zhuowei

Also see https://github.com/zhuowei/CoreTrustDemo/blob/main/littlemis.txt for my previous notes

first time X509ChainCheckPathWithOptions, param3 (options) is null
second time X509ChainCheckPathWithOptions, param3 (options) is set
-> This is the call out of CTEvaluateAMFICodeSignatureCMS_MaxDigestType, and is the one that sets the flags

struct ContentInfoSignedData {
  int always4; // 0x0
  void* someBufferFromCTParseContentInfoSignedDataArg6; // 0x8
  // ?

zhuowei

@Gina Yei: #WithAllMyHeartAndMore
A Very Boy Band Holiday
America the Beautiful
Among the Stars
Artemis Fowl
Be Our Chef
Bear Witness
Best in Snow
Better Nate Than Ever
Beyond Infinity: Buzz and the Journey to Lightyear

zhuowei

PurpleSystemAppPort
PurpleSystemEventPort
UIASTNotificationCenter
com.apple.ABDatabaseDoctor
com.apple.AppSSO.service-xpc
com.apple.AuthenticationServicesCore.AuthenticationServicesAgent
com.apple.CARenderServer
com.apple.ClipServices.clipserviced
com.apple.CoreAuthentication.daemon
com.apple.DeviceAccess.xpc

zhuowei

@import Darwin;
@import Foundation;
@import MachO;

#import <mach-o/fixup-chains.h>
// you'll need helpers.m from Ian Beer's write_no_write and vm_unaligned_copy_switch_race.m from
// WDBFontOverwrite
// Also, set an NSAppleMusicUsageDescription in Info.plist (can be anything)
// Please don't call this code on iOS 14 or below
// (This temporarily overwrites tccd, and on iOS 14 and above changes do not revert on reboot)

zhuowei

import png
import sys
with open(sys.argv[1], "rb") as infile:
    chunks = list(png.Reader(file=infile).chunks())

chunks.insert(1, (b"cICP", bytes([9, 16, 0, 1])))

with open(sys.argv[2], "wb") as outfile:
    png.write_chunks(outfile, chunks)

zhuowei

import sys
from PIL import Image, PngImagePlugin

# adds a cICP chunk to PNG files to specify color gamut and HDR brightness.
# This example uses the sample BT2020 + PQ cICP chunk from https://w3c.github.io/PNG-spec/#11cICP
# Requires Pillow >8.0.0. See https://github.com/python-pillow/Pillow/pull/4292
# View the resulting PNG in an app that supports cICP chunks, such as Chrome 105+
# (https://chromium-review.googlesource.com/c/chromium/src/+/3705739)
# For more information about CICP, see https://github.com/AOMediaCodec/libavif/wiki/CICP

zhuowei

# enable AMCC read-only region lockdown in m1n1 on M1 (Mac Mini 2020) for testing
# see https://github.com/AsahiLinux/m1n1/blob/v1.1.4/src/mcc.c
# https://github.com/apple-oss-distributions/xnu/blob/xnu-7195.50.7.100.1/osfmk/arm64/amcc_rorgn.c
lockdownstart = 0x8_4000_0000
# amcc's protection page size seems to be 0x8000?
lockdownend = 0x8_4000_8000
rambase = 0x8_0000_0000
for plane in range(3, -1, -1):
    print(hex(0x2_0000_0000 + 0x40000*plane + 0x680))
    write32(0x2_0000_0000 + 0x40000*plane + 0x680, (lockdownstart - rambase) >> 14)

zhuowei

--- crash at 2022/05/01 21:19:21---
build:7a75bff14545-1.10.0-release.135263-buildbot
   r0:00000000    r1:00000000     r2:00030ca0    r3: 00000000
  r12:00003fe0    lr:0802f343     pc:0802f354   psr: 21000000
 cfsr:00010000  hfsr:40000000  mmfar:00000000  bfar: 00000000
rcccsr:00000000
heap allocated: 63008
Lua totalbytes=0 GCdebt=0 GCestimate=0 stacksize=0

--- crash at 2022/05/01 21:19:53---

zhuowei

import libtorrent as lt

# usage:
# sudo apt install python3-libtorrent
# wget https://thenftbay.org/billion-dollar-nft-torrent.torrent
# python3 t.py

info = lt.torrent_info("billion-dollar-nft-torrent.torrent")
print("Number of pieces: ", info.num_pieces())
print("dumping piece hashes:")

zhuowei

SoftSIM across two computers: this doesn't work and I don't know why; can someone help

On the bluetooth computer:

sudo sdptool browse 00:11:22:33:44:55
<snip>
Service Name: SIM Access
Service RecHandle: 0x1000c
Service Class ID List: