d-dandrew
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // fork() and rootless fix for Procursus bootstrap (named libTS2JailbreakEnv.dylib) | |
| // there's lots of stuff not cleaned up, feel free to play around | |
| // Requires fishhook from https://github.com/khanhduytran0/fishhook | |
| // Usage: inject to libiosexec.dylib, ensure all binaries have get-task-allow entitlement | |
| #include <assert.h> | |
| #include <errno.h> | |
| #include <fcntl.h> | |
| #include <mach/mach_init.h> | |
| #include <mach-o/dyld.h> |
Cryptiiiic
/ ios16_downgrading.txt
Created
March 1, 2023 00:10
The unfortunate state of iOS downgrading
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Unfortunately I have some bad news for downgrading. | |
| Before I explain the bad news at the end of this post, I first need to introduce a background of iOS devices. | |
| In iOS 16, Apple introduced a new firmware component known as Cryptex1. Technically, this is a "virtual" co-processor. | |
| It's purpose is to allow Apple to push RSRs (Rapid Security Responses) which are separate from traditional iOS updates and can be installed much faster. | |
| Like other firmwares, it also has a signing ticket locked to a cryptographic nonce (number-used-once). | |
| We commonly refer to the Apple signing tickets as SHSH blobs. | |
| Meaning the firmware can't be installed without a valid signing ticket as well as a matching nonce. | |
| The "big two" components we deal with signing/nonces are AP and SEP. AP is basically the main device chip (Application Processor). | |
| SEP is the security chip (Secure Enclave Processor). | |
| With regards to APNonce, Apple conveniently gave us the com.apple.System.boot-nonce NVRAM property which we use to set the APNonce generator. |
zhuowei
/ m1n1_lockdown.py
Last active
December 7, 2023 08:55
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # enable AMCC read-only region lockdown in m1n1 on M1 (Mac Mini 2020) for testing | |
| # see https://github.com/AsahiLinux/m1n1/blob/v1.1.4/src/mcc.c | |
| # https://github.com/apple-oss-distributions/xnu/blob/xnu-7195.50.7.100.1/osfmk/arm64/amcc_rorgn.c | |
| lockdownstart = 0x8_4000_0000 | |
| # amcc's protection page size seems to be 0x8000? | |
| lockdownend = 0x8_4000_8000 | |
| rambase = 0x8_0000_0000 | |
| for plane in range(3, -1, -1): | |
| print(hex(0x2_0000_0000 + 0x40000*plane + 0x680)) | |
| write32(0x2_0000_0000 + 0x40000*plane + 0x680, (lockdownstart - rambase) >> 14) |