ramdiskutil

Tools for customizing iOS restore ramdisks.

Primary language: Shell

Description

A set of tools for building an SSH ramdisk for 32-bit iDevices.
macOS only. Other OSes will never be supported.

Usage

pzb: Downloads only part of a firmware (IPSW) instead of the whole archive, saving bandwidth and time. You only need the restore ramdisk, iBSS, iBEC, DeviceTree and kernelcache.

iBoot32Patcher: Patches iBEC and iBSS to remove the signature checks and add boot-args.

mount.sh: Mounts the ramdisk. The ramdisk must be named RestoreRamdisk.dmg.

unmount.sh: Unmounts the ramdisk. The ramdisk must be named RestoreRamdisk.dmg.

xpwntool: Decrypts firmware components such as iBSS, iBEC, the kernelcache and the ramdisk.

packimg3.sh: Packs the ramdisk into an img3 container; these 32-bit devices only boot img3 images.

irecovery: Communicates with a device in DFU or recovery mode (uploads files and sends iBoot commands).

Methods

  1. Go to ipsw.me/keys (requires login) or theiphonewiki.com/wiki/Firmware_Keys and look up the keys and IVs for your device and firmware version. Write down the filename of the RestoreRamdisk.
  2. Use pzb to download only the files you need from the IPSW:
    ./pzb [LINK TO IPSW]
    Files to download:
    (1) XXX-XXXX-XXX.dmg (the filename of the RestoreRamdisk from step 1)
    (2) Firmware/dfu/iBEC.xxx.RELEASE.dfu
    (3) Firmware/dfu/iBSS.xxx.RELEASE.dfu
    (4) kernelcache.release.xxx
    (5) Firmware/all_flash/all_flash.xxx.production/DeviceTree.xxx.img3
  3. Decrypt all the files with xpwntool. The DeviceTree and kernelcache are decrypted with -decrypt, which keeps the img3 container that irecovery expects; the ramdisk, iBEC and iBSS are decrypted without it, so the raw payload is written for hdiutil and iBoot32Patcher:
    ./xpwntool [devicetree/kernelcache] [out_file] -iv [iv] -k [key] -decrypt
    ./xpwntool [ramdisk/iBEC/iBSS] [out_file] -iv [iv] -k [key]
  4. Patch iBSS and iBEC to remove the signature checks; the iBEC also gets the boot-args (rd=md0 roots the kernel on the ramdisk, -v boots verbose, amfi=0xff and cs_enforcement_disable=1 disable code-signing enforcement so the unsigned sshd can run)
    ./iBoot32Patcher [decrypted_ibss] [patched_file]
    ./iBoot32Patcher [decrypted_ibec] [patched_file] -b "rd=md0 -v amfi=0xff cs_enforcement_disable=1"
  5. Rename the decrypted ramdisk to RestoreRamdisk.dmg (mount.sh and unmount.sh expect that name), grow it so the ssh tools fit, and mount it on mp
    hdiutil resize -size 32M RestoreRamdisk.dmg
    mkdir mp
    ./mount.sh
  6. Extract sshd into the ramdisk
    tar -xvf ssh.tar -C mp
    You can edit mp/etc/rc.boot to run commands when the ramdisk boots.
  7. Unmount the ramdisk, then pack it into an img3 image
    ./unmount.sh
    ./packimg3.sh
  8. Boot the ramdisk
    The patched iBSS/iBEC are unsigned, so the device must be in pwned DFU mode. Alternatively, on a jailbroken device, kloader can load the patched stage from the running system: copy kloader and the patched iBSS (iPhone) or the patched iBEC (iPad) to the root directory of the device, ssh in, and run:
    /kloader /[Your ibss or ibec]

    On an iPhone the patched iBEC must then be wrapped in an img3 and sent to the running iBSS (skip these two commands on an iPad, where the iBEC is already loaded):
    ./image3maker -t ibec -f [patched_ibec] -o pwnediBEC
    ./irecovery -f pwnediBEC

    Then open the irecovery shell and send the components in this order:
    ./irecovery -s
    On the shell, type:
    /send [devicetree]
    devicetree
    /send [ramdisk]
    ramdisk
    /send [kernelcache]
    bootx
    Your ramdisk will now boot.
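The whole procedure above, steps 3 to 8, as one script with a few sanity checks in front of it. This is an added example and not part of ramdiskutil. It assumes (this script's conventions, not the README's) that the README's tools (xpwntool, iBoot32Patcher, image3maker, mount.sh, unmount.sh, packimg3.sh, irecovery) and ssh.tar are in the current directory, that the five firmware files were already fetched with pzb, that the keys and IVs are supplied as the environment variables IBSS_IV/IBSS_KEY, IBEC_IV/IBEC_KEY, DTRE_IV/DTRE_KEY, KRNL_IV/KRNL_KEY and RDSK_IV/RDSK_KEY, and that packimg3.sh writes RestoreRamdisk.img3. The is_img3, img3_type and key checks run anywhere; the build and boot functions need macOS and the device.

```shell
#!/bin/sh
# Added example, not part of ramdiskutil. Wraps README steps 3-8 with checks
# that catch the common mistakes (wrong file, mis-copied key) before a bad
# image is ever sent to the device. See the lead-in for the assumptions.
set -u

# An IMG3 file starts with the magic 'Img3' stored little-endian, i.e. the
# bytes "3gmI". A half-downloaded or already-unpacked file fails this.
is_img3() {
    [ "$(head -c 4 "$1" 2>/dev/null)" = "3gmI" ]
}

# The ident at offset 16 names the component, also byte-reversed on disk
# ("ssbi" is ibss, "cebi" is ibec, "lnrk" is krnl, "ertd" is dtre, "ksdr" is rdsk).
img3_type() {
    tail -c +17 "$1" | head -c 4 | sed 's/^\(.\)\(.\)\(.\)\(.\)$/\4\3\2\1/'
}

# Firmware keys for these devices are AES-256: a 16-byte IV (32 hex digits)
# and a 32-byte key (64 hex digits). A mistyped key makes xpwntool emit
# garbage rather than fail, so validate before decrypting.
is_hex_of_len() { printf '%s' "$1" | grep -Eq "^[0-9a-fA-F]{$2}\$"; }
check_iv()  { is_hex_of_len "$1" 32; }
check_key() { is_hex_of_len "$1" 64; }

# xpwntool with -decrypt keeps the IMG3 container (what irecovery wants for
# the DeviceTree and kernelcache); without it the raw payload is written
# (what iBoot32Patcher and hdiutil want). $5 = "keep" selects the first form.
decrypt_img3() {
    is_img3 "$1" || { echo "$1 is not an IMG3 file" >&2; return 1; }
    check_iv "$3" && check_key "$4" || { echo "bad IV/key for $1" >&2; return 1; }
    if [ "${5:-}" = keep ]; then
        ./xpwntool "$1" "$2" -iv "$3" -k "$4" -decrypt
    else
        ./xpwntool "$1" "$2" -iv "$3" -k "$4"
    fi
}

# Steps 3-7: decrypt, patch, grow the ramdisk, inject ssh.tar, repack as IMG3.
# Arguments: iBSS iBEC DeviceTree kernelcache RestoreRamdisk (the pzb downloads).
build_ssh_ramdisk() {
    decrypt_img3 "$1" iBSS.raw           "$IBSS_IV" "$IBSS_KEY"      || return 1
    decrypt_img3 "$2" iBEC.raw           "$IBEC_IV" "$IBEC_KEY"      || return 1
    decrypt_img3 "$3" DeviceTree.dec     "$DTRE_IV" "$DTRE_KEY" keep || return 1
    decrypt_img3 "$4" kernelcache.dec    "$KRNL_IV" "$KRNL_KEY" keep || return 1
    decrypt_img3 "$5" RestoreRamdisk.dmg "$RDSK_IV" "$RDSK_KEY"      || return 1
    ./iBoot32Patcher iBSS.raw iBSS.patched || return 1
    # rd=md0: root on the ramdisk; amfi=0xff and cs_enforcement_disable=1 let
    # the unsigned sshd and tools from ssh.tar run.
    ./iBoot32Patcher iBEC.raw iBEC.patched \
        -b "rd=md0 -v amfi=0xff cs_enforcement_disable=1" || return 1
    ./image3maker -t ibec -f iBEC.patched -o pwnediBEC || return 1
    hdiutil resize -size 32M RestoreRamdisk.dmg || return 1
    mkdir -p mp && ./mount.sh || return 1
    tar -xvf ssh.tar -C mp || { ./unmount.sh; return 1; }
    ./unmount.sh && ./packimg3.sh
}

# Step 8 on an iPhone, non-interactively: irecovery -f uploads a file and -c
# sends an iBoot command, the same as /send and a bare command in the -s shell.
# Assumes the device is already in pwned DFU mode (or had the patched iBSS
# loaded by kloader) and that packimg3.sh produced RestoreRamdisk.img3.
boot_ramdisk() {
    ./irecovery -f pwnediBEC || return 1
    sleep 2   # give the uploaded iBEC a moment to come up
    ./irecovery -f DeviceTree.dec      && ./irecovery -c devicetree || return 1
    ./irecovery -f RestoreRamdisk.img3 && ./irecovery -c ramdisk    || return 1
    ./irecovery -f kernelcache.dec     && ./irecovery -c bootx
}

# Constructed sample for self-checking: a bare IMG3 header with ident 'ibss'
# (12 zero bytes stand in for the three size fields); not a real firmware file.
make_sample_img3() {
    f=$(mktemp) || return 1
    printf '3gmI\000\000\000\000\000\000\000\000\000\000\000\000ssbi' > "$f"
    printf '%s\n' "$f"
}

case "${1:-}" in
    build) shift; build_ssh_ramdisk "$@" ;;
    boot)  boot_ramdisk ;;
esac
```

Run it as `./ramdisk.sh build iBSS.xxx.RELEASE.dfu iBEC.xxx.RELEASE.dfu DeviceTree.xxx.img3 kernelcache.release.xxx XXX-XXXX-XXX.dmg` with the key variables exported, then `./ramdisk.sh boot` once the device is in pwned DFU mode. Every step returns on the first failure, so a mounted ramdisk is unmounted rather than left behind, and nothing is uploaded to the device until the whole image has been built.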

NOTE

ida_patcher and restored_external_verbose_patch.dif are for booting in verbose mode.
If you don't want the Apple logo shown after boot, patch mp/usr/local/bin/restored_external (while the ramdisk is still mounted, before step 7) with:
./ida_patcher -i restored_external -p restored_external_verbose_patch.dif