AushaTeam / ENC-Decrypter

Decrypts ENC files used in Apple hardware diagnostics

ENC Decrypter

Python script for decrypting enc and data files in AST and Apple hardware diagnostics. Diagnostics can be acquired by performing a MITM of the built-in diagnostics that are run when holding "d" during boot of most Apple computers.

Required Python Modules:

numpy
pycryptodome

Usage:

decrypt.py file_to_decrypt output_file round_option
Example 1: decrypt.py Mac-9F18E312C5C2BF0B.enc dump.lua -r
Example 2: decrypt.py diags.enc dump.bin -d
Example 3: decrypt.py data Devices.json -r

There are only two round options, '-r' and '-d'. '-r' = Regular, and is used for almost everything. '-d' = diags.enc, and is specifically for 'diags.enc', as it requires its own round calculation of '0x7E'.

Note: SMART is another file that doesn't decompress properly. It's 83kb and doesn't exactly follow the same process, as it exceeds the current function. Storage.efi also has its own decrypt / decode functions that handle this (go figure). But the file can be expanded with some tweaking. Manually set filesize and rounds to 0x142FB and disable the terminator bit. Then run the script with '-r'. Watch the output size of the dumped file. Once it reaches 83kb, you can press Ctrl+C to kill the process. I'll work on a better implementation that will handle all this.

Diagnostics URL:

The diagnostics URL is stored in the diags.enc file located in the Support folder of the diagnostics. Once decrypted, the URL address can be altered. It requires a DNS-compatible address. It doesn't like numerical IPs. If running locally, use something like nmap or check under the sharing settings on your Mac to acquire your local DNS name.

Example:

Billys-MacBook-Air.local
billybobsMacBookPro.lan

Once diags.enc has been altered, make sure it retains its original name 'diags.enc', and replace the original encrypted diags.enc with the newly decrypted and altered diags.enc.

It appears that the diags.efi application uses the same EFI protocols to load all files. It just does a header scan to check for encryption. All encrypted files follow the same format: they begin with ABBACDDCEFFE1221, followed by the file size of the enc file minus the header. If this is detected, it initiates the decryption and then decoding processes. But if no encryption is detected, it appears to load files normally. So you are able to modify the 'diagnostics-url' field to any value without size restrictions.
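
The header scan described above can be reproduced offline to sort a diagnostics folder into encrypted and plain files. This is an added example, not code from decrypt.py. It assumes the "header" is the 8-byte marker plus a size field, and because the README does not give the size field's width or byte order, it tries 4- and 8-byte fields in both byte orders. The function names and sample bytes are constructed for illustration.

```python
import struct
import sys
from typing import Optional, Tuple

MAGIC = bytes.fromhex("ABBACDDCEFFE1221")  # marker quoted in the README

# Assumption: width and byte order of the size field are not documented,
# so each candidate layout is tried: (struct format, field length in bytes).
CANDIDATE_SIZE_FIELDS = [("<I", 4), (">I", 4), ("<Q", 8), (">Q", 8)]


def classify(blob: bytes) -> Tuple[str, Optional[str]]:
    """Return (verdict, struct format of the size field that matched, or None)."""
    if not blob.startswith(MAGIC):
        # No marker: per the README the loader treats this as an ordinary file.
        return "plain", None
    for fmt, width in CANDIDATE_SIZE_FIELDS:
        header_len = len(MAGIC) + width
        if len(blob) < header_len:
            continue
        (declared,) = struct.unpack_from(fmt, blob, len(MAGIC))
        # README: the field holds the file size minus the header.
        if declared == len(blob) - header_len:
            return "encrypted", fmt
    # Marker present but no layout adds up: truncated or hand-edited file.
    return "magic-only", None


def build_sample(payload: bytes, fmt: str = "<I") -> bytes:
    """Constructed test input: marker + size field + opaque payload."""
    return MAGIC + struct.pack(fmt, len(payload)) + payload


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict, layout = classify(fh.read())
        print(f"{path}: {verdict}" + (f" (size field {layout})" if layout else ""))
```

A "plain" verdict for a file that should be encrypted, such as diags.enc, is worth flagging when auditing a diagnostics image, since the loader accepts it either way.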

License:GNU General Public License v2.0

