SUMMARY: TSS | 21C52 | 21C39 | X86_64 | libcryptex_executables-169.80.2~9 | Cryptex | Signing | Declined | iPhone 11 | iPhone 12 | CryptexManager Working || Workaround Posted
xsscx opened this issue · 1 comments
21C52 | 21C39 | X86_64 | libcryptex_executables-169.80.2~9 | TSS | Cryptex | Signing | Declined | iPhone 11 | iPhone 12 | CryptexManager Working
It has been found that, as of MON 10 JAN 2022, cryptexctl for SRT 21C39 with cryptexctl from libcryptex_executables-169.80.2~9 generates TSS Signing Requests that are being Declined.
Version Info
cryptexctl version
Darwin Cryptex Management Interface Version 2.0.0: Sun Dec 19 22:28:12 PST 2021; root:libcryptex_executables-169.80.2~9/cryptexctl/WEN_ETA_X86_64
Kernel
21.2.0 Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64 x86_64
shasum
shasum /usr/local/bin/cryptexctl.research
3521ce63903f50b1c0052bd076bc2f7dd0193017 /usr/local/bin/cryptexctl.research
Codesign
codesign -dvvv /usr/local/bin/cryptexctl.research
Executable=/usr/local/bin/cryptexctl.research
Identifier=com.apple.security.cryptexctl
Format=Mach-O universal (x86_64 arm64e)
CodeDirectory v=20400 size=3318 flags=0x2000(library-validation) hashes=93+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=50da1fdfbd3511624b146f0dbf201e7e305a74ae
CandidateCDHashFull sha256=50da1fdfbd3511624b146f0dbf201e7e305a74ae2434fafbb70aa54767e2f95c
Hash choices=sha256
CMSDigest=50da1fdfbd3511624b146f0dbf201e7e305a74ae2434fafbb70aa54767e2f95c
CMSDigestType=2
CDHash=50da1fdfbd3511624b146f0dbf201e7e305a74ae
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=Dec 20, 2021 at 1:28:20 AM
Info.plist entries=18
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=80
CLI
cryptexctl ${CRYPTEXCTL_PERSONALIZE_FLAGS} personalize --replace -o /Users/xss/security-research-device/example-cryptex/com.example.cryptex.cxbd.signed --variant=research com.example.cryptex.cxbd
cryptexctl: failed to personalize cryptex: Authentication error
HTTP Response
HTTP/1.1 200 OK
Server: Apple
Date: Mon, 10 Jan 2022 15:42:37 GMT
Content-Type: text/html
Content-Length: 69
Connection: close
Host: gs.apple.com
Strict-Transport-Security: max-age=31536000; includeSubdomains
X-Frame-Options: SAMEORIGIN
STATUS=94&MESSAGE=This device isn't eligible for the requested build.
Issue
It appears that cryptexctl on X86_64 makes an HTTP Request that does not contain the Key for CryptexDMG, perhaps causing the Authentication Error from libcryptex:
<string>libauthinstall-850.0.2</string>
<key>LoadableTrustCache</key>
kOVent8lUZhyycIztLTDLx2SEqirUUKUA0qoZmg3mfICdsE44/spe9CVnt9N
HU9l
<key>PersonalizedDMG</key>
Whereas it has been found that CryptexManager generates an HTTP Request containing the proper syntax:
<string>libauthinstall-850.0.1.0.1</string>
<key>CryptexDMG</key>
xqPjx+ZJFIDtb1OUermcwzMbMGs/+CrMKvR/8FhoSxPJxW+j5TB2Xj6q7SAW
vjd2
<key>Name</key>
<string>com.example.cryptex</string>
<key>LoadableTrustCache</key>
NeNmR3jjNQmWATai/+kJXPgnnhHwmDDwKxODOw6HKysM08imi6nbJjDXBvSp
j8bw
Personalization Request from CryptexManager with cryptex installation success
.build/release/CryptexManager create -i com.example.cryptex -v 1.3.3.7 ~/Downloads/universal-srd-toybox-unstripped-commit-ea4748a7cbfa5e2f3ef188f917d4e5aeac70dd0f.dmg /Volumes/com.example.cryptex.dstroot /tmp/cptx
.build/release/CryptexManager install /tmp/cptx
Successfully installed cryptex!
.build/release/CryptexManager list
com.example.cryptex:
Version: 1.3.3.7
Mounted at: /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.Vx43Gr
Disk image path: /private/var/run/com.apple.security.cryptexd/codex.system/live/com.example.cryptex/cpxd
macOS 11.x Unimpacted for M1 T8101 or X86_64
TSS Signing for cryptex personalizations is not impacted from M1 T8101 or X86_64 when using 20G314 with SRT 20C80, aka macOS 11.6.2 for iPhone 11 or iPhone 12 Devices.
Analysis
It was found that the HTTP Request generated by cryptexctl contains the key:
<key>PersonalizedDMG</key>
and when changed to:
<key>CryptexDMG</key>
then the HTTP Response contains the Signing for the Cryptex Personalization.
Reference
Requirements: https://github.com/xsscx/srd/blob/main/SecurityResearchTools_21C39/example-cryptex/README.md
OS == Big Sur
TSS cryptex personalization Signings as of MON 10 JAN 2022 at 1200 EST
macOS 11.x
M1 T8101 macOS 20G314 SRT 20C80
X86_64 macOS 20G314 SRT 20C80
macOS 12.x
X86_64 macOS 21C52 with Cryptex Manager https://github.com/pinauten/CryptexManager
MON 10 JAN 2022 at 1828 EST
TSS is again Signing cryptex personalizations from X86_64 when using macOS 12.1 (21C52)
HTTP/1.1 200 OK
Server: Apple
Date: Mon, 10 Jan 2022 23:22:26 GMT
Content-Type: text/html
Content-Length: 4376
Connection: close
Host: gs.apple.com
Strict-Transport-Security: max-age=31536000; includeSubdomains
X-Frame-Options: SAMEORIGIN
STATUS=0&MESSAGE=SUCCESS&REQUEST_STRING
Suggestion
Dashboard with TSS, Build and other Status.
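
Added example (not part of the original issue, and not code from cryptexctl or CryptexManager): a Python check that reads a TSS response body in the STATUS=...&MESSAGE=... form shown above and lists which plist keys differ between a declined and a signed personalization request. The two request bodies are constructed samples that use only the key names quoted in the issue; their flat layout and data bytes are assumptions.

```python
import plistlib


def parse_tss_response(body: str) -> dict:
    """Split a TSS response body such as 'STATUS=94&MESSAGE=...' into fields."""
    fields = {}
    # At most three parts, so a trailing REQUEST_STRING payload is never split further.
    for part in body.strip().split("&", 2):
        name, _, value = part.partition("=")
        fields[name] = value
    status = int(fields["STATUS"])
    return {"status": status, "message": fields.get("MESSAGE", ""), "signed": status == 0}


def all_keys(node) -> set:
    """Collect every dictionary key in a parsed plist, at any nesting depth."""
    keys = set()
    if isinstance(node, dict):
        for key, value in node.items():
            keys.add(key)
            keys |= all_keys(value)
    elif isinstance(node, list):
        for item in node:
            keys |= all_keys(item)
    return keys


def diff_request_keys(declined: bytes, signed: bytes) -> tuple:
    """Return (keys only in the declined request, keys only in the signed request)."""
    a = all_keys(plistlib.loads(declined))
    b = all_keys(plistlib.loads(signed))
    return sorted(a - b), sorted(b - a)


def sample_request(dmg_key: str) -> bytes:
    """Constructed request plist: key names from the issue, dummy data values."""
    return plistlib.dumps({
        dmg_key: b"\x00" * 48,              # placeholder bytes, not a real measurement
        "Name": "com.example.cryptex",
        "LoadableTrustCache": b"\x11" * 48,  # placeholder bytes
    })


DECLINED_REQUEST = sample_request("PersonalizedDMG")  # key sent by cryptexctl
SIGNED_REQUEST = sample_request("CryptexDMG")         # key sent by CryptexManager

if __name__ == "__main__":
    print(parse_tss_response("STATUS=94&MESSAGE=This device isn't eligible for the requested build."))
    print(diff_request_keys(DECLINED_REQUEST, SIGNED_REQUEST))
```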