SPRR JIT
TrungNguyen1909 opened this issue · 17 comments
On iOS, the dynamic-codesigning entitlement is required to enable JIT. Can you update the register fuzz results when run with that entitlement?
Thanks
Hello! yes... planning on that and more.. the commit is incomplete because I was working on getting debugserver running on 19A5281h .. but I ran into.. "(Breakpoint) pointer authentication trap DA" ... and spent time filing Feedback... FB9221569 | FB9221261 | FB9223349. .. .. So. Thank you for opening an issue, and I'll leave this open, and return results.. If you want to put together a PR, or just email or whatever.. please do..
My bad for the incomplete commit.. went down the debug server rabbit hole.. and lost track of time .. looking forward to getting to on this project after a few days off for the holiday here in states.
Thank You!
Please suggest anything else..
uname -a
Darwin iPhone 20.6.0 Darwin Kernel Version 20.6.0: Sun Jun 20 22:50:32 PDT 2021; root:xnu-7195.140.39.0.1~13/RELEASE_ARM64_T8030 iPhone12,1
whoami
root
id -G
0 1 2 3 4 5 8 9 20 29 80
id
uid=433086517(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),20(staff),29(certusers),80(admin)
id -g
0
entitlements.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>dynamic-codesigning</key>
    <true/>
    <key>platform-application</key>
    <true/>
    <key>com.apple.private.security.no-container</key>
    <true/>
</dict>
</plist>
Here is the view on the SRD:
# ls -la ../../
total 0
drwxr-xr-x 4 mobile staff 204 2021-07-01 20:36 .
drwxr-xr-x 5 root daemon 160 2021-07-01 20:36 ..
drwxr-xr-x 3 mobile staff 102 2021-07-01 16:02 Library
drwxr-xr-x 3 mobile staff 102 2021-07-01 16:02 usr
# ls -la ../../Library/LaunchDaemons
total 20
drwxr-xr-x 7 mobile staff 238 2021-07-01 16:04 .
drwxr-xr-x 3 mobile staff 102 2021-07-01 16:02 ..
-rw-r--r-- 1 mobile staff 1388 2021-07-01 20:36 dropbear-research.plist
-rw-r--r-- 1 mobile staff 374 2021-07-01 20:36 entitlements.plist
-rw-r--r-- 1 mobile staff 649 2021-07-01 20:36 hello.plist
-rw-r--r-- 1 mobile staff 1254 2021-07-01 20:36 simple-server.plist
-rw-r--r-- 1 mobile staff 1129 2021-07-01 20:36 simple-shell.plist
#
My TODO List:
19A5281h
Update the entitlements.plist
Update Makefile to include entitlements.plist
Commit
18G5052d
Update the entitlements.plist
Update Makefile to include entitlements.plist
Commit
REQUIRED
19A5281h
Hand-roll cryptex with Toybox Unstripped for install with Register Permission Check Code and Debugserver
Jetsam Issue - Pending Questions from Upstream
18G5052d
Hand-roll cryptex with Toybox Unstripped for install with Register Permission Check Code and Debugserver
CAVEAT: User = root and I'm Side-loading executable code onto the device with arbitrary entitlements at the same permission level as Apple operating system components.
Down the Road:
Create command line version to enter EL1, push Stack, single CPU at EL0, Test, Return EL1, Report and End... or something along those lines... still working on proper prototype for the state change.. x86 meets arm... rtfm in process...
Xcode Project for testing as mobile user
Hey-
I did some quick directory and file cleanup so I can granularly build unit tests and add them to the cryptex. See URL https://github.com/xsscx/srd/tree/main/code/registers
https://github.com/xsscx/srd/edit/main/code/registers/S3_6_c15_c1_6/
https://github.com/xsscx/srd/edit/main/code/registers/s3_6_c15_c1_5/
CAVEAT: User = root and I'm Side-loading executable code onto the device with arbitrary entitlements at the same permission level as Apple operating system components, EL1.
- The code is 100% CopyPasta from Sven Peter for M1 Apple Silicon and needs to be refactored to run on the SRD and iOS on iPhone 11.
If anyone has spare time, perhaps the EL0 SPRR Test can be pulled into Xcode and turned into a PR.. and I will add to my TODO List...
Last Item.. the M1racles Test obviously works and I will Post the unit test soon.
Reminder to all - I'm an idiot, not a ninja.. so if you have any suggestions, please add to this Issue or open a new Issue.
Thanks for opening an Issue, hopefully I'll get this issue sorted out soon.
@xsscx, I don't see the result anywhere.
Moreover, on T8030 systems, SPRR EL1 registers are S3_6_c15_c3_0 and S3_6_c15_c1_7; SPRR EL0 registers are S3_6_c15_c1_5 and S3_6_c15_c1_6; S3_6_c15_c3_1, S3_6_c15_c1_0 and S3_6_c15_c1_1 seem to be configuration registers, but their behavior is unknown.
Would be nice if we could test in EL1 though.
Copy. In process. Can you give me a link to the Source for Register Definitions you are using, or paste in a List.. clearly I've got a bad join and I'll look at that later..
I'll take the list.. and mod the code to take input from -file or xargs or something so we can just feed in a list of registers to check.. if anyone has the time to do such a thing.. please setup a PR.. otherwise.. I'll add that TODO.
I just re-scripted those 4 registers.. from EL1 .. finishing up the expect script and will post results.
Thanks for the correction.
I don't have a list. This is based on my observations and RE.
Here is a rough list (not sure if it's correct or not)
- Set s3_6_c15_c1_0 = 1 // (?) SPRR_CONFIG_EL1
- Set s3_6_c15_c1_1 = 1 // Unknown
- Set s3_6_c15_c3_0 = 0x2020 a506 f020 f0e0 // SPRR_PERM_EL1
- Set s3_6_c15_c1_7 = 0x2020 a500 f020 f000 // (UNK (EL1)) Diff XPRR_PPL_RW_PERM | XPRR_PPL_RX_PERM
- Set s3_6_c15_c1_5 = 0x2010000030100000 // SPRR_PERM_EL0
- Set s3_6_c15_c1_6 = 0x2020000030200000 // (UNK (EL0)) Diff XPRR_USER_JIT_PERM | XPRR_USER_RX_PERM
- Set s3_6_c15_c1_0 = 1 // (?) SPRR_CONFIG_EL1
- S3_6_C15_C3_1 = USER_JIT ? 0xc00 : 0x0 // XPRR protected?
Hi!
This is quick and dirty .. I'll clean it up in about 12 hours and Post lots of data.. Thank you for Posting that Register Info.. I'll be sharing 100% of my findings ..
Here is what I got for 1 register so far.. I had to update a few things.. and it takes about 20m to turn around a Build.. Cryptex and to end with Results..
uname -a
Darwin iPhone 20.6.0 Darwin Kernel Version 20.6.0: Sun Jun 20 22:50:32 PDT 2021; root:xnu-7195.140.39.0.1~13/RELEASE_ARM64_T8030 iPhone12,1
CODE for Read
cat S3_6_c15_c1_6-read.c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write v to system register s3_6_c15_c1_6, then synchronise with an ISB. */
void write_sprr(uint64_t v)
{
    __asm__ __volatile__("msr s3_6_c15_c1_6, %0\n"
                         "isb sy\n"
                         :
                         : "r"(v)
                         :);
}

/* Read s3_6_c15_c1_6 after an instruction barrier. */
uint64_t read_sprr(void)
{
    uint64_t v;
    __asm__ __volatile__("isb sy\n"
                         "mrs %0, s3_6_c15_c1_6\n"
                         : "=r"(v)
                         :
                         : "memory");
    return v;
}

/* Read-only test: sample the register 64 times, one line per sample. */
int main(int argc, char *argv[])
{
    for (int i = 0; i < 64; ++i) {
        printf("s3_6_c15_c1_6 bit %02d: %016llx\n", i, read_sprr());
    }
}
Code for Flip
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write v to system register S3_6_c15_c1_6, then synchronise with an ISB. */
void write_sprr(uint64_t v)
{
    __asm__ __volatile__("msr S3_6_c15_c1_6, %0\n"
                         "isb sy\n"
                         :
                         : "r"(v)
                         :);
}

/* Read S3_6_c15_c1_6 after an instruction barrier. */
uint64_t read_sprr(void)
{
    uint64_t v;
    __asm__ __volatile__("isb sy\n"
                         "mrs %0, S3_6_c15_c1_6\n"
                         : "=r"(v)
                         :
                         : "memory");
    return v;
}

/* Flip test: write each single-bit pattern, then print the value read back
 * so it can be compared with the initial value. */
int main(int argc, char *argv[])
{
    // {
    //     for (int j = 0; j < 64; ++j) {
    //         printf("Read Initial Register bit %02d: %016llx\n", j, read_sprr());
    //     }
    // }
    for (int i = 0; i < 64; ++i) {
        write_sprr(1ULL << i);
        printf("Flipped Register s3_6_c15_c1_6 bit %02d: %016llx\n", i, read_sprr());
    }
}
# ./s3_6_c15_c1_6-read
s3_6_c15_c1_6 bit 00: 2020000030200000
s3_6_c15_c1_6 bit 01: 2020000030200000
s3_6_c15_c1_6 bit 02: 2020000030200000
s3_6_c15_c1_6 bit 03: 2020000030200000
s3_6_c15_c1_6 bit 04: 2020000030200000
s3_6_c15_c1_6 bit 05: 2020000030200000
s3_6_c15_c1_6 bit 06: 2020000030200000
s3_6_c15_c1_6 bit 07: 2020000030200000
s3_6_c15_c1_6 bit 08: 2020000030200000
s3_6_c15_c1_6 bit 09: 2020000030200000
s3_6_c15_c1_6 bit 10: 2020000030200000
s3_6_c15_c1_6 bit 11: 2020000030200000
s3_6_c15_c1_6 bit 12: 2020000030200000
s3_6_c15_c1_6 bit 13: 2020000030200000
s3_6_c15_c1_6 bit 14: 2020000030200000
s3_6_c15_c1_6 bit 15: 2020000030200000
s3_6_c15_c1_6 bit 16: 2020000030200000
s3_6_c15_c1_6 bit 17: 2020000030200000
s3_6_c15_c1_6 bit 18: 2020000030200000
s3_6_c15_c1_6 bit 19: 2020000030200000
s3_6_c15_c1_6 bit 20: 2020000030200000
s3_6_c15_c1_6 bit 21: 2020000030200000
s3_6_c15_c1_6 bit 22: 2020000030200000
s3_6_c15_c1_6 bit 23: 2020000030200000
s3_6_c15_c1_6 bit 24: 2020000030200000
s3_6_c15_c1_6 bit 25: 2020000030200000
s3_6_c15_c1_6 bit 26: 2020000030200000
s3_6_c15_c1_6 bit 27: 2020000030200000
s3_6_c15_c1_6 bit 28: 2020000030200000
s3_6_c15_c1_6 bit 29: 2020000030200000
s3_6_c15_c1_6 bit 30: 2020000030200000
s3_6_c15_c1_6 bit 31: 2020000030200000
s3_6_c15_c1_6 bit 32: 2020000030200000
s3_6_c15_c1_6 bit 33: 2020000030200000
s3_6_c15_c1_6 bit 34: 2020000030200000
s3_6_c15_c1_6 bit 35: 2020000030200000
s3_6_c15_c1_6 bit 36: 2020000030200000
s3_6_c15_c1_6 bit 37: 2020000030200000
s3_6_c15_c1_6 bit 38: 2020000030200000
s3_6_c15_c1_6 bit 39: 2020000030200000
s3_6_c15_c1_6 bit 40: 2020000030200000
s3_6_c15_c1_6 bit 41: 2020000030200000
s3_6_c15_c1_6 bit 42: 2020000030200000
s3_6_c15_c1_6 bit 43: 2020000030200000
s3_6_c15_c1_6 bit 44: 2020000030200000
s3_6_c15_c1_6 bit 45: 2020000030200000
s3_6_c15_c1_6 bit 46: 2020000030200000
s3_6_c15_c1_6 bit 47: 2020000030200000
s3_6_c15_c1_6 bit 48: 2020000030200000
s3_6_c15_c1_6 bit 49: 2020000030200000
s3_6_c15_c1_6 bit 50: 2020000030200000
s3_6_c15_c1_6 bit 51: 2020000030200000
s3_6_c15_c1_6 bit 52: 2020000030200000
s3_6_c15_c1_6 bit 53: 2020000030200000
s3_6_c15_c1_6 bit 54: 2020000030200000
s3_6_c15_c1_6 bit 55: 2020000030200000
s3_6_c15_c1_6 bit 56: 2020000030200000
s3_6_c15_c1_6 bit 57: 2020000030200000
s3_6_c15_c1_6 bit 58: 2020000030200000
s3_6_c15_c1_6 bit 59: 2020000030200000
s3_6_c15_c1_6 bit 60: 2020000030200000
s3_6_c15_c1_6 bit 61: 2020000030200000
s3_6_c15_c1_6 bit 62: 2020000030200000
s3_6_c15_c1_6 bit 63: 2020000030200000
# ./s3_6_c15_c1_6-flip
Flipped Register s3_6_c15_c1_6 bit 00: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 01: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 02: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 03: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 04: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 05: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 06: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 07: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 08: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 09: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 10: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 11: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 12: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 13: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 14: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 15: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 16: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 17: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 18: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 19: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 20: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 21: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 22: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 23: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 24: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 25: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 26: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 27: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 28: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 29: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 30: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 31: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 32: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 33: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 34: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 35: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 36: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 37: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 38: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 39: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 40: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 41: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 42: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 43: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 44: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 45: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 46: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 47: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 48: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 49: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 50: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 51: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 52: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 53: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 54: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 55: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 56: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 57: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 58: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 59: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 60: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 61: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 62: 2020000030200000
Flipped Register s3_6_c15_c1_6 bit 63: 2020000030200000
#
#CODE
cat src/S3_6_c15_c1_5/s3_6_c15_c1_5-read.c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write v to system register s3_6_c15_c1_5, then synchronise with an ISB. */
void write_sprr(uint64_t v)
{
    __asm__ __volatile__("msr s3_6_c15_c1_5, %0\n"
                         "isb sy\n"
                         :
                         : "r"(v)
                         :);
}

/* Read s3_6_c15_c1_5 after an instruction barrier. */
uint64_t read_sprr(void)
{
    uint64_t v;
    __asm__ __volatile__("isb sy\n"
                         "mrs %0, s3_6_c15_c1_5\n"
                         : "=r"(v)
                         :
                         : "memory");
    return v;
}

/* Read-only test: sample the register 64 times, one line per sample. */
int main(int argc, char *argv[])
{
    for (int i = 0; i < 64; ++i) {
        printf("s3_6_c15_c1_5 bit %02d: %016llx\n", i, read_sprr());
    }
}
cat src/S3_6_c15_c1_5/s3_6_c15_c1_5-flip.c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write v to system register S3_6_c15_c1_5, then synchronise with an ISB. */
void write_sprr(uint64_t v)
{
    __asm__ __volatile__("msr S3_6_c15_c1_5, %0\n"
                         "isb sy\n"
                         :
                         : "r"(v)
                         :);
}

/* Read S3_6_c15_c1_5 after an instruction barrier. */
uint64_t read_sprr(void)
{
    uint64_t v;
    __asm__ __volatile__("isb sy\n"
                         "mrs %0, S3_6_c15_c1_5\n"
                         : "=r"(v)
                         :
                         : "memory");
    return v;
}

/* Flip test: write each single-bit pattern, then print the value read back
 * so it can be compared with the initial value. */
int main(int argc, char *argv[])
{
    // {
    //     for (int j = 0; j < 64; ++j) {
    //         printf("Read Initial Register bit %02d: %016llx\n", j, read_sprr());
    //     }
    // }
    for (int i = 0; i < 64; ++i) {
        write_sprr(1ULL << i);
        printf("Flipped Register s3_6_c15_c1_5 bit %02d: %016llx\n", i, read_sprr());
    }
}
# uname -a
Darwin iPhone 20.6.0 Darwin Kernel Version 20.6.0: Sun Jun 20 22:50:32 PDT 2021; root:xnu-7195.140.39.0.1~13/RELEASE_ARM64_T8030 iPhone12,1
# ./s3_6_c15_c1_5-flip
Flipped Register s3_6_c15_c1_5 bit 00: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 01: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 02: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 03: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 04: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 05: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 06: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 07: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 08: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 09: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 10: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 11: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 12: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 13: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 14: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 15: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 16: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 17: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 18: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 19: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 20: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 21: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 22: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 23: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 24: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 25: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 26: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 27: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 28: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 29: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 30: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 31: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 32: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 33: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 34: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 35: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 36: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 37: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 38: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 39: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 40: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 41: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 42: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 43: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 44: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 45: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 46: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 47: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 48: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 49: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 50: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 51: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 52: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 53: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 54: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 55: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 56: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 57: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 58: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 59: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 60: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 61: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 62: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 63: 2010000030100000
# ./s3_6_c15_c1_5-read
s3_6_c15_c1_5 bit 00: 2010000030100000
s3_6_c15_c1_5 bit 01: 2010000030100000
s3_6_c15_c1_5 bit 02: 2010000030100000
s3_6_c15_c1_5 bit 03: 2010000030100000
s3_6_c15_c1_5 bit 04: 2010000030100000
s3_6_c15_c1_5 bit 05: 2010000030100000
s3_6_c15_c1_5 bit 06: 2010000030100000
s3_6_c15_c1_5 bit 07: 2010000030100000
s3_6_c15_c1_5 bit 08: 2010000030100000
s3_6_c15_c1_5 bit 09: 2010000030100000
s3_6_c15_c1_5 bit 10: 2010000030100000
s3_6_c15_c1_5 bit 11: 2010000030100000
s3_6_c15_c1_5 bit 12: 2010000030100000
s3_6_c15_c1_5 bit 13: 2010000030100000
s3_6_c15_c1_5 bit 14: 2010000030100000
s3_6_c15_c1_5 bit 15: 2010000030100000
s3_6_c15_c1_5 bit 16: 2010000030100000
s3_6_c15_c1_5 bit 17: 2010000030100000
s3_6_c15_c1_5 bit 18: 2010000030100000
s3_6_c15_c1_5 bit 19: 2010000030100000
s3_6_c15_c1_5 bit 20: 2010000030100000
s3_6_c15_c1_5 bit 21: 2010000030100000
s3_6_c15_c1_5 bit 22: 2010000030100000
s3_6_c15_c1_5 bit 23: 2010000030100000
s3_6_c15_c1_5 bit 24: 2010000030100000
s3_6_c15_c1_5 bit 25: 2010000030100000
s3_6_c15_c1_5 bit 26: 2010000030100000
s3_6_c15_c1_5 bit 27: 2010000030100000
s3_6_c15_c1_5 bit 28: 2010000030100000
s3_6_c15_c1_5 bit 29: 2010000030100000
s3_6_c15_c1_5 bit 30: 2010000030100000
s3_6_c15_c1_5 bit 31: 2010000030100000
s3_6_c15_c1_5 bit 32: 2010000030100000
s3_6_c15_c1_5 bit 33: 2010000030100000
s3_6_c15_c1_5 bit 34: 2010000030100000
s3_6_c15_c1_5 bit 35: 2010000030100000
s3_6_c15_c1_5 bit 36: 2010000030100000
s3_6_c15_c1_5 bit 37: 2010000030100000
s3_6_c15_c1_5 bit 38: 2010000030100000
s3_6_c15_c1_5 bit 39: 2010000030100000
s3_6_c15_c1_5 bit 40: 2010000030100000
s3_6_c15_c1_5 bit 41: 2010000030100000
s3_6_c15_c1_5 bit 42: 2010000030100000
s3_6_c15_c1_5 bit 43: 2010000030100000
s3_6_c15_c1_5 bit 44: 2010000030100000
s3_6_c15_c1_5 bit 45: 2010000030100000
s3_6_c15_c1_5 bit 46: 2010000030100000
s3_6_c15_c1_5 bit 47: 2010000030100000
s3_6_c15_c1_5 bit 48: 2010000030100000
s3_6_c15_c1_5 bit 49: 2010000030100000
s3_6_c15_c1_5 bit 50: 2010000030100000
s3_6_c15_c1_5 bit 51: 2010000030100000
s3_6_c15_c1_5 bit 52: 2010000030100000
s3_6_c15_c1_5 bit 53: 2010000030100000
s3_6_c15_c1_5 bit 54: 2010000030100000
s3_6_c15_c1_5 bit 55: 2010000030100000
s3_6_c15_c1_5 bit 56: 2010000030100000
s3_6_c15_c1_5 bit 57: 2010000030100000
s3_6_c15_c1_5 bit 58: 2010000030100000
s3_6_c15_c1_5 bit 59: 2010000030100000
s3_6_c15_c1_5 bit 60: 2010000030100000
s3_6_c15_c1_5 bit 61: 2010000030100000
s3_6_c15_c1_5 bit 62: 2010000030100000
s3_6_c15_c1_5 bit 63: 2010000030100000
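Added example, not code from the srd repository or from either commenter: an offline helper for the register list posted above and for the read/flip output, so a run can be checked mechanically rather than by eye. It diffs two register values in 4-bit fields and parses the flip-test output to report which single-bit writes changed the read-back value. The sixteen-fields-of-4-bits view is an assumption stated in the code, not something this issue establishes, and no meaning is assigned to the field values; the embedded log lines are constructed in the same format as the output above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the srd repo).  Assumption: a permission register
 * is viewed as sixteen 4-bit fields, field n occupying bits [4n+3:4n]; what a
 * field value means is not interpreted here. */
#define SPRR_FIELDS 16

/* Field n (0..15) of a register value. */
static unsigned sprr_field(uint64_t v, unsigned n)
{
    return (unsigned)((v >> (4 * n)) & 0xFULL);
}

/* 16-bit mask: bit n set when field n differs between a and b. */
static unsigned sprr_diff_fields(uint64_t a, uint64_t b)
{
    unsigned mask = 0;
    for (unsigned n = 0; n < SPRR_FIELDS; n++)
        if (sprr_field(a, n) != sprr_field(b, n))
            mask |= 1u << n;
    return mask;
}

/* initial: value read before the test; readback[i]: value read after writing
 * (1ULL << i).  Returns the mask of i whose write changed anything; 0 means
 * every write was ignored, which is what the output in this issue shows. */
static uint64_t sprr_flip_effect(uint64_t initial, const uint64_t readback[64])
{
    uint64_t effect = 0;
    for (int i = 0; i < 64; i++)
        if (readback[i] != initial)
            effect |= 1ULL << i;
    return effect;
}

/* Parse one "... bit NN: XXXXXXXXXXXXXXXX" output line.  Returns 1 on success. */
static int parse_result_line(const char *line, int *bit, uint64_t *value)
{
    const char *p = strstr(line, " bit ");
    unsigned long long v;
    if (p == NULL || sscanf(p, " bit %d: %llx", bit, &v) != 2)
        return 0;
    *value = (uint64_t)v;
    return 1;
}

/* Walk a flip-test log: the first "Read Initial" line fixes the baseline and
 * every "Flipped" line is compared against it.  Returns the same effect mask
 * as sprr_flip_effect; *n_flipped (if non-NULL) gets the "Flipped" line count. */
static uint64_t analyze_log(const char *log, int *n_flipped)
{
    uint64_t initial = 0, effect = 0;
    int have_initial = 0;
    char buf[160];

    if (n_flipped) *n_flipped = 0;
    for (const char *line = log; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        int bit;
        uint64_t v;

        if (len >= sizeof buf) len = sizeof buf - 1;   /* truncate long lines */
        memcpy(buf, line, len);
        buf[len] = '\0';

        if (parse_result_line(buf, &bit, &v)) {
            if (strncmp(buf, "Read Initial", 12) == 0 && !have_initial) {
                initial = v;
                have_initial = 1;
            } else if (strncmp(buf, "Flipped", 7) == 0) {
                if (n_flipped) (*n_flipped)++;
                if (have_initial && v != initial && bit >= 0 && bit < 64)
                    effect |= 1ULL << bit;
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    return effect;
}

/* Constructed sample in the format of the flip-test output in this issue
 * (two lines of each kind; a real run prints 64 of each). */
static const char *sample_log =
    "Read Initial Register s3_6_c15_c1_5 bit 00: 2010000030100000\n"
    "Read Initial Register s3_6_c15_c1_5 bit 01: 2010000030100000\n"
    "Flipped Register s3_6_c15_c1_5 bit 00: 2010000030100000\n"
    "Flipped Register s3_6_c15_c1_5 bit 01: 2010000030100000\n";

int main(void)
{
    /* The two EL0 values from the register list posted in this issue. */
    uint64_t a = 0x2010000030100000ULL, b = 0x2020000030200000ULL;
    unsigned diff = sprr_diff_fields(a, b);
    for (unsigned n = 0; n < SPRR_FIELDS; n++)
        if (diff & (1u << n))
            printf("field %2u: %x -> %x\n", n, sprr_field(a, n), sprr_field(b, n));

    int flipped = 0;
    uint64_t effect = analyze_log(sample_log, &flipped);
    printf("%d flipped lines, effect mask %016llx\n", flipped, (unsigned long long)effect);
    return 0;
}
```

Fed the two EL0 values from the list, the field diff lands on fields 5 and 13 (1 vs 2 in each), and the EL1 pair differs in fields 1 and 8; fed a real flip log, a non-zero effect mask is the signal worth investigating, and an all-zero mask confirms the writes were ignored as in the runs above.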
Apparently, MAP_JIT is only available in a sandboxed environment for iOS. Can you try flipping the registers inside an app or something? Of course dynamic-codesigning is still required.
Hello - yes, read that earlier when doing more RTFM... I'm in learning mode, def not a ninja on ARM.. so if anyone has ideas and/or Code to share, please ADD your Comments.
I have the state change on my TODO List.. from EL1 -> EL0 and/or create Xcode App to provide the Results for EL0 Tests.
My plan is to write a fuzzing harness and just start discovering Registers too, a la Marcan. I'll check everything, with/without entitlements, from EL0/EL1 etc.. More like Pitchfork & Clusterbomb with Intruder if you use Burp Suite..
I very much appreciate your info, I'll be on this all day.
I'll continue updating Code and Results.
Thank You for your input, I hope to have some Code and Results soon.
Root user is EL0, not EL1 -.-
By EL1, I meant kernel code execution
Question -
What iOS Version for this info?
- Set s3_6_c15_c1_0 = 1 // (?) SPRR_CONFIG_EL1
- Set s3_6_c15_c1_1 = 1 // Unknown
- Set s3_6_c15_c3_0 = 0x2020 a506 f020 f0e0 // SPRR_PERM_EL1
- Set s3_6_c15_c1_7 = 0x2020 a500 f020 f000 // (UNK (EL1)) Diff XPRR_PPL_RW_PERM | XPRR_PPL_RX_PERM
- Set s3_6_c15_c1_5 = 0x2010000030100000 // SPRR_PERM_EL0
- Set s3_6_c15_c1_6 = 0x2020000030200000 // (UNK (EL0)) Diff XPRR_USER_JIT_PERM | XPRR_USER_RX_PERM
- Set s3_6_c15_c1_0 = 1 // (?) SPRR_CONFIG_EL1
- S3_6_C15_C3_1 = USER_JIT ? 0xc00 : 0x0 // XPRR protected?
Can you paste in the uname -a or Build Info?
Also.. What toolchain info are you build from?
And, assuming you are testing on JB, which flavor?
I just want to do a Repro on the iOS and Hardware you got that info from..
I'm in the process of making some Toolchain changes ... I see another flavor of XNU has been Released so I need to include all those changes in the Build Process and then re-run.. it is a bit brittle..
Yes, I see comment for..
Root user is EL0, not EL1 -.- By EL1, I meant kernel code execution
I need TODO a taxonomy markdown or something.. often when we are all chatting about something it's M1 related and then the conversation moves to iOS and we all need to do that shift.. I often forget.. so thank you for posting that clarification for all to read.
At some point I hope to include Links to all the Docs for 8030, XNU etc.. just been swamped trying to keep up with all the Seeds, Landings and everything else..
Thanks again for the info.
I'm in the process of updating the Build Toolchain so hopefully after up'g to 11.4 the signing server will still provide love to the X86_64 http request. :-)
The register definition should apply to all iOS versions of T8030 (iPhone 11).
I don't have a JB device to test this out though. (Otherwise I wouldn't be here yk)
If you wonder how I got it, I do static analysis on T8030's kernel and match it with M1's kernel.
Copy. we're all doing same this end. just wanted to check.. sometimes people have JTAG hooked up and can see things we can't on the SRD, eg: Registers etc.. Thank you very much for the info, currently working on update.
Just finished updating my Toolchain
Back on this for the balance of day.
XNU Export
export XNU_VERSION=xnu-7195.81.3
X86_64
xcode-select -p
/Applications/Xcode.app/Contents/Developer
clang -v
Apple clang version 13.0.0 (clang-1300.0.18.6)
Target: arm64-apple-darwin20.5.0
Thread model: posix
InstalledDir: /Applications/Xcode-beta.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
iOS SDK at /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS14.5.sdk
iOS SDK at /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS15.0.sdk
M1 Apple Silicon
xcode-select -p
/Applications/Xcode-beta.app/Contents/Developer
clang -v
Apple clang version 13.0.0 (clang-1300.0.18.6)
Target: arm64-apple-darwin20.5.0
Thread model: posix
InstalledDir: /Applications/Xcode-beta.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
iOS SDK at /Applications/Xcode-beta.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS15.0.sdk
iOS SDK 15
iOS SDK 14
iOS 14Beta7
iOS 15Beta2
Added more Code and specifically added unit tests for those registers you specified. What I did was take the register and create a directory with the Code, and then the Readme.md contains the Crash Report .. there were a few cases that something could be flipped, like the m1racles register.. but so far mostly crash reports.. I've already sent an e-mail Upstream asking to have a look at this Issue, Code and Results. I still feel like there are other issues involved specific to SRD, but maybe I'm just jaded.
Examples for some Results:
[Crash Reports]
https://github.com/xsscx/srd/tree/main/code/registers/s3_6_c15_c3_0
https://github.com/xsscx/srd/tree/main/code/registers/s3_6_c15_c2_5
https://github.com/xsscx/srd/tree/main/code/registers/s3_6_c15_c1_7
[Read Register]
https://github.com/xsscx/srd/tree/main/code/registers/s3_6_c15_c1_6
As always.. please share any Comments, Feedback, Code etc.. I'll continue posting Info...
Thank You
I haven't seen any results for S3_6_c15_c1_5 yet. Did you misread it?
These SIGILL crashes are expected though.
Updated Tuesday, July 6, 2021 0824 US Eastern
s3_6_c15_c1_5 is read, no flip
https://github.com/xsscx/srd/tree/main/code/registers/s3_6_c15_c1_5
IPSW: iPhone11,8,iPhone12,1_14.7_18G5052d_Restore.ipsw
uname -a
Darwin iPhone 20.6.0 Darwin Kernel Version 20.6.0: Sun Jun 20 22:50:32 PDT 2021; root:xnu-7195.140.39.0.1~13/RELEASE_ARM64_T8030 iPhone12,1
id
uid=1473273909(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),20(staff),29(certusers),80(admin)
id -G
0 1 2 3 4 5 8 9 20 29 80
id -g
0
CODE
void write_sprr(uint64_t v)
{
    __asm__ __volatile__("msr s3_6_c15_c1_5, %0\n"
                         "isb sy\n"
                         :
                         : "r"(v)
                         :);
}
...
uint64_t read_sprr(void)
{
    uint64_t v;
    __asm__ __volatile__("isb sy\n"
                         "mrs %0, s3_6_c15_c1_5\n"
                         : "=r"(v)
                         :
                         : "memory");
    return v;
}
..
int main(int argc, char *argv[])
{
    ..
    for (int i = 0; i < 64; ++i) {
        write_sprr(1ULL << i);
        printf("Flipped Register s3_6_c15_c1_5 bit %02d: %016llx\n", i, read_sprr());
    }
}
PLIST
dynamic-codesigning
com.apple.private.security.no-container
# ./s3_6_c15_c1_5-flip
Read Initial Register s3_6_c15_c1_5 bit 00: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 01: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 02: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 03: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 04: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 05: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 06: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 07: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 08: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 09: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 10: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 11: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 12: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 13: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 14: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 15: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 16: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 17: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 18: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 19: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 20: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 21: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 22: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 23: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 24: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 25: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 26: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 27: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 28: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 29: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 30: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 31: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 32: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 33: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 34: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 35: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 36: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 37: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 38: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 39: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 40: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 41: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 42: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 43: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 44: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 45: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 46: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 47: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 48: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 49: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 50: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 51: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 52: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 53: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 54: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 55: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 56: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 57: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 58: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 59: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 60: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 61: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 62: 2010000030100000
Read Initial Register s3_6_c15_c1_5 bit 63: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 00: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 01: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 02: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 03: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 04: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 05: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 06: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 07: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 08: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 09: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 10: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 11: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 12: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 13: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 14: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 15: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 16: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 17: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 18: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 19: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 20: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 21: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 22: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 23: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 24: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 25: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 26: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 27: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 28: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 29: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 30: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 31: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 32: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 33: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 34: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 35: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 36: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 37: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 38: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 39: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 40: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 41: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 42: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 43: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 44: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 45: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 46: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 47: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 48: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 49: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 50: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 51: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 52: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 53: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 54: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 55: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 56: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 57: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 58: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 59: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 60: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 61: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 62: 2010000030100000
Flipped Register s3_6_c15_c1_5 bit 63: 2010000030100000
#
IF you have more Registers to check, please do let me know.
Thank You!
SUMMARY:
s3_5_c15_c10_1 : 0x0000000000000000
s3_6_c15_c1_6 : 0x2020000030200000