john
15 Oct, 3 tweets, 3 min read
Here are a few more details/thoughts of mine about Stark, Parrot and their relation to modern Apple Watch interfacing

@zhuowei found out that Stark is ST60A3, a wireless USB chip used since Series 6

And I possess 2 boards that know (and can handle?) these technologies...
First of all, I've already showcased Koko

Today I'm also disclosing a few new details about Needle:

It's not recognized by Astris, but it provides a VCP interface with a menu similar to Koko's - with "parrot" and "stark" commands

(Thanks @_cc999 for both)

Now we know what Stark is

But what's Parrot? There's a probe called "ParrotSWD", which has been supported by Astris for quite a while. And more than a year ago I heard a rumor that it's a wireless probe!

It all (slowly) comes together, doesn't it?

