Closed klapanen closed 1 month ago
I'm on a Mac mini running macOS 12.7.6 also, using the most up to date version of the toolkit.
Noticed this reddit user's comment has the same issue as well: https://www.reddit.com/r/LegacyJailbreak/comments/1f5eduo/comment/lktttvv
Here's a full start to finish output from trying to jailbreak the iOS 7 iPhone 5:
Legacy iOS Kit
Version: v24.09.08 (d6ecc62)
Platform: macos (12.7.6 - x86_64)
Device: iPhone 5 (Global) (iPhone5,2 - n42ap) in Normal mode
iOS Version: 7.0.2 (11A501)
ECID: 3813328915753
Main Menu [Input] Select an option: 1) Restore/Downgrade 4) App Management 7) Exit 2) Jailbreak Device 5) Data Management 3) Save SHSH Blobs 6) Other Utilities
? 2
[Log] Checking if your device and version is supported...
For more details, go to: https://github.com/LukeZGD/Legacy-iOS-Kit/wiki/Jailbreaking
By selecting Jailbreak Device, your device will be jailbroken using Ramdisk Method.
Before continuing, make sure that your device does not have a jailbreak yet.
No data will be lost, but please back up your data just in case. [Input] Press Enter/Return to continue (or press Ctrl+C to cancel) [Log] Checking firmware keys in ../resources/firmware/iPhone5,2/10B329 [Log] Checking URL in ../resources/firmware/iPhone5,2/10B329/url [Log] iBSS /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 8d25aba0d538112746ea4a919ba3b047f93734be4227c96adb75385ba31b57ed6933278f6159001e9e08fab727a0179e /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 8d25aba0d538112746ea4a919ba3b047f93734be4227c96adb75385ba31b57ed6933278f6159001e9e08fab727a0179e /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 8d25aba0d538112746ea4a919ba3b047f93734be4227c96adb75385ba31b57ed6933278f6159001e9e08fab727a0179e [Log] iBEC /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 72d529c649e3d6bd8f8fd016132297f0e86e5391d7e6d72b84dcf1f4453ebc0034fad90cd15abb83096dacc5ff1ab165 /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 72d529c649e3d6bd8f8fd016132297f0e86e5391d7e6d72b84dcf1f4453ebc0034fad90cd15abb83096dacc5ff1ab165 /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 72d529c649e3d6bd8f8fd016132297f0e86e5391d7e6d72b84dcf1f4453ebc0034fad90cd15abb83096dacc5ff1ab165 [Log] DeviceTree /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 10c7092fdbd04b311f22438c552f3c9f86eb171bc97ae581cfd95dd22574c7b1398bc46bdf748e288ca734f9da1f2e46 /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 10c7092fdbd04b311f22438c552f3c9f86eb171bc97ae581cfd95dd22574c7b1398bc46bdf748e288ca734f9da1f2e46 /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 10c7092fdbd04b311f22438c552f3c9f86eb171bc97ae581cfd95dd22574c7b1398bc46bdf748e288ca734f9da1f2e46 [Log] Kernelcache /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 060809e96c5cb972f1e91d4d2696146b09ab43aa11bd661fc4022a74f2adacdf849c030600caec5cf34b47696298266b /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 
060809e96c5cb972f1e91d4d2696146b09ab43aa11bd661fc4022a74f2adacdf849c030600caec5cf34b47696298266b /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 060809e96c5cb972f1e91d4d2696146b09ab43aa11bd661fc4022a74f2adacdf849c030600caec5cf34b47696298266b [Log] RestoreRamdisk /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 31431b4794073061867eed20c8ae828e80be9aa2588960ab3418570e59eeb344a41e45532fb4395ebb71ca2fc8b90ef0 /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 31431b4794073061867eed20c8ae828e80be9aa2588960ab3418570e59eeb344a41e45532fb4395ebb71ca2fc8b90ef0 /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 31431b4794073061867eed20c8ae828e80be9aa2588960ab3418570e59eeb344a41e45532fb4395ebb71ca2fc8b90ef0 [Log] Patch RestoreRamdisk grew volume: 30000000 file: com.apple.springboard.plist (0644), size = 333 ignoring bin, type = 5 file: bin/bash (0755), size = 546768 file: bin/ls (0755), size = 152096 file: bin/mount.sh (0755), size = 1366 symlink: bin/sh (0777) -> bash file: bin/tar (0755), size = 430304 file: bin/dd (0755), size = 124896 file: bin/cp (0755), size = 162560 file: bin/chmod (0755), size = 125168 file: bin/chown (0755), size = 125616 ignoring sbin, type = 5 file: sbin/sshd (0755), size = 722848 file: sbin/umount (4755), size = 22784 ignoring usr, type = 5 ignoring usr/bin, type = 5 file: usr/bin/device_infos (0755), size = 75936 file: usr/bin/scp (0755), size = 49008 file: usr/bin/gptfdisk (0755), size = 164368 file: usr/bin/hfs_resize (0755), size = 12960 file: usr/bin/ibsspatch (0755), size = 51840 file: usr/bin/df (0755), size = 143296 file: usr/bin/du (0755), size = 178736 file: usr/bin/nano (0755), size = 209008 symlink: usr/bin/rnano (0777) -> nano ignoring usr/lib, type = 5 symlink: usr/lib/libncurses.5.dylib (0777) -> libncurses.5.4.dylib file: usr/lib/libncurses.5.4.dylib (0755), size = 335968 file: usr/lib/libhistory.6.0.dylib (0755), size = 54752 file: usr/lib/libreadline.6.0.dylib (0755), size = 198112 file: 
usr/lib/libcrypto.0.9.8.dylib (0755), size = 1604336 file: usr/lib/libiconv.2.dylib (0755), size = 1022528 directory: usr/libexec (0755) file: usr/libexec/sftp-server (0755), size = 44240 ignoring private, type = 5 ignoring private/etc, type = 5 replacing private/etc/rc.boot file: private/etc/rc.boot (0755), size = 369 directory: private/etc/ssh (0700) file: private/etc/ssh/ssh_host_rsa_key (0600), size = 1675 file: private/etc/ssh/ssh_host_dsa_key.pub (0644), size = 590 file: private/etc/ssh/sshd_config (0644), size = 3227 file: private/etc/ssh/ssh_host_key.pub (0644), size = 627 file: private/etc/ssh/ssh_config (0644), size = 1526 file: private/etc/ssh/ssh_host_dsa_key (0600), size = 668 file: private/etc/ssh/ssh_host_rsa_key.pub (0644), size = 382 file: private/etc/ssh/moduli (0644), size = 125811 file: private/etc/ssh/ssh_host_key (0600), size = 963 ignoring private/var, type = 5 directory: private/var/root (0700) file: private/var/root/.profile (0644), size = 391 [Log] Patch iBSS main: Starting... main: iBoot-1537 inputted. patch_rsa_check: Entering... find_bl_verify_shsh_5_6_7: Entering... find_bl_verify_shsh_5_6_7: Found MOVW instruction at 0x636a find_bl_verify_shsh_5_6_7: Found BL verify_shsh at 0x66f8 find_bl_verify_shsh_5_6_7: Leaving... patch_rsa_check: Patching BL verify_shsh at 0x66f8... patch_rsa_check: Leaving... main: Writing out patched file to iBSS.patched... main: Quitting... [Log] Patch iBEC main: Starting... main: iBoot-1537 inputted. patch_boot_args: Entering... patch_boot_args: Default boot-args string is at 0x3b4df patch_boot_args: boot-args xref is at 0x1cc8c patch_boot_args: Relocating boot-args string... patch_boot_args: "Reliance on this certificate" string found at 0x420f4 patch_boot_args: Pointing default boot-args xref to 0xbff420f4... 
patch_boot_args: Applying custom boot-args "rd=md0 -v amfi=0xff amfi_get_out_of_my_way=1 cs_enforcement_disable=1 pio-error=0" patch_boot_args: Found LDR R1, =boot_args at 0x1ca3a patch_boot_args: Found CMP R4, #0 at 0x1ca3c patch_boot_args: Found IT EQ/IT NE at 0x1ca40 patch_boot_args: Found MOV R6, R1 at 0x1ca42 patch_boot_args: Found LDR R6, =null_str at 0x1ca3e patch_boot_args: Pointing LDR R6, =null_str to boot-args xref... patch_boot_args: Leaving... patch_debug_enabled: Entering... find_dtre_get_value_bl_insn: Entering... find_dtre_get_value_bl_insn: debug-enabled string is at 0x3b06f find_dtre_get_value_bl_insn: "debug-enabled" xref is at 0x1c684 find_dtre_get_value_bl_insn: Found LDR R0, ="debug-enabled" at 0x1bd56 find_dtre_get_value_bl_insn: Found BL instruction at 0x1bd6e find_dtre_get_value_bl_insn: Leaving... patch_debug_enabled: Patching BL insn at 0x1bd6e... patch_debug_enabled: Leaving... patch_rsa_check: Entering... find_bl_verify_shsh_5_6_7: Entering... find_bl_verify_shsh_5_6_7: Found MOVW instruction at 0x1ad56 find_bl_verify_shsh_5_6_7: Found BL verify_shsh at 0x1b3a0 find_bl_verify_shsh_5_6_7: Leaving... patch_rsa_check: Patching BL verify_shsh at 0x1b3a0... patch_rsa_check: Leaving... main: Writing out patched file to iBEC.patched... main: Quitting...
The device needs to be in recovery/DFU mode before proceeding. [Input] Send device to recovery mode? (Y/n): y [Log] Entering recovery mode...
If the device does not enter recovery mode automatically:
Press Ctrl+C to cancel for now and try putting the device in DFU/Recovery mode manually [Log] Finding device in Recovery mode... [Log] Found device in Recovery mode.
Get ready to enter DFU mode.
If you already know how to enter DFU mode, you may do so right now before continuing. [Input] Select Y to continue, N to exit recovery mode (Y/n) y
Get ready... 02 01
Hold TOP and HOME buttons. 10 09 08 07 06 05 04 03 02 01
Release TOP button and keep holding HOME button. 08 07 06 05 04 03 02 01 [Log] Finding device in DFU mode... [Log] Found device in DFU mode. [Log] Placing device to pwnDFU mode using ipwnder_lite [main] enabled: debug log [main] Waiting for device in DFU mode... [io_get_serial] Found serial number! [main] CONNECTED [main] CPID: 0x8950, BDID: 0x02, STRG: [iBoot-1145.3] [main] Making directory: image3/ [dl_file] Downloading image: image3/ibss.n42 ... ** exploiting with checkm8 [checkm8_s5l8950x] reconnecting [io_reset] ResetDevice: 0 [io_reset] USBDeviceReEnumerate: 0 [checkm8_s5l8950x] running heap_spray() [heap_spray] (1/3) e000404f [heap_spray] (2/3) e0004051 [heap_spray] (3/3) e0004051 [checkm8_s5l8950x] reconnecting [io_reset] ResetDevice: 0 [io_reset] USBDeviceReEnumerate: 0 [checkm8_s5l8950x] running set_global_state() [set_global_state] (1/3) sent: 0, val: 640 [set_global_state] (2/3) e000404f [set_global_state] (3/3) e000404f [checkm8_s5l8950x] reconnecting [checkm8_s5l8950x] running heap_occupation() [heap_occupation] (1/3) e000404f [heap_occupation] (2/3) e0004051 [heap_occupation] (3/3) e0004051 [checkm8_s5l8950x] reconnecting [io_reset] USBDeviceReEnumerate: 0 [checkm8_s5l8950x] ERROR:Failed to reconnect to device [Log] Checking for device ERROR: Unable to connect to device [Error] Failed to enter pwnDFU mode. Please run the script again.
Exit DFU mode first by holding the TOP and HOME buttons for about 10 seconds.
For more details, read the "Troubleshooting" wiki page in GitHub
Troubleshooting links:
Legacy iOS Kit v24.09.08 (d6ecc62)
Platform: macos (12.7.6 - x86_64)
Saving session... ...copying shared history... ...saving history...truncating history files... ...completed.
[Process completed]
Pushed a test update where you can select ipwndfu instead of ipwnder: https://github.com/LukeZGD/Legacy-iOS-Kit/archive/refs/heads/test.zip
Version should say v24.09.08 (000test)
Test it out and let me know how it goes
Thanks for such a quick response! It didn't fail within terminal at least, and it did boot into an Evasion screen, but when it booted into iOS it was not jailbroken -- no Cydia or Evasion, unless I'm missing something. Log below, insanely long, I'm sorry!
hmm, does cydia not open thru safari? by going to cydia://
an alternative solution if you are willing to do a restore is to do this: dump onboard blobs by going to save shsh blobs -> onboard blobs. then restore/downgrade using those blobs with jailbreak option enabled
So, weirdly, it didn't give me an instruction to restart. Once I did, the device got absolutely molasses slow. And, I got a low storage warning. Those things make me think it's jailbroken...ish? But no, typing Cydia:// into the Safari bar doesn't open it, and still no app.
I will try that. I was struggling badly to extract blobs without being jailbroken, but it was causing the initial issue, so perhaps it will work now.
My end goal is just backing up my 7.0.2 blobs and downgrading to the latest supported version of 6 with a jailbreak on it. The 5c's I would jailbreak, but really they were just sanity checks.
Those seem like the issues that ios 7 users do face when using jailbreak device. So yeah doing the jailbreak thru a restore/downgrade is better in this case
You should be able to do it now that pwndfu is working with ipwndfu, let me know if you encounter any other issues
I'll be closing the issue now and push the update to main
ipwnder + pwndfu has same issue as initial when doing SHSH blob save as you described.
ipwndfu + pwndfu does not detect 'a device in dfu mode' when doing SHSH blob save as you described.
Have restarted the iPhone and Mac, downloaded latest update, etc. The unplug, plug, unplug, plug doesn't do anything. Phone is clearly in DFU when not being detected as being in DFU.
Putting iPhone in DFU manually/beforehand does not change anything either. iTunes does appropriately detect it.
Log:
Legacy iOS Kit
Version: v24.09.09 (05227b9)
Platform: macos (12.7.6 - x86_64)
Device: iPhone 5 (Global) (iPhone5,2 - n42ap) in Normal mode
iOS Version: 7.0.2 (11A501)
ECID: 3813328915753
Selected IPSW: /Users/camwebber/Downloads/iOS IPSWs/iPhone5,2_7.0.2_11A501_Restore.ipsw
IPSW Version: 7.0.2-11A501
Main Menu > Save SHSH Blobs > Onboard Blobs [Input] Select an option: 1) Select IPSW 2) Save Onboard Blobs 3) Go Back
? 2
This device needs to be in pwnDFU/kDFU mode before proceeding.
Select Y for pwnDFU mode, N for kDFU mode. Select Y if unsure. [Input] Are both your home and power buttons working properly? (Y/n): y
The device needs to be in recovery/DFU mode before proceeding. [Input] Send device to recovery mode? (Y/n): y [Log] Entering recovery mode...
If the device does not enter recovery mode automatically:
Press Ctrl+C to cancel for now and try putting the device in DFU/Recovery mode manually [Log] Finding device in Recovery mode... [Log] Found device in Recovery mode.
Get ready to enter DFU mode.
If you already know how to enter DFU mode, you may do so right now before continuing. [Input] Select Y to continue, N to exit recovery mode (Y/n) y
Get ready... 02 01
Hold TOP and HOME buttons. 10 09 08 07 06 05 04 03 02 01
Release TOP button and keep holding HOME button. 08 07 06 05 04 03 02 01 [Log] Finding device in DFU mode... [Log] Found device in DFU mode. [Input] PwnDFU Tool Option
Select tool to be used for entering pwned DFU mode.
This option is set to ipwnder by default (1). Select this option if unsure.
If the first option does not work, try the other option(s). [Input] Select your option: 1) ipwnder 2) ipwndfu
[Log] Placing device to pwnDFU mode using ipwndfu [Log] python2 from pyenv detected, this will be used [Log] Placing device to pwnDFU Mode using ipwndfu Acquiring device handle. Releasing device handle. checkm8 exploit by axi0mX modified version by Linus Henze and synackuk Acquiring device handle. Found: CPID:8950 CPRV:20 CPFM:03 SCEP:10 BDID:02 ECID:00000377DC1D8D29 IBFL:00 SRTG:[iBoot-1145.3] Performing USB port reset. Releasing device handle. Acquiring device handle. Releasing device handle. Acquiring device handle. Performing USB port reset. Releasing device handle. Acquiring device handle. ERROR: No Apple device in DFU Mode 0x1227 detected after 10.00 second timeout. Exiting. [Log] You may see the langid error above. This is normal, let's try to make it work
If it is any other error, it may have failed. Just continue, re-enter DFU, and retry [Log] Please read the message below:
Unplug and replug the device 2 times
After doing this, continue by pressing Enter/Return [Input] Press Enter/Return to continue (or press Ctrl+C to cancel) [Log] Checking for device [Error] Failed to enter pwnDFU mode. Please run the script again.
Exit DFU mode first by holding the TOP and HOME buttons for about 10 seconds.
For more details, read the "Troubleshooting" wiki page in GitHub
Troubleshooting links:
Legacy iOS Kit v24.09.09 (05227b9)
Platform: macos (12.7.6 - x86_64)
Saving session... ...copying shared history... ...saving history...truncating history files... ...completed.
[Process completed]
I've tried 4 or 5x with same result.
Confirmed exact same result starting from iOS, recovery mode, or DFU mode. Same exact error. Am I supposed to be taking it out & reinserting it both times in the span of 1/2 a second? I never got this error prior, it has always detected the devices in DFU.
Here's the thing: ipwndfu has a lower success rate than ipwnder when it comes to pwning. But with ipwnder having a weird issue on your end that I don't know about, you will have to make do with ipwndfu. The various errors you will get just mean that it failed, including the "No Apple device in DFU Mode" error you mentioned. What you want is the result that you got earlier in log.txt which was "Device is now in pwned DFU Mode. (x seconds)"
I haven't had any success since the jailbreak install that's funky and doesn't have access to Cydia. But, my fear is ruining my install before I get blobs by resetting it. It just seems to be related to that. But, I guess I don't really have another option besides continuing to try, so, I suppose I will keep trying. I'm 12+ hours into this, but I have a forced inability to stop working on a project as I know I will never pick it back up if I don't finish it in a sitting. Here's hoping.
I really do appreciate your help. It isn't your fault, but there's certainly a good reason I work in hardware repair and typically don't handle SW issues, lol. I like physical objective solutions to things, I'm not one of tremendous patience.
I have 3 devices: an iOS 7.0.2 iPhone 5, iOS 8.1.2 iPhone 5c, and iOS 9.3 iPhone 5c. Regardless of what I try to do with what device, I am having the same problem. Tested confirmed working on two A5 devices, exact same things I'm trying to do with these A6 models.
What I've tried:
- Restarting Phone
- Restarting Mac
- 3 Different A6 Devices
- Different USB Cables
- Different USB Ports
- Putting in DFU beforehand and letting program guide me from recovery mode
What I'm trying to do: Jailbreak, save blobs, then downgrade iOS version
The output I'm getting, last pretty substantial amount at least:
[checkm8_s5l8950x] running set_global_state()
[set_global_state] (1/3) sent: 0, val: 640
[set_global_state] (2/3) e000404f
[set_global_state] (3/3) e000404f
[checkm8_s5l8950x] reconnecting
[checkm8_s5l8950x] running heap_occupation()
[heap_occupation] (1/3) e000404f
[heap_occupation] (2/3) e0004051
[heap_occupation] (3/3) e0004051
[checkm8_s5l8950x] reconnecting
[io_reset] USBDeviceReEnumerate: 0
[checkm8_s5l8950x] ERROR:Failed to reconnect to device
[Log] Checking for device
ERROR: Unable to connect to device
[Error] Failed to enter pwnDFU mode. Please run the script again.
Should note that I did try while successfully in pwnDFU mode and the exact same error happens. Also happens regardless of what exactly I am aiming to accomplish.
Really, this is where it falls apart:
[checkm8_s5l8950x] reconnecting
[io_reset] USBDeviceReEnumerate: 0
[checkm8_s5l8950x] ERROR:Failed to reconnect to device
[Log] Checking for device
ERROR: Unable to connect to device
[Error] Failed to enter pwnDFU mode. Please run the script again.
I have no idea what in the name of the lord I am doing wrong. Help, please :(
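Added example (not part of the thread, and not Legacy iOS Kit or ipwnder_lite code): a small triage script for the ipwnder_lite output quoted above, reporting which stage last ran before the first tagged ERROR line and naming the hex values as macOS IOKit USB return codes. The sample log is the quoted output re-split one entry per line; `triage` and the report keys are names chosen for this example.

```python
import re

# Sample input: the ipwnder_lite lines quoted in the thread, re-split one per line.
SAMPLE_LOG = """\
[checkm8_s5l8950x] running set_global_state()
[set_global_state] (1/3) sent: 0, val: 640
[set_global_state] (2/3) e000404f
[set_global_state] (3/3) e000404f
[checkm8_s5l8950x] reconnecting
[checkm8_s5l8950x] running heap_occupation()
[heap_occupation] (1/3) e000404f
[heap_occupation] (2/3) e0004051
[heap_occupation] (3/3) e0004051
[checkm8_s5l8950x] reconnecting
[io_reset] USBDeviceReEnumerate: 0
[checkm8_s5l8950x] ERROR:Failed to reconnect to device
[Log] Checking for device
ERROR: Unable to connect to device
[Error] Failed to enter pwnDFU mode. Please run the script again.
"""

# IOReturn names from Apple's IOKit USB.h (iokit_usb_err(0x4f) and (0x51)).
IOKIT_USB = {"e000404f": "kIOUSBPipeStalled", "e0004051": "kIOUSBTransactionTimeout"}

TAG = re.compile(r"^\[([^\]]+)\]\s*(.*)$")      # "[tag] body"
RUNNING = re.compile(r"running (\w+)\(\)")      # stage announcement
STEP = re.compile(r"^\(\d+/\d+\)\s*(.*)$")      # "(n/m) value" inside a stage

def triage(log_text):
    """Summarise stages, per-stage step results and the first tagged ERROR."""
    report = {"stages": [], "steps": {}, "reconnects": 0,
              "failed_after": None, "error": None}
    for line in log_text.splitlines():
        m = TAG.match(line.strip())
        if not m:
            continue                               # untagged line, e.g. bare "ERROR: ..."
        tag, body = m.groups()
        run, step = RUNNING.search(body), STEP.match(body)
        if run:
            report["stages"].append(run.group(1))
        elif step and tag in report["stages"]:
            value = step.group(1)
            report["steps"].setdefault(tag, []).append(IOKIT_USB.get(value, value))
        elif body == "reconnecting":
            report["reconnects"] += 1
        elif body.startswith("ERROR:") and report["error"] is None:
            report["error"] = body[len("ERROR:"):].strip()
            report["failed_after"] = report["stages"][-1] if report["stages"] else None
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the quoted excerpt this reports `failed_after` as `heap_occupation`, the same reconnect step the post points to.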