tihmstar / iBoot64Patcher

A reboot of the popular iBoot32Patcher but with twice the amount of bits

Patches do not remove signature checks #5

Open krisanovdev opened 4 years ago

krisanovdev commented 4 years ago

I've decrypted iBSS, then patched it with iBoot64Patcher and packed it back into an img4. Then I uploaded it to the device via:

irecovery -f ibss.patched.img4

So far so good, I can talk to iBSS, for example execute some commands like irecovery -c 'bgcolor 100 100 250'. The problems begin when I upload the original Apple bootlogo:

irecovery -f bootlogo.img4
irecovery -c setpicture
irecovery -c 'bgcolor 0 0 0'

The Apple logo does not appear, and I conclude that iBSS fails to validate the logo signature.

krisanovdev commented 4 years ago

I should say that I have an iPhone 7 on iOS 12.1.2 and sign iBSS and the logo with a random Ap-Ticket to test the signature check bypass. I've chosen an Ap-Ticket for iPhone 7 iOS 13.1.2 (saved with tsssaver).

krisanovdev commented 4 years ago

@tihmstar Any idea?

cakarlen commented 4 years ago

@MrKris99 Were you able to solve this? I'm experiencing the same issue.

Merculous commented 4 years ago

It definitely patches the checks. I have loaded patched iBoot multiple times and even downgraded to 10.3.3 with iBoot64Patcher.

cakarlen commented 4 years ago

@Merculous Whenever I upload my pwned iBSS/iBEC and devicetree, I get an invalid image error (?). How did you manage to boot your device?

On Oct 23, 2019, at 00:23, Brandon notifications@github.com wrote:

It definitely patches the checks. I have loaded patched iBoot multiple times and even downgraded to 10.3.3 with iBoot64Patcher.


Merculous commented 4 years ago

You should check out my 10.3.3 downgrade fork. https://github.com/Merculous/1033-OTA-Downgrader

krisanovdev commented 4 years ago

Looks like it only works for some specific iOS versions or device models.

tihmstar commented 4 years ago

The way the sigpatches work is that the IM4M checks are skipped. This means you still need to have a valid APTicket. However, the APTicket does not need to belong to the ECID or to the iOS version.

The way you would need to use the sigpatches is to get a fresh ticket with tsschecker for your device for the latest signed iOS (or any valid APTicket really). Then use img4tool to pack your custom im4p together with that APTicket into an img4. That, together with the sigcheck patches, should make it validate the image successfully.

krisanovdev commented 4 years ago

@tihmstar Yeah, I've got the latest APTicket from the Apple TSS server and signed the patched im4p with it (im4p + im4m = img4). But the patched iBSS still fails to validate later images (ramdisk, for example). Your code works for 2-step devices (A9 processors and lower). But it will not work on A10 iBSS, for example. I had to write my own patches to make it work.

tihmstar commented 4 years ago

You need to pack the APTicket into the later images like the ramdisk, not the iBSS itself.

krisanovdev commented 4 years ago

@tihmstar Let's analyze it once again. I've patched iBSS and signed it with the latest APTicket (with the help of your img4tool). Then I signed the original ramdisk with the same ticket, but when I load it I see the error "Invalid ramdisk image". I'm sure that your code contains a bug because I was able to patch the sigchecks with my own algorithm (patch a few opcodes in the Img4DecodePerformTrustEvaluation func). Once again, your code works perfectly on 2-step devices. But it does not work on 1-step. I can help investigate the issue by sending the exact images to you.

tihmstar commented 4 years ago

Yeah, I guess the best would be if you send a link to the IPSW and let me know what exact images you use. Also, while you're at it, can you get the patches that iBoot64Patcher applies and the ones you apply? Maybe it's worth updating the patchfinder.