Jevin Sweval jevinskie

## 22A5297f_T8027si_keys.json
{
  "device": "iPad8,1",
  "keybags": [
    {
      "buildnum": "22A5297f",
      "illb": "818B9C71517E44B43ABB4286F4E7721D9D2CE2B50ACA54DD1F90F847837922BED757C74645F44D2FFD99A26829C50B5C",
      "ibot": "0341CD7B968FD8FA8F61355CA62CDF8E85746C67C329177954E7EBEE6FB7EAF835F7D6AF8FBA205AD3A0AE2C6FEE6107",
      "ibec": "73F97951EC97654DE13B6EBEE11DD7E750AD1ADAF7892B7D1C84C48FAA4D18410E3DBAD34699F7B9C5FFC2F12B0F6C67",
      "ibss": "00F2DF875304D5474B6A5A21924250DB84A681E5E0E6BAFD3489627D563C102EA5F03EECC4F4EE1EA1EAA5EC83DC66AD"
    }

## 22A5297f_T8020si_keys.json
{
  "device": "iPhone11,2",
  "keybags": [
    {
      "buildnum": "22A5297f",
      "illb": "57AE11AFCD80CFAA9D3835BEAE2E2868BF8FB8D6E6F2B3824C8F1A36C4CA1F20933C0E8B8959AC776430C2BD46A14302",
      "ibot": "EDF2B23237C5099FF6A766DBFF00B626DCC66B89BB32077308D905A127F23EB01DF70C7035A40FB27650F194356A6951",
      "ibec": "55CCB6E4A0FC64A64DC14EB84465A0FA89DE5829601997936752C57936EF47C8F2789A5EF8E79A70FAC10225E065C87F",
      "ibss": "73C76D990BBF6BF4C91201B232107ACA40E8548EBC4B5CCA4E9213705A56E1ED9C7094EC5B8F44922930E13D7AFB60F9"
    }

## qspi_iostream.py
from amaranth import *
from amaranth.lib import enum, data, wiring, stream, io
from amaranth.lib.wiring import In, Out, connect, flipped
from amaranth.sim import Simulator


class IOStream(wiring.Component):
    def __init__(self, width, *, meta_layout=0, latency=0):
        self._latency = latency

## spi_serdes.py
from amaranth import *
from amaranth.lib import data, wiring, stream, io
from amaranth.lib.wiring import In, Out
from amaranth.sim import Simulator


class BitSerializer(wiring.Component):
    def __init__(self, *, width, length):
        self._length = length

## iPhone Mirroring.md

      
              1 file
            
          
              2 forks
            
          
              140 comments
            
          
              32 stars
            
          
                Kyle-Ye
                / iPhone Mirroring.md
            
            
              Last active
              June 29, 2024 15:20
            
              
                Launch iPhone Mirroring.app on macOS 15 Beta 1
              
          
Inspired by https://infosec.exchange/@jjtech/112612685494089718

Method 1: LLDB

Step 0

Reboot into Recovery OS + Disable SIP
csrutil disable


## 22A5282m_T8020_keys.json
{
  "device": "iPad11,1",
  "keybags": [
    {
      "buildnum": "22A5282m",
      "illb": "500ED7642DCBAC3FAD5EF526DAD40B21BFD09EDD395FDB74F17611E0A391E40D9682B689647007BF7AB38A0F6231D01F",
      "ibot": "DA97F55D9024CC7D1880333951F53C83D684D7796A2599EA126AA0E6CB7853E271BA265D0D382482841E4CD06815D747",
      "ibec": "BAC9D1DAF1FFBB67DF73D24DEE38DBF9AC2ADC91C8E8827AAF99F3D8FC02BD136A88EE5998A4DEC24F5EFCDEDE076A9C",
      "ibss": "504FB1BE10917D597D7053EDF7ADB0A0CEA41330DD110C675736550EAAA1F7A8946C6BFE740ACFDAB8AD69CCDC069CB6"
    }

## gspoc.txt
// native code exec PoC via Game Script - @carrot_c4k3 (exploits.forsale)
//
// sample shellcode: mov rax, 0x1337; ret;
// drop your own shellcode inplace here
let shellcode = [0x48,0xC7,0xC0,0x37,0x13,0x00,0x00,0xC3]

// hex printing helper functions
let i2c_map = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F']
let c2i_map = {'0': 0, '1': 1, '2': 2, '3': 3, '4': 4, '5': 5, '6': 6, '7': 7, '8': 8, '9': 9, 'A': 0xA, 'B': 0xB, 'C': 0xC, 'D': 0xD, 'E': 0xE, 'F': 0xF}

## z3proofternaryadd.py
# mini proof of concept of how to use Z3 to prove the correctness of bit
# manipulation formulas, using the Ternary.__add__ function from
# https://gist.github.com/dougallj/9211fd24c3759f7f340dede28929c659 as an
# example

# partly inspired by Philip Zucker's post about Z3 and ranges:
# https://www.philipzucker.com/more-stupid-z3py-tricks-simple-proofs/

import z3

## ViewController.swift
//
//  ViewController.swift
//  Journal-Calendar-Demo
//
//  Created by Seb Vidal on 30/04/2024.
//

import UIKit

class ViewController: UIViewController {

## Cryptex.md

      
              1 file
            
          
              0 forks
            
          
              2 comments
            
          
              2 stars
            
          
                Cryptiiiic
                / Cryptex.md
            
            
              Last active
              April 28, 2024 05:34
            
              
                Short overview of iOS 16+ nonce-seeds nvram variable most notably used for cryptex.
              
          
    Cryptex

Short overview of iOS 16+ nonce-seeds nvram variable most notably used for cryptex.

Some structs

struct nonce_seeds_header {
    uint32_t blob_version;
    uint8_t pad[6];
	{
	"device": "iPad8,1",
	"keybags": [
	{
	"buildnum": "22A5297f",
	"illb": "818B9C71517E44B43ABB4286F4E7721D9D2CE2B50ACA54DD1F90F847837922BED757C74645F44D2FFD99A26829C50B5C",
	"ibot": "0341CD7B968FD8FA8F61355CA62CDF8E85746C67C329177954E7EBEE6FB7EAF835F7D6AF8FBA205AD3A0AE2C6FEE6107",
	"ibec": "73F97951EC97654DE13B6EBEE11DD7E750AD1ADAF7892B7D1C84C48FAA4D18410E3DBAD34699F7B9C5FFC2F12B0F6C67",
	"ibss": "00F2DF875304D5474B6A5A21924250DB84A681E5E0E6BAFD3489627D563C102EA5F03EECC4F4EE1EA1EAA5EC83DC66AD"
	}
	{
	"device": "iPhone11,2",
	"keybags": [
	{
	"buildnum": "22A5297f",
	"illb": "57AE11AFCD80CFAA9D3835BEAE2E2868BF8FB8D6E6F2B3824C8F1A36C4CA1F20933C0E8B8959AC776430C2BD46A14302",
	"ibot": "EDF2B23237C5099FF6A766DBFF00B626DCC66B89BB32077308D905A127F23EB01DF70C7035A40FB27650F194356A6951",
	"ibec": "55CCB6E4A0FC64A64DC14EB84465A0FA89DE5829601997936752C57936EF47C8F2789A5EF8E79A70FAC10225E065C87F",
	"ibss": "73C76D990BBF6BF4C91201B232107ACA40E8548EBC4B5CCA4E9213705A56E1ED9C7094EC5B8F44922930E13D7AFB60F9"
	}
	from amaranth import *
	from amaranth.lib import enum, data, wiring, stream, io
	from amaranth.lib.wiring import In, Out, connect, flipped
	from amaranth.sim import Simulator


	class IOStream(wiring.Component):
	def __init__(self, width, *, meta_layout=0, latency=0):
	self._latency = latency
	from amaranth import *
	from amaranth.lib import data, wiring, stream, io
	from amaranth.lib.wiring import In, Out
	from amaranth.sim import Simulator


	class BitSerializer(wiring.Component):
	def __init__(self, *, width, length):
	self._length = length
	{
	"device": "iPad11,1",
	"keybags": [
	{
	"buildnum": "22A5282m",
	"illb": "500ED7642DCBAC3FAD5EF526DAD40B21BFD09EDD395FDB74F17611E0A391E40D9682B689647007BF7AB38A0F6231D01F",
	"ibot": "DA97F55D9024CC7D1880333951F53C83D684D7796A2599EA126AA0E6CB7853E271BA265D0D382482841E4CD06815D747",
	"ibec": "BAC9D1DAF1FFBB67DF73D24DEE38DBF9AC2ADC91C8E8827AAF99F3D8FC02BD136A88EE5998A4DEC24F5EFCDEDE076A9C",
	"ibss": "504FB1BE10917D597D7053EDF7ADB0A0CEA41330DD110C675736550EAAA1F7A8946C6BFE740ACFDAB8AD69CCDC069CB6"
	}
	// native code exec PoC via Game Script - @carrot_c4k3 (exploits.forsale)
	//
	// sample shellcode: mov rax, 0x1337; ret;
	// drop your own shellcode inplace here
	let shellcode = [0x48,0xC7,0xC0,0x37,0x13,0x00,0x00,0xC3]

	// hex printing helper functions
	let i2c_map = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F']
	let c2i_map = {'0': 0, '1': 1, '2': 2, '3': 3, '4': 4, '5': 5, '6': 6, '7': 7, '8': 8, '9': 9, 'A': 0xA, 'B': 0xB, 'C': 0xC, 'D': 0xD, 'E': 0xE, 'F': 0xF}
	# mini proof of concept of how to use Z3 to prove the correctness of bit
	# manipulation formulas, using the Ternary.__add__ function from
	# https://gist.github.com/dougallj/9211fd24c3759f7f340dede28929c659 as an
	# example

	# partly inspired by Philip Zucker's post about Z3 and ranges:
	# https://www.philipzucker.com/more-stupid-z3py-tricks-simple-proofs/

	import z3
	//
	// ViewController.swift
	// Journal-Calendar-Demo
	//
	// Created by Seb Vidal on 30/04/2024.
	//

	import UIKit

	class ViewController: UIViewController {