#!/usr/bin/env python3
import usb.core
import struct
from collections import namedtuple
APPLE_VID = 0x05ac
Target = namedtuple("Target", ["vid", "pid", "name", "model", "total_size"])
.text
.pool
.set ARM_TTE_BLOCK_PNX, 0x0020000000000000
.set ARM_TTE_BLOCK_NX, 0x0040000000000000
.set SDRAM_PAGE1, 0x180082000
.set SRAM_PAGE1, 0x1800841F0
.global _main
iPhone8 15.1 19B74
iBoot: 0x1800309c0 : 000080d2
iBoot: 0x180038744 : af070094
iBoot: 0x18003a844 : 9386ff17
iBoot: 0x18001c290 : a1000058df0301eb40000054202080d2c0035fd6
iBoot: 0x18001c2a4 : 4887038001000000
iBoot: 0x1800325dc : 200080d2
iBoot: 0x18009127f : 7261316e736e3077206d6f6465
iBoot: 0x180038f04 : 1f2003d5
# sudo pip install uefi_firmware
# python3 e.py input output
import sys
from uefi_firmware import efi_compressor

# Read the raw section and skip its 7-byte header to reach the compressed payload
handle = open(sys.argv[1], "rb")
content = handle.read()
newc = content[7:]
# Tiano-decompress the payload into a bytes object
c = efi_compressor.TianoDecompress(newc, len(newc))
d = open(sys.argv[2], "wb")
# Locate the start of the embedded PE/COFF ("MZ") image inside the decompressed data
st_mz = c.find(b"MZ")
] printenv
boot-partition = ""
boot-path = "/System/Library/Caches/com.apple.kernelcaches/kernelcach"
dt-path = "/usr/standalone/firmware/devicetree.img"
roothash-path = "/usr/standalone/firmware/root_hash.img"
ibd-path = "/usr/standalone/firmware/FUD/iBootData.img"
sepfw-path = "/usr/standalone/firmware/sep-firmware.img"
tc-path = "/usr/standalone/firmware/FUD/StaticTrustCache.img"
tc-eng-dir = "/usr/standalone/firmware/trustcache"
build-style = "DEVELOPMEN"
Type | Subtype | Offset | Size | CRC32 | Name
Image | UEFI | 00000000 | 0299AA15 | F1D51BF8 | UEFI image
Padding | Non-empty | 00000000 | 000E0027 | D0F8A5FF | - Padding
Volume | FFSv2 | 000E0027 | 00008000 | A28B90B1 | - 8C8CE578-8A3D-4F1C-9935-896185C32DD3
Free space | | 000E006F | 00007FB8 | 425AB2D9 | -- Volume free space
Volume | FFSv2 | 000E8027 | 028B0000 | 25F96F5F | - 8C8CE578-8A3D-4F1C-9935-896185C32DD3
File | Freeform | 000E806F | 0000013C | C3B1AD8F | -- FC510EE7-FFDC-11D4-BD41-0080C73C8881 | DXE apriori file
Section | Raw | 000E8087 | 00000124 | 103B4756 | --- Raw section
File | Pad | 000E81AF | 00007E60 | D21642FD | -- Pad-file
[0012609A:36DA001E] :-) soc -p
vendor: Apple
model: 8103
primary-cpu: Tempest
fuse-rev: 11
security-epoch: 1
security-domain0: 1
security-domain1: 0
production-mode: 1
board-id: 0
- [05/04/21 15:20:57] <Info>: Waiting for DFU devices
- [05/04/21 15:21:20] <Verbose>: DFU mode device found
- [05/04/21 15:21:20] <Info>: Exploiting
- [05/04/21 15:21:20] <Verbose>: Attempting to perform checkm8 on 8011 10...
- [05/04/21 15:21:20] <Info>: Checking if device is ready
- [05/04/21 15:21:20] <Verbose>: == Checkm8 Preparation stage ==
- [05/04/21 15:21:20] <Verbose>: Stalled input endpoint
- [05/04/21 15:21:20] <Verbose>: DFU device disconnected
- [05/04/21 15:21:20] <Verbose>: DFU mode device found
- [05/04/21 15:21:20] <Info>: Setting up the exploit (this is the heap spray)
======================================================================================
======================================================================================
== Tweedle D & Tweedle dum! ==========================================================
======================================================================================
======================================================================================
Sun, 25 Oct 2020 4:44PM PST.... ======================================================
Author: NOBODY (et-al) ===============================================================
======================================================================================
= OR 'hello world of TMM & PKA' ======================================================
There is a bug in SEPROM, at least up to A10 (the one I reversed), in the trustzone bounds checks.
The trustzone is set up by the main AP in an early boot stage, and because of that SEPROM has to verify that it is set up correctly before continuing to boot SEPOS.
Otherwise the AP could write to SEPOS RAM and with that might be able to get code execution on the SEP.
The verification is done by first checking whether the trustzone values are locked and then whether they are correct.
Those values are stored in hardware registers that both processors share.
The registers are only 32 bits wide, though, and because of that Apple decided to shift the address down by 12 bits before putting it into the registers.
This means that if you want to lock down 0x1000000 to 0x2000000 you actually write 0x1000 and 0x2000 to the registers.
On the other side, SEPROM loads these values from the hardware registers again.
But instead of just comparing them against some constant, it shifts all of those values up by 12 bits again before doing any check on