apple-data 1.0.608 → 1.0.611
- checksums.yaml +4 -4
- data/README.md +1 -1
- data/lib/apple_data/data_file.rb +27 -0
- data/lib/apple_data/version.rb +1 -1
- data/share/backup.yaml +2 -0
- data/share/baseband/qualcomm/mav13.yaml +3 -2
- data/share/baseband/qualcomm/mav20.yaml +43 -42
- data/share/baseband/qualcomm/mav21.yaml +246 -248
- data/share/baseband.yaml +62 -62
- data/share/bluetooth.yaml +33 -33
- data/share/boot_args.yaml +19 -18
- data/share/bridgeos.yaml +5 -0
- data/share/bundles.yaml +42 -40
- data/share/coprocessor.yaml +34 -45
- data/share/cores.yaml +1 -0
- data/share/credits.yaml +3 -0
- data/share/debug.yaml +6 -4
- data/share/device_tree.yaml +1 -1
- data/share/devices/ADP3,1.yaml +3 -0
- data/share/devices/ADP3,2.yaml +3 -0
- data/share/devices/AppleTV5,3.yaml +3 -0
- data/share/devices/AudioAccessory5,1.yaml +3 -0
- data/share/devices/MacBookAir10,1.yaml +3 -0
- data/share/devices/MacBookPro17,1.yaml +3 -0
- data/share/devices/MacBookPro18,1.yaml +3 -0
- data/share/devices/MacBookPro18,2.yaml +3 -0
- data/share/devices/MacBookPro18,3.yaml +3 -0
- data/share/devices/MacBookPro18,4.yaml +3 -0
- data/share/devices/Macmini9,1.yaml +3 -0
- data/share/devices/VirtualMac2,1.yaml +3 -0
- data/share/devices/Watch3,1.yaml +3 -0
- data/share/devices/Watch3,2.yaml +3 -0
- data/share/devices/Watch3,3.yaml +3 -0
- data/share/devices/Watch3,4.yaml +3 -0
- data/share/devices/Watch4,1.yaml +3 -0
- data/share/devices/Watch4,2.yaml +3 -0
- data/share/devices/Watch4,3.yaml +3 -0
- data/share/devices/Watch4,4.yaml +3 -0
- data/share/devices/Watch5,1.yaml +3 -0
- data/share/devices/Watch5,10.yaml +3 -0
- data/share/devices/Watch5,11.yaml +3 -0
- data/share/devices/Watch5,12.yaml +3 -0
- data/share/devices/Watch5,2.yaml +3 -0
- data/share/devices/Watch5,3.yaml +3 -0
- data/share/devices/Watch5,4.yaml +3 -0
- data/share/devices/Watch5,9.yaml +3 -0
- data/share/devices/Watch6,1.yaml +3 -0
- data/share/devices/Watch6,2.yaml +3 -0
- data/share/devices/Watch6,3.yaml +3 -0
- data/share/devices/Watch6,4.yaml +3 -0
- data/share/devices/Watch6,6.yaml +3 -0
- data/share/devices/Watch6,7.yaml +3 -0
- data/share/devices/Watch6,8.yaml +3 -0
- data/share/devices/Watch6,9.yaml +3 -0
- data/share/devices/iBridge2,1.yaml +3 -0
- data/share/devices/iBridge2,10.yaml +3 -0
- data/share/devices/iBridge2,11.yaml +3 -0
- data/share/devices/iBridge2,12.yaml +3 -0
- data/share/devices/iBridge2,13.yaml +3 -0
- data/share/devices/iBridge2,14.yaml +3 -0
- data/share/devices/iBridge2,15.yaml +3 -0
- data/share/devices/iBridge2,16.yaml +3 -0
- data/share/devices/iBridge2,19.yaml +3 -0
- data/share/devices/iBridge2,20.yaml +3 -0
- data/share/devices/iBridge2,21.yaml +3 -0
- data/share/devices/iBridge2,22.yaml +3 -0
- data/share/devices/iBridge2,3.yaml +3 -0
- data/share/devices/iBridge2,4.yaml +3 -0
- data/share/devices/iBridge2,5.yaml +3 -0
- data/share/devices/iBridge2,6.yaml +3 -0
- data/share/devices/iBridge2,7.yaml +3 -0
- data/share/devices/iBridge2,8.yaml +3 -0
- data/share/devices/iMac21,1.yaml +3 -0
- data/share/devices/iMac21,2.yaml +3 -0
- data/share/devices/iPad11,1.yaml +3 -0
- data/share/devices/iPad11,2.yaml +3 -0
- data/share/devices/iPad11,3.yaml +3 -0
- data/share/devices/iPad11,4.yaml +3 -0
- data/share/devices/iPad11,6.yaml +3 -0
- data/share/devices/iPad11,7.yaml +3 -0
- data/share/devices/iPad12,1.yaml +3 -0
- data/share/devices/iPad12,2.yaml +3 -0
- data/share/devices/iPad13,1.yaml +3 -0
- data/share/devices/iPad13,10.yaml +3 -0
- data/share/devices/iPad13,11.yaml +3 -0
- data/share/devices/iPad13,16.yaml +3 -0
- data/share/devices/iPad13,17.yaml +3 -0
- data/share/devices/iPad13,2.yaml +3 -0
- data/share/devices/iPad13,4.yaml +3 -0
- data/share/devices/iPad13,5.yaml +3 -0
- data/share/devices/iPad13,6.yaml +3 -0
- data/share/devices/iPad13,7.yaml +3 -0
- data/share/devices/iPad13,8.yaml +3 -0
- data/share/devices/iPad13,9.yaml +3 -0
- data/share/devices/iPad14,1.yaml +3 -0
- data/share/devices/iPad14,2.yaml +3 -0
- data/share/devices/iPad4,1.yaml +3 -0
- data/share/devices/iPad4,2.yaml +3 -0
- data/share/devices/iPad4,3.yaml +3 -0
- data/share/devices/iPad4,4.yaml +3 -0
- data/share/devices/iPad4,5.yaml +3 -0
- data/share/devices/iPad4,6.yaml +3 -0
- data/share/devices/iPad4,7.yaml +3 -0
- data/share/devices/iPad4,8.yaml +3 -0
- data/share/devices/iPad4,9.yaml +3 -0
- data/share/devices/iPad5,1.yaml +3 -0
- data/share/devices/iPad5,2.yaml +3 -0
- data/share/devices/iPad5,3.yaml +3 -0
- data/share/devices/iPad5,4.yaml +3 -0
- data/share/devices/iPad6,11.yaml +3 -0
- data/share/devices/iPad6,12.yaml +3 -0
- data/share/devices/iPad6,3.yaml +3 -0
- data/share/devices/iPad6,4.yaml +3 -0
- data/share/devices/iPad6,7.yaml +3 -0
- data/share/devices/iPad6,8.yaml +3 -0
- data/share/devices/iPad7,1.yaml +3 -0
- data/share/devices/iPad7,11.yaml +3 -0
- data/share/devices/iPad7,12.yaml +3 -0
- data/share/devices/iPad7,2.yaml +3 -0
- data/share/devices/iPad7,3.yaml +3 -0
- data/share/devices/iPad7,4.yaml +3 -0
- data/share/devices/iPad7,5.yaml +3 -0
- data/share/devices/iPad7,6.yaml +3 -0
- data/share/devices/iPad8,1.yaml +3 -0
- data/share/devices/iPad8,10.yaml +3 -0
- data/share/devices/iPad8,11.yaml +3 -0
- data/share/devices/iPad8,12.yaml +3 -0
- data/share/devices/iPad8,2.yaml +3 -0
- data/share/devices/iPad8,3.yaml +3 -0
- data/share/devices/iPad8,4.yaml +3 -0
- data/share/devices/iPad8,5.yaml +3 -0
- data/share/devices/iPad8,6.yaml +3 -0
- data/share/devices/iPad8,7.yaml +3 -0
- data/share/devices/iPad8,8.yaml +3 -0
- data/share/devices/iPad8,9.yaml +3 -0
- data/share/devices/iPhone10,1.yaml +3 -0
- data/share/devices/iPhone10,2.yaml +3 -0
- data/share/devices/iPhone10,3.yaml +3 -0
- data/share/devices/iPhone10,4.yaml +3 -0
- data/share/devices/iPhone10,5.yaml +3 -0
- data/share/devices/iPhone10,6.yaml +3 -0
- data/share/devices/iPhone11,2.yaml +3 -0
- data/share/devices/iPhone11,4.yaml +3 -0
- data/share/devices/iPhone11,6.yaml +3 -0
- data/share/devices/iPhone11,8.yaml +3 -0
- data/share/devices/iPhone12,1.yaml +3 -0
- data/share/devices/iPhone12,3.yaml +3 -0
- data/share/devices/iPhone12,5.yaml +3 -0
- data/share/devices/iPhone12,8.yaml +3 -0
- data/share/devices/iPhone13,1.yaml +3 -0
- data/share/devices/iPhone13,2.yaml +3 -0
- data/share/devices/iPhone13,3.yaml +3 -0
- data/share/devices/iPhone13,4.yaml +3 -0
- data/share/devices/iPhone14,2.yaml +3 -0
- data/share/devices/iPhone14,3.yaml +3 -0
- data/share/devices/iPhone14,4.yaml +3 -0
- data/share/devices/iPhone14,5.yaml +3 -0
- data/share/devices/iPhone14,6.yaml +3 -0
- data/share/devices/iPhone6,1.yaml +3 -0
- data/share/devices/iPhone6,2.yaml +3 -0
- data/share/devices/iPhone7,1.yaml +3 -0
- data/share/devices/iPhone7,2.yaml +3 -0
- data/share/devices/iPhone8,1.yaml +3 -0
- data/share/devices/iPhone8,2.yaml +3 -0
- data/share/devices/iPhone8,4.yaml +3 -0
- data/share/devices/iPhone9,1.yaml +3 -0
- data/share/devices/iPhone9,2.yaml +3 -0
- data/share/devices/iPhone9,3.yaml +3 -0
- data/share/devices/iPhone9,4.yaml +3 -0
- data/share/devices/iPod7,1.yaml +3 -0
- data/share/devices/iPod9,1.yaml +3 -0
- data/share/devices/iProd99,1.yaml +3 -0
- data/share/dnssd.yaml +2 -0
- data/share/entitlements.yaml +2991 -2989
- data/share/environment_variables.yaml +55 -54
- data/share/esim.yaml +4 -3
- data/share/fdr.yaml +31 -28
- data/share/firmware.yaml +5 -3
- data/share/homekit.yaml +11 -9
- data/share/iboot.yaml +141 -135
- data/share/icloud.yaml +1 -1
- data/share/img4.yaml +86 -122
- data/share/ioreg.yaml +625 -623
- data/share/ipsw.yaml +155098 -155096
- data/share/kext.yaml +427 -425
- data/share/keybags/8103.yaml +0 -1
- data/share/keys.yaml +29 -25
- data/share/launchd/services_bridgeOS_6.1.yaml +3 -0
- data/share/lightning.yaml +10 -10
- data/share/lockdownd.yaml +2 -1
- data/share/mach_o.yaml +3 -0
- data/share/mobile_gestalt.yaml +2 -0
- data/share/nvram.yaml +2 -0
- data/share/ota.yaml +7 -8
- data/share/pallas.yaml +2 -1
- data/share/pki.yaml +11 -8
- data/share/platforms.yaml +19 -19
- data/share/pmu.yaml +2 -0
- data/share/registers.yaml +1 -1
- data/share/resources.yaml +198 -198
- data/share/sandbox.yaml +1 -1
- data/share/sep.yaml +132 -131
- data/share/services.yaml +2 -0
- data/share/sip.yaml +2 -0
- data/share/smc.yaml +1 -1
- data/share/syscfg.yaml +103 -77
- data/share/terms.yaml +505 -107
- data/share/vmapple.yaml +25 -25
- metadata +2 -3
- data/share/devices/iPhone15,2.yaml +0 -0
data/share/img4.yaml
CHANGED
@@ -2,18 +2,20 @@
|
|
2
2
|
metadata:
|
3
3
|
description:
|
4
4
|
credits:
|
5
|
+
collections:
|
6
|
+
- img4_tags
|
5
7
|
types:
|
6
8
|
digest-object:
|
7
|
-
description: Digest Objects are
|
8
|
-
exist in NOR, Disk, or be received over USB. These objects will contain
|
9
|
-
value that is the cryptographic hash of the contents. They can contain
|
10
|
-
properties per object, some of which are standard and others that
|
11
|
-
specific.
|
9
|
+
description: Digest Objects are Firmware or Other Hash-able binary streams. They
|
10
|
+
will exist in NOR, Disk, or be received over USB. These objects will contain
|
11
|
+
a `DGST` value that is the cryptographic hash of the contents. They can contain
|
12
|
+
additional properties per object, some of which are standard and others that
|
13
|
+
are object specific.
|
12
14
|
common_properties:
|
13
15
|
ESEC: Effective Security Mode - The security mode after evaluating the chip
|
14
16
|
and any demotion request
|
15
|
-
EPRO: Effective Production Mode - The
|
16
|
-
production and
|
17
|
+
EPRO: Effective Production Mode - The production mode after evaluating the chip
|
18
|
+
production and demotion request
|
17
19
|
EKEY: Effective Key Access - The effective access to teh SEP, used to protect
|
18
20
|
data during demotion
|
19
21
|
subtypes:
|
@@ -24,9 +26,9 @@ types:
|
|
24
26
|
taken. To date the trust measurement is commonly found on SEP firmware images.
|
25
27
|
ssv-root-hash:
|
26
28
|
description: Root Hash values are used to validate the Signature of an APFS
|
27
|
-
Signed volume or snapshot. They will be paired to a
|
28
|
-
also are paired with `ssv-merkle-tree` which includes the metadata
|
29
|
-
volume.
|
29
|
+
Signed volume or snapshot. They will be paired to a corresponding disk
|
30
|
+
image. Some also are paired with `ssv-merkle-tree` which includes the metadata
|
31
|
+
for the volume.
|
30
32
|
trust-cache:
|
31
33
|
img4-disk-image:
|
32
34
|
description: Disk images are often signed IMG4 payloads used for USB boot
|
@@ -42,10 +44,9 @@ img4_tags:
|
|
42
44
|
description:
|
43
45
|
acib:
|
44
46
|
description:
|
45
|
-
AcID:
|
46
|
-
description: Apple Account DSID
|
47
|
-
type: integer
|
48
47
|
acid:
|
48
|
+
description: Apple Account Directory Services ID (DSID)
|
49
|
+
type: integer
|
49
50
|
aciw:
|
50
51
|
description:
|
51
52
|
ADCL:
|
@@ -58,7 +59,7 @@ img4_tags:
|
|
58
59
|
AMNM:
|
59
60
|
description: allow mix-n-match When set to true, img4s can be any valid signed
|
60
61
|
version, allowing for unusual AP tickets where some components may be from a
|
61
|
-
prior
|
62
|
+
prior version
|
62
63
|
type: boolean
|
63
64
|
anef:
|
64
65
|
description: Apple Neural Engine Firmware
|
@@ -88,8 +89,8 @@ img4_tags:
|
|
88
89
|
augs:
|
89
90
|
description: Auxiliary System Image Included in APTicket CA extensions, as well
|
90
91
|
as factory manifests. All cryptex manifests, and APTickets other then the root
|
91
|
-
APTicket (the one that is used directly from NOR) have this set to 1,
|
92
|
-
that it is an an addition or replacement to APTicket, but only if
|
92
|
+
APTicket (the one that is used directly from NOR) have this set to 1, indicating
|
93
|
+
that it is an an addition or replacement to APTicket, but only if authorized. It
|
93
94
|
also seems to travel with `aubt` and `aupr`
|
94
95
|
roots:
|
95
96
|
- ExtraContent
|
@@ -101,7 +102,7 @@ img4_tags:
|
|
101
102
|
context:
|
102
103
|
auxi:
|
103
104
|
title: Auxiliary Image4 Manifest Hash (`auxi`)
|
104
|
-
description:
|
105
|
+
description: After the system verifies that the UAKL hash matches what’s found
|
105
106
|
in the `auxp` field of the LocalPolicy, it requests that the AuxKC be signed
|
106
107
|
by the Secure Enclave processor application that’s responsible for LocalPolicy
|
107
108
|
signing. Next, an SHA384 hash of the AuxKC Image4 manifest signature is placed
|
@@ -115,8 +116,6 @@ img4_tags:
|
|
115
116
|
for setting the auxi field in the LocalPolicy. Users change the auxi value implicitly
|
116
117
|
when they change the UAKL by approving a kext from the Security & Privacy pane
|
117
118
|
in System Preferences.
|
118
|
-
|
119
|
-
'
|
120
119
|
type: digest-object
|
121
120
|
subtype: manifest
|
122
121
|
access:
|
@@ -126,13 +125,11 @@ img4_tags:
|
|
126
125
|
description: Auxiliary Kernel Cache
|
127
126
|
auxp:
|
128
127
|
title: Auxiliary Policy Hash (auxp)
|
129
|
-
description:
|
128
|
+
description: The `auxp` is an SHA384 hash of the user-authorized kext list (UAKL)
|
130
129
|
policy. This is used at AuxKC generation time to help ensure that only user-authorized
|
131
130
|
kexts are included in the AuxKC. `smb2` is a prerequisite for setting this field.
|
132
131
|
Users change the `auxp` value implicitly when they change the UAKL by approving
|
133
132
|
a kext from the Security & Privacy pane in System Preferences.
|
134
|
-
|
135
|
-
'
|
136
133
|
type: binary
|
137
134
|
subtype: sha2-384
|
138
135
|
access:
|
@@ -140,7 +137,7 @@ img4_tags:
|
|
140
137
|
- macOS
|
141
138
|
auxr:
|
142
139
|
title: Auxiliary Kernel Collection (AuxKC) Receipt Hash (auxr)
|
143
|
-
description:
|
140
|
+
description: The `auxr` is an SHA384 hash of the AuxKC receipt, which indicates
|
144
141
|
the exact set of kexts that were included into the AuxKC. The AuxKC receipt
|
145
142
|
can be a subset of the UAKL, because kexts can be excluded from the AuxKC even
|
146
143
|
if they’re user authorized if they’re known to be used for attacks. In addition,
|
@@ -150,8 +147,6 @@ img4_tags:
|
|
150
147
|
The auxp field is a prerequisite for setting the auxr field in the LocalPolicy.
|
151
148
|
Users change the auxr value implicitly when they build a new AuxKC from the
|
152
149
|
Security & Privacy pane in System Preferences.
|
153
|
-
|
154
|
-
'
|
155
150
|
type: digest-object
|
156
151
|
subtype: sha2-384
|
157
152
|
access:
|
@@ -177,27 +172,26 @@ img4_tags:
|
|
177
172
|
description: Bluetooth MAC Address
|
178
173
|
manifest: true
|
179
174
|
BNCH:
|
180
|
-
title: Boot Nonce Hash
|
175
|
+
title: Boot Nonce Cryptographic Hash
|
181
176
|
description: Based on the values of com.apple.System.boot-nonces
|
182
177
|
type: nonce
|
183
178
|
subtype:
|
184
179
|
BORD:
|
185
180
|
description: |-
|
186
|
-
The board the chip is attached to. With iPhones/iPads this is the variation between
|
187
|
-
also used for low cost devices like the SE/XR). This is
|
188
|
-
|
181
|
+
The board the chip is attached to. With iPhones/iPads this is the variation between
|
182
|
+
device sizes (occasionally also used for low cost devices like the SE/XR). This is
|
183
|
+
usually expressed as a hex encoded uint8_t. Some types of board seem to encode a
|
184
|
+
bitfield for non MP (mainline production) boards such as EVT/DVT
|
189
185
|
|
190
186
|
With the T2 this value is unique to all MacBooks with the T2.
|
191
187
|
type: integer
|
192
188
|
alias:
|
193
189
|
- board-id
|
194
190
|
bstc:
|
195
|
-
title: Base
|
196
|
-
description:
|
191
|
+
title: Base System Trust Cache
|
192
|
+
description: The Base System Trust Cache is the static trust cache (a file containing
|
197
193
|
a list of CDHashes that is to be trusted and executed at platform trust.) that
|
198
|
-
|
199
|
-
|
200
|
-
'
|
194
|
+
corresponds to the Base System (typically arm64BaseSystem.dmg).
|
201
195
|
type: digest-object
|
202
196
|
subtype: trust-cache
|
203
197
|
bsys:
|
@@ -217,8 +211,8 @@ img4_tags:
|
|
217
211
|
- ExtraContent
|
218
212
|
CEPO:
|
219
213
|
description: |-
|
220
|
-
Certificate/Chip Epoch. This is a unit of roll-forward time (monotonic) that
|
221
|
-
in the prior epoch to be fixed by a anti-rollback scheme.
|
214
|
+
Certificate/Chip Epoch. This is a unit of roll-forward time (monotonic) that
|
215
|
+
allows for any security issues in the prior epoch to be fixed by a anti-rollback scheme.
|
222
216
|
nullable: true
|
223
217
|
type: boolean
|
224
218
|
alias:
|
@@ -240,7 +234,7 @@ img4_tags:
|
|
240
234
|
width: 2
|
241
235
|
CHMH:
|
242
236
|
title: Chained Manifest Hash
|
243
|
-
description: Appears in
|
237
|
+
description: Appears in manifest / APTickets where the ticket is chained from
|
244
238
|
another via `nish` or `nsph`.
|
245
239
|
ciof:
|
246
240
|
cker:
|
@@ -261,25 +255,23 @@ img4_tags:
|
|
261
255
|
- ExtraContent
|
262
256
|
coih:
|
263
257
|
title: CustomOS Image4 Manifest Hash (coih)
|
264
|
-
description:
|
258
|
+
description: The `coih` is an SHA384 hash of CustomOS Image4 manifest. The payload
|
265
259
|
for that manifest is used by iBoot (instead of the XNU kernel) to transfer control.
|
266
260
|
Users change the `coih` value implicitly when they use the `kmutil` configure-boot
|
267
261
|
command-line tool in 1TR.
|
268
|
-
|
269
|
-
'
|
270
262
|
type: digest-object
|
271
263
|
subtype: IM4M
|
272
264
|
access:
|
273
265
|
write:
|
274
266
|
- 1TR
|
275
267
|
CPRO:
|
276
|
-
description:
|
268
|
+
description: Certificate Promotion Mode
|
277
269
|
alias:
|
278
270
|
- certificate-production-status
|
279
271
|
nullable: true
|
280
272
|
type: boolean
|
281
273
|
CSEC:
|
282
|
-
description:
|
274
|
+
description: Certificate Security Mode
|
283
275
|
type: boolean
|
284
276
|
nullable: true
|
285
277
|
alias:
|
@@ -312,7 +304,7 @@ img4_tags:
|
|
312
304
|
description:
|
313
305
|
DPRO:
|
314
306
|
description: Demote from Production Request Value is used by TSS sever to issue
|
315
|
-
EPRO values, or effective AP
|
307
|
+
EPRO values, or effective AP production state.
|
316
308
|
DSEC:
|
317
309
|
description: Demote from Secure Request Value is used by TSS server to issue ESEC
|
318
310
|
values, or effective AP Security Mode should the requester be authorized. These
|
@@ -389,23 +381,19 @@ img4_tags:
|
|
389
381
|
description:
|
390
382
|
FSCl:
|
391
383
|
ftab:
|
392
|
-
description:
|
393
|
-
|
394
|
-
|
395
|
-
|
396
|
-
|
384
|
+
description: Factory Trust - Auto Boot FTAB images (used for devices such as AirPods,
|
385
|
+
etc) are "hacktivated" or pre-APTicket'ed devices as they lack either a restore
|
386
|
+
connection, or persistent memory. Common early usage of this was the Haywire
|
387
|
+
dongles used for video conversion on the Mac. It was simplest for the device
|
388
|
+
to lack NAND and simply receive the firmware from a host on power-up. FTAB
|
397
389
|
files are fully ready to run blobs often including RTKit OS based memory images.
|
398
|
-
|
399
|
-
'
|
400
390
|
ftap:
|
401
|
-
description:
|
402
|
-
|
403
|
-
'
|
391
|
+
description: Factory Trust/FIPS Test? - Application Processor
|
404
392
|
type: hash
|
405
393
|
ftot:
|
406
|
-
description: Factory Trust - Other
|
394
|
+
description: Factory Trust/FIPS Test? - Other
|
407
395
|
ftsp:
|
408
|
-
description: Factory Trust - SEP
|
396
|
+
description: Factory Trust/FIPS Test? - SEP
|
409
397
|
type: hash
|
410
398
|
fuos:
|
411
399
|
description: Fully Unsigned OS
|
@@ -432,12 +420,10 @@ img4_tags:
|
|
432
420
|
hop0:
|
433
421
|
hrlp:
|
434
422
|
title: Has Secure Enclave Signed recoveryOS Local Policy (hrlp)
|
435
|
-
description:
|
423
|
+
description: The `hrlp` indicates whether or not the `prot` value is the measurement
|
436
424
|
of a Secure Enclave–signed recoveryOS LocalPolicy. If not, then the recoveryOS
|
437
425
|
LocalPolicy is signed by the Apple online signing server, which signs things
|
438
426
|
such as macOS Image4 files.
|
439
|
-
|
440
|
-
'
|
441
427
|
type: boolean
|
442
428
|
access:
|
443
429
|
write:
|
@@ -468,7 +454,7 @@ img4_tags:
|
|
468
454
|
IMG4:
|
469
455
|
description:
|
470
456
|
inst:
|
471
|
-
|
457
|
+
description: The key or file to install
|
472
458
|
ipdf:
|
473
459
|
description:
|
474
460
|
isor:
|
@@ -491,12 +477,10 @@ img4_tags:
|
|
491
477
|
description: Kernel
|
492
478
|
kuid:
|
493
479
|
title: Key encryption key (KEK) Group UUID (kuid)
|
494
|
-
description:
|
480
|
+
description: The kuid indicates the volume that was booted. The key encryption
|
495
481
|
key has typically been used for Data Protection. For each LocalPolicy, it’s
|
496
482
|
used to protect the LocalPolicy signing key. The kuid is set by the user implicitly
|
497
483
|
when creating a new operating system install.
|
498
|
-
|
499
|
-
'
|
500
484
|
type: binary
|
501
485
|
subtype: sha2-384
|
502
486
|
access:
|
@@ -511,7 +495,7 @@ img4_tags:
|
|
511
495
|
LLB:
|
512
496
|
description: Low Level iBoot
|
513
497
|
LNCH:
|
514
|
-
description:
|
498
|
+
description: Local Policy Nonce Cryptographic Hash
|
515
499
|
lobo:
|
516
500
|
description: Local Boot Object. Indicates that the object is to be used as the
|
517
501
|
target of a local boot only and not provided by the server for remote / DFU
|
@@ -520,11 +504,9 @@ img4_tags:
|
|
520
504
|
description: Apple logo image
|
521
505
|
love:
|
522
506
|
title: Long Operating System Version (love)
|
523
|
-
description:
|
507
|
+
description: The love indicates the OS version that the LocalPolicy is created
|
524
508
|
for. The version is obtained from the next state manifest during LocalPolicy
|
525
509
|
creation and is used to enforce recoveryOS pairing restrictions.
|
526
|
-
|
527
|
-
'
|
528
510
|
type: string
|
529
511
|
example: 21.3.66.0.0,0
|
530
512
|
access:
|
@@ -538,22 +520,20 @@ img4_tags:
|
|
538
520
|
description:
|
539
521
|
lpnh:
|
540
522
|
title: LocalPolicy Nonce Hash (lpnh)
|
541
|
-
description:
|
542
|
-
|
543
|
-
|
544
|
-
|
545
|
-
|
546
|
-
|
547
|
-
|
548
|
-
|
549
|
-
|
550
|
-
|
523
|
+
description: The lpnh is used for anti-replay of the LocalPolicy. This is an SHA384
|
524
|
+
hash of the LocalPolicy Nonce (LPN), which is stored in the Secure Storage Component
|
525
|
+
and accessible using the Secure Enclave Boot ROM or Secure Enclave. The raw
|
526
|
+
nonce is never visible to the Application Processor, only to the sepOS. An attacker
|
527
|
+
wanting to convince LLB that a previous LocalPolicy they had captured was valid
|
528
|
+
would need to place a value into the Secure Storage Component, which hashes
|
529
|
+
to the same lpnh value found in the LocalPolicy they want to replay. Normally
|
530
|
+
there is a single LPN valid on the system—except during software updates, when
|
531
|
+
two are simultaneously valid—to allow for the possibility of falling back to
|
532
|
+
booting the old software in the event of an update error. When any LocalPolicy
|
551
533
|
for any operating system is changed, all policies are re-signed with the new
|
552
534
|
lpnh value corresponding to the new LPN found in the Secure Storage Component.
|
553
535
|
This change happens when the user changes security settings or creates new operating
|
554
536
|
systems with a new LocalPolicy for each.
|
555
|
-
|
556
|
-
'
|
557
537
|
type: binary
|
558
538
|
subtype: sha2-384
|
559
539
|
access:
|
@@ -590,15 +570,13 @@ img4_tags:
|
|
590
570
|
description:
|
591
571
|
mspr:
|
592
572
|
msys:
|
593
|
-
description:
|
594
|
-
|
595
|
-
|
596
|
-
|
597
|
-
|
598
|
-
|
599
|
-
|
600
|
-
|
601
|
-
'
|
573
|
+
description: System Volume Canonical Metadata Contains a Merkle Tree of the System
|
574
|
+
Volume. The Merkle-Tree is used to verify Signed System Volume, in a similar
|
575
|
+
way to a Git repository, where every file is included in the tree of the folder
|
576
|
+
and so on up to the root node. The root node is validated against the corresponding
|
577
|
+
`root_hash`. The inclusion of the merkle tree allows for discovery of where
|
578
|
+
the system volume's data is broken, as the root_hash can only tell you if it
|
579
|
+
is broken.
|
602
580
|
mtfw:
|
603
581
|
description:
|
604
582
|
mtpf:
|
@@ -609,8 +587,8 @@ img4_tags:
|
|
609
587
|
- ExtraContent
|
610
588
|
nish:
|
611
589
|
title: Next Stage Image4 Manifest Hash (nsih)
|
612
|
-
description:
|
613
|
-
|
590
|
+
description: The nsih field represents an SHA384 hash of the Image4 manifest data
|
591
|
+
structure that describes the booted macOS. The macOS Image4 manifest contains
|
614
592
|
measurements for all the boot objects—such as iBoot, the static trust cache,
|
615
593
|
device tree, Boot Kernel Collection, and signed system volume (SSV) volume root
|
616
594
|
hash. When LLB is directed to boot a given macOS, it’s designed to ensure that
|
@@ -618,8 +596,6 @@ img4_tags:
|
|
618
596
|
in the nsih field of the LocalPolicy. In this way, the nsih captures the user
|
619
597
|
intention of what operating system the user has created a LocalPolicy for. Users
|
620
598
|
change the nsih value implicitly when they perform a software update.
|
621
|
-
|
622
|
-
'
|
623
599
|
type: binary
|
624
600
|
subtype: sha2-384
|
625
601
|
context:
|
@@ -634,11 +610,11 @@ img4_tags:
|
|
634
610
|
nsih:
|
635
611
|
description: Next Stage Image Hash
|
636
612
|
nsph:
|
637
|
-
description: Next Stage
|
613
|
+
description: Next Stage pre-boot splat manifest hash
|
638
614
|
nsrv:
|
639
615
|
description:
|
640
616
|
OBJP:
|
641
|
-
description: Object Properties - Values that may be assigned per "object" (
|
617
|
+
description: Object Properties - Values that may be assigned per "object" (firmwares)
|
642
618
|
that contain a `DGST`
|
643
619
|
type: sequence
|
644
620
|
omer:
|
@@ -656,10 +632,7 @@ img4_tags:
|
|
656
632
|
owns:
|
657
633
|
description:
|
658
634
|
pave:
|
659
|
-
description:
|
660
|
-
Cryptex.
|
661
|
-
|
662
|
-
'
|
635
|
+
description: Pre-authorization Version (XNU) The version of a pre-authorized Cryptex.
|
663
636
|
type: string
|
664
637
|
roots:
|
665
638
|
- ExtraContent
|
@@ -687,14 +660,12 @@ img4_tags:
|
|
687
660
|
description: Encrypted Private Key / Private Key Info
|
688
661
|
prot:
|
689
662
|
title: Paired recoveryOS Trusted Boot Policy Measurement (prot)
|
690
|
-
description:
|
691
|
-
|
663
|
+
description: A paired recoveryOS Trusted Boot Policy Measurement (TBPM) is a special
|
664
|
+
iterative SHA384 hash calculation over the Image4 manifest of a LocalPolicy,
|
692
665
|
excluding nonces, in order to give a consistent measurement over time (because
|
693
666
|
nonces like lpnh are frequently updated). The prot field, which is found only
|
694
667
|
in each macOS LocalPolicy, provides a pairing to indicate the recoveryOS LocalPolicy
|
695
668
|
that corresponds to the macOS LocalPolicy.
|
696
|
-
|
697
|
-
'
|
698
669
|
type: digest-object
|
699
670
|
subtype: trust-measurement
|
700
671
|
access:
|
@@ -717,10 +688,8 @@ img4_tags:
|
|
717
688
|
rbmt:
|
718
689
|
description:
|
719
690
|
rcfg:
|
720
|
-
description:
|
721
|
-
|
722
|
-
|
723
|
-
'
|
691
|
+
description: Appears in certificates issues by factory such as `T6031-SDOM1-TssLive-ManifestKey-RevA-Factory`. Potentially
|
692
|
+
indicates that the policy is for a recovery boot only.
|
724
693
|
type: boolean
|
725
694
|
rcio:
|
726
695
|
description: Restore CIO
|
@@ -755,18 +724,16 @@ img4_tags:
|
|
755
724
|
type: boolean
|
756
725
|
ronh:
|
757
726
|
title: recoveryOS Nonce Hash (ronh)
|
758
|
-
description:
|
727
|
+
description: The ronh behaves the same way as the lpnh, but is found exclusively
|
759
728
|
in the LocalPolicy for system recoveryOS. It’s updated when the system recoveryOS
|
760
729
|
is updated, such as on software updates. A separate nonce from the lpnh and
|
761
730
|
rpnh is used so that when a device is put into a disabled state by Find My,
|
762
731
|
existing operating systems can be disabled (by removing their LPN and RPN from
|
763
732
|
the Secure Storage Component), while still leaving the system recoveryOS bootable.
|
764
|
-
In this way, the operating systems can be
|
733
|
+
In this way, the operating systems can be re-enabled when the system owner proves
|
765
734
|
their control over the system by putting in their iCloud password used for the
|
766
735
|
Find My account. This change happens when a user updates the system recoveryOS
|
767
736
|
or creates new operating systems.
|
768
|
-
|
769
|
-
'
|
770
737
|
type: binary
|
771
738
|
subtype: sha2-384
|
772
739
|
access:
|
@@ -778,11 +745,9 @@ img4_tags:
|
|
778
745
|
description:
|
779
746
|
rpnh:
|
780
747
|
title: Remote Policy Nonce Hash (rpnh)
|
781
|
-
description:
|
748
|
+
description: The rpnh behaves the same way as the lpnh but is updated only when
|
782
749
|
the remote policy is updated, such as when changing the state of Find My enrollment.
|
783
750
|
This change happens when the user changes the state of Find My on their Mac.
|
784
|
-
|
785
|
-
'
|
786
751
|
type: binary
|
787
752
|
subtype: sha2-384
|
788
753
|
access:
|
@@ -841,16 +806,17 @@ img4_tags:
|
|
841
806
|
alias:
|
842
807
|
- security-domain
|
843
808
|
secb:
|
844
|
-
description: Sets a security value such as `trst` or the FDR signing trust object.
|
845
|
-
blob?". Known to include `trst` (yes a `trst` partition with a `secb`
|
846
|
-
`rssl` (Factory SSL root CA), `rvok` (Revocation
|
809
|
+
description: Sets a security value such as `trst` or the FDR signing trust object.
|
810
|
+
"security blob?". Known to include `trst` (yes a `trst` partition with a `secb`
|
811
|
+
object with a `trst` object), `rssl` (Factory SSL root CA), `rvok` (Revocation
|
812
|
+
list) and `trpk` (trusted public keys?)
|
847
813
|
SECM:
|
848
814
|
description:
|
815
|
+
sei3:
|
816
|
+
description: Secure Enclave ID (alternate)? Appears to have a value identical
|
817
|
+
to `seid`.
|
849
818
|
seid:
|
850
819
|
description: Secure Enclave ID
|
851
|
-
sei3:
|
852
|
-
description: Secure Enclave ID (alternate)?
|
853
|
-
Appears to have a value identical to `seid`.
|
854
820
|
sepi:
|
855
821
|
description: SEP Image, contains oppd and tbms in seal
|
856
822
|
type: string
|
@@ -910,7 +876,7 @@ img4_tags:
|
|
910
876
|
type: string
|
911
877
|
encoding: sha2-384
|
912
878
|
stID:
|
913
|
-
description: Station
|
879
|
+
description: Station Identifier
|
914
880
|
stng:
|
915
881
|
description: Cryptex1 Generation / Cryptex type?
|
916
882
|
styp:
|
@@ -985,12 +951,10 @@ img4_tags:
|
|
985
951
|
- ExtraContent
|
986
952
|
vuid:
|
987
953
|
title: APFS volume group UUID (vuid)
|
988
|
-
description:
|
954
|
+
description: The vuid indicates the volume group the kernel should use as root.
|
989
955
|
This field is primarily informational and isn’t used for security constraints.
|
990
956
|
This vuid is set by the user implicitly when creating a new operating system
|
991
957
|
install.
|
992
|
-
|
993
|
-
'
|
994
958
|
type: binary
|
995
959
|
subtype: sha2-384
|
996
960
|
access:
|