For anynone that is running the latest version of binwalk (Binwalk v2.3.3) and when trying to extract squshfs filesystems, gets the following error:
WARNING: Extractor.execute failed to run external extractor 'sasquatch -p 1 -le -d 'squashfs-root' '%e'': [Errno 2] No such file or directory: 'sasquatch', 'sasquatch -p 1 -le -d 'squashfs-root' '%e'' might not be installed correctlyit might have to do that the sasquatch project is missing or not working correctly.
| There is a bug in SEPROM, at least up to A10 (the one I reversed), in the trustzone bounds checks. | |
| The trustzone is setup by the main AP in an early boot stage and because of that SEPROM has to verify that it's setup correctly before continuing to boot SEPOS. | |
| Otherwise the AP could write to SEPOS RAM and with that it might be able to get code execution on the SEP. | |
| The verification is done by first checking if the trustzone values are locked and then if they are correct. | |
| Those values are stored in hardware registers that both processors share. | |
| The registers are 32 bit tho and because of that apple decided to shift the address down by 12 bits before putting it into the registers. | |
| This means that if you want to lock down 0x1000000 to 0x2000000 you will actually write 0x1000 and 0x2000 to the registers. | |
| On the other side SEPROM loads these values from the hardware registers again. | |
| But instead of just comparing them against some constant it shifts up all of those values by 12 bits again before doing any check on |
| #! /usr/bin/env python3 | |
| # | |
| # sep_firmware_split.py | |
| # Brandon Azad | |
| # | |
| # Split a decrypted Apple SEP firmware image into individual Mach-O files. | |
| # | |
| # iPhone11,8 17C5053a https://twitter.com/s1guza/status/1203550760102969345 | |
| # iPhone11,8 17E255 https://twitter.com/s1guza/status/1244683851957522435 | |
| # |