T2 ssh
graphine27 opened this issue · 9 comments
Since my T2 machine is on bridgeOS 7.5, Checkra1n is not working and I don't think this is a priority for you right now.
I can however start PongoOS using 1337 and iOS15 but I don't fully understand it, how did Checkra1n achieve the ssh on previous versions? Latest kpf does not seem to help in booting bridgeos with ssh.
I think my second option is to use sshrd_script which cannot create correct image for 7.5 and 5.x image is not booting.
This script has some files which are appended to the ramdisk image https://github.com/verygenericname/sshtars/tree/main but they might also be incompatible with 7.5 and I cannot get any logs from when it tries to boot.
Maybe if I understand how ssh was achieved on lower bridgeos with Checkra1n I could try to see why it's not working for 7.5, could you help?
The missing parts are ramdisk and overlay.
Can you give a quick overview of how it works? I think I found the ramdisk image.
If you have a ramdisk, you can pass it to checkra1n with -r. But the one from 0.12.4 won't work here, because basically everything changed.
Can PongoOS load a normal downgrade ramdisk + devicetree + kernelcache?
I need to either somehow downgrade bridgeOS, even temporarily (in memory), so 0.12.4 works, or make ssh work on 7.5 by other means.
Assuming there are no SEP incompatibilities, could I just create a ramdisk for bridgeOS 5.x and put the checkra1n ramdisk and overlay files into the bridgeOS ramdisk, would that work? I see there is a payload and patch_dyld.bridgeos, what do these do exactly?
PongoOS cannot currently load a new kernelcache. In theory that's possible, but it requires careful handling of the physical address space, and neither that nor any of the rebasing logic has been written.
The payload binary holds a bunch of different code required by checkra1n at runtime. Using this in another context is unlikely to work, or be useful in any way.
The patch_dyld.* binaries exist to copy dyld to a new location and apply a patch to remove the same-platform restriction (so we can run binaries compiled against the iOS SDK on tvOS and bridgeOS). Without this, you'll have to patch the LC_BUILD_VERSION command of all Mach-Os to say bridgeOS.
Essentially what we do is boot off a ramdisk, have a custom binary in /usr/lib/dyld that can run without any libraries, and from there we either union mount the rootfs over / (on 14.x and below) or we mount it to /fs/orig and bind-mount all folders to places on / (15.0 and up, hasn't been publicly released). Then we invoke the dyld patcher, and after that we hand off to launchd, but we inject a dylib to run code at various stages. It's... quite a bit of work.
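An added example, not code from the checkra1n project or from anyone in this thread: a small Python inspector that reads the platform field of each LC_BUILD_VERSION load command in a 64-bit Mach-O, which is how you would check whether the executables you put on a ramdisk already declare bridgeOS before deciding whether the dyld patch is needed. Constants come from Apple's mach-o/loader.h; the sample Mach-O is constructed inline for the test and is not a loadable binary.

```python
import struct
import sys

# Values from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
LC_BUILD_VERSION = 0x32
PLATFORM_BRIDGEOS = 5
PLATFORM_NAMES = {1: "macOS", 2: "iOS", 3: "tvOS", 4: "watchOS", 5: "bridgeOS", 6: "macCatalyst"}

HEADER_FMT = "<IiiIIIII"       # mach_header_64 (little-endian, 32 bytes)
BUILD_VERSION_FMT = "<IIIIII"  # build_version_command without its tool entries (24 bytes)


def build_version_platforms(data):
    """Return the platform id of every LC_BUILD_VERSION command in a little-endian 64-bit Mach-O."""
    if len(data) < struct.calcsize(HEADER_FMT):
        raise ValueError("too short for a mach_header_64")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat and 32-bit files not handled)")
    platforms = []
    off = struct.calcsize(HEADER_FMT)
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize at offset %d" % off)
        if cmd == LC_BUILD_VERSION:
            platforms.append(struct.unpack_from("<I", data, off + 8)[0])
        off += cmdsize   # cmdsize already includes the tool entries, so this skips them
    return platforms


def targets_bridgeos(data):
    """True only if the file carries LC_BUILD_VERSION and every such command says bridgeOS."""
    plats = build_version_platforms(data)
    return bool(plats) and all(p == PLATFORM_BRIDGEOS for p in plats)


def make_minimal_macho(platform):
    """Constructed test input: arm64 MH_EXECUTE header plus one LC_BUILD_VERSION, no segments."""
    lc = struct.pack(BUILD_VERSION_FMT, LC_BUILD_VERSION, 24, platform, 0x000F0000, 0x000F0000, 0)
    hdr = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0)
    return hdr + lc


if __name__ == "__main__":
    for path in sys.argv[1:]:   # usage: python inspect_build_version.py <mach-o files>
        with open(path, "rb") as f:
            names = [PLATFORM_NAMES.get(p, str(p)) for p in build_version_platforms(f.read())]
        print(path, ",".join(names) or "no LC_BUILD_VERSION")
```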
Thanks for the info. Looks like it would be easier to use sshrd and put the right files in (it seems all the executables there have LC_BUILD_VERSION for bridgeOS).
Did checkra1n do anything special to get ssh to work?
I see some launch daemons like dropbear-bridgeos-ncm.plist and dropbear.plist, is it enough to place these files on the ramdisk? Does not seem to work for me. Also tried compiling https://github.com/verygenericname/sshrd_SSHRD_Script and replacing MacEFIUtil with it so launchd calls it. And also used https://github.com/iSuns9/restored_external64patcher
Hi, I have a T2 jailbreak like the checkra1n one that works on bridgeOS from 6.0 to 7.6+, and I also have an ssh ramdisk. Let me know what you need these things for? Telegram @SDunlocks_91