checkm8 Question(s)

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

checkm8 Question(s)

Postby frankmarco1 » Tue Nov 05, 2019 5:23 pm

So I have been doing a "deep dive" into the checkm8 exploit and was wondering if anyone might be able to answer a question that I have not been able to figure out.

In the file "checkm8.py" every processor type has an associated "constants_usb" and "constants_checkm8" list as well as various ROP gadgets with hardcoded addresses.
For example looking at the "t8015" the "constants_checkm8" has an item "gUSBDescriptors" @ 0x180008528.
When looking at the dumped SecureROM in IDA (or Ghidra) these addresses align correctly with the associated behavior for iBoot-3332.0.0.1.23

Can anyone explain how these addresses were determined without access to the SecureROM ?
Sure, after the fact using checkm8 to dump the SecureROM they can be located, but before being able to dump the SecureRom how would axi0mX or anyone been able to find them?
Is there something I am missing or a tool that previously dumped the SecureROM that I am unaware of?

Thanks in advance!
frankmarco1
 
Posts: 2
Joined: Fri Jun 07, 2019 4:30 pm

Re: checkm8 Question(s)

Postby scknight » Thu Nov 07, 2019 4:33 pm

My guess is initials access is found with either virtualization tools like Corellium or dev fused devices that then allow JTAG access.
scknight
 
Posts: 57
Joined: Thu Nov 10, 2016 1:01 pm


Return to Questions and Answers

Who is online

Users browsing this forum: No registered users and 1 guest

cron