Search

Search

Estimated reading time: 3 minutes

Executive Summary

This Article will cover Flash Recovery & IPSW Restoration on the Apple Security Research Device. Bricking the SRD happens from time to time and these instructions should help you Recover quickly.

Resources

Source: https://github.com/apple/security-research-device/tree/main/example-cryptex

• PR42: https://github.com/apple/security-research-device/pull/42
• Universal DMG: https://xss.cx/srd/dmg/srd-universal-cryptex.dmg
• ASAN Beta DMG: https://xss.cx/srd/dmg/srd-asan-cryptex-beta.dmg
• UBSAN Beta DMG: https://xss.cx/srd/dmg/srd-ubsan-cryptex-beta.dmg
• Install: https://github.com/xsscx/srd/tree/main/dmg#readme
• Discussion: nvram settings disabling KTRR, CTRR and kASLR https://github.com/apple/security-research-device/discussions/2
• Build Entitlements Issues for PR 42, 48, 49 https://github.com/xsscx/srd/blob/main/srd_tools-24.100.3/example-cryptex/srd-iphone11-iphone12-entitlements-testing-sample-example.md

SRD Flash Recovery

The Flash Recovery Process is a work-in-progress Upstream and reading runtime.h is suggested. All Flash Updates can be done with Finder or srdutil. If you see an Error Message for your SRD, open Terminal and follow the Instructions below.

Start by opening your Terminal and Paste in the following command which is specific for iPhone11,8,iPhone12,1_15.1_19B74_Restore.ipsw on October 25, 2021:

defaults write com.apple.AMPDevicesAgent ipsw-variant -string 'Research Customer Erase Install (IPSW)'

If you use a Beta IPSW such as iPhone11,8,iPhone12,1_15.2_19C5026i_Restore.ipsw on October 27, 2021:

defaults write com.apple.AMPDevicesAgent ipsw-variant -string 'Research Developer Erase Install (IPSW)'

The next step is to killall Finder in Terminal, Paste in the following command:

killall Finder

Open Finder, Click on iPhone 11 as shown in the Picture below:

Step 4: Hold the Option Key and Click Restore iPhone. Use File Picker to Select the IPSW to Flash. Same process for a Retail Device. I’m using iPhone11,8,iPhone12,1_15.1_19B5060d_Restore.ipsw.

Step 5: Verify the Logfile, this Log Message means you’re Updating the SRD.

requested variant: Research Developer Erase Install (IPSW)
amai: AMAuthInstallBundleCopyBuildIdentityForVariant: searching for variant Research Developer Erase Install (IPSW) (0 recovery)
amai: AMAuthInstallBundleCopyBuildIdentityForVariant: AMAuthInstallBundleCopyBuildIdentityForVariant: Found variant: Research Developer Erase Install (IPSW)
amai: AMAuthInstallBundleFDRSupported: FDR is supported for this device
no override trust object found
requested variant: Research Developer Erase Install (IPSW)

srdutil

srdutil is the command line utility found in Security Research Tools 21C39.

DYLD_PRINT_APIS=1 DYLD_FORCE_FLAT_NAMESPACE=1 srdutil restore -v -s -S  -e 0x1538d03c40012e -i ~/Downloads/18C66.ipsw

Additional information for srdutil can be found here.

Example SRD Cryptex DMG Install

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/xsscx/srd/main/dmg/install.sh)"

Related Links

• SRD First Boot
• missing dylib libMobileRestoreInternalExtensions
• SRD Cryptex Installation
• srdutil
• Best Practice & Transparency