Alexey Kovrizhnykh
46 posts

@a1exdandy
Saint Petersburg, Russia. Joined September 2016
181 Following, 1.2K Followers

@h0t_max @a1exdandy @offzone_moscow I can follow the power-on-reset trick in the third variant and that the UART peripheral is used with DMA to dump Flash during the race window. Without a recording of the lecture, I'm not quite sure whether this requires a voltage glitch or the glitch was ultimately not required.

Amazing research on vulnerabilities in GD32 chips - "GigaVulnerability: GD32 Security Protection bypass" a1exdandy.me/slides/offzone… by @a1exdandy on @offzone_moscow

Alexey Kovrizhnykh retweeted

For those who asked, a nice alternative for #ghidra by my colleague @TheJokiv github.com/DSecurity/efiS… @MarcoFigueroa , please check this out :)
Alex Matrosov @matrosov
#efiXplorer v1.0 [REcon Edition] released! We try to make UEFI RE easier, current version of IDA plugin supports: - EFI Protocols and Boot/Runtime Services identification - EFI GUIDs recognition Stay tuned, more features coming! github.com/binarly-io/efi… @yeggorv @p41ll @isciurus

Now ported on S5L8940X and S5L8945X as well
Thanks to @nyan_satan for support and testing!
PoC will be available tomorrow


Successfully ported checkm8 to S5L8942X using Arduino with MAX3421E-based USB host shield
Many thanks to @nyan_satan for debugging on iPad mini 1 EPVT and testing on production devices
PoC will be available soon

Alexey Kovrizhnykh retweeted

Thanks to @a1exdandy the port of #checkm8 to C/C++ (github.com/pgarba/King/) has support for the iPhone 6. He also figured out why libusb didn't work on Windows so thank him for finally having #checkm8 support on Windows 🙏👌

@mosk_i @a1exdandy Hi, but is it possible to use this method on Windows?
Alexey Kovrizhnykh retweeted

@a1exdandy has also added CPID:7000 (iPhone 6) and CPID:8000 (The other 6s) #checkm8 support!
Instructions here: gist.github.com/a1exdandy/ec3d…
Great work =)


@iAdam1n Wrong CPRV in my patch, try this gist.githubusercontent.com/a1exdandy/ae3f…
Alexey Kovrizhnykh retweeted

Thanks to @a1exdandy, there is now #checkm8 support for the 6s!
I modified his patch slightly to work on CPID:8000 instead of 8003 as I have an 8000 6s.
Expect cool things in the near future ;)


#checkm8 for s8003 (iPhone 6s) (as patch file)
gist.github.com/a1exdandy/ec3d…

#checkm8 for Haywire
Only a memory dump is checked, there may be problems with other functionality
SecureROM of Haywire also in repo, enjoy!
github.com/a1exdandy/ipwn…
Thanks to @nyan_satan for useful thread about Haywire

Alexey Kovrizhnykh retweeted

Added S5L8747 & S5L8947 & S7002 & T8004 SecureROMs to securerom.fun
Thanks to @a1exdandy for the S5L8747 ROM and thanks to @a1exdandy and @chiptunext for the S7002 ROM
Alexey Kovrizhnykh retweeted

@synackuk @nyan_satan Yes, the article will be about that. I will publish it after the New Year holidays

@a1exdandy @nyan_satan Well, that probably answers my question. I was wondering specifically how you ported checkm8 to haywire without an SROM dump, but if you were able to dump it somehow I would love to be able to replicate that for A5

@synackuk @nyan_satan What exactly? By the way, I plan to publish an article on how it was originally possible to dump SecureROM of Haywire with checkm8 without knowing the pointers to any functions or data. It will be next year

@a1exdandy @nyan_satan damn, can you perhaps explain how you did this?

@a1exdandy HAX: change AES options constants to 0x200 and 0x201 respectively to get decryption/encryption working (checked only GID decryption though)
