MatthewPierson / Ramiel

An open-source, multipurpose macOS GUI utility for checkm8-vulnerable iOS/iPadOS devices
GNU General Public License v3.0
176 stars, 27 forks

[Bug] Unable to boot IPSW from Ramiel: neither disk booting nor IPSW booting works. #17

Closed. team-orangeBlue closed this 3 months ago

team-orangeBlue commented 3 years ago

Describe the bug: Attempting to boot an IPSW/local drive just says "device booting", but the device is stuck on a blank screen.

To Reproduce

  1. Get a 14.0 IPSW; make the args boot from disk0s1s1/2.
  2. Keep doing stuff until it reports "need onboards to boot 14.0".
  3. Try dumping; an error about dump failure will be returned. Try again. End. Ramiel reports "Done", but the device is on a blank screen.

Expected behavior: A 14.0 boot should happen, to the setup screen, after a Divise TD.

Screenshots: N/A

Desktop:

iOS/iPadOS Device (please complete the following information):

MatthewPierson commented 3 years ago

Why are you setting the bootargs to anything to do with disk0s1/s2? You shouldn’t be setting that at all. Also can you run Ramiel from terminal, enable debugging mode and send me the full output in terminal?

team-orangeBlue commented 3 years ago

> Why are you setting the bootargs to anything to do with disk0s1/s2? You shouldn't be setting that at all. Also can you run Ramiel from terminal, enable debugging mode and send me the full output in terminal?

Alright, will test terminal as soon as I am home.

team-orangeBlue commented 3 years ago

> Why are you setting the bootargs to anything to do with disk0s1/s2? You shouldn't be setting that at all. Also can you run Ramiel from terminal, enable debugging mode and send me the full output in terminal?

Hold up, how do you run it in terminal? Running the core file at `/Contents/macos/Ramiel` just opens the app.

MatthewPierson commented 3 years ago

That's all you need to do; running it like this just allows more information to be seen in the terminal window that is normally hidden.

team-orangeBlue commented 3 years ago

> Why are you setting the bootargs to anything to do with disk0s1/s2? You shouldn't be setting that at all. Also can you run Ramiel from terminal, enable debugging mode and send me the full output in terminal?

```
admin@Fedors-MBP macos % ./ramiel
2021-03-20 09:04:01.091 ramiel[3334:85329] 12
2021-03-20 09:04:01.091 ramiel[3334:85329] 47
2021-03-20 09:04:01.203 ramiel[3334:85329] This application is trying to draw a very large combo box, 31 points tall. Vertically resizable combo boxes are not supported, but it happens that 10.4 and previous drew something that looked kind of sort of okay. The art in 10.5 does not break up in a way that supports that drawing. This application should be revised to stop using large combo boxes. This warning will appear once per app launch.
2021-03-20 09:05:22.868 ramiel[3334:85380] Waiting
/bin/bash: /usr/local/bin/gtar: No such file or directory
/bin/bash: /usr/local/bin/ldid2: No such file or directory
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.raw
[+] Base address: 0x1800b0000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x1800b0000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x63a9e
[+] Found boot-arg xref at 0x15398
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x1800c5494 at 0x15388
[+] Changed ADR X19, 0x180111d00 to ADR X19, 0x180113a9e
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x633d0
[+] Found debug-enabled xref at 0x13d30
[+] Found second bl after debug-enabled xref at 0x13d44
[+] Wrote MOVZ X0, #1 to 0x1800c3d44
[+] Enabled kernel debug
[+] Unlocking nvram...
[+] Found debug-uarts string at 0x180111eda
[+] Found debug-uarts reference at 0x65298
[+] setenv whitelist begins at 0x65288
[+] Found ref to setenv whitelist at 0x30dc
[+] Forcing sub_1800b30c0 to return immediately
[+] Found env whitelist at 0x652b8
[+] Found ref to env whitelist at 0x3128
[+] Forcing sub_1800b3110 to return immediately
[+] Found "com.apple.System." string at 0x180114c9a
[+] Found reference to "com.apple.System." at 0x4050c
[+] Forcing sub_1800f0504 to return immediately
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x6329c
[+] Found IMG4 xref at 0x1193c
[+] Found beginning of _image4_get_partial at 0x118cc
[+] Found xref to _image4_get_partial at 0x124e0
[+] Found start of sub_1800c2400
[+] Found ADR X2, 0x1801158a0 at 0x12a60
[+] Call to 0x11be0
[+] RET found for sub_1800c1be0 at 0x123c4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.pwn
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibec.raw
[+] Base address: 0x1800b0000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x1800b0000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x63a9e
[+] Found boot-arg xref at 0x15398
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x1800c5494 at 0x15388
[+] Changed ADR X19, 0x180111d00 to ADR X19, 0x180113a9e
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x633d0
[+] Found debug-enabled xref at 0x13d30
[+] Found second bl after debug-enabled xref at 0x13d44
[+] Wrote MOVZ X0, #1 to 0x1800c3d44
[+] Enabled kernel debug
[+] Unlocking nvram...
[+] Found debug-uarts string at 0x180111eda
[+] Found debug-uarts reference at 0x65298
[+] setenv whitelist begins at 0x65288
[+] Found ref to setenv whitelist at 0x30dc
[+] Forcing sub_1800b30c0 to return immediately
[+] Found env whitelist at 0x652b8
[+] Found ref to env whitelist at 0x3128
[+] Forcing sub_1800b3110 to return immediately
[+] Found "com.apple.System." string at 0x180114c9a
[+] Found reference to "com.apple.System." at 0x4050c
[+] Forcing sub_1800f0504 to return immediately
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x6329c
[+] Found IMG4 xref at 0x1193c
[+] Found beginning of _image4_get_partial at 0x118cc
[+] Found xref to _image4_get_partial at 0x124e0
[+] Found start of sub_1800c2400
[+] Found ADR X2, 0x1801158a0 at 0x12a60
[+] Call to 0x11be0
[+] RET found for sub_1800c1be0 at 0x123c4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibec.pwn
2021-03-20 09:06:01.051 ramiel[3334:85380] Waiting
2021-03-20 09:08:05.296 ramiel[3334:85329] Booted device successfully!
// The SHSH dump error happens here
Creating listening port 2222 for device port 44
bind(): Address already in use
Error creating socket for listen port 2222: Address already in use
Traceback (most recent call last):
  File "/Applications/Ramiel.app/Contents/Resources/ssh/dump.py", line 3, in <module>
    import paramiko
ModuleNotFoundError: No module named 'paramiko'
Traceback (most recent call last):
  File "/Applications/Ramiel.app/Contents/Resources/ssh/dump.py", line 3, in <module>
    import paramiko
ModuleNotFoundError: No module named 'paramiko'
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.raw
[+] Base address: 0x1800b0000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x1800b0000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x63a9e
[+] Found boot-arg xref at 0x15398
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x1800c5494 at 0x15388
[+] Changed ADR X19, 0x180111d00 to ADR X19, 0x180113a9e
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x633d0
[+] Found debug-enabled xref at 0x13d30
[+] Found second bl after debug-enabled xref at 0x13d44
[+] Wrote MOVZ X0, #1 to 0x1800c3d44
[+] Enabled kernel debug
[+] Unlocking nvram...
[+] Found debug-uarts string at 0x180111eda
[+] Found debug-uarts reference at 0x65298
[+] setenv whitelist begins at 0x65288
[+] Found ref to setenv whitelist at 0x30dc
[+] Forcing sub_1800b30c0 to return immediately
[+] Found env whitelist at 0x652b8
[+] Found ref to env whitelist at 0x3128
[+] Forcing sub_1800b3110 to return immediately
[+] Found "com.apple.System." string at 0x180114c9a
[+] Found reference to "com.apple.System." at 0x4050c
[+] Forcing sub_1800f0504 to return immediately
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x6329c
[+] Found IMG4 xref at 0x1193c
[+] Found beginning of _image4_get_partial at 0x118cc
[+] Found xref to _image4_get_partial at 0x124e0
[+] Found start of sub_1800c2400
[+] Found ADR X2, 0x1801158a0 at 0x12a60
[+] Call to 0x11be0
[+] RET found for sub_1800c1be0 at 0x123c4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.pwn
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibec.raw
[+] Base address: 0x1800b0000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x1800b0000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x63a9e
[+] Found boot-arg xref at 0x15398
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x1800c5494 at 0x15388
[+] Changed ADR X19, 0x180111d00 to ADR X19, 0x180113a9e
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x633d0
[+] Found debug-enabled xref at 0x13d30
[+] Found second bl after debug-enabled xref at 0x13d44
[+] Wrote MOVZ X0, #1 to 0x1800c3d44
[+] Enabled kernel debug
[+] Unlocking nvram...
[+] Found debug-uarts string at 0x180111eda
[+] Found debug-uarts reference at 0x65298
[+] setenv whitelist begins at 0x65288
[+] Found ref to setenv whitelist at 0x30dc
[+] Forcing sub_1800b30c0 to return immediately
[+] Found env whitelist at 0x652b8
[+] Found ref to env whitelist at 0x3128
[+] Forcing sub_1800b3110 to return immediately
[+] Found "com.apple.System." string at 0x180114c9a
[+] Found reference to "com.apple.System." at 0x4050c
[+] Forcing sub_1800f0504 to return immediately
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x6329c
[+] Found IMG4 xref at 0x1193c
[+] Found beginning of _image4_get_partial at 0x118cc
[+] Found xref to _image4_get_partial at 0x124e0
[+] Found start of sub_1800c2400
[+] Found ADR X2, 0x1801158a0 at 0x12a60
[+] Call to 0x11be0
[+] RET found for sub_1800c1be0 at 0x123c4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibec.pwn
```

MatthewPierson commented 3 years ago

I see what's going wrong; it should be fixed in v1.0.3, which I'll be publishing soon. Just waiting to hear back from someone as to whether or not it works for them. Actually, I could send you a copy here to try before it's out if you'd like? Link is here

team-orangeBlue commented 3 years ago

> I see what's going wrong; it should be fixed in v1.0.3, which I'll be publishing soon. Just waiting to hear back from someone as to whether or not it works for them. Actually, I could send you a copy here to try before it's out if you'd like? Link is here

I will beta-test. Will tell you if something goes wrong.

team-orangeBlue commented 3 years ago

> I see what's going wrong; it should be fixed in v1.0.3, which I'll be publishing soon. Just waiting to hear back from someone as to whether or not it works for them. Actually, I could send you a copy here to try before it's out if you'd like? Link is here

Nope, nothing good or new or whatever. SHSH dump error, except now it doesn't clear the Yoshi SHSH dump screen.

MatthewPierson commented 3 years ago

Can you show the terminal log from the new build please?

MatthewPierson commented 3 years ago

Also, can you run `pip3 install --user paramiko` for me to ensure that the library is installed? It should have been installed by Ramiel on first launch, but it seems like it hasn't been.

team-orangeBlue commented 3 years ago

Had a little struggle; once again, problems.

```
admin@Fedors-MBP macos % ./ramiel
2021-03-25 17:01:20.877 ramiel[5818:191511] Setting closedState to: 0
2021-03-25 17:01:20.878 ramiel[5818:191501] 11
2021-03-25 17:01:20.878 ramiel[5818:191501] 69
2021-03-25 17:01:20.973 ramiel[5818:191501] This application is trying to draw a very large combo box, 31 points tall. Vertically resizable combo boxes are not supported, but it happens that 10.4 and previous drew something that looked kind of sort of okay. The art in 10.5 does not break up in a way that supports that drawing. This application should be revised to stop using large combo boxes. This warning will appear once per app launch.
2021-03-25 17:01:34.000 ramiel[5818:191560] Waiting
//Request to dump SHSH happens here.
/bin/bash: /usr/local/bin/gtar: No such file or directory
ldid.cpp(3004): _assert(): errno=2
ldid.cpp(3004): _assert(): errno=2
/bin/bash: /usr/local/bin/ldid2: No such file or directory
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.raw
[+] Base address: 0x1800b0000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x1800b0000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x63a9e
[+] Found boot-arg xref at 0x15398
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x1800c5494 at 0x15388
[+] Changed ADR X19, 0x180111d00 to ADR X19, 0x180113a9e
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x633d0
[+] Found debug-enabled xref at 0x13d30
[+] Found second bl after debug-enabled xref at 0x13d44
[+] Wrote MOVZ X0, #1 to 0x1800c3d44
[+] Enabled kernel debug
[+] Unlocking nvram...
[+] Found debug-uarts string at 0x180111eda
[+] Found debug-uarts reference at 0x65298
[+] setenv whitelist begins at 0x65288
[+] Found ref to setenv whitelist at 0x30dc
[+] Forcing sub_1800b30c0 to return immediately
[+] Found env whitelist at 0x652b8
[+] Found ref to env whitelist at 0x3128
[+] Forcing sub_1800b3110 to return immediately
[+] Found "com.apple.System." string at 0x180114c9a
[+] Found reference to "com.apple.System." at 0x4050c
[+] Forcing sub_1800f0504 to return immediately
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x6329c
[+] Found IMG4 xref at 0x1193c
[+] Found beginning of _image4_get_partial at 0x118cc
[+] Found xref to _image4_get_partial at 0x124e0
[+] Found start of sub_1800c2400
[+] Found ADR X2, 0x1801158a0 at 0x12a60
[+] Call to 0x11be0
[+] RET found for sub_1800c1be0 at 0x123c4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.pwn
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibec.raw
[+] Base address: 0x1800b0000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x1800b0000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x63a9e
[+] Found boot-arg xref at 0x15398
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x1800c5494 at 0x15388
[+] Changed ADR X19, 0x180111d00 to ADR X19, 0x180113a9e
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x633d0
[+] Found debug-enabled xref at 0x13d30
[+] Found second bl after debug-enabled xref at 0x13d44
[+] Wrote MOVZ X0, #1 to 0x1800c3d44
[+] Enabled kernel debug
[+] Unlocking nvram...
[+] Found debug-uarts string at 0x180111eda
[+] Found debug-uarts reference at 0x65298
[+] setenv whitelist begins at 0x65288
[+] Found ref to setenv whitelist at 0x30dc
[+] Forcing sub_1800b30c0 to return immediately
[+] Found env whitelist at 0x652b8
[+] Found ref to env whitelist at 0x3128
[+] Forcing sub_1800b3110 to return immediately
[+] Found "com.apple.System." string at 0x180114c9a
[+] Found reference to "com.apple.System." at 0x4050c
[+] Forcing sub_1800f0504 to return immediately
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x6329c
[+] Found IMG4 xref at 0x1193c
[+] Found beginning of _image4_get_partial at 0x118cc
[+] Found xref to _image4_get_partial at 0x124e0
[+] Found start of sub_1800c2400
[+] Found ADR X2, 0x1801158a0 at 0x12a60
[+] Call to 0x11be0
[+] RET found for sub_1800c1be0 at 0x123c4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibec.pwn
//iBSS gets sent from here
2021-03-25 17:03:29.395 ramiel[5818:191560] Waiting
2021-03-25 17:03:29.843 ramiel[5818:191501] Booted device successfully!
// Hangs on "Waiting for device" and still, SHSH dump error.
Creating listening port 2222 for device port 44
bind(): Address already in use
Error creating socket for listen port 2222: Address already in use
Exception: Error reading SSH protocol banner[Errno 54] Connection reset by peer
Traceback (most recent call last):
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2211, in _check_banner
    buf = self.packetizer.readline(timeout)
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/packet.py", line 380, in readline
    buf += self._read_timeout(timeout)
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/packet.py", line 607, in _read_timeout
    x = self.__socket.recv(128)
ConnectionResetError: [Errno 54] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2039, in run
    self._check_banner()
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2215, in _check_banner
    raise SSHException(
paramiko.ssh_exception.SSHException: Error reading SSH protocol banner[Errno 54] Connection reset by peer

Traceback (most recent call last):
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2211, in _check_banner
    buf = self.packetizer.readline(timeout)
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/packet.py", line 380, in readline
    buf += self._read_timeout(timeout)
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/packet.py", line 607, in _read_timeout
    x = self.__socket.recv(128)
ConnectionResetError: [Errno 54] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Applications/Ramiel.app/Contents/Resources/ssh/dump.py", line 9, in <module>
    client.connect(hostname="localhost", password="alpine", username="root", port=2222)
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/client.py", line 406, in connect
    t.start_client(timeout=timeout)
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 660, in start_client
    raise e
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2039, in run
    self._check_banner()
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2215, in _check_banner
    raise SSHException(
paramiko.ssh_exception.SSHException: Error reading SSH protocol banner[Errno 54] Connection reset by peer
Exception: Error reading SSH protocol banner[Errno 54] Connection reset by peer
Traceback (most recent call last):
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2211, in _check_banner
    buf = self.packetizer.readline(timeout)
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/packet.py", line 380, in readline
    buf += self._read_timeout(timeout)
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/packet.py", line 607, in _read_timeout
    x = self.__socket.recv(128)
ConnectionResetError: [Errno 54] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2039, in run
    self._check_banner()
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2215, in _check_banner
    raise SSHException(
paramiko.ssh_exception.SSHException: Error reading SSH protocol banner[Errno 54] Connection reset by peer

Traceback (most recent call last):
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2211, in _check_banner
    buf = self.packetizer.readline(timeout)
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/packet.py", line 380, in readline
    buf += self._read_timeout(timeout)
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/packet.py", line 607, in _read_timeout
    x = self.__socket.recv(128)
ConnectionResetError: [Errno 54] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Applications/Ramiel.app/Contents/Resources/ssh/dump.py", line 9, in <module>
    client.connect(hostname="localhost", password="alpine", username="root", port=2222)
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/client.py", line 406, in connect
    t.start_client(timeout=timeout)
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 660, in start_client
    raise e
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2039, in run
    self._check_banner()
  File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2215, in _check_banner
    raise SSHException(
paramiko.ssh_exception.SSHException: Error reading SSH protocol banner[Errno 54] Connection reset by peer
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.raw
[+] Base address: 0x1800b0000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x1800b0000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x63a9e
[+] Found boot-arg xref at 0x15398
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x1800c5494 at 0x15388
[+] Changed ADR X19, 0x180111d00 to ADR X19, 0x180113a9e
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x633d0
[+] Found debug-enabled xref at 0x13d30
[+] Found second bl after debug-enabled xref at 0x13d44
[+] Wrote MOVZ X0, #1 to 0x1800c3d44
[+] Enabled kernel debug
[+] Unlocking nvram...
[+] Found debug-uarts string at 0x180111eda
[+] Found debug-uarts reference at 0x65298
[+] setenv whitelist begins at 0x65288
[+] Found ref to setenv whitelist at 0x30dc
[+] Forcing sub_1800b30c0 to return immediately
[+] Found env whitelist at 0x652b8
[+] Found ref to env whitelist at 0x3128
[+] Forcing sub_1800b3110 to return immediately
[+] Found "com.apple.System." string at 0x180114c9a
[+] Found reference to "com.apple.System." at 0x4050c
[+] Forcing sub_1800f0504 to return immediately
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x6329c
[+] Found IMG4 xref at 0x1193c
[+] Found beginning of _image4_get_partial at 0x118cc
[+] Found xref to _image4_get_partial at 0x124e0
[+] Found start of sub_1800c2400
[+] Found ADR X2, 0x1801158a0 at 0x12a60
[+] Call to 0x11be0
[+] RET found for sub_1800c1be0 at 0x123c4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.pwn
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibec.raw
[+] Base address: 0x1800b0000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x1800b0000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x63a9e
[+] Found boot-arg xref at 0x15398
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x1800c5494 at 0x15388
[+] Changed ADR X19, 0x180111d00 to ADR X19, 0x180113a9e
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x633d0
[+] Found debug-enabled xref at 0x13d30
[+] Found second bl after debug-enabled xref at 0x13d44
[+] Wrote MOVZ X0, #1 to 0x1800c3d44
[+] Enabled kernel debug
[+] Unlocking nvram...
[+] Found debug-uarts string at 0x180111eda
[+] Found debug-uarts reference at 0x65298
[+] setenv whitelist begins at 0x65288
[+] Found ref to setenv whitelist at 0x30dc
[+] Forcing sub_1800b30c0 to return immediately
[+] Found env whitelist at 0x652b8
[+] Found ref to env whitelist at 0x3128
[+] Forcing sub_1800b3110 to return immediately
[+] Found "com.apple.System." string at 0x180114c9a
[+] Found reference to "com.apple.System." at 0x4050c
[+] Forcing sub_1800f0504 to return immediately
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x6329c
[+] Found IMG4 xref at 0x1193c
[+] Found beginning of _image4_get_partial at 0x118cc
[+] Found xref to _image4_get_partial at 0x124e0
[+] Found start of sub_1800c2400
[+] Found ADR X2, 0x1801158a0 at 0x12a60
[+] Call to 0x11be0
[+] RET found for sub_1800c1be0 at 0x123c4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibec.pwn
```

The exploit worked once; with paramiko, I have no luck with it. It keeps reporting that it failed.
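The log above shows three separate host-side failures stacked on top of each other: `/usr/local/bin/gtar` and `/usr/local/bin/ldid2` are absent, `dump.py` cannot import `paramiko`, and the local forward port 2222 is still held by an earlier run (`bind(): Address already in use`), which is why the SSH banner read is reset. The script below is an added preflight check written for this thread, not Ramiel's own code: the tool paths, module name and port come from the log, while the function names and the wording of the hints are this example's own choices. It binds to the forward port itself to detect a stale listener, the same condition the dump script trips over.

```python
"""Preflight check for the host-side pieces the Ramiel SHSH dump path needs.

Added example for this issue thread, not part of Ramiel. The tool paths,
the module name and the port number are taken from the terminal log in
the thread; the function names and hint text are this example's own.
"""
import errno
import importlib.util
import os
import socket

# Host binaries the log reports as "No such file or directory".
REQUIRED_TOOLS = ["/usr/local/bin/gtar", "/usr/local/bin/ldid2"]
# Python module dump.py imports (ModuleNotFoundError in the first log).
REQUIRED_MODULES = ["paramiko"]
# Local port the dump step forwards to the device's SSH port 44.
FORWARD_PORT = 2222


def tool_present(path: str) -> bool:
    """True if `path` is a regular file executable by the current user."""
    return os.path.isfile(path) and os.access(path, os.X_OK)


def module_present(name: str) -> bool:
    """True if `name` is importable, checked without importing it."""
    return importlib.util.find_spec(name) is not None


def port_free(port: int, host: str = "127.0.0.1") -> bool:
    """True if a listener can still be bound on host:port.

    A stale forwarder left over from an earlier run is the usual reason this
    returns False; it is the same failure the log shows as
    "bind(): Address already in use".
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno in (errno.EADDRINUSE, errno.EACCES):
                return False
            raise
    return True


def preflight(tools=REQUIRED_TOOLS, modules=REQUIRED_MODULES, port=FORWARD_PORT) -> list:
    """Return a list of human-readable problems; an empty list means all clear."""
    problems = []
    for t in tools:
        if not tool_present(t):
            problems.append(f"missing tool: {t}")
    for m in modules:
        if not module_present(m):
            problems.append(f"missing python module: {m} (pip3 install --user {m})")
    if not port_free(port):
        problems.append(f"port {port} already bound; stop the stale forwarder before retrying")
    return problems


if __name__ == "__main__":
    issues = preflight()
    for p in issues:
        print("[-]", p)
    if not issues:
        print("[+] preflight clean")
```

Run it with the same interpreter Ramiel invokes (`python3` on the user's PATH), since `module_present` only answers for the interpreter it runs in; a `paramiko` installed into a different Python would still leave `dump.py` failing exactly as in the log.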

team-orangeBlue commented 3 years ago

P.S. Had some time struggles.

team-orangeBlue commented 3 months ago

Closed as device is no longer in my possession. Sorry. I had a lot of blobs for it for 14.2-latest 14 versions, but sadly no 13.

I only have another air 2 left on 12.4.1 and I am not touching it.