struct nonce_seeds_header {
uint32_t blob_version;
uint8_t pad[6];
jevinskie
/ output-root.log
Last active
April 26, 2024 16:47
Run lsmp on *something*, *anything* without root privileges. How? A wrapper program that gets its own PID then exec's into lsmp with that PID as the process to inspect.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -> % sudo ./self-lsmp | |
| Password: | |
| argv[0] = '/usr/bin/lsmp' | |
| argv[1] = '-v' | |
| argv[2] = '-p' | |
| argv[3] = '33302' | |
| self task regular: 0x00000203 aka 515 | |
| self task read: 0x00000b03 aka 2819 |
Cryptiiiic
/ Cryptex.md
Last active
April 28, 2024 05:34
Short overview of iOS 16+ nonce-seeds nvram variable most notably used for cryptex.
miticollo
/ futurerestore.sh
Last active
February 26, 2024 06:05
In a new macOS terminal run `bash ./futurerestore.sh <path/to/SHSH> <path/to/ipsw> -c` and follow instructions
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # | |
| # Perform iOS and iPadOS downgrade using gaster and futurerestore. | |
| set -e | |
| BOLD=$(tput bold) | |
| readonly BOLD | |
| NC=$(tput sgr0) | |
| readonly NC |
chris-pcguy
/ qemu-t8030_seprom_securerom_t8030_20231105_0.patch
Created
November 5, 2023 22:30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/hw/arm/apple_a13.c b/hw/arm/apple_a13.c | |
| index 551a055715..661d9c799c 100644 | |
| --- a/hw/arm/apple_a13.c | |
| +++ b/hw/arm/apple_a13.c | |
| @@ -504,7 +504,9 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = { | |
| A13_CPREG_DEF(ARM64_REG_HID13, 3, 0, 15, 14, 0, PL1_RW, 0), | |
| A13_CPREG_DEF(ARM64_REG_HID14, 3, 0, 15, 15, 0, PL1_RW, 0), | |
| A13_CPREG_DEF(ARM64_REG_HID16, 3, 0, 15, 15, 2, PL1_RW, 0), | |
| - A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), | |
| + A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), // A14 SYS_LSU_ERR_STS |
chris-pcguy
/ qemu-t8030_seprom_securerom_t8030_20231104_2.patch
Created
November 4, 2023 05:05
merged/copy-pasted to a newer commit (LDRAA bug found and fixed by me) during lack of sleep, untested because of a NVMe bug.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/hw/arm/apple_a13.c b/hw/arm/apple_a13.c | |
| index 551a055715..661d9c799c 100644 | |
| --- a/hw/arm/apple_a13.c | |
| +++ b/hw/arm/apple_a13.c | |
| @@ -504,7 +504,9 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = { | |
| A13_CPREG_DEF(ARM64_REG_HID13, 3, 0, 15, 14, 0, PL1_RW, 0), | |
| A13_CPREG_DEF(ARM64_REG_HID14, 3, 0, 15, 15, 0, PL1_RW, 0), | |
| A13_CPREG_DEF(ARM64_REG_HID16, 3, 0, 15, 15, 2, PL1_RW, 0), | |
| - A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), | |
| + A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), // A14 SYS_LSU_ERR_STS |
chris-pcguy
/ qemu-t8030_seprom_securerom_t8030_20231101_0.patch
Created
November 1, 2023 21:30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/hw/arm/apple_a13.c b/hw/arm/apple_a13.c | |
| index 2188683992..928ffaa988 100644 | |
| --- a/hw/arm/apple_a13.c | |
| +++ b/hw/arm/apple_a13.c | |
| @@ -504,14 +504,16 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = { | |
| A13_CPREG_DEF(ARM64_REG_HID13, 3, 0, 15, 14, 0, PL1_RW, 0), | |
| A13_CPREG_DEF(ARM64_REG_HID14, 3, 0, 15, 15, 0, PL1_RW, 0), | |
| A13_CPREG_DEF(ARM64_REG_HID16, 3, 0, 15, 15, 2, PL1_RW, 0), | |
| - A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), | |
| + A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), // A14 SYS_LSU_ERR_STS |
jevinskie
/ MobileStorageMounter-DDI-verification.mm
Created
October 24, 2023 21:25
MobileStorageMounter DDI verification
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // clang-format off | |
| // clang++ -Wall -Wextra -Wno-deprecated-declarations -g -fobjc-arc -std=gnu++2b -framework Foundation -framework CommonCrypto -framework Security -o secstuff secstuff.mm && ./secstuff ./iPhoneCA.pem ./DeveloperDiskImage.dmg ./DeveloperDiskImage.dmg | |
| // xcrun --sdk iphoneos clang++ -miphoneos-version-min=14.0 -Wall -Wextra -Wno-deprecated-declarations -g -fobjc-arc -std=gnu++2b -framework Foundation -framework CommonCrypto -framework Security -Wl,-adhoc_codesign -o secstuff-ios secstuff.mm | |
| // clang-format on | |
| #define SEC_OS_IPHONE 1 | |
| #undef NDEBUG | |
| #include <CommonCrypto/CommonDigest.h> | |
| #import <Foundation/Foundation.h> | |
| #import <Security/Security.h> |
zhuowei
/ more_coretrust_notes.txt
Created
October 1, 2023 04:28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Also see https://github.com/zhuowei/CoreTrustDemo/blob/main/littlemis.txt for my previous notes | |
| first time X509ChainCheckPathWithOptions, param3 (options) is null | |
| second time X509ChainCheckPathWithOptions, param3 (options) is set | |
| -> This is the call out of CTEvaluateAMFICodeSignatureCMS_MaxDigestType, and is the one that sets the flags | |
| struct ContentInfoSignedData { | |
| int always4; // 0x0 | |
| void* someBufferFromCTParseContentInfoSignedDataArg6; // 0x8 | |
| // ? |
dlevi309
/ DLMobileGestaltSPI.h
Last active
November 6, 2023 09:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Copyright (C) 2023 Daniel Levi | |
| * | |
| * Originally based on Apple's header for WebKit. The file within this repo | |
| * named LICENSE_APPLE contains the copyright notice provided by Apple | |
| * | |
| * This header is based on my own disassembly of libMobileGestalt and contains | |
| * 760 keys that should support any iOS version up until iOS 17. | |
| * | |
| */ |
zhuowei
/ grant_full_disk_access.m
Last active
December 12, 2023 08:15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @import Darwin; | |
| @import Foundation; | |
| @import MachO; | |
| #import <mach-o/fixup-chains.h> | |
| // you'll need helpers.m from Ian Beer's write_no_write and vm_unaligned_copy_switch_race.m from | |
| // WDBFontOverwrite | |
| // Also, set an NSAppleMusicUsageDescription in Info.plist (can be anything) | |
| // Please don't call this code on iOS 14 or below | |
| // (This temporarily overwrites tccd, and on iOS 14 and above changes do not revert on reboot) |
NewerOlder