checkm8 Question(s)

Posted: Tue Nov 05, 2019 5:23 pm
by frankmarco1
So I have been doing a "deep dive" into the checkm8 exploit and was wondering if anyone might be able to answer a question that I have not been able to figure out.

In the file "checkm8.py" every processor type has an associated "constants_usb" and "constants_checkm8" list as well as various ROP gadgets with hardcoded addresses.
For example looking at the "t8015" the "constants_checkm8" has an item "gUSBDescriptors" @ 0x180008528.
When looking at the dumped SecureROM in IDA (or Ghidra), these addresses align correctly with the associated behavior for iBoot-3332.0.0.1.23.

Can anyone explain how these addresses were determined without access to the SecureROM?
Sure, after the fact, using checkm8 to dump the SecureROM, they can be located, but before being able to dump the SecureROM, how would axi0mX or anyone have been able to find them?
Is there something I am missing, or a tool that previously dumped the SecureROM that I am unaware of?

Thanks in advance!

Re: checkm8 Question(s)

Posted: Thu Nov 07, 2019 4:33 pm
by scknight
My guess is initial access is found with either virtualization tools like Corellium or dev-fused devices that then allow JTAG access.

Re: checkm8 Question(s)

Posted: Thu Nov 14, 2019 7:39 am
by morpheus
Definitely dev-fused. Corellium wouldn't be of help here.