Difference between revisions of "Seputil"

From The iPhone Wiki
Jump to: navigation, search
m (snon)
(subcounters)
Line 298: Line 298:
 
14 — length in octets of value that follows (20)
 
14 — length in octets of value that follows (20)
 
67fc18385630dc6429726677d196c81466f47b5e — value (of restore nonce: snon)
 
67fc18385630dc6429726677d196c81466f47b5e — value (of restore nonce: snon)
31 — type tag indicating SET
+
31 — type tag indicating SET (of subcounters)
 
03 — length in octets of value that follows (3)
 
03 — length in octets of value that follows (3)
c00100 — value
+
c00100 — value (priv element [0]=0)
 
04 — type tag indicating STRING
 
04 — type tag indicating STRING
 
20 — length in octets of value that follows (32)
 
20 — length in octets of value that follows (32)

Revision as of 07:11, 4 August 2017

Original author(s) Apple Inc.
Developer(s) Apple Inc.
Operating system iOS command line
Size 59,184 bytes [APP]
Available in English
Type ?
License Closed source

seputil is an Apple internal application (arm64). It is used to communicate with the Secure Enclave and it's processor - the SEP. The utility ramrod also uses seputil to update the firmware of the SEP. seputil is contained in the ramdisk of H6SURamDisk.dmg (which itself is located in the /usr/standalone/update/ramdisk/ folder of 7.0.4 or 7.0.5 on iPhone5s) and there in /usr/libexec/. You just have strip off the first 0x1b (27) bytes to make the dmg readable.

seputil has the following commands:

seputil: seputil [--wait] --load <file>
seputil: seputil '<SEP console command>'
seputil: seputil <command>
seputil: 
seputil: Valid <command> words:
seputil:     --ping        Send a PING operation to the SEP OS
seputil:     --load        Load <file> as the SEP runtime firmware
seputil:     --restore     Load <file> as the SEP runtime firmware in restore mode
seputil:     --restore+art Load <file> as the SEP runtime firmware in restore mode with ART
seputil:     --wait        Pause for kernel driver to load before failing
seputil:     --preflight   Pre-flight load/restore firmware against ART to pre-check for boot failures
seputil:     --log         Dump the mailbox message log
seputil:     --rom status  Get the ROM status
seputil:     --rom tz0     Send a ROM TZ0 command
seputil:     --rom nop     Send a ROM NOP command
seputil:     --rom nonce   Send a ROM nonce request
seputil:     --new-nonce   Request new SEP/OS nonce
seputil:     --kill-nonce  Request invalidate SEP/OS nonce
seputil:     --art get     Dump current ART from Memory
seputil:     --art set     Persist the supplied ART to storage
seputil:     --art clear   Clear the persisted ART
seputil:     --art ctrtest Counter self-test (DESTRUCTIVE - WILL BRICK DEVICE)
seputil:     --sleep       Sleep the SEP NOW!
seputil:     --nap         Nap the SEP NOW!
seputil:     --pingflood   Ping SEP endlessly
seputil:     --clkgate     Enable SEP clock gating
seputil:     --get <obj>   Read obj and write to stdout
seputil:     --put <obj>   Read stdin and write to obj
seputil:     --boot-check <file>  Check whether a firmware might be bootable WRT the current ART
seputil:     --dump-fw <file>     Dump measurements of firmware file
seputil:   Bare words on the commandline are sent to the SEP as a console command

Examples

./seputil --pingflood
SEP ping #1000
SEP ping #2000
SEP ping #3000
SEP ping #4000

./seputil --load sep-firmware.img4 
seputil: load fw returned 0xe00002d5
seputil: load failed

./seputil --new-nonce
Nonce (20 bytes): 0x67fc18385630dc6429726677d196c81466f47b5e

./seputil --art get  
raw ART: 305e0201003037020218340414519c0248f04d316a3d71e03978b4126fbfb2b15c0400041467fc18385630dc6429726677d196c81466f47b5e3103c00100042027b6dadbab356612997af0203cefeae51fe90cd985ee7cdd6211c766b8cc7a60
Successfully parsed ART:
counter: 6196
manifest hash (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c
sleep hash is absent
restore nonce (20 bytes): 67fc18385630dc6429726677d196c81466f47b5e

./seputil --art set
Segmentation fault: 11

./seputil --log    
Kernel message log has 128 entries
289344381444: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289344385176: 0x0000000000000000 TX interrupt
289344391044: 0x0000000000000000 TX interrupt
289344408988: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289344409016: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289344413132: 0x0000000000000000 RX interrupt
289344413304: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289344413904: 0x0000000000000000 RX interrupt
289344413944: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289344414176: 0x0018000000dd1007 TX message ept 7, tag 10, opcode dd, param 0, data 180000
289344443356: 0x0000000000000000 RX interrupt
289344443428: 0x0068000000dd9007 RX message ept 7, tag 90, opcode dd, param 0, data 680000
289346822748: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0
289346829480: 0x0000000000000000 RX interrupt
289346829560: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0
289346830136: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0
289406511168: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289406511204: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289406538900: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289406538936: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289406543628: 0x0000000000000000 TX interrupt
289406549916: 0x0000000000000000 TX interrupt
289406566580: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289406566612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289406571220: 0x0000000000000000 RX interrupt
289406571476: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289406571908: 0x0000000000000000 RX interrupt
289406571952: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289406572320: 0x0018000000de1007 TX message ept 7, tag 10, opcode de, param 0, data 180000
289406605068: 0x0000000000000000 RX interrupt
289406605152: 0x0068000000de9007 RX message ept 7, tag 90, opcode de, param 0, data 680000
289407383260: 0x003c000000df0907 TX message ept 7, tag 9, opcode df, param 0, data 3c0000
289407396284: 0x0000000000000000 RX interrupt
289407396380: 0x002c000000df8907 RX message ept 7, tag 89, opcode df, param 0, data 2c0000
289407403656: 0x003c000000e00907 TX message ept 7, tag 9, opcode e0, param 0, data 3c0000
289407411688: 0x0000000000000000 RX interrupt
289407411736: 0x002c000000e08907 RX message ept 7, tag 89, opcode e0, param 0, data 2c0000
289407414732: 0x003c000000e10907 TX message ept 7, tag 9, opcode e1, param 0, data 3c0000
289407422472: 0x0000000000000000 RX interrupt
289407422524: 0x002c000000e18907 RX message ept 7, tag 89, opcode e1, param 0, data 2c0000
289408986276: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0
289408991756: 0x0000000000000000 RX interrupt
289408991824: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0
289408992472: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0
289459393276: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289459393348: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289459423004: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289459423048: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289459452628: 0x0000000000000000 TX interrupt
289459453612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289459453664: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289459466460: 0x0000000000000000 TX interrupt
289459469548: 0x0000000000000000 RX interrupt
289459470000: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289459470632: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289459471304: 0x0018000000e21007 TX message ept 7, tag 10, opcode e2, param 0, data 180000
289459524572: 0x0000000000000000 RX interrupt
289459524728: 0x0068000000e29007 RX message ept 7, tag 90, opcode e2, param 0, data 680000
289459532644: 0x004c000000e30f07 TX message ept 7, tag f, opcode e3, param 0, data 4c0000
289459552888: 0x0000000000000000 RX interrupt
289459553044: 0x002c000000e38f07 RX message ept 7, tag 8f, opcode e3, param 0, data 2c0000
289459646732: 0x0018000000e41007 TX message ept 7, tag 10, opcode e4, param 0, data 180000
289459681116: 0x0000000000000000 RX interrupt
289459681272: 0x0068000000e49007 RX message ept 7, tag 90, opcode e4, param 0, data 680000
289461898836: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0
289461906796: 0x0000000000000000 RX interrupt
289461906968: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0
289461908400: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0
289526725980: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289526726016: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289526757512: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289526757552: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289526774468: 0x0000000000000000 TX interrupt
289526782688: 0x0000000000000000 TX interrupt
289526786468: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289526786540: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289526795320: 0x0000000000000000 RX interrupt
289526795828: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289526796304: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289526796984: 0x0018000000e51007 TX message ept 7, tag 10, opcode e5, param 0, data 180000
289526847216: 0x0000000000000000 RX interrupt
289526847348: 0x0068000000e59007 RX message ept 7, tag 90, opcode e5, param 0, data 680000
289529224460: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0
289529235316: 0x0000000000000000 RX interrupt
289529235488: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0
289529236920: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0
289584681764: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289584681836: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289584710576: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289584710608: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289584730996: 0x0000000000000000 TX interrupt
289584738992: 0x0000000000000000 TX interrupt
289584739572: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289584739612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289584748648: 0x0000000000000000 RX interrupt
289584748984: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289584749300: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
289584749332: 0x0018000000e61007 TX message ept 7, tag 10, opcode e6, param 0, data 180000
289584790484: 0x0000000000000000 RX interrupt
289584790568: 0x0068000000e69007 RX message ept 7, tag 90, opcode e6, param 0, data 680000
289587176748: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0
289587185760: 0x0000000000000000 RX interrupt
289587185916: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0
289587186840: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0
288741485000: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
288741485084: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
288741514772: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
288741514812: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
288741533984: 0x0000000000000000 TX interrupt
288741541992: 0x0000000000000000 TX interrupt
288741543608: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
288741543680: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
288741552216: 0x0000000000000000 RX interrupt
288741552884: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
288741553388: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0
288741553672: 0x0018000000db1007 TX message ept 7, tag 10, opcode db, param 0, data 180000
288741591912: 0x0000000000000000 RX interrupt
288741592040: 0x0068000000db9007 RX message ept 7, tag 90, opcode db, param 0, data 680000
288741599128: 0x004c000000dc0f07 TX message ept 7, tag f, opcode dc, param 0, data 4c0000
288741620732: 0x0000000000000000 RX interrupt
288741620900: 0x002c000000dc8f07 RX message ept 7, tag 8f, opcode dc, param 0, data 2c0000
288742902624: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0
288742912320: 0x0000000000000000 RX interrupt
288742912496: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0
288742913700: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0
289344354176: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289344354216: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0
289344381416: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0

./seputil --boot-check sep-firmware.img4 
preflight: manifest hash matches sepi
bootCheck: SEP may boot with ART

./seputil --dump-fw sep-firmware.img4 
manifest digest (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c
sepi digest (20 bytes): a22813c5ceaeada5b7eeaa55808f3019814e8b8e
sepi nonce (20 bytes): e5074bd1befefc685c6b5ec6797ffc851366f76f
rsep digest (20 bytes): cb9f4c6520889e2582414c5969fb0abc3b0d8277
rsep nonce (20 bytes): e5074bd1befefc685c6b5ec6797ffc851366f76f

jtool dissect

./jtool -l /Volumes/ramdisk/usr/libexec/seputil 
LC 00: LC_SEGMENT_64          Mem: 0x000000000-0x100000000	__PAGEZERO
LC 01: LC_SEGMENT_64          Mem: 0x100000000-0x100008000	__TEXT
	0x0000000100000ce8-0x00000001000055e0	__TEXT.__text
	0x00000001000055e0-0x00000001000058ec	__TEXT.__stubs
	0x00000001000058ec-0x0000000100005c10	__TEXT.__stub_helper
	0x0000000100005c10-0x0000000100006e5d	__TEXT.__cstring
	0x0000000100006e60-0x0000000100007fac	__TEXT.__const
	0x0000000100007fac-0x0000000100007ff4	__TEXT.__unwind_info
LC 02: LC_SEGMENT_64          Mem: 0x100008000-0x10000c000	__DATA
	0x0000000100008000-0x0000000100008050	__DATA.__got
	0x0000000100008050-0x0000000100008258	__DATA.__la_symbol_ptr
	0x0000000100008258-0x00000001000086e8	__DATA.__const
	0x00000001000086e8-0x0000000100008990	__DATA.__data
	0x0000000100008990-0x00000001000089b0	__DATA.__bss
LC 03: LC_SEGMENT_64          Mem: 0x10000c000-0x100010000	__LINKEDIT
LC 04: LC_DYLD_INFO_ONLY     
LC 05: LC_SYMTAB             	Symbol table is at offset 0xd9c8, with 77 entries
LC 06: LC_DYSYMTAB           
LC 07: LC_LOAD_DYLINKER      	/usr/lib/dyld
LC 08: LC_UUID               	UUID: 5C06A94F-63A7-3150-95B6-65567C70A3C8
LC 09: LC_VERSION_MIN_IPHONEOS	Minimum iOS  version:    7.0.0
LC 10: LC_SOURCE_VERSION     	Source Version:          69.1.1.0.0
LC 11: LC_MAIN               	Entry Point:             0x1448 (Mem: 100001448)
LC 12: LC_LOAD_DYLIB         	/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
LC 13: LC_LOAD_DYLIB         	/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
LC 14: LC_LOAD_DYLIB         	/usr/lib/libSystem.B.dylib
LC 15: LC_FUNCTION_STARTS    	Offset: 55592, Size: 120
LC 16: LC_DATA_IN_CODE       	Offset: 55712, Size: 0
LC 17: LC_DYLIB_CODE_SIGN_DRS	Offset: 55712, Size: 40
LC 18: LC_CODE_SIGNATURE     	Offset: 58704, Size: 480

ART Object

Example 1:

./seputil --art get  
raw ART: 305e0201003037020218340414519c0248f04d316a3d71e03978b4126fbfb2b15c0400041467fc18385630dc6429726677d196c81466f47b5e3103c00100042027b6dadbab356612997af0203cefeae51fe90cd985ee7cdd6211c766b8cc7a60
Successfully parsed ART:
counter: 6196
manifest hash (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c
sleep hash is absent
restore nonce (20 bytes): 67fc18385630dc6429726677d196c81466f47b5e

raw ART is also a DER encoded ASN.1 object:

30 — type tag indicating SEQUENCE
5e — length in octets of value that follows (92)
   02 — type tag indicating INTEGER
   01 — length in octets of value that follows
      00 — value (0)
   30 — type tag indicating SEQUENCE
   37 — length in octets of value that follows (55)
      02 — type tag indicating INTEGER
      02 — length in octets of value that follows
         1834 — value (6196) (of counter)
      04 — type tag indicating STRING
      14 — length in octets of value that follows (20)
         519c0248f04d316a3d71e03978b4126fbfb2b15c — value (of manifest hash)
      04 — type tag indicating STRING
      00 — length in octets of value that follows (0); empty, so no value to follow (sleep hash is absent)
      04 — type tag indicating STRING
      14 — length in octets of value that follows (20)
         67fc18385630dc6429726677d196c81466f47b5e — value (of restore nonce: snon)
      31 — type tag indicating SET (of subcounters)
      03 — length in octets of value that follows (3)
      c00100 — value (priv element [0]=0)
   04 — type tag indicating STRING
   20 — length in octets of value that follows (32)
      27b6dadbab356612997af0203cefeae51fe90cd985ee7cdd6211c766b8cc7a60 — value (SHA-256 HMAC of the previous SEQUENCE)
 

Example 2:

./seputil --art get
raw ART: 3072020100304b0202186c0414519c0248f04d316a3d71e03978b4126fbfb2b15c04147f75cb9012128cf71eb8fcd6b13e56a02a7324db041467fc18385630dc6429726677d196c81466f47b5e3103c0010004209ce3646167631d0df8d4db28973db8d5a27f85d345ad6ec220aeb1e22f39f31f
Successfully parsed ART:
counter: 6252
manifest hash (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c
sleep hash (20 bytes): 7f75cb9012128cf71eb8fcd6b13e56a02a7324db
restore nonce (20 bytes): 67fc18385630dc6429726677d196c81466f47b5e

Decode (used the decoder here):

SEQUENCE (3 elem)
   INTEGER 0
   SEQUENCE (5 elem)
      INTEGER 6252
      OCTET STRING (20 byte) 519C0248F04D316A3D71E03978B4126FBFB2B15C
      OCTET STRING (20 byte) 7F75CB9012128CF71EB8FCD6B13E56A02A7324DB
      OCTET STRING (20 byte) 67FC18385630DC6429726677D196C81466F47B5E
      SET (1 elem)
         Private 0 (1 byte) 00
   OCTET STRING (32 byte) 9CE3646167631D0DF8D4DB28973DB8D5A27F85D345AD6EC220AEB1E22F39F31F

Example 3:

./seputil --art clear
ART cleared from storage

./seputil --art get  
seputil: Get ART command error: 0xe00002bc