If I'm reading this right, glitching the I2C bus prevents the Secure Enclave from booting. It seems the device recovers from this itself 'Although the device recovered and remained operable', maybe the Secure Enclave reboots itself after seeing a fault in the I2C?
No evidence of any security issue is presented. Though it's certainly wanted to drum it up as something major: 'This is a high-severity, unpatchable design flaw'.
The device "recovering" while entering debug mode on production hardware is the security issue.
Fuses are supposed to prevent that. They don’t. That’s the flaw.
This isn't just a bug... it's a hardware-level oversight that can cause iPhones to silently fail during boot, leaving no logs, no recovery mode, and no forensic trace.
The flaw is triggered by abrupt power loss (e.g. during brownouts or unstable charging), preventing the secure world and logging subsystems from initializing. Confirmed it on a real A17 Pro device.
Curious if others can reproduce this, or if similar behavior exists in M-series chips.
Shared resources aren't a "hardware bug." It's a design choice.
I2C is always vulnerable to one device locking up the bus-- indeed almost all buses are. But it's intended to be a bus hooking up multiple pieces of hardware.
This is an interesting phenomenon: the source account is 100% dubious Apple "bug reports", and then we have another completely new account choosing to misinterpret the dubious report (which isn't really security related despite involving a security component) as a critical vulnerability. The cited reports all ring like they're written by an LLM.
True... I2C lockups are a known limitation, not a bug. But this isn't about bus contention.
The issue is that debug logic is active on production-fused silicon, despite dev-fused = 0 and debug = 0x0. That’s a hardware trust failure, not a design trade-off.
Fuses are supposed to make debug paths unreachable—but they’re not. That’s the problem.
Long press hard reboot should rectify that if the device isn't severely damaged in a way that causes permanent instability on I2C4. And if it is, then welcome to board level repair, here's your introductory can of pickled suffering.
Now, if you could use that to pwn SEP? Or boot into a custom ROM, checkm8 style? That would be something. But I see zero evidence of this being exploitable in any way.
If debug logic can be reactivated, even briefly, even locally, then all bets are off for things like firmware extraction, secure boot bypass, or SEP fault analysis.
- SPU is not a processor, it's a generic term that encompasses multiple coprocessors.
- The log lines don't even mention the Secure Enclave Processor (SEP).
- Each line of log output is its own thing and there is no reason to think they have anything to do with each other.
- Those are not specifically serial logs. It is possible to get the same logs over serial, but only with a development unit, Security Research Device, or jailbreak.
But the issue isn't about parsing log semantics...
It's that a production device entered a state where normally fused-off debug logic became accessible. That shouldn’t be possible, regardless of how the logs were captured or named.
Get off the slop generator for a moment and look up who ‘comex is. Then stop submitting AI slop articles to this site (and better yet, stop writing them at all). If you really care about security research for Apple platforms, learn how to do it properly and find your own bugs instead of posting clearly bogus content.
Yes, it’s a security flaw, because debug logic is active on production hardware that should have it permanently fused off.
Worse, the system prunes logs aggressively, erasing the very diagnostic history that could expose this behavior. So not only is debug logic unintentionally enabled, the evidence is self-erasing.
Just watched the log video in the report... it's legit.
These are not ephemeral or misinterpreted logs... they’re hard evidence that SecureROM and HAL subsystems are exposing debug logic in production mode. That shouldn't be possible unless the chip itself is violating its own trust enforcement model.
If this behavior is reproducible across multiple production devices, it's a class of vulnerability that Apple cannot patch in software. We're talking about a silicon-level debug bypass that persists without jailbreak, unsigned code, or tampering.
Strongly recommend pulling logs from known-good A16/A17 Pro devices and looking for those same entries.