Open source apfs.efi loader based on reverse-engineered Apple’s ApfsJumpStart driver
Loads apfs.efi from ApfsContainer located on block device.
Apfs driver verbose logging suppressed.
Version system: connects each apfs.efi to the device from which it was retrieved
Supports the AppleLoadImage protocol, which provides an EFI binary signature check.
WARNING: Please load AppleLoadImage.efi right before ApfsDriverLoader, or just put it inside the drivers64uefi folder of your Clover bootloader.
Implementation of the AppleLoadImage protocol discovered in Apple's ApfsJumpStart driver. In Apple's firmware this protocol is installed by CoreDxe.
It provides safe loading of EFI binaries into memory by verifying their signatures.
It also makes it possible to use the native ApfsJumpStart driver from Apple firmware.
WARNING: ApplePartitionDriver is needed.
This library provides reverse-engineered Apple’s crypto signature algorithms.
[…]In the fourth developer beta of iOS 12, a passcode is required any time a computer or USB accessory is connected.[…]
Extracts EFI firmware installer pkg from High Sierra installer
I tried to boot an iOS 12 kernelcache in QEMU: I managed to get as far as IOKit startup before receiving a kernel panic. I learned a lot about how iOS boots up with this project.[…]
[…]In other words, we have found no obvious way to break USB Restricted Mode once it is already engaged. However, we discovered a workaround, which happens to work exactly as we suggested back in May[…]
Drop EFI is a super Droplet for mounting any EFI partition on macOS.
Works with HFS+J, APFS, NTFS GPT and Core Storage volumes.
What does NVRAM lock/unlock actually mean?
Jun 26, 2018
So, recently I’ve realized that the meaning of “lock/unlock” in the context of NVRAM on iOS is not understood correctly by many, so I’ve decided to make a quick blog post on the meaning of those words.[…]
Some time ago, I proposed that macOS 10.14 should be named Gormenghast, to reflect its many concealed and neglected features. These can trip up its own security and the protection of privacy when an old system within macOS is quietly storing sensitive data in an unprotected location. A good example is the latest vulnerability in QuickLook (or Quick Look, as Apple uses both forms). Here is a brief overview of some of the potentially sensitive information which macOS secretes away in unexpected places. If you’re concerned about protecting the security of your data, these should be places to watch; if you’re a forensic analyst, these are often rewarding places to look.[…]
Hidden caches in macOS: where your private data gets stored
Apple has a new file system, APFS. This causes Hackintosh people lots of grief. There are lots of Apple APFS binaries online, and now there’s this:
cugu for awesome research on the APFS structure
CupertinoNet and Download-Fritz for Apple EFI reverse-engineering
vit9696 for code review and support during development
Personally I think the best way to learn a public exploit is by understanding it line-by-line until I can understand the exploit to the fullest. I will post some of these (overly-commented 😉 ) exploits so hopefully others can learn from them, and as an attempt to give something back to the community. Also for documentation purposes, because these things kind of fade away from my head as time passes.