verygenericname/SSHRD_Script

MOUNT IOS 17

planktonwhc opened this issue · 5 comments

I successfully booted SSHRD on iOS 17 on an iPad 7, but can't mount disk2.
When I run /usr/libexec/seputil --load /mnt6//usr/standalone/firmware/sep I get a panic.

You can't mount the user data partition on iOS 17 without a SEP exploit.

Simply for future reference to the developer concerning i(Pad)OS 17:

You'd need to load the ramdisk with something like PongoOS. Use the palera1n binary to load the ramdisk (converted to .dmg; this can be ripped from the work directory) alongside a kpf.

Once you do that, you're able to mount the User partition on i(Pad)OS 17, though mount_filesystems still won't work, since it doesn't take i(Pad)OS 17 into account. You need to manually bunch together the commands that are supposed to be run to mount all filesystems and paste those instead of running mount_filesystems. It should work if you simply add a check for 17 where there's a check for 16. Keep in mind it'll hang/panic if booted normally from ./sshrd.sh boot.

Until the developer addresses this problem, load the ramdisk .dmg from the work directory (can't remember if it's ramdisk.dmg or ramdisk1.dmg; one just won't boot, iirc) with the kpf above, after removing the commands in sshrd.sh that rm -rf the work directory. Take a look into the ssh.tar.gz for SSHRD_Script: you then have a copy of mount_filesystems (plaintext) and can piece together which commands should be run based on it. For simplicity's sake, keep a copy of all commands you run in a note; you'll run these every time you need mount_filesystems.
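The two preparation steps from the comment above (stop sshrd.sh from deleting its work directory, then boot the surviving ramdisk .dmg through palera1n with a kpf) as a small POSIX shell helper. This is an added example, not code from SSHRD_Script or from anyone in this thread. It assumes that the cleanup lines in sshrd.sh contain both "rm -rf" and "work" (the thread only says such lines exist, not how they are written), that ramdisk1.dmg is the bootable image, and it uses the palera1n -r/-K flags exactly as quoted later in the thread; it never runs palera1n itself, it only prints the command.

```shell
#!/bin/sh
# Added example, not part of SSHRD_Script or this thread's posts.
# Assumption: the work-directory cleanup lines in sshrd.sh contain both
# "rm -rf" and "work". Assumption: ramdisk1.dmg is the image that boots.

# keep_work_dir SRC DST: write a copy of sshrd.sh (SRC) to DST with every
# work-directory deletion commented out, so the generated .dmg files and
# the patched boot chain in work/ survive the run.
keep_work_dir() {
    awk '/rm -rf/ && /work/ { print "# disabled to keep work dir: " $0; next }
         { print }' "$1" > "$2"
}

# active_cleanup_lines FILE: print how many uncommented lines in FILE would
# still delete the work directory (0 means keep_work_dir did its job).
active_cleanup_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -c 'rm -rf.*work' || true
}

# boot_cmd WORKDIR KPF: print the palera1n invocation (flags as quoted in the
# thread) for the bootable ramdisk, or fail if sshrd.sh has not produced it.
boot_cmd() {
    img="$1/ramdisk1.dmg"
    if [ ! -f "$img" ]; then
        echo "missing $img: run the patched sshrd.sh first" >&2
        return 1
    fi
    echo "palera1n -r $img -K $2"
}

# Typical use (commented out so the file is safe to source):
#   keep_work_dir sshrd.sh sshrd.keep.sh
#   ./sshrd.keep.sh <version>        # whatever you normally pass to sshrd.sh
#   eval "$(boot_cmd work checkra1n-kpf-pongo)"
```

Run the patched copy once to populate work/, then use the printed palera1n line every time you need to boot the ramdisk; the manual mount commands you collect from mount_filesystems still have to be run afterwards over SSH, as the comment describes.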

@dleovl Thanks for figuring it out!

I'm trying to recreate this on my side, but I'm failing miserably and would appreciate your help.
I'm executing palera1n as follows:

$ palera1n -r work/ramdisk1.img -K checkra1n-kpf-pongo

pongoOS loads checkra1n-kpf-pongo and attempts to boot into the ramdisk, but I get only a brief (about one second long) black screen before the screen goes off and the device reboots into normal mode. A normal sshrd invocation also does this, but the device proceeds to load and display logo.im4 instead of rebooting.
The other file, ramdisk.img, doesn't boot and instead gets stuck at the Booting ... message in pongoOS. I even attempted to connect via SSH to rule out the possibility of it being actually booted without graphical output, but no dice.

What would be the next step to try from this point on? Thanks!

$ palera1n -r work/ramdisk1.img -K checkra1n-kpf-pongo

.img? It should be .dmg (does it matter? not sure, but the fact we don't have the same files is a bit weird). The .dmg files would be created by sshrd.sh and stored under the work directory; please remove all lines in sshrd.sh that remove the work directory. Mind sharing ls work?

@dleovl you're right, it's .dmg not .img; it's a typo, since I was posting on GitHub from my phone and copied it by hand from the Mac.

The correct command is this:

$ palera1n -r work/ramdisk1.dmg -K checkra1n-kpf-pongo

The listing of the work directory is as follows:

SSHRD_Script % ls work
096-18092-362.dmg               iBSS.ipad7c.RELEASE.im4p
096-18092-362.dmg.trustcache    iBSS.patched
BuildManifest.plist             kc.bpatch
DeviceTree.j171ap.im4p          kcache.patched
IM4M                            kcache.raw
iBEC.dec                        kernelcache.release.ipad7c
iBEC.ipad7c.RELEASE.im4p        ramdisk.dmg
iBEC.patched                    ramdisk1.dmg
iBSS.dec

Please tell me if anything else would be needed.