apple-data 1.0.603 → 1.0.604

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6481d521a2e38a707f359222233661bd1732d032d4db3b04951e0b9c7ed80038
-  data.tar.gz: b03d824d4282dfbd6ea02badd95b7a65dc6c32efffa2a7e35a3d57f82cd86b54
+  metadata.gz: 505cf3230870a47f259145e62e3f09e63064d46e3f3b6c34532e41394fcff002
+  data.tar.gz: 3c57444d5e7147281f03a6aa8aad3ea8539e010643dde4b4706f6e223aa43033
 SHA512:
-  metadata.gz: 07ef65c955be0b50e3b7cb3c749107f3d2e7e438c27d88ab566431b155caa921089d32eb218634ddf6034ac1b38576c386f29b7ea256182fa93a9f07737c99a5
-  data.tar.gz: 468030029f6c6572d4f4a5567d817542e493385a8ffe0cce9872095e3cce0a346918cf28dd9185c193671ad67ca7cba060b7949fc5f1b271e4c64cce2a4cb905
+  metadata.gz: 8fcbbf092c4ca492488bd9a95b4812c32d4f8f9d51f86c253799dc3a729fc41da8f21f0407f3fa22b3ad9bc1bb36dd1c8914c60cd73bb8d97c1f9ae921cd8dec
+  data.tar.gz: 2d0d389c91f4ec3ad3b9848536ec093bf8dd2877bed17e2d74df1e9579b820ea61261567086fb4e300ec1a6cc2953070b87c80d064cc01db5d01eec03b17771e

data/lib/apple_data/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AppleData
-  VERSION = '1.0.603'
+  VERSION = '1.0.604'
 end

data/share/img4.yaml

@@ -2,6 +2,32 @@
 metadata:
   description:
   credits:
+types:
+  digest-object:
+    description: Digest Objects are Firmare or Other Hashable Datastreams.
+      They will exist in NOR, Disk, or be received over USB.  These objects
+      will contain a `DGST` value that is the cryptographic hash of the contents.
+      They can contain additional properties per object, some of which are standard
+      and others that are object specific.
+    common_properties:
+      ESEC:
+      EPRO:
+      EKEY:
+    subtypes:
+      local-boot-object:
+      trust-measurement:
+        description: A trust measurement is requested from the processor to ensure that
+          the boot flow has not changed since a prior time that measurement was taken.
+          To date the trust measurement is commonly found on SEP firmware images.
+      ssv-root-hash:
+        description: Root Hash values are used to validate the Signature of an APFS Signed
+          volume or snapshot.  They will be paired to a coresponding disk image.  Some also
+          are paired with `ssv-merkle-tree` which includes the metadata for the volume.
+      trust-cache:
+      img4-disk-image:
+        description: Disk images are often signed IMG4 payloads used for USB boot or as the
+          arm64BaseSystem.dmg.  IMG4 is used for smaller disk images that can be entirely
+          validated "single shot" unlike larger disks which use SSV and validate on read.
 img4_tags:
   acfw:
     description:
@@ -22,12 +48,18 @@ img4_tags:
     type: boolean
   anef:
     description: Apple Neural Engine Firmware
+    type: digest-object
+    roots:
+    - ManifestKey-DataCenter
   anrd:
     description:
   aofi:
     description:
   aopf:
     description: Always on processor firmware
+    type: digest-object
+    roots:
+    - ManifestKey-DataCenter
   apmv:
     description:
   ater:
@@ -37,9 +69,14 @@ img4_tags:
   auac:
     description:
   aubt:
-    description:
+    description: Auxiliary
   augs:
-    description: Included in APTicket CA extensions
+    description:
+      Auxiliary User System Image
+      Included in APTicket CA extensions, as well as factory manifests.
+    roots:
+      - ExtraContent
+      - ManifestKey
   aupr:
     description:
   auxi:
@@ -85,13 +122,16 @@ img4_tags:
       opt in to a more restrictive AuxKC inclusion. The auxp field is a prerequisite for setting the auxr
       field in the LocalPolicy. Users change the auxr value implicitly when they build a new AuxKC from
       the Security & Privacy pane in System Preferences.
-    type: binary
+    type: digest-object
     subtype: sha2-384
     access:
       write:
         - macOS
   avef:
     description: AV Encryption (DRM) Firmware
+    type: digest-object
+    roots:
+    - ManifestKey-DataCenter
   bat0:
     description: battery image 0
   bat1:
@@ -100,11 +140,14 @@ img4_tags:
     description: battery full image
   BLDS:
     description:
-
   prid:
     description: Encrypted Private Key / Private Key Info
   bles:
     description:
+  rtmu:
+    description: Restore TMU for AP
+    type: digest-object
+    recovery: true
   BNCH:
     description: Boot Nonce Hash - based on the values of com.apple.System.boot-nonces
   BORD:
@@ -118,28 +161,39 @@ img4_tags:
     alias:
       - board-id
   bstc:
-    description:
+    description: Base Sysetm Static Trust Cache
+    type: digest-object
+    subtype: trust-cache
   bsys:
-    description:
+    description: Base System Seal Root Hash
+    type: digest-object
+    subtype: ssv-root-hash
   CEPO:
     description: |-
       Certificate/Chip Epoch.  This is a unit of roll-forward time (monotonic) that allows for any security issues
       in the prior epoch to be fixed by a anti-rollback scheme.
+    nullable: true
+    type: boolean
     alias:
       - chip-epoch
   cfel:
     description:
   chg0:
     description: Charging Image 0
+    type: digest-object
+    subtype: graphic
   faic:
     description:
     type: integer
     default: 0
   chg1:
     description: Charging Image 1
+    type: digest-object
+    subtype: graphic
   CHIP:
     description: Unique identifier for a single Apple designed application processor
       sharing the same GID key
+    type: integer
     width: 2
   nsph:
     description: preboot splat manifest hash
@@ -151,14 +205,17 @@ img4_tags:
     description:
   cmsv:
     description:
+  rans:
+    description: Restore Apple NAND Storage Firmware
+    type: digest-object
   coih:
     title: CustomOS Image4 Manifest Hash (coih)
     description: >
       The `coih` is an SHA384 hash of CustomOS Image4 manifest. The payload for that manifest is used
       by iBoot (instead of the XNU kernel) to transfer control. Users change the `coih` value implicitly when
       they use the `kmutil` configure-boot command-line tool in 1TR.
-    type: binary
-    subtype: sha2-384
+    type: digest-object
+    subtype: IM4M
     access:
       write:
         - 1TR
@@ -166,31 +223,71 @@ img4_tags:
     description: Chip promotion fuse value (what is burned in)
     alias:
       - certificate-production-status
+    nullable: true
     type: boolean
   CSEC:
     description: Burned-in chip security mode
+    type: boolean
+    nullable: true
     alias:
       - certificate-security-mode
   csys:
-    description:
+    description: Install / Restore SSV Root Hash
+    type: digest-object
+    subtype: ssv-root-hash
   dali:
     description:
   data:
     description:
+  casy:
+    description: App Cryptex SSV Root Hash
+    type: digest-object
+    subtype: ssv-root-hash
+    roots:
+    - ExtraContent
+  cssy:
+    description: System Cryptex SSV Root Hash
+    type: digest-object
+    subtype: ssv-root-hash
+    roots:
+    - ExtraContent
   DGST:
     description: payload digest
   diag:
     description:
+  trca:
+    description:
+    type: digest-object
+    roots:
+    - ExtraContent
+  csos:
+    description:
+    type: digest-object
+    roots:
+    - ExtraContent
+  trcs:
+    description:
+    type: digest-object
+    roots:
+    - ExtraContent
   disk:
     description:
   DPRO:
-    description:
+    description: Demote from Production Request
+      Value is used by TSS sever to issue EPRO values, or effective AP prodctuion state.
   DSEC:
-    description:
+    description: Demote from Secure Request
+      Value is used by TSS server to issue ESEC values, or effective AP Security Mode should the
+      requester be authorized.  These requests are not available to consumers, only to Apple Internal.
   dtre:
     description: device tree
+    type: digest-object
+    subtype: device-tree
   dtrs:
     description: device tree for recovery
+    type: digest-object
+    subtype: device-tree
+    recovery: true
   ECID:
     description: Exclusive chip identifier.  This is burned into an eFuse at time
       of manufacture and unique across all devices sharing the same CHIP
@@ -211,10 +308,16 @@ img4_tags:
     description:
   EKEY:
     description: Effective chip promoted
+    nullable: false
+    type: boolean
   EPRO:
     description: Effective chip promotion / demotion state (if CPFM 03 this must be 0 to set ESEC)
     alias:
       - effective-production-status-ap
+    nullable: false
+    type: boolean
+  secb:
+    description: Sets a security value such as `trst` or the FDR signing trust object.  "security blob?"
   esca:
     description:
   hrlp:
@@ -231,6 +334,7 @@ img4_tags:
         - macOS
   esdm:
     description: Extended Security Domain fuses
+    type: integer
     alias:
       - esdm-fuses
   styp:
@@ -238,6 +342,37 @@ img4_tags:
     type: u32
     alias:
       - cryptex subtype
+    roots:
+    - ExtraContent
+  acid:
+  WSKU:
+    description: Wireless SKU
+  WMac:
+    description: Wireless MAC Address
+  TMac:
+    description: Thunderbolt MAC Address
+    manifest: true
+  BMac:
+    description: Bluetooth MAC Address
+    manifest: true
+  SrNm:
+    description: Unit Serial Number
+    manifest: true
+  ptrp:
+  snuf:
+    description: Staged next update firmware?
+  Regn:
+    description: Region Code
+    example: LL/A
+    type: string
+    manifest: true
+  Mod#:
+  CLHS:
+  HmCA:
+  FSCl:
+  ADCL:
+  clid:
+  hop0:
   oppd:
     description: Unknown, used by `stg1`/`sepi` - sha384 hash sized
   ESEC:
@@ -247,25 +382,49 @@ img4_tags:
   euou:
     description: engineering use-only unit
   clas:
-    description: product class (often used in FDR specificatons)
+    description: Class for Key / Object - Found in FDR objects
+    examples:
+    roots:
+    - ExtraContent
   psmh:
     description: previous stage manifest hash
+
   fchp:
-    description: Cryptex1,ChipID
+    description: Cryptex1,ChipID - Mask
+    roots:
+    - ExtraContent
   fdrs:
     description:
+  rvok:
+    description: Trust object revocation list
+  trpk:
+    description: Trust public keys
+  rssl:
+    description: The valid CA used for secure communications with the FDR server to obtain the FDR objects.  This
+      differs from the `trst` object as `rssl` is in transit and `trst` is at rest.
   fdrt:
     description:
   file:
     description:
   fpgt:
     description:
+  ftab:
+    description: >
+      Factory Trust - Auto Boot
+      FTAB images (used for devices such as AirPods, etc) are "hacktivated" or pre-APTicket'ed devices as they
+      lack either a restore connection, or persistet memory.  Common early usage of this was the Heywire dongles
+      used for video conversion on the Mac.  It was simplest for the device to lack NAND and simply receive the
+      firmware from a host on powerup.  FTAB files are fully ready to run blobs often including RTKit OS based
+      memory images.
   ftap:
-    description:
+    description: >
+      Factory Trust - Application Processor
+    type: hash
   ftot:
-    description:
+    description: Factory Trust - Other
   ftsp:
-    description:
+    description: Factory Trust - SEP
+    type: hash
   fuos:
     description: Fully Unsigned OS
   gfxf:
@@ -273,7 +432,7 @@ img4_tags:
   ging:
     description:
   glyc:
-    description:
+    description: Gyroscope Calibration
   glyp:
     description:
   hash:
@@ -286,14 +445,34 @@ img4_tags:
     description:
   homr:
     description:
-  hrlp:
-    description:
+  cnch:
+    roots:
+    - ExtraContent
+  ndom:
+    roots:
+    - ExtraContent
+  pave:
+    description: XNU version string?
+    type: string
+    roots:
+    - ExtraContent
   hypr:
     description: Hypervisor
   iBEC:
     description: iBoot Epoch Change
-  iBoot:
+  ibot:
     description: iBoot
+  ibdt:
+  ibd1:
+  glyP:
+  ibss:
+  dven:
+  dcp2:
+  ciof:
+  batF:
+  ansf:
+  rfcg:
+    type: boolean
   iBSS:
     description: iBoot Second Stage
   ienv:
@@ -315,19 +494,21 @@ img4_tags:
   ispf:
     description: Image Signal Processor Firmware
   isys:
-    description: iBridge System
+    description: Install System SSV Root Hash
   itst:
     description:
   iuob:
     description:
   iuos:
-    description:
+    description: Internal Use Only Software
   iuou:
-    description:
+    description: Internal Use Only Unit
   kdlv:
     description:
   krnl:
     description: Kernel
+  acdc:
+    description:
   kuid:
     title: Key encryption key (KEK) Group UUID (kuid)
     description: >
@@ -348,7 +529,8 @@ img4_tags:
   LNCH:
     description:
   lobo:
-    description: Local Boot
+    description: Local Boot Object.  Indicates that the object is to be used as the target of a local boot only
+      and not provided by the server for remote / DFU boots.
   logo:
     description: Apple logo image
   love:
@@ -363,16 +545,25 @@ img4_tags:
         - 1TR
         - recoveryOS
         - macOS
+    roots:
+    - ManifestKey-DataCenter
   prtp:
     description: Product ID String
     type: string
     example: iPhone16,2
+    roots:
+    - ManifestKey-DataCenter
   sdkp:
-    description: SEP Product Type
+    description: SDK for Product
     type: string
-    example: iphoneos
+    roots:
+    - ManifestKey-DataCenter
+    values:
+    - iphoneos
+    - macos
   lphp:
     description:
+  mspr:
   lpnh:
     title: LocalPolicy Nonce Hash (lpnh)
     description: >
@@ -401,7 +592,7 @@ img4_tags:
   magg:
     description:
   MANB:
-    description:
+    description: Manifest B
   MANP:
     description: Manifest Payload
   manx:
@@ -421,7 +612,7 @@ img4_tags:
   msec:
     description:
   msys:
-    description:
+    description: Merkle Tree Metadata for System Disk
   mtfw:
     description:
   name:
@@ -433,7 +624,8 @@ img4_tags:
   nsrv:
     description:
   OBJP:
-    description:
+    description: Object Properties - Values that may be assigned per "object" (firmawres) that contain a `DGST`
+    type: sequence
   omer:
     description:
   ooth:
@@ -462,6 +654,8 @@ img4_tags:
     description:
   pmpf:
     description: Power Management Processor Firmware
+    type: digest-object
+    subtype:
   pndp:
     description:
   prot:
@@ -472,8 +666,8 @@ img4_tags:
       over time (because nonces like lpnh are frequently updated). The prot field, which is found only in each
       macOS LocalPolicy, provides a pairing to indicate the recoveryOS LocalPolicy that corresponds to the
       macOS LocalPolicy.
-    type: binary
-    subtype: sha2-384
+    type: digest-object
+    subtype: trust-measurement
     access:
       write:
         - 1TR
@@ -481,18 +675,25 @@ img4_tags:
         - macOS
   rbmt:
     description:
+  mtpf:
   rddg:
     description:
   rdsk:
-    description: Restore Disk Image
+    description: Restore Disk Image / ramdisk
   rdtr:
     description:
   recm:
     description:
+  rcfg:
+    description: >
+      Appears in certificates issues by factory such as `T6031-SDOM1-TssLive-ManifestKey-RevA-Factory`.
+      Potentially indicates that the policy is for a recovery boot only.
+    type: boolean
   rfta:
     description:
   rfts:
     description:
+  rdcp:
   rkrn:
     description: restore kernel
   rlgo:
@@ -501,6 +702,7 @@ img4_tags:
     description:
   rolp:
     description: recoveryOS local policy
+    type: boolean
   ronh:
     title: recoveryOS Nonce Hash (ronh)
     description: >
@@ -533,6 +735,8 @@ img4_tags:
       change the nsih value implicitly when they perform a software update.
     type: binary
     subtype: sha2-384
+    context:
+      lpol:
     access:
       write:
         - 1TR
@@ -541,9 +745,10 @@ img4_tags:
   spih:
     description: Cryptex1 Image4 Hash
   stng:
-    description: Cryptex1 Generation
+    description: Cryptex1 Generation / Cryptex type?
   auxh:
     description: User Authorized Kext List Hash
+    context:
   rpnh:
     title: Remote Policy Nonce Hash (rpnh)
     description: >
@@ -559,15 +764,19 @@ img4_tags:
         - macOS
   RSCH:
     description: Research mode
+  rcio:
+    description: Restore CIO
   fgpt:
-    description: factory pre-release global trust
+    description: factory glob al pre-release trust
   UDID:
     description: universal device identifier
   rsch:
     description: research mode
   vnum:
-    description: maximum restore version
+    description: Version Number - Update Maximum
     type: string
+    roots:
+    - ExtraContent
   rsep:
     description: Restore SEP Image, paired with oppd/tbms
     type: string
@@ -622,21 +831,21 @@ img4_tags:
   slvn:
     description:
   smb0:
-    description: Secure Multi-Boot 0 - Security Mode - Full Security, Reduced, Disabled
+    description: Secure Multi-Boot 0 - Security Mode - Full Security, Reduced, Disabled - Setting to 1 sets to reduced
   smb1:
-    description: Secure Multi-Boot 1
+    description: Secure Multi-Boot 1 - Setting to 1 allows Permissive
   smb2:
     description: Secure Multi-Boot 2 - 3rd Party Kexts Status
   smb3:
     description: Secure Multi-Boot 3 - User-allowed MDM Control
   smb4:
     description: Secure Multi-Boot 3 - DEP-allowed MDM Control
+  smb5:
+    description: Unknown - but known to exist in Factory signing
   SNON:
     description: SEP Nonce
   snon:
     description: SEP Nonce
-  snuf:
-    description:
   srnm:
     description:
   ster:
@@ -644,12 +853,14 @@ img4_tags:
   svrn:
     description: Server nonce
   tbmr:
-    description: Trusted Boot Measurement (Root?)
+    description: Trusted Boot Measurement (Recovery/Root?)
   tbms:
     description: Trusted Boot Measurement (Signature?)
     notes: Likely encrypted by the SEP and opaque to the AP
   tatp:
-    description: Board Name (such as d84)
+    description: Board Name (such as d84) - Target AP Test
+    roots:
+    - ManifestKey-DataCenter
   tery:
     description:
   test:
@@ -657,11 +868,19 @@ img4_tags:
   tics:
     description:
   trst:
-    description: Trust Cache
+    description: Trust Object
   tsys:
     description:
   type:
     description: Cryptex Type
+    type: integer
+    roots:
+    - ExtraContent
+  caos:
+    description:
+    type: digest-object
+    root:
+    - ExtraContent
   ucer:
     description: User Cert
   ucon:
@@ -671,6 +890,8 @@ img4_tags:
   uidm:
     description:
     type: boolean
+    roots:
+    - ManifestKey-DataCenter
   vice:
     description:
   vkdl:
@@ -689,6 +910,9 @@ img4_tags:
       - macOS
   ware:
     description:
+  sski:
+    description: SHA2 os some kind
+    type: binary
   inst:
     descryption: The key or file to install
   wchf:

data/share/pki.yaml

@@ -5,10 +5,10 @@ metadata:
 certificate_names:
   dcrt: device certificate
   dcrt-oid: device owner certificate
-  lcrt: local certificate?
+  lcrt: Lynx / Secure Storage for SEP Certificate
   pcrt: product/production certificate?
   rcrt: remote/recovery certificate?
-  scrt: server certificate?
+  scrt: SEP Certificate
   tcrt: test certificate?
   ucrt: user certificate (mapps to a single iCloud account)
   vcrt: virtual certificate?
@@ -47,17 +47,23 @@ oids:
     example:
       PUT/FSCl:sik-FXFYFXFFYFFEX-QQRRRDEETFEFYCEIESLIREILCILESCLSELRESERSER
   - oid: 1.2.840.113635.100.6.1.15
+    name: TSS Signing Delegation Constraints
     description:
-      To be signed certificate...
-      Contains the boot policy of the machine during certificate issuance
-      based on boot policy.  includes BORD, ronh, lobo, SDOM, lpnh, rpnh
-      BNCH, CSEC, CHIP, ECID, CPEO, OBJP, EPRO, DPRO, ESEC, DSEC and DGST
+      Constriction on values that can be specified or signed by this certificate.  Conatins two sub-sequesnces, the MANP (Manifest Properties)
+      and the OBJP (Object Properties).  Manifest properties are at the issued IM4M, and object properties are per signed object (firmware).
+      Values of NULL mean tha tthis certificate can sign any value for that property, values that are set are values that must be signed
+      with that value by this certificate.  This is how for example `T6031-SDOM1` is enforced.  The certificate for that set of servers
+      have a null value for ECID (meaning it can be used for any ECID) and have fixed values for CHIP / Security Domain SDOM.
+
+      This is how Live TSS for customers differs from factory signing in what properties it can include.  Factory only manifest properties
+      include `augs`, `uidm`
     found_in:
       - ucrt
       - dcrt-oid
     issuers:
       - Basic Attestation User Sub CA2
       - FDRDC-UCRT-SUBCA
+      - T6031-SDOM1-TssLive-ManifestKey-RevA-Factory
     ous:
       - BAA Certification
       - ucrt Leaf Certificate
@@ -80,7 +86,7 @@ oids:
   - oid: 1.2.840.113635.100.7.1.1
     apple_description: 'Apple FairPlay certificate extended Application Authentication & Authorization: Policy'
   - oid: 1.2.840.113635.100.8.4
-    description: contains 3 integer values in ASN1, the second of which seems to be a 64bit mask of 0xFE000000
+    description: Contains a sequence of integer values.  Some are 0, some are 1, others appear to be int32 bitmasks.
     is_asn_body: true
     is_extension: true
     found_in:
@@ -91,6 +97,7 @@ oids:
     ous:
       - BAA Certification
   - oid: 1.2.840.113635.100.8.5
+    description: Similar in nature to `1.2.840.113635.100.8.4`. Non-integer values observed of `ssca`.
     is_asn_body: true
     is_extension: true
     found_in:
@@ -190,3 +197,28 @@ known_symbols:
     - _oidAppleTVOSApplicationSigningProdQA
 roots:
   FDR-CA1-ROOT-CM:
+  FDR-DC-SSL-ROOT:
+  FDR Sealing Server CA 1:
+    subordinate_cas:
+      FDR-SS-CM-E1:
+  Basic Attestation User Root CA:
+    subordinate_cas:
+      Basic Attestation User Sub CA2:
+        description:
+          Issues `ucrt` subordinate CA's that are used for user level signing.  Under this `BAA Certification`
+          certs are issued.
+  Apple Secure Boot Root CA - G6:
+    subordinate_cas:
+      T6031-SDOM1-RecoveryBoot-RevA-Factory:
+        description:
+      T6031-SDOM1-TssLive-ManifestKey-RevA-Factory:
+  Apple X86 Secure Boot Root CA - G1:
+    subject_key_id: 301680147D73CE0A3B41A1A352D2B1141EF6F5B4DD76E6E8
+    subordinate_cas:
+      T6031-SDOM1-TssLive-ManifestKey-Global-RevA-DataCenter:
+        subject_key_id: 0414D8B9E3E9C4A1C542ECB72FC2CF0C2F861E1B3EEF
+  Apple Extra Content Global Root CA - G1:
+    subject_key_id: 30168014AA63251D082C72A381536C94D2864995881CB0D0
+    subordinate_cas:
+      ZFF10-SDOM1-TssLive-ManifestKey-ExtraContent-Global-RevA-DataCenter:
+        subject_key_id: 041442FEAB470561CE2A7471B55AC0D81AB7536F4B36

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: apple-data
 version: !ruby/object:Gem::Version
-  version: 1.0.603
+  version: 1.0.604
 platform: ruby
 authors:
 - Rick Mark
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-02-15 00:00:00.000000000 Z
+date: 2024-02-18 00:00:00.000000000 Z
 dependencies: []
 description: |2
       This package includes machine readable data about Apple platforms maintained by hack-different.