Closed Jefferyat closed 10 months ago
I already know that the blob dumping is broken on A4 and older devices. I don't really have plans to fix this, since the blob dump feature is meant for A5/A6 devices only and I haven't really figured out how iFaith does it for A4 and older.
Legacy iOS Kit
Version: v24.01.18 (6fd336f)
Platform: macos (10.15.7)
Device: iPod3,1 (n18ap) in DFU mode
iOS Version: Unknown
To get iOS version, go to: Other Utilities -> Get iOS Version
ECID: 3876310488428
Dumping onboard blobs might not work for this device, proceed with caution
Legacy iOS Kit only fully supports dumping onboard blobs for A5(X) and A6(X) devices
Select IPSW of your current iOS version to continue
[Log] Selected IPSW file: /Users/apple/Downloads/iPSW/iPod Touch 3G iPSW/iPod3,1_3.1.3_7E18_Restore.ipsw
[Log] Getting version from IPSW
Archive: /Users/apple/Downloads/iPSW/iPod Touch 3G iPSW/iPod3,1_3.1.3_7E18_Restore.ipsw
inflating: ./Restore.plist
[Log] Verifying /Users/apple/Downloads/iPSW/iPod Touch 3G iPSW/iPod3,1_3.1.3_7E18_Restore.ipsw...
[Log] IPSW SHA1sum matches
Selected IPSW: /Users/apple/Downloads/iPSW/iPod Touch 3G iPSW/iPod3,1_3.1.3_7E18_Restore.ipsw
IPSW Version: 3.1.3-7E18
Select tool to be used for entering pwned DFU mode.
This option is set to ipwnder32 by default (1). Select this option if unsure.
If the first option does not work, try many times and/or try the other option(s).
[Input] Select your option:
1) ipwnder32 2) ipwnder_lite
? 1
[Log] Placing device to pwnDFU mode using: ../bin/macos/ipwnder32 -p
** iPwnder32 - RELEASE v3.2.0 [3C152] by @dora2ios
Waiting for device in DFU mode...
DFU device infomation
iPod Touch (3rd gen) [iPod3,1]
CPID:0x8922 CPRV:0x02 BDID:0x02 ECID:0x00000386861C156C CPFM:0x03 SCEP:0x01 IBFL:0x00 SRTG:[iBoot-359.5]
exploiting with limera1n
based on limera1n exploit (heap overflow) by geohot
Device is now in pwned DFU mode!
[Log] Checking firmware keys in ../resources/firmware/iPod3,1/9B206
[Log] Decrypting iBSS...
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 2d33ec74ba116554ada0111fda428abbb673341ab602986e8558a3ebdd5f6248596e277ea42a6095ec3ea8bc4ac07bf9
[Log] Patching iBSS...
main: Starting...
main: iBoot-1219 inputted.
patch_rsa_check: Entering...
find_bl_verify_shsh_5_6_7: Entering...
find_bl_verify_shsh_5_6_7: Found MOVW instruction at 0x4b32
find_bl_verify_shsh_5_6_7: Found BL verify_shsh at 0x50c4
find_bl_verify_shsh_5_6_7: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x50c4...
patch_rsa_check: Leaving...
main: Writing out patched file to pwnediBSS...
main: Quitting...
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 2d33ec74ba116554ada0111fda428abbb673341ab602986e8558a3ebdd5f6248596e277ea42a6095ec3ea8bc4ac07bf9
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 2d33ec74ba116554ada0111fda428abbb673341ab602986e8558a3ebdd5f6248596e277ea42a6095ec3ea8bc4ac07bf9
[Log] Pwned iBSS saved at: saved/iPod3,1/pwnediBSS
[Log] Pwned iBSS img3 saved at: saved/iPod3,1/pwnediBSS.dfu
[Log] Sending iBSS...
[==================================================] 100.0%
[Log] Checking firmware keys in ../resources/firmware/iPod3,1/9B206
[Log] Decrypting iBEC...
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 9b70ca72ec8b82c03689e89b8a8739a1affa08373736c00ce771063d875c6f2c297953785182c87249e1fbe3baea570b
[Log] Patching iBEC...
main: Starting...
main: iBoot-1219 inputted.
patch_boot_args: Entering...
patch_boot_args: Default boot-args string is at 0x284a7
patch_boot_args: boot-args xref is at 0x12e68
patch_boot_args: Relocating boot-args string...
patch_boot_args: "Reliance on this certificate" string found at 0x2c438
patch_boot_args: Pointing default boot-args xref to 0x4ff2c438...
patch_boot_args: Applying custom boot-args "rd=md0 -v amfi=0xff cs_enforcement_disable=1"
patch_boot_args: Found LDR R6, =boot_args at 0x12bd0
patch_boot_args: Found CMP R4, #0 at 0x12c0e
patch_boot_args: Found IT EQ/IT NE at 0x12c10
patch_boot_args: Found MOV R6, R1 at 0x12c12
patch_boot_args: Found LDR R1, =null_str at 0x12c0c
patch_boot_args: Pointing LDR R1, =null_str to boot-args xref...
patch_boot_args: Leaving...
patch_debug_enabled: Entering...
find_dtre_get_value_bl_insn: Entering...
find_dtre_get_value_bl_insn: debug-enabled string is at 0x27f1a
find_dtre_get_value_bl_insn: "debug-enabled" xref is at 0x1275c
find_dtre_get_value_bl_insn: Found LDR R0, ="debug-enabled" at 0x11f32
find_dtre_get_value_bl_insn: Found BL instruction at 0x11f48
find_dtre_get_value_bl_insn: Leaving...
patch_debug_enabled: Patching BL insn at 0x11f48...
patch_debug_enabled: Leaving...
patch_cmd_handler: Entering...
patch_cmd_handler: Found the cmd string at 0x24cab
patch_cmd_handler: Found the cmd string reference at 0x2b804
patch_cmd_handler: Pointing "go" from 0x4ff00f1d to 0x40000000...
patch_cmd_handler: Leaving...
patch_rsa_check: Entering...
find_bl_verify_shsh_5_6_7: Entering...
find_bl_verify_shsh_5_6_7: Found MOVW instruction at 0x1112a
find_bl_verify_shsh_5_6_7: Found BL verify_shsh at 0x11944
find_bl_verify_shsh_5_6_7: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x11944...
patch_rsa_check: Leaving...
main: Writing out patched file to iBEC.patched...
main: Quitting...
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 9b70ca72ec8b82c03689e89b8a8739a1affa08373736c00ce771063d875c6f2c297953785182c87249e1fbe3baea570b
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 9b70ca72ec8b82c03689e89b8a8739a1affa08373736c00ce771063d875c6f2c297953785182c87249e1fbe3baea570b
[Log] Pwned iBEC img3 saved at: saved/iPod3,1/pwnediBEC.dfu
[Log] Sending iBEC...
[==================================================] 100.0%
[Log] Finding device in Recovery mode...
[Log] Found device in Recovery mode.
[Log] Dumping blobs now
iRecovery - Version: 2.0.5 - For LIBUSB: 1.0 by westbaer. Thanks to pod2g, tom3q, planetbeing, geohot, posixninja, iH8sn0w. Rewrite by GreySyntax. Improved by xerub.
[Device] Connected.
[Program] Attached to Recovery Console.
[NAND] h2fmiPrintConfig:423 Chip ID 98 DE 95 32 7A 54 on FMI0:CE0
[NAND] h2fmiPrintConfig:423 Chip ID 98 DE 95 32 7A 54 on FMI0:CE1
[NAND] h2fmiPrintConfig:423 Chip ID 98 DE 95 32 7A 54 on FMI0:CE2
[NAND] h2fmiPrintConfig:423 Chip ID 98 DE 95 32 7A 54 on FMI0:CE3
[NAND] h2fmiPrintConfig:423 Chip ID 98 DE 95 32 7A 54 on FMI1:CE8
[NAND] h2fmiPrintConfig:423 Chip ID 98 DE 95 32 7A 54 on FMI1:CE9
[NAND] h2fmiPrintConfig:423 Chip ID 98 DE 95 32 7A 54 on FMI1:CE10
[NAND] h2fmiPrintConfig:423 Chip ID98 DE 95 32 7A 54 on FMI1:CE11
=======================================
::
:: iBEC for n18ap, Copyright 2011, Apple Inc.
::
:: BUILD_TAG: iBoot-1219.62.15
::
:: BUILD_STYLE: RELEASE
::
:: USB_SERIAL_NUMBER: CPID:8922 CPRV:02 CPFM:03 SCEP:02 BDID:02 ECID:00000386861C156C IBFL:02 SRNM:[9C011BQJ6K4]
::
[FTL:MSG] Apple NAND Driver (AND) RO
[NAND] h2fmiPrintConfig:423 Chip ID 98 DE 95 32 7A 54 on FMI0:CE0
[NAND] h2fmiPrintConfig:423 Chip ID98 DE 95 32 7A 54 on FMI0:CE1
[NAND] h2fmiPrintConfig:423 Chip ID 98 DE 95 32 7A 54 on FMI0:CE2
[NAND] h2fmiPrintConfig:423 Chip ID 98 DE 95 32 7A 54 on FMI0:CE3
[NAND] h2fmiPrintConfig:423 Chip ID 98 DE 95 32 7A 54 on FMI1:CE8
[NAND] h2fmiPrintConfig:423 Chip ID 98 DE 95 32 7A 54 on FMI1:CE9
[NAND] h2fmiPrintConfig:423 Chip ID 98 DE 95 32 7A 54 on FMI1:CE10
[NAND] h2fmiPrintConfig:423 Chip ID 98 DE 95 32 7A 54 on FMI1:CE11
[FTL:MSG] FIL_Init [OK]
[FTL:MSG] BUF_Init [OK
[FTL:MSG] FPart Init [OK]
read new style signature 0x43313131 (line:389)
[FTL:MSG] VSVFL Register [OK]
[FTL:MSG] VFL Init [OK]
[FTL:MSG] VFL_Open [OK]
[FTL:MSG] YAFTL Register [OK]
yaFTL::YAFTL_Open(l:3335): CXT is not valid . Performing full NAND R/O restore ...
[FTL:MSG] FTL_Open [OK]
Boot Failure Count: 7 Panic Fail Count: 0
Delaying boot for 0 seconds. Hit enter to break into the command prompt...
boot-command 'fsboot' not supported
ntering recovery mode, starting command prompt
Sent: 7080 bytes - 7080 of 7080
[Device] Successfully uploaded file.
unresolved h2fmi_select h2fmi err
HFSInitPartition: 0x4ff9ce00
Blobs copied at 4ffad200 - 4ffad8e8
[Device] Closing Connection.
iRecovery - Version: 2.0.5 - For LIBUSB: 1.0 by westbaer. Thanks to pod2g, tom3q, planetbeing, geohot, posixninja, iH8sn0w. Rewrite by GreySyntax. Improved by xerub.
[Device] Connected.
[Program] Attached to Recovery Console.
end-of-transmission
[Device] Closing Connection.
loading: .fseventsd/ (0)
loading: .fseventsd/63657330b00ebde4 (189)
loading: .fseventsd/fseventsd-uuid (36)
loading: BuildManifest.plist (21192)
loading: Firmware/ (0)
loading: Firmware/all_flash/ (0)
loading: Firmware/all_flash/all_flash.n18ap.production/ (0)
loading: Firmware/all_flash/all_flash.n18ap.production/applelogo.s5l8922x.img3 (9668)
loading: Firmware/all_flash/all_flash.n18ap.production/batterycharging0.s5l8922x.img3 (19780)
loading: Firmware/all_flash/all_flash.n18ap.production/batterycharging1.s5l8922x.img3 (24964)
loading: Firmware/all_flash/all_flash.n18ap.production/batteryfull.s5l8922x.img3 (76164)
loading: Firmware/all_flash/all_flash.n18ap.production/batterylow0.s5l8922x.img3 (56836)
loading: Firmware/all_flash/all_flash.n18ap.production/batterylow1.s5l8922x.img3 (65348)
loading: Firmware/all_flash/all_flash.n18ap.production/DeviceTree.n18ap.img3 (35844)
loading: Firmware/all_flash/all_flash.n18ap.production/glyphcharging.s5l8922x.img3 (20420)
loading: Firmware/all_flash/all_flash.n18ap.production/glyphplugin.s5l8922x.img3 (19396)
loading: Firmware/all_flash/all_flash.n18ap.production/LLB.n18ap.RELEASE.img3 (80260)
loading: Firmware/all_flash/all_flash.n18ap.production/manifest (341)
loading: Firmware/all_flash/all_flash.n18ap.production/needservice.s5l8922x.img3 (20484)
loading: Firmware/all_flash/all_flash.n18ap.production/recoverymode.s5l8922x.img3 (47940)
loading: Firmware/dfu/ (0)
loading: Firmware/dfu/iBEC.n18ap.RELEASE.dfu (121220)
loading: Firmware/dfu/iBSS.n18ap.RELEASE.dfu (121220)
loading: Restore.plist (1766)
FATAL: LLB blob corrupted or not found
FATAL: cannot open myblob.shsh
[WARNING] Saved SHSH blobs might be invalid. Did you select the correct IPSW?
[Error] Saving onboard SHSH blobs failed.