
Discover PAC codes in XS and 11 SecureROM and integrate

Open rickmark opened this issue 4 years ago • 3 comments

Hey there,

I've seen evidence in the field that checkm8 in fact does work with later versions of the iPhone, we just need a copy of SecureROM to know the proper pointer tag and pointer authentication codes. Opening an issue to track in case those become known.

R

rickmark avatar Nov 26 '19 22:11 rickmark

http://securerom.fun

Ronsor avatar Dec 02 '19 14:12 Ronsor

afaik the UaF was patched only in A13, but the info leak that checkm8 used was patched in A12, so you need a new info leak. Anyway, you have both A13 and A12 ROMs at securerom.fun.

razmashat avatar Dec 02 '19 18:12 razmashat

> afaik the UaF was patched only in A12 but the info leak that checkm8 used was patched in A12 so you need a new info leak.

That's nifty, thanks for the link! I'm just wondering where the T2 has been patched, if it has been. I think what happened is they patched the exploit between Bootrom_3332.0.0.1.23 and Bootrom_3865.0.0.4.7, which should mean that even though the T2 is based on the A10, as long as the SecureROM is newer than that, it should be patched.

Also wondering if the T2s all share the same GID (which means an old iMac Pro can decrypt newer firmwares).

Though it still lacks ARMv8.3 PAC. (sad emoji)

rickmark avatar Dec 15 '19 18:12 rickmark