#REDIRECT [[User:Userlandkernel]]

User:Userlandkernel

2020-02-13T16:58:11Z

Xnudaemon:

User:Userlandkernel

2020-02-13T16:55:16Z

Xnudaemon:

== About me ==
* @userlandkernel on Twitter
* Hacking stuff (literally anything, web / networks, vending machines, radio etc etc) since 2012
* Love developing nerdy debug tools and documenting the unknown
* Am more known for my interest in iOS
* I am a fast learner
* I like hardware based side channel attacks (CoreSight KTRW, WatchTower defeat with CPACR, Meltdown & Spectre)

== Disclosed iOS Vulnerabilities ==
* IOUSBFamily use after free
* assetsd type-confusion
* iBooks Denial-of-Service
* Shortcuts App, partial sandbox escape

== Current projects ==
* Reverse engineering the NVME firmware
* Flashing custom-made NVME firmware
* Testing whether NVME firmware can turn off or alter IOMMU.
* Research whether NVME can be a persistent side-channel to patching iBoot at SecureBoot time

User:Userlandkernel

2020-02-13T16:54:47Z

Xnudaemon:

== About me ==
* @userlandkernel on Twitter
* Hacking stuff (literally anything, web / networks, vending machines, radio etc etc) since 2012
* Love developing nerdy debug tools and documenting the unknown
* Am more known for my interest in iOS
* I am a fast learner
* I like hardware based side channel attacks (CoreSight KTRW, WatchTower defeat with CPACR, Meltdown & Spectre)

== Disclosed iOS Vulnerabilities ==
* IOUSBFamily use after free
* assetsd type-confusion
* iBooks Denial-of-Service
- Shortcuts App, partial sandbox escape

== Current projects ==
* Reverse engineering the NVME firmware
* Flashing custom-made NVME firmware
* Testing whether NVME firmware can turn off or alter IOMMU.
* Research whether NVME can be a persistent side-channel to patching iBoot at SecureBoot time

User:Userlandkernel

2020-02-13T16:53:34Z

Xnudaemon: Created page with "== About me == - @userlandkernel on Twitter - Hacking stuff (literally anything, web / networks, vending machines, radio etc etc) since 2012 - Love developing nerdy debug tool..."

== About me ==
- @userlandkernel on Twitter
- Hacking stuff (literally anything, web / networks, vending machines, radio etc etc) since 2012
- Love developing nerdy debug tools and documenting the unknown
- Am more known for my interest in iOS
- I am a fast learner
- I like hardware based side channel attacks

== Disclosed iOS Vulnerabilities ==
- IOUSBFamily use after free
- assetsd type-confusion
- iBooks Denial-of-Service
- Shortcuts App, partial sandbox escape

== Current projects ==
- Reverse engineering the NVME firmware
- Flashing custom-made NVME firmware
- Testing whether NVME firmware can turn off or alter IOMMU.
- Research whether NVME can be a persistent side-channel to patching iBoot at SecureBoot time

SysCfg

2020-02-13T09:51:36Z

Xnudaemon: /* SysCfg */

SysCfg

2020-02-13T09:48:28Z

Xnudaemon: /* SysCfg */

SysCfg

2020-02-13T09:43:30Z

Xnudaemon: /* Keys */

== SysCfg==

**SysCfg** also known as System Configuration is a partition on the NAND found on iOS devices.
It stores the Serial Numbers and Calibrations of hardware of the device, and the Software Behaviour bits.

== Keys ==

* AICl
* ARot
* ASCi
* ASCl
* ATGa
* BCMB
* BCMS
* BLCl
* BMac
* BTRx
* BTTx
* Batt
* CBAT
* CGSp
* DClr
* EMac
* FCMB
* FCMS
* FDAC
* FG2G
* GICl
* GLCl
* GRot
* GSCi
* GSCl
* GTCl
* GYTT
* LCM#
* LSCI
* LTAO
* MLB#
* MdlC
* Mod#
* MtCl
* MtSN
* NFCl
* NSrN
* NoCl
* NvSn
* OFCl
* OrbC
* OrbG
* PACV
* PRSq
* PxCl
* RMd#
* Regn
* SPPO
* SpCl
* SrNm
* SwBh
* TCal
* VBCA
* VBST
* VPBR
* W24R
* WCAL
* WMac
* WRxT

SysCfg

2020-02-13T09:40:46Z

2019-11-27T16:12:54Z

Xnudaemon:

[[File:Carousel.jpeg|320px]]
__NOTOC__
== Summary ==
Carousel is essentially watchOS's graphical user interface (much the same as GNOME is to Linux, Explorer is to Microsoft Windows, and Finder is to Mac OS) and manages graphical services such as icons and multitasking. When it is launched, it registers PurpleSystemEventPort, essentially making it the main application.
Perhaps you already know about SpringBoard on iOS, Carousel is the equivalent to it for watchOS devices.

=== Primary Functions===
* Carousel acts a stacking window manager, rendering the child applications
* Carousel activates/deactivates and manages memory of the UIKit applications it launches

Carousel

2019-11-27T16:11:19Z

Xnudaemon:

[[File:320px-Carousel.jpeg]]
__NOTOC__
== Summary ==
Carousel is essentially watchOS's graphical user interface (much the same as GNOME is to Linux, Explorer is to Microsoft Windows, and Finder is to Mac OS) and manages graphical services such as icons and multitasking. When it is launched, it registers PurpleSystemEventPort, essentially making it the main application.
Perhaps you already know about SpringBoard on iOS, Carousel is the equivalent to it for watchOS devices.

=== Primary Functions===
* Carousel acts a stacking window manager, rendering the child applications
* Carousel activates/deactivates and manages memory of the UIKit applications it launches

Carousel

2019-11-27T16:11:05Z

Xnudaemon:

----
[[File:320px-Carousel.jpeg]]
__NOTOC__
== Summary ==
Carousel is essentially watchOS's graphical user interface (much the same as GNOME is to Linux, Explorer is to Microsoft Windows, and Finder is to Mac OS) and manages graphical services such as icons and multitasking. When it is launched, it registers PurpleSystemEventPort, essentially making it the main application.
Perhaps you already know about SpringBoard on iOS, Carousel is the equivalent to it for watchOS devices.

=== Primary Functions===
* Carousel acts a stacking window manager, rendering the child applications
* Carousel activates/deactivates and manages memory of the UIKit applications it launches

Carousel

2019-11-27T16:10:09Z

Xnudaemon: Created page with "File:Carousel.jpeg __NOTOC__ == Summary == Carousel is essentially watchOS's graphical user interface (much the same as GNOME is to Linux, Explorer is to Microsoft Windows..."

[[File:Carousel.jpeg]]
__NOTOC__
== Summary ==
Carousel is essentially watchOS's graphical user interface (much the same as GNOME is to Linux, Explorer is to Microsoft Windows, and Finder is to Mac OS) and manages graphical services such as icons and multitasking. When it is launched, it registers PurpleSystemEventPort, essentially making it the main application.
Perhaps you already know about SpringBoard on iOS, Carousel is the equivalent to it for watchOS devices.

=== Primary Functions===
* Carousel acts a stacking window manager, rendering the child applications
* Carousel activates/deactivates and manages memory of the UIKit applications it launches

File:Carousel.jpeg

2019-11-27T16:09:39Z

Xnudaemon:

PeaceC 16C50 (iPad7,5)

2019-10-03T00:52:11Z

Xnudaemon: Decrypted SEP

{{keys
| Version = 12.1.1
| Build = 16C50
| Device = iPad7,5
| Codename = PeaceC
| DownloadURL = http://updates-http.cdn-apple.com/2018FallFCS/fullrestores/041-05470/5863A30A-E9F9-11E8-89CA-DE55C29EBEDD/iPad_64bit_TouchID_ASTC_12.1.1_16C50_Restore.ipsw

| RootFS = 048-40444-058
| RootFSKey = Not Encrypted

| UpdateRamdisk = 048-40327-058
| UpdateRamdiskIV = Not Encrypted

| RestoreRamdisk = 048-40310-058
| RestoreRamdiskIV = Not Encrypted

| AppleLogo = applelogo@2x~ipad.im4p
| AppleLogoIV = Not Encrypted

| AOPFirmware = aopfw-ipad7baop.im4p
| AOPFirmwareIV = Not Encrypted

| BatteryCharging0 = batterycharging0@2x~ipad.im4p
| BatteryCharging0IV = Not Encrypted

| BatteryCharging1 = batterycharging1@2x~ipad.im4p
| BatteryCharging1IV = Not Encrypted

| BatteryFull = batteryfull@2x~ipad.im4p
| BatteryFullIV = Not Encrypted

| BatteryLow0 = batterylow0@2x~ipad.im4p
| BatteryLow0IV = Not Encrypted

| BatteryLow1 = batterylow1@2x~ipad.im4p
| BatteryLow1IV = Not Encrypted

| DeviceTree = DeviceTree.j71bap.im4p
| DeviceTreeIV = Not Encrypted

| GlyphPlugin = glyphplugin@2x~ipad-lightning.im4p
| GlyphPluginIV = Not Encrypted

| iBEC = iBEC.ipad7b.RELEASE.im4p
| iBECIV = ef6c2d88db083fdb656c8c637455fb5c
| iBECKey = 4764a65b48b053bc55531fb78cdc10616d127a54d6f73d433a3bb5e965045b6e

| iBoot = iBoot.ipad7b.RELEASE.im4p
| iBootIV = 4c04a0d71f43d41691a2af5986365c9b
| iBootKey = be6e91d41a589ff1a6d33544d53a8687ecd5936687b785932df04845689ac538

| iBSS = iBSS.ipad7b.RELEASE.im4p
| iBSSIV = 77929c9327f952b69fa78b6ab068e2e9
| iBSSKey = 2f3eb57425b55178002440b6980f2712e3816f0dae908ae000c0ecfd6671eb2a

| Kernelcache = kernelcache.release.ipad7b
| KernelcacheIV = Not Encrypted

| LLB = LLB.ipad7b.RELEASE.im4p
| LLBIV = 193ebe58a15b00617537fbec853db3c6
| LLBKey = 8ac15c4b2164b96345002a054c67fc71a52af91d92ae2ddaeeac01bfeae750cd

| RecoveryMode = recoverymode@2x~ipad-lightning.im4p
| RecoveryModeIV = Not Encrypted

| SEPFirmware = sep-firmware.j71b.RELEASE.im4p
| SEPFirmwareIV = 4c5ee90c5b16df6d2944fab2ce71e7e
| SEPFirmwareKey = 64d00c87a8ad36b6812c062b881734b324701e8af5183c8e2f78110c3cc9cfc4b
| SEPFirmwareKBAG = F934BF35EA161DF7E806058B84F107CAD03C6DAC377EA20063C07822319C5C148E8691E08571AEC56E1011339D8549C2
}}

Trek-3.4.03

2018-11-17T00:22:16Z

Xnudaemon: Xnudaemon moved page 3.4.03 to Trek-3.4.03

== Trek Baseband 3.4.03 ==

----

'''iPhone 4S'''

Chip ID: 0x5a00e1.

Internal Chip name: qsc6695.

Full Internal Chip name: q6695-SSMFTSZ-4307. (Found in DBL.mbn)

OS Bootloader version: Q62xx-OSBL.

== Trek Firmware ==

----

The internal name for the baseband firmware is Trek.

Trek can be extracted from an iOS firmware image (ipsw file).

Trek does not seem to be encrypted and therefore can easily be reverse engineered.

At the bottom of each file you can see a code signing certificate, as the firmware needs to be code signed just like Apple iOS firmware does.

All baseband chips up to today are produced by Qualcomm.

The architecture of the chip seems to be ARM as I already expected.

The baseband chip is completely separated from iOS and is only referenced through the kernel and through the bbupdater utility.

CommCenter seems to be a highlevel framework on top of the baseband providing an interface that iOS can work with.

The filesystem used by the baseband seems to be YAFFS (Yet Another Flash FileSystem)

== Firmware Structure ==

As mentioned above, the baseband firmware is not encrypted and when taken from iOS Firmware it will be named ending with a .bbfw (Basebandfirmware) extension.

However when running file on that firmware image you can see that it's just a zip file, just like ipsw files are thus extracting it gives us new, unencrypted files:

- Info.plist

- Options.plist

- amss.mbn (The baseband operating system)

- dbl.mbn (Assumably, factory DFU bootloader)

- osbl.mbn (The Bootloader that bootstraps the normal operating system of the baseband)

- restoredbl.mbn (The restore bootloader)

'''Info.plist'''

----

contains some basic information about the chip id and firmware version, it can be compared to the BuildManifest.plist file in iOS firmware.

'''Options.plist'''

----

I haven't figured out what this is for yet but as the name suggest it is mostlikely for configuration purposes.

'''AMSS.mbn'''

----

This file is what I believe the baseband operating system, file reports that it consists of ARM code.

At the bottom of the file the codesignature can again be found.

It also seems to contain the filesystem for the nand which is all unencrypted thus pretty interesting.

The filesystem will be explained further on this wiki when I have time for it.

What's the most remarkable are strings revealing how to enter specific device modes:

Hold * key to reset & log abort
Hold # key to enter dload mode

The dload mode is probably download mode, it is probably comparable to iBoot's communication where you can upload files into iBoot's memory/

For those looking for vulnerabilities in the baseband firmware one string already made me raise a flag.

The baseband seems to support the parsing of property list files.

Because property list files define a type, a user controlled modded type might lead to type confusion bugs.

'''OSBL.mbn'''

----

OSBL reveals a lot of information about the architecture and internal names and hardware identifiers of the baseband chip.

It also contains references to sourcecode files that tell us that the baseband firmware was written in C, as expected.

OSBL is what I believe an abbreviation of Operating System Bootloader.

By just looking at the strings of the file you can determine a few serial numbers that this firmware is meant for and the name of the chip:

MT29F4G16ABC

MT29F4G08ABC

MT29F2G16ABD

MT29F2G08ABD

KFN4G16Q2A-DEB8

Q62xx-OSBL (The bootloader build version, I think)

QSC6695 (The name of the chip as used internally at Qualcomm, if you look it up you can find some chinese suppliers that sell it.)

The strings also reveal the following source code structure:

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\dload\target\qsc6695\src\dloadarm.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\common\shared\src\boot_elf_loader.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\common\shared\src\boot_elf_loader_if.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\common\shared\src\boot_sec_elf_loader.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\common\shared\src\boot_sec_elf_loader_if.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\common\shared\src\boot_clobber_prot.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\common\shared\src\boot_clobber_prot_local.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\common\shared\src\boot_flash_dev_if.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\common\shared\src\boot_hash_if.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\common\shared\src\boot_auth_if.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\common\shared\src\boot_fsbl_config_if.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\common\target\qsc6695\src\boot_pbl_accessor.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\osbl\shared\src\osbl_mc.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\osbl\shared\src\osbl_loader.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\osbl\shared\src\osbl_error_handler.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\osbl\shared\src\osbl_hash.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\osbl\shared\src\osbl_shared_seg.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\osbl\target\qsc6695\src\osbl_stubs.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\osbl\target\qsc6695\src\osbl_hw_init.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\osbl\target\qsc6695\src\osbl_mc_target.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\osbl\target\qsc6695\src\osbl_target.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\secboot2\osbl\target\qsc6695\src\osbl_sahara.c

C:\BWA\TrekBaseBandFW-240\srcroot\core\boot\amssboot\target\qsc6695\src\boot_shared_progressive_boot_block.c

Looking at these you might get a better idea of the bootstages of the iPhone baseband.

'''DBL.mbn'''

----

This debugging bootloader, in my thoughts a DFU mode seems to be able to make ROM dumps as well.

- mav_core_dump.bin

- mav_hsic_dump.bin

- mav_nor_dump.bin

- sdram_dump.bin

- iram_dump.bin

These are all strings that reveal these dumps can be generated taken from the start of this bootloader.

What also is interesting is the information revealing the hardware ID in a lower section just after the codesignature:

07 0000 SHA11

06 0000 MODEL_ID1

05 00002000 SW_SIZE1

04 0023 OEM_ID1"0

03 000000000000000F DEBUG1"0

02 005000E100230000 HW_ID1"0

01 0000000000000000 SW_ID1

Maverick1

Onur Tackin0

This image also mentions HS-USBCORE (HighSpeed USB-Core)

3.4.03

2018-11-17T00:22:16Z

Xnudaemon: Xnudaemon moved page 3.4.03 to Trek-3.4.03

#REDIRECT [[Trek-3.4.03]]

2017-09-13T11:43:05Z

Xnudaemon: /* DYLD_SHARED_CACHE */

== DYLD_SHARED_CACHE ==

Since iPhone OS 3.1, all system (private and public) libraries have been combined into a big cache file to improve performance.
The original files are redundant and thus eliminated from the system.
If you're looking for binaries or libraries inside of /System/Library/Frameworks or /System/Library/PrivateFrameworks (or other directories) and can't, this is why.
OS X also uses a shared cache.
Unlike iOS, OS X ships with the source binaries still on-disk, particularly so it can be updated with update_dyld_shared_cache.
The cache is only vaguely documented in dyld man pages.

== Extracted dyld_shared_caches
[https://github.com/coffeebreakerz/iOS1031-dyld_shared_cache iOS 10.3.1 ARM64]

Dyld shared cache

2017-09-13T11:42:33Z

Xnudaemon: Added a page about the dyld_shared_cache

== DYLD_SHARED_CACHE ==

Since iPhone OS 3.1, all system (private and public) libraries have been combined into a big cache file to improve performance. The original files are redundant and thus eliminated from the system.
If you're looking for binaries or libraries inside of /System/Library/Frameworks or /System/Library/PrivateFrameworks (or other directories) and can't, this is why.
OS X also uses a shared cache. Unlike iOS, OS X ships with the source binaries still on-disk, particularly so it can be updated with update_dyld_shared_cache. The cache is only vaguely documented in dyld man pages.

== Extracted dyld_shared_caches
[https://github.com/coffeebreakerz/iOS1031-dyld_shared_cache iOS 10.3.1 ARM64]