{"id":4032,"date":"2025-12-30T12:28:25","date_gmt":"2025-12-30T03:28:25","guid":{"rendered":"https:\/\/h4ck.kr\/?p=4032"},"modified":"2025-12-30T13:12:35","modified_gmt":"2025-12-30T04:12:35","slug":"tamarine%ec%9c%bc%eb%a1%9c-%ec%95%84%ec%9d%b4%ed%8f%b0-%ec%95%84%ec%9d%b4%ed%8c%a8%eb%93%9c-jtag%eb%94%94%eb%b2%84%ea%b9%85-%ec%8b%9c%eb%a6%ac%ec%96%bc-%eb%a1%9c%ea%b7%b8-%ec%b6%9c%eb%a0%a5%ed%95%b4","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=4032","title":{"rendered":"Tamarine\uc73c\ub85c \uc544\uc774\ud3f0\/\uc544\uc774\ud328\ub4dc JTAG\ub514\ubc84\uae45 \/ \uc2dc\ub9ac\uc5bc \ub85c\uadf8 \ucd9c\ub825\ud574\ubcf4\uae30"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">\uc900\ube44\ubb3c<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\ub77c\uc988\ubca0\ub9ac\ud30c\uc774 Pico \ud540\ud5e4\ub354 \ub0a9\ub55c <a href=\"https:\/\/smartstore.naver.com\/plumkit\/products\/9524875363\">(\uad6c\ub9e4\ub9c1\ud06c)<\/a><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"212\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-1024x212.png\" alt=\"\" class=\"wp-image-4033\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-1024x212.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-300x62.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-768x159.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image.png 1264w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1.5mm \uc77c\uc790 \ub4dc\ub77c\uc774\ubc84<\/li>\n\n\n\n<li>APPLE-LM-BO-V2A Apple Lightning Male connector breakout board (<a href=\"https:\/\/www.elabguy.com\/datasheet\/APPLE-LM-BO-V2A%20Rev1.0.pdf\">DataSheet<\/a>, <a href=\"https:\/\/www.elabguy.com\/drawing\/APPLE-LM-BO-V2A%20Drawing%20Rev1.0.pdf\">Drawing<\/a>, <a href=\"http:\/\/elabbay.com\/products\/apple-lm-bo-v1a-apple-lightning-male-connector-breakout-board\">\uad6c\ub9e4\ub9c1\ud06c<\/a>), \uc5ec\uae30\uc11c \ud544\uc790\ub294 \ub458\uc911\uc5d0 \ub450\ubc88\uc9f8\uc758 \ucd08\ub85d\uc0c9 male connector \ub2ec\ub9b0 \uc81c\ud488 \uc0ac\uc6a9.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"762\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-2-1024x762.png\" alt=\"\" class=\"wp-image-4035\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-2-1024x762.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-2-300x223.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-2-768x571.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-2.png 1218w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li> \ub9c8\uc774\ud06c\ub85c5\ud540 to USB \ucf00\uc774\ube14 (\ub77c\uc988\ubca0\ub9ac\ud30c\uc774 \ud53c\ucf54\ub97c PC\uc5d0 \uc5f0\uacb0\ud560 \uc6a9\ub3c4\ub85c \uc4f0\uc784)<\/li>\n\n\n\n<li>\uc544\ub450\uc774\ub178 \uc554\/\uc554 \uc810\ud37c \ucf00\uc774\ube14 8\uac1c<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">\uc870\ub9bd \uc644\uc131 \uc0ac\uc9c4<\/h1>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1024\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_9563-3.HEIC-768x1024.jpg\" alt=\"\" class=\"wp-image-4037\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_9563-3.HEIC-768x1024.jpg 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_9563-3.HEIC-225x300.jpg 225w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_9563-3.HEIC-1152x1536.jpg 1152w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_9563-3.HEIC-1536x2048.jpg 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_9563-3.HEIC-scaled.jpg 1920w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">Pico\uc6a9 SDK \/ tamarin(\uad6c\ubc84\uc804) \ud38c\uc6e8\uc5b4 \ucef4\ud30c\uc77c<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook tamarin % cd ~\/Desktop\n\nseo@seos-macbook Desktop % mkdir\n\nseo@seos-macbook Desktop % mkdir iphone_jtag\n\nseo@seos-macbook Desktop % cd iphone_jtag\n\nseo@seos-macbook iphone_jtag % mkdir -p tamarin\n\nseo@seos-macbook iphone_jtag % cd $_\n\nseo@seos-macbook tamarin % git clone &lt;https:\/\/github.com\/raspberrypi\/pico-sdk.git>\nCloning into 'pico-sdk'...\n...\n\ncd pico-sdk; git submodule update --init\n\nseo@seos-macbook pico-sdk % export PICO_SDK_PATH=$(pwd) \n\nseo@seos-macbook pico-sdk % cd ..\/\n\nseo@seos-macbook tamarin % git clone &lt;https:\/\/github.com\/stacksmashing\/tamarin-firmware.git>; cd $(basename $_ .git)\nCloning into 'tamarin-firmware'...\n...\n\ncd tamarin-firmware\n\nseo@seos-macbook tamarin-firmware % mkdir build; cd $_\n\nseo@seos-macbook build % cmake ..\n\nseo@seos-macbook build % make -j$(nproc)\n[  0%] Creating directories for 'pioasmBuild'\n...\n[100%] Built target tamarin_firmware\nseo@seos-macbook build % \n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>tamarin_firmware.uf2<\/code> \ud30c\uc77c\uc774 \uc0dd\uc131\ub410\ub294\uc9c0 \ud655\uc778<\/strong><\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook build % ls -la\ntotal 5208\ndrwxr-xr-x  22 seo  staff     704 Dec 29 19:54 .\ndrwxr-xr-x  23 seo  staff     736 Dec 29 19:53 ..\n-rw-r--r--   1 seo  staff   30069 Dec 29 19:54 CMakeCache.txt\n-rw-r--r--   1 seo  staff   15734 Dec 29 19:54 CMakeDoxyfile.in\n-rw-r--r--   1 seo  staff   21594 Dec 29 19:54 CMakeDoxygenDefaults.cmake\ndrwxr-xr-x  18 seo  staff     576 Dec 29 19:54 CMakeFiles\n-rw-r--r--   1 seo  staff  195244 Dec 29 19:54 Makefile\n-rw-r--r--   1 seo  staff    2270 Dec 29 19:54 cmake_install.cmake\ndrwxr-xr-x   3 seo  staff      96 Dec 29 19:54 generated\n-rw-r--r--   1 seo  staff    3051 Dec 29 19:54 lightning_rx.pio.h\n-rw-r--r--   1 seo  staff    3079 Dec 29 19:54 lightning_tx.pio.h\ndrwxr-xr-x   8 seo  staff     256 Dec 29 19:54 pico-sdk\n-rw-r--r--   1 seo  staff      60 Dec 29 19:54 pico_flash_region.ld\ndrwxr-xr-x  11 seo  staff     352 Dec 29 19:54 pioasm\ndrwxr-xr-x   3 seo  staff      96 Dec 29 19:54 pioasm-install\n-rw-r--r--   1 seo  staff    1746 Dec 29 19:54 probe.pio.h\n-rwxr-xr-x   1 seo  staff   42068 Dec 29 19:54 tamarin_firmware.bin\n-rw-r--r--   1 seo  staff  738759 Dec 29 19:54 tamarin_firmware.dis\n-rwxr-xr-x   1 seo  staff  832920 Dec 29 19:54 tamarin_firmware.elf\n-rw-r--r--   1 seo  staff  545393 Dec 29 19:54 tamarin_firmware.elf.map\n-rw-r--r--   1 seo  staff  118382 Dec 29 19:54 tamarin_firmware.hex\n**-rw-r--r--   1 seo  staff   84480 Dec 29 19:54 tamarin_firmware.uf2**\n<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Pico \ubcf4\ub4dc\uc5d0 tamarin \ud38c\uc6e8\uc5b4 \uc5c5\ub85c\ub4dc<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pico \ubcf4\ub4dc\ub97c \ud38c\uc6e8\uc5b4 \uc5c5\ub85c\ub4dc \ubaa8\ub4dc\ub85c \uc9c4\uc785\ubc29\ubc95<ul><li><strong>BOOTSEL \ubc84\ud2bc \ub204\ub978 \uc0c1\ud0dc\uc5d0\uc11c USB \uc5f0\uacb0<\/strong><\/li><\/ul><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"744\" height=\"660\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.03.20-PM.png\" alt=\"\" class=\"wp-image-4040\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.03.20-PM.png 744w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.03.20-PM-300x266.png 300w\" sizes=\"auto, (max-width: 744px) 100vw, 744px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>picotool info<\/code> \uba85\ub839\uc5b4\ub85c USB \uc5f0\uacb0 \ud655\uc778 (picotool\uc740 brew\ub85c \uc124\uce58 \uac00\ub2a5\ud568)<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook tamarin-firmware % picotool info\nProgram Information\n name:          tamarin_firmware\n features:      UART stdin \/ stdout\n binary start:  0x10000000\n binary end:    0x1000946c\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Tamarin \ud38c\uc6e8\uc5b4 \uc5c5\ub85c\ub4dc<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook build % pwd\n\/Users\/seo\/Desktop\/iphone_jtag\/tamarin\/tamarin-firmware\/build\n\nseo@seos-macbook build % picotool load -v .\/tamarin_firmware.uf2 -f\nLoading into Flash:   [==============================]  100%\nVerifying Flash:      [==============================]  100%\n  OK\nseo@seo\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>USB \uc7ac\uc5f0\uacb0 \ud6c4 Tamarine Cable \uc5f0\uacb0\ub410\ub294\uc9c0 \ud655\uc778 <img decoding=\"async\" src=\"attachment:fc25bd8f-a8b5-4af3-a1eb-d91f43460cbe:Screenshot_2025-12-29_at_8.11.35_PM.png\" alt=\"Screenshot 2025-12-29 at 8.11.35\u202fPM.png\"><\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">DCSD \ubaa8\ub4dc\ub85c \uc2dc\ub9ac\uc5bc \ub85c\uadf8 \ud655\uc778\ud558\uae30<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\ud658\uacbd: \uc544\uc774\ud328\ub4dc 7\uc138\ub300 \/ iPadOS 15.0 (turdus_merula\ub85c tethered-downgrade\ub41c \uc0c1\ud0dc)<\/li>\n\n\n\n<li>USB-A 8\ud540 \uc77c\ubc18 \ucf00\uc774\ube14\uc5d0 \uae30\uae30 \uc5f0\uacb0<\/li>\n\n\n\n<li>tamarin \ubaa8\ub4dc \uc124\uc815<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/bin\/zsh\nminicom -D \/dev\/tty.usbmodem313371 -b 115200\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DCSD \ubaa8\ub4dc 2\ubc88 \uc124\uc815<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"687\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.11.35-PM-1024x687.png\" alt=\"\" class=\"wp-image-4041\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.11.35-PM-1024x687.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.11.35-PM-300x201.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.11.35-PM-768x515.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.11.35-PM.png 1384w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\uc0c8 \ud130\ubbf8\ub110 \ud0ed \uc5f4\uae30<\/li>\n\n\n\n<li>bootx \ubb38\uc790\uc5f4\uc744 \uc784\uc758\ub85c \ubc14\uc774\ub108\ub9ac \ud328\uce58\ud574\uc11c \ucd5c\uc885\uc801\uc73c\ub85c \ubd80\ud305\uc774 \ub418\uc9c0 \uc54a\ub3c4\ub85d \ub9cc\ub4e4\uace0, pongo \ubaa8\ub4dc\ub85c \uc9c4\uc785 (\ub9cc\uc57d, untethered-downgrade\ud55c \uc0c1\ud0dc\ub77c\uba74 \u2192 \uc0dd\ub7b5\ud558\uace0 \ubc14\ub85c \ub2e4\uc74c \ub2e8\uacc4\ub85c \ub118\uc5b4\uac08 \uc218 \uc788\uc74c)<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook turdus_m3rula_1.1_b0ea3ee7_macos % cat 150-boot-pongo.sh\n#!\/bin\/zsh\n.\/bin\/turdusra1n_patched -t \/Users\/seo\/Desktop\/turdus_m3rula_1.1_b0ea3ee7_macos\/image4\/[ECID_REDACTED]-iPad7\\\\,11-15.0-iBoot.img4  -i \/Users\/seo\/Desktop\/turdus_m3rula_1.1_b0ea3ee7_macos\/image4\/[ECID_REDACTED]-iPad7\\\\,11-signed-SEP.img4  -p \/Users\/seo\/Desktop\/turdus_m3rula_1.1_b0ea3ee7_macos\/image4\/[ECID_REDACTED]-iPad7\\\\,11-15.0-SEP.im4p\n\nseo@seos-macbook turdus_m3rula_1.1_b0ea3ee7_macos % .\/150-boot-pongo.sh\nturdusra1n 0.2.0-6aafc6eb (usb backend: IOKit)\n- &lt;Log> Waiting for recovery or DFU mode device\n- &lt;Log> Found DFU mode device\n- &lt;Log> checkm8 reset stage\n- &lt;Log> Found DFU mode device\n- &lt;Log> checkm8 setup stage\n- &lt;Log> Entered initial checkm8 state after 9 steps\n- &lt;Log> Stalled input endpoint after 1 steps\n- &lt;Log> Found DFU mode device\n- &lt;Log> checkm8 trigger stage\n- &lt;Log> Checkmate?\n- &lt;Log> Detected pwned DFU mode device\n- &lt;Log> Sending boot image\n- &lt;Log> boot image sent\n- &lt;Log> Found download mode device\n- &lt;Log> Sending pongo image\n- &lt;Log> Found pongo mode device\n- &lt;Log> Sent sep_racer (1211608 bytes)\n- &lt;Log> Sent modload msg\n- &lt;Log> Sent sepfw (1439122 bytes)\n- &lt;Log> Sent sepfw msg\n- &lt;Log> Sent sep (1255758 bytes)\n- &lt;Log> Sent sep msg\n- &lt;Log> Sent sep_flag msg\n- &lt;Log> Sent pwn_seprom msg\n- &lt;Log> Sent kpf_tethered (92248 bytes)\n- &lt;Log> Sent modload msg\n- &lt;Log> Sent kpf msg\n- &lt;Log> Sent bootux\n<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1024\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_0259.HEIC-768x1024.jpg\" alt=\"\" class=\"wp-image-4043\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_0259.HEIC-768x1024.jpg 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_0259.HEIC-225x300.jpg 225w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_0259.HEIC-1152x1536.jpg 1152w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_0259.HEIC-1536x2048.jpg 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_0259.HEIC-scaled.jpg 1920w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\uc0c8 \ud130\ubbf8\ub110 \uc5f4\uae30<\/li>\n\n\n\n<li><a href=\"http:\/\/serial.sh\">serial.sh<\/a> \uc2e4\ud589<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/bin\/zsh\nminicom -D \/dev\/tty.usbmodem313374 -b 115200\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>palera1n \ud0c8\uc625 \ubc0f boot-args\uc5d0 &#8220;<code>serial=3 debug=0x14e<\/code>\u201d \ucd94\uac00<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook turdus_m3rula_1.1_b0ea3ee7_macos % .\/palera1n-macos-arm64 -l -v -e \"serial=3 debug=0x14e\"\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>USB-A 8\ud540 \uc77c\ubc18 \ucf00\uc774\ube14 \uc5f0\uacb0\uc744 \ud574\uc81c\ud558\uace0, \uc7ac\ube68\ub9ac \ube0c\ub808\uc774\ud06c\uc544\uc6c3 \ubcf4\ub4dc\uc5d0 \uc5f0\uacb0<\/li>\n\n\n\n<li>\uc774\uc81c\ubd80\ud130\ub294 <a href=\"http:\/\/serial.sh\">serial.sh<\/a> \uc2e4\ud589\ud55c \ud130\ubbf8\ub110 \ucc3d\uc5d0\uc11c \ub85c\uadf8 \ud655\uc778 \uac00\ub2a5<\/li>\n\n\n\n<li>iBoot<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"614\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-9.01.59-PM-1024x614.png\" alt=\"\" class=\"wp-image-4046\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-9.01.59-PM-1024x614.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-9.01.59-PM-300x180.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-9.01.59-PM-768x461.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-9.01.59-PM-1536x921.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-9.01.59-PM-2048x1229.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Booting\u2026<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"614\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.47.25-PM-1024x614.png\" alt=\"\" class=\"wp-image-4045\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.47.25-PM-1024x614.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.47.25-PM-300x180.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.47.25-PM-768x461.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.47.25-PM-1536x921.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.47.25-PM-2048x1229.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">JTAG \ubaa8\ub4dc\ub85c SecureRom \ub514\ubc84\uae45<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\ud658\uacbd: \uc544\uc774\ud3f08 \/ iOS 14.4.2<\/li>\n\n\n\n<li>\uba38\uc2e0: \uc778\ud154 \ub9e5 \uce74\ub0a0\ub9ac\ub098 10.15.2<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">OpenOCD \ube4c\ub4dc \ubc0f \ud658\uacbd \uc124\uce58<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>UTM \uac00\uc0c1\uba38\uc2e0\uc5d0\uc11c \uc791\uc5c5 \/ Ubuntu 24.04 Server arm64<\/li>\n\n\n\n<li>\ube4c\ub4dc \ubc0f \ucef4\ud30c\uc77c<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seo:~\/iphone_jtag$  git clone &lt;https:\/\/github.com\/tihmstar\/openocd>\nCloning into 'openocd'...\n...\n\nseo@seo:~\/iphone_jtag\/openocd$ cd openocd\n\nseo@seo:~\/iphone_jtag\/openocd$ git submodule update --init\n\nseo@seo:~\/iphone_jtag\/openocd$ .\/bootstrap\n\nseo@seo:~\/iphone_jtag\/openocd$ .\/configure --enable-tamarin\n\nseo@seo:~\/iphone_jtag\/openocd$ make -j$(nproc)\nMakefile:5524: warning: overriding commands for target `check-recursive'\n...\n\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\ucef4\ud30c\uc77c\ub41c \ubc14\uc774\ub108\ub9ac \uc0dd\uc131 \ud655\uc778<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook openocd % file src\/openocd\nsrc\/openocd: Mach-O 64-bit executable arm64\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\uc790\uae30 AP\uce69\uc5d0 \ub9de\ub294 cfg \ub2e4\uc6b4\ub85c\ub4dc \/ \uc124\uc815 \uac00\uc838\uc624\uae30<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook openocd % wget &lt;https:\/\/github.com\/lambdaconcept\/bonobo-configs\/raw\/refs\/heads\/master\/t8015.cfg>\n\nseo@seos-macbook openocd % cp -r .\/tcl\/target .\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">SecureRom \ub514\ubc84\uae45 \ubc0f \uc774\ubbf8\uc9c0 \ub364\ud504<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>USB-A 8\ud540 \uc77c\ubc18 \ucf00\uc774\ube14\uc5d0 \uae30\uae30 \uc5f0\uacb0<\/li>\n\n\n\n<li>minicom\uc5d0\uc11c tamarin \ubaa8\ub4dc \uc124\uc815<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/bin\/zsh\nsudo minicom -D \/dev\/tty.usbmodem313371 -b 115200\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>JTAG mode 1\ubc88\uc73c\ub85c \uc124\uc815<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">...\nGood morning!\n\n1: JTAG mode\n2: DCSD mode\n3: Reset device\n4: Reset and enter DFU mode (iPhone X and up only)\n5: Reenumerate\n\nF: Force JTAG mode without sending command\nJ: Force SPAM-JTAG mode without sending command\nR: Reset Tamarin cable\nS: SPAM mode (Apple Watch UART)\nU: Go into firmware update mode\n> 1\nEnabling JTAG mode.\nRestarting enumeration!\nDone restarting enumeration!\nTristar request received: 74 00 02 1F\nDCSD mode active.\nConnect to the second serial port of the\nTamarin Cable to access the monitor.\nJTAG mode active, ID pin in Hi-Z.\nYou can now connect with an SWD debugger.\nGood morning!\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Demotion<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook turdus_m3rula_1.1_b0ea3ee7_macos % .\/palera1n-macos-arm64 -d -l\n...\n - [12\/30\/25 01:15:20] &lt;Verbose>: DFU mode device found\n - [12\/30\/25 01:15:20] &lt;Info>: Checking if device is ready\n - [12\/30\/25 01:15:20] &lt;Verbose>: Attempting to perform checkm8 on 8015 11\n - [12\/30\/25 01:15:20] &lt;Info>: Setting up the exploit\n - [12\/30\/25 01:15:20] &lt;Verbose>: == checkm8 setup stage ==\n - [12\/30\/25 01:15:20] &lt;Verbose>: Entered initial checkm8 state after 1 steps\n - [12\/30\/25 01:15:20] &lt;Verbose>: Stalled input endpoint after 1 steps\n - [12\/30\/25 01:15:20] &lt;Verbose>: DFU mode device found\n - [12\/30\/25 01:15:20] &lt;Verbose>: == checkm8 trigger stage ==\n - [12\/30\/25 01:15:20] &lt;Info>: Checkmate!\n - [12\/30\/25 01:15:20] &lt;Verbose>: Device should now be demoted\n - [12\/30\/25 01:15:20] &lt;Verbose>: DFU mode device disconnected\n - [12\/30\/25 01:15:20] &lt;Verbose>: DFU mode device found\n - [12\/30\/25 01:15:20] &lt;Info>: Demoted device waiting for debugger\n - [12\/30\/25 01:15:20] &lt;Verbose>: Skipping demoted 8015 11\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\uc544\uc774\ud3f0 \ucf00\uc774\ube14 \ubd84\ub9ac \ubc0f Tamarine \ucf00\uc774\ube14\ub85c \uc7ac\uc5f0\uacb0 \/ Tamarine cable \uc5f0\uacb0<\/li>\n\n\n\n<li>OpenOCD\ub85c \uc5f0\uacb0<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">.\/src\/openocd -f tcl\/interface\/tamarin.cfg -f t8015.cfg -c \"bindto 0.0.0.0\" \n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>telnet\uc73c\ub85c \uc81c\uc5b4 \uc778\ud130\ud398\uc774\uc2a4\uc5d0 \uc811\uadfc \ubc0f halt \uc218\ud589<\/li>\n\n\n\n<li><code>telnet 127.0.0.1 4444<\/code><\/li>\n\n\n\n<li><code>targets iphone.ecore0<\/code><\/li>\n\n\n\n<li><code>halt<\/code><\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook openocd % telnet 127.0.0.1 4444\nTrying 127.0.0.1...\nConnected to 127.0.0.1.\nEscape character is '^]'.\nOpen On-Chip Debugger\n> targets\n    TargetName         Type       Endian TapName            State       \n--  ------------------ ---------- ------ ------------------ ------------\n 0  iphone.dbg         mem_ap     little iphone.cpu         running\n 1  iphone.mem         mem_ap     little iphone.cpu         running\n 2  iphone.ecore0      aarch64    little iphone.cpu         running\n 3  iphone.ecore1      aarch64    little iphone.cpu         poweroff\n 4  iphone.ecore2      aarch64    little iphone.cpu         poweroff\n 5  iphone.ecore3      aarch64    little iphone.cpu         poweroff\n 6  iphone.pcore0      aarch64    little iphone.cpu         poweroff\n 7  iphone.pcore1      aarch64    little iphone.cpu         poweroff\n 8* iphone.sep         aarch64    little iphone.cpu         unknown\n\n> targets iphone.ecore0\n> halt\nTimeout waiting for target iphone.ecore0 halt\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>halt<\/code> \uc218\ud589\uc2dc <code>Timeout waiting for\u2026<\/code> \uc5d0\ub7ec \ucd9c\ub825\uc2dc\uc5d0 minicom \ucc3d\uc5d0\uc11c <code>F: Force JTAG mode without sending command,<\/code> \uc989 F\ubaa8\ub4dc\ub85c tamarin \ubaa8\ub4dc \uc124\uc815.<\/li>\n\n\n\n<li>\uc774\ud6c4\uc5d4 \uc81c\ub300\ub85c halt \ub428 <code>target halted in AArch64 state due to debug-request, current mode: EL1T cpsr: 0x800002c4 pc: 0x100000568 MMU: enabled, D-Cache: enabled, I-Cache: enabled<\/code><\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook openocd_tihmstar % sudo .\/src\/openocd -f tcl\/interface\/tamarin.cfg -f t8015.cfg\nOpen On-Chip Debugger 0.10.0+dev-gd91b411c (2025-12-29-23:11)\nLicensed under GNU GPL v2\nFor bug reports, read\n\t&lt;http:\/\/openocd.org\/doc\/doxygen\/bugs.html>\nInfo : only one transport option; autoselect 'swd'\nWarn : Transport \"swd\" was already selected\nadapter speed: 1000 kHz\n\nWarn : Interface already configured, ignoring\nWarn : Transport \"swd\" was already selected\nInfo : clock speed 10000 kHz\nInfo : SWD DPIDR 0x03000067\nError: iphone.ecore0: missing UTT configuration, halt may not work\nInfo : iphone.ecore0: hardware has 2 breakpoints, 3 watchpoints\nError: iphone.ecore1: missing UTT configuration, halt may not work\nError: iphone.ecore1 powered down!\nError: iphone.ecore2: missing UTT configuration, halt may not work\nError: iphone.ecore2 powered down!\nError: iphone.ecore3: missing UTT configuration, halt may not work\nError: iphone.ecore3 powered down!\nError: iphone.pcore0: missing UTT configuration, halt may not work\nError: iphone.pcore0 powered down!\nError: iphone.pcore1: missing UTT configuration, halt may not work\nError: iphone.pcore1 powered down!\nError: iphone.sep: missing UTT configuration, halt may not work\nInfo : Listening on port 3333 for gdb connections\nInfo : Listening on port 3334 for gdb connections\nInfo : Listening on port 3335 for gdb connections\nInfo : Listening on port 3336 for gdb connections\nInfo : Listening on port 3337 for gdb connections\nInfo : Listening on port 3338 for gdb connections\nInfo : Listening on port 3339 for gdb connections\nInfo : Listening on port 6666 for tcl connections\nInfo : Listening on port 4444 for telnet connections\nInfo : accepting 'telnet' connection on tcp\/4444\nError: Timeout waiting for target iphone.ecore0 halt\n\nInfo : iphone.ecore0 cluster 0 core 0 multi core\ntarget halted in AArch64 state due to debug-request, current mode: EL1T\ncpsr: 0x800002c4 pc: 0x100000568\nMMU: enabled, D-Cache: enabled, I-Cache: enabled\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\ub514\ubc84\uac70 \uc5f0\uacb0<\/li>\n\n\n\n<li><code>lldb<\/code><\/li>\n\n\n\n<li><code>gdb-remote 3333<\/code><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"614\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.15.54-AM-1-1024x614.png\" alt=\"\" class=\"wp-image-4048\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.15.54-AM-1-1024x614.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.15.54-AM-1-300x180.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.15.54-AM-1-768x461.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.15.54-AM-1-1536x921.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.15.54-AM-1-2048x1229.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SecureRom \uc774\ubbf8\uc9c0 \ub364\ud504<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">(lldb) memory read --binary --outfile .\/dump.bin --force 0x100000000 0x100020000\n131072 bytes written to 'dump.bin'\n<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"618\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.26.16-AM-1024x618.png\" alt=\"\" class=\"wp-image-4049\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.26.16-AM-1024x618.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.26.16-AM-300x181.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.26.16-AM-768x464.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.26.16-AM-1536x927.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.26.16-AM-2048x1236.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">\ucee4\ub110 \ub514\ubc84\uae45 (\uc2e4\ud328)<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">\uc544\uc774\ub514\uc5b4\u2026<\/h2>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">(lldb) p\/x 0x207 &amp; 0xfffffffe\n(unsigned int) 0x00000206\n\/\/ Demote \uc124\uc815 \uc804 \uac12\uc5d0\uc11c 0xfffffffe AND \uc5f0\uc0b0\ud55c\uac8c \ubc14\ub85c 0x206\uc784.\n\n(lldb) x\/wx 0x2352BC000\n0x2352bc000: 0x00000206\n(lldb) x\/gx 0x2352BC000\n0x2352bc000: 0x2200000000000206\n\/\/ A11\uce69 \uae30\uc900 demotion_reg \uc8fc\uc18c\ub294 0x2352BC000.\n\/\/ &lt;https:\/\/github.com\/axi0mX\/ipwndfu\/blob\/master\/device_platform.py>\n\npongoOS> peek 0x2352BC000\n0x2352bc000: 207 (7 2 0 0)\n\/\/ \uae30\uc874 \uac12 (Demote \uc548\ub428)\npongoOS> peek 0x2352BC004\n0x2352bc004: 22000000 (0 0 0 22)\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>gaster\uc5d0\uc11c demotion flag \uac74\ub4dc\ub9b0\ub2e4\uc74c, \ucee4\uc2a4\ud140 \ubd80\ud2b8\ub85c\ub354\uc640 \ucee4\ub110 \uc62c\ub9ac\uace0 \ud558\uba74 \ub420\uc9c0\ub3c4?<\/li>\n\n\n\n<li>\ub2e8, ramdisk \uc258 \ubd80\ud305\uc0c1\ud0dc\ub85c \uc9c4\uc785\ud574\uc57c\ub428. SEP \ud328\ub2c9 \ubc1c\uc0dd \uac00\ub2a5\uc131 \uc788\uc74c.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">\uc2dc\ud589\ucc29\uc624<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>demotion flag\ub97c pongoOS shell\uc5d0\uc11c \uac74\ub4dc\ub9b4\ub824\uace0 \ud588\uc73c\ub098 \uc548\ub410\uc74c.<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">pongoOS> poke 0x2352BC000 206\nwriting 206 @ 0x2352bc000\npongoOS> poke 0x2352BC000 0x206\nwriting 206 @ 0x2352bc000\npongoOS> peek 0x2352BC000\n0x2352bc000: 207 (7 2 0 0)\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Checkra1n 0.1337.x\uc5d0\uc11c \uc2dc\ub3c4: demote \uc131\uacf5<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">pongoOS> fuse demote\npongoOS> peek 0x2352BC000\n0x2352bc000: 206 (6 2 0 0)\n\n\/\/\ubd80\ud305\nbootx\n\n... \uc774\ud6c4 \ubd80\ud305\uc740 \uc2e4\ud328\n\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>gaster\uc5d0\uc11c demotion \uc774\ud6c4\uc5d0 SSHRD_Script\ub85c \ub7a8\ub514\uc2a4\ud06c \ubd80\ud305\ud560\ub824\uace0 \ud5c0\uc73c\ub098\u2026 \uc2e4\ud328<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"cpp\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">static bool\ngaster_demote(usb_handle_t *handle, const uint8_t *src, uint8_t *dst, size_t len) {\n\tstruct {\n\t\tuint32_t magic_0, magic_1, func, pad, r[8];\n\t} exec_cmd_armv7;\n\tuint8_t data[DFU_MAX_TRANSFER_SZ], *response;\n\tstruct {\n\t\tuint64_t magic, func, x[8];\n\t} exec_cmd;\n\tuint32_t r_armv7;\n\tsize_t data_sz;\n\tuint64_t r;\n\n\tif(cpid == 0x8015) {\n\t\texec_cmd.magic = EXEC_MAGIC;\n\t\texec_cmd.func = 0x10000F804;\t\/\/STR X1, [X0]; RET;\n\t\texec_cmd.x[0] = 0x2352BC000;\t\/\/write where?\n\t\texec_cmd.x[1] = 0x2200000000000207;\t\/\/write what!\n\t\texec_cmd.x[2] = 0;\n\t\texec_cmd.x[3] = 0;\n\t\texec_cmd.x[4] = 0;\n\t\texec_cmd.x[5] = 0;\n\t\texec_cmd.x[6] = 0;\n\t\tmemcpy(data, &amp;exec_cmd, sizeof(exec_cmd) - sizeof(r));\n\t\tdata_sz = sizeof(exec_cmd) - sizeof(r);\n\t\tmemcpy(data + data_sz, src, len);\n\t\tdata_sz += len;\n\t}\n\tif(gaster_command(handle, data, data_sz, &amp;response, len + 2 * sizeof(r))) {\n\t\tmemcpy(&amp;r, response, sizeof(r));\n\t\tif(r != DONE_MAGIC) {\n\t\t\tfree(response);\n\t\t\treturn false;\n\t\t}\n\t\tmemcpy(&amp;r, response + sizeof(r), sizeof(r));\n\t\tif((uint32_t)r != 0) {\n\t\t\tfree(response);\n\t\t\treturn false;\n\t\t}\n\t\tmemcpy(dst, response + 2 * sizeof(r), len);\n\t\tfree(response);\n\t\treturn true;\n\t}\n\treturn false;\n}\n\n...\n} else if(argc == 2 &amp;&amp; strcmp(argv[1], \"pwn\") == 0) {\n\t\tif(gaster_checkm8(&amp;handle)) {\n\t\t\tuint8_t idk[AES_BLOCK_SZ + AES_KEY_SZ_BYTES_256];\n\t\t\tprintf(\"gaster_demote ret = %d\\\\n\", gaster_demote(&amp;handle, idk, idk, sizeof(idk)));\n\t\t\tret = 0;\n\t\t}\n...\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook SSHRD_Script % .\/Darwin\/irecovery -f sshramdisk\/iBSS.img4\n[==================================================] 100.0%\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook Darwin % .\/irecovery -s\n> \n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\uc6d0\ud588\ub358 \uc608\uc0c1 \uacb0\uacfc<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook Darwin % .\/irecovery -s\n96ede82803e085b:365\n\n=======================================\n::\n:: iBoot for d20, Copyright 2007-2020, Apple Inc.\n::\n::\tRemote boot, Board 0xa (d201ap)\/Rev 0xf\n::\n::\tBUILD_TAG: iBoot-6723.80.19\n::\n::\tBUILD_STYLE: RELEASE\n...\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\uc0dd\uac01 \uc815\ub9ac<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\uc77c\ubc18 \ucf00\uc774\ube14\uacfc DCSD\/JTAG \ucf00\uc774\ube14\uc744 \ub9e4\ubc88 \ubd84\ub9ac\ud574\uc11c \uc0ac\uc6a9\ud558\ub294\ub370 \uc788\uc5b4\uc11c \ucee4\ub110 \ub514\ubc84\uae45\uc740 \ube44\ud6a8\uc728\uc801.\n<ul class=\"wp-block-list\">\n<li>\uc720\uc800\ud658\uacbd\uc5d0\uc11c \ub7a8\ub514\uc2a4\ud06c \ubaa8\ub4dc\uc5d0\uc11c \uc775\uc2a4\ud50c\ub85c\uc787 \ud504\ub85c\uadf8\ub7a8\uc744 \uc2e4\ud589\uc2dc\ud0ac\ub824\uba74 \uc77c\ubc18 \ucf00\uc774\ube14\ub85c \uc5f0\uacb0\ud574\uc11c \uc258 \uba85\ub839\uc5b4\ub97c \uc785\ub825\ud574\uc57c\ud560\ud150\ub370, \ucee4\ub110 \ub514\ubc84\uae45\uc744 \ud560\ub824\uba74 \ub2e4\uc2dc DCSD\/JTAG \ucf00\uc774\ube14\ub85c \uc5f0\uacb0\uc2dc\ucf1c\uc57c\ub418\ub2c8 \ubd88\ud3b8\ud568.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>iOS 12.x~14.x\ub294 KTRW\ub85c \uc544\uc774\ud3f08 \ucee4\ub110 \ub514\ubc84\uae45<\/li>\n\n\n\n<li>QEMUAppleSilicon\uc73c\ub85c \uac00\uc0c1 \uc544\uc774\ud3f011 iOS 14.0b5 \ucee4\ub110 \ub514\ubc84\uae45\ub3c4 \uac00\ub2a5<\/li>\n\n\n\n<li>iOS 15.x+\uc758 \uacbd\uc6b0, macOS 12.0.1+\ub85c \ub300\uccb4\ud558\uc5ec \ucee4\ub110 \ub514\ubc84\uae45 &#8211; super-tart\ub85c \ub77c\uc774\ube0c \ucee4\ub110 \ub514\ubc84\uae45\ud558\ub294 \ubc29\ubc95\uc774 \uc88b\uc744\ub4ef (macOS 12.0.1+)<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\uc900\ube44\ubb3c \uc870\ub9bd \uc644\uc131 \uc0ac\uc9c4 Pico\uc6a9 SDK \/ tamarin(\uad6c\ubc84\uc804) \ud38c\uc6e8\uc5b4 \ucef4\ud30c\uc77c Pico \ubcf4\ub4dc\uc5d0 tamarin \ud38c\uc6e8\uc5b4 \uc5c5\ub85c\ub4dc DCSD \ubaa8\ub4dc\ub85c \uc2dc\ub9ac\uc5bc \ub85c\uadf8 \ud655\uc778\ud558\uae30 JTAG \ubaa8\ub4dc\ub85c SecureRom \ub514\ubc84\uae45 OpenOCD \ube4c\ub4dc \ubc0f \ud658\uacbd \uc124\uce58 SecureRom \ub514\ubc84\uae45 \ubc0f \uc774\ubbf8\uc9c0 \ub364\ud504 \ucee4\ub110 \ub514\ubc84\uae45 (\uc2e4\ud328) \uc544\uc774\ub514\uc5b4\u2026 \uc2dc\ud589\ucc29\uc624 \uc0dd\uac01 \uc815\ub9ac<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[72],"tags":[11,12,13,25],"class_list":["post-4032","post","type-post","status-publish","format-standard","hentry","category-realworld","tag-ios","tag-ios-kernel","tag-macos","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/4032","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4032"}],"version-history":[{"count":5,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/4032\/revisions"}],"predecessor-version":[{"id":4052,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/4032\/revisions\/4052"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4032"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4032"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4032"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}