[edelbitter]

Since this can only underflow and some written bits are not attacker-chosen, does this not imply that the patchable part of the software could reliably detect this just in time and panic on suspected USB DMA corruption? Where is the catch?

[auguzanellato]

The exploit grants arbitrary code execution, it can just fix up the telltale signs of the USB DMA corruption before jumping to an updatable part of the boot flow

[edelbitter]

Ah, the exploit is all done before that!

[Retr0id]

The exploit happens before any patchable software is running, it's not called ROM for nothing.