Skip to content

Instantly share code, notes, and snippets.

@Cryptiiiic

Cryptiiiic/Cryptex.md

Last active October 30, 2024 03:38
Show Gist options
  • Save Cryptiiiic/bd01fac6e8b8ee0c33f71c92cf91ce3d to your computer and use it in GitHub Desktop.
Save Cryptiiiic/bd01fac6e8b8ee0c33f71c92cf91ce3d to your computer and use it in GitHub Desktop.
Download ZIP
Short overview of iOS 16+ nonce-seeds nvram variable most notably used for cryptex.
Raw
Cryptex.md

Cryptex

Short overview of iOS 16+ nonce-seeds nvram variable most notably used for cryptex.

Some structs

struct nonce_seeds_header {
    uint32_t blob_version;
    uint8_t pad[6];
    uint64_t hash_size;
    uint8_t boot_manifest_hash[48];
    uint8_t end_data[9];
};

struct nonce_seed {
    uint8_t unused_pad[8];
    uint8_t seed[16];
    uint8_t unused_end_pad[16];
};

struct nonce_seeds {
    struct nonce_seeds_header header;
    struct nonce_seed seeds[];
};

nonce-seeds nvram variable dumped from d22ap 16.5

sizeof() == 0x203

// Header/Unknown
0200000000000000000030000000000000000
// boot manifest hash(hash of the apticket)
686F676501C75A59C06249BE55AC2EF640EA62D61A7D22F8107334CC054209806CB556AA808C258579DB649809C9B7D0
// Header/Unknown tail
10B00000000000000

// com.apple.private.img4.nonce.test seed
0000000000000000969B93AD696856F7028D7749240DCF57
00000000000000000000000000000000
// com.apple.private.img4.nonce.trust-cache
00000000000000003E6D083FE13F96E4BE5ECB53724FA7C5
00000000000000000000000000000000
// com.apple.private.img4.nonce.pdi
000000000000000068CA2566CA4CD905C9B3D4BA1026B5EF
00000000000000000000000000000000
// com.apple.private.img4.nonce.cryptex
00000000000000004FFBEDCCAEBE8AB453DA9AD6A80F9916
00000000000000000000000000000000
// com.apple.private.img4.nonce.ddi
00000000000000009BEA1F420ADF76D1A1D468A127336B3F
00000000000000000000000000000000
// com.apple.private.img4.nonce.ephemeral-cryptex
000000000000000032E1867193B3F3CDF6D0EA4CE88138D8
00000000000000000000000000000000
// com.apple.private.img4.nonce.cryptex1.snuf-stub
0000000000000000210EE4C7137BCE636EB97BEED39D9B8D
00000000000000000000000000000000
// com.apple.private.img4.nonce.cryptex1.boot
000000000000000096DF5AC45A5EE83D7FC19A8494E4A322
00000000000000000000000000000000
// com.apple.private.img4.nonce.cryptex1.asset
0000000000000000177CEF5E8F0AE3D4D47FC31EC3FFEA40
00000000000000000000000000000000
// com.apple.private.img4.nonce.cryptex1.supplemental
00000000000000008040B8B7460A994FC71D2D150B84C0EB
00000000000000000000000000000000
// com.apple.private.img4.nonce.cryptex1.simulator
0000000000000000894F312358177C93ACC9B00412149500
00000000000000000000000000000000

based on the structs then cryptex seed would be: com.apple.private.img4.nonce.cryptex1.boot 0x96DF5AC45A5EE83D7FC19A8494E4A322

int crypex_boot_domain_index = 7;
struct nonce_seeds *nonce_seeds_struct = get_nonce_seeds();
uint8_t cryptex_seed = (uint8_t *)&(nonce_seeds_struct->seeds[crypex_boot_domain_index].seed);

There seems to be no consistency with nonce-seeds sizes, apple changes it when they want...

nonce-seeds size differences:

a11 16.5-16.7.x: 0x203
a14 16.1.1: 0x1B4
a15 15.0 beta: 0xD0
a15 15.4.1: 0x132
@P5-2005
Copy link

P5-2005 commented Apr 21, 2024
edited
Loading

about unknown header :

686F676501C75A59C06249BE55AC2EF640EA62D61A7D22F8107334CC054209806CB556AA808C258579DB649809C9B7D0

this is preboot random folder, aka the hash of apticket.der
confirmed already this on 16.7.7

C:\Users\PC\Downloads\libimobile-suite-latest_x86_64-mingw64>ideviceinfo -k NonVolatileRAM | findstr "nonce-seeds"
nonce-seeds: AgAAAAAAAAAAADAAAAAAAAAAXHKCXnvpWc6oTPqJMTGcum6zTbcEjMxYTEuRQfyjVz8KFszt6Jjc7mmUPvvgzOplAQsAAAAAAAAAAAAAAAAAAACVNHYQ43w66gfhl7AHpztpAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAn2lMNSLMENd5B8wdJ0uOmwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN7zyVZlkvnNf/Dw/IWGEoQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/We2biUMMMTGgJBo7qx3IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAuTwIMUB4OXqR3jZDMTI4sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKRYwy9Vwva7hmq+IFRrqaoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1mixtGBP/1kPd1BNGuc4wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANRxhH1gdcpSwO1/GHYyxrQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5V9Li2Cv1ZW+TzzeizxHYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACXOGC/TdFioykez1OAYd5EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAptbpHj3iyF0TTbFO2pTMBQAAAAAAAAAAAAAAAAAAAAA=

0200000000000000000030000000000000005c72825e7be959cea84cfa8931319cba6eb34db7048ccc584c4b9141fca3573f0a16ccede898dcee69943efbe0ccea65010b00000000000000000000000000000095347610e37c3aea07e197b007a73b690000000000000000000000000000000000000000000000009f694c3522cc10d77907cc1d274b8e9b000000000000000000000000000000000000000000000000def3c9566592f9cd7ff0f0fc858612840000000000000000000000000000000000000000000000003f59ed9b89430c3131a0241a3bab1dc8000000000000000000000000000000000000000000000000b93c08314078397a91de3643313238b0000000000000000000000000000000000000000000000000a458c32f55c2f6bb866abe20546ba9aa000000000000000000000000000000000000000000000000359a2c6d1813ffd643ddd41346b9ce30000000000000000000000000000000000000000000000000351c611f581d7294b03b5fc61d8cb1ad0000000000000000000000000000000000000000000000002e55f4b8b60afd595be4f3cde8b3c476000000000000000000000000000000000000000000000000973860bf4dd162a3291ecf538061de44000000000000000000000000000000000000000000000000a6d6e91e3de2c85d134db14eda94cc0500000000000000000000000000000000

020000000000000000003000000000000000
5c72825e7be959cea84cfa8931319cba6eb34db7048ccc584c4b9141fca3573f0a16ccede898dcee69943efbe0ccea65
010b00000000000000
000000000000000095347610e37c3aea07e197b007a73b6900000000000000000000000000000000
00000000000000009f694c3522cc10d77907cc1d274b8e9b00000000000000000000000000000000
0000000000000000def3c9566592f9cd7ff0f0fc8586128400000000000000000000000000000000
00000000000000003f59ed9b89430c3131a0241a3bab1dc800000000000000000000000000000000
0000000000000000b93c08314078397a91de3643313238b000000000000000000000000000000000
0000000000000000a458c32f55c2f6bb866abe20546ba9aa00000000000000000000000000000000
0000000000000000359a2c6d1813ffd643ddd41346b9ce3000000000000000000000000000000000
0000000000000000351c611f581d7294b03b5fc61d8cb1ad00000000000000000000000000000000
00000000000000002e55f4b8b60afd595be4f3cde8b3c47600000000000000000000000000000000
0000000000000000973860bf4dd162a3291ecf538061de4400000000000000000000000000000000
0000000000000000a6d6e91e3de2c85d134db14eda94cc0500000000000000000000000000000000

Screenshot 2024-04-21 215855

Screenshot 2024-04-21 221501

@Cryptiiiic
Copy link
Author

@P5-2005 yah this file was a bit old I discovered as much after that but forgot to add it. Just updated it. I also added some size documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment