This repository was archived by the owner on Oct 3, 2023. It is now read-only.

Update rmsigchks.py with t8015 patches (commented out)#4

Open
czz wants to merge 1 commit into LinusHenze:master from czz:master


Conversation


@czz czz commented Oct 22, 2019

t8015_patches to be verified

@The-Synthax

t8015 needs its own patches, the t8011 patches do not work. Even when patched properly, we still need wxn disabled on the platform.


die-young commented Oct 24, 2019

The patches might be false or the USB_READ_LIMIT isn't right or the whole usbexec.py needs to be rewritten (probably not)

Edit: You can read from the SecureROM but you can't write to it.


91728 commented Oct 26, 2019

You can read http://newosxbook.com/bonus/iBoot.pdf to see about the values set in the system register regarding WxN.
Without flipping the bit you would get the following result
(this is shellcode executing while being debugged, trying to write to executable memory mapped to the SecureROM):

(lldb) thread step-scripted -C step.Script
[*] starting at: 0x0000000100000568
[*] overwrote pc with: 0x0000000180018000
(lldb) 0x180018400: msr    DAIFSet, #0xf
0x180018404: ldr    x5, #0x24
0x180018408: ldr    w6, 0x180018430
0x18001840c: str    w6, [x5]
0x180018410: ldr    x5, #0x28
Process 1 stopped
* thread #1, name = 'ECORE0', stop reason = trace
    frame #0: 0x0000000180018410
->  0x180018410: ldr    x5, #0x28
    0x180018414: ldr    x6, #0x2c
    0x180018418: str    x6, [x5]                
    0x18001841c: ldr    x5, #0x2c   ===========  0x100006268 (securerom)
Target 0: (No executable module.) stopped.
(lldb) si
Process 1 stopped
* thread #1, name = 'ECORE0', stop reason = instruction step into
    frame #0: 0x0000000180018414
->  0x180018414: ldr    x6, #0x2c
    0x180018418: str    x6, [x5]
    0x18001841c: ldr    x5, #0x2c
    0x180018420: br     x5
Target 0: (No executable module.) stopped.
(lldb) si
Process 1 stopped
* thread #1, name = 'ECORE0', stop reason = instruction step into
    frame #0: 0x0000000180018418
->  0x180018418: str    x6, [x5]           <---- trying to write no control flow here...
    0x18001841c: ldr    x5, #0x2c
    0x180018420: br     x5
    0x180018424: nop    
Target 0: (No executable module.) stopped.
(lldb) si
Process 1 stopped
* thread #1, name = 'ECORE0', stop reason = instruction step into
    frame #0: 0x0000000100000800                                    <---- you see that we jumped to the exception
                                                                          handler..
->  0x100000800: msr    SPSel, #0x0
    0x100000804: sub    sp, sp, #0x340            ; =0x340 
    0x100000808: stp    x0, x1, [sp]
    0x10000080c: stp    x2, x3, [sp, #0x10]

On the other hand, let's read the system register, and then flip bit 19 (see iBoot.pdf).

(lldb) thread step-scripted -C step.Script
[*] starting at: 0x0000000100000568
[*] overwrote pc with: 0x0000000180018000
(lldb) 0x180018400: msr    DAIFSet, #0xf
Process 1 stopped
* thread #1, name = 'ECORE0', stop reason = trace
    frame #0: 0x0000000180018400
->  0x180018400: msr    DAIFSet, #0xf
    0x180018404: mrs    x0, SCTLR_EL1
    0x180018408: ldr    x0, #0x20
    0x18001840c: msr    SCTLR_EL1, x0
Target 0: (No executable module.) stopped.
(lldb) si
Process 1 stopped
* thread #1, name = 'ECORE0', stop reason = instruction step into
    frame #0: 0x0000000180018404
->  0x180018404: mrs    x0, SCTLR_EL1       <---- read the system register...
    0x180018408: ldr    x0, #0x20
    0x18001840c: msr    SCTLR_EL1, x0
    0x180018410: ldr    x5, #0x20
Target 0: (No executable module.) stopped.
(lldb) si
Process 1 stopped
* thread #1, name = 'ECORE0', stop reason = instruction step into
    frame #0: 0x0000000180018408
->  0x180018408: ldr    x0, #0x20
    0x18001840c: msr    SCTLR_EL1, x0
    0x180018410: ldr    x5, #0x20
    0x180018414: ldr    x6, #0x24
Target 0: (No executable module.) stopped.
(lldb) reg r x0
      x0 = 0x000000003050198d                     <----- this is the system register value..
(lldb) si
Process 1 stopped
* thread #1, name = 'ECORE0', stop reason = instruction step into
    frame #0: 0x000000018001840c
->  0x18001840c: msr    SCTLR_EL1, x0             <----   write to system register
    0x180018410: ldr    x5, #0x20
    0x180018414: ldr    x6, #0x24
    0x180018418: str    x6, [x5]
Target 0: (No executable module.) stopped.
(lldb) si
Process 1 stopped
* thread #1, name = 'ECORE0', stop reason = instruction step into
    frame #0: 0x0000000180018410
->  0x180018410: ldr    x5, #0x20
    0x180018414: ldr    x6, #0x24
    0x180018418: str    x6, [x5]
    0x18001841c: ldr    x4, #0x24
Target 0: (No executable module.) stopped.
(lldb) reg r x0
      x0 = 0x0000000003050198                       <---- wxn bit not set anymore..
(lldb) si
Process 1 stopped
* thread #1, name = 'ECORE0', stop reason = instruction step into
    frame #0: 0x0000000180018414
->  0x180018414: ldr    x6, #0x24
    0x180018418: str    x6, [x5]
    0x18001841c: ldr    x4, #0x24
    0x180018420: br     x4
Target 0: (No executable module.) stopped.
(lldb) reg r x5
      x5 = 0x0000000100006268                           <----- trying to write again to securerom 
(lldb) si
Process 1 stopped
* thread #1, name = 'ECORE0', stop reason = instruction step into
    frame #0: 0x0000000180018418
->  0x180018418: str    x6, [x5]
    0x18001841c: ldr    x4, #0x24
    0x180018420: br     x4
    0x180018424: nop    
Target 0: (No executable module.) stopped.
(lldb) si
Process 1 stopped
* thread #1, name = 'ECORE0', stop reason = instruction step into
    frame #0: 0x000000018001841c                                      <----- execution continued, no exception.. 
->  0x18001841c: ldr    x4, #0x24
    0x180018420: br     x4
    0x180018424: nop    
    0x180018428: .long  0x03050198                ; unknown opcode
Target 0: (No executable module.) stopped.
(lldb) si
Process 1 stopped
* thread #1, name = 'ECORE0', stop reason = instruction step into
    frame #0: 0x0000000180018420
->  0x180018420: br     x4
    0x180018424: nop    
    0x180018428: .long  0x03050198                ; unknown opcode
    0x18001842c: udf    #0x0
Target 0: (No executable module.) stopped.                                <----- nothing is written to memory..
(lldb) memory read $x5
0x100006268: c0 03 5f d6 24 0b 00 94 80 7e 08 10 1f 20 03 d5  ?._?$....~... .?
0x100006278: e1 03 00 aa ab 0a 00 94 28 04 40 f9 09 a5 41 39  ?..??...(.@?.?A9
(lldb) reg r x6
      x6 = 0x000080d2c0035fd6                                  <----- this is what we tried to write,
                                                                      seems like it didn't work out = )
(lldb) 

But you can obviously execute any arbitrary code you like.
You can also influence LLB, but sigchks won't be your solution here, I assume.


91728 commented Oct 26, 2019

(Of course, with the debugger you can just hook the function to 'execute the patches'.)


91728 commented Oct 26, 2019

Won't work w/o a probe.


czz commented Oct 27, 2019

"die-young:
The patches might be false or the USB_READ_LIMIT isn't right or the whole usbexec.py needs to be rewritten (probably not)"

I have set USB_READ_LIMIT = 0xFF0 in usbexec.py for the iPhone X to be checkm8ted.

@die-young

Yeah, 0xFF0 is the right "value". Only need to disable wxn.

@Jhoisaac

"t8015_patches to be verified"
Doesn't work on my iPhone 8 (10,1):
Traceback (most recent call last):
  File "rmsigchks.py", line 124, in <module>
    main()
  File "rmsigchks.py", line 110, in main
    pdev.write_memory(k, config.patches[k])
  File "/Users/jh0n4/ipwndfu_public/usbexec.py", line 44, in write_memory
    def write_memory(self, address, data): self.command(self.cmd_memcpy(address, self.cmd_data_address(3), len(data)) + data, 0)
  File "/Users/jh0n4/ipwndfu_public/usbexec.py", line 106, in command
    response = device.ctrl_transfer(0xA1, 2, 0xFFFF, 0, response_length + 1, CMD_TIMEOUT).tostring()[1:]
  File "/Users/jh0n4/ipwndfu_public/usb/core.py", line 1043, in ctrl_transfer
    self.__get_timeout(timeout))
  File "/Users/jh0n4/ipwndfu_public/usb/backend/libusb1.py", line 883, in ctrl_transfer
    timeout))
  File "/Users/jh0n4/ipwndfu_public/usb/backend/libusb1.py", line 595, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 5] Input/Output Error


czz commented Oct 29, 2019

@DanielVolt

from tech analysis checkm8 by a1exdandy: 0x1800B0610: disabe_wxn_arm64 # code for disabling WXN


czz commented Oct 30, 2019

@DanielVolt

https://github.com/akayn/ipwndfu this does everything we wanted to do ;)

@die-young

Yeah, but only iPhone X needs that for the iPhone 8.


hirakujira commented Feb 27, 2020

Sorry for asking a dumb question here:

If the WXN can be disabled and the patch is correct, the device still can't restore to "ANY" firmware, right?

Because https://github.com/tihmstar/futurerestore/blob/master/README.md shows that

Any 64-bit device:
Enter to pwnDFU mode and patch signature check with special fork of ipwndfu

and

If you have a jailbroken device, you can downgrade to any firmware version you have blobs for.

However, this can't fix SEP compatibility for older firmwares, right?


@djeraseit djeraseit left a comment


*** SecureROM Signature check remover by Linus Henze ***
Found: CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:000169E82007C83A IBFL:3C SRTG:[iBoot-3332.0.0.1.23] PWND:[checkm8]
Applying patches...
Traceback (most recent call last):
  File "rmsigchks.py", line 101, in <module>
    main()
  File "rmsigchks.py", line 88, in main
    pdev.write_memory(k, config.patches[k])
  File "/media/theodisbutler/RECOVERY/Mobile/ipwndfu_public/usbexec.py", line 44, in write_memory
    def write_memory(self, address, data): self.command(self.cmd_memcpy(address, self.cmd_data_address(3), len(data)) + data, 0)
  File "/media/theodisbutler/RECOVERY/Mobile/ipwndfu_public/usbexec.py", line 106, in command
    response = device.ctrl_transfer(0xA1, 2, 0xFFFF, 0, response_length + 1, CMD_TIMEOUT).tostring()[1:]
  File "/media/theodisbutler/RECOVERY/Mobile/ipwndfu_public/usb/core.py", line 1043, in ctrl_transfer
    self.__get_timeout(timeout))
  File "/media/theodisbutler/RECOVERY/Mobile/ipwndfu_public/usb/backend/libusb1.py", line 883, in ctrl_transfer
    timeout))
  File "/media/theodisbutler/RECOVERY/Mobile/ipwndfu_public/usb/backend/libusb1.py", line 595, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 5] Input/Output Error

@djeraseit

I modified usbexec.py and set USB_READ_LIMIT = 0xFF0.

Need to test. As for now phone stuck on Apple logo. Will start over and try again.

Do not merge the commit as is without modifying USB_READ_LIMIT.


8 participants