john (@nyan_satan)'s Twitter Profile
john

@nyan_satan

demonic beast from another era (with F20.0) | infosec.exchange/@nyan_satan

ID: 3872962191

Link: http://nyansatan.github.io | Joined: 05-10-2015 17:32:17

4.4K Tweets

16.16K Followers

133 Following

john (@nyan_satan):

Also here are some keys I decrypted, but never published before:

A15, AP+SEP, 28.10.23 gist.github.com/NyanSatan/faad…

A14, AP, 18.08.21-30.06.22 gist.github.com/NyanSatan/eb7b…

S6/S7, AP, 20.07.22 gist.github.com/NyanSatan/30a8…

john (@nyan_satan):

Ah, damn it...

TIME TO ROLL THE DICE
YOU KNOW I'M THE TYPE
TYPE TO RISK MY LIFE
NOT AFRAID TO DIE

iPhone15,2_17.3_21D5044a_Restore.ipsw/Firmware/all_flash/iBoot.d73.RELEASE.im4p

0F063B2A58A7D0ED99DE64038532DB39E26E03A50B2000C88A987F99AD8725C79400159A4016C3D1C1E37132B448EEA8

john (@nyan_satan):

YOU CAN COUNT ON ME TO MISBEHAVE (Yes, this is every single production A16 key, both iBoot and SEPOS!) gist.github.com/NyanSatan/c2df…

john (@nyan_satan):

The new version of Anya is finally released!

- Far faster on large KBAG bulks
- SEP support for platforms with boot monitor
- New platforms supported
- Easier to build

IT'S STILL EXPERIMENTAL – BE EXTREMELY CAREFUL WITH THIS TOOL AND READ THE README!

github.com/NyanSatan/Anya

john (@nyan_satan):

I managed to dump the application processor's TBM firmware from Crete A0 (early A16) after all. Whoever at Apple thought it was a good idea to remove the AP-TMM CPU from the Astris config of A16 and then put a relative address of it into every IPSW - you were wrong.

john (@nyan_satan):

TBM is Trusted Boot Monitor, in case anyone missed it - a very evil mitigation that affects A16+ SecureROMs. A13+ SEP also has something very similar. More information in an upcoming article (maybe).

john (@nyan_satan):

iPod shuffle 3rd-gen HACKED!

Turns out S5L8442 ROM is vulnerable to Pwnage2!

(Garbage at the end of the serial number string is there by default, lol)

john (@nyan_satan):

Wake up, baby, a new SWD probe has just been dropped - GpioSWD!

Probably you already have it in your own device!

(Yes, they really update the USB-C controller by bitbanging SWD - the AppleAstrisGpioProbe kext is responsible for that)

john (@nyan_satan):

I'LL NEVER SOFTEN MY GRIP

iPhone16,1_17.5.1_21F90_Restore/iBoot.d83.RELEASE.im4p

4D722B1DE7F88EEAF995C39036913B17BF20791EF3099162E3948562D92ADE011294AD62B4C0E2CCA1D023CC5AAA4A90

john (@nyan_satan):

The conference was really amazing! I also had the honor of giving a talk there (first time in my life!). Huge thanks to ~ for organizing it, and to all speakers and attendees too!

john (@nyan_satan):

T8132 (Apple M4/Donan) in SecureROM

taDFU SDOM:01 CPID:8132 CPRV:11 CPFM:03 SCEP:01 BDID:08 ECID:XXXXXXXXXXXXXXXX IBFL:3C SIKA:00 SRTG:[iBoot-9082.0.0.300.1]

john (@nyan_satan):

Thanks to Apple Inc. for no longer encrypting iBoot! Here is something that might encourage them to do the same with SEPOS:

iPhone16,1_18.0_22A5316j/sep-firmware.d83.RELEASE.im4p

9cec21e7cfc72ab6b6ecaac042fca58edececa79512041ccb3b06acc1dd9141989dd176e9e708498ef557dc98edb744a

john (@nyan_satan):

Apple Meerkat/Z41aAP/iProd9,4

Cursed device with T8006 SoC (Apple S4/S5)

This one only boots iBoot & diags, though it is meant to run XNU

Has SDOM 00, which is very unusual and apparently affects the GID key somehow - I couldn't decrypt its iBoot via an SDOM 01 device

john (@nyan_satan):

kblcrcfix - a new tool in the kanzitools repo! Allows you to fix the CRC of Kanzi/Chimp/Koko firmware images after patching. More info in the README!

!!! THIS IS DANGEROUS - USE STRICTLY AT YOUR OWN RISK !!!

github.com/NyanSatan/kanz…