Last active
          October 30, 2024 03:38 
        
Revisions
- 
        Cryptiiiic revised this gist Apr 28, 2024. 1 changed file with 3 additions and 1 deletion.
        @@ -6,7 +6,9 @@ ```c struct nonce_seeds_header { uint32_t blob_version; uint8_t pad[6]; uint64_t hash_size; uint8_t boot_manifest_hash[48]; uint8_t end_data[9]; }; 
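Review bot: In `struct nonce_seeds_header`, the typed fields no longer guarantee the 75-byte layout that the original `uint8_t data[75]` had. Without a packed attribute a typical compiler aligns `uint64_t hash_size` to 8 bytes, which inserts padding after `pad[6]` and at the end of the struct, so `sizeof` grows beyond 75 and every `seeds[]` offset reached through `struct nonce_seeds` shifts. Mark the struct packed (for example `__attribute__((packed))`) or add a static assertion that its size is 75. It is also worth a comment that `hash_size` is read as little-endian, since the dumped `30 00 ...` bytes only equal 48, the length of `boot_manifest_hash`, in that byte order.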
- 
        Cryptiiiic revised this gist Apr 24, 2024. 1 changed file with 16 additions and 2 deletions.
        @@ -6,7 +6,9 @@ ```c struct nonce_seeds_header { uint8_t data[18]; uint8_t boot_manifest_hash[48]; uint8_t end_data[9]; }; struct nonce_seed { @@ -25,7 +27,11 @@ struct nonce_seeds { sizeof() == 0x203 ``` // Header/Unknown 0200000000000000000030000000000000000 // boot manifest hash(hash of the apticket) 686F676501C75A59C06249BE55AC2EF640EA62D61A7D22F8107334CC054209806CB556AA808C258579DB649809C9B7D0 // Header/Unknown tail 10B00000000000000 // com.apple.private.img4.nonce.test seed 0000000000000000969B93AD696856F7028D7749240DCF57 @@ -70,3 +76,11 @@ struct nonce_seeds *nonce_seeds_struct = get_nonce_seeds(); uint8_t cryptex_seed = (uint8_t *)&(nonce_seeds_struct->seeds[crypex_boot_domain_index].seed); ``` There seems to be no consistency with nonce-seeds sizes, apple changes it when they want... ## nonce-seeds size differences: ```c a11 16.5-16.7.x: 0x203 a14 16.1.1: 0x1B4 a15 15.0 beta: 0xD0 a15 15.4.1: 0x132 ``` 
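Review bot: In the last hunk, the new size list contradicts the fixed layout documented above it. With a 75-byte header (18 + 48 + 9) and 40-byte `struct nonce_seed` entries, only 0x203 fits (75 + 11 × 40 = 515); 0x1B4, 0xD0 and 0x132 are not 75 plus a multiple of 40. State next to the list that the structs and the index into `seeds[]` were checked against the d22ap 16.5 dump only, and that other devices and versions need their own header and entry sizes before that index is used. The list is also fenced as `c` although it is not C; a plain fence would be accurate.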
- 
        Cryptiiiic revised this gist Apr 21, 2024. 1 changed file with 1 addition and 1 deletion.
        @@ -65,7 +65,7 @@ sizeof() == 0x203 based on the structs then cryptex seed would be: com.apple.private.img4.nonce.cryptex1.boot 0x96DF5AC45A5EE83D7FC19A8494E4A322 ```c int crypex_boot_domain_index = 7; struct nonce_seeds *nonce_seeds_struct = get_nonce_seeds(); uint8_t cryptex_seed = (uint8_t *)&(nonce_seeds_struct->seeds[crypex_boot_domain_index].seed); ``` 
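Review bot: In the snippet, the line after the corrected `int crypex_boot_domain_index = 7;` still declares `uint8_t cryptex_seed` and initializes it from a `(uint8_t *)` cast, so a pointer is converted into a single byte instead of referring to the 16-byte seed. Declare it as `uint8_t *cryptex_seed = nonce_seeds_struct->seeds[crypex_boot_domain_index].seed;` since the array already decays to a pointer and neither the `&` nor the cast is needed. `crypex` also looks like a misspelling of `cryptex`.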
- 
        Cryptiiiic created this gist Apr 21, 2024.
@@ -0,0 +1,72 @@ # Cryptex ## Short overview of iOS 16+ nonce-seeds nvram variable most notably used for cryptex. ## Some structs ```c struct nonce_seeds_header { uint8_t data[75]; }; struct nonce_seed { uint8_t unused_pad[8]; uint8_t seed[16]; uint8_t unused_end_pad[16]; }; struct nonce_seeds { struct nonce_seeds_header header; struct nonce_seed seeds[]; }; ``` ## nonce-seeds nvram variable dumped from d22ap 16.5 sizeof() == 0x203 ``` // Header/Unknown 0200000000000000000030000000000000000686F676501C75A59C06249BE55AC2EF640EA62D61A7D22F8107334CC054209806CB556AA808C258579DB649809C9B7D010B00000000000000 // com.apple.private.img4.nonce.test seed 0000000000000000969B93AD696856F7028D7749240DCF57 00000000000000000000000000000000 // com.apple.private.img4.nonce.trust-cache 00000000000000003E6D083FE13F96E4BE5ECB53724FA7C5 00000000000000000000000000000000 // com.apple.private.img4.nonce.pdi 000000000000000068CA2566CA4CD905C9B3D4BA1026B5EF 00000000000000000000000000000000 // com.apple.private.img4.nonce.cryptex 00000000000000004FFBEDCCAEBE8AB453DA9AD6A80F9916 00000000000000000000000000000000 // com.apple.private.img4.nonce.ddi 00000000000000009BEA1F420ADF76D1A1D468A127336B3F 00000000000000000000000000000000 // com.apple.private.img4.nonce.ephemeral-cryptex 000000000000000032E1867193B3F3CDF6D0EA4CE88138D8 00000000000000000000000000000000 // com.apple.private.img4.nonce.cryptex1.snuf-stub 0000000000000000210EE4C7137BCE636EB97BEED39D9B8D 00000000000000000000000000000000 // com.apple.private.img4.nonce.cryptex1.boot 000000000000000096DF5AC45A5EE83D7FC19A8494E4A322 00000000000000000000000000000000 // com.apple.private.img4.nonce.cryptex1.asset 0000000000000000177CEF5E8F0AE3D4D47FC31EC3FFEA40 00000000000000000000000000000000 // com.apple.private.img4.nonce.cryptex1.supplemental 00000000000000008040B8B7460A994FC71D2D150B84C0EB 00000000000000000000000000000000 // com.apple.private.img4.nonce.cryptex1.simulator 0000000000000000894F312358177C93ACC9B00412149500 
00000000000000000000000000000000 ``` based on the structs then cryptex seed would be: com.apple.private.img4.nonce.cryptex1.boot 0x96DF5AC45A5EE83D7FC19A8494E4A322 ```c int crypex_boot_domain_index = 7 struct nonce_seeds *nonce_seeds_struct = get_nonce_seeds(); uint8_t cryptex_seed = (uint8_t *)&(nonce_seeds_struct->seeds[crypex_boot_domain_index].seed); ```
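Review bot: In the final snippet, `seeds[crypex_boot_domain_index]` is read with a hard-coded index of 7 and nothing checks that index against the size of the variable. `struct nonce_seeds` ends in a flexible array with no count field, so derive the entry count as (variable size minus the header size) divided by `sizeof(struct nonce_seed)` and compare the index against it before indexing; for the 0x203 dump that gives 11 entries. `get_nonce_seeds()` is also used without any description of where the buffer comes from or how its length is obtained, and the `int crypex_boot_domain_index = 7` line is missing its semicolon.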