apple-data 1.0.601 → 1.0.603

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 743643db69e6ebb5aeffe4a7889c49924b76154a9f08eb3c4e79e3b2c8b721e3
-  data.tar.gz: 5375a2fa841a2304c181e84294adba5601c63d43afc0e96ec40546e584ae1c21
+  metadata.gz: 6481d521a2e38a707f359222233661bd1732d032d4db3b04951e0b9c7ed80038
+  data.tar.gz: b03d824d4282dfbd6ea02badd95b7a65dc6c32efffa2a7e35a3d57f82cd86b54
 SHA512:
-  metadata.gz: a17e3415a457336e496cc41c0c4b5c5697162b55ff5e9b10957ce9353b1809a52fdd0f217749e8d844fc452a2c8bde61c83f29dfd2d42bf0104aeb4ce86a9f18
-  data.tar.gz: 8174dafa632c4e430412d91dc3444ff5414837f778ef1d83c18906b9c3c5dd2c44d6a8a21aed278f4c03e316b159c81aacba27e425fc6aff0994f6585abc8150
+  metadata.gz: 07ef65c955be0b50e3b7cb3c749107f3d2e7e438c27d88ab566431b155caa921089d32eb218634ddf6034ac1b38576c386f29b7ea256182fa93a9f07737c99a5
+  data.tar.gz: 468030029f6c6572d4f4a5567d817542e493385a8ffe0cce9872095e3cce0a346918cf28dd9185c193671ad67ca7cba060b7949fc5f1b271e4c64cce2a4cb905

data/lib/apple_data/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AppleData
-  VERSION = '1.0.601'
+  VERSION = '1.0.603'
 end

data/share/fdr.yaml

@@ -25,7 +25,7 @@ fdr_properties:
   CmCl:
     description:
   dCfg:
-    description:
+    description: Display LCD
     contexts:
     - base
     - mansta
@@ -48,10 +48,14 @@ fdr_properties:
     contexts:
     - mandev
     - mansta
+    data:
+      comb:
+        fdrd:
+        secb:
   GpC2:
     description:
   HmCA:
-    description:
+    description: Ambient Light Sensor
     contexts:
     - base
     - mansta
@@ -167,7 +171,7 @@ fdr_properties:
   rSCl:
     description:
   scrt:
-    description:
+    description: SEP Certificate
     contexts:
     - base
   SDOM:
@@ -194,5 +198,11 @@ fdr_properties:
     description:
   vcrt:
     description:
+  ADCL:
+    description: Raw Panel / Coverglass
   WMac:
     description: Wireless MAC Address
+to_be_signed_keys:
+  DGST:
+  clid:
+  inst:

data/share/img4.yaml

@@ -43,13 +43,53 @@ img4_tags:
   aupr:
     description:
   auxi:
-    description: Auxiliary Kernel Cache Image4 Hash
+    title: Auxiliary Kernel Collection (AuxKC) Image4 Manifest Hash (`auxi`)
+    description: >
+      After the system verifies that the UAKL hash matches what’s found in the `auxp` field of the
+      LocalPolicy, it requests that the AuxKC be signed by the Secure Enclave processor application that’s
+      responsible for LocalPolicy signing. Next, an SHA384 hash of the AuxKC Image4 manifest signature is placed
+      into the LocalPolicy to avoid the potential for mixing and matching previously signed AuxKCs to an operating
+      system at boot time. If iBoot finds the auxi field in the LocalPolicy, it attempts to load the AuxKC from
+      storage and validate its signature. It also verifies that the hash of the Image4 manifest attached to the
+      AuxKC matches the value found in the auxi field. If the AuxKC fails to load for any reason, the system
+      continues to boot without this boot object and (so) without any third-party kexts loaded. The auxp field
+      is a prerequisite for setting the auxi field in the LocalPolicy. Users change the auxi value implicitly
+      when they change the UAKL by approving a kext from the Security & Privacy pane in System Preferences.
+    type: binary
+    subtype: sha2-384
+    access:
+      write:
+        - macOS
   auxk:
     description: Auxiliary Kernel Cache
   auxp:
-    description: User Authorized Kext List Hash
+    title: Auxiliary Kernel Collection (AuxKC) Policy Hash (auxp)
+    description: >
+      The `auxp` is an SHA384 hash of the user-authorized kext list (UAKL) policy. This is used at
+      AuxKC generation time to help ensure that only user-authorized kexts are included in the AuxKC. `smb2`
+      is a prerequisite for setting this field. Users change the `auxp` value implicitly when they change the
+      UAKL by approving a kext from the Security & Privacy pane in System Preferences.
+    type: binary
+    subtype: sha2-384
+    access:
+      write:
+        - macOS
   auxr:
-    description: AuxKC Kext Receipt Hash
+    title: Auxiliary Kernel Collection (AuxKC) Receipt Hash (auxr)
+    description: >
+      The `auxr` is an SHA384 hash of the AuxKC receipt, which indicates the exact set of kexts that
+      were included into the AuxKC. The AuxKC receipt can be a subset of the UAKL, because kexts can be excluded
+      from the AuxKC even if they’re user authorized if they’re known to be used for attacks. In addition,
+      some kexts that can be used to break the user-kernel boundary may lead to decreased functionality,
+      such as an inability to use Apple Pay or play 4K and HDR content. Users who want these capabilities
+      opt in to a more restrictive AuxKC inclusion. The auxp field is a prerequisite for setting the auxr
+      field in the LocalPolicy. Users change the auxr value implicitly when they build a new AuxKC from
+      the Security & Privacy pane in System Preferences.
+    type: binary
+    subtype: sha2-384
+    access:
+      write:
+        - macOS
   avef:
     description: AV Encryption (DRM) Firmware
   bat0:
@@ -60,6 +100,9 @@ img4_tags:
     description: battery full image
   BLDS:
     description:
+
+  prid:
+    description: Encrypted Private Key / Private Key Info
   bles:
     description:
   BNCH:
@@ -88,6 +131,10 @@ img4_tags:
     description:
   chg0:
     description: Charging Image 0
+  faic:
+    description:
+    type: integer
+    default: 0
   chg1:
     description: Charging Image 1
   CHIP:
@@ -105,7 +152,16 @@ img4_tags:
   cmsv:
     description:
   coih:
-    description:
+    title: CustomOS Image4 Manifest Hash (coih)
+    description: >
+      The `coih` is an SHA384 hash of CustomOS Image4 manifest. The payload for that manifest is used
+      by iBoot (instead of the XNU kernel) to transfer control. Users change the `coih` value implicitly when
+      they use the `kmutil` configure-boot command-line tool in 1TR.
+    type: binary
+    subtype: sha2-384
+    access:
+      write:
+        - 1TR
   CPRO:
     description: Chip promotion fuse value (what is burned in)
     alias:
@@ -161,6 +217,18 @@ img4_tags:
       - effective-production-status-ap
   esca:
     description:
+  hrlp:
+    title: Has Secure Enclave Signed recoveryOS Local Policy (hrlp)
+    description: >
+      The `hrlp` indicates whether or not the `prot` value is the measurement of a Secure Enclave–signed
+      recoveryOS LocalPolicy. If not, then the recoveryOS LocalPolicy is signed by the Apple online signing server,
+      which signs things such as macOS Image4 files.
+    type: boolean
+    access:
+      write:
+        - 1TR
+        - recoveryOS
+        - macOS
   esdm:
     description: Extended Security Domain fuses
     alias:
@@ -179,7 +247,7 @@ img4_tags:
   euou:
     description: engineering use-only unit
   clas:
-    description: product class
+    description: product class (often used in FDR specificatons)
   psmh:
     description: previous stage manifest hash
   fchp:
@@ -261,7 +329,18 @@ img4_tags:
   krnl:
     description: Kernel
   kuid:
-    description: KEK Group UUID
+    title: Key encryption key (KEK) Group UUID (kuid)
+    description: >
+      The kuid indicates the volume that was booted. The key encryption key has typically been used
+      for Data Protection. For each LocalPolicy, it’s used to protect the LocalPolicy signing key. The
+      kuid is set by the user implicitly when creating a new operating system install.
+    type: binary
+    subtype: sha2-384
+    access:
+      write:
+        - 1TR
+        - recoveryOS
+        - macOS
   lamo:
     description:
   lckr:
@@ -273,9 +352,17 @@ img4_tags:
   logo:
     description: Apple logo image
   love:
-    description: OS Version - dotted form. Last portion after the version and comma is a cryptex update?
+    title: Local Operating System Version (love)
+    description: >
+      The love indicates the OS version that the LocalPolicy is created for. The version is obtained from the
+      next state manifest during LocalPolicy creation and is used to enforce recoveryOS pairing restrictions.
     type: string
     example: "21.3.66.0.0,0"
+    access:
+      write:
+        - 1TR
+        - recoveryOS
+        - macOS
   prtp:
     description: Product ID String
     type: string
@@ -287,7 +374,26 @@ img4_tags:
   lphp:
     description:
   lpnh:
-    description: LocalPolicy nonce hash
+    title: LocalPolicy Nonce Hash (lpnh)
+    description: >
+      The lpnh is used for anti-replay of the LocalPolicy. This is an SHA384 hash of the LocalPolicy Nonce
+      (LPN), which is stored in the Secure Storage Component and accessible using the Secure Enclave Boot
+      ROM or Secure Enclave. The raw nonce is never visible to the Application Processor, only to the
+      sepOS. An attacker wanting to convince LLB that a previous LocalPolicy they had captured was valid
+      would need to place a value into the Secure Storage Component, which hashes to the same lpnh value
+      found in the LocalPolicy they want to replay. Normally there is a single LPN valid on the system—except
+      during software updates, when two are simultaneously valid—to allow for the possibility of falling back
+      to booting the old software in the event of an update error. When any LocalPolicy for any operating
+      system is changed, all policies are re-signed with the new lpnh value corresponding to the new LPN
+      found in the Secure Storage Component. This change happens when the user changes security settings
+      or creates new operating systems with a new LocalPolicy for each.
+    type: binary
+    subtype: sha2-384
+    access:
+      write:
+        - 1TR
+        - recoveryOS
+        - macOS
   lpol:
     description: Local Policy
   ltrs:
@@ -359,7 +465,20 @@ img4_tags:
   pndp:
     description:
   prot:
-    description:
+    title: Paired recoveryOS Trusted Boot Policy Measurement (prot)
+    description: >
+      A paired recoveryOS Trusted Boot Policy Measurement (TBPM) is a special iterative SHA384 hash calculation
+      over the Image4 manifest of a LocalPolicy, excluding nonces, in order to give a consistent measurement
+      over time (because nonces like lpnh are frequently updated). The prot field, which is found only in each
+      macOS LocalPolicy, provides a pairing to indicate the recoveryOS LocalPolicy that corresponds to the
+      macOS LocalPolicy.
+    type: binary
+    subtype: sha2-384
+    access:
+      write:
+        - 1TR
+        - recoveryOS
+        - macOS
   rbmt:
     description:
   rddg:
@@ -383,11 +502,42 @@ img4_tags:
   rolp:
     description: recoveryOS local policy
   ronh:
-    description: recoveryOS nonce hash
+    title: recoveryOS Nonce Hash (ronh)
+    description: >
+      The ronh behaves the same way as the lpnh, but is found exclusively in the LocalPolicy for system
+      recoveryOS. It’s updated when the system recoveryOS is updated, such as on software updates. A
+      separate nonce from the lpnh and rpnh is used so that when a device is put into a disabled state
+      by Find My, existing operating systems can be disabled (by removing their LPN and RPN from the
+      Secure Storage Component), while still leaving the system recoveryOS bootable. In this way, the
+      operating systems can be reenabled when the system owner proves their control over the system by
+      putting in their iCloud password used for the Find My account. This change happens when a user updates
+      the system recoveryOS or creates new operating systems.
+    type: binary
+    subtype: sha2-384
+    access:
+      write:
+        - 1TR
+        - recoveryOS
+        - macOS
   rosi:
     description:
   nish:
-    description: preboot splat manifest hash
+    title: Next Stage Image4 Manifest Hash (nsih)
+    description: >
+      The nsih field represents an SHA384 hash of the Image4 manifest data structure that describes the booted
+      macOS. The macOS Image4 manifest contains measurements for all the boot objects—such as iBoot, the static
+      trust cache, device tree, Boot Kernel Collection, and signed system volume (SSV) volume root hash. When
+      LLB is directed to boot a given macOS, it’s designed to ensure that the hash of the macOS Image4 manifest
+      attached to iBoot matches what’s captured in the nsih field of the LocalPolicy. In this way, the nsih
+      captures the user intention of what operating system the user has created a LocalPolicy for. Users
+      change the nsih value implicitly when they perform a software update.
+    type: binary
+    subtype: sha2-384
+    access:
+      write:
+        - 1TR
+        - recoveryOS
+        - macOS
   spih:
     description: Cryptex1 Image4 Hash
   stng:
@@ -395,7 +545,18 @@ img4_tags:
   auxh:
     description: User Authorized Kext List Hash
   rpnh:
-    description: RemotePolicy nonce hash
+    title: Remote Policy Nonce Hash (rpnh)
+    description: >
+      The rpnh behaves the same way as the lpnh but is updated only when the remote policy is updated, such as when
+      changing the state of Find My enrollment. This change happens when the user changes the state of Find My on
+      their Mac.
+    type: binary
+    subtype: sha2-384
+    access:
+      write:
+        - 1TR
+        - recoveryOS
+        - macOS
   RSCH:
     description: Research mode
   fgpt:
@@ -515,9 +676,21 @@ img4_tags:
   vkdl:
     description:
   vuid:
-    description: Volume Group UUID
+    title: APFS volume group UUID (vuid)
+    description: >
+      The vuid indicates the volume group the kernel should use as root. This field is primarily informational
+      and isn’t used for security constraints. This vuid is set by the user implicitly when creating a new
+      operating system install.
+    type: binary
+    subtype: sha2-384
+    access:
+      - 1TR
+      - recoveryOS
+      - macOS
   ware:
     description:
+  inst:
+    descryption: The key or file to install
   wchf:
     description: Wireless Charging Framework
   xbtc:

data/share/pki.yaml

@@ -12,9 +12,18 @@ certificate_names:
   tcrt: test certificate?
   ucrt: user certificate (mapps to a single iCloud account)
   vcrt: virtual certificate?
+keys:
+  uik:
+    description: User Identity Key
+  sik:
+    description: System Identity Key
+  oik:
+    description: Owner Identity Key (the first password after restore)
 constants:
   private_oid_root: 1.2.840.113635
 oids:
+  - oid: 1.2.840.113635.100.6.17
+    description: Contains the name of the key
   - oid: 1.2.840.113635.100.5.3
     apple_description: ADC Certificate Policy
   - oid: 1.2.840.113635.100.5.4
@@ -31,8 +40,15 @@ oids:
     apple_description: Apple World Wide Developer Relations Certificates for Code Signing for Test Release through the iTMS
   - oid: 1.2.840.113635.100.6.1.4
     apple_description: Apple World Wide Developer Relations Certificates for Code Signing GM from developer to Apple
+  - oid: 1.2.840.113635.100.6.16
+    description:
+      A sequence of FDR programming commands, seperated by ";".  Each command is "PUT" or "GET" prior to a
+      4CC value, followed by a ":" then the value of the key.
+    example:
+      PUT/FSCl:sik-FXFYFXFFYFFEX-QQRRRDEETFEFYCEIESLIREILCILESCLSELRESERSER
   - oid: 1.2.840.113635.100.6.1.15
     description:
+      To be signed certificate...
       Contains the boot policy of the machine during certificate issuance
       based on boot policy.  includes BORD, ronh, lobo, SDOM, lpnh, rpnh
       BNCH, CSEC, CHIP, ECID, CPEO, OBJP, EPRO, DPRO, ESEC, DSEC and DGST
@@ -171,4 +187,6 @@ known_symbols:
     - _oidAppleSecureBootCertSpec
     - _oidAppleSecureBootTicketCertSpec
     - _oidAppleTVOSApplicationSigningProd
-    - _oidAppleTVOSApplicationSigningProdQA
+    - _oidAppleTVOSApplicationSigningProdQA
+roots:
+  FDR-CA1-ROOT-CM:

data/share/syscfg.yaml

@@ -1,4 +1,103 @@
 ---
 metadata:
   description:
-  credits:
+  credits:
+
+values:
+  RMd#:
+    description: Regulatory Model Number
+  Coor:
+    description: Country of Origin
+    values:
+      - C
+  CFG#:
+    description: Configuration Number
+  SrNm:
+    description: Serial Number
+  MLB#:
+    description: Main Logic Board Serial Number
+  Regn:
+    description: Region Info
+  Mod#:
+    description: Model Number
+  MdlC:
+    description: Model Configuration (key value seperated by ";" and "key=value")
+  CLCG:
+    description: Cover glass (gloss or opaque)
+  BMac:
+    description: Bluetooth MAC Address
+  SwBh:
+    description: Software Behavior
+  CLBG:
+  MkBS:
+  CLHS:
+  CGMt:
+  EMac:
+  EnMt:
+  BGMt:
+  EMc2:
+  rpcp:
+  MkBH:
+  WMac:
+  SBVr:
+  AROC:
+  LTAO:
+  ARSC:
+  ASCl:
+  ARXN:
+  AICl:
+  ARot:
+  ARNC:
+  ARXC:
+  GICl:
+  GRXC:
+  GRXN:
+  GRNC:
+  GRSC:
+  GSCl:
+  GYTT:
+  GRot:
+  MDCC:
+  CRot:
+  CVCC:
+  CDCC:
+  CMOC:
+  CSCM:
+  JRot:
+  CPAS:
+  PRTT: (Pressure Sensor / Barometer) temp-compensation-table
+  SPPO: (Pressure Sensor / Barometer) pressure-offset-calibration
+  PxCl: (Proximity Sensor) prox-calibration
+  PSCl:
+  STRB:
+  BCAR:
+  PrCL:
+  RACa:
+  RACm:
+  RxCL:
+  TCal:
+  WSKU:
+    description: WiFi Chip / Product SKU
+  WCAL:
+    description: WiFi Calibration Data
+  RFEM:
+  BCAL:
+  BTTx:
+  BTBF:
+  MBac:
+  BTRx:
+  RSKU:
+    description: Region SKU (in US "/LLA")
+  DClr:
+  DBCl:
+  DPCl:
+  DTCl:
+  CGSp:
+  CLCL:
+  MiGH:
+  SpPH:
+  SpGH:
+  MiGB:
+  TMac:
+  ksku:
+  TCID:

data/share/terms.yaml

@@ -195,6 +195,25 @@ terms:
       debugging, but nearly all kernels shipped by Apple can be debugged if the proper
       `boot-args` are passed on startup.
   kernel:
+  baa:
+  - title: Basic Attestation Authority (BAA)
+  oik:
+    - title: Owner Identity Key (OIK)
+  uik:
+    - title: User Identity Key (UIK)
+  ucrt:
+    - title: User identity Certificate (ucrt)
+  oic:
+    - title: Owner Identity Certificate (OIC)
+  LLB:
+  LocalPolicy:
+  RemotePolicy:
+  1TR:
+  sik:
+  oid:
+  pka:
+  siK:
+    - title: System Identity Key
   kernelcache:
   - title: Kernel Cache
     description: A kernel cache is a combined object that contains the kernel itself

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: apple-data
 version: !ruby/object:Gem::Version
-  version: 1.0.601
+  version: 1.0.603
 platform: ruby
 authors:
 - Rick Mark
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-02-14 00:00:00.000000000 Z
+date: 2024-02-15 00:00:00.000000000 Z
 dependencies: []
 description: |2
       This package includes machine readable data about Apple platforms maintained by hack-different.