dual-boot iOS 10.3.3-14.x with latest SEP.
This is a tool that will patch the kernel to make the latest SEP "compatible" with lower versions, all SEP related things like passcode, TouchID, FaceID, etc. are broken, and there are other caveats, read below. This is a proof of concept, and I'm sure a lot of these patches are unnecessary, but I'm just publishing what I used to get it working.
I am not responsible for any damage caused to anything, use at your own risk, this is not meant to be end-user friendly, and I'm not going to provide support for this.
- Does NOT work on 16 GB devices, because we are dual-booting iOS, and 2 iOS installations take up around 16 GB of space, which makes both iOS installations impossible to use. Unless you're already on iOS 12 for example, which uses lower storage.
- Encrypted WiFi networks will always say "incorrect password" when trying to connect, use a open network.
- TouchID / Passcode / FaceID are all broken, you can't use them.
- You have a NULL passcode, every time you're asked for a passcode, any input should be accepted.
First boot ( the one with progress bar ) can take upto 1 hour on some versions, subsequent boots are normal.( this has since been fixed, ymmv )- For some reason, your mainOS has a VERY high chance of bootlooping, please only use this on a test device you're comfortable losing data off. ( Also, ymmv, it may or may not bootloop. )
-
Begin with downloading a IPSW for your desired iOS version, and extract it.
-
Run
asr -source "ipsw/$(/usr/bin/plutil -extract "BuildIdentities".0."Manifest"."OS"."Info"."Path" xml1 -o - ipsw/BuildManifest.plist | grep '<string>' |cut -d\> -f2 |cut -d\< -f1 | head -1)" -target out.dmg --embed -erase -noprompt --chunkchecksum --puppetstringsto create a asr image. -
Clone sshrd_script and boot into the SSH ramdisk, make sure you create the ssh ramdisk with the version you're currently on.
-
Run
/usr/bin/mount_filesystemsin the SSH ramdisk to mount the filesystems. -
Create new partitions for dual-booted iOS:
/sbin/newfs_apfs -o role=i -A -v SystemX /dev/disk0s1/sbin/newfs_apfs -o role=0 -A -v DataX /dev/disk0s1
-
Mount the new partitions, you may need to replace disk0s1s8 and disk0s1s9 if you don't have a baseband partition:
/sbin/mount_apfs /dev/disk0s1s8 /mnt8//sbin/mount_apfs /dev/disk0s1s9 /mnt9/
-
Copy the keybags:
cp -av /mnt2/keybags /mnt9/ -
On your mac, in another terminal, SCP over the asr image you created earlier:
scp -P2222 -r out.dmg root@localhost:/mnt8/ -
Reboot your device
/usr/sbin/nvram auto-boot=false/sbin/reboot
-
Boot into the SSH ramdisk again, and run
/System/Library/Filesystems/apfs.fs/apfs_invert -d /dev/disk0s1 -s 8 -n out.dmgto apply the asr image to the new partition. -
Mount the filesystems again:
/usr/bin/mount_filesystems/sbin/mount_apfs /dev/disk0s1s8 /mnt8//sbin/mount_apfs /dev/disk0s1s9 /mnt9/
-
Move over
/varfrom the rootfs partition to the var partition:mv -v /mnt8/private/var/* /mnt9/ -
Copy over preboot:
cp -av /mnt6/$(cat /mnt6/active)/* /mnt8/ -
Create some folders required for booting:
mkdir -p /mnt8/private/xartsmkdir -p /mnt8/private/preboot
-
Remove AOP firmware:
rm -v /mnt8/usr/standalone/firmware/FUD/AOP.img4 -
Copy over preboot again:
cp -av /mnt6/* /mnt8/private/preboot/ -
Replace the factorydata with the factorydata from the main OS:
rm -rv /mnt8/System/Library/Caches/com.apple.factorydata/sbin/mount_apfs /dev/disk0s1s5 /mnt5/cp -av /mnt5/FactoryData/* /mnt8/
-
Change fstab to point to the new partition, and change
hfstoapfs:nano /mnt8/etc/fstab -
We're almost done installing! At this point, you'll boot into the Setup screen and are unable to activate, to get SpringBoard you'll need a way to skip Setup, I won't be linking to any of these methods, so figure it out yourself.
-
Finally, reboot:
/usr/sbin/nvram auto-boot=false/sbin/reboot
- Extract your IM4M file from your shsh blob using
img4tool -e -s blob -m IM4M - Create a img4 from your trustcache and devicetree using:
img4 -i trustcache -o trustcache.img4 -M IM4M -T rtscimg4 -i devicetree -o devicetree.img4 -M IM4M -T rdtr
- Decrypt your iBSS and iBEC using
gaster decrypt iBSS.im4p iBSS.decandgaster decrypt iBEC.im4p iBEC.dec - Patch your iBSS using
iBoot64Patcher iBSS.dec iBSS.patched - Patch your iBEC, change the
rd=argument to point to your new partition, and you can replaceserial=3with-vif you don't have a serial cable:iBoot64Patcher iBEC.dec iBEC.patched -b "rd=disk0s1s8 debug=0x2014e wdt=-1 serial=3" - Create img4s from your patched iBSS and iBEC using:
img4 -i iBSS.patched -o iBSS.img4 -M IM4M -A -T ibssimg4 -i iBEC.patched -o iBEC.img4 -M IM4M -A -T ibec
- Extract your kernelcache using
img4 -i kernelcache -o kcache.raw - Now, use seprmvr64:
gcc seprmvr64/seprmvr64.c -o seprmvr64./seprmvr64 kcache.raw kcache.patched
- Create a kc.bpatch using
kerneldiff kcache.raw kcache.patched kc.bpatch - Create a img4 from your kernelcache using
img4 -i kernelcache -o kernelcache.img4 -M IM4M -T rkrn -P kc.bpatch
- Use
gasterto pwn your device:gaster pwngaster reset
- Send over your iBSS and iBEC using
irecovery -f iBSS.img4andirecovery -f iBEC.img4 - Send over your devicetree using
irecovery -f devicetree.img4, then useirecovery -c devicetreeto load it. - If you have a trustcache, send it over using
irecovery -f trustcache.img4, then useirecovery -c firmwareto load it. - Finally, send over your kernelcache using
irecovery -f kernelcache.img4, then useirecovery -c bootxto boot, reminder that first boot with progress bar can take upto 1 hour, so be patient.
I've provided some scripts in the scripts folder to help automate the booting and development process.
- Ralph0045 for the AMFI patch and base of Kernel64Patcher