apple-data 1.0.611 → 1.0.612

Sign up to get free protection for your applications and to get access to all the features.
data/share/img4.yaml CHANGED
@@ -2,8 +2,34 @@
2
2
  metadata:
3
3
  description:
4
4
  credits:
5
+ - https://www.theiphonewiki.com/wiki/IMG4_File_Format
6
+ - rickmark
5
7
  collections:
6
8
  - img4_tags
9
+ - manifest_properties
10
+ - objects
11
+ - lpol_properties
12
+ - core
13
+ - types
14
+ - cryptex_properties
15
+ core:
16
+ IM4M:
17
+ description: Image4 Manifest Object (No payload, only manifest). IM4M, verion,
18
+ IM4P:
19
+ description: Image4 Payload (No Manifest, Only Data). Contains IM4P, type, description,
20
+ data and optional keybags
21
+ IM4R:
22
+ description: Image4 Recovery
23
+ IMG4:
24
+ description: Wrapper for all Image4 Objects (Payload, Manifest, Recovery)
25
+ MANB:
26
+ description: Manifest Body
27
+ MANP:
28
+ description: Manifest Properties
29
+ OBJP:
30
+ description: Object Properties - Values that may be assigned per "object" (firmwares)
31
+ that contain a `DGST`
32
+ type: sequence
7
33
  types:
8
34
  digest-object:
9
35
  description: Digest Objects are Firmware or Other Hash-able binary streams. They
@@ -12,12 +38,25 @@ types:
12
38
  additional properties per object, some of which are standard and others that
13
39
  are object specific.
14
40
  common_properties:
15
- ESEC: Effective Security Mode - The security mode after evaluating the chip
16
- and any demotion request
17
- EPRO: Effective Production Mode - The production mode after evaluating the chip
18
- production and demotion request
19
- EKEY: Effective Key Access - The effective access to teh SEP, used to protect
20
- data during demotion
41
+ DGST: The cryptographic digest of the object
42
+ EKEY:
43
+ description: Effective Key Access - The effective access to teh SEP, used
44
+ to protect data during demotion. Effective chip promoted
45
+ nullable: false
46
+ type: boolean
47
+ ESEC:
48
+ description: Effective Security Mode - The security mode after evaluating
49
+ the chip and any demotion request
50
+ alias:
51
+ - effective-security-mode-ap
52
+ EPRO:
53
+ description: Effective Production Mode - The production mode after evaluating
54
+ the chip production and demotion request. Effective chip promotion / demotion
55
+ state (if CPFM 03 this must be 0 to set ESEC)
56
+ alias:
57
+ - effective-production-status-ap
58
+ nullable: false
59
+ type: boolean
21
60
  subtypes:
22
61
  local-boot-object:
23
62
  trust-measurement:
@@ -35,71 +74,33 @@ types:
35
74
  or as the arm64BaseSystem.dmg. IMG4 is used for smaller disk images that
36
75
  can be entirely validated "single shot" unlike larger disks which use SSV
37
76
  and validate on read.
38
- img4_tags:
39
- acdc:
40
- description:
41
- acfw:
42
- description:
43
- ache:
44
- description:
45
- acib:
46
- description:
47
- acid:
48
- description: Apple Account Directory Services ID (DSID)
49
- type: integer
50
- aciw:
51
- description:
52
- ADCL:
53
- ader:
54
- description:
55
- agfi:
56
- description:
57
- almo:
58
- description: Some internal iBootable image. Unknown purpose
59
- AMNM:
60
- description: allow mix-n-match When set to true, img4s can be any valid signed
61
- version, allowing for unusual AP tickets where some components may be from a
62
- prior version
63
- type: boolean
64
- anef:
65
- description: Apple Neural Engine Firmware
66
- type: digest-object
67
- roots:
68
- - ManifestKey-DataCenter
69
- anrd:
70
- description:
71
- ansf:
72
- aofi:
73
- description:
74
- aopf:
75
- description: Always on processor firmware
76
- type: digest-object
77
- roots:
78
- - ManifestKey-DataCenter
79
- apmv:
80
- description:
81
- ater:
82
- description:
83
- atkh:
84
- description:
85
- auac:
86
- description:
87
- aubt:
88
- description: Audio Boot Chime
89
- augs:
90
- description: Auxiliary System Image Included in APTicket CA extensions, as well
91
- as factory manifests. All cryptex manifests, and APTickets other then the root
92
- APTicket (the one that is used directly from NOR) have this set to 1, indicating
93
- that it is an an addition or replacement to APTicket, but only if authorized. It
94
- also seems to travel with `aubt` and `aupr`
95
- roots:
96
- - ExtraContent
97
- - ManifestKey
98
- aupr:
99
- description: Audio Power Attach Chime
100
- auxh:
101
- description: User Authorized Kext List Hash
102
- context:
77
+ firmware:
78
+ object_properties:
79
+ oppd:
80
+ description: Unknown, used by `stg1`/`sepi` - sha384 hash sized
81
+ tbms:
82
+ description: Trusted Boot Measurement (Signature?)
83
+ notes: Likely encrypted by the SEP and opaque to the AP
84
+ trust:
85
+ objects:
86
+ rssl:
87
+ description: The valid CA used for secure communications with the FDR server
88
+ to obtain the FDR objects. This differs from the `trst` object as `rssl`
89
+ is in transit and `trst` is at rest.
90
+ trpk:
91
+ description: Trust public keys
92
+ trst:
93
+ description: The certificate used for the `seal` object
94
+ rvok:
95
+ description: Trust object revocation list
96
+ inst:
97
+ description: The key or file to install
98
+ secb:
99
+ description: Sets a security value such as `trst` or the FDR signing trust
100
+ object. "security blob?". Known to include `trst` (yes a `trst` partition
101
+ with a `secb` object with a `trst` object), `rssl` (Factory SSL root CA),
102
+ `rvok` (Revocation list) and `trpk` (trusted public keys?)
103
+ lpol_properties:
103
104
  auxi:
104
105
  title: Auxiliary Image4 Manifest Hash (`auxi`)
105
106
  description: After the system verifies that the UAKL hash matches what’s found
@@ -121,8 +122,6 @@ img4_tags:
121
122
  access:
122
123
  write:
123
124
  - macOS
124
- auxk:
125
- description: Auxiliary Kernel Cache
126
125
  auxp:
127
126
  title: Auxiliary Policy Hash (auxp)
128
127
  description: The `auxp` is an SHA384 hash of the user-authorized kext list (UAKL)
@@ -152,107 +151,6 @@ img4_tags:
152
151
  access:
153
152
  write:
154
153
  - macOS
155
- avef:
156
- description: AV Encryption (DRM) Firmware
157
- type: digest-object
158
- roots:
159
- - ManifestKey-DataCenter
160
- bat0:
161
- description: battery image 0
162
- bat1:
163
- description: battery image 1
164
- batf:
165
- description: battery full image
166
- batF:
167
- BLDS:
168
- description:
169
- bles:
170
- description:
171
- BMac:
172
- description: Bluetooth MAC Address
173
- manifest: true
174
- BNCH:
175
- title: Boot Nonce Cryptographic Hash
176
- description: Based on the values of com.apple.System.boot-nonces
177
- type: nonce
178
- subtype:
179
- BORD:
180
- description: |-
181
- The board the chip is attached to. With iPhones/iPads this is the variation between
182
- device sizes (occasionally also used for low cost devices like the SE/XR). This is
183
- usually expressed as a hex encoded uint8_t. Some types of board seem to encode a
184
- bitfield for non MP (mainline production) boards such as EVT/DVT
185
-
186
- With the T2 this value is unique to all MacBooks with the T2.
187
- type: integer
188
- alias:
189
- - board-id
190
- bstc:
191
- title: Base System Trust Cache
192
- description: The Base System Trust Cache is the static trust cache (a file containing
193
- a list of CDHashes that is to be trusted and executed at platform trust.) that
194
- corresponds to the Base System (typically arm64BaseSystem.dmg).
195
- type: digest-object
196
- subtype: trust-cache
197
- bsys:
198
- title: Base System Root Hash
199
- type: digest-object
200
- subtype: ssv-root-hash
201
- caos:
202
- description:
203
- type: digest-object
204
- root:
205
- - ExtraContent
206
- casy:
207
- description: App Cryptex SSV Root Hash
208
- type: digest-object
209
- subtype: ssv-root-hash
210
- roots:
211
- - ExtraContent
212
- CEPO:
213
- description: |-
214
- Certificate/Chip Epoch. This is a unit of roll-forward time (monotonic) that
215
- allows for any security issues in the prior epoch to be fixed by a anti-rollback scheme.
216
- nullable: true
217
- type: boolean
218
- alias:
219
- - chip-epoch
220
- cfel:
221
- description:
222
- chg0:
223
- description: Charging Image 0
224
- type: digest-object
225
- subtype: graphic
226
- chg1:
227
- description: Charging Image 1
228
- type: digest-object
229
- subtype: graphic
230
- CHIP:
231
- description: Unique identifier for a single Apple designed application processor
232
- sharing the same GID key
233
- type: integer
234
- width: 2
235
- CHMH:
236
- title: Chained Manifest Hash
237
- description: Appears in manifest / APTickets where the ticket is chained from
238
- another via `nish` or `nsph`.
239
- ciof:
240
- cker:
241
- description:
242
- ckih:
243
- description:
244
- clas:
245
- description: Class for Key / Object - Found in FDR objects
246
- examples:
247
- roots:
248
- - ExtraContent
249
- CLHS:
250
- clid:
251
- cmsv:
252
- description:
253
- cnch:
254
- roots:
255
- - ExtraContent
256
154
  coih:
257
155
  title: CustomOS Image4 Manifest Hash (coih)
258
156
  description: The `coih` is an SHA384 hash of CustomOS Image4 manifest. The payload
@@ -264,217 +162,18 @@ img4_tags:
264
162
  access:
265
163
  write:
266
164
  - 1TR
267
- CPRO:
268
- description: Certificate Promotion Mode
269
- alias:
270
- - certificate-production-status
271
- nullable: true
272
- type: boolean
273
- CSEC:
274
- description: Certificate Security Mode
275
- type: boolean
276
- nullable: true
277
- alias:
278
- - certificate-security-mode
279
- csos:
280
- description:
281
- type: digest-object
282
- roots:
283
- - ExtraContent
284
- cssy:
285
- description: System Cryptex SSV Root Hash
286
- type: digest-object
287
- subtype: ssv-root-hash
288
- roots:
289
- - ExtraContent
290
- csys:
291
- description: Install / Restore SSV Root Hash
292
- type: digest-object
293
- subtype: ssv-root-hash
294
- dali:
295
- description:
296
- data:
297
- description:
298
- dcp2:
299
- DGST:
300
- description: payload digest
301
- diag:
302
- description:
303
- disk:
304
- description:
305
- DPRO:
306
- description: Demote from Production Request Value is used by TSS sever to issue
307
- EPRO values, or effective AP production state.
308
- DSEC:
309
- description: Demote from Secure Request Value is used by TSS server to issue ESEC
310
- values, or effective AP Security Mode should the requester be authorized. These
311
- requests are not available to consumers, only to Apple Internal.
312
- dtre:
313
- description: device tree
314
- type: digest-object
315
- subtype: device-tree
316
- dtrs:
317
- description: device tree for recovery
318
- type: digest-object
319
- subtype: device-tree
320
- recovery: true
321
- dven:
322
- ECID:
323
- description: Exclusive chip identifier. This is burned into an eFuse at time
324
- of manufacture and unique across all devices sharing the same CHIP
325
- width: 8
326
- efib:
327
- description:
328
- eg0n:
329
- description: Effective GID 0 Nonce
330
- eg0t:
331
- description:
332
- eg1n:
333
- description: Effective GID 1 Nonce
334
- eg1t:
335
- description:
336
- eg3n:
337
- description: Effective GID3 Nonce
338
- eg3t:
339
- description:
340
- EKEY:
341
- description: Effective chip promoted
342
- nullable: false
343
- type: boolean
344
- EPRO:
345
- description: Effective chip promotion / demotion state (if CPFM 03 this must be
346
- 0 to set ESEC)
347
- alias:
348
- - effective-production-status-ap
349
- nullable: false
350
- type: boolean
351
- esca:
352
- description:
353
- esdm:
354
- description: Extended Security Domain fuses
355
- type: integer
356
- alias:
357
- - esdm-fuses
358
- ESEC:
359
- description: Effective security mode
360
- alias:
361
- - effective-security-mode-ap
362
- euou:
363
- description: engineering use-only unit
364
- faic:
365
- description:
366
- type: integer
367
- default: 0
368
- fchp:
369
- description: Cryptex1,ChipID - Mask
370
- roots:
371
- - ExtraContent
372
- fdrs:
373
- description:
374
- fdrt:
375
- description:
376
- fgpt:
377
- description: factory glob al pre-release trust
378
- file:
379
- description:
380
- fpgt:
381
- description:
382
- FSCl:
383
- ftab:
384
- description: Factory Trust - Auto Boot FTAB images (used for devices such as AirPods,
385
- etc) are "hacktivated" or pre-APTicket'ed devices as they lack either a restore
386
- connection, or persistent memory. Common early usage of this was the Haywire
387
- dongles used for video conversion on the Mac. It was simplest for the device
388
- to lack NAND and simply receive the firmware from a host on power-up. FTAB
389
- files are fully ready to run blobs often including RTKit OS based memory images.
390
- ftap:
391
- description: Factory Trust/FIPS Test? - Application Processor
392
- type: hash
393
- ftot:
394
- description: Factory Trust/FIPS Test? - Other
395
- ftsp:
396
- description: Factory Trust/FIPS Test? - SEP
397
- type: hash
398
- fuos:
399
- description: Fully Unsigned OS
400
- gfxf:
401
- description: Graphics Firmware
402
- ging:
403
- description:
404
- glyc:
405
- description: Gyroscope Calibration
406
- glyP:
407
- glyp:
408
- description:
409
- hash:
410
- description:
411
- hclo:
412
- description:
413
- hime:
414
- description:
415
- HmCA:
416
- hmmr:
417
- description:
418
- homr:
419
- description:
420
- hop0:
421
- hrlp:
422
- title: Has Secure Enclave Signed recoveryOS Local Policy (hrlp)
423
- description: The `hrlp` indicates whether or not the `prot` value is the measurement
424
- of a Secure Enclave–signed recoveryOS LocalPolicy. If not, then the recoveryOS
425
- LocalPolicy is signed by the Apple online signing server, which signs things
426
- such as macOS Image4 files.
165
+ hrlp:
166
+ title: Has Secure Enclave Signed recoveryOS Local Policy (hrlp)
167
+ description: The `hrlp` indicates whether or not the `prot` value is the measurement
168
+ of a Secure Enclave–signed recoveryOS LocalPolicy. If not, then the recoveryOS
169
+ LocalPolicy is signed by the Apple online signing server, which signs things
170
+ such as macOS Image4 files.
427
171
  type: boolean
428
172
  access:
429
173
  write:
430
174
  - 1TR
431
175
  - recoveryOS
432
176
  - macOS
433
- hypr:
434
- description: Hypervisor
435
- ibd1:
436
- description: iBoot Data Stage 1
437
- ibdt:
438
- description: iBoot Data
439
- iBEC:
440
- description: iBoot Epoch Change
441
- ibot:
442
- description: iBoot
443
- ibss:
444
- iBSS:
445
- description: iBoot Second Stage
446
- ienv:
447
- description:
448
- IM4M:
449
- description:
450
- IM4P:
451
- description:
452
- IM4R:
453
- description:
454
- IMG4:
455
- description:
456
- inst:
457
- description: The key or file to install
458
- ipdf:
459
- description:
460
- isor:
461
- description:
462
- ispf:
463
- description: Image Signal Processor Firmware
464
- isys:
465
- description: Install System SSV Root Hash
466
- itst:
467
- description:
468
- iuob:
469
- description:
470
- iuos:
471
- description: Internal Use Only Software
472
- iuou:
473
- description: Internal Use Only Unit
474
- kdlv:
475
- description:
476
- krnl:
477
- description: Kernel
478
177
  kuid:
479
178
  title: Key encryption key (KEK) Group UUID (kuid)
480
179
  description: The kuid indicates the volume that was booted. The key encryption
@@ -488,36 +187,10 @@ img4_tags:
488
187
  - 1TR
489
188
  - recoveryOS
490
189
  - macOS
491
- lamo:
492
- description:
493
- lckr:
494
- description:
495
- LLB:
496
- description: Low Level iBoot
497
- LNCH:
498
- description: Local Policy Nonce Cryptographic Hash
499
190
  lobo:
500
191
  description: Local Boot Object. Indicates that the object is to be used as the
501
192
  target of a local boot only and not provided by the server for remote / DFU
502
193
  boots.
503
- logo:
504
- description: Apple logo image
505
- love:
506
- title: Long Operating System Version (love)
507
- description: The love indicates the OS version that the LocalPolicy is created
508
- for. The version is obtained from the next state manifest during LocalPolicy
509
- creation and is used to enforce recoveryOS pairing restrictions.
510
- type: string
511
- example: 21.3.66.0.0,0
512
- access:
513
- write:
514
- - 1TR
515
- - recoveryOS
516
- - macOS
517
- roots:
518
- - ManifestKey-DataCenter
519
- lphp:
520
- description:
521
194
  lpnh:
522
195
  title: LocalPolicy Nonce Hash (lpnh)
523
196
  description: The lpnh is used for anti-replay of the LocalPolicy. This is an SHA384
@@ -541,50 +214,6 @@ img4_tags:
541
214
  - 1TR
542
215
  - recoveryOS
543
216
  - macOS
544
- lpol:
545
- description: Local Policy
546
- ltrs:
547
- description:
548
- magg:
549
- description:
550
- MANB:
551
- description: Manifest B
552
- MANP:
553
- description: Manifest Payload
554
- manx:
555
- description:
556
- mefi:
557
- description: MacEFI (T2 firmware for Intel chip)
558
- ment:
559
- description:
560
- mmap:
561
- description:
562
- mmer:
563
- description:
564
- mmsv:
565
- description:
566
- Mod#:
567
- mpro:
568
- description:
569
- msec:
570
- description:
571
- mspr:
572
- msys:
573
- description: System Volume Canonical Metadata Contains a Merkle Tree of the System
574
- Volume. The Merkle-Tree is used to verify Signed System Volume, in a similar
575
- way to a Git repository, where every file is included in the tree of the folder
576
- and so on up to the root node. The root node is validated against the corresponding
577
- `root_hash`. The inclusion of the merkle tree allows for discovery of where
578
- the system volume's data is broken, as the root_hash can only tell you if it
579
- is broken.
580
- mtfw:
581
- description:
582
- mtpf:
583
- name:
584
- description:
585
- ndom:
586
- roots:
587
- - ExtraContent
588
217
  nish:
589
218
  title: Next Stage Image4 Manifest Hash (nsih)
590
219
  description: The nsih field represents an SHA384 hash of the Image4 manifest data
@@ -605,59 +234,6 @@ img4_tags:
605
234
  - 1TR
606
235
  - recoveryOS
607
236
  - macOS
608
- nrde:
609
- description:
610
- nsih:
611
- description: Next Stage Image Hash
612
- nsph:
613
- description: Next Stage pre-boot splat manifest hash
614
- nsrv:
615
- description:
616
- OBJP:
617
- description: Object Properties - Values that may be assigned per "object" (firmwares)
618
- that contain a `DGST`
619
- type: sequence
620
- omer:
621
- description:
622
- ooth:
623
- description:
624
- oppd:
625
- description: Unknown, used by `stg1`/`sepi` - sha384 hash sized
626
- osev:
627
- description:
628
- osrd:
629
- description:
630
- otes:
631
- description:
632
- owns:
633
- description:
634
- pave:
635
- description: Pre-authorization Version (XNU) The version of a pre-authorized Cryptex.
636
- type: string
637
- roots:
638
- - ExtraContent
639
- PAYP:
640
- description:
641
- pcrp:
642
- description: Production certificate root
643
- pdmg:
644
- description: Personalized Disk Image
645
- pert:
646
- description:
647
- pfle:
648
- description:
649
- pflp:
650
- description:
651
- phlt:
652
- description:
653
- pmpf:
654
- description: Power Management Processor Firmware
655
- type: digest-object
656
- subtype:
657
- pndp:
658
- description:
659
- prid:
660
- description: Encrypted Private Key / Private Key Info
661
237
  prot:
662
238
  title: Paired recoveryOS Trusted Boot Policy Measurement (prot)
663
239
  description: A paired recoveryOS Trusted Boot Policy Measurement (TBPM) is a special
@@ -673,54 +249,8 @@ img4_tags:
673
249
  - 1TR
674
250
  - recoveryOS
675
251
  - macOS
676
- prtp:
677
- description: Product Type String
678
- type: string
679
- example: iPhone16,2
680
- roots:
681
- - ManifestKey-DataCenter
682
- psmh:
683
- description: previous stage manifest hash
684
- ptrp:
685
- rans:
686
- description: Restore Apple NAND Storage Firmware
687
- type: digest-object
688
- rbmt:
689
- description:
690
- rcfg:
691
- description: Appears in certificates issues by factory such as `T6031-SDOM1-TssLive-ManifestKey-RevA-Factory`. Potentially
692
- indicates that the policy is for a recovery boot only.
693
- type: boolean
694
- rcio:
695
- description: Restore CIO
696
- rdcp:
697
- rddg:
698
- description:
699
- rdsk:
700
- description: Restore Disk Image / ramdisk
701
- rdtr:
702
- description:
703
- recm:
704
- description:
705
- Regn:
706
- description: Region Code
707
- example: LL/A
708
- type: string
709
- manifest: true
710
- rfcg:
711
- type: boolean
712
- rfta:
713
- description:
714
- rfts:
715
- description:
716
- rkrn:
717
- description: restore kernel
718
- rlgo:
719
- description:
720
- RNCH:
721
- description:
722
- rolp:
723
- description: recoveryOS local policy
252
+ rolp:
253
+ description: recoveryOS local policy
724
254
  type: boolean
725
255
  ronh:
726
256
  title: recoveryOS Nonce Hash (ronh)
@@ -741,8 +271,6 @@ img4_tags:
741
271
  - 1TR
742
272
  - recoveryOS
743
273
  - macOS
744
- rosi:
745
- description:
746
274
  rpnh:
747
275
  title: Remote Policy Nonce Hash (rpnh)
748
276
  description: The rpnh behaves the same way as the lpnh but is updated only when
@@ -755,88 +283,32 @@ img4_tags:
755
283
  - 1TR
756
284
  - recoveryOS
757
285
  - macOS
758
- rsch:
759
- description: research mode
760
- RSCH:
761
- description: Research mode
762
- rsep:
763
- description: Restore SEP Image, paired with oppd/tbms
764
- type: string
765
- encoding: sha2-384
766
- rso0:
767
- description:
768
- rso1:
769
- description:
770
- rso2:
771
- description:
772
- rso3:
773
- description:
774
- rssl:
775
- description: The valid CA used for secure communications with the FDR server to
776
- obtain the FDR objects. This differs from the `trst` object as `rssl` is in
777
- transit and `trst` is at rest.
778
- rtmu:
779
- description: Restore TMU for AP
780
- type: digest-object
781
- firmware: true
782
- recovery: true
783
- rtpf:
784
- description:
785
- rtsc:
786
- description:
787
- rvok:
788
- description: Trust object revocation list
789
- scef:
790
- description:
791
- sdkp:
792
- description: SDK Platform
793
- type: string
794
- roots:
795
- - ManifestKey-DataCenter
796
- values:
797
- - iphoneos
798
- - macos
799
- SDOM:
800
- description: |-
801
- Security domain, or which set of certificates govern device security.
802
-
803
- Known values:
804
- 0x01 - Main Production certificates
805
- width: 2
806
- alias:
807
- - security-domain
808
- secb:
809
- description: Sets a security value such as `trst` or the FDR signing trust object.
810
- "security blob?". Known to include `trst` (yes a `trst` partition with a `secb`
811
- object with a `trst` object), `rssl` (Factory SSL root CA), `rvok` (Revocation
812
- list) and `trpk` (trusted public keys?)
813
- SECM:
814
- description:
815
- sei3:
816
- description: Secure Enclave ID (alternate)? Appears to have a value identical
817
- to `seid`.
818
- seid:
819
- description: Secure Enclave ID
820
- sepi:
821
- description: SEP Image, contains oppd and tbms in seal
822
- type: string
823
- encoding: sha2-384
824
- sika:
825
- description:
826
- siof:
827
- description: Smart IO Firmware
828
286
  sip0:
829
- description: System Integrity Protection (SIP) 0 Status - Overall
287
+ title: System Integrity Protection (SIP) 0 Status - Overall
288
+ description: The sip0 holds the existing System Integrity Protection (SIP) policy
289
+ bits that previously were stored in NVRAM. New SIP policy bits are added here
290
+ (instead of using LocalPolicy fields like the below) if they’re used only in
291
+ macOS and not used by LLB. Users can change this field using csrutil from 1TR
292
+ to disable SIP and downgrade to Permissive Security.
293
+ access:
294
+ write:
295
+ - 1TR
830
296
  sip1:
831
- description: System Integrity Protection (SIP) 1 Status - Signed System Volume
832
- Status
297
+ title: System Integrity Protection (SIP) 1 Status - Signed System Volume
298
+ description: If sip1 is present and true, iBoot will allow failures to verify
299
+ the SSV volume root hash. Users can change this field using csrutil or bputil
300
+ from 1TR.
833
301
  sip2:
834
- description: System Integrity Protection (SIP) 2 Status - Kernel CTRR Status
302
+ title: System Integrity Protection (SIP) 2 Status - Kernel CTRR Status
303
+ description: If sip2 is present and true, iBoot will not lock the Configurable
304
+ Text Read- only Region (CTRR) hardware register that marks kernel memory as
305
+ non-writable. Users can change this field using csrutil or bputil from 1TR.
835
306
  sip3:
836
- description: System Integrity Protection (SIP) 3 Status - Boot Args Filtering
837
- Status
838
- slvn:
839
- description:
307
+ title: System Integrity Protection (SIP) 3 Status - Boot Args Filtering
308
+ description: If sip3 is present and true, iBoot will not enforce its built-in
309
+ allow list for the boot-args NVRAM variable, which would otherwise filter the
310
+ options passed to the kernel. Users can change this field using csrutil or bputil
311
+ from 1TR.
840
312
  smb0:
841
313
  description: Secure Multi-Boot 0 - Security Mode - Full Security, Reduced, Disabled
842
314
  - Setting to 1 sets to reduced
@@ -850,35 +322,59 @@ img4_tags:
850
322
  description: Secure Multi-Boot 3 - DEP-allowed MDM Control
851
323
  smb5:
852
324
  description: Unknown - but known to exist in Factory signing
853
- snon:
854
- description: SEP Nonce
855
- SNON:
856
- description: SEP Nonce
857
325
  snuf:
858
- description: Staged next update firmware?
326
+ description: Software Nonce For Update Freshness
859
327
  spih:
860
328
  description: Cryptex1 Image4 Hash
861
- SPTM:
862
- description: Secure Page Table Monitor
863
- srnm:
864
- description:
865
- SrNm:
866
- description: Unit Serial Number
867
- manifest: true
868
- ssca:
869
- sski:
870
- description: SHA2 os some kind
329
+ vuid:
330
+ title: APFS volume group UUID (vuid)
331
+ description: The vuid indicates the volume group the kernel should use as root.
332
+ This field is primarily informational and isn’t used for security constraints.
333
+ This vuid is set by the user implicitly when creating a new operating system
334
+ install.
871
335
  type: binary
872
- ster:
873
- description:
874
- stg1:
875
- description: stage 1 bootloader
336
+ subtype: sha2-384
337
+ access:
338
+ - 1TR
339
+ - recoveryOS
340
+ - macOS
341
+ cryptex_properties:
342
+ augs:
343
+ description: Auxiliary System Image Included in APTicket CA extensions, as well
344
+ as factory manifests. All cryptex manifests, and APTickets other then the root
345
+ APTicket (the one that is used directly from NOR) have this set to 1, indicating
346
+ that it is an an addition or replacement to APTicket, but only if authorized. It
347
+ also seems to travel with `aubt` and `aupr`
348
+ roots:
349
+ - ExtraContent
350
+ - ManifestKey
351
+ auxh:
352
+ description: User Authorized Kext List Hash
353
+ context:
354
+ clas:
355
+ description: Class for Key / Object - Found in FDR objects
356
+ examples:
357
+ roots:
358
+ - ExtraContent
359
+ cnch:
360
+ roots:
361
+ - ExtraContent
362
+ fchp:
363
+ description: Family of the CHIP - Cryptex1,ChipID - Mask
364
+ roots:
365
+ - ExtraContent
366
+ ndom:
367
+ description: Nonce Domain
368
+ roots:
369
+ - ExtraContent
370
+ - ExtraContent
371
+ pave:
372
+ description: Pre-authorization Version (XNU) The version of a pre-authorized Cryptex.
876
373
  type: string
877
- encoding: sha2-384
878
- stID:
879
- description: Station Identifier
880
- stng:
881
- description: Cryptex1 Generation / Cryptex type?
374
+ roots:
375
+ - ExtraContent
376
+ snuf:
377
+ description: SoftwareNonceForUpdateFreshness
882
378
  styp:
883
379
  description: Crytpex Subtype
884
380
  type: u32
@@ -886,94 +382,697 @@ img4_tags:
886
382
  - cryptex subtype
887
383
  roots:
888
384
  - ExtraContent
889
- svrn:
890
- description: Server nonce
891
- tatp:
892
- description: Target Type (board name)
385
+ type:
386
+ description: Cryptex Type
387
+ type: integer
893
388
  roots:
894
- - ManifestKey-DataCenter
895
- tbmr:
896
- description: Trusted Boot Measurement (Recovery/Root?)
897
- tbms:
898
- description: Trusted Boot Measurement (Signature?)
899
- notes: Likely encrypted by the SEP and opaque to the AP
900
- tery:
901
- description:
902
- test:
903
- description:
904
- tics:
905
- description:
906
- TMac:
907
- description: Thunderbolt MAC Address
908
- manifest: true
909
- trca:
389
+ - ExtraContent
390
+ UDID:
391
+ description: universal device identifier
392
+ vnum:
393
+ description: Version Number - Update Maximum
394
+ type: string
395
+ roots:
396
+ - ExtraContent
397
+ cryptex_objects:
398
+ caos:
910
399
  description:
911
400
  type: digest-object
912
- roots:
401
+ root:
913
402
  - ExtraContent
914
- trcs:
403
+ casy:
404
+ description: App Cryptex SSV Root Hash
405
+ type: digest-object
406
+ subtype: ssv-root-hash
407
+ roots:
408
+ - ExtraContents
409
+ csos:
915
410
  description:
916
411
  type: digest-object
917
412
  roots:
918
413
  - ExtraContent
919
- trpk:
920
- description: Trust public keys
921
- trst:
922
- description: Trust Object
923
- tsys:
924
- description:
925
- type:
926
- description: Cryptex Type
927
- type: integer
414
+ cssy:
415
+ description: System Cryptex SSV Root Hash
416
+ type: digest-object
417
+ subtype: ssv-root-hash
928
418
  roots:
929
419
  - ExtraContent
930
- ucer:
931
- description: User Cert
932
- ucon:
933
- description:
934
- UDID:
935
- description: universal device identifier
936
- udid:
937
- description: Unique Device ID
938
- uidm:
420
+ trcs:
939
421
  description:
940
- type: boolean
422
+ type: digest-object
941
423
  roots:
942
- - ManifestKey-DataCenter
943
- vice:
944
- description:
945
- vkdl:
424
+ - ExtraContent
425
+ trca:
946
426
  description:
947
- vnum:
948
- description: Version Number - Update Maximum
949
- type: string
427
+ type: digest-object
950
428
  roots:
951
429
  - ExtraContent
952
- vuid:
953
- title: APFS volume group UUID (vuid)
954
- description: The vuid indicates the volume group the kernel should use as root.
955
- This field is primarily informational and isn’t used for security constraints.
956
- This vuid is set by the user implicitly when creating a new operating system
957
- install.
958
- type: binary
959
- subtype: sha2-384
960
- access:
961
- - 1TR
962
- - recoveryOS
963
- - macOS
964
- ware:
965
- description:
966
- WCHF:
967
- description: Wireless Charging Firmware
968
- wchf:
969
- description: Wireless Charging Framework
970
- WMac:
971
- description: Wireless MAC Address
972
- WSKU:
973
- description: Wireless SKU
974
- xbtc:
975
- description: x86 Boot Trust Cache
976
- xsys:
977
- description: x86 System Root Hash
978
- xugs:
979
- description:
430
+ manifest_properties:
431
+ acdc:
432
+ description: Apple Certified Diagnostics Center/Certificate?
433
+ acid:
434
+ description: Apple Account Directory Services ID (DSID)
435
+ type: integer
436
+ AMNM:
437
+ description: allow mix-n-match When set to true, img4s can be any valid signed
438
+ version, allowing for unusual AP tickets where some components may be from a
439
+ prior version
440
+ type: boolean
441
+ BMac:
442
+ description: Bluetooth MAC Address
443
+ manifest: true
444
+ BNCH:
445
+ title: Boot Nonce Cryptographic Hash
446
+ description: Based on the values of com.apple.System.boot-nonces, this is either
447
+ the true APNonce (in the case of SFR or the root APTicket where no scope or
448
+ tweak is applied) or a shadowed BNCH in the case of macOS. If it is a root boot
449
+ nonce the value is stored in com.apple.System.boot-nonce, for scoped or shadowed
450
+ BNCH values this is stored in `nonce-seeds` (A list of random values per domain)
451
+ metadata:
452
+ domains:
453
+ IMG4_NONCE_DOMAIN_INDEX_TEST:
454
+ value: 0
455
+ IMG4_NONCE_DOMAIN_INDEX_TRUST_CACHE:
456
+ value: 1
457
+ IMG4_NONCE_DOMAIN_INDEX_PDI:
458
+ value: 2
459
+ description: Personalized Disk Image
460
+ IMG4_NONCE_DOMAIN_INDEX_CRYPTEX:
461
+ value: 3
462
+ description: Cryptex / Rapid Security Response Domain
463
+ IMG4_NONCE_DOMAIN_INDEX_DDI:
464
+ value: 4
465
+ description: Developer Disk Image
466
+ IMG4_NONCE_DOMAIN_INDEX_EPHEMERAL_CRYPTEX:
467
+ value: 5
468
+ IMG4_NONCE_DOMAIN_INDEX_CRYPTEX1_SNUF_STUB:
469
+ value: 6
470
+ description: Staged Next Update Firmware
471
+ IMG4_NONCE_DOMAIN_INDEX_CRYPTEX1_BOOT:
472
+ value: 7
473
+ description: Boot Cryptex (OS Usually)
474
+ IMG4_NONCE_DOMAIN_INDEX_CRYPTEX1_ASSET:
475
+ value: 8
476
+ description: Asset Cryptex (App Usually)
477
+ type: nonce
478
+ subtype:
479
+ BORD:
480
+ description: |-
481
+ The board the chip is attached to. With iPhones/iPads this is the variation between
482
+ device sizes (occasionally also used for low cost devices like the SE/XR). This is
483
+ usually expressed as a hex encoded uint8_t. Some types of board seem to encode a
484
+ bitfield for non MP (mainline production) boards such as EVT/DVT
485
+
486
+ With the T2 this value is unique to all MacBooks with the T2.
487
+ type: integer
488
+ alias:
489
+ - board-id
490
+ CEPO:
491
+ description: |-
492
+ Chip Epoch. This is a unit of roll-forward time (monotonic) that
493
+ allows for any security issues in the prior epoch to be fixed by a anti-rollback scheme.
494
+ nullable: true
495
+ type: boolean
496
+ alias:
497
+ - chip-epoch
498
+ CHIP:
499
+ description: Unique identifier for a single Apple designed application processor
500
+ sharing the same GID key
501
+ type: integer
502
+ width: 2
503
+ CHMH:
504
+ title: Chained Manifest Hash
505
+ description: Appears in manifest / APTickets where the ticket is chained from
506
+ another via `nish` or `nsph`.
507
+ CPRO:
508
+ description: Certificate Promotion Mode
509
+ alias:
510
+ - certificate-production-status
511
+ nullable: true
512
+ type: boolean
513
+ CSEC:
514
+ description: Certificate Security Mode
515
+ type: boolean
516
+ nullable: true
517
+ alias:
518
+ - certificate-security-mode
519
+ ECID:
520
+ description: Exclusive chip identifier. This is burned into an eFuse at time
521
+ of manufacture and unique across all devices sharing the same CHIP
522
+ width: 8
523
+ esdm:
524
+ description: Extended Security Domain fuses
525
+ type: integer
526
+ alias:
527
+ - esdm-fuses
528
+ euou:
529
+ description: engineering use-only unit
530
+ faic:
531
+ description:
532
+ type: integer
533
+ default: 0
534
+ iuob:
535
+ description: Internal Use Only Build
536
+ iuos:
537
+ description: Internal Use Only Software
538
+ iuou:
539
+ description: Internal Use Only Unit
540
+ LNCH:
541
+ description: Local Policy Next Cryptographic Hash
542
+ love:
543
+ title: Long Operating System Version (love)
544
+ description: The love indicates the OS version that the LocalPolicy is created
545
+ for. The version is obtained from the next state manifest during LocalPolicy
546
+ creation and is used to enforce recoveryOS pairing restrictions.
547
+ type: string
548
+ example: 21.3.66.0.0,0
549
+ access:
550
+ write:
551
+ - 1TR
552
+ - recoveryOS
553
+ - macOS
554
+ roots:
555
+ - ManifestKey-DataCenter
556
+ lpol:
557
+ description: Local Policy
558
+ mmap:
559
+ description: Memory Map
560
+ Mod#:
561
+ nsih:
562
+ description: Next Stage Image4 Hash
563
+ nsph:
564
+ description: Next Stage pre-boot splat manifest hash
565
+ prtp:
566
+ description: Product Type String
567
+ type: string
568
+ example: iPhone16,2
569
+ roots:
570
+ - ManifestKey-DataCenter
571
+ psmh:
572
+ description: previous stage manifest hash
573
+ rcfg:
574
+ description: Appears in certificates issues by factory such as `T6031-SDOM1-TssLive-ManifestKey-RevA-Factory`. Potentially
575
+ indicates that the policy is for a recovery boot only.
576
+ type: boolean
577
+ Regn:
578
+ description: Region Code
579
+ example: LL/A
580
+ type: string
581
+ manifest: true
582
+ rfcg:
583
+ type: boolean
584
+ RNCH:
585
+ description:
586
+ RSCH:
587
+ description: Research mode
588
+ rsch:
589
+ description: research mode
590
+ sdkp:
591
+ description: SDK Platform
592
+ type: string
593
+ roots:
594
+ - ManifestKey-DataCenter
595
+ values:
596
+ - iphoneos
597
+ - macos
598
+ SDOM:
599
+ description: |-
600
+ Security domain, or which set of certificates govern device security.
601
+
602
+ Known values:
603
+ 0x01 - Main Production certificates
604
+ width: 2
605
+ alias:
606
+ - security-domain
607
+ SECM:
608
+ description: Security Mode
609
+ sei3:
610
+ description: Secure Enclave ID (alternate)? Appears to have a value identical
611
+ to `seid`. Used for non domain0 (`hyp0`)
612
+ seid:
613
+ description: Secure Enclave ID - Root Domain
614
+ sika:
615
+ description: System/Sealed Identity Key Protection? (Fuee)
616
+ SNON:
617
+ description: SEP Nonce
618
+ snon:
619
+ description: SEP Nonce
620
+ SrNm:
621
+ description: Unit Serial Number
622
+ manifest: true
623
+ sski:
624
+ description: SHA2 os some kind - sep/system subject key identifier?
625
+ type: binary
626
+ stng:
627
+ description: Cryptex1 Generation / Cryptex type?
628
+ svrn:
629
+ description: Server nonce
630
+ tatp:
631
+ description: Target Type (board name)
632
+ roots:
633
+ - ManifestKey-DataCenter
634
+ TMac:
635
+ description: Thunderbolt MAC Address
636
+ manifest: true
637
+ UID_MODE:
638
+ type: boolean
639
+ request: true
640
+ description: Use UID key instead of GID key for firmware keybags
641
+ see:
642
+ - uidm
643
+ uidm:
644
+ description: UID Mode
645
+ type: boolean
646
+ roots:
647
+ - ManifestKey-DataCenter
648
+ WMac:
649
+ description: Wireless MAC Address
650
+ WSKU:
651
+ description: Wireless SKU
652
+ objects:
653
+ acfw:
654
+ description:
655
+ almo:
656
+ description: Some internal iBootable image. Unknown purpose
657
+ anef:
658
+ description: Apple Neural Engine Firmware
659
+ type: digest-object
660
+ roots:
661
+ - ManifestKey-DataCenter
662
+ ansf:
663
+ description: Apple NAND Storage Firmware
664
+ aopf:
665
+ description: Always on processor firmware
666
+ type: digest-object
667
+ roots:
668
+ - ManifestKey-DataCenter
669
+ aubt:
670
+ description: Audio Boot Chime
671
+ aupr:
672
+ description: Audio Power Attach Chime
673
+ auxk:
674
+ description: Auxiliary Kernel Cache
675
+ avef:
676
+ description: AV Encryption (DRM) Firmware
677
+ type: digest-object
678
+ roots:
679
+ - ManifestKey-DataCenter
680
+ bat0:
681
+ description: battery image 0
682
+ bat1:
683
+ description: battery image 1
684
+ batF:
685
+ description: Battery Full Image
686
+ type: digest-object
687
+ subtype: graphic
688
+ firmware: true
689
+ bstc:
690
+ title: Base System Trust Cache
691
+ description: The Base System Trust Cache is the static trust cache (a file containing
692
+ a list of CDHashes that is to be trusted and executed at platform trust.) that
693
+ corresponds to the Base System (typically arm64BaseSystem.dmg).
694
+ type: digest-object
695
+ subtype: trust-cache
696
+ bsys:
697
+ title: Base System Root Hash
698
+ type: digest-object
699
+ subtype: ssv-root-hash
700
+ chg0:
701
+ description: Charging Image 0
702
+ type: digest-object
703
+ subtype: graphic
704
+ chg1:
705
+ description: Charging Image 1
706
+ type: digest-object
707
+ subtype: graphic
708
+ ciof:
709
+ description: TypeC IO Firmware
710
+ csys:
711
+ description: Install / Restore SSV Root Hash
712
+ type: digest-object
713
+ subtype: ssv-root-hash
714
+ dcp2:
715
+ dcpf:
716
+ dtre:
717
+ description: device tree
718
+ type: digest-object
719
+ subtype: device-tree
720
+ dtrs:
721
+ description: device tree for recovery
722
+ type: digest-object
723
+ subtype: device-tree
724
+ recovery: true
725
+ dven:
726
+ description: Display Vendor Data
727
+ ftab:
728
+ description: Factory Trust - Auto Boot FTAB images (used for devices such as AirPods,
729
+ etc) are "hacktivated" or pre-APTicket'ed devices as they lack either a restore
730
+ connection, or persistent memory. Common early usage of this was the Haywire
731
+ dongles used for video conversion on the Mac. It was simplest for the device
732
+ to lack NAND and simply receive the firmware from a host on power-up. FTAB
733
+ files are fully ready to run blobs often including RTKit OS based memory images.
734
+ ghost_object: true
735
+ ftap:
736
+ description: Factory Trust/FIPS Test? - Application Processor
737
+ type: hash
738
+ ghost_object: true
739
+ ftsp:
740
+ description: Factory Trust/FIPS Test? - SEP
741
+ type: hash
742
+ ghost_object: true
743
+ gfxf:
744
+ description: Graphics Firmware
745
+ glyP:
746
+ ibd1:
747
+ description: iBoot Data Stage 1
748
+ ibdt:
749
+ description: iBoot Data
750
+ iBEC:
751
+ description: iBoot Epoch Change
752
+ ibot:
753
+ description: iBoot
754
+ subtype: firmware
755
+ iBSS:
756
+ description: iBoot Second Stage
757
+ illb:
758
+ description: Low-Level iBoot
759
+ ipdf:
760
+ description:
761
+ ispf:
762
+ description: Image Signal Processor Firmware
763
+ isys:
764
+ description: Install System SSV Root Hash
765
+ krnl:
766
+ description: Kernel
767
+ logo:
768
+ description: Apple Logo Image
769
+ type: digest-object
770
+ subtype: graphic
771
+ firmware: true
772
+ lpol:
773
+ description: Local Policy Payload
774
+ magg:
775
+ description: Maggie Firmware
776
+ mefi:
777
+ description: MacEFI (T2 firmware for Intel chip)
778
+ msys:
779
+ description: System Volume Canonical Metadata Contains a Merkle Tree of the System
780
+ Volume. The Merkle-Tree is used to verify Signed System Volume, in a similar
781
+ way to a Git repository, where every file is included in the tree of the folder
782
+ and so on up to the root node. The root node is validated against the corresponding
783
+ `root_hash`. The inclusion of the merkle tree allows for discovery of where
784
+ the system volume's data is broken, as the root_hash can only tell you if it
785
+ is broken.
786
+ mtfw:
787
+ description: MultiTouch Firmware
788
+ mtpf:
789
+ pdmg:
790
+ description: Personalized Disk Image
791
+ pmpf:
792
+ description: Power Management Processor Firmware
793
+ type: digest-object
794
+ subtype:
795
+ rans:
796
+ description: Restore Apple NAND Storage Firmware
797
+ type: digest-object
798
+ subtype: firmware
799
+ firmware: apple-nand-storage
800
+ restore: true
801
+ rcio:
802
+ description: Restore TypeC IO
803
+ restore: true
804
+ rdcp:
805
+ description: Recovery DCP Firmware
806
+ restore: true
807
+ rdsk:
808
+ description: Restore Disk Image / ramdisk
809
+ rdtr:
810
+ description: Ramdisk Trust
811
+ recm:
812
+ description: Recovery/Refurbish Mode
813
+ rfta:
814
+ description: Recovery/Refurbish Factory Trust AP
815
+ rfts:
816
+ description: Recovery/Refurbish Factory Trust SEP
817
+ rkrn:
818
+ description: Restore Kernel
819
+ restore: true
820
+ rlg1:
821
+ rlg2:
822
+ rlgo:
823
+ description: Restore Logo
824
+ restore: true
825
+ rosi:
826
+ description:
827
+ rsep:
828
+ description: Restore SEP Image, paired with oppd/tbms
829
+ type: string
830
+ encoding: sha2-384
831
+ rtmu:
832
+ description: Restore TMU for AP
833
+ type: digest-object
834
+ firmware: true
835
+ recovery: true
836
+ rtsc:
837
+ description: Recovery
838
+ scef:
839
+ description: SEP Firmware (Boot Firmware without RAM Image)
840
+ sepi:
841
+ description: SEP Image (Boot and RAM Image)
842
+ type: string
843
+ encoding: sha2-384
844
+ metadata:
845
+ oppd: Original Processed Parameter Data
846
+ tbms: Trusted Boot Measurement Strings
847
+ siof:
848
+ description: Smart IO Firmware
849
+ tmuf:
850
+ description: Trusted MultiUpdater Firmware
851
+ trst:
852
+ description: Trust Object
853
+ type: digest-object
854
+ subtype: trust-object
855
+ tsys:
856
+ description: Test System Volume
857
+ WCHF:
858
+ description: Wireless Charging Firmware
859
+ wchf:
860
+ description: Wireless Charging Framework
861
+ xbtc:
862
+ description: x86 Boot Trust Cache
863
+ xsys:
864
+ description: x86 System Root Hash
865
+ img4_tags:
866
+ ache:
867
+ description:
868
+ acib:
869
+ description:
870
+ aciw:
871
+ description:
872
+ ADCL:
873
+ description: Apple Display Calibration
874
+ ader:
875
+ description:
876
+ agfi:
877
+ description:
878
+ anrd:
879
+ description: Apple Notarized Ram Disk
880
+ aofi:
881
+ description: Always on Firmware Image
882
+ apmv:
883
+ description:
884
+ ater:
885
+ description:
886
+ atkh:
887
+ description:
888
+ auac:
889
+ description:
890
+ BLDS:
891
+ description: Boot LocalPolicy Digest String?
892
+ bles:
893
+ description:
894
+ cfel:
895
+ description: Current Firmware Efffective LocalPolicy?
896
+ cker:
897
+ description: Chained Kernel for Recovery
898
+ recovery: true
899
+ ckih:
900
+ description: Chained Kernel Image4 Hash
901
+ CLHS:
902
+ description: Chained LocalPolicy Hash String
903
+ clid:
904
+ description: Class Identifier
905
+ cmsv:
906
+ description:
907
+ dali:
908
+ description:
909
+ data:
910
+ description:
911
+ diag:
912
+ description: Diagnostic (AHT) Image
913
+ disk:
914
+ description:
915
+ DPRO:
916
+ description: Demote from Production Request Value is used by TSS sever to issue
917
+ EPRO values, or effective AP production state.
918
+ DSEC:
919
+ description: Demote from Secure Request Value is used by TSS server to issue ESEC
920
+ values, or effective AP Security Mode should the requester be authorized. These
921
+ requests are not available to consumers, only to Apple Internal.
922
+ efib:
923
+ description: EFI Bootloader
924
+ eg0n:
925
+ description: Emulated GID0 Nonce
926
+ eg0t:
927
+ description: Emulated GID0 Type
928
+ eg1n:
929
+ description: Emulated GID1 Nonce
930
+ eg1t:
931
+ description: Emulated GID1 Type
932
+ eg3n:
933
+ description: Emulated GID3 Nonce
934
+ eg3t:
935
+ description: Emulated GID3 Type
936
+ esca:
937
+ description: Emulated System Certificate Authority
938
+ fdrs:
939
+ description: Factory Debug Recovery System
940
+ fdrt:
941
+ description: Factory Debug Recovery Trust
942
+ fgpt:
943
+ description: Factory Global Pre-Release Trust
944
+ file:
945
+ description:
946
+ fpgt:
947
+ description:
948
+ ftot:
949
+ description: Factory Trust/FIPS Test? - Other / Original Trust
950
+ ging:
951
+ description:
952
+ glyc:
953
+ description: Gyroscope Calibration
954
+ hash:
955
+ description:
956
+ hclo:
957
+ description: Hypervisor Custom/Current LocalPolicy Object?
958
+ hime:
959
+ description: HyperVisor Install Management Environment?
960
+ hmmr:
961
+ description: Host M M Recovery
962
+ homr:
963
+ description: Host OS M... Recovery
964
+ hop0:
965
+ description: Hypervisor OS Partition 0 (`dom0`)
966
+ hypr:
967
+ description: Hypervisor (EL2) Image
968
+ ienv:
969
+ description: Install Environment?
970
+ isor:
971
+ description:
972
+ itst:
973
+ description: Installer Test?
974
+ kdlv:
975
+ description: Kernel Linker Version
976
+ lamo:
977
+ description:
978
+ lckr:
979
+ description: Locker?
980
+ lphp:
981
+ description: Local Policy Hash Protection?
982
+ ltrs:
983
+ description: Local TrustStore Recovery System?
984
+ manx:
985
+ description:
986
+ ment:
987
+ description: Memory Map Entitlements
988
+ mmer:
989
+ description: Memory Map Entitlements for Recovery
990
+ recovery: true
991
+ mmsv:
992
+ description: Memory Map System
993
+ mpro:
994
+ description: Memory Promotion
995
+ msec:
996
+ description: Memory Security
997
+ mspr:
998
+ name:
999
+ description:
1000
+ nrde:
1001
+ description: N Ramdisk Environment
1002
+ nsrv:
1003
+ description:
1004
+ omer:
1005
+ description:
1006
+ ooth:
1007
+ description:
1008
+ osev:
1009
+ description: OS Environment
1010
+ osrd:
1011
+ description: OS Ramdisk
1012
+ otes:
1013
+ description:
1014
+ owns:
1015
+ description:
1016
+ PAYP:
1017
+ description:
1018
+ pcrp:
1019
+ description: Production certificate root
1020
+ pert:
1021
+ description: Pre-OS Environment Root Trust
1022
+ pfle:
1023
+ description: Pre-OS Firmware Launch Environment?
1024
+ pflp:
1025
+ description: Pre-OS Firmware Local Policy
1026
+ phlt:
1027
+ description: Pre-OS/Per-OS Host Local Trust
1028
+ pndp:
1029
+ description:
1030
+ prid:
1031
+ description: Encrypted Private Key / Private Key Info / Private Recovery Identity?
1032
+ ptrp:
1033
+ rbmt:
1034
+ description:
1035
+ rddg:
1036
+ description: Ramdisk for Debugging
1037
+ rso0:
1038
+ description:
1039
+ rso1:
1040
+ description:
1041
+ rso2:
1042
+ description:
1043
+ rso3:
1044
+ description:
1045
+ rtpf:
1046
+ description:
1047
+ slvn:
1048
+ description:
1049
+ SPTM:
1050
+ description: Secure Page Table Monitor
1051
+ ssca:
1052
+ description: SEP Subject Certificate Authority?
1053
+ ster:
1054
+ description:
1055
+ stg1:
1056
+ description: stage 1 bootloader
1057
+ type: string
1058
+ encoding: sha2-384
1059
+ tbmr:
1060
+ description: Trusted Boot Measurement (Recovery/Root?)
1061
+ tery:
1062
+ description:
1063
+ test:
1064
+ description:
1065
+ tics:
1066
+ description:
1067
+ ucer:
1068
+ description: User Cert
1069
+ ucon:
1070
+ description: User Console Connection
1071
+ vice:
1072
+ description:
1073
+ vkdl:
1074
+ description: Virtual Kernel ??
1075
+ ware:
1076
+ description:
1077
+ xugs:
1078
+ description: x64 User System Disk