{"id":4032,"date":"2025-12-30T12:28:25","date_gmt":"2025-12-30T03:28:25","guid":{"rendered":"https:\/\/h4ck.kr\/?p=4032"},"modified":"2025-12-30T13:12:35","modified_gmt":"2025-12-30T04:12:35","slug":"tamarine%ec%9c%bc%eb%a1%9c-%ec%95%84%ec%9d%b4%ed%8f%b0-%ec%95%84%ec%9d%b4%ed%8c%a8%eb%93%9c-jtag%eb%94%94%eb%b2%84%ea%b9%85-%ec%8b%9c%eb%a6%ac%ec%96%bc-%eb%a1%9c%ea%b7%b8-%ec%b6%9c%eb%a0%a5%ed%95%b4","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=4032","title":{"rendered":"Tamarine\uc73c\ub85c \uc544\uc774\ud3f0\/\uc544\uc774\ud328\ub4dc JTAG\ub514\ubc84\uae45 \/ \uc2dc\ub9ac\uc5bc \ub85c\uadf8 \ucd9c\ub825\ud574\ubcf4\uae30"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">\uc900\ube44\ubb3c<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\ub77c\uc988\ubca0\ub9ac\ud30c\uc774 Pico \ud540\ud5e4\ub354 \ub0a9\ub55c <a href=\"https:\/\/smartstore.naver.com\/plumkit\/products\/9524875363\">(\uad6c\ub9e4\ub9c1\ud06c)<\/a><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"212\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-1024x212.png\" alt=\"\" class=\"wp-image-4033\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-1024x212.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-300x62.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-768x159.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image.png 1264w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1.5mm \uc77c\uc790 \ub4dc\ub77c\uc774\ubc84<\/li>\n\n\n\n<li>APPLE-LM-BO-V2A Apple Lightning Male connector breakout board (<a href=\"https:\/\/www.elabguy.com\/datasheet\/APPLE-LM-BO-V2A%20Rev1.0.pdf\">DataSheet<\/a>, <a href=\"https:\/\/www.elabguy.com\/drawing\/APPLE-LM-BO-V2A%20Drawing%20Rev1.0.pdf\">Drawing<\/a>, <a 
href=\"http:\/\/elabbay.com\/products\/apple-lm-bo-v1a-apple-lightning-male-connector-breakout-board\">\uad6c\ub9e4\ub9c1\ud06c<\/a>), \uc5ec\uae30\uc11c \ud544\uc790\ub294 \ub458\uc911\uc5d0 \ub450\ubc88\uc9f8\uc758 \ucd08\ub85d\uc0c9 male connector \ub2ec\ub9b0 \uc81c\ud488 \uc0ac\uc6a9.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"762\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-2-1024x762.png\" alt=\"\" class=\"wp-image-4035\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-2-1024x762.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-2-300x223.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-2-768x571.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/image-2.png 1218w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li> \ub9c8\uc774\ud06c\ub85c5\ud540 to USB \ucf00\uc774\ube14 (\ub77c\uc988\ubca0\ub9ac\ud30c\uc774 \ud53c\ucf54\ub97c PC\uc5d0 \uc5f0\uacb0\ud560 \uc6a9\ub3c4\ub85c \uc4f0\uc784)<\/li>\n\n\n\n<li>\uc544\ub450\uc774\ub178 \uc554\/\uc554 \uc810\ud37c \ucf00\uc774\ube14 8\uac1c<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">\uc870\ub9bd \uc644\uc131 \uc0ac\uc9c4<\/h1>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1024\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_9563-3.HEIC-768x1024.jpg\" alt=\"\" class=\"wp-image-4037\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_9563-3.HEIC-768x1024.jpg 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_9563-3.HEIC-225x300.jpg 225w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_9563-3.HEIC-1152x1536.jpg 1152w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_9563-3.HEIC-1536x2048.jpg 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_9563-3.HEIC-scaled.jpg 
1920w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">Pico\uc6a9 SDK \/ tamarin(\uad6c\ubc84\uc804) \ud38c\uc6e8\uc5b4 \ucef4\ud30c\uc77c<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook tamarin % cd ~\/Desktop\n\nseo@seos-macbook Desktop % mkdir\n\nseo@seos-macbook Desktop % mkdir iphone_jtag\n\nseo@seos-macbook Desktop % cd iphone_jtag\n\nseo@seos-macbook iphone_jtag % mkdir -p tamarin\n\nseo@seos-macbook iphone_jtag % cd $_\n\nseo@seos-macbook tamarin % git clone &lt;https:\/\/github.com\/raspberrypi\/pico-sdk.git>\nCloning into 'pico-sdk'...\n...\n\ncd pico-sdk; git submodule update --init\n\nseo@seos-macbook pico-sdk % export PICO_SDK_PATH=$(pwd) \n\nseo@seos-macbook pico-sdk % cd ..\/\n\nseo@seos-macbook tamarin % git clone &lt;https:\/\/github.com\/stacksmashing\/tamarin-firmware.git>; cd $(basename $_ .git)\nCloning into 'tamarin-firmware'...\n...\n\ncd tamarin-firmware\n\nseo@seos-macbook tamarin-firmware % mkdir build; cd $_\n\nseo@seos-macbook build % cmake ..\n\nseo@seos-macbook build % make -j$(nproc)\n[  0%] Creating directories for 'pioasmBuild'\n...\n[100%] Built target tamarin_firmware\nseo@seos-macbook build % \n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>tamarin_firmware.uf2<\/code> \ud30c\uc77c\uc774 \uc0dd\uc131\ub410\ub294\uc9c0 \ud655\uc778<\/strong><\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook build % ls -la\ntotal 5208\ndrwxr-xr-x  22 seo  staff     704 Dec 29 19:54 .\ndrwxr-xr-x  23 seo  staff     736 Dec 29 19:53 
..\n-rw-r--r--   1 seo  staff   30069 Dec 29 19:54 CMakeCache.txt\n-rw-r--r--   1 seo  staff   15734 Dec 29 19:54 CMakeDoxyfile.in\n-rw-r--r--   1 seo  staff   21594 Dec 29 19:54 CMakeDoxygenDefaults.cmake\ndrwxr-xr-x  18 seo  staff     576 Dec 29 19:54 CMakeFiles\n-rw-r--r--   1 seo  staff  195244 Dec 29 19:54 Makefile\n-rw-r--r--   1 seo  staff    2270 Dec 29 19:54 cmake_install.cmake\ndrwxr-xr-x   3 seo  staff      96 Dec 29 19:54 generated\n-rw-r--r--   1 seo  staff    3051 Dec 29 19:54 lightning_rx.pio.h\n-rw-r--r--   1 seo  staff    3079 Dec 29 19:54 lightning_tx.pio.h\ndrwxr-xr-x   8 seo  staff     256 Dec 29 19:54 pico-sdk\n-rw-r--r--   1 seo  staff      60 Dec 29 19:54 pico_flash_region.ld\ndrwxr-xr-x  11 seo  staff     352 Dec 29 19:54 pioasm\ndrwxr-xr-x   3 seo  staff      96 Dec 29 19:54 pioasm-install\n-rw-r--r--   1 seo  staff    1746 Dec 29 19:54 probe.pio.h\n-rwxr-xr-x   1 seo  staff   42068 Dec 29 19:54 tamarin_firmware.bin\n-rw-r--r--   1 seo  staff  738759 Dec 29 19:54 tamarin_firmware.dis\n-rwxr-xr-x   1 seo  staff  832920 Dec 29 19:54 tamarin_firmware.elf\n-rw-r--r--   1 seo  staff  545393 Dec 29 19:54 tamarin_firmware.elf.map\n-rw-r--r--   1 seo  staff  118382 Dec 29 19:54 tamarin_firmware.hex\n**-rw-r--r--   1 seo  staff   84480 Dec 29 19:54 tamarin_firmware.uf2**\n<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Pico \ubcf4\ub4dc\uc5d0 tamarin \ud38c\uc6e8\uc5b4 \uc5c5\ub85c\ub4dc<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pico \ubcf4\ub4dc\ub97c \ud38c\uc6e8\uc5b4 \uc5c5\ub85c\ub4dc \ubaa8\ub4dc\ub85c \uc9c4\uc785\ubc29\ubc95<ul><li><strong>BOOTSEL \ubc84\ud2bc \ub204\ub978 \uc0c1\ud0dc\uc5d0\uc11c USB \uc5f0\uacb0<\/strong><\/li><\/ul><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"744\" height=\"660\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.03.20-PM.png\" alt=\"\" class=\"wp-image-4040\" 
srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.03.20-PM.png 744w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.03.20-PM-300x266.png 300w\" sizes=\"auto, (max-width: 744px) 100vw, 744px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>picotool info<\/code> \uba85\ub839\uc5b4\ub85c USB \uc5f0\uacb0 \ud655\uc778 (picotool\uc740 brew\ub85c \uc124\uce58 \uac00\ub2a5\ud568)<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook tamarin-firmware % picotool info\nProgram Information\n name:          tamarin_firmware\n features:      UART stdin \/ stdout\n binary start:  0x10000000\n binary end:    0x1000946c\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Tamarin \ud38c\uc6e8\uc5b4 \uc5c5\ub85c\ub4dc<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook build % pwd\n\/Users\/seo\/Desktop\/iphone_jtag\/tamarin\/tamarin-firmware\/build\n\nseo@seos-macbook build % picotool load -v .\/tamarin_firmware.uf2 -f\nLoading into Flash:   [==============================]  100%\nVerifying Flash:      [==============================]  100%\n  OK\nseo@seo\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>USB \uc7ac\uc5f0\uacb0 \ud6c4 Tamarine Cable \uc5f0\uacb0\ub410\ub294\uc9c0 \ud655\uc778 <img decoding=\"async\" src=\"attachment:fc25bd8f-a8b5-4af3-a1eb-d91f43460cbe:Screenshot_2025-12-29_at_8.11.35_PM.png\" alt=\"Screenshot 2025-12-29 at 8.11.35\u202fPM.png\"><\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">DCSD \ubaa8\ub4dc\ub85c \uc2dc\ub9ac\uc5bc 
\ub85c\uadf8 \ud655\uc778\ud558\uae30<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\ud658\uacbd: \uc544\uc774\ud328\ub4dc 7\uc138\ub300 \/ iPadOS 15.0 (turdus_merula\ub85c tethered-downgrade\ub41c \uc0c1\ud0dc)<\/li>\n\n\n\n<li>USB-A 8\ud540 \uc77c\ubc18 \ucf00\uc774\ube14\uc5d0 \uae30\uae30 \uc5f0\uacb0<\/li>\n\n\n\n<li>tamarin \ubaa8\ub4dc \uc124\uc815<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/bin\/zsh\nminicom -D \/dev\/tty.usbmodem313371 -b 115200\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DCSD \ubaa8\ub4dc 2\ubc88 \uc124\uc815<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"687\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.11.35-PM-1024x687.png\" alt=\"\" class=\"wp-image-4041\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.11.35-PM-1024x687.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.11.35-PM-300x201.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.11.35-PM-768x515.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.11.35-PM.png 1384w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\uc0c8 \ud130\ubbf8\ub110 \ud0ed \uc5f4\uae30<\/li>\n\n\n\n<li>bootx \ubb38\uc790\uc5f4\uc744 \uc784\uc758\ub85c \ubc14\uc774\ub108\ub9ac \ud328\uce58\ud574\uc11c \ucd5c\uc885\uc801\uc73c\ub85c \ubd80\ud305\uc774 \ub418\uc9c0 \uc54a\ub3c4\ub85d \ub9cc\ub4e4\uace0, pongo \ubaa8\ub4dc\ub85c \uc9c4\uc785 (\ub9cc\uc57d, untethered-downgrade\ud55c \uc0c1\ud0dc\ub77c\uba74 \u2192 \uc0dd\ub7b5\ud558\uace0 \ubc14\ub85c 
\ub2e4\uc74c \ub2e8\uacc4\ub85c \ub118\uc5b4\uac08 \uc218 \uc788\uc74c)<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook turdus_m3rula_1.1_b0ea3ee7_macos % cat 150-boot-pongo.sh\n#!\/bin\/zsh\n.\/bin\/turdusra1n_patched -t \/Users\/seo\/Desktop\/turdus_m3rula_1.1_b0ea3ee7_macos\/image4\/[ECID_REDACTED]-iPad7\\\\,11-15.0-iBoot.img4  -i \/Users\/seo\/Desktop\/turdus_m3rula_1.1_b0ea3ee7_macos\/image4\/[ECID_REDACTED]-iPad7\\\\,11-signed-SEP.img4  -p \/Users\/seo\/Desktop\/turdus_m3rula_1.1_b0ea3ee7_macos\/image4\/[ECID_REDACTED]-iPad7\\\\,11-15.0-SEP.im4p\n\nseo@seos-macbook turdus_m3rula_1.1_b0ea3ee7_macos % .\/150-boot-pongo.sh\nturdusra1n 0.2.0-6aafc6eb (usb backend: IOKit)\n- &lt;Log> Waiting for recovery or DFU mode device\n- &lt;Log> Found DFU mode device\n- &lt;Log> checkm8 reset stage\n- &lt;Log> Found DFU mode device\n- &lt;Log> checkm8 setup stage\n- &lt;Log> Entered initial checkm8 state after 9 steps\n- &lt;Log> Stalled input endpoint after 1 steps\n- &lt;Log> Found DFU mode device\n- &lt;Log> checkm8 trigger stage\n- &lt;Log> Checkmate?\n- &lt;Log> Detected pwned DFU mode device\n- &lt;Log> Sending boot image\n- &lt;Log> boot image sent\n- &lt;Log> Found download mode device\n- &lt;Log> Sending pongo image\n- &lt;Log> Found pongo mode device\n- &lt;Log> Sent sep_racer (1211608 bytes)\n- &lt;Log> Sent modload msg\n- &lt;Log> Sent sepfw (1439122 bytes)\n- &lt;Log> Sent sepfw msg\n- &lt;Log> Sent sep (1255758 bytes)\n- &lt;Log> Sent sep msg\n- &lt;Log> Sent sep_flag msg\n- &lt;Log> Sent pwn_seprom msg\n- &lt;Log> Sent kpf_tethered (92248 bytes)\n- &lt;Log> Sent modload msg\n- &lt;Log> Sent kpf msg\n- &lt;Log> Sent bootux\n<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" 
height=\"1024\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_0259.HEIC-768x1024.jpg\" alt=\"\" class=\"wp-image-4043\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_0259.HEIC-768x1024.jpg 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_0259.HEIC-225x300.jpg 225w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_0259.HEIC-1152x1536.jpg 1152w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_0259.HEIC-1536x2048.jpg 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/IMG_0259.HEIC-scaled.jpg 1920w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\uc0c8 \ud130\ubbf8\ub110 \uc5f4\uae30<\/li>\n\n\n\n<li><a href=\"http:\/\/serial.sh\">serial.sh<\/a> \uc2e4\ud589<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/bin\/zsh\nminicom -D \/dev\/tty.usbmodem313374 -b 115200\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>palera1n \ud0c8\uc625 \ubc0f boot-args\uc5d0 &#8220;<code>serial=3 debug=0x14e<\/code>\u201d \ucd94\uac00<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook turdus_m3rula_1.1_b0ea3ee7_macos % .\/palera1n-macos-arm64 -l -v -e \"serial=3 debug=0x14e\"\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>USB-A 8\ud540 \uc77c\ubc18 \ucf00\uc774\ube14 \uc5f0\uacb0\uc744 \ud574\uc81c\ud558\uace0, \uc7ac\ube68\ub9ac \ube0c\ub808\uc774\ud06c\uc544\uc6c3 \ubcf4\ub4dc\uc5d0 \uc5f0\uacb0<\/li>\n\n\n\n<li>\uc774\uc81c\ubd80\ud130\ub294 <a href=\"http:\/\/serial.sh\">serial.sh<\/a> \uc2e4\ud589\ud55c \ud130\ubbf8\ub110 
\ucc3d\uc5d0\uc11c \ub85c\uadf8 \ud655\uc778 \uac00\ub2a5<\/li>\n\n\n\n<li>iBoot<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"614\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-9.01.59-PM-1024x614.png\" alt=\"\" class=\"wp-image-4046\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-9.01.59-PM-1024x614.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-9.01.59-PM-300x180.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-9.01.59-PM-768x461.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-9.01.59-PM-1536x921.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-9.01.59-PM-2048x1229.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Booting\u2026<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"614\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.47.25-PM-1024x614.png\" alt=\"\" class=\"wp-image-4045\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.47.25-PM-1024x614.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.47.25-PM-300x180.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.47.25-PM-768x461.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.47.25-PM-1536x921.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-29-at-8.47.25-PM-2048x1229.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">JTAG \ubaa8\ub4dc\ub85c SecureRom \ub514\ubc84\uae45<\/h1>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>\ud658\uacbd: \uc544\uc774\ud3f08 \/ iOS 14.4.2<\/li>\n\n\n\n<li>\uba38\uc2e0: \uc778\ud154 \ub9e5 \uce74\ud0c8\ub9ac\ub098 10.15.2<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">OpenOCD \ube4c\ub4dc \ubc0f \ud658\uacbd \uc124\uce58<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>UTM \uac00\uc0c1\uba38\uc2e0\uc5d0\uc11c \uc791\uc5c5 \/ Ubuntu 24.04 Server arm64<\/li>\n\n\n\n<li>\ube4c\ub4dc \ubc0f \ucef4\ud30c\uc77c<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seo:~\/iphone_jtag$  git clone https:\/\/github.com\/tihmstar\/openocd\nCloning into 'openocd'...\n...\n\nseo@seo:~\/iphone_jtag\/openocd$ cd openocd\n\nseo@seo:~\/iphone_jtag\/openocd$ git submodule update --init\n\nseo@seo:~\/iphone_jtag\/openocd$ .\/bootstrap\n\nseo@seo:~\/iphone_jtag\/openocd$ .\/configure --enable-tamarin\n\nseo@seo:~\/iphone_jtag\/openocd$ make -j$(nproc)\nMakefile:5524: warning: overriding commands for target `check-recursive'\n...\n\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\ucef4\ud30c\uc77c\ub41c \ubc14\uc774\ub108\ub9ac \uc0dd\uc131 \ud655\uc778<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook openocd % file src\/openocd\nsrc\/openocd: Mach-O 64-bit executable arm64\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\uc790\uae30 AP\uce69\uc5d0 \ub9de\ub294 cfg \ub2e4\uc6b4\ub85c\ub4dc \/ \uc124\uc815 \uac00\uc838\uc624\uae30<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" 
data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook openocd % wget https:\/\/github.com\/lambdaconcept\/bonobo-configs\/raw\/refs\/heads\/master\/t8015.cfg\n\nseo@seos-macbook openocd % cp -r .\/tcl\/target .\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">SecureRom \ub514\ubc84\uae45 \ubc0f \uc774\ubbf8\uc9c0 \ub364\ud504<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>USB-A 8\ud540 \uc77c\ubc18 \ucf00\uc774\ube14\uc5d0 \uae30\uae30 \uc5f0\uacb0<\/li>\n\n\n\n<li>minicom\uc5d0\uc11c tamarin \ubaa8\ub4dc \uc124\uc815<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/bin\/zsh\nsudo minicom -D \/dev\/tty.usbmodem313371 -b 115200\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>JTAG mode 1\ubc88\uc73c\ub85c \uc124\uc815<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">...\nGood morning!\n\n1: JTAG mode\n2: DCSD mode\n3: Reset device\n4: Reset and enter DFU mode (iPhone X and up only)\n5: Reenumerate\n\nF: Force JTAG mode without sending command\nJ: Force SPAM-JTAG mode without sending command\nR: Reset Tamarin cable\nS: SPAM mode (Apple Watch UART)\nU: Go into firmware update mode\n> 1\nEnabling JTAG mode.\nRestarting enumeration!\nDone restarting enumeration!\nTristar request received: 74 00 02 1F\nDCSD mode active.\nConnect to the second serial port of the\nTamarin Cable to access the monitor.\nJTAG mode active, ID pin in Hi-Z.\nYou can now connect with an SWD debugger.\nGood morning!\n<\/pre>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Demotion<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook turdus_m3rula_1.1_b0ea3ee7_macos % .\/palera1n-macos-arm64 -d -l\n...\n - [12\/30\/25 01:15:20] &lt;Verbose>: DFU mode device found\n - [12\/30\/25 01:15:20] &lt;Info>: Checking if device is ready\n - [12\/30\/25 01:15:20] &lt;Verbose>: Attempting to perform checkm8 on 8015 11\n - [12\/30\/25 01:15:20] &lt;Info>: Setting up the exploit\n - [12\/30\/25 01:15:20] &lt;Verbose>: == checkm8 setup stage ==\n - [12\/30\/25 01:15:20] &lt;Verbose>: Entered initial checkm8 state after 1 steps\n - [12\/30\/25 01:15:20] &lt;Verbose>: Stalled input endpoint after 1 steps\n - [12\/30\/25 01:15:20] &lt;Verbose>: DFU mode device found\n - [12\/30\/25 01:15:20] &lt;Verbose>: == checkm8 trigger stage ==\n - [12\/30\/25 01:15:20] &lt;Info>: Checkmate!\n - [12\/30\/25 01:15:20] &lt;Verbose>: Device should now be demoted\n - [12\/30\/25 01:15:20] &lt;Verbose>: DFU mode device disconnected\n - [12\/30\/25 01:15:20] &lt;Verbose>: DFU mode device found\n - [12\/30\/25 01:15:20] &lt;Info>: Demoted device waiting for debugger\n - [12\/30\/25 01:15:20] &lt;Verbose>: Skipping demoted 8015 11\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\uc544\uc774\ud3f0 \ucf00\uc774\ube14 \ubd84\ub9ac \ubc0f Tamarine \ucf00\uc774\ube14\ub85c \uc7ac\uc5f0\uacb0 \/ Tamarine cable \uc5f0\uacb0<\/li>\n\n\n\n<li>OpenOCD\ub85c \uc5f0\uacb0 (주의: <code>bindto 0.0.0.0<\/code>은 인증이 없는 telnet(4444) \/ gdb(3333~3339) \/ tcl(6666) 포트를 모든 네트워크 인터페이스에 노출함. 같은 머신에서만 접속한다면 이 옵션을 빼거나 <code>bindto 127.0.0.1<\/code>로 바인딩하고, 다른 머신에서 붙어야 한다면 격리된 네트워크에서만 사용할 것.)<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">.\/src\/openocd -f tcl\/interface\/tamarin.cfg -f t8015.cfg -c \"bindto 0.0.0.0\" \n<\/pre>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>telnet\uc73c\ub85c \uc81c\uc5b4 \uc778\ud130\ud398\uc774\uc2a4\uc5d0 \uc811\uadfc \ubc0f halt \uc218\ud589<\/li>\n\n\n\n<li><code>telnet 127.0.0.1 4444<\/code><\/li>\n\n\n\n<li><code>targets iphone.ecore0<\/code><\/li>\n\n\n\n<li><code>halt<\/code><\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook openocd % telnet 127.0.0.1 4444\nTrying 127.0.0.1...\nConnected to 127.0.0.1.\nEscape character is '^]'.\nOpen On-Chip Debugger\n> targets\n    TargetName         Type       Endian TapName            State       \n--  ------------------ ---------- ------ ------------------ ------------\n 0  iphone.dbg         mem_ap     little iphone.cpu         running\n 1  iphone.mem         mem_ap     little iphone.cpu         running\n 2  iphone.ecore0      aarch64    little iphone.cpu         running\n 3  iphone.ecore1      aarch64    little iphone.cpu         poweroff\n 4  iphone.ecore2      aarch64    little iphone.cpu         poweroff\n 5  iphone.ecore3      aarch64    little iphone.cpu         poweroff\n 6  iphone.pcore0      aarch64    little iphone.cpu         poweroff\n 7  iphone.pcore1      aarch64    little iphone.cpu         poweroff\n 8* iphone.sep         aarch64    little iphone.cpu         unknown\n\n> targets iphone.ecore0\n> halt\nTimeout waiting for target iphone.ecore0 halt\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>halt<\/code> \uc218\ud589\uc2dc <code>Timeout waiting for\u2026<\/code> \uc5d0\ub7ec \ucd9c\ub825\uc2dc\uc5d0 minicom \ucc3d\uc5d0\uc11c <code>F: Force JTAG mode without sending command,<\/code> \uc989 F\ubaa8\ub4dc\ub85c tamarin \ubaa8\ub4dc \uc124\uc815.<\/li>\n\n\n\n<li>\uc774\ud6c4\uc5d4 \uc81c\ub300\ub85c halt \ub428 <code>target halted in AArch64 state due to debug-request, current 
mode: EL1T cpsr: 0x800002c4 pc: 0x100000568 MMU: enabled, D-Cache: enabled, I-Cache: enabled<\/code><\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook openocd_tihmstar % sudo .\/src\/openocd -f tcl\/interface\/tamarin.cfg -f t8015.cfg\nOpen On-Chip Debugger 0.10.0+dev-gd91b411c (2025-12-29-23:11)\nLicensed under GNU GPL v2\nFor bug reports, read\n\t&lt;http:\/\/openocd.org\/doc\/doxygen\/bugs.html>\nInfo : only one transport option; autoselect 'swd'\nWarn : Transport \"swd\" was already selected\nadapter speed: 1000 kHz\n\nWarn : Interface already configured, ignoring\nWarn : Transport \"swd\" was already selected\nInfo : clock speed 10000 kHz\nInfo : SWD DPIDR 0x03000067\nError: iphone.ecore0: missing UTT configuration, halt may not work\nInfo : iphone.ecore0: hardware has 2 breakpoints, 3 watchpoints\nError: iphone.ecore1: missing UTT configuration, halt may not work\nError: iphone.ecore1 powered down!\nError: iphone.ecore2: missing UTT configuration, halt may not work\nError: iphone.ecore2 powered down!\nError: iphone.ecore3: missing UTT configuration, halt may not work\nError: iphone.ecore3 powered down!\nError: iphone.pcore0: missing UTT configuration, halt may not work\nError: iphone.pcore0 powered down!\nError: iphone.pcore1: missing UTT configuration, halt may not work\nError: iphone.pcore1 powered down!\nError: iphone.sep: missing UTT configuration, halt may not work\nInfo : Listening on port 3333 for gdb connections\nInfo : Listening on port 3334 for gdb connections\nInfo : Listening on port 3335 for gdb connections\nInfo : Listening on port 3336 for gdb connections\nInfo : Listening on port 3337 for gdb connections\nInfo : Listening on port 3338 for gdb connections\nInfo : Listening on port 3339 for gdb connections\nInfo : 
Listening on port 6666 for tcl connections\nInfo : Listening on port 4444 for telnet connections\nInfo : accepting 'telnet' connection on tcp\/4444\nError: Timeout waiting for target iphone.ecore0 halt\n\nInfo : iphone.ecore0 cluster 0 core 0 multi core\ntarget halted in AArch64 state due to debug-request, current mode: EL1T\ncpsr: 0x800002c4 pc: 0x100000568\nMMU: enabled, D-Cache: enabled, I-Cache: enabled\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\ub514\ubc84\uac70 \uc5f0\uacb0<\/li>\n\n\n\n<li><code>lldb<\/code><\/li>\n\n\n\n<li><code>gdb-remote 3333<\/code><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"614\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.15.54-AM-1-1024x614.png\" alt=\"\" class=\"wp-image-4048\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.15.54-AM-1-1024x614.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.15.54-AM-1-300x180.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.15.54-AM-1-768x461.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.15.54-AM-1-1536x921.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.15.54-AM-1-2048x1229.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SecureRom \uc774\ubbf8\uc9c0 \ub364\ud504<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">(lldb) memory read --binary --outfile .\/dump.bin --force 0x100000000 0x100020000\n131072 bytes written to 'dump.bin'\n<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img 
loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"618\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.26.16-AM-1024x618.png\" alt=\"\" class=\"wp-image-4049\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.26.16-AM-1024x618.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.26.16-AM-300x181.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.26.16-AM-768x464.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.26.16-AM-1536x927.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/12\/Screenshot-2025-12-30-at-3.26.16-AM-2048x1236.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">\ucee4\ub110 \ub514\ubc84\uae45 (\uc2e4\ud328)<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">\uc544\uc774\ub514\uc5b4\u2026<\/h2>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">(lldb) p\/x 0x207 &amp; 0xfffffffe\n(unsigned int) 0x00000206\n\/\/ Demote \uc124\uc815 \uc804 \uac12\uc5d0\uc11c 0xfffffffe AND \uc5f0\uc0b0\ud55c\uac8c \ubc14\ub85c 0x206\uc784.\n\n(lldb) x\/wx 0x2352BC000\n0x2352bc000: 0x00000206\n(lldb) x\/gx 0x2352BC000\n0x2352bc000: 0x2200000000000206\n\/\/ A11\uce69 \uae30\uc900 demotion_reg \uc8fc\uc18c\ub294 0x2352BC000.\n\/\/ &lt;https:\/\/github.com\/axi0mX\/ipwndfu\/blob\/master\/device_platform.py>\n\npongoOS> peek 0x2352BC000\n0x2352bc000: 207 (7 2 0 0)\n\/\/ \uae30\uc874 \uac12 (Demote \uc548\ub428)\npongoOS> peek 0x2352BC004\n0x2352bc004: 22000000 (0 0 0 22)\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>gaster\uc5d0\uc11c demotion flag \uac74\ub4dc\ub9b0\ub2e4\uc74c, \ucee4\uc2a4\ud140 \ubd80\ud2b8\ub85c\ub354\uc640 
\ucee4\ub110 \uc62c\ub9ac\uace0 \ud558\uba74 \ub420\uc9c0\ub3c4?<\/li>\n\n\n\n<li>\ub2e8, ramdisk \uc258 \ubd80\ud305\uc0c1\ud0dc\ub85c \uc9c4\uc785\ud574\uc57c\ub428. SEP \ud328\ub2c9 \ubc1c\uc0dd \uac00\ub2a5\uc131 \uc788\uc74c.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">\uc2dc\ud589\ucc29\uc624<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>demotion flag\ub97c pongoOS shell\uc5d0\uc11c \uac74\ub4dc\ub9b4\ub824\uace0 \ud588\uc73c\ub098 \uc548\ub410\uc74c.<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">pongoOS> poke 0x2352BC000 206\nwriting 206 @ 0x2352bc000\npongoOS> poke 0x2352BC000 0x206\nwriting 206 @ 0x2352bc000\npongoOS> peek 0x2352BC000\n0x2352bc000: 207 (7 2 0 0)\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Checkra1n 0.1337.x\uc5d0\uc11c \uc2dc\ub3c4: demote \uc131\uacf5<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">pongoOS> fuse demote\npongoOS> peek 0x2352BC000\n0x2352bc000: 206 (6 2 0 0)\n\n\/\/\ubd80\ud305\nbootx\n\n... 
\uc774\ud6c4 \ubd80\ud305\uc740 \uc2e4\ud328\n\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>gaster\uc5d0\uc11c demotion \uc774\ud6c4\uc5d0 SSHRD_Script\ub85c \ub7a8\ub514\uc2a4\ud06c \ubd80\ud305\ud560\ub824\uace0 \ud588\uc73c\ub098\u2026 \uc2e4\ud328<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"cpp\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">static bool\ngaster_demote(usb_handle_t *handle, const uint8_t *src, uint8_t *dst, size_t len) {\n\tstruct {\n\t\tuint32_t magic_0, magic_1, func, pad, r[8];\n\t} exec_cmd_armv7;\n\tuint8_t data[DFU_MAX_TRANSFER_SZ], *response;\n\tstruct {\n\t\tuint64_t magic, func, x[8];\n\t} exec_cmd;\n\tuint32_t r_armv7;\n\tsize_t data_sz;\n\tuint64_t r;\n\n\tif(cpid == 0x8015) {\n\t\texec_cmd.magic = EXEC_MAGIC;\n\t\texec_cmd.func = 0x10000F804;\t\/\/STR X1, [X0]; RET;\n\t\texec_cmd.x[0] = 0x2352BC000;\t\/\/write where?\n\t\texec_cmd.x[1] = 0x2200000000000207;\t\/\/write what!\n\t\texec_cmd.x[2] = 0;\n\t\texec_cmd.x[3] = 0;\n\t\texec_cmd.x[4] = 0;\n\t\texec_cmd.x[5] = 0;\n\t\texec_cmd.x[6] = 0;\n\t\tmemcpy(data, &amp;exec_cmd, sizeof(exec_cmd) - sizeof(r));\n\t\tdata_sz = sizeof(exec_cmd) - sizeof(r);\n\t\tmemcpy(data + data_sz, src, len);\n\t\tdata_sz += len;\n\t}\n\tif(gaster_command(handle, data, data_sz, &amp;response, len + 2 * sizeof(r))) {\n\t\tmemcpy(&amp;r, response, sizeof(r));\n\t\tif(r != DONE_MAGIC) {\n\t\t\tfree(response);\n\t\t\treturn false;\n\t\t}\n\t\tmemcpy(&amp;r, response + sizeof(r), sizeof(r));\n\t\tif((uint32_t)r != 0) {\n\t\t\tfree(response);\n\t\t\treturn false;\n\t\t}\n\t\tmemcpy(dst, response + 2 * sizeof(r), len);\n\t\tfree(response);\n\t\treturn true;\n\t}\n\treturn false;\n}\n\n...\n} else if(argc == 2 &amp;&amp; strcmp(argv[1], \"pwn\") == 0) {\n\t\tif(gaster_checkm8(&amp;handle)) {\n\t\t\tuint8_t idk[AES_BLOCK_SZ + 
AES_KEY_SZ_BYTES_256];\n\t\t\tprintf(\"gaster_demote ret = %d\\\\n\", gaster_demote(&amp;handle, idk, idk, sizeof(idk)));\n\t\t\tret = 0;\n\t\t}\n...\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook SSHRD_Script % .\/Darwin\/irecovery -f sshramdisk\/iBSS.img4\n[==================================================] 100.0%\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook Darwin % .\/irecovery -s\n> \n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\uc6d0\ud588\ub358 \uc608\uc0c1 \uacb0\uacfc<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-macbook Darwin % .\/irecovery -s\n96ede82803e085b:365\n\n=======================================\n::\n:: iBoot for d20, Copyright 2007-2020, Apple Inc.\n::\n::\tRemote boot, Board 0xa (d201ap)\/Rev 0xf\n::\n::\tBUILD_TAG: iBoot-6723.80.19\n::\n::\tBUILD_STYLE: RELEASE\n...\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\uc0dd\uac01 \uc815\ub9ac<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\uc77c\ubc18 \ucf00\uc774\ube14\uacfc DCSD\/JTAG \ucf00\uc774\ube14\uc744 \ub9e4\ubc88 \ubd84\ub9ac\ud574\uc11c \uc0ac\uc6a9\ud558\ub294\ub370 \uc788\uc5b4\uc11c \ucee4\ub110 \ub514\ubc84\uae45\uc740 \ube44\ud6a8\uc728\uc801.\n<ul class=\"wp-block-list\">\n<li>\uc720\uc800\ud658\uacbd\uc5d0\uc11c \ub7a8\ub514\uc2a4\ud06c \ubaa8\ub4dc\uc5d0\uc11c \uc775\uc2a4\ud50c\ub85c\uc787 
\ud504\ub85c\uadf8\ub7a8\uc744 \uc2e4\ud589\uc2dc\ud0ac\ub824\uba74 \uc77c\ubc18 \ucf00\uc774\ube14\ub85c \uc5f0\uacb0\ud574\uc11c \uc258 \uba85\ub839\uc5b4\ub97c \uc785\ub825\ud574\uc57c\ud560\ud150\ub370, \ucee4\ub110 \ub514\ubc84\uae45\uc744 \ud560\ub824\uba74 \ub2e4\uc2dc DCSD\/JTAG \ucf00\uc774\ube14\ub85c \uc5f0\uacb0\uc2dc\ucf1c\uc57c\ub418\ub2c8 \ubd88\ud3b8\ud568.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>iOS 12.x~14.x\ub294 KTRW\ub85c \uc544\uc774\ud3f08 \ucee4\ub110 \ub514\ubc84\uae45<\/li>\n\n\n\n<li>QEMUAppleSilicon\uc73c\ub85c \uac00\uc0c1 \uc544\uc774\ud3f011 iOS 14.0b5 \ucee4\ub110 \ub514\ubc84\uae45\ub3c4 \uac00\ub2a5<\/li>\n\n\n\n<li>iOS 15.x+\uc758 \uacbd\uc6b0, macOS 12.0.1+\ub85c \ub300\uccb4\ud558\uc5ec \ucee4\ub110 \ub514\ubc84\uae45 &#8211; super-tart\ub85c \ub77c\uc774\ube0c \ucee4\ub110 \ub514\ubc84\uae45\ud558\ub294 \ubc29\ubc95\uc774 \uc88b\uc744\ub4ef (macOS 12.0.1+)<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\uc900\ube44\ubb3c \uc870\ub9bd \uc644\uc131 \uc0ac\uc9c4 Pico\uc6a9 SDK \/ tamarin(\uad6c\ubc84\uc804) \ud38c\uc6e8\uc5b4 \ucef4\ud30c\uc77c Pico \ubcf4\ub4dc\uc5d0 tamarin \ud38c\uc6e8\uc5b4 \uc5c5\ub85c\ub4dc DCSD \ubaa8\ub4dc\ub85c \uc2dc\ub9ac\uc5bc \ub85c\uadf8 \ud655\uc778\ud558\uae30 JTAG \ubaa8\ub4dc\ub85c SecureRom \ub514\ubc84\uae45 OpenOCD \ube4c\ub4dc \ubc0f \ud658\uacbd \uc124\uce58 SecureRom&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=4032\" rel=\"bookmark\">\ub354 \ubcf4\uae30 &raquo;<span class=\"screen-reader-text\">Tamarine\uc73c\ub85c \uc544\uc774\ud3f0\/\uc544\uc774\ud328\ub4dc JTAG\ub514\ubc84\uae45 \/ \uc2dc\ub9ac\uc5bc \ub85c\uadf8 
\ucd9c\ub825\ud574\ubcf4\uae30<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[72],"tags":[11,12,13,25],"class_list":["post-4032","post","type-post","status-publish","format-standard","hentry","category-realworld","tag-ios","tag-ios-kernel","tag-macos","tag-pwnable"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/4032","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4032"}],"version-history":[{"count":5,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/4032\/revisions"}],"predecessor-version":[{"id":4052,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/4032\/revisions\/4052"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4032"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4032"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4032"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}
]}}