The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Seputil"
m (snon) |
(subcounters) |
||
Line 298: | Line 298: | ||
14 — length in octets of value that follows (20) |
14 — length in octets of value that follows (20) |
||
67fc18385630dc6429726677d196c81466f47b5e — value (of restore nonce: snon) |
67fc18385630dc6429726677d196c81466f47b5e — value (of restore nonce: snon) |
||
− | 31 — type tag indicating SET |
+ | 31 — type tag indicating SET (of subcounters) |
03 — length in octets of value that follows (3) |
03 — length in octets of value that follows (3) |
||
− | c00100 — value |
+ | c00100 — value (priv element [0]=0) |
04 — type tag indicating STRING |
04 — type tag indicating STRING |
||
20 — length in octets of value that follows (32) |
20 — length in octets of value that follows (32) |
Revision as of 07:11, 4 August 2017
Original author(s) | Apple Inc. |
---|---|
Developer(s) | Apple Inc. |
Operating system | iOS command line |
Size | 59,184 bytes [APP] |
Available in | English |
Type | ? |
License | Closed source |
seputil is an Apple internal application (arm64). It is used to communicate with the Secure Enclave and it's processor - the SEP. The utility ramrod also uses seputil to update the firmware of the SEP. seputil is contained in the ramdisk of H6SURamDisk.dmg (which itself is located in the /usr/standalone/update/ramdisk/
folder of 7.0.4 or 7.0.5 on iPhone5s) and there in /usr/libexec/
. You just have strip off the first 0x1b (27) bytes to make the dmg readable.
seputil has the following commands:
seputil: seputil [--wait] --load <file> seputil: seputil '<SEP console command>' seputil: seputil <command> seputil: seputil: Valid <command> words: seputil: --ping Send a PING operation to the SEP OS seputil: --load Load <file> as the SEP runtime firmware seputil: --restore Load <file> as the SEP runtime firmware in restore mode seputil: --restore+art Load <file> as the SEP runtime firmware in restore mode with ART seputil: --wait Pause for kernel driver to load before failing seputil: --preflight Pre-flight load/restore firmware against ART to pre-check for boot failures seputil: --log Dump the mailbox message log seputil: --rom status Get the ROM status seputil: --rom tz0 Send a ROM TZ0 command seputil: --rom nop Send a ROM NOP command seputil: --rom nonce Send a ROM nonce request seputil: --new-nonce Request new SEP/OS nonce seputil: --kill-nonce Request invalidate SEP/OS nonce seputil: --art get Dump current ART from Memory seputil: --art set Persist the supplied ART to storage seputil: --art clear Clear the persisted ART seputil: --art ctrtest Counter self-test (DESTRUCTIVE - WILL BRICK DEVICE) seputil: --sleep Sleep the SEP NOW! seputil: --nap Nap the SEP NOW! seputil: --pingflood Ping SEP endlessly seputil: --clkgate Enable SEP clock gating seputil: --get <obj> Read obj and write to stdout seputil: --put <obj> Read stdin and write to obj seputil: --boot-check <file> Check whether a firmware might be bootable WRT the current ART seputil: --dump-fw <file> Dump measurements of firmware file seputil: Bare words on the commandline are sent to the SEP as a console command
Examples
./seputil --pingflood SEP ping #1000 SEP ping #2000 SEP ping #3000 SEP ping #4000 ./seputil --load sep-firmware.img4 seputil: load fw returned 0xe00002d5 seputil: load failed ./seputil --new-nonce Nonce (20 bytes): 0x67fc18385630dc6429726677d196c81466f47b5e ./seputil --art get raw ART: 305e0201003037020218340414519c0248f04d316a3d71e03978b4126fbfb2b15c0400041467fc18385630dc6429726677d196c81466f47b5e3103c00100042027b6dadbab356612997af0203cefeae51fe90cd985ee7cdd6211c766b8cc7a60 Successfully parsed ART: counter: 6196 manifest hash (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c sleep hash is absent restore nonce (20 bytes): 67fc18385630dc6429726677d196c81466f47b5e ./seputil --art set Segmentation fault: 11 ./seputil --log Kernel message log has 128 entries 289344381444: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289344385176: 0x0000000000000000 TX interrupt 289344391044: 0x0000000000000000 TX interrupt 289344408988: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289344409016: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289344413132: 0x0000000000000000 RX interrupt 289344413304: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289344413904: 0x0000000000000000 RX interrupt 289344413944: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289344414176: 0x0018000000dd1007 TX message ept 7, tag 10, opcode dd, param 0, data 180000 289344443356: 0x0000000000000000 RX interrupt 289344443428: 0x0068000000dd9007 RX message ept 7, tag 90, opcode dd, param 0, data 680000 289346822748: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 289346829480: 0x0000000000000000 RX interrupt 289346829560: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 289346830136: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 289406511168: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406511204: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406538900: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406538936: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406543628: 0x0000000000000000 TX interrupt 289406549916: 0x0000000000000000 TX interrupt 289406566580: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406566612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406571220: 0x0000000000000000 RX interrupt 289406571476: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289406571908: 0x0000000000000000 RX interrupt 289406571952: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289406572320: 0x0018000000de1007 TX message ept 7, tag 10, opcode de, param 0, data 180000 289406605068: 0x0000000000000000 RX interrupt 289406605152: 0x0068000000de9007 RX message ept 7, tag 90, opcode de, param 0, data 680000 289407383260: 0x003c000000df0907 TX message ept 7, tag 9, opcode df, param 0, data 3c0000 289407396284: 0x0000000000000000 RX interrupt 289407396380: 0x002c000000df8907 RX message ept 7, tag 89, opcode df, param 0, data 2c0000 289407403656: 0x003c000000e00907 TX message ept 7, tag 9, opcode e0, param 0, data 3c0000 289407411688: 0x0000000000000000 RX interrupt 289407411736: 0x002c000000e08907 RX message ept 7, tag 89, opcode e0, param 0, data 2c0000 289407414732: 0x003c000000e10907 TX message ept 7, tag 9, opcode e1, param 0, data 3c0000 289407422472: 0x0000000000000000 RX interrupt 289407422524: 0x002c000000e18907 RX message ept 7, tag 89, opcode e1, param 0, data 2c0000 289408986276: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 289408991756: 0x0000000000000000 RX interrupt 289408991824: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 289408992472: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 289459393276: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459393348: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459423004: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459423048: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459452628: 0x0000000000000000 TX interrupt 289459453612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459453664: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459466460: 0x0000000000000000 TX interrupt 289459469548: 0x0000000000000000 RX interrupt 289459470000: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289459470632: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289459471304: 0x0018000000e21007 TX message ept 7, tag 10, opcode e2, param 0, data 180000 289459524572: 0x0000000000000000 RX interrupt 289459524728: 0x0068000000e29007 RX message ept 7, tag 90, opcode e2, param 0, data 680000 289459532644: 0x004c000000e30f07 TX message ept 7, tag f, opcode e3, param 0, data 4c0000 289459552888: 0x0000000000000000 RX interrupt 289459553044: 0x002c000000e38f07 RX message ept 7, tag 8f, opcode e3, param 0, data 2c0000 289459646732: 0x0018000000e41007 TX message ept 7, tag 10, opcode e4, param 0, data 180000 289459681116: 0x0000000000000000 RX interrupt 289459681272: 0x0068000000e49007 RX message ept 7, tag 90, opcode e4, param 0, data 680000 289461898836: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 289461906796: 0x0000000000000000 RX interrupt 289461906968: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 289461908400: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 289526725980: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526726016: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526757512: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526757552: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526774468: 0x0000000000000000 TX interrupt 289526782688: 0x0000000000000000 TX interrupt 289526786468: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526786540: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526795320: 0x0000000000000000 RX interrupt 289526795828: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289526796304: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289526796984: 0x0018000000e51007 TX message ept 7, tag 10, opcode e5, param 0, data 180000 289526847216: 0x0000000000000000 RX interrupt 289526847348: 0x0068000000e59007 RX message ept 7, tag 90, opcode e5, param 0, data 680000 289529224460: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 289529235316: 0x0000000000000000 RX interrupt 289529235488: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 289529236920: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 289584681764: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584681836: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584710576: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584710608: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584730996: 0x0000000000000000 TX interrupt 289584738992: 0x0000000000000000 TX interrupt 289584739572: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584739612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584748648: 0x0000000000000000 RX interrupt 289584748984: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289584749300: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289584749332: 0x0018000000e61007 TX message ept 7, tag 10, opcode e6, param 0, data 180000 289584790484: 0x0000000000000000 RX interrupt 289584790568: 0x0068000000e69007 RX message ept 7, tag 90, opcode e6, param 0, data 680000 289587176748: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 289587185760: 0x0000000000000000 RX interrupt 289587185916: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 289587186840: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 288741485000: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741485084: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741514772: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741514812: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741533984: 0x0000000000000000 TX interrupt 288741541992: 0x0000000000000000 TX interrupt 288741543608: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741543680: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741552216: 0x0000000000000000 RX interrupt 288741552884: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 288741553388: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 288741553672: 0x0018000000db1007 TX message ept 7, tag 10, opcode db, param 0, data 180000 288741591912: 0x0000000000000000 RX interrupt 288741592040: 0x0068000000db9007 RX message ept 7, tag 90, opcode db, param 0, data 680000 288741599128: 0x004c000000dc0f07 TX message ept 7, tag f, opcode dc, param 0, data 4c0000 288741620732: 0x0000000000000000 RX interrupt 288741620900: 0x002c000000dc8f07 RX message ept 7, tag 8f, opcode dc, param 0, data 2c0000 288742902624: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 288742912320: 0x0000000000000000 RX interrupt 288742912496: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 288742913700: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 289344354176: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289344354216: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289344381416: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 ./seputil --boot-check sep-firmware.img4 preflight: manifest hash matches sepi bootCheck: SEP may boot with ART ./seputil --dump-fw sep-firmware.img4 manifest digest (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c sepi digest (20 bytes): a22813c5ceaeada5b7eeaa55808f3019814e8b8e sepi nonce (20 bytes): e5074bd1befefc685c6b5ec6797ffc851366f76f rsep digest (20 bytes): cb9f4c6520889e2582414c5969fb0abc3b0d8277 rsep nonce (20 bytes): e5074bd1befefc685c6b5ec6797ffc851366f76f
jtool dissect
./jtool -l /Volumes/ramdisk/usr/libexec/seputil LC 00: LC_SEGMENT_64 Mem: 0x000000000-0x100000000 __PAGEZERO LC 01: LC_SEGMENT_64 Mem: 0x100000000-0x100008000 __TEXT 0x0000000100000ce8-0x00000001000055e0 __TEXT.__text 0x00000001000055e0-0x00000001000058ec __TEXT.__stubs 0x00000001000058ec-0x0000000100005c10 __TEXT.__stub_helper 0x0000000100005c10-0x0000000100006e5d __TEXT.__cstring 0x0000000100006e60-0x0000000100007fac __TEXT.__const 0x0000000100007fac-0x0000000100007ff4 __TEXT.__unwind_info LC 02: LC_SEGMENT_64 Mem: 0x100008000-0x10000c000 __DATA 0x0000000100008000-0x0000000100008050 __DATA.__got 0x0000000100008050-0x0000000100008258 __DATA.__la_symbol_ptr 0x0000000100008258-0x00000001000086e8 __DATA.__const 0x00000001000086e8-0x0000000100008990 __DATA.__data 0x0000000100008990-0x00000001000089b0 __DATA.__bss LC 03: LC_SEGMENT_64 Mem: 0x10000c000-0x100010000 __LINKEDIT LC 04: LC_DYLD_INFO_ONLY LC 05: LC_SYMTAB Symbol table is at offset 0xd9c8, with 77 entries LC 06: LC_DYSYMTAB LC 07: LC_LOAD_DYLINKER /usr/lib/dyld LC 08: LC_UUID UUID: 5C06A94F-63A7-3150-95B6-65567C70A3C8 LC 09: LC_VERSION_MIN_IPHONEOS Minimum iOS version: 7.0.0 LC 10: LC_SOURCE_VERSION Source Version: 69.1.1.0.0 LC 11: LC_MAIN Entry Point: 0x1448 (Mem: 100001448) LC 12: LC_LOAD_DYLIB /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation LC 13: LC_LOAD_DYLIB /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit LC 14: LC_LOAD_DYLIB /usr/lib/libSystem.B.dylib LC 15: LC_FUNCTION_STARTS Offset: 55592, Size: 120 LC 16: LC_DATA_IN_CODE Offset: 55712, Size: 0 LC 17: LC_DYLIB_CODE_SIGN_DRS Offset: 55712, Size: 40 LC 18: LC_CODE_SIGNATURE Offset: 58704, Size: 480
ART Object
Example 1:
./seputil --art get raw ART: 305e0201003037020218340414519c0248f04d316a3d71e03978b4126fbfb2b15c0400041467fc18385630dc6429726677d196c81466f47b5e3103c00100042027b6dadbab356612997af0203cefeae51fe90cd985ee7cdd6211c766b8cc7a60 Successfully parsed ART: counter: 6196 manifest hash (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c sleep hash is absent restore nonce (20 bytes): 67fc18385630dc6429726677d196c81466f47b5e
raw ART is also a DER encoded ASN.1 object:
30 — type tag indicating SEQUENCE 5e — length in octets of value that follows (92) 02 — type tag indicating INTEGER 01 — length in octets of value that follows 00 — value (0) 30 — type tag indicating SEQUENCE 37 — length in octets of value that follows (55) 02 — type tag indicating INTEGER 02 — length in octets of value that follows 1834 — value (6196) (of counter) 04 — type tag indicating STRING 14 — length in octets of value that follows (20) 519c0248f04d316a3d71e03978b4126fbfb2b15c — value (of manifest hash) 04 — type tag indicating STRING 00 — length in octets of value that follows (0); empty, so no value to follow (sleep hash is absent) 04 — type tag indicating STRING 14 — length in octets of value that follows (20) 67fc18385630dc6429726677d196c81466f47b5e — value (of restore nonce: snon) 31 — type tag indicating SET (of subcounters) 03 — length in octets of value that follows (3) c00100 — value (priv element [0]=0) 04 — type tag indicating STRING 20 — length in octets of value that follows (32) 27b6dadbab356612997af0203cefeae51fe90cd985ee7cdd6211c766b8cc7a60 — value (SHA-256 HMAC of the previous SEQUENCE)
Example 2:
./seputil --art get raw ART: 3072020100304b0202186c0414519c0248f04d316a3d71e03978b4126fbfb2b15c04147f75cb9012128cf71eb8fcd6b13e56a02a7324db041467fc18385630dc6429726677d196c81466f47b5e3103c0010004209ce3646167631d0df8d4db28973db8d5a27f85d345ad6ec220aeb1e22f39f31f Successfully parsed ART: counter: 6252 manifest hash (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c sleep hash (20 bytes): 7f75cb9012128cf71eb8fcd6b13e56a02a7324db restore nonce (20 bytes): 67fc18385630dc6429726677d196c81466f47b5e
Decode (used the decoder here):
SEQUENCE (3 elem) INTEGER 0 SEQUENCE (5 elem) INTEGER 6252 OCTET STRING (20 byte) 519C0248F04D316A3D71E03978B4126FBFB2B15C OCTET STRING (20 byte) 7F75CB9012128CF71EB8FCD6B13E56A02A7324DB OCTET STRING (20 byte) 67FC18385630DC6429726677D196C81466F47B5E SET (1 elem) Private 0 (1 byte) 00 OCTET STRING (32 byte) 9CE3646167631D0DF8D4DB28973DB8D5A27F85D345AD6EC220AEB1E22F39F31F
Example 3:
./seputil --art clear ART cleared from storage ./seputil --art get seputil: Get ART command error: 0xe00002bc