xsscx / srd Goto Github PK

View Code? Open in Web Editor NEW

52.0 8.0 9.0 1.47 GB

Welcome to Hoyt's SRD Repo for the Apple Security Research Device. Contribute Code or Open an Issue or Discussion.

License: GNU General Public License v3.0

Makefile 10.61% C 50.84% Assembly 23.32% Python 1.38% Shell 8.32% Roff 1.35% M4 2.89% C++ 1.19% Objective-C 0.11%

apple security research device srd code c assembler arm ios crosscompile clang lldb asan fuzzing cryptex arm64e xnu

srd's Introduction

Welcome to Hoyt's SRD Repo

whoami

I am David Hoyt.

SUMMARY

This Repo was ahead of the Apple Repo as of December 15, 2022 when I returned my Devices
Built on macOS 13.x X86_64 & arm64e
The DMG's are all Built with XNU 8792.60.55 and options Targeting for iOS 16
Frida, Toybox Unstripped, SSH, debugserver, other example Register Code
Largest Public Code Repo for the Apple Security Research Device with all details provide
iOSOnMAC Fuzzing native iOS Apps on macOS - https://github.com/xsscx/macos-research/tree/main/code/iOSOnMac
Required Reading - https://github.com/xsscx/srd/issues?q=is%3Aissue+is%3Aclosed
Open an Issue or Ask a Question
See https://github.com/xsscx/macos-research

Toybox Unstripped

nm -a com.example.cryptex.dstroot/usr/bin/toybox  | wc -l
     941

START HERE

Install my Pre-Built SRD DMG

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/xsscx/srd/main/dmg/install.sh)"

SRD Example DMG, Build & Installation Status for iOS 16.x w/ + 8792.60.55

Build OS & Device Info	Example DMG	debugserver DMG	ASAN DMG	UBSAN DMG
macOS 13.0.1 22A400 X86_64	PASS	PASS	PASS	PASS
macOS 13 Beta T8101	PASS	PASS	PASS	PASS
X86_64 Install to iPhone 11 16.2_20C5049e	PASS	PASS	PASS	PASS
T8101 Install to iPhone 12 16.2_20C5049e	PASS	PASS	PASS	PASS

Last Known Good Working Configuration(s)

SIP Enabled
macOS 13.x X86_64 or M1 T8101 macOS 13.x
cryptexctl or CryptexManager
Xcode beta

Lastest IPSW Installations

Signed File: iPhone11,8,iPhone12,1_15.5_19F77_Restore.ipsw | defaults write com.apple.AMPDevicesAgent ipsw-variant -string 'Research Customer Erase Install (IPSW)' 
Signed File: iPhone13,2,iPhone13,3_15.5_19F77_Restore.ipsw | defaults write com.apple.AMPDevicesAgent ipsw-variant -string 'Research Customer Erase Install (IPSW)'
Signed File: iPhone12,1_16.0_20A5328h_Restore.ipsw | defaults write com.apple.AMPDevicesAgent ipsw-variant -string 'Research Developer Erase Install (IPSW)'
Signed File: iPhone13,2,iPhone13,3_16.0_20A5328h_Restore.ipsw | defaults write com.apple.AMPDevicesAgent ipsw-variant -string 'Research Developer Erase Install (IPSW)'

Prerequisites

Security Research Tools https://github.com/apple/security-research-device

Resources

Source: https://github.com/apple/security-research-device/tree/main/example-cryptex
DMG: https://github.com/xsscx/srd/raw/main/dmg/srd-universal-cryptex.dmg
Install: https://github.com/xsscx/srd/tree/main/dmg#readme
Discussion: nvram settings disabling KTRR, CTRR and kASLR https://github.com/apple/security-research-device/discussions/2
IPSW & Cryptex Installations
- Build Info, Issue Tracker
- Summary & Workarounds
- iPhone 11 & 12 SRD Models
Pre-built DMG's for the Apple Security Research Device
- toyboxunstripped
- frida
- debugserver
- Sample PoC's from CVE's
  - Chain3
  - P0 PoC's
    - Stage 0,1,2
    - port_refs
  - ZecOps
    - iOS 13 + 14 Voucher Leak
Sample Code
- Example ASAN Makefile and Binary
- Example UBSAN Makefile and Binary
- Example Code Coverage Makefile and Binary
- Example libarchive.a
- Example aslr Binary
- Example Binaries in /bin

SRD DMG Testing

Universal cryptex for iPhone 11 and iPhone 12 SRD Models
Tested on the iPhone 11 for all IPSW from the iOS 14.3 floor for the iPhone 11 up to the latest iOS 16
Tested on the iPhone 12 for all IPSW from the iOS 15.2 floor for the iPhone 12 up to the latest iOS 16
Tested on macOS 11.6.x using SRT 20C80, macOS 12.x using 21F79 and Cryptex Manager from X86_64 and M1 T8101 Platforms

SRD Cryptex Log Collector

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/xsscx/srd/main/srd_tools-24.100.3/example-cryptex/srd-cryptex-logcollector.sh)"

Hosts

X86_64

sysctl -a | grep CPU
machdep.cpu.brand_string: Intel(R) Core(TM) i7-8700B CPU @ 3.20GHz

Run Targets

SRD's - iPhone 11 and iPhone 12
iPhone 12 Pro Max
iPad 12 Pro
X86_64 mini
M1 T8101

How-To Compile for iOS

xcrun -sdk iphoneos clang -g -O2  -mios-version-min=14.3 -DDEBUG=0  -Wall -Wpedantic -Wno-gnu -Werror -Wunused-variable -o a.out code.s

To ALL - Open a Discussion, PR or Issue with Suggestions, Comments, Bugs, Feedback, Tips etc..
Collaborative Research
All Code and Questions are Welcome
When you see Code Errors, Fails or LOL's.. Please Open an Issue... Thanks!

srd's People

Contributors

Stargazers

Watchers

Forkers

cyberflamego mrcodechef impost0r skochinsky jonathanjonathanjonathan ttotal hardstylist derekselander ink-splatters

srd's Issues

SUMMARY: Unable to obtain a task name port right for pid: (os/kern) failure (0x5)

SpringBoard and others....

Unable to obtain a task name port right for pid 1143: (os/kern) failure (0x5)

Sample

error	20:45:25.476450-0400	SpringBoard	Unable to obtain a task name port right for pid 50 [/usr/sbin/wifid]: (os/kern) failure (0x5)
error	20:45:29.253326-0400	SpringBoard	Unable to obtain a task name port right for pid 68 [/usr/libexec/locationd]: (os/kern) failure (0x5)
error	20:47:07.382154-0400	SpringBoard	Unable to obtain a task name port right for pid 314 [/usr/bin/sysdiagnose]: (os/kern) failure (0x5)

Reported: https://feedbackassistant.apple.com/feedback/9904294

SUMMARY: Request for Help to Build CryptexManager on M1 T8101

Hello! After some manual attempts, I'm unsuccessful at building for arm64. Can you offer the correct steps for a successful M1 build for CryptexManager? Reported: pinauten/CryptexManager#3

Using Source https://github.com/pinauten/CryptexManager on M1 T8101 with Details:

kern.version: Darwin Kernel Version 21.4.0: Mon Feb 21 20:36:53 PST 2022; root:xnu-8020.101.4~2/RELEASE_ARM64_T8101
kern.osversion: 21E230
kern.iossupportversion: 15.4
kern.osproductversioncompat: 10.16
kern.osproductversion: 12.3
kern.osproductversioncompat: 10.16
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk
Apple clang version 13.1.6 (clang-1316.0.21.2)
Target: arm64-apple-darwin21.4.0
InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
Darwin Cryptex Management Interface Version 2.0.0: Tue Jan 25 23:53:01 PST 2022; root:libcryptex_executables-170.100.20~29/cryptexctl/WEN_ETA_ARM64E
machdep.cpu.brand_string: Apple M1
System Integrity Protection status: enabled
swift-driver version: 1.45.2 Apple Swift version 5.6 (swiftlang-5.6.0.323.62 clang-1316.0.20.8)
Target: arm64-apple-macosx12.0

Reproduction

Here are my reproduction steps using M1 T8101:

Step 1:

brew reinstall --build-from-source ideviceinstaller libimobiledevice
==> Reinstalling ideviceinstaller
==> ./configure --prefix=/opt/homebrew/Cellar/ideviceinstaller/1.1.1
==> make install
🍺  /opt/homebrew/Cellar/ideviceinstaller/1.1.1: 8 files, 102.1KB, built in 10 seconds
..
🍺  /opt/homebrew/Cellar/libimobiledevice/1.3.0: 72 files, 1.5MB, built in 11 seconds
==> Running `brew cleanup libimobiledevice`...

Step 2: Attempt to Build CryptexManager on M1 T8101 with command line:

swift build -c release -Xlinker -L/opt/homebrew/lib/

Build Log

swift build -c release -Xlinker -L/opt/homebrew/lib/
warning: Usage of /Users/xss/Library/org.swift.swiftpm/collections.json has been deprecated. Please delete it and use the new /Users/xss/Library/org.swift.swiftpm/configuration/collections.json instead.
Fetching https://github.com/pinauten/Swift_libimobiledevice from cache
Fetched https://github.com/pinauten/Swift_libimobiledevice (0.25s)
Fetching https://github.com/pinauten/libcryptex from cache
Fetched https://github.com/pinauten/libcryptex (0.26s)
Fetching https://github.com/pinauten/SwiftUtils from cache
Fetched https://github.com/pinauten/SwiftUtils (0.26s)
Creating working copy for https://github.com/pinauten/SwiftUtils
Working copy of https://github.com/pinauten/SwiftUtils resolved at master
Creating working copy for https://github.com/pinauten/Swift_libimobiledevice
Working copy of https://github.com/pinauten/Swift_libimobiledevice resolved at master
Creating working copy for https://github.com/pinauten/libcryptex
Working copy of https://github.com/pinauten/libcryptex resolved at master
Building for production...
<module-includes>:1:9: note: in file included from <module-includes>:1:
#import "libimobiledevice.h"
        ^
/Users/xss/Downloads/CryptexManager-master/.build/checkouts/Swift_libimobiledevice/Sources/Clibimobiledevice/libimobiledevice.h:12:10: error: 'libimobiledevice/libimobiledevice.h' file not found
#include <libimobiledevice/libimobiledevice.h>
         ^
/Users/xss/Downloads/CryptexManager-master/.build/checkouts/Swift_libimobiledevice/Sources/Swift_libimobiledevice/AFC.swift:10:8: error: could not build Objective-C module 'Clibimobiledevice'
import Clibimobiledevice
       ^

File Info from Errors

ls -al /Users/xss/Downloads/CryptexManager-master/.build/checkouts/Swift_libimobiledevice/Sources/Clibimobiledevice/libimobiledevice.h
-r--r--r--  1 xss  staff  477 Mar 17 10:17 /Users/xss/Downloads/CryptexManager-master/.build/checkouts/Swift_libimobiledevice/Sources/Clibimobiledevice/libimobiledevice.h

ls -la /opt/homebrew/lib/libimobiledevice-1.0.
libimobiledevice-1.0.6.dylib@  libimobiledevice-1.0.a@        libimobiledevice-1.0.dylib@

Summary

Have made no progress after some manual edits and wanted to ask for the correct steps to success to build CryptexManager on M1 T8101.

Thank You

SUMMARY: BUILD | 19D50 | Entitlement Issues

It has been found that the signature for simple-shell example code is rejected by AMFI Research when using SRT 21C39 on iPhone 11 + iPhone 12 with 19D50, and possibly other version, due to unsuitable CT policy.

Source

https://github.com/apple/security-research-device/tree/main/example-cryptex/src/simple-shell

iPhone 11

uname -a

SRD0009 21.3.0 Darwin Kernel Version 21.3.0: Wed Jan  5 21:44:45 PST 2022; root:xnu-8019.80.24~23/RELEASE_ARM64_T8030 iPhone12,1 Toybox

Console Log

default	09:50:01.225928-0500	cryptexd	AMSupportPlatformCreateBufferFromNativeFilePath: open failed: No such file or directory
default	09:50:01.226183-0500	cryptexd	<private>
default	09:50:01.226283-0500	cryptexd	<private>
default	09:50:01.226376-0500	cryptexd	<private>
default	09:50:01.226468-0500	cryptexd	<private>
default	09:50:01.227339-0500	cryptexd	AMSupportPlatformCreateBufferFromNativeFilePath: open failed: No such file or directory
default	09:50:01.227597-0500	cryptexd	<private>
default	09:50:01.227696-0500	cryptexd	<private>
default	09:50:01.227761-0500	cryptexd	<private>
default	09:50:01.227792-0500	cryptexd	<private>
default	09:50:01.227961-0500	cryptexd	AMSupportPlatformCreateBufferFromNativeFilePath: open failed: No such file or directory
default	09:50:01.228029-0500	cryptexd	<private>
default	09:50:01.228064-0500	cryptexd	<private>
default	09:50:01.228095-0500	cryptexd	<private>
default	09:50:01.228127-0500	cryptexd	<private>
default	09:50:01.228316-0500	cryptexd	AMSupportPlatformCreateBufferFromNativeFilePath: open failed: No such file or directory
default	09:50:01.228435-0500	cryptexd	<private>
default	09:50:01.228477-0500	cryptexd	<private>
default	09:50:01.228512-0500	cryptexd	[anonymous]: tss request = <private>
default	09:50:01.286221-0500	kernel	hfs: mounted com.example.cryptex.dstroot on device disk3s1
error	09:50:01.289122-0500	cryptexd	missing label
error	09:50:01.289161-0500	cryptexd	failed to frob plist: <xpc object>: [22: Invalid argument]
error	09:50:01.289216-0500	cryptexd	<private>: failed to bootstrap service: <private>: [22: Invalid argument]
default	09:50:01.298893-0500	MobileStorageMounter	cryptex mount point = <private>
default	09:50:01.299624-0500	MobileStorageMounter	Posting notification: com.apple.mobile.cryptex_mounted
default	09:50:01.301723-0500	installd	0x16b3ff000 main_block_invoke_2: event: <OS_xpc_dictionary: <dictionary: 0x105f052b0> { count = 4, transaction: 0, voucher = 0x105f04a20, contents =
	"UserInfo" => <dictionary: 0x105f040a0> { count = 2, transaction: 0, voucher = 0x0, contents =
		"DiskImageType" => <string: 0x105f05030> { length = 7, contents = "Cryptex" }
		"DiskImageMountPath" => <string: 0x105f04bb0> { length = 75, contents = "/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY" }
	}
	"Name" => <string: 0x105f04f20> { length = 35, contents = "com.apple.mobile.disk_image_mounted" }
	"Object" => <string: 0x105f04f50> { length = 20, contents = "MobileStorageMounter" }
	"XPCEventName" => <string: 0x105f055c0> { length = 35, contents = "com.apple.mobile.disk_image_mounted" }
}>
default	09:50:01.315119-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/usr/bin/simple-shell' is adhoc signed.
default	09:50:01.315145-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/usr/bin/simple-shell': unsuitable CT policy 0 for this platform/device, rejecting signature.
default	09:50:01.329533-0500	installd	0x16b3ff000 -[MIDeveloperDiskImageTracker imageMounted:]: received notification: file:///private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/Applications/
default	09:50:01.329827-0500	installd	0x16b3ff000 -[MIDeveloperDiskImageTracker checkMountPoint:]_block_invoke: /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/Applications is not present now or before
error	09:50:01.392422-0500	kernel	Sandbox: mobile_storage_p(269) deny(1) file-read-metadata /private/var/run/com.apple.security.cryptexd/codex.system/live/com.example.cryptex/cpxd
error	09:50:01.490565-0500	simple-server	Hello! I'm simple-server from the example cryptex!
error	09:50:01.490709-0500	simple-server	I'm about to bind to 0.0.0.0:7777
error	09:50:01.490952-0500	simple-server	I'm about to listen on fd: 3
error	09:50:01.491127-0500	simple-server	Waiting for a client to connect...
error	09:50:01.511826-0500	dropbear	send failed: Invalid argument
error	09:50:01.511933-0500	dropbear	send failed: Invalid argument
error	09:50:01.511970-0500	dropbear	send failed: Invalid argument
default	09:50:11.176348-0500	dropbear	Password auth succeeded for 'root' from 192.168.3.83:57440
default	09:50:11.203689-0500	dropbear	CRYPTEX_SHELL specified. User shell is now '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/usr/bin/sh'
default	09:50:11.206820-0500	dropbear	Setting PATH to '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/sbin:/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/bin:/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/usr/bin:/sbin:/bin:/usr/bin'
default	09:50:11.209203-0500	dropbear	Starting shell: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/usr/bin/sh'
default	09:50:11.326214-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/usr/bin/simple-shell' is adhoc signed.
default	09:50:11.326399-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/usr/bin/simple-shell': unsuitable CT policy 0 for this platform/device, rejecting signature.
error	09:50:11.996740-0500	kernel	1 duplicate report for Sandbox: mobile_storage_p(269) deny(1) file-read-metadata /private/var/run/com.apple.security.cryptexd/codex.system/live/com.example.cryptex/cpxd
default	09:50:21.340920-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/usr/bin/simple-shell' is adhoc signed.
default	09:50:21.341113-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/usr/bin/simple-shell': unsuitable CT policy 0 for this platform/device, rejecting signature.
default	09:50:31.350737-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/usr/bin/simple-shell' is adhoc signed.
default	09:50:31.350843-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/usr/bin/simple-shell': unsuitable CT policy 0 for this platform/device, rejecting signature.
default	09:50:41.474349-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/usr/bin/simple-shell' is adhoc signed.
default	09:50:41.474395-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.SaodjY/usr/bin/simple-shell': unsuitable CT policy 0 for this platform/device, rejecting signature.

Status

simple-shell, Service Exited, unsuitable CT policy, Recently Identified, AMFI Research, Hardcoded

Reported: https://github.com/apple/security-research-device/issues/43

SUMMARY: 15.4_19E5209h | CoreTrust | AMFI Research | Load Trust Cache | unsuitable CT policy | iPhone 11 | iPhone 12 | AppleMobileFileIntegrity_research

SUMMARY for PR42 using 15.4_19E5219e

With reference to PR's https://github.com/apple/security-research-device/pull/42 and https://github.com/apple/security-research-device/pull/49 when using https://github.com/apple/security-research-device/pull/48 using 15.4_19E5219e.

For 15.4_19E5219e_Restore.ipsw, AMFI_Research is complaining about the new Entitlements in https://github.com/apple/security-research-device/blob/main/example-cryptex/src/cryptex-run/entitlements.plist installed from macOS 12.2 (21D49) on X86_64 as shown in Console log for Xcode Version 13.3 beta 1 using 15.4_19E5219e:

default	08:52:51.037405-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.AXoRC0/usr/bin/cryptex-run' is adhoc signed.
default	08:52:51.037436-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.AXoRC0/usr/bin/cryptex-run': unsuitable CT policy 0 for this platform/device, rejecting signature.

when using Apple Feedback ASAN & UBSAN Makefile contained in PR https://github.com/apple/security-research-device/pull/42 and Xcode Version 13.3 beta 1 using 15.4_19E5219e.

AMFI_Research when personalized and cryptex installed from macOS 12.3 (21E5206e) using 15.4_19E5219e does not thrown the Error :

cryptex-run: unsuitable CT policy 0 for this platform/device, rejecting signature

when using 15.4_19E5219e and the default Makefile https://github.com/apple/security-research-device/blob/main/example-cryptex/src/hello/Makefile and Xcode Version 13.3 beta 1

For M1 T8101 macOS 12.3 (21E5206e) the Result of this PR42 with Xcode Version 13.3 beta 1 is:

AMFI: constraint violation /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.GfvfKO/usr/bin/libclang_rt.asan_ios_dynamic.dylib has entitlements but is not a main binary

Starting Entitlement for libclang_rt.asan_ios_dynamic.dylib for Xcode Version 13.3 beta 1

codesign --display --entitlements - --xml /Applications/Xcode-beta.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/13.1.6/lib/darwin/libclang_rt.ubsan_ios_dynamic.dylib 2>&1 > default-asan-codesign.plist
Executable=/Applications/Xcode-beta.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/13.1.6/lib/darwin/libclang_rt.ubsan_ios_dynamic.dylib

Final dstroot Entitlement for libclang_rt.asan_ios_dynamic.dylib for Xcode Version 13.3 beta 1

codesign --display --entitlements - --xml com.example.cryptex.dstroot/usr/bin/libclang_rt.asan_ios_dynamic.dylib

Executable=/Users/xss/example-cryptex/com.example.cryptex.dstroot/usr/bin/libclang_rt.asan_ios_dynamic.dylib

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.private.security.no-container</key>
		<true/>
	<key>com.apple.security.network.client</key>
		<true/>
	<key>com.apple.security.network.server</key>
		<true/>
	<key>platform-application</key>
		<true/></dict>
</plist>

Those Entitlements are equal to cryptex-run, which throws the unsuitable CT policy 0 for this platform/device, rejecting signature as noted above from X86_64 macOS 12.2 personalization and installation. Perhaps @TorgoApple can offer insight. In the example Apple Feedback Makefile of this PR42 there is no provision for codesigning with the comment:

# TODO: Figure out if codesigning is actually necessary

Note

debugserver + SAN Libs work as expected when installed on 15.4_19E5219e from macOS 12.3 (21E5206e) when using Xcode Version 13.3 beta 1.

(lldb) process attach --pid 298
Process 298 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x00000001fdd4f500 libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
->  0x1fdd4f500 <+8>: ret

libsystem_kernel.dylib`mach_msg_overwrite_trap:
    0x1fdd4f504 <+0>: mov    x16, #-0x20
    0x1fdd4f508 <+4>: svc    #0x80
    0x1fdd4f50c <+8>: ret
Target 0: (OTATaskingAgent) stopped.
Executable module set to "/usr/libexec/OTATaskingAgent".
(lldb) image list
[  0]  /usr/libexec/OTATaskingAgent (0x00000001025e8000)
[  1]  /usr/lib/dyld (0x00000001028c0000)
[  2]  /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (0x00000001d35a6000)

Occasional Results of PR https://github.com/apple/security-research-device/pull/42 and https://github.com/apple/security-research-device/pull/49 when using https://github.com/apple/security-research-device/pull/48 with T8101 on macOS 12.3 (21E5206e) when using Xcode 13.3 Beta 2 - Build version 13E5095k

kernel	AMFI: '/usr/bin/debugserver' is adhoc signed.
kernel	AMFI: '/usr/bin/debugserver': unsuitable CT policy 0 for this platform/device, rejecting signature.
kernel	AMFI: '/usr/bin/hello' is adhoc signed.
kernel	AMFI: '/usr/bin/hello': unsuitable CT policy 0 for this platform/device, rejecting signature.

Takeaway

80%+ Installation Success Rate using 15.4_19E5219e for PR https://github.com/apple/security-research-device/pull/42 and https://github.com/apple/security-research-device/pull/49 when using https://github.com/apple/security-research-device/pull/48 with T8101 on macOS 12.3 (21E5206e) when using Xcode 13.3 Beta 2 - Build version 13E5095k. As noted in prior Issues, the AMFI complaint is intermittent.

cryptexctl device list

udid                           name       build      BORD       CHIP       ECID
00008030-001538D03C40012E      SRD0009 19E5219e   0x4        0x8030     0x1538d03c40012e
00008101-001418DA3CC0013A      SRD0037    19E5219e   0xc        0x8101     0x1418da3cc0013a

Prior Fix

https://github.com/apple/security-research-device/pull/48

Knowledgebase

SUMMARY: FB9903967 | FAIL on SAN dylib are caused by file system sandbox blocked mmap()

SUMMARY for PR42 using 15.4_19E5219e

Opened: Apple Feedback Case ID FB9903967 | file system sandbox blocked
Opened: Apple Feedback Case ID FB9904294: Springboard, runningboardd: Unable to obtain a task name port right: (os/kern) failure (0x5), prior Report of FB9643887

PR42

entitlements applied to quiet AMFI.
entitlement errors on the SAN dylib are caused by file system sandbox blocked mmap().
Here is the AMFI complaint for the SAN Dylibs as of SUN 13 FEB 2022: (file system sandbox blocked mmap()

ASI found [dyld] (sensitive) 'Library not loaded: @rpath/libclang_rt.asan_ios_dynamic.dylib
  Referenced from: /mnt/com.example.cryptex.lYwXkJ/usr/bin/hello
  Reason: tried: '/mnt/com.example.cryptex.lYwXkJ/usr/bin/libclang_rt.asan_ios_dynamic.dylib' (file system sandbox blocked mmap() of '/mnt/com.example.cryptex.lYwXkJ/usr/bin/libclang_rt.asan_ios_dynamic.dylib'), '/Applications/Xcode-beta.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/13.1.6/lib/darwin/libclang_rt.asan_ios_dynamic.dylib' (no such file), '/mnt/com.example.cryptex.lYwXkJ/usr/bin/libclang_rt.asan_ios_dynamic.dylib' (file system sandbox blocked mmap() of '/mnt/com.example.cryptex.lYwXkJ/usr/bin/libclang_rt.asan_ios_dynamic.dylib'), '/Applications/Xcode-beta.app/Contents/Developer/Toolchains/Xcode<…>'

The FIX could be to permit the file system sandbox to allow mmap of *SAN Dylibs, and other Tooling in the Trust Cache. Perhaps there are Workarounds @TorgoApple can provide, but this looks like a Milestone can be set to permit the file system sandbox to allow mmap of *SAN Dylibs, and other Tooling.

PR48

Just for clarity, AMFI is complaining about the entitlements in https://github.com/apple/security-research-device/pull/48 and https://github.com/apple/security-research-device/pull/49

default	11:21:26.476366-0500	kernel	AMFI: '/usr/bin/debugserver' is adhoc signed.
default	11:21:26.476457-0500	kernel	AMFI: '/usr/bin/debugserver': unsuitable CT policy 0 for this platform/device, rejecting signature.

Very Cool .. To see debugserver and Frida come alive. Looks like more PPL groming needed, more later in a different PR

Prior Fix

https://github.com/apple/security-research-device/pull/48
FB9643887 15.1_19B5042h SpringBoard Unable to obtain a task name port right for pid xxx: (os/kern) failure (0x5)

Knowledgebase

https://github.com/apple/security-research-device/issues/27
https://github.com/apple/security-research-device/issues/43
https://github.com/apple/security-research-device/issues/44
https://github.com/apple/security-research-device/issues/46
https://github.com/apple/security-research-device/issues/47
https://github.com/apple/security-research-device/issues/48
https://github.com/apple/security-research-device/issues/49
https://github.com/apple/security-research-device/issues/50
Opened: Apple Feedback Case ID FB9903967 | file system sandbox blocked
Opened: Apple Feedback Case ID FB9904294: Springboard, runningboardd: Unable to obtain a task name port right: (os/kern) failure (0x5), prior Report of FB9643887

SUMMARY: BUILD | 19E5209h | 13E5086k | libclang_rt.asan_ios_dynamic.dylib | Entitlement Issues

With respect to ios 15.4 Beta 19E5209h and Xcode 13E5086k | libclang_rt.asan_ios_dynamic.dylib

Issue

cryptex-run: unsuitable CT policy 0 for this platform/device, rejecting signature

Repro

Terminal

Step 1: Make & Install Cryptex

make clean
make
make install

Step 2: Collect Logs

sudo -E cryptexctl log collect

Step 3: Search Logs

open ./system_logs.logarchive
Search == cryptex

Step 4: Review & Confirm the Issue

Source

https://github.com/apple/security-research-device/tree/main/example-cryptex

Codesign Info

codesign -dvv /usr/local/bin/cryptexctl.research
Executable=/usr/local/bin/cryptexctl.research
Identifier=com.apple.security.cryptexctl
Format=Mach-O universal (x86_64 arm64e)
CodeDirectory v=20400 size=3286 flags=0x2000(library-validation) hashes=92+7 location=embedded
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=Jan 26, 2022 at 02:53:39
Info.plist entries=18
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=80

Host Version Info

=====================================
SRD Host Cryptex Troubleshooter Log Info
=====================================
Sun Jan 30 21:40:51 EST 2022
macOS 12.3 (21E5196i) 
21.4.0 Darwin Kernel Version 21.4.0: Tue Jan 18 13:02:08 PST 2022; root:xnu-8020.100.406.0.1~18/RELEASE_ARM64_T8101 arm64
Apple clang version 13.1.6 (clang-1316.0.19.2)
Target: arm64-apple-darwin21.4.0
Thread model: posix
InstalledDir: /Applications/Xcode-beta.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
Darwin Cryptex Management Interface Version 2.0.0: Tue Jan 25 23:53:01 PST 2022; root:libcryptex_executables-170.100.20~29/cryptexctl/WEN_ETA_ARM64E
machdep.cpu.brand_string: Apple M1
System Integrity Protection status: disabled.
cryptexctl: flags = [none]
cryptexctl: will re-exec: /usr/local/bin/cryptexctl.research
cryptexctl.research: path = /usr/local/bin/cryptexctl.research
MobileDevice version = 1369.100.45.111.1
cryptexctl.research: argv[_main] =
cryptexctl.research:   [0] = cryptexctl
cryptexctl.research:   [1] = -v2
cryptexctl.research:   [2] = -d2
cryptexctl.research:   [3] = install
cryptexctl.research:   [4] = --variant=research
cryptexctl.research:   [5] = --persist
cryptexctl.research:   [6] = --print-info
cryptexctl.research:   [7] = ./com.example.cryptex.cxbd.signed

Issue Summary

default	21:35:49.740365-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.WJMQAm/usr/bin/cryptex-run' is adhoc signed.
default	21:35:49.740483-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.WJMQAm/usr/bin/cryptex-run': unsuitable CT policy 0 for this platform/device, rejecting signature.

iPhone 11 Log Collection

default	2022-01-30 21:50:54.186624 -0500	launchd	service state: spawning
default	2022-01-30 21:50:54.186683 -0500	launchd	launching: inefficient
default	2022-01-30 21:50:54.188719 -0500	launchd	xpcproxy spawned with pid 4448
default	2022-01-30 21:50:54.188781 -0500	launchd	internal event: SPAWNED, code = 0
default	2022-01-30 21:50:54.188801 -0500	launchd	service state: xpcproxy
default	2022-01-30 21:50:54.188817 -0500	launchd	deferred event: domain spawn response: 0
default	2022-01-30 21:50:54.188839 -0500	launchd	internal event: SOURCE_ATTACH, code = 0
default	2022-01-30 21:50:54.196063 -0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.enqAqx/usr/bin/cryptex-run' is adhoc signed.
default	2022-01-30 21:50:54.196108 -0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.enqAqx/usr/bin/cryptex-run': unsuitable CT policy 0 for this platform/device, rejecting signature.
default	2022-01-30 21:50:54.196371 -0500	launchd	service state: running
default	2022-01-30 21:50:54.196410 -0500	launchd	internal event: INIT, code = 0
default	2022-01-30 21:50:54.196435 -0500	launchd	Successfully spawned cryptex-run[4448] because inefficient
default	2022-01-30 21:50:54.197077 -0500	launchd	removing service since it exited with consistent failure - OS_REASON_EXEC
default	2022-01-30 21:50:54.197093 -0500	launchd	service exited: dirty = 0, supported pressured-exit = 0
default	2022-01-30 21:50:54.197109 -0500	launchd	service state: exited
default	2022-01-30 21:50:54.197125 -0500	launchd	internal event: EXITED, code = 0
default	2022-01-30 21:50:54.197135 -0500	launchd	service inactive: com.example.cryptex.sshd
default	2022-01-30 21:50:54.197153 -0500	launchd	service state: not running
default	2022-01-30 21:50:54.197175 -0500	launchd	Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
default	2022-01-30 21:50:54.197276 -0500	launchd	internal event: WILL_SPAWN, code = 0
default	2022-01-30 21:50:54.197290 -0500	launchd	service state: spawn scheduled
default	2022-01-30 21:50:54.197303 -0500	launchd	service throttled by 10 seconds
default	2022-01-30 21:50:56.494889 -0500	launchd	service state: spawning
default	2022-01-30 21:50:56.494950 -0500	launchd	launching: inefficient
default	2022-01-30 21:50:56.497005 -0500	launchd	xpcproxy spawned with pid 4449
default	2022-01-30 21:50:56.497064 -0500	launchd	internal event: SPAWNED, code = 0
default	2022-01-30 21:50:56.497081 -0500	launchd	service state: xpcproxy
default	2022-01-30 21:50:56.497098 -0500	launchd	deferred event: domain spawn response: 0
default	2022-01-30 21:50:56.497124 -0500	launchd	internal event: SOURCE_ATTACH, code = 0
default	2022-01-30 21:50:56.505707 -0500	launchd	service state: running
default	2022-01-30 21:50:56.505748 -0500	launchd	internal event: INIT, code = 0
default	2022-01-30 21:50:56.505769 -0500	launchd	Successfully spawned hello[4449] because inefficient
default	2022-01-30 21:50:56.544836 -0500	launchd	service exited: dirty = 0, supported pressured-exit = 0
default	2022-01-30 21:50:56.544877 -0500	launchd	jettisoned: JETSAM_REASON_MEMORY_PERPROCESSLIMIT
default	2022-01-30 21:50:56.544894 -0500	launchd	service state: exited
default	2022-01-30 21:50:56.544913 -0500	launchd	internal event: EXITED, code = 0
default	2022-01-30 21:50:56.544923 -0500	launchd	service inactive: com.example.cryptex.hello
default	2022-01-30 21:50:56.544939 -0500	launchd	service state: not running
default	2022-01-30 21:50:56.544960 -0500	launchd	Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
default	2022-01-30 21:50:56.545021 -0500	launchd	internal event: WILL_SPAWN, code = 0
default	2022-01-30 21:50:56.545036 -0500	launchd	service state: spawn scheduled
default	2022-01-30 21:50:56.545048 -0500	launchd	service throttled by 10 seconds
default	2022-01-30 21:51:04.202399 -0500	launchd	service state: spawning
default	2022-01-30 21:51:04.202461 -0500	launchd	launching: inefficient
default	2022-01-30 21:51:04.204480 -0500	launchd	xpcproxy spawned with pid 4451
default	2022-01-30 21:51:04.204545 -0500	launchd	internal event: SPAWNED, code = 0
default	2022-01-30 21:51:04.204562 -0500	launchd	service state: xpcproxy
default	2022-01-30 21:51:04.204577 -0500	launchd	deferred event: domain spawn response: 0
default	2022-01-30 21:51:04.204611 -0500	launchd	internal event: SOURCE_ATTACH, code = 0
default	2022-01-30 21:51:04.211842 -0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.enqAqx/usr/bin/cryptex-run' is adhoc signed.
default	2022-01-30 21:51:04.211884 -0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.enqAqx/usr/bin/cryptex-run': unsuitable CT policy 0 for this platform/device, rejecting signature.
default	2022-01-30 21:51:04.212199 -0500	launchd	service state: running
default	2022-01-30 21:51:04.212246 -0500	launchd	internal event: INIT, code = 0
default	2022-01-30 21:51:04.212271 -0500	launchd	Successfully spawned cryptex-run[4451] because inefficient
default	2022-01-30 21:51:04.212918 -0500	launchd	removing service since it exited with consistent failure - OS_REASON_EXEC
default	2022-01-30 21:51:04.212949 -0500	launchd	service exited: dirty = 0, supported pressured-exit = 0
default	2022-01-30 21:51:04.212965 -0500	launchd	service state: exited
default	2022-01-30 21:51:04.212980 -0500	launchd	internal event: EXITED, code = 0
default	2022-01-30 21:51:04.212990 -0500	launchd	service inactive: com.example.cryptex.sshd
default	2022-01-30 21:51:04.213009 -0500	launchd	service state: not running

iPhone 12 Log Collection

default	2022-01-31 06:12:16.660702 -0800	launchd	service state: spawning
default	2022-01-31 06:12:16.660758 -0800	launchd	launching: inefficient
default	2022-01-31 06:12:16.662678 -0800	launchd	xpcproxy spawned with pid 1010
default	2022-01-31 06:12:16.662724 -0800	launchd	internal event: SPAWNED, code = 0
default	2022-01-31 06:12:16.662739 -0800	launchd	service state: xpcproxy
default	2022-01-31 06:12:16.662750 -0800	launchd	deferred event: domain spawn response: 0
default	2022-01-31 06:12:16.662772 -0800	launchd	internal event: SOURCE_ATTACH, code = 0
default	2022-01-31 06:12:16.668931 -0800	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.znycKY/usr/bin/cryptex-run' is adhoc signed.
default	2022-01-31 06:12:16.668956 -0800	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.znycKY/usr/bin/cryptex-run': unsuitable CT policy 0 for this platform/device, rejecting signature.
default	2022-01-31 06:12:16.669169 -0800	launchd	service state: running
default	2022-01-31 06:12:16.669203 -0800	launchd	internal event: INIT, code = 0
default	2022-01-31 06:12:16.669223 -0800	launchd	Successfully spawned cryptex-run[1010] because inefficient
default	2022-01-31 06:12:16.669852 -0800	launchd	removing service since it exited with consistent failure - OS_REASON_EXEC
default	2022-01-31 06:12:16.669881 -0800	launchd	exited with exit reason (namespace: 9 code: 0x1) - OS_REASON_EXEC
default	2022-01-31 06:12:16.669895 -0800	launchd	service state: exited
default	2022-01-31 06:12:16.669912 -0800	launchd	internal event: EXITED, code = 0
default	2022-01-31 06:12:16.669922 -0800	launchd	service inactive: com.example.cryptex.sshd
default	2022-01-31 06:12:16.669934 -0800	launchd	service state: not running

UX

No SSH Access

ssh: connect to host 192.168.3.70 port 22: Connection refused

Prior Report(s)

https://github.com/apple/security-research-device/issues/43: 19D50 | AMFI Research | 21C39 | simple-shell | unsuitable CT policy 0 for this platform/device, rejecting signature

Cryptex Manager

CryptexManager can also be used for Cryptex Installation. The Console Logs shows similar Errors :

default	13:51:44.456337-0500	ReportCrash	ASI found [dyld] (sensitive) 'Library not loaded: @rpath/libclang_rt.asan_ios_dynamic.dylib
  Referenced from: /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.YCRf5T/usr/bin/hello
  Reason: tried: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.YCRf5T/usr/bin/libclang_rt.asan_ios_dynamic.dylib' (code signature invalid (errno=1) sliceOffset=0x001FC000, codeBlobOffset=0x000B5B70, codeBlobSize=0x00006D40 for '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.YCRf5T/usr/bin/libclang_rt.asan_ios_dynamic.dylib'), '/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/13.0.0/lib/darwin/libclang_rt.asan_ios_dynamic.dylib' (no such file), '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.YCRf5T/usr/bin/libclang_rt.asan_ios_dynamic.dylib' (code signature invalid (errno=1) sliceOffset=0x001FC000, codeBlobOffset=0x000B5B70, codeBlobSize=0x00006D40 for '/private/var/run/com.apple.security.cryptexd<…>'
error	13:51:51.232732-0500	kernel	Sandbox: mobile_storage_p(302) deny(1) file-read-metadata /private/var/run/com.apple.security.cryptexd/codex.system/live/com.example.cryptex/cpxd
default	13:51:54.417943-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.YCRf5T/usr/bin/libclang_rt.asan_ios_dynamic.dylib': unsuitable CT policy 0x8 for this platform/device, rejecting signature.
default	13:51:54.424813-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.YCRf5T/usr/bin/libclang_rt.asan_ios_dynamic.dylib': unsuitable CT policy 0x8 for this platform/device, rejecting signature.
default	13:51:54.433294-0500	ReportCrash	ASI found [dyld] (sensitive) 'Library not loaded: @rpath/libclang_rt.asan_ios_dynamic.dylib
  Referenced from: /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.YCRf5T/usr/bin/hello
  Reason: tried: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.YCRf5T/usr/bin/libclang_rt.asan_ios_dynamic.dylib' (code signature invalid (errno=1) sliceOffset=0x001FC000, codeBlobOffset=0x000B5B70, codeBlobSize=0x00006D40 for '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.YCRf5T/usr/bin/libclang_rt.asan_ios_dynamic.dylib'), '/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/13.0.0/lib/darwin/libclang_rt.asan_ios_dynamic.dylib' (no such file), '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.YCRf5T/usr/bin/libclang_rt.asan_ios_dynamic.dylib' (code signature invalid (errno=1) sliceOffset=0x001FC000, codeBlobOffset=0x000B5B70, codeBlobSize=0x00006D40 for '/private/var/run/com.apple.security.cryptexd<…>'
default	13:52:04.451750-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.YCRf5T/usr/bin/libclang_rt.asan_ios_dynamic.dylib': unsuitable CT policy 0x8 for this platform/device, rejecting signature.
default	13:52:04.458494-0500	kernel	AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.YCRf5T/usr/bin/libclang_rt.asan_ios_dynamic.dylib': unsuitable CT policy 0x8 for this platform/device, rejecting signature.

CryptexManager is able to successfully perform a Cryptex Installation for ios 15.4 Beta 19E5209h with Host X86_64 when using macOS 12.2 (21D49):

uname -a
Darwin SRD0009 21.4.0 Darwin Kernel Version 21.4.0: Sun Jan 16 20:50:39 PST 2022; root:xnu-8020.100.406.0.1~10/RELEASE_ARM64_T8030 iPhone12,1 Toybox

SUMMARY: PR | 21C39 | Readme.md Changes for troubleshooting

21C39 | Readme.md Changes for troubleshooting

It was found that the troubleshooting instructions for cryptexctl contain in Readme.md can be optimized.

A suggested change to the Readme.md is shown below:

Remove: cryptexctl -v9 -d9 -ldt install --print-info ./com.example.cryptex.cxbd
Add: cryptexctl -v4 -d4 install --variant=research --persist --print-info ./com.example.cryptex.cxbd.signed (21C39)

Then, then correct output is shown for cryptexctl -print-info as shown below:

cryptexctl.research:   executable_path => /usr/local/bin/cryptexctl.research
cryptexctl.research:   ptr_munge =>
cryptexctl.research:   main_stack =>
cryptexctl.research:   executable_file => 0x1c01000006,0x53ca9
cryptexctl.research:   dyld_file => 0x1c01000006,0xfffffff000e3982
cryptexctl.research:   executable_cdhash => 50da1fdfbd3511624b146f0dbf201e7e305a74ae
cryptexctl.research:   executable_boothash => 4a503cd7f10ec917ef7203df2f670ad4c20962a3
cryptexctl.research:   th_port =>
will persist cryptex

Example Data Collector

date >> srd-cryptex-troubleshooter.log
uname -a >> srd-cryptex-troubleshooter.log
clang -v >> srd-cryptex-troubleshooter.log
cryptexctl version >> srd-cryptex-troubleshooter.log
sysctl -a | grep brand >> srd-cryptex-troubleshooter.log
csrutil status >> srd-cryptex-troubleshooter.log
cryptexctl -v4 -d4  install --variant=research --persist --print-info ./com.example.cryptex.cxbd.signed
sudo sysdiagnose

cat srd-cryptex-troubleshooter.log

Mon Jan 17 07:36:48 EST 2022
Darwin mini.local 21.2.0 Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64 x86_64
Darwin Cryptex Management Interface Version 2.0.0: Sun Dec 19 22:28:12 PST 2021; root:libcryptex_executables-169.80.2~9/cryptexctl/WEN_ETA_X86_64
machdep.cpu.brand: 0
machdep.cpu.brand_string: Intel(R) Core(TM) i7-8700B CPU @ 3.20GHz
System Integrity Protection status: disabled.

It was also found that the command line args -t is not shown when cryptexctl is run. Please consider documenting the -t arg.

Please consider making these changes to your Readme.md.

Commit: 8283d85
Report: https://github.com/apple/security-research-device/issues/40

SUMMARY: macOS Ventura Beta 22A5266r | Xcode Version 14.0 beta (14A5228q) | IPSW 16.0_20A5283p | AMFI: Launch Constraint Violation | cryptex | no launch for ./example-cryptex/ | Multiple Errors | UX == no ssh, debugserver or Frida

Summary

Out of the box ./example-cryptex/ doesn't install to iPhone 11 or iPhone 12 due to multiple Issues detailed below.

Platform

macOS Ventura Beta 22A5266r | Xcode Version 14.0 beta (14A5228q) on arm64e with IPSW 16.0_20A5283p on SRD's

Source Code

Source Code == https://github.com/apple/security-research-device
Modified Code == https://github.com/xsscx/srd

Trouble Report

launchd doesn't fire for the cryptex.

User Experience | UX

The UX is no ssh, no Frida, no debugserver etc..

The Problem

Issue: There is an issue with Launchd on iOS16 for the cryptex + related service.

AMFI: Launch Constraint Violation (not enforcing), error info: c[6]p[2]m[3]e[255], (Process was launched as a system service unexpectedly but met System Service constraints) launching proc[vc: 1 pid: 390]: /private/preboot/Cryptexes/App/usr/libexec/passwordbreachd, launch type 1, failure proc [vc: 1 pid: 1]: /sbin/launchd

Nothing is launching from the cryptex.

This is the pertinent portion of the SRD Console Log that shows the mount taking place, then a failure on probe, and to convert signature. Hopefully this is enough for Apple to help start troubleshooting the issue of a cryptex not launching code like Frida, dropbear, debugserver etc...

	diskarbitrationd	created disk, id = /dev/disk4.
	diskarbitrationd	created disk, id = /dev/disk4s1.
	diskarbitrationd	probed disk, id = /dev/disk4s1, with hfs, ongoing.
	kernel	hfs: mounted com.example.cryptex.dstroot on device disk4s1
	kernel	static IOReturn AppleMobileFileIntegrityUserClient::loadTrustCache(OSObject *, void *, IOExternalMethodArguments *): PID 302 is requesting a trust cache load
	diskarbitrationd	probed disk, id = /dev/disk4s1, with hfs, failure.
  diskarbitrationd	unable to probe /dev/disk4s1 (status code 0xFFFFFFFC).
	MobileStorageMounter	cryptex mount point = <private>
	MobileStorageMounter	Posting notification: com.apple.mobile.cryptex_mounted
	MobileStorageMounter	Posting notification: com.apple.mobile.disk_image_mounted (<private>)
	mobile_storage_proxy	Sending response: <private>
	diskarbitrationd	Idle timer started 1 4b08fc0
	lockdownd	main_block_invoke: <private>
	mobile_storage_proxy	Host connection (<private>): <private>
	mobile_storage_proxy	Sending response: <private>
	lockdownd	Failed to convert signature from <private>
	lockdownd	load_agents_for_mount: <private>
	lockdownd	Starting browsing: <private>
	lockdownd	refresh_remote_services_block_invoke: <private>
	lockdownd	refresh_remote_services_block_invoke: <private>
	lockdownd	mounted_image_callback: <private>
	lockdownd	handle_get_value: <private>
...
kernel	1 duplicate report for Sandbox: MobileStorageMounter(320) deny(1) file-read-metadata /private/var/run/com.apple.security.cryptexd/codex.system/live/com.example.cryptex/cpxd
kernel	Sandbox: mobile_storage_proxy(319) deny(1) file-read-metadata /private/var/run/com.apple.security.cryptexd/codex.system/live/com.example.cryptex/cpxd
kernel	1 duplicate report for Sandbox: mobile_storage_proxy(319) deny(1) file-read-metadata /private/var/run/com.apple.security.cryptexd/codex.system/live/com.example.cryptex/cpxd

Reported: https://github.com/apple/security-research-device/issues/64

Error with cryptexctl create

Reproduction:

cryptexctl ${CRYPTEXCTL_FLAGS} create --research --replace ${CRYPTEXCTL_CREATE_FLAGS} --identifier=com.example.cryptex --version=1.3.3.7 --variant=research com.example.cryptex.dmg

SUMMARY: TSS | Finder | macOS 12.2 (21D49) | X86_64 | macOS 12.3 (21E5196i) | T8101 | iPhone 12 | iPhone13,2,iPhone13,3_15.4_19E5209h_Restore.ipsw | server request error: Declined to authorize this image on this device for this user

IPSW Updated Declined for iPhone 12

The Logged Error Message was:

[07:52:04.8679] amai: AMAuthInstallRequestSendSync: failed tss request:>>>>>>>>>>
[07:52:04.8679] amai: _AMAuthInstallApCreatePersonalizedResponseInternal: server request error: Declined to authorize this image on this device for this user.
[07:52:04.8679] amai: AMAuthInstallBundlePersonalizePartialWithRecoveryOS: failed to create ap ticket
[07:52:04.8679] failed to personalize the restore bundle: Declined to authorize this image on this device for this user.
[07:52:04.8679] AMRAuthInstallDeletePersonalizedBundle
[07:52:04.8690] Personalization failed
[07:52:04.8690] Finished BootedOS Restore Phase: Failed

The iPhone 11 Completed the Update Process for the Reported IPSW

SUMMARY: TSS | ECID | T8101 | X86_64 | Downgrade | IPSW | iPhone 12 aka 13,1 | SRD0037 | declined to sign downgrade request || Workaround Posted

TSS is Declining to Sign an IPSW when attempting to Update 0x1418da3cc0013a with Apple M1 when using macOS 11.6.2 (20G314) with the typical Message: boo hoo

TSS is Permitting an IPSW Signing with Intel X86_64 when using macOS 12.1 (21C62).

This was the same behavior with the original iPhone 11 for SRDC 2021. At Shipping, TSS worked on X86_64 but not on T8101. Resolution was approximately 60 days.

Notification sent via e-mail 20-Dec-2021

SUMMARY: BUILD | 19C5026i | debugserver | entitlements | config | research.com.apple.license-to-operate

Apple Feedback FB9737956 | iPhone11,8,iPhone12,1_15.2_19C5026i_Restore.ipsw | SRD | 19C5026i | Entitlement | research.com.apple.license-to-operate

Describe the bug
Apple Feedback FB9737956: Entitlements and Configs needed for SRD. I re-signed debugserver with research.com.apple.license-to-operate and it doesn't work as expected. iPhone11,8,iPhone12,1_15.2_19C5026i_Restore.ipsw
I am wondering what other entitlements and configs are suggested / required for use on SRD now that this entitlement has been Published with the Release of iOS 15.1 and this PR is Public at URL frida/frida-core#400

To Reproduce
Steps to reproduce the behavior:

Extract debugserver
add to cryptex
make install
ssh to srd, attach works etc.. but can't list process, and the Remote doesn't realize it is attached.
But I can confirm PPL is out of the way! :-)
See URL https://srd.cx/debugserver-installation-configuration/

Expected behavior
TBD, now that PPL is out of the way we can focus on continuing to groom out the SRD and debugging Tools.

Screenshots
N/A

Desktop (please complete the following information):

Smartphone (please complete the following information):
Darwin iPhone 21.1.0 Darwin Kernel Version 21.1.0: Wed Oct 13 18:16:58 PDT 2021; root:xnu-8019.42.4~1/RELEASE_ARM64_T8030 iPhone12,1 Toybox

Additional context
See the landing page readme for more info, see URL https://srd.cx/debugserver-installation-configuration/

./debugserver 192.168.3.37:1921 ./hello
debugserver-@(#)PROGRAM:LLDB PROJECT:lldb-1300.2.10
for arm64.
Listening to port 1921 for a connection from 192.168.3.37...
Got a connection, launched process ./hello (pid = 335).
Exiting.

(lldb) process connect connect://192.168.3.31:1921
(lldb) plat proc list
error: no processes were found on the "remote-ios" platform
(lldb) plat proc list
error: no processes were found on the "remote-ios" platform

Summary

It is my understanding that Apple is now aware from other participants that this entitlement research.com.apple.license-to-operate does not provide the necessary functionality to support Frida and other research tools for the Apple Security Research Device.

SUMMARY: TSS | 21C52 | 21D5025f | 21C39 | X86_64 | T8101 | SRD0009 | SRD0037 | iPhone 11 | iPhone 12 || Workaround Posted | Work in Progress

21C52 | 21D5025f | 21C39 | X86_64 | T8101 | TSS | SRD0009 | SRD0037 | iPhone 11 | iPhone 12

Main Tracker for https://github.com/apple/security-research-device/issues/9

SUMMARY: TSS | 21C52 | 20G314 | 19D5040e | iPhone 12 | Declined via Finder | srdutil success

TSS | 21C52 | 20G314 | 19D5040e | iPhone 12 | Declined via Finder | srdutil success

Device == iPhone 12 aka SRD0037
iOS = iOS 15.2 - Floor IPSW

Finder

Filename == iPhone13,2,iPhone13,3_15.3_19D5040e_Restore.ipsw
Device == SRD0037

defaults write com.apple.AMPDevicesAgent ipsw-variant -string 'Research Developer Erase Install (IPSW)'
killall Finder

Host OS

20.6.0 Darwin Kernel Version 20.6.0: Wed Nov 10 22:23:05 PST 2021; root:xnu-7195.141.14~1/RELEASE_ARM64_T8101 arm6
21.2.0 Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64 x86_64

[19:13:41.1840] Failure Description:
[19:13:41.1840] Depth:0 Code:4028 Error:Personalization failed
[19:13:41.1840] Depth:1 Code:3194 Error:Declined to authorize this image on this device for this user.

TSS Signed iPhone11,8,iPhone12,1_15.3_19D5040e_Restore.ipsw for the iPhone 11.

Restore completed, status:0

Reported https://github.com/apple/security-research-device/issues/35

Updated THU 13 JAN 2022 at 0700 EST

It has been found that srdutil will successfully Upgrade the iPhone 12 with IPSW iPhone13,2,iPhone13,3_15.3_19D5040e_Restore.ipsw when using macOS 12.1 (21C52) from X86_64.

Audit Trail

srdutil restore iPhone13,2,iPhone13,3_15.3_19D5040e_Restore.ipsw

srdutil restore -D -v -s -e 0x1418da3cc0013a -i ~/Downloads/13-19D5040e.ipsw
[+] Patching PRKit with variant: "Research Developer Erase Install (IPSW)"
[+] Patching PRKit with IPSW: "/Users/xss/Downloads/13-19D5040e.ipsw"
[+] Dumping restore options
{
    AuthInstallVariant = "Research Developer Erase Install (IPSW)";
    AutoBootDelay = 0;
    CreateFilesystemPartitions = 1;
    FlashNOR = 1;
    NORImageType = production;
    RestoreBootArgs = "rd=md0 nand-enable-reformat=1 -progress";
    RestoreBundlePath = "file:///Users/xss/Downloads/13-19D5040e.ipsw";
    UpdateBaseband = 1;
}
[x] Waiting for device with ECID: 0x1418da3cc0013a to connect...
[x] Scanning for restorable devices...
[+] ECID: 0x1418da3cc0013a - connected
[+] ECID: 0x1418da3cc0013a - Sending device to recovery
[-] ECID: 0x1418da3cc0013a - disconnected
[+] ECID: 0x1418da3cc0013a - connected
[!] ECID: 0x1418da3cc0013a - target acquired - beginning restore
[   0% ] Restoring image
[   1% ] Restoring image
[   5% ] Restoring image
[   6% ] Restoring image
...
[   0% ] Updating SE Firmware
[   0% ] Updating Veridian
[ 100% ] Updating Veridian
[   0% ] Updating AppleTCON
[ 100% ] Updating AppleTCON
[   0% ] Updating Rose
[ 100% ] Updating Rose
[ 100% ] Requesting EAN data
[  16% ] Requesting EAN data
[  33% ] Requesting EAN data
[  50% ] Requesting EAN data
[  66% ] Requesting EAN data
[  83% ] Requesting EAN data
[ 100% ] Requesting EAN data
[ 100% ] Requesting EAN data
[ 100% ] Unrecognized operation (0)

[++++] Restore complete!

SUMMARY: SRD | cryptex does not persist across Reboots | kernel Sandbox: mobile_storage_p deny file-read-metadata com.apple.security.cryptexd/.../cpxd | cryptexctl --persist Crash

SUMMARY

Updated FRI 2 JUN 2022:

With 19F77, the CoreTrust | AMFI_Research issues continue to lay down, but stil have Cryptex won't Persist on Reboot.

And, cryptexctl --persist causes a Crash when using X86_64, see URL #25

Current Status

cryptexctl works fine on arm64e
cryptexctl Crashes on X86_64
Intermittent CoreTrust Issues
CryptexManager works as expected
Cryptex won't Persist on Reboot

Yet, When a cryptex is installed ~~from X86_64, when using CryptexManager & when cryptexctl worked on X86_64,~~ there is still an Error:

error	kernel	Sandbox: mobile_storage_p(274) deny(1) file-read-metadata /private/var/run/com.apple.security.cryptexd/codex.system/live/com.example.cryptex/cpxd

That Error results with the Console Log:

mobile_storage_proxy	Failed to convert signature from /private/var/run/com.apple.security.cryptexd/codex.system/live/com.example.cryptex/cpxd

~~That error is a critical issue as you can see because a signature issue means AMFI_Research will complain, and we can't use the Tooling on the Cryptex.~~

And, there is no persistence across Reboots for the SRD Platform.

Please Advise if additional information is required.

Reported: https://feedbackassistant.apple.com/feedback/10015448

This is a long-cycle Fix for cryptexctl on X86_64.

Workaround

Use CryptexManager https://github.com/pinauten/CryptexManager/

Closing out the Issue.

SPRR JIT

On iOS, dynamic-codesigning entitlement is required to enable JIT, can you update the registers fuzz results when run with that entitlement?
Thanks

SRD | XNU Build Pipeline | ./example-cryptex/ | Makefile | make | m4 | configure | conftest | X86_64 | arm64e | rule debugging

Discussion & Analysis

Build Pipeline when using Makefile on arm64e when compared to X86_64 for the Apple SRD ./example-cryptex/ as provided at URL https://github.com/apple/security-research-device are not the same Result.

With reference to Issue #36 there are Build Pipeline anomalies between X86_64 and arm64e when using same OS and XNU.

As of June 1, 2022, the Net Result is that toybox is not properly groomed for installation to the SRD's, resulting in a UX of ssh login failure as shown in Issue https://github.com/apple/security-research-device/issues/59.

With respect to the Build Pipeline for the Apple Security Research Device and the Makefile in the provided ./example-cryptex/, there are Rule issues preventing the proper Build and Codesigning of toybox, and possibly other example Source, such as the XNU sdk-graft rules.

Additionally, Gatekeeper, CoreTrust & AMFI Endpoints must be reachable, and therefore need the typical: if exist, if success, on error Rules aded to the Makefile to write to stdout any errors with Reachability that would automagically impact the Build Pipeline.

The debugging exercise begins by comparing the top-level Makefile as provided by Apple with that of a normal Build for toybox, then backing out the net additions, like sed and the goodies section.

The recent tip-off that there was a Build Pipeline Issue was the time-to-build metric which added many seconds to the process and the visual graph of buildtime showed toybox constantly Re-building, always following a:

make all

when CWD == ./example-cryptex/.

Additionally, the second tip-off to a Build Pipeline error was the Codesigning error:

cryptexctl: mach-o is not signed: /private/var/folders/.../usr/bin/toybox

Workaround

https://github.com/xsscx/srd/blob/main/srd_tools-24.100.3/example-cryptex/june_1_2022-daily-build-fixup.sh

REMOVING the Apple injected top-level Makefile rule for toybox-bin and correctly hand-rolling the toybox unstripped Build process provides continuity & stability to the Example DMG.

Debugging the Makefile, testing the potential modifications and validating with unit tests are in proccess.

SUMMARY: BUILD | 21C52 | 21D5025f | 20C80 | 21C39 | X86_64 | T8101 | Toybox | Build | Resolved

21C52 | 21D5025f | 20C80 | 21C39 | X86_64 | T8101 | Toybox | Build

Last Update: Sunday 9 JAN 2022 at 2248 US Eastern Time

It has been found that for macOS 15.2 when using X86_64 or T8010 that with a Target == iOS SDK 15.2, and possibly others, that Toybox does not Build.

Error

.clang: error: no such file or directory: 'generated/obj/vi.o'
make[2]: *** [toybox] Error 1
make[1]: *** [toybox-bin] Error 2

Last Known Good Working Build for Toybox for macOS or iOS

landley/toybox@ea4748a

macOS 11.6.3 with 20C80 when using X86_64 or M1 uo to Toybox Commit

landley/toybox@ea4748a

macOS 12.x with 21C39 when using X86_64 or M1 up to Toybox Commit

Other Report

See URL landley/toybox#314

Workaround

Install a pre-build DMG from Repo at URL https://github.com/xsscx/srd/tree/main/dmg

Research in Progress

SRD | iPhone11 | iPhone12 | Restore | Status | Sample | Testing | Tatsu Signing Server | TSS

Reference URL https://github.com/apple/security-research-device/issues/70 with Subject: Downgrades broken again dated 8/28/2022

Downgrade Notes for SRD Models iPhone 11 + 12

HOST

Tue Oct 25 09:03:41 EDT 2022
kern.version: Darwin Kernel Version 22.1.0: Sun Oct  9 20:14:54 PDT 2022; root:xnu-8792.41.9~2/RELEASE_X86_64
kern.osversion: 22A380
kern.iossupportversion: 16.1
kern.osproductversioncompat: 10.16
kern.osproductversion: 13.0
kern.osproductversioncompat: 10.16
/Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk
udid                           name       build      BORD       CHIP       ECID
Apple clang version 14.0.0 (clang-1400.0.29.201)
Target: x86_64-apple-darwin22.1.0
Thread model: posix
InstalledDir: /Applications/Xcode-beta.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
Darwin Cryptex Management Interface Version 2.0.0: Wed Jun 29 00:19:41 PDT 2022; root:libcryptex_executables-170.100.24~552/cryptexctl/WEN_ETA_X86_64
machdep.cpu.brand_string: Intel(R) Core(TM) i7-8700B CPU @ 3.20GHz
machdep.cpu.brand: 0
System Integrity Protection status: disabled.
cryptexctl: flags = [none]
cryptexctl: will re-exec: /usr/local/bin/cryptexctl.research
cryptexctl.research: path = /usr/local/bin/cryptexctl.research
MobileDevice version = 1497.41.2

iPhone 12 SRD - Downgrade Notes

When using iOS 16 - latest beta OR retail restore ipsw

iOS 15.7 - Downgrade - PASS for Finder

Log

2022-10-25 08:51:57.000 AMPDevicesAgent[851:103]: AMPDevicesAgent: Software payload version: 19H12 (option key)

Downgrade Results for Finder:

iOS 15.7 -> 15.6.1 - Hang
iOS 15.7 -> 15.6 - Hang
iOS 15.7 -> 15.5 - Hang
iOS 15.7 -> 15.4 - Hang
iOS 15.7 -> 15.3 - Hang
iOS 15.7 -> 15.2 - Hang

Log

Can't send dump_console command since device is not in recovery mode
State is now set to error: AMRestorePerformRestoreModeRestoreWithError failed with error: 1

iPhone 11 SRD - Downgrade Notes

When using iOS 16 - latest beta OR retail restore ipsw

iOS 15.4 - Downgrade - PASS for Finder

Log

2022-10-25 08:08:27.000 AMPDevicesAgent[851:103]: AMPDevicesAgent: Software payload version: 19E241 (option key)

iOS 15.0 - Downgrade - PASS for Finder

Log

2022-10-25 08:22:42.000 AMPDevicesAgent[851:103]: AMPDevicesAgent: Software payload version: 19A344 (option key)

iOS 14.7 - Downgrade - PASS for srdutil + Finder

Repro

(1)  srdutil restore -v -s -D -e .... -i /path.part/iPhone11,8,iPhone12,1_14.7.1_18G82_Restore.ipsw
(2)  Finder | Software payload version: 19A344 (option key)

Log

2022-10-25 08:37:29.000 AMPDevicesAgent[851:103]: AMPDevicesAgent: Apple Mobile Device version: 1497.41.2
2022-10-25 08:37:29.000 AMPDevicesAgent[851:103]: AMPDevicesAgent: Software payload version: 18G69 (option key)

Further downgrades for the SRD iPhone 11 Model are left as an exercise to the Reader.

Comments

No additional testing was performed with macOS12.x or macOS 13.x Beta which may yield different Results
iPhone 11 SRD Users may find that further testing with srdutil can Result with a larger IPSW restore window

SUMMARY: Suggested changes for dropbear configure.ac for srd on iOS 15 | srd ssh login issue

SUMMARY

ssh login doesn't work for example-cryptex, conftest crash

It has been found that obsolete macros in dropbear won't build a default binary to allow for srd login via ssh. A suggested Fix for dropbear configure.ac is at URL:

https://raw.githubusercontent.com/xsscx/srd/main/srd_tools-24.100.3/example-cryptex/src/dropbear/configure.ac

For those who enjoy bypassing the build pipeline, see URL https://github.com/xsscx/srd/tree/main/dmg

These are the errors addressed via the suggested configure.ac

[dropbear] - [+] Building dropbear
[dropbear] - Checking you have automake on your path to configure dropbear
configure.ac:27: warning: underquoted definition of DB_TRYADDCFLAGS
configure.ac:27:   run info Automake 'Extending aclocal'
configure.ac:27:   or see https://www.gnu.org/software/automake/manual/automake.html#Extending-aclocal
configure.ac:367: warning: The macro `AC_HEADER_STDC' is obsolete.
configure.ac:367: You should run autoupdate.
./lib/autoconf/headers.m4:704: AC_HEADER_STDC is expanded from...
configure.ac:367: the top level
configure.ac:382: warning: The macro `AC_HEADER_TIME' is obsolete.
configure.ac:382: You should run autoupdate.
./lib/autoconf/headers.m4:743: AC_HEADER_TIME is expanded from...
configure.ac:382: the top level
configure.ac:862: warning: The macro `AC_CONFIG_HEADER' is obsolete.
configure.ac:862: You should run autoupdate.
./lib/autoconf/status.m4:719: AC_CONFIG_HEADER is expanded from...
configure.ac:862: the top level
configure: WARNING: using cross tools not prefixed with host triplet
configure: WARNING: ** Cannot find lastlog **

It has also been found that the default entitlements for dropbear from the Apple ./example-cryptex/ are:

Binary has 3 boolean entitlements:
	com.apple.security.network.client: true
	com.apple.security.network.server: true
	com.apple.private.security.no-container: true

Required Changes: Bump to XNU-8019.41.5

Reported: https://github.com/apple/security-research-device/issues/57

Knowledgebase

IORegistry

The IORegistry contains a lot of information about the hardware of these devices.
Can you run ioreg -w0 -l AND ioreg -w0 -l -p IODeviceTree and post the results, especially the iPhone 11-based models(1st gen SRD)?

Thank you very much.

P/s: the result might contains your serials so make sure to censor that if needed.

SUMMARY: Workaround: Makefile for SRD ./example-cryptex/ won't Build toybox unstripped

~~Recent Changes to Toybox~~ The Apple-provided Makefile as of 1 JUN 2022 won't Build toybox unstripped build for iOS.

Note: toybox unstripped builds fine on X86_64 and arm64e (macOS), but unstripped fails to build for iOS.

Additional research in progress... this issue happened in the last 48-96 hours, so a roll-back to Last Known Good Revision for Toybox may be necessary to continue building the SRD Universal Cryptex which contains toybox unstripped by default.

This issue is specific to iOS | SRD.

SUMMARY: macOS Version 12.3 Beta (21E5206e) | Security Research Tools srd_tools-24.100.3 | srdutil restore | hang

SUMMARY

Host T8101

macOS Version 12.3 Beta (21E5206e)
Security Research Tools srd_tools-24.100.3

srdutil checkin

iphone 11 Successful
iPhone 12 Successful

srdutil restore

iPhone 11 Unsuccessful
iPhone 12 Unsuccessful

srdutil restore 19E5219e from 21E5206e

srdutil restore  -e 0x1538d03c40012e -D -v -s -i ~/Downloads/iPhone13,2,iPhone13,3_15.4_19E5219e_Restore.ipsw
[+] Patching PRKit with variant: "Research Developer Erase Install (IPSW)"
[+] Patching PRKit with IPSW: "/Users/xss/Downloads/iPhone13,2,iPhone13,3_15.4_19E5219e_Restore.ipsw"
[+] Dumping restore options
{
    AuthInstallVariant = "Research Developer Erase Install (IPSW)";
    AutoBootDelay = 0;
    CreateFilesystemPartitions = 1;
    FlashNOR = 1;
    NORImageType = production;
    RestoreBootArgs = "rd=md0 nand-enable-reformat=1 -progress";
    RestoreBundlePath = "file:///Users/xss/Downloads/iPhone13,2,iPhone13,3_15.4_19E5219e_Restore.ipsw";
    UpdateBaseband = 1;
}
[x] Waiting for device with ECID: 0x1538d03c40012e to connect...
[x] Scanning for restorable devices...
[+] ECID: 0x1418da3cc0013a - connected
...
(Program Hang)

Workaround

macOS 12.2 (21D49) [X86_64]

Knowledgebase

Reported: https://github.com/apple/security-research-device/issues/51

SUMMARY: CryptexManager | SecStaticCode: verification failed (trust result 6, error -2147409652) | MacOS error: -67062

CryptexManager X86_64 Error

Summary

There is an Error being thrown by CryptexManager on X86_64 with macOS 12.3 that Results with: SecStaticCode: verification failed (trust result 6, error -2147409652) & MacOS error: -67062

Logging

Host Logging X86_64 macOS 12.3

default	08:34:44.546211-0400	kernel	hfs: unmount initiated on com.example.cryptex.dstroot on device disk7s1
default	08:34:48.053188-0400	kernel	hfs: mounted com.example.cryptex.dstroot on device disk7s1
default	08:34:48.281646-0400	CryptexManager	MacOS error: -67062
default	08:34:48.282854-0400	CryptexManager	MacOS error: -67062
default	08:34:48.286695-0400	CryptexManager	Trust evaluate failure: [leaf Revocation1]
default	08:34:48.287012-0400	CryptexManager	SecStaticCode: verification failed (trust result 6, error -2147409652)
default	08:34:48.287031-0400	CryptexManager	MacOS error: -2147409652
default	08:34:49.326564-0400	CryptexManager	networkd_settings_read_from_file initialized networkd settings by reading plist directly
default	08:34:49.326719-0400	CryptexManager	networkd_settings_read_from_file initialized networkd settings by reading plist directly
default	08:34:49.328324-0400	CryptexManager	Task <3B3260AA-CB97-4FE8-9AE2-B6A9F73CC1F9>.<1> resuming, timeouts(60.0, 604800.0) QOS(0x21) Voucher (null)
default	08:34:49.328814-0400	CryptexManager	[Telemetry]: Activity <nw_activity 12:2 [EB4F9233-0320-45B3-90BC-12D5F98D4A86] (reporting strategy default)> on Task <3B3260AA-CB97-4FE8-9AE2-B6A9F73CC1F9>.<1> was not selected for reporting
default	08:34:49.329155-0400	CryptexManager	-[SOConfigurationClient init]  on <private>
default	08:34:49.329427-0400	CryptexManager	<SOServiceConnection: 0x600002a08120>: new XPC connection
default	08:34:49.331492-0400	CryptexManager	Initializing connection
default	08:34:49.331553-0400	CryptexManager	Removing all cached process handles
default	08:34:49.331624-0400	CryptexManager	Sending handshake request attempt #1 to server
default	08:34:49.331656-0400	CryptexManager	Creating connection to com.apple.runningboard
default	08:34:49.331984-0400	runningboardd	Resolved pid 49846 to [anon<CryptexManager>(501):49846]
default	08:34:49.332117-0400	runningboardd	[anon<CryptexManager>(501):49846] This process will not be managed.
default	08:34:49.332139-0400	runningboardd	Now tracking process: [anon<CryptexManager>(501):49846]
default	08:34:49.332437-0400	runningboardd	Setting client for [anon<CryptexManager>(501):49846] as ready
default	08:34:49.332659-0400	CryptexManager	Handshake succeeded
default	08:34:49.332685-0400	CryptexManager	Identity resolved as anon<CryptexManager>(501)
default	08:34:49.332904-0400	runningboardd	Acquiring assertion targeting [anon<CryptexManager>(501):49846] from originator [anon<CryptexManager>(501):49846] with description <RBSAssertionDescriptor| "com.apple.CFNetwork.StorageDB" ID:221-49846-2913 target:49846 attributes:[
	<RBSDomainAttribute| domain:"com.apple.common" name:"FinishTaskUninterruptable" sourceEnvironment:"(null)">,
	<RBSAcquisitionCompletionAttribute| policy:AfterApplication>
	]>
default	08:34:49.332974-0400	runningboardd	Assertion 221-49846-2913 (target:[anon<CryptexManager>(501):49846]) will be created as active as no start-time-defining assertions exist
default	08:34:49.333256-0400	runningboardd	[anon<CryptexManager>(501):49846] Ignoring jetsam update because this process is not memory-managed
default	08:34:49.333286-0400	runningboardd	[anon<CryptexManager>(501):49846] Ignoring suspend because this process is not lifecycle managed
default	08:34:49.333304-0400	runningboardd	[anon<CryptexManager>(501):49846] Ignoring role changes because this process is not role managed
default	08:34:49.333378-0400	runningboardd	[anon<CryptexManager>(501):49846] Ignoring GPU update because this process is not GPU managed
default	08:34:49.333977-0400	runningboardd	Acquiring assertion targeting [anon<CryptexManager>(501):49846] from originator [daemon<com.apple.powerd>:107] with description <RBSAssertionDescriptor| "App is holding power assertion" ID:221-107-2914 target:49846 attributes:[
	<RBSDomainAttribute| domain:"com.apple.appnap" name:"PowerAssertion" sourceEnvironment:"(null)">,
	<RBSAcquisitionCompletionAttribute| policy:AfterApplication>
	]>
default	08:34:49.334045-0400	runningboardd	Assertion 221-107-2914 (target:[anon<CryptexManager>(501):49846]) will be created as active
default	08:34:49.334515-0400	runningboardd	[anon<CryptexManager>(501):49846] Ignoring jetsam update because this process is not memory-managed
default	08:34:49.334563-0400	runningboardd	[anon<CryptexManager>(501):49846] Ignoring suspend because this process is not lifecycle managed
default	08:34:49.334614-0400	runningboardd	[anon<CryptexManager>(501):49846] Ignoring role changes because this process is not role managed
default	08:34:49.334682-0400	runningboardd	[anon<CryptexManager>(501):49846] Ignoring GPU update because this process is not GPU managed
default	08:34:49.336689-0400	CryptexManager	Faulting in NSHTTPCookieStorage singleton
default	08:34:49.336710-0400	CryptexManager	Faulting in CFHTTPCookieStorage singleton
default	08:34:49.336720-0400	CryptexManager	Creating default cookie storage with process/bundle identifier
default	08:34:49.337341-0400	CryptexManager	Connection 1: starting, TC(0x0)
default	08:34:49.337439-0400	CryptexManager	[C1 9F10A3C9-8346-499E-8107-F4EFC86E40D3 Hostname#c59ffa3c:80 tcp, url hash: 4c193d22, definite, attribution: developer, context: com.apple.CFNetwork.NSURLSession.{71CFF2F0-BBF1-4039-A7A3-4536D1E9A912}{(null)}{Y}{2} (private), proc: 9554AF4E-33C5-3FEA-855C-1A0349FCFE55] start
default	08:34:49.337475-0400	CryptexManager	[C1 Hostname#c59ffa3c:80 initial path ((null))] event: path:start @0.000s
default	08:34:49.337718-0400	CryptexManager	[C1 Hostname#c59ffa3c:80 waiting path (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: path:satisfied @0.000s, uuid: 62B23907-FB5E-488A-B54E-5069B7FBE2D9
default	08:34:49.337914-0400	CryptexManager	[C1 Hostname#c59ffa3c:80 in_progress proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: proxy:start_process @0.000s
default	08:34:49.337930-0400	CryptexManager	nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state preparing
default	08:34:49.338395-0400	CryptexManager	[C1 Hostname#c59ffa3c:80 in_progress proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: proxy:finish_process @0.000s
default	08:34:49.338412-0400	CryptexManager	[C1 Hostname#c59ffa3c:80 in_progress proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: proxy:start_resolve @0.000s
default	08:34:49.338428-0400	CryptexManager	[C1 Hostname#c59ffa3c:80 in_progress proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: proxy:finish_resolve @0.000s
default	08:34:49.338546-0400	CryptexManager	[C1.1 127.0.0.1:9090 initial path ((null))] event: path:start @0.001s
default	08:34:49.338726-0400	CryptexManager	[C1.1 127.0.0.1:9090 waiting path (satisfied (Path is satisfied), interface: lo0)] event: path:satisfied @0.001s, uuid: 2905368A-74E6-4674-850C-1171C25F1921
default	08:34:49.339037-0400	CryptexManager	[C1.1 127.0.0.1:9090 in_progress socket-flow (satisfied (Path is satisfied), interface: lo0)] event: flow:start_connect @0.001s
default	08:34:49.339138-0400	CryptexManager	Task <3B3260AA-CB97-4FE8-9AE2-B6A9F73CC1F9>.<1> setting up Connection 1
default	08:34:49.339241-0400	CryptexManager	nw_socket_handle_socket_event [C1.1:2] Socket received CONNECTED event
default	08:34:49.339322-0400	CryptexManager	nw_flow_connected [C1.1 127.0.0.1:9090 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] Transport protocol connected (socket)
default	08:34:49.339435-0400	CryptexManager	[C1.1 127.0.0.1:9090 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] event: flow:finish_transport @0.001s
default	08:34:49.339463-0400	CryptexManager	nw_flow_connected [C1.1 127.0.0.1:9090 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] Output protocol connected (CFNetworkConnection-86841355)
default	08:34:49.339611-0400	CryptexManager	[C1.1 127.0.0.1:9090 ready socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] event: flow:finish_connect @0.002s
default	08:34:49.339714-0400	CryptexManager	nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state ready
default	08:34:49.339768-0400	CryptexManager	[C1 Hostname#c59ffa3c:80 ready proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: flow:finish_connect @0.002s
default	08:34:49.339819-0400	CryptexManager	[C1.1 127.0.0.1:9090 ready socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] event: flow:changed_viability @0.002s
default	08:34:49.339855-0400	CryptexManager	[C1 Hostname#c59ffa3c:80 ready proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: flow:changed_viability @0.002s
default	08:34:49.339901-0400	CryptexManager	Connection 1: connected successfully
default	08:34:49.339951-0400	CryptexManager	Connection 1: ready C(N) E(N)
default	08:34:49.340071-0400	CryptexManager	Task <3B3260AA-CB97-4FE8-9AE2-B6A9F73CC1F9>.<1> now using Connection 1
default	08:34:49.340212-0400	CryptexManager	Connection 1: received viability advisory(Y)
default	08:34:49.340816-0400	CryptexManager	Task <3B3260AA-CB97-4FE8-9AE2-B6A9F73CC1F9>.<1> sent request, body S 1602
default	08:34:49.340882-0400	CryptexManager	Received configuration update from daemon (initial)
default	08:34:49.567378-0400	CryptexManager	Task <3B3260AA-CB97-4FE8-9AE2-B6A9F73CC1F9>.<1> received response, status 200 content C
default	08:34:49.567672-0400	CryptexManager	Task <3B3260AA-CB97-4FE8-9AE2-B6A9F73CC1F9>.<1> response ended
default	08:34:49.567748-0400	CryptexManager	Task <3B3260AA-CB97-4FE8-9AE2-B6A9F73CC1F9>.<1> done using Connection 1
default	08:34:49.567950-0400	CryptexManager	Task <3B3260AA-CB97-4FE8-9AE2-B6A9F73CC1F9>.<1> summary for task success {transaction_duration_ms=236, response_status=200, connection=1, protocol="http/1.1", domain_lookup_duration_ms=0, connect_duration_ms=1, secure_connection_duration_ms=0, private_relay=false, request_start_ms=8, request_duration_ms=0, response_start_ms=235, response_duration_ms=0, request_bytes=1924, response_bytes=3422, cache_hit=true}
default	08:34:49.568243-0400	CryptexManager	Task <3B3260AA-CB97-4FE8-9AE2-B6A9F73CC1F9>.<1> finished successfully
default	08:34:49.581902-0400	CryptexManager	Entering exit handler.
default	08:34:49.581943-0400	CryptexManager	Exiting exit handler.
default	08:34:49.582530-0400	runningboardd	XPC connection invalidated: [anon<CryptexManager>(501):49846]
default	08:34:49.584667-0400	runningboardd	[anon<CryptexManager>(501):49846] termination reported by proc_exit
default	08:34:49.687657-0400	runningboardd	Removing process: [anon<CryptexManager>(501):49846]
default	08:34:49.687870-0400	runningboardd	removeJobWithInstance called for identity without existing job [anon<CryptexManager>(501):49846]
default	08:34:49.687901-0400	runningboardd	Removing assertions for terminated process: [anon<CryptexManager>(501):49846]
default	08:34:51.355717-0400	kernel	hfs: unmount initiated on com.example.cryptex.dstroot on device disk7s1
default	08:35:32.954539-0400	cryptexctl.research	USBMuxListenerCreateFiltered:898 Created 0x600000a70000
default	08:35:32.954601-0400	cryptexctl.research	USBMuxHandleDictionary:1437 Adding event 0x600003b74080 to changelist.
default	08:35:32.954638-0400	cryptexctl.research	USBMuxHandleDictionary:1437 Adding event 0x600003b74440 to changelist.
default	08:35:32.956223-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:32.957940-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:32.960450-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:32.967808-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:32.970031-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:32.973449-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:32.983098-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:32.990300-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:32.993941-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:33.056474-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:33.059588-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:33.068056-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 8385 (c1, 20)
default	08:35:33.069921-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:33.071819-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:40.369041-0400	cryptexctl.research	USBMuxListenerCreateFiltered:898 Created 0x600001830000
default	08:35:40.369118-0400	cryptexctl.research	USBMuxHandleDictionary:1437 Adding event 0x600002934020 to changelist.
default	08:35:40.369155-0400	cryptexctl.research	USBMuxHandleDictionary:1437 Adding event 0x6000029341c0 to changelist.
default	08:35:40.370888-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:40.372891-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:40.376018-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:40.383877-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:40.386029-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:40.389321-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:40.399600-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:40.406924-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:40.410437-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:40.465230-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:40.468584-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:40.477663-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 11457 (c1, 2c)
default	08:35:40.479582-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:40.481574-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:42.645468-0400	cryptexctl.research	USBMuxListenerCreateFiltered:898 Created 0x6000031dc1e0
default	08:35:42.645535-0400	cryptexctl.research	USBMuxHandleDictionary:1437 Adding event 0x6000000dd7e0 to changelist.
default	08:35:42.645577-0400	cryptexctl.research	USBMuxHandleDictionary:1437 Adding event 0x6000000dd820 to changelist.
default	08:35:42.647450-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:42.649343-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:42.652508-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:42.661042-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:42.662364-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:42.664354-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:42.678039-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:42.681704-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:42.683826-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:42.722131-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:42.723979-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:42.730782-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 14529 (c1, 38)
default	08:35:42.732270-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:42.734174-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:35:42.803335-0400	sudo	     xss : TTY=ttys000 ; PWD=/Users/xss/iphone11 ; USER=root ; COMMAND=/bin/cp src/toybox/toybox-src/generated/unstripped/toybox com.example.cryptex.dstroot/usr/bin
default	08:35:44.140093-0400	kernel	hfs: mounted com.example.cryptex.dstroot on device disk7s1
default	08:35:44.306488-0400	deleted	totalAvailable ENTRY, Volume: /Volumes/com.example.cryptex.dstroot, Calling process: Finder
default	08:35:44.306562-0400	deleted	totalAvailable info CACHE_DELETE_VOLUME : /Volumes/com.example.cryptex.dstroot
default	08:35:44.307213-0400	Finder	CacheDeleteCopyPurgeableSpaceWithInfo result for /Volumes/com.example.cryptex.dstroot : {
    "CACHE_DELETE_ERROR" = "CacheDeleteCopyPurgeableSpaceWithInfo error: INVALID VOLUME";
}
error	08:35:44.307043-0400	deleted	unable to validate volume "/Volumes/com.example.cryptex.dstroot"
default	08:35:45.922596-0400	kernel	hfs: unmount initiated on com.example.cryptex.dstroot on device disk7s1
default	08:35:49.289410-0400	kernel	hfs: mounted com.example.cryptex.dstroot on device disk7s1
default	08:35:49.531914-0400	CryptexManager	MacOS error: -67062
default	08:35:49.533190-0400	CryptexManager	MacOS error: -67062
default	08:35:49.537194-0400	CryptexManager	Trust evaluate failure: [leaf Revocation1]
default	08:35:49.537498-0400	CryptexManager	SecStaticCode: verification failed (trust result 6, error -2147409652)
default	08:35:49.537520-0400	CryptexManager	MacOS error: -2147409652
default	08:35:50.598618-0400	CryptexManager	networkd_settings_read_from_file initialized networkd settings by reading plist directly
default	08:35:50.598767-0400	CryptexManager	networkd_settings_read_from_file initialized networkd settings by reading plist directly
default	08:35:50.600466-0400	CryptexManager	Task <6C5632F2-799C-4760-97FB-9EB218FEBFF5>.<1> resuming, timeouts(60.0, 604800.0) QOS(0x21) Voucher (null)
default	08:35:50.600946-0400	CryptexManager	[Telemetry]: Activity <nw_activity 12:2 [0305DE98-0EE9-4773-9834-35CE55332C65] (reporting strategy default)> on Task <6C5632F2-799C-4760-97FB-9EB218FEBFF5>.<1> was not selected for reporting
default	08:35:50.601296-0400	CryptexManager	-[SOConfigurationClient init]  on <private>
default	08:35:50.601593-0400	CryptexManager	<SOServiceConnection: 0x600001a80cc0>: new XPC connection
default	08:35:50.603709-0400	CryptexManager	Initializing connection
default	08:35:50.603770-0400	CryptexManager	Removing all cached process handles
default	08:35:50.603828-0400	CryptexManager	Sending handshake request attempt #1 to server
default	08:35:50.603857-0400	CryptexManager	Creating connection to com.apple.runningboard
default	08:35:50.604199-0400	runningboardd	Resolved pid 49902 to [anon<CryptexManager>(501):49902]
default	08:35:50.604331-0400	runningboardd	[anon<CryptexManager>(501):49902] This process will not be managed.
default	08:35:50.604351-0400	runningboardd	Now tracking process: [anon<CryptexManager>(501):49902]
default	08:35:50.604669-0400	runningboardd	Setting client for [anon<CryptexManager>(501):49902] as ready
default	08:35:50.604892-0400	CryptexManager	Handshake succeeded
default	08:35:50.604921-0400	CryptexManager	Identity resolved as anon<CryptexManager>(501)
default	08:35:50.605122-0400	runningboardd	Acquiring assertion targeting [anon<CryptexManager>(501):49902] from originator [anon<CryptexManager>(501):49902] with description <RBSAssertionDescriptor| "com.apple.CFNetwork.StorageDB" ID:221-49902-2930 target:49902 attributes:[
	<RBSDomainAttribute| domain:"com.apple.common" name:"FinishTaskUninterruptable" sourceEnvironment:"(null)">,
	<RBSAcquisitionCompletionAttribute| policy:AfterApplication>
	]>
default	08:35:50.605194-0400	runningboardd	Assertion 221-49902-2930 (target:[anon<CryptexManager>(501):49902]) will be created as active as no start-time-defining assertions exist
default	08:35:50.605545-0400	runningboardd	[anon<CryptexManager>(501):49902] Ignoring jetsam update because this process is not memory-managed
default	08:35:50.605565-0400	runningboardd	[anon<CryptexManager>(501):49902] Ignoring suspend because this process is not lifecycle managed
default	08:35:50.605597-0400	runningboardd	[anon<CryptexManager>(501):49902] Ignoring role changes because this process is not role managed
default	08:35:50.605664-0400	runningboardd	[anon<CryptexManager>(501):49902] Ignoring GPU update because this process is not GPU managed
default	08:35:50.606208-0400	runningboardd	Acquiring assertion targeting [anon<CryptexManager>(501):49902] from originator [daemon<com.apple.powerd>:107] with description <RBSAssertionDescriptor| "App is holding power assertion" ID:221-107-2931 target:49902 attributes:[
	<RBSDomainAttribute| domain:"com.apple.appnap" name:"PowerAssertion" sourceEnvironment:"(null)">,
	<RBSAcquisitionCompletionAttribute| policy:AfterApplication>
	]>
default	08:35:50.606276-0400	runningboardd	Assertion 221-107-2931 (target:[anon<CryptexManager>(501):49902]) will be created as active
default	08:35:50.606848-0400	runningboardd	[anon<CryptexManager>(501):49902] Ignoring jetsam update because this process is not memory-managed
default	08:35:50.606878-0400	runningboardd	[anon<CryptexManager>(501):49902] Ignoring suspend because this process is not lifecycle managed
default	08:35:50.606972-0400	runningboardd	[anon<CryptexManager>(501):49902] Ignoring role changes because this process is not role managed
default	08:35:50.607044-0400	runningboardd	[anon<CryptexManager>(501):49902] Ignoring GPU update because this process is not GPU managed
default	08:35:50.609143-0400	CryptexManager	Faulting in NSHTTPCookieStorage singleton
default	08:35:50.609163-0400	CryptexManager	Faulting in CFHTTPCookieStorage singleton
default	08:35:50.609174-0400	CryptexManager	Creating default cookie storage with process/bundle identifier
default	08:35:50.609863-0400	CryptexManager	Connection 1: starting, TC(0x0)
default	08:35:50.609972-0400	CryptexManager	[C1 F104DEB3-AA26-4A24-B23B-D3D7349D0AAE Hostname#24a30126:80 tcp, url hash: 351ac070, definite, attribution: developer, context: com.apple.CFNetwork.NSURLSession.{06ED3410-67F0-4B19-A9E5-1FEC4B13D0A9}{(null)}{Y}{2} (private), proc: 9554AF4E-33C5-3FEA-855C-1A0349FCFE55] start
default	08:35:50.610008-0400	CryptexManager	[C1 Hostname#24a30126:80 initial path ((null))] event: path:start @0.000s
default	08:35:50.610251-0400	CryptexManager	[C1 Hostname#24a30126:80 waiting path (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: path:satisfied @0.000s, uuid: 7D4AE745-5250-469C-BF60-2AF75487B6BD
default	08:35:50.610446-0400	CryptexManager	[C1 Hostname#24a30126:80 in_progress proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: proxy:start_process @0.000s
default	08:35:50.610460-0400	CryptexManager	nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state preparing
default	08:35:50.610903-0400	CryptexManager	[C1 Hostname#24a30126:80 in_progress proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: proxy:finish_process @0.000s
default	08:35:50.610922-0400	CryptexManager	[C1 Hostname#24a30126:80 in_progress proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: proxy:start_resolve @0.000s
default	08:35:50.610954-0400	CryptexManager	[C1 Hostname#24a30126:80 in_progress proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: proxy:finish_resolve @0.000s
default	08:35:50.611151-0400	CryptexManager	[C1.1 127.0.0.1:9090 initial path ((null))] event: path:start @0.001s
default	08:35:50.611315-0400	CryptexManager	[C1.1 127.0.0.1:9090 waiting path (satisfied (Path is satisfied), interface: lo0)] event: path:satisfied @0.001s, uuid: 518AFAC0-C8D5-4E9C-9E36-D2FE0E99E20B
default	08:35:50.611654-0400	CryptexManager	[C1.1 127.0.0.1:9090 in_progress socket-flow (satisfied (Path is satisfied), interface: lo0)] event: flow:start_connect @0.001s
default	08:35:50.611747-0400	CryptexManager	Task <6C5632F2-799C-4760-97FB-9EB218FEBFF5>.<1> setting up Connection 1
default	08:35:50.611908-0400	CryptexManager	nw_socket_handle_socket_event [C1.1:2] Socket received CONNECTED event
default	08:35:50.611980-0400	CryptexManager	nw_flow_connected [C1.1 127.0.0.1:9090 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] Transport protocol connected (socket)
default	08:35:50.612139-0400	CryptexManager	[C1.1 127.0.0.1:9090 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] event: flow:finish_transport @0.002s
default	08:35:50.612158-0400	CryptexManager	nw_flow_connected [C1.1 127.0.0.1:9090 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] Output protocol connected (CFNetworkConnection-2512041395)
default	08:35:50.612322-0400	CryptexManager	[C1.1 127.0.0.1:9090 ready socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] event: flow:finish_connect @0.002s
default	08:35:50.612384-0400	CryptexManager	nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state ready
default	08:35:50.612438-0400	CryptexManager	[C1 Hostname#24a30126:80 ready proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: flow:finish_connect @0.002s
default	08:35:50.612510-0400	CryptexManager	[C1.1 127.0.0.1:9090 ready socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] event: flow:changed_viability @0.002s
default	08:35:50.612541-0400	CryptexManager	[C1 Hostname#24a30126:80 ready proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: flow:changed_viability @0.002s
default	08:35:50.612576-0400	CryptexManager	Connection 1: connected successfully
default	08:35:50.612627-0400	CryptexManager	Connection 1: ready C(N) E(N)
default	08:35:50.612790-0400	CryptexManager	Task <6C5632F2-799C-4760-97FB-9EB218FEBFF5>.<1> now using Connection 1
default	08:35:50.612895-0400	CryptexManager	Connection 1: received viability advisory(Y)
default	08:35:50.613590-0400	CryptexManager	Task <6C5632F2-799C-4760-97FB-9EB218FEBFF5>.<1> sent request, body S 1602
default	08:35:50.613786-0400	CryptexManager	Received configuration update from daemon (initial)
default	08:35:50.807051-0400	CryptexManager	Task <6C5632F2-799C-4760-97FB-9EB218FEBFF5>.<1> received response, status 200 content C
default	08:35:50.807367-0400	CryptexManager	Task <6C5632F2-799C-4760-97FB-9EB218FEBFF5>.<1> response ended
default	08:35:50.807406-0400	CryptexManager	Task <6C5632F2-799C-4760-97FB-9EB218FEBFF5>.<1> done using Connection 1
default	08:35:50.807511-0400	CryptexManager	Task <6C5632F2-799C-4760-97FB-9EB218FEBFF5>.<1> summary for task success {transaction_duration_ms=203, response_status=200, connection=1, protocol="http/1.1", domain_lookup_duration_ms=0, connect_duration_ms=1, secure_connection_duration_ms=0, private_relay=false, request_start_ms=9, request_duration_ms=0, response_start_ms=203, response_duration_ms=0, request_bytes=1924, response_bytes=3421, cache_hit=true}
default	08:35:50.807707-0400	CryptexManager	Task <6C5632F2-799C-4760-97FB-9EB218FEBFF5>.<1> finished successfully
default	08:35:50.819351-0400	CryptexManager	Entering exit handler.
default	08:35:50.819377-0400	CryptexManager	Exiting exit handler.
default	08:35:50.819766-0400	runningboardd	XPC connection invalidated: [anon<CryptexManager>(501):49902]
default	08:35:50.821820-0400	runningboardd	[anon<CryptexManager>(501):49902] termination reported by proc_exit
default	08:35:50.922514-0400	runningboardd	Removing process: [anon<CryptexManager>(501):49902]
default	08:35:50.922751-0400	runningboardd	removeJobWithInstance called for identity without existing job [anon<CryptexManager>(501):49902]
default	08:35:50.922775-0400	runningboardd	Removing assertions for terminated process: [anon<CryptexManager>(501):49902]
default	08:35:52.536663-0400	kernel	hfs: unmount initiated on com.example.cryptex.dstroot on device disk7s1
default	08:36:32.912314-0400	sudo	     xss : TTY=ttys000 ; PWD=/Users/xss/iphone11 ; USER=root ; COMMAND=/usr/bin/xattr -c 11.sh 12.sh Makefile Readme.md backup.sh bin build-asan-test.sh build-asan.sh build-check-install.sh build-ubsan-test.sh build-ubsan.sh build.sh build_env copy.mk build_env.mk check-magic.sh checkme-001.txt cm.sh dir-clean.sh dmg.sh ent.sh entitlement-checks.sh entitlements-at-src.txt example-checks.sh fresh.sh install-dmg.sh list-dstroot-entitlements-in-binary.txt list-src-entitlements-in-binary.txt logging.mk logs machodump make-all-compare-entitlements.txt make-install-compare-entitlements.txt new-clean.sh notarize-staple.sh register-tests.sh sdk-graft sdk-graft.zip src src-check srd-cryptex-file-attribute-collector.log srd-cryptex-file-attribute-collector.sh srd-cryptex-file-nm-collector.log srd-cryptex-logcollector.log srd-cryptex-logcollector.sh srd-cryptex-troubleshooter.log srd-cryptex-troubleshooter.sh srd-iphone11-register-collector-sample-002.txt
default	08:36:32.912342-0400	sudo	     xss : (command continued) srd-iphone11-register-collector.txt srd-sprr srd-violated-constraints-001.txt test-pr42.sh test1.sh testme.sh tmp umnt.sh x86-asan-notarize-staple.sh x86-notarize-staple.sh x86-ubsan-notarize-staple.sh src/cryptex-run src/dd src/debugserver src/dropbear src/frida src/hello src/nvram src/register-template src/s3_0_c15_c11_0 src/s3_0_c15_c15_2 src/s3_0_c15_c1_0 src/s3_0_c15_c4_0 src/s3_0_c15_c4_1 src/s3_0_c15_c5_0 src/s3_0_c15_c9_0 src/s3_0_c5_c6_1 src/s3_1_c15_c0_0 src/s3_3_c15_c7_0 src/s3_4_C15_C2_7 src/s3_4_c15_c10_5 src/s3_4_c15_c1_2 src/s3_4_c15_c2_0 src/s3_4_c15_c2_1 src/s3_4_c15_c2_2 src/s3_4_c15_c2_3 src/s3_4_c15_c5_2 src/s3_4_c25_c2_4 src/s3_5_c15_c0_1 src/s3_5_c15_c10_0 src/s3_5_c15_c10_1 src/s3_5_c15_c10_2 src/s3_5_c15_c10_3 src/s3_5_c15_c10_4 src/s3_5_c15_c10_5 src/s3_5_c15_c10_6 src/s3_5_c15_c10_7 src/s3_6_c15_c0_0 src/s3_6_c15_c1_0 src/s3_6_c15_c1_1 src/s3_6_c15_c1_2 src/s3_6_c15_c1_3 src/s3_6_c15_c1_5
default	08:36:32.912367-0400	sudo	     xss : (command continued) src/s3_6_c15_c1_6 src/s3_6_c15_c1_7 src/s3_6_c15_c3_0 src/s3_6_c15_c3_1 src/s3_6_c15_c3_2 src/s3_6_c15_c3_3 src/s3_6_c15_c8_0 src/simple-server src/simple-shell src/toybox src/cryptex-run/Makefile src/cryptex-run/cryptex-run.c src/cryptex-run/entitlements.plist src/dd/Makefile src/dd/Makefile_original.txt src/dd/README.md src/dd/args.c src/dd/conv.c src/dd/conv_tab.c src/dd/extern.h src/dd/misc.c src/dd/position.c src/debugserver/Makefile src/debugserver/debugserver-research.plist src/dropbear/Makefile src/dropbear/README.md src/dropbear/cryptex-aware.diff src/dropbear/dropbear-research.plist src/dropbear/entitlements.plist src/dropbear/localoptions.h src/frida/Makefile src/frida/README.md src/frida/frida-policyd.plist src/frida/frida-server.plist src/frida/thin.py src/hello/Makefile src/hello/Makefile.dist src/hello/Makefile.git src/hello/Makefile.old copy src/hello/Makefile.san src/hello/Makefile.test-san
default	08:36:32.912718-0400	sudo	     xss : (command continued) src/s3_6_c15_c8_0/s3_6_c15_c8_0-flip.dSYM src/s3_6_c15_c8_0/s3_6_c15_c8_0-read.c src/s3_6_c15_c8_0/s3_6_c15_c8_0-read.dSYM src/s3_6_c15_c8_0/s3_6_c15_c8_0.plist src/simple-server/Makefile src/simple-server/README.md src/simple-server/entitlements.plist src/simple-server/simple-server.c src/simple-server/simple-server.plist src/simple-shell/Makefile src/simple-shell/entitlements.plist src/simple-shell/simple-shell.c src/simple-shell/simple-shell.plist src/toybox/Makefile src/toybox/entitlements.plist src/toybox/srd-universal-cryptex.dmg
default	08:38:23.778075-0400	kernel	hfs: mounted com.example.cryptex.dstroot on device disk7s1
default	08:38:23.953799-0400	deleted	totalAvailable ENTRY, Volume: /Volumes/com.example.cryptex.dstroot, Calling process: Finder
default	08:38:23.953879-0400	deleted	totalAvailable info CACHE_DELETE_VOLUME : /Volumes/com.example.cryptex.dstroot
default	08:38:23.954500-0400	Finder	CacheDeleteCopyPurgeableSpaceWithInfo result for /Volumes/com.example.cryptex.dstroot : {
    "CACHE_DELETE_ERROR" = "CacheDeleteCopyPurgeableSpaceWithInfo error: INVALID VOLUME";
}
error	08:38:23.954335-0400	deleted	unable to validate volume "/Volumes/com.example.cryptex.dstroot"
default	08:38:25.564850-0400	kernel	hfs: unmount initiated on com.example.cryptex.dstroot on device disk7s1
default	08:38:27.559360-0400	cryptexctl.research	USBMuxListenerCreateFiltered:898 Created 0x60000283c000
default	08:38:27.559421-0400	cryptexctl.research	USBMuxHandleDictionary:1437 Adding event 0x600001934340 to changelist.
default	08:38:27.559459-0400	cryptexctl.research	USBMuxHandleDictionary:1437 Adding event 0x6000019341e0 to changelist.
default	08:38:27.560964-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:27.562695-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:27.565470-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:27.572745-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:27.574878-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:27.577888-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:27.599308-0400	kernel	hfs: mounted com.example.cryptex.dstroot on device disk7s1
error	08:38:27.641777-0400	cryptexctl.research	[anonymous]: fat file: 0xbebafeca: [79: Inappropriate file type or format]
error	08:38:27.659459-0400	cryptexctl.research	[anonymous]: fat file: 0xbebafeca: [79: Inappropriate file type or format]
error	08:38:27.685574-0400	cryptexctl.research	[anonymous]: fat file: 0xbebafeca: [79: Inappropriate file type or format]
error	08:38:27.687489-0400	cryptexctl.research	[anonymous]: fat file: 0xbebafeca: [79: Inappropriate file type or format]
error	08:38:27.696355-0400	cryptexctl.research	[anonymous]: fat file: 0xbebafeca: [79: Inappropriate file type or format]
error	08:38:27.901097-0400	cryptexctl.research	[anonymous]: fat file: 0xbebafeca: [79: Inappropriate file type or format]
default	08:38:27.918711-0400	kernel	hfs: unmount initiated on com.example.cryptex.dstroot on device disk7s1
default	08:38:42.215784-0400	cryptexctl.research	USBMuxListenerCreateFiltered:898 Created 0x600003694640
default	08:38:42.215864-0400	cryptexctl.research	USBMuxHandleDictionary:1437 Adding event 0x6000007854e0 to changelist.
default	08:38:42.215905-0400	cryptexctl.research	USBMuxHandleDictionary:1437 Adding event 0x6000007857a0 to changelist.
default	08:38:42.217578-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:42.219439-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:42.221837-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:42.229190-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:42.231983-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:42.235965-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:42.246268-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:42.253587-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:42.257045-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:42.318497-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:42.322562-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:42.332454-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 19137 (c1, 4a)
default	08:38:42.334408-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:42.337192-0400	cryptexctl.research	USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
default	08:38:42.402961-0400	sudo	     xss : TTY=ttys000 ; PWD=/Users/xss/iphone11 ; USER=root ; COMMAND=/bin/cp src/toybox/toybox-src/generated/unstripped/toybox com.example.cryptex.dstroot/usr/bin
default	08:38:43.706360-0400	kernel	hfs: mounted com.example.cryptex.dstroot on device disk7s1
default	08:38:43.932432-0400	deleted	totalAvailable ENTRY, Volume: /Volumes/com.example.cryptex.dstroot, Calling process: Finder
default	08:38:43.932496-0400	deleted	totalAvailable info CACHE_DELETE_VOLUME : /Volumes/com.example.cryptex.dstroot
default	08:38:43.933147-0400	Finder	CacheDeleteCopyPurgeableSpaceWithInfo result for /Volumes/com.example.cryptex.dstroot : {
    "CACHE_DELETE_ERROR" = "CacheDeleteCopyPurgeableSpaceWithInfo error: INVALID VOLUME";
}
error	08:38:43.933001-0400	deleted	unable to validate volume "/Volumes/com.example.cryptex.dstroot"
default	08:38:45.530615-0400	kernel	hfs: unmount initiated on com.example.cryptex.dstroot on device disk7s1
default	08:38:49.060481-0400	kernel	hfs: mounted com.example.cryptex.dstroot on device disk7s1
default	08:38:49.304702-0400	CryptexManager	MacOS error: -67062
default	08:38:49.305497-0400	CryptexManager	MacOS error: -67062
default	08:38:49.309267-0400	CryptexManager	Trust evaluate failure: [leaf Revocation1]
default	08:38:49.309555-0400	CryptexManager	SecStaticCode: verification failed (trust result 6, error -2147409652)
default	08:38:49.309576-0400	CryptexManager	MacOS error: -2147409652
default	08:38:50.362247-0400	CryptexManager	networkd_settings_read_from_file initialized networkd settings by reading plist directly
default	08:38:50.362420-0400	CryptexManager	networkd_settings_read_from_file initialized networkd settings by reading plist directly
default	08:38:50.364006-0400	CryptexManager	Task <8CCDA13A-077D-43F7-848B-DAB729FB1E45>.<1> resuming, timeouts(60.0, 604800.0) QOS(0x21) Voucher (null)
default	08:38:50.364474-0400	CryptexManager	[Telemetry]: Activity <nw_activity 12:2 [635972EC-1CD5-4B6E-9F1E-30A428E20FC5] (reporting strategy default)> on Task <8CCDA13A-077D-43F7-848B-DAB729FB1E45>.<1> was not selected for reporting
default	08:38:50.364779-0400	CryptexManager	-[SOConfigurationClient init]  on <private>
default	08:38:50.365056-0400	CryptexManager	<SOServiceConnection: 0x60000116d820>: new XPC connection
default	08:38:50.367104-0400	CryptexManager	Initializing connection
default	08:38:50.367160-0400	CryptexManager	Removing all cached process handles
default	08:38:50.367192-0400	CryptexManager	Sending handshake request attempt #1 to server
default	08:38:50.367217-0400	CryptexManager	Creating connection to com.apple.runningboard
default	08:38:50.367522-0400	runningboardd	Resolved pid 61390 to [anon<CryptexManager>(501):61390]
default	08:38:50.367652-0400	runningboardd	[anon<CryptexManager>(501):61390] This process will not be managed.
default	08:38:50.367674-0400	runningboardd	Now tracking process: [anon<CryptexManager>(501):61390]
default	08:38:50.368056-0400	runningboardd	Setting client for [anon<CryptexManager>(501):61390] as ready
default	08:38:50.368324-0400	CryptexManager	Handshake succeeded
default	08:38:50.368350-0400	CryptexManager	Identity resolved as anon<CryptexManager>(501)
default	08:38:50.368549-0400	runningboardd	Acquiring assertion targeting [anon<CryptexManager>(501):61390] from originator [anon<CryptexManager>(501):61390] with description <RBSAssertionDescriptor| "com.apple.CFNetwork.StorageDB" ID:221-61390-2985 target:61390 attributes:[
	<RBSDomainAttribute| domain:"com.apple.common" name:"FinishTaskUninterruptable" sourceEnvironment:"(null)">,
	<RBSAcquisitionCompletionAttribute| policy:AfterApplication>
	]>
default	08:38:50.368619-0400	runningboardd	Assertion 221-61390-2985 (target:[anon<CryptexManager>(501):61390]) will be created as active as no start-time-defining assertions exist
default	08:38:50.368899-0400	runningboardd	[anon<CryptexManager>(501):61390] Ignoring jetsam update because this process is not memory-managed
default	08:38:50.368922-0400	runningboardd	[anon<CryptexManager>(501):61390] Ignoring suspend because this process is not lifecycle managed
default	08:38:50.368943-0400	runningboardd	[anon<CryptexManager>(501):61390] Ignoring role changes because this process is not role managed
default	08:38:50.368982-0400	runningboardd	[anon<CryptexManager>(501):61390] Ignoring GPU update because this process is not GPU managed
default	08:38:50.369647-0400	runningboardd	Acquiring assertion targeting [anon<CryptexManager>(501):61390] from originator [daemon<com.apple.powerd>:107] with description <RBSAssertionDescriptor| "App is holding power assertion" ID:221-107-2986 target:61390 attributes:[
	<RBSDomainAttribute| domain:"com.apple.appnap" name:"PowerAssertion" sourceEnvironment:"(null)">,
	<RBSAcquisitionCompletionAttribute| policy:AfterApplication>
	]>
default	08:38:50.369710-0400	runningboardd	Assertion 221-107-2986 (target:[anon<CryptexManager>(501):61390]) will be created as active
default	08:38:50.370187-0400	runningboardd	[anon<CryptexManager>(501):61390] Ignoring jetsam update because this process is not memory-managed
default	08:38:50.370260-0400	runningboardd	[anon<CryptexManager>(501):61390] Ignoring suspend because this process is not lifecycle managed
default	08:38:50.370357-0400	runningboardd	[anon<CryptexManager>(501):61390] Ignoring role changes because this process is not role managed
default	08:38:50.370486-0400	runningboardd	[anon<CryptexManager>(501):61390] Ignoring GPU update because this process is not GPU managed
default	08:38:50.373310-0400	CryptexManager	Faulting in NSHTTPCookieStorage singleton
default	08:38:50.373328-0400	CryptexManager	Faulting in CFHTTPCookieStorage singleton
default	08:38:50.373338-0400	CryptexManager	Creating default cookie storage with process/bundle identifier
default	08:38:50.373948-0400	CryptexManager	Connection 1: starting, TC(0x0)
default	08:38:50.374046-0400	CryptexManager	[C1 FD88EAE0-1A11-4388-86A1-7000FDBF870D Hostname#1ba70818:80 tcp, url hash: 7fd3daff, definite, attribution: developer, context: com.apple.CFNetwork.NSURLSession.{4C152A83-B466-4A13-95D7-151B4EDDFD04}{(null)}{Y}{2} (private), proc: 9554AF4E-33C5-3FEA-855C-1A0349FCFE55] start
default	08:38:50.374083-0400	CryptexManager	[C1 Hostname#1ba70818:80 initial path ((null))] event: path:start @0.000s
default	08:38:50.374325-0400	CryptexManager	[C1 Hostname#1ba70818:80 waiting path (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: path:satisfied @0.000s, uuid: E7AA2368-CF14-46FE-98A6-828B5F8D4324
default	08:38:50.374520-0400	CryptexManager	[C1 Hostname#1ba70818:80 in_progress proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: proxy:start_process @0.000s
default	08:38:50.374533-0400	CryptexManager	nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state preparing
default	08:38:50.374989-0400	CryptexManager	[C1 Hostname#1ba70818:80 in_progress proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: proxy:finish_process @0.000s
default	08:38:50.375005-0400	CryptexManager	[C1 Hostname#1ba70818:80 in_progress proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: proxy:start_resolve @0.000s
default	08:38:50.375020-0400	CryptexManager	[C1 Hostname#1ba70818:80 in_progress proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: proxy:finish_resolve @0.000s
default	08:38:50.375166-0400	CryptexManager	[C1.1 127.0.0.1:9090 initial path ((null))] event: path:start @0.001s
default	08:38:50.375353-0400	CryptexManager	[C1.1 127.0.0.1:9090 waiting path (satisfied (Path is satisfied), interface: lo0)] event: path:satisfied @0.001s, uuid: 9B5C6877-21B0-4FB5-B43A-53FC4550C0EE
default	08:38:50.375674-0400	CryptexManager	[C1.1 127.0.0.1:9090 in_progress socket-flow (satisfied (Path is satisfied), interface: lo0)] event: flow:start_connect @0.001s
default	08:38:50.375771-0400	CryptexManager	Task <8CCDA13A-077D-43F7-848B-DAB729FB1E45>.<1> setting up Connection 1
default	08:38:50.375869-0400	CryptexManager	nw_socket_handle_socket_event [C1.1:2] Socket received CONNECTED event
default	08:38:50.375955-0400	CryptexManager	nw_flow_connected [C1.1 127.0.0.1:9090 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] Transport protocol connected (socket)
default	08:38:50.376072-0400	CryptexManager	[C1.1 127.0.0.1:9090 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] event: flow:finish_transport @0.002s
default	08:38:50.376126-0400	CryptexManager	nw_flow_connected [C1.1 127.0.0.1:9090 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] Output protocol connected (CFNetworkConnection-4095830641)
default	08:38:50.376255-0400	CryptexManager	[C1.1 127.0.0.1:9090 ready socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] event: flow:finish_connect @0.002s
default	08:38:50.376355-0400	CryptexManager	nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state ready
default	08:38:50.376411-0400	CryptexManager	[C1 Hostname#1ba70818:80 ready proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: flow:finish_connect @0.002s
default	08:38:50.376461-0400	CryptexManager	[C1.1 127.0.0.1:9090 ready socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] event: flow:changed_viability @0.002s
default	08:38:50.376497-0400	CryptexManager	[C1 Hostname#1ba70818:80 ready proxy (satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns, proxy)] event: flow:changed_viability @0.002s
default	08:38:50.376544-0400	CryptexManager	Connection 1: connected successfully
default	08:38:50.376600-0400	CryptexManager	Connection 1: ready C(N) E(N)
default	08:38:50.376724-0400	CryptexManager	Task <8CCDA13A-077D-43F7-848B-DAB729FB1E45>.<1> now using Connection 1
default	08:38:50.376863-0400	CryptexManager	Connection 1: received viability advisory(Y)
default	08:38:50.377510-0400	CryptexManager	Task <8CCDA13A-077D-43F7-848B-DAB729FB1E45>.<1> sent request, body S 1601
default	08:38:50.377584-0400	CryptexManager	Received configuration update from daemon (initial)
default	08:38:50.618233-0400	CryptexManager	Task <8CCDA13A-077D-43F7-848B-DAB729FB1E45>.<1> received response, status 200 content C
default	08:38:50.618583-0400	CryptexManager	Task <8CCDA13A-077D-43F7-848B-DAB729FB1E45>.<1> response ended
default	08:38:50.618662-0400	CryptexManager	Task <8CCDA13A-077D-43F7-848B-DAB729FB1E45>.<1> done using Connection 1
default	08:38:50.618851-0400	CryptexManager	Task <8CCDA13A-077D-43F7-848B-DAB729FB1E45>.<1> summary for task success {transaction_duration_ms=251, response_status=200, connection=1, protocol="http/1.1", domain_lookup_duration_ms=0, connect_duration_ms=1, secure_connection_duration_ms=0, private_relay=false, request_start_ms=10, request_duration_ms=0, response_start_ms=251, response_duration_ms=0, request_bytes=1923, response_bytes=3457, cache_hit=true}
default	08:38:50.619174-0400	CryptexManager	Task <8CCDA13A-077D-43F7-848B-DAB729FB1E45>.<1> finished successfully
default	08:38:50.633033-0400	CryptexManager	Entering exit handler.
default	08:38:50.633100-0400	CryptexManager	Exiting exit handler.
default	08:38:50.634671-0400	runningboardd	XPC connection invalidated: [anon<CryptexManager>(501):61390]
default	08:38:50.641074-0400	runningboardd	[anon<CryptexManager>(501):61390] termination reported by proc_exit
default	08:38:50.741866-0400	runningboardd	Removing process: [anon<CryptexManager>(501):61390]
default	08:38:50.742002-0400	runningboardd	removeJobWithInstance called for identity without existing job [anon<CryptexManager>(501):61390]
default	08:38:50.742023-0400	runningboardd	Removing assertions for terminated process: [anon<CryptexManager>(501):61390]
default	08:38:52.461632-0400	kernel	hfs: unmount initiated on com.example.cryptex.dstroot on device disk7s1

SRD Logging for iPhone 11 aka SRD0009

default	08:34:50.906970-0400	cryptexd	[anonymous]: tss request = <private>
error	08:34:50.909512-0400	cryptexd	manifest constraint violated: BORD: 13
error	08:34:50.909734-0400	cryptexd	[anonymous]: firmware execution failed: [13: Permission denied]
error	08:34:50.909770-0400	cryptexd	[anonymous]: authentication failed: [13: Permission denied]
error	08:34:50.910209-0400	cryptexd	<private>: cpxd authentication: [13: Permission denied]
error	08:34:50.913410-0400	cryptexd	manifest constraint violated: BORD: 13
error	08:34:50.913825-0400	cryptexd	[anonymous]: firmware execution failed: [13: Permission denied]
error	08:34:50.913893-0400	cryptexd	[anonymous]: authentication failed: [13: Permission denied]
error	08:34:50.913969-0400	cryptexd	<private>: c411 authentication: [13: Permission denied]
error	08:34:50.914041-0400	cryptexd	<private>: _codex_import_core_continue failed with invalid asset: cpxd: [13: Permission denied]
error	08:34:50.914186-0400	cryptexd	<private>: installation failed: [13: Permission denied]
error	08:34:50.914254-0400	cryptexd	sending reply: [13: Permission denied]
error	08:34:50.914601-0400	MobileStorageMounter	rpc_init_local: [13: Permission denied]
error	08:34:50.914679-0400	MobileStorageMounter	<private>: ipc failure: [13: Permission denied]
error	08:34:50.914748-0400	MobileStorageMounter	<private>: install rpc: [13: Permission denied]
default	08:34:50.914818-0400	MobileStorageMounter	Failed to install cryptex (<private>): 13 (Permission denied)

SUMMARY: BUILD | 19E5209h | 13E5086k | debugserver | other dylib | Entitlement Issues

debugserver

Code: https://github.com/xsscx/srd/tree/main/SecurityResearchTools_21C39/example-cryptex/src/debugserver with Entitlement https://github.com/xsscx/srd/blob/main/SecurityResearchTools_21C39/example-cryptex/src/debugserver/debugserver.plist

Existing Entitlements pre-19E5209h [last known good configuration]

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.security.cs.debugger</key>
        <true/>
        <key>task_for_pid-allow</key>
        <true/>
        <key>research.com.apple.license-to-operate</key>
	<true/>
</dict>
</plist>

codesign -dvvv debugserver

Executable=/Volumes/DeveloperDiskImage/usr/bin/debugserver
Identifier=com.apple.debugserver
Format=Mach-O universal (arm64e arm64)
CodeDirectory v=20400 size=5294 flags=0x2(adhoc) hashes=155+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=5c6bccad645891f594a5b6a2760575168b8a78d6
CandidateCDHashFull sha256=5c6bccad645891f594a5b6a2760575168b8a78d6ce712b338aae4e9100c93663
Hash choices=sha256
CMSDigest=5c6bccad645891f594a5b6a2760575168b8a78d6ce712b338aae4e9100c93663
CMSDigestType=2
CDHash=5c6bccad645891f594a5b6a2760575168b8a78d6
Signature=adhoc
Info.plist entries=5
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12

Issue Summary

DNBProcessLaunch() returned error: 'Operation not permitted'

PoC

./debugserver 192.168.3.37:1921 ./hello
debugserver-@(#)PROGRAM:LLDB  PROJECT:lldb-1316.2.4.12
 for arm64.
error: failed to launch process ./debugserver: Operation not permitted
Exiting.

Issue

error	21:14:46.741600-0500	kernel	Sandbox: debugserver(586) deny(1) process-fork
default	21:14:46.742089-0500	debugserver	1 +0.000000 sec [024a/0103]: error: ::posix_spawnp ( pid => 0, path = '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.AxJSUi/usr/bin/hello', file_actions = 0x16cef9ef0, attr = 0x16cef9f08, argv = 0x142804470, envp = 0x142804480 ) err = Operation not permitted (0x00000001)
default	21:14:46.742259-0500	debugserver	2 +0.000266 sec [024a/0103]: RNBRunLoopLaunchInferior DNBProcessLaunch() returned error: 'Operation not permitted'

uname -a

Darwin SRD0037 21.4.0 Darwin Kernel Version 21.4.0: Sun Jan 16 20:50:39 PST 2022; root:xnu-8020.100.406.0.1~10/RELEASE_ARM64_T8101 iPhone13,2 Toybox

date

Mon Jan 31 21:47:01 EST 2022

SUMMARY: WORKAROUND | 21E230 | X86_64 | cryptexctl | 3ef28a3 | EXC_BAD_ACCESS

SUMMARY: 21E230 | X86_64 | cryptexctl | EXC_BAD_ACCESS

It has been found that macOS 12.3 (21E230) X86_64 and the most recent update to cryptexctl from URL:

https://github.com/apple/security-research-device/tree/main/bin

from commit

https://github.com/apple/security-research-device/commit/3ef28a37a70d5b288a2da1a3e073975c9bae4a35

Results with EXC_BAD_ACCESS when applying the command line arg "--variant=research" from the X86_64 Platform.

Workaround

Use Cryptex Manager

Reproduction

lldb -- cryptexctl install -p -l --variant=research --persist com.example.cryptex.cxbd.signed

Crash Reproduction with lldb

Reported

SUMMARY: Resolved: srdutil | hang when using --kernel-cache

Summary

Can you confirm what Version of srdutil contains working --kernel-cache

Source https://github.com/apple/security-research-device/blob/main/bin/srdutil

Reproduction

Older: srdutil restore --kernel-cache $(pwd)/kernelcache.patched.image4 ...

srdutil: unrecognized option `--kernel-cache'
srdutil: unknown option: --kernel-cache

Newer: srdutil restore --kernel-cache $(pwd)/kernelcache.patched.image4 ...

hang...

srdutil file info

Tried

codesign -dvvv /usr/local/bin/srdutil
Executable=/usr/local/bin/srdutil
Identifier=com.apple.security.srdutil
Format=Mach-O universal (x86_64 arm64e arm64)
CodeDirectory v=20400 size=787 flags=0x2000(library-validation) hashes=14+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=d265ab2979a223f884963a73c9e93460c2afcd40
CandidateCDHashFull sha256=d265ab2979a223f884963a73c9e93460c2afcd40d0885bc3e43be07576aff175
Hash choices=sha256
CMSDigest=d265ab2979a223f884963a73c9e93460c2afcd40d0885bc3e43be07576aff175
CMSDigestType=2
CDHash=d265ab2979a223f884963a73c9e93460c2afcd40
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=Nov 10, 2021 at 01:33:58
Info.plist entries=18
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=76

Which doesn't have the arg --kernel-cache

Tried

codesign -dvvv srdutil
Executable=/Users/xss/Downloads/security-research-device-main/bin/srdutil
Identifier=com.apple.security.srdutil
Format=Mach-O universal (x86_64 arm64e arm64)
CodeDirectory v=20400 size=787 flags=0x2000(library-validation) hashes=14+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=9ad5286fa35fc5d60c051d0e8e470bbe4c4f0ff2
CandidateCDHashFull sha256=9ad5286fa35fc5d60c051d0e8e470bbe4c4f0ff27b364a7bf85a00eaa7735bd1
Hash choices=sha256
CMSDigest=9ad5286fa35fc5d60c051d0e8e470bbe4c4f0ff27b364a7bf85a00eaa7735bd1
CMSDigestType=2
CDHash=9ad5286fa35fc5d60c051d0e8e470bbe4c4f0ff2
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=Jan 22, 2022 at 05:57:18
Info.plist entries=18
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=76

Which hangs on T8101 & X86_64 for iPhone 11.

Checking with the iPhone 12, srdutil hangs around:

dyld[50263]: dlsym(0xfff13c6d6460, "OSStateCreateStringWithData")
dyld[50263]:      dlsym("OSStateCreateStringWithData") => NULL

https://github.com/apple/security-research-device/issues/56

SUMMARY: Example com.apple.system.logging.plist for SRD

It has been found that the SRD supports com.apple.system.logging.plist.

Reproduction: ssh to the SRD and CopyPasta

echo '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Enable-Private-Data</key><true/></dict></plist>' > /Library/Preferences/Logging/com.apple.system.logging.plist

That will turn on some helpful logging , with a kill - HUP to logd

Using the example .plist on the iPhone 12, we see Logging Details for the Console Log Messages.

default	17:31:00.135083-0400	cryptexd	AMSupportPlatformCreateBufferFromNativeFilePath: open failed: No such file or directory
default	17:31:00.135283-0400	cryptexd	AMAuthInstallApCopyDeviceEntryFromDeviceMap: Failed to read devicemap from file:///usr/local/standalone/firmware/device_map.plist
default	17:31:00.135377-0400	cryptexd	AMAuthInstallApCreateImagePropertiesWithDeviceMapZipped: WARNING: Could not retrieve image properties from devicemap.
default	17:31:00.135473-0400	cryptexd	AMAuthInstallApCreateImagePropertiesWithDeviceMapZipped: WARNING: Consider setting alternate device_map, ie in a device-specific SDK path.  Setting default RestoreRequestRules to: {
    Digest = {length = 48, bytes = 0xd867ae97 4a9ec256 6720109b b7f0feb7 ... 124f2c9f 7060dbc8 };
    EPRO = 1;
    ESEC = 1;
    Trusted = 1;
}
default	17:31:00.135556-0400	cryptexd	AMAuthInstallApCreateImagePropertiesWithDeviceMapZipped: WARNING: Note: This default behavior may change in the future into a hard error.
default	17:31:00.136066-0400	cryptexd	AMSupportPlatformCreateBufferFromNativeFilePath: open failed: No such file or directory
default	17:31:00.136235-0400	cryptexd	AMAuthInstallApCopyDeviceEntryFromDeviceMap: Failed to read devicemap from file:///usr/local/standalone/firmware/device_map.plist
default	17:31:00.136323-0400	cryptexd	AMAuthInstallApCreateImagePropertiesWithDeviceMapZipped: WARNING: Could not retrieve image properties from devicemap.
default	17:31:00.136405-0400	cryptexd	AMAuthInstallApCreateImagePropertiesWithDeviceMapZipped: WARNING: Consider setting alternate device_map, ie in a device-specific SDK path.  Setting default RestoreRequestRules to: {
    Digest = {length = 48, bytes = 0xbfb65b82 4d738fde 23870bcd cbfea296 ... 7874c480 4b56c6e4 };
    EPRO = 1;
    ESEC = 1;
    Trusted = 1;
}
default	17:31:00.136471-0400	cryptexd	AMAuthInstallApCreateImagePropertiesWithDeviceMapZipped: WARNING: Note: This default behavior may change in the future into a hard error.
default	17:31:00.136615-0400	cryptexd	AMSupportPlatformCreateBufferFromNativeFilePath: open failed: No such file or directory

SUMMARY: FB10428297 | SRD | IPSW 15.6_19G5046d_Restore | Crash | debugserver | Symbol not found: (_objc_release_x20)

SUMMARY

When using 15.6_19G5046d for either SRD iPhone 11 or iPhone 12 its has been found that the following Crash Report reproduces when installing the default ./example-cryptex/ from either X86_64 or arm64e:

Reproduction

make clean
make install

Source

https://github.com/apple/security-research-device

Console Log

ASI found [dyld] (sensitive) 'Symbol not found: (_objc_release_x20)
  Referenced from: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.EPj3zU/usr/bin/debugserver'
  Expected in: '/usr/lib/libobjc.A.dylib''

Version id

uname -a
Darwin SRD0009 21.6.0 Darwin Kernel Version 21.6.0: Sun Jun  5 16:51:51 PDT 2022; root:xnu-8020.140.36~29/RELEASE_ARM64_T8030 iPhone12,1 Toybox

whoami
root

date
Thu Jun 23 06:51:55 EDT 2022

and

uname -a
Darwin SRD0037 21.6.0 Darwin Kernel Version 21.6.0: Sun May 22 21:41:28 PDT 2022; root:xnu-8020.140.30~10/RELEASE_ARM64_T8101 iPhone13,2 Toybox

date
Thu Jun 23 07:07:56 EDT 2022

whoami
root

Crash Report

Last Updated: THU 23 JUN 2022

Hardware Model:      iPhone12,1
Process:             debugserver [455]
Path:                /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.EPj3zU/usr/bin/debugserver
Identifier:          debugserver
Version:             ???
Code Type:           ARM-64 (Native)
Role:                Unspecified
Parent Process:      launchd [1]
Coalition:           com.example.cryptex.debugserver [502]

Date/Time:           2022-06-23 06:49:29.3405 -0400
Launch Time:         2022-06-23 06:49:29.3123 -0400
OS Version:          iPhone OS 15.6 (19G5046d)
Release Type:        Beta
Baseband Version:    3.04.00
Report Version:      104

Exception Type:  EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note:  EXC_CORPSE_NOTIFY
Termination Reason: DYLD 4 Symbol missing
Symbol not found: (_objc_release_x20)
Referenced from: '/Volumes/VOLUME/*/debugserver'
Expected in: '/usr/lib/libobjc.A.dylib'
(terminated at launch; ignore backtrace)

Triggered by Thread:  0

Thread 0 Crashed:
0   dyld                          	       0x1052c8b14 __abort_with_payload + 8
1   dyld                          	       0x1052ce6cc abort_with_payload_wrapper_internal + 104
2   dyld                          	       0x1052ce700 abort_with_payload + 16
3   dyld                          	       0x10529ea00 dyld4::halt(char const*) + 580
4   dyld                          	       0x10529ba20 dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 3560
5   dyld                          	       0x105299d84 start + 488


Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000000000000006   x1: 0x0000000000000004   x2: 0x000000016b1ea318   x3: 0x000000000000009f
    x4: 0x000000016b1e9f18   x5: 0x0000000000000000   x6: 0x0000000000000000   x7: 0x000000016b1e9990
    x8: 0x0000000000000020   x9: 0x0000000000000009  x10: 0x000000016b1e9fc3  x11: 0x00000000000000c3
   x12: 0x0000000000000000  x13: 0x0000000000000034  x14: 0x000000021f9d9f90  x15: 0x0000000000000000
   x16: 0x0000000000000209  x17: 0x00000001052c31c8  x18: 0x0000000000000000  x19: 0x0000000000000000
   x20: 0x000000016b1e9f18  x21: 0x000000000000009f  x22: 0x000000016b1ea318  x23: 0x0000000000000004
   x24: 0x0000000000000006  x25: 0x000000016b1e9f18  x26: 0x0000000000000400  x27: 0x0000000000000400
   x28: 0x00000000000000ab   fp: 0x000000016b1e9ee0   lr: 0x00000001052ce6cc
    sp: 0x000000016b1e9ea0   pc: 0x00000001052c8b14 cpsr: 0x00000000
   far: 0x00000001051b8000  esr: 0x56000080  Address size fault

Binary Images:
       0x105280000 -        0x1052d7fff dyld arm64e  <2d3a4c3340a83b37bab46c8e83def771> /usr/lib/dyld

EOF

Reported

Feedback FB10428297

Workaround

Rollback

SUMMARY: WORKAROUND: SRD | dropbear and old ac macros need a fix

SRD | Recent Commits to Dropbear and old ac macro result in Login Failure | Workaround

Recent Commits to Dropbear have caused the ssh session bail due to use of old ac macros...

Current workaround it to use the Dropbear / Toybox Binaries fromaround April 6, 2022:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/xsscx/srd/main/dmg/install.sh)"

Additional research in progresss.........

SUMMARY: macOS Version 12.3.1 (Build 21E258) | Xcode 13.3.1 (20103) (Build 13E500a) | dyld_shared_cache_extract_dylibs failed | DVTRadarComponentKey = 487927

dyld_shared_cache_extract_dylibs failed

Reported: https://feedbackassistant.apple.com/feedback/10010173

SUMMARY: PR | 21C52 | 19C63 | 21C39 | libcryptex_executables-169.80.2~9 | cryptexctl | Segmentation Fault | Undefined Behavior

SUMMARY: 21C52 | 19C63 | 21C39 | libcryptex_executables-169.80.2~9 | cryptexctl | Segmentation Fault | Undefined Behavior

Last Updated: SAT 15 JAN 2022 at 1550 EST

It has been found that cryptexctl occasionally exhibits undefined behavior and segmentation faults. Below is a Crash and Undefined Behavior example for further analysis by Upstream. ~~Supporting materials to be uploaded to Box CoB TUES 18 JAN 2022~~. Reported https://github.com/apple/security-research-device/issues/39.

cryptexctl version

Darwin Cryptex Management Interface Version 2.0.0: Sun Dec 19 22:28:12 PST 2021; root:libcryptex_executables-169.80.2~9/cryptexctl/WEN_ETA_X86_64

uname -a

Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64 x86_64

Issues

Undefined Behavior

PoC

cryptexctl -v9 -d9 -ldt install --print-info ./com.example.cryptex.cxbd.signed

Log

AMDeviceMountImage (thread 0x1040ba600): Could not mount image: 0xe8000076 (kAMDMobileImageMounterImageMountFailed)
...
2022-01-15 15:42:52.513328-0500 cryptexctl.research[99636:481030] [install]   th_port =>
2022-01-15 15:42:52.513945-0500 cryptexctl.research[99636:481030] [bundle] [anonymous]: _cryptex_bundle_find_cryptex_elm failed to find default: [3: No such process]
cryptexctl.research: failed to copy cryptex from bundle: No such process

Segmentation Fault

PoC

cryptexctl -v9 -d9 -ldt install --print-info ./com.example.cryptex.cxbd

Log

2022-01-15 15:44:50.916085-0500 cryptexctl.research[99641:481540] [utility] read 2008 bytes
2022-01-15 15:44:50.916104-0500 cryptexctl.research[99641:481540] [utility] read 311 bytes

Crash

Process:               cryptexctl.research [87664]
Path:                  /usr/local/bin/cryptexctl.research
Identifier:            cryptexctl.research
Code Type:             X86-64 (Native)
Date/Time:             2022-01-15 14:44:41.5615 -0500
OS Version:            macOS 12.1 (21C52)
Report Version:        12
Bridge OS Version:     6.1 (19P647)
System Integrity Protection: disabled
Crashed Thread:        2  Dispatch queue: com.apple.security.libcryptex.core.dq
Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY
Termination Reason:    Namespace LIBSYSTEM, Code 2 Application Triggered Fault

Application Specific Information:
cf create failed: obj = %s


Thread 0::  Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib        	    0x7ff808c44af6 semaphore_wait_trap + 10
1   libdispatch.dylib             	    0x7ff808acb178 _dispatch_sema4_wait + 16
2   libdispatch.dylib             	    0x7ff808acb647 _dispatch_semaphore_wait_slow + 98
3   cryptexctl.research           	       0x10574f63a 0x105739000 + 91706
4   libsystem_darwin.dylib        	    0x7ff80b2b47df os_subcommand_main + 671
5   cryptexctl.research           	       0x105756f70 0x105739000 + 122736
6   dyld                          	       0x1076fc4fe start + 462

Thread 1:
0   libsystem_pthread.dylib       	    0x7ff808c7cfec start_wqthread + 0

Thread 2 Crashed::  Dispatch queue: com.apple.security.libcryptex.core.dq
0   libsystem_kernel.dylib        	    0x7ff808c67dfe __abort_with_payload + 10
1   libsystem_kernel.dylib        	    0x7ff808c69893 abort_with_payload_wrapper_internal + 80
2   libsystem_kernel.dylib        	    0x7ff808c698c5 abort_with_payload + 9
3   libsystem_c.dylib             	    0x7ff808bccf45 _os_crash_fmt.cold.1 + 55
4   libsystem_c.dylib             	    0x7ff808b913c5 _os_crash_fmt + 154
5   libcryptex_core.dylib         	    0x7ffa12f7aa03 _CFDictionarySetString + 218
6   libcryptex_core.dylib         	    0x7ffa12f72f01 _shared_cdxn_stamp + 102
7   libcryptex_core.dylib         	    0x7ffa12f79488 _cryptex_scrivener_init_tss + 1396
8   libcryptex_core.dylib         	    0x7ffa12f77ec3 _cryptex_scrivener_init + 67
9   libcryptex_core.dylib         	    0x7ffa12f723fa _cryptex_init + 12
10  libdispatch.dylib             	    0x7ff808acacc9 _dispatch_client_callout + 8
11  libdispatch.dylib             	    0x7ff808ad0cee _dispatch_lane_serial_drain + 696
12  libdispatch.dylib             	    0x7ff808ad17c8 _dispatch_lane_invoke + 366
13  libdispatch.dylib             	    0x7ff808adb7e1 _dispatch_workloop_worker_thread + 758
14  libsystem_pthread.dylib       	    0x7ff808c7e074 _pthread_wqthread + 326
15  libsystem_pthread.dylib       	    0x7ff808c7cffb start_wqthread + 15


Thread 2 crashed with X86 Thread State (64-bit):
  rax: 0x0000000002000209  rbx: 0x0000000000000000  rcx: 0x000070000f5d9518  rdx: 0x000070000f5d95d0
  rdi: 0x0000000000000012  rsi: 0x0000000000000002  rbp: 0x000070000f5d9560  rsp: 0x000070000f5d9518
   r8: 0x0000600002f5d800   r9: 0x0000000000000000  r10: 0x0000000000000054  r11: 0x0000000000000246
  r12: 0x0000000000000054  r13: 0x000070000f5d95d0  r14: 0x0000000000000002  r15: 0x0000000000000012
  rip: 0x00007ff808c67dfe  rfl: 0x0000000000000246  cr2: 0x00000001063bb507
  
Logical CPU:     0
Error Code:      0x02000209 
Trap Number:     133


Binary Images:
    0x7ff808c44000 -     0x7ff808c7afff libsystem_kernel.dylib (*) <5aa1e5be-b5b8-3a02-9885-a8c99e0ca378> /usr/lib/system/libsystem_kernel.dylib
    0x7ff808ac8000 -     0x7ff808b0efff libdispatch.dylib (*) <c8f7bfb6-4b1a-37cd-a32d-cd5069c916df> /usr/lib/system/libdispatch.dylib
       0x105739000 -        0x105780fff cryptexctl.research (*) <c6cbb58f-9ab2-3213-8142-4a796bea7f2e> /usr/local/bin/cryptexctl.research
    0x7ff80b2b1000 -     0x7ff80b2bafff libsystem_darwin.dylib (*) <88f69b74-233c-32a0-8d4a-3fcdd556d829> /usr/lib/system/libsystem_darwin.dylib
       0x1076f7000 -        0x107762fff dyld (*) <cef5a27a-d50b-3020-af03-1734b19bc8c5> /usr/lib/dyld
    0x7ff808c7b000 -     0x7ff808c86fff libsystem_pthread.dylib (*) <6c7561b4-4b92-3f45-921e-abe669299844> /usr/lib/system/libsystem_pthread.dylib
    0x7ff808b4c000 -     0x7ff808bd4fff libsystem_c.dylib (*) <e58814cc-dcb7-35a5-badc-e367ed3ac207> /usr/lib/system/libsystem_c.dylib
    0x7ffa12f6e000 -     0x7ffa12f81fff libcryptex_core.dylib (*) <c446231e-b1ac-3e33-bc41-b674540928ea> /usr/lib/libcryptex_core.dylib

Log Stream

ReportCrash: Formulating fatal 309 report for corpse[41025] cryptexctl.research

SUMMARY: TSS | 21C52 | 21C39 | X86_64 | libcryptex_executables-169.80.2~9 | Cryptex | Signing | Declined | iPhone 11 | iPhone 12 | CryptexManager Working || Workaround Posted

21C52 | 21C39 | X86_64 | libcryptex_executables-169.80.2~9 | TSS | Cryptex | Signing | Declined | iPhone 11 | iPhone 12 | CryptexManager Working

It has been found that as of MON 10 JAN 2022 that cryptexctl for SRT 21C39 with cryptexctl from libcryptex_executables-169.80.2~9 generates TSS Signing Requests that are being Declined.

Version Info

cryptexctl version
Darwin Cryptex Management Interface Version 2.0.0: Sun Dec 19 22:28:12 PST 2021; root:libcryptex_executables-169.80.2~9/cryptexctl/WEN_ETA_X86_64

Kernel

21.2.0 Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64 x86_64

shasum

shasum /usr/local/bin/cryptexctl.research
3521ce63903f50b1c0052bd076bc2f7dd0193017  /usr/local/bin/cryptexctl.research

Codesign

codesign -dvvv /usr/local/bin/cryptexctl.research
Executable=/usr/local/bin/cryptexctl.research
Identifier=com.apple.security.cryptexctl
Format=Mach-O universal (x86_64 arm64e)
CodeDirectory v=20400 size=3318 flags=0x2000(library-validation) hashes=93+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=50da1fdfbd3511624b146f0dbf201e7e305a74ae
CandidateCDHashFull sha256=50da1fdfbd3511624b146f0dbf201e7e305a74ae2434fafbb70aa54767e2f95c
Hash choices=sha256
CMSDigest=50da1fdfbd3511624b146f0dbf201e7e305a74ae2434fafbb70aa54767e2f95c
CMSDigestType=2
CDHash=50da1fdfbd3511624b146f0dbf201e7e305a74ae
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=Dec 20, 2021 at 1:28:20 AM
Info.plist entries=18
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=80

CLI

cryptexctl ${CRYPTEXCTL_PERSONALIZE_FLAGS} personalize --replace -o /Users/xss/security-research-device/example-cryptex/com.example.cryptex.cxbd.signed --variant=research com.example.cryptex.cxbd
cryptexctl: failed to personalize cryptex: Authentication error

HTTP Response

HTTP/1.1 200 OK
Server: Apple
Date: Mon, 10 Jan 2022 15:42:37 GMT
Content-Type: text/html
Content-Length: 69
Connection: close
Host: gs.apple.com
Strict-Transport-Security: max-age=31536000; includeSubdomains
X-Frame-Options: SAMEORIGIN

STATUS=94&MESSAGE=This device isn't eligible for the requested build.

Issue

It appears that cryptexctl on X86_64 makes an HTTP Request that does not contain the Key for CryptexDMG perhaps causing the Authentication Error from libcryptex:

	<string>libauthinstall-850.0.2</string>
	<key>LoadableTrustCache</key>
		kOVent8lUZhyycIztLTDLx2SEqirUUKUA0qoZmg3mfICdsE44/spe9CVnt9N
		HU9l
	<key>PersonalizedDMG</key>

Whereas it has been found that CryptexManager generates an HTTP Request containing the proper syntax:

	<string>libauthinstall-850.0.1.0.1</string>
	<key>CryptexDMG</key>
		xqPjx+ZJFIDtb1OUermcwzMbMGs/+CrMKvR/8FhoSxPJxW+j5TB2Xj6q7SAW
		vjd2
		<key>Name</key>
		<string>com.example.cryptex</string>
	<key>LoadableTrustCache</key>
		NeNmR3jjNQmWATai/+kJXPgnnhHwmDDwKxODOw6HKysM08imi6nbJjDXBvSp
		j8bw

Personalization Request from CryptexManager with cryptex installation success

.build/release/CryptexManager create -i com.example.cryptex -v 1.3.3.7 ~/Downloads/universal-srd-toybox-unstripped-commit-ea4748a7cbfa5e2f3ef188f917d4e5aeac70dd0f.dmg /Volumes/com.example.cryptex.dstroot /tmp/cptx
.build/release/CryptexManager  install /tmp/cptx
Successfully installed cryptex!
.build/release/CryptexManager  list
com.example.cryptex:
	Version: 1.3.3.7
	Mounted at: /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.Vx43Gr
	Disk image path: /private/var/run/com.apple.security.cryptexd/codex.system/live/com.example.cryptex/cpxd

macOS 11.x Unimpacted for M1 T8101 or X86_64

TSS Signing for cryptex personalizations are not impacted from M1 T8101 or X86_64 when using 20G314 with SRT 20C80, aka macOS 11.6.2 for iPhone 11 or iPhone 12 Devices.

Analysis

It was found that the HTTP Request generated by cryptexctl contains the key:

<key>PersonalizedDMG</key>

and when changed to:

<key>CryptexDMG</key>

Then, The HTTP Response contains the Signing for the Cryptex Personalization.

Reference

Requirements: https://github.com/xsscx/srd/blob/main/SecurityResearchTools_21C39/example-cryptex/README.md

OS == Big Sur

TSS cryptex personalization Signings as of MON 10 JAN 2022 at 1200 EST

macOS 11.x

M1 T8101 macOS 20G314 SRT 20C80
X86_64 macOS 20G314 SRT 20C80

macOS 12.x

X86_64 macOS 21C52 with Cryptex Manager https://github.com/pinauten/CryptexManager

SUMMARY: BUILD | 21C39 | Makefile | Delta | Diff

It has been found that the Makefile for SRT 21C39 contains the following code:

.PHONY: clean
clean:
	rm -rf ${CRYPTEX_ROOT_DIR} ${CRYPTEX_DMG_NAME} ${CRYPTEX_ID}.cptx
	rm -rf include
	# Loop through each project and call its clean target
	$(foreach proj,$(PROJECT_DIRS),$(MAKE) $(EXTRA_MAKE_FLAGS) -C $(proj) clean;)

Whereas the Filenames to be Deleted are named:

com.example.cryptex.cxbd
com.example.cryptex.cxbd.signed

diff

<	rm -rf ${CRYPTEX_ROOT_DIR} ${CRYPTEX_DMG_NAME} ${CRYPTEX_ID}.cptx
>	rm -rf ${CRYPTEX_ROOT_DIR} ${CRYPTEX_DMG_NAME} ${CRYPTEX_ID}.cxdb ${CRYPTEX_ID}.cxdb.signed

Commit: 37dadc1

Reported: https://github.com/apple/security-research-device/issues/38

SUMMARY: PR | srd_tools-24.100.3 at #41

Re: Update srd_tools to srd_tools-24.100.3 at https://github.com/apple/security-research-device/pull/41#

Crash Report for Darwin Cryptex Management Interface Version 2.0.0: Tue Jan 25 23:53:01 PST 2022;

X86_64

=====================================
SRD Cryptex Troubleshooter Log Info
=====================================
Fri Jan 28 09:37:36 EST 2022
Darwin mini.local 21.3.0 Darwin Kernel Version 21.3.0: Wed Jan  5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_X86_64 x86_64
Apple clang version 13.0.0 (clang-1300.0.29.30)
Target: x86_64-apple-darwin21.3.0
Thread model: posix
InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
Darwin Cryptex Management Interface Version 2.0.0: Tue Jan 25 23:53:01 PST 2022; root:libcryptex_executables-170.100.20~29/cryptexctl/WEN_ETA_X86_64
machdep.cpu.brand: 0
machdep.cpu.brand_string: Intel(R) Core(TM) i7-8700B CPU @ 3.20GHz
System Integrity Protection status: disabled.
cryptexctl: flags = [none]
cryptexctl: will re-exec: /usr/local/bin/cryptexctl.research
cryptexctl.research: path = /usr/local/bin/cryptexctl.research
MobileDevice version = 1368.60.4
cryptexctl.research: argv[_main] =
cryptexctl.research:   [0] = cryptexctl
cryptexctl.research:   [1] = -v2
cryptexctl.research:   [2] = -d2
cryptexctl.research:   [3] = install
cryptexctl.research:   [4] = --variant=research
cryptexctl.research:   [5] = --persist
cryptexctl.research:   [6] = --print-info
cryptexctl.research:   [7] = ./com.example.cryptex.cxbd.signed```

For X86_64, a quick check indates that this new cryptexctl binary being run via:

make clean
make
make install

Results in:

Process:               cryptexctl.research [32239]
Path:                  /usr/local/bin/cryptexctl.research
Identifier:            cryptexctl.research
Version:               ???
Code Type:             X86-64 (Native)
Date/Time:             2022-01-28 09:33:11.5166 -0500
OS Version:            macOS 12.2 (21D49)
Report Version:        12
Bridge OS Version:     6.2 (19P744)
System Integrity Protection: disabled
Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000010
Exception Codes:       0x0000000000000001, 0x0000000000000010
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [32239]

VM Region Info: 0x10 is not in any region.  Bytes before following region: 4416004080
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                      10736e000-1073b6000    [  288K] r-x/r-x SM=COW  ...xctl.research

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   cryptexctl.research           	       0x10737f079 0x10736e000 + 69753
1   cryptexctl.research           	       0x10737ebe2 0x10736e000 + 68578
2   libsystem_darwin.dylib        	    0x7ff8199c37df os_subcommand_main + 671
3   cryptexctl.research           	       0x10738bdc0 0x10736e000 + 122304
4   dyld                          	       0x111cd94fe start + 462

Thread 1:
0   libsystem_pthread.dylib       	    0x7ff81738bfec start_wqthread + 0

Thread 2:
0   libsystem_pthread.dylib       	    0x7ff81738bfec start_wqthread + 0


Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000  rbx: 0x00006000030bc480  rcx: 0x0000000100001480  rdx: 0x00007ff7b8b915e0
  rdi: 0x00006000030bc480  rsi: 0x00007ff7b8b91110  rbp: 0x00007ff7b8b91540  rsp: 0x00007ff7b8b91110
   r8: 0x00006000010b0600   r9: 0x00007ff859ff2e40  r10: 0x0000000000000018  r11: 0x81389640e70ffd72
  r12: 0x00007ffa598c4c60  r13: 0x00006000030bc480  r14: 0x00007ff7b8b915e0  r15: 0x0000000000000000
  rip: 0x000000010737f079  rfl: 0x0000000000010246  cr2: 0x0000000000000010
  
Logical CPU:     8
Error Code:      0x00000004 (no mapping for user data read)
Trap Number:     14

Thread 0 instruction stream:
  31 c0 5d e9 ec c9 00 00-55 48 89 e5 41 57 41 56  1.].....UH..AWAV
  41 54 53 48 81 ec 10 04-00 00 49 89 d6 48 89 fb  ATSH......I..H..
  48 8b 05 e0 6f 03 00 48-8b 00 48 89 45 d8 4c 8b  H...o..H..H.E.L.
  66 08 41 f6 04 24 20 75-7a 0f 57 c0 48 8d b5 d0  f.A..$ uz.W.H...
  fb ff ff 0f 29 46 20 0f-29 46 10 0f 29 06 48 c7  ....)F .)F..).H.
  46 30 00 00 00 00 49 8b-44 24 18 48 8b 44 c3 40  F0....I.D$.H.D.@
 [8b]78 10 e8 b6 0b 01 00-85 c0 0f 85 c0 00 00 00  .x..............	<==
  48 8b b5 d0 fb ff ff 48-8b 95 d8 fb ff ff 48 8b  H......H......H.
  05 52 70 03 00 48 8b 08-31 ff e8 b0 26 02 00 48  .Rp..H..1...&..H
  85 c0 0f 84 c6 00 00 00-48 89 c3 48 c7 85 f8 fb  ........H..H....
  ff ff 00 00 00 00 48 89-c7 e8 09 27 02 00 49 89  ......H....'..I.
  c7 eb 51 4c 8d bd d0 fb-ff ff ba 00 04 00 00 4c  ..QL...........L

Binary Images:
       0x10736e000 -        0x1073b5fff cryptexctl.research (*) <c67acc37-d0e3-39b1-8ea8-befc7a9bf5de> /usr/local/bin/cryptexctl.research
    0x7ff8199c0000 -     0x7ff8199c9fff libsystem_darwin.dylib (*) <f5936196-44b5-36da-8bd2-8a1d53a570c0> /usr/lib/system/libsystem_darwin.dylib
       0x111cd4000 -        0x111d3ffff dyld (*) <7de33963-bbc5-3996-ba6e-f1d562c17c95> /usr/lib/dyld
    0x7ff81738a000 -     0x7ff817395fff libsystem_pthread.dylib (*) <ee564342-d8f2-396d-b642-40092cf34d82> /usr/lib/system/libsystem_pthread.dylib
               0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ???

M1 T8101 ARM

=====================================
SRD Cryptex Troubleshooter Log Info
=====================================
Fri Jan 28 13:28:15 EST 2022
Darwin macbookpro.local 21.2.0 Darwin Kernel Version 21.2.0: Sun Nov 28 20:29:10 PST 2021; root:xnu-8019.61.5~1/RELEASE_ARM64_T8101 arm64
Apple clang version 13.0.0 (clang-1300.0.29.30)
Target: arm64-apple-darwin21.2.0
Thread model: posix
InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
Darwin Cryptex Management Interface Version 2.0.0: Tue Jan 25 23:53:01 PST 2022; root:libcryptex_executables-170.100.20~29/cryptexctl/WEN_ETA_ARM64E
machdep.cpu.brand_string: Apple M1
System Integrity Protection status: disabled.
cryptexctl: flags = [none]
cryptexctl: will re-exec: /usr/local/bin/cryptexctl.research
cryptexctl.research: path = /usr/local/bin/cryptexctl.research
MobileDevice version = 1368.60.4
cryptexctl.research: argv[_main] =
cryptexctl.research:   [0] = cryptexctl
cryptexctl.research:   [1] = -v2
cryptexctl.research:   [2] = -d2
cryptexctl.research:   [3] = install
cryptexctl.research:   [4] = --variant=research
cryptexctl.research:   [5] = --persist
cryptexctl.research:   [6] = --print-info
cryptexctl.research:   [7] = ./com.example.cryptex.cxbd.signed

M1 T8101 ARM Crash

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000010
Exception Codes:       0x0000000000000001, 0x0000000000000010
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [18176]

VM Region Info: 0x10 is not in any region.  Bytes before following region: 4363534320
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                      104164000-1041ac000    [  288K] r-x/r-x SM=COW  ...xctl.research

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   cryptexctl.research           	       0x104174df0 0x104164000 + 69104
1   cryptexctl.research           	       0x1041748f4 0x104164000 + 67828
2   cryptexctl.research           	       0x1041748f4 0x104164000 + 67828
3   libsystem_darwin.dylib        	       0x194adf578 os_subcommand_main + 716
4   cryptexctl.research           	       0x10418257c 0x104164000 + 124284
5   dyld                          	       0x1042150f4 start + 520

Thread 1:
0   libsystem_pthread.dylib       	       0x1923ac010 start_wqthread + 0

Thread 2:
0   libsystem_pthread.dylib       	       0x1923ac010 start_wqthread + 0


Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000600003bdd000   x1: 0x00006000015c14c0   x2: 0x000000016bc9b410   x3: 0x0000600001bdcde0
    x4: 0x0000000000000bc4   x5: 0x00000001ec0d80d0   x6: 0x007974696c697475   x7: 0x0000000000000001
    x8: 0x0000000000000000   x9: 0x55802c026e5c0050  x10: 0x0000000200001480  x11: 0x007ffffffffffff8
   x12: 0x0000000100001480  x13: 0x0000000000000001  x14: 0x0000000076000000  x15: 0x000000000000a41c
   x16: 0x710d8001d7979c9c  x17: 0x00000001041ac4c0  x18: 0x0000000000000000  x19: 0x000000016bc9af40
   x20: 0x000000016bc9b410  x21: 0x0000600003bdd000  x22: 0x00000001e63dad60  x23: 0x00006000027dc090
   x24: 0x00000001041a2ff2  x25: 0x000000016bc9b420  x26: 0x0000000000000009  x27: 0x00000001eb9c1b34
   x28: 0x00000001e87541b0   fp: 0x000000016bc9b380   lr: 0x85588001041748f4
    sp: 0x000000016bc9af40   pc: 0x0000000104174df0 cpsr: 0x40001000
   far: 0x0000000000000010  esr: 0x92000006 (Data Abort) byte read Translation fault

Binary Images:
       0x104164000 -        0x1041abfff cryptexctl.research (*) <8f3e3286-ec82-3a73-ac06-5e2ff79bd30e> /usr/local/bin/cryptexctl.research
       0x194adb000 -        0x194ae5fff libsystem_darwin.dylib (*) <3e100e89-39e4-3eb8-b107-74f2128ef205> /usr/lib/system/libsystem_darwin.dylib
       0x104210000 -        0x10426ffff dyld (*) <7e92b284-4b90-3b68-b31a-3ddc4c0e8d40> /usr/lib/dyld
       0x1923aa000 -        0x1923b6fff libsystem_pthread.dylib (*) <ed328b18-eeef-3b15-8858-798b19b0c2cd> /usr/lib/system/libsystem_pthread.dylib
               0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ???

SUMMARY: CoreTrust | AMFI Research | 15.4_19E5209h_Restore.ipsw | Load Trust Cache | unsuitable CT policy | iPhone 11 | iPhone 12 | AppleMobileFileIntegrity_research

SUMMARY

Subject to Minor Revision. This issue appears infrequently when Unit Testing Pull Request https://github.com/apple/security-research-device/pull/42. It has been found that when using 15.4_19E5209h_Restore.ipsw for personalizing a cryptex, iPhone 11 or iPhone 12, with address sanitizer dylibs including libgmalloc.dylib, and possibly debugserver, when using Apple Feedback Makefile https://github.com/xsscx/srd/blob/main/SecurityResearchTools_21C39/example-cryptex/src/hello/Makefile that AppleMobileFileIntegrity_research will occasionally Write to the Console Log:

unsuitable CT policy 0 for this platform/device, rejecting signature.

UX

Launchd fails to load the cryptex

Reproduction with example-cryptex

Source Makefile https://github.com/xsscx/srd/blob/main/SecurityResearchTools_21C39/example-cryptex/src/hello/Makefile

make install

Comment

The ASAN & UBSAN Installation successfully completes approximately 80% of attempted installations from macOS 12.2 or macOS 12.3 Beta. The HTTP Responses contain only a few bits of delta, likely causing the Error:

kernel: (AppleMobileFileIntegrity_research) static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Process 29 is checking if a cdhash is in the trust cache
kernel: (AppleMobileFileIntegrity_research) static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Returning IOReturn 0x0 to process 29
cryptexd: [com.apple.libcryptex:codex] <private>: openat: [2: No such file or directory]
kernel: (AppleMobileFileIntegrity_research) Invalid denylist

It is thought that AppleMobileFileIntegrity_research possibly contains the functionality.

Version Info

iOS IPSW

15.4_19E5209h_Restore.ipsw

Darwin Image4 Validator Version 4.2.0: Sun Jan 16 21:08:12 PST 2022; root:AppleImage4-158.100.11~1565/AppleImage4/RELEASE_ARM64E

Host X86_64

Mon Feb  7 16:27:40 EST 2022
kern.version: Darwin Kernel Version 21.3.0: Wed Jan  5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_X86_64
kern.osversion: 21D49
kern.iossupportversion: 15.3
kern.osproductversion: 12.2
kern.osproductversioncompat: 10.16
udid                           name       build      BORD       CHIP       ECID
00008101-001418DA3CC0013A      SRD0009 		19E5209h   0xc        0x8101     0x1418da3cc0013a
00008030-001538D03C40012E      SRD0037 		19E5209h   0x4        0x8030     0x1538d03c40012e
Apple clang version 13.1.6 (clang-1316.0.19.2)
Target: x86_64-apple-darwin21.3.0
InstalledDir: /Applications/Xcode-beta.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
/Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk
Darwin Cryptex Management Interface Version 2.0.0: Sun Dec 19 22:28:12 PST 2021; root:libcryptex_executables-169.80.2~9/cryptexctl/WEN_ETA_X86_64
machdep.cpu.brand: 0
machdep.cpu.brand_string: Intel(R) Core(TM) i7-8700B CPU @ 3.20GHz
System Integrity Protection status: disabled.

HOST T8101

Mon Feb  7 16:33:40 EST 2022
kern.version: Darwin Kernel Version 21.4.0: Tue Jan 18 13:02:08 PST 2022; root:xnu-8020.100.406.0.1~18/RELEASE_ARM64_T8101
kern.osversion: 21E5196i
kern.iossupportversion: 15.4
kern.osproductversioncompat: 10.16
kern.osproductversion: 12.3
kern.osproductversioncompat: 10.16
/Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk
udid                           name       build      BORD       CHIP       ECID
00008101-001418DA3CC0013A      SRD0009 		19E5209h   0xc        0x8101     0x1418da3cc0013a
00008030-001538D03C40012E      SRD0037 		19E5209h   0x4        0x8030     0x1538d03c40012e
Apple clang version 13.1.6 (clang-1316.0.19.2)
Target: arm64-apple-darwin21.4.0
InstalledDir: /Applications/Xcode-beta.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
Darwin Cryptex Management Interface Version 2.0.0: Tue Jan 25 23:53:01 PST 2022; root:libcryptex_executables-170.100.20~29/cryptexctl/WEN_ETA_ARM64E
machdep.cpu.brand_string: Apple M1
System Integrity Protection status: disabled.

Problem Statement for unsuitable CT policy 0 for this platform/device, rejecting signature

When loading a Trust Cache that contains *SAN Dylibs, and occasionally debugserver, AppleMobileFileIntegrity_research throws to Console Log:

unsuitable CT policy 0 for this platform/device, rejecting signature

Console Log for unsuitable CT policy 0 for this platform/device, rejecting signature

2022-02-04 13:45:18.882885-0500 0x127e     Default     0x0                  202    0    cryptexd: (libcryptex_core.dylib) [com.apple.libcryptex:scrivener] [anonymous]: tss request = <private>
2022-02-04 13:45:18.923219-0500 0x127e     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) static IOReturn AppleMobileFileIntegrityUserClient::loadTrustCache(OSObject *, void *, IOExternalMethodArguments *): PID 202 is requesting a trust cache load
2022-02-04 13:45:18.924095-0500 0x127e     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: Successfully loaded a new image4 v1 trust cache with 40 entries.
2022-02-04 13:45:18.925129-0500 0x127e     Error       0x0                  202    0    cryptexd: [com.apple.libcryptex:quire] missing label
2022-02-04 13:45:18.925136-0500 0x127e     Error       0x0                  202    0    cryptexd: [com.apple.libcryptex:quire] failed to frob plist: <xpc object>: [22: Invalid argument]
2022-02-04 13:45:18.925138-0500 0x127e     Error       0x0                  202    0    cryptexd: [com.apple.libcryptex:quire] <private>: failed to bootstrap service: <private>: [22: Invalid argument]
2022-02-04 13:45:25.207182-0500 0x131a     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) Invalid denylist
2022-02-04 14:34:02.486497-0500 0x65       Default     0x0                  0      0    kernel: (AppleImage4) Darwin Image4 Validator Version 4.2.0: Sun Jan 16 21:08:12 PST 2022; root:AppleImage4-158.100.11~1565/AppleImage4/RELEASE_ARM64E
2022-02-04 14:34:02.487129-0500 0x65       Default     0x0                  0      0    kernel: (AppleImage4) AppleImage4:
2022-02-04 14:34:02.487178-0500 0x65       Default     0x0                  0      0    kernel: (AppleImage4) failed to read nvram property: oblit-inprogress: 2
2022-02-04 14:34:02.487345-0500 0x65       Default     0x0                  0      0    kernel: (AppleImage4)
2022-02-04 14:34:02.488401-0500 0x65       Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI is running in RESEARCH mode!
2022-02-04 14:34:02.488609-0500 0x65       Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: UDID enforcement enabled
2022-02-04 14:34:09.384409-0500 0x62d      Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Process 29 is checking if a cdhash is in the trust cache
2022-02-04 14:34:09.385801-0500 0x62d      Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) static IOReturn AppleMobileFileIntegrityUserClient::isCdhashInTrustCache(OSObject *, void *, IOExternalMethodArguments *): Returning IOReturn 0x0 to process 29
2022-02-04 14:34:05.550904-0500 0xace      Error       0x0                  202    0    cryptexd: [com.apple.libcryptex:codex] <private>: openat: [2: No such file or directory]
2022-02-04 14:36:26.754496-0500 0x13b5     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) Invalid denylist
2022-02-04 14:39:24.550382-0500 0x1688     Default     0x0                  202    0    cryptexd: [com.apple.libcryptex:authinstall] <private>
...
2022-02-04 14:39:24.551076-0500 0x1688     Default     0x0                  202    0    cryptexd: [com.apple.libcryptex:authinstall] <private>
2022-02-04 14:39:24.551094-0500 0x1688     Default     0x0                  202    0    cryptexd: (libcryptex_core.dylib) [com.apple.libcryptex:scrivener] [anonymous]: tss request = <private>
2022-02-04 14:39:24.616109-0500 0x1688     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) static IOReturn AppleMobileFileIntegrityUserClient::loadTrustCache(OSObject *, void *, IOExternalMethodArguments *): PID 202 is requesting a trust cache load
2022-02-04 14:39:24.617122-0500 0x1688     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: Successfully loaded a new image4 v1 trust cache with 52 entries.
2022-02-04 14:39:24.622526-0500 0x1688     Error       0x0                  202    0    cryptexd: [com.apple.libcryptex:quire] missing label
2022-02-04 14:39:24.622534-0500 0x1688     Error       0x0                  202    0    cryptexd: [com.apple.libcryptex:quire] failed to frob plist: <xpc object>: [22: Invalid argument]
2022-02-04 14:39:24.622538-0500 0x1688     Error       0x0                  202    0    cryptexd: [com.apple.libcryptex:quire] <private>: failed to bootstrap service: <private>: [22: Invalid argument]
2022-02-04 14:39:24.817914-0500 0x169b     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.Of92Dh/usr/bin/cryptex-run' is adhoc signed.
2022-02-04 14:39:24.817932-0500 0x169b     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.Of92Dh/usr/bin/cryptex-run': unsuitable CT policy 0 for this platform/device, rejecting signature.
2022-02-04 14:39:24.817936-0500 0x169b     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: code signature validation failed.
2022-02-04 14:39:34.833073-0500 0x171f     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.Of92Dh/usr/bin/cryptex-run' is adhoc signed.
2022-02-04 14:39:34.833105-0500 0x171f     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.Of92Dh/usr/bin/cryptex-run': unsuitable CT policy 0 for this platform/device, rejecting signature.
2022-02-04 14:39:34.833112-0500 0x171f     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: code signature validation failed.
2022-02-04 14:39:44.844462-0500 0x1761     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.Of92Dh/usr/bin/cryptex-run' is adhoc signed.
2022-02-04 14:39:44.844489-0500 0x1761     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.Of92Dh/usr/bin/cryptex-run': unsuitable CT policy 0 for this platform/device, rejecting signature.
2022-02-04 14:39:44.844495-0500 0x1761     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: code signature validation failed.
2022-02-04 14:39:54.860344-0500 0x17ad     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.Of92Dh/usr/bin/cryptex-run' is adhoc signed.
2022-02-04 14:39:54.860375-0500 0x17ad     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.Of92Dh/usr/bin/cryptex-run': unsuitable CT policy 0 for this platform/device, rejecting signature.
2022-02-04 14:39:54.860382-0500 0x17ad     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: code signature validation failed.
2022-02-04 14:40:04.874073-0500 0x18a6     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.Of92Dh/usr/bin/cryptex-run' is adhoc signed.
2022-02-04 14:40:04.874095-0500 0x18a6     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.Of92Dh/usr/bin/cryptex-run': unsuitable CT policy 0 for this platform/device, rejecting signature.
2022-02-04 14:40:04.874098-0500 0x18a6     Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity_research) AMFI: code signature validation failed.
2022-02-04 14:40:09.382576-0500 0x17c9     Default     0x0                  202    0    cryptexd: (libcryptex_core.dylib) [com.apple.libcryptex:authinstall] <private>
2022

cryptexctl -v9 -d9 -ldt install --variant=research --persist --print-info ./com.example.cryptex.cxbd.signed

2022-02-07 14:38:26.144023-0500 cryptexctl.research[70656:2902489] [install]   ptr_munge =>
cryptexctl.research:   main_stack =>
2022-02-07 14:38:26.144227-0500 cryptexctl.research[70656:2902489] [install]   main_stack =>
cryptexctl.research:   executable_file => 0x1c01000005,0x774973
2022-02-07 14:38:26.144239-0500 cryptexctl.research[70656:2902489] [install]   executable_file => 0x1c01000005,0x774973
cryptexctl.research:   dyld_file => 0x1c01000005,0xfffffff000e3cb5
2022-02-07 14:38:26.144268-0500 cryptexctl.research[70656:2902489] [install]   dyld_file => 0x1c01000005,0xfffffff000e3cb5
cryptexctl.research:   executable_cdhash => 50da1fdfbd3511624b146f0dbf201e7e305a74ae
2022-02-07 14:38:26.144276-0500 cryptexctl.research[70656:2902489] [install]   executable_cdhash => 50da1fdfbd3511624b146f0dbf201e7e305a74ae
cryptexctl.research:   executable_boothash => a203fd8a1362a0de49d1dc334725b5df1a19a5cf
2022-02-07 14:38:26.144286-0500 cryptexctl.research[70656:2902489] [install]   executable_boothash => a203fd8a1362a0de49d1dc334725b5df1a19a5cf
cryptexctl.research:   th_port =>
2022-02-07 14:38:26.144315-0500 cryptexctl.research[70656:2902489] [install]   th_port =>
will persist cryptex
2022-02-07 14:38:26.144329-0500 cryptexctl.research[70656:2902489] [install] will persist cryptex
2022-02-07 14:38:26.150802-0500 cryptexctl.research[70656:2902489] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-02-07 14:38:26.154525-0500 cryptexctl.research[70656:2902489] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-02-07 14:38:26.201995-0500 cryptexctl.research[70656:2902489] [device] SRD0009: connected to device: AMDevice 0x600001420000 {UDID = 00008101-001418DA3CC0013A, device ID = 28, location ID = 0x14100000, product ID = 0x12a8}
2022-02-07 14:38:26.202050-0500 cryptexctl.research[70656:2902489] [utility] read 1106 bytes
2022-02-07 14:38:26.202113-0500 cryptexctl.research[70656:2902489] [utility] read 311 bytes
2022-02-07 14:38:26.202133-0500 cryptexctl.research[70656:2902489] [utility] read 3012 bytes
2022-02-07 14:38:26.202325-0500 cryptexctl.research[70656:2902489] AMDeviceMountImage (thread 0x110638600): Preparing to mount image at /Users/xss/example-cryptex/com.example.cryptex.cxbd.signed/Restore/Cryptex/research/cpxd.
2022-02-07 14:38:26.202409-0500 cryptexctl.research[70656:2902489] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-02-07 14:38:26.205714-0500 cryptexctl.research[70656:2902489] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-02-07 14:38:26.207125-0500 cryptexctl.research[70656:2902489] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-02-07 14:38:26.240729-0500 cryptexctl.research[70656:2902489] [library] USBMuxConnectByPort:584 Connecting to port 23489 (c1, 5b)
2022-02-07 14:38:26.241902-0500 cryptexctl.research[70656:2902489] _UsbMuxSecureStartService (thread 0x110638600): SSL requested for service com.apple.mobile.mobile_image_mounter with device 00008101-001418DA3CC0013A
2022-02-07 14:38:26.243712-0500 cryptexctl.research[70656:2902489] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-02-07 14:38:26.247433-0500 cryptexctl.research[70656:2902489] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-02-07 14:38:26.277265-0500 cryptexctl.research[70656:2902489] _UsbMuxSecureStartService (thread 0x110638600): returned 0 starting service com.apple.mobile.mobile_image_mounter on device 00008101-001418DA3CC0013A at port 49499, out fd = -1.
2022-02-07 14:38:26.279212-0500 cryptexctl.research[70656:2902489] AMDeviceStopSession (thread 0x110638600): returned 0x0 for device 28
2022-02-07 14:38:26.279442-0500 cryptexctl.research[70656:2902489] fire_callback (thread 0x110638600): Invalid input.
2022-02-07 14:38:26.279605-0500 cryptexctl.research[70656:2902489] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-02-07 14:38:26.282702-0500 cryptexctl.research[70656:2902489] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-02-07 14:38:26.294559-0500 cryptexctl.research[70656:2902489] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-02-07 14:38:26.296897-0500 cryptexctl.research[70656:2902489] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-02-07 14:38:26.299170-0500 cryptexctl.research[70656:2902489] fire_callback (thread 0x110638600): Invalid input.
2022-02-07 14:38:26.300768-0500 cryptexctl.research[70656:2902489] stream_image (thread 0x110638600): ACK'd (ReceiveBytesAck), proceeding with transfer...
2022-02-07 14:38:26.942376-0500 cryptexctl.research[70656:2902489] stream_image (thread 0x110638600): transfer complete (Complete).
2022-02-07 14:38:26.942440-0500 cryptexctl.research[70656:2902489] fire_callback (thread 0x110638600): Invalid input.
2022-02-07 14:38:27.087997-0500 cryptexctl.research[70656:2902489] AMDeviceMountImage (thread 0x110638600): The image (/Users/xss/example-cryptex/com.example.cryptex.cxbd.signed/Restore/Cryptex/research/cpxd) has been mounted.

Quick Repro Instructions

make install
[ CHECK Console Log for unsuitable CT policy ]
...
rm -rf com.example.cryptex.cxbd com.example.cryptex.cxbd.signed
cryptexctl ${CRYPTEXCTL_FLAGS} create --research --replace ${CRYPTEXCTL_CREATE_FLAGS} --identifier=com.example.cryptex --version=1.3.3.7 --variant=research com.example.cryptex.dmg
cryptexctl ${CRYPTEXCTL_PERSONALIZE_FLAGS} personalize --replace  --variant=research com.example.cryptex.cxbd
cryptexctl uninstall com.example.cryptex
cryptexctl install --variant=research --persist com.example.cryptex.cxbd.signed
cryptexctl list
[ WATCH SRD Console Log for unsuitable CT policy ]
[ ELSE SRD *SAN Cryptex Install Success ]

View the logs from the archive

sudo -E cryptexctl log collect
cryptexctl log show -- --archive ./system_logs.logarchive

Console Log for Good Cryptex Installation for *SAN Dylibs

default	15:16:33.313380-0500	cryptexd	[anonymous]: tss request = <private>
default	15:16:33.354851-0500	kernel	hfs: mounted com.example.cryptex.dstroot on device disk2s1
error	15:16:33.357615-0500	cryptexd	missing label
error	15:16:33.357652-0500	cryptexd	failed to frob plist: <xpc object>: [22: Invalid argument]
error	15:16:33.357681-0500	cryptexd	<private>: failed to bootstrap service: <private>: [22: Invalid argument]
default	15:16:33.362209-0500	MobileStorageMounter	cryptex mount point = <private>
default	15:16:33.363030-0500	MobileStorageMounter	Posting notification: com.apple.mobile.cryptex_mounted
default	15:16:33.363780-0500	installd	0x16d097000 main_block_invoke_2: event: <OS_xpc_dictionary: <dictionary: 0x133f0c350> { count = 4, transaction: 0, voucher = 0x133f0ed90, contents =
	"UserInfo" => <dictionary: 0x133f0f650> { count = 2, transaction: 0, voucher = 0x0, contents =
		"DiskImageType" => <string: 0x133f0d110> { length = 7, contents = "Cryptex" }
		"DiskImageMountPath" => <string: 0x133f05440> { length = 75, contents = "/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.o2Ya1h" }
	}
	"Name" => <string: 0x133f0bc90> { length = 35, contents = "com.apple.mobile.disk_image_mounted" }
	"Object" => <string: 0x133f10930> { length = 20, contents = "MobileStorageMounter" }
	"XPCEventName" => <string: 0x133f048e0> { length = 35, contents = "com.apple.mobile.disk_image_mounted" }
}>
default	15:16:33.377556-0500	installd	0x16d097000 -[MIDeveloperDiskImageTracker imageMounted:]: received notification: file:///private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.o2Ya1h/Applications/
default	15:16:33.377759-0500	installd	0x16d097000 -[MIDeveloperDiskImageTracker checkMountPoint:]_block_invoke: /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.o2Ya1h/Applications is not present now or before
error	15:16:33.437371-0500	kernel	1 duplicate report for Sandbox: MobileStorageMou(303) deny(1) file-read-metadata /private/var/run/com.apple.security.cryptexd/codex.system/live/com.example.cryptex/cpxd
error	15:16:33.437403-0500	kernel	Sandbox: mobile_storage_p(302) deny(1) file-read-metadata /private/var/run/com.apple.security.cryptexd/codex.system/live/com.example.cryptex/cpxd
error	15:16:33.549983-0500	simple-server	Hello! I'm simple-server from the example cryptex!
error	15:16:33.550098-0500	simple-server	I'm about to bind to 0.0.0.0:7777
error	15:16:33.550152-0500	simple-server	I'm about to listen on fd: 3
error	15:16:33.550302-0500	simple-server	Waiting for a client to connect...
error	15:16:33.569217-0500	simple-shell	I'm about to listen on fd: 3
error	15:16:33.571396-0500	dropbear	send failed: Invalid argument

Sysdiagnose

srd009-srd0037-github_issue_47-sysdiagnose_2022.02.07_15-37-14-0500_iPhone-OS_iPhone_19E5209h.zip uploaded to app.box.com on MON 7 FEB 2022 1543 EST

Request

Help is be appreciated isolating the Entitlements that are likely the cause(s) of the Console log message to increase to Successful Installation Rates for PR42 https://github.com/apple/security-research-device/pull/42.

Knowledgebase

Workaround

make clean
make install

Reported: https://github.com/apple/security-research-device/issues/47

SUMMARY | TSS | Finder | macOS Version 12.3 Beta (21E5206e) | macOS 12.2 (21D49) | iPhone 12 | iPhone13,2,iPhone13,3_15.4_19E5219e_Restore.ipsw | Declined

SUMMARY

Reproduction

Terminal

defaults write com.apple.AMPDevicesAgent ipsw-variant -string 'Research Developer Erase Install (IPSW)'
killall Finder

Finder

Step 1: Press Option Key + Restore iPhone in Finder
Step 2: Select your IPSW

Logging

[09:12:05.0788] Depth:0 Code:4028 Error:Personalization failed

Workaround

Step 1: Use srdutil restore
Step 2: Declined the Finder popup to Restore
Step 3: Using Finder, Select your SRD
Step 4: Press Option Key + Restore iPhone in Finder
Step 5: Select your IPSW

Knowledgebase

Reported: https://github.com/apple/security-research-device/issues/52

SUMMARY: SRD | Discussion | nvram settings disabling KTRR, CTRR and kASLR

SUMMARY

With respect to 19E5209h and the the nvram settings for SRD, when possible, please provide examples for the existing nvram settings and for those nvram settings disabling KTRR, CTRR and kASLR.

nvram wishlist

Please consider including nvram settings to programmatically configure the SRD following IPSW Operations with Finder, srdutil or other Tooling that may be made available.

Proposed nvram setting:

nvram bypass-setup --ecid=blah

The proposed nvram setting bypass-setup would take an SRD with IPSW and bypass Manual Configuration. The nvram configuration option would setup the SRD with wireless, ip, netmask, gateway, dns OR optionally dhcp, --ipv4=ipv4_dhcp, which consumes the IPv4 Defaults from the Network.

 nvram bypass-setup --ecid=blah --ssid=public --password=secret --type=wpa --ipv4=192.168.x.y --ipv4netmask=255.255.255.0 --gateway=192.168.x.y --dns=192.168.x.y --interface=Index

Proposed nvram setting:

nvram show

The proposed nvram setting interface would take an SRD with IPSW and output all Interface Property Index Details or a specified Index.

 nvram show interface index

Proposed nvram setting:

nvram reboot --ecid=blah --cpuid=Index

The proposed nvram setting reboot would provide for programmatic Reboot of SRD or optionally take an Index to Halt and Start a CPU.

nvram config file

Please also consider adding additional nvram settings, such as those shown below, that could be placed in a nvram.cfg settings file on the Host to programmatically manage SRD:

! start: srd nvram config description file
! This file contains all descriptors for nvram with example usage
nvram console log comment Starting IPSW install of blah^Z
! Set mode to Restore
nvram mode restore 
! Set mode to DFU
nvram mode dfu
! Write 100 lines from Console Log to stdout
nvram console log 100 

! SRD needs programmatic Reboot functionality
nvram reboot
! end: srd nv

Pseudo-Workflow

#!/bin/sh
echo "Running IPSW Provisioning Script for ECID $blah"
srdutil restore ipsw
nvram bypass-setup  --ecid=blah --ssid=public --password=secret --type=wpa --ipv4=192.168.x.y --ipv4netmask=255.255.255.0 --gateway=192.168.x.y --dns=192.168.x.y
nvram show interface index
...
make install
ssh 192.168.x.y
...
nvram reboot --ecid=blah --cpuid==Index

Sample Code Requests

Please consider providing sample code to demonstrate and confirm the disablement and enablement of KTRR & CTRR capabilities for the SRD
Please consider providing sample code to demonstrate and confirm that kASLR is enabled & disabled for the SRD

Thank You
Added to Discussion https://github.com/apple/security-research-device/discussions/2

xsscx / srd Goto Github PK

srd's Introduction

Welcome to Hoyt's SRD Repo

whoami

SUMMARY

Toybox Unstripped

START HERE

SRD Example DMG, Build & Installation Status for iOS 16.x w/ + 8792.60.55

Last Known Good Working Configuration(s)

Lastest IPSW Installations

Prerequisites

Resources

SRD DMG Testing

SRD Cryptex Log Collector

Hosts

X86_64

Run Targets

How-To Compile for iOS

srd's People

Contributors

Stargazers

Watchers

Forkers

srd's Issues

Sample

Reproduction

Build Log

File Info from Errors

Summary

Source

iPhone 11

Status

SUMMARY for PR42 using 15.4_19E5219e

With reference to PR's https://github.com/apple/security-research-device/pull/42 and https://github.com/apple/security-research-device/pull/49 when using https://github.com/apple/security-research-device/pull/48 using 15.4_19E5219e.

Starting Entitlement for libclang_rt.asan_ios_dynamic.dylib for Xcode Version 13.3 beta 1

Final dstroot Entitlement for libclang_rt.asan_ios_dynamic.dylib for Xcode Version 13.3 beta 1

Note

Takeaway

cryptexctl device list

Prior Fix

Knowledgebase

SUMMARY for PR42 using 15.4_19E5219e

PR42

Here is the AMFI complaint for the SAN Dylibs as of SUN 13 FEB 2022: (file system sandbox blocked mmap()

PR48

Prior Fix

Knowledgebase

Issue

Repro

Terminal

Source

Codesign Info

Host Version Info

Issue Summary

iPhone 11 Log Collection

iPhone 12 Log Collection

UX

Prior Report(s)

Cryptex Manager

21C39 | Readme.md Changes for troubleshooting

Example Data Collector

Summary

Platform

Source Code

Trouble Report

User Experience | UX

The Problem

Error with cryptexctl create

Apple Feedback FB9737956 | iPhone11,8,iPhone12,1_15.2_19C5026i_Restore.ipsw | SRD | 19C5026i | Entitlement | research.com.apple.license-to-operate

Summary

TSS | 21C52 | 20G314 | 19D5040e | iPhone 12 | Declined via Finder | srdutil success

Finder

Updated THU 13 JAN 2022 at 0700 EST

Audit Trail

SUMMARY

Current Status

Workaround

Discussion & Analysis

Workaround

21C52 | 21D5025f | 20C80 | 21C39 | X86_64 | T8101 | Toybox | Build