Hakim BOUKHADRA P5-2005

@leminlimez
leminlimez / Domains.md
Last active April 23, 2025 18:56
A deep dive into the iOS backup/restore system

Domains.plist

Documentation of /System/Library/Backup/Domains.plist. The file was taken from an iPhone SE (3rd generation) running iOS 16.4. The file was removed in iOS 17.0.

Values

Values in the plist. Other than SystemDomains, these are not really important and are listed here only for preservation's sake.

A domain in Domains.plist contains keys that determine what gets backed up, for which types of devices, and to where (i.e. iCloud vs iTunes). Not all domains have every key. The only two keys that must be present in every domain are RootPath and RelativePathsToBackupAndRestore. Some domains have the value ShouldDigest. I am not sure exactly what it means but I have included it for documentation purposes.

  • Version: "24.0"
  • SystemDomains: (Dictionary), see below
@stong
stong / cups-browsed.md
Last active January 15, 2025 14:08
CUPS disclosure leaked online. Not my report. The original author is @evilsocket

Original report

  • Affected Vendor: OpenPrinting
  • Affected Product: Several components of the CUPS printing system: cups-browsed, libppd, libcupsfilters and cups-filters.
  • Affected Version: All versions <= 2.0.1 (latest release) and master.
  • Significant ICS/OT impact? no
  • Reporter: Simone Margaritelli [[email protected]]
  • Vendor contacted? yes. The vendor has been notified through GitHub Advisories and all bugs have been confirmed:
@jevinskie
jevinskie / output-root.log
Last active April 26, 2024 16:47
Run lsmp on *something*, *anything* without root privileges. How? A wrapper program that gets its own PID then exec's into lsmp with that PID as the process to inspect.
-> % sudo ./self-lsmp
Password:
argv[0] = '/usr/bin/lsmp'
argv[1] = '-v'
argv[2] = '-p'
argv[3] = '33302'
self task regular: 0x00000203 aka 515
self task read: 0x00000b03 aka 2819
@Cryptiiiic
Cryptiiiic / Cryptex.md
Last active October 30, 2024 03:38
Short overview of iOS 16+ nonce-seeds nvram variable most notably used for cryptex.

Cryptex

Short overview of iOS 16+ nonce-seeds nvram variable most notably used for cryptex.

Some structs

struct nonce_seeds_header {
    uint32_t blob_version;
    uint8_t pad[6];
@miticollo
miticollo / futurerestore.sh
Last active February 26, 2024 06:05
In a new macOS terminal run `bash ./futurerestore.sh <path/to/SHSH> <path/to/ipsw> -c` and follow instructions
#!/usr/bin/env bash
#
# Perform iOS and iPadOS downgrade using gaster and futurerestore.
set -e
BOLD=$(tput bold)
readonly BOLD
NC=$(tput sgr0)
readonly NC
@chris-pcguy
chris-pcguy / qemu-t8030_seprom_securerom_t8030_20231104_2.patch
Created November 4, 2023 05:05
merged/copy-pasted to a newer commit (LDRAA bug found and fixed by me) during lack of sleep, untested because of an NVMe bug.
diff --git a/hw/arm/apple_a13.c b/hw/arm/apple_a13.c
index 551a055715..661d9c799c 100644
--- a/hw/arm/apple_a13.c
+++ b/hw/arm/apple_a13.c
@@ -504,7 +504,9 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = {
A13_CPREG_DEF(ARM64_REG_HID13, 3, 0, 15, 14, 0, PL1_RW, 0),
A13_CPREG_DEF(ARM64_REG_HID14, 3, 0, 15, 15, 0, PL1_RW, 0),
A13_CPREG_DEF(ARM64_REG_HID16, 3, 0, 15, 15, 2, PL1_RW, 0),
- A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0),
+ A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), // A14 SYS_LSU_ERR_STS
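Review bot: the only visible change in this hunk is a trailing comment appended to an otherwise identical `A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0)` line, which rewrites the A13 register entry and churns blame just to annotate it; put the note on its own comment line above the entry and state what "A14 SYS_LSU_ERR_STS" means here (does the A14 share this 3,3,15,0,0 encoding, or is this a reminder that a separate A14 table is needed?). The hunk header announces a net +2 lines but only one replaced line is visible, so the rest of the addition cannot be reviewed from this excerpt.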
diff --git a/hw/arm/apple_a13.c b/hw/arm/apple_a13.c
index 2188683992..928ffaa988 100644
--- a/hw/arm/apple_a13.c
+++ b/hw/arm/apple_a13.c
@@ -504,14 +504,16 @@ static const ARMCPRegInfo apple_a13_cp_reginfo_tcg[] = {
A13_CPREG_DEF(ARM64_REG_HID13, 3, 0, 15, 14, 0, PL1_RW, 0),
A13_CPREG_DEF(ARM64_REG_HID14, 3, 0, 15, 15, 0, PL1_RW, 0),
A13_CPREG_DEF(ARM64_REG_HID16, 3, 0, 15, 15, 2, PL1_RW, 0),
- A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0),
+ A13_CPREG_DEF(ARM64_REG_LSU_ERR_STS, 3, 3, 15, 0, 0, PL1_RW, 0), // A14 SYS_LSU_ERR_STS
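Review bot: this second `diff --git a/hw/arm/apple_a13.c` section repeats the same `-`/`+` pair for `ARM64_REG_LSU_ERR_STS` against a different base (`index 2188683992..928ffaa988` versus `551a055715..661d9c799c` above), so the patch file carries the same one-line edit twice; applied in order, the second hunk will either fail to match or double-apply the trailing comment. Keep only the section whose base matches the target commit, or regenerate the patch from a single base. As with the first section, the header's `-504,14 +504,16` count is not reflected in the visible lines, so the remaining additions are not reviewable here.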
@jevinskie
jevinskie / MobileStorageMounter-DDI-verification.mm
Created October 24, 2023 21:25
MobileStorageMounter DDI verification
// clang-format off
// clang++ -Wall -Wextra -Wno-deprecated-declarations -g -fobjc-arc -std=gnu++2b -framework Foundation -framework CommonCrypto -framework Security -o secstuff secstuff.mm && ./secstuff ./iPhoneCA.pem ./DeveloperDiskImage.dmg ./DeveloperDiskImage.dmg
// xcrun --sdk iphoneos clang++ -miphoneos-version-min=14.0 -Wall -Wextra -Wno-deprecated-declarations -g -fobjc-arc -std=gnu++2b -framework Foundation -framework CommonCrypto -framework Security -Wl,-adhoc_codesign -o secstuff-ios secstuff.mm
// clang-format on
#define SEC_OS_IPHONE 1
#undef NDEBUG
#include <CommonCrypto/CommonDigest.h>
#import <Foundation/Foundation.h>
#import <Security/Security.h>
Also see https://github.com/zhuowei/CoreTrustDemo/blob/main/littlemis.txt for my previous notes
first time X509ChainCheckPathWithOptions, param3 (options) is null
second time X509ChainCheckPathWithOptions, param3 (options) is set
-> This is the call out of CTEvaluateAMFICodeSignatureCMS_MaxDigestType, and is the one that sets the flags
struct ContentInfoSignedData {
int always4; // 0x0
void* someBufferFromCTParseContentInfoSignedDataArg6; // 0x8
// ?