0x7ff / gaster

Checkm8 experiment to understand AP/SEP internals.
Apache License 2.0

Add support for T8002, T8004 and S7002 (iWatch) #11

Closed xinzhizao closed 1 year ago

xinzhizao commented 2 years ago

Would love to see iWatch support in gaster :-)

P5-2005 commented 1 year ago

Last commit seems to work:

C:\Users\BH11040\Desktop\img4tool-winx64-static>gaster.exe pwn
usb_timeout: 50
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8002
Found the USB handle.
Stage: RESET
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8002
Found the USB handle.
Stage: SPRAY
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8002
Found the USB handle.
Stage: SETUP
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8002
Found the USB handle.
Stage: PATCH
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8002
Found the USB handle.
Now you can boot untrusted images.

C:\Users\BH11040\Desktop\img4tool-winx64-static>irecovery.exe -q
CPID: 0x8002
CPRV: 0x10
BDID: 0x0e
ECID: 0x001XXXXXXXXXXXX
CPFM: 0x03
SCEP: 0x01
IBFL: 0x3c
SRTG: IBOOT-2651.0.0.1.31
SRNM: N/A
IMEI: N/A
NONC: bfcd928fab5e8ff877e641f34fdd0d058bf2cd5cdb1025488fd879a7bb9538fb
SNON: a91c617b076f21f857fe0b047b6079b2cc9f30d2
PWND: GASTER
MODE: DFU
PRODUCT: Watch2,4
MODEL: n75ap
NAME: Apple Watch Series 2 (42mm)

j4nf4b3l commented 1 year ago

Series 0 is stuck at exploiting; Series 1, 2 and 3 work fine so far. But loading the bootchain doesn't seem to work yet 😅

P5-2005 commented 1 year ago

I think gaster doesn't accept raw files like checkm8_bootkit (from john). The first time on iPhone, an im4m per SoC and an img4 were required, but I don't know about refactoring the code if it's the same now as ipwndfu or gaster (first code) with other iPhones/iPads.

j4nf4b3l commented 1 year ago

> I think gaster doesn't accept raw files like checkm8_bootkit (from john). The first time on iPhone, an im4m per SoC and an img4 were required, but I don't know about refactoring the code if it's the same now as ipwndfu or gaster (first code) with other iPhones/iPads.

I know. I tried with a properly signed iBSS with a valid im4m but it's just doing nothing.
Model used: Watch3,1 (Series 3 38mm Cellular)
SHSH used: 3818140031638636_Watch3,1_n111sap_8.6-19T572_eb56bb53cfc4383dd2d723666e985482cccb8c52b1665d7ea6d6129f010e7cee.shsh2
iBSS used: iBSS.n111s.RELEASE.im4p (watchOS 8.6), decrypted, patched, fake-signed

0x7ff commented 1 year ago

@P5-2005 @j4nf4b3l Please try the latest commit.

P5-2005 commented 1 year ago

> @P5-2005 @j4nf4b3l Please try the latest commit.

S2 (8002) pwns fine on the first try (with the last commit), but cannot load the pwned iBSS (maybe not patched well, I guess?). Only @j4nf4b3l can confirm about the pwned iBSS.

j4nf4b3l commented 1 year ago

> @P5-2005 @j4nf4b3l Please try the latest commit.

> S2 (8002) pwns fine on the first try (with the last commit), but cannot load the pwned iBSS (maybe not patched well, I guess?). Only @j4nf4b3l can confirm about the pwned iBSS.

PWNing S1-3 works fine so far but I was still not able to load any bootchain. Tried raw bootchain, tried "properly fake-signed" one but still stuck in DFU. Series 0 went into endless pwning loop for me.

0x7ff commented 1 year ago

@P5-2005 @j4nf4b3l Please try the latest commit.

j4nf4b3l commented 1 year ago

> @P5-2005 @j4nf4b3l Please try the latest commit.

Only tested S3 yet but it seems to be still the same issue. Everything else I'll test tonight hopefully and let you know the results :)

0x7ff commented 1 year ago

The signature patch method will not work as TEXT_BASE is read-only, and I made a mistake when replacing ROM's TTB register with the VROM's TTB register. After fixing the mistake, I see that the device hangs after flushing the TLBs, so please use checkm8_bootkit for booting the iBSS for these devices. I changed the PWND string from gaster to checkm8 for using the tool, but S7002 still needs to be tested.

j4nf4b3l commented 1 year ago

> The signature patch method will not work as TEXT_BASE is read-only, and I made a mistake when replacing ROM's TTB register with the VROM's TTB register. After fixing the mistake, I see that the device hangs after flushing the TLBs, so please use checkm8_bootkit for booting the iBSS for these devices. I changed the PWND string from gaster to checkm8 for using the tool, but S7002 still needs to be tested.

Alright. So I tested on S3 now and it's now hanging here:

found: CPID:8004 CPRV:10 CPFM:03 SCEP:01 BDID:1C ECID:0019496111D80026 IBFL:3C SRTG:[iBoot-2651.0.0.3.3] PWND:[checkm8]
constructing command...
constructing payload...
writing 0x488ce031 to 0x48806178...
sending command...
reading 32-bits from 0x48806178...
sending command...
ERROR: invalid response from device
ERROR: failed to re-read value
ERROR: failed to overwrite function pointer

This is the output of checkm8_bootkit-watch. It seems like there is still something different. I hope this helps as a log. Otherwise feel free to ping me over Discord or Twitter.
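Defender-side helper, added here and not part of gaster, checkm8_bootkit or this thread: it parses the two status formats shown above (the multi-line `KEY: value` output of `irecovery -q` and the single `found:` line printed by checkm8_bootkit) and reports whether a connected watch exposes a `PWND:` marker, which is what an inventory or incident check would flag. The CPID-to-SoC table is assembled from the chips this issue names, and the sample strings are constructed from the values posted above with the ECID redacted.

```python
import re

# Constructed sample in the shape of the irecovery -q output posted in this thread.
IRECOVERY_SAMPLE = """CPID: 0x8002
CPRV: 0x10
BDID: 0x0e
SRTG: IBOOT-2651.0.0.1.31
PWND: GASTER
MODE: DFU
PRODUCT: Watch2,4
"""

# Constructed sample in the shape of the checkm8_bootkit 'found:' line (ECID redacted).
BOOTKIT_SAMPLE = ("found: CPID:8004 CPRV:10 CPFM:03 SCEP:01 BDID:1C ECID:0019XXXXXXXXXXXX "
                  "IBFL:3C SRTG:[iBoot-2651.0.0.3.3] PWND:[checkm8]")

# Assumed mapping, taken from the SoCs this issue covers (S7002 = Series 0, T8002 = Series 1/2,
# T8004 = Series 3); extend for other devices as needed.
WATCH_CPIDS = {0x7002: "S7002 (Series 0)", 0x8002: "T8002 (Series 1/2)", 0x8004: "T8004 (Series 3)"}


def parse_irecovery(text):
    """Parse 'KEY: value' lines (irecovery -q) into an upper-cased key dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields


def parse_bootkit_line(line):
    """Parse the single-line 'found: KEY:value KEY:[value]' format; brackets are stripped."""
    body = line.partition("found:")[2]
    return {k.upper(): v.strip("[]") for k, v in re.findall(r"(\w+):(\[[^\]]*\]|\S+)", body)}


def device_status(fields):
    """Normalize CPID (accepts '0x8002' and '8004') and report whether a PWND marker is present."""
    cpid = int(fields["CPID"], 16)
    pwnd = fields.get("PWND", "").strip("[]")
    return {"cpid": cpid, "soc": WATCH_CPIDS.get(cpid, "unknown"),
            "pwned": bool(pwnd), "pwnd_string": pwnd or None}
```

A device in normal DFU prints no `PWND:` line at all, so the absence of the key, not an empty value, is the clean state this check relies on.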

0x7ff commented 1 year ago

I made gaster compatible with the checkm8 tools so the issue should be fixed.

j4nf4b3l commented 1 year ago

> I made gaster compatible with the checkm8 tools so the issue should be fixed.

Works ☺️ Thank you very much!