def AlignedStruct(name, *subcons, **kw):
"""a struct of aligned fields
* name - the name of the struct
* subcons - the subcons that make up this structure
* kw - keyword arguments to pass to Aligned: 'modulus' and 'pattern'
"""
return Struct(name, *(Aligned(sc, **kw) for sc in subcons))
def BitStruct(name, *subcons):
r"""A struct of bitwise fields
:param name: the name of the struct
:param \*subcons: the subcons that make up this structure
"""
return Bitwise(Struct(name, *subcons))
def EmbeddedBitStruct(*subcons):
r"""
An embedded BitStruct. no name is necessary.
:param \*subcons: the subcons that make up this structure
"""
return Bitwise(Embedded(Struct(None, *subcons)))
def AlignedStruct(name, *subcons, **kw):
r"""A struct of aligned fields
:param name: the name of the struct
:param \*subcons: the subcons that make up this structure
:param \*\*kw: keyword arguments to pass to Aligned: 'modulus' and 'pattern'
"""
return Struct(name, *(Aligned(sc, **kw) for sc in subcons))
def ClassEntry_():
return Struct(
"_type" / Int16ul,
"isInstance" / C.Computed(lambda this: this._type & 1),
"Class_Index" / C.Computed(lambda this: this._type >> 1),
"_valid" / C.Computed(lambda this: this._type < len(this._root.defs)),
"index" / Int16ul, "content" / C.If(
this.isInstance,
C.LazyBound(lambda: PrefixedOffset(
Int64ul, ClassImplementation(this._._.Class_Index), -8))))
0x3E94D589: [4096, 128, 8, 216, 4, 2, 4, 2, 3872, 8, 8],
0x3ED5D72C: [8192, 128, 8, 216, 4, 2, 4, 2, 7744, 8, 8],
0x3E94D52C: [4096, 128, 8, 216, 4, 2, 4, 2, 3872, 8, 8]
}
_vfl_vfl_context = Struct("_vfl_vfl_context",
ULInt32("usn_inc"),
Array(3, ULInt16("control_block")),
ULInt16("unk1"),
ULInt32("usn_dec"),
ULInt16("active_context_block"),
ULInt16("next_context_page"),
ULInt16("unk2"),
ULInt16("field_16"),
ULInt16("field_18"),
ULInt16("num_reserved_blocks"),
ULInt16("reserved_block_pool_start"),
ULInt16("total_reserved_blocks"),
Array(820, ULInt16("reserved_block_pool_map")),
Array(282, ULInt8("bad_block_table")),
Array(4, ULInt16("vfl_context_block")),
ULInt16("remapping_schedule_start"),
Array(0x48, ULInt8("unk3")),
ULInt32("version"),
ULInt32("checksum1"),
ULInt32("checksum2")
)
_vfl_vsvfl_spare_data = Struct("_vfl_vsvfl_spare_data",
Union("foo",
Struct("user",ULInt32("logicalPageNumber"),ULInt32("usn")),
Struct("meta",ULInt32("usnDec"),ULInt16("idx"), ULInt8("field_6"), ULInt8("field_7"))
from construct.core import Struct, Union
from construct.macros import *
from crypto.aes import AESdecryptCBC
from crypto.aeswrap import AESUnwrap
from zipfile import crc32
import struct
Dkey = 0x446B6579
EMF = 0x454D4621
BAG1 = 0x42414731
DONE = 0x444f4e45 #locker sentinel
#**** = 0x2A2A2A2A #wildcard for erase
#MAGIC (kL) | LEN (2bytes) | TAG (4) | DATA (LEN)
Locker = Struct("Locker", String("magic", 2), ULInt16("length"),
Union("tag", ULInt32("int"), String("tag", 4)),
String("data", lambda ctx: ctx["length"]))
Lockers = RepeatUntil(lambda obj, ctx: obj.tag.int == DONE, Locker)
def xor_strings(s, key):
res = ""
for i in xrange(len(s)):
res += chr(ord(s[i]) ^ ord(key[i % len(key)]))
return res
def check_effaceable_header(plog):
z = xor_strings(plog[:16], plog[16:32])
if z[:4] != "ecaF":
AFC_FOPEN_APPEND = 0x00000005 # a O_WRONLY | O_APPEND | O_CREAT
AFC_FOPEN_RDAPPEND = 0x00000006 # a+ O_RDWR | O_APPEND | O_CREAT
AFC_HARDLINK = 1
AFC_SYMLINK = 2
AFC_LOCK_SH = 1 | 4 # shared lock
AFC_LOCK_EX = 2 | 4 # exclusive lock
AFC_LOCK_UN = 8 | 4 # unlock
AFCMAGIC = "CFA6LPAA"
AFCPacket = Struct("AFCPacket",
String("magic", 8,),
ULInt64("entire_length"),
ULInt64("this_length"),
ULInt64("packet_num"),
ULInt64("operation")
)
#typedef struct {
# uint64_t filehandle, size;
#} AFCFilePacket;
class AFCError(IOError):
lookup_table = {
AFC_E_SUCCESS: "Success",
AFC_E_UNKNOWN_ERROR: "Unknown error",
AFC_E_OP_HEADER_INVALID: "OP header invalid",
AFC_E_NO_RESOURCES: "No resources",
AFC_E_READ_ERROR: "Read error",
GreedyBytes,
PrefixedArray,
Default,
If,
this,
)
WIDEVINE_SYSTEM_ID = UUID("edef8ba9-79d6-4ace-a3c8-27dcd51d21ed")
# Construct for a Widevine PSSH box
PSSH_BOX = Prefixed(
Int32ub,
Struct(
"type" / Const(b"pssh"),
"version" / Default(Int8ub, 1),
"flags" / Const(0, Int24ub),
"system_id" / Const(WIDEVINE_SYSTEM_ID.bytes, Bytes(16)),
"key_ids" / If(this.version == 1, PrefixedArray(Int32ub, Bytes(16))),
"data" / Prefixed(Int32ub, GreedyBytes),
),
includelength=True,
)
VALID_TRACKS = ["AUDIO", "SD", "HD", "UHD1", "UHD2"]
PROTECTION_SCHEME = {
"cenc": 1667591779,
"cens": 1667591795,
"cbc1": 1667392305,
"cbcs": 1667392371,
}
"content", "_data" / C.Rebuild(
C.Struct("size" / C.Rebuild(sizetype,
C.len_(this.data) - offs),
"data" / C.Bytes(this.size + offs)), lambda obj:
{"data": type.build(obj.content, **{
**obj._params,
**obj
})}), "content" / C.RestreamData(this._data.data, type))
# Class definition handling
ClassMemberDefinition = Struct(
"name" / DataPointer(Int64ul, CString("utf8"), "names"),
"type" / Byte,
"unkn" / Byte,
"size" / Byte,
"_unknData" / C.Default(Byte[69], [0 for _ in range(69)]),
)
ClassDefinition = DataPointer(
Int64ul,
Struct("hash" / Int64ul,
"members" / C.PrefixedArray(Int64ul, ClassMemberDefinition)),
"definitionData")
ClassDefinitionList = C.FocusedSeq(
"definitions", "_count" / C.Rebuild(Int32ul, C.len_(this.definitions)),
"definitions" / C.Prefixed(
Int32ul,
C.Aligned(
from construct.core import Struct, Int16ub
difuse_request = Struct(
op=Int16ub,
length=Int16ub,
)
difuse_response = Struct(status=Int16ub, length=Int16ub)
from crypto.aes import AESdecryptCBC
from util import hexdump
WHIMORY_SIGNATURE_MAGIC = "xrmw"
WHIMORY_SIGNATURE_VER_PPN_CUR = 7
PPNSignature = Struct(
"PPNSignature",
String("magic", 4),
ULInt32("f4"),
ULInt32("whimory_ver_at_birth"),
ULInt32("ftl_major_version"),
ULInt32("ftl_minor_version"),
ULInt32("xxx"),
ULInt32("vfl_major_version"),
ULInt32("vfl_minor_version"),
ULInt32("f20"),
ULInt32("FPart_major"),
ULInt32("f22"),
ULInt32("f23"),
ULInt32("f24"),
ULInt32("geometry_num_ce"),
)
PPNVFLSpare = Struct(
"PPNVFLSpare",
ULInt8("type"),
ULInt8("bank"),
ULInt16("index"),
ULInt32("ctx_age"),
from construct.core import Struct
from construct.macros import *
IMG2 = Struct(
"IMG2",
String("magic", 4),
ULInt32("block_size"),
ULInt32("images_offset"),
ULInt32("images_block"),
ULInt32("images_length"),
Padding(0x1C),
ULInt32("crc32"),
)
import struct
#https://github.com/iDroid-Project/openiBoot/blob/master/openiboot/ftl-yaftl/yaftl.c
YAFTL_CXT = Struct(
"YAFTL_CXT",
String("version", 4),
ULInt32("unknCalculatedValue0"),
ULInt32("totalPages"),
ULInt32("latestUserBlock"),
ULInt32("cxt_unkn0_usn"),
ULInt32("latestIndexBlock"),
ULInt32("maxIndexUsn"),
ULInt32("blockStatsField4"),
ULInt32("blockStatsField10"),
ULInt32("numAllocatedBlocks"),
ULInt32("numIAllocatedBlocks"),
ULInt32("unk184_0xA"),
Array(10, ULInt32("cxt_unkn1")),
ULInt32("field_58"),
ULInt16("tocArrayLength"),
ULInt16("tocPagesPerBlock"),
ULInt16("tocEntriesPerPage"),
ULInt16("unkn_0x2A"),
ULInt16("userPagesPerBlock"),
ULInt16("unk64"),
Array(11, ULInt32("cxt_unkn2")),
ULInt8("unk188_0x63"),
)
TOCStruct = Struct(
"TOCStruct",
'section_len': 0,
'block_len2': 28
}
IDB = {
'block_type': 0x00000001,
'block_len': 20,
'link_type': 1,
'reserved': 0,
'snap_len': 0,
'block_len2': 20
}
shb = Struct(
block_type=Int32ub,
block_len=Int32ub,
bom=Int32ub,
major_version=Int16ub,
minor_version=Int16ub,
section_len=Int64ub,
block_len2=Int32ub,
)
idb = Struct(
block_type=Int32ub,
block_len=Int32ub,
link_type=Int16ub,
reserved=Int16ub,
snap_len=Int32ub,
block_len2=Int32ub,
)
epb_head = Struct(block_type=Int32ub,
block_len=Int32ub,
def BitStruct(name, *subcons):
"""a struct of bitwise fields
* name - the name of the struct
* subcons - the subcons that make up this structure
"""
return Bitwise(Struct(name, *subcons))
def EmbeddedBitStruct(*subcons):
"""an embedded BitStruct. no name is necessary.
* subcons - the subcons that make up this structure
"""
return Bitwise(Embedded(Struct(None, *subcons)))
def RGBA():
return Struct("red" / Byte, "green" / Byte, "blue" / Byte, "alpha" / Byte)
AFC_HARDLINK = 1
AFC_SYMLINK = 2
AFC_LOCK_SH = 1 | 4 #/**< shared lock */
AFC_LOCK_EX = 2 | 4 #/**< exclusive lock */
AFC_LOCK_UN = 8 | 4 #/**< unlock */
if PY3:
AFCMAGIC = b"CFA6LPAA"
else:
AFCMAGIC = "CFA6LPAA"
AFCPacket = Struct(
"magic" / Const(AFCMAGIC),
"entire_length" / Int64ul,
"this_length" / Int64ul,
"packet_num" / Int64ul,
"operation" / Int64ul,
)
class AFCClient(object):
def __init__(self,
lockdown=None,
serviceName="com.apple.afc",
service=None,
udid=None,
logger=None):
self.logger = logger or logging.getLogger(__name__)
self.serviceName = serviceName
self.lockdown = lockdown if lockdown else LockdownClient(udid=udid)
def Vector4():
return Struct("x" / Float32l, "y" / Float32l, "z" / Float32l,
"w" / Float32l)
def Quat4():
return Struct("x" / Float32l, "y" / Float32l, "z" / Float32l,
"w" / Float32l)
def Vector2():
return Struct("u" / Float32l, "v" / Float32l)
h2fmi_hash_table = [0] * 256
for i in xrange(256):
val = ((0x19660D * val) + 0x3C6EF35F) & 0xffffffff
for j in xrange(762):
val = ((0x19660D * val) + 0x3C6EF35F) & 0xffffffff
h2fmi_hash_table[i] = val & 0xffffffff
return h2fmi_hash_table
# Page types (as defined in the spare data "type" bitfield)
PAGETYPE_INDEX = 0x4 #Index block indicator
PAGETYPE_LBN = 0x10 # User data
PAGETYPE_FTL_CLEAN = 0x20 # FTL context (unmounted, clean)
PAGETYPE_VFL = 0x80 #/ VFL context
SpareData = Struct("SpareData", ULInt32("lpn"), ULInt32("usn"),
ULInt8("field_8"), ULInt8("type"), ULInt16("field_A"))
# Block status (as defined in the BlockStruct structure)
BLOCKSTATUS_ALLOCATED = 0x1
BLOCKSTATUS_FTLCTRL = 0x2
BLOCKSTATUS_GC = 0x4
BLOCKSTATUS_CURRENT = 0x8
BLOCKSTATUS_FTLCTRL_SEL = 0x10
BLOCKSTATUS_I_GC = 0x20
BLOCKSTATUS_I_ALLOCATED = 0x40
BLOCKSTATUS_I_CURRENT = 0x80
BLOCKSTATUS_FREE = 0xFF
ERROR_ARG = 0x80000001
ERROR_NAND = 0x80000002
ERROR_EMPTY = 0x80000003
def Capsule():
return Struct("min" / Vector4(), "max" / Vector4(), "scale" / Float32l,
"unkn" / Float32l, "unkn2" / Int32ul, "unkn3" / Int32ul)
from carver import NANDCarver
from construct.core import Struct
from construct.macros import ULInt32, ULInt16, Array, ULInt8, Padding
from pprint import pprint
from structs import SpareData
from util import hexdump
from vfl import VFL
import plistlib
"""
openiboot/plat-s5l8900/ftl.c
openiboot/plat-s5l8900/includes/s5l8900/ftl.h
"""
FTLCxtLog = Struct("FTLCxtLog", ULInt32("usn"), ULInt16("wVbn"),
ULInt16("wLbn"), ULInt32("wPageOffsets"),
ULInt16("pagesUsed"), ULInt16("pagesCurrent"),
ULInt32("isSequential"))
FTLCxtElement2 = Struct("FTLCxtElement2", ULInt16("field_0"),
ULInt16("field_2"))
FTLCxt = Struct(
"FTLCxt",
ULInt32("usnDec"),
ULInt32("nextblockusn"),
ULInt16("wNumOfFreeVb"),
ULInt16("nextFreeIdx"),
ULInt16("swapCounter"),
Array(20, ULInt16("awFreeVb")),
ULInt16("field_36"),
Array(18, ULInt32("pages_for_pawMapTable")),
Array(36, ULInt32("pages_for_pawEraseCounterTable")),
from construct.core import Struct
from construct.macros import *
from construct import RepeatUntil, OneOf
from util import hexdump
SCFGItem = Struct("SCFGItem",
String("tag", 4),
String("data", 16, padchar="\x00")
)
SCFG = Struct("SCFG",
OneOf(String("magic", 4), ["gfCS"]),
ULInt32("length"),
ULInt32("unk1"),
ULInt32("unk2"),
ULInt32("unk3"),
ULInt32("unk4")
)
def parse_SCFG(data):
res = {}
scfg = SCFG.parse(data)
assert scfg.length > 0x18
for i in Array((scfg.length - 0x18) / 20, SCFGItem).parse(data[0x18:scfg.length]):
if i.tag != "\xFF\xFF\xFF\xFF":
res[str(i.tag)[::-1]] = str(i.data)
return res