
SUMMARY: WORKAROUND | 21E230 | X86_64 | cryptexctl | 3ef28a3 | EXC_BAD_ACCESS #25

Closed
xsscx opened this issue Mar 16, 2022 · 5 comments

Comments

@xsscx
Owner

xsscx commented Mar 16, 2022

SUMMARY: 21E230 | X86_64 | cryptexctl | EXC_BAD_ACCESS

It has been found that on macOS 12.3 (21E230) X86_64, the most recent update to cryptexctl from URL:

https://github.com/apple/security-research-device/tree/main/bin

from commit

https://github.com/apple/security-research-device/commit/3ef28a37a70d5b288a2da1a3e073975c9bae4a35

results in EXC_BAD_ACCESS when the command line arg "--variant=research" is applied from the X86_64 platform.

Workaround

Use Cryptex Manager

Reproduction

lldb -- cryptexctl install -p -l --variant=research --persist com.example.cryptex.cxbd.signed

Crash Reproduction with lldb

Reported

@xsscx xsscx closed this as completed Mar 16, 2022
@xsscx
Owner Author

xsscx commented Mar 16, 2022

It has been found that there are other command line args that will cause a Crash:

PoC:

lldb -- cryptexctl ${CRYPTEXCTL_PERSONALIZE_FLAGS} personalize --replace com.example.cryptex.cxbd

lldb -- cryptexctl ${CRYPTEXCTL_PERSONALIZE_FLAGS} personalize --replace com.example.cryptex.cxbd
(lldb) target create "cryptexctl"
Current executable set to 'cryptexctl' (x86_64).
(lldb) settings set -- target.run-args  "personalize" "--replace" "com.example.cryptex.cxbd"
(lldb) r
Process 53490 launched: '/usr/local/bin/cryptexctl' (x86_64)
objc[53490]: Class AppleTypeCRetimerRestoreInfoHelper is implemented in both /usr/lib/libauthinstall.dylib (0x7ff952b32dc0) and /Library/Apple/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/MobileDevice (0x100d64880). One of the two will be used. Which one is undefined.
objc[53490]: Class AppleTypeCRetimerFirmwareAggregateRequestCreator is implemented in both /usr/lib/libauthinstall.dylib (0x7ff952b32e10) and /Library/Apple/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/MobileDevice (0x100d648d0). One of the two will be used. Which one is undefined.
objc[53490]: Class AppleTypeCRetimerFirmwareRequestCreator is implemented in both /usr/lib/libauthinstall.dylib (0x7ff952b32e60) and /Library/Apple/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/MobileDevice (0x100d64920). One of the two will be used. Which one is undefined.
objc[53490]: Class ATCRTRestoreInfoFTABFile is implemented in both /usr/lib/libauthinstall.dylib (0x7ff952b32eb0) and /Library/Apple/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/MobileDevice (0x100d64970). One of the two will be used. Which one is undefined.
objc[53490]: Class AppleTypeCRetimerFirmwareCopier is implemented in both /usr/lib/libauthinstall.dylib (0x7ff952b32f00) and /Library/Apple/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/MobileDevice (0x100d649c0). One of the two will be used. Which one is undefined.
objc[53490]: Class ATCRTRestoreInfoFTABSubfile is implemented in both /usr/lib/libauthinstall.dylib (0x7ff952b32f50) and /Library/Apple/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/MobileDevice (0x100d64a10). One of the two will be used. Which one is undefined.
2022-03-16 14:43:42.858312-0400 cryptexctl[53490:780818] [library] USBMuxListenerCreateFiltered:898 Created 0x600003310000
2022-03-16 14:43:42.858433-0400 cryptexctl[53490:780836] [library] USBMuxHandleDictionary:1437 Adding event 0x6000002103a0 to changelist.
2022-03-16 14:43:42.858497-0400 cryptexctl[53490:780836] [library] USBMuxHandleDictionary:1437 Adding event 0x6000002105e0 to changelist.
2022-03-16 14:43:42.859900-0400 cryptexctl[53490:780818] [device-manager] [anonymous]: devices list = (
    "AMDevice 0x600003d00000 {UDID = 00008101-001418DA3CC0013A, device ID = 7, location ID = 0x14100000, product ID = 0x12a8}",
    "AMDevice 0x600003d000f0 {UDID = 00008030-001538D03C40012E, device ID = 6, location ID = 0x14500000, product ID = 0x12a8}"
)
2022-03-16 14:43:42.859952-0400 cryptexctl[53490:780818] [device-manager] [anonymous]: enumerating device: AMDevice 0x600003d00000 {UDID = 00008101-001418DA3CC0013A, device ID = 7, location ID = 0x14100000, product ID = 0x12a8}
2022-03-16 14:43:42.860037-0400 cryptexctl[53490:780818] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-03-16 14:43:42.862049-0400 cryptexctl[53490:780818] [device-manager] [anonymous]: query = {
    NULL =     (
        UniqueDeviceID,
        DeviceName,
        BuildVersion,
        Image4CryptoHashMethod,
        BoardId,
        ChipID,
        SecurityDomain,
        UniqueChipID,
        CertificateProductionStatus,
        CertificateSecurityMode,
        EffectiveProductionStatusAp,
        EffectiveSecurityModeAp
    );
}
2022-03-16 14:43:42.862228-0400 cryptexctl[53490:780818] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-03-16 14:43:42.865312-0400 cryptexctl[53490:780818] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-03-16 14:43:42.872832-0400 cryptexctl[53490:780818] [device-manager] [anonymous]: query result = {
    SuccessValueKey =     {
        NULL =         {
            BoardId = 12;
            BuildVersion = 19E241;
            CertificateProductionStatus = 1;
            CertificateSecurityMode = 1;
            ChipID = 33025;
            DeviceName = "D Hoyt\U2019s iPhone";
            EffectiveProductionStatusAp = 1;
            EffectiveSecurityModeAp = 1;
            Image4CryptoHashMethod = "sha2-384";
            SecurityDomain = 1;
            UniqueChipID = 5656825135366458;
            UniqueDeviceID = "00008101-001418DA3CC0013A";
        };
    };
}
2022-03-16 14:43:42.872900-0400 cryptexctl[53490:780818] [device-manager] [anonymous]: instantiating identity from: {
    BoardId = 12;
    BuildVersion = 19E241;
    CertificateProductionStatus = 1;
    CertificateSecurityMode = 1;
    ChipID = 33025;
    DeviceName = "D Hoyt\U2019s iPhone";
    EffectiveProductionStatusAp = 1;
    EffectiveSecurityModeAp = 1;
    Image4CryptoHashMethod = "sha2-384";
    SecurityDomain = 1;
    UniqueChipID = 5656825135366458;
    UniqueDeviceID = "00008101-001418DA3CC0013A";
}
2022-03-16 14:43:42.872935-0400 cryptexctl[53490:780818] [device-manager] [anonymous]: device: udid = 00008101-001418DA3CC0013A, name = D Hoyt’s iPhone, build = 19E241
2022-03-16 14:43:42.872974-0400 cryptexctl[53490:780818] [device-manager] [anonymous]: identity = '04 00 00 00 00 00 00 00 70 41 CF 4F F8 7F 00 00 00 00 00 00 00 00 00 00 01 00 00 00 0C 00 00 00 01 81 00 00 01 00 00 00 3A 01 C0 3C DA 18 14 00 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 8E 22 00 00 60 00 00 60 8F 22 00 00 60 00 00 60 40 01 00 00 60 00 00'
2022-03-16 14:43:42.873119-0400 cryptexctl[53490:780818] [device] [anonymous]: setting name: D Hoyt’s iPhone
2022-03-16 14:43:42.873159-0400 cryptexctl[53490:780818] [device-manager] [anonymous]: enumerating device: AMDevice 0x600003d000f0 {UDID = 00008030-001538D03C40012E, device ID = 6, location ID = 0x14500000, product ID = 0x12a8}
2022-03-16 14:43:42.873211-0400 cryptexctl[53490:780818] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-03-16 14:43:42.875386-0400 cryptexctl[53490:780818] [device-manager] [anonymous]: query = {
    NULL =     (
        UniqueDeviceID,
        DeviceName,
        BuildVersion,
        Image4CryptoHashMethod,
        BoardId,
        ChipID,
        SecurityDomain,
        UniqueChipID,
        CertificateProductionStatus,
        CertificateSecurityMode,
        EffectiveProductionStatusAp,
        EffectiveSecurityModeAp
    );
}
2022-03-16 14:43:42.875452-0400 cryptexctl[53490:780818] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-03-16 14:43:42.878766-0400 cryptexctl[53490:780818] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-03-16 14:43:42.887937-0400 cryptexctl[53490:780818] [device-manager] [anonymous]: query result = {
    SuccessValueKey =     {
        NULL =         {
            BoardId = 4;
            BuildVersion = 19E241;
            CertificateProductionStatus = 1;
            CertificateSecurityMode = 1;
            ChipID = 32816;
            DeviceName = "D Hoyt\U2019s iPhone";
            EffectiveProductionStatusAp = 1;
            EffectiveSecurityModeAp = 1;
            Image4CryptoHashMethod = "sha2-384";
            SecurityDomain = 1;
            UniqueChipID = 5973441526104366;
            UniqueDeviceID = "00008030-001538D03C40012E";
        };
    };
}
2022-03-16 14:43:42.887999-0400 cryptexctl[53490:780818] [device-manager] [anonymous]: instantiating identity from: {
    BoardId = 4;
    BuildVersion = 19E241;
    CertificateProductionStatus = 1;
    CertificateSecurityMode = 1;
    ChipID = 32816;
    DeviceName = "D Hoyt\U2019s iPhone";
    EffectiveProductionStatusAp = 1;
    EffectiveSecurityModeAp = 1;
    Image4CryptoHashMethod = "sha2-384";
    SecurityDomain = 1;
    UniqueChipID = 5973441526104366;
    UniqueDeviceID = "00008030-001538D03C40012E";
}
2022-03-16 14:43:42.888028-0400 cryptexctl[53490:780818] [device-manager] [anonymous]: device: udid = 00008030-001538D03C40012E, name = D Hoyt’s iPhone, build = 19E241
2022-03-16 14:43:42.888051-0400 cryptexctl[53490:780818] [device-manager] [anonymous]: identity = '04 00 00 00 00 00 00 00 70 41 CF 4F F8 7F 00 00 00 00 00 00 00 00 00 00 01 00 00 00 04 00 00 00 30 80 00 00 01 00 00 00 2E 01 40 3C D0 38 15 00 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00 40 01 20 00 00 60 00 00 80 01 20 00 00 60 00 00 80 40 00 00 00 60 00 00'
2022-03-16 14:43:42.888075-0400 cryptexctl[53490:780818] [device] [anonymous]: setting name: D Hoyt’s iPhone
2022-03-16 14:43:42.888210-0400 cryptexctl[53490:780818] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-03-16 14:43:42.893523-0400 cryptexctl[53490:780818] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-03-16 14:43:42.896225-0400 cryptexctl[53490:780818] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-03-16 14:43:42.977068-0400 cryptexctl[53490:780818] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-03-16 14:43:42.979956-0400 cryptexctl[53490:780818] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-03-16 14:43:42.991312-0400 cryptexctl[53490:780818] [library] USBMuxConnectByPort:584 Connecting to port 46280 (c8, b4)
2022-03-16 14:43:42.993628-0400 cryptexctl[53490:780818] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-03-16 14:43:42.996455-0400 cryptexctl[53490:780818] [library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-03-16 14:43:43.090481-0400 cryptexctl[53490:780836] AMSupportPlatformCreateBufferFromNativeFilePath: open failed: No such file or directory
2022-03-16 14:43:43.090662-0400 cryptexctl[53490:780836] AMSupportPlatformCreateBufferFromNativeFilePath: /usr/local/standalone/firmware/device_map.plist
2022-03-16 14:43:43.090708-0400 cryptexctl[53490:780836] AMAuthInstallApCopyDeviceEntryFromDeviceMap: Failed to read devicemap from file:///usr/local/standalone/firmware/device_map.plist
2022-03-16 14:43:43.090775-0400 cryptexctl[53490:780836] AMAuthInstallApCreateImagePropertiesWithDeviceMapZipped: WARNING: Could not retrieve image properties from devicemap.
2022-03-16 14:43:43.090887-0400 cryptexctl[53490:780836] AMAuthInstallApCreateImagePropertiesWithDeviceMapZipped: WARNING: Consider setting alternate device_map, ie in a device-specific SDK path.  Setting default RestoreRequestRules to: {
    Digest = {length = 48, bytes = 0x1c147bfb 1ed9542c aa31ee41 93403009 ... 8f5a033f 68393389 };
    EPRO = 1;
    ESEC = 1;
    Trusted = 1;
}
2022-03-16 14:43:43.090923-0400 cryptexctl[53490:780836] AMAuthInstallApCreateImagePropertiesWithDeviceMapZipped: WARNING: Note: This default behavior may change in the future into a hard error.
2022-03-16 14:43:43.091059-0400 cryptexctl[53490:780836] cf create failed: obj = CFString
Process 53490 stopped
* thread #2, queue = 'com.apple.security.libcryptex.core.dq', stop reason = signal SIGABRT
    frame #0: 0x00007ff80f3aadba libsystem_kernel.dylib`__abort_with_payload + 10
libsystem_kernel.dylib`__abort_with_payload:
->  0x7ff80f3aadba <+10>: jae    0x7ff80f3aadc4            ; <+20>
    0x7ff80f3aadbc <+12>: movq   %rax, %rdi
    0x7ff80f3aadbf <+15>: jmp    0x7ff80f3881c5            ; cerror_nocancel
    0x7ff80f3aadc4 <+20>: retq
Target 0: (cryptexctl) stopped.
(lldb) dis -f
libsystem_kernel.dylib`__abort_with_payload:
    0x7ff80f3aadb0 <+0>:  movl   $0x2000209, %eax          ; imm = 0x2000209
    0x7ff80f3aadb5 <+5>:  movq   %rcx, %r10
    0x7ff80f3aadb8 <+8>:  syscall
->  0x7ff80f3aadba <+10>: jae    0x7ff80f3aadc4            ; <+20>
    0x7ff80f3aadbc <+12>: movq   %rax, %rdi
    0x7ff80f3aadbf <+15>: jmp    0x7ff80f3881c5            ; cerror_nocancel
    0x7ff80f3aadc4 <+20>: retq
    0x7ff80f3aadc5 <+21>: nop
    0x7ff80f3aadc6 <+22>: nop
    0x7ff80f3aadc7 <+23>: nop
(lldb) re re --all
General Purpose Registers:
       rax = 0x0000000002000209
       rbx = 0x0000000000000000
       rcx = 0x000070000384b528
       rdx = 0x000070000384b5e0
       rdi = 0x0000000000000012
       rsi = 0x0000000000000002
       rbp = 0x000070000384b570
       rsp = 0x000070000384b528
        r8 = 0x0000600001709400
        r9 = 0x0000000000000000
       r10 = 0x0000000000000054
       r11 = 0x0000000000000246
       r12 = 0x0000000000000054
       r13 = 0x000070000384b5e0
       r14 = 0x0000000000000002
       r15 = 0x0000000000000012
       rip = 0x00007ff80f3aadba  libsystem_kernel.dylib`__abort_with_payload + 10
    rflags = 0x0000000000000246
        cs = 0x0000000000000007
        fs = 0x0000000000000000
        gs = 0x0000000000000000
       eax = 0x02000209
       ebx = 0x00000000
       ecx = 0x0384b528
       edx = 0x0384b5e0
       edi = 0x00000012
       esi = 0x00000002
       ebp = 0x0384b570
       esp = 0x0384b528
       r8d = 0x01709400
       r9d = 0x00000000
      r10d = 0x00000054
      r11d = 0x00000246
      r12d = 0x00000054
      r13d = 0x0384b5e0
      r14d = 0x00000002
      r15d = 0x00000012
        ax = 0x0209
        bx = 0x0000
        cx = 0xb528
        dx = 0xb5e0
        di = 0x0012
        si = 0x0002
        bp = 0xb570
        sp = 0xb528
       r8w = 0x9400
       r9w = 0x0000
      r10w = 0x0054
      r11w = 0x0246
      r12w = 0x0054
      r13w = 0xb5e0
      r14w = 0x0002
      r15w = 0x0012
        ah = 0x02
        bh = 0x00
        ch = 0xb5
        dh = 0xb5
        al = 0x09
        bl = 0x00
        cl = 0x28
        dl = 0xe0
       dil = 0x12
       sil = 0x02
       bpl = 0x70
       spl = 0x28
       r8l = 0x00
       r9l = 0x00
      r10l = 0x54
      r11l = 0x46
      r12l = 0x54
      r13l = 0xe0
      r14l = 0x02
      r15l = 0x12

Floating Point Registers:
     fctrl = 0x037f
     fstat = 0x0000
      ftag = 0x0000
       fop = 0x0000
     fioff = 0x0f43b408
     fiseg = 0x7ff8
     fooff = 0x00000000
     foseg = 0x0000
     mxcsr = 0x00001fa0
  mxcsrmask = 0x0000ffff
     stmm0 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xff 0xff}
     stmm1 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
     stmm2 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
     stmm3 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
     stmm4 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
     stmm5 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xff 0xff}
     stmm6 = {0xbe 0x8c 0x53 0x03 0x00 0x00 0x00 0x00 0xff 0xff}
     stmm7 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      ymm0 = {0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      ymm1 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      ymm2 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      ymm3 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      ymm4 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      ymm5 = {0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      ymm6 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      ymm7 = {0xff 0xff 0x00 0x00 0xff 0xff 0x00 0x00 0xff 0xff 0x00 0x00 0xff 0xff 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      ymm8 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      ymm9 = {0x02 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
     ymm10 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
     ymm11 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
     ymm12 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
     ymm13 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
     ymm14 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
     ymm15 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      xmm0 = {0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff}
      xmm1 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      xmm2 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      xmm3 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      xmm4 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      xmm5 = {0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff}
      xmm6 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x80}
      xmm7 = {0xff 0xff 0x00 0x00 0xff 0xff 0x00 0x00 0xff 0xff 0x00 0x00 0xff 0xff 0x00 0x00}
      xmm8 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
      xmm9 = {0x02 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
     xmm10 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
     xmm11 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
     xmm12 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
     xmm13 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
     xmm14 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
     xmm15 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}

Exception State Registers:
    trapno = 0x00000085
       err = 0x02000209
  faultvaddr = 0x0000000100d7f6c2

(lldb) bt all
  thread #1, queue = 'com.apple.main-thread'
    frame #0: 0x00007ff80f3879b6 libsystem_kernel.dylib`semaphore_wait_trap + 10
    frame #1: 0x00007ff80f2097ce libdispatch.dylib`_dispatch_sema4_wait + 16
    frame #2: 0x00007ff80f209c9d libdispatch.dylib`_dispatch_semaphore_wait_slow + 98
    frame #3: 0x000000010001663a cryptexctl`___lldb_unnamed_symbol137$$cryptexctl + 2890
    frame #4: 0x00007ff8119f07ff libsystem_darwin.dylib`os_subcommand_main + 671
    frame #5: 0x000000010001df70 cryptexctl`___lldb_unnamed_symbol203$$cryptexctl + 48
    frame #6: 0x000000010006951e dyld`start + 462
* thread #2, queue = 'com.apple.security.libcryptex.core.dq', stop reason = signal SIGABRT
  * frame #0: 0x00007ff80f3aadba libsystem_kernel.dylib`__abort_with_payload + 10
    frame #1: 0x00007ff80f3ac877 libsystem_kernel.dylib`abort_with_payload_wrapper_internal + 80
    frame #2: 0x00007ff80f3ac8a9 libsystem_kernel.dylib`abort_with_payload + 9
    frame #3: 0x00007ff80f30ef52 libsystem_c.dylib`_os_crash_fmt.cold.1 + 55
    frame #4: 0x00007ff80f2d34a6 libsystem_c.dylib`_os_crash_fmt + 154
    frame #5: 0x00007ffa1a685a18 libcryptex_core.dylib`_CFDictionarySetString + 218
    frame #6: 0x00007ffa1a67dea1 libcryptex_core.dylib`_shared_cdxn_stamp + 102
    frame #7: 0x00007ffa1a6844af libcryptex_core.dylib`_cryptex_scrivener_init_tss + 1396
    frame #8: 0x00007ffa1a682ed3 libcryptex_core.dylib`_cryptex_scrivener_init + 67
    frame #9: 0x00007ffa1a67d37a libcryptex_core.dylib`_cryptex_init + 12
    frame #10: 0x00007ff80f209317 libdispatch.dylib`_dispatch_client_callout + 8
    frame #11: 0x00007ff80f20f317 libdispatch.dylib`_dispatch_lane_serial_drain + 672
    frame #12: 0x00007ff80f20fdfd libdispatch.dylib`_dispatch_lane_invoke + 366
    frame #13: 0x00007ff80f219eee libdispatch.dylib`_dispatch_workloop_worker_thread + 753
    frame #14: 0x00007ff80f3c0fd0 libsystem_pthread.dylib`_pthread_wqthread + 326
    frame #15: 0x00007ff80f3bff57 libsystem_pthread.dylib`start_wqthread + 15
  thread #3
    frame #0: 0x00007ff80f38905a libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #1: 0x00007ff80f3c1034 libsystem_pthread.dylib`_pthread_wqthread + 426
    frame #2: 0x00007ff80f3bff57 libsystem_pthread.dylib`start_wqthread + 15
(lldb) q
Quitting LLDB will kill one or more processes. Do you really want to proceed: [Y/n] y
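
The transcript above stops with SIGABRT reached through abort_with_payload and _os_crash_fmt beneath libcryptex_core.dylib`_CFDictionarySetString, right after "cf create failed: obj = CFString". As an added example (not part of this issue, and not cryptexctl or lldb code), here is a small Python triage helper that parses `bt all` output of that shape: it identifies the crashing thread and signal, finds the first frame outside the Darwin system libraries, and flags whether the stack is a deliberate abort path or a memory access fault. The embedded sample is a trimmed excerpt of the session above; the list of module prefixes treated as "system" and the abort-marker symbols are assumptions of the example.

```python
"""Triage an lldb crash transcript of the kind pasted above.

Added example; not part of the issue, cryptexctl or lldb. It parses `bt all`
output to answer the first questions of crash triage: which signal stopped the
process, which thread crashed, which frame is the first one outside the system
libraries, and whether the stack shows a deliberate abort (abort_with_payload /
_os_crash_fmt) rather than a memory access fault.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an excerpt of the lldb session quoted in this issue,
# trimmed to the lines the parser cares about.
SAMPLE = """\
Process 53490 stopped
* thread #2, queue = 'com.apple.security.libcryptex.core.dq', stop reason = signal SIGABRT
    frame #0: 0x00007ff80f3aadba libsystem_kernel.dylib`__abort_with_payload + 10
(lldb) bt all
  thread #1, queue = 'com.apple.main-thread'
    frame #0: 0x00007ff80f3879b6 libsystem_kernel.dylib`semaphore_wait_trap + 10
    frame #1: 0x00007ff80f2097ce libdispatch.dylib`_dispatch_sema4_wait + 16
    frame #3: 0x000000010001663a cryptexctl`___lldb_unnamed_symbol137$$cryptexctl + 2890
* thread #2, queue = 'com.apple.security.libcryptex.core.dq', stop reason = signal SIGABRT
  * frame #0: 0x00007ff80f3aadba libsystem_kernel.dylib`__abort_with_payload + 10
    frame #1: 0x00007ff80f3ac877 libsystem_kernel.dylib`abort_with_payload_wrapper_internal + 80
    frame #2: 0x00007ff80f3ac8a9 libsystem_kernel.dylib`abort_with_payload + 9
    frame #3: 0x00007ff80f30ef52 libsystem_c.dylib`_os_crash_fmt.cold.1 + 55
    frame #4: 0x00007ff80f2d34a6 libsystem_c.dylib`_os_crash_fmt + 154
    frame #5: 0x00007ffa1a685a18 libcryptex_core.dylib`_CFDictionarySetString + 218
    frame #6: 0x00007ffa1a67dea1 libcryptex_core.dylib`_shared_cdxn_stamp + 102
  thread #3
    frame #0: 0x00007ff80f38905a libsystem_kernel.dylib`__workq_kernreturn + 10
(lldb) q
"""

THREAD_RE = re.compile(
    r"^\s*(\*)?\s*thread #(\d+)(?:, queue = '([^']*)')?(?:, stop reason = (.+?))?\s*$")
FRAME_RE = re.compile(
    r"^\s*\*?\s*frame #(\d+): 0x([0-9a-fA-F]+) ([^`]+)`(.+?) \+ (\d+)\s*$")

# Assumption: frames in these modules are runtime plumbing, skipped when looking
# for the first frame worth reading.
SYSTEM_PREFIXES = ("libsystem_", "libdispatch", "libobjc", "dyld")
# Assumption: symbols with these prefixes (leading underscores stripped) mark a
# deliberate abort path rather than a fault.
ABORT_PREFIXES = ("abort_with_payload", "os_crash", "pthread_kill")


@dataclass
class Frame:
    index: int
    address: int
    module: str
    symbol: str
    offset: int


@dataclass
class Thread:
    number: int
    queue: Optional[str]
    stop_reason: Optional[str]
    selected: bool  # lldb marks the stopped thread with '*'
    frames: List[Frame] = field(default_factory=list)


def parse_bt(text: str) -> List[Thread]:
    """Parse threads and frames printed by `bt all`, stopping at the next
    (lldb) prompt; falls back to scanning the whole text if `bt all` is absent."""
    lines = text.splitlines()
    start = next((i + 1 for i, l in enumerate(lines) if l.strip() == "(lldb) bt all"), 0)
    threads: List[Thread] = []
    for line in lines[start:]:
        if start and line.startswith("(lldb)"):
            break
        m = THREAD_RE.match(line)
        if m:
            threads.append(Thread(int(m.group(2)), m.group(3), m.group(4), bool(m.group(1))))
            continue
        m = FRAME_RE.match(line)
        if m and threads:
            threads[-1].frames.append(Frame(int(m.group(1)), int(m.group(2), 16),
                                            m.group(3), m.group(4), int(m.group(5))))
    return threads


def signal_of(stop_reason: Optional[str]) -> Optional[str]:
    """'signal SIGABRT' -> 'SIGABRT'; 'EXC_BAD_ACCESS (code=1, ...)' -> 'EXC_BAD_ACCESS'."""
    if not stop_reason:
        return None
    m = re.match(r"signal (\w+)", stop_reason)
    return m.group(1) if m else stop_reason.split()[0]


def crashed_thread(threads: List[Thread]) -> Optional[Thread]:
    """The thread lldb selected, or failing that the first one with a stop reason."""
    for t in threads:
        if t.selected or t.stop_reason:
            return t
    return None


def first_app_frame(thread: Thread) -> Optional[Frame]:
    """First frame not in a system library: where to start reading."""
    for f in thread.frames:
        if not f.module.startswith(SYSTEM_PREFIXES):
            return f
    return None


def classify(thread: Thread) -> str:
    """Deliberate abort (checked failure) versus memory fault (possible corruption)."""
    sig = signal_of(thread.stop_reason)
    aborting = any(f.symbol.lstrip("_").startswith(ABORT_PREFIXES) for f in thread.frames)
    if sig == "SIGABRT" or aborting:
        return "deliberate-abort"
    if sig in ("SIGSEGV", "SIGBUS", "EXC_BAD_ACCESS"):
        return "memory-fault"
    return "other"


def triage(text: str) -> dict:
    """One-shot summary of a transcript for a bug report or a triage queue."""
    threads = parse_bt(text)
    t = crashed_thread(threads)
    if t is None:
        return {"threads": len(threads), "thread": None}
    app = first_app_frame(t)
    return {
        "threads": len(threads),
        "thread": t.number,
        "queue": t.queue,
        "signal": signal_of(t.stop_reason),
        "kind": classify(t),
        "first_app_frame": f"{app.module}`{app.symbol}" if app else None,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k:16} {v}")
```

Run against the sample, the summary reports thread #2, signal SIGABRT, kind deliberate-abort and first_app_frame libcryptex_core.dylib`_CFDictionarySetString, which is the distinction worth recording in a report: an abort raised by a failed CFString creation is a checked failure, whereas a SIGSEGV or EXC_BAD_ACCESS would point at a memory-safety problem needing a different investigation.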

@xsscx
Owner Author

xsscx commented Mar 25, 2022

The arg --persist also causes a Crash

@xsscx xsscx reopened this Mar 25, 2022
xsscx added a commit that referenced this issue May 5, 2022
On arm64e, building the default Apple example-cryptex fails. Conftest is the issue with invalid code signature, which makes the dropbear build useless for SRD. Use the pre-built DMG's using arm64e. Also, cryptex personalizations from X86_64 result with a Crash, see Issues #26 & #25. Creating a workaround now() for a fix. Use pre-built DMG's and install from arm64e only since X86_64 doesn't work for cryptexctl or CryptexManager due to AMFIResearch Complaints.
xsscx added a commit that referenced this issue May 5, 2022
1. Building the default Apple example-cryptex fails 
2. Posted a quick workaround for dropbear and its configure.ac. 
3. Use the pre-built DMG's using arm64e. 
4. Cryptex personalizations from X86_64 result with a Crash when using cryptexctl, see Issues #26 & #25. Use arm64e, X86_64 is a special snowflake.
5. This Repo will become Code Only with basic readme.rtfm and all Write-ups, Comments moved to https://srd.cx to lower the Noise for Cloning. Hopefully the mothership will catch up soon with fixes, which will make this exercise m00t.

X86_64 Bugs du Jour for cryptexctl
------------
- macOS 12.3.1 (21E230) X86_64 Note: cryptexctl == EXC_BAD_ACCESS (SIGSEGV)
    - [CryptexManager](https://github.com/pinauten/CryptexManager) on X86_64 has AMFI complaints and isn't reliable
- cryptexctl X86_64 Error: manifest constraint violated: BORD: 13
    - com.apple.cryptex ==  firmware execution failed: 13: Permission denied 
    - MobileStorageMounter Failed to install cryptex (<private>): 13 (Permission denied)
@xsscx
Owner Author

xsscx commented May 8, 2022

Pulling X86_64 from Testing for Cryptex Installations only. This issue has created a hardware requirement for an arm64e install-only pipeline, which is completely unexpected, lasting more than 60 days.
Issue above Resolved in 19F77.

Closing the issue due to the length of time without a response and continued development problems plaguing SRD Tools.

This is also helpful for debugging cryptex issues:

echo '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Enable-Private-Data</key><true/></dict></plist>' > /Library/Preferences/Logging/com.apple.system.logging.plist

now go kill -HUP logd and check Console Log
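
As an added example (not from the issue or any Apple tool), the same logging setting written with Python's plistlib instead of echoing raw XML: it merges Enable-Private-Data into whatever the file already contains rather than replacing the file, and reads it back as a check before logd is reloaded. The path is the one from the comment above; roundtrip_in_tempdir exercises the helpers on a scratch copy, and the pre-existing key it seeds is constructed for the demonstration.

```python
"""Enable <private> data in macOS unified logging via the logging plist.

Added example; not part of the issue or of any Apple tool. It builds the plist
with plistlib instead of echoing raw XML, merges the key into any existing
settings, and verifies the file before logd is reloaded.
"""
import plistlib
import tempfile
from pathlib import Path

# Path used in the comment above; writing here requires root.
LOGGING_PLIST = Path("/Library/Preferences/Logging/com.apple.system.logging.plist")
KEY = "Enable-Private-Data"


def enable_private_data(path: Path = LOGGING_PLIST) -> dict:
    """Set Enable-Private-Data = true, preserving other keys already in the file."""
    settings: dict = {}
    if path.exists():
        with path.open("rb") as fh:
            loaded = plistlib.load(fh)
        if not isinstance(loaded, dict):
            raise ValueError(f"{path} is not a dictionary plist; refusing to overwrite")
        settings = loaded
    settings[KEY] = True
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("wb") as fh:
        plistlib.dump(settings, fh, fmt=plistlib.FMT_XML, sort_keys=True)
    return settings


def private_data_enabled(path: Path = LOGGING_PLIST) -> bool:
    """Read the file back: the check to run before `kill -HUP logd`."""
    if not path.exists():
        return False
    with path.open("rb") as fh:
        data = plistlib.load(fh)
    return isinstance(data, dict) and data.get(KEY) is True


def roundtrip_in_tempdir() -> dict:
    """Exercise both helpers on a scratch file seeded with an unrelated key
    (constructed) to show the merge keeps existing settings intact."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "com.apple.system.logging.plist"
        with target.open("wb") as fh:
            plistlib.dump({"ExampleExistingKey": "keep-me"}, fh)
        before = private_data_enabled(target)
        merged = enable_private_data(target)
        after = private_data_enabled(target)
        xml = target.read_bytes()
    return {"before": before, "after": after, "merged": merged, "xml": xml}


if __name__ == "__main__":
    result = roundtrip_in_tempdir()
    print(result["xml"].decode())
    print("enabled after merge:", result["after"])
```

On a real system the calls are enable_private_data() followed by private_data_enabled(), both as root, and only once the second returns True is it worth sending HUP to logd; keeping the other keys in the file intact is the reason to prefer the merge over a wholesale overwrite.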

@xsscx xsscx closed this as completed May 8, 2022
@xsscx
Owner Author

xsscx commented May 11, 2022

Re-opening as Feedback had questions......

@xsscx xsscx reopened this May 11, 2022
@xsscx
Owner Author

xsscx commented May 29, 2022

This is a dead horse.. use CryptexManager

@xsscx xsscx closed this as completed May 29, 2022
@xsscx xsscx changed the title from "21E230 | X86_64 | cryptexctl | 3ef28a3 | EXC_BAD_ACCESS" to "SUMMARY: WORKAROUND | 21E230 | X86_64 | cryptexctl | 3ef28a3 | EXC_BAD_ACCESS" May 31, 2022