search

mast3rz3ro / SSHRD_Script_Lite

A lite fork of SSH RAMDISK Script
BSD 3-Clause "New" or "Revised" License
10 stars 3 forks source link

9.7 iPad Pro (WIFI - ipad6,3): hdiutil: create failed + RSA PATCH FAILED #8

Closed frankpanduh closed 1 month ago

frankpanduh commented 7 months ago

Howdy hope this finds you well, I pulled the latest version to test with this device:

iPad Pro 9.7 (WIFI - 1st Gen) [iPad6,3 / A9X - j127ap]

It looks like the script hit a wall at:

[!] Could not find correct xref for _image4_get_partial.
[!] RSA PATCH FAILED

And the HDUtil stage:

/dev/disk2                                              
/dev/disk3              EF57347C-0000-11AA-AA11-0030654 
/dev/disk3s1            41504653-0000-11AA-AA11-0030654 /private/tmp/SSHRD
hdiutil: create failed - user interaction required for authorization
"disk2" ejected.
hdiutil: attach failed - No such file or directory
hdiutil: detach failed - No such file or directory
hdiutil: resize: failed. No such file or directory (2)
[-] Packing ramdisk into img4 ...
[-] Packing using img4 utility ...
[e] cannot open '2_ssh_ramdisk/temp_files/reassigned_ramdisk.dmg'

Happy to provide more logs and tests if you need be. Thanks in advance for your time!

Full Log:

./sshrd_lite.sh -p iPad6,3 -b 20H320 -g
[-] Setting-up ifirmware parser (for first run) ...
[!] Required tools are missing !
[!] Downloading into: './Darwin_pack.tar.xz' ...
[-] URL: 'https://raw.githubusercontent.com/mast3rz3ro/sshrd_tools/main/Darwin_pack.tar.xz' 
[-] Download completed !
[!] Extracting './Darwin_pack.tar.xz' ...
x ./tools/Darwin/
x ./tools/Darwin/gaster
x ./tools/Darwin/gtar
x ./tools/Darwin/iBoot64Patcher
x ./tools/Darwin/img4
x ./tools/Darwin/img4tool
x ./tools/Darwin/iproxy
x ./tools/Darwin/ipwnder
x ./tools/Darwin/irecovery
x ./tools/Darwin/jq
x ./tools/Darwin/kairos
x ./tools/Darwin/kerneldiff
x ./tools/Darwin/KPlooshFinder
x ./tools/Darwin/pzb
x ./tools/Darwin/sshpass
[!] Removing './Darwin_pack.tar.xz' ...
[-] Extracting sshtars ...
x ssh.tar
[-] Compressing sshtars into gz ...
[!] Special step for Darwin users (hdutil)
[-] START:iFirmware-Parser
[-] Parsing device info (from firmwares.json)...
[!] Downloading: BuildManifest.plist ...
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: BuildManifest.plist
100% [===================================================================================================>]
download succeeded
[!] PZB in Darwin cannot write output to another directory
[-] Moving from: ./iPad6,3_16.7.6_20H320.plist
[-] Getting list of ramdisk files ...
debug: ./tools/Darwin/pzb -l https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw > ./misc/firmware_keys/iPad6,3_20H320.log
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
4211686011 f 087-86615-021.dmg
 109051931 f 087-86622-021.dmg
  10485760 f 087-86715-021.dmg
 106954779 f 087-86719-021.dmg
2678063104 f 087-86757-021.dmg
    359679 f BuildManifest.plist
         0 d Firmware/
  20032349 f Firmware/087-86615-021.dmg.mtree
       229 f Firmware/087-86615-021.dmg.root_hash
     60215 f Firmware/087-86615-021.dmg.trustcache
      5767 f Firmware/087-86622-021.dmg.trustcache
       229 f Firmware/087-86715-021.dmg.root_hash
       767 f Firmware/087-86715-021.dmg.trustcache
      5569 f Firmware/087-86719-021.dmg.trustcache
       229 f Firmware/087-86757-021.dmg.root_hash
      1511 f Firmware/087-86757-021.dmg.trustcache
         0 d Firmware/AOP/
    500309 f Firmware/AOP/aopfw-ipad6baop.im4p
         0 d Firmware/all_flash/
     25872 f Firmware/all_flash/DeviceTree.j127ap.im4p
     26422 f Firmware/all_flash/DeviceTree.j128ap.im4p
    238148 f Firmware/all_flash/LLB.ipad6b.RELEASE.im4p
       292 f Firmware/all_flash/LLB.ipad6b.RELEASE.im4p.plist
     21587 f Firmware/all_flash/applelogo@2x~ipad.im4p
      9450 f Firmware/all_flash/batterycharging0@2x~ipad.im4p
     34594 f Firmware/all_flash/batterycharging1@2x~ipad.im4p
     98966 f Firmware/all_flash/batteryfull@2x~ipad.im4p
    119708 f Firmware/all_flash/batterylow0@2x~ipad.im4p
      3827 f Firmware/all_flash/batterylow1@2x~ipad.im4p
     31502 f Firmware/all_flash/glyphplugin@2x~ipad-lightning.im4p
    447636 f Firmware/all_flash/iBoot.ipad6b.RELEASE.im4p
       292 f Firmware/all_flash/iBoot.ipad6b.RELEASE.im4p.plist
   1867252 f Firmware/all_flash/recoverymode@2x~ipad-lightning.im4p
   3408126 f Firmware/all_flash/sep-firmware.j127.RELEASE.im4p
       396 f Firmware/all_flash/sep-firmware.j127.RELEASE.im4p.plist
   3408126 f Firmware/all_flash/sep-firmware.j128.RELEASE.im4p
       396 f Firmware/all_flash/sep-firmware.j128.RELEASE.im4p.plist
         0 d Firmware/dfu/
    447636 f Firmware/dfu/iBEC.ipad6b.RELEASE.im4p
       292 f Firmware/dfu/iBEC.ipad6b.RELEASE.im4p.plist
    238148 f Firmware/dfu/iBSS.ipad6b.RELEASE.im4p
       292 f Firmware/dfu/iBSS.ipad6b.RELEASE.im4p.plist
  31768516 f Firmware/vinyl_01_Mav13-10.00.00.Release.bbfw
      2369 f Firmware/vinyl_01_Mav13-10.00.00.Release.plist
      1416 f Restore.plist
       360 f RestoreVersion.plist
       492 f SystemVersion.plist
  22949492 f kernelcache.release.ipad6b
[-] Parsing... filenames
[!] Start downloading the ramdisk files...
[!] Downloading into: 1_prepare_ramdisk/iBEC.ipad6b.RELEASE.im4p
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/dfu/iBEC.ipad6b.RELEASE.im4p
100% [===================================================================================================>]
download succeeded
[!] Downloading into: 1_prepare_ramdisk/iBSS.ipad6b.RELEASE.im4p
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/dfu/iBSS.ipad6b.RELEASE.im4p
100% [===================================================================================================>]
download succeeded
[!] Downloading into: 1_prepare_ramdisk/iBoot.ipad6b.RELEASE.im4p
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/all_flash/iBoot.ipad6b.RELEASE.im4p
100% [===================================================================================================>]
download succeeded
[!] Downloading into: 1_prepare_ramdisk/DeviceTree.j127ap.im4p
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/all_flash/DeviceTree.j127ap.im4p
100% [===================================================================================================>]
download succeeded
[!] Downloading into: 1_prepare_ramdisk/087-86622-021.dmg.trustcache
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/087-86622-021.dmg.trustcache
100% [===================================================================================================>]
download succeeded
[!] Downloading into: 1_prepare_ramdisk/kernelcache.release.ipad6b
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: kernelcache.release.ipad6b
100% [===================================================================================================>]
download succeeded
[!] Downloading into: 1_prepare_ramdisk/087-86622-021.dmg
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: 087-86622-021.dmg
100% [===================================================================================================>]
download succeeded
[!] PZB in Darwin cannot write output to another directory
[-] Moving downloaded files into: 1_prepare_ramdisk
[!] Checking downloaded files...
[!] Download completed !
[-] END:iFirmware-Parser
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f
Compiled with plist: YES
Saved IM4M to 2_ssh_ramdisk/temp_files/shsh.bin
[!] Decrypting with gaster...
[!] Please make sure to put your device into DFU mode
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
- Copying iboot files to: './'
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
[-] Patching iBoot files using kairos ...
[+] Patching 2_ssh_ramdisk/temp_files/iBSS.dec
[+] Base address: 0x180000000
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x323af
[+] Found IMG4 xref at 0xf6d0
[+] Found beginning of _image4_get_partial at 0xf624
[+] Found xref to _image4_get_partial at 0x10074
[+] Found start of sub_18000ffa0
[+] Found ADR X2, 0x180030f70 at 0x104d4
[+] Call to sub_18000f90c
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to 2_ssh_ramdisk/temp_files/iBSS.patched
[+] Patching 2_ssh_ramdisk/temp_files/iBEC.dec
[+] Base address: 0x870000000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x870000000
[+] Found boot-arg string at 0x5ac36
[+] Relocating from 0x870015260...
[+] Found boot-arg xref at 0x8700152c8
[+] Pointing boot-arg xref to large string at: 0x8700242c8
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x5a5ce
[+] Found debug-enabled xref at 0x13b38
[+] Found second bl after debug-enabled xref at 0x13b4c
[+] Wrote MOVZ X0, #1 to 0x870013b4c
[+] Enabled kernel debug
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x5a3e1
[+] Found IMG4 xref at 0xd908
[+] Found beginning of _image4_get_partial at 0xd7e8
[!] Could not find correct xref for _image4_get_partial.
[!] RSA PATCH FAILED
[+] Wrote patched image to 2_ssh_ramdisk/temp_files/iBEC.patched
[+] Patching 2_ssh_ramdisk/temp_files/iBoot.dec
[+] Base address: 0x870000000
[+] Does have kernel load
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x5a5ce
[+] Found debug-enabled xref at 0x13b38
[+] Found second bl after debug-enabled xref at 0x13b4c
[+] Wrote MOVZ X0, #1 to 0x870013b4c
[+] Enabled kernel debug
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x5a3e1
[+] Found IMG4 xref at 0xd908
[+] Found beginning of _image4_get_partial at 0xd7e8
[!] Could not find correct xref for _image4_get_partial.
[!] RSA PATCH FAILED
[+] Wrote patched image to 2_ssh_ramdisk/temp_files/iBoot.patched
none
none
none
krnl
Starting KPlooshFinder
patch_trustcache_new: Found trustcache
patch_developer_mode: Found developer mode
patch_launch_constraints: Found launch constraints
patch_amfi_sha1: Found AMFI hashtype check
patch_vnode_lookup: Found vnode_lookup
patch_sbops: Found sbops
patch_shellcode_area: Found shellcode area
patch_ret0_gadget: Found ret0 gadget
patch_vnode_getpath: Found vnode_getpath
patch_vnode_getaddr: Found vnode_getattr
patch_vnode_open_close: Found vnode_open/vnode_close
Patching completed successfully.
[-] Searching for kernel differents...
[!] this could take a while please wait...
0x5e20d4 0x48 0xfffffffb
0x5e20d5 0xffffffd9 0xffffffff
0x5e20d7 0xfffffff0 0x17
0x11e5a34 0xffffffff 0x20
0x11e5a35 0xffffffc3 0x0
0x11e5a36 0x0 0xffffff80
0x11e5a37 0xffffffd1 0xffffffd2
0x11e5a38 0xfffffff4 0x42
0x11e5a39 0x4f 0x0
0x11e5a3a 0x1 0x0
0x11e5a3b 0xffffffa9 0xffffffb4
0x11e5a3c 0xfffffffd 0x40
0x11e5a3d 0x7b 0x0
0x11e5a3e 0x2 0x0
0x11e5a3f 0xffffffa9 0xfffffff9
0x11e5a40 0xfffffffd 0xffffffc0
0x11e5a41 0xffffff83 0x3
0x11e5a42 0x0 0x5f
0x11e5a43 0xffffff91 0xffffffd6
0x11e8bb4 0xfffffffc 0x0
0x11e8bb5 0x6f 0x0
0x11e8bb6 0xffffffba 0xffffff80
0x11e8bb7 0xffffffa9 0x52
0x11e8bb8 0xfffffffa 0xffffffc0
0x11e8bb9 0x67 0x3
0x11e8bba 0x1 0x5f
0x11e8bbb 0xffffffa9 0xffffffd6
0x11ef6f9 0x8 0x0
0x11ef6fb 0x71 0x6b
krnl
[-] Patching kernel completed !
dtre
[!] Found trustcache file : 1_prepare_ramdisk/087-86622-021.dmg.trustcache
rtsc
rdsk
/dev/disk2                                              
/dev/disk3              EF57347C-0000-11AA-AA11-0030654 
/dev/disk3s1            41504653-0000-11AA-AA11-0030654 /private/tmp/SSHRD
hdiutil: create failed - user interaction required for authorization
"disk2" ejected.
hdiutil: attach failed - No such file or directory
hdiutil: detach failed - No such file or directory
hdiutil: resize: failed. No such file or directory (2)
[-] Packing ramdisk into img4 ...
[-] Packing using img4 utility ...
[e] cannot open '2_ssh_ramdisk/temp_files/reassigned_ramdisk.dmg'
none
[-] Cleaning temp directory ...
[!] All Tasks Completed !
[-] To boot this SSHRD please use: ./boot_sshrd.sh
frankpanduh commented 7 months ago

If it helps forgot to mention my setup for testing:

OS: macOS 13.6.5 22G621 x86_64 Kernel: 22.6.0 Host: MacMini6,1 (OpenCore Legacy patched to use Ventura) Shell: zsh 5.9 CPU: Intel i5-3210M (4) @ 2.50GHz GPU: Intel HD Graphics 4000 Memory: 8790MiB / 16384MiB

Didn't see any hardware requirement stuff in case I should use a different device. I have a 22.04 buntu' box and a 2019 MBP to test on as well. Using the mac mini for USB-A ports ease of access.

mast3rz3ro commented 7 months ago

Hi,

Sorry for late respond...

hdiutil: create failed - user interaction required for authorization

This issue are happened when the script are run in normal mode. To solve this you will have to run the script in root mode, try again with this sudo ./sshrd_lite.sh -p iPad6,3 -b 20H320 -g and this issue will be solved.

[!] Could not find correct xref for _image4_get_partial. [!] RSA PATCH FAILED

This issue are expected to happened since kairos patcher haven't been updated in while. However If understood correctly what have been written in this report here this error message shouldn't cause you any big problem when using the patched image, furthermore you better test it and If see you are getting any issues while you are trying to boot with it.

I'll be waiting for your updates. Thanks!

frankpanduh commented 7 months ago

Okay tested with sudo:

sudo ./sshrd_lite.sh -p iPad6,3 -b 20H320 -g
Password:
[-] START:iFirmware-Parser
[-] Parsing device info (from firmwares.json)...
[-] Parsing... filenames
[!] Start downloading the ramdisk files...
[!] PZB in Darwin cannot write output to another directory
[-] Moving downloaded files into: 1_prepare_ramdisk
mv: rename ./ to 1_prepare_ramdisk/./: Invalid argument
mv: rename ./ to 1_prepare_ramdisk/./: Invalid argument
mv: rename ./ to 1_prepare_ramdisk/./: Invalid argument
[!] Checking downloaded files...
[!] Download completed !
[-] END:iFirmware-Parser
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f
Compiled with plist: YES
Saved IM4M to 2_ssh_ramdisk/temp_files/shsh.bin
[!] Decrypting with gaster...
[!] Please make sure to put your device into DFU mode
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Stage: RESET
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Stage: SETUP
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Stage: SPRAY
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Stage: PATCH
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
- Copying iboot files to: './'
cp: 1_prepare_ramdisk/ is a directory (not copied).
cp: 1_prepare_ramdisk/ is a directory (not copied).
cp: 1_prepare_ramdisk/ is a directory (not copied).
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
[-] Patching iBoot files using kairos ...
[+] Patching 2_ssh_ramdisk/temp_files/iBSS.dec
[+] Base address: 0x180000000
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x323af
[+] Found IMG4 xref at 0xf6d0
[+] Found beginning of _image4_get_partial at 0xf624
[+] Found xref to _image4_get_partial at 0x10074
[+] Found start of sub_18000ffa0
[+] Found ADR X2, 0x180030f70 at 0x104d4
[+] Call to sub_18000f90c
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to 2_ssh_ramdisk/temp_files/iBSS.patched
[+] Patching 2_ssh_ramdisk/temp_files/iBEC.dec
[+] Base address: 0x870000000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x870000000
[+] Found boot-arg string at 0x5ac36
[+] Relocating from 0x870015260...
[+] Found boot-arg xref at 0x8700152c8
[+] Pointing boot-arg xref to large string at: 0x8700242c8
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x5a5ce
[+] Found debug-enabled xref at 0x13b38
[+] Found second bl after debug-enabled xref at 0x13b4c
[+] Wrote MOVZ X0, #1 to 0x870013b4c
[+] Enabled kernel debug
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x5a3e1
[+] Found IMG4 xref at 0xd908
[+] Found beginning of _image4_get_partial at 0xd7e8
[!] Could not find correct xref for _image4_get_partial.
[!] RSA PATCH FAILED
[+] Wrote patched image to 2_ssh_ramdisk/temp_files/iBEC.patched
[+] Patching 2_ssh_ramdisk/temp_files/iBoot.dec
[+] Base address: 0x870000000
[+] Does have kernel load
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x5a5ce
[+] Found debug-enabled xref at 0x13b38
[+] Found second bl after debug-enabled xref at 0x13b4c
[+] Wrote MOVZ X0, #1 to 0x870013b4c
[+] Enabled kernel debug
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x5a3e1
[+] Found IMG4 xref at 0xd908
[+] Found beginning of _image4_get_partial at 0xd7e8
[!] Could not find correct xref for _image4_get_partial.
[!] RSA PATCH FAILED
[+] Wrote patched image to 2_ssh_ramdisk/temp_files/iBoot.patched
none
none
none
krnl
Starting KPlooshFinder
patch_trustcache_new: Found trustcache
patch_developer_mode: Found developer mode
patch_launch_constraints: Found launch constraints
patch_amfi_sha1: Found AMFI hashtype check
patch_vnode_lookup: Found vnode_lookup
patch_sbops: Found sbops
patch_shellcode_area: Found shellcode area
patch_ret0_gadget: Found ret0 gadget
patch_vnode_getpath: Found vnode_getpath
patch_vnode_getaddr: Found vnode_getattr
patch_vnode_open_close: Found vnode_open/vnode_close
Patching completed successfully.
[-] Searching for kernel differents...
[!] this could take a while please wait...
0x5e20d4 0x48 0xfffffffb
0x5e20d5 0xffffffd9 0xffffffff
0x5e20d7 0xfffffff0 0x17
0x11e5a34 0xffffffff 0x20
0x11e5a35 0xffffffc3 0x0
0x11e5a36 0x0 0xffffff80
0x11e5a37 0xffffffd1 0xffffffd2
0x11e5a38 0xfffffff4 0x42
0x11e5a39 0x4f 0x0
0x11e5a3a 0x1 0x0
0x11e5a3b 0xffffffa9 0xffffffb4
0x11e5a3c 0xfffffffd 0x40
0x11e5a3d 0x7b 0x0
0x11e5a3e 0x2 0x0
0x11e5a3f 0xffffffa9 0xfffffff9
0x11e5a40 0xfffffffd 0xffffffc0
0x11e5a41 0xffffff83 0x3
0x11e5a42 0x0 0x5f
0x11e5a43 0xffffff91 0xffffffd6
0x11e8bb4 0xfffffffc 0x0
0x11e8bb5 0x6f 0x0
0x11e8bb6 0xffffffba 0xffffff80
0x11e8bb7 0xffffffa9 0x52
0x11e8bb8 0xfffffffa 0xffffffc0
0x11e8bb9 0x67 0x3
0x11e8bba 0x1 0x5f
0x11e8bbb 0xffffffa9 0xffffffd6
0x11ef6f9 0x8 0x0
0x11ef6fb 0x71 0x6b
krnl
[-] Patching kernel completed !
dtre
[!] Found trustcache file : 1_prepare_ramdisk/087-86622-021.dmg.trustcache
rtsc
rdsk
/dev/disk2                                              
/dev/disk3              EF57347C-0000-11AA-AA11-0030654 
/dev/disk3s1            41504653-0000-11AA-AA11-0030654 /private/tmp/SSHRD
....................................
created: /Users/panduh/Desktop/SSHRD_Script_Lite/2_ssh_ramdisk/temp_files/reassigned_ramdisk.dmg
"disk2" ejected.
/dev/disk2                                              /private/tmp/SSHRD
"disk2" ejected.
[-] Packing ramdisk into img4 ...
[-] Packing using img4 utility ...
none
none
[-] Cleaning temp directory ...
[!] All Tasks Completed !
[-] To boot this SSHRD please use: ./boot_sshrd.sh

Tested with ./boot_sshrd.sh:


./boot_sshrd.sh
1: ./2_ssh_ramdisk/iPad6,3_j127ap_20H320/
[-] Please select a directory:1
[-] Reading connected device info ...
[!] Please make sure to put your device into DFU mode
[!] Starting SSHRD booting...
[-] Sending iBSS ...
Attempting to connect... 
opening device 05ac:1227 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
Unexpected state 8, issuing ABORT
Unable to upload data to device
Attempting to connect... 
opening device 05ac:1227 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
[==================================================] 100.0%
Command completed successfully
[-] Sending iBEC ...
Attempting to connect... 
opening device 05ac:1227 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
[==================================================] 100.0%
Command completed successfully
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
[==================================================] 100.0%
Command completed successfully
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
Command completed successfully
[-] Sending ramdisk ...
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
[==================================================] 100.0%
Command completed successfully
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
Command completed successfully
[-] Sending devicetree ...
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
[==================================================] 100.0%
Command completed successfully
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
Command completed successfully
[-] Sending trustcache ...
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
[==================================================] 100.0%
Command completed successfully
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
Command completed successfully
[-] Sending kernelcache ...
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
[==================================================] 100.0%
Command completed successfully
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
Command completed successfully
[!] SSHRD Booting has completed!

Just can't seem to ssh after.

./sshrd_lite.sh -c
kex_exchange_identification: read: Connection reset by peer
Connection reset by ::1 port 2222
./sshrd_lite.sh: line 67: [: =: unary operator expected
[-] Force closing usbmuxd ...
sudo: systemctl: command not found
sudo: usbmuxd: command not found
mast3rz3ro commented 7 months ago

[!] SSHRD Booting has completed!

Please make a verbose output are shown in your iPad screen otherwise this would indicate that the sshrd boot has failed.

kex_exchange_identification: read: Connection reset by peer

Please open new terminal windows and try removing the previous auth keys with this command: rm -Rf ./.ssh

sudo: systemctl: command not found sudo: usbmuxd: command not found

You shouldn't seen this message since you are using macOS, I have pushed a commit to fix this mistake.

frankpanduh commented 7 months ago

[!] SSHRD Booting has completed!

Please make a verbose output are shown in your iPad screen otherwise this would indicate that the sshrd boot has failed.

Howdy, Thanks again for your time.

How do I set a verbose output? I didn't see that option.

No output on the screen after ./boot_sshrd to clarify if you meant to verify if there was a verbose output after the "booting has completed!" stage.

Create Log:

sudo ./sshrd_lite.sh -p iPad6,3 -b 20H320 -g
[-] START:iFirmware-Parser
[-] Parsing device info (from firmwares.json)...
[-] Parsing... filenames
[!] Start downloading the ramdisk files...
[!] PZB in Darwin cannot write output to another directory
[-] Moving downloaded files into: 1_prepare_ramdisk
mv: rename ./ to 1_prepare_ramdisk/./: Invalid argument
mv: rename ./ to 1_prepare_ramdisk/./: Invalid argument
mv: rename ./ to 1_prepare_ramdisk/./: Invalid argument
[!] Checking downloaded files...
[!] Download completed !
[-] END:iFirmware-Parser
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f
Compiled with plist: YES
Saved IM4M to 2_ssh_ramdisk/temp_files/shsh.bin
[!] Decrypting with gaster...
[!] Please make sure to put your device into DFU mode
[Hint] If you stuck here then close the script and run it again with sudo
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Stage: RESET
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Stage: SETUP
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Stage: SPRAY
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Stage: PATCH
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
- Copying iboot files to: './'
cp: 1_prepare_ramdisk/ is a directory (not copied).
cp: 1_prepare_ramdisk/ is a directory (not copied).
cp: 1_prepare_ramdisk/ is a directory (not copied).
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
[-] Patching iBoot files using kairos ...
[+] Patching 2_ssh_ramdisk/temp_files/iBSS.dec
[+] Base address: 0x180000000
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x323af
[+] Found IMG4 xref at 0xf6d0
[+] Found beginning of _image4_get_partial at 0xf624
[+] Found xref to _image4_get_partial at 0x10074
[+] Found start of sub_18000ffa0
[+] Found ADR X2, 0x180030f70 at 0x104d4
[+] Call to sub_18000f90c
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to 2_ssh_ramdisk/temp_files/iBSS.patched
[+] Patching 2_ssh_ramdisk/temp_files/iBEC.dec
[+] Base address: 0x870000000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x870000000
[+] Found boot-arg string at 0x5ac36
[+] Relocating from 0x870015260...
[+] Found boot-arg xref at 0x8700152c8
[+] Pointing boot-arg xref to large string at: 0x8700242c8
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x5a5ce
[+] Found debug-enabled xref at 0x13b38
[+] Found second bl after debug-enabled xref at 0x13b4c
[+] Wrote MOVZ X0, #1 to 0x870013b4c
[+] Enabled kernel debug
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x5a3e1
[+] Found IMG4 xref at 0xd908
[+] Found beginning of _image4_get_partial at 0xd7e8
[!] Could not find correct xref for _image4_get_partial.
[!] RSA PATCH FAILED
[+] Wrote patched image to 2_ssh_ramdisk/temp_files/iBEC.patched
[+] Patching 2_ssh_ramdisk/temp_files/iBoot.dec
[+] Base address: 0x870000000
[+] Does have kernel load
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x5a5ce
[+] Found debug-enabled xref at 0x13b38
[+] Found second bl after debug-enabled xref at 0x13b4c
[+] Wrote MOVZ X0, #1 to 0x870013b4c
[+] Enabled kernel debug
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x5a3e1
[+] Found IMG4 xref at 0xd908
[+] Found beginning of _image4_get_partial at 0xd7e8
[!] Could not find correct xref for _image4_get_partial.
[!] RSA PATCH FAILED
[+] Wrote patched image to 2_ssh_ramdisk/temp_files/iBoot.patched
none
none
none
krnl
Starting KPlooshFinder
patch_trustcache_new: Found trustcache
patch_developer_mode: Found developer mode
patch_launch_constraints: Found launch constraints
patch_amfi_sha1: Found AMFI hashtype check
patch_vnode_lookup: Found vnode_lookup
patch_sbops: Found sbops
patch_shellcode_area: Found shellcode area
patch_ret0_gadget: Found ret0 gadget
patch_vnode_getpath: Found vnode_getpath
patch_vnode_getaddr: Found vnode_getattr
patch_vnode_open_close: Found vnode_open/vnode_close
Patching completed successfully.
[-] Searching for kernel differents...
[!] this could take a while please wait...
0x5e20d4 0x48 0xfffffffb
0x5e20d5 0xffffffd9 0xffffffff
0x5e20d7 0xfffffff0 0x17
0x11e5a34 0xffffffff 0x20
0x11e5a35 0xffffffc3 0x0
0x11e5a36 0x0 0xffffff80
0x11e5a37 0xffffffd1 0xffffffd2
0x11e5a38 0xfffffff4 0x42
0x11e5a39 0x4f 0x0
0x11e5a3a 0x1 0x0
0x11e5a3b 0xffffffa9 0xffffffb4
0x11e5a3c 0xfffffffd 0x40
0x11e5a3d 0x7b 0x0
0x11e5a3e 0x2 0x0
0x11e5a3f 0xffffffa9 0xfffffff9
0x11e5a40 0xfffffffd 0xffffffc0
0x11e5a41 0xffffff83 0x3
0x11e5a42 0x0 0x5f
0x11e5a43 0xffffff91 0xffffffd6
0x11e8bb4 0xfffffffc 0x0
0x11e8bb5 0x6f 0x0
0x11e8bb6 0xffffffba 0xffffff80
0x11e8bb7 0xffffffa9 0x52
0x11e8bb8 0xfffffffa 0xffffffc0
0x11e8bb9 0x67 0x3
0x11e8bba 0x1 0x5f
0x11e8bbb 0xffffffa9 0xffffffd6
0x11ef6f9 0x8 0x0
0x11ef6fb 0x71 0x6b
krnl
[-] Patching kernel completed !
dtre
[!] Found trustcache file : 1_prepare_ramdisk/087-86622-021.dmg.trustcache
rtsc
rdsk
/dev/disk2                                              
/dev/disk3              EF57347C-0000-11AA-AA11-0030654 
/dev/disk3s1            41504653-0000-11AA-AA11-0030654 /private/tmp/SSHRD
.............................................................
created: /Users/panduh/Desktop/SSHRD_Script_Lite/2_ssh_ramdisk/temp_files/reassigned_ramdisk.dmg
"disk2" ejected.
/dev/disk2                                              /private/tmp/SSHRD
"disk2" ejected.
[-] Packing ramdisk into img4 ...
[-] Packing using img4 utility ...
none
none
[-] Cleaning temp directory ...
[!] All Tasks Completed !
[-] To boot this SSHRD please use: ./boot_sshrd.sh

Test ./boot_sshrd.sh:

 ./boot_sshrd.sh -d
1: ./2_ssh_ramdisk/iPad6,3_j127ap_20H320/
[-] Please select a directory:
[-] Reading connected device info ...
[!] Please make sure to put your device into DFU mode
[!] Starting SSHRD booting...
[-] Sending iBSS ...
Attempting to connect... 
opening device 05ac:1227 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
Unexpected state 8, issuing ABORT
Unable to upload data to device
Attempting to connect... 
opening device 05ac:1227 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
[==================================================] 100.0%
Command completed successfully
[-] Sending iBEC ...
Attempting to connect... 
opening device 05ac:1227 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
[==================================================] 100.0%
Command completed successfully
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
[==================================================] 100.0%
Command completed successfully
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
Command completed successfully
[-] Sending ramdisk ...
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
[==================================================] 100.0%
Command completed successfully
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
Command completed successfully
[-] Sending devicetree ...
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
[==================================================] 100.0%
Command completed successfully
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
Command completed successfully
[-] Sending trustcache ...
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
[==================================================] 100.0%
Command completed successfully
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
Command completed successfully
[-] Sending kernelcache ...
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
[==================================================] 100.0%
Command completed successfully
Attempting to connect... 
opening device 05ac:1281 @ 0x14300000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPad6,3, model j127ap, cpid 0x8001, bdid 0x08
Command completed successfully
[!] SSHRD Booting has completed!

At this stage: pure black with backlight screen on the ipad, no output text on the screen. So I tested: ./sshrd_lite.sh -c

SSH test with new commit:

./sshrd_lite.sh -c kex_exchange_identification: read: Connection reset by peer Connection reset by ::1 port 2222

So I would assume since there is no output on the screen after the ./boot_sshrd.sh stage and manually ssh attempts after testing ./sshrd_lite.sh -c didn't connect. That it didn't create a proper ramdisk? Or do i need to reconfigure something to get it to boot in verbose?

mast3rz3ro commented 7 months ago

No output on the screen after ./boot_sshrd to clarify if you meant to verify if there was a verbose output after the "booting has completed!" stage.

Opa, I meant to check If verbose output are shown in your ipad screen, e.g see this picture: 4mc47oprhiwy

At this stage: pure black with backlight screen on the ipad, no output text on the screen

Unfortunately this means boot has failed i.e something are wrong with the ssh ramdisk files.

do i need to reconfigure something to get it to boot in verbose?

Now your only option will be to try make ramdisk for lower ios version. Go to TheAppleWiki page and find the first same major but stable iOS firmware and then try with the exact build version you found.

mast3rz3ro commented 7 months ago

[!] Could not find correct xref for _image4_get_partial. [!] RSA PATCH FAILED

I would recommend to report this to kairos author, so hopefully this issue will get solved in nearest feature.

mast3rz3ro commented 7 months ago

@frankpanduh Please try booting with 20B82 build-version and let me know If it's work.