Seputil

seputil has the following commands:

seputil: seputil [--wait] --load seputil: seputil '' seputil: seputil seputil: seputil: Valid words: seputil:    --ping        Send a PING operation to the SEP OS seputil:     --load        Load as the SEP runtime firmware seputil:    --restore     Load as the SEP runtime firmware in restore mode seputil:    --restore+art Load as the SEP runtime firmware in restore mode with ART seputil:    --wait        Pause for kernel driver to load before failing seputil:    --preflight   Pre-flight load/restore firmware against ART to pre-check for boot failures seputil:    --log         Dump the mailbox message log seputil:    --rom status  Get the ROM status seputil:    --rom tz0     Send a ROM TZ0 command seputil:    --rom nop     Send a ROM NOP command seputil:    --rom nonce   Send a ROM nonce request seputil:    --new-nonce   Request new SEP/OS nonce seputil:    --kill-nonce  Request invalidate SEP/OS nonce seputil:    --art get     Dump current ART from Memory seputil:    --art set     Persist the supplied ART to storage seputil:    --art clear   Clear the persisted ART seputil:    --art ctrtest Counter self-test (DESTRUCTIVE - WILL BRICK DEVICE) seputil:    --sleep       Sleep the SEP NOW! seputil:    --nap         Nap the SEP NOW! seputil:    --pingflood   Ping SEP endlessly seputil:    --clkgate     Enable SEP clock gating seputil:    --get   Read obj and write to stdout seputil:    --put   Read stdin and write to obj seputil:    --boot-check  Check whether a firmware might be bootable WRT the current ART seputil:    --dump-fw     Dump measurements of firmware file seputil:  Bare words on the commandline are sent to the SEP as a console command

Examples
./seputil --pingflood SEP ping #1000 SEP ping #2000 SEP ping #3000 SEP ping #4000

./seputil --load sep-firmware.img4 seputil: load fw returned 0xe00002d5 seputil: load failed

./seputil --new-nonce Nonce (20 bytes): 0x67fc18385630dc6429726677d196c81466f47b5e

./seputil --art get raw ART: 305e0201003037020218340414519c0248f04d316a3d71e03978b4126fbfb2b15c0400041467fc18385630dc6429726677d196c81466f47b5e3103c00100042027b6dadbab356612997af0203cefeae51fe90cd985ee7cdd6211c766b8cc7a60 Successfully parsed ART: counter: 6196 manifest hash (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c sleep hash is absent restore nonce (20 bytes): 67fc18385630dc6429726677d196c81466f47b5e

./seputil --art set Segmentation fault: 11

./seputil --log Kernel message log has 128 entries 289344381444: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289344385176: 0x0000000000000000 TX interrupt 289344391044: 0x0000000000000000 TX interrupt 289344408988: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289344409016: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289344413132: 0x0000000000000000 RX interrupt 289344413304: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289344413904: 0x0000000000000000 RX interrupt 289344413944: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289344414176: 0x0018000000dd1007 TX message ept 7, tag 10, opcode dd, param 0, data 180000 289344443356: 0x0000000000000000 RX interrupt 289344443428: 0x0068000000dd9007 RX message ept 7, tag 90, opcode dd, param 0, data 680000 289346822748: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 289346829480: 0x0000000000000000 RX interrupt 289346829560: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 289346830136: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 289406511168: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406511204: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406538900: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406538936: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406543628: 0x0000000000000000 TX interrupt 289406549916: 0x0000000000000000 TX interrupt 289406566580: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406566612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289406571220: 0x0000000000000000 RX interrupt 289406571476: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289406571908: 0x0000000000000000 RX interrupt 289406571952: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289406572320: 0x0018000000de1007 TX message ept 7, tag 10, opcode de, param 0, data 180000 289406605068: 0x0000000000000000 RX interrupt 289406605152: 0x0068000000de9007 RX message ept 7, tag 90, opcode de, param 0, data 680000 289407383260: 0x003c000000df0907 TX message ept 7, tag 9, opcode df, param 0, data 3c0000 289407396284: 0x0000000000000000 RX interrupt 289407396380: 0x002c000000df8907 RX message ept 7, tag 89, opcode df, param 0, data 2c0000 289407403656: 0x003c000000e00907 TX message ept 7, tag 9, opcode e0, param 0, data 3c0000 289407411688: 0x0000000000000000 RX interrupt 289407411736: 0x002c000000e08907 RX message ept 7, tag 89, opcode e0, param 0, data 2c0000 289407414732: 0x003c000000e10907 TX message ept 7, tag 9, opcode e1, param 0, data 3c0000 289407422472: 0x0000000000000000 RX interrupt 289407422524: 0x002c000000e18907 RX message ept 7, tag 89, opcode e1, param 0, data 2c0000 289408986276: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 289408991756: 0x0000000000000000 RX interrupt 289408991824: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 289408992472: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 289459393276: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459393348: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459423004: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459423048: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459452628: 0x0000000000000000 TX interrupt 289459453612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459453664: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289459466460: 0x0000000000000000 TX interrupt 289459469548: 0x0000000000000000 RX interrupt 289459470000: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289459470632: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289459471304: 0x0018000000e21007 TX message ept 7, tag 10, opcode e2, param 0, data 180000 289459524572: 0x0000000000000000 RX interrupt 289459524728: 0x0068000000e29007 RX message ept 7, tag 90, opcode e2, param 0, data 680000 289459532644: 0x004c000000e30f07 TX message ept 7, tag f, opcode e3, param 0, data 4c0000 289459552888: 0x0000000000000000 RX interrupt 289459553044: 0x002c000000e38f07 RX message ept 7, tag 8f, opcode e3, param 0, data 2c0000 289459646732: 0x0018000000e41007 TX message ept 7, tag 10, opcode e4, param 0, data 180000 289459681116: 0x0000000000000000 RX interrupt 289459681272: 0x0068000000e49007 RX message ept 7, tag 90, opcode e4, param 0, data 680000 289461898836: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 289461906796: 0x0000000000000000 RX interrupt 289461906968: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 289461908400: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 289526725980: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526726016: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526757512: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526757552: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526774468: 0x0000000000000000 TX interrupt 289526782688: 0x0000000000000000 TX interrupt 289526786468: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526786540: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289526795320: 0x0000000000000000 RX interrupt 289526795828: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289526796304: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289526796984: 0x0018000000e51007 TX message ept 7, tag 10, opcode e5, param 0, data 180000 289526847216: 0x0000000000000000 RX interrupt 289526847348: 0x0068000000e59007 RX message ept 7, tag 90, opcode e5, param 0, data 680000 289529224460: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 289529235316: 0x0000000000000000 RX interrupt 289529235488: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 289529236920: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 289584681764: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584681836: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584710576: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584710608: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584730996: 0x0000000000000000 TX interrupt 289584738992: 0x0000000000000000 TX interrupt 289584739572: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584739612: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289584748648: 0x0000000000000000 RX interrupt 289584748984: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289584749300: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 289584749332: 0x0018000000e61007 TX message ept 7, tag 10, opcode e6, param 0, data 180000 289584790484: 0x0000000000000000 RX interrupt 289584790568: 0x0068000000e69007 RX message ept 7, tag 90, opcode e6, param 0, data 680000 289587176748: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 289587185760: 0x0000000000000000 RX interrupt 289587185916: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 289587186840: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 288741485000: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741485084: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741514772: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741514812: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741533984: 0x0000000000000000 TX interrupt 288741541992: 0x0000000000000000 TX interrupt 288741543608: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741543680: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 288741552216: 0x0000000000000000 RX interrupt 288741552884: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 288741553388: 0x0000000000010000 RX message ept 0, tag 0, opcode 1, param 0, data 0 288741553672: 0x0018000000db1007 TX message ept 7, tag 10, opcode db, param 0, data 180000 288741591912: 0x0000000000000000 RX interrupt 288741592040: 0x0068000000db9007 RX message ept 7, tag 90, opcode db, param 0, data 680000 288741599128: 0x004c000000dc0f07 TX message ept 7, tag f, opcode dc, param 0, data 4c0000 288741620732: 0x0000000000000000 RX interrupt 288741620900: 0x002c000000dc8f07 RX message ept 7, tag 8f, opcode dc, param 0, data 2c0000 288742902624: 0x0000000000130000 TX message ept 0, tag 0, opcode 13, param 0, data 0 288742912320: 0x0000000000000000 RX interrupt 288742912496: 0x0000000000110000 RX message ept 0, tag 0, opcode 11, param 0, data 0 288742913700: 0x0000000000120000 TX message ept 0, tag 0, opcode 12, param 0, data 0 289344354176: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289344354216: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0 289344381416: 0x0000000000000000 TX message ept 0, tag 0, opcode 0, param 0, data 0

./seputil --boot-check sep-firmware.img4 preflight: manifest hash matches sepi bootCheck: SEP may boot with ART

./seputil --dump-fw sep-firmware.img4 manifest digest (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c sepi digest (20 bytes): a22813c5ceaeada5b7eeaa55808f3019814e8b8e sepi nonce (20 bytes): e5074bd1befefc685c6b5ec6797ffc851366f76f rsep digest (20 bytes): cb9f4c6520889e2582414c5969fb0abc3b0d8277 rsep nonce (20 bytes): e5074bd1befefc685c6b5ec6797ffc851366f76f

jtool dissect
./jtool -l /Volumes/ramdisk/usr/libexec/seputil LC 00: LC_SEGMENT_64         Mem: 0x000000000-0x100000000	__PAGEZERO LC 01: LC_SEGMENT_64         Mem: 0x100000000-0x100008000	__TEXT 0x0000000100000ce8-0x00000001000055e0	__TEXT.__text 0x00000001000055e0-0x00000001000058ec	__TEXT.__stubs 0x00000001000058ec-0x0000000100005c10	__TEXT.__stub_helper 0x0000000100005c10-0x0000000100006e5d	__TEXT.__cstring 0x0000000100006e60-0x0000000100007fac	__TEXT.__const 0x0000000100007fac-0x0000000100007ff4	__TEXT.__unwind_info LC 02: LC_SEGMENT_64         Mem: 0x100008000-0x10000c000	__DATA 0x0000000100008000-0x0000000100008050	__DATA.__got 0x0000000100008050-0x0000000100008258	__DATA.__la_symbol_ptr 0x0000000100008258-0x00000001000086e8	__DATA.__const 0x00000001000086e8-0x0000000100008990	__DATA.__data 0x0000000100008990-0x00000001000089b0	__DATA.__bss LC 03: LC_SEGMENT_64         Mem: 0x10000c000-0x100010000	__LINKEDIT LC 04: LC_DYLD_INFO_ONLY LC 05: LC_SYMTAB            	Symbol table is at offset 0xd9c8, with 77 entries LC 06: LC_DYSYMTAB LC 07: LC_LOAD_DYLINKER     	/usr/lib/dyld LC 08: LC_UUID              	UUID: 5C06A94F-63A7-3150-95B6-65567C70A3C8 LC 09: LC_VERSION_MIN_IPHONEOS	Minimum iOS version:    7.0.0 LC 10: LC_SOURCE_VERSION    	Source Version:          69.1.1.0.0 LC 11: LC_MAIN              	Entry Point:             0x1448 (Mem: 100001448) LC 12: LC_LOAD_DYLIB        	/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation LC 13: LC_LOAD_DYLIB        	/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit LC 14: LC_LOAD_DYLIB        	/usr/lib/libSystem.B.dylib LC 15: LC_FUNCTION_STARTS   	Offset: 55592, Size: 120 LC 16: LC_DATA_IN_CODE      	Offset: 55712, Size: 0 LC 17: LC_DYLIB_CODE_SIGN_DRS	Offset: 55712, Size: 40 LC 18: LC_CODE_SIGNATURE    	Offset: 58704, Size: 480

ART Object
Example 1: ./seputil --art get raw ART: 305e0201003037020218340414519c0248f04d316a3d71e03978b4126fbfb2b15c0400041467fc18385630dc6429726677d196c81466f47b5e3103c00100042027b6dadbab356612997af0203cefeae51fe90cd985ee7cdd6211c766b8cc7a60 Successfully parsed ART: counter: 6196 manifest hash (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c sleep hash is absent restore nonce (20 bytes): 67fc18385630dc6429726677d196c81466f47b5e

raw ART is also a DER encoded ASN.1 object:

30 — type tag indicating SEQUENCE 5e — length in octets of value that follows (92) 02 — type tag indicating INTEGER 01 — length in octets of value that follows 00 — value (0) 30 — type tag indicating SEQUENCE 37 — length in octets of value that follows (55) 02 — type tag indicating INTEGER 02 — length in octets of value that follows 1834 — value (6196) (of counter) 04 — type tag indicating STRING 14 — length in octets of value that follows (20) 519c0248f04d316a3d71e03978b4126fbfb2b15c — value (of manifest hash) 04 — type tag indicating STRING 00 — length in octets of value that follows (0); empty, so no value to follow (sleep has is absent) 04 — type tag indicating STRING 14 — length in octets of value that follows (20) 67fc18385630dc6429726677d196c81466f47b5e — value (of restore nonce) 31 — type tag indicating SET 03 — length in octets of value that follows (3) c00100 — value 04 — type tag indicating STRING 20 — length in octets of value that follows (32) 27b6dadbab356612997af0203cefeae51fe90cd985ee7cdd6211c766b8cc7a60 — value

Example 2: ./seputil --art get raw ART: 3072020100304b0202186c0414519c0248f04d316a3d71e03978b4126fbfb2b15c04147f75cb9012128cf71eb8fcd6b13e56a02a7324db041467fc18385630dc6429726677d196c81466f47b5e3103c0010004209ce3646167631d0df8d4db28973db8d5a27f85d345ad6ec220aeb1e22f39f31f Successfully parsed ART: counter: 6252 manifest hash (20 bytes): 519c0248f04d316a3d71e03978b4126fbfb2b15c sleep hash (20 bytes): 7f75cb9012128cf71eb8fcd6b13e56a02a7324db restore nonce (20 bytes): 67fc18385630dc6429726677d196c81466f47b5e

Decode (used the decoder here):

SEQUENCE (3 elem) INTEGER 0 SEQUENCE (5 elem) INTEGER 6252 OCTET STRING (20 byte) 519C0248F04D316A3D71E03978B4126FBFB2B15C OCTET STRING (20 byte) 7F75CB9012128CF71EB8FCD6B13E56A02A7324DB OCTET STRING (20 byte) 67FC18385630DC6429726677D196C81466F47B5E SET (1 elem) Private 0 (1 byte) 00 OCTET STRING (32 byte) 9CE3646167631D0DF8D4DB28973DB8D5A27F85D345AD6EC220AEB1E22F39F31F

Example 3: ./seputil --art clear ART cleared from storage

./seputil --art get seputil: Get ART command error: 0xe00002bc