ChanServ changed the topic of #asahi-re to: Asahi Linux: porting Linux to Apple Silicon macs | Hardware / boot process / firmware interface reverse engineering | WARNING: this channel (only) may contain binary reverse engineering discussion | RE policy: https://alx.sh/re (MANDATORY READ) | GitHub: https://alx.sh/g | Wiki: https://alx.sh/w | Logs: https://alx.sh/l/asahi-re
cylm_ has joined #asahi-re
Dcow has quit [Remote host closed the connection]
Dcow has joined #asahi-re
Dcow has quit [Remote host closed the connection]
Dcow has joined #asahi-re
cylm has joined #asahi-re
cylm_ has quit [Read error: Connection reset by peer]
Dcow has quit [Remote host closed the connection]
cylm_ has joined #asahi-re
cylm has quit [Ping timeout: 480 seconds]
cylm_ has quit [Quit: WeeChat 3.7.1]
cylm has joined #asahi-re
jole_ has joined #asahi-re
jole has quit [Read error: Connection reset by peer]
cylm has quit [Quit: WeeChat 3.7.1]
cylm has joined #asahi-re
millenialhacker has joined #asahi-re
millenialhacker has quit [Quit: Konversation terminated!]
TellowKrinkle has joined #asahi-re
millenialhacker has joined #asahi-re
millenialhacker has quit [Remote host closed the connection]
millenialhacker has joined #asahi-re
SSJ_GZ has joined #asahi-re
cylm has quit [Quit: WeeChat 3.7.1]
nicolas17 has quit [Quit: Konversation terminated!]
millenialhacker has quit [Ping timeout: 480 seconds]
millenialhacker has joined #asahi-re
millenialhacker has quit [Ping timeout: 480 seconds]
millenialhacker has joined #asahi-re
millenialhacker has quit [Remote host closed the connection]
millenialhacker has joined #asahi-re
<millenialhacker>
Quick question, I'm will RE ISP Co-processor firmware, but I have no idea where is located, I checked my EFI partition vendorfw folder, but it seems there we only have wifi/bt fw, am I right?
<millenialhacker>
at least that what I get by reading asahi installer.
<millenialhacker>
well... I'm pulling the whole ipsw and will try to just extract it and see where the fw is located
<ChaosPrincess>
its in /System/Volumes/Preboot/<uuid here>/boot/<hash here>/usr/standalone/firmware/FUD/ISP.img4
<millenialhacker>
Thanks ChaosPrincess
<ChaosPrincess>
also, you shouldnt need it unless you are loading it into ghidra or sth, it should be loaded by iboot, not the os
<millenialhacker>
I;m gonna put it on ghidra
<millenialhacker>
If I have more than one hash, easy way to check which one to pull from, I guess it's because I have principal MacOS install & Stub for Asahi Linux
<ChaosPrincess>
iiuc you should only have multiple hashes if you installed multiple oses into one container
<millenialhacker>
well only one of hashes folder has the firmware files
<millenialhacker>
Can I assume those fw files are from stub (12.3) and not main OS (13.0) ?
<ChaosPrincess>
if you grabbed it from /system/volumes/preboot - thats from the active os
<ChaosPrincess>
if you want ones from the stub, you need to mount it's preboot partition somewhere and grab it from that
<ChaosPrincess>
i think you can also grab it from the ipsw
<millenialhacker>
Ah got it got it. I'm not familiar with apple partitioning layout & containers.
<millenialhacker>
Let me mount the stub in 1TR and extract the firmware then
<millenialhacker>
rebooting to 1TR... brb
millenia_ has joined #asahi-re
millenialhacker has quit [Read error: No route to host]
millenialhacker has joined #asahi-re
millenia_ has quit [Remote host closed the connection]
millenia_ has joined #asahi-re
millenialhacker has quit [Read error: Connection reset by peer]
millenialhacker has joined #asahi-re
millenia_ has quit [Read error: Connection reset by peer]
<millenialhacker>
ChaosPrincess, I just extracted the payload from img4 / im4m containers, but Ghidra is unable to parse it saying it lacks a LINKEDIT segment. Do you know if I'm missing something?
<ChaosPrincess>
maybe play with mach-o settings in ghidra?
<ChaosPrincess>
or, load as raw, find the entry point with otool, and define that address as code in ghidra
bluetail3 has joined #asahi-re
<ChaosPrincess>
but that sounds like pain
<millenialhacker>
I do not see any mach-o options, I mean it allows to pick architecture and that's all, I tried apple silicon & arm32 (I think those co-processors are 32bits) and both failed with same error.
bluetail has quit [Ping timeout: 480 seconds]
bluetail3 is now known as bluetail
<millenialhacker>
well, otool actually reports it as ARM64 (Cpu type: 16777228)
<ChaosPrincess>
well, maybe try ida?
<millenialhacker>
I don't have IDA license :(
<millenialhacker>
I'm a hobbyist :D
<ChaosPrincess>
well, there are ways :wink:
<millenialhacker>
hahaha
<sven>
don't they have a home license for like 360eur/year or something these days?
<millenialhacker>
I don't have that amount of money in my pocket right now xP
<millenialhacker>
Has anyone here used Ghidra to analyze a co-processor fw?
Dcow has joined #asahi-re
<amarioguy>
millenialhacker: at least you get a coproc fw to analyze, the one i'm working on is encrypted :D
<marcan>
millenialhacker: Ghidra loads the ISP firmware just fine here. I suspect you messed up extracting it
<ChaosPrincess>
`dd if=ISP.img4 of=ispx bs=36 skip=1` seems to work
<millenia_>
I extracted those img4 firmware files from Mac OS 12.3 installation.
millenialhacker has quit [Ping timeout: 480 seconds]
<marcan>
different ghidra version? (I have 10.1.1)
ncopa has quit [Quit: Alpine Linux, the security-oriented, lightweight Linux distribution]
<millenia_>
that may be, I have 10.2
<millenia_>
Chaos
<millenia_>
ChaosPrincess, I tried as well with dd command and same error when I try to open it with ghidra.
<millenia_>
I will try to downgrade to ghidra 10.1
<ChaosPrincess>
might be ghidra version, i have 9.1.2
<millenia_>
10.2 was released 6 days ago, I'd not be surprised
MajorBiscuit has quit [Quit: WeeChat 3.6]
<millenia_>
Yeah, it works fine in 10.1
<millenia_>
Be aware now that 10.2 depends of mach-o binaries to include __EDITLINK segment
<millenia_>
This looks like a joke:
<millenia_>
Mach-O Binary Import
<millenia_>
Mach-O binary analysis continues to improve. Support has been added for new file formats introduced in iOS 16 and macOS 13. Improvements have also been made to function identification, symbol detection, and Objective-C support.