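---
# Catalogue of Secure Enclave Processor (SEP) endpoints and the opcodes
# documented for each one. Services are keyed by their four-character code.
# NOTE(review): nesting was reconstructed from a flattened listing; every
# service is assumed to sit under sep_services - confirm against upstream.
metadata:
  # Both fields are empty (null) in this revision.
  description:
  credits:
sep_services:
  # Control endpoint; the only service listed with fixed_endpoint 0.
  SEPD:
    description: 'Incorrect: fixed at ID 0, sepd is a play on launchd'
    fixed_endpoint: 0
    xnu_name: AppleSEPControl
    xnu_kext: AppleSEPManager
    # Opcode ids are sparse; ids that are not listed are undocumented here.
    opcodes:
      - id: 0
        const: kOpCode_NOP
        description: No operation
      # ids 2-5 describe the OOL (presumably out-of-line) buffers: the AP
      # supplies an address and a size for each direction. This file does not
      # document which side validates those values.
      - id: 2
        const: kOpCode_SET_OOL_IN_ADDR
        description: set the address of a block of AP memory to be transferred
          to the SEP for the next request
      - id: 3
        const: kOpCode_SET_OOL_OUT_ADDR
        description: set the address of a block of AP memory to be used to
          return the result of a given SEP response
      - id: 4
        const: kOpCode_SET_OOL_IN_SIZE
        description: set the size of the memory block to be transferred to the
          endpoint as a parameter
      - id: 5
        const: kOpCode_SET_OOL_OUT_SIZE
        description: set the size of the memory block allocated to be written
          to as a response to a SEP request
      - id: 10
        const: kOpCode_TTYIN
      - id: 12
        const: kOpCode_Sleep
        description: put the SEP into low power and wait for an external IRQ
      # NOTE(review): sibling entries store the kOpCode_* symbol under
      # 'const'; this entry and id 37 use 'name' - confirm which is intended.
      - id: 19
        name: kOpCode_Nap
        description: put the SEP into low power and wake after a timeout
      - id: 20
        const: kOpCode_SECMODE_REQUEST
        description: get the current effective security mode of the SEP
      - id: 24
        const: kOpCode_SELFTEST
        description: perform diagnostics and internal consistency checks on
          the SEP
      - id: 37
        name: kOpCode_ERASE_INSTALL
        description: Queue the system for a wipe and install of IPSW
      - id: 38
        const: kOpCode_L4_PANIC
        description: Panic the L4 microkernel
      - id: 39
        const: kOpCode_SEPOSPANIC
        description: Panic the SEPOS
  slog:
    description: SEP logging service
    xnu_name: AppleSEPLogger
    xnu_kext: AppleSEPManager
  arts:
    description: Anti-replay Token Storage
    xnu_name: AppleSEPARTStorage
    xnu_kext: AppleSEPManager
  artr:
    description: Anti-replay token request
    # Empty (null): no XNU-side name is recorded for this endpoint.
    xnu_name:
  sepS:
    description: SEP services endpoint
  sbio:
    description: Secure Biometric Services
  skgs:
    description: Secure Key Generation Service
  # xarm and xars carry the same description; the file does not say how the
  # two differ.
  xarm:
    description: xART
  xars:
    description: xART
  # cntl and sidv are listed with empty (null) descriptions.
  cntl:
    description:
  sidv:
    description:
  test:
    description: Test Service
  sars:
    description: Secure Anti-Replay Service
  enti:
    description: Entitlement Service
  debg:
    description: Debug
    xnu_name: AppleSEPDebug
    xnu_kext: AppleSEPManager
  # Double-quoted so that \0 is parsed as a NUL character: a three-letter
  # name padded to the four-character code length.
  "sks\0":
    description: Secure Key Storage (AppleKeyStore)
    xnu_name: AppleSEPKeyStore
    xnu_kext: AppleSEPKeyStore
  "sse\0":
    description: Proxy access to the SE (secure element)
    xnu_kext: AppleSSE
  scrd:
    description: Secure Credential Manager (AppleCredentialStore)
    xnu_kext: AppleCredentialManager
  lpol:
    name: boot_policy
    description: Manage Apple Silicon macOS boot policy
    opcodes:
      - id: 2
        name: begin_update_policy
        description: Begin a boot policy update operation
      # No description is recorded for the matching end operation.
      - id: 3
        name: end_update_policy
  disc:
    fixed_endpoint: 253
    name: discovery
    description: |-
      First advertise, then expose
      `id` is endpoint number `name` is `'scrd'` or `'sks\0'` for example. (4 char code)
      struct app_info {
        uint64_t physical_addr;
        uint32_t virtual_base;
        uint32_t size;
        uint32_t entry;
        uint8_t name[12];
        uint8_t hash[16];
      }
    # NOTE(review): unlike the other services, opcodes here is a mapping keyed
    # by the opcode number rather than a sequence of `- id:` entries; a
    # consumer has to handle both shapes.
    opcodes:
      0:
        name: advertise
        request_struct: |
          // Credit: ntrung03
          struct ep_advertise_data {
            uint8_t id; /* param */
            uint32_t name; /* data, Apple 4CC for the applet name */
          };
      1:
        name: expose
        request_struct: |
          // Credit: ntrung03
          struct ep_expose_data {
            uint8_t id; /* param */
            char ool_in_min_pages;
            char ool_in_max_pages;
            char ool_out_min_pages;
            char ool_out_max_pages;
          };
  krnl:
    fixed_endpoint: 254
    name: L4info
    # ids run from 0 to 64 in steps of 4. Six entries carry `privileged:
    # true`; the others omit the key. Presumably this mirrors the L4
    # privileged system calls - confirm against the kernel.
    opcodes:
      - id: 0
        name: L4_Ipc
        description: Set up ipc between two threads
      - id: 4
        name: L4_ThreadSwitch
        description: Yield execution to thread
      - id: 8
        name: L4_ThreadControl
        description: Create or delete threads
        privileged: true
      - id: 12
        name: L4_ExchangeRegisters
        description: Exchange registers
      - id: 16
        name: L4_Schedule
        description: Set thread scheduling information
      - id: 20
        name: L4_MapControl
        description: Map or free virtual memory
        privileged: true
      - id: 24
        name: L4_SpaceControl
        description: Create a new address space
        privileged: true
      - id: 28
        name: L4_ProcessorControl
        description: Sets processor attributes
      - id: 32
        name: L4_CacheControl
        description: Cache flushing
      - id: 36
        name: L4_IpcControl
        description: Adjust IPC access
        privileged: true
      - id: 40
        name: L4_InterruptControl
        description: Enable or disable an interrupt
        privileged: true
      - id: 44
        name: L4_GetTimebase
        description: Gets the system time
      - id: 48
        name: L4_SetTimeout
        description: Set timeout for IPC sessions
      - id: 52
        name: L4_SharedMappingControl
        description: Set up a shared mapping
        privileged: true
      - id: 56
        name: L4_SleepKernel
        description: cause the SEP kernel to sleep until an external interrupt
          occurs
      - id: 60
        name: L4_PowerControl
      - id: 64
        name: L4_KernelInterface
        description: Get information about the running L4 kernel
  sepr:
    fixed_endpoint: 255
    name: seprom
    # Entries are kept in the order the file lists them (1, 15, 10).
    opcodes:
      - id: 1
        name: ping
        description: request a pong from the SEP
      - id: 15
        name: panic
        description: Common to all Apps, panic
      - id: 10
        name: random
        description: get random bytes from the SEP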