It's a dangerous set of software, so be extremely careful when using this, no warranty given, you are on your own
Previously known as kanzictl. Now it's a pack of 5 tools for interacting with Kanzi, its' derivatives (Nova/Koba) and in some cases other probes (Chimp, Koko, etc.), as well as their bootloaders
All of them are described below
A tool to interact with KanziBoot (ChimpBoot, KokoBoot - it's all the same protocol) - to dump, flash (do not summon at all costs!) or reboot your probe
Gorilla and Kong use different bootloaders with mass storage based protocol and are not supported by this tool
Using Xcode. This functionality no longer depends on libAstrisAPI
Usage is simple:
noone@Mac-mini-noone ~ % kblctl
usage: kblctl VERB [options]
where VERB is one of the following:
flash <file> flash firmware from a file
dump <file> dump firmware to a file
reset reset to normal mode
For obvious reasons, your probe must already be in bootloader mode. To enter it press a little button...:
- Kanzi/Nova/Koba - ...in the LED hole
- Chimp - ...in the non-LED hole (the furthest one from micro USB port)
- Koko - ...near the ARM Cortex Debug connector and the green blinking LED
UDT doesn't have the button (or it's unreachable due to its' special enclosure), so probeenterdfu in conjuction with astrisprobed_patcher might be handy (next 2 sections)
Once the probe reaches bootloader mode, the tool can be finally used. Examples:
noone@Mac-mini-noone ~ % kblctl dump /tmp/koba.bin # dumping
device: KanziBoot-B-REDACTED
dump request sent, reading...
successfully dumped to /tmp/koba.bin!
noone@Mac-mini-noone ~ % kblctl flash /tmp/koba.bin # flashing
device: KanziBoot-B-REDACTED
this is a dumped firmware image
flash request sent, writing...
successfully flashed!
noone@Mac-mini-noone ~ % kblctl reset # rebooting back to normal mode
device: KanziBoot-B-REDACTED
reset request sent successfully!
If there're several devices available, it will show a menu:
noone@Mac-mini-noone ~ % kblctl reset
a) KokoBoot-REDACTED
b) KanziBoot-B-REDACTED
c) ChimpBoot-3-REDACTED
Select one of the devices listed above:
A tiny tool you can use to send a probe to bootloader mode programmatically, i.e. without pressing any buttons
Using make.sh
. This program does depend on libAstrisAPI, which must be installed at /usr/local/bin
(comes with Astris since Tigris)
noone@Mac-mini-noone ~ % probeenterdfu
0) Koko-REDACTED
1) KobaSWD-REDACTED
2) ChimpSWD-REDACTED
Choose a device:
1
choice: 1
the probe should reach bootloader now
Warning: this tool uses Astris API, thus it won't be able to detect Nova or UDT without patched astrisprobed
Patches astrisprobed
in memory to make it detect Nova as Kanzi or UDT as Chimp or both
Using Xcode. This functionality doesn't depend on libAstrisAPI
noone@Mac-mini-noone ~ % sudo killall astrisprobed # might be important to kill the daemon
noone@Mac-mini-noone ~ % astrisprobed_patcher
astrisprobed_patcher OPTIONS
where OPTIONS are the following:
--daemon run as daemon
--nova patch Kanzi's PID to Nova's
--udt patch Chimp's PID to UDT's
either --nova or --udt must be passed
noone@Mac-mini-noone ~ %
Daemon mode means it will always wait for astrisprobed
' spawn. Useful if you want it to run with system startup
Warning: as you can understand from its' usage description, this tool replaces PIDs, that means if you run it with --nova
, for example, real Kanzi won't be detected anymore unless you restart astrisprobed
(same for Chimp/UDT). For more elegant solution that allows using them simultaneously, look at SNRSpoofer (next section)
SIP (System Integrity Protection) is a security feature used since OS X 10.11. Along with many other things, it also disallows using task_for_pid()
against Apple-signed executables. You can disable it by rebooting into recovery partition and exceuting the following command:
csrutil enable --without debug
This will leave you with SIP (mostly) enabled, except for disallowing certain debugging capatibilities
Warning: be extremely careful with this one
A code-less kernel extension that changes Nova's USB PID (0x1624) to Kanzi's (0x1621) on the fly by using AppleUSBMergeNub
. Thus, you can use both Kanzi and Nova at the same time with Astris, but lose the ability to use Nova with Serial Number Reader app (can be patched though)
Copy the kext to /Library/Extensions
:
sudo cp -a SNRSpoofer.kext /Library/Extensions
Fix ownerships:
sudo chown -R root:wheel /Library/Extensions/SNRSpoofer.kext
Try to load:
sudo kextload /Library/Extensions/SNRSpoofer.kext
If everything is fine, invalidate kext cache:
sudo kextcache -i /
On Big Sur you also need to reboot for changes to make effect:
sudo reboot
This one allows you to interact with KFL (Kanzi Fraud Library) functionality of your Kanzi/Nova (Koba and Chimp support will come later). To learn more about the subject, please read this
Using Xcode. This tool does depend on libAstrisAPI, which must be installed at /usr/local/bin
(comes with Astris since Tigris)
There're 2 options - generate signature using SHA-1 hash or dump a public certificate to a file:
noone@Mac-mini-noone ~ % kanzifraudctl
usage: kanzifraudctl <option> <arg>
where option is one of the following:
-g <SHA-1> generate signature from hash
-c <path> dump certificate
noone@Mac-mini-noone ~ %
Examples of an output:
noone@Mac-mini-noone ~ % kanzifraudctl -g ba66cb5bb5e6a04ead8d6506a919f6666bdf1978
signature length: 128
took 234746 microseconds
B64 SIGNATURE:
PgufF9nd2I3DHCLv9Aj1koKgjz+sQkygIcejf3SOFLWCy3MTLmNT07ipRtEewo7f4JRnCjMD
AkqAYqFg8ZAFrUd7OmF29hsm61V3DYf0vycdPGqS7wkWoIf18GPoPd4JsLbnFNKYJkABna4b
UBa2gidx51V1dsMpQZXSxf31Kl8=
noone@Mac-mini-noone ~ % kanzifraudctl -c /tmp/kanzi.der
certificate length: 908
reading at offset: 0
reading at offset: 128
reading at offset: 256
reading at offset: 384
reading at offset: 512
reading at offset: 640
reading at offset: 768
reading at offset: 896
written to /tmp/kanzi.der
noone@Mac-mini-noone ~ %
Objective-See project for ProcInfo