john

Here we go! ! ! ! BE EXTREMELY CAREFUL - I'M NOT RESPONSIBLE FOR ANY DAMAGE SUCH EXPERIMENTS MIGHT CAUSE ! ! !pic.twitter.com/tHDRIEy2QL

Managed to connect to AppleTV3,2' debug UART (the one with A5 Rev B, aka single core A5, aka S5L8947X, aka H4I) Done via test points on the MLB. Tried to find SWD ones too, but failed If anyone cares for UART ones' positions - I can sharepic.twitter.com/DOypGKk5xH

Finally managed to JTAG into first-rev A5 (S5L8940X, CPRV 00)! For some unobvious reason GorillaSWD - the 30-pin probe - totally ignores it, while KanziSWD - the Lightning probe - happily works (via ARM Cortex Debug 10-pin connector and with quite old FW - 0.19)pic.twitter.com/5fTb1BUuLg

Another *interesting* housing, this time for 5S Its engraving is scratched, but still looks very much real. If you try hard enough, you can decode the barcode - “SNC0724240100F” C0724240100F isn’t a valid SN and I saw it before Although it’s fake, I’ll rebuild my Proto2 in itpic.twitter.com/KhI3D0aL0f

Now I've got the both colors of the fake iPhone 5 prototype housings, which were made by someone many years ago The serial C39FW006F4KN dates to 2011 week 25, which clearly doesn't match with EVT2 boards you can usually find in such housing (running 10A316 and etc.)pic.twitter.com/o93WJs6ZxJ

Now we know what Stark is But what's Parrot? There's a probe called "ParrotSWD", which has been supported by Astris for quite a while. And more than a year ago I heard a rumor that it's a wireless probe! It all (slowly) comes together, doesn't it?pic.twitter.com/2p2K50K5Af

First of all, I've already showcased Koko Today I'm also disclosing few new details about Needle: It's not recognized by Astris, but it provides VCP interface with a menu similar to Koko's - with "parrot" and "stark" commands (Thanks @_cc999 for both) https://twitter.com/nyan_satan/status/1434916033203212292 …pic.twitter.com/Anxqsgo1W4

First ever SEP key decrypted with Anya! N131bAP 8.1b3 19R5559e CB9076B542287EB5F20CD40DD8DC1B471FC06050E221491C61AD3BE717EFD95A2F4589A3C3BF77ED7A5CE9A8E79C25A9 By the way, I'm looking for someone with last-rev A12 00 device, let me know if you have one and are willing to help!pic.twitter.com/81BBlJVPav

Update: apparently UDT (aka USB-C Diagnostic Tool) isn't that useless as I initially thought - with proper (read - old) FW it actually can be useful Now I can see UART output out of my iPad Air 4 and even some curses in Astris related to debug auth https://twitter.com/nyan_satan/status/1442811459269021698 …pic.twitter.com/1LBfr78xsx

Just got new cables - Koba, Chimp and USB-C Diagnostic Tool Huge thanks to @1nsane_dev for helping me to acquire them!pic.twitter.com/7Mvk2EiEuA

My current conclusion - Koko isn't a full-fledged Astris probe - the Astris error message (the tweet 1), as well as unusually tiny MCU and firmware allude that. It's rather a support board for the actual probes Thanks to @_cc999 for the sample! Bonus - Apple's thoughts on this:pic.twitter.com/XNVjoiAu1t

Apparently Koko is a glorified board for Watch [Series 6] fixtures Look at a board of a Series 4/5 one - all 6 big TPs go straight to Lightning connector (except for power). Power goes through a chip with "DZAC" on its' marking (the chip lowers voltage to ~4.5V). Same on Kokopic.twitter.com/MjUhuJADnU

Koko - something that's recognized by Astris and has a console available over ARM Cortex Debug 10-pin port (apparently just UART though) which allows controlling whatever called Stark and Parrot And that's where the facts end but my wild guesses begin...pic.twitter.com/E8vMoYZdsP

…and initially I thought of it as a sort of a barrier to be called after IOAccessoryPortTransmitData(), but apparently it can only lead to this panic Also the library function appears to be not used anywhere in the systempic.twitter.com/T4WbEXlIZK

It appears you can make Haywire output its debug UART through male Lightning So I *ported* a full chain to boot Haywire to custom firmware via an iOS device: checkm8 (+the bootkit) iRecovery Patched firmware +my own creation called iap_link for interacting with accessory UARTpic.twitter.com/4y6Yv8f2T7