Closed kwccoin closed 2 years ago
Perhaps I need to get some basic idea of what is going on. I suspect that:
a) one has to be in DFU mode (as a reboot gives you a hacked iPad), and given the dark blockchain option in checkra1n (Mac GUI mode) it is better to reset all;
b) there is a need to install some module;
c) ... once Linux is on, pongoterm is the key to communicating;
d) ... there might be some Linux version that, like Ubuntu Touch, you can use on the iPad unconnected to the Mac.
My guess. Have to study a bit more.
For the moment, to reach this stage:
1) Install and run checkra1n on macOS (I call this GUI mode).
a) In a terminal (after installation of the above checkra1n, of course, and also pongoOS (no space in the directory name), plus removing the warning-as-error above), do:
```text
/Applications/checkra1n.app/Contents/MacOS/checkra1n -v -V -p -c -k ./build/Pongo.bin
#
# Checkra1n beta 0.12.4
#
# Proudly written in nano
# (c) 2019-2021 Kim Jong Cracks
#
#======== Made by =======
# argp, axi0mx, danyl931, jaywalker, kirb, littlelailo, nitoTV
# never_released, nullpixel, pimskeks, qwertyoruiop, sbingner, siguza
#======== Thanks to =======
# haifisch, jndok, jonseals, xerub, lilstevie, psychotea, sferrini
# Cellebrite (ih8sn0w, cjori, ronyrus et al.)
#==========================
- [06/19/22 07:40:07] <Info>: Waiting for DFU devices
```
2) Back in checkra1n (GUI), checkra1n will guide you to boot into DFU (which is a manual process: hold Home and Top for 4 s, then Home for 10 s), and later it will show
USB Error (Error code: -10)
b) Once the iPad is in DFU mode, the terminal will start working, with the messages below:
```text
- [06/19/22 07:43:53] <Verbose>: DFU mode device found
- [06/19/22 07:43:53] <Info>: Exploiting
- [06/19/22 07:43:53] <Verbose>: Attempting to perform checkm8 on 8960 11...
- [06/19/22 07:43:53] <Info>: Checking if device is ready
- [06/19/22 07:43:53] <Verbose>: == Checkm8 Preparation stage ==
- [06/19/22 07:43:53] <Verbose>: DFU device disconnected
- [06/19/22 07:43:53] <Verbose>: DFU mode device found
- [06/19/22 07:43:54] <Info>: Setting up the exploit (this is the heap spray)
- [06/19/22 07:43:54] <Verbose>: == Checkm8 Setup stage ==
- [06/19/22 07:44:04] <Info>: Right before trigger (this is the real bug setup)
- [06/19/22 07:44:04] <Verbose>: Entered initial checkm8 state after 3 steps, issuing DFU abort..
- [06/19/22 07:44:04] <Verbose>: DFU device disconnected
- [06/19/22 07:44:04] <Verbose>: DFU mode device found
- [06/19/22 07:44:05] <Verbose>: == Checkm8 Trigger stage ==
- [06/19/22 07:44:10] <Verbose>: Checkmate!
- [06/19/22 07:44:10] <Verbose>: DFU device disconnected
- [06/19/22 07:44:10] <Verbose>: DFU mode device found
- [06/19/22 07:44:10] <Verbose>: == Checkm8 Trying to run payload... ==
- [06/19/22 07:44:10] <Verbose>: If everything went correctly, you should now have code execution.
- [06/19/22 07:44:10] <Verbose>: DFU device disconnected
- [06/19/22 07:44:11] <Info>: Entered download mode
- [06/19/22 07:44:11] <Verbose>: Download mode device found
- [06/19/22 07:44:11] <Info>: Booting...
- [06/19/22 07:44:11] <Verbose>: Setting bootargs to: rootdev=md0 -v
- [06/19/22 07:44:13] <Verbose>: Download mode device disconnected
- [06/19/22 07:45:40] <Error>: Timed out waiting for bootstrap upload (error code: -20)
```
c) Switch into another terminal:
```text
# under pongoOS
cd scripts
./pongoterm
# you are in
# and the iPad shows pongoOS>
[Connected]
fbbase = 83d000000 fbwidth = 1536 fbheight = 2048 fbsize = c00000 SCTLR original from iboot: 0x30d00805
#==================
#
# pongoOS 2.5.1-f6b31be4
#
# https://checkra.in
#
#==================
Booted by: iBoot-4513.270.14
Built with: Clang 13.1.6 (clang-1316.0.21.2.5)
Running on: Apple A7 (S5L8960)
pongoOS>
pongoOS> help
aes | performs AES operations
bootargs | prints xnu bootargs struct
bootl | boots linux
bootr | boot raw image
bootux | boots unpatched xnu
bootx | boots xnu (patched, if such a module is loaded)
crash | branches to an invalid address
dt | parses loaded devicetree
dump | dumps various system registers
dumpusb | dumps various dwc2 registers for lee noocks
fbclear | clears the framebuffer output (minus banner)
fbinvert | inverts framebuffer contents
fdt | load linux fdt from usb
fix | tries to fix a7..
help | shows this help message
linux_cmdline | update linux kernel command line
loadx | loads xnu
lsdev | prints hal devices tree
md8 | memory dump
modload | loads module
paging | tests paging
panic | calls panic()
peek | 32bit mem read
physdump | dumps a page of phys
poke | 32bit mem write
ps | lists current tasks and irq handlers
ramdisk | loads a ramdisk for xnu or linux
recursion | tests stack guards
reset | resets the device
sep | sep tools
spawn | starts a usermode process
spin | spins 1 second
synopsys | prints a synopsysotg register dump
tz | trustzone info
tz0_set | change tz0 registers
tz_blackbird | trustzone blackbird attack
tz_lockdown | trustzone lockdown
xargs | prints or sets xnu boot-args
xfb | gives xnu access to the framebuffer (for -v or -s)
```
d) I guess this is where I am not sure what to do next (with my guess at the beginning).
But all good ... it boots into something.
Just need to read HOWTO.md.
For the moment I just removed the -Werror flag and let the warnings be warnings. It then runs.
I set the device to DFU and the GUI version of checkra1n found an error, but the terminal command (which said it was waiting for DFU) ran OK. The iPad mini now shows pongoOS> (and then the terminal version shows
... Not sure what to do next actually. Obviously it is not touch based. Somehow one has to ssh into it or set it to touch mode or ...
Finally, cd to scripts, make and run ./pongoterm; it connects to the iPad -- cheers -- and I can type some commands.
Still need to find out what to do next...
The iPad mini and the Mac communicate. All good now.
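As an added example, not part of this thread and not code from the checkra1n or pongoOS projects: a small Python triage script for the `-v -V` log format shown above. It assumes only the `- [MM/DD/YY HH:MM:SS] <Level>: message` line shape visible in the quoted output; the `SAMPLE_LOG` is a constructed subset of the poster's run ending in the same `error code: -20` timeout. It extracts the `== ... ==` stage markers with their offsets from the first line, records whether download mode was reached, and measures how long the run sat after `Booting...` before the bootstrap-upload error, which is the first thing to look at when the terminal reports a timeout while the device already shows the pongoOS prompt.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the `checkra1n -v -V` output quoted above,
# ending in the bootstrap-upload timeout the poster hit.
SAMPLE_LOG = """\
# Checkra1n beta 0.12.4
- [06/19/22 07:40:07] <Info>: Waiting for DFU devices
- [06/19/22 07:43:53] <Verbose>: DFU mode device found
- [06/19/22 07:43:53] <Info>: Exploiting
- [06/19/22 07:43:53] <Verbose>: == Checkm8 Preparation stage ==
- [06/19/22 07:43:54] <Verbose>: == Checkm8 Setup stage ==
- [06/19/22 07:44:05] <Verbose>: == Checkm8 Trigger stage ==
- [06/19/22 07:44:10] <Verbose>: Checkmate!
- [06/19/22 07:44:11] <Info>: Entered download mode
- [06/19/22 07:44:11] <Info>: Booting...
- [06/19/22 07:44:11] <Verbose>: Setting bootargs to: rootdev=md0 -v
- [06/19/22 07:45:40] <Error>: Timed out waiting for bootstrap upload (error code: -20)
"""

# One log line: "- [MM/DD/YY HH:MM:SS] <Level>: message" (assumed from the quoted output)
LINE_RE = re.compile(r"^- \[(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\] <(\w+)>: (.*)$")
STAGE_RE = re.compile(r"^== (.+?) ==$")
ERROR_CODE_RE = re.compile(r"\(error code: (-?\d+)\)", re.IGNORECASE)


@dataclass
class Entry:
    ts: datetime
    level: str
    msg: str


def parse_log(text: str) -> List[Entry]:
    """Keep only the timestamped lines; banner lines (the '#' header) are dropped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            entries.append(Entry(ts, m.group(2), m.group(3)))
    return entries


def stage_timeline(entries: List[Entry]) -> List[Tuple[str, int]]:
    """(stage name, seconds since the first entry) for each '== ... ==' marker."""
    if not entries:
        return []
    t0 = entries[0].ts
    return [
        (STAGE_RE.match(e.msg).group(1), int((e.ts - t0).total_seconds()))
        for e in entries
        if STAGE_RE.match(e.msg)
    ]


def final_error(entries: List[Entry]) -> Optional[Entry]:
    """The last <Error> entry, or None if the run ended without one."""
    for e in reversed(entries):
        if e.level == "Error":
            return e
    return None


def error_code(entry: Optional[Entry]) -> Optional[int]:
    """Numeric code from '(error code: N)' in an error message, if present."""
    if entry is None:
        return None
    m = ERROR_CODE_RE.search(entry.msg)
    return int(m.group(1)) if m else None


def summarize(text: str) -> Dict[str, object]:
    """Triage summary: how far the run got, and how long the last step waited."""
    entries = parse_log(text)
    err = final_error(entries)
    boot = next((e for e in entries if e.msg == "Booting..."), None)
    return {
        "entries": len(entries),
        "stages": stage_timeline(entries),
        "reached_download_mode": any(e.msg == "Entered download mode" for e in entries),
        "error_code": error_code(err),
        # seconds between "Booting..." and the error; None if either is absent
        "boot_wait_seconds": int((err.ts - boot.ts).total_seconds()) if (err and boot) else None,
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run it on a saved terminal transcript instead of `SAMPLE_LOG` to see, at a glance, that all three checkm8 stages completed, download mode was entered, and the only failure was the bootstrap upload timing out about a minute and a half after `Booting...`, which matches the situation in this thread where the device is already sitting at the pongoOS prompt.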