Profile picture
Giulio Zompetti
@1nsane_dev
, 10 tweets, 5 min read Read on Twitter
@axi0mX’s #checkm8 is out and let’s you debug your device (up to A11).

But how is this done?
Here is a little thread on dumping the bootrom (SecureROM) on demoted devices with Apple’s official tools.

1/ connect the cable using the correct lighting orientation and launch astris
2/ select the CPU you want to work on (in this case, we’ll select CPU0) and halt it.

As result, astris will provide the output containing the selected CPU’s registers with their content.
We can now use the debugger to copy the content from the memory region
3/ use the command ‘save’ followed by the destination filename on the host, the address of the SecureROM and the size of the desired region to be copied (512kb are enough)
4/ you should now have your file saved into the destination you entered in the command.
Note, in case you didn’t specify a path along with the filename, astris will save the file into your currently working directory. Find it and open it (HEX) and you should see it as follows:
5/ You can easily find Probes and software on Twitter. As a reference, you can check this post for Apple’s official softwares (which work only with their own probes). Otherwise check bonobo as an alternative.

6/ Debugger like Kong and Kanzi (as well as SNR, with some little patching on an astris daemon) can work absolutely good for any supported lightning device. I recommend to install Tigris Tools (15A) from the previous link if you have one of these.

7/ You can find useful informations about this technology in this thread below. For what my little experience makes possible, feel free to ask any detail and I’ll do my best to help you out.

8/ I used a development device to dump the SecureROM as an example of astris usage, note that the probe is not required to achieve this with the exploit publicly released, as you can use a normal lightning cable.
9/ here is an example of astris view before and after demotion. #checkm8 enabled successfully the debugging and the devices now expose AP to JTAG
10/ (and final) if you are looking for refurbished probes for an accessible price feel free to DM me
#checkm8
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Giulio Zompetti
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#checkm8

Related threads

Profile picture
Dr. Nyri A Bakkalian (浪人歴史家)
@riversidewings
#Thread My talk last night with @OutlawHistorian has inspired me, so-- here is a #japanesehistory thread about ashigaru, as an introduction for those who haven't heard the term before.

This is a beloved topic of mine, because as you'll see, it's a grey area in Japanese history.
So. "Samurai" is a catch-all term used more in the west than in Japanese. These terms vary, but the short answer is that samurai were low ranking members of the warrior caste, and warriors in general were called bushi. All samurai are bushi, but only some bushi are samurai.
Ashigaru 足軽 is spelled "foot-light." Different clans and regions used terms differently, of course, but generally speaking, ashigaru are a gray area. They were part of feudal armies and part of lordly retinues in the Edo period (1600-1868), but were they bushi?

Hmmm...
Read 12 tweets
Profile picture
Lisa Braun
@nyan_satan
Here is my little thread about Power NVRAM — another persistent key-value storage, located right on PMU chip. Only talking about iBoot context
Modifying certain key there allows to enable debug UART on any boot loader (including DFU ones) very early and without touching normal NVRAM

Both keys and values are unsigned 8-bit integers

Now let’s talk about known keys and values for them:
Read 17 tweets
Profile picture
William ∞ DocFX
@innersonics
Let’s make a #thread about what @zeevs posted and proposed a few hours ago in the #PHP #internals.
There was a little confusion about what was proposed, despite his words being quite clear. This is going to be VERY long, for I have no idea how to sum up things. ¯\_(ツ)_/¯
🔽🔽🔽
@zeevs First, let’s rewind the timelines a little, and have a look at history. I hate the past and history, but as pure facts, it sometimes is needed.
@zeevs PHP emerged in its raw, primitive form, circa 1994. It’s now 25 years old. The first idea was to get rid of CGI backends, crashing segfaults, maintenance nightmare, not suited for a web world. All that in the form of scripts, parsed through a slower but safer interpreter.
Read 67 tweets
Profile picture
Lisa Braun
@nyan_satan
Here is my little thread about Lightning video adapters – also known as Haywire – which are actually computers that feature Apple Secure Boot and run Darwin kernel
There’re 2 kinds of Haywire:

1. Lightning Digital AV Adapter (b137ap/iAccy1,1) – Lightning to HDMI adapter, supports both video and audio
2. Lightning to VGA Adapter (b165ap/iAccy1,2) – doesn’t support audio output for obvious reason
Read 20 tweets
Profile picture
Joe Were
@jaydabliu
Here’s a little thread of my highlights traveling in Africa... some solo, some group travels and most of them by road from Nairobi...
Let’s first head down South from Kenya to South Africa... first time was in a 2001 Subaru Legacy (and everyone we met on the way was like, “will it make it?”... there’s this preconceived notion that you need a fully kitted out big 4x4 to do the trip
After being on the highway from Kenya to South Africa the first go-around, some of the places visited did require getting off the beaten path. So the next time I used a 2010 Nissan Xtrail... I call her “Misty”. We have been on many adventures together
Read 30 tweets
Profile picture
Carla-Jean
@CarlaJeanStokes
A quick break from #BlackHistoryMonth to talk about the #LunarNewYear - I did a similar search for Chinese representations in Canadian official war photographs, and found 10 results. Here's a little #thread about them -
(Photograph is: Chinese Labour Battalions in France celebrating the Chinese New Year on February 11, 1918. William Rider-Rider, LAC MIKAN 3396797) #warphotos
Rider-Rider took four additional photographs by that same title. They're LAC MIKAN 3396798 - 6801. This is neg # O-2447
Read 17 tweets

Trending hashtags

#Peace #Coconuts #khasoggi #FinancialCrash #CNH #WhitePeopleCannotDoRight #Erdogan #EnjoyingClassicalMusic #FromTheSouth #LGBTQunite #NATO #Turkish #AEI #Pompeo #UnitedStates #WILD #Malaysia #Democracy #Love #TooManyWhitePeople #Pork #enforcement #NBC #sorghum #MarieColvin
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!