struct nonce_seeds_header {
uint32_t blob_version;
uint8_t pad[6];
Cryptiiiic
/ Cryptex.md
Last active
April 28, 2024 05:34
Short overview of iOS 16+ nonce-seeds nvram variable most notably used for cryptex.
Cryptiiiic
/ ios16_downgrading.txt
Created
March 1, 2023 00:10
The unfortunate state of iOS downgrading
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Unfortunately I have some bad news for downgrading. | |
| Before I explain the bad news at the end of this post, I first need to introduce a background of iOS devices. | |
| In iOS 16, Apple introduced a new firmware component known as Cryptex1. Technically, this is a "virtual" co-processor. | |
| It's purpose is to allow Apple to push RSRs (Rapid Security Responses) which are separate from traditional iOS updates and can be installed much faster. | |
| Like other firmwares, it also has a signing ticket locked to a cryptographic nonce (number-used-once). | |
| We commonly refer to the Apple signing tickets as SHSH blobs. | |
| Meaning the firmware can't be installed without a valid signing ticket as well as a matching nonce. | |
| The "big two" components we deal with signing/nonces are AP and SEP. AP is basically the main device chip (Application Processor). | |
| SEP is the security chip (Secure Enclave Processor). | |
| With regards to APNonce, Apple conveniently gave us the com.apple.System.boot-nonce NVRAM property which we use to set the APNonce generator. |
Cryptiiiic
/ futurerestore-static-linux.sh
Last active
July 16, 2023 22:03
Futurerestore static compile script for Linux
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # Made by @Cryptiiiic, Cryptic#6293 | |
| # please build in this docker container: | |
| # docker run -it --name debian debian:buster-slim | |
| set -e | |
| export FR_BASE=/tmp/build | |
| export C_ARGS="-fPIC -static" | |
| export CXX_ARGS="-fPIC -static" | |
| export LD_ARGS="-Wl,--allow-multiple-definition -static -L/usr/lib/x86_64-linux-gnu -L/tmp/out/lib" | |
| export C_ARGS2="-fPIC" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| if [ "$(defaults read com.apple.screencapture location)" != "~/Screenshots" ]; then | |
| defaults write com.apple.screencapture location "\~/Screenshots" | |
| fi | |
| if [[ -f "/usr/local/bin/jq" ]]; then | |
| cd ~/Screenshots | |
| name=jelbrek_icu.png | |
| touch ./.screenshot_watch |
Cryptiiiic
/ offsets_multipath_kfree.md
Last active
March 1, 2023 05:45
How to find offsets for Multipath_KFree
- Open Terminal and run
nm kernelcache.dec | grep _kernprocIn this example, 0xfffffff0075d50a0 is our kernproc address.(iPhone6S on 11.3.1)
- Drag your kernelcache.dec into ida and stringsearch for
fStampMapping[kAGXHostMemoryTimestamp]This should take you tocom.apple.AGXG5P:__cstringsection. - Double click on the first text:FFFFFFF...
- Scroll down all the way until you see something like this.
- Double click on unk_FFFFFFF... which is located at the second ADRP.
Cryptiiiic
/ How to find OFFSET_ZONE_MAP for v0rtex.md
Created
December 9, 2017 19:01
Guide to finding the Zone Map offset for v0rtex
- Open your decompressed kernel in hopper.
- Go to the string tab and search for
zone_init: kmem_suballoc failed - Click the result that came up. You are going to want to double click on the
DATA XREF=sub_fffffff. - Double click on the DATA XREF to the very far right of the location you landed on.
- The offset will be the first qword above the location you jumped to.
Cryptiiiic
/ How to find OFFSET_ROP_ADD_X0_X0_0x10 for v0rtex.md
Last active
December 9, 2017 18:07
Guide for finding the ROP Gadget for the v0rtex exploit.md
- Open the kernel in radare2 using
r2 kernelcache.release.nxxx.dec. (Kernel has to be decompressed) - Once the kernel is open in r2, we are going to search for assembly code with
"/c add x0, x0, 0x10; ret"You should get an output like this: - We are going to take the second address at the top(in this example it's
0xfffffff00651a178) and we are going to seek to it as well as subtracting0x4. Here is the command:s 0xfffffff00651a178 - 0x4. - We are going to print out the assembly code of
0xfffffff00651a174usingpd 2. The output should look similar to this: - If your output looks similar to this, take the address of
add x0, x0, 0x10and that is the ROP Gadget offset.
