checkra1n / PongoOS

https://checkra.in

T2 ssh #165

Open graphine27 opened 1 year ago

graphine27 commented 1 year ago

Since my T2 machine is on bridgeOS 7.5, Checkra1n is not working and I don't think this is a priority for you right now.

I can however start PongoOS using 1337 and iOS15, but I don't fully understand it. How did Checkra1n achieve ssh on previous versions? The latest kpf does not seem to help in booting bridgeOS with ssh.

I think my second option is to use sshrd_script, which cannot create a correct image for 7.5, and the 5.x image is not booting. This script has some files which are appended to the ramdisk image (https://github.com/verygenericname/sshtars/tree/main), but they might also be incompatible with 7.5, and I cannot get any logs from when it tries to boot.

Maybe if I understood how ssh was achieved on lower bridgeOS versions with Checkra1n, I could try to see why it's not working for 7.5. Could you help?

Siguza commented 1 year ago

The missing parts are ramdisk and overlay.

graphine27 commented 1 year ago

Can you give a quick overview of how it works? I think I found the ramdisk image.

Siguza commented 1 year ago

If you have a ramdisk, you can pass it to checkra1n with -r. But the one from 0.12.4 won't work here, because basically everything changed.

graphine27 commented 1 year ago

Can PongoOS load a normal downgrade ramdisk + devicetree + kernelcache? I need to either somehow downgrade bridgeOS, even temporarily (in memory), so 0.12.4 works, or make ssh work on 7.5 by other means.

graphine27 commented 1 year ago

Assuming there are no SEP incompatibilities, could I just create a ramdisk for bridgeOS 5.x and put the checkra1n ramdisk and overlay files into the bridgeOS ramdisk? Would that work? I see there is a payload and patch_dyld.bridgeos; what do these do exactly?

Siguza commented 1 year ago

PongoOS cannot currently load a new kernelcache. In theory that's possible, but it requires careful handling of the physical address space, and neither that nor any of the rebasing logic has been written.

The payload binary holds a bunch of different code required by checkra1n at runtime. Using this in another context is unlikely to work, or be useful in any way.
The patch_dyld.* binaries exist to copy dyld to a new location and apply a patch to remove the same-platform restriction (so we can run binaries compiled against the iOS SDK on tvOS and bridgeOS). Without this, you'll have to patch the LC_BUILD_VERSION command of all Mach-Os to say bridgeOS.

Essentially what we do is boot off a ramdisk, have a custom binary in /usr/lib/dyld that can run without any libraries, and from there we either union mount the rootfs over / (on 14.x and below) or we mount it to /fs/orig and bind-mount all folders to places on / (15.0 and up, hasn't been publicly released). Then we invoke the dyld patcher, and after that we hand off to launchd, but we inject a dylib to run code at various stages. It's... quite a bit of work.

graphine27 commented 1 year ago

Thanks for the info. Looks like it would be easier to use sshrd and put the right files in (it seems all the executables there have LC_BUILD_VERSION for bridgeOS).

Did checkra1n do anything special to get ssh to work? I see some LaunchDaemons like dropbear-bridgeos-ncm.plist and dropbear.plist; is it enough to place these files on the ramdisk? It does not seem to work for me. I also tried compiling https://github.com/verygenericname/sshrd_SSHRD_Script and replacing MacEFIUtil with it so launchd calls it, and also used https://github.com/iSuns9/restored_external64patcher.

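Siguza's comment above says that binaries built against the iOS SDK carry an LC_BUILD_VERSION naming iOS, and graphine27's reply relies on checking that the sshrd executables say bridgeOS instead. As an added example (not code from the checkra1n/PongoOS project or from either commenter), here is a small Python parser that walks a 64-bit Mach-O's load commands and reports each LC_BUILD_VERSION platform, so that check can be run over every binary in a ramdisk; the command and platform numbers come from Apple's public mach-o/loader.h, and the sample Mach-O header is constructed inline for demonstration.

```python
import struct

# Constants from Apple's <mach-o/loader.h>; PLATFORM_BRIDGEOS is 5.
MH_MAGIC_64 = 0xFEEDFACF
CPU_TYPE_ARM64 = 0x0100000C
LC_BUILD_VERSION = 0x32
PLATFORMS = {1: "macOS", 2: "iOS", 3: "tvOS", 4: "watchOS", 5: "bridgeOS",
             6: "macCatalyst", 7: "iOS simulator", 8: "tvOS simulator",
             9: "watchOS simulator", 10: "DriverKit"}

def _ver(v: int) -> str:
    # Versions are packed as 0xXXXXYYZZ -> "X.Y.Z".
    return f"{v >> 16}.{(v >> 8) & 0xFF}.{v & 0xFF}"

def build_versions(macho: bytes):
    """Return [(platform_name, minos, sdk), ...] for each LC_BUILD_VERSION in a
    thin, little-endian 64-bit Mach-O. Raises ValueError on malformed input."""
    if len(macho) < 32 or struct.unpack_from("<I", macho, 0)[0] != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O (fat/32-bit unsupported)")
    ncmds, sizeofcmds = struct.unpack_from("<II", macho, 16)
    off, end, found = 32, 32 + sizeofcmds, []
    if end > len(macho):
        raise ValueError("sizeofcmds runs past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("ncmds exceeds the load command area")
        cmd, cmdsize = struct.unpack_from("<II", macho, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError(f"bad cmdsize {cmdsize} at offset {off}")
        if cmd == LC_BUILD_VERSION and cmdsize >= 24:
            platform, minos, sdk = struct.unpack_from("<III", macho, off + 8)
            found.append((PLATFORMS.get(platform, f"unknown({platform})"), _ver(minos), _ver(sdk)))
        off += cmdsize
    return found

def targets_platform(macho: bytes, name: str) -> bool:
    """True only if the file has LC_BUILD_VERSION entries and all name `name`."""
    vers = build_versions(macho)
    return bool(vers) and all(p == name for p, _, _ in vers)

def fake_macho(platform: int) -> bytes:
    """Constructed sample: a header plus one LC_BUILD_VERSION (minos 15.0, sdk 15.5)."""
    lc = struct.pack("<IIIIII", LC_BUILD_VERSION, 24, platform, 0x000F0000, 0x000F0500, 0)
    hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(lc), 0, 0)
    return hdr + lc

if __name__ == "__main__":
    for p in (2, 5):  # iOS-built vs bridgeOS-built sample
        print(build_versions(fake_macho(p)), targets_platform(fake_macho(p), "bridgeOS"))
```

To audit a real ramdisk, read each executable with `open(path, "rb").read()` and pass it to `targets_platform(data, "bridgeOS")`; anything that fails is a binary Siguza's dyld patch (or an LC_BUILD_VERSION edit) would be needed for.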

alhaithammsar commented 1 year ago

Hi, I have a T2 jailbreak like the checkra1n one that works on bridgeOS from 6.0 to 7.6+, and I also have an ssh ramdisk. LMK what you need these things for? Telegram @SDunlocks_91

graphine27 commented 4 months ago

Then we invoke the dyld patcher, and after that we hand off to launchd, but we inject a dylib to run code at various stages. It's... quite a bit of work

Hi @Siguza, can PongoOS patch dyld_shared_cache_arm64.01? I could only find how to patch the kernelcache with kpf.