john
29 Sep 19, 3 tweets, 2 min read
There's a bug in the A6 SecureROM Image3 parser that allows both tethered and untethered code execution. @iH8sn0w found it back in 2015. I tried to find it too, decompiled most of the Image3 stack in that ROM, but couldn't find anything useful, only a memory leak and other nonsense.
With the release of #checkm8 by @axi0mX and the forthcoming release of something else, I guess it's absolutely pointless to continue any research on this matter, so I'm publishing all the decompilations along with the IDB and SecureROM/SRAM dumps.

github.com/NyanSatan/Imag…
Freeing A6 devices was kind of the primary concern of my life, and now I don't even know what to do next.


More from @nyan_satan

5 Feb 20
Here is my little thread about bugs I’ve found in Image3 parsers of various SecureROMs (well, A4 and A6)

None of them are exploitable, but all of them can cause a crash and/or a denial of service.

Why am I posting this? Just for lulz and from hopelessness

1) memsetting the whole address space

That’s only for A4 (and maybe lower)

Back in February 2019, someone told me about an “SHSH tag length underflow” that allows an “arbitrary memset”. The person failed to tell me which ROM it's for.
But for the A4 ROM I found something similar. Look at this line of code:

github.com/NyanSatan/Imag…
17 Aug 19
Here is my little thread about Power NVRAM — another persistent key-value storage, located right on the PMU chip. Only talking about the iBoot context.
Modifying a certain key there allows enabling the debug UART on any boot loader (including DFU ones) very early and without touching normal NVRAM.

Both keys and values are unsigned 8-bit integers

Now let’s talk about known keys and values for them:
27 Jul 19
Here is my little thread about Lightning video adapters – also known as Haywire – which are actually computers that feature Apple Secure Boot and run the Darwin kernel.
There are 2 kinds of Haywire:

1. Lightning Digital AV Adapter (b137ap/iAccy1,1) – Lightning to HDMI adapter, supports both video and audio
2. Lightning to VGA Adapter (b165ap/iAccy1,2) – doesn't support audio output, for obvious reasons
31 Jan 19
I was planning to keep this knowledge private, but damn it. This is a thread about Apple SWD cables, some things they can do and how to use them
For now I've only got KongSWD, so everything below applies to this type of cable first of all.
If you're reading this thread, you've most likely seen many photos with these weird Apple internal cables posted here, on Twitter, — Gorilla, Kong, Kanzi, Chimp, Flamingo, etc.
