Rick Mark rickmark
🔬 Decoding iOS Formats
@rickmark
rickmark / README.md
Created January 9, 2020 03:38
Target Disk Mode - Invalid String Descriptors

This is a capture of a suspected infected T2 processor on a MacBook Air being booted in Target Disk Mode, with a TotalPhase Beagle 3000 Ultimate between it and a Raspberry Pi.

When directly connected, the Raspberry Pi logged the following kernel error in dmesg:

usb 1-1.4.1: device descriptor read/64, error -32

The other attached files are USB packet captures with malformed string descriptors (see the length field).

@rickmark
rickmark / clean_t2_restore.sh
Last active March 15, 2024 20:18
Perform a FOSS restore of an Apple T2 processor
#!/bin/bash
# Rebuild the libimobiledevice toolchain from source, starting from a clean tree.
WORKING_DIRECTORY="$(pwd)"
repo_list=(libimobiledevice idevicerestore libplist libusbmuxd usbmuxd libirecovery)
for repo in "${repo_list[@]}"; do
    directory="$WORKING_DIRECTORY/$repo"
    # Remove any stale checkout so every repository is cloned fresh
    if [ -d "$directory" ]; then
        rm -rf "$directory"
    fi
done
@rickmark
rickmark / Command Log
Created February 24, 2020 00:12
WTF XNU
rickmark@Pluma ~ % diskutil mount disk2s1
Volume on disk2s1 failed to mount
Perhaps the operation is not appropriate (kDAReturnNotPermitted)
If you think the volume is supported but damaged, try the "readOnly" option
rickmark@Pluma ~ % diskutil mount readOnly disk2s1
Volume on disk2s1 failed to mount
Perhaps the operation is not appropriate (kDAReturnNotPermitted)
If you think the volume is supported but damaged, try the "readOnly" option
rickmark@Pluma ~ % dd if=/dev/disk2s1 ~/transit.img
dd: unknown operand /Users/rickmark/transit.img
E4B189E4 8987E4B1 98E5BD93 E2B8B0E3 ACB1
@rickmark
rickmark / cert_list.txt
Created February 27, 2020 13:32
Certificates being used by cybercrime
@rickmark
rickmark / TSL Session.txt
Created February 27, 2020 13:37
Bad connection to api.apple-cloudkit.com
CONNECTED(00000006)
write to 0x7fcb6fe64d40 [0x7fcb71012003] (196 bytes => 196 (0xC4))
@rickmark
rickmark / bootrom.bin.gpg.asc
Created March 7, 2020 02:45
Signature of payload
@rickmark
rickmark / keybase.md
Created March 11, 2020 23:28
Keybase proof

I hereby claim:

  • I am rickmark on github.
  • I am rickmark (https://keybase.io/rickmark) on keybase.
  • I have a public key ASA0TAIJ026oQlDDvuke4ZnMvht07yEiyoPggDxwV9p70Ao

To claim this, I am signing this object:

@rickmark
rickmark / debain.xsig.yaml
Last active March 19, 2020 00:27
GPG Detached Signatures are so 1990s
---
version: 1
identity:
  correlation_id: 6E02AF2E-A08A-4525-9494-DC3EC6BC2006
  original_filename: debian-10.3.0-amd64-DVD-1.iso
origin:
  scheme: https
  url: https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/debian-10.3.0-amd64-DVD-1.iso
hashes:
  - algorithm: SHA2-512