📱
Hooking the iOS BootChain™

Liam(Cryptic) Cryptiiiic

@Cryptiiiic
Cryptiiiic / How to find OFFSET_ROP_ADD_X0_X0_0x10 for v0rtex.md
Last active December 9, 2017 18:07
Guide for finding the ROP Gadget for the v0rtex exploit.md
  1. Open the decompressed kernel in radare2: r2 kernelcache.release.nxxx.dec (the kernelcache has to be decompressed first; the search will find nothing in the compressed image).
  2. Once the kernel is open in r2, search for the assembly sequence with "/c add x0, x0, 0x10; ret". You should get an output like this:
  3. Take the second address at the top (in this example it is 0xfffffff00651a178) and seek to it minus 0x4, i.e. one instruction earlier: s 0xfffffff00651a178 - 0x4.
  4. Print the two instructions starting at 0xfffffff00651a174 with pd 2. The output should look similar to this:
  5. If the output shows add x0, x0, 0x10 immediately followed by ret, the address of the add x0, x0, 0x10 instruction is the ROP gadget offset. This is the unslid kernelcache address; the exploit adds the KASLR slide at runtime. (In current radare2 releases this instruction search lives under /ad; /c has since been reassigned.)
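The same search done by instruction encoding rather than through a disassembler, as an added example (not the gist's code and not part of v0rtex). It scans a raw decompressed arm64 kernelcache for `add x0, x0, #0x10` immediately followed by `ret`, which is exactly the condition step 5 has you confirm with pd 2, and it also decodes the immediate so a near-miss such as `add x0, x0, #0x20 ; ret` can be told apart. The sample image, the base address 0xfffffff007004000 and the assumption that file offsets map to virtual addresses by plain addition are all assumptions of this example; a kernelcache whose segments are not laid out contiguously needs an LC_SEGMENT_64 walk instead.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example (not the gist author's code): find the v0rtex gadget
 * `add x0, x0, #0x10 ; ret` in a flat arm64 image by its encoding.
 * Assumes the caller supplies the unslid VA of buf[0] and that VA = base + file offset.
 * AArch64 encodings (stored little-endian):
 *   add x0, x0, #0x10 -> 0x91004000  (ADD imm: sf=1, sh=0, imm12=0x10, Rn=0, Rd=0)
 *   ret               -> 0xd65f03c0  (RET x30) */
#define INSN_ADD_X0_X0_0x10 0x91004000u
#define INSN_RET            0xd65f03c0u
#define SAMPLE_BASE_VA      0xfffffff007004000ULL /* assumed unslid __TEXT base */

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* If insn is `add x0, x0, #imm` (64-bit, unshifted) return imm (0..4095), else -1.
 * The mask pins sf/op/S, the 100010 opcode field, sh, Rn and Rd; imm12 is bits 21..10. */
int add_x0_x0_imm(uint32_t insn)
{
    if ((insn & 0xFFC003FFu) != 0x91000000u)
        return -1;
    return (int)((insn >> 10) & 0xFFFu);
}

/* Report each `add x0, x0, #0x10` that is immediately followed by `ret`.
 * Instructions are fixed-size and 4-byte aligned, so a stride of 4 is exhaustive.
 * Writes up to max_hits VAs (base_va + file offset); returns how many were written. */
size_t find_add_x0_gadgets(const uint8_t *buf, size_t len, uint64_t base_va,
                           uint64_t *out, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off + 8 <= len && n < max_hits; off += 4) {
        if (rd32le(buf + off) == INSN_ADD_X0_X0_0x10 &&
            rd32le(buf + off + 4) == INSN_RET)
            out[n++] = base_va + off;
    }
    return n;
}

/* Constructed sample image (not a real kernelcache): nine instructions including
 * two decoys that a search for the add alone would report. Returns bytes written. */
size_t build_sample_image(uint8_t *dst, size_t cap)
{
    static const uint32_t insns[] = {
        0xd503201f, /* nop */
        0x91004000, /* add x0, x0, #0x10        decoy: followed by nop, not ret */
        0xd503201f, /* nop */
        0x91008000, /* add x0, x0, #0x20 ; ret  decoy: wrong immediate */
        0xd65f03c0,
        0xd503201f, /* nop */
        0x91004000, /* add x0, x0, #0x10 ; ret  the gadget, at file offset 0x18 */
        0xd65f03c0,
        0xd503201f, /* nop */
    };
    size_t n = sizeof insns / sizeof insns[0];
    if (cap < n * 4)
        return 0;
    for (size_t i = 0; i < n; i++)
        wr32le(dst + i * 4, insns[i]);
    return n * 4;
}

/* Scan the sample image: returns the first hit's VA (0 if none), hit count via *count. */
uint64_t sample_gadget_va(size_t *count)
{
    uint8_t img[64];
    uint64_t hits[8];
    size_t len = build_sample_image(img, sizeof img);
    size_t n = find_add_x0_gadgets(img, len, SAMPLE_BASE_VA, hits, 8);
    if (count) *count = n;
    return n ? hits[0] : 0;
}
size_t sample_gadget_count(void) { size_t n; sample_gadget_va(&n); return n; }

/* ./gadget -> sample image;  ./gadget kernelcache.dec [base_va] -> real image */
int main(int argc, char **argv)
{
    if (argc < 2) {
        size_t n;
        uint64_t va = sample_gadget_va(&n);
        printf("sample: %zu hit(s), OFFSET_ROP_ADD_X0_X0_0x10 = 0x%llx\n",
               n, (unsigned long long)va);
        return n == 1 ? 0 : 1;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END); long sz = ftell(f); fseek(f, 0, SEEK_SET);
    uint8_t *buf = sz > 0 ? malloc((size_t)sz) : NULL;
    if (!buf || fread(buf, 1, (size_t)sz, f) != (size_t)sz) { perror("read"); return 1; }
    fclose(f);
    uint64_t base = argc > 2 ? strtoull(argv[2], NULL, 0) : SAMPLE_BASE_VA;
    uint64_t hits[64];
    size_t n = find_add_x0_gadgets(buf, (size_t)sz, base, hits, 64);
    for (size_t i = 0; i < n; i++)
        printf("add x0, x0, #0x10 ; ret at 0x%llx\n", (unsigned long long)hits[i]);
    free(buf);
    return n ? 0 : 1;
}
```

Run without arguments it scans the constructed image and reports the one true gadget at 0xfffffff007004018, ignoring the add that is not followed by ret and the add with the wrong immediate; with a decompressed kernelcache as argument it prints every candidate, and the second argument overrides the assumed base address if __TEXT does not start at 0xfffffff007004000 on your build.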
@Cryptiiiic
Cryptiiiic / How to find OFFSET_ZONE_MAP for v0rtex.md
Created December 9, 2017 19:01
Guide to finding the Zone Map offset for v0rtex
  1. Open your decompressed kernel in Hopper.
  2. Go to the Strings tab and search for zone_init: kmem_suballoc failed.
  3. Click the result. Then double-click the DATA XREF=sub_fffffff entry, which takes you to the code in zone_init that references the panic string.
  4. Double-click the DATA XREF at the very far right of the location you landed on.
  5. The offset is the first qword above the location you jumped to.
@Cryptiiiic
Cryptiiiic / offsets_multipath_kfree.md
Last active March 1, 2023 05:45
How to find offsets for Multipath_KFree
  1. Open Terminal and run nm kernelcache.dec | grep _kernproc. In this example, 0xfffffff0075d50a0 is our kernproc address (iPhone 6S on 11.3.1).
  2. Drag your kernelcache.dec into IDA and string-search for fStampMapping[kAGXHostMemoryTimestamp]. This should take you to the com.apple.AGXG5P:__cstring section.
  3. Double-click on the first text:FFFFFFF... xref.
  4. Scroll down all the way until you see something like this.
  5. Double-click on the unk_FFFFFFF... operand of the second ADRP.
@Cryptiiiic
Cryptiiiic / jelbrekicu.sh
Created March 1, 2020 11:48
JelbrekICU Mac Screenshot upload script.
#!/bin/bash
# Point screencapture at $HOME/Screenshots if it is not already there. A tilde inside double
# quotes is not expanded by bash, so the comparison and the write both use $HOME explicitly.
if [ "$(defaults read com.apple.screencapture location 2>/dev/null)" != "$HOME/Screenshots" ]; then
    defaults write com.apple.screencapture location "$HOME/Screenshots"
fi
if [[ -f "/usr/local/bin/jq" ]]; then
    cd ~/Screenshots || exit 1
    name=jelbrek_icu.png
    touch ./.screenshot_watch
@Cryptiiiic
Cryptiiiic / futurerestore-static-linux.sh
Last active July 17, 2024 19:15
Futurerestore static compile script for Linux
#!/usr/bin/env bash
# Made by @Cryptiiiic, Cryptic#6293
# please build in this docker container:
# docker run -it --name debian debian:buster-slim
set -e
export FR_BASE=/tmp/build
export C_ARGS="-fPIC -static"
export CXX_ARGS="-fPIC -static"
export LD_ARGS="-Wl,--allow-multiple-definition -static -L/usr/lib/x86_64-linux-gnu -L/tmp/out/lib"
export C_ARGS2="-fPIC"
@Cryptiiiic
Cryptiiiic / ios16_downgrading.txt
Created March 1, 2023 00:10
The unfortunate state of iOS downgrading
Unfortunately I have some bad news for downgrading.
Before I explain the bad news at the end of this post, I first need to give some background on iOS devices.
In iOS 16, Apple introduced a new firmware component known as Cryptex1. Technically, this is a "virtual" co-processor.
Its purpose is to allow Apple to push RSRs (Rapid Security Responses), which are separate from traditional iOS updates and can be installed much faster.
Like the other firmware components, it has a signing ticket locked to a cryptographic nonce (number used once).
We commonly refer to the Apple signing tickets as SHSH blobs.
This means the firmware can't be installed without a valid signing ticket and a matching nonce.
The "big two" components whose signing and nonces we deal with are AP and SEP. AP is basically the main device chip (Application Processor).
SEP is the security chip (Secure Enclave Processor).
For the APNonce, Apple conveniently gave us the com.apple.System.boot-nonce NVRAM property, which we use to set the APNonce generator.
@Cryptiiiic
Cryptiiiic / Cryptex.md
Last active October 30, 2024 03:38
Short overview of iOS 16+ nonce-seeds nvram variable most notably used for cryptex.

Cryptex

Short overview of iOS 16+ nonce-seeds nvram variable most notably used for cryptex.

Some structs

struct nonce_seeds_header {
    uint32_t blob_version;
    uint8_t pad[6];