xsscx / srd

Welcome to Hoyt's SRD Repo for the Apple Security Research Device. Contribute Code or Open an Issue or Discussion.

SUMMARY: Resolved: srdutil | hang when using --kernel-cache #28

Closed xsscx closed 2 years ago

xsscx commented 2 years ago

Summary

Can you confirm what version of srdutil contains a working --kernel-cache?

Source https://github.com/apple/security-research-device/blob/main/bin/srdutil

Reproduction

Older: srdutil restore --kernel-cache $(pwd)/kernelcache.patched.image4 ...

srdutil: unrecognized option `--kernel-cache'
srdutil: unknown option: --kernel-cache

Newer: srdutil restore --kernel-cache $(pwd)/kernelcache.patched.image4 ...

hang...

srdutil file info

Tried

codesign -dvvv /usr/local/bin/srdutil
Executable=/usr/local/bin/srdutil
Identifier=com.apple.security.srdutil
Format=Mach-O universal (x86_64 arm64e arm64)
CodeDirectory v=20400 size=787 flags=0x2000(library-validation) hashes=14+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=d265ab2979a223f884963a73c9e93460c2afcd40
CandidateCDHashFull sha256=d265ab2979a223f884963a73c9e93460c2afcd40d0885bc3e43be07576aff175
Hash choices=sha256
CMSDigest=d265ab2979a223f884963a73c9e93460c2afcd40d0885bc3e43be07576aff175
CMSDigestType=2
CDHash=d265ab2979a223f884963a73c9e93460c2afcd40
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=Nov 10, 2021 at 01:33:58
Info.plist entries=18
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=76

Which doesn't have the arg --kernel-cache

Tried

codesign -dvvv srdutil
Executable=/Users/xss/Downloads/security-research-device-main/bin/srdutil
Identifier=com.apple.security.srdutil
Format=Mach-O universal (x86_64 arm64e arm64)
CodeDirectory v=20400 size=787 flags=0x2000(library-validation) hashes=14+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=9ad5286fa35fc5d60c051d0e8e470bbe4c4f0ff2
CandidateCDHashFull sha256=9ad5286fa35fc5d60c051d0e8e470bbe4c4f0ff27b364a7bf85a00eaa7735bd1
Hash choices=sha256
CMSDigest=9ad5286fa35fc5d60c051d0e8e470bbe4c4f0ff27b364a7bf85a00eaa7735bd1
CMSDigestType=2
CDHash=9ad5286fa35fc5d60c051d0e8e470bbe4c4f0ff2
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=Jan 22, 2022 at 05:57:18
Info.plist entries=18
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=76

Which hangs on T8101 & X86_64 for iPhone 11.

Checking with the iPhone 12, srdutil hangs around:

dyld[50263]: dlsym(0xfff13c6d6460, "OSStateCreateStringWithData")
dyld[50263]:      dlsym("OSStateCreateStringWithData") => NULL

https://github.com/apple/security-research-device/issues/56
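As an added example (not part of this issue and not Apple's own srdutil code), a small Python helper that parses the two `codesign -dvvv` captures above and reports which srdutil build carries the newer signature and which fields differ; the captures are excerpted from this thread, and the field names are whatever `codesign` printed.

```python
import re
from datetime import datetime

# Excerpts of the two `codesign -dvvv` captures quoted in the issue above
# (embedded inline so the comparison runs offline).
OLD_SRDUTIL = """\
Executable=/usr/local/bin/srdutil
Identifier=com.apple.security.srdutil
Format=Mach-O universal (x86_64 arm64e arm64)
CDHash=d265ab2979a223f884963a73c9e93460c2afcd40
Signed Time=Nov 10, 2021 at 01:33:58
"""
NEW_SRDUTIL = """\
Executable=/Users/xss/Downloads/security-research-device-main/bin/srdutil
Identifier=com.apple.security.srdutil
Format=Mach-O universal (x86_64 arm64e arm64)
CDHash=9ad5286fa35fc5d60c051d0e8e470bbe4c4f0ff2
Signed Time=Jan 22, 2022 at 05:57:18
"""


def parse_codesign(output):
    """Turn `codesign -dvvv` key=value lines into a dict.

    Keys that repeat (e.g. several Authority= lines) keep the first value;
    lines without '=' are ignored.
    """
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key and key not in fields:
            fields[key] = value.strip()
    return fields


def signed_time(fields):
    """Parse codesign's 'Signed Time' value, e.g. 'Nov 10, 2021 at 01:33:58'."""
    return datetime.strptime(fields["Signed Time"], "%b %d, %Y at %H:%M:%S")


def compare_builds(capture_a, capture_b):
    """Report which capture ('a' or 'b') was signed later and which fields differ."""
    fa, fb = parse_codesign(capture_a), parse_codesign(capture_b)
    if fa["Identifier"] != fb["Identifier"]:
        raise ValueError("different programs: %s vs %s" % (fa["Identifier"], fb["Identifier"]))
    differing = sorted(k for k in fa.keys() | fb.keys() if fa.get(k) != fb.get(k))
    newer = "b" if signed_time(fb) > signed_time(fa) else "a"
    return {"newer": newer, "differing": differing, "same_cdhash": fa["CDHash"] == fb["CDHash"]}
```

On a real machine, feed `subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True).stderr` to `parse_codesign` (codesign writes this report to stderr).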

xsscx commented 2 years ago

SUMMARY

Started out by not using the correct args on the command line for srdutil and generated an error. Needed help, and @Nessphoro provided the right answers.

Steps to successful Kernel Cache Install on iPhone 12

Step 1: Read https://github.com/apple/security-research-device/tree/main/example-kernelcache and complete the steps to generate your first kernel cache.

Step 2: Use the example command line:

defaults write com.apple.AMPDevicesAgent ipsw-variant -string 'Research Customer Erase Install (IPSW)'
killall Finder
srdutil restore -v -s -e 0x1418da3cc0013a -K=/Users/xss/iphone12/example-kernelcache/kernelcache.patched.image4  -i /Users/xss/iphone12/example-kernelcache/iPhone13,2,iPhone13,3_15.4_19E241_Restore.ipsw

Step 3:

Install cryptex

Step 4:

ssh to srd

Step 5:

uname -a
CopyPasta Kernel Cache

Successful kernel cache install for iPhone 12

Thank You