[roblabla]

I'm very confused. On one hand, the tweet claims to have a bootrom exploit. On the other hand, the fifth tweet in the chain talks about an iBoot vulnerability that got patched in ios12 beta[1].

Maybe the vulnerable codepath has some code sharing between iBoot and SecureROM?

[1]: https://twitter.com/axi0mX/status/1177544539046703104

[comex]

> Maybe the vulnerable codepath has some code sharing between iBoot and SecureROM?

It does.

[mstg]

Comex himself has spoken! It turns out I definitely didn't understand it correctly. Thanks for the clarification!

[bumblebritches5]

Do you have iBoot's source code from the leak a while back?

[null_auspices]

https://github.com/PUNISHMENT-POSSE/Apple-iOS-9-Source-Code

[mstg]

If I've understood this correctly, it was an iBoot vulnerability enabling the exploitation of the BootROM vulnerability untethered (without connecting to a computer again). Since the iBoot vulnerability is patched, the phone has to be connected to a computer every time to boot if there has been any tinkering (custom FW or any change in boot sequence).

So prepatch you could exploit the BootROM vulnerability untethered with the iBoot vulnerability, but postpatch have to connect to a computer to boot every time if you have done any tinkering which is why it is currently only adviced for security researchers. Tinkering with the BootROM also leads to invalidations of APTickets (so a future restore may be impossible without special gear).