, 0x241, 0x178, 0x2ac, 0x32a, 0x2d1, 0x0b0, 0x0c8, 0x128, 0x144,0x1b8, 0x224, 0x1d4, 0x182, 0x2 42, 0x2d2, 0x32c, 0x281,0x351, 0x389, 0x1d8, 0x2d4, 0x352, 0x38a, 0x391 , 0x0d0,0x130, 0x148, 0x228, 0x184, 0x244, 0x282, 0x301, 0x1e4, 0x2d8, 0x354, 0x38c, 0x392, 0x1e8, 0x 2e4, 0x358, 0x394,0x362, 0x3a1, 0x150, 0x230, 0x188, 0x248, 0x284, 0x302 ,0x1f0, 0x2e8, 0x364, 0x398, 0x3a2, 0x0e0, 0x190, 0x250,0x2f0, 0x288, 0x368, 0x304, 0x3a4, 0x370, 0x3 a8, 0x3c4, 0x160, 0x290, 0x308, 0x3b0, 0x3c8, 0x3d0, 0x1a0, 0x260,0x310 , 0x1c0, 0x2a0, 0x3e0, 0x2c0, 0x320, 0x340, 0x380]
def calculate_hash(buffer):
acc = 0for i in range(8):pos = i * 4value = read_dword(buffer + pos)for j in range(32) ;  as you can see this is a customization algorithm, the calculation of its hash value relies on a predefined sbox table (sbox table). He tried searching for it in the vast library of binaries, but found nothing. 
 You may have noticed that this hash is not particularly secure since it is only 20 bits (10 bits calculated twice), but as long as no one knows how to calculate and apply it, it is sufficient. This approach is best described as "security by obscurity." 
 If an attacker is not using this hardware feature and there is no guidance in the firmware on how to use it, how could they possibly discover and exploit it? 
 researchers did another test. He discovered that the m1 chip built into the mac also had this unknown hardware feature.Then, he conducted an experiment using the powerful m1n1 tool. 
 This tool has a trace_range function that can track all accesses to the specified mmio register range. Use it to monitor activities in the memory range from 0x206110000 to 0x206400000, but the results show that macos does not use these registers. 
 The GPU coprocessor involved this time appeared for the first time in Apple's SOC only recently. Researchers doubt this hardware feature had any purpose in previous retail firmware. 
 Nonetheless, the possibility cannot be ruled out that it may have been accidentally leaked in a specific firmware update or release of the xnu source code and then removed. 
 Researchers originally hoped to explore what was hidden in the second unknown area through the fix for this vulnerability in iOS 16.6. Eventually we did find out how Apple fixed the issue, but they made the fix deliberately hard to understand. 
 Apple prevents this vulnerability from being exploited by adding the mmio ranges 0x206000000–0x206050000 and 0x206110000–0x206400000 to pmap-io-ranges in the device tree. 
xnu uses the information here to determine whether to allow the mapping of certain physical addresses. All documented entries are labeled with a label name that clearly states the purpose of these memory ranges. 
Example of entries stored in pmap-io-ranges
 Here, pcie refers to "peripheral component interconnect express", dart is "device address resolution table (device address resolution table)", dapf Stands for "device address filter", and so on. 
 Listed below are the tag names of the exploited memory areas. These tags stand out in the list. 
 Area entry for exploiting the vulnerability 
 "Security by obscurity" is not safe 

 As you can see, this vulnerability is unusual. We don't know how the attacker learned to exploit this unknown hardware feature, nor what it was originally used to do. What. 
 I'm not even sure if it was developed by Apple or if it's caused by a third-party component like arm coresight. 
 But the vulnerability illustrates the fact that as long as there are hardware features that can bypass security protection, no matter how advanced hardware security measures are, they will become useless in the face of savvy attackers. 
 Hardware security often relies on "security through obscurity". Compared with software, hardware is more difficult to reverse engineer and analyze. 
 But this method itself is flawed, because all secrets will eventually be revealed. Systems that rely on "obscure security" for maintenance can never be truly secure. 
 Reference: 
https://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/
https://securelist.com/operation- triangulation-the-last-hardware-mystery/111669/

 Taking advantage of this hardware feature, attackers can bypass the page protection layer (ppl), mainly to modify page table entries.  In addition, it can modify the data in the protected __ppldata section. Although the vulnerability was not used to modify kernel code, in one test conducted by the researchers, an instruction within the __text_exec section of the kernel was successfully modified and triggered an "undefined kernel instruction" showing the expected address and value. "mistake.

 This situation only occurred once, and other attempts resulted in amcc errors. Regarding that successful attempt, the researcher has some ideas. In the future, the researcher plans to study it in depth, because he believes that it will be very useful to turn a vulnerability originally used for attacks into a positive use, such as enabling kernel debugging on new iPhones. Significant.

 After discussing all the work related to mmio (memory-mapped i/o) registers, let's now focus on the last topic: the calculation method of hash values. The specific algorithm is as follows.

sbox = [0x007, 0x00b, 0x00d, 0x013, 0x00e, 0x015, 0x01f, 0x016,0x019, 0x023, 0x02f, 0x0 37, 0x04f, 0x01a, 0x025, 0x043, 0x03b, 0x057, 0x08f, 0x01c, 0x026, 0x029, 0x03d, 0x045 ,0x05b, 0x083, 0x097, 0x03e, 0x05d, 0x09b, 0x067, 0x117,0x02a, 0x031, 0x046, 0x049, 0x085, 0x103, 0x0 5e, 0x09d,0x06b, 0x0a7, 0x11b, 0x217, 0x09e, 0x06d, 0x0ab, 0x0c7, 0x127 , 0x02c, 0x032, 0x04a, 0x051, 0x086, 0x089, 0x105,0x203, 0x06e, 0x0ad, 0x12b, 0x147, 0x227, 0x034, 0x04c, 20x052, 0x076, 0x08a, 0x091, 0x0ae, 0x106, 0x109, 0x0d3,0x12d, 0x205 , 0x22b, 0x247, 0x07a, 0x0d5, 0x153, 0x22d, 0x038, 0x054, 0x08c, 0x092, 0x061, 0x10a, 0x111, 0x206,0x 209, 0x07c, 0x0ba, 0x0d6, 0x155, 0x193, 0x253, 0x28b,0x307, 0x0bc, 0x0da , 0x156, 0x255, 0x293, 0x30b, 0x058,0x094, 0x062, 0x10c, 0x112, 0x0a1, 0x20a, 0x211, 0x0dc, 0x196, 0x 199, 0x256, 0x165, 0x259, 0x263, 0x30d, 0x313,0x098, 0x064, 0x114, 0x0a2 , 0x15c, 0x0ea, 0x20c, 0x0c1,0x121, 0x212, 0x166, 0x19a, 0x299, 0x265, 0x2a3, 0x315,0x0ec, 0x1a6, 0x29a , 0x266, 0x1a9, 0x269, 0x319, 0x2c3, 0x323, 0x068, 0x0a4, 0x118, 0x0c2 , 0x122, 0x214, 0x141,0x221, 0x0f4, 0x16c, 0x1aa, 0x2a9, 0x325, 0x343, 0x0f8,0x174, 0x1ac, 0x2aa, 0x32 6, 0x329, 0x345, 0x383, 0x070,0x0a8, 0x0c4, 0x124, 0x218, 0x142, 0x222 , 0x181, 0x241, 0x178, 0x2ac, 0x32a, 0x2d1, 0x0b0, 0x0c8, 0x128, 0x144,0x1b8, 0x224, 0x1d4, 0x182, 0x2 42, 0x2d2, 0x32c, 0x281,0x351, 0x389, 0x1d8, 0x2d4, 0x352, 0x38a, 0x391 , 0x0d0,0x130, 0x148, 0x228, 0x184, 0x244, 0x282, 0x301, 0x1e4, 0x2d8, 0x354, 0x38c, 0x392, 0x1e8, 0x 2e4, 0x358, 0x394,0x362, 0x3a1, 0x150, 0x230, 0x188, 0x248, 0x284, 0x302 ,0x1f0, 0x2e8, 0x364, 0x398, 0x3a2, 0x0e0, 0x190, 0x250,0x2f0, 0x288, 0x368, 0x304, 0x3a4, 0x370, 0x3 a8, 0x3c4, 0x160, 0x290, 0x308, 0x3b0, 0x3c8, 0x3d0, 0x1a0, 0x260,0x310 , 0x1c0, 0x2a0, 0x3e0, 0x2c0, 0x320, 0x340, 0x380]
def calculate_hash(buffer):
acc = 0for i in range(8):pos = i * 4value = read_dword(buffer + pos)for j in range(32) ;  as you can see this is a customization algorithm, the calculation of its hash value relies on a predefined sbox table (sbox table). He tried searching for it in the vast library of binaries, but found nothing. 
 You may have noticed that this hash is not particularly secure since it is only 20 bits (10 bits calculated twice), but as long as no one knows how to calculate and apply it, it is sufficient. This approach is best described as "security by obscurity." 
 If an attacker is not using this hardware feature and there is no guidance in the firmware on how to use it, how could they possibly discover and exploit it? 
 researchers did another test. He discovered that the m1 chip built into the mac also had this unknown hardware feature.Then, he conducted an experiment using the powerful m1n1 tool. 
 This tool has a trace_range function that can track all accesses to the specified mmio register range. Use it to monitor activities in the memory range from 0x206110000 to 0x206400000, but the results show that macos does not use these registers. 
 The GPU coprocessor involved this time appeared for the first time in Apple's SOC only recently. Researchers doubt this hardware feature had any purpose in previous retail firmware. 
 Nonetheless, the possibility cannot be ruled out that it may have been accidentally leaked in a specific firmware update or release of the xnu source code and then removed. 
 Researchers originally hoped to explore what was hidden in the second unknown area through the fix for this vulnerability in iOS 16.6. Eventually we did find out how Apple fixed the issue, but they made the fix deliberately hard to understand. 
 Apple prevents this vulnerability from being exploited by adding the mmio ranges 0x206000000–0x206050000 and 0x206110000–0x206400000 to pmap-io-ranges in the device tree. 
xnu uses the information here to determine whether to allow the mapping of certain physical addresses. All documented entries are labeled with a label name that clearly states the purpose of these memory ranges. 
Example of entries stored in pmap-io-ranges
 Here, pcie refers to "peripheral component interconnect express", dart is "device address resolution table (device address resolution table)", dapf Stands for "device address filter", and so on. 
 Listed below are the tag names of the exploited memory areas. These tags stand out in the list. 
 Area entry for exploiting the vulnerability 
 "Security by obscurity" is not safe 

 As you can see, this vulnerability is unusual. We don't know how the attacker learned to exploit this unknown hardware feature, nor what it was originally used to do. What. 
 I'm not even sure if it was developed by Apple or if it's caused by a third-party component like arm coresight. 
 But the vulnerability illustrates the fact that as long as there are hardware features that can bypass security protection, no matter how advanced hardware security measures are, they will become useless in the face of savvy attackers. 
 Hardware security often relies on "security through obscurity". Compared with software, hardware is more difficult to reverse engineer and analyze. 
 But this method itself is flawed, because all secrets will eventually be revealed. Systems that rely on "obscure security" for maintenance can never be truly secure. 
 Reference: 
https://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/
https://securelist.com/operation- triangulation-the-last-hardware-mystery/111669/



                    
                         Tags：
                        entertainment
                    

                    
                        
                            Prev post：
                             Live Broadcast, December 29th. At the pre-match press conference against Brighton, Tottenham coach Postkoglu teased team star Son Heung-min who is about to participate in the Asian Cup. In the 2015 Asian Cup final, the Australian team led by Postkoglu defeated South Korea 2-1 to                         
                        
                            Next post：
                             The editor of this article spoils the news: Isaac. Reprinting without authorization is strictly prohibited. Anyone found to have plagiarized will file a complaint across the entire network. The 27-year-old TVB actress and new generation artist Chen Jiahui officially signed a mana                        
                    

                                            
                        
                            Video about Xinzhiyuan Report Editor: Run Haoshan [New Zhiyuan Introduction] The iPhone has exposed the "most complex" hardware-level vulnerability in history! Hackers can obtain all sensitive data with just one iMessage without the user noticing. The chain involved in the entire vulnerabili
                            
                                                                    
    
        
            
            
            9:15
        
    
    
        霸總跟首富的妻子在車庫幽會，霸總還上手摸胸，激情畫面全程被狗仔拍下 💕中國電視劇 Chinese Drama #最佳情侶 #李多海 #周覓
    
                                                                    
    
        
            
            
            1:31
        
    
    
        Aerosol Valve Part Multi-station Progressive Stamping Unit
    
                                                                    
    
        
            
            
            0:27
        
    
    
        1-5L Automatic can sealing machine-China Yatai Packaging Technology Co., Ltd.
    
                                                                    
    
        
            
            
            0:10
        
    
    
        GT4B30 Automatic can sealing machine-China Zhongyuan Printing Iron Metal Can Factory
    
                                                                    
    
        
            
            
            0:52
        
    
    
        Automatic Square can manufacturing machine-Pingyang, Wenzhou, China
    
                                                                    
    
        
            
            
            0:20
        
    
    
        Automatic Can Sealing Machine-China Harbin Xinzhiyuan Can Factory
    
                                                                    
    
        
            
            
            0:56
        
    
    
        Automatic Conical Pail Production Line-China Jintai Can Co., Ltd. Branch Factory-Jinhong Can
    
                                                                    
    
        
            
            
            0:16
        
    
    
        can making machine manufacturers-Beer Can Automatic Line-Qingdao Beiqi, China
    
                                                                    
    
        
            
            
            0:16
        
    
    
        China Mountain Tourist Attractions YUNMEN MOUNTAIN WATERFALLS #mountains #waterfall #scenery
    
                                                                    
    
        
            
            
            9:59
        
    
    
        Can Sealing Machine series
    
                                                            
                        
                    
                    

                    
                        entertainment News
                        
                                                            
                                    
                                        
                                            
                                        
                                    
                                    
                                        In the turmoil of the entertainment industry, the emotional lives of celebrities are like soap operas with ups and downs, which always affect the hearts of the public. Recently, the news that Lan Zhenglong and his ex-wife Zhou Youting were dating and reunited has once again heate
                                    
                                
                                                            
                                    
                                        
                                            
                                        
                                    
                                    
                                        Lu Yuxiao is considered a relatively low-key one among 95. The new drama "Alley People" is on the air but has not been on any hot searches. Her quiet and retro temperament is very similar to Yu Aoi, the former originator of the forest style. Tranquility and gentleness are the sur
                                    
                                
                                                            
                                    
                                        
                                            
                                        
                                    
                                    
                                        We really need to call the police! Can anyone take charge of the makeup team of this costume drama? Let’s not talk about the previous uniform “super unibrow + death false eyelashes + shocking lying silkworm”. It was hard to escape from the Korean aesthetic that made people laugh.
                                    
                                
                                                            
                                    
                                        
                                            
                                        
                                    
                                    
                                        On November 13, the 2024 China Golden Rooster and Hundred Flowers Film Festival opened at the Minnan Grand Theater in Xiamen, Fujian. The stage design of the opening ceremony incorporates the concept of "movies are the art of light and shadow", using 9,000 CNC lamp beads to displ
                                    
                                
                                                            
                                    
                                        
                                            
                                        
                                    
                                    
                                        You Xu, the founder of leading mukbang IP Langweixian, was found guilty of job embezzlement and was sentenced to 8 years in prison and fined 1 million.      You Xu is the stage name, and his real name is You Caimei. He is the founder of Langweixian IP and one of the investors beh
                                    
                                
                                                            
                                    
                                        
                                            
                                        
                                    
                                    
                                        Recently, a set of beautiful photos of Louisa Mak, the "Ten Best Hong Kong Miss", caused an uproar on the Internet, not only because of the enviable sweet life after her marriage with her husband Keith, but also because of her relationship with her former husband "Old enemy" Pang
                                    
                                
                                                            
                                    
                                        
                                            
                                        
                                    
                                    
                                        Cultural/entertainment urban romance dramas have always been loved by the audience. Recently, a new urban romance drama "Laughter" was broadcast on the screen. It has only been broadcast for 7 days, and the drama has received praise from many viewers. , some viewers said that the
                                    
                                
                                                            
                                    
                                        
                                            
                                        
                                    
                                    
                                        Time is about to enter 2025, but I fell into the pit of The Voice in 2018 and haven’t climbed out yet. I’m very grateful that The Voice didn’t use excessive filters at that time, which allowed me to see a relatively real Li Jian, with bags under his eyes, nasolabial folds, and a 
                                    
                                
                                                            
                                    
                                        
                                            
                                        
                                    
                                    
                                        The waves behind the Yangtze River push the waves ahead, and the new generation is better than the old! The NBA is a star-making league, and stars are their core assets! Within a few days of the start of the new season, the three generations of old, middle and young stars in the 
                                    
                                
                                                            
                                    
                                        
                                            
                                        
                                    
                                    
                                        Copywriter | Thirteen Editor | Soda Water If you ask which type of domestic drama is the most classic in the domestic drama market?      Some people say it is an urban drama, while others say it is a period drama.      But if you ask me, it’s a spy drama.      The former "Latent"
                                    
                                
                                                    
                    

                    

                    
                        entertainment Video
                        
                                                            
    
        
            
            
            2:51
        
    
    
        SoftBank Fund Looks to Invest in Chinese AI Giant SenseTime
    
                                                            
    
        
            
            
            8:30
        
    
    
        Harris vows to encourage innovation of digital assets during NYC fundraiser: CNBC Crypto World
    
                                                            
    
        
            
            
            23:03
        
    
    
        Volatile US markets: What happens next? | Money Talks podcast
    
                                                            
    
        
            
            
            4:30
        
    
    
        Apple iPhone revenues expected to deflate further in 2023, says Bernstein's Toni Sacconaghi
    
                                                            
    
        
            
            
            4:40
        
    
    
        The attitude towards wealth creation in China has changed, says Rockefeller's Ruchir Sharma
    
                                                            
    
        
            
            
            24:54
        
    
    
        (Is the Future) Made in China?
    
                                                            
    
        
            
            
            6:04
        
    
    
        Voice artists sue tech company for 'stealing their voices' | BBC News
    
                                                            
    
        
            
            
            6:55
        
    
    
        Kai-Fu Lee Says China Innovative With Apps That Don't Exist in U.S.
    
                                                            
    
        
            
            
            1:41
        
    
    
        Fineprint: Chinese AI company files $1.4 billion lawsuit against Apple | World News
    
                                                            
    
        
            
            
            4:47
        
    
    
        Steve Wozniak Reacts to Apple's New AI Tools



            
                
                    Hots
                    
                                                    
    
        
            
        
    
    
        Changjiang Daily Wuhan Client News on November 13th At 20:15 on November 13th, Air China flight CA8212 will fly from Beijing Capital International Airport to Wuhan Tianhe Airport; at 21:30 that night, this C919 will fly to Air China Flight CA8215 traveled from Wuhan Tianhe Airpor
    
                                                    
    
        
            
        
    
    
        China News Service, Baku, Azerbaijan, November 13 (Reporter Chen Tianhao and Lin Mengnan) "In the face of climate change, in the face of animals whose habitats have been destroyed, in the face of endangered species, we need to start taking action today!" A 15-year-old from China 
    
                                                    
    
        
            
        
    
    
        The TV series "Enemy" mainly tells the story of the old and new generations of national security who still persist in protecting national security. Starring Liao Fan, Kai Tai, Zhu Zhu and other actors, everyone saw a very exciting work. A new generation of young police officers f
    
                                                    
    
        
            
        
    
    
        Daily reporter: Chen Ting Daily editor: Wenduo On the evening of November 12, Sun Art Retail (HK06808, stock price HK$2.09, market value HK$19.938 billion) released its interim performance report for the first half of the fiscal year (as of September 30, 2024) . According to the 
    
                                                    
    
        
            
        
    
    
        Denzel Washington, who is loved by many movie fans, recently expressed his intention to retire while promoting his new film "Gladiator 2" in an interview with the media. At the same time, the Oscar-winning actor who is about to turn 70 also officially announced his retirement. Pr
    
                                                    
    
        
            
        
    
    
        Ever since Goo Junye and Big S got married, his reputation has been on a roller coaster, plummeting. From being the "original father of the Korean Wave" to being a "soft rice boy", netizens have made complaints one after another. Many people have accused him of being taken care o
    
                                                    
    
        
            
        
    
    
        Unexpectedly, as the fourth season of "Goodbye Lover" continued to air, Yang Zi was upstaged by Mai Lin, and Mai Lin also suffered a reputation collapse.      At the beginning of the show, the loving state of Li Xingliang and Mai Lin made people mistakenly think that they were no
    
                                                    
    
        
            
        
    
    
        For drama fans, every finale is like a grand farewell.      The ups and downs of fate, joys and sorrows of the characters in the play make the audience deeply involved, laughing loudly and crying wildly together.      Like "Good Reunion."      Deng Haiyang succeeded....
    
                                                    
    
        
            
        
    
    
        The crime movie "Money Fortress" recently released the ultimate poster of the "Desire for the World" version.      The film will be officially unveiled on November 22, but as more and more materials are exposed, the audience's appetite for it is also increasing step by step.     
    
                                                    
    
        
            
        
    
    
        According to The Paper, recently, Coco Lee’s cemetery in Shimenfeng Memorial Park in Wuhan was exposed to be overgrown with weeds and flowers in a mess, which made many fans heartbroken. They came out to complain for her and demanded that it be restored to its original appearance
    
                                            
                

                
                    Latest
                    
                                                    On November 13, Li Ziqi updated again. She posted a video of making Shu Brocade. She posted a message saying, "I wanted to send a blessing to everyone, so I sang this song; because I wanted to sing this song, I made a velvet flower blooming on the Sichuan brocade; I wish every fr
                                2024-11-13 13:52:05
                            
                                                    Sun Art Retail (06808.HK), which was "hammered" by e-commerce, fell into a vortex of huge losses in fiscal year 2024. In fiscal year 2025, Sun Art Retail officially announced a "return" strategy, which is to focus on product strength and price competitiveness, develop multiple fo
                                2024-11-13 16:24:04
                            
                                                    On November 13, Li Ziqi released her third video after her return. In the video, she played and sang Faye Wong's "Ruishi" and expressed her blessings to everyone. Later, Li Ziqi posted a short composition in the comment area to express her gratitude. Li Ziqi said: I always feel t
                                2024-11-13 14:55:07
                            
                                                    On November 12, some netizens encountered Wei Daxun in the emergency room of the hospital. On November 13, Wei Daxun's fan club issued a post in response to the matter, saying that Wei Daxun's face was scratched by a prop during the filming of the action scene last night, and he 
                                2024-11-13 22:06:03
                            
                                                    The American "People" magazine has just announced that John Krasinski, the creator and star of the hit movie "A Quiet Place", has been selected as the "Sexiest Man Alive" in 2024, but the night before On the "Late Show with Stephen Colbert" broadcast at 11:35, he had already been
                                2024-11-13 19:09:04
                            
                                                    On November 13, the entertainment industry was completely blown away by a set of beautiful photos of Angelababy.      angelababy has not been in business for a long time. I don’t know what happened this time, but I posted several photos in a row at night.      Each photo is full 
                                2024-11-13 14:21:05
                            
                                                    On November 13, the Education Bureau of the Hong Kong SAR Government issued an announcement that the Hong Kong Observatory will change the Gale or Storm Signal No. 8 at 23:10 on the 13th and maintain it until at least 10 a.m. on the 14th for all morning and full-time schools. Cla
                                2024-11-13 22:10:04
                            
                                                    China News Service, Baku, Azerbaijan, November 13 (Reporter Chen Tianhao and Lin Mengnan) "In the face of climate change, in the face of animals whose habitats have been destroyed, in the face of endangered species, we need to start taking action today!" A 15-year-old from China 
                                2024-11-13 14:51:10
                            
                                                    Unexpectedly, as the fourth season of "Goodbye Lover" continued to air, Yang Zi was upstaged by Mai Lin, and Mai Lin also suffered a reputation collapse.      At the beginning of the show, the loving state of Li Xingliang and Mai Lin made people mistakenly think that they were no
                                2024-11-13 22:05:04
                            
                                                    Since the founding of the People's Republic of China, crosstalk art has moved from "setting up stalls on the ground" to the palace of art, and has undergone tremendous changes: the performance venue has changed from teahouses to theaters and even stadiums, and the way of apprecia
                                2024-11-13 22:01:05
                            
                                            
                

                
     Label List 
    
                    neidi
                    hanguo
                    news
                    movie
                    starnews
                    entertainment
                    original
                    shows
                    gossip
                    facialmask
                    cartoon
            

                
                    Random
                    
                                                    
    
        
            
        
    
    
        It has been more than a year since the death of singer Coco Lee, but no one expected that a year later, Coco Lee's cemetery would become a hot topic because it was messy and unattended. Immediately afterwards, various revelations came one after another, making people suspect that
    
                                                    
    
        
            
        
    
    
        The reason why the Warriors have reached this stage is that they have achieved a record of nine wins and two losses, and they are among the top three in the Western Conference. The final analysis is because these new players of the Warriors performed very well and they brought ne
    
                                                    
    
        
            
        
    
    
        The train of development of the times is moving forward rapidly, and the youth stories of college students are constantly updated. Pursuing interesting souls and enriching life labels, being able to sing, dance, act in dramas, and take photos... are no longer enough to describe t
    
                                                    
    
        
            
        
    
    
        Over the past week, the newly elected President of the United States, Trump, has been staying at Mar-a-Lago in Florida. There are no rallies, press conferences or speeches, but he is earning enough attention from the outside world by rapidly advancing government appointments and 
    
                                                    
    
        
            
        
    
    
        Today, produced by CCTV, Beijing iQiyi Technology Co., Ltd., Huanrui Century (Dongyang) Film and Television Media Co., Ltd., Horgos Maisong Culture Media Co., Ltd., Chongqing Satellite TV Media Co., Ltd., Chongqing Yinlong Film and Television Co., Ltd. Company, co-produced by Hor
    
                                                    
    
        
            
        
    
    
        "Eternal Night Star" is a hit, and the main actors Yu Shuxin, Ding Yuxi, Zhu Xudan, and Yang Shize are so popular. In addition to caring about the emotional progress and plot direction of the protagonists in the play, the audience also does not intend to let go of the actors them
    
                                                    
    
        
            
        
    
    
        "Light and Shadow Stories by the Canal" and a series of public welfare screenings of light and shadow films around us will be held in November and December, nourishing the heart with the warmth of light and shadow.      The event was jointly organized by the Propaganda Department
    
                                                    
    
        
            
        
    
    
        When the online anchor broadcast live on a short video platform, he "slashed people live" with a kitchen knife, attracting tens of thousands of netizens to watch. However, this is a farce written and directed by the anchor. Recently, the police in Yuexi County, Liangshan Prefectu
    
                                                    
    
        
            
        
    
    
        From November 5 to 10, 2024, the 7th China International Import Expo (hereinafter referred to as the "CIIE") was grandly held at the Shanghai National Convention and Exhibition Center. French GL events (hereinafter referred to as "GL events"), with the theme of "Global vision, lo
    
                                                    
    
        
            
        
    
    
        Li Ziqi is finally back after 4 years. On November 12th, Li Ziqi’s account was updated on all platforms, "Carving Paint to Hidden Flowers, Carving Purple Qi from the East!" 》This matter quickly became the top trending topic on Weibo. Li Ziqi wrote on Weibo: This lacquer video is



    
    
        
            
                Copyright © 2024 Lujuba The resources of this site come from the Internet
                The content of this site is for reference only, and is not used as real historical data. Please identify the authenticity and accuracy of the information by yourself. If there is a need, please refer to the official history guidance! For copyright issues, please contact the webmaster to delete!