Home

Awesome

kanzitools

It's a dangerous set of software, so be extremely careful when using this, no warranty given, you are on your own

Previously known as kanzictl. Now it's a pack of 5 tools for interacting with Kanzi, its' derivatives (Nova/Koba) and in some cases other probes (Chimp, Koko, etc.), as well as their bootloaders

All of them are described below

kblctl

A tool to interact with KanziBoot (ChimpBoot, KokoBoot - it's all the same protocol) - to dump, flash (do not summon at all costs!) or reboot your probe

Gorilla and Kong use different bootloaders with mass storage based protocol and are not supported by this tool

Building

Using Xcode. This functionality no longer depends on libAstrisAPI

Usage

Usage is simple:

noone@Mac-mini-noone ~ % kblctl     
usage: kblctl VERB [options]
where VERB is one of the following:
	flash <file>	flash firmware from a file
	dump <file>		dump firmware to a file
	reset			reset to normal mode

For obvious reasons, your probe must already be in bootloader mode. To enter it press a little button...:

UDT doesn't have the button (or it's unreachable due to its' special enclosure), so probeenterdfu in conjuction with astrisprobed_patcher might be handy (next 2 sections)

Once the probe reaches bootloader mode, the tool can be finally used. Examples:

noone@Mac-mini-noone ~ % kblctl dump /tmp/koba.bin    # dumping
device: KanziBoot-B-REDACTED
dump request sent, reading...
successfully dumped to /tmp/koba.bin!

noone@Mac-mini-noone ~ % kblctl flash /tmp/koba.bin    # flashing
device: KanziBoot-B-REDACTED
this is a dumped firmware image
flash request sent, writing...
successfully flashed!

noone@Mac-mini-noone ~ % kblctl reset    # rebooting back to normal mode             
device: KanziBoot-B-REDACTED
reset request sent successfully!

If there're several devices available, it will show a menu:

noone@Mac-mini-noone ~ % kblctl reset              
a) KokoBoot-REDACTED
b) KanziBoot-B-REDACTED
c) ChimpBoot-3-REDACTED
Select one of the devices listed above: 

kblcrcfix

WARNING: this is dangerous! Messing with firmware can break your priceless probe! Proceed only if you absolutely know what you are doing!

A small tool that fixes CRC in Kanzi (and derivatives), Chimp (and derivatives) and Koko firmwares in case you patched them. If you don't fix CRC, probe's bootloader will not jump to the actual firmware and thus will open DFU instead

It also can be used to truncate dumped firmwares (1 MiB for Kanzi/Chimp and 128 KiB for Koko) to their original lengths

Building

Using make.sh. This tool doesn't depend on libAstrisAPI

Usage

Dead easy:

➜  kblcrcfix git:(master) ✗ ./kblcrcfix
./kblcrcfix <input> <output>

Output example:

➜  kblcrcfix git:(master) ✗ ./kblcrcfix firmware_0.90_Chimp_like_UDT.bin /dev/null
firmware length = 0x29ffc
final CRC = 0x0cb100bc
final CRC is NOT 0x0, fixing
current CRC = 0x967b004b
computed CRC = 0x6d637434
recomputed final CRC = 0x00000000
written output file
DONE!
➜  kblcrcfix git:(master) ✗

probeenterdfu

A tiny tool you can use to send a probe to bootloader mode programmatically, i.e. without pressing any buttons

Building

Using make.sh. This program does depend on libAstrisAPI, which must be installed at /usr/local/lib (comes with Astris since Tigris)

Usage

noone@Mac-mini-noone ~ % probeenterdfu
 0) Koko-REDACTED
 1) KobaSWD-REDACTED
 2) ChimpSWD-REDACTED
Choose a device: 
1
choice: 1
the probe should reach bootloader now

Warning: this tool uses Astris API, thus it won't be able to detect Nova or UDT without patched astrisprobed

astrisprobed_patcher

WARNING: this tool hasn't been tested with modern versions of Astris and macOS, so be careful!

Patches astrisprobed in memory to make it detect Nova as Kanzi or UDT as Chimp or both

Building

Using Xcode. This functionality doesn't depend on libAstrisAPI

Usage

noone@Mac-mini-noone ~ % sudo killall astrisprobed    # might be important to kill the daemon

noone@Mac-mini-noone ~ % astrisprobed_patcher
astrisprobed_patcher OPTIONS
where OPTIONS are the following:
	--daemon	run as daemon
	--nova		patch Kanzi's PID to Nova's
	--udt		patch Chimp's PID to UDT's

either --nova or --udt must be passed
noone@Mac-mini-noone ~ % 

Daemon mode means it will always wait for astrisprobed' spawn. Useful if you want it to run with system startup

You might need to kill astrisprobed (so it will respawn) before using this tool

Warning: as you can understand from its' usage description, this tool replaces PIDs, that means if you run it with --nova, for example, real Kanzi won't be detected anymore unless you restart astrisprobed (same for Chimp/UDT). For more elegant solution that allows using them simultaneously, look at SNRSpoofer (next section)

SIP notes

SIP (System Integrity Protection) is a security feature used since OS X 10.11. Along with many other things, it also disallows using task_for_pid() against Apple-signed executables. You can disable it by rebooting into recovery partition and exceuting the following command:

csrutil enable --without debug

This will leave you with SIP (mostly) enabled, except for disallowing certain debugging capatibilities

SNRSpoofer

Warning: be extremely careful with this one

A code-less kernel extension that changes Nova's USB PID (0x1624) to Kanzi's (0x1621) on the fly by using AppleUSBMergeNub. Thus, you can use both Kanzi and Nova at the same time with Astris, but lose the ability to use Nova with Serial Number Reader app (can be patched though)

Installing

Copy the kext to /Library/Extensions:

sudo cp -a SNRSpoofer.kext /Library/Extensions

Fix ownerships:

sudo chown -R root:wheel /Library/Extensions/SNRSpoofer.kext

Try to load:

sudo kextload /Library/Extensions/SNRSpoofer.kext

If everything is fine, invalidate kext cache:

sudo kextcache -i /

On Big Sur you also need to reboot for changes to make effect:

sudo reboot

kanzifraudctl

This one allows you to interact with KFL (Kanzi Fraud Library) functionality of your Kanzi/Nova (Koba and Chimp support will come later). To learn more about the subject, please read this

Building

Using Xcode. This tool does depend on libAstrisAPI, which must be installed at /usr/local/lib (comes with Astris since Tigris)

Usage

There're 2 options - generate signature using SHA-1 hash or dump a public certificate to a file:

noone@Mac-mini-noone ~ % kanzifraudctl
usage: kanzifraudctl <option> <arg>
where option is one of the following:
	-g <SHA-1>	generate signature from hash
	-c <path>	dump certificate
noone@Mac-mini-noone ~ %

Examples of an output:

noone@Mac-mini-noone ~ % kanzifraudctl -g ba66cb5bb5e6a04ead8d6506a919f6666bdf1978
signature length: 128
took 234746 microseconds
B64 SIGNATURE:
PgufF9nd2I3DHCLv9Aj1koKgjz+sQkygIcejf3SOFLWCy3MTLmNT07ipRtEewo7f4JRnCjMD
AkqAYqFg8ZAFrUd7OmF29hsm61V3DYf0vycdPGqS7wkWoIf18GPoPd4JsLbnFNKYJkABna4b
UBa2gidx51V1dsMpQZXSxf31Kl8=

noone@Mac-mini-noone ~ % kanzifraudctl -c /tmp/kanzi.der
certificate length: 908
reading at offset: 0
reading at offset: 128
reading at offset: 256
reading at offset: 384
reading at offset: 512
reading at offset: 640
reading at offset: 768
reading at offset: 896
written to /tmp/kanzi.der
noone@Mac-mini-noone ~ %

Credits

Objective-See project for ProcInfo