
GrayKey public disclosure

a guest
Apr 19th, 2018
  1. Mr. David Miles,
  2.  
  3. This is addressed to you and any other people interested in keeping GrayKey product secure and not available to the wide public.
  4.  
  5. We are a "business group" looking forward to bring into your attention the fact that we HAVE obtained the source code for your product GrayKey and would appreciate any donation above 2 BTC sent to 1Cg61mVzMCvs2ZP148VeoBnQnv8rHxAZES if you consider that keeping this information secure is crucial.
  6.  
  7. Below BTC address will be monitored in the next 7 days waiting for any given donations. After the countdown ends, security on the available source code cannot be anymore assured by our group. You cannot contact us in any other form, rather than donation. Once donation is received, we'll contact you david@grayshift.com with further details.
  8.  
  9. Any other wild bidders are welcomed to join the donation race to 1BqFDiNKjAKBopdr37Mw7vM2oG8pgWvzNL if you want full information to be publicly released.
  10.  
  11. And yeah...just to make things clear from the beginning, let us state we're talking real deal. Take a quick peek at some juicy stuff extracts we have and think if they ring the bell.
  12.  
  13. [....]--->
  14. <script>
  // Page-level state for the status poller. Only lastApplogicVersion is read in
  // the visible part of this excerpt: pollExploitStatus compares it with the
  // 'version' field of the /exploitStatus response and reloads the page when
  // the two differ. The other three variables are not referenced in the lines
  // shown here.
  var lastApplogicVersion = null;
  var sawDataCopyComplete = false;
  var seenFirstPoll = false;
  var pollInterval = null;

  // Settings table keyed by setting id. Every entry has the same shape:
  //   info.help  - help text for the setting
  //   info.name  - short display name
  //   info.type  - type tag; only "FILE" and "BOOL" occur in this excerpt
  //   value      - current value (a description string for FILE, true/false for BOOL)
  // NOTE(review): how this table is rendered or submitted is not visible here.
  var settingsObj = {
      // Per the help text, custom alphanumeric passcodes are only attempted
      // when a word list (plaintext, one word per line) has been uploaded.
      "ALPHANUMERIC_DICTIONARY": {
          "info": {
              "help": "To brute force a complex alphanumeric passcode, upload a custom password dictionary.  If a dictionary is not uploaded, GrayKey will not attempt to brute force custom alphanumeric passcodes. The format of the dictionary is a plaintext file with one word per line.",
              "name": "Custom alphanumeric dictionary",
              "type": "FILE"
          },
          "value": "File \u0027passcode.txt\u0027, 10.0B"
      },
      // Controls whether extraction starts on its own or must be started from the UI.
      "AUTOMATIC_DATA_DOWNLOAD": {
          "info": {
              "help": "If disabled, data extraction must be manually initiated from the GrayKey UI.",
              "name": "Automatically perform data extraction",
              "type": "BOOL"
          },
          "value": true
      },
      // Includes the read-only system partition in the extraction.
      "COLLECT_ROOTFS": {
          "info": {
              "help": "Collect the read-only system partition during data extraction. The system partition can be collected, but under normal circumstances is not able to be modified by the device user.",
              "name": "Collect system partition",
              "type": "BOOL"
          },
          "value": true
      },
      // Per the help text this is a persistent change to the examined device,
      // which matters for anyone later assessing that device's state.
      "DISABLE_SESHAT": {
          "info": {
              "help": "Persistently disable future enrollment in SE-bound passcodes on the device after initial access.",
              "name": "Disable SE-bound passcode enrollment",
              "type": "BOOL"
          },
          "value": true
      },
      // Metadata-only collection for files whose contents cannot be read yet.
      "DOWNLOAD_INACCESSIBLE_METADATA": {
          "info": {
              "help": "If an immediate extraction of accessible data is occurring, collect metadata for inaccessible files. The inaccessible files will appear empty, but the metadata will be accurate. This can occur in two instances - (1) SE-Bound and Before First Unlock or (2) \"Automatically perform data extraction\" is disabled and user has initiated an extraction before passcode discovery.",
              "name": "Extract metadata for inaccessible files",
              "type": "BOOL"
          },
          "value": true
      },
      // Per the help text, memory of all running processes is collected after
      // initial access.
      "DOWNLOAD_PROCMEM": {
          "info": {
              "help": "Enabling this setting will extract memory from all running processes after initial access.",
              "name": "Extract process memory After First Unlock",
              "type": "BOOL"
          },
          "value": true
      },
      // Extract whatever is readable right away instead of waiting for the
      // passcode search to finish.
      "INITIAL_DOWNLOAD_SESHAT": {
          "info": {
              "help": "Perform immediate extraction of all accessible data when the device has an SE-bound passcode and is in the Before First Unlock state. This may be desired because bruteforce could take a very long time.",
              "name": "Immediate extraction when SE-bound passcode Before First Unlock",
              "type": "BOOL"
          },
          "value": true
      },
      // Per the help text, progress is written to NVRAM every 6 hours and is
      // removed again when the agent is uninstalled.
      "STORE_STATE_NVRAM": {
          "info": {
              "help": "If checked, the agent will save bruteforce state in NVRAM every 6 hours. If device power is lost, when the agent is re-installed it will restart the passcode bruteforce at the last saved state. Once the agent is uninstalled (manually or automatically), the state will be removed from NVRAM. Writing to NVRAM has no effect on the device filesystem.",
              "name": "Save bruteforce state in NVRAM",
              "type": "BOOL"
          },
          "value": true
      }
  };
  85.  
  /**
   * Format a decimal byte count held in a string as a short size label.
   *
   * The string is parsed with parseInt(..., 10). Values under 1024 are
   * returned as the parsed Number itself (no unit suffix); larger values come
   * back as a string: whole kilobytes ("KB"), whole megabytes ("MB"), or
   * gigabytes with two decimals ("GB"). A string that does not parse fails
   * every comparison and therefore ends up in the final branch.
   *
   * @returns {number|string} the parsed number, or a labelled size string
   */
  String.prototype.toReadableSize = function() {
      var KB = 1024;
      var MB = KB * 1024;
      var GB = MB * 1024;
      var bytes = parseInt(this, 10); // radix 10: never guess the base

      if (bytes < KB) {
          return bytes;
      }
      if (bytes < MB) {
          return Math.floor(bytes / KB) + "KB";
      }
      if (bytes < GB) {
          return Math.floor(bytes / MB) + "MB";
      }
      return (bytes / GB).toFixed(2) + "GB";
  };
  98.  
  /**
   * Format a decimal number of seconds held in a string as "HH:MM:SS".
   *
   * The string is parsed with parseInt(..., 10) and split into hours, minutes
   * and seconds. Each field below 10 gets a leading "0"; the hours field is
   * not capped, so long durations simply print more than two digits.
   *
   * @returns {string} the three fields joined with ':'
   */
  String.prototype.toHHMMSS = function() {
      var total = parseInt(this, 10); // radix 10: never guess the base
      var h = Math.floor(total / 3600);
      var m = Math.floor((total - (h * 3600)) / 60);
      var s = total - (h * 3600) - (m * 60);

      var fields = [h, m, s];
      for (var i = 0; i < fields.length; i++) {
          // Same rule for every field: prefix a zero when the value is below 10.
          if (fields[i] < 10) {
              fields[i] = "0" + fields[i];
          }
      }
      return fields.join(':');
  };
  116.  
  117.     function pollExploitStatus() {
  118.         $.getJSON('/exploitStatus', function(data) {
  119.                     var keepPolling = true;
  120.                     if (data) {
  121.                         console.log(data);
  122.  
  123.                         if ('version' in data && data['version'] != lastApplogicVersion) {
  124.                             if (lastApplogicVersion == null) {
  125.                                 lastApplogicVersion = data['version'];
  126.                             } else {
  127.                                 // applogic has been updated
  128.                                 window.location.reload(true);
  129.                                 return;
  130.                             }
  131.                         }
  132.                         if ('nresults' in data && data["nresults"] > 0) {
  133.                             $("#hasResults .btn").text(data["nresults"] + " stored results");
  134.                             $("#hasResults").show()
  135.                         } else {
  136.                             $("#hasResults").hide()
  137.                         }
  138.                         $("#dataDownloadReady").hide();
  139.  
  140.                         showAttachedDeviceInfo(data);
  141.  
  142.                         var exploit_phase = data['phase'];
  143.  
  144. <---[......]
  145.  
  146. ------>[......]
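  /**
   * Show download progress in the auxiliary header bar.
   *
   * Does nothing when there is no status object or it carries no
   * downloadState. Otherwise the progress bar is switched to its "success"
   * style, set to downloaded/size as a percentage clamped to 0..100, and the
   * message is set to "<title> <version>:".
   *
   * @param {Object} status - status object; reads downloadState.downloaded,
   *     downloadState.size and downloadState.version
   * @param {string} title - label placed in front of the version
   */
  function showDownloadingUI(status, title) {
      /* no status or no download state? abort */
      if (!status || !status.downloadState) {
          return;
      }
      var dl = status.downloadState;

      /* calculate the download percent, clamped to 0..100 */
      var percent = (dl.downloaded / dl.size) * 100;
      if (isNaN(percent) || percent < 0) {
          /* 0/0 or a missing field gives NaN, which would otherwise be
             written out as the CSS width "NaN%" */
          percent = 0;
      }
      if (percent > 100) {
          percent = 100;
      }

      /* make the stat message */
      var percentStr = percent.toFixed() + "%";
      var statMsg = title + " " + dl.version + ":";

      /* update the elements */
      $('#auxHeaderMessageContainer').removeClass('hidden');
      $('#auxProgress')
          .addClass('progress-bar-success')
          .removeClass('active')
          .css('width', percentStr)
          .attr('aria-valuenow', percent);
      /* Inserted as text, not markup: title and version come from outside
         this function and must not be parsed as HTML. */
      $('#auxProgressMessage').text(statMsg);
      // ensure the iframe is visible
      $('#applogicFrame').removeClass('hidden');
  }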
  172.  
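  /**
   * Show the "install pending" state in the auxiliary header bar.
   *
   * Does nothing when there is no status object or it carries no
   * downloadState, matching showDownloadingUI; without this guard the version
   * lookup throws after the bar has already been partly updated. Otherwise
   * the progress bar is set to a full-width, active, non-success bar and the
   * message is set to "<title> <version> install pending:".
   *
   * @param {Object} status - status object; reads downloadState.version
   * @param {string} title - label placed in front of the version
   */
  function showWaitingUI(status, title) {
      if (!status || !status.downloadState) {
          return;
      }
      var statMsg = title + " " + status.downloadState.version + " install pending:";

      // show the aux message container
      $('#auxHeaderMessageContainer').removeClass('hidden');
      // set the progress bar to 100% gray and active
      $('#auxProgress')
          .removeClass('progress-bar-success')
          .addClass('active')
          .css('width', '100%')
          .attr('aria-valuenow', 100);
      // display the message as text, not markup: title and version come from
      // outside this function and must not be parsed as HTML
      $('#auxProgressMessage').text(statMsg);
      // ensure the iframe is visible
      $('#applogicFrame').removeClass('hidden');
  }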
  186. <------[.....]