You can't "dump" a TPM. That's the whole point. They are designed such that the cryptographic secrets they hold (including ones loaded at manufacturing) are unrecoverable without an electron microscope and nation-state level resources (and even then, it would be extremely difficult if not impossible on modern process nodes).
> unrecoverable without an electron microscope and nation-state level resources (and even then, it would be extremely difficult if not impossible on modern process nodes).
That's... amusingly, also a thing in Chinese marketplaces, for a similar purpose.
iCloud Activation Lock, on non-cellular devices (e.g., Wi-Fi only iPads), relies on the device's serial number, Wi-Fi MAC, and Bluetooth MAC addresses as the three identifiers required to clear the Activation Lock check. Via special debug cables (e.g., a "DCSD cable") there are ways to write in new SysCfg data to the flash to change those variables. This can also be done to Apple Watches (pre-Series 6) with a special dock also sold on the Chinese market.
You can (sort of easily) get your hands on a "clean" serial/MACs set for under $10-15 or so on the market.
Interesting. I assume this is mostly used to "wash" stolen devices to make them appear legitimate for resale? I'm surprised Apple designed the hardware to allow this without any sort of authentication.