john
demonic beast from another era (with F20.0) | https://t.co/W7w9FmL4Fd
Jul 2, 2022 16 tweets 5 min read
Here is my little thread of real bad ruminations about KIS - Kanzi In System - a debug probe embedded right into a device since A14

Seriously, read it with great caution, and don’t blindly trust it at all costs!

I once mentioned KIS in my old thread about the debug auth mechanism. But back then I thought it was just a new debugging protocol soon to replace SWD in Apple devices

Dec 20, 2021 4 tweets 4 min read
@Lexa66216298 @a1exdandy But this wasn’t done in order to bypass activation

In any case, there should be plenty of solutions to your problem on the internet - all of them are based on this exploit. Their creators really love donations, but for some reason don’t like to share

@Lexa66216298 @a1exdandy Although no, I’m lying. Two talentless hacks did splurge a whole 3K USD (one of those hacks, by the way, made software for solving your problem)

Want to know where I spent my share of the prize?
Jun 15, 2021 16 tweets 5 min read
Here is another little thread of mine about Tatsu Auth Debug - this time we’ll sniff whatever happens between Astris and Apple’s server

As always, read at your own risk!

To understand what’s going on here, it’s highly recommended to read the first part

Jun 9, 2021 21 tweets 5 min read
As promised, here’s my little thread with (bad) ruminations of mine about Tatsu Auth Debug and KIS, or Why Those Keys & Dumps Are So Valuable

Important: I have never touched any of the devices mentioned below myself. So I can only interpret the data their actual owners sent me…

…thus, the information in this thread may turn out partially or completely WRONG. Proceed with reading at your own risk!
May 29, 2021 19 tweets 4 min read
Here is my little thread about yet another bug I found in A6 bootrom (and probably any other that boots from H2FMI PPN NAND)

As always, absolutely useless on its own

Look at this picture. The bootrom has just read LLB from a bootpage and is now ready to create a Memz structure out of it. Address - 0x10000000, size - 0x24C00, flags - IMAGE_OPTION_LOCAL_STORAGE
Jul 5, 2020 18 tweets 6 min read
As promised, here’s my little thread about my experience of repairing a 1st-gen KongSWD (all-white)

Although that’s most likely not your case if you’ve got such a cable, I did manage to break the firmware on mine completely. So let’s start with restoring it
Feb 5, 2020 23 tweets 7 min read
Here is my little thread about bugs I’ve found in Image3 parsers of various SecureROMs (well, A4 and A6)

None of them are exploitable, but all of them can cause a crash and/or denial-of-service

Why am I posting this? Just for lulz and from hopelessness

1) memsetting the whole address space

That’s only for A4 (and maybe lower)

Back in February 2019, someone told me about an “SHSH tag length underflow” that allows “arbitrary memset”. The person failed to tell me which ROM it’s for
Oct 8, 2019 4 tweets 3 min read
@chronic 1/ there’s no such bootloader as BSS; there’s iBSS (iBoot Single Stage) instead

2/ LLB cannot enter recovery mode, it enters DFU-like mode

3/ the boot-command upgrade makes it boot a new iBEC, not iBSS

4/ SecureROM versions do NOT match the iBoot version at the time of device release

@chronic 5/ there’s a console on production iBoot too, although very limited

6/ there are more iBoot flags than he shows

7/ demotion to 01 is enough to get JTAG (I’d even say SWD). Demotion of Security status isn’t even possible, according to @s1guza

Aug 17, 2019 17 tweets 3 min read
Here is my little thread about Power NVRAM — another persistent key-value storage, located right on the PMU chip. Only talking about the iBoot context

Modifying a certain key there allows enabling debug UART on any bootloader (including DFU ones) very early and without touching normal NVRAM

Jul 27, 2019 20 tweets 6 min read
Here is my little thread about Lightning video adapters – also known as Haywire – which are actually computers that feature Apple Secure Boot and run the Darwin kernel

There are 2 kinds of Haywire:

1. Lightning Digital AV Adapter (b137ap/iAccy1,1) – Lightning to HDMI adapter, supports both video and audio
Jan 31, 2019 29 tweets 7 min read
I was planning to keep this knowledge private, but damn it. This is a thread about Apple SWD cables, some things they can do and how to use them

For now I’ve only got a KongSWD, so everything below applies to this type of cable first of all