@Cryptiiiic
Last active April 28, 2024 05:34
Short overview of iOS 16+ nonce-seeds nvram variable most notably used for cryptex.

Cryptex

Some structs

struct nonce_seeds_header {
    uint32_t blob_version;
    uint8_t pad[6];
    uint64_t hash_size;
    uint8_t boot_manifest_hash[48];
    uint8_t end_data[9];
};

struct nonce_seed {
    uint8_t unused_pad[8];
    uint8_t seed[16];
    uint8_t unused_end_pad[16];
};

struct nonce_seeds {
    struct nonce_seeds_header header;
    struct nonce_seed seeds[];
};

nonce-seeds nvram variable dumped from d22ap 16.5

sizeof() == 0x203

// Header/Unknown
0200000000000000000030000000000000000
// boot manifest hash(hash of the apticket)
686F676501C75A59C06249BE55AC2EF640EA62D61A7D22F8107334CC054209806CB556AA808C258579DB649809C9B7D0
// Header/Unknown tail
10B00000000000000

// com.apple.private.img4.nonce.test seed
0000000000000000969B93AD696856F7028D7749240DCF57
00000000000000000000000000000000
// com.apple.private.img4.nonce.trust-cache
00000000000000003E6D083FE13F96E4BE5ECB53724FA7C5
00000000000000000000000000000000
// com.apple.private.img4.nonce.pdi
000000000000000068CA2566CA4CD905C9B3D4BA1026B5EF
00000000000000000000000000000000
// com.apple.private.img4.nonce.cryptex
00000000000000004FFBEDCCAEBE8AB453DA9AD6A80F9916
00000000000000000000000000000000
// com.apple.private.img4.nonce.ddi
00000000000000009BEA1F420ADF76D1A1D468A127336B3F
00000000000000000000000000000000
// com.apple.private.img4.nonce.ephemeral-cryptex
000000000000000032E1867193B3F3CDF6D0EA4CE88138D8
00000000000000000000000000000000
// com.apple.private.img4.nonce.cryptex1.snuf-stub
0000000000000000210EE4C7137BCE636EB97BEED39D9B8D
00000000000000000000000000000000
// com.apple.private.img4.nonce.cryptex1.boot
000000000000000096DF5AC45A5EE83D7FC19A8494E4A322
00000000000000000000000000000000
// com.apple.private.img4.nonce.cryptex1.asset
0000000000000000177CEF5E8F0AE3D4D47FC31EC3FFEA40
00000000000000000000000000000000
// com.apple.private.img4.nonce.cryptex1.supplemental
00000000000000008040B8B7460A994FC71D2D150B84C0EB
00000000000000000000000000000000
// com.apple.private.img4.nonce.cryptex1.simulator
0000000000000000894F312358177C93ACC9B00412149500
00000000000000000000000000000000

Based on the structs, the cryptex seed would be the com.apple.private.img4.nonce.cryptex1.boot entry: 0x96DF5AC45A5EE83D7FC19A8494E4A322

int cryptex_boot_domain_index = 7;  // position of com.apple.private.img4.nonce.cryptex1.boot in the dump above
struct nonce_seeds *nonce_seeds_struct = get_nonce_seeds();
uint8_t *cryptex_seed = nonce_seeds_struct->seeds[cryptex_boot_domain_index].seed;  // points at the 16-byte seed

There seems to be no consistency in nonce-seeds sizes; Apple changes it whenever they want...

nonce-seeds size differences:

a11 16.5-16.7.x: 0x203
a14 16.1.1: 0x1B4
a15 15.0 beta: 0xD0
a15 15.4.1: 0x132
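As an added example (not code from the gist), here is a small C parser that applies the structs above to a blob, derives the entry count from the blob length instead of hardcoding it, and pulls out the cryptex1.boot seed. It runs on a constructed sample blob (only the entry-7 seed value is taken from the d22ap 16.5 dump above); note that the structs need `__attribute__((packed))` for sizeof() to come out at 0x203.

```c
#include <stdint.h>
#include <string.h>

/* Layout from the gist, packed: unpacked, alignment of hash_size would break 75 + n*40 = 0x203. */
struct __attribute__((packed)) nonce_seeds_header {
    uint32_t blob_version;
    uint8_t  pad[6];
    uint64_t hash_size;
    uint8_t  boot_manifest_hash[48];
    uint8_t  end_data[9];
};
struct __attribute__((packed)) nonce_seed {
    uint8_t unused_pad[8];
    uint8_t seed[16];
    uint8_t unused_end_pad[16];
};
#define CRYPTEX1_BOOT_INDEX 7  /* position of cryptex1.boot in the 16.5 dump above */
/* Entries implied by blob_len, or -1 if it is not header + n*entry (sizes vary, never hardcode). */
int nonce_seeds_count(size_t blob_len)
{
    size_t hdr = sizeof(struct nonce_seeds_header), ent = sizeof(struct nonce_seed);
    if (blob_len < hdr || (blob_len - hdr) % ent != 0)
        return -1;
    return (int)((blob_len - hdr) / ent);
}
/* Copies seed idx into out; 0 on success, -1 on a bad length, hash_size or index. */
int nonce_seeds_get(const uint8_t *blob, size_t blob_len, int idx, uint8_t out[16])
{
    int n = nonce_seeds_count(blob_len);
    const struct nonce_seeds_header *h = (const struct nonce_seeds_header *)blob;
    if (n < 0 || idx < 0 || idx >= n || h->hash_size != sizeof(h->boot_manifest_hash))
        return -1;
    memcpy(out, ((const struct nonce_seed *)(blob + sizeof(*h)))[idx].seed, 16);
    return 0;
}
/* Constructed sample, not a real dump: version 2, 48-byte hash, 8 entries, entry 7
 * holding the cryptex1.boot seed from the d22ap 16.5 dump. Returns the blob length. */
size_t build_sample_blob(uint8_t *buf, size_t cap)
{
    static const uint8_t boot_seed[16] = {0x96,0xDF,0x5A,0xC4,0x5A,0x5E,0xE8,0x3D,0x7F,0xC1,0x9A,0x84,0x94,0xE4,0xA3,0x22};
    size_t len = sizeof(struct nonce_seeds_header) + 8 * sizeof(struct nonce_seed);
    if (cap < len) return 0;
    memset(buf, 0, len);
    struct nonce_seeds_header *h = (struct nonce_seeds_header *)buf;
    h->blob_version = 2;  h->hash_size = 48;
    struct nonce_seed *s = (struct nonce_seed *)(buf + sizeof(*h));
    memcpy(s[CRYPTEX1_BOOT_INDEX].seed, boot_seed, 16);
    return len;
}
```

With these struct sizes only the 0x203 blob divides as header + n*40; the other sizes listed above do not, which is why the length check rejects them instead of reading seeds at wrong offsets.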
@Cryptiiiic

@P5-2005 Yah, this file was a bit old; I discovered as much after that but forgot to add it. Just updated it. I also added some size documentation.
