https://www.theiphonewiki.com/w/api.php?action=feedcontributions&feedformat=atom&user=RickmarkThe iPhone Wiki - User contributions [en]2026-05-07T10:27:44ZUser contributionsMediaWiki 1.31.14https://www.theiphonewiki.com/w/index.php?title=Hack_Different&diff=122123Hack Different2022-04-14T05:55:15Z<p>Rickmark: /* Hacky */</p>
<hr />
<div>[[File:HackDifferent.png]]<br />
<br />
Hack Different is an open community originated by the [[checkra1n]] core team. It provides a more open jailbreak and research support network. The Hack Different GitHub organization serves as maintainer for several key projects to ensure support and continuity.<br />
<br />
* [http://hackdiffe.rent http://hackdiffe.rent Main Page]<br />
* [https://discord.gg/hackdifferent https://discord.gg/hackdifferent Discord Server]<br />
* [https://github.com/hack-different https://github.com/hack-different GitHub Organization]<br />
<br />
== Hacky ==<br />
<br />
[[File:Hacky.png]]<br />
<br />
Hacky is an open source bot that provides a semblance of order in Hack Different's Discord server.<br />
<br />
[[Category:Hackers]]<br />
[[Category:Teams]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Hack_Different&diff=122122Hack Different2022-04-14T05:54:53Z<p>Rickmark: </p>
<hr />
<div>[[File:HackDifferent.png]]<br />
<br />
Hack Different is an open community originated by the [[checkra1n]] core team. It provides a more open jailbreak and research support network. The Hack Different GitHub organization serves as maintainer for several key projects to ensure support and continuity.<br />
<br />
* [http://hackdiffe.rent http://hackdiffe.rent Main Page]<br />
* [https://discord.gg/hackdifferent https://discord.gg/hackdifferent Discord Server]<br />
* [https://github.com/hack-different https://github.com/hack-different GitHub Organization]<br />
<br />
== Hacky ==<br />
<br />
Hacky is an open source bot that provides a semblance of order in Hack Different's Discord server.<br />
<br />
[[Category:Hackers]]<br />
[[Category:Teams]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Hack_Different&diff=122121Hack Different2022-04-14T05:54:42Z<p>Rickmark: </p>
<hr />
<div>[[File:HackDifferent.jpg]]<br />
<br />
Hack Different is an open community originated by the [[checkra1n]] core team. It provides a more open jailbreak and research support network. The Hack Different GitHub organization serves as maintainer for several key projects to ensure support and continuity.<br />
<br />
* [http://hackdiffe.rent http://hackdiffe.rent Main Page]<br />
* [https://discord.gg/hackdifferent https://discord.gg/hackdifferent Discord Server]<br />
* [https://github.com/hack-different https://github.com/hack-different GitHub Organization]<br />
<br />
== Hacky ==<br />
<br />
Hacky is an open source bot that provides a semblance of order in Hack Different's Discord server.<br />
<br />
[[Category:Hackers]]<br />
[[Category:Teams]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=File:HackDifferent.png&diff=122120File:HackDifferent.png2022-04-14T05:54:13Z<p>Rickmark: The Hack Different logo, with the checkm8 logo included as a nod to the origination by the checkra1n team and the importance of checkm8 to research</p>
<hr />
<div>== Summary ==<br />
The Hack Different logo, with the checkm8 logo included as a nod to the origination by the checkra1n team and the importance of checkm8 to research</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=File:Hacky.png&diff=122119File:Hacky.png2022-04-14T05:53:14Z<p>Rickmark: The logo for Hacky, the Hack Different bot</p>
<hr />
<div>== Summary ==<br />
The logo for Hacky, the Hack Different bot</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Hack_Different&diff=122118Hack Different2022-04-14T05:52:29Z<p>Rickmark: </p>
<hr />
<div>[[File:HackDifferent]]<br />
<br />
Hack Different is an open community originated by the [[checkra1n]] core team. It provides a more open jailbreak and research support network. The Hack Different GitHub organization serves as maintainer for several key projects to ensure support and continuity.<br />
<br />
* [http://hackdiffe.rent http://hackdiffe.rent Main Page]<br />
* [https://discord.gg/hackdifferent https://discord.gg/hackdifferent Discord Server]<br />
* [https://github.com/hack-different https://github.com/hack-different GitHub Organization]<br />
<br />
== Hacky ==<br />
<br />
Hacky is an open source bot that provides a semblance of order in Hack Different's Discord server.<br />
<br />
[[Category:Hackers]]<br />
[[Category:Teams]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Hack_Different&diff=122117Hack Different2022-04-14T05:51:19Z<p>Rickmark: </p>
<hr />
<div>Hack Different is an open community originated by the [[checkra1n]] core team. It provides a more open jailbreak and research support network. The Hack Different GitHub organization serves as maintainer for several key projects to ensure support and continuity.<br />
<br />
* [http://hackdiffe.rent http://hackdiffe.rent Main Page]<br />
* [https://discord.gg/hackdifferent https://discord.gg/hackdifferent Discord Server]<br />
* [https://github.com/hack-different https://github.com/hack-different GitHub Organization]<br />
<br />
[[Category:Hackers]]<br />
[[Category:Teams]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=User:Rickmark&diff=122116User:Rickmark2022-04-14T05:50:21Z<p>Rickmark: </p>
<hr />
<div>{{lowercase}}<br />
'''rickmark''' is known for the adaptation of '''libimobiledevice''' for the T2 processor, as well as reverse engineering the [[USB Target Disk Mode]] protocol.<br />
<br />
He also participated in [[t8012 checkm8]] and it's inclusion in [[checkra1n]].<br />
<br />
He actively participates in [[Hack Different]] which hosts a number of open source Apple ecosystem projects[https://github.com/hack-different], as well as a Discord server[https://discord.gg/hackdifferent]<br />
<br />
He originated and actively maintains the `apple-knowledge` project, which creates machine readable documentation of Apple platforms to supplement the lack of specification and documentation in the Apple ecosystem.<br />
<br />
GPG Keygrip <code>AB8A 31E3 F065 3820 8409 222E DCC7 7F05 03C5 4932</code><br />
<br />
== External Links ==<br />
* [https://github.com/rickmark Github]<br />
* [https://github.com/su_rickmark Twitter]<br />
<br />
[[Category:Hackers]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=User:Rickmark&diff=122115User:Rickmark2022-04-14T05:49:59Z<p>Rickmark: </p>
<hr />
<div>{{lowercase}}<br />
'''rickmark''' is known for the adaptation of '''libimobiledevice''' for the T2 processor, as well as reverse engineering the [[USB Target Disk Mode]] protocol.<br />
<br />
He also participated in [[t8012 checkm8]] and it's inclusion in [[checkra1n]].<br />
<br />
He actively participates in [https://hackdiffe.rent] which hosts a number of open source Apple ecosystem projects[https://github.com/hack-different], as well as a Discord server[https://discord.gg/hackdifferent]<br />
<br />
He originated and actively maintains the `apple-knowledge` project, which creates machine readable documentation of Apple platforms to supplement the lack of specification and documentation in the Apple ecosystem.<br />
<br />
GPG Keygrip <code>AB8A 31E3 F065 3820 8409 222E DCC7 7F05 03C5 4932</code><br />
<br />
== External Links ==<br />
* [https://github.com/rickmark Github]<br />
* [https://github.com/su_rickmark Twitter]<br />
<br />
[[Category:Hackers]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Hack_Different&diff=122114Hack Different2022-04-14T05:49:08Z<p>Rickmark: </p>
<hr />
<div>Hack Different is an open community originated by the [[checkra1n]] core team. It provides a more open jailbreak and research support network. The Hack Different GitHub organization serves as maintainer for several key projects to ensure support and continuity.<br />
<br />
(Main Page)[http://hackdiffe.rent]<br />
(Discord Server)[https://discord.gg/hackdifferent]<br />
(GitHub Organization)[https://github.com/hack-different]<br />
<br />
[[Category:Hackers]]<br />
[[Category:Teams]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Hack_Different&diff=122113Hack Different2022-04-14T05:48:39Z<p>Rickmark: Created page with "Hack Different is an open community originated by the checkra1n core team. It provides a more open jailbreak and research support network. The Hack Different GitHub orga..."</p>
<hr />
<div>Hack Different is an open community originated by the [[checkra1n]] core team. It provides a more open jailbreak and research support network. The Hack Different GitHub organization serves as maintainer for several key projects to ensure support and continuity.<br />
<br />
[http://hackdiffe.rent]<br />
[https://discord.gg/hackdifferent]<br />
[https://github.com/hack-different]<br />
<br />
[[Category:Hackers]]<br />
[[Category:Teams]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=User:Rickmark&diff=122112User:Rickmark2022-04-14T05:45:47Z<p>Rickmark: </p>
<hr />
<div>{{lowercase}}<br />
'''rickmark''' is known for the adaptation of '''libimobiledevice''' for the T2 processor, as well as reverse engineering the [[USB Target Disk Mode]] protocol.<br />
<br />
He also participated in [[t8012 checkm8]] and it's inclusion in [[checkra1n]].<br />
<br />
He actively participates in [https://hackdiffe.rent] which hosts a number of open source Apple ecosystem projects ([https://github.com/hack-different]), as well as a Discord server ([https://discord.gg/hackdifferent])<br />
<br />
He originated and actively maintains the `apple-knowledge` project, which creates machine readable documentation of Apple platforms to supplement the lack of specification and documentation in the Apple ecosystem.<br />
<br />
GPG Keygrip <code>AB8A 31E3 F065 3820 8409 222E DCC7 7F05 03C5 4932</code><br />
<br />
== External Links ==<br />
* [https://github.com/rickmark Github]<br />
* [https://github.com/su_rickmark Twitter]<br />
<br />
[[Category:Hackers]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=User:Rickmark&diff=122111User:Rickmark2022-04-14T05:37:57Z<p>Rickmark: </p>
<hr />
<div>{{lowercase}}<br />
'''rickmark''' is known for the adaptation of '''libimobiledevice''' for the T2 processor, as well as reverse engineering the [[USB Target Disk Mode]] protocol.<br />
<br />
He also participated in [[t8012 checkm8]] and it's inclusion in [[checkra1n]].<br />
<br />
GPG Keygrip <code>AB8A 31E3 F065 3820 8409 222E DCC7 7F05 03C5 4932</code><br />
<br />
== External Links ==<br />
* [https://github.com/rickmark Github]<br />
* [https://github.com/su_rickmark Twitter]<br />
<br />
[[Category:Hackers]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=T6001&diff=119091T60012021-10-26T19:20:23Z<p>Rickmark: </p>
<hr />
<div>The '''Apple M1 Max''' is an ARM-based [[wikipedia:System on a chip|SoC]] designed by Apple Inc for Mac computers, as an upscaled version of the [[M1]].<br />
<br />
It was first introduced at Apple's [[Keynotes#2021|'Unleashed' keynote on {{date|2021|10|18}}]].<br />
<br />
It's identified internally as '''T6001'''.<br />
<br />
== Board Info ==<br />
<br />
<pre><br />
ChipID => 0x6001<br />
HWModel => J314cAP<br />
BuildVersion => 21A559<br />
OSVersion => 12.0.1 (initial)<br />
BridgeVersion => 19.16.10548.0.0,0 (initial)<br />
BoardId => 0x08<br />
DeviceColor => unknown<br />
ModelNumber => Z15H0010K<br />
RegionCode => LL<br />
HardwarePlatform => t6001<br />
</pre><br />
<br />
== See Also ==<br />
<br />
* [[M1]]<br />
* [[M1 Pro]]<br />
<br />
{{stub|hardware}}<br />
[[Category:Application Processors]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=T6001&diff=119090T60012021-10-26T19:18:23Z<p>Rickmark: </p>
<hr />
<div>The '''Apple M1 Max''' is an ARM-based [[wikipedia:System on a chip|SoC]] designed by Apple Inc for Mac computers, as an upscaled version of the [[M1]].<br />
<br />
It was first introduced at Apple's [[Keynotes#2021|'Unleashed' keynote on {{date|2021|10|18}}]].<br />
<br />
It's identified internally as '''T6001'''.<br />
<br />
== Board Info ==<br />
<br />
ChipID => 0x6001<br />
HWModel => J314cAP<br />
BuildVersion => 21A559<br />
OSVersion => 12.0.1 (initial)<br />
BridgeVersion => 19.16.10548.0.0,0 (initial)<br />
BoardId => 0x08<br />
DeviceColor => unknown<br />
ModelNumber => Z15H0010K<br />
RegionCode => LL<br />
HardwarePlatform => t6001<br />
<br />
== See Also ==<br />
<br />
* [[M1]]<br />
* [[M1 Pro]]<br />
<br />
{{stub|hardware}}<br />
[[Category:Application Processors]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=RemotePairing.framework&diff=119068RemotePairing.framework2021-10-26T04:11:45Z<p>Rickmark: Created page with "= RemotePairing = `RemotePairing.framework` is a part of the developer tools that allow an iDevice to be paired via a shared iCloud account."</p>
<hr />
<div>= RemotePairing =<br />
<br />
`RemotePairing.framework` is a part of the developer tools that allow an iDevice to be paired via a shared iCloud account.</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Rapport&diff=119067Rapport2021-10-26T04:10:49Z<p>Rickmark: </p>
<hr />
<div>= Rapport =<br />
<br />
Rapport is a framework that provides information about devices that share a iCloud account. This also includes family members as well as "guests" such as those who are using media services such as AirPlay. This breaks down broadly into the UI seen in System Preferences where a users's devices are shown.<br />
<br />
= Frameworks =<br />
<br />
== Rapport.framework ==<br />
<br />
This framework allows a client to ask for other signed in devices to a iCloud account.<br />
<br />
== RapportUI.framework ==<br />
<br />
This provides UI elements about devices including their icons and identifiers<br />
<br />
= Services =<br />
<br />
Devices implement services to respond to remote requests via the `rapportd` service</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Rapport&diff=119066Rapport2021-10-26T04:10:02Z<p>Rickmark: Created page with "# Rapport Rapport is a framework that provides information about devices that share a iCloud account. This also includes family members as well as "guests" such as those who..."</p>
<hr />
<div># Rapport<br />
<br />
Rapport is a framework that provides information about devices that share a iCloud account. This also includes family members as well as "guests" such as those who are using media services such as AirPlay. This breaks down broadly into the UI seen in System Preferences where a users's devices are shown.<br />
<br />
# Frameworks<br />
<br />
## Rapport.framework<br />
<br />
This framework allows a client to ask for other signed in devices to a iCloud account.<br />
<br />
## RapportUI.framework<br />
<br />
This provides UI elements about devices including their icons and identifiers</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Apple_Wireless_Diagnostics_Daemon_(AWDD)&diff=118718Apple Wireless Diagnostics Daemon (AWDD)2021-10-17T18:05:26Z<p>Rickmark: </p>
<hr />
<div>AWDD is a binary logging system for the Baseband, Bluetooth, NFC, GSM/LTE, WiFi, UWB and other such wireless radio coprocessors. Over the years it has taken on a few other responsibilities such as Springboard Locking, FaceID, and any other system level events best represented in a compact binary format. This is in opposition to text based or Plist style log files, which are also still common for other subsystems. AWDD is a proprietary TLV encoding.<br />
<br />
<br />
= TVL Encoding Scheme =<br />
<br />
== Tags ==<br />
<br />
Tags are multi-byte integers with the lowest 3 bits being the primal type, while the remaining bits get shifted right (>> 3) to become the "index" from the definition. This makes the "timestamp" value in a log (tag 0x08) actually type 0x00 and index 0x01 matching up with definition from the ambiant root file. Having a lowest order bit of 0x00 means that the value is to be interpreted as a multi-byte integer.<br />
<br />
Tags that are high in the lowest order bit are length prefixed (common of strings)<br />
<br />
0x08 index 1 with a type of 0x00 - e.g. "timestamp"<br />
0x10 index 2 with a type of 0x00 - PropertyDefinition.Index<br />
0x18 index 3 with a type of 0x00 - PropertyDefinition.Flags<br />
0x22 index 4 with a type of 0x02 - PropertyDefinition.Name<br />
0x0A index 1 with a type of 0x02 - ObjectDefinition<br />
0x12 index 2 with a type of 0x02 - PropertyDefinition<br />
Clearly we demonstrate a primordial integer vs a length prefixed sequence<br />
<br />
== Types ==<br />
<br />
Potential for enum or flags<br />
<br />
0x00 - Length encoded integer<br />
0x01 - FLAG?<br />
0x02 - Object with length prefixed multi-byte integer<br />
0x03<br />
0x04 - FLAG?<br />
0x05<br />
0x06<br />
0x07<br />
This implies that type 0x02 is some form of sequence<br />
<br />
== Multi-byte integers ==<br />
<br />
The AWDD format can encode multi-byte integers in a format similar to ASN.1 (I'm not yet totally convinced this isn't ASN.1 but hey, when have I ever done protocols the easy way?).<br />
<br />
For a multi-byte integer the high order bit (0x80) is set on all bytes which are not the final byte of the integer. Once all the bytes of the integer are collected, the high order bit is masked off, (& 0x7F) and the remaining 7 bit bytes are bitstring concatenated to produce the final integer. This is complicated as the integer is still little endian though the encoding uses the most-significant-bit in big-endian format to determine the int's run length. The completed algorith is in decode_variable_length_int which returns the int and how many bytes were used to encode it.<br />
<br />
This also means for integers <= 127 the integer is the same as a single byte uint8<br />
<br />
== Tag, optional length, data ==<br />
<br />
Depending on the type of the value, you will encounter a tag (itself a multi-byte int) per the above specification with a direct value, or a length prefixed value.<br />
<br />
An example: If the value type is an int, then a variable length int tag, followed by a variable length int the value<br />
<br />
If the value is a string, then a variable length int tag, followed by a variable length int length then the bytes of the string.<br />
<br />
== Definitions ==<br />
<br />
The definition table is a collection of ObjectDefinitions and EnumDefinitions<br />
<br />
DEFINE_OBJECT_TAG = 0x0A<br />
DEFINE_ENUM_TAG = 0x12<br />
An ObjectDefinition is either a Class or an Event - they are broadly equal. A class will be a collection of property definitions where each definition is a combination of property name, type (primal), flags, and extensions.<br />
<br />
An object definition is TAG_CLASS_DEFINITION followed by a length of the object definition. It is then parsed as a a TAG_CLASS_NAME and a series of TAG_PROPERTY_DEFINITIONs which are a length followed by their fields.<br />
<br />
TAG_CLASS_DEFINITION = 0x0A # Name of the class or event<br />
TAG_CLASS_NAME = 0x0A # The string defining the class name (optional)<br />
TAG_PROPERTY_DEFINITION = 0x12 # Repeated for each property<br />
In the context of a property flags can be 0x00 in the case of a normal scalar property of 0x01 in the case of a "multi-property" or a property which can occur multiple times.<br />
<br />
# Base Property Types - RE still in progress<br />
class PropertyType(IntEnum):<br />
UNKNOWN = 0x00<br />
DOUBLE = 0x01<br />
FLOAT = 0x02<br />
INTEGER_64 = 0x03<br />
INTEGER = 0x04<br />
UNKNOWN_5 = 0x05<br />
INTEGER_32 = 0x06<br />
INTEGER_UNSIGNED = 0x07<br />
UNKNOWN_8 = 0x08<br />
UNKNOWN_9 = 0x09<br />
BOOLEAN = 0x0C<br />
ENUM = 0x0B<br />
STRING = 0x0D<br />
BYTES = 0x0E<br />
PACKED_UINT_32 = 0x15<br />
UNKNOWN_17 = 0x11<br />
UNKNOWN_20 = 0x14<br />
OBJECT = 0x1B<br />
<br />
# Basic Property Values (must occur)<br />
TAG_INDEX = 0x08 # This defines the tag for reference<br />
TAG_TYPE = 0x10 # Primal object type (PropertyType)<br />
TAG_FLAGS = 0x18 # PropertyFalgs<br />
TAG_NAME = 0x22 # The name of the property<br />
Various base types have extended type information. For instance a string property can have a format type of "UUID" and an integer type can have a value of "Timestamp". Each of these is specified by a particular tag on the property definition.<br />
<br />
# Extended or optinal values on a property definition<br />
TAG_OBJECT_REFERENCE = 0x28 # The class of the property in the case of a non-primitive, scalar<br />
TAG_STRING_FORMAT = 0x30 # StringFormat<br />
TAG_LIST_ITEM_TYPE = 0x38 # Type of the element in the case of a collection<br />
TAG_ENUM_INDEX = 0x40 # The EnumDefinition this enum references<br />
TAG_INTEGER_FORMAT = 0x48 # Integer type sub-specifier<br />
TAG_EXTENSION = 0x50 # Set to 0x01 if this property is an extension on another class<br />
TAG_EXTENSION_TARGET = 0x60 # The class to extend<br />
Sub-format Specifiers<br />
<br />
class PropertyFlags(IntFlag):<br />
NONE = 0x00<br />
REPEATED = 0x01<br />
<br />
class IntegerFormat(IntEnum):<br />
TIMESTAMP = 0x01<br />
TRIGGER_ID = 0x03<br />
PROFILE_ID = 0x04<br />
AVERAGE_TIME = 0x15<br />
TIME_DELTA = 0x16<br />
TIMEZONE_OFFSET = 0x17<br />
ASSOCIATED_TIME = 0x18<br />
PERIOD_IN_HOURS = 0x19<br />
TIME_OF_DAY = 0x1E<br />
SAMPLE_TIMESTAMP = 0x1F<br />
<br />
class StringFormat(IntEnum):<br />
UNKNOWN = 0x00<br />
UUID = 0x01<br />
An EnumDefinition is a class that defines a range of integer values, which can be either a selection enumeration or a flags style enumeration. The definition will include the textual representation of each value.<br />
<br />
= Metadata Files =s<br />
<br />
Metadata files are a MAGIC (AWDM), a version (0xXXXXYYYY) and N (0xNNNNNNNN) regions<br />
<br />
If N == 0 then you are reading a root manifest and should read until tag == 0x00000000<br />
<br />
In all cases there should be a 0x00000000 after the region definitions<br />
<br />
Regions fall into two broad categories - tag specific and non-tag specific<br />
<br />
Region tags are 0xTTTTFFFF where TTTT is type and FFFF is number of uint32 fields (little endian)<br />
<br />
struct {<br />
uint32 magic, // "AWDM"<br />
uint16 major, // 0x0100 - little endian 1<br />
uint16 minor, // 0x0100 - little endian 1<br />
uint32 regions // either region count or 0<br />
}<br />
<br />
// N region entries, see below<br />
<br />
struct {<br />
uint32 zero // = 0x00000000<br />
}<br />
Tag specific<br />
<br />
struct {<br />
uint32 tag,<br />
uint32 offset,<br />
uint32 size,<br />
uint32 checksum // assumed<br />
}<br />
Tag 0x02000400 - Structure Table<br />
<br />
This is an import or structure table. In the case of the root table of the root manifest the contents are identical to the display or definition table (0x03000400).<br />
<br />
For metadata manifests which extend the root, this file will broadly import from others and not define the display names of properties etc.<br />
<br />
Tag 0x03000400 - Definition Table<br />
<br />
This table of definitions create new objects with new properties that extend the existing schema. It will contain object definitions, with property definitions as well as enum definitions.<br />
<br />
This table contains class and object definitions designed to "enrich" the definitions from the 0x02000400 table with additional data for translation into text format.<br />
<br />
== Non-tag specific ==<br />
<br />
struct {<br />
uint32 offest<br />
uint32 size<br />
}<br />
Tag 0x04000200 - File Identity<br />
<br />
This region defines two values, the UUID of the file as well as it's display name.<br />
<br />
This is analogous to a LC_UUID in Mach-O<br />
<br />
0x0A - String - File UUID<br />
0x12 - String - Source File<br />
0x18 - Timestamp - Build Time<br />
Tag 0x05000200 - Root Object Class Definitions<br />
<br />
This defines the root ambient classes. It's only relevant on the root manifest as it is the only file to define the root object class. These classes are used by the properties on the root object defined by 0x02000400/0x03000400 where tag == 0x00<br />
<br />
Tag 0x06000200 - Extension Points<br />
<br />
This region lists all known extension properties. These must be loaded from their assocated constituant extension manifests<br />
<br />
= Log Files =</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=AWDD&diff=118706AWDD2021-10-16T10:05:46Z<p>Rickmark: Redirected page to Apple Wireless Diagnostics Daemon (AWDD)</p>
<hr />
<div>#REDIRECT[[Apple Wireless Diagnostics Daemon (AWDD)]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Apple_Wireless_Diagnostics_Daemon_(AWDD)&diff=118705Apple Wireless Diagnostics Daemon (AWDD)2021-10-16T10:05:22Z<p>Rickmark: </p>
<hr />
<div>AWDD is a binary logging system for the Baseband, Bluetooth, NFC, GSM/LTE, WiFi, UWB and other such wireless radio coprocessors. Over the years it has taken on a few other responsibilities such as Springboard Locking, FaceID, and any other system level events best represented in a compact binary format. This is in opposition to text based or Plist style log files, which are also still common for other subsystems. AWDD is a proprietary TLV encoding.</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Apple_Wireless_Diagnostics_Daemon_(AWDD)&diff=118704Apple Wireless Diagnostics Daemon (AWDD)2021-10-16T10:03:48Z<p>Rickmark: Created page with "AWDD is a binary logging system for the Baseband, Bluetooth, NFC, GSM/LTE, WiFi, UWB and other such coprocessors. Over the years it has taken on a few other responsibilities..."</p>
<hr />
<div>AWDD is a binary logging system for the Baseband, Bluetooth, NFC, GSM/LTE, WiFi, UWB and other such coprocessors. Over the years it has taken on a few other responsibilities such as Springboard Locking, FaceID, and any other system level events best represented in a compact binary format. This is in opposition to text based or Plist style log files, which are also still common for other subsystems. AWDD is a proprietary TLV encoding.</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Codenames&diff=117986Codenames2021-09-26T23:30:45Z<p>Rickmark: </p>
<hr />
<div>{{About||firmware version codenames (BuildTrains)|Firmware Codenames}}<br />
<br />
This page lists several code names of Apple features.<br />
<br />
; ACE : The USB-C port controller on the Mac<br />
; Broadway : [https://en.wikipedia.org/wiki/Apple_Card Apple Card]<br />
; Brook: Handwashing detection (BrookServices and BrookDataCollection private frameworks since iOS 14).<br />
; Durian : AirTags (seen eg. in the firmware update)<br />
; Ensemble : Universal Control (macOS 12/iOS 15)<br />
; Haywire : [[Haywire|Lightning video adapters]] (eg. Lightning to HDMI)<br />
; HiFive : Chip present in Lightning cable connectors to negotiate the Lightning protocol.<br />
; [[Hydra]] : Multiplexing chip in iDevices since iPhone X to deal with the Lightning protocol.<br />
; Madrid : [[Messages|iMessage]]<ref>"Madrid" and <code>com.apple.madrid</code> appear in iMessage code, data files, and protocol</ref><br />
; Maverick : Update protocol from AP to Baseband chip<br />
; Medusa : iPad Split Screen (probably Slide Over etc. too), not to be confused with the T1 EFI device (http://www.cmizapper.com/products/medusa-3.html)<br />
; Mesa : TouchID on iDevices<br />
; Rose : U1 / Ultra Wide Band chip<br />
; Sanddollar : TouchID on the T1/T2 MacBook<br />
; Savage : Baseband related (references wireless, ICCID (therefore eSIM?), MEID, etc), related to Yonkers<br />
; Stark : CarPlay<br />
; [[Stockholm]] : Apple Pay / [[Secure Element]] (handles NFC as well)<br />
; Skywagon : Xcode Cloud<br />
; [[Tristar]] : Multiplexing chip in iDevices that deals with the Lightning protocol.<br />
; Vinyl : The eSIM or eUICC<br />
; Wormhole : AirDrop<ref>sharingd used to have classes like <code>SDWormholeConnection</code></ref><br />
; Yonkers : Baseband / Wireless related (relates to Savage)<br />
<br />
== Unknown names ==<br />
<br />
Codenames seen somewhere, but for which we don't know the meaning or it's not certain,<br />
and needs more investigation.<br />
<br />
; Absinthe: FairPlay-related<br />
; Avocado: Seen in SpringBoard code <code>os_feature_enabled_impl("SpringBoard", "Avocado")</code><br />
; Futhark: Private framework since iOS 9 (text detection?)<br />
; Madia: Unknown<br />
; Mescal: FairPlay-related<br />
; Morphun: Private framework, there's also a MorphunData asset in mesu.<br />
; Neutrino: Private frameworks since iOS 11 (NeutrinoCore and NeutrinoKit).<br />
; Nitrogen: Unknown<br />
; Orion: MCU of some kind<br />
; Osprey: Private framework iOS 13, related to Siri, uses Absinthe<br />
; Pegasus: Private framework since iOS 9 (not related to NSO's exploit tool).<br />
; Peppy: Unknown<br />
; Proud Lock: Mentioned on SpringBoard code, possibly FaceID unlock?<br />
; Silex: Private framework since iOS 11.<br />
; Vapor: Seen in SpringBoard code <code>os_feature_enabled_impl("NotificationCenter", "Vapor")</code><br />
; Veridian<br />
; Viceroy: Seen in multiple frameworks, FaceTime-related.<br />
; Xavier: Private frameworks since iOS 14 (XavierCore/XavierNews).<br />
<br />
== CPU cores ==<br />
<br />
Since the A6, Apple SoCs have Apple-designed CPU cores. This table lists their names.<br />
<br />
{| class="wikitable"<br />
! SoC<br />
! Performance core<br />
! Low-power core<br />
|-<br />
| [[A6]]<br />
| Swift<br />
| {{n/a}}<br />
|-<br />
| [[A7]]<br />
| Cyclone<br />
| {{n/a}}<br />
|-<br />
| [[A8]]<br />
| Typhoon<br />
| {{n/a}}<br />
|-<br />
| [[A9]]<br />
| Twister<br />
| {{n/a}}<br />
|-<br />
| [[A10]]<br />
| Hurricane<br />
| Zephyr<br />
|-<br />
| [[A11]]<br />
| Monsoon<br />
| Mistral<br />
|-<br />
| [[A12]]<br />
| Vortex<br />
| Tempest<br />
|-<br />
| [[A13]]<br />
| Lightning<br />
| Thunder<br />
|-<br />
| [[A14]]/[[M1]]<br />
| Firestorm<br />
| Icestorm<br />
|-<br />
| [[A15]]<ref>https://twitter.com/never_released/status/1431406418322657280</ref><br />
| Avalanche<br />
| Blizzard<br />
|}<br />
<br />
== References / notes ==<br />
<references/></div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Seputil&diff=117984Seputil2021-09-26T22:22:33Z<p>Rickmark: </p>
<hr />
<div>{{lowercase}}<br />
{{Infobox software<br />
| name = seputil<br />
| title = <br />
| collapsible = <br />
| author = Apple Inc.<br />
| developer = Apple Inc.<br />
| released = <br />
| discontinued = <br />
| latest release date = <br />
| latest preview version = <br />
| latest preview date = <br />
| programming language = <br />
| operating system = [[wikipedia:iOS|iOS]] command line<br />
| platform = <br />
| size = 59,184 bytes [APP] <br />
| language = [[wikipedia:English language|English]]<br />
| status = <br />
| genre = ?<br />
| license = [[wikipedia:Proprietary software|Closed source]]<br />
| website = <br />
}}<br />
<br />
'''seputil''' is an iOS command-line interface tool. It is used to communicate with the [[Secure Enclave]] and its processor - the SEP. The utility [[ramrod]] also uses seputil to update the firmware of the SEP. seputil itself is contained in HXXXRamDisk.dmg, located in <code>/usr/standalone/update/ramdisk/</code> (the name of the ramdisk varies depending on the firmware.) Once mounted, the seputil executable is found in <code>/usr/libexec/</code>. The file is an im4 file and therefore needs the first 0x1b (27) bytes are stripped to make the dmg readable, or img4tool can be used<br />
<br />
seputil has the following commands:<br />
<br />
<pre><br />
seputil: seputil [--wait] --load <file><br />
seputil: seputil '<SEP console command>'<br />
seputil: seputil <command><br />
seputil: <br />
seputil: Valid <command> words:<br />
seputil: --ping Send a PING operation to the SEP OS<br />
seputil: --load Load <file> as the SEP runtime firmware<br />
seputil: --restore Load <file> as the SEP runtime firmware in restore mode<br />
seputil: --restore+art Load <file> as the SEP runtime firmware in restore mode with ART<br />
seputil: --wait Pause for kernel driver to load before failing<br />
seputil: --preflight Pre-flight load/restore firmware against ART to pre-check for boot failures<br />
seputil: --log Dump the mailbox message log<br />
seputil: --rom status Get the ROM status<br />
seputil: --rom tz0 Send a ROM TZ0 command<br />
seputil: --rom nop Send a ROM NOP command<br />
seputil: --rom nonce Send a ROM nonce request<br />
seputil: --new-nonce Request new SEP/OS nonce<br />
seputil: --kill-nonce Request invalidate SEP/OS nonce<br />
seputil: --art get Dump current ART from Memory<br />
seputil: --art set Persist the supplied ART to storage<br />
seputil: --art clear Clear the persisted ART<br />
seputil: --art ctrtest Counter self-test (DESTRUCTIVE - can brick some legacy devices!)<br />
seputil: --sleep Sleep the SEP NOW!<br />
seputil: --nap Nap the SEP NOW!<br />
seputil: --pingflood Ping SEP endlessly<br />
seputil: --clkgate Enable SEP clock gating<br />
seputil: --get <obj> Read obj and write to stdout<br />
seputil: --put <obj> Read stdin and write to obj<br />
seputil: --boot-check <file> Check whether a firmware might be bootable WRT the current ART<br />
seputil: --dump-fw <file> Dump measurements of firmware file<br />
seputil: Bare words on the commandline are sent to the SEP as a console command<br />
</pre><br />
<br />
==Examples==<br />
<pre><br />
./seputil --pingflood<br />
SEP ping #1000<br />
SEP ping #2000<br />
SEP ping #3000<br />
SEP ping #4000<br />
<br />
./seputil --load sep-firmware.img4 <br />
seputil: load fw returned 0xe00002d5<br />
seputil: load failed<br />
<br />
./seputil --new-nonce<br />
Nonce (20 bytes): 0x67fc18385630dc6429726677d196c81466f47b5e<br />
<br />
./seputil --art get <br />
raw ART: 305e0201003037020218340414519c0248f04d316a3d71e03978b4126fbfb2b15c0400041467fc18385630dc6429726677d196c81466f47b5e3103c00100042027b6dadbab356612997af0203cefeae51fe90cd985ee7cdd6211c766b8cc7a60<br />
Successfully parsed ART:<br />
counter: 6196<br />
manifest hash (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c<br />
sleep hash is absent<br />
restore nonce (20 bytes): 67fc18385630dc6429726677d196c81466f47b5e<br />
<br />
./seputil --log <br />
Kernel message log has 128 entries<br />
289344381444: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289344385176: 0x0000000000000000 TX interrupt<br />
289344391044: 0x0000000000000000 TX interrupt<br />
289344408988: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289344409016: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289344413132: 0x0000000000000000 RX interrupt<br />
289344413304: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0<br />
289344413904: 0x0000000000000000 RX interrupt<br />
289344413944: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0<br />
289344414176: 0x0018000000dd1007 TX message ept 7, tag 10, opcode dd, param 0, data 180000<br />
289344443356: 0x0000000000000000 RX interrupt<br />
289344443428: 0x0068000000dd9007 RX message ept 7, tag 90, opcode dd, param 0, data 680000<br />
289346822748: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0<br />
289346829480: 0x0000000000000000 RX interrupt<br />
289346829560: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0<br />
289346830136: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0<br />
289406511168: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289406511204: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289406538900: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289406538936: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289406543628: 0x0000000000000000 TX interrupt<br />
289406549916: 0x0000000000000000 TX interrupt<br />
289406566580: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289406566612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289406571220: 0x0000000000000000 RX interrupt<br />
289406571476: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0<br />
289406571908: 0x0000000000000000 RX interrupt<br />
289406571952: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0<br />
289406572320: 0x0018000000de1007 TX message ept 7, tag 10, opcode de, param 0, data 180000<br />
289406605068: 0x0000000000000000 RX interrupt<br />
289406605152: 0x0068000000de9007 RX message ept 7, tag 90, opcode de, param 0, data 680000<br />
289407383260: 0x003c000000df0907 TX message ept 7, tag 9, opcode df, param 0, data 3c0000<br />
289407396284: 0x0000000000000000 RX interrupt<br />
289407396380: 0x002c000000df8907 RX message ept 7, tag 89, opcode df, param 0, data 2c0000<br />
289407403656: 0x003c000000e00907 TX message ept 7, tag 9, opcode e0, param 0, data 3c0000<br />
289407411688: 0x0000000000000000 RX interrupt<br />
289407411736: 0x002c000000e08907 RX message ept 7, tag 89, opcode e0, param 0, data 2c0000<br />
289407414732: 0x003c000000e10907 TX message ept 7, tag 9, opcode e1, param 0, data 3c0000<br />
289407422472: 0x0000000000000000 RX interrupt<br />
289407422524: 0x002c000000e18907 RX message ept 7, tag 89, opcode e1, param 0, data 2c0000<br />
289408986276: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0<br />
289408991756: 0x0000000000000000 RX interrupt<br />
289408991824: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0<br />
289408992472: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0<br />
289459393276: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289459393348: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289459423004: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289459423048: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289459452628: 0x0000000000000000 TX interrupt<br />
289459453612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289459453664: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289459466460: 0x0000000000000000 TX interrupt<br />
289459469548: 0x0000000000000000 RX interrupt<br />
289459470000: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0<br />
289459470632: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0<br />
289459471304: 0x0018000000e21007 TX message ept 7, tag 10, opcode e2, param 0, data 180000<br />
289459524572: 0x0000000000000000 RX interrupt<br />
289459524728: 0x0068000000e29007 RX message ept 7, tag 90, opcode e2, param 0, data 680000<br />
289459532644: 0x004c000000e30f07 TX message ept 7, tag f, opcode e3, param 0, data 4c0000<br />
289459552888: 0x0000000000000000 RX interrupt<br />
289459553044: 0x002c000000e38f07 RX message ept 7, tag 8f, opcode e3, param 0, data 2c0000<br />
289459646732: 0x0018000000e41007 TX message ept 7, tag 10, opcode e4, param 0, data 180000<br />
289459681116: 0x0000000000000000 RX interrupt<br />
289459681272: 0x0068000000e49007 RX message ept 7, tag 90, opcode e4, param 0, data 680000<br />
289461898836: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0<br />
289461906796: 0x0000000000000000 RX interrupt<br />
289461906968: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0<br />
289461908400: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0<br />
289526725980: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289526726016: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289526757512: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289526757552: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289526774468: 0x0000000000000000 TX interrupt<br />
289526782688: 0x0000000000000000 TX interrupt<br />
289526786468: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289526786540: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289526795320: 0x0000000000000000 RX interrupt<br />
289526795828: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0<br />
289526796304: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0<br />
289526796984: 0x0018000000e51007 TX message ept 7, tag 10, opcode e5, param 0, data 180000<br />
289526847216: 0x0000000000000000 RX interrupt<br />
289526847348: 0x0068000000e59007 RX message ept 7, tag 90, opcode e5, param 0, data 680000<br />
289529224460: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0<br />
289529235316: 0x0000000000000000 RX interrupt<br />
289529235488: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0<br />
289529236920: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0<br />
289584681764: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289584681836: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289584710576: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289584710608: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289584730996: 0x0000000000000000 TX interrupt<br />
289584738992: 0x0000000000000000 TX interrupt<br />
289584739572: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289584739612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289584748648: 0x0000000000000000 RX interrupt<br />
289584748984: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0<br />
289584749300: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0<br />
289584749332: 0x0018000000e61007 TX message ept 7, tag 10, opcode e6, param 0, data 180000<br />
289584790484: 0x0000000000000000 RX interrupt<br />
289584790568: 0x0068000000e69007 RX message ept 7, tag 90, opcode e6, param 0, data 680000<br />
289587176748: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0<br />
289587185760: 0x0000000000000000 RX interrupt<br />
289587185916: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0<br />
289587186840: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0<br />
288741485000: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
288741485084: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
288741514772: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
288741514812: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
288741533984: 0x0000000000000000 TX interrupt<br />
288741541992: 0x0000000000000000 TX interrupt<br />
288741543608: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
288741543680: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
288741552216: 0x0000000000000000 RX interrupt<br />
288741552884: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0<br />
288741553388: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0<br />
288741553672: 0x0018000000db1007 TX message ept 7, tag 10, opcode db, param 0, data 180000<br />
288741591912: 0x0000000000000000 RX interrupt<br />
288741592040: 0x0068000000db9007 RX message ept 7, tag 90, opcode db, param 0, data 680000<br />
288741599128: 0x004c000000dc0f07 TX message ept 7, tag f, opcode dc, param 0, data 4c0000<br />
288741620732: 0x0000000000000000 RX interrupt<br />
288741620900: 0x002c000000dc8f07 RX message ept 7, tag 8f, opcode dc, param 0, data 2c0000<br />
288742902624: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0<br />
288742912320: 0x0000000000000000 RX interrupt<br />
288742912496: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0<br />
288742913700: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0<br />
289344354176: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289344354216: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
289344381416: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0<br />
<br />
./seputil --boot-check sep-firmware.img4 <br />
preflight: manifest hash matches sepi<br />
bootCheck: SEP may boot with ART<br />
<br />
./seputil --dump-fw sep-firmware.img4 <br />
manifest digest (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c<br />
sepi digest (20 bytes): a22813c5ceaeada5b7eeaa55808f3019814e8b8e<br />
sepi nonce (20 bytes): e5074bd1befefc685c6b5ec6797ffc851366f76f<br />
rsep digest (20 bytes): cb9f4c6520889e2582414c5969fb0abc3b0d8277<br />
rsep nonce (20 bytes): e5074bd1befefc685c6b5ec6797ffc851366f76f<br />
</pre><br />
<br />
== jtool dissect ==<br />
<br />
<pre><br />
./jtool -l /Volumes/ramdisk/usr/libexec/seputil <br />
LC 00: LC_SEGMENT_64 Mem: 0x000000000-0x100000000 __PAGEZERO<br />
LC 01: LC_SEGMENT_64 Mem: 0x100000000-0x100008000 __TEXT<br />
0x0000000100000ce8-0x00000001000055e0 __TEXT.__text<br />
0x00000001000055e0-0x00000001000058ec __TEXT.__stubs<br />
0x00000001000058ec-0x0000000100005c10 __TEXT.__stub_helper<br />
0x0000000100005c10-0x0000000100006e5d __TEXT.__cstring<br />
0x0000000100006e60-0x0000000100007fac __TEXT.__const<br />
0x0000000100007fac-0x0000000100007ff4 __TEXT.__unwind_info<br />
LC 02: LC_SEGMENT_64 Mem: 0x100008000-0x10000c000 __DATA<br />
0x0000000100008000-0x0000000100008050 __DATA.__got<br />
0x0000000100008050-0x0000000100008258 __DATA.__la_symbol_ptr<br />
0x0000000100008258-0x00000001000086e8 __DATA.__const<br />
0x00000001000086e8-0x0000000100008990 __DATA.__data<br />
0x0000000100008990-0x00000001000089b0 __DATA.__bss<br />
LC 03: LC_SEGMENT_64 Mem: 0x10000c000-0x100010000 __LINKEDIT<br />
LC 04: LC_DYLD_INFO_ONLY <br />
LC 05: LC_SYMTAB Symbol table is at offset 0xd9c8, with 77 entries<br />
LC 06: LC_DYSYMTAB <br />
LC 07: LC_LOAD_DYLINKER /usr/lib/dyld<br />
LC 08: LC_UUID UUID: 5C06A94F-63A7-3150-95B6-65567C70A3C8<br />
LC 09: LC_VERSION_MIN_IPHONEOS Minimum iOS version: 7.0.0<br />
LC 10: LC_SOURCE_VERSION Source Version: 69.1.1.0.0<br />
LC 11: LC_MAIN Entry Point: 0x1448 (Mem: 100001448)<br />
LC 12: LC_LOAD_DYLIB /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation<br />
LC 13: LC_LOAD_DYLIB /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit<br />
LC 14: LC_LOAD_DYLIB /usr/lib/libSystem.B.dylib<br />
LC 15: LC_FUNCTION_STARTS Offset: 55592, Size: 120<br />
LC 16: LC_DATA_IN_CODE Offset: 55712, Size: 0<br />
LC 17: LC_DYLIB_CODE_SIGN_DRS Offset: 55712, Size: 40<br />
LC 18: LC_CODE_SIGNATURE Offset: 58704, Size: 480<br />
</pre><br />
<br />
==ART Object==<br />
<br />
Example 1:<br />
<pre><br />
./seputil --art get <br />
raw ART: 305e0201003037020218340414519c0248f04d316a3d71e03978b4126fbfb2b15c0400041467fc18385630dc6429726677d196c81466f47b5e3103c00100042027b6dadbab356612997af0203cefeae51fe90cd985ee7cdd6211c766b8cc7a60<br />
Successfully parsed ART:<br />
counter: 6196<br />
manifest hash (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c<br />
sleep hash is absent<br />
restore nonce (20 bytes): 67fc18385630dc6429726677d196c81466f47b5e<br />
</pre><br />
<br />
raw ART is also a [http://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One#Example_encoded_in_DER DER encoded ASN.1 object]:<br />
<br />
<pre><br />
30 — type tag indicating SEQUENCE<br />
5e — length in octets of value that follows (92)<br />
02 — type tag indicating INTEGER<br />
01 — length in octets of value that follows<br />
00 — value (0)<br />
30 — type tag indicating SEQUENCE<br />
37 — length in octets of value that follows (55)<br />
02 — type tag indicating INTEGER<br />
02 — length in octets of value that follows<br />
1834 — value (6196) (of counter)<br />
04 — type tag indicating STRING<br />
14 — length in octets of value that follows (20)<br />
519c0248f04d316a3d71e03978b4126fbfb2b15c — value (of manifest hash)<br />
04 — type tag indicating STRING<br />
00 — length in octets of value that follows (0); empty, so no value to follow (sleep hash is absent)<br />
04 — type tag indicating STRING<br />
14 — length in octets of value that follows (20)<br />
67fc18385630dc6429726677d196c81466f47b5e — value (of restore nonce: snon)<br />
31 — type tag indicating SET (of subcounters)<br />
03 — length in octets of value that follows (3)<br />
c00100 — value (priv element [0]=0)<br />
04 — type tag indicating STRING<br />
20 — length in octets of value that follows (32)<br />
27b6dadbab356612997af0203cefeae51fe90cd985ee7cdd6211c766b8cc7a60 — value (SHA-256 HMAC of the previous SEQUENCE)<br />
</pre><br />
<br />
Example 2:<br />
<pre><br />
./seputil --art get<br />
raw ART: 3072020100304b0202186c0414519c0248f04d316a3d71e03978b4126fbfb2b15c04147f75cb9012128cf71eb8fcd6b13e56a02a7324db041467fc18385630dc6429726677d196c81466f47b5e3103c0010004209ce3646167631d0df8d4db28973db8d5a27f85d345ad6ec220aeb1e22f39f31f<br />
Successfully parsed ART:<br />
counter: 6252<br />
manifest hash (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c<br />
sleep hash (20 bytes): 7f75cb9012128cf71eb8fcd6b13e56a02a7324db<br />
restore nonce (20 bytes): 67fc18385630dc6429726677d196c81466f47b5e<br />
</pre><br />
<br />
Decode (used the decoder [http://lapo.it/asn1js/ here]):<br />
<br />
<pre><br />
SEQUENCE (3 elem)<br />
INTEGER 0<br />
SEQUENCE (5 elem)<br />
INTEGER 6252<br />
OCTET STRING (20 byte) 519C0248F04D316A3D71E03978B4126FBFB2B15C<br />
OCTET STRING (20 byte) 7F75CB9012128CF71EB8FCD6B13E56A02A7324DB<br />
OCTET STRING (20 byte) 67FC18385630DC6429726677D196C81466F47B5E<br />
SET (1 elem)<br />
Private 0 (1 byte) 00<br />
OCTET STRING (32 byte) 9CE3646167631D0DF8D4DB28973DB8D5A27F85D345AD6EC220AEB1E22F39F31F<br />
</pre><br />
<br />
Example 3:<br />
Don't try this at home kids!<br />DESTRUCTIVE - WILL [[Brick|BRICK]] SOME LEGACY DEVICES!!!<br />
<pre><br />
./seputil --art clear<br />
ART cleared from storage<br />
<br />
./seputil --art get <br />
seputil: Get ART command error: 0xe00002bc<br />
</pre></div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Codenames&diff=117240Codenames2021-09-18T03:25:27Z<p>Rickmark: </p>
<hr />
<div>{{About||firmware version codenames (BuildTrains)|Firmware Codenames}}<br />
<br />
This page lists several code names of Apple features.<br />
<br />
; ACE : The USB-C port controller on the Mac<br />
; Broadway : [https://en.wikipedia.org/wiki/Apple_Card Apple Card]<br />
; Brook: Handwashing detection (BrookServices and BrookDataCollection private frameworks since iOS 14).<br />
; Durian : AirTags (seen eg. in the firmware update)<br />
; Ensemble : Universal Control (macOS 12/iOS 15)<br />
; Haywire : [[Haywire|Lightning video adapters]] (eg. Lightning to HDMI)<br />
; HiFive : Chip present in Lightning cable connectors to negotiate the Lightning protocol.<br />
; [[Hydra]] : Multiplexing chip in iDevices since iPhone X to deal with the Lightning protocol.<br />
; Madrid : [[Messages|iMessage]]<ref>"Madrid" and <code>com.apple.madrid</code> appear in iMessage code, data files, and protocol</ref><br />
; Medusa : iPad Split Screen (probably Slide Over etc. too), not to be confused with the T1 EFI device (http://www.cmizapper.com/products/medusa-3.html)<br />
; Mesa : TouchID on iDevices<br />
; Rose : U1 / Ultra Wide Band chip<br />
; Sanddollar : TouchID on the T1/T2 MacBook<br />
; Savage : Baseband related (references wireless, ICCID, MEID, etc), related to Yonkers<br />
; Stark : CarPlay<br />
; [[Stockholm]] : Apple Pay / [[Secure Element]] (handles NFC as well)<br />
; Skywagon : Xcode Cloud<br />
; [[Tristar]] : Multiplexing chip in iDevices that deals with the Lightning protocol.<br />
; Vinyl : The eSIM or eUICC<br />
; Wormhole : AirDrop<ref>sharingd used to have classes like <code>SDWormholeConnection</code></ref><br />
; Yonkers : Baseband / Wireless related (relates to Savage)<br />
<br />
== Unknown names ==<br />
<br />
Codenames seen somewhere, but for which we don't know the meaning or it's not certain,<br />
and needs more investigation.<br />
<br />
; Absinthe: FairPlay-related<br />
; Avocado: Seen in SpringBoard code <code>os_feature_enabled_impl("SpringBoard", "Avocado")</code><br />
; Futhark: Private framework since iOS 9 (text detection?)<br />
; Mescal: FairPlay-related<br />
; Morphun: Private framework, there's also a MorphunData asset in mesu.<br />
; Neutrino: Private frameworks since iOS 11 (NeutrinoCore and NeutrinoKit).<br />
; Osprey: Private framework iOS 13, related to Siri, uses Absinthe<br />
; Pegasus: Private framework since iOS 9 (not related to NSO's exploit tool).<br />
; Proud Lock: Mentioned on SpringBoard code, possibly FaceID unlock?<br />
; Silex: Private framework since iOS 11.<br />
; Vapor: Seen in SpringBoard code <code>os_feature_enabled_impl("NotificationCenter", "Vapor")</code><br />
; Viceroy: Seen in multiple frameworks, FaceTime-related.<br />
; Xavier: Private frameworks since iOS 14 (XavierCore/XavierNews).<br />
<br />
== CPU cores ==<br />
<br />
Since the A6, Apple SoCs have Apple-designed CPU cores. This table lists their names.<br />
<br />
{| class="wikitable"<br />
! SoC<br />
! Performance core<br />
! Low-power core<br />
|-<br />
| [[A6]]<br />
| Swift<br />
| {{n/a}}<br />
|-<br />
| [[A7]]<br />
| Cyclone<br />
| {{n/a}}<br />
|-<br />
| [[A8]]<br />
| Typhoon<br />
| {{n/a}}<br />
|-<br />
| [[A9]]<br />
| Twister<br />
| {{n/a}}<br />
|-<br />
| [[A10]]<br />
| Hurricane<br />
| Zephyr<br />
|-<br />
| [[A11]]<br />
| Monsoon<br />
| Mistral<br />
|-<br />
| [[A12]]<br />
| Vortex<br />
| Tempest<br />
|-<br />
| [[A13]]<br />
| Lightning<br />
| Thunder<br />
|-<br />
| [[A14]]/[[M1]]<br />
| Firestorm<br />
| Icestorm<br />
|-<br />
| [[A15]]<ref>https://twitter.com/never_released/status/1431406418322657280</ref><br />
| Avalanche<br />
| Blizzard<br />
|}<br />
<br />
== References / notes ==<br />
<references/></div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Codenames&diff=117239Codenames2021-09-18T03:20:35Z<p>Rickmark: Added known codenames</p>
<hr />
<div>{{About||firmware version codenames (BuildTrains)|Firmware Codenames}}<br />
<br />
This page lists several code names of Apple features.<br />
<br />
; Broadway : [https://en.wikipedia.org/wiki/Apple_Card Apple Card]<br />
; Brook: Handwashing detection (BrookServices and BrookDataCollection private frameworks since iOS 14).<br />
; Durian : AirTags (seen eg. in the firmware update)<br />
; Ensemble : Universal Control (macOS 12/iOS 15)<br />
; Haywire : [[Haywire|Lightning video adapters]] (eg. Lightning to HDMI)<br />
; HiFive : Chip present in Lightning cable connectors to negotiate the Lightning protocol.<br />
; [[Hydra]] : Multiplexing chip in iDevices since iPhone X to deal with the Lightning protocol.<br />
; Madrid : [[Messages|iMessage]]<ref>"Madrid" and <code>com.apple.madrid</code> appear in iMessage code, data files, and protocol</ref><br />
; Medusa : iPad Split Screen (probably Slide Over etc. too)<br />
; Mesa : TouchID on iDevices<br />
; Sanddollar : TouchID on the T1/T2 MacBook<br />
; Rose : U1 / Ultra Wide Band chip<br />
; Stark : CarPlay<br />
; [[Stockholm]] : Apple Pay / [[Secure Element]]<br />
; Skywagon : Xcode Cloud<br />
; [[Tristar]] : Multiplexing chip in iDevices that deals with the Lightning protocol.<br />
; Wormhole : AirDrop<ref>sharingd used to have classes like <code>SDWormholeConnection</code></ref><br />
; Vinyl : The eSIM or eUICC<br />
; ACE : The USB-C port controller on the Mac<br />
<br />
== Unknown names ==<br />
<br />
Codenames seen somewhere, but for which we don't know the meaning or it's not certain,<br />
and needs more investigation.<br />
<br />
; Absinthe: FairPlay-related<br />
; Avocado: Seen in SpringBoard code <code>os_feature_enabled_impl("SpringBoard", "Avocado")</code><br />
; Futhark: Private framework since iOS 9 (text detection?)<br />
; Mescal: FairPlay-related<br />
; Morphun: Private framework, there's also a MorphunData asset in mesu.<br />
; Neutrino: Private frameworks since iOS 11 (NeutrinoCore and NeutrinoKit).<br />
; Osprey: Private framework iOS 13, related to Siri, uses Absinthe<br />
; Pegasus: Private framework since iOS 9 (not related to NSO's exploit tool).<br />
; Proud Lock: Mentioned on SpringBoard code, possibly FaceID unlock?<br />
; Silex: Private framework since iOS 11.<br />
; Vapor: Seen in SpringBoard code <code>os_feature_enabled_impl("NotificationCenter", "Vapor")</code><br />
; Viceroy: Seen in multiple frameworks, FaceTime-related.<br />
; Xavier: Private frameworks since iOS 14 (XavierCore/XavierNews).<br />
<br />
== CPU cores ==<br />
<br />
Since the A6, Apple SoCs have Apple-designed CPU cores. This table lists their names.<br />
<br />
{| class="wikitable"<br />
! SoC<br />
! Performance core<br />
! Low-power core<br />
|-<br />
| [[A6]]<br />
| Swift<br />
| {{n/a}}<br />
|-<br />
| [[A7]]<br />
| Cyclone<br />
| {{n/a}}<br />
|-<br />
| [[A8]]<br />
| Typhoon<br />
| {{n/a}}<br />
|-<br />
| [[A9]]<br />
| Twister<br />
| {{n/a}}<br />
|-<br />
| [[A10]]<br />
| Hurricane<br />
| Zephyr<br />
|-<br />
| [[A11]]<br />
| Monsoon<br />
| Mistral<br />
|-<br />
| [[A12]]<br />
| Vortex<br />
| Tempest<br />
|-<br />
| [[A13]]<br />
| Lightning<br />
| Thunder<br />
|-<br />
| [[A14]]/[[M1]]<br />
| Firestorm<br />
| Icestorm<br />
|-<br />
| [[A15]]<ref>https://twitter.com/never_released/status/1431406418322657280</ref><br />
| Avalanche<br />
| Blizzard<br />
|}<br />
<br />
== References / notes ==<br />
<references/></div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=T8012&diff=108106T80122020-10-23T05:40:35Z<p>Rickmark: /* Identifying the T2 from macOS */</p>
<hr />
<div>'''T8012''', also just known as the '''T2''' is the CPU introduced in the [[J137AP|second-generation iBridge processor]], the processor found on the iMac Pro, and used on all subsequent T2 enabled Mac products.<br />
<br />
== Enabled Mac Products ==<br />
<br />
Devices sourced from [https://github.com/libimobiledevice/libirecovery/blob/master/src/libirecovery.c]<br />
<br />
{| class="wikitable"<br />
!iBridge Product ID<br />
!Board ID<br />
!Board Minor<br />
!Description (Product ID)<br />
!checkm8/blackbird confirmed<br />
|-<br />
|iBridge2,1<br />
|J137AP<br />
|0x0A<br />
|Apple T2 iMacPro1,1 (j137)<br />
|yes<br />
|-<br />
|iBridge2,3<br />
|J680AP<br />
|0x0B<br />
|Apple T2 MacBookPro15,1 (j680)<br />
|yes<br />
|-<br />
|iBridge2,4<br />
|J132AP<br />
|0x0C<br />
|Apple T2 MacBookPro15,2 (j132)<br />
|yes<br />
|-<br />
|iBridge2,5<br />
|J174AP<br />
|0x0E<br />
|Apple T2 Macmini8,1 (j174)<br />
|yes<br />
|-<br />
|iBridge2,6<br />
|J160AP<br />
|0x0F<br />
|Apple T2 MacPro7,1 (j160)<br />
|yes<br />
|-<br />
|iBridge2,7<br />
|J780AP<br />
|0x07<br />
|Apple T2 MacBookPro15,3 (j780)<br />
|yes<br />
|-<br />
|iBridge2,8<br />
|J140kAP<br />
|0x17<br />
|Apple T2 MacBookAir8,1 (j140k)<br />
|yes<br />
|-<br />
|iBridge2,10<br />
|J213AP<br />
|0x18<br />
|Apple T2 MacBookPro15,4 (j213)<br />
|yes<br />
|-<br />
|iBridge2,11<br />
|J230AP<br />
|0x1F<br />
|?<br />
|?<br />
|-<br />
|iBridge2,12<br />
|J140aAP<br />
|0x37<br />
|Apple T2 MacBookAir8,2 (j140a)<br />
|yes<br />
|-<br />
|iBridge2,13<br />
|J214AP<br />
|0x1E<br />
|?<br />
|?<br />
|-<br />
|iBridge2,14<br />
|J152fAP<br />
|0x3A<br />
|Apple T2 MacBookPro16,1 (j152f)<br />
|yes<br />
|-<br />
|iBridge2,15<br />
|J230kAP<br />
|0x3F<br />
|Apple T2 MacBookAir9,1 (j223k)<br />
|yes<br />
|-<br />
|iBridge2,16<br />
|J214kAP<br />
|0x3E<br />
|?<br />
|?<br />
|-<br />
|iBridge2,19<br />
|J185AP<br />
|0x22<br />
|?<br />
|?<br />
|-<br />
|iBridge2,20<br />
|J185fAP<br />
|0x23<br />
|?<br />
|?<br />
|-<br />
|iBridge2,21<br />
|J223AP<br />
|0x3B<br />
|?<br />
|?<br />
|-<br />
|iBridge2,22<br />
|J215AP<br />
|0x38<br />
|?<br />
|?<br />
|}<br />
<br />
==T2 Recovery USB Device ID==<br />
During the restore process, the T2 presents as a [[Restore Mode]] <code>com.apple.recoveryd</code> service, but uses the USB product ID of <code>0x8086</code> instead of the iPhone's <code>0x1290-0x12AF</code>.[https://github.com/libimobiledevice/usbmuxd/blob/master/udev/39-usbmuxd.rules.in]<br />
<br />
==Bootrom Exploits==<br />
The T8012 uses Bootrom version [[Bootrom_3401.0.0.1.16]] which is vulnerable to [[checkm8]]. A fork of [[checkm8]] with support for the t2 exists at [https://github.com/h0m3us3r/ipwndfu h0m3us3r] and a checkra1n with T2 tutorial is at [https://blog.t8012.dev/t2-checkra1n-guide/ t8012 blog]. The adaption of checkm8 was performed by the [[t8012 checkm8]] group by brute forcing the various locations from ROM. The copyright string reads <code>SecureROM for t8012si, Copyright 2007-2016, Apple Inc</code>, for version [[Bootrom_3401.0.0.1.16]].<br />
<br />
* [https://twitter.com/axi0mX/status/1182915286858522624 axi0mX T2 support tweet]<br />
* [https://twitter.com/qwertyoruiopz/status/1237400943047704576?s=21 quertyoruiop's early checkra1n previews]<br />
<br />
Similar to iPhones, iPads, and iPods, iBridge firmware bundles come in IPSW form. Build train codenames are appended with "HWBridge" to distinguish them from normal firmwares, and the disk image files inside have labels that are appended with "UniversalBridgeOS." They can only be restored to if the Mac is in [[DFU mode]].<br />
<br />
=== The T2 Secure Enclave Processor (SEP) ===<br />
<br />
The T2 is based on the A10 silicon design and therefore has a A10 SEP. The A10 SEP is a ARM Cortex-A7 32bit CPU. The T2 Secure Enclave is vulnerable to the same exploit Pangu presented at MOSEC named `blackbird`.<br />
<br />
The T2 SEP is responsible for acting as a secure store for symmetric secrets (tokens) as well as asymmetric credentials that can be generated and wrapped by the SEP. The SEP plays a key role in disk encryption.<br />
<br />
== Entering DFU Mode ==<br />
The T2 models can be restored via a Thunderbolt cable using [https://apps.apple.com/us/app/apple-configurator-2/id1037126344?mt=12 Apple Configurator 2].<br />
<br />
=== Desktop Macs ===<br />
For example, iMac Pro and Mac mini models from 2018 or later.<ref>https://support.apple.com/en-us/guide/apple-configurator-2/apdebea5be51/mac</ref><br />
<br />
# Completely power off the Mac; disconnect it from external power.<br />
# Attach one end of a Thunderbolt cable to the correct Thunderbolt port on the Mac.<br />
#* iMac Pro: The Thunderbolt port that is located next to the Ethernet port.<br />
#* Mac mini: The Thunderbolt port that is located next to the HDMI port.<br />
# Connect the other end to any Thunderbolt or USB port on the host Mac (the device which will be used for restoring).<br />
# Hold down the power button on the back of the Mac for 3 seconds, while connecting the power cord.<br />
<br />
=== Portable Macs ===<br />
For example, MacBook models from 2018 or later.<ref>https://support.apple.com/en-us/guide/apple-configurator-2/apd0020c3dc2/mac</ref><br />
<br />
# Completely power off the Mac; disconnect it from external power.<br />
# Attach one end of a Thunderbolt cable to the Thunderbolt port that is located on the left side, closest to the front.<br />
# Connect the other end to any Thunderbolt or USB port on the host Mac (the device which will be used for restoring).<br />
# Hold down the power button, right Shift key, and left Control and Option keys, for 3 seconds.<br />
<br />
=== Identifying the T2 from DFU ===<br />
<br />
Once a device is in DFU enumerating the USB device yields the BoardID. Using either Linux's <code>lsusb -v</code> or macOS's <code>ioreg -p IOUSB</code> the USB serial attribute will contain the same information as any other Apple A core iBoot device. (http://newosxbook.com/bonus/iBoot.pdf). The ChipID will always be 8012. The value for BDID is the BoardID. Full decoding of the version string can be performed using the code at https://github.com/das-iboot/das-iboot/blob/master/das_iboot/device.py. These values for BDID, CPID, CPRV and ECID are in Hex.<br />
<br />
=== Identifying the T2 from macOS ===<br />
<br />
This will provide many of the same values as DFU but in Decimal instead of Hex like above:<br />
<br />
<syntaxhighlight lang="bash"><br />
# ECID in decimal instead of Hex<br />
/usr/libexec/remotectl get-property localbridge UniqueChipID<br />
# Chip ID CPID in decimal (32786 == 0x8012)<br />
/usr/libexec/remotectl get-property localbridge ChipID<br />
# Board Revision CPRV in decimal instead of hex<br />
/usr/libexec/remotectl get-property localbridge BoardRevision<br />
# Board ID (BDID) in decimal instead of hex<br />
/usr/libexec/remotectl get-property localbridge BoardId<br />
# Hardware Model is the name of the Board<br />
/usr/libexec/remotectl get-property localbridge HWModel<br />
# Mac Model String<br />
sysctl -n hw.model<br />
</syntaxhighlight><br />
<br />
== Mac Configuration Utility ==<br />
[[Image:MCUIcon.png|thumb|The Mac Configuration Utility icon.]]<br />
<br />
In order to restore a firmware to an iBridge device, technicians must use two Apple Internal tools. The first one, '''Apple Service Toolkit (AST)''', is used to initiate a diagnostic session between the host Mac and the Mac in DFU mode. The second tool, which must be installed on the host Mac, is known as the '''Mac Configuration Utility (MCU)'''. It communicates with AST to provide board information and initiate restores and diagnostics over-the-air. MCU supports macOS 10.13.2 or later.<br />
<br />
[[Image:MCU.png|thumb|The Mac Configuration Utility startup screen.]]<br />
<br />
iBridge devices can still be managed if there is no firmware present by booting a diagnostic image, which is pushed to the device by MCU after a '''Blank Board Serializer''' test is initiated on AST. This test will also assign a serial number to a new board.<br />
<br />
During a restore, an Apple logo and progress bar will show on the screen, similar to that of a normal device restore. It is unknown if iBridge firmwares are signed, or if they are verified by the host or by iBridge devices.<br />
<br />
== References ==<br />
<references /><br />
<br />
[[Category:Application Processors]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=T8012&diff=107859T80122020-10-14T18:00:32Z<p>Rickmark: /* Bootrom Exploits */</p>
<hr />
<div>'''T8012''', also just known as the '''T2''' is the CPU introduced in the [[J137AP|second-generation iBridge processor]], the processor found on the iMac Pro, and used on all subsequent T2 enabled Mac products.<br />
<br />
== Enabled Mac Products ==<br />
<br />
Devices sourced from [https://github.com/libimobiledevice/libirecovery/blob/master/src/libirecovery.c]<br />
<br />
{| class="wikitable"<br />
!iBridge Product ID<br />
!Board ID<br />
!Board Minor<br />
!Description (Product ID)<br />
!checkm8/blackbird confirmed<br />
|-<br />
|iBridge2,1<br />
|J137AP<br />
|0x0A<br />
|Apple T2 iMacPro1,1 (j137)<br />
|yes<br />
|-<br />
|iBridge2,3<br />
|J680AP<br />
|0x0B<br />
|Apple T2 MacBookPro15,1 (j680)<br />
|yes<br />
|-<br />
|iBridge2,4<br />
|J132AP<br />
|0x0C<br />
|Apple T2 MacBookPro15,2 (j132)<br />
|yes<br />
|-<br />
|iBridge2,5<br />
|J174AP<br />
|0x0E<br />
|Apple T2 Macmini8,1 (j174)<br />
|yes<br />
|-<br />
|iBridge2,6<br />
|J160AP<br />
|0x0F<br />
|Apple T2 MacPro7,1 (j160)<br />
|yes<br />
|-<br />
|iBridge2,7<br />
|J780AP<br />
|0x07<br />
|Apple T2 MacBookPro15,3 (j780)<br />
|yes<br />
|-<br />
|iBridge2,8<br />
|J140kAP<br />
|0x17<br />
|Apple T2 MacBookAir8,1 (j140k)<br />
|yes<br />
|-<br />
|iBridge2,10<br />
|J213AP<br />
|0x18<br />
|Apple T2 MacBookPro15,4 (j213)<br />
|yes<br />
|-<br />
|iBridge2,11<br />
|J230AP<br />
|0x1F<br />
|?<br />
|?<br />
|-<br />
|iBridge2,12<br />
|J140aAP<br />
|0x37<br />
|Apple T2 MacBookAir8,2 (j140a)<br />
|yes<br />
|-<br />
|iBridge2,13<br />
|J214AP<br />
|0x1E<br />
|?<br />
|?<br />
|-<br />
|iBridge2,14<br />
|J152fAP<br />
|0x3A<br />
|Apple T2 MacBookPro16,1 (j152f)<br />
|yes<br />
|-<br />
|iBridge2,15<br />
|J230kAP<br />
|0x3F<br />
|Apple T2 MacBookAir9,1 (j223k)<br />
|yes<br />
|-<br />
|iBridge2,16<br />
|J214kAP<br />
|0x3E<br />
|?<br />
|?<br />
|-<br />
|iBridge2,19<br />
|J185AP<br />
|0x22<br />
|?<br />
|?<br />
|-<br />
|iBridge2,20<br />
|J185fAP<br />
|0x23<br />
|?<br />
|?<br />
|-<br />
|iBridge2,21<br />
|J223AP<br />
|0x3B<br />
|?<br />
|?<br />
|-<br />
|iBridge2,22<br />
|J215AP<br />
|0x38<br />
|?<br />
|?<br />
|}<br />
<br />
==T2 Recovery USB Device ID==<br />
During the restore process, the T2 presents as a [[Restore Mode]] <code>com.apple.recoveryd</code> service, but uses the USB product ID of <code>0x8086</code> instead of the iPhone's <code>0x1290-0x12AF</code>.[https://github.com/libimobiledevice/usbmuxd/blob/master/udev/39-usbmuxd.rules.in]<br />
<br />
==Bootrom Exploits==<br />
The T8012 uses Bootrom version [[Bootrom_3401.0.0.1.16]] which is vulnerable to [[checkm8]]. A fork of [[checkm8]] with support for the t2 exists at [https://github.com/h0m3us3r/ipwndfu h0m3us3r] and a checkra1n with T2 tutorial is at [https://blog.t8012.dev/t2-checkra1n-guide/ t8012 blog]. The adaption of checkm8 was performed by the [[t8012 checkm8]] group by brute forcing the various locations from ROM. The copyright string reads <code>SecureROM for t8012si, Copyright 2007-2016, Apple Inc</code>, for version [[Bootrom_3401.0.0.1.16]].<br />
<br />
* [https://twitter.com/axi0mX/status/1182915286858522624 axi0mX T2 support tweet]<br />
* [https://twitter.com/qwertyoruiopz/status/1237400943047704576?s=21 quertyoruiop's early checkra1n previews]<br />
<br />
Similar to iPhones, iPads, and iPods, iBridge firmware bundles come in IPSW form. Build train codenames are appended with "HWBridge" to distinguish them from normal firmwares, and the disk image files inside have labels that are appended with "UniversalBridgeOS." They can only be restored to if the Mac is in [[DFU mode]].<br />
<br />
=== The T2 Secure Enclave Processor (SEP) ===<br />
<br />
The T2 is based on the A10 silicon design and therefore has a A10 SEP. The A10 SEP is a ARM Cortex-A7 32bit CPU. The T2 Secure Enclave is vulnerable to the same exploit Pangu presented at MOSEC named `blackbird`.<br />
<br />
The T2 SEP is responsible for acting as a secure store for symmetric secrets (tokens) as well as asymmetric credentials that can be generated and wrapped by the SEP. The SEP plays a key role in disk encryption.<br />
<br />
== Entering DFU Mode ==<br />
The T2 models can be restored via a Thunderbolt cable using [https://apps.apple.com/us/app/apple-configurator-2/id1037126344?mt=12 Apple Configurator 2].<br />
<br />
=== Desktop Macs ===<br />
For example, iMac Pro and Mac mini models from 2018 or later.<ref>https://support.apple.com/en-us/guide/apple-configurator-2/apdebea5be51/mac</ref><br />
<br />
# Completely power off the Mac; disconnect it from external power.<br />
# Attach one end of a Thunderbolt cable to the correct Thunderbolt port on the Mac.<br />
#* iMac Pro: The Thunderbolt port that is located next to the Ethernet port.<br />
#* Mac mini: The Thunderbolt port that is located next to the HDMI port.<br />
# Connect the other end to any Thunderbolt or USB port on the host Mac (the device which will be used for restoring).<br />
# Hold down the power button on the back of the Mac for 3 seconds, while connecting the power cord.<br />
<br />
=== Portable Macs ===<br />
For example, MacBook models from 2018 or later.<ref>https://support.apple.com/en-us/guide/apple-configurator-2/apd0020c3dc2/mac</ref><br />
<br />
# Completely power off the Mac; disconnect it from external power.<br />
# Attach one end of a Thunderbolt cable to the Thunderbolt port that is located on the left side, closest to the front.<br />
# Connect the other end to any Thunderbolt or USB port on the host Mac (the device which will be used for restoring).<br />
# Hold down the power button, right Shift key, and left Control and Option keys, for 3 seconds.<br />
<br />
=== Identifying the T2 from DFU ===<br />
<br />
Once a device is in DFU enumerating the USB device yields the BoardID. Using either Linux's <code>lsusb -v</code> or macOS's <code>ioreg -p IOUSB</code> the USB serial attribute will contain the same information as any other Apple A core iBoot device. (http://newosxbook.com/bonus/iBoot.pdf). The ChipID will always be 8012. The value for BDID is the BoardID. Full decoding of the version string can be performed using the code at https://github.com/das-iboot/das-iboot/blob/master/das_iboot/device.py. These values for BDID, CPID, CPRV and ECID are in Hex.<br />
<br />
=== Identifying the T2 from macOS ===<br />
<br />
This will provide many of the same values as DFU but in Decimal instead of Hex like above:<br />
<br />
<syntaxhighlight lang="bash"><br />
# ECID in decimal instead of Hex<br />
/usr/libexec/remotectl get-property localbridge UniqueChipID<br />
# Chip ID CPID in decimal (32786 == 0x8012)<br />
/usr/libexec/remotectl get-property localbridge ChipID<br />
# Board Revision CPRV in decimal instead of hex<br />
/usr/libexec/remotectl get-property localbridge BoardRevision<br />
# Board ID (BDID) in decimal instead of hex<br />
/usr/libexec/remotectl get-property localbridge BoardId<br />
# Hardware Model is the name of the Board<br />
/usr/libexec/remotectl get-property localbridge HWModel<br />
</syntaxhighlight><br />
<br />
== Mac Configuration Utility ==<br />
[[Image:MCUIcon.png|thumb|The Mac Configuration Utility icon.]]<br />
<br />
In order to restore a firmware to an iBridge device, technicians must use two Apple Internal tools. The first one, '''Apple Service Toolkit (AST)''', is used to initiate a diagnostic session between the host Mac and the Mac in DFU mode. The second tool, which must be installed on the host Mac, is known as the '''Mac Configuration Utility (MCU)'''. It communicates with AST to provide board information and initiate restores and diagnostics over-the-air. MCU supports macOS 10.13.2 or later.<br />
<br />
[[Image:MCU.png|thumb|The Mac Configuration Utility startup screen.]]<br />
<br />
iBridge devices can still be managed if there is no firmware present by booting a diagnostic image, which is pushed to the device by MCU after a '''Blank Board Serializer''' test is initiated on AST. This test will also assign a serial number to a new board.<br />
<br />
During a restore, an Apple logo and progress bar will show on the screen, similar to that of a normal device restore. It is unknown if iBridge firmwares are signed, or if they are verified by the host or by iBridge devices.<br />
<br />
== References ==<br />
<references /><br />
<br />
[[Category:Application Processors]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=T8012_checkm8&diff=107858T8012 checkm82020-10-14T17:59:17Z<p>Rickmark: /* Work */</p>
<hr />
<div>{{DISPLAYTITLE:t8012 checkm8}}<br />
The least imaginative team name...<br />
<br />
'''t8012 checkm8''' is a team of who have applied the [[checkm8]] vulnerability to the [[t8012]] or "T2" security processor on modern Mac computers. <br />
<br />
==Work==<br />
* PlugNPwn auto DFU for the T2 [https://blog.t8012.dev/plug-n-pwn/]<br />
* [[Checkm8]] port to the T2 processor [https://github.com/h0m3us3r/ipwndfu]<br />
* [[T2]] restore using '''libimobiledevice''' [https://gist.github.com/rickmark/9245ed3ef7f36d5a0421557f68c4681b]<br />
* [[USB Target Disk Mode]]<br />
* Apple [[SMC]] Firmware Reverse Engineering<br />
* Analysis of [[FDR]] data in the SysCfg region of Flash, and it's potential for Malware<br />
<br />
== Official Members ==<br />
*[[User:h0m3us3r|h0m3us3r]]<br />
*[[User:aunali1|aunali1]]<br />
*[[User:mrarm|mrarm]]<br />
*[[User:rickmark|rickmark]]<br />
<br />
== Links ==<br />
* Website - https://t8012.dev<br />
* Blog - https://blog.t8012.dev<br />
* Twitter - https://twitter.com/t8012dev<br />
* GitHub - https://github.com/t8012<br />
<br />
[[Category:Hackers]]<br />
[[Category:Teams]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Chimp_Cable&diff=107749Chimp Cable2020-10-10T19:50:16Z<p>Rickmark: </p>
<hr />
<div>[[File:Chimp_Cable.jpeg|right|thumb|A Normal Chimp Cable (credit Mr White)]]<br />
<br />
The '''Chimp Cable''' is a JTAG/SWD Cable capable of debugging CPFM 00 or 01 devices (EVT and DVT devices), or CPFM 03 (production devices) which demoted which have a USB-C port. The Chimp is used with the [[T2]] and [[iPad Pro]]. They can be purchased from obscure markets. <br />
<br />
{{stub|hardware}}<br />
[[Category:Cables]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Chimp_Cable&diff=107748Chimp Cable2020-10-10T19:49:59Z<p>Rickmark: </p>
<hr />
<div>[[File:Chimp_Cable.jpeg|right|thumb|A Normal Chimp Cable (credit Mr White)]]<br />
<br />
The '''Chimp Cable''' is a JTAG/SWD Cable capable of debugging CPFM 00 or 01 devices (EVT and DVT devices), or CPFM 03 (production devices) which demoted which have a USB-C port. The Chimp is used with the [[T2]] and [[iPad Pro]]. They can be purchased from obscure markets. There are two known types of the Kanzi cable.<br />
<br />
{{stub|hardware}}<br />
[[Category:Cables]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=File:Chimp_Cable.jpeg&diff=107747File:Chimp Cable.jpeg2020-10-10T19:49:36Z<p>Rickmark: </p>
<hr />
<div></div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Chimp_Cable&diff=107746Chimp Cable2020-10-10T19:49:02Z<p>Rickmark: Created page with "A Normal Chimp Cable (credit Mr White) The ```Chimp Cable``` is a JTAG/SWD Cable capable of debugging CPFM 00 or 01 devices (EVT and DVT..."</p>
<hr />
<div>[[File:Chimp_Cable.jpeg|right|thumb|A Normal Chimp Cable (credit Mr White)]]<br />
<br />
The ```Chimp Cable``` is a JTAG/SWD Cable capable of debugging CPFM 00 or 01 devices (EVT and DVT devices), or CPFM 03 (production devices) which demoted which have a USB-C port. The Chimp is used with the [[T2]] and [[iPad Pro]]. They can be purchased from obscure markets. There are two known types of the Kanzi cable.<br />
<br />
{{stub|hardware}}<br />
[[Category:Cables]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=T8012_checkm8&diff=107732T8012 checkm82020-10-09T05:13:42Z<p>Rickmark: </p>
<hr />
<div>{{DISPLAYTITLE:t8012 checkm8}}<br />
The least imaginative team name...<br />
<br />
'''t8012 checkm8''' is a team of who have applied the [[checkm8]] vulnerability to the [[t8012]] or "T2" security processor on modern Mac computers. <br />
<br />
==Work==<br />
* [[Checkm8]] port to the T2 processor [https://github.com/h0m3us3r/ipwndfu]<br />
* [[T2]] restore using '''libimobiledevice''' [https://gist.github.com/rickmark/9245ed3ef7f36d5a0421557f68c4681b]<br />
* [[USB Target Disk Mode]]<br />
* Apple [[SMC]] Firmware Reverse Engineering<br />
* Analysis of [[FDR]] data in the SysCfg region of Flash, and it's potential for Malware<br />
<br />
== Official Members ==<br />
*[[User:h0m3us3r|h0m3us3r]]<br />
*[[User:aunali1|aunali1]]<br />
*[[User:mrarm|mrarm]]<br />
*[[User:rickmark|rickmark]]<br />
<br />
== Links ==<br />
* Website - https://t8012.dev<br />
* Blog - https://blog.t8012.dev<br />
* Twitter - https://twitter.com/t8012dev<br />
* GitHub - https://github.com/t8012<br />
<br />
[[Category:Hackers]]<br />
[[Category:Teams]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=IPSW_File_Format&diff=107055IPSW File Format2020-09-16T23:58:50Z<p>Rickmark: /* Firmwares found in IPSW */</p>
<hr />
<div>{{redirect|IPSW|the component of XPwn|ipsw}}<br />
{{see also|Disk Image Formats}}<br />
'''IPSW''' ('''iP'''od<sup>[[#Notes|[1]<nowiki/>]]</sup> '''S'''oft'''w'''are) files have the Magic Number 504B0304 (PK\003\004) and thus are [[wikipedia:ZIP (file format)|ZIP]] archives. They can be modified with typical zip/unzip tools (i.e. change extension to .zip and double click). IPSWs are used to deliver the [[iDevice|device's]] firmware to the end-user.<br />
<br />
== Archive Structure ==<br />
* [[Restore Ramdisk]]<br />
* [[Update Ramdisk]] (some firmwares don't have one due to various reasons)<br />
* [[:/|Filesystem Ramdisk]] (the largest [[Apple Disk Image|.dmg]] file)<br />
* [[Device Tree]] (model specific)<br />
* [[Kernelcache]] (model specific; processor specific on pre-[[S5L8930|A4]])<br />
* BuildManifest.plist (first appeared in [[iOS|iPhone OS]] 3.0 beta 2)<br />
* Restore.plist<br />
* ''Firmware/''<br />
** ''all_flash/''<br />
*** ''all_flash.XXXXX.production/'' (model specific i.e. [[M68AP]], [[N82AP]], etc.)<br />
**** [[S5L File Formats#IMG2|IMG2]]/[[IMG3 File Format|IMG3]] files<br />
**** manifest<br />
** dfu/''<br />
*** [[iBEC]].XXXXX.dfu (model specific i.e. [[M68AP]], [[N82AP]], etc.)<br />
*** [[iBSS]].XXXXX.dfu<br />
*** [[WTF]].XXXXX.dfu (model specific and only for [[M68AP]], [[N82AP]], [[N45AP]], [[N72AP]]; not present in firmwares for the [[N88AP|iPhone 3GS]] and later, because it was used to patch issues with the DFU mode that was burned into the bootrom)<br />
** [[Baseband Device|Baseband]] (may be one or many files depending on the model)<br />
<br />
=== Example ===<br />
Here are the contents of the [[Kirkwood 7A341 (iPhone2,1)|iPhone 3GS 3.0 (7A341)]] firmware IPSW:<br />
* <code>[[:/|018-5302-002.dmg]]</code> (281214976 bytes)<br />
* <code>[[Update Ramdisk|018-5304-002.dmg]]</code> (12769604 bytes)<br />
* <code>[[Restore Ramdisk|018-5306-002.dmg]]</code> (12777796 bytes)<br />
* <code><!--[[#BuildManifest.plist|-->BuildManifest.plist<!--]]--></code> (21097 bytes)<br />
* <code>[[kernelcache]].release.s5l8920x</code> (4695492 bytes)<br />
* <code><!--[[#Restore.plist|-->Restore.plist<!--]]--></code> (1763 bytes)<br />
* ''<code>Firmware/</code>''<br />
** ''<code>all_flash/</code>''<br />
*** ''<code>all_flash.n88ap.production/</code>''<br />
**** <code>[[AppleLogo|applelogo]].s5l8920x.img3</code> (9604 bytes)<br />
**** <code>[[BatteryCharging0|batterycharging0]].s5l8920x.img3</code> (19716 bytes)<br />
**** <code>[[BatteryCharging1|batterycharging1]].s5l8920x.img3</code> (24900 bytes)<br />
**** <code>[[BatteryFull|batteryfull]].s5l8920x.img3</code> (76100 bytes)<br />
**** <code>[[BatteryLow0|batterylow0]].s5l8920x.img3</code> (56772 bytes)<br />
**** <code>[[BatteryLow1|batterylow1]].s5l8920x.img3</code> (65348 bytes)<br />
**** <code>[[DeviceTree]].n88ap.img3</code> (44996 bytes)<br />
**** <code>[[GlyphCharging|glyphcharging]].s5l8920x.img3</code> (20356 bytes)<br />
**** <code>[[GlyphPlugin|glyphplugin]].s5l8920x.img3</code> (19332 bytes)<br />
**** <code>[[iBoot (Bootloader)|iBoot]].n88ap.RELEASE.img3</code> (178500 bytes)<br />
**** <code>[[LLB]].n88ap.RELEASE.img3</code> (67908 bytes)<br />
**** <code>manifest</code> (341 bytes)<br />
**** <code>[[NeedService|needservice]].s5l8920x.img3</code> (20484 bytes)<br />
**** <code>[[RecoveryMode|recoverymode]].s5l8920x.img3</code> (47876 bytes)<br />
** ''<code>dfu/</code>''<br />
*** <code>[[iBEC]].n88ap.RELEASE.dfu</code> (104772 bytes)<br />
*** <code>[[iBSS]].n88ap.RELEASE.dfu</code> (104772 bytes)<br />
<br />
<br />
== Firmwares found in IPSW ==<br />
Per http://newosxbook.com/bonus/vol1AppA.html<br />
{| class="wikitable" <br />
|-<br />
! Filename<br />
! Use<br />
|-<br />
| ICE17-1.xx.xx.Release.bbfw<br />
| Intel modem / baseband<br />
|-<br />
| Mav17-1.xx.xx.Release.bbfw<br />
| Maverick modem / baseband<br />
|-<br />
| AOP/aopfw-iphone##aop.im4p<br />
| Always on processor<br />
|-<br />
| Savage/Savage.B[0/2]-[Dev/Prod].[vt.]fw<br />
| FaceID<br />
|-<br />
| Yonkers/Yonkers.EA01_F###_[Dev/Prod]fw<br />
| FaceID<br />
|-<br />
| SE/Stockholm##.RELEASE.sefw<br />
| Secure Element<br />
|-<br />
| Maggie/AppleMaggieFirmwareImage.im4p<br />
| ?<br />
|-<br />
| cpu_Multitouch.im4p<br />
| Multitouch controller<br />
|-<br />
| isp/adc-petra-d3x.im4p<br />
| Image Signal Processor<br />
|-<br />
| ane/h11_ane_fw_quin.im4p<br />
| [[Apple Neural Engine]]<br />
|-<br />
| WirelessPower/WirelessPower.iphone##.im4p<br />
| Wireless charging controller<br />
|-<br />
| SmartIOFirmwareCHIP.im4p<br />
| [[T8020]] and later Smart I/O<br />
|-<br />
| board_CallanFirmware.im4p<br />
| Haptics Firmware<br />
|-<br />
| ave/AppleAVE2FW.im4p<br />
| Audio/Video Encoder<br />
|-<br />
| agx/armfw_g11p.im4p<br />
| GPU Scheduler/Command Stream Processor<br />
|-<br />
| all_flash/sep-firmware.*.im4p<br />
| Secure Enclave Processor<br />
|-<br />
| liquiddetect@2436~iphone-lightning.im4p<br />
| Liquid Damage Detection<br />
|-<br />
| pmp/t8030pmp.im4p<br />
| Power Management Processor<br />
|-<br />
| Rose/r1p0/ftab.bin<br />
| Rose (TouchID) sensor<br />
|-<br />
| vinyl_05.vnlfw<br />
| eSIM<br />
|-<br />
| Veridian<br />
| ? (Some form of signing/device integrity)<br />
|}<br />
<br />
== Notes ==<br />
# IPSW files have been used since the very first iPod, though they have [http://www.freemyipod.org/wiki/Firmware a different format] than firmwares for iOS devices.<br />
<br />
[[Category:File Formats]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=IPSW_File_Format&diff=107054IPSW File Format2020-09-16T23:56:53Z<p>Rickmark: /* Firmwares found in IPSW */</p>
<hr />
<div>{{redirect|IPSW|the component of XPwn|ipsw}}<br />
{{see also|Disk Image Formats}}<br />
'''IPSW''' ('''iP'''od<sup>[[#Notes|[1]<nowiki/>]]</sup> '''S'''oft'''w'''are) files have the Magic Number 504B0304 (PK\003\004) and thus are [[wikipedia:ZIP (file format)|ZIP]] archives. They can be modified with typical zip/unzip tools (i.e. change extension to .zip and double click). IPSWs are used to deliver the [[iDevice|device's]] firmware to the end-user.<br />
<br />
== Archive Structure ==<br />
* [[Restore Ramdisk]]<br />
* [[Update Ramdisk]] (some firmwares don't have one due to various reasons)<br />
* [[:/|Filesystem Ramdisk]] (the largest [[Apple Disk Image|.dmg]] file)<br />
* [[Device Tree]] (model specific)<br />
* [[Kernelcache]] (model specific; processor specific on pre-[[S5L8930|A4]])<br />
* BuildManifest.plist (first appeared in [[iOS|iPhone OS]] 3.0 beta 2)<br />
* Restore.plist<br />
* ''Firmware/''<br />
** ''all_flash/''<br />
*** ''all_flash.XXXXX.production/'' (model specific i.e. [[M68AP]], [[N82AP]], etc.)<br />
**** [[S5L File Formats#IMG2|IMG2]]/[[IMG3 File Format|IMG3]] files<br />
**** manifest<br />
** dfu/''<br />
*** [[iBEC]].XXXXX.dfu (model specific i.e. [[M68AP]], [[N82AP]], etc.)<br />
*** [[iBSS]].XXXXX.dfu<br />
*** [[WTF]].XXXXX.dfu (model specific and only for [[M68AP]], [[N82AP]], [[N45AP]], [[N72AP]]; not present in firmwares for the [[N88AP|iPhone 3GS]] and later, because it was used to patch issues with the DFU mode that was burned into the bootrom)<br />
** [[Baseband Device|Baseband]] (may be one or many files depending on the model)<br />
<br />
=== Example ===<br />
Here are the contents of the [[Kirkwood 7A341 (iPhone2,1)|iPhone 3GS 3.0 (7A341)]] firmware IPSW:<br />
* <code>[[:/|018-5302-002.dmg]]</code> (281214976 bytes)<br />
* <code>[[Update Ramdisk|018-5304-002.dmg]]</code> (12769604 bytes)<br />
* <code>[[Restore Ramdisk|018-5306-002.dmg]]</code> (12777796 bytes)<br />
* <code><!--[[#BuildManifest.plist|-->BuildManifest.plist<!--]]--></code> (21097 bytes)<br />
* <code>[[kernelcache]].release.s5l8920x</code> (4695492 bytes)<br />
* <code><!--[[#Restore.plist|-->Restore.plist<!--]]--></code> (1763 bytes)<br />
* ''<code>Firmware/</code>''<br />
** ''<code>all_flash/</code>''<br />
*** ''<code>all_flash.n88ap.production/</code>''<br />
**** <code>[[AppleLogo|applelogo]].s5l8920x.img3</code> (9604 bytes)<br />
**** <code>[[BatteryCharging0|batterycharging0]].s5l8920x.img3</code> (19716 bytes)<br />
**** <code>[[BatteryCharging1|batterycharging1]].s5l8920x.img3</code> (24900 bytes)<br />
**** <code>[[BatteryFull|batteryfull]].s5l8920x.img3</code> (76100 bytes)<br />
**** <code>[[BatteryLow0|batterylow0]].s5l8920x.img3</code> (56772 bytes)<br />
**** <code>[[BatteryLow1|batterylow1]].s5l8920x.img3</code> (65348 bytes)<br />
**** <code>[[DeviceTree]].n88ap.img3</code> (44996 bytes)<br />
**** <code>[[GlyphCharging|glyphcharging]].s5l8920x.img3</code> (20356 bytes)<br />
**** <code>[[GlyphPlugin|glyphplugin]].s5l8920x.img3</code> (19332 bytes)<br />
**** <code>[[iBoot (Bootloader)|iBoot]].n88ap.RELEASE.img3</code> (178500 bytes)<br />
**** <code>[[LLB]].n88ap.RELEASE.img3</code> (67908 bytes)<br />
**** <code>manifest</code> (341 bytes)<br />
**** <code>[[NeedService|needservice]].s5l8920x.img3</code> (20484 bytes)<br />
**** <code>[[RecoveryMode|recoverymode]].s5l8920x.img3</code> (47876 bytes)<br />
** ''<code>dfu/</code>''<br />
*** <code>[[iBEC]].n88ap.RELEASE.dfu</code> (104772 bytes)<br />
*** <code>[[iBSS]].n88ap.RELEASE.dfu</code> (104772 bytes)<br />
<br />
<br />
== Firmwares found in IPSW ==<br />
Per http://newosxbook.com/bonus/vol1AppA.html<br />
{| class="wikitable" <br />
|-<br />
! Filename<br />
! Use<br />
|-<br />
| ICE17-1.xx.xx.Release.bbfw<br />
| Intel modem / baseband<br />
|-<br />
| Mav17-1.xx.xx.Release.bbfw<br />
| Maverick modem / baseband<br />
|-<br />
| AOP/aopfw-iphone##aop.im4p<br />
| Always on processor<br />
|-<br />
| Savage/Savage.B[0/2]-[Dev/Prod].[vt.]fw<br />
| FaceID<br />
|-<br />
| Yonkers/Yonkers.EA01_F###_[Dev/Prod]fw<br />
| FaceID<br />
|-<br />
| SE/Stockholm##.RELEASE.sefw<br />
| Secure Element<br />
|-<br />
| Maggie/AppleMaggieFirmwareImage.im4p<br />
| ?<br />
|-<br />
| cpu_Multitouch.im4p<br />
| Multitouch controller<br />
|-<br />
| isp/adc-petra-d3x.im4p<br />
| Image Signal Processor<br />
|-<br />
| ane/h11_ane_fw_quin.im4p<br />
| [[Apple Neural Engine]]<br />
|-<br />
| WirelessPower/WirelessPower.iphone##.im4p<br />
| Wireless charging controller<br />
|-<br />
| SmartIOFirmwareCHIP.im4p<br />
| [[T8020]] and later Smart I/O<br />
|-<br />
| board_CallanFirmware.im4p<br />
| Haptics Firmware<br />
|-<br />
| ave/AppleAVE2FW.im4p<br />
| Audio/Video Encoder<br />
|-<br />
| agx/armfw_g11p.im4p<br />
| GPU Scheduler/Command Stream Processor<br />
|-<br />
| all_flash/sep-firmware.*.im4p<br />
| Secure Enclave Processor<br />
|-<br />
| liquiddetect@2436~iphone-lightning.im4p<br />
| Liquid Damage Detection<br />
|-<br />
| pmp/t8030pmp.im4p<br />
| Power Management Processor<br />
|-<br />
| Rose/r1p0/ftab.bin<br />
| Rose (TouchID) sensor<br />
|}<br />
<br />
== Notes ==<br />
# IPSW files have been used since the very first iPod, though they have [http://www.freemyipod.org/wiki/Firmware a different format] than firmwares for iOS devices.<br />
<br />
[[Category:File Formats]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=IPSW_File_Format&diff=106953IPSW File Format2020-09-16T00:34:47Z<p>Rickmark: /* Firmwares found in IPSW */</p>
<hr />
<div>{{redirect|IPSW|the component of XPwn|ipsw}}<br />
{{see also|Disk Image Formats}}<br />
'''IPSW''' ('''iP'''od<sup>[[#Notes|[1]<nowiki/>]]</sup> '''S'''oft'''w'''are) files have the Magic Number 504B0304 (PK\003\004) and thus are [[wikipedia:ZIP (file format)|ZIP]] archives. They can be modified with typical zip/unzip tools (i.e. change extension to .zip and double click). IPSWs are used to deliver the [[iDevice|device's]] firmware to the end-user.<br />
<br />
== Archive Structure ==<br />
* [[Restore Ramdisk]]<br />
* [[Update Ramdisk]] (some firmwares don't have one due to various reasons)<br />
* [[:/|Filesystem Ramdisk]] (the largest [[Apple Disk Image|.dmg]] file)<br />
* [[Device Tree]] (model specific)<br />
* [[Kernelcache]] (model specific; processor specific on pre-[[S5L8930|A4]])<br />
* BuildManifest.plist (first appeared in [[iOS|iPhone OS]] 3.0 beta 2)<br />
* Restore.plist<br />
* ''Firmware/''<br />
** ''all_flash/''<br />
*** ''all_flash.XXXXX.production/'' (model specific i.e. [[M68AP]], [[N82AP]], etc.)<br />
**** [[S5L File Formats#IMG2|IMG2]]/[[IMG3 File Format|IMG3]] files<br />
**** manifest<br />
** dfu/''<br />
*** [[iBEC]].XXXXX.dfu (model specific i.e. [[M68AP]], [[N82AP]], etc.)<br />
*** [[iBSS]].XXXXX.dfu<br />
*** [[WTF]].XXXXX.dfu (model specific and only for [[M68AP]], [[N82AP]], [[N45AP]], [[N72AP]]; not present in firmwares for the [[N88AP|iPhone 3GS]] and later, because it was used to patch issues with the DFU mode that was burned into the bootrom)<br />
** [[Baseband Device|Baseband]] (may be one or many files depending on the model)<br />
<br />
=== Example ===<br />
Here are the contents of the [[Kirkwood 7A341 (iPhone2,1)|iPhone 3GS 3.0 (7A341)]] firmware IPSW:<br />
* <code>[[:/|018-5302-002.dmg]]</code> (281214976 bytes)<br />
* <code>[[Update Ramdisk|018-5304-002.dmg]]</code> (12769604 bytes)<br />
* <code>[[Restore Ramdisk|018-5306-002.dmg]]</code> (12777796 bytes)<br />
* <code><!--[[#BuildManifest.plist|-->BuildManifest.plist<!--]]--></code> (21097 bytes)<br />
* <code>[[kernelcache]].release.s5l8920x</code> (4695492 bytes)<br />
* <code><!--[[#Restore.plist|-->Restore.plist<!--]]--></code> (1763 bytes)<br />
* ''<code>Firmware/</code>''<br />
** ''<code>all_flash/</code>''<br />
*** ''<code>all_flash.n88ap.production/</code>''<br />
**** <code>[[AppleLogo|applelogo]].s5l8920x.img3</code> (9604 bytes)<br />
**** <code>[[BatteryCharging0|batterycharging0]].s5l8920x.img3</code> (19716 bytes)<br />
**** <code>[[BatteryCharging1|batterycharging1]].s5l8920x.img3</code> (24900 bytes)<br />
**** <code>[[BatteryFull|batteryfull]].s5l8920x.img3</code> (76100 bytes)<br />
**** <code>[[BatteryLow0|batterylow0]].s5l8920x.img3</code> (56772 bytes)<br />
**** <code>[[BatteryLow1|batterylow1]].s5l8920x.img3</code> (65348 bytes)<br />
**** <code>[[DeviceTree]].n88ap.img3</code> (44996 bytes)<br />
**** <code>[[GlyphCharging|glyphcharging]].s5l8920x.img3</code> (20356 bytes)<br />
**** <code>[[GlyphPlugin|glyphplugin]].s5l8920x.img3</code> (19332 bytes)<br />
**** <code>[[iBoot (Bootloader)|iBoot]].n88ap.RELEASE.img3</code> (178500 bytes)<br />
**** <code>[[LLB]].n88ap.RELEASE.img3</code> (67908 bytes)<br />
**** <code>manifest</code> (341 bytes)<br />
**** <code>[[NeedService|needservice]].s5l8920x.img3</code> (20484 bytes)<br />
**** <code>[[RecoveryMode|recoverymode]].s5l8920x.img3</code> (47876 bytes)<br />
** ''<code>dfu/</code>''<br />
*** <code>[[iBEC]].n88ap.RELEASE.dfu</code> (104772 bytes)<br />
*** <code>[[iBSS]].n88ap.RELEASE.dfu</code> (104772 bytes)<br />
<br />
<br />
== Firmwares found in IPSW ==<br />
Per http://newosxbook.com/bonus/vol1AppA.html<br />
{| class="wikitable" <br />
|-<br />
! Filename<br />
! Use<br />
|-<br />
| ICE17-1.xx.xx.Release.bbfw<br />
| Intel modem / baseband<br />
|-<br />
| Mav17-1.xx.xx.Release.bbfw<br />
| Maverick modem / baseband<br />
|-<br />
| AOP/aopfw-iphone##aop.im4p<br />
| Always on processor<br />
|-<br />
| Savage/Savage.B[0/2]-[Dev/Prod].[vt.]fw<br />
| FaceID<br />
|-<br />
| Yonkers/Yonkers.EA01_F###_[Dev/Prod]fw<br />
| FaceID<br />
|-<br />
| SE/Stockholm##.RELEASE.sefw<br />
| Secure Element<br />
|-<br />
| Maggie/AppleMaggieFirmwareImage.im4p<br />
| ?<br />
|-<br />
| cpu_Multitouch.im4p<br />
| Multitouch controller<br />
|-<br />
| isp/adc-petra-d3x.im4p<br />
| Image Signal Processor<br />
|-<br />
| ane/h11_ane_fw_quin.im4p<br />
| [[Apple Neural Engine]]<br />
|-<br />
| WirelessPower/WirelessPower.iphone##.im4p<br />
| Wireless charging controller<br />
|-<br />
| SmartIOFirmwareCHIP.im4p<br />
| [[T8020]] and later Smart I/O<br />
|-<br />
| board_CallanFirmware.im4p<br />
| Haptics Firmware<br />
|-<br />
| ave/AppleAVE2FW.im4p<br />
| Audio/Video Encoder<br />
|-<br />
| agx/armfw_g11p.im4p<br />
| GPU Scheduler/Command Stream Processor<br />
|}<br />
<br />
== Notes ==<br />
# IPSW files have been used since the very first iPod, though they have [http://www.freemyipod.org/wiki/Firmware a different format] than firmwares for iOS devices.<br />
<br />
[[Category:File Formats]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=IPSW_File_Format&diff=106952IPSW File Format2020-09-16T00:34:26Z<p>Rickmark: </p>
<hr />
<div>{{redirect|IPSW|the component of XPwn|ipsw}}<br />
{{see also|Disk Image Formats}}<br />
'''IPSW''' ('''iP'''od<sup>[[#Notes|[1]<nowiki/>]]</sup> '''S'''oft'''w'''are) files have the Magic Number 504B0304 (PK\003\004) and thus are [[wikipedia:ZIP (file format)|ZIP]] archives. They can be modified with typical zip/unzip tools (i.e. change extension to .zip and double click). IPSWs are used to deliver the [[iDevice|device's]] firmware to the end-user.<br />
<br />
== Archive Structure ==<br />
* [[Restore Ramdisk]]<br />
* [[Update Ramdisk]] (some firmwares don't have one due to various reasons)<br />
* [[:/|Filesystem Ramdisk]] (the largest [[Apple Disk Image|.dmg]] file)<br />
* [[Device Tree]] (model specific)<br />
* [[Kernelcache]] (model specific; processor specific on pre-[[S5L8930|A4]])<br />
* BuildManifest.plist (first appeared in [[iOS|iPhone OS]] 3.0 beta 2)<br />
* Restore.plist<br />
* ''Firmware/''<br />
** ''all_flash/''<br />
*** ''all_flash.XXXXX.production/'' (model specific i.e. [[M68AP]], [[N82AP]], etc.)<br />
**** [[S5L File Formats#IMG2|IMG2]]/[[IMG3 File Format|IMG3]] files<br />
**** manifest<br />
** dfu/''<br />
*** [[iBEC]].XXXXX.dfu (model specific i.e. [[M68AP]], [[N82AP]], etc.)<br />
*** [[iBSS]].XXXXX.dfu<br />
*** [[WTF]].XXXXX.dfu (model specific and only for [[M68AP]], [[N82AP]], [[N45AP]], [[N72AP]]; not present in firmwares for the [[N88AP|iPhone 3GS]] and later, because it was used to patch issues with the DFU mode that was burned into the bootrom)<br />
** [[Baseband Device|Baseband]] (may be one or many files depending on the model)<br />
<br />
=== Example ===<br />
Here are the contents of the [[Kirkwood 7A341 (iPhone2,1)|iPhone 3GS 3.0 (7A341)]] firmware IPSW:<br />
* <code>[[:/|018-5302-002.dmg]]</code> (281214976 bytes)<br />
* <code>[[Update Ramdisk|018-5304-002.dmg]]</code> (12769604 bytes)<br />
* <code>[[Restore Ramdisk|018-5306-002.dmg]]</code> (12777796 bytes)<br />
* <code><!--[[#BuildManifest.plist|-->BuildManifest.plist<!--]]--></code> (21097 bytes)<br />
* <code>[[kernelcache]].release.s5l8920x</code> (4695492 bytes)<br />
* <code><!--[[#Restore.plist|-->Restore.plist<!--]]--></code> (1763 bytes)<br />
* ''<code>Firmware/</code>''<br />
** ''<code>all_flash/</code>''<br />
*** ''<code>all_flash.n88ap.production/</code>''<br />
**** <code>[[AppleLogo|applelogo]].s5l8920x.img3</code> (9604 bytes)<br />
**** <code>[[BatteryCharging0|batterycharging0]].s5l8920x.img3</code> (19716 bytes)<br />
**** <code>[[BatteryCharging1|batterycharging1]].s5l8920x.img3</code> (24900 bytes)<br />
**** <code>[[BatteryFull|batteryfull]].s5l8920x.img3</code> (76100 bytes)<br />
**** <code>[[BatteryLow0|batterylow0]].s5l8920x.img3</code> (56772 bytes)<br />
**** <code>[[BatteryLow1|batterylow1]].s5l8920x.img3</code> (65348 bytes)<br />
**** <code>[[DeviceTree]].n88ap.img3</code> (44996 bytes)<br />
**** <code>[[GlyphCharging|glyphcharging]].s5l8920x.img3</code> (20356 bytes)<br />
**** <code>[[GlyphPlugin|glyphplugin]].s5l8920x.img3</code> (19332 bytes)<br />
**** <code>[[iBoot (Bootloader)|iBoot]].n88ap.RELEASE.img3</code> (178500 bytes)<br />
**** <code>[[LLB]].n88ap.RELEASE.img3</code> (67908 bytes)<br />
**** <code>manifest</code> (341 bytes)<br />
**** <code>[[NeedService|needservice]].s5l8920x.img3</code> (20484 bytes)<br />
**** <code>[[RecoveryMode|recoverymode]].s5l8920x.img3</code> (47876 bytes)<br />
** ''<code>dfu/</code>''<br />
*** <code>[[iBEC]].n88ap.RELEASE.dfu</code> (104772 bytes)<br />
*** <code>[[iBSS]].n88ap.RELEASE.dfu</code> (104772 bytes)<br />
<br />
<br />
== Firmwares found in IPSW ==<br />
Per http://newosxbook.com/bonus/vol1AppA.html<br />
{| class="wikitable" <br />
|-<br />
! Filename<br />
! Use<br />
|-<br />
| ICE17-1.xx.xx.Release.bbfw<br />
| Intel modem / baseband<br />
| -<br />
| Mav17-1.xx.xx.Release.bbfw<br />
| Maverick modem / baseband<br />
|-<br />
| AOP/aopfw-iphone##aop.im4p<br />
| Always on processor<br />
|-<br />
| Savage/Savage.B[0/2]-[Dev/Prod].[vt.]fw<br />
| FaceID<br />
|-<br />
| Yonkers/Yonkers.EA01_F###_[Dev/Prod]fw<br />
| FaceID<br />
|-<br />
| SE/Stockholm##.RELEASE.sefw<br />
| Secure Element<br />
|-<br />
| Maggie/AppleMaggieFirmwareImage.im4p<br />
| ?<br />
|-<br />
| cpu_Multitouch.im4p<br />
| Multitouch controller<br />
|-<br />
| isp/adc-petra-d3x.im4p<br />
| Image Signal Processor<br />
|-<br />
| ane/h11_ane_fw_quin.im4p<br />
| [[Apple Neural Engine]]<br />
|-<br />
| WirelessPower/WirelessPower.iphone##.im4p<br />
| Wireless charging controller<br />
|-<br />
| SmartIOFirmwareCHIP.im4p<br />
| [[T8020]] and later Smart I/O<br />
|-<br />
| board_CallanFirmware.im4p<br />
| Haptics Firmware<br />
|-<br />
| ave/AppleAVE2FW.im4p<br />
| Audio/Video Encoder<br />
|-<br />
| agx/armfw_g11p.im4p<br />
| GPU Scheduler/Command Stream Processor<br />
|}<br />
<br />
<br />
== Notes ==<br />
# IPSW files have been used since the very first iPod, though they have [http://www.freemyipod.org/wiki/Firmware a different format] than firmwares for iOS devices.<br />
<br />
[[Category:File Formats]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Savage&diff=106951Savage2020-09-16T00:22:42Z<p>Rickmark: Redirected page to FaceID</p>
<hr />
<div>#REDIRECT [[FaceID]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Yonkers&diff=106950Yonkers2020-09-16T00:22:15Z<p>Rickmark: Redirected page to FaceID</p>
<hr />
<div>#REDIRECT [[FaceID]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=ANE&diff=106948ANE2020-09-16T00:21:38Z<p>Rickmark: Redirected page to Apple Neural Engine</p>
<hr />
<div>#REDIRECT [[Apple Neural Engine]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Provisioning_Profiles&diff=106683Provisioning Profiles2020-09-03T00:51:33Z<p>Rickmark: Created page with "= Introduction = Provisioning profiles allow for running apps with entitlements or signing certificates outside of the normal configuration of iOS. == File Format == The `m..."</p>
<hr />
<div>= Introduction =<br />
<br />
Provisioning profiles allow for running apps with entitlements or signing certificates outside of the normal configuration of iOS.<br />
<br />
== File Format ==<br />
<br />
The `mobileprovision` file is a PKCS7 (CMS) signed payload of a plist.</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Tristar&diff=106682Tristar2020-09-03T00:48:51Z<p>Rickmark: /* Introduction */</p>
<hr />
<div>= Introduction =<br />
<br />
Apple ASIC that multiplexes the Lightning port. Superseded by [[Hydra]] in iPhone X and later<br />
<br />
http://ramtin-amin.fr/tristar.html</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Hydra&diff=106681Hydra2020-09-03T00:48:41Z<p>Rickmark: Created page with "= Introduction = Successor to the Tristar"</p>
<hr />
<div>= Introduction =<br />
<br />
Successor to the [[Tristar]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=Tristar&diff=106680Tristar2020-09-03T00:48:12Z<p>Rickmark: Created page with "= Introduction = Apple ASIC that multiplexes the Lightning port. Superseded by Hydra in iPhone X and later"</p>
<hr />
<div>= Introduction =<br />
<br />
Apple ASIC that multiplexes the Lightning port. Superseded by [[Hydra]] in iPhone X and later</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=SecureBoot&diff=106590SecureBoot2020-08-29T00:36:34Z<p>Rickmark: /* = Verified Components */</p>
<hr />
<div>== Introduction == <br />
<br />
With the advent of the [[T2]] [[macOS]] gained the ability to verify the integrity of the OS as it is booted.<br />
<br />
=== Verified Components ===<br />
<br />
* The T2 verifies MacEFI via [[img4]] and feeds it to the Intel CPU via eSPI<br />
* MacEFI verifies the `boot.efi` component<br />
** If in Full Security mode it requires a [[im4m]] manifest that is specific to the T2 [[ECID]]<br />
** If in Medium Security mode it requires a [[im4m]] manifest that is specific to the T2 [[CPID]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=SecureBoot&diff=106589SecureBoot2020-08-29T00:36:26Z<p>Rickmark: Created page with "== Introduction == With the advent of the T2 macOS gained the ability to verify the integrity of the OS as it is booted. === Verified Components == * The T2 verifi..."</p>
<hr />
<div>== Introduction == <br />
<br />
With the advent of the [[T2]] [[macOS]] gained the ability to verify the integrity of the OS as it is booted.<br />
<br />
=== Verified Components ==<br />
<br />
* The T2 verifies MacEFI via [[img4]] and feeds it to the Intel CPU via eSPI<br />
* MacEFI verifies the `boot.efi` component<br />
** If in Full Security mode it requires a [[im4m]] manifest that is specific to the T2 [[ECID]]<br />
** If in Medium Security mode it requires a [[im4m]] manifest that is specific to the T2 [[CPID]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=T8012&diff=106588T80122020-08-29T00:32:47Z<p>Rickmark: /* Bootrom Exploits */</p>
<hr />
<div>'''T8012''', also just known as the '''T2''' is the CPU introduced in the [[J137AP|second-generation iBridge processor]], the processor found on the iMac Pro, and used on all subsequent T2 enabled Mac products.<br />
<br />
== Enabled Mac Products ==<br />
<br />
Devices sourced from [https://github.com/libimobiledevice/libirecovery/blob/master/src/libirecovery.c]<br />
<br />
{| class="wikitable"<br />
!iBridge Product ID<br />
!Board ID<br />
!Board Minor<br />
!Description (Product ID)<br />
!checkm8/blackbird confirmed<br />
|-<br />
|iBridge2,1<br />
|J137AP<br />
|0x0A<br />
|Apple T2 iMacPro1,1 (j137)<br />
|yes<br />
|-<br />
|iBridge2,3<br />
|J680AP<br />
|0x0B<br />
|Apple T2 MacBookPro15,1 (j680)<br />
|yes<br />
|-<br />
|iBridge2,4<br />
|J132AP<br />
|0x0C<br />
|Apple T2 MacBookPro15,2 (j132)<br />
|yes<br />
|-<br />
|iBridge2,5<br />
|J174AP<br />
|0x0E<br />
|Apple T2 Macmini8,1 (j174)<br />
|yes<br />
|-<br />
|iBridge2,6<br />
|J160AP<br />
|0x0F<br />
|Apple T2 MacPro7,1 (j160)<br />
|yes<br />
|-<br />
|iBridge2,7<br />
|J780AP<br />
|0x07<br />
|Apple T2 MacBookPro15,3 (j780)<br />
|yes<br />
|-<br />
|iBridge2,8<br />
|J140kAP<br />
|0x17<br />
|Apple T2 MacBookAir8,1 (j140k)<br />
|yes<br />
|-<br />
|iBridge2,10<br />
|J213AP<br />
|0x18<br />
|Apple T2 MacBookPro15,4 (j213)<br />
|yes<br />
|-<br />
|iBridge2,11<br />
|J230AP<br />
|0x1F<br />
|?<br />
|?<br />
|-<br />
|iBridge2,12<br />
|J140aAP<br />
|0x37<br />
|Apple T2 MacBookAir8,2 (j140a)<br />
|yes<br />
|-<br />
|iBridge2,13<br />
|J214AP<br />
|0x1E<br />
|?<br />
|?<br />
|-<br />
|iBridge2,14<br />
|J152fAP<br />
|0x3A<br />
|Apple T2 MacBookPro16,1 (j152f)<br />
|yes<br />
|-<br />
|iBridge2,15<br />
|J230kAP<br />
|0x3F<br />
|Apple T2 MacBookAir9,1 (j223k)<br />
|yes<br />
|-<br />
|iBridge2,16<br />
|J214kAP<br />
|0x3E<br />
|?<br />
|?<br />
|-<br />
|iBridge2,19<br />
|J185AP<br />
|0x22<br />
|?<br />
|?<br />
|-<br />
|iBridge2,20<br />
|J185fAP<br />
|0x23<br />
|?<br />
|?<br />
|-<br />
|iBridge2,21<br />
|J223AP<br />
|0x3B<br />
|?<br />
|?<br />
|-<br />
|iBridge2,22<br />
|J215AP<br />
|0x38<br />
|?<br />
|?<br />
|}<br />
<br />
==T2 Recovery USB Device ID==<br />
During the restore process, the T2 presents as a [[Restore Mode]] <code>com.apple.recoveryd</code> service, but uses the USB product ID of <code>0x8086</code> instead of the iPhone's <code>0x1290-0x12AF</code>.[https://github.com/libimobiledevice/usbmuxd/blob/master/udev/39-usbmuxd.rules.in]<br />
<br />
==Bootrom Exploits==<br />
The T8012 uses Bootrom version [[Bootrom_3401.0.0.1.16]] which is vulnerable to [[checkm8]]. A fork of [[checkm8]] with support for the t2 exists at [https://github.com/h0m3us3r/ipwndfu h0m3us3r]. The adaption of checkm8 was performed by the [[t8012 checkm8]] group by brute forcing the various locations from ROM. The copyright string reads <code>SecureROM for t8012si, Copyright 2007-2016, Apple Inc</code>, for version [[Bootrom_3401.0.0.1.16]].<br />
<br />
* [https://twitter.com/axi0mX/status/1182915286858522624 axi0mX T2 support tweet]<br />
* [https://twitter.com/qwertyoruiopz/status/1237400943047704576?s=21 quertyoruiop's early checkra1n previews]<br />
<br />
Similar to iPhones, iPads, and iPods, iBridge firmware bundles come in IPSW form. Build train codenames are appended with "HWBridge" to distinguish them from normal firmwares, and the disk image files inside have labels that are appended with "UniversalBridgeOS." They can only be restored to if the Mac is in [[DFU mode]].<br />
<br />
=== The T2 Secure Enclave Processor (SEP) ===<br />
<br />
The T2 is based on the A10 silicon design and therefore has a A10 SEP. The A10 SEP is a ARM Cortex-A7 32bit CPU. The T2 Secure Enclave is vulnerable to the same exploit Pangu presented at MOSEC named `blackbird`.<br />
<br />
The T2 SEP is responsible for acting as a secure store for symmetric secrets (tokens) as well as asymmetric credentials that can be generated and wrapped by the SEP. The SEP plays a key role in disk encryption.<br />
<br />
== Entering DFU Mode ==<br />
The T2 models can be restored via a Thunderbolt cable using [https://apps.apple.com/us/app/apple-configurator-2/id1037126344?mt=12 Apple Configurator 2].<br />
<br />
=== Desktop Macs ===<br />
For example, iMac Pro and Mac mini models from 2018 or later.<ref>https://support.apple.com/en-us/guide/apple-configurator-2/apdebea5be51/mac</ref><br />
<br />
# Completely power off the Mac; disconnect it from external power.<br />
# Attach one end of a Thunderbolt cable to the correct Thunderbolt port on the Mac.<br />
#* iMac Pro: The Thunderbolt port that is located next to the Ethernet port.<br />
#* Mac mini: The Thunderbolt port that is located next to the HDMI port.<br />
# Connect the other end to any Thunderbolt or USB port on the host Mac (the device which will be used for restoring).<br />
# Hold down the power button on the back of the Mac for 3 seconds, while connecting the power cord.<br />
<br />
=== Portable Macs ===<br />
For example, MacBook models from 2018 or later.<ref>https://support.apple.com/en-us/guide/apple-configurator-2/apd0020c3dc2/mac</ref><br />
<br />
# Completely power off the Mac; disconnect it from external power.<br />
# Attach one end of a Thunderbolt cable to the Thunderbolt port that is located on the left side, closest to the front.<br />
# Connect the other end to any Thunderbolt or USB port on the host Mac (the device which will be used for restoring).<br />
# Hold down the power button, right Shift key, and left Control and Option keys, for 3 seconds.<br />
<br />
=== Identifying the T2 from DFU ===<br />
<br />
Once a device is in DFU enumerating the USB device yields the BoardID. Using either Linux's <code>lsusb -v</code> or macOS's <code>ioreg -p IOUSB</code> the USB serial attribute will contain the same information as any other Apple A core iBoot device. (http://newosxbook.com/bonus/iBoot.pdf). The ChipID will always be 8012. The value for BDID is the BoardID. Full decoding of the version string can be performed using the code at https://github.com/das-iboot/das-iboot/blob/master/das_iboot/device.py. These values for BDID, CPID, CPRV and ECID are in Hex.<br />
<br />
=== Identifying the T2 from macOS ===<br />
<br />
This will provide many of the same values as DFU but in Decimal instead of Hex like above:<br />
<br />
<syntaxhighlight lang="bash"><br />
# ECID in decimal instead of Hex<br />
/usr/libexec/remotectl get-property localbridge UniqueChipID<br />
# Chip ID CPID in decimal (32786 == 0x8012)<br />
/usr/libexec/remotectl get-property localbridge ChipID<br />
# Board Revision CPRV in decimal instead of hex<br />
/usr/libexec/remotectl get-property localbridge BoardRevision<br />
# Board ID (BDID) in decimal instead of hex<br />
/usr/libexec/remotectl get-property localbridge BoardId<br />
# Hardware Model is the name of the Board<br />
/usr/libexec/remotectl get-property localbridge HWModel<br />
</syntaxhighlight><br />
<br />
== Mac Configuration Utility ==<br />
[[Image:MCUIcon.png|thumb|The Mac Configuration Utility icon.]]<br />
<br />
In order to restore a firmware to an iBridge device, technicians must use two Apple Internal tools. The first one, '''Apple Service Toolkit (AST)''', is used to initiate a diagnostic session between the host Mac and the Mac in DFU mode. The second tool, which must be installed on the host Mac, is known as the '''Mac Configuration Utility (MCU)'''. It communicates with AST to provide board information and initiate restores and diagnostics over-the-air. MCU supports macOS 10.13.2 or later.<br />
<br />
[[Image:MCU.png|thumb|The Mac Configuration Utility startup screen.]]<br />
<br />
iBridge devices can still be managed if there is no firmware present by booting a diagnostic image, which is pushed to the device by MCU after a '''Blank Board Serializer''' test is initiated on AST. This test will also assign a serial number to a new board.<br />
<br />
During a restore, an Apple logo and progress bar will show on the screen, similar to that of a normal device restore. It is unknown if iBridge firmwares are signed, or if they are verified by the host or by iBridge devices.<br />
<br />
== References ==<br />
<references /><br />
<br />
[[Category:Application Processors]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=T8012&diff=106587T80122020-08-29T00:32:30Z<p>Rickmark: /* The T2 SEP */</p>
<hr />
<div>'''T8012''', also just known as the '''T2''' is the CPU introduced in the [[J137AP|second-generation iBridge processor]], the processor found on the iMac Pro, and used on all subsequent T2 enabled Mac products.<br />
<br />
== Enabled Mac Products ==<br />
<br />
Devices sourced from [https://github.com/libimobiledevice/libirecovery/blob/master/src/libirecovery.c]<br />
<br />
{| class="wikitable"<br />
!iBridge Product ID<br />
!Board ID<br />
!Board Minor<br />
!Description (Product ID)<br />
!checkm8/blackbird confirmed<br />
|-<br />
|iBridge2,1<br />
|J137AP<br />
|0x0A<br />
|Apple T2 iMacPro1,1 (j137)<br />
|yes<br />
|-<br />
|iBridge2,3<br />
|J680AP<br />
|0x0B<br />
|Apple T2 MacBookPro15,1 (j680)<br />
|yes<br />
|-<br />
|iBridge2,4<br />
|J132AP<br />
|0x0C<br />
|Apple T2 MacBookPro15,2 (j132)<br />
|yes<br />
|-<br />
|iBridge2,5<br />
|J174AP<br />
|0x0E<br />
|Apple T2 Macmini8,1 (j174)<br />
|yes<br />
|-<br />
|iBridge2,6<br />
|J160AP<br />
|0x0F<br />
|Apple T2 MacPro7,1 (j160)<br />
|yes<br />
|-<br />
|iBridge2,7<br />
|J780AP<br />
|0x07<br />
|Apple T2 MacBookPro15,3 (j780)<br />
|yes<br />
|-<br />
|iBridge2,8<br />
|J140kAP<br />
|0x17<br />
|Apple T2 MacBookAir8,1 (j140k)<br />
|yes<br />
|-<br />
|iBridge2,10<br />
|J213AP<br />
|0x18<br />
|Apple T2 MacBookPro15,4 (j213)<br />
|yes<br />
|-<br />
|iBridge2,11<br />
|J230AP<br />
|0x1F<br />
|?<br />
|?<br />
|-<br />
|iBridge2,12<br />
|J140aAP<br />
|0x37<br />
|Apple T2 MacBookAir8,2 (j140a)<br />
|yes<br />
|-<br />
|iBridge2,13<br />
|J214AP<br />
|0x1E<br />
|?<br />
|?<br />
|-<br />
|iBridge2,14<br />
|J152fAP<br />
|0x3A<br />
|Apple T2 MacBookPro16,1 (j152f)<br />
|yes<br />
|-<br />
|iBridge2,15<br />
|J230kAP<br />
|0x3F<br />
|Apple T2 MacBookAir9,1 (j223k)<br />
|yes<br />
|-<br />
|iBridge2,16<br />
|J214kAP<br />
|0x3E<br />
|?<br />
|?<br />
|-<br />
|iBridge2,19<br />
|J185AP<br />
|0x22<br />
|?<br />
|?<br />
|-<br />
|iBridge2,20<br />
|J185fAP<br />
|0x23<br />
|?<br />
|?<br />
|-<br />
|iBridge2,21<br />
|J223AP<br />
|0x3B<br />
|?<br />
|?<br />
|-<br />
|iBridge2,22<br />
|J215AP<br />
|0x38<br />
|?<br />
|?<br />
|}<br />
<br />
==T2 Recovery USB Device ID==<br />
During the restore process, the T2 presents as a [[Restore Mode]] <code>com.apple.recoveryd</code> service, but uses the USB product ID of <code>0x8086</code> instead of the iPhone's <code>0x1290-0x12AF</code>.[https://github.com/libimobiledevice/usbmuxd/blob/master/udev/39-usbmuxd.rules.in]<br />
<br />
==Bootrom Exploits==<br />
The T8012 uses Bootrom version [[Bootrom_3401.0.0.1.16]] which is vulnerable to [[checkm8]]. A fork of [[checkm8]] with support for the t2 exists at [https://github.com/h0m3us3r/ipwndfu h0m3us3r]. The adaption of checkm8 was performed by the [[t8012 checkm8]] group by brute forcing the various locations from ROM. The copyright string reads <code>SecureROM for t8012si, Copyright 2007-2016, Apple Inc</code>, for version [[Bootrom_3401.0.0.1.16]].<br />
<br />
[https://twitter.com/axi0mX/status/1182915286858522624 axi0mX T2 support tweet]<br />
[https://twitter.com/qwertyoruiopz/status/1237400943047704576?s=21 quertyoruiop's early checkra1n previews]<br />
<br />
Similar to iPhones, iPads, and iPods, iBridge firmware bundles come in IPSW form. Build train codenames are appended with "HWBridge" to distinguish them from normal firmwares, and the disk image files inside have labels that are appended with "UniversalBridgeOS." They can only be restored to if the Mac is in [[DFU mode]].<br />
<br />
=== The T2 Secure Enclave Processor (SEP) ===<br />
<br />
The T2 is based on the A10 silicon design and therefore has a A10 SEP. The A10 SEP is a ARM Cortex-A7 32bit CPU. The T2 Secure Enclave is vulnerable to the same exploit Pangu presented at MOSEC named `blackbird`.<br />
<br />
The T2 SEP is responsible for acting as a secure store for symmetric secrets (tokens) as well as asymmetric credentials that can be generated and wrapped by the SEP. The SEP plays a key role in disk encryption.<br />
<br />
== Entering DFU Mode ==<br />
The T2 models can be restored via a Thunderbolt cable using [https://apps.apple.com/us/app/apple-configurator-2/id1037126344?mt=12 Apple Configurator 2].<br />
<br />
=== Desktop Macs ===<br />
For example, iMac Pro and Mac mini models from 2018 or later.<ref>https://support.apple.com/en-us/guide/apple-configurator-2/apdebea5be51/mac</ref><br />
<br />
# Completely power off the Mac; disconnect it from external power.<br />
# Attach one end of a Thunderbolt cable to the correct Thunderbolt port on the Mac.<br />
#* iMac Pro: The Thunderbolt port that is located next to the Ethernet port.<br />
#* Mac mini: The Thunderbolt port that is located next to the HDMI port.<br />
# Connect the other end to any Thunderbolt or USB port on the host Mac (the device which will be used for restoring).<br />
# Hold down the power button on the back of the Mac for 3 seconds, while connecting the power cord.<br />
<br />
=== Portable Macs ===<br />
For example, MacBook models from 2018 or later.<ref>https://support.apple.com/en-us/guide/apple-configurator-2/apd0020c3dc2/mac</ref><br />
<br />
# Completely power off the Mac; disconnect it from external power.<br />
# Attach one end of a Thunderbolt cable to the Thunderbolt port that is located on the left side, closest to the front.<br />
# Connect the other end to any Thunderbolt or USB port on the host Mac (the device which will be used for restoring).<br />
# Hold down the power button, right Shift key, and left Control and Option keys, for 3 seconds.<br />
<br />
=== Identifying the T2 from DFU ===<br />
<br />
Once a device is in DFU enumerating the USB device yields the BoardID. Using either Linux's <code>lsusb -v</code> or macOS's <code>ioreg -p IOUSB</code> the USB serial attribute will contain the same information as any other Apple A core iBoot device. (http://newosxbook.com/bonus/iBoot.pdf). The ChipID will always be 8012. The value for BDID is the BoardID. Full decoding of the version string can be performed using the code at https://github.com/das-iboot/das-iboot/blob/master/das_iboot/device.py. These values for BDID, CPID, CPRV and ECID are in Hex.<br />
<br />
=== Identifying the T2 from macOS ===<br />
<br />
This will provide many of the same values as DFU but in Decimal instead of Hex like above:<br />
<br />
<syntaxhighlight lang="bash"><br />
# ECID in decimal instead of Hex<br />
/usr/libexec/remotectl get-property localbridge UniqueChipID<br />
# Chip ID CPID in decimal (32786 == 0x8012)<br />
/usr/libexec/remotectl get-property localbridge ChipID<br />
# Board Revision CPRV in decimal instead of hex<br />
/usr/libexec/remotectl get-property localbridge BoardRevision<br />
# Board ID (BDID) in decimal instead of hex<br />
/usr/libexec/remotectl get-property localbridge BoardId<br />
# Hardware Model is the name of the Board<br />
/usr/libexec/remotectl get-property localbridge HWModel<br />
</syntaxhighlight><br />
<br />
== Mac Configuration Utility ==<br />
[[Image:MCUIcon.png|thumb|The Mac Configuration Utility icon.]]<br />
<br />
In order to restore a firmware to an iBridge device, technicians must use two Apple Internal tools. The first one, '''Apple Service Toolkit (AST)''', is used to initiate a diagnostic session between the host Mac and the Mac in DFU mode. The second tool, which must be installed on the host Mac, is known as the '''Mac Configuration Utility (MCU)'''. It communicates with AST to provide board information and initiate restores and diagnostics over-the-air. MCU supports macOS 10.13.2 or later.<br />
<br />
[[Image:MCU.png|thumb|The Mac Configuration Utility startup screen.]]<br />
<br />
iBridge devices can still be managed if there is no firmware present by booting a diagnostic image, which is pushed to the device by MCU after a '''Blank Board Serializer''' test is initiated on AST. This test will also assign a serial number to a new board.<br />
<br />
During a restore, an Apple logo and progress bar will show on the screen, similar to that of a normal device restore. It is unknown if iBridge firmwares are signed, or if they are verified by the host or by iBridge devices.<br />
<br />
== References ==<br />
<references /><br />
<br />
[[Category:Application Processors]]</div>Rickmarkhttps://www.theiphonewiki.com/w/index.php?title=T8012&diff=106586T80122020-08-29T00:31:21Z<p>Rickmark: /* The T2 SEP */</p>
<hr />
<div>'''T8012''', also just known as the '''T2''' is the CPU introduced in the [[J137AP|second-generation iBridge processor]], the processor found on the iMac Pro, and used on all subsequent T2 enabled Mac products.<br />
<br />
== Enabled Mac Products ==<br />
<br />
Devices sourced from [https://github.com/libimobiledevice/libirecovery/blob/master/src/libirecovery.c]<br />
<br />
{| class="wikitable"<br />
!iBridge Product ID<br />
!Board ID<br />
!Board Minor<br />
!Description (Product ID)<br />
!checkm8/blackbird confirmed<br />
|-<br />
|iBridge2,1<br />
|J137AP<br />
|0x0A<br />
|Apple T2 iMacPro1,1 (j137)<br />
|yes<br />
|-<br />
|iBridge2,3<br />
|J680AP<br />
|0x0B<br />
|Apple T2 MacBookPro15,1 (j680)<br />
|yes<br />
|-<br />
|iBridge2,4<br />
|J132AP<br />
|0x0C<br />
|Apple T2 MacBookPro15,2 (j132)<br />
|yes<br />
|-<br />
|iBridge2,5<br />
|J174AP<br />
|0x0E<br />
|Apple T2 Macmini8,1 (j174)<br />
|yes<br />
|-<br />
|iBridge2,6<br />
|J160AP<br />
|0x0F<br />
|Apple T2 MacPro7,1 (j160)<br />
|yes<br />
|-<br />
|iBridge2,7<br />
|J780AP<br />
|0x07<br />
|Apple T2 MacBookPro15,3 (j780)<br />
|yes<br />
|-<br />
|iBridge2,8<br />
|J140kAP<br />
|0x17<br />
|Apple T2 MacBookAir8,1 (j140k)<br />
|yes<br />
|-<br />
|iBridge2,10<br />
|J213AP<br />
|0x18<br />
|Apple T2 MacBookPro15,4 (j213)<br />
|yes<br />
|-<br />
|iBridge2,11<br />
|J230AP<br />
|0x1F<br />
|?<br />
|?<br />
|-<br />
|iBridge2,12<br />
|J140aAP<br />
|0x37<br />
|Apple T2 MacBookAir8,2 (j140a)<br />
|yes<br />
|-<br />
|iBridge2,13<br />
|J214AP<br />
|0x1E<br />
|?<br />
|?<br />
|-<br />
|iBridge2,14<br />
|J152fAP<br />
|0x3A<br />
|Apple T2 MacBookPro16,1 (j152f)<br />
|yes<br />
|-<br />
|iBridge2,15<br />
|J230kAP<br />
|0x3F<br />
|Apple T2 MacBookAir9,1 (j223k)<br />
|yes<br />
|-<br />
|iBridge2,16<br />
|J214kAP<br />
|0x3E<br />
|?<br />
|?<br />
|-<br />
|iBridge2,19<br />
|J185AP<br />
|0x22<br />
|?<br />
|?<br />
|-<br />
|iBridge2,20<br />
|J185fAP<br />
|0x23<br />
|?<br />
|?<br />
|-<br />
|iBridge2,21<br />
|J223AP<br />
|0x3B<br />
|?<br />
|?<br />
|-<br />
|iBridge2,22<br />
|J215AP<br />
|0x38<br />
|?<br />
|?<br />
|}<br />
<br />
==T2 Recovery USB Device ID==<br />
During the restore process, the T2 presents as a [[Restore Mode]] <code>com.apple.recoveryd</code> service, but uses the USB product ID of <code>0x8086</code> instead of the iPhone's <code>0x1290-0x12AF</code>.[https://github.com/libimobiledevice/usbmuxd/blob/master/udev/39-usbmuxd.rules.in]<br />
<br />
==Bootrom Exploits==<br />
The T8012 uses Bootrom version [[Bootrom_3401.0.0.1.16]] which is vulnerable to [[checkm8]]. A fork of [[checkm8]] with support for the t2 exists at [https://github.com/h0m3us3r/ipwndfu h0m3us3r]. The adaption of checkm8 was performed by the [[t8012 checkm8]] group by brute forcing the various locations from ROM. The copyright string reads <code>SecureROM for t8012si, Copyright 2007-2016, Apple Inc</code>, for version [[Bootrom_3401.0.0.1.16]].<br />
<br />
[https://twitter.com/axi0mX/status/1182915286858522624 axi0mX T2 support tweet]<br />
[https://twitter.com/qwertyoruiopz/status/1237400943047704576?s=21 quertyoruiop's early checkra1n previews]<br />
<br />
Similar to iPhones, iPads, and iPods, iBridge firmware bundles come in IPSW form. Build train codenames are appended with "HWBridge" to distinguish them from normal firmwares, and the disk image files inside have labels that are appended with "UniversalBridgeOS." They can only be restored to if the Mac is in [[DFU mode]].<br />
<br />
=== The T2 SEP ===<br />
<br />
The T2 is based on the A10 silicon design and therefore has a A10 SEP. The A10 SEP is a ARM Cortex-A7 32bit CPU. The T2 Secure Enclave is vulnerable to the same exploit Pangu presented at MOSEC named `blackbird`.<br />
<br />
== Entering DFU Mode ==<br />
The T2 models can be restored via a Thunderbolt cable using [https://apps.apple.com/us/app/apple-configurator-2/id1037126344?mt=12 Apple Configurator 2].<br />
<br />
=== Desktop Macs ===<br />
For example, iMac Pro and Mac mini models from 2018 or later.<ref>https://support.apple.com/en-us/guide/apple-configurator-2/apdebea5be51/mac</ref><br />
<br />
# Completely power off the Mac; disconnect it from external power.<br />
# Attach one end of a Thunderbolt cable to the correct Thunderbolt port on the Mac.<br />
#* iMac Pro: The Thunderbolt port that is located next to the Ethernet port.<br />
#* Mac mini: The Thunderbolt port that is located next to the HDMI port.<br />
# Connect the other end to any Thunderbolt or USB port on the host Mac (the device which will be used for restoring).<br />
# Hold down the power button on the back of the Mac for 3 seconds, while connecting the power cord.<br />
<br />
=== Portable Macs ===<br />
For example, MacBook models from 2018 or later.<ref>https://support.apple.com/en-us/guide/apple-configurator-2/apd0020c3dc2/mac</ref><br />
<br />
# Completely power off the Mac; disconnect it from external power.<br />
# Attach one end of a Thunderbolt cable to the Thunderbolt port that is located on the left side, closest to the front.<br />
# Connect the other end to any Thunderbolt or USB port on the host Mac (the device which will be used for restoring).<br />
# Hold down the power button, right Shift key, and left Control and Option keys, for 3 seconds.<br />
<br />
=== Identifying the T2 from DFU ===<br />
<br />
Once a device is in DFU enumerating the USB device yields the BoardID. Using either Linux's <code>lsusb -v</code> or macOS's <code>ioreg -p IOUSB</code> the USB serial attribute will contain the same information as any other Apple A core iBoot device. (http://newosxbook.com/bonus/iBoot.pdf). The ChipID will always be 8012. The value for BDID is the BoardID. Full decoding of the version string can be performed using the code at https://github.com/das-iboot/das-iboot/blob/master/das_iboot/device.py. These values for BDID, CPID, CPRV and ECID are in Hex.<br />
<br />
=== Identifying the T2 from macOS ===<br />
<br />
This will provide many of the same values as DFU but in Decimal instead of Hex like above:<br />
<br />
<syntaxhighlight lang="bash"><br />
# ECID in decimal instead of Hex<br />
/usr/libexec/remotectl get-property localbridge UniqueChipID<br />
# Chip ID CPID in decimal (32786 == 0x8012)<br />
/usr/libexec/remotectl get-property localbridge ChipID<br />
# Board Revision CPRV in decimal instead of hex<br />
/usr/libexec/remotectl get-property localbridge BoardRevision<br />
# Board ID (BDID) in decimal instead of hex<br />
/usr/libexec/remotectl get-property localbridge BoardId<br />
# Hardware Model is the name of the Board<br />
/usr/libexec/remotectl get-property localbridge HWModel<br />
</syntaxhighlight><br />
<br />
== Mac Configuration Utility ==<br />
[[Image:MCUIcon.png|thumb|The Mac Configuration Utility icon.]]<br />
<br />
In order to restore a firmware to an iBridge device, technicians must use two Apple Internal tools. The first one, '''Apple Service Toolkit (AST)''', is used to initiate a diagnostic session between the host Mac and the Mac in DFU mode. The second tool, which must be installed on the host Mac, is known as the '''Mac Configuration Utility (MCU)'''. It communicates with AST to provide board information and initiate restores and diagnostics over-the-air. MCU supports macOS 10.13.2 or later.<br />
<br />
[[Image:MCU.png|thumb|The Mac Configuration Utility startup screen.]]<br />
<br />
iBridge devices can still be managed if there is no firmware present by booting a diagnostic image, which is pushed to the device by MCU after a '''Blank Board Serializer''' test is initiated on AST. This test will also assign a serial number to a new board.<br />
<br />
During a restore, an Apple logo and progress bar will show on the screen, similar to that of a normal device restore. It is unknown if iBridge firmwares are signed, or if they are verified by the host or by iBridge devices.<br />
<br />
== References ==<br />
<references /><br />
<br />
[[Category:Application Processors]]</div>Rickmark