The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Secure Enclave
The Secure Enclave is part of the A7 chip and a basic part of Apples Touch ID fingerprint technology. Within the Secure Enclave the fingerprint data is stored in an encrypted form which - according to Apple - can only be decrypted by a key available by the Secure Enclave thus making fingerprint data walled off from the rest of A7 Chip and as well as the rest of iOS. The secure enclave itself is a flashable 4MB processore called the secure enclave processor (SEP) as documented in Appple Patent Application 20130308838. The technology used is basically ARM's TrustZone/SecurCore.
The SEP is located in the devicetree under IODeviceTree:/arm-io/sep and manged by the AppleSEPManager driver.
SEP OS
The SEP has its own OS called SEP OS and there exists a tool called seputil which is used to communicate with it.
seputil has the following valid commands:
seputil: seputil [--wait] --load <file> seputil: seputil '<SEP console command>' seputil: seputil <command> seputil: seputil: Valid <command> words: seputil: --ping Send a PING operation to the SEP OS seputil: --load Load <file> as the SEP runtime firmware seputil: --restore Load <file> as the SEP runtime firmware in restore mode seputil: --restore+art Load <file> as the SEP runtime firmware in restore mode with ART seputil: --wait Pause for kernel driver to load before failing seputil: --preflight Pre-flight load/restore firmware against ART to pre-check for boot failures seputil: --log Dump the mailbox message log seputil: --rom status Get the ROM status seputil: --rom tz0 Send a ROM TZ0 command seputil: --rom nop Send a ROM NOP command seputil: --rom nonce Send a ROM nonce request seputil: --new-nonce Request new SEP/OS nonce seputil: --kill-nonce Request invalidate SEP/OS nonce seputil: --art get Dump current ART from Memory seputil: --art set Persist the supplied ART to storage seputil: --art clear Clear the persisted ART seputil: --art ctrtest Counter self-test (DESTRUCTIVE - WILL BRICK DEVICE) seputil: --sleep Sleep the SEP NOW! seputil: --nap Nap the SEP NOW! seputil: --pingflood Ping SEP endlessly seputil: --clkgate Enable SEP clock gating seputil: --get <obj> Read obj and write to stdout seputil: --put <obj> Read stdin and write to obj seputil: --boot-check <file> Check whether a firmware might be bootable WRT the current ART seputil: --dump-fw <file> Dump measurements of firmware file seputil: Bare words on the commandline are sent to the SEP as a console command
Examples:
./seputil --pingflood SEP ping #1000 SEP ping #2000 SEP ping #3000 SEP ping #4000 ./seputil --new-nonce Nonce (20 bytes): 0x67fc18385630dc6429726677d196c81466f47b5e ./seputil --art get raw ART: 305e0201003037020218340414519c0248f04d316a3d71e03978b4126fbfb2b15c0400041467fc18385630dc6429726677d196c81466f47b5e3103c00100042027b6dadbab356612997af0203cefeae51fe90cd985ee7cdd6211c766b8cc7a60 Successfully parsed ART: counter: 6196 manifest hash (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c sleep hash is absent restore nonce (20 bytes): 67fc18385630dc6429726677d196c81466f47b5e ./seputil --log Kernel message log has 128 entries 289344381444: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289344385176: 0x0000000000000000 TX interrupt 289344391044: 0x0000000000000000 TX interrupt 289344408988: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289344409016: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289344413132: 0x0000000000000000 RX interrupt 289344413304: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289344413904: 0x0000000000000000 RX interrupt 289344413944: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289344414176: 0x0018000000dd1007 TX message ept 7, tag 10, opcode dd, param 0, data 180000 289344443356: 0x0000000000000000 RX interrupt 289344443428: 0x0068000000dd9007 RX message ept 7, tag 90, opcode dd, param 0, data 680000 289346822748: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 289346829480: 0x0000000000000000 RX interrupt 289346829560: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 289346830136: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 289406511168: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406511204: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406538900: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406538936: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406543628: 0x0000000000000000 TX interrupt 289406549916: 0x0000000000000000 TX interrupt 289406566580: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406566612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406571220: 0x0000000000000000 RX interrupt 289406571476: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289406571908: 0x0000000000000000 RX interrupt 289406571952: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289406572320: 0x0018000000de1007 TX message ept 7, tag 10, opcode de, param 0, data 180000 289406605068: 0x0000000000000000 RX interrupt 289406605152: 0x0068000000de9007 RX message ept 7, tag 90, opcode de, param 0, data 680000 289407383260: 0x003c000000df0907 TX message ept 7, tag 9, opcode df, param 0, data 3c0000 289407396284: 0x0000000000000000 RX interrupt 289407396380: 0x002c000000df8907 RX message ept 7, tag 89, opcode df, param 0, data 2c0000 289407403656: 0x003c000000e00907 TX message ept 7, tag 9, opcode e0, param 0, data 3c0000 289407411688: 0x0000000000000000 RX interrupt 289407411736: 0x002c000000e08907 RX message ept 7, tag 89, opcode e0, param 0, data 2c0000 289407414732: 0x003c000000e10907 TX message ept 7, tag 9, opcode e1, param 0, data 3c0000 289407422472: 0x0000000000000000 RX interrupt 289407422524: 0x002c000000e18907 RX message ept 7, tag 89, opcode e1, param 0, data 2c0000 289408986276: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 289408991756: 0x0000000000000000 RX interrupt 289408991824: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 289408992472: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 289459393276: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459393348: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459423004: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459423048: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459452628: 0x0000000000000000 TX interrupt 289459453612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459453664: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459466460: 0x0000000000000000 TX interrupt 289459469548: 0x0000000000000000 RX interrupt 289459470000: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289459470632: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289459471304: 0x0018000000e21007 TX message ept 7, tag 10, opcode e2, param 0, data 180000 289459524572: 0x0000000000000000 RX interrupt 289459524728: 0x0068000000e29007 RX message ept 7, tag 90, opcode e2, param 0, data 680000 289459532644: 0x004c000000e30f07 TX message ept 7, tag f, opcode e3, param 0, data 4c0000 289459552888: 0x0000000000000000 RX interrupt 289459553044: 0x002c000000e38f07 RX message ept 7, tag 8f, opcode e3, param 0, data 2c0000 289459646732: 0x0018000000e41007 TX message ept 7, tag 10, opcode e4, param 0, data 180000 289459681116: 0x0000000000000000 RX interrupt 289459681272: 0x0068000000e49007 RX message ept 7, tag 90, opcode e4, param 0, data 680000 289461898836: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 289461906796: 0x0000000000000000 RX interrupt 289461906968: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 289461908400: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 289526725980: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526726016: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526757512: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526757552: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526774468: 0x0000000000000000 TX interrupt 289526782688: 0x0000000000000000 TX interrupt 289526786468: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526786540: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526795320: 0x0000000000000000 RX interrupt 289526795828: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289526796304: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289526796984: 0x0018000000e51007 TX message ept 7, tag 10, opcode e5, param 0, data 180000 289526847216: 0x0000000000000000 RX interrupt 289526847348: 0x0068000000e59007 RX message ept 7, tag 90, opcode e5, param 0, data 680000 289529224460: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 289529235316: 0x0000000000000000 RX interrupt 289529235488: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 289529236920: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 289584681764: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584681836: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584710576: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584710608: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584730996: 0x0000000000000000 TX interrupt 289584738992: 0x0000000000000000 TX interrupt 289584739572: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584739612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584748648: 0x0000000000000000 RX interrupt 289584748984: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289584749300: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289584749332: 0x0018000000e61007 TX message ept 7, tag 10, opcode e6, param 0, data 180000 289584790484: 0x0000000000000000 RX interrupt 289584790568: 0x0068000000e69007 RX message ept 7, tag 90, opcode e6, param 0, data 680000 289587176748: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 289587185760: 0x0000000000000000 RX interrupt 289587185916: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 289587186840: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 288741485000: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741485084: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741514772: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741514812: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741533984: 0x0000000000000000 TX interrupt 288741541992: 0x0000000000000000 TX interrupt 288741543608: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741543680: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741552216: 0x0000000000000000 RX interrupt 288741552884: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 288741553388: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 288741553672: 0x0018000000db1007 TX message ept 7, tag 10, opcode db, param 0, data 180000 288741591912: 0x0000000000000000 RX interrupt 288741592040: 0x0068000000db9007 RX message ept 7, tag 90, opcode db, param 0, data 680000 288741599128: 0x004c000000dc0f07 TX message ept 7, tag f, opcode dc, param 0, data 4c0000 288741620732: 0x0000000000000000 RX interrupt 288741620900: 0x002c000000dc8f07 RX message ept 7, tag 8f, opcode dc, param 0, data 2c0000 288742902624: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 288742912320: 0x0000000000000000 RX interrupt 288742912496: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 288742913700: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 289344354176: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289344354216: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289344381416: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 ./seputil --boot-check sep-firmware.img4 preflight: manifest hash matches sepi bootCheck: SEP may boot with ART ./seputil --dump-fw sep-firmware.img4 manifest digest (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c sepi digest (20 bytes): a22813c5ceaeada5b7eeaa55808f3019814e8b8e sepi nonce (20 bytes): e5074bd1befefc685c6b5ec6797ffc851366f76f rsep digest (20 bytes): cb9f4c6520889e2582414c5969fb0abc3b0d8277 rsep nonce (20 bytes): e5074bd1befefc685c6b5ec6797ffc851366f76f