mcampetta / t8012-DTS

T8012 Data Transfer Setup Tool - A tool that mounts the internal storage of a T2 machine as a volume. Particularly useful when that machine is inoperable or not functioning due to bad graphics or a bad processor (provided the board's faults aren't shorting out the lines that power the FLASH or the T2 co-processor). Based on PyBoot and the checkm8 exploit.

Help with T2 Macbook16,1 #3

Open DengueTim opened 2 years ago

DengueTim commented 2 years ago

What went wrong? The MacBook16,1 ends up as a USB iPhone recovery device:

 Apple Mobile Device (Recovery Mode):

  Product ID:   0x1281
  Vendor ID:    0x05ac (Apple Inc.)
  Version:  0.00
  Serial Number:    SDOM:01 CPID:8012 CPRV:10 CPFM:03 SCEP:01 BDID:3A ECID:001448A90AF28026 IBFL:3C SRNM:[C02CX15VMD6T]
  Speed:    Up to 480 Mb/s
  Manufacturer: Apple Inc.
  Location ID:  0x14200000 / 40
  Current Available (mA):   500
  Current Required (mA):    500
  Extra Operating Current (mA): 0

Don't see any errors..

hack@Crumpet t8012-DTS % ./odts.py -b resources/bootlogo.png -i iBridge2,14 6.6
Ontrack_T2Boot - A tool for tether booting Checkm8 vulnerable Mac devices by Martin, @mhotshotmc

Current version is: Beta 0.0.1
Make sure your device is connected in DFU mode
Retrieved ECID for device is: 0x001448a90af28026
Retrieved BDID for device is: 0x3a

Looking up board configuration based on retrieved BDID of 0x3a

Found match at j152fap
subprocess: ./resources/bin/tsschecker -d iBridge2,14 -e 0x001448a90af28026 --boardconfig j152fap -i 6.6 -s
Signing ticket for iBridge2,14 with 0x001448a90af28026 on iOS 6.6 saved successfully at ./resources/shsh.shsh.. Moving on...
PWNing T2 device to extract GID keys.. If this fails for more than a few seconds please restart the device and start over..
Device already in PWNDFU mode, not re-running exploit..
Downloading 6.6's BuildManifest.plist
Extracting: BuildManifest.plist, from iBridge2,1,iBridge2,10,iBridge2,12,iBridge2,14,iBridge2,15,iBridge2,16,iBridge2,19,iBridge2,20,iBridge2,21,iBridge2,22,iBridge2,3,iBridge2,4,iBridge2,5,iBridge2,6,iBridge2,7,iBridge2,8_6.6_19P6067_Restore.ipsw
Device set to j152fap
iBEC.j152f.RELEASE.im4p
iBSS.j152f.RELEASE.im4p
Getting SHSH for signing images
001448A90AF28026
Downloading and patching 6.6's iBSS/iBEC
Extracting: Firmware/dfu/iBEC.j152f.RELEASE.im4p, from iBridge2,1,iBridge2,10,iBridge2,12,iBridge2,14,iBridge2,15,iBridge2,16,iBridge2,19,iBridge2,20,iBridge2,21,iBridge2,22,iBridge2,3,iBridge2,4,iBridge2,5,iBridge2,6,iBridge2,7,iBridge2,8_6.6_19P6067_Restore.ipsw
Extracting: Firmware/dfu/iBSS.j152f.RELEASE.im4p, from iBridge2,1,iBridge2,10,iBridge2,12,iBridge2,14,iBridge2,15,iBridge2,16,iBridge2,19,iBridge2,20,iBridge2,21,iBridge2,22,iBridge2,3,iBridge2,4,iBridge2,5,iBridge2,6,iBridge2,7,iBridge2,8_6.6_19P6067_Restore.ipsw
iBSSKBAG is aee5e3d544de752c7f10f418cfdbff40e06e687c73b27d4bcae33c8bb1b05488c7101a5620b5fbb7dc65922f4f73f0aa
iBECKBAG is 16bc1afa7df1076bd9934ca53d8e2faf50e047fe9230cfc24913afa359767607bbc0d63f1f99ff2c9a80f44e6eaf43c3
Boot arguments for iBec set to rd=md0 -v
Downloading 6.6's KernelCache
Extracting: kernelcache.release.ibridge2p, from iBridge2,1,iBridge2,10,iBridge2,12,iBridge2,14,iBridge2,15,iBridge2,16,iBridge2,19,iBridge2,20,iBridge2,21,iBridge2,22,iBridge2,3,iBridge2,4,iBridge2,5,iBridge2,6,iBridge2,7,iBridge2,8_6.6_19P6067_Restore.ipsw
Downloading 6.6's DeviceTree
Extracting: Firmware/all_flash/DeviceTree.j152fap.im4p, from iBridge2,1,iBridge2,10,iBridge2,12,iBridge2,14,iBridge2,15,iBridge2,16,iBridge2,19,iBridge2,20,iBridge2,21,iBridge2,22,iBridge2,3,iBridge2,4,iBridge2,5,iBridge2,6,iBridge2,7,iBridge2,8_6.6_19P6067_Restore.ipsw
Downloading 6.6's TrustCache
Extracting: Firmware/078-33004-072.dmg.trustcache, from iBridge2,1,iBridge2,10,iBridge2,12,iBridge2,14,iBridge2,15,iBridge2,16,iBridge2,19,iBridge2,20,iBridge2,21,iBridge2,22,iBridge2,3,iBridge2,4,iBridge2,5,iBridge2,6,iBridge2,7,iBridge2,8_6.6_19P6067_Restore.ipsw
Patching TrustCache's type from trst to rtsc
Patching Devicetree's type from dtre to rdtr
Signing boot files
Signing firmware images before attempting to upload them to the device
IBSS and IBEC staged in StagedFiles dir
Removed image_load call; all incoming images will be loaded as raw
iBSS sent! Device should be booting into recovery
/Users/hack/src/t8012-DTS/resources
[==================================================] 100.0%
iBEC sent! Device should initializing iBEC
[==================================================] 100.0%
Bootx command send. This is needed to prevent Devicetree related issues later on
[==================================================] 100.0%
Stopping here as this is all we have implemented!

[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
Device should be booting!
hack@Crumpet t8012-DTS % 
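Added example for this thread (not code from t8012-DTS, PyBoot or the poster): it covers two steps that are visible in the log above. First, parsing the USB serial string the System Information dump shows (CPID, BDID, ECID and friends) into the fields the tool keys on, and telling DFU mode (USB product ID 0x1227) from iBoot/iBEC recovery mode (0x1281, which is what the dump reports). Second, re-tagging an Image4 payload (im4p) type the way the log reports for a ramdisk boot ("trst -> rtsc", "dtre -> rdtr"). The BDID-to-board table holds only the one mapping the log prints (0x3a -> j152fap); the im4p builder writes a minimal constructed DER structure with a dummy payload so the example runs offline, and a real file may carry extra trailing fields (such as the KBAG) that the demo omits.

```python
# Added example for this issue thread; not code from t8012-DTS or PyBoot.

DFU_PID = 0x1227        # Apple DFU mode USB product ID
RECOVERY_PID = 0x1281   # iBoot/iBSS/iBEC recovery mode USB product ID (as in the log)

# Only the mapping the log itself shows; a real tool carries a full table.
BOARD_BY_BDID = {0x3A: "j152fap"}

# Ramdisk re-tagging reported in the log: raw type -> type iBoot expects for a ramdisk boot.
RAMDISK_RETAGS = {"trst": "rtsc", "dtre": "rdtr"}

_HEX_FIELDS = ("SDOM", "CPID", "CPRV", "CPFM", "SCEP", "BDID", "ECID", "IBFL")


def parse_serial(serial: str) -> dict:
    """Turn 'CPID:8012 BDID:3A ECID:... SRNM:[xxx] PWND:[checkm8]' into a dict.
    Hex fields become ints; bracketed values lose their brackets."""
    fields = {}
    for token in serial.split():
        key, _, value = token.partition(":")
        value = value.strip("[]")
        fields[key] = int(value, 16) if key in _HEX_FIELDS else value
    return fields


def describe_device(pid: int, serial: str) -> dict:
    """Summarise what the USB enumeration tells us before any image is sent."""
    fields = parse_serial(serial)
    mode = {DFU_PID: "dfu", RECOVERY_PID: "recovery"}.get(pid, "unknown")
    return {
        "mode": mode,
        "pwned": "PWND" in fields,          # checkm8 pwned DFU advertises PWND:[checkm8]
        "is_t2": fields.get("CPID") == 0x8012,
        "board": BOARD_BY_BDID.get(fields.get("BDID")),
        "ecid": fields.get("ECID"),
    }


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def build_im4p(fourcc: str, desc: str, payload: bytes) -> bytes:
    """Constructed minimal im4p: SEQUENCE { IA5String 'IM4P', IA5String type,
    IA5String description, OCTET STRING payload }. Demo only; real files may
    carry extra trailing fields (e.g. the KBAG) which are not modelled here."""
    if len(fourcc) != 4:
        raise ValueError("Image4 type must be a 4-character tag")
    inner = (_der(0x16, b"IM4P") + _der(0x16, fourcc.encode("ascii"))
             + _der(0x16, desc.encode("ascii")) + _der(0x04, payload))
    return _der(0x30, inner)


def _tlv(buf: bytes, off: int):
    """Read one DER TLV header at off; return (tag, value_offset, value_length)."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    return tag, off, length


def im4p_type(blob: bytes):
    """Return (type, offset_of_type_bytes) for an im4p after validating the magic."""
    tag, off, _ = _tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, off, length = _tlv(blob, off)
    if tag != 0x16 or blob[off:off + length] != b"IM4P":
        raise ValueError("missing IM4P magic")
    tag, off, length = _tlv(blob, off + length)
    if tag != 0x16 or length != 4:
        raise ValueError("malformed type field")
    return blob[off:off + 4].decode("ascii"), off


def retag_im4p(blob: bytes, new_type: str) -> bytes:
    """Overwrite the 4CC type in place. Old and new tags are both 4 bytes, so no
    DER length changes and the payload (still encrypted under its KBAG, if any)
    is preserved byte for byte."""
    if len(new_type) != 4:
        raise ValueError("Image4 type must be a 4-character tag")
    _, off = im4p_type(blob)
    return blob[:off] + new_type.encode("ascii") + blob[off + 4:]


def retag_for_ramdisk(blob: bytes) -> bytes:
    """Apply the log's trst->rtsc / dtre->rdtr mapping; other types pass through."""
    cur, _ = im4p_type(blob)
    return retag_im4p(blob, RAMDISK_RETAGS[cur]) if cur in RAMDISK_RETAGS else blob


if __name__ == "__main__":
    # Serial string copied from the System Information dump in the issue above.
    serial = ("SDOM:01 CPID:8012 CPRV:10 CPFM:03 SCEP:01 BDID:3A "
              "ECID:001448A90AF28026 IBFL:3C SRNM:[C02CX15VMD6T]")
    print(describe_device(RECOVERY_PID, serial))
    tc = build_im4p("trst", "constructed trustcache", b"\x00" * 32)  # dummy payload
    print(im4p_type(retag_for_ramdisk(tc))[0])
```

The retag works on the DER structure rather than a blind byte search because the four-character tag also appears inside the description string of many im4p files; locating it through the SEQUENCE keeps the patch from landing on the wrong occurrence.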
jtechgr commented 1 year ago

What went wrong here?

./odts.py -i iBridge2,4 7.2

20230226_202323

alhaithammsar commented 11 months ago

After lots of trying and fixes I got it to work; finally I can sleep :)

TannerDrake commented 3 months ago

How'd you get this to work?

AlexeyInwerp commented 2 months ago

The iBSS patching part is removed from the script. The dude above sells it as a solution; however, I believe and hope it will go public in a few months.