Difference between revisions of "Bootrom 2651.0.0.3.3"

From The iPhone Wiki
Jump to: navigation, search
(formatting)
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
This is the [[bootrom]] version found in the [[Apple Watch Series 3]]. It is vulnerable to [[Checkm8_Exploit|Checkm8]].
 
This is the [[bootrom]] version found in the [[Apple Watch Series 3]]. It is vulnerable to [[Checkm8_Exploit|Checkm8]].
  +
  +
== Segmentation/Loading ==
  +
  +
All of these segments are arbitrary and nonexistient, and only serve the purpose of helping you navigate the db more easily.
  +
  +
The SecureROM image segmentation is based on iBoot.sys mapping.
  +
  +
Dump from device:
  +
* 0x0-0x1FFFF
  +
* 0x48100000-0x48200000
  +
* 0x48650000-0x48651000
  +
* 0x48800000-0x48820000
  +
* 0x49100000-0x49120000
  +
  +
Load each into decompiler
  +
  +
Segments:
  +
* __text: 0x00000000 - 0x105CC
  +
* __TEXT_hidden: 0x000105CC - 0x00010600
  +
* __cstring: 0x00010600 - 0x000106E2
  +
* __const: 0x000106E2 - 0x000149DE
  +
* __zerofill: 0x000149DE - 0x0001FFFF
  +
  +
* RAM: 0x48100000-0x48200000
  +
* MEM: 0x48650000-0x48651000
  +
* SRAM: 0x48800000-0x48820000
  +
* SMEM: 0x49100000-0x49120000
  +
  +
== Types ==
  +
  +
Some type info is available here, and can be loaded into IDA via "Load -> C Header":
  +
  +
https://github.com/KritantaDev/iBootLoader/blob/master/iBootStrap/iBoot.h
   
 
== Symbols ==
 
== Symbols ==
Line 14: Line 47:
 
#
 
#
   
symbols = {
+
symbols = {
0x00000000: 'start',
+
0x00000000: 'start',
0x00000040: 'reset',
+
0x00000040: 'reset',
0x0000005C: 'relocate_loop',
+
0x0000005C: 'relocate_loop',
0x00000078: 'relocate_data',
+
0x00000078: 'relocate_data',
0x000000A0: 'relocate_data_loop',
+
0x000000A0: 'relocate_data_loop',
0x000000B0: 'stack_setup',
+
0x000000B0: 'stack_setup',
0x00000188: 'bss_loop',
+
0x00000188: 'bss_loop',
0x00000194: 'bss_done',
+
0x00000194: 'bss_done',
0x000001A0: 'spin',
+
0x000001A0: 'spin',
0x00000200: 'aSecureromForT8004siCopyright20072014AppleInc',
+
0x00000200: 'aSecureromForT8004siCopyright20072014AppleInc',
0x00000240: 'aRomrelease',
+
0x00000240: 'aRomrelease',
0x00000280: 'aIboot26510033_0',
+
0x00000280: 'aIboot26510033_0',
0x00000300: 'Description',
+
0x00000300: 'Description',
0x00000304: 'ReleaseCategory',
+
0x00000304: 'ReleaseCategory',
0x00000308: 'iBootVersion',
+
0x00000308: 'iBootVersion',
0x0000030C: 'main',
+
0x0000030C: 'main',
0x00000310: 'Start',
+
0x00000310: 'Start',
0x0000031C: 'sram_start',
+
0x0000031C: 'sram_start',
0x00000328: 'argv',
+
0x00000328: 'argv',
0x00000334: 'heap_base',
+
0x00000334: 'heap_base',
  +
0x00000338: '_arm_read_cpsr',
0x000006F4: 'nullsub_4',
 
  +
0x00000350: '_arm_read_ifsr',
0x00000854: 'arch_halt',
 
  +
0x00000358: '_arm_read_dfsr',
0x00000860: 'arch_spin',
 
  +
0x00000360: '_arm_write_l2_aux_cr',
0x00000868: '_main',
 
  +
0x0000036C: '_arm_read_ifar',
0x000014B0: 'timer_get_ticks',
 
  +
0x00000374: '_arm_read_extended_feature_regs',
0x00001C88: 'jpt_1C84',
 
  +
0x000003CC: '_arm_read_memory_model_feature_regs',
0x00004514: 'aNrpdxekeyekeorpeceseorpdtsgdlodsmodscicedicegcnbbesccescnrpcorpc',
 
  +
0x000003E8: '_arm_read_instruction_set_attribute_regs',
0x000046B4: 'platform_cache_operation',
 
  +
0x00000410: '_arm_read_cr',
0x000050E4: 'platform_init_setup_clocks',
 
  +
0x00000418: '_arm_write_cr',
0x00005100: 'platform_init_hwpins',
 
  +
0x00000424: '_arm_read_aux_cr',
0x0000527C: 'platform_init_internal_mem',
 
  +
0x0000042C: '_arm_write_aux_cr',
0x00005288: 'platform_quiesce_hardware',
 
  +
0x00000438: '_arm_write_dar',
0x000052A0: 'platform_bootprep',
 
  +
0x00000444: '_arm_write_ttb',
0x00005308: 'chipid_clear_production_mode',
 
  +
0x00000450: '_arm_write_ttbcr',
0x00005390: 'platform_get_boot_device',
 
  +
0x0000045C: '_arm_read_dfar',
0x000053AA: 'jpt_53A6',
 
  +
0x00000464: '_arm_read_main_id',
0x000053E4: 'def_53A6',
 
  +
0x0000046C: '_arm_read_cache_id',
0x000053EC: 'platform_enable_boot_interface',
 
  +
0x00000474: '_arm_read_cache_level_id',
0x000054CC: 'platform_set_dfu_status',
 
  +
0x00000484: '_arm_write_user_rw_tid',
0x000054D8: 'platform_get_force_dfu',
 
  +
0x00000490: '_arm_read_fpexc',
0x000054EC: 'platform_get_request_dfu1',
 
  +
0x000004A0: '_arm_read_fpscr',
0x00005504: 'platform_get_request_dfu2',
 
  +
0x000004F4: '_arm_read_cache_size_selection',
0x00005864: 'platform_get_boot_trampoline',
 
  +
0x000004FC: '_arm_write_user_ro_tid',
0x000059AC: 'chipid_set_fuse_lock',
 
  +
0x00000508: '_arm_read_pmreg',
0x00005F3C: 'jpt_5F38',
 
  +
0x000005CC: '_arm_write_pmreg',
0x00005F46: 'def_5F38',
 
  +
0x00000690: '_arm_read_cache_size_id',
0x00005FD8: 'halt',
 
  +
0x00000698: '_arm_write_sup_tid',
0x00005FE4: 'nullsub_1',
 
  +
0x000006A4: '_arm_read_l2_aux_cr',
0x00005FEC: 'platform_watchdog_tickle',
 
  +
0x000006AC: '_arm_write_perip_port_remap',
0x0000601C: 'prepare_and_jump',
 
  +
0x000006B8: '_arm_read_user_rw_tid',
0x00006264: 'nullsub_3',
 
  +
0x000006C0: '_arm_write_dprot_region_8',
0x00006268: 'panic',
 
  +
0x000006CC: '_arm_read_user_ro_tid',
0x00006350: 'doublePanicIn',
 
  +
0x000006D4: '_arm_write_data_prot_register',
0x000063FC: 'platform_get_usb_cable_connected',
 
  +
0x000006E0: '_arm_flush_tlbs',
0x0000648C: 'enter_critical_section',
 
  +
0x000006F4: 'nullsub_4',
0x000064C8: 'exit_critical_section',
 
  +
0x00000798: '_arm_write_ins_prot_register',
0x0000681C: 'task_get_current_task',
 
  +
0x000007A4: '_arm_write_cacheable_registers',
0x00006890: 'list_delete',
 
  +
0x000007B4: '_arm_write_bufferable_register',
0x000068C8: 'task_yield',
 
  +
0x000007F0: '_arch_restore_ints',
0x0000698C: 'insert_run_q_tail',
 
  +
0x0000080C: '_arm_enable_fiqs',
0x000069B0: 'task_start',
 
  +
0x0000081C: '_arm_disable_fiqs',
0x000069D4: 'task_exit',
 
  +
0x0000082C: '_arm_read_sup_tid',
0x00006A10: 'wait_queue_wake_all',
 
  +
0x00000834: '_arm_write_vbar',
0x00006B24: 'wait_queue_wake_one',
 
  +
0x0000083C: '_arm_flush_branch_predictor',
0x00006D74: 'security_init',
 
  +
0x0000084C: '_arm_memory_barrier',
0x00007320: 'jpt_731C',
 
  +
0x00000854: '_arch_halt',
0x0000738C: 'def_731C',
 
  +
0x00000860: '_arch_spin',
0x0000745C: 'arch_cpu_init',
 
  +
0x00000868: '_main',
0x000074B8: 'arch_cpu_quiesce',
 
  +
0x000014B0: '_timer_get_ticks',
0x00007540: 'arm_irq',
 
  +
0x000014B4: '_aic_get_ticks',
0x000075E8: 'arm_fiq',
 
  +
0x000014CC: '_aic_spin',
0x00007690: 'arm_undefined',
 
  +
0x000014E8: '_timer_ticks_to_usecs',
0x000076C8: 'arm_syscall',
 
  +
0x000014F8: '_timer_usecs_to_ticks',
0x00007700: 'arm_prefetch_abort',
 
  +
0x00001508: '_timer_get_entropy',
0x0000773C: 'arm_data_abort',
 
  +
0x00001AD0: '_usbphy_enable_pullup',
0x00007774: 'arm_reserved',
 
  +
0x00001C88: 'jpt_1C84',
0x00007E34: 'usb_create_string_descriptor',
 
  +
0x000026C8: 'synopsys_otg_controller_init',
0x000082D6: 'jpt_82D2',
 
  +
0x00002840: '_synopsys_otg_get_connection_speed',
0x0000844C: 'def_81D2',
 
  +
0x00002A78: '_synopsys_otg_is_endpoint_stalled',
0x000086B8: 'getDFUImage',
 
  +
0x00003444: '_synopsys_otg_go_on_bus',
0x00008A00: 'image_load',
 
  +
0x000037B0: '_synopsys_otg_start_ep0_out',
0x00009454: 'def_945E',
 
  +
0x00003B34: 'verify_img4_whatever',
0x00009462: 'jpt_945E',
 
  +
0x00004514: 'aNrpdxekeyekeorpeceseorpdtsgdlodsmodscicedicegcnbbesccescnrpcorpc',
0x00009C5C: 'heap_verify',
 
  +
0x000046B4: 'platform_cache_operation',
0x0000A016: 'jpt_A012',
 
  +
0x0000475C: 'j_j__arm_memory_barrier',
0x0000A044: 'def_A012',
 
  +
0x00004784: 'j__chipid_get_minimum_epoch',
0x0000A098: 'jpt_A094',
 
  +
0x00004788: 'platform_get_usb_product_id',
0x0000A784: 'sprint_hex',
 
  +
0x000047A0: 'platform_get_usb_product_string',
0x0000A7BC: 'kAsciiHexChars',
 
  +
0x000047A8: 'platform_get_usb_serial_number_string',
0x0000A7C4: 'vsnprintf',
 
  +
0x00004888: 'platform_get_usb_more_other_string',
0x0000A7FC: 'puts',
 
  +
0x000050E4: 'platform_init_setup_clocks',
0x0000A840: 'strlcat',
 
  +
0x00005100: 'platform_init_hwpins',
0x0000A85C: '___stack_chk_fail',
 
  +
0x0000527C: 'platform_init_internal_mem',
0x0000A884: 'memcpy',
 
  +
0x00005288: 'platform_quiesce_hardware',
0x0000ABB0: 'memset',
 
  +
0x000052A0: 'platform_bootprep',
0x0000ABC8: 'bzero',
 
  +
0x00005308: 'chipid_clear_production_mode',
0x0000B08C: '_DERParseBoolean',
 
  +
0x00005374: '_platform_init_setup_clocks',
0x0000B0B0: '_DERParseInteger',
 
  +
0x00005390: 'platform_get_boot_device',
0x0000B0F4: '_DERParseInteger64',
 
  +
0x000053AA: 'jpt_53A6',
0x0000B160: '_DERDecodeSeqInit',
 
  +
0x000053E4: 'def_53A6',
0x0000B1B8: '_DERDecodeSeqContentInit',
 
  +
0x000053EC: 'platform_enable_boot_interface',
0x0000B1C8: '_DERDecodeSeqNext',
 
  +
0x000054CC: 'platform_set_dfu_status',
0x0000B270: '_DERParseSequenceContent',
 
  +
0x000054D8: 'platform_get_force_dfu',
0x0000B398: '_Img4DecodeParseLengthFromBuffer',
 
  +
0x000054EC: 'platform_get_request_dfu1',
0x0000B574: 'j_j_arch_halt',
 
  +
0x00005504: 'platform_get_request_dfu2',
0x0000B578: 'j_j_j_arch_halt',
 
  +
0x00005864: 'platform_get_boot_trampoline',
0x0000B5A4: '_DERImg4DecodeFindInSequence',
 
  +
0x00005888: '__dst',
0x0000B5E8: '_DERImg4DecodeContentFindItemWithTag',
 
  +
0x00005894: '_chipid_get_production_mode',
0x0000B614: '_DERImg4DecodeTagCompare',
 
  +
0x000058D4: '_chipid_get_security_domain',
0x0000B650: '_DERImg4Decode',
 
  +
0x000058E4: '_chipid_get_board_id',
0x0000B77C: '_DERImg4DecodeUnsignedManifest',
 
  +
0x000058F4: '_chipid_get_minimum_epoch',
0x0000B900: '_Img4DecodeInitUnsignedManifest',
 
  +
0x000059A8: '_charger_has_external',
0x0000BB90: '_Img4DecodeGetBooleanFromSection',
 
  +
0x000059AC: 'chipid_set_fuse_lock',
0x0000BBE0: '_Img4DecodeGetPropertyFromSection',
 
  +
0x00005F3C: 'jpt_5F38',
0x0000BCA0: '_Img4DecodeGetPropertyBoolean',
 
  +
0x00005F46: 'def_5F38',
0x0000BD20: '_Img4DecodeEvaluateCertificateProperties',
 
  +
0x00005FD8: 'halt',
0x0000BEDC: '_Img4DecodeEvaluateDictionaryProperties',
 
  +
0x00005FE4: 'nullsub_1',
0x000105C0: 'j_arch_halt',
 
  +
0x00005FE8: '_platform_power_spin',
0x00010600: 'aNor0',
 
  +
0x00005FEC: 'platform_watchdog_tickle',
0x00010605: 'nil',
 
  +
0x0000601C: '_prepare_and_jump',
0x00010606: 'aUsb',
 
  +
0x00006188: '_callout_dequeue',
0x0001060A: 'aImg4',
 
  +
0x0000624C: '_debug_init',
0x0001060F: 'aIm4p',
 
  +
0x00006264: 'nullsub_3',
0x00010614: 'aAppleMobileDeviceDfuMode',
 
  +
0x00006268: '__panic',
0x00010633: 'aCpid04xCprv02xCpfm02xScep02xBdid02xEcid016llxI',
 
  +
0x00006350: 'doublePanicIn',
0x0001067C: 'aSrtgS',
 
  +
0x00006354: 'panicMacro',
0x00010687: 'aNonc',
 
  +
0x000063A0: 'usb_controller_start',
0x0001068E: 'a02x',
 
  +
0x000063FC: 'platform_get_usb_cable_connected',
0x00010693: 'aSnon',
 
  +
0x0000648C: '_enter_critical_section',
0x0001069A: 'aDoublePanicIn',
 
  +
0x000064C8: '_exit_critical_section',
0x000106AB: 'doubleNewline',
 
  +
0x0000681C: '_task_get_current_task',
0x000106AE: 'newlinePanic',
 
  +
0x00006890: 'list_delete',
0x000106B7: 'colon',
 
  +
0x000068C8: 'task_yield',
0x000106BA: 'aIdleTask',
 
  +
0x0000698C: 'insert_run_q_tail',
0x000106C4: 'aNull',
 
  +
0x000069B0: 'task_start',
0x000106CB: 'aPtr',
 
  +
0x000069D4: 'task_exit',
0x000106D1: 'a0x',
 
  +
0x00006A10: 'wait_queue_wake_all',
0x000106D8: 'aAppleInc',
 
  +
0x00006B24: 'wait_queue_wake_one',
0x00012064: 'a0123456789abcdef',
 
  +
0x00006B54: '_list_remove_head',
0x00012074: 'a0123456789abcdef_0' }
 
0x000081D6: 'jpt_81D2',
+
0x00001ED4: '__src',
  +
0x00006B6C: 'event_init',
  +
0x00006B7C: 'event_signal',
  +
0x00006CE0: '_deep_idle_timeout',
  +
0x00006CEC: '_system_time',
  +
0x00006CFC: '_time_has_elapsed',
  +
0x00006D34: '_spin',
  +
0x00006D74: 'security_init',
  +
0x00006EB8: '_security_set_production_override',
  +
0x0000701C: '_arm_clean_dcache_line',
  +
0x000070A4: '_arm_clean_invalidate_dcache_line',
  +
0x000070B0: '_arm_clean_invalidate_dcache',
  +
0x00007108: '_arm_clean_dcache',
  +
0x00007160: '_arm_invalidate_dcache',
  +
0x00007230: '_arm_invalidate_icache',
  +
0x00007258: '_arm_drain_write_buffer',
  +
0x000072C8: '_arm_mmu_map_section_range',
  +
0x00007320: 'jpt_731C',
  +
0x0000738C: 'def_731C',
  +
0x000073E0: '_arm_mmu_init',
  +
0x0000742C: '_arm_fp_init',
  +
0x0000745C: 'arch_cpu_init',
  +
0x000074B8: '_arch_cpu_quiesce',
  +
0x000074E0: '_clocks_init',
  +
0x00007510: '_arch_get_entropy',
  +
0x00007540: 'arm_irq',
  +
0x000075E8: 'arm_fiq',
  +
0x00007690: 'arm_undefined',
  +
0x000076C8: 'arm_syscall',
  +
0x00007700: 'arm_prefetch_abort',
  +
0x0000773C: 'arm_data_abort',
  +
0x00007774: '___arm_reserved',
  +
0x00007AF4: '_usb_init_with_controller',
  +
0x00007B3C: '_usb_init',
  +
0x00007B4C: '_usb_quiesce',
  +
0x00007B74: '_usb_free',
  +
0x00007B88: '_usb_controller_register',
  +
0x00007BA8: '__b',
  +
0x00007BAC: 'usb_controller_init',
  +
0x00007BD0: '_usb_controller_stop',
  +
0x00007BF4: '_usb_controller_deactivate_endpoint',
  +
0x00007C18: 'usb_controller_stop',
  +
0x00007C3C: 'usb_controller_set_address',
  +
0x00007C60: 'usb_controller_get_connection_speed',
  +
0x00007C84: 'usb_controller_do_endpoint_io',
  +
0x00007CA8: 'usb_controller_stall_endpoint',
  +
0x00007CCC: 'usb_controller_reset_endpoint_data_toggle',
  +
0x00007CF0: 'usb_controller_do_test_mode',
  +
0x00007D14: 'usb_controller_abort_endpoint',
  +
0x00007D38: 'usb_controller_deactivate_endpoint',
  +
0x00007D5C: 'usb_core_init',
  +
0x00007DE8: 'usb_alloc_string_descriptor',
  +
0x00007E34: 'usb_create_string_descriptor',
  +
0x00007E68: 'usb_core_start',
  +
0x00008104: 'usb_core_register_interface',
  +
0x0000811C: 'usb_core_handle_usb_control_receive',
  +
0x000081D6: 'jpt_81D2',
  +
0x000082D6: 'jpt_82D2',
  +
0x0000844C: 'def_81D2',
  +
0x000084C8: 'usb_core_event_handler',
  +
0x00008584: 'usb_core_complete_endpoint_io',
  +
0x000085A0: 'usb_core_do_transfer',
  +
0x00008618: 'usb_core_deactivate_endpoint',
  +
0x0000862C: 'usb_core_stop',
  +
0x0000863C: '_usb_core_free',
  +
0x000086AC: 'handle_test_mode_request',
  +
0x000086B8: '_getDFUImage',
  +
0x000086E8: '_usb_dfu_init',
  +
0x0000877C: 'handle_interface_request',
  +
0x000088C8: 'data_received',
  +
0x00008958: 'handle_bus_reset',
  +
0x00008970: '_usb_dfu_exit',
  +
0x00008A00: 'image_load',
  +
0x00009320: '_siphash_aligned',
  +
0x00009454: 'def_945E',
  +
0x00009462: 'jpt_945E',
  +
0x00009690: '_required_size',
  +
0x000096DC: '_verify_block_checksum',
  +
0x00009734: '_heap_free',
  +
0x000098A4: '_calculate_block_checksum',
  +
0x000098BC: '_heap_memalign',
  +
0x00009A80: '_alloc_ep0_device_io_request',
  +
0x00009AB0: '_heap_panic',
  +
0x00009AC0: '_verify_block_padding',
  +
0x00009B10: '_free_list_add',
  +
0x00009C5C: 'heap_verify',
  +
0x00009E18: 'j__heap_free',
  +
0x0000A016: 'jpt_A012',
  +
0x0000A044: 'def_A012',
  +
0x0000A098: 'jpt_A094',
  +
0x0000A618: '_vsnprintf',
  +
0x0000A784: '_longlong_to_hexstring',
  +
0x0000A7BC: 'kAsciiHexChars',
  +
0x0000A7C4: '___vsnprintf_chk',
  +
0x0000A7FC: '_puts',
  +
0x0000A824: '_putchar',
  +
0x0000A840: '___strlcat_chk',
  +
0x0000A85C: '___stack_chk_fail',
  +
0x0000A884: '_memcpy',
  +
0x0000ABB0: '_memset',
  +
0x0000ABC8: '_bzero',
  +
0x0000ACC0: '_strlen',
  +
0x0000AD28: '_amc_phy_run_dll_update',
  +
0x0000AD74: '_strlcat',
  +
0x0000ADD0: '_strlcpy',
  +
0x0000B068: '_DERParseBitString',
  +
0x0000B08C: '_DERParseBoolean',
  +
0x0000B0B0: '_DERParseInteger',
  +
0x0000B0F4: '_DERParseInteger64',
  +
0x0000B160: '_DERDecodeSeqInit',
  +
0x0000B1B8: '_DERDecodeSeqContentInit',
  +
0x0000B1C8: '_DERDecodeSeqNext',
  +
0x0000B210: '_DERParseSequence',
  +
0x0000B270: '_DERParseSequenceContent',
  +
0x0000B398: '_Img4DecodeParseLengthFromBuffer',
  +
0x0000B3C4: '_random_get_bytes',
  +
0x0000B3E4: '_mib_get_u32',
  +
0x0000B410: '_random_get_bytes_internal',
  +
0x0000B500: '_random_get_bytes_noheap',
  +
0x0000B530: '_chipid_get_current_production_mode',
  +
0x0000B534: '_platform_get_raw_production_mode',
  +
0x0000B538: '_platform_get_security_domain',
  +
0x0000B554: 'j__chipid_get_minimum_epoch_0',
  +
0x0000B558: '_platform_get_chip_id',
  +
0x0000B560: '_platform_get_ecid_image_personalization_required',
  +
0x0000B564: '_platform_get_entropy',
  +
0x0000B568: '_platform_get_usb_vendor_id',
  +
0x0000B570: '_power_needs_precharge',
  +
0x0000B574: '_platform_halt',
  +
0x0000B578: '_platform_deep_idle',
  +
0x0000B57C: '_platform_get_usb_manufacturer_string',
  +
0x0000B584: '_platform_get_usb_device_version',
  +
0x0000B588: '_platform_get_fuse_modes',
  +
0x0000B5A4: '_DERImg4DecodeFindInSequence',
  +
0x0000B5E8: '_DERImg4DecodeContentFindItemWithTag',
  +
0x0000B614: '_DERImg4DecodeTagCompare',
  +
0x0000B650: '_DERImg4Decode',
  +
0x0000B77C: '_DERImg4DecodeUnsignedManifest',
  +
0x0000B900: '_Img4DecodeInitUnsignedManifest',
  +
0x0000BB90: '_Img4DecodeGetBooleanFromSection',
  +
0x0000BBE0: '_Img4DecodeGetPropertyFromSection',
  +
0x0000BCA0: '_Img4DecodeGetPropertyBoolean',
  +
0x0000BD20: '_Img4DecodeEvaluateCertificateProperties',
  +
0x0000BEDC: '_Img4DecodeEvaluateDictionaryProperties',
  +
0x0001053C: '_arch_get_entropy$shim',
  +
0x00010548: 'j__arm_clean_invalidate_dcache',
  +
0x00010554: '_arm_clean_invalidate_dcache_line_2',
  +
0x00010560: 'j__arm_clean_dcache',
  +
0x00010578: '_platform_get_chip_revision',
  +
0x00010584: '_arm_flush_tlbs$shim',
  +
0x00010590: '_arm_write_cp_access_cr$shim',
  +
0x000105A8: 'j__arm_enable_fiqs',
  +
0x000105B4: '_strlen$shim',
  +
0x000105C0: '_arch_halt$shim',
  +
0x00010600: 'aNor0',
  +
0x00010605: 'nil',
  +
0x00010606: 'aUsb',
  +
0x0001060A: 'aImg4',
  +
0x0001060F: 'aIm4p',
  +
0x00010614: 'aAppleMobileDeviceDfuMode',
  +
0x00010633: 'aCpid04xCprv02xCpfm02xScep02xBdid02xEcid016llxI',
  +
0x0001067C: 'aSrtgS',
  +
0x00010687: 'aNonc',
  +
0x0001068E: 'a02x',
  +
0x00010693: 'aSnon',
  +
0x0001069A: 'aDoublePanicIn',
  +
0x000106AE: 'aPanic',
  +
0x000106BA: 'aIdleTask',
  +
0x000106C4: 'aNull',
  +
0x000106CB: 'aPtr',
  +
0x000106D1: 'a0x',
  +
0x000106D8: 'aAppleInc',
  +
0x00012074: 'a0123456789abcdef',
  +
0x488001E0: 'current_task',
  +
0x48800388: 'aBootstrap_0',
  +
0x4880039C: 'a2kst',
  +
0x488003C2: 'usb_core_device_descriptor',
  +
0x488004A6: 'a0k10',
  +
0x488004AE: 'aU',
  +
0x488004B3: 'aAppleSecureBootRootCaG21',
  +
0x488004DC: 'aAppleInc10',
  +
0x488004F1: 'aUs0',
  +
0x488004F7: 'a141219201310z',
  +
0x48800506: 'a341214201310z0k10',
  +
0x48800520: 'aAppleSecureBootRootCaG21_0',
  +
0x48800549: 'aAppleInc10_0',
  +
0x4880055E: 'aUs0_0',
  +
0x48800563: 'a0',
  +
0x4880056A: 'aH',
  +
0x48802AE8: 'aCpid8004Cprv10Cpfm03Scep01Bdid1eEcid0015243e0e100026',
  +
0x48802B67: 'aNonc38876290c433a5c8c1f7cf74d0bcef20cec156411cbf654cd5cf957ee6',
  +
0x48802F30: 'aKatskatskatskatskatskatskatskatskatskatskatskatskatskatskatskats_0',
  +
0x48805F1F: 'aHex',
  +
0x48805F28: 'aQx',
  +
0x48805F2C: 'aKats',
  +
0x488060F0: 'aIdleTask_1',
  +
0x48806104: 'a2kst_1',
  +
0x48806171: 'usb_inited',
  +
0x48806174: 'controller_functions',
  +
0x488061AC: 'usb_configuration_string_desc_index',
  +
0x488061C0: 'ep0_tx_buffer',
  +
0x488062D0: 'nonce_string_desc',
  +
0x488062D8: 'registered_interfaces_count',
  +
0x48806330: 'usb_dfu_inited',
  +
0x48807BA1: 'ebolink',
  +
0x48810240: 'aApppplleeMmoobbiilleeDdeevviicceeDdffuuMmooddee',
  +
0x48810448: 'aUsb_0',
  +
0x488104C0: 'aKatskatskatskatskatskatskatskatskatskatskatskatskatskatskatskats',
  +
0x48811500: 'aCmemcmem',
  +
0x48811645: 'aPwndCheckm8' }
 
</pre>
 
</pre>
   

Latest revision as of 01:59, 8 August 2020

This is the bootrom version found in the Apple Watch Series 3. It is vulnerable to Checkm8.

Segmentation/Loading

All of these segments are arbitrary and nonexistient, and only serve the purpose of helping you navigate the db more easily.

The SecureROM image segmentation is based on iBoot.sys mapping.

Dump from device:

  • 0x0-0x1FFFF
  • 0x48100000-0x48200000
  • 0x48650000-0x48651000
  • 0x48800000-0x48820000
  • 0x49100000-0x49120000

Load each into decompiler

Segments:

  • __text: 0x00000000 - 0x105CC
  • __TEXT_hidden: 0x000105CC - 0x00010600
  • __cstring: 0x00010600 - 0x000106E2
  • __const: 0x000106E2 - 0x000149DE
  • __zerofill: 0x000149DE - 0x0001FFFF
  • RAM: 0x48100000-0x48200000
  • MEM: 0x48650000-0x48651000
  • SRAM: 0x48800000-0x48820000
  • SMEM: 0x49100000-0x49120000

Types

Some type info is available here, and can be loaded into IDA via "Load -> C Header":

https://github.com/KritantaDev/iBootLoader/blob/master/iBootStrap/iBoot.h

Symbols

#
# Symbols found by _kritanta
# For: iBoot-2651.0.0.3.3 ROMRELEASE for t8004si
# Report any mistakes here: https://github.com/KritantaDev/timestop/blob/master/Symbols/ROM/t8004
# 
# This file is in python format for ease of loading
#
# You can probably use this to bindiff symbols to most other roms
#

symbols = { 
0x00000000: 'start',	
0x00000040: 'reset',	
0x0000005C: 'relocate_loop',	
0x00000078: 'relocate_data',	
0x000000A0: 'relocate_data_loop',	
0x000000B0: 'stack_setup',	
0x00000188: 'bss_loop',	
0x00000194: 'bss_done',	
0x000001A0: 'spin',	
0x00000200: 'aSecureromForT8004siCopyright20072014AppleInc',	
0x00000240: 'aRomrelease',	
0x00000280: 'aIboot26510033_0',	
0x00000300: 'Description',	
0x00000304: 'ReleaseCategory',	
0x00000308: 'iBootVersion',	
0x0000030C: 'main',	
0x00000310: 'Start',	
0x0000031C: 'sram_start',	
0x00000328: 'argv',	
0x00000334: 'heap_base',	
0x00000338: '_arm_read_cpsr',	
0x00000350: '_arm_read_ifsr',	
0x00000358: '_arm_read_dfsr',	
0x00000360: '_arm_write_l2_aux_cr',	
0x0000036C: '_arm_read_ifar',	
0x00000374: '_arm_read_extended_feature_regs',	
0x000003CC: '_arm_read_memory_model_feature_regs',	
0x000003E8: '_arm_read_instruction_set_attribute_regs',	
0x00000410: '_arm_read_cr',	
0x00000418: '_arm_write_cr',	
0x00000424: '_arm_read_aux_cr',	
0x0000042C: '_arm_write_aux_cr',	
0x00000438: '_arm_write_dar',	
0x00000444: '_arm_write_ttb',	
0x00000450: '_arm_write_ttbcr',	
0x0000045C: '_arm_read_dfar',	
0x00000464: '_arm_read_main_id',	
0x0000046C: '_arm_read_cache_id',	
0x00000474: '_arm_read_cache_level_id',	
0x00000484: '_arm_write_user_rw_tid',	
0x00000490: '_arm_read_fpexc',	
0x000004A0: '_arm_read_fpscr',	
0x000004F4: '_arm_read_cache_size_selection',	
0x000004FC: '_arm_write_user_ro_tid',	
0x00000508: '_arm_read_pmreg',	
0x000005CC: '_arm_write_pmreg',	
0x00000690: '_arm_read_cache_size_id',	
0x00000698: '_arm_write_sup_tid',	
0x000006A4: '_arm_read_l2_aux_cr',	
0x000006AC: '_arm_write_perip_port_remap',	
0x000006B8: '_arm_read_user_rw_tid',	
0x000006C0: '_arm_write_dprot_region_8',	
0x000006CC: '_arm_read_user_ro_tid',	
0x000006D4: '_arm_write_data_prot_register',	
0x000006E0: '_arm_flush_tlbs',	
0x000006F4: 'nullsub_4',	
0x00000798: '_arm_write_ins_prot_register',	
0x000007A4: '_arm_write_cacheable_registers',	
0x000007B4: '_arm_write_bufferable_register',	
0x000007F0: '_arch_restore_ints',	
0x0000080C: '_arm_enable_fiqs',	
0x0000081C: '_arm_disable_fiqs',	
0x0000082C: '_arm_read_sup_tid',	
0x00000834: '_arm_write_vbar',	
0x0000083C: '_arm_flush_branch_predictor',	
0x0000084C: '_arm_memory_barrier',	
0x00000854: '_arch_halt',	
0x00000860: '_arch_spin',	
0x00000868: '_main',	
0x000014B0: '_timer_get_ticks',	
0x000014B4: '_aic_get_ticks',	
0x000014CC: '_aic_spin',	
0x000014E8: '_timer_ticks_to_usecs',	
0x000014F8: '_timer_usecs_to_ticks',	
0x00001508: '_timer_get_entropy',	
0x00001AD0: '_usbphy_enable_pullup',	
0x00001C88: 'jpt_1C84',	
0x00001ED4: '__src',	
0x000026C8: 'synopsys_otg_controller_init',	
0x00002840: '_synopsys_otg_get_connection_speed',	
0x00002A78: '_synopsys_otg_is_endpoint_stalled',	
0x00003444: '_synopsys_otg_go_on_bus',	
0x000037B0: '_synopsys_otg_start_ep0_out',	
0x00003B34: 'verify_img4_whatever',	
0x00004514: 'aNrpdxekeyekeorpeceseorpdtsgdlodsmodscicedicegcnbbesccescnrpcorpc',	
0x000046B4: 'platform_cache_operation',	
0x0000475C: 'j_j__arm_memory_barrier',	
0x00004784: 'j__chipid_get_minimum_epoch',	
0x00004788: 'platform_get_usb_product_id',	
0x000047A0: 'platform_get_usb_product_string',	
0x000047A8: 'platform_get_usb_serial_number_string',	
0x00004888: 'platform_get_usb_more_other_string',	
0x000050E4: 'platform_init_setup_clocks',	
0x00005100: 'platform_init_hwpins',	
0x0000527C: 'platform_init_internal_mem',	
0x00005288: 'platform_quiesce_hardware',	
0x000052A0: 'platform_bootprep',	
0x00005308: 'chipid_clear_production_mode',	
0x00005374: '_platform_init_setup_clocks',	
0x00005390: 'platform_get_boot_device',	
0x000053AA: 'jpt_53A6',	
0x000053E4: 'def_53A6',	
0x000053EC: 'platform_enable_boot_interface',	
0x000054CC: 'platform_set_dfu_status',	
0x000054D8: 'platform_get_force_dfu',	
0x000054EC: 'platform_get_request_dfu1',	
0x00005504: 'platform_get_request_dfu2',	
0x00005864: 'platform_get_boot_trampoline',	
0x00005888: '__dst',	
0x00005894: '_chipid_get_production_mode',	
0x000058D4: '_chipid_get_security_domain',	
0x000058E4: '_chipid_get_board_id',	
0x000058F4: '_chipid_get_minimum_epoch',	
0x000059A8: '_charger_has_external',	
0x000059AC: 'chipid_set_fuse_lock',	
0x00005F3C: 'jpt_5F38',	
0x00005F46: 'def_5F38',	
0x00005FD8: 'halt',	
0x00005FE4: 'nullsub_1',	
0x00005FE8: '_platform_power_spin',	
0x00005FEC: 'platform_watchdog_tickle',	
0x0000601C: '_prepare_and_jump',	
0x00006188: '_callout_dequeue',	
0x0000624C: '_debug_init',	
0x00006264: 'nullsub_3',	
0x00006268: '__panic',	
0x00006350: 'doublePanicIn',	
0x00006354: 'panicMacro',	
0x000063A0: 'usb_controller_start',	
0x000063FC: 'platform_get_usb_cable_connected',	
0x0000648C: '_enter_critical_section',	
0x000064C8: '_exit_critical_section',	
0x0000681C: '_task_get_current_task',	
0x00006890: 'list_delete',	
0x000068C8: 'task_yield',	
0x0000698C: 'insert_run_q_tail',	
0x000069B0: 'task_start',	
0x000069D4: 'task_exit',	
0x00006A10: 'wait_queue_wake_all',	
0x00006B24: 'wait_queue_wake_one',	
0x00006B54: '_list_remove_head',	
0x00006B6C: 'event_init',	
0x00006B7C: 'event_signal',	
0x00006CE0: '_deep_idle_timeout',	
0x00006CEC: '_system_time',	
0x00006CFC: '_time_has_elapsed',	
0x00006D34: '_spin',	
0x00006D74: 'security_init',	
0x00006EB8: '_security_set_production_override',	
0x0000701C: '_arm_clean_dcache_line',	
0x000070A4: '_arm_clean_invalidate_dcache_line',	
0x000070B0: '_arm_clean_invalidate_dcache',	
0x00007108: '_arm_clean_dcache',	
0x00007160: '_arm_invalidate_dcache',	
0x00007230: '_arm_invalidate_icache',	
0x00007258: '_arm_drain_write_buffer',	
0x000072C8: '_arm_mmu_map_section_range',	
0x00007320: 'jpt_731C',	
0x0000738C: 'def_731C',	
0x000073E0: '_arm_mmu_init',	
0x0000742C: '_arm_fp_init',	
0x0000745C: 'arch_cpu_init',	
0x000074B8: '_arch_cpu_quiesce',	
0x000074E0: '_clocks_init',	
0x00007510: '_arch_get_entropy',	
0x00007540: 'arm_irq',	
0x000075E8: 'arm_fiq',	
0x00007690: 'arm_undefined',	
0x000076C8: 'arm_syscall',	
0x00007700: 'arm_prefetch_abort',	
0x0000773C: 'arm_data_abort',	
0x00007774: '___arm_reserved',	
0x00007AF4: '_usb_init_with_controller',	
0x00007B3C: '_usb_init',	
0x00007B4C: '_usb_quiesce',	
0x00007B74: '_usb_free',	
0x00007B88: '_usb_controller_register',	
0x00007BA8: '__b',	
0x00007BAC: 'usb_controller_init',	
0x00007BD0: '_usb_controller_stop',	
0x00007BF4: '_usb_controller_deactivate_endpoint',	
0x00007C18: 'usb_controller_stop',	
0x00007C3C: 'usb_controller_set_address',	
0x00007C60: 'usb_controller_get_connection_speed',	
0x00007C84: 'usb_controller_do_endpoint_io',	
0x00007CA8: 'usb_controller_stall_endpoint',	
0x00007CCC: 'usb_controller_reset_endpoint_data_toggle',	
0x00007CF0: 'usb_controller_do_test_mode',	
0x00007D14: 'usb_controller_abort_endpoint',	
0x00007D38: 'usb_controller_deactivate_endpoint',	
0x00007D5C: 'usb_core_init',	
0x00007DE8: 'usb_alloc_string_descriptor',	
0x00007E34: 'usb_create_string_descriptor',	
0x00007E68: 'usb_core_start',	
0x00008104: 'usb_core_register_interface',	
0x0000811C: 'usb_core_handle_usb_control_receive',	
0x000081D6: 'jpt_81D2',	
0x000082D6: 'jpt_82D2',	
0x0000844C: 'def_81D2',	
0x000084C8: 'usb_core_event_handler',	
0x00008584: 'usb_core_complete_endpoint_io',	
0x000085A0: 'usb_core_do_transfer',	
0x00008618: 'usb_core_deactivate_endpoint',	
0x0000862C: 'usb_core_stop',	
0x0000863C: '_usb_core_free',	
0x000086AC: 'handle_test_mode_request',	
0x000086B8: '_getDFUImage',	
0x000086E8: '_usb_dfu_init',	
0x0000877C: 'handle_interface_request',	
0x000088C8: 'data_received',	
0x00008958: 'handle_bus_reset',	
0x00008970: '_usb_dfu_exit',	
0x00008A00: 'image_load',	
0x00009320: '_siphash_aligned',	
0x00009454: 'def_945E',	
0x00009462: 'jpt_945E',	
0x00009690: '_required_size',	
0x000096DC: '_verify_block_checksum',	
0x00009734: '_heap_free',	
0x000098A4: '_calculate_block_checksum',	
0x000098BC: '_heap_memalign',	
0x00009A80: '_alloc_ep0_device_io_request',	
0x00009AB0: '_heap_panic',	
0x00009AC0: '_verify_block_padding',	
0x00009B10: '_free_list_add',	
0x00009C5C: 'heap_verify',	
0x00009E18: 'j__heap_free',	
0x0000A016: 'jpt_A012',	
0x0000A044: 'def_A012',	
0x0000A098: 'jpt_A094',	
0x0000A618: '_vsnprintf',	
0x0000A784: '_longlong_to_hexstring',	
0x0000A7BC: 'kAsciiHexChars',	
0x0000A7C4: '___vsnprintf_chk',	
0x0000A7FC: '_puts',	
0x0000A824: '_putchar',	
0x0000A840: '___strlcat_chk',	
0x0000A85C: '___stack_chk_fail',	
0x0000A884: '_memcpy',	
0x0000ABB0: '_memset',	
0x0000ABC8: '_bzero',	
0x0000ACC0: '_strlen',	
0x0000AD28: '_amc_phy_run_dll_update',	
0x0000AD74: '_strlcat',	
0x0000ADD0: '_strlcpy',	
0x0000B068: '_DERParseBitString',	
0x0000B08C: '_DERParseBoolean',	
0x0000B0B0: '_DERParseInteger',	
0x0000B0F4: '_DERParseInteger64',	
0x0000B160: '_DERDecodeSeqInit',	
0x0000B1B8: '_DERDecodeSeqContentInit',	
0x0000B1C8: '_DERDecodeSeqNext',	
0x0000B210: '_DERParseSequence',	
0x0000B270: '_DERParseSequenceContent',	
0x0000B398: '_Img4DecodeParseLengthFromBuffer',	
0x0000B3C4: '_random_get_bytes',	
0x0000B3E4: '_mib_get_u32',	
0x0000B410: '_random_get_bytes_internal',	
0x0000B500: '_random_get_bytes_noheap',	
0x0000B530: '_chipid_get_current_production_mode',	
0x0000B534: '_platform_get_raw_production_mode',	
0x0000B538: '_platform_get_security_domain',	
0x0000B554: 'j__chipid_get_minimum_epoch_0',	
0x0000B558: '_platform_get_chip_id',	
0x0000B560: '_platform_get_ecid_image_personalization_required',	
0x0000B564: '_platform_get_entropy',	
0x0000B568: '_platform_get_usb_vendor_id',	
0x0000B570: '_power_needs_precharge',	
0x0000B574: '_platform_halt',	
0x0000B578: '_platform_deep_idle',	
0x0000B57C: '_platform_get_usb_manufacturer_string',	
0x0000B584: '_platform_get_usb_device_version',	
0x0000B588: '_platform_get_fuse_modes',	
0x0000B5A4: '_DERImg4DecodeFindInSequence',	
0x0000B5E8: '_DERImg4DecodeContentFindItemWithTag',	
0x0000B614: '_DERImg4DecodeTagCompare',	
0x0000B650: '_DERImg4Decode',	
0x0000B77C: '_DERImg4DecodeUnsignedManifest',	
0x0000B900: '_Img4DecodeInitUnsignedManifest',	
0x0000BB90: '_Img4DecodeGetBooleanFromSection',	
0x0000BBE0: '_Img4DecodeGetPropertyFromSection',	
0x0000BCA0: '_Img4DecodeGetPropertyBoolean',	
0x0000BD20: '_Img4DecodeEvaluateCertificateProperties',	
0x0000BEDC: '_Img4DecodeEvaluateDictionaryProperties',	
0x0001053C: '_arch_get_entropy$shim',	
0x00010548: 'j__arm_clean_invalidate_dcache',	
0x00010554: '_arm_clean_invalidate_dcache_line_2',	
0x00010560: 'j__arm_clean_dcache',	
0x00010578: '_platform_get_chip_revision',	
0x00010584: '_arm_flush_tlbs$shim',	
0x00010590: '_arm_write_cp_access_cr$shim',	
0x000105A8: 'j__arm_enable_fiqs',	
0x000105B4: '_strlen$shim',	
0x000105C0: '_arch_halt$shim',	
0x00010600: 'aNor0',	
0x00010605: 'nil',	
0x00010606: 'aUsb',	
0x0001060A: 'aImg4',	
0x0001060F: 'aIm4p',	
0x00010614: 'aAppleMobileDeviceDfuMode',	
0x00010633: 'aCpid04xCprv02xCpfm02xScep02xBdid02xEcid016llxI',	
0x0001067C: 'aSrtgS',	
0x00010687: 'aNonc',	
0x0001068E: 'a02x',	
0x00010693: 'aSnon',	
0x0001069A: 'aDoublePanicIn',	
0x000106AE: 'aPanic',	
0x000106BA: 'aIdleTask',	
0x000106C4: 'aNull',	
0x000106CB: 'aPtr',	
0x000106D1: 'a0x',	
0x000106D8: 'aAppleInc',	
0x00012074: 'a0123456789abcdef',	
0x488001E0: 'current_task',	
0x48800388: 'aBootstrap_0',	
0x4880039C: 'a2kst',	
0x488003C2: 'usb_core_device_descriptor',	
0x488004A6: 'a0k10',	
0x488004AE: 'aU',	
0x488004B3: 'aAppleSecureBootRootCaG21',	
0x488004DC: 'aAppleInc10',	
0x488004F1: 'aUs0',	
0x488004F7: 'a141219201310z',	
0x48800506: 'a341214201310z0k10',	
0x48800520: 'aAppleSecureBootRootCaG21_0',	
0x48800549: 'aAppleInc10_0',	
0x4880055E: 'aUs0_0',	
0x48800563: 'a0',	
0x4880056A: 'aH',	
0x48802AE8: 'aCpid8004Cprv10Cpfm03Scep01Bdid1eEcid0015243e0e100026',	
0x48802B67: 'aNonc38876290c433a5c8c1f7cf74d0bcef20cec156411cbf654cd5cf957ee6',	
0x48802F30: 'aKatskatskatskatskatskatskatskatskatskatskatskatskatskatskatskats_0',	
0x48805F1F: 'aHex',	
0x48805F28: 'aQx',	
0x48805F2C: 'aKats',	
0x488060F0: 'aIdleTask_1',	
0x48806104: 'a2kst_1',	
0x48806171: 'usb_inited',	
0x48806174: 'controller_functions',	
0x488061AC: 'usb_configuration_string_desc_index',	
0x488061C0: 'ep0_tx_buffer',	
0x488062D0: 'nonce_string_desc',	
0x488062D8: 'registered_interfaces_count',	
0x48806330: 'usb_dfu_inited',	
0x48807BA1: 'ebolink',	
0x48810240: 'aApppplleeMmoobbiilleeDdeevviicceeDdffuuMmooddee',	
0x48810448: 'aUsb_0',	
0x488104C0: 'aKatskatskatskatskatskatskatskatskatskatskatskatskatskatskatskats',	
0x48811500: 'aCmemcmem',	
0x48811645: 'aPwndCheckm8' }