Anya is a KBAG decryption kit for JTAGable prototypes.


Anya

It's a beta, so be extremely careful when using this software and always validate the results it gives you.

Anya is a KBAG decryption kit for JTAGable prototypes. Here is the list of platforms currently supported:

  • M9 B0/B1 - Apple S4/S5
  • Cyprus B1 - Apple A12
  • Cebu B1 - Apple A13

Although SEP support is planned (when applicable), Anya currently only supports AP (application processor) KBAGs.

Building

Requirements

  • libirecovery
  • LLVM toolchain for ARM64

Building

The build system is a dumpster fire; better just download a ZIP from releases, but you can still try:

make

...or to build a package (basically, a ZIP):

make package

List of environment variables you might need to provide:

  • TOOLCHAIN - path to a directory where LLVM toolchain binaries capable of producing ARM64 binaries are located
  • ARM_CC - ARM64 C compiler. Removes the need for TOOLCHAIN
  • ARM_LD - linker capable of using linker scripts. Removes the need for TOOLCHAIN
  • ARM_OBJCOPY - objcopy used to extract a raw binary from an ELF. Removes the need for TOOLCHAIN
  • CC - C compiler used to compile anyactl (client utility)
  • AR - archiver used to build libanya (client library; the utility is based on it)
  • VALID_HANDLER_TARGETS - list of targets to build the USB DFU handler for. Currently valid targets are M9/B0_B1, Cyprus/B1 and Cebu/B1

In the end you'll get a structure like this in the build/ folder:

build/anya.ax
build/anyactl
build/payloads/anya_handler.M9-B0_B1.bin
build/payloads/anya_handler.Cyprus-B1.bin
build/payloads/anya_handler.Cebu-B1.bin

Usage

Requirements

  • Compiled Anya
  • Astris

Usage

First of all, you need to put your device into Anya mode (basically SecureROM DFU with a custom USB control request handler) via Astris:

ANYA_PAYLOAD=path/to/desired/payload astris --script path/to/anya.ax

Warning: this will force-reset your device! Better put your device into iBoot recovery or SecureROM DFU mode before doing this!

Upon successful execution you will get a log like this one:

noone@Mac-mini-noone anya % ANYA_PAYLOAD=build/payloads/anya_handler.Cyprus-B1.bin astris --script build/anya.ax
astris v2.7.2

WARNING: This version of tcl is included in macOS for compatibility with legacy software.
In future versions of macOS the tcl runtime will not be available by
default, and may require you to install an additional package.
  

Probe address: KanziSWD-REDACTED
Probe type: kanzi
Probe firmware: 1.24
Probe tckrate: 4420000

  
Listening on port 8000 for ECORE0, ECORE1, ECORE2, ECORE3, PCORE0, PCORE1
Listening on port 8006 for ISP
Listening on port 8007 for GFX
Listening on port 8008 for SIO-DMA
Listening on port 8009 for SIO-AUDIO
Listening on port 8010 for PMP
Listening on port 8011 for SMC
Listening on port 8012 for SEP
Listening on port 8013 for AOP
Listening on port 8014 for AVE-ASC
Listening on port 8015 for AVD
Listening on port 8016 for ANE
Listening on port 8017 for ANS2
Detected Cyprus B1
Loading SOC support script
Identified product D321AP
Fromresetting device...
ECORE0: ASTRIS_ERR_CPUNOTHALTED
ECORE1: ASTRIS_ERR_CPUNOTHALTED
ECORE2: ASTRIS_ERR_CPUNOTHALTED
ECORE3: ASTRIS_ERR_CPUNOTHALTED
PCORE0: ASTRIS_ERR_CPUNOTHALTED
PCORE1: ASTRIS_ERR_CPUNOTHALTED
ISP: ASTRIS_ERR_CPUNOTHALTED
GFX: ASTRIS_ERR_CPUNOTHALTED
SIO-DMA: ASTRIS_ERR_CPUNOTHALTED
SIO-AUDIO: ASTRIS_ERR_CPUNOTHALTED
PMP: ASTRIS_ERR_CPUNOTHALTED
SMC: ASTRIS_ERR_CPUNOTHALTED
SEP: ASTRIS_ERR_CPUNOTHALTED
AOP: ASTRIS_ERR_CPUNOTHALTED
AVE-ASC: ASTRIS_ERR_CPUNOTHALTED
AVD: ASTRIS_ERR_CPUNOTHALTED
ANE: ASTRIS_ERR_CPUNOTHALTED
ANS2: ASTRIS_ERR_CPUNOTHALTED
Dealing with MMU...
bp 0 cleared
bp 0 cleared
Uploading USB handler...
.
338 bytes sent in 0.155 sec, 2181 bytes per second
Forcing DFU...
bp 0 cleared
Patching iBoot flags...
bp 0 cleared
Overriding USB handler ptr...
bp 0 cleared
Unloading SOC support script
noone@Mac-mini-noone anya %

Make sure the IBFL (iBoot Flags) value in the USB serial number has bit 6 set:

CPID:8020 CPRV:11 CPFM:01 SCEP:01 BDID:0E IBFL:6C ECID:REDACTED SRTG:[iBoot-3865.0.0.4.7]

This bit is not used by iBoot/SecureROM (except for M1, apparently), so Anya sets it to indicate that a device is in Anya mode.

From now on you can use anyactl; usage is quite straightforward:

noone@Mac-mini-noone anya % build/anyactl
usage: build/anyactl ARG[s]

where ARG[s] must be one of the following:
-k KBAG  specifies KBAG to be decrypted
-b NUM  runs benchmark with NUM random KBAGs

you can also use this one with both of the above:
-e ECID  (hexa)decimal ECID to look for

noone@Mac-mini-noone anya %

Benchmark output example:

noone@Mac-mini-noone anya % build/anyactl -b 10000
found: CPID:8020, CPFM:01, ECID:REDACTED
decrypting...
decrypted 10000 KBAGs in 5.054345 seconds, average - 1978.495728 KBAGs/sec
noone@Mac-mini-noone anya %

KBAG decryption output example:

noone@Mac-mini-noone anya % build/anyactl -k 9B064DDD9883350334AC486372A1893E38019134A7222D95875AC51CBEEB897CBD3E9003B86C33327A883B796134C81E
found: CPID:8020, CPFM:01, ECID:REDACTED
F9A6BBDE3694D99A9CACCCE890F5BB270A00885FA92754C5451F3688523C0FC7C995D90D33042F4A9967DDC2D757CC0D
noone@Mac-mini-noone anya %

Warning: since we're using prototype devices here, you obviously need to provide a development KBAG, not a production one (the development one usually comes second in an Image4)!

Python

Requirements

  • pyusb

Library usage

Placed in the python/anya folder. Usage is quite straightforward:

import sys

from anya import *
from anya.exceptions import *

ECID = 0x0     # placeholder: ECID of the device to look for
KBAG = "..."   # placeholder: hex KBAG string to decrypt

dev = AnyaDevice(ecid=ECID)    # creating the connection object

try:
    dev.connect()    # connecting to the device in Anya mode
except AnyaError as e:
    print("failed to connect: %s" % str(e))
    sys.exit(1)

try:
    decoded = decode_kbag(KBAG)    # decoding a KBAG string to bytes
except AnyaValueError as e:
    print("failed to parse KBAG: %s" % str(e))
    sys.exit(1)

try:
    key = dev.decrypt_kbag(decoded)    # decrypting
except AnyaUSBError as e:
    print("failed to decrypt KBAG: %s" % str(e))
    sys.exit(1)

print(encode_key(key, to_upper=True))    # encoding the key to a string (and printing)

Tools usage

Placed in the python/ folder. There are two of them: anyactl (basically the same thing as the C variant of the ctl):

noone@Mac-mini-noone anya % build/python/anyactl 
usage: anyactl [-h] [-k KBAG] [-b COUNT] [-e ECID]

Decrypt some KBAG or run a benchmark

optional arguments:
  -h, --help  show this help message and exit
  -k KBAG     decrypt a KBAG
  -b COUNT    run benchmark
  -e ECID     ECID to look for

...and anyafromjson, which is used to decrypt KBAGs in batch from a JSON file:

noone@Mac-mini-noone anya % build/python/anyafromjson 
usage: build/python/anyafromjson   [ecid (hex)]

description:

a dumb utility that takes KBAGs from an input JSON
and decrypts them with Anya. The input JSON must be
a list of dicts where every member must have "kbag"
field. The output JSON will be same, but with "key".
Thus, you can have arbitrary metadata in the dicts
that will be preserved in the output
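To make the anyafromjson contract above (and the decode_kbag step in the library snippet) concrete, here is an added example that is not part of Anya: it validates each KBAG string, applies the same list-of-dicts transform while preserving arbitrary metadata, and records per-entry failures instead of aborting the whole batch. `decrypt` stands in for `AnyaDevice.decrypt_kbag`; the 48-byte KBAG length (16-byte IV followed by a 32-byte key) is assumed here, consistent with the 96-hex-character values shown above.

```python
import json
from typing import Callable

KBAG_LEN = 48  # assumed: 16-byte IV + 32-byte AES-256 key, i.e. 96 hex characters


def decode_kbag_str(kbag: str) -> bytes:
    """Hex KBAG string (either case, surrounding whitespace ignored) -> raw bytes.

    Rejects wrong lengths and non-hex input with a ValueError.
    """
    if not isinstance(kbag, str):
        raise ValueError("kbag field must be a string")
    kbag = kbag.strip()
    if len(kbag) != KBAG_LEN * 2:
        raise ValueError(f"KBAG must be {KBAG_LEN * 2} hex chars, got {len(kbag)}")
    try:
        return bytes.fromhex(kbag)
    except ValueError:
        raise ValueError("KBAG is not valid hex") from None


def process_batch(entries, decrypt: Callable[[bytes], bytes]) -> list:
    """Same contract as anyafromjson: a list of dicts with a "kbag" field in,
    the same dicts with a "key" field out; other fields are carried over untouched.

    A malformed KBAG gets an "error" field instead of stopping the batch; a
    missing "kbag" field is a structural error and raises.
    """
    if not isinstance(entries, list):
        raise ValueError("input JSON must be a list of dicts")
    out = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict) or "kbag" not in entry:
            raise ValueError(f"entry {i} is not a dict with a 'kbag' field")
        result = dict(entry)  # copy so metadata is preserved and input is untouched
        try:
            result["key"] = decrypt(decode_kbag_str(entry["kbag"])).hex().upper()
        except ValueError as e:
            result["error"] = str(e)
        out.append(result)
    return out


def process_json(text: str, decrypt: Callable[[bytes], bytes]) -> str:
    """Read the input JSON document and return the output JSON document as text."""
    return json.dumps(process_batch(json.loads(text), decrypt), indent=2)
```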

TODO

  • SEP KBAG decryption - a very complex task, as it will require a lot of RE on SEPROM and a way to communicate with it from SecureROM
  • Improve the build system - the current one is really bad
  • Common offset database - so there won't be a need to duplicate offsets/values between the Astris script and the USB handler configs

Credits

  • @axi0mX - for the idea of replacing USB handler (used in ipwndfu)
  • @pimskeks and other people behind libimobiledevice project - for libirecovery
  • @1nsane_dev - for a lot of tests on Cebu
Releases: beta-5
Owner: john