Ios: Difference between revisions

From darkrealm Wiki
Chris (talk | contribs)

Current revision as of 22 February 2025, 02:42

PongoOS

https://github.com/checkra1n/PongoOS

palera1n

https://github.com/palera1n/palera1n

git clone https://github.com/palera1n/palera1n.git

SSH RamDisk

https://github.com/verygenericname/SSHRD_Script

git clone https://github.com/verygenericname/SSHRD_Script.git --recursive
  • Generate the RamDisk
./sshrd.sh 15.8.3
  • Enter DFU mode with palera1n
./palera1n-linux-x86_64 -D
  • Boot the RamDisk
./sshrd.sh boot
  • Start iproxy
iproxy 9999:22
  • Connect via ssh
ssh root@localhost -p9999
  • iCloud Bypass
mv -v /mnt1/usr/libexec/mobileactivationd /mnt$di/usr/libexec/mobileactivationdBackup
ldid -e /mnt1/usr/libexec/mobileactivationdBackup > /mnt1/usr/libexec/mob.plist
scp -P9999 gold root@localhost:/mnt1/usr/libexec/mobileactivationd
chmod 755 /mnt1/usr/libexec/mobileactivationd
ldid -S/mnt1/usr/libexec/mob.plist /mnt1/usr/libexec/mobileactivationd
rm -v /mnt1/usr/libexec/mob.plist

Sequence in sshrd.sh 15.8.3

  • pzb download of the iPad 15.8.3 Restore IPSW files
  • gaster decrypt iBSS to iBSS.dec
  • gaster decrypt iBEC to iBEC.dec
  • iBoot64Patcher iBSS.dec to iBSS.patched
  • img4 iBSS.patched to iBSS.img4
  • iBoot64Patcher iBEC.dec to iBEC.patched
  • img4 iBEC.patched to iBEC.img4
  • img4: extract kernelcache to kcache.raw
  • KPlooshFinder kcache.raw to kcache.patched
  • kerneldiff kcache.raw against kcache.patched, diff to kc.bpatch
  • img4: build the image with the patched kernelcache
  • img4: build the DeviceTree

Sequence in sshrd.sh boot

  • gaster pwn
  • gaster reset
  • irecovery -f iBSS.img4
  • irecovery -f iBEC.img4
  • irecovery -f logo.img4
  • irecovery -c "setpicture 0x1"
  • irecovery -f ramdisk.img4
  • irecovery -c ramdisk
  • irecovery -f devicetree.img4
  • irecovery -c devicetree
  • irecovery -f trustcache.img4
  • irecovery -c firmware
  • irecovery -f kernelcache.img4
  • irecovery -c bootx

goldra1n

https://github.com/NarYuki/Goldra1n-c.git

Ramdisk Part

# Dump blobs, and install pogo if needed 
if [ -f blobs/"$deviceid"-"$version".der ]; then
    if [ -f .rd_in_progress ]; then
        rm blobs/"$deviceid"-"$version".der
    fi
fi

if [ ! -f blobs/"$deviceid"-"$version".der ]; then
    mkdir -p blobs
    _kill_if_running iproxy

    cd ramdisk
    chmod +x sshrd.sh
    echo "[*] Creating ramdisk"
    if [ "$sshrd19G69" = "1" ]; then
        ./sshrd.sh 19G69 `if [ -z "$tweaks" ]; then echo "rootless"; fi`
    elif [[ "$version" == *"16"* ]]; then
        ./sshrd.sh 16.0.3 `if [ -z "$tweaks" ]; then echo "rootless"; fi`
    else
        ./sshrd.sh "$version" `if [ -z "$tweaks" ]; then echo "rootless"; fi`
    fi

    echo "[*] Booting ramdisk"
    ./sshrd.sh boot
    cd ..
    # remove special lines from known_hosts
    if [ -f ~/.ssh/known_hosts ]; then
        if [ "$os" = "Darwin" ]; then
            sed -i.bak '/localhost/d' ~/.ssh/known_hosts
            sed -i.bak '/127\.0\.0\.1/d' ~/.ssh/known_hosts
        elif [ "$os" = "Linux" ]; then
            sed -i '/localhost/d' ~/.ssh/known_hosts
            sed -i '/127\.0\.0\.1/d' ~/.ssh/known_hosts
        fi
    fi

    # Execute the commands once the rd is booted
    if [ "$os" = 'Linux' ]; then
        sudo "$dir"/iproxy 2222 22 &
    else
        "$dir"/iproxy 2222 22 &
    fi

    while ! (remote_cmd "echo connected" &> /dev/null); do
        sleep 1
    done

    touch .rd_in_progress
    
    if [ "$tweaks" = "1" ]; then
        echo "[*] Testing for baseband presence"
        if [ "$(remote_cmd "/usr/bin/mgask HasBaseband | grep -E 'true|false'")" = "true" ] && [[ "${cpid}" == *"0x700"* ]]; then
            disk=7
        elif [ "$(remote_cmd "/usr/bin/mgask HasBaseband | grep -E 'true|false'")" = "false" ]; then
            if [[ "${cpid}" == *"0x700"* ]]; then
                disk=6
            else
                disk=7
            fi
        fi

        if [ -z "$semi_tethered" ]; then
            disk=1
        fi

        if [[ "$version" == *"16"* ]]; then
            fs=disk1s$disk
        else
            fs=disk0s1s$disk
        fi

        echo "$disk" > .fs-"$deviceid"
    fi

    if [[ "$version" == *"16"* ]]; then
        # mount filesystems, no user data partition
        remote_cmd "/usr/bin/mount_filesystems_nouser"
    else
        # mount filesystems
        remote_cmd "/usr/bin/mount_filesystems"
    fi

    has_active=$(remote_cmd "ls /mnt6/active" 2> /dev/null)
    if [ ! "$has_active" = "/mnt6/active" ]; then
        echo "[!] Active file does not exist! Please use SSH to create it"
        echo "    /mnt6/active should contain the name of the UUID in /mnt6"
        echo "    When done, type reboot in the SSH session, then rerun the script"
        echo "    ssh root@localhost -p 2222"
        exit
    fi
    active=$(remote_cmd "cat /mnt6/active" 2> /dev/null)

    if [ "$restorerootfs" = "1" ]; then
        if [[ "$version" == *"16"* ]]; then
            echo "[!] --restorerootfs does not work on iOS 16 at this time"
            echo "    You must reboot into normal mode and Erase All Content and Settings"
            echo "    This should in theory restore rootfs your device"
            echo "    This is only a temporary fix until we can fix --restorerootfs"
            exit;
        else
            echo "[*] Removing Jailbreak"
            remote_cmd "/sbin/apfs_deletefs disk0s1s${disk} > /dev/null || true"
            remote_cmd "rm -f /mnt2/jb"
            remote_cmd "rm -rf /mnt2/cache /mnt2/lib"
            remote_cmd "rm -rf /mnt6/$active/procursus"
            remote_cmd "rm -f /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.raw /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.patched /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.im4p /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kernelcachd"
            remote_cmd "mv /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kernelcache.bak /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kernelcache 2> /dev/null || true"
            remote_cmd "/bin/sync"
            remote_cmd "/usr/sbin/nvram auto-boot=true"
            rm -f BuildManifest.plist
            echo "[*] Done! Rebooting your device"
            remote_cmd "/sbin/reboot"
            exit;
        fi
    fi

    echo "[*] Dumping apticket"
    sleep 1
    remote_cp root@localhost:/mnt6/$active/System/Library/Caches/apticket.der blobs/"$deviceid"-"$version".der
    #remote_cmd "cat /dev/rdisk1" | dd of=dump.raw bs=256 count=$((0x4000)) 
    #"$dir"/img4tool --convert -s blobs/"$deviceid"-"$version".shsh2 dump.raw
    #rm dump.raw

    if [ "$semi_tethered" = "1" ]; then
        if [ -z "$skip_fakefs" ]; then
            echo "[*] Creating fakefs, this may take a while (up to 10 minutes)"
            remote_cmd "/sbin/newfs_apfs -A -D -o role=r -v System /dev/disk0s1" && {
                sleep 2
                remote_cmd "/sbin/mount_apfs /dev/$fs /mnt8"
                sleep 1
                remote_cmd "cp -a /mnt1/. /mnt8/"
                sleep 1
                echo "[*] fakefs created, continuing..."
            } || {
                remote_cmd "/sbin/mount_apfs /dev/$fs /mnt8"
                echo "[*] Using the old fakefs, run restorerootfs if you need to clean it"
            }
        fi
    fi

    if [ -z "$no_install" ]; then
        tipsdir=$(remote_cmd "/usr/bin/find /mnt2/containers/Bundle/Application/ -name 'Tips.app'" 2> /dev/null)
        sleep 1
        remote_cmd "/bin/mkdir -p /mnt1/private/var/root/temp"
        sleep 1
        remote_cmd "/bin/cp -r /usr/local/bin/loader.app/* /mnt1/private/var/root/temp"
        sleep 1
        remote_cmd "/bin/rm -rf /mnt1/private/var/root/temp/Info.plist /mnt1/private/var/root/temp/Base.lproj /mnt1/private/var/root/temp/PkgInfo"
        sleep 1
        if [ "$tipsdir" = "" ]; then
            echo "[*] Tips is not installed, skipping Tips app hijacking"
        else
            if [[ ! "$version" == *"16"* ]]; then
                remote_cmd "/bin/cp -rf /mnt1/private/var/root/temp/* $tipsdir"
                sleep 1
                remote_cmd "/usr/sbin/chown 33 $tipsdir/Tips"
                sleep 1
                remote_cmd "/bin/chmod 755 $tipsdir/Tips $tipsdir/palera1nHelper"
                sleep 1
                remote_cmd "/usr/sbin/chown 0 $tipsdir/palera1nHelper"
                sleep 1
                remote_cmd '/usr/sbin/nvram allow-root-hash-mismatch=1'
            fi
        fi
        sleep 1
        remote_cmd "/bin/rm -rf /mnt1/private/var/root/temp"
    fi

    remote_cmd "/usr/sbin/nvram allow-root-hash-mismatch=1"
    #remote_cmd "/usr/sbin/nvram root-live-fs=1"
    if [[ "$@" == *"--semi-tethered"* ]]; then
        "$dir"/sshpass -p 'alpine' ssh -o StrictHostKeyChecking=no -p2222 root@localhost "/usr/sbin/nvram auto-boot=true"
    else
        "$dir"/sshpass -p 'alpine' ssh -o StrictHostKeyChecking=no -p2222 root@localhost "/usr/sbin/nvram auto-boot=false"
    fi

    # lets actually patch the kernel
    echo "[*] Patching the kernel"
    remote_cmd "rm -f /mnt6/$active/kpf"
    if [[ "$version" == *"16"* ]]; then
        remote_cp binaries/Kernel16Patcher.ios root@localhost:/mnt6/$active/kpf
    else
        remote_cp binaries/Kernel15Patcher.ios root@localhost:/mnt6/$active/kpf
    fi
    remote_cmd "/usr/sbin/chown 0 /mnt6/$active/kpf"
    remote_cmd "/bin/chmod 755 /mnt6/$active/kpf"

    remote_cmd "rm -f /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.raw /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.patched /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.im4p /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kernelcachd"
    if [ "$tweaks" = "1" ]; then
        remote_cmd "cp /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kernelcache /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kernelcache.bak"
    fi
    sleep 1

    # download the kernel
    echo "[*] Downloading BuildManifest"
    "$dir"/pzb -g BuildManifest.plist "$ipswurl"

    echo "[*] Downloading kernelcache"
    "$dir"/pzb -g "$(awk "/""$model""/{x=1}x&&/kernelcache.release/{print;exit}" BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1)" "$ipswurl"
    
    echo "[*] Patching kernelcache"
    mv kernelcache.release.* work/kernelcache
    if [[ "$deviceid" == "iPhone8"* ]] || [[ "$deviceid" == "iPad6"* ]] || [[ "$deviceid" == *'iPad5'* ]]; then
        python3 -m pyimg4 im4p extract -i work/kernelcache -o work/kcache.raw --extra work/kpp.bin
    else
        python3 -m pyimg4 im4p extract -i work/kernelcache -o work/kcache.raw
    fi
    sleep 1
    remote_cp work/kcache.raw root@localhost:/mnt6/$active/System/Library/Caches/com.apple.kernelcaches/
    remote_cmd "/mnt6/$active/kpf /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.raw /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.patched"
    remote_cp root@localhost:/mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.patched work/
    if [ "$tweaks" = "1" ]; then
        if [[ "$version" == *"16"* ]]; then
            "$dir"/Kernel64Patcher work/kcache.patched work/kcache.patched2 -e -o -u -l -t -h -d
        else
            "$dir"/Kernel64Patcher work/kcache.patched work/kcache.patched2 -e -l
        fi
    else
        "$dir"/Kernel64Patcher work/kcache.patched work/kcache.patched2 -a
    fi
    
    sleep 1
    if [[ "$deviceid" == *'iPhone8'* ]] || [[ "$deviceid" == *'iPad6'* ]] || [[ "$deviceid" == *'iPad5'* ]]; then
        python3 -m pyimg4 im4p create -i work/kcache.patched2 -o work/kcache.im4p -f krnl --extra work/kpp.bin --lzss
    else
        python3 -m pyimg4 im4p create -i work/kcache.patched2 -o work/kcache.im4p -f krnl --lzss
    fi
    sleep 1
    remote_cp work/kcache.im4p root@localhost:/mnt6/$active/System/Library/Caches/com.apple.kernelcaches/
    remote_cmd "img4 -i /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.im4p -o /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kernelcachd -M /mnt6/$active/System/Library/Caches/apticket.der"
    remote_cmd "rm -f /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.raw /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.patched /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.im4p"

    sleep 1
    has_kernelcachd=$(remote_cmd "ls /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kernelcachd" 2> /dev/null)
    if [ "$has_kernelcachd" = "/mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kernelcachd" ]; then
        echo "[*] Custom kernelcache now exists!"
    else
        echo "[!] Custom kernelcache doesn't exist..? Please send a log and report this bug..."
    fi

    if [ "$tweaks" = "1" ]; then
        sleep 1
        if [ "$semi_tethered" = "1" ]; then
            remote_cmd "/sbin/mount_apfs /dev/$fs /mnt8 || true"
            di=8
        else
            disk=1
            di=1
        fi

        if [[ "$version" == *"16"* ]]; then
            remote_cmd "rm -rf /mnt$di/System/Library/Caches/com.apple.dyld"
            remote_cmd "ln -s /System/Cryptexes/OS/System/Library/Caches/com.apple.dyld /mnt$di/System/Library/Caches/"
        fi
        
        #icloud bypass by @ios_rifox
        echo ""
        echo "ICLOUD BYPASS iOS 16.2 PATCH BY @ios_euphoria RUNNING..."
        echo ""
        remote_cmd "mv -v /mnt$di/usr/libexec/mobileactivationd /mnt$di/usr/libexec/mobileactivationdBackup"
        remote_cmd "ldid -e /mnt$di/usr/libexec/mobileactivationdBackup > /mnt$di/usr/libexec/mob.plist"
        remote_cp gold root@localhost:/mnt$di/usr/libexec/mobileactivationd
        remote_cmd "chmod 755 /mnt$di/usr/libexec/mobileactivationd"
        remote_cmd "ldid -S/mnt$di/usr/libexec/mob.plist /mnt$di/usr/libexec/mobileactivationd"
        remote_cmd "rm -v /mnt$di/usr/libexec/mob.plist"
        echo ""
        echo "PATCHED ICLOUD BYPASS iOS 16.2 DONE!!!\nby @ios_rifox..."
        echo ""
        
        echo "[#] - PART ICLOUD LOGIN PATCH BY @iAldazActivator RUNNING  -"
        echo ""
        if [[ "$version" == *"16"* ]]; then
            # mount filesystems, no user data partition
            if [[ "$deviceid" == "iPhone10,3" ]] || [[ "$deviceid" == "iPhone10,6" ]]; then
                echo "NO SUPPORT FOR ICLOUD SYNC ON THIS DEVICE!!!"
            else
                echo "Fixing iCloud"
                "$dir"/sshpass -p alpine scp -rP 2222 -o StrictHostKeyChecking=no ./goldra1n_ftialdaz/FairPlay root@localhost:/mnt2/mobile/Media/Downloads/ > /dev/null 2>&1
                remote_cmd "chown -R mobile:mobile /mnt2/mobile/Media/Downloads/"
                remote_cmd "rm -rf /mnt2/mobile/Library/FairPlay/"
                remote_cmd "mv -f /mnt2/mobile/Media/Downloads/FairPlay /mnt2/mobile/Library/"
                remote_cmd "chmod -R 755 /mnt2/mobile/Library/FairPlay/"
                remote_cmd "chown -R mobile:mobile /mnt2/mobile/Library/FairPlay"
                remote_cmd "chmod 664 /mnt2/mobile/Library/FairPlay/iTunes_Control/iTunes/IC-Info.sisv"
            fi
        else
            # mount filesystems
            "$dir"/sshpass -p alpine scp -rP 2222 -o StrictHostKeyChecking=no ./goldra1n_ftialdaz/FairPlay root@localhost:/mnt2/mobile/Media/Downloads/ > /dev/null 2>&1
            remote_cmd "chown -R mobile:mobile /mnt2/mobile/Media/Downloads/"
            remote_cmd "rm -rf /mnt2/mobile/Library/FairPlay/"
            remote_cmd "mv -f /mnt2/mobile/Media/Downloads/FairPlay /mnt2/mobile/Library/"
            remote_cmd "chmod -R 755 /mnt2/mobile/Library/FairPlay/"
            remote_cmd "chown -R mobile:mobile /mnt2/mobile/Library/FairPlay"
            remote_cmd "chmod 664 /mnt2/mobile/Library/FairPlay/iTunes_Control/iTunes/IC-Info.sisv"
        fi
        
        echo "SYNC PATCH DONE !!!..."

        # iOS 16 stuff
        # if [[ "$version" == *"16"* ]]; then
        #     if [ -z "$semi_tethered" ]; then
        #         echo "[*] Performing iOS 16 fixes"
        #         sleep 1
        #         os_disk=$(remote_cmd "/usr/sbin/hdik /mnt6/cryptex1/current/os.dmg | head -3 | tail -1 | sed 's/ .*//'")
        #         sleep 1
        #         app_disk=$(remote_cmd "/usr/sbin/hdik /mnt6/cryptex1/current/app.dmg | head -3 | tail -1 | sed 's/ .*//'")
        #         sleep 1
        #         remote_cmd "/sbin/mount_apfs -o ro $os_disk /mnt2"
        #         sleep 1
        #         remote_cmd "/sbin/mount_apfs -o ro $app_disk /mnt9"
        #         sleep 1

        #         remote_cmd "rm -rf /mnt1/System/Cryptexes/App /mnt1/System/Cryptexes/OS"
        #         sleep 1
        #         remote_cmd "mkdir /mnt1/System/Cryptexes/App /mnt1/System/Cryptexes/OS"
        #         sleep 1
        #         remote_cmd "cp -a /mnt9/. /mnt1/System/Cryptexes/App"
        #         sleep 1
        #         remote_cmd "cp -a /mnt2/. /mnt1/System/Cryptexes/OS"
        #         sleep 1
        #         remote_cmd "rm -rf /mnt1/System/Cryptexes/OS/System/Library/Caches/com.apple.dyld"
        #         sleep 1
        #         remote_cmd "cp -a /mnt2/System/Library/Caches/com.apple.dyld /mnt1/System/Library/Caches/"
        #     fi
        # fi

        echo "[*] Copying files to rootfs"
        remote_cmd "rm -rf /mnt$di/jbin /mnt$di/.installed_palera1n"
        sleep 1
        remote_cmd "mkdir -p /mnt$di/jbin/binpack /mnt$di/jbin/loader.app"
        sleep 1

        cd other/rootfs/jbin

        if [[ "$version" == *"16"* ]]; then
            # download loader
            rm -rf loader.app
            cp ../../palera1n.zip palera1n.zip
            unzip palera1n.zip -d .
            unzip palera1n.ipa -d .
            mv Payload/palera1nLoader.app loader.app
            rm -rf palera1n.zip loader.zip palera1n.ipa Payload
        fi

        # download jbinit files
        rm -f jb.dylib jbinit jbloader launchd
        cp ../../rfs.zip rfs.zip
        unzip rfs.zip -d .
        unzip rootfs.zip -d .
        rm rfs.zip rootfs.zip
        cd ../../..

        sleep 1
        remote_cp -r other/rootfs/* root@localhost:/mnt$di
        {
            echo "{"
            echo "    \"version\": \"${version} (${commit}_${branch})\","
            echo "    \"args\": \"$@\","
            echo "    \"pc\": \"$(uname) $(uname -r)\""
            echo "}"
        } > work/.installed_palera1n
        sleep 1
        remote_cp work/.installed_palera1n root@localhost:/mnt$di

        remote_cmd "ldid -s /mnt$di/jbin/launchd /mnt$di/jbin/jbloader /mnt$di/jbin/jb.dylib"
        remote_cmd "chmod +rwx /mnt$di/jbin/launchd /mnt$di/jbin/jbloader /mnt$di/jbin/post.sh"
        remote_cmd "tar -xvf /mnt$di/jbin/binpack/binpack.tar -C /mnt$di/jbin/binpack/"
        sleep 1
        remote_cmd "rm /mnt$di/jbin/binpack/binpack.tar"
        
        #allow no checking
        echo "Enabled Allow Root Hash Mismatch!"
        remote_cmd "/usr/sbin/nvram allow-root-hash-mismatch=1"
    fi

    rm -rf work BuildManifest.plist
    mkdir work
    rm .rd_in_progress

    sleep 2
    if [[ "$version" == *"16"* ]]; then
        echo "[*] Phase 1 done!"
        echo ""
        echo "You now need to force restart your device to start next phase"
        echo ""
        echo "iPhone 8 or newer"
        echo "- Press volume up"
        echo "- Press volume down"
        echo "- Press and hold the side button for 10-20 seconds until the Apple logo appears"
        echo ""
        echo "iPhone 7"
        echo "- Press and hold the volume down and power buttons for 10-20 seconds until the Apple logo appears"
        echo ""
        echo "iPhone 6S/ SE 2016/ iPad 8th or older"
        echo "- Press and hold the home and power buttons for 10-20 seconds until the Apple logo appears"
        echo ""
        echo "This then reboots your iPhoneOS/ iPadOS device into stock normal mode"
        echo ""
        if [ ! -e .gitignore ]; then
            echo "You must then quit out of this Terminal and then hit the Start button again"
        else
            echo "You must then quit out of this script and then run the same command once more"
        fi
    else
        echo "[*] Done! Rebooting your device"
    fi
    remote_cmd "/sbin/reboot"
    sleep 1
    _kill_if_running iproxy

    if [ "$semi_tethered" = "1" ]; then
        _wait normal
        sleep 5

        echo "[*] Switching device into recovery mode..."
        "$dir"/ideviceenterrecovery $(_info normal UniqueDeviceID)
    elif [ -z "$tweaks" ]; then
        _wait normal
        sleep 5

        echo "[*] Switching device into recovery mode..."
        "$dir"/ideviceenterrecovery $(_info normal UniqueDeviceID)
    fi
    _wait recovery
    _dfuhelper "$cpid"
    sleep 2
fi

# ============
# Boot create
# ============

# Actually create the boot files
disk=$(cat .fs-"$deviceid")
if [[ "$version" == *"16"* ]]; then
    fs=disk1s$disk
else
    fs=disk0s1s$disk
fi

boot_args=""
if [ "$serial" = "1" ]; then
    boot_args="serial=3"
else
    boot_args="-v"
fi

if [[ "$deviceid" == iPhone9,[1-4] ]] || [[ "$deviceid" == "iPhone10"* ]]; then
    if [ ! -f boot-"$deviceid"/.payload ]; then
        rm -rf boot-"$deviceid"
    fi
else
    if [ ! -f boot-"$deviceid"/.local ]; then
        rm -rf boot-"$deviceid"
    fi
fi

if [ ! -f boot-"$deviceid"/ibot.img4 ]; then
    # Downloading files, and decrypting iBSS/iBEC
    rm -rf boot-"$deviceid"
    mkdir boot-"$deviceid"

    #echo "[*] Converting blob"
    #"$dir"/img4tool -e -s $(pwd)/blobs/"$deviceid"-"$version".shsh2 -m work/IM4M
    cd work

    # Do payload if on iPhone 7-10
    if [[ "$deviceid" == iPhone9,[1-4] ]] || [[ "$deviceid" == "iPhone10"* ]]; then
        if [[ "$version" == "16.0"* ]] || [[ "$version" == "15"* ]]; then
            newipswurl="$ipswurl"
        else
            newipswurl=$(curl -k -sL "https://api.appledb.dev/ios/iOS;20A392.json" | "$dir"/jq -r .devices\[\"$deviceid\"\].ipsw)
        fi

        echo "[*] Downloading BuildManifest"
        "$dir"/pzb -g BuildManifest.plist "$newipswurl"

        echo "[*] Downloading and decrypting iBoot"
        "$dir"/pzb -g "$(awk "/""$model""/{x=1}x&&/iBoot[.]/{print;exit}" BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1)" "$newipswurl"
        "$dir"/gaster decrypt "$(awk "/""$model""/{x=1}x&&/iBoot[.]/{print;exit}" BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1 | sed 's/Firmware[/]all_flash[/]//')" ibot.dec

        echo "[*] Patching and signing iBoot"
        "$dir"/iBoot64Patcher ibot.dec ibot.patched

        if [[ "$deviceid" == iPhone9,[1-4] ]]; then
            "$dir"/iBootpatch2 --t8010 ibot.patched ibot.patched2
        else
            "$dir"/iBootpatch2 --t8015 ibot.patched ibot.patched2
        fi

        if [ "$os" = 'Linux' ]; then
            sed -i 's/\/\kernelcache/\/\kernelcachd/g' ibot.patched2
        else
            LC_ALL=C sed -i.bak -e 's/s\/\kernelcache/s\/\kernelcachd/g' ibot.patched2
            rm *.bak
        fi

        cd ..
        "$dir"/img4 -i work/ibot.patched2 -o boot-"$deviceid"/ibot.img4 -M blobs/"$deviceid"-"$version".der -A -T ibss

        touch boot-"$deviceid"/.payload
    else
        echo "[*] Downloading BuildManifest"
        "$dir"/pzb -g BuildManifest.plist "$ipswurl"

        echo "[*] Downloading and decrypting iBSS"
        "$dir"/pzb -g "$(awk "/""$model""/{x=1}x&&/iBSS[.]/{print;exit}" BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1)" "$ipswurl"
        "$dir"/gaster decrypt "$(awk "/""$model""/{x=1}x&&/iBSS[.]/{print;exit}" BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1 | sed 's/Firmware[/]dfu[/]//')" iBSS.dec
        
        echo "[*] Downloading and decrypting iBoot"
        "$dir"/pzb -g "$(awk "/""$model""/{x=1}x&&/iBoot[.]/{print;exit}" BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1)" "$ipswurl"
        "$dir"/gaster decrypt "$(awk "/""$model""/{x=1}x&&/iBoot[.]/{print;exit}" BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1 | sed 's/Firmware[/]all_flash[/]//')" ibot.dec

        echo "[*] Patching and signing iBSS/iBoot"
        "$dir"/iBoot64Patcher iBSS.dec iBSS.patched
        if [ "$semi_tethered" = "1" ]; then
            if [ "$serial" = "1" ]; then
                "$dir"/iBoot64Patcher ibot.dec ibot.patched -b "serial=3 rd=$fs" -l
            else
                "$dir"/iBoot64Patcher ibot.dec ibot.patched -b "-v rd=$fs" -l
            fi
        else
            if [ "$serial" = "1" ]; then
                "$dir"/iBoot64Patcher ibot.dec ibot.patched -b "serial=3" -f
            else
                "$dir"/iBoot64Patcher ibot.dec ibot.patched -b "-v" -f
            fi
        fi

        if [ "$os" = 'Linux' ]; then
            sed -i 's/\/\kernelcache/\/\kernelcachd/g' ibot.patched
        else
            LC_ALL=C sed -i.bak -e 's/s\/\kernelcache/s\/\kernelcachd/g' ibot.patched
            rm *.bak
        fi
        cd ..
        "$dir"/img4 -i work/iBSS.patched -o boot-"$deviceid"/iBSS.img4 -M blobs/"$deviceid"-"$version".der -A -T ibss
        "$dir"/img4 -i work/ibot.patched -o boot-"$deviceid"/ibot.img4 -M blobs/"$deviceid"-"$version".der -A -T `if [[ "$cpid" == *"0x801"* ]]; then echo "ibss"; else echo "ibec"; fi`

        touch boot-"$deviceid"/.local
    fi
fi

# ============
# Boot device
# ============

sleep 2
_pwn
_reset
echo "[*] Booting device"
if [[ "$deviceid" == iPhone9,[1-4] ]] || [[ "$deviceid" == "iPhone10"* ]]; then
    sleep 1
    "$dir"/irecovery -f boot-"$deviceid"/ibot.img4
    sleep 3
    "$dir"/irecovery -c "dorwx"
    sleep 2
    if [[ "$deviceid" == iPhone9,[1-4] ]]; then
        "$dir"/irecovery -f other/payload/payload_t8010.bin
    else
        "$dir"/irecovery -f other/payload/payload_t8015.bin
    fi
    sleep 3
    "$dir"/irecovery -c "go"
    sleep 1
    "$dir"/irecovery -c "go xargs $boot_args"
    sleep 1
    "$dir"/irecovery -c "go xfb"
    sleep 1
    "$dir"/irecovery -c "go boot $fs"
else
    if [[ "$cpid" == *"0x801"* ]]; then
        sleep 1
        "$dir"/irecovery -f boot-"$deviceid"/ibot.img4
    else
        sleep 1
        "$dir"/irecovery -f boot-"$deviceid"/iBSS.img4
        sleep 4
        "$dir"/irecovery -f boot-"$deviceid"/ibot.img4
    fi
fi

if [ -z "$semi_tethered" ]; then
    sleep 2
    "$dir"/irecovery -c fsboot
fi

if [ -d "logs" ]; then
    cd logs
    for file in *.log; do
        if [[ "$file" != "SUCCESS_"* ]] && [[ "$file" != "FAIL_"* ]]; then
            mv "$file" SUCCESS_${file}
        fi
    done
    cd ..
fi

rm -rf work rdwork
echo ""
echo "Done!"
echo "The device should now boot to iOS"
echo "When you unlock the device, it will respring about 30 seconds after"
echo "If this is your first time jailbreaking, open the new palera1n app, then press Install"
echo "Otherwise, press Do All in the settings section of the app"
echo "If you have any issues, please join the Discord server and ask for help: https://dsc.gg/palera1n"
echo "Enjoy!"

} | tee logs/"$(date +%T)"-"$(date +%F)"-"$(uname)"-"$(uname -r)".log
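The script above pulls component file names out of BuildManifest.plist with an awk/grep/cut pipeline (for example `awk "/$model/{x=1}x&&/kernelcache.release/{print;exit}" BuildManifest.plist | grep '<string>' | ...`), which takes the first matching line after the first occurrence of the board-config string and hands whatever it finds, possibly an empty string, to pzb. The following is an added example, not code from this wiki page nor from palera1n, sshrd or goldra1n: it parses the manifest as a property list and selects the BuildIdentity by DeviceClass and Variant explicitly, so a missing identity or component fails with a clear error. The sample manifest, the board config `j96ap` and the file paths in it are constructed for the example; only the shape (BuildIdentities → Info → DeviceClass/Variant, Manifest → component → Info → Path) reflects real manifests.

```python
"""Select firmware component paths from an IPSW BuildManifest.plist.

Added example (not from the wiki page, palera1n, sshrd or goldra1n).
Replaces the awk/grep/cut lookup used on this page with a plist parse and
an explicit choice of BuildIdentity by board config and restore variant.
"""
import plistlib

ERASE_VARIANT = "Customer Erase Install (IPSW)"
UPGRADE_VARIANT = "Customer Upgrade Install (IPSW)"

# Constructed sample manifest: board config, paths and version are made up.
# Real manifests hold many identities and dozens of components; this is the
# shape the lookup depends on.
SAMPLE_MANIFEST = {
    "ProductVersion": "15.8.3",
    "BuildIdentities": [
        {
            # Upgrade identity listed first on purpose: it carries no iBoot.
            "Info": {"DeviceClass": "j96ap", "Variant": UPGRADE_VARIANT},
            "Manifest": {
                "KernelCache": {"Info": {"Path": "kernelcache.release.j96"}},
                "iBSS": {"Info": {"Path": "Firmware/dfu/iBSS.j96.RELEASE.im4p"}},
                "iBEC": {"Info": {"Path": "Firmware/dfu/iBEC.j96.RELEASE.im4p"}},
            },
        },
        {
            "Info": {"DeviceClass": "j96ap", "Variant": ERASE_VARIANT},
            "Manifest": {
                "KernelCache": {"Info": {"Path": "kernelcache.release.j96"}},
                "iBSS": {"Info": {"Path": "Firmware/dfu/iBSS.j96.RELEASE.im4p"}},
                "iBEC": {"Info": {"Path": "Firmware/dfu/iBEC.j96.RELEASE.im4p"}},
                "iBoot": {"Info": {"Path": "Firmware/all_flash/iBoot.j96.RELEASE.im4p"}},
                "DeviceTree": {"Info": {"Path": "Firmware/all_flash/DeviceTree.j96ap.im4p"}},
            },
        },
    ],
}


def load_manifest(data: bytes) -> dict:
    """Parse BuildManifest.plist bytes (XML or binary plist)."""
    return plistlib.loads(data)


def select_identity(manifest: dict, device_class: str, variant: str = ERASE_VARIANT):
    """Return the BuildIdentity for this board config and variant, or None."""
    for identity in manifest.get("BuildIdentities", []):
        info = identity.get("Info", {})
        if (info.get("DeviceClass", "").lower() == device_class.lower()
                and info.get("Variant") == variant):
            return identity
    return None


def component_path(manifest, device_class, component, variant=ERASE_VARIANT) -> str:
    """Path inside the IPSW of one component, e.g. 'iBSS' or 'KernelCache'."""
    identity = select_identity(manifest, device_class, variant)
    if identity is None:
        raise KeyError(f"no {variant!r} identity for board {device_class!r}")
    try:
        return identity["Manifest"][component]["Info"]["Path"]
    except KeyError:
        raise KeyError(f"{device_class!r} ({variant}) has no component {component!r}") from None


def has_component(manifest, device_class, component, variant=ERASE_VARIANT) -> bool:
    """True if the selected identity lists the component at all."""
    identity = select_identity(manifest, device_class, variant)
    return identity is not None and component in identity.get("Manifest", {})


def component_paths(manifest, device_class,
                    components=("iBSS", "iBEC", "KernelCache", "DeviceTree")):
    """The components the ramdisk sequence on this page downloads."""
    return {c: component_path(manifest, device_class, c) for c in components}


def sample_manifest_roundtrip() -> dict:
    """Serialise the sample to XML and parse it back, exercising the reader
    the same way a downloaded BuildManifest.plist would."""
    return load_manifest(plistlib.dumps(SAMPLE_MANIFEST))


if __name__ == "__main__":
    manifest = sample_manifest_roundtrip()
    print("iOS", manifest["ProductVersion"])
    for name, path in component_paths(manifest, "j96ap").items():
        print(f"  {name:12s} {path}")
```

On a real manifest, `load_manifest(open("BuildManifest.plist", "rb").read())` replaces the round trip; the variant filter matters because upgrade identities can omit components that the erase identity carries, and a substring match does not distinguish them.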

Tools

jq

jq - commandline JSON processor [version 1.6]

Example:

gaster

gaster is a pwning utility from 0x7ff, released on 29 May 2022. It exploits checkm8 and removes signature checks, allowing a patched iBoot to be booted. Because it is lightweight and portable, it is used as a component of various tools, such as palera1n 1.x.x.

Example:

./gaster pwn
./gaster reset

pzb

Browse and download files and directories from remote zip

Example (fetches wpad.dat directly from the ZIP archive on the server):

./pzb -g wpad.dat http://wpad.intern.darkrealm.dyndns.org/pzb.zip
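pzb can fetch one file out of a remote archive without downloading the whole thing because the zip format keeps its index (the central directory) at the end: the tail is read first, the member's offset is looked up, and only that member's bytes are requested. The following is an added example and not pzb's code; it implements that mechanism over a constructed in-memory archive, with a `RangeSource` class standing in for HTTP (its `size()` is what a HEAD request's Content-Length would give, each `read()` is what one GET with a `Range: bytes=a-b` header would return). The member names inside the sample archive are made up. Real IPSW files are larger than 4 GiB and therefore use zip64 records; the example detects that case and stops rather than handling it.

```python
"""Fetch a single member from a zip archive using byte-range reads only.

Added example (not pzb's code). Shows the mechanism behind 'pzb -g <file> <url>':
read the end-of-central-directory (EOCD) record from the tail, walk the central
directory to find the member, then read just its local header and data.
"""
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
LOCAL_SIG = b"PK\x03\x04"


def build_sample_archive() -> bytes:
    """Constructed stand-in for a remote archive (names and contents made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BuildManifest.plist", b"<plist/>" * 64, zipfile.ZIP_DEFLATED)
        zf.writestr("Firmware/dfu/iBSS.sample.im4p", bytes(range(256)) * 8, zipfile.ZIP_DEFLATED)
        zf.writestr("Restore.plist", b"stored, not compressed", zipfile.ZIP_STORED)
    return buf.getvalue()


class RangeSource:
    """Byte-range access to a blob; models HEAD + 'Range: bytes=a-b' GETs."""

    def __init__(self, blob):
        self.blob = blob
        self.requests = 0

    def size(self):
        return len(self.blob)           # Content-Length of a HEAD request

    def read(self, start, length):
        self.requests += 1              # one Range GET per call
        return self.blob[start:start + length]


def read_central_directory(src):
    """Return {name: {method, crc, csize, usize, offset}} from the central directory."""
    size = src.size()
    # EOCD is 22 bytes plus a comment of at most 65535 bytes, so the last
    # 64 KiB + 22 bytes always contain it.
    tail_len = min(size, 22 + 65535)
    tail = src.read(size - tail_len, tail_len)
    idx = tail.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no end-of-central-directory record; not a zip file")
    entries, cd_size, cd_offset = struct.unpack_from("<HII", tail, idx + 10)
    if entries == 0xFFFF or cd_size == 0xFFFFFFFF or cd_offset == 0xFFFFFFFF:
        raise ValueError("zip64 archive: the zip64 EOCD locator must be read instead")
    cd = src.read(cd_offset, cd_size)
    members, pos = {}, 0
    for _ in range(entries):
        if cd[pos:pos + 4] != CDIR_SIG:
            raise ValueError("corrupt central directory entry")
        # version made by, version needed, flags, method, time, date, crc,
        # compressed size, uncompressed size, name len, extra len, comment len,
        # disk start, internal attrs, external attrs, local header offset
        (_, _, _, method, _, _, crc, csize, usize,
         nlen, xlen, clen, _, _, _, lh_off) = struct.unpack_from("<6H3I5H2I", cd, pos + 4)
        name = cd[pos + 46:pos + 46 + nlen].decode("utf-8")  # sample uses ASCII names
        members[name] = {"method": method, "crc": crc, "csize": csize,
                         "usize": usize, "offset": lh_off}
        pos += 46 + nlen + xlen + clen
    return members


def fetch_member(src, members, name):
    """Read one member's bytes and verify them against the central directory."""
    m = members[name]
    header = src.read(m["offset"], 30)
    if header[:4] != LOCAL_SIG:
        raise ValueError(f"bad local header for {name!r}")
    # Name/extra lengths in the local header may differ from the central
    # directory's, so the data offset must be computed from the header itself.
    nlen, xlen = struct.unpack_from("<HH", header, 26)
    raw = src.read(m["offset"] + 30 + nlen + xlen, m["csize"])
    if m["method"] == zipfile.ZIP_STORED:
        data = raw
    elif m["method"] == zipfile.ZIP_DEFLATED:
        data = zlib.decompress(raw, -15)    # raw deflate stream, no zlib header
    else:
        raise ValueError(f"unsupported compression method {m['method']}")
    if len(data) != m["usize"] or zlib.crc32(data) != m["crc"]:
        raise ValueError(f"{name!r}: size/CRC mismatch, member truncated or tampered")
    return data


def list_members(blob):
    return sorted(read_central_directory(RangeSource(blob)))


def extract_one(blob, name):
    """Fetch `name` from `blob` by ranges; returns (data, number of range reads)."""
    src = RangeSource(blob)
    data = fetch_member(src, read_central_directory(src), name)
    return data, src.requests


if __name__ == "__main__":
    archive = build_sample_archive()
    print("members:", list_members(archive))
    data, reads = extract_one(archive, "BuildManifest.plist")
    print(f"got {len(data)} bytes out of {len(archive)} with {reads} range reads")
```

Four range reads (tail, central directory, local header, data) are enough for any member regardless of archive size, which is why the approach scales to multi-gigabyte firmware archives; the CRC-32 and size check against the central directory entry is what catches a truncated or altered transfer.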

irecovery

ipwnder

KPlooshFinder

https://github.com/plooshi/KPlooshFinder

Patches the kernelcache

Example:

KPlooshFinder work/kcache.raw work/kcache.patched

iBSS.img4

Glossar

iBSS

iBSS (short for iBoot Single Stage) is a stripped down version of iBoot, missing things such as interacting with the filesystem. Can be uploaded via DFU to bootstrap iBEC during a DFU Mode restore.

iBEC

iBEC (short for iBoot Epoch Change) is a stripped down version of iBoot which is uploaded when performing a restore from Fake DFU in LLB. It was renamed iBootStage2 in iOS 10.

Manual jailbreak

  • palera1n -D
  • sshrd.sh 15.8.3
  • sshrd.sh boot
  • sshrd.sh ssh
  • mount_filesystems