Exploiting checkm8 with unknown SecureROM for the T2 chip
The checkm8 exploit appeared a long time ago, and a lot of material about it is available in the public domain. One question remains open, however: how was the SecureROM of a given device originally obtained, so that the exploit's device-specific offsets could be adapted to it? Earlier, Alex demonstrated a method of initial firmware dumping for the S5L8747X (Haywire) and S7002 (AppleWatch) chips. In this talk, he will show a much more complex method that also works on devices with WXN enabled, using the T2 as an example.