Difference between revisions of "Seputil"

From The iPhone Wiki
Jump to: navigation, search
(iOS application => iOS command-line interface tool)
m (spelling)
 
(5 intermediate revisions by 4 users not shown)
Line 22: Line 22:
 
}}
 
}}
   
'''seputil''' is an iOS command-line interface tool. It is used to communicate with the [[Secure Enclave]] and its processor - the SEP. The utility [[ramrod]] also uses seputil to update the firmware of the SEP. seputil itself is contained in HXXXRamDisk.dmg, located in <code>/usr/standalone/update/ramdisk/</code> (the name of the ramdisk varies depending on the firmware.) Once mounted, the seputil executable is found in <code>/usr/libexec/</code>. The first 0x1b (27) bytes are stripped to make the dmg readable.
+
'''seputil''' is an iOS command-line interface tool. It is used to communicate with the [[Secure Enclave]] and its processor - the SEP. The utility [[ramrod]] also uses seputil to update the firmware of the SEP. seputil itself is contained in HXXXRamDisk.dmg, located in <code>/usr/standalone/update/ramdisk/</code> (the name of the ramdisk varies depending on the firmware.) Once mounted, the seputil executable is found in <code>/usr/libexec/</code>. The file is an [[IMG4 File Format|IMG4]] file and therefore needs the first 0x1b (27) bytes are stripped to make the dmg readable, or img4tool can be used
   
 
seputil has the following commands:
 
seputil has the following commands:
Line 48: Line 48:
 
seputil: --art set Persist the supplied ART to storage
 
seputil: --art set Persist the supplied ART to storage
 
seputil: --art clear Clear the persisted ART
 
seputil: --art clear Clear the persisted ART
seputil: --art ctrtest Counter self-test (DESTRUCTIVE - WILL BRICK DEVICE)
+
seputil: --art ctrtest Counter self-test (DESTRUCTIVE - can brick some legacy devices!)
 
seputil: --sleep Sleep the SEP NOW!
 
seputil: --sleep Sleep the SEP NOW!
 
seputil: --nap Nap the SEP NOW!
 
seputil: --nap Nap the SEP NOW!
Line 331: Line 331:
   
 
Example 3:
 
Example 3:
  +
Don't try this at home kids!<br />DESTRUCTIVE - WILL [[Brick|BRICK]] SOME LEGACY DEVICES!!!
 
<pre>
 
<pre>
 
./seputil --art clear
 
./seputil --art clear

Latest revision as of 23:07, 26 September 2021

Original author(s) Apple Inc.
Developer(s) Apple Inc.
Operating system iOS command line
Size 59,184 bytes [APP]
Available in English
Type ?
License Closed source

seputil is an iOS command-line interface tool. It is used to communicate with the Secure Enclave and its processor - the SEP. The utility ramrod also uses seputil to update the firmware of the SEP. seputil itself is contained in HXXXRamDisk.dmg, located in /usr/standalone/update/ramdisk/ (the name of the ramdisk varies depending on the firmware.) Once mounted, the seputil executable is found in /usr/libexec/. The file is an IMG4 file and therefore needs the first 0x1b (27) bytes are stripped to make the dmg readable, or img4tool can be used

seputil has the following commands:

seputil: seputil [--wait] --load <file>
seputil: seputil '<SEP console command>'
seputil: seputil <command>
seputil: 
seputil: Valid <command> words:
seputil:     --ping        Send a PING operation to the SEP OS
seputil:     --load        Load <file> as the SEP runtime firmware
seputil:     --restore     Load <file> as the SEP runtime firmware in restore mode
seputil:     --restore+art Load <file> as the SEP runtime firmware in restore mode with ART
seputil:     --wait        Pause for kernel driver to load before failing
seputil:     --preflight   Pre-flight load/restore firmware against ART to pre-check for boot failures
seputil:     --log         Dump the mailbox message log
seputil:     --rom status  Get the ROM status
seputil:     --rom tz0     Send a ROM TZ0 command
seputil:     --rom nop     Send a ROM NOP command
seputil:     --rom nonce   Send a ROM nonce request
seputil:     --new-nonce   Request new SEP/OS nonce
seputil:     --kill-nonce  Request invalidate SEP/OS nonce
seputil:     --art get     Dump current ART from Memory
seputil:     --art set     Persist the supplied ART to storage
seputil:     --art clear   Clear the persisted ART
seputil:     --art ctrtest Counter self-test (DESTRUCTIVE - can brick some legacy devices!)
seputil:     --sleep       Sleep the SEP NOW!
seputil:     --nap         Nap the SEP NOW!
seputil:     --pingflood   Ping SEP endlessly
seputil:     --clkgate     Enable SEP clock gating
seputil:     --get <obj>   Read obj and write to stdout
seputil:     --put <obj>   Read stdin and write to obj
seputil:     --boot-check <file>  Check whether a firmware might be bootable WRT the current ART
seputil:     --dump-fw <file>     Dump measurements of firmware file
seputil:   Bare words on the commandline are sent to the SEP as a console command

Examples

./seputil --pingflood
SEP ping #1000
SEP ping #2000
SEP ping #3000
SEP ping #4000

./seputil --load sep-firmware.img4 
seputil: load fw returned 0xe00002d5
seputil: load failed

./seputil --new-nonce
Nonce (20 bytes): 0x67fc18385630dc6429726677d196c81466f47b5e

./seputil --art get  
raw ART: 305e0201003037020218340414519c0248f04d316a3d71e03978b4126fbfb2b15c0400041467fc18385630dc6429726677d196c81466f47b5e3103c00100042027b6dadbab356612997af0203cefeae51fe90cd985ee7cdd6211c766b8cc7a60
Successfully parsed ART:
counter: 6196
manifest hash (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c
sleep hash is absent
restore nonce (20 bytes): 67fc18385630dc6429726677d196c81466f47b5e

./seputil --log    
Kernel message log has 128 entries
289344381444: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289344385176: 0x0000000000000000 TX interrupt
289344391044: 0x0000000000000000 TX interrupt
289344408988: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289344409016: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289344413132: 0x0000000000000000 RX interrupt
289344413304: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289344413904: 0x0000000000000000 RX interrupt
289344413944: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289344414176: 0x0018000000dd1007 TX message ept 7, tag 10, opcode dd, param 0, data 180000
289344443356: 0x0000000000000000 RX interrupt
289344443428: 0x0068000000dd9007 RX message ept 7, tag 90, opcode dd, param 0, data 680000
289346822748: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0
289346829480: 0x0000000000000000 RX interrupt
289346829560: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0
289346830136: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0
289406511168: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289406511204: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289406538900: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289406538936: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289406543628: 0x0000000000000000 TX interrupt
289406549916: 0x0000000000000000 TX interrupt
289406566580: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289406566612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289406571220: 0x0000000000000000 RX interrupt
289406571476: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289406571908: 0x0000000000000000 RX interrupt
289406571952: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289406572320: 0x0018000000de1007 TX message ept 7, tag 10, opcode de, param 0, data 180000
289406605068: 0x0000000000000000 RX interrupt
289406605152: 0x0068000000de9007 RX message ept 7, tag 90, opcode de, param 0, data 680000
289407383260: 0x003c000000df0907 TX message ept 7, tag 9, opcode df, param 0, data 3c0000
289407396284: 0x0000000000000000 RX interrupt
289407396380: 0x002c000000df8907 RX message ept 7, tag 89, opcode df, param 0, data 2c0000
289407403656: 0x003c000000e00907 TX message ept 7, tag 9, opcode e0, param 0, data 3c0000
289407411688: 0x0000000000000000 RX interrupt
289407411736: 0x002c000000e08907 RX message ept 7, tag 89, opcode e0, param 0, data 2c0000
289407414732: 0x003c000000e10907 TX message ept 7, tag 9, opcode e1, param 0, data 3c0000
289407422472: 0x0000000000000000 RX interrupt
289407422524: 0x002c000000e18907 RX message ept 7, tag 89, opcode e1, param 0, data 2c0000
289408986276: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0
289408991756: 0x0000000000000000 RX interrupt
289408991824: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0
289408992472: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0
289459393276: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289459393348: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289459423004: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289459423048: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289459452628: 0x0000000000000000 TX interrupt
289459453612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289459453664: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289459466460: 0x0000000000000000 TX interrupt
289459469548: 0x0000000000000000 RX interrupt
289459470000: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289459470632: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289459471304: 0x0018000000e21007 TX message ept 7, tag 10, opcode e2, param 0, data 180000
289459524572: 0x0000000000000000 RX interrupt
289459524728: 0x0068000000e29007 RX message ept 7, tag 90, opcode e2, param 0, data 680000
289459532644: 0x004c000000e30f07 TX message ept 7, tag f, opcode e3, param 0, data 4c0000
289459552888: 0x0000000000000000 RX interrupt
289459553044: 0x002c000000e38f07 RX message ept 7, tag 8f, opcode e3, param 0, data 2c0000
289459646732: 0x0018000000e41007 TX message ept 7, tag 10, opcode e4, param 0, data 180000
289459681116: 0x0000000000000000 RX interrupt
289459681272: 0x0068000000e49007 RX message ept 7, tag 90, opcode e4, param 0, data 680000
289461898836: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0
289461906796: 0x0000000000000000 RX interrupt
289461906968: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0
289461908400: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0
289526725980: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289526726016: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289526757512: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289526757552: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289526774468: 0x0000000000000000 TX interrupt
289526782688: 0x0000000000000000 TX interrupt
289526786468: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289526786540: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289526795320: 0x0000000000000000 RX interrupt
289526795828: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289526796304: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289526796984: 0x0018000000e51007 TX message ept 7, tag 10, opcode e5, param 0, data 180000
289526847216: 0x0000000000000000 RX interrupt
289526847348: 0x0068000000e59007 RX message ept 7, tag 90, opcode e5, param 0, data 680000
289529224460: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0
289529235316: 0x0000000000000000 RX interrupt
289529235488: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0
289529236920: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0
289584681764: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289584681836: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289584710576: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289584710608: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289584730996: 0x0000000000000000 TX interrupt
289584738992: 0x0000000000000000 TX interrupt
289584739572: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289584739612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289584748648: 0x0000000000000000 RX interrupt
289584748984: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289584749300: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289584749332: 0x0018000000e61007 TX message ept 7, tag 10, opcode e6, param 0, data 180000
289584790484: 0x0000000000000000 RX interrupt
289584790568: 0x0068000000e69007 RX message ept 7, tag 90, opcode e6, param 0, data 680000
289587176748: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0
289587185760: 0x0000000000000000 RX interrupt
289587185916: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0
289587186840: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0
288741485000: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
288741485084: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
288741514772: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
288741514812: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
288741533984: 0x0000000000000000 TX interrupt
288741541992: 0x0000000000000000 TX interrupt
288741543608: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
288741543680: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
288741552216: 0x0000000000000000 RX interrupt
288741552884: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
288741553388: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
288741553672: 0x0018000000db1007 TX message ept 7, tag 10, opcode db, param 0, data 180000
288741591912: 0x0000000000000000 RX interrupt
288741592040: 0x0068000000db9007 RX message ept 7, tag 90, opcode db, param 0, data 680000
288741599128: 0x004c000000dc0f07 TX message ept 7, tag f, opcode dc, param 0, data 4c0000
288741620732: 0x0000000000000000 RX interrupt
288741620900: 0x002c000000dc8f07 RX message ept 7, tag 8f, opcode dc, param 0, data 2c0000
288742902624: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0
288742912320: 0x0000000000000000 RX interrupt
288742912496: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0
288742913700: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0
289344354176: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289344354216: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289344381416: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0

./seputil --boot-check sep-firmware.img4 
preflight: manifest hash matches sepi
bootCheck: SEP may boot with ART

./seputil --dump-fw sep-firmware.img4 
manifest digest (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c
sepi digest (20 bytes): a22813c5ceaeada5b7eeaa55808f3019814e8b8e
sepi nonce (20 bytes): e5074bd1befefc685c6b5ec6797ffc851366f76f
rsep digest (20 bytes): cb9f4c6520889e2582414c5969fb0abc3b0d8277
rsep nonce (20 bytes): e5074bd1befefc685c6b5ec6797ffc851366f76f

jtool dissect

./jtool -l /Volumes/ramdisk/usr/libexec/seputil 
LC 00: LC_SEGMENT_64          Mem: 0x000000000-0x100000000	__PAGEZERO
LC 01: LC_SEGMENT_64          Mem: 0x100000000-0x100008000	__TEXT
	0x0000000100000ce8-0x00000001000055e0	__TEXT.__text
	0x00000001000055e0-0x00000001000058ec	__TEXT.__stubs
	0x00000001000058ec-0x0000000100005c10	__TEXT.__stub_helper
	0x0000000100005c10-0x0000000100006e5d	__TEXT.__cstring
	0x0000000100006e60-0x0000000100007fac	__TEXT.__const
	0x0000000100007fac-0x0000000100007ff4	__TEXT.__unwind_info
LC 02: LC_SEGMENT_64          Mem: 0x100008000-0x10000c000	__DATA
	0x0000000100008000-0x0000000100008050	__DATA.__got
	0x0000000100008050-0x0000000100008258	__DATA.__la_symbol_ptr
	0x0000000100008258-0x00000001000086e8	__DATA.__const
	0x00000001000086e8-0x0000000100008990	__DATA.__data
	0x0000000100008990-0x00000001000089b0	__DATA.__bss
LC 03: LC_SEGMENT_64          Mem: 0x10000c000-0x100010000	__LINKEDIT
LC 04: LC_DYLD_INFO_ONLY     
LC 05: LC_SYMTAB             	Symbol table is at offset 0xd9c8, with 77 entries
LC 06: LC_DYSYMTAB           
LC 07: LC_LOAD_DYLINKER      	/usr/lib/dyld
LC 08: LC_UUID               	UUID: 5C06A94F-63A7-3150-95B6-65567C70A3C8
LC 09: LC_VERSION_MIN_IPHONEOS	Minimum iOS  version:    7.0.0
LC 10: LC_SOURCE_VERSION     	Source Version:          69.1.1.0.0
LC 11: LC_MAIN               	Entry Point:             0x1448 (Mem: 100001448)
LC 12: LC_LOAD_DYLIB         	/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
LC 13: LC_LOAD_DYLIB         	/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
LC 14: LC_LOAD_DYLIB         	/usr/lib/libSystem.B.dylib
LC 15: LC_FUNCTION_STARTS    	Offset: 55592, Size: 120
LC 16: LC_DATA_IN_CODE       	Offset: 55712, Size: 0
LC 17: LC_DYLIB_CODE_SIGN_DRS	Offset: 55712, Size: 40
LC 18: LC_CODE_SIGNATURE     	Offset: 58704, Size: 480

ART Object

Example 1:

./seputil --art get  
raw ART: 305e0201003037020218340414519c0248f04d316a3d71e03978b4126fbfb2b15c0400041467fc18385630dc6429726677d196c81466f47b5e3103c00100042027b6dadbab356612997af0203cefeae51fe90cd985ee7cdd6211c766b8cc7a60
Successfully parsed ART:
counter: 6196
manifest hash (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c
sleep hash is absent
restore nonce (20 bytes): 67fc18385630dc6429726677d196c81466f47b5e

raw ART is also a DER encoded ASN.1 object:

30 — type tag indicating SEQUENCE
5e — length in octets of value that follows (92)
   02 — type tag indicating INTEGER
   01 — length in octets of value that follows
      00 — value (0)
   30 — type tag indicating SEQUENCE
   37 — length in octets of value that follows (55)
      02 — type tag indicating INTEGER
      02 — length in octets of value that follows
         1834 — value (6196) (of counter)
      04 — type tag indicating STRING
      14 — length in octets of value that follows (20)
         519c0248f04d316a3d71e03978b4126fbfb2b15c — value (of manifest hash)
      04 — type tag indicating STRING
      00 — length in octets of value that follows (0); empty, so no value to follow (sleep hash is absent)
      04 — type tag indicating STRING
      14 — length in octets of value that follows (20)
         67fc18385630dc6429726677d196c81466f47b5e — value (of restore nonce: snon)
      31 — type tag indicating SET (of subcounters)
      03 — length in octets of value that follows (3)
      c00100 — value (priv element [0]=0)
   04 — type tag indicating STRING
   20 — length in octets of value that follows (32)
      27b6dadbab356612997af0203cefeae51fe90cd985ee7cdd6211c766b8cc7a60 — value (SHA-256 HMAC of the previous SEQUENCE)
 

Example 2:

./seputil --art get
raw ART: 3072020100304b0202186c0414519c0248f04d316a3d71e03978b4126fbfb2b15c04147f75cb9012128cf71eb8fcd6b13e56a02a7324db041467fc18385630dc6429726677d196c81466f47b5e3103c0010004209ce3646167631d0df8d4db28973db8d5a27f85d345ad6ec220aeb1e22f39f31f
Successfully parsed ART:
counter: 6252
manifest hash (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c
sleep hash (20 bytes): 7f75cb9012128cf71eb8fcd6b13e56a02a7324db
restore nonce (20 bytes): 67fc18385630dc6429726677d196c81466f47b5e

Decode (used the decoder here):

SEQUENCE (3 elem)
   INTEGER 0
   SEQUENCE (5 elem)
      INTEGER 6252
      OCTET STRING (20 byte) 519C0248F04D316A3D71E03978B4126FBFB2B15C
      OCTET STRING (20 byte) 7F75CB9012128CF71EB8FCD6B13E56A02A7324DB
      OCTET STRING (20 byte) 67FC18385630DC6429726677D196C81466F47B5E
      SET (1 elem)
         Private 0 (1 byte) 00
   OCTET STRING (32 byte) 9CE3646167631D0DF8D4DB28973DB8D5A27F85D345AD6EC220AEB1E22F39F31F

Example 3: Don't try this at home kids!
DESTRUCTIVE - WILL BRICK SOME LEGACY DEVICES!!!

./seputil --art clear
ART cleared from storage

./seputil --art get  
seputil: Get ART command error: 0xe00002bc