From 2b3181d2de7b74c7a2998c8224498c8062288b01 Mon Sep 17 00:00:00 2001
From: Cryptiiiic
Date: Mon, 19 Feb 2024 21:42:37 -0800
Subject: [PATCH] Working PoC
---
 tsschecker/tss.c | 22 ++++++++++++++--------
 tsschecker/tsschecker.c | 4 ++--
 2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/tsschecker/tss.c b/tsschecker/tss.c
index 31061f0..e2fc802 100644
--- a/tsschecker/tss.c
+++ b/tsschecker/tss.c
@@ -27,7 +27,7 @@
 #include
 #include
 #include
-#define AUTH_VERSION "914.40.5"
+#define AUTH_VERSION "973.0.5"
 #ifdef WIN32
 #define TSS_CLIENT_VERSION_STRING "libauthinstall_Win-"AUTH_VERSION""
 #else
@@ -85,7 +85,7 @@ plist_t tss_request_new(plist_t overrides)
 int tss_request_add_local_policy_tags(plist_t request, plist_t parameters)
 {
- plist_dict_set_item(request, "@ApImg4Ticket", plist_new_bool(1));
+// plist_dict_set_item(request, "@ApImg4Ticket", plist_new_bool(1));
 if (_plist_dict_copy_bool(request, parameters, "Ap,LocalBoot", NULL) < 0) {
 tsserror("ERROR: Unable to find required Ap,LocalBoot in parameters\n");
@@ -104,10 +104,11 @@ int tss_request_add_local_policy_tags(plist_t request, plist_t parameters)
 _plist_dict_copy_data(request, parameters, "Ap,RecoveryOSPolicyNonceHash", NULL);
 _plist_dict_copy_data(request, parameters, "Ap,VolumeUUID", NULL);
- _plist_dict_copy_uint(request, parameters, "ApECID", NULL);
+// _plist_dict_copy_uint(request, parameters, "ApECID", NULL);
 _plist_dict_copy_uint(request, parameters, "ApChipID", NULL);
 _plist_dict_copy_uint(request, parameters, "ApBoardID", NULL);
- _plist_dict_copy_uint(request, parameters, "ApSecurityDomain", NULL);
+// _plist_dict_copy_uint(request, parameters, "ApSecurityDomain", NULL);
+ plist_dict_set_item(request, "ApSecurityDomain", plist_new_string("0x01"));
 // _plist_dict_copy_data(request, parameters, "ApNonce", NULL);
 if (!plist_dict_get_item(request, "ApSecurityMode")) {
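Review bot: The `@ApImg4Ticket` tag in tss_request_add_local_policy_tags is commented out rather than removed, and nothing records why the ticket-type tag is dropped from the request; the hunk at line 272 in tss_request_add_ap_img4_tags does the same. Git history already keeps the old line, so delete the `//` line and replace it with a one-line reason, e.g. `/* @ApImg4Ticket deliberately not requested: <reason for this PoC> */`, so a later reader does not re-enable it by mistake. The body of tss_request_add_local_policy_tags continues outside the hunk.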
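Review bot: `ApSecurityDomain` changes from the integer copied out of `parameters` to the fixed literal `"0x01"`, so the request no longer reflects the manifest value and the node type changes from uint to string; the hunks at lines 149 (tss_parameters_add_from_manifest) and 346 (tss_request_add_common_tags) make the same substitution, and as far as these hunks show the string written into `parameters` at 149 is never read, because both request builders set the literal directly instead of copying it. If the string form is what the server expects for this PoC, give the literal one name next to `AUTH_VERSION` (e.g. `#define TSS_AP_SECURITY_DOMAIN_STR "0x01"`, proposed name) and state in a comment why the manifest integer is not used; otherwise keep the copy and fall back to the literal only when the key is absent, in the style of the `_plist_dict_copy_bool(...) < 0` check already used in this file. The commented-out `ApECID` copy in the same hunk also deserves a comment, since without it the request carries no per-device ECID from `parameters`. The function continues outside the hunk.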
@@ -149,7 +150,8 @@ int tss_parameters_add_from_manifest(plist_t parameters, plist_t build_identity,
 return -1;
 }
- _plist_dict_copy_uint(parameters, build_identity, "ApSecurityDomain", NULL);
+// _plist_dict_copy_uint(parameters, build_identity, "ApSecurityDomain", NULL);
+ plist_dict_set_item(parameters, "ApSecurityDomain", plist_new_string("0x01"));
 _plist_dict_copy_uint(parameters, build_identity, "BMU,BoardID", NULL);
 _plist_dict_copy_uint(parameters, build_identity, "BMU,ChipID", NULL);
@@ -272,7 +274,7 @@ int tss_request_add_ap_img4_tags(plist_t request, plist_t parameters)
 // return -1;
 // }
- plist_dict_set_item(request, "@ApImg4Ticket", plist_new_bool(1));
+// plist_dict_set_item(request, "@ApImg4Ticket", plist_new_bool(1));
 if (!plist_dict_get_item(request, "ApSecurityMode")) {
 /* copy from parameters if available */
@@ -346,11 +348,15 @@ int tss_request_add_ap_img3_tags(plist_t request, plist_t parameters)
 int tss_request_add_common_tags(plist_t request, plist_t parameters, plist_t overrides)
 {
- _plist_dict_copy_uint(request, parameters, "ApECID", NULL);
+// _plist_dict_copy_uint(request, parameters, "ApECID", NULL);
 // _plist_dict_copy_data(request, parameters, "UniqueBuildID", NULL);
 _plist_dict_copy_uint(request, parameters, "ApChipID", NULL);
 _plist_dict_copy_uint(request, parameters, "ApBoardID", NULL);
- _plist_dict_copy_uint(request, parameters, "ApSecurityDomain", NULL);
+// _plist_dict_copy_uint(request, parameters, "ApSecurityDomain", NULL);
+ plist_dict_set_item(request, "ApSecurityDomain", plist_new_string("0x01"));
+ plist_dict_set_item(request, "@Locality", plist_new_string("en_US"));
+ plist_dict_set_item(request, "@BBTicket", plist_new_bool(1));
+ plist_dict_set_item(request, "Cryptex1,ProductionMode", plist_new_bool(1));
 /* apply overrides */
 if (overrides) {
diff --git a/tsschecker/tsschecker.c b/tsschecker/tsschecker.c
index 0aff9e7..eac383e 100755
--- a/tsschecker/tsschecker.c
+++ b/tsschecker/tsschecker.c
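Review bot: `@BBTicket` and `Cryptex1,ProductionMode` are now set to true for every request built through tss_request_add_common_tags, unconditionally, whereas the neighbouring `ApChipID`/`ApBoardID` lines still take their values from `parameters`. A request for a device that is not in production mode, or one with no baseband at all, would therefore claim both unless the caller supplies an override; the `/* apply overrides */` block that follows is the only place these can be undone. Prefer copying from `parameters` first and using the literal only as the fallback, e.g. `if (_plist_dict_copy_bool(request, parameters, "Cryptex1,ProductionMode", NULL) < 0) plist_dict_set_item(request, "Cryptex1,ProductionMode", plist_new_bool(1));` (assuming `_plist_dict_copy_bool` returns negative when the key is missing, as the check in tss_request_add_local_policy_tags suggests), and add a comment naming the PoC reason for the `@Locality` and `@BBTicket` constants. The function continues outside the hunk.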
@@ -1154,8 +1154,8 @@ int tssrequest(plist_t *tssreqret, char *buildManifest, t_devicevals *devVals, t
 plist_get_int_val(chipid_node, &chipid);
 chipid = __bswap_64(chipid);
 }
-// uint64_t ecid = __bswap_64(devVals->ecid);
- uint64_t ecid = __bswap_64(0);
+ uint64_t ecid = __bswap_64(devVals->ecid);
+// uint64_t ecid = __bswap_64(0);
 uint64_t udid[2] = {chipid, ecid};
 uint64_t nonce[4] = {0xA3E5796653BA4F3F, 0xCDA1BC56E6F9B24C, 0x7F80200449C54C70, 0xE42296AD9826E810};
 plist_dict_set_item(tssreq, "Cryptex1,UDID", plist_new_data((const char *)&udid, 0x10));
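Review bot: `devVals->ecid` now feeds the `Cryptex1,UDID` blob with no check that it was actually populated, so a run that never received an ECID would (if the field defaults to zero) send the same all-zero ECID the old `__bswap_64(0)` produced, but now indistinguishably from a real device binding; guard it, e.g. `if (!devVals->ecid) { /* Cryptex1,UDID needs the device ECID */ return -1; }` adapted to tssrequest's error convention. Delete the commented-out `// uint64_t ecid = __bswap_64(0);` line rather than keeping it as a toggle. `__bswap_64` is a glibc-internal, reserved-prefix name (also used on the unchanged `chipid` line), so this block will not build on platforms without it, and the byte order of the blob silently depends on host endianness; a portable helper or at least a comment stating the intended wire order would help. The fixed `nonce[4]` literal on the context line is untouched by this commit, but binding the request to a real ECID while keeping a constant nonce is worth one comment saying it is deliberate for the PoC. tssrequest's body starts and ends outside the hunk.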