Skip to content

Instantly share code, notes, and snippets.

@fproulx
Last active March 19, 2023 18:45
Show Gist options
  • Save fproulx/5615207 to your computer and use it in GitHub Desktop.
Save fproulx/5615207 to your computer and use it in GitHub Desktop.

NorthSec 2013 - iOS Forensics track

Track Write-up by original track author: François Proulx (francois (d0t) proulx (at-sign) gmail (d0t) com)

Files provided for the track

  • An unmarked *.tar.bz2 file found on a random machine
  • Compressed archive contents:
    • CASE_GHB-2345453763-2239982 (see below)
    • CASE_GHB-2345453763-2239982_b512786b70a19df8-keybag.plist (see below)
    • CASE_GHB-2345453763-2239982_data_20130330-1458.dmg (> 500 MB)
    • CASE_GHB-2345453763-2239982_keychain-2.db
  • Some of these files are attached to this article, for the rest, you'll have to download the full archive
  • The CASE_GHB-2345453763-2239982 file provides all the tracks instructions
  • The CASE_GHB-2345453763-2239982_data_20130330-1458.dmg is a full forensics dump of an iPhone 4 device (as described in the track instructions)

Tools required for the track

  • A modern (OS X 10.7 and up) Mac computer comes bundled with all the tools
  • On a PC running Windows or Linux:

Where to find the flags

As is the case in all forensics investigation, there is rarely a single way to obtain a piece of data. Oftentimes, a forensics dump will contain numerous copies of the data (sometimes in different formats). Thus, the procedure describe below may not be the one you would've followed, nor is necessarly the fastest, easiest. Having the right set of tools and a creative mind will generally lead to good results.

Below, I will give you the flag and a list of files where you could have found it. As you do more and more forensics, you'll develop a sense to cut the crap and go straight to the good stuff... Everytime there is a new technique to extract the piece of data, I will take more time to show you how to use each tool.

General notes

  1. Mount the compressed DMG archive. On a Mac this is trivial, but it might take you more time on another system
  2. Carefully read the instructions (there are a few hints to help you)
  3. The mounted filesystem is found under /Volumes/Data (on a Mac)
  4. Start by exploring the mounted filesystem to give you an idea of its structure and a general understanding of where some of the files you are looking or might be hidden
  5. You will most likely pop a shell at some point and use other tools (like find, grep, strings, etc.)
  6. A good understanding of the user facing (with the GUI) of the system (in this case iOS) can be very useful
  7. Keep in mind that where data is stored often changes between version of the OS (in this case we are looking at iOS 6.1)

Useful aliases

As you learn each tool, you'll probably want to setup some aliases to get your job done faster.

Here are some aliases, you might like:

  • alias plxml='plutil -convert xml1 -o -'
  • alias sqldump='echo ".dump" | sqlite3'

1. What is Raymond's cellphone number (international format) ?

  • Flag: 15149676544
  • Pro tip: RTFM grep man page there are some goodies... Learn what -Uslri does !
    • grep -Uslri "514.*967.*6544" .
  • The Phone number could be found in:
    • ./mobile/Library/AddressBook/AddressBook.sqlitedb
    • ./mobile/Library/Preferences/com.apple.imservice.FaceTime.plist
    • ./mobile/Library/Preferences/com.apple.imservice.SMS.plist
    • ./mobile/Library/Preferences/com.apple.imservice.iMessage.plist
    • ./wireless/Library/Preferences/com.apple.commcenter.plist
  • Probably the most reliable and trustworthy way to get the phone number associated with the phone (the one currently provisioning by the SIM card) is through commcenter (note the use of plutil to convert a binary PList file to XML)
    • plutil -convert xml1 -o - ./wireless/Library/Preferences/com.apple.commcenter.plist
  • Here is a way to extract the phone number from the Address Book database (note the use of sqlite3 and the ".dump" command)
    • sqlite3 ./mobile/Library/AddressBook/AddressBook.sqlitedb .dump | grep Raymond | grep 514
  • Here is another way to extract from the FaceTime settings
    • plutil -convert xml1 -o - ./mobile/Library/Preferences/com.apple.imservice.FaceTime.plist | grep 514

2. What is Raymond's GMail account and its password (e-mail/password) ?

  • Flag: raymond.tusk@gmail.com/7JZ+GCIMx9yjPlRB
  • You could probably start by grepping "@gmail.com" to get a list of interesting file. Also many people have their name in their email address, so you could include raymond's name...
  • grep -Uslri "raymond.*@gmail\.com" .
  • Since Raymond uses his gmail.com account as his Apple ID as well, this will give you way more results than you'd like...
  • Once you've confirmed that his address is raymond.tusk@gmail.com, you can proceed with the extraction of his password
  • As a forensics expert, you should know that on an iPhone, passwords for system apps (as well as properly developed apps use the Keychain).
  • The keychain can be found here ./Keychains/keychain-2.db, but you could've found it using find . -type f -iname *keychain*
  • The keychain data is encrypted using a encryption key derived from a hardware key (stored in the crypto processor)
  • The hardware key and/or derived keys can only be extracted by inspecting the live memory, so there is no way to do this only using the provided dump.
  • Since you need physical access to the device (connected via USB), I have provided the extracted keybag in the *.tar.bz2 archive
    • CASE_GHB-2345453763-2239982_keychain-2.db
  • In order to use this file, you'll need to download the keychain_tool.py script found here
  • This script uses the keybag file to decrypt the keychain
  • python keychain_tool.py -d CASE_GHB-2345453763-2239982_keychain-2.db CASE_GHB-2345453763-2239982_b512786b70a19df8-keybag.plist| grep "imap\.gmail"

3. What is Raymond's iPhone IMEI (International Mobile Equipment Identifier) ?

4. Where and when is Raymond supposed to meet his mistress ? What's her name ? (MISTRESS_NAME/NUMERIC_ROOM_NUMBER/24_HOUR_FORMAT_TIME)

5. What is the name of the coding alphabet that the criminals use when refering to their actions? Our sources think it might be a very old phonetic alphabet from the US Army (YEAR_FIRSTWORD_SECONDWORD)

6. Apart from Raymond, give the full name of all his partners in crime (3 persons). (FirstName1_LastName1+FirstName2_LastName2+FirstName3_LastName3 in alphabetical order)

7. Give the probable code name they will use to refer to their next scheduled status meeting (given that all four criminals will attend, sort them in alphabetic order)

8. Give the name and postal code of the first two secret locations (use the format LocationCodeName1_FirstPartOfPostalCode+LocationCodeName2_FirstPartOfPostalCode)

9. Give the name and exact coordinates of the third and last secret location (LocationCodeName1_latitude_longitude)

10. What is the stock symbol that was the target of their latest illegal insider trading?

11. What is the UPC code of Raymond's favorite booze, the name of the product + GPS location of where he typically buys this booze (format: 0123456_BoozeBrandName_latitude_longitude)

12. It looks like our criminals are planning on meeting abroad. Find the cryptographic signature (512 bits) of boarding pass for the flight landing in their secret location.

13. Give the bank account information they are using the transfer money to their offshore account (use the format: BANKID_BRANCHID_ACCOUNTNUMBER)

14. We suspect that Raymond and his team have been contracted by a stocks trading company to create a custom iPhone application to store material information on stock trading. Try extracting the most valuable secret information stored by this app.

The following was obtained from our mole working for the national police...
===========================
===========================
===========================
Police forensics case GHB-2345453763-2239982
=============================================
As an mobile forensics expert, you've been asked to contribute to a securities fraud investigation of the Major Fraud division of the state police. You need to help the agents to build a case against Raymond Tusk, the Chief Financial Officer of OnionOtar LLC. Mr Tusk is suspected to take part in illegal insider tradings where he and his crime partners are using non-public material information regarding high margin tradings on the stock market.
Here are some basic informations regarding to suspect:
Raymond Tusk personal informations:
* Born on April 5th 1949 in Bridgeport, West Virginia
* CFO at OnionOtar since May 2005
* Married to Sally Rosenberg
* Linked In profile: http://www.linkedin.com/pub/raymond-tusk/65/b94/bb5
* Facebook profile: https://www.facebook.com/raymond.tusk
* Twitter profile: https://twitter.com/raymondtusk
Forensics expert notes:
- We have used the official toolset to extract from the suspect's iPhone 4 device
- http://code.google.com/p/iphone-dataprotection/
1. The device was imaged byte-for-byte (using dd) without leaving any trace (RAMDISK injection technique)
2. The pin / passcode was bruteforced when physically connected to the device (pin was 1234)
3. The keybag was exported
4. Sparse image was compressed from 16 GB down to 512 MB
TODO: We did not have time to decrypt the keychain, but we have already extracted all we needed from the target's physical device
The prosecutor asked you to answer the following forensics questions:
(All latitude / longitude to be provided in decimal format: for instance 42.335567,-77.234345)
1. What is Raymond's cellphone number (international format) ?
2. What is Raymond's GMail account and its password (e-mail/password) ?
3. What is Raymond's iPhone IMEI (International Mobile Equipment Identifier) ?
4. Where and when is Raymond supposed to meet his mistress ? What's her name ? (MISTRESS_NAME/NUMERIC_ROOM_NUMBER/24_HOUR_FORMAT_TIME)
5. What is the name of the coding alphabet that the criminals use when refering to their actions? Our sources think it might be a very old phonetic alphabet from the US Army (YEAR_FIRSTWORD_SECONDWORD)
5. Apart from Raymond, give the full name of all his partners in crime (3 persons). (FirstName1_LastName1+FirstName2_LastName2+FirstName3_LastName3 in alphabetical order)
6. Give the probable code name they will use to refer to their next scheduled status meeting (given that all four criminals will attend, sort them in alphabetic order)
7. Give the name and postal code of the first two secret locations
(use the format LocationCodeName1_FirstPartOfPostalCode+LocationCodeName2_FirstPartOfPostalCode)
8. Give the name and exact coordinates of the third and last secret location (LocationCodeName1_latitude_longitude)
9. What is the stock symbol that was the target of their latest illegal insider trading?
10. What is the UPC code of Raymond's favorite booze, the name of the product + GPS location of where he typically buys this booze
(format: 0123456_BoozeBrandName_latitude_longitude)
11. It looks like our criminals are planning on meeting abroad. Find the cryptographic signature (512 bits) of boarding pass for the flight landing in their secret location.
12. Give the bank account information they are using the transfer money to their offshore account
(use the format: BANKID_BRANCHID_ACCOUNTNUMBER)
13. We suspect that Raymond and his team have been contracted by a stocks trading company to create a custom iPhone application to store material information on stock trading. Try extracting the most valuable secret information stored by this app.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DKey</key>
<string>84fb253dbce4066e00e7f5475aeb828af09ca7f4e27a9615c29b8e8ade46ec63</string>
<key>ECID</key>
<integer>2912273892302</integer>
<key>EMF</key>
<string>7cb3d1295cf56910c92d5f5276f01fcecbb754d7b8bdb58054eb15f17ed31904</string>
<key>KeyBagKeys</key>
<data>
REFUQQAABORWRVJTAAAABAAAAANUWVBFAAAABAAAAABVVUlEAAAAEInHQtGRTkrkiaa3
+zl2aB5ITUNLAAAAKLEDRYPLy4A8UwmLHGJncl+XvbcFVAcGkCy+Du6ux1jOo9tonaZK
ps9XUkFQAAAABAAAAAFTQUxUAAAAFCZuZwhD5e/py0391L+qoPACuK1eSVRFUgAAAAQA
AMNQVVVJRAAAABCk87HYmlRND6u3PwF/vaPwQ0xBUwAAAAQAAAALV1JBUAAAAAQAAAAB
S1RZUAAAAAQAAAAAV1BLWQAAACAxls2wkv96gRNXbf4RTXzYTqC7SdXuRYRFe91XsCOc
r1VVSUQAAAAQM6cP4uJdSJykoRQOxjQXp0NMQVMAAAAEAAAACldSQVAAAAAEAAAAA0tU
WVAAAAAEAAAAAFdQS1kAAAAoePtZBy4af9mYJ8kuZpfSAETNAGVhCCGIglvC5JrFuoEc
4rQiHNFSOlVVSUQAAAAQgbCYh11SQWyuLcqg4XpqtkNMQVMAAAAEAAAACVdSQVAAAAAE
AAAAA0tUWVAAAAAEAAAAAFdQS1kAAAAoSN8dDIl060SI20dIoXKqnn6KkqeCem9Bhg+D
/Dk27PKIMffNaANcnlVVSUQAAAAQ0PUYkv3zTW2/WnoVTcBZmENMQVMAAAAEAAAACFdS
QVAAAAAEAAAAAUtUWVAAAAAEAAAAAFdQS1kAAAAgsPAn3zBhjfgE+VdAlzPEePQ/EJ4I
vnywHgIyAeJwhgNVVUlEAAAAEOxQNRwFPUKii3A+Eim4P4tDTEFTAAAABAAAAAdXUkFQ
AAAABAAAAANLVFlQAAAABAAAAABXUEtZAAAAKJi16e4LUW2VUiHDvOs6yZFcNwyuxWlP
ehR/xa3haax26aLEAW+uzPFVVUlEAAAAENEsn+/od0ukn6zIT8dC8DtDTEFTAAAABAAA
AAZXUkFQAAAABAAAAANLVFlQAAAABAAAAABXUEtZAAAAKGyaoCzTTBEXp07KTNIB+LCy
0tuCGAoGetzfw+7o7qPIge3Vszf0rGZVVUlEAAAAEL86w+1C4kqyoQv9HT3foENDTEFT
AAAABAAAAAVXUkFQAAAABAAAAANLVFlQAAAABAAAAABXUEtZAAAAKLeKoQ5tFlT7MJGg
qxOiFkpBhh7OT2MZvU8I96peFa+g5SV8sUCzHmBVVUlEAAAAELkZo516ZEgiqkvhcvV2
QspDTEFTAAAABAAAAANXUkFQAAAABAAAAANLVFlQAAAABAAAAABXUEtZAAAAKMK+Fy8r
eHGDkBdkQZCdua5+LWS20R34RXRDukmQKiaOC+AL7Ch51xxVVUlEAAAAEJ3SkVWkCU19
kiWG3bqwvpBDTEFTAAAABAAAAAJXUkFQAAAABAAAAANLVFlQAAAABAAAAAFXUEtZAAAA
KHcRp/ZTYqFweQXzEXBOwFyyip4RXAw8DssEo6AuCGud6frfattaM0BQQktZAAAAIGWK
xYR8p2d9iHCPxt8um8YC5FIvnBcdNr0OXR0c5rxbVVVJRAAAABCxft0QnytP+qaByPSn
oCryQ0xBUwAAAAQAAAABV1JBUAAAAAQAAAADS1RZUAAAAAQAAAAAV1BLWQAAACjmCbPO
kiARYKTuZessNCwTyy6wUkLvRQK/+mHeA+dCPR+K3PO+DA9SU0lHTgAAABTxdJZUF/j6
StIRuAAEAm+Kemn00g==
</data>
<key>btMac</key>
<string>24:ab:81:8c:57:06</string>
<key>dataVolumeOffset</key>
<integer>178176</integer>
<key>dataVolumeUUID</key>
<string>b512786b70a19df8</string>
<key>hwModel</key>
<string>N90AP</string>
<key>imei</key>
<string>012545008722548</string>
<key>kern.bootargs</key>
<string>rd=md0 pio-error=0 -v </string>
<key>key835</key>
<string>e0d459b574f4f2862bd089edeab14d99</string>
<key>key899</key>
<string>7874451d9a4d11575c8a2292c0801ec8</string>
<key>key89A</key>
<string>cdb45e510e3f8455b079a6693cb01ee8</string>
<key>key89B</key>
<string>e60093b107a6f874626257202f0135ab</string>
<key>keybags</key>
<dict>
<key>89c742d1914e4ae489a6b7fb3976681e</key>
<dict>
<key>KeyBagKeys</key>
<data>
REFUQQAABORWRVJTAAAABAAAAANUWVBFAAAABAAAAABVVUlEAAAA
EInHQtGRTkrkiaa3+zl2aB5ITUNLAAAAKLEDRYPLy4A8UwmLHGJn
cl+XvbcFVAcGkCy+Du6ux1jOo9tonaZKps9XUkFQAAAABAAAAAFT
QUxUAAAAFCZuZwhD5e/py0391L+qoPACuK1eSVRFUgAAAAQAAMNQ
VVVJRAAAABCk87HYmlRND6u3PwF/vaPwQ0xBUwAAAAQAAAALV1JB
UAAAAAQAAAABS1RZUAAAAAQAAAAAV1BLWQAAACAxls2wkv96gRNX
bf4RTXzYTqC7SdXuRYRFe91XsCOcr1VVSUQAAAAQM6cP4uJdSJyk
oRQOxjQXp0NMQVMAAAAEAAAACldSQVAAAAAEAAAAA0tUWVAAAAAE
AAAAAFdQS1kAAAAoePtZBy4af9mYJ8kuZpfSAETNAGVhCCGIglvC
5JrFuoEc4rQiHNFSOlVVSUQAAAAQgbCYh11SQWyuLcqg4XpqtkNM
QVMAAAAEAAAACVdSQVAAAAAEAAAAA0tUWVAAAAAEAAAAAFdQS1kA
AAAoSN8dDIl060SI20dIoXKqnn6KkqeCem9Bhg+D/Dk27PKIMffN
aANcnlVVSUQAAAAQ0PUYkv3zTW2/WnoVTcBZmENMQVMAAAAEAAAA
CFdSQVAAAAAEAAAAAUtUWVAAAAAEAAAAAFdQS1kAAAAgsPAn3zBh
jfgE+VdAlzPEePQ/EJ4IvnywHgIyAeJwhgNVVUlEAAAAEOxQNRwF
PUKii3A+Eim4P4tDTEFTAAAABAAAAAdXUkFQAAAABAAAAANLVFlQ
AAAABAAAAABXUEtZAAAAKJi16e4LUW2VUiHDvOs6yZFcNwyuxWlP
ehR/xa3haax26aLEAW+uzPFVVUlEAAAAENEsn+/od0ukn6zIT8dC
8DtDTEFTAAAABAAAAAZXUkFQAAAABAAAAANLVFlQAAAABAAAAABX
UEtZAAAAKGyaoCzTTBEXp07KTNIB+LCy0tuCGAoGetzfw+7o7qPI
ge3Vszf0rGZVVUlEAAAAEL86w+1C4kqyoQv9HT3foENDTEFTAAAA
BAAAAAVXUkFQAAAABAAAAANLVFlQAAAABAAAAABXUEtZAAAAKLeK
oQ5tFlT7MJGgqxOiFkpBhh7OT2MZvU8I96peFa+g5SV8sUCzHmBV
VUlEAAAAELkZo516ZEgiqkvhcvV2QspDTEFTAAAABAAAAANXUkFQ
AAAABAAAAANLVFlQAAAABAAAAABXUEtZAAAAKMK+Fy8reHGDkBdk
QZCdua5+LWS20R34RXRDukmQKiaOC+AL7Ch51xxVVUlEAAAAEJ3S
kVWkCU19kiWG3bqwvpBDTEFTAAAABAAAAAJXUkFQAAAABAAAAANL
VFlQAAAABAAAAAFXUEtZAAAAKHcRp/ZTYqFweQXzEXBOwFyyip4R
XAw8DssEo6AuCGud6frfattaM0BQQktZAAAAIGWKxYR8p2d9iHCP
xt8um8YC5FIvnBcdNr0OXR0c5rxbVVVJRAAAABCxft0QnytP+qaB
yPSnoCryQ0xBUwAAAAQAAAABV1JBUAAAAAQAAAADS1RZUAAAAAQA
AAAAV1BLWQAAACjmCbPOkiARYKTuZessNCwTyy6wUkLvRQK/+mHe
A+dCPR+K3PO+DA9SU0lHTgAAABTxdJZUF/j6StIRuAAEAm+Kemn0
0g==
</data>
<key>passcode</key>
<string>1234</string>
<key>passcodeKey</key>
<string>00e23566472fe24b084e2b30439f311defb1959887fcb95e43b97105eb77c3de</string>
</dict>
</dict>
<key>lockers</key>
<data>
a0w0ADFHQUIxR0FCd+izsvvRplwQGdQraUi1bJiGR0UDHHOU4iPrIXxvWuS1VRd+KF26
CxpqHX9z13SLa0xQAE1Wd0yseeopmstGcyUL25yLP2kNmL7vpkl3zIrdp4+pmmRnwSz1
p0sG6LcXfTTl2diXfFFvjYlQW7xF4OFqPZjCe8xS14Y/Q01ly62vb5nCPV8BPWtMKAB5
ZWvEemsnV6oTcDH1qXtbdm3uOwNVqkN49h6axCbbKxCTJ6B925p4ntgct2tMAABFTk9E
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
</data>
<key>nand</key>
<dict>
<key>#block-pages</key>
<integer>128</integer>
<key>#bootloader-bytes</key>
<integer>1536</integer>
<key>#ce</key>
<integer>4</integer>
<key>#ce-blocks</key>
<integer>4100</integer>
<key>#page-bytes</key>
<integer>8192</integer>
<key>#spare-bytes</key>
<integer>448</integer>
<key>banks-per-ce</key>
<integer>2</integer>
<key>bbt-format</key>
<integer>1</integer>
<key>boot-from-nand</key>
<data>
AQAAAA==
</data>
<key>device-readid</key>
<integer>848619416</integer>
<key>dumpedPageSize</key>
<integer>8212</integer>
<key>is-bfn-partitioned</key>
<true/>
<key>meta-per-logical-page</key>
<integer>12</integer>
<key>metadata-whitening</key>
<data>
AQAAAA==
</data>
<key>name</key>
<data>
ZGlzawA=
</data>
<key>partitions</key>
<dict>
<key>Boot Block</key>
<dict>
<key>Block Count</key>
<integer>1</integer>
<key>Block Offset</key>
<integer>0</integer>
</dict>
<key>Effaceable</key>
<dict>
<key>Block Count</key>
<integer>1</integer>
<key>Block Offset</key>
<integer>1</integer>
</dict>
<key>Filesystem</key>
<dict>
<key>Block Count</key>
<integer>4084</integer>
<key>Block Offset</key>
<integer>16</integer>
</dict>
<key>Firmware</key>
<dict>
<key>Block Count</key>
<integer>8</integer>
<key>Block Offset</key>
<integer>8</integer>
</dict>
<key>NVRAM</key>
<dict>
<key>Block Count</key>
<integer>6</integer>
<key>Block Offset</key>
<integer>2</integer>
</dict>
</dict>
<key>ppn-device</key>
<false/>
<key>use-4k-aes-chain</key>
<data>
AQAAAA==
</data>
<key>valid-meta-per-logical-page</key>
<integer>10</integer>
<key>vendor-type</key>
<integer>1376273</integer>
</dict>
<key>passcode</key>
<string>1234</string>
<key>passcodeKey</key>
<string>00e23566472fe24b084e2b30439f311defb1959887fcb95e43b97105eb77c3de</string>
<key>ramdisk compile time</key>
<string>Feb 17 2013 02:42:17</string>
<key>ramdisk revision</key>
<string>a829f9fe7a77</string>
<key>serialNumber</key>
<string>82051WRAA4S</string>
<key>udid</key>
<string>c591ea6f5e14167d10f3c8462173a84d7a1ff088</string>
<key>wifiMac</key>
<string>24:ab:81:8c:57:07</string>
</dict>
</plist>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment