john

@nyan_satan

Followers
17K
Following
1K
Media
425
Statuses
4K

demonic beast from another era (with F20.0) | https://t.co/W7w9FmL4Fd

Joined October 2015
@nyan_satan
john
5 years
Here's my little article about (almost) everything I know about Apple Lightning and related technologies: Tristar, Hydra, HiFive, SDQ, IDBUS, etc. Read at your own risk!
35
184
739
@nyan_satan
john
2 years
Name a bigger downgrade. 10 years ago on this day Apple Inc. took away the thing I love the most. Skeuomorphism. They say time heals, but in my case it only gets worse…
515
873
13K
@nyan_satan
john
6 years
Here is my little thread about Lightning video adapters – also known as Haywire – which are actually computers that feature Apple Secure Boot and run Darwin kernel
69
2K
6K
@nyan_satan
john
1 year
DON'T NEED MONEY, DON'T NEED FAME. I JUST WANT TO PUBLISH KEYS.
iPhone16,1_17.5.1_21F90_Restore/sep-firmware.d83.RELEASE.im4p
bf116f90847533d87d5599693c9c90a7b4acc89a767c96ec52ae3707b5c5d460ea1f8b5e778aa156801d4db6846028f0
47
400
4K
@nyan_satan
john
6 years
I was planning to keep this knowledge private, but damn it. This is a thread about Apple SWD cables, some things they can do and how to use them
7
194
529
@nyan_satan
john
7 years
Finally jailbroke my dualbooted iOS 10.3.3. Cydia works unreliably currently, but this is a matter of additional kernel patches. At least it finally doesn't crash immediately
38
136
512
@nyan_satan
john
8 years
iOS Dualboot - (almost) complete guide
37
145
508
@nyan_satan
john
2 years
@ABarrt444 Blocked & reported for spam.
6
2
459
@nyan_satan
john
6 years
And here we are!
17
17
450
@nyan_satan
john
4 months
In response to a popular demand, here is DOOM running on Apple Lightning to HDMI dongle.
8
98
437
@nyan_satan
john
10 months
Thanks to Apple Inc. for no longer encrypting iBoot! Here is something that might encourage them to do the same with SEPOS:
iPhone16,1_18.0_22A5316j/sep-firmware.d83.RELEASE.im4p
9cec21e7cfc72ab6b6ecaac042fca58edececa79512041ccb3b06acc1dd9141989dd176e9e708498ef557dc98edb744a
2
38
365
@nyan_satan
john
1 year
@DylangerDaly No, it's much easier and at the same time much darker - I have got some prototype Apple devices that have unlocked JTAG.
2
4
343
@nyan_satan
john
7 years
iOS 7.1+10.3.3 dualboot. I have no idea why I did this
23
90
303
@nyan_satan
john
6 years
Haywire itself doesn't store any firmware (well, except for SecureROM), so iOS has to upload it every time. The firmware bundle for it is very tiny, around 25MB uncompressed. It is shipped as a preinstalled asset with iOS and/or can be downloaded. That's how its folder structure looks:
3
28
309
@nyan_satan
john
1 year
iPhone16,1_17.5.1_21F90_Restore/sep-patches.d83.im4p
ff2c9b511dddc4e937ee77d6f41ad58bf0f67d4312e4deb9a25431df2899c637ece35e25e77ddaa0b7bd02b1853514be
4
10
310
@nyan_satan
john
3 years
Virtualization.framework is a pretty dope thing once you know how to cook it. But it's still a pity to see that the most interesting functions are hidden behind private methods and entitlements (custom ROMs/debug/iBoot UART/etc.). If there's any demand, I can publish sample code and docs
25
38
304
@nyan_satan
john
1 year
I'LL NEVER SOFTEN MY GRIP.
iPhone16,1_17.5.1_21F90_Restore/iBoot.d83.RELEASE.im4p
4D722B1DE7F88EEAF995C39036913B17BF20791EF3099162E3948562D92ADE011294AD62B4C0E2CCA1D023CC5AAA4A90
11
26
301
@nyan_satan
john
6 years
With release of #checkm8 by @axi0mX and forthcoming release of something else, I guess it's absolutely pointless to continue any research on this matter, so I'm publishing all the decompilations along with IDB and SecureROM/SRAM dumps.
3
61
276
@nyan_satan
john
6 years
Let’s destroy this metal shell with pliers. These copper dots are test points - some of them must be UART and SWD (both are unavailable over Lightning):
4
24
252
@nyan_satan
john
8 months
Yet another cursed internal device from Apple Inc. A144bAP - PCIe card, seemingly network, with… Apple T2 SoC! Unfortunately, I don't have anything to put it into for now, but AFAIK it runs iBoot at the very least and has SDOM 02
11
21
259
@nyan_satan
john
1 year
@iagent_107 No, this is an AES decryption key.
2
0
254
@nyan_satan
john
4 years
First ever SEP key decrypted with Anya!
N131bAP 8.1b3 19R5559e
CB9076B542287EB5F20CD40DD8DC1B471FC06050E221491C61AD3BE717EFD95A2F4589A3C3BF77ED7A5CE9A8E79C25A9
By the way, I'm looking for someone with a last-rev A12 00 device, let me know if you have one and are willing to help!
17
32
233
@nyan_satan
john
6 years
There's a bug in the A6 SecureROM Image3 parser that allows both tethered and untethered code execution. @iH8sn0w found it back in 2015. I tried to find it too, decompiled most of the Image3 stack in that ROM, but couldn't find anything useful, only a memory leak and other nonsense.
4
38
222
@nyan_satan
john
7 years
Exploiting the iOS 5 iBoot bug -
7
56
223
@nyan_satan
john
2 months
iOS 16 under Virtualization framework.
7
41
238
@nyan_satan
john
6 years
There're 2 kinds of Haywire:
1. Lightning Digital AV Adapter (b137ap/iAccy1,1) – Lightning to HDMI adapter, supports both video and audio
1
21
219
@nyan_satan
john
6 years
Scheme of connection:
GND -> GND
L0p -> D+
L0n -> D-
ID1 (ACC_PWR1) -> VCC
Please note that the iPhone gives it 3.3V originally, but USB has 5V. Not sure if it's a good idea, but it works. Anyway, don't blame me if you break something
4
14
210
@nyan_satan
john
6 years
Both support up to 1080p video output according to Apple and make use of the same SoC – S5L8747. Its part number is H9TKNNN2GD and according to The iPhone Wiki it has 256MB of RAM. Not much else is known about it.
1
18
211
@nyan_satan
john
6 years
My b137 met the same fate, so we can disassemble it. Here is how it looks without its plastic enclosure:
2
19
203
@nyan_satan
john
4 years
Here is my little thread about yet another bug I found in the A6 bootrom (and probably any other that boots from H2FMI PPN NAND). As always, absolutely useless on its own
6
20
206
@nyan_satan
john
6 years
Unfortunately, these adapters are of terrible quality. The HDMI adapter got 2 out of 5 stars on the US Apple Store website and the reviews are all like this one:
6
18
201
@nyan_satan
john
5 months
It's not commonly known apparently, but the Raspberry Pi Pico implementation of A5 checkm8 mentioned on Reddit some time ago - picom8 - actually works! A bit unstable sometimes, but it does!
4
18
216
@nyan_satan
john
6 years
Finally created a proper main page for my website. Now you can easily find all of my articles, guides and Twitter threads gathered in one place.
4
22
198
@nyan_satan
john
10 months
USB-C Diagnostic Doom. 4-byte patch, 32-bit CRC fix, 0 hardware modifications, same result
@dosdude1
dosdude1
11 months
I recently found that it is possible to convert the Apple "USB-C Diagnostic Tool" (available for any AASP to purchase) into the device it's based on, the "Chimp" USB-C debugging probe! Here's a quick video on what needs to be done. #appleinternal
4
17
193
@nyan_satan
john
6 years
Unlike all other devices since iOS 5, iBSS for Haywire features a Recovery mode with an interactive shell and is used to boot a kernel cache sent over USB (along with DeviceTree and ramdisk, of course).
@nyan_satan
john
6 years
Lightning Digital AV Adapter (b137ap) in recovery mode
2
21
185
@nyan_satan
john
6 years
Looking for iOS devices' metrics (not just schematics). Already got iPhone 5, iPad 4, iPad mini 1G. If you've got anything else, please let me know
10
20
172
@nyan_satan
john
6 years
iPhone8,4 (S8003) 12.3b4 16F5148a
-iv A3F7B4B49878D87B1C5E167FB80323FD -k F8661E1D857A8F51A78D4EC13EF88DF05FCC41CF7624007CA33D718CEF908216
6
26
187
@nyan_satan
john
7 years
Posting a messy guide about building Apple iBoot from the leaked source that I wrote a few months ago. It was never properly finished. Also it's kind of a new website design, so if it turns into a mess in your browser, you have been warned.
5
54
184
@nyan_satan
john
6 years
2. Lightning to VGA Adapter (b165ap/iAccy1,2) – doesn't support audio output for obvious reasons
3
13
175
@nyan_satan
john
6 years
iPad4,1 12.2b2 16E5191d iBoot
-iv c8ef5c9de919365ac389fc17ff9cba96 -k 900544d97b16a68ff2c438dd1b5c3e09b13d98d1330938f7b4744ad6ec074665
6
18
176
@nyan_satan
john
6 years
Wrote a grubby decoder of the Apple SDQ protocol (used in Lightning) for DSView
8
19
176
@nyan_satan
john
6 years
Untethered downgrade to iPhone OS 3.2.2 on iPad 1
10
16
170
@nyan_satan
john
7 years
Enabling debug-uarts on DFU-like iBoot -
4
49
167
@nyan_satan
john
5 years
Hayboard DEV2 – a Haywire connection board. Does anyone need these (soldered not that ugly, of course)?
24
14
166
@nyan_satan
john
6 years
You can easily connect Haywire to a PC because it's basically a USB device. All you need to accomplish this is Lightning and micro-USB female breakout boards and a few connecting wires:
3
13
159
@nyan_satan
john
6 years
Firmware is pre-signed and doesn't require any personalization. An APTicket is used, but it's static, i.e. it isn't bound to any ECID or nonce.
3
14
161
@nyan_satan
john
7 years
Exploited the old @p0sixninja HFS+ bug in iOS 5 iBoot
9
30
157
@nyan_satan
john
3 years
AppleTV3,2 (Apple TV 3 2013) debug TPs - now with both UART and SWD. ! ! ! BE EXTREMELY CAREFUL - I'M NOT RESPONSIBLE FOR ANY DAMAGE EXPERIMENTING WITH THESE THINGS MIGHT CAUSE ! ! !
3
24
163
@nyan_satan
john
4 years
iBoot-99 - the very first iBoot version known outside of Apple - booted on real hardware. Obviously, no display and no NAND
4
7
158
@nyan_satan
john
4 years
Haywire heaven of mine
7
12
160
@nyan_satan
john
4 years
checkm8_bootkit - a little program of mine that allows booting an iBSS on some cursed platforms with no patch to ipwndfu:
S5L8747X - Haywire
S5L8947X - Apple TV 3 (3,2)
If anyone needs this, I can publish it with minor improvements. (thanks to @1nsane_dev for this *insane* iBSS!)
8
23
157
@nyan_satan
john
7 years
Flashing iOS 6.1.3 bootchain over iOS 9.3.5 on n94ap — untethered, without restore. Might be useful for #derebusantiquis
7
22
145
@nyan_satan
john
6 years
Some interesting information about the software on its ramdisk:
1
11
155
@nyan_satan
john
7 months
JTAGging my iPhone 16 Pro Max (latest hardware with USB-C) with GorillaSWD (an ancient 30-pin probe), don't mind if I do?
6
6
161
@nyan_satan
john
4 years
The absolutely best device ever! N78 PROTO1. Produced in the very beginning of 2012. Runs Sundance10A219.iPodtouchFactoryOS (iBoot-1470). Apparently has a faulty Tristar, but still I managed to get USB and charging. Huge thanks to @MrWhite128 for providing me with this unit!
2
13
144
@nyan_satan
john
5 years
Implemented the SDQ protocol using STM32 once again - this time in slave mode. This allows me to pretend to be whatever Lightning accessory I want - in this case a DCSD UART cable!
7
21
146
@nyan_satan
john
7 years
Dualbooted iOS 7.1, 8.4.1, 9.3.3 and 10.0b1 on n41ap. All with no-effaceable-storage. Nothing special really, posting just for the record
12
17
148
@nyan_satan
john
6 years
Managed to enable debug-uarts on every kind of iBoot without any patches, so it works even with signed bootchain.
9
16
148
@nyan_satan
john
6 years
Bonobo working with Astris
5
15
138
@nyan_satan
john
3 years
Here is my little thread of real bad ruminations about KIS - Kanzi In System - a debug probe embedded right into the device since A14. Seriously, read it with great caution, and don't blindly trust it at all costs!
6
26
146
@nyan_satan
john
3 years
iPod touch 2. For real, it's an N72 dev board, produced in April 2008. For some unobvious reason, it doesn't have an iBoot-based SecureROM; instead it has a Samsung bootrom you could usually find in first-generation iPhones or non-iOS iPods
8
18
140
@nyan_satan
john
4 years
Well, well, well… what the heck?! It appears you can connect USB-C iPads to an external display using good old Lightning video adapters (aka Haywire), if you try hard enough
7
16
138
@nyan_satan
john
4 years
As promised, here's my little thread with (bad) ruminations of mine about Tatsu Auth Debug and KIS, or Why Those Keys & Dumps Are So Valuable. Important: I have never touched any of the devices mentioned below myself. So I can only interpret the data their actual owners sent me…
1
17
137
@nyan_satan
john
2 years
Here is my tiny thread about something exciting that I've been sitting on for quite some time now: Early T6020 SecureROM dump! This thread contains some details that I noticed in those 15 minutes I bothered to analyze it (so read at your own risk!)
4
7
141
@nyan_satan
john
6 years
iBSS's Image3 has a weird, previously unknown tag 'RAND' that contains a 64-bit integer and some padding. I couldn't find what this tag means even in the leaked iBoot source code. Also it always has only one KBAG
2
11
133
@nyan_satan
john
4 years
Impossible hack on the edge of insane to get UART & SWD out of this impossibly stupid Apple Watch adapter. (Potentially dangerous, don't try at home!)
8
12
135
@nyan_satan
john
5 years
Apple Lightning (cont.) - serial number reading. Explains what happens inside the Serial Number Reader app, why some old SNRs randomly stopped working as actual SNRs and what we can try to do about it. As always, read at your own risk!
7
19
135
@nyan_satan
john
8 years
iOS 4 Dualboot - (in)complete guide
9
37
128
@nyan_satan
john
5 years
Had nothing to do this night, so here we go: Lightning Digital AV Adapter (aka Haywire, B137AP) with patched iBoot loaded + DEVELOPMENT kernel with /bin/sh running
5
13
134
@nyan_satan
john
6 years
I'll just leave it here
7
10
134
@nyan_satan
john
6 years
According to the leaked iBoot source code, Haywire has SPI NOR, but even if production ones actually have it, it doesn't seem to be formatted, because the "saveenv" iBoot command fails
2
9
130
@nyan_satan
john
6 years
Designed a little standalone board to connect Haywire (and some other accessories too, I guess) to a computer
5
6
130
@nyan_satan
john
6 years
Its SecureROM (iBoot-1413.8 for the latest chip revision) is known to have been dumped using hardware tricks by at least one person. I asked that person for the dump, but obviously was refused. According to the person, this ROM is very much like the A6 one.
1
8
126
@nyan_satan
john
7 years
I dumped the S5L8900 bootrom a few weeks ago. Not a great achievement, I know, but it was quite tricky to do. This ROM is very different from newer ones, not even called "SecureROM"
7
8
129
@nyan_satan
john
6 years
Freeing A6 devices was kind of a primary concern of my life, and now I don't even know what to do next.
12
5
122
@nyan_satan
john
5 years
N71mAP 14.0b2 18A5319i SEPOS
0ac3b2984fd7607918702b87be490634025b10050fb479f5abb8132fa7a08a3b08455aa2875ab1b0706cac5edf304354
8
13
115
@nyan_satan
john
4 years
Created a little kit to decrypt KBAGs with JTAGable prototype devices (newer ones - A12+) in an easy and fast manner: basically, you need JTAG only for the initial setup and after that it's plain USB. SEP eta son. Thanks to @axi0mX for the idea of replacing handle_interface_request()!
8
22
120
@nyan_satan
john
2 years
N18EVTa - iPod touch 3 with an unreleased camera. It has an early revision of the SoC with an early version of SecureROM - iBoot-359.4 - which still has the 24kpwn and alloc8 bugs, though they are not exploitable on this device. Huge thanks to @1nsane_dev for gifting this unit!
3
8
125
@nyan_satan
john
9 years
Dual boot manager concept
16
34
120
@nyan_satan
john
6 years
Accessing Power NVRAM using iBoot.
4
31
119
@nyan_satan
john
7 years
iPad3,3 8.2b5 12D5480a iBoot
-iv c5e19387af402d9f7c7f94ff55b558d0 -k 6536ced63d7db1bcb2c239fd8e40bc9b90a5c75b6731153b9e28125358dc482f
7
19
111
@nyan_satan
john
6 years
@axi0mX Holy fuck!
0
1
110
@nyan_satan
john
5 years
N142bAP (Watch5,12) 7.1b1 18R5552f SEPOS
668a4ec73c4b8c6f35e57c0815476bf4f593d248c232f16de2d0957cf9641c3c049028e37687939db35dee3766483658
7
8
113
@nyan_satan
john
8 months
Apple Watch Series 10 (Apple S9/S10/T8310/Caicos) in taDFU mode:
SDOM:01 CPID:8310 CPRV:11 CPFM:03 SCEP:01 BDID:12 ECID:XXXXXXXXXXXXXXXX IBFL:3C SIKA:00 SRTG:[iBoot-8104.0.0.400.32]
2
11
116
@nyan_satan
john
4 years
D53pAP 14.5b7 18E5198a
iBoot: 46926BE7C9525380FA64E3AACFD550F38A1F9943A24CE0AE0D623869380E6DAA0A7EAA1EA99833C5E2AF9C21B368B79F
iBootData: 39E224F04C0F88F61EE1501ED6687092D3F8A4407A16A5CAA27DDA346C8391B9B904F509514FFD8DE32094ADB225EF5A
3
17
111
@nyan_satan
john
4 months
Apparently it's not commonly known, but you actually can run good ole OS X Mavericks on a Mac mini (Late 2014), which was released with Yosemite already. Requires a few tricks, but nothing complex. If there's any demand, I can release a tutorial + software to simplify the process
11
4
115
@nyan_satan
john
8 years
Dualboots of iOS 7 with pre-LwVM iOS versions are actually possible!
5
29
106
@nyan_satan
john
5 months
Here is my checkm8 rewrite for some cursed platforms such as Apple Lightning video adapters and Apple TV 3 (with single-core A5). It *should* work on modern macOS and even iOS, but as usual - no guarantees, try it at your own risk, etc.
5
14
113
@nyan_satan
john
5 years
Implemented the SDQ protocol on an STM32 blue pill. That's a big step forward to a Hayboard that will support both Lightning orientations
3
8
109
@nyan_satan
john
6 years
Memory map:
0x20000000-0x20020000 - ROM (128 KB)
0x22000000-0x22020000 - SRAM (128 KB) (iBSS works from here)
0x8000000-0x18000000 - SDRAM (256 MB)
2
8
107
@nyan_satan
john
3 years
A6 DEBUG-fused SecureROM built from the leaked source code. (Yes, it prints to UART)
4
8
106
@nyan_satan
john
6 years
iPhone7,1 12.2b2 16E5191d iBoot
-iv c7f8e518dbc56bac9f330b301e3b1ccf -k 9cd1e1b5f0f16ebcf30f84900dc5ba3d70a84cd6f162bba6b51a09b0cd844b12
6
17
107
@nyan_satan
john
7 years
DEVELOPMENT-fused iBSS and iBEC built from the source
3
12
109
@nyan_satan
john
5 years
Finally managed to fix my old 1st-gen Kong (all-white)! From a useless cable with dead FW to a fully working probe that can provide power, USB, UART and SWD. Wouldn't have been possible without help from @iRazGAr and @chiptunext. If anyone's interested, I can make an article/thread
13
8
104
@nyan_satan
john
6 years
0x08000000-0x0B000000 - Load area (48 MB)
0x0B000000-0x0DF00000 - Kernel (47 MB)
0x0DF00000-0x0E000000 - Device tree (1 MB)
0x0E000000-0x11000000 - Ramdisk (48 MB)
1
8
103
@nyan_satan
john
5 months
I updated checkm8_bootkit to support the rest of the Apple A5 family, by the way; also added demotion and KBAG decryption options.
1
25
109
@nyan_satan
john
5 years
Finally, I have them all
6
4
99
@nyan_satan
john
6 years
0x11000000-0x17F00000 - Heap (111 MB)
0x17F00000-0x17FFC000 - iBoot (unused) (1008 kB)
0x17FFC000-0x18000000 - Panic (16 kB)
1
6
99
@nyan_satan
john
4 years
It appears you can make Haywire output its debug UART through male Lightning. So I *ported* a full chain to boot Haywire to custom firmware via an iOS device:
checkm8 (+the bootkit)
iRecovery
Patched firmware
my own creation called iap_link for interacting with accessory UART
2
6
102