Giulio Zompetti (@1nsane_dev), arm64e and RE student #ACMT #CCIE. Sep. 28, 2019. 2 min read

@axi0mX’s #checkm8 is out and lets you debug your device (up to A11).

But how is this done?
Here is a little thread on dumping the bootrom (SecureROM) on demoted devices with Apple’s official tools.

1/ connect the cable using the correct Lightning orientation and launch astris

2/ select the CPU you want to work on (in this case, we’ll select CPU0) and halt it.

As a result, astris will print the selected CPU’s registers with their contents.
We can now use the debugger to copy the contents of the memory region.

3/ use the command ‘save’ followed by the destination filename on the host, the address of the SecureROM and the size of the region to be copied (512 KB is enough)

4/ you should now have the file saved to the destination you entered in the command.
Note: if you didn’t specify a path along with the filename, astris saves the file in your current working directory. Find it and open it in a hex editor, and you should see it as follows:
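Instead of eyeballing the hex view, here is an added Python check for the file written by ‘save’ (my own example, not part of the thread or of Apple’s tooling): it verifies the size against the 512 KB suggested in step 3, flags a dump that is almost entirely one byte value (the usual sign of a wrong address or an unmapped region), locates the “SecureROM for <soc>, Copyright …” version banner that Apple SecureROM images carry, and computes a SHA-256 you can compare with a dump taken another way, e.g. over a plain Lightning cable. The embedded sample dump, its banner offset, SoC name and build tag are constructed, not read from any device.

```python
import hashlib
import re
from collections import Counter
from typing import Optional

# 512 KiB: the region size step 3 of the thread suggests for the 'save' command.
SECUREROM_DUMP_SIZE = 512 * 1024

# Version banner Apple SecureROM images embed near their start, then a build tag.
BANNER_RE = re.compile(rb"SecureROM for (\w+), Copyright (\d{4})-(\d{4}), Apple Inc\.")
BUILD_RE = re.compile(rb"(?:RELEASE|DEBUG|DEVELOPMENT):iBoot-[0-9.]+")

def make_sample_dump() -> bytes:
    """Constructed stand-in for a real dump: pseudo-random filler plus a banner.
    Offset, SoC name and build number are made up, not read from a device."""
    body = bytearray((i * 7919) & 0xFF for i in range(SECUREROM_DUMP_SIZE))
    banner = b"SecureROM for t8010si, Copyright 2007-2015, Apple Inc.\0"
    build = b"RELEASE:iBoot-0000.0.0.0.0\0"          # placeholder build tag
    body[0x200:0x200 + len(banner)] = banner
    body[0x240:0x240 + len(build)] = build
    return bytes(body)

def find_banner(dump: bytes) -> Optional[dict]:
    """Locate the version banner; return offset, SoC, years and build tag (if any)."""
    m = BANNER_RE.search(dump)
    if m is None:
        return None
    info = {"offset": m.start(), "soc": m.group(1).decode(),
            "years": m.group(2).decode() + "-" + m.group(3).decode()}
    b = BUILD_RE.search(dump, m.end())       # build tag follows the banner
    if b is not None:
        info["build"] = b.group(0).decode()
    return info

def check_dump(dump: bytes) -> list:
    """Return a list of problems; an empty list means the dump looks plausible."""
    problems = []
    if len(dump) != SECUREROM_DUMP_SIZE:
        problems.append(f"unexpected size {len(dump)} (expected {SECUREROM_DUMP_SIZE})")
    if dump:
        value, n = Counter(dump).most_common(1)[0]
        if n > 0.9 * len(dump):   # near-uniform data: wrong address or unmapped region
            problems.append(f"{n / len(dump):.0%} of bytes are 0x{value:02x}")
    if find_banner(dump) is None:
        problems.append("no 'SecureROM for ...' banner found")
    return problems

def fingerprint(dump: bytes) -> str:
    """SHA-256 of the dump, for comparing against a dump obtained another way."""
    return hashlib.sha256(dump).hexdigest()
```

Run `find_banner`, `check_dump` and `fingerprint` on the bytes of the saved file; `make_sample_dump()` only provides an offline stand-in.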

5/ You can easily find probes and software on Twitter. As a reference, you can check this post for Apple’s official software (which works only with their own probes). Otherwise check bonobo as an alternative.

6/ Debuggers like Kong and Kanzi (as well as SNR, with a little patching of an astris daemon) work well with any supported Lightning device. I recommend installing Tigris Tools (15A) from the previous link if you have one of these.

7/ You can find useful information about this technology in the thread below. As far as my limited experience allows, feel free to ask for any detail and I’ll do my best to help you out.

8/ I used a development device to dump the SecureROM as an example of astris usage. Note that the probe is not required to achieve this with the publicly released exploit, as you can use a normal Lightning cable.

9/ here is an example of the astris view before and after demotion. #checkm8 successfully enabled debugging and the device now exposes the AP to JTAG.

10/ (and final) if you are looking for refurbished probes at an accessible price, feel free to DM me.
