• Stars: 111
• Rank: 314,510 (Top 7 %)
• Language: Assembly
• Created over 5 years ago
• Updated almost 2 years ago


Repository Details

Apple hardware secrets

APRR

Some utilities to probe/explore Apple's APRR CPU feature.

Write-up here.

Building

You'll need vmacho from my misc repo. Once you have that, just:

make

Usage

Requires the ability to run shellcode in EL1 on A10 chips or newer.
You might want to tweak APRR0_MASK/APRR1_MASK in aprr.s before using.

Upload aprr.bin to a physically contiguous region of memory, then make one CPU jump to it right after reset. Once it has run through, dump 0x13000 bytes starting at offset 0x10 of that memory region and transfer them back to the host. Feed the saved bindump to the parse util together with the APRR0_MASK/APRR1_MASK values you used. The dump holds four data sets, at offsets 0x0, 0x4c00, 0x9800 and 0xe400. Example invocation:

./parse result.bin 0x0    0xfffff3f3fffff3f3 0xfffff3f3fffff3f3 >results/0xfffff3f3fffff3f3-0xfffff3f3fffff3f3-PAN-WXN.txt
./parse result.bin 0x4c00 0xfffff3f3fffff3f3 0xfffff3f3fffff3f3 >results/0xfffff3f3fffff3f3-0xfffff3f3fffff3f3-NOPAN-WXN.txt
./parse result.bin 0x9800 0xfffff3f3fffff3f3 0xfffff3f3fffff3f3 >results/0xfffff3f3fffff3f3-0xfffff3f3fffff3f3-PAN-NOWXN.txt
./parse result.bin 0xe400 0xfffff3f3fffff3f3 0xfffff3f3fffff3f3 >results/0xfffff3f3fffff3f3-0xfffff3f3fffff3f3-NOPAN-NOWXN.txt

Results

/results contains a pre-parsed set of test results, run on an A10 device.

See that folder for a format description.

yolo.c

Contains a kernel info leak that gives you the address of __PPLDATA_CONST on A12. It was a 0day at the time of writing and should work at least up to and including iOS 13.0 beta 6.

More Repositories

1. ios-resources, 1,579 stars: Useful resources for iOS hacking
2. IOHIDeous (C), 443 stars: IOHIDFamily 0day
3. psychicpaper (C), 327 stars: iOS <13.5 sandbox escape/entitlement 0day
4. iometa (C), 256 stars: arm64 IOKit class dumper
5. v0rtex (Objective-C), 215 stars: IOSurface exploit
6. iokit-utils (C), 192 stars: Dev tools for probing IOKit
7. libkrw (C), 188 stars: Lib kernel r/w
8. imobax (C), 178 stars: iOS Mobile Backup Extractor
9. cl0ver (C), 154 stars: tfp0 for iOS 9.0-9.3.4
10. PhoenixNonce (Objective-C), 96 stars: 64-bit nonce setter for iOS 9.3.4-9.3.5
11. hsp4 (C), 89 stars: macOS kext for host_special_port(4) patch
12. tbdump (C), 77 stars: Utility to create tbd's off dylibs
13. dt (C), 73 stars: DeviceTree
14. IOKernelRW (C++), 63 stars: Insecurity as an IOService
15. cuck00 (C), 53 stars: Twenty-twenty, bugs aplenty!
16. ios-scripts (Shell), 50 stars: iOS-related command line goodies
17. nordump (C++), 41 stars: Apple Silicon NOR dumper
18. lz4dec (C), 40 stars: Tiny arm64 LZ4 decompressor
19. ld64 (Makefile), 40 stars: Apple ld64 for Debian
20. ios-build (C), 36 stars: Build files for things related to iOS
21. misc (C), 34 stars
22. siguza.github.io (HTML), 28 stars: Siguza's Blog
23. fscmp (C), 27 stars: CLI frontend for com.apple.decmpfs / AppleFSCompression.framework
24. UserScripts (JavaScript), 14 stars: My Tampermonkey scripts
25. aea1meta (C), 12 stars: AEA metadata dumper
26. libprovision, 10 stars: Library for dealing with Apple provisioning profiles and code signatures
27. StackScripts (JavaScript), 7 stars: My Tampermonkey scripts I use on StackExchange sites
28. VirtualPack (Java), 7 stars: Bukkit Plugin "VirtualPack"
29. recfg (C), 6 stars
30. Stash (Shell), 6 stars: Random stuff
31. lz4hc (C), 3 stars
32. libcrippy-1 (Makefile), 2 stars: Forked from openjailbreak.org
33. NBTLib (Java), 1 star: A version-persistent bridge between Bukkit and Minecraft
34. libpartialzip-1 (C), 1 star: Forked from openjailbreak.org
35. InvisiNOT (Java), 1 star: Bukkit Plugin "InvisiNOT"