Add SSH ramdisk support for A8, A9, A10 devices

README.md

@@ -7,7 +7,8 @@
 - **Read the ["Troubleshooting" wiki page](https://github.com/LukeZGD/Legacy-iOS-Kit/wiki/Troubleshooting) for tips, frequent questions, and troubleshooting**
 
 ## Features
-- Legacy iOS Kit supports all 32-bit iOS devices, and some A7/A8 64-bit devices
+- Legacy iOS Kit supports all 32-bit iOS devices, and some 64-bit (A7/A8/A9/A10) devices
+    - Devices that received iOS 16 and newer are not supported and only have limited functionality (such as sideload on Linux etc.)
 - Restore to signed OTA versions (iOS 8.4.1 and/or 6.1.3) on A5/A6 devices
 - Restore some 32-bit devices to other iOS versions without blobs
     - This includes downgrading iPhone 3GS, iPhone 4 GSM and CDMA, iPod touch 2, touch 3, iPad 1
@@ -25,10 +26,12 @@
 - Save onboard and Cydia SHSH blobs for 32-bit devices
 - Save onboard SHSH blobs for jailbroken 64-bit devices (deverser)
 - Enter pwned iBSS/kDFU mode for supported 32-bit devices
-- Boot SSH Ramdisk for 32-bit and A7 devices
+- Boot SSH Ramdisk for supported 32-bit and 64-bit devices
+- Save onboard SHSH blobs using SSH Ramdisk for the supported 64-bit devices
+- Install [TrollStore](https://github.com/opa334/TrollStore) using SSH Ramdisk for the supported 64-bit devices on iOS 14/15
 - Clear NVRAM for 32-bit devices
 - Device activation using ideviceactivation (useful for iOS 4 and lower)
-- The latest baseband will be flashed for A5/A6 devices (iPhone 4S, 5, 5C, iPad 4, mini 1)
+- The latest baseband will be flashed for A5/A6 devices (for iPhone 4S, 5, 5C, iPad 4, mini 1)
 - Dumping and stitching baseband to IPSW (requires `--disable-bbupdate`)
 - Dumping and stitching activation records to IPSW (requires `--activation-records`)
 
@@ -158,6 +161,6 @@
 - Some patches from [PwnageTool](https://www.theiphonewiki.com/wiki/PwnageTool), [sn0wbreeze](https://www.theiphonewiki.com/wiki/sn0wbreeze), [redsn0w](https://www.theiphonewiki.com/wiki/redsn0w)
 - Some patches made using patchers from [Bundle-Creation](https://github.com/Merculous/Bundle-Creation)
 - SSH Ramdisk tars from [SSH-Ramdisk-Maker-and-Loader](https://github.com/Ralph0045/SSH-Ramdisk-Maker-and-Loader) and [msftguy's ssh-rd](https://github.com/msftguy/ssh-rd)
-- A7 SSH Ramdisk stuff is based on [SSHRD_Script](https://github.com/verygenericname/SSHRD_Script) (iOS 12) and [iarchive.app](https://ios7.iarchive.app/downgrade/making-ramdisk.html) (iOS 8)
+- 64-bit SSH Ramdisk stuff is based on [SSHRD_Script](https://github.com/verygenericname/SSHRD_Script) (iOS 12+) and [iarchive.app](https://ios7.iarchive.app/downgrade/making-ramdisk.html) (iOS 8)
     - [img4lib](https://github.com/xerub/img4lib) - xerub
     - [img4tool](https://github.com/tihmstar/img4tool) - tihmstar

resources/sshrd/kernelcache.release.ipad5.bpatch

@@ -0,0 +1,13 @@
+#AMFI
+
+0x231db0 0xffffffff 0x20
+0x231db1 0xffffff83 0x20
+0x231db2 0x0 0xffffff80
+0x231db3 0xffffffd1 0xffffffd2
+0x231db4 0xfffffffd 0xffffffc0
+0x231db5 0x7b 0x3
+0x231db6 0x1 0x5f
+0x231db7 0xffffffa9 0xffffffd6
+0xb76412 0x63 0x78
+0xe30f19 0x8 0x0
+0xe30f1b 0x71 0x6b

resources/sshrd/kernelcache.release.ipad5b.bpatch

@@ -0,0 +1,13 @@
+#AMFI
+
+0x231db0 0xffffffff 0x20
+0x231db1 0xffffff83 0x20
+0x231db2 0x0 0xffffff80
+0x231db3 0xffffffd1 0xffffffd2
+0x231db4 0xfffffffd 0xffffffc0
+0x231db5 0x7b 0x3
+0x231db6 0x1 0x5f
+0x231db7 0xffffffa9 0xffffffd6
+0xb67852 0x63 0x78
+0xe2cf19 0x8 0x0
+0xe2cf1b 0x71 0x6b

resources/sshrd/kernelcache.release.iphone7.bpatch

@@ -0,0 +1,13 @@
+#AMFI
+
+0x21e918 0x63 0x78
+0x8304d4 0xffffffff 0x20
+0x8304d5 0xffffffc3 0x20
+0x8304d6 0x0 0xffffff80
+0x8304d7 0xffffffd1 0xffffffd2
+0x8304d8 0xfffffff4 0xffffffc0
+0x8304d9 0x4f 0x3
+0x8304da 0x1 0x5f
+0x8304db 0xffffffa9 0xffffffd6
+0xe98359 0x8 0x0
+0xe9835b 0x71 0x6b

resources/sshrd/kernelcache.release.iphone8b.bpatch

@@ -0,0 +1,13 @@
+#AMFI
+
+0x24b38c 0xffffffff 0x20
+0x24b38d 0xffffff83 0x20
+0x24b38e 0x0 0xffffff80
+0x24b38f 0xffffffd1 0xffffffd2
+0x24b390 0xfffffffd 0xffffffc0
+0x24b391 0x7b 0x3
+0x24b392 0x1 0x5f
+0x24b393 0xffffffa9 0xffffffd6
+0xbcc8d2 0x63 0x78
+0xe8ef19 0x8 0x0
+0xe8ef1b 0x71 0x6b

resources/sshrd/kernelcache.release.iphone9.bpatch

@@ -0,0 +1,13 @@
+#AMFI
+
+0x289724 0xffffffff 0x20
+0x289725 0xffffff83 0x20
+0x289726 0x0 0xffffff80
+0x289727 0xffffffd1 0xffffffd2
+0x289728 0xfffffffd 0xffffffc0
+0x289729 0x7b 0x3
+0x28972a 0x1 0x5f
+0x28972b 0xffffffa9 0xffffffd6
+0xbc54ee 0x63 0x78
+0xf78f35 0x8 0x0
+0xf78f37 0x71 0x6b

resources/sshrd/kernelcache.release.n102.bpatch

@@ -0,0 +1,13 @@
+#AMFI
+
+0x21d768 0x63 0x78
+0x8104d4 0xffffffff 0x20
+0x8104d5 0xffffffc3 0x20
+0x8104d6 0x0 0xffffff80
+0x8104d7 0xffffffd1 0xffffffd2
+0x8104d8 0xfffffff4 0xffffffc0
+0x8104d9 0x4f 0x3
+0x8104da 0x1 0x5f
+0x8104db 0xffffffa9 0xffffffd6
+0xe78309 0x8 0x0
+0xe7830b 0x71 0x6b

resources/sshrd/kernelcache.release.n112.bpatch

@@ -0,0 +1,13 @@
+#AMFI
+
+0x289724 0xffffffff 0x20
+0x289725 0xffffff83 0x20
+0x289726 0x0 0xffffff80
+0x289727 0xffffffd1 0xffffffd2
+0x289728 0xfffffffd 0xffffffc0
+0x289729 0x7b 0x3
+0x28972a 0x1 0x5f
+0x28972b 0xffffffa9 0xffffffd6
+0xb96e6e 0x63 0x78
+0xf26f35 0x8 0x0
+0xf26f37 0x71 0x6b

resources/sshrd/kernelcache.release.n66.bpatch

@@ -0,0 +1,13 @@
+#AMFI
+
+0x24b38c 0xffffffff 0x20
+0x24b38d 0xffffff83 0x20
+0x24b38e 0x0 0xffffff80
+0x24b38f 0xffffffd1 0xffffffd2
+0x24b390 0xfffffffd 0xffffffc0
+0x24b391 0x7b 0x3
+0x24b392 0x1 0x5f
+0x24b393 0xffffffa9 0xffffffd6
+0xbbfc12 0x63 0x78
+0xe96f19 0x8 0x0
+0xe96f1b 0x71 0x6b

resources/sshrd/kernelcache.release.n71.bpatch

@@ -0,0 +1,13 @@
+#AMFI
+
+0x24b38c 0xffffffff 0x20
+0x24b38d 0xffffff83 0x20
+0x24b38e 0x0 0xffffff80
+0x24b38f 0xffffffd1 0xffffffd2
+0x24b390 0xfffffffd 0xffffffc0
+0x24b391 0x7b 0x3
+0x24b392 0x1 0x5f
+0x24b393 0xffffffa9 0xffffffd6
+0xbbfc12 0x63 0x78
+0xe96f19 0x8 0x0
+0xe96f1b 0x71 0x6b

resources/sshrd/trollstore.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+app=$(find /mnt2/containers/Bundle/Application/ -name "Tips.app")
+if [[ ! -e ${app}/Tips_TROLLSTORE_BACKUP ]]; then
+    mv ${app}/Tips ${app}/Tips_TROLLSTORE_BACKUP
+    mv ${app}/PersistenceHelper_Embedded ${app}/Tips
+    /usr/sbin/chown 33 ${app}/Tips
+    chmod 755 ${app}/Tips ${app}/trollstorehelper
+    /usr/sbin/chown 0 ${app}/trollstorehelper
+    touch ${app}/.TrollStorePersistenceHelper
+fi

restore.sh

@@ -3739,7 +3739,9 @@ restore_prepare_1033() {
     device_enter_mode pwnDFU
     local attempt=1
 
-    $irecovery -f $iBSS.im4p
+    if [[ $device_proc == 7 ]]; then
+        $gaster reset
+    fi
     sleep 1
     while (( attempt <= 5 )); do
         log "Entering pwnREC mode... (Attempt $attempt of 5)"
@@ -3748,7 +3750,7 @@ restore_prepare_1033() {
         sleep 1
         log "Sending iBEC..."
         $irecovery -f $iBEC.im4p
-        sleep 5
+        sleep 3
         device_find_mode Recovery 1
         if [[ $? == 0 ]]; then
             break
@@ -3756,6 +3758,10 @@ restore_prepare_1033() {
         print "* You may also try to unplug and replug your device"
         ((attempt++))
     done
+    if [[ $device_proc == 10 ]]; then
+        $irecovery -c "go"
+        sleep 3
+    fi
 
     if (( attempt > 5 )); then
         error "Failed to enter pwnREC mode. You might have to force restart your device and start over entering pwnDFU mode again"
@@ -4026,23 +4032,34 @@ device_ramdisk64() {
     local path
     local url
     local decrypt
-    local build_id="16A366"
     local ios8
     local opt
+    local build_id="16A366"
+    if (( device_proc >= 9 )) || [[ $device_type == "iPad5"* ]]; then
+        build_id="18C66"
+    fi
 
+    if (( device_proc <= 8 )) && [[ $device_type != "iPad5,1" && $device_type != "iPad5,2" ]]; then
+        local ver="12"
+        if [[ $device_type == "iPad5"* ]]; then
+            ver="14"
+        fi
         print "* Version Selection"
-    print "* The version of the SSH Ramdisk is set to iOS 12 by default."
+        print "* The version of the SSH Ramdisk is set to iOS $ver by default."
-    print "* There is also an option to use iOS 8 ramdisk. Select N to fix devices on iOS 7 or 8 not booting after using iOS 12 ramdisk."
+        print "* There is also an option to use iOS 8 ramdisk. Select N to fix devices on iOS 7 or 8 not booting after using iOS $ver ramdisk."
         print "* If not sure, just press Enter/Return. This will select the default version."
-    read -p "$(input "Select Y to use iOS 12, select N to use iOS 8 (Y/n) ")" opt
+        read -p "$(input "Select Y to use iOS $ver, select N to use iOS 8 (Y/n) ")" opt
         if [[ $opt == 'n' || $opt == 'N' ]]; then
             ios8=1
         fi
+    fi
 
     if [[ $ios8 == 1 ]]; then
         build_id="12B410"
         if [[ $device_type == "iPhone"* ]]; then
             build_id="12B411"
+        elif [[ $device_type == "iPod7,1" ]]; then
+            build_id="12H321"
         fi
         sshtar="../saved/iram.tar"
         if [[ ! -e $sshtar ]]; then
@@ -4070,6 +4087,11 @@ device_ramdisk64() {
         name=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("'$getcomp'")) | .filename')
         iv=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("'$getcomp'")) | .iv')
         key=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("'$getcomp'")) | .key')
+        if [[ $device_type == "iPhone8"* && $getcomp == "iB"* ]]; then
+            name=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("'$getcomp'")) | select(.filename | startswith("'$getcomp'.'$device_model'.")) | .filename')
+            iv=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("'$getcomp'")) | select(.filename | startswith("'$getcomp'.'$device_model'.")) | .iv')
+            key=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("'$getcomp'")) | select(.filename | startswith("'$getcomp'.'$device_model'.")) | .key')
+        fi
         case $getcomp in
             "iBSS" | "iBEC" ) path="Firmware/dfu/";;
             "DeviceTree" ) path="Firmware/all_flash/";;
@@ -4083,9 +4105,16 @@ device_ramdisk64() {
             local hwmodel
             case $device_type in
                 iPhone6*    ) hwmodel="iphone6";;
+                iPhone7*    ) hwmodel="iphone7";;
+                iPhone8,4   ) hwmodel="iphone8b";;
+                iPhone8*    ) hwmodel="iphone8";;
+                iPhone9*    ) hwmodel="iphone9";;
                 iPad4,[123] ) hwmodel="ipad4";;
                 iPad4,[456] ) hwmodel="ipad4b";;
                 iPad4,[789] ) hwmodel="ipad4bm";;
+                iPad5,[12]  ) hwmodel="ipad5";;
+                iPad5,[34]  ) hwmodel="ipad5b";;
+                *           ) hwmodel="$device_model";;
             esac
             case $getcomp in
                 "iBSS" | "iBEC"  ) name="$getcomp.$hwmodel.RELEASE.im4p";;
@@ -4094,6 +4123,15 @@ device_ramdisk64() {
                 "Trustcache"     ) name="048-08497-242.dmg.trustcache";;
                 "RestoreRamdisk" ) name="048-08497-242.dmg";;
             esac
+            if [[ $device_type == "iPhone8,1" || $device_type == "iPhone8,2" ]] && [[ $getcomp == "Kernelcache" ]]; then
+                name="kernelcache.release.$device_model"
+            fi
+            if (( device_proc >= 9 )) || [[ $device_type == "iPad5"* && $ios8 != 1 ]]; then
+                case $getcomp in
+                    "Trustcache"     ) name="038-83284-083.dmg.trustcache";;
+                    "RestoreRamdisk" ) name="038-83284-083.dmg";;
+                esac
+            fi
         fi
 
         log "$getcomp"
@@ -4104,7 +4142,7 @@ device_ramdisk64() {
             cp $name $ramdisk_path/
         fi
         mv $name $getcomp.orig
-        local reco="-i $getcomp.orig -o $getcomp.img4 -M ../resources/sshrd/IM4M -T "
+        local reco="-i $getcomp.orig -o $getcomp.img4 -M ../resources/sshrd/IM4M$device_proc -T "
         case $getcomp in
             "iBSS" | "iBEC" )
                 reco+="$(echo $getcomp | tr '[:upper:]' '[:lower:]') -A"
@@ -4123,6 +4161,9 @@ device_ramdisk64() {
                     "$dir/img4" -i $getcomp.orig0 -o $getcomp.orig -k ${iv}${key} -D
                 else
                     reco+=" -P ../resources/sshrd/$name.bpatch"
+                    if [[ $platform == "linux" && $build_id == "18"* ]]; then
+                        reco+=" -J"
+                    fi
                 fi
             ;;
             "DeviceTree" )
@@ -4184,7 +4225,7 @@ device_ramdisk64() {
     print "* Mount root filesystem with this command (tested for iOS 10.3.x):"
     print "    mount_apfs /dev/disk0s1s1 /mnt1"
 
-    menu_ramdisk
+    menu_ramdisk $build_id
 }
 
 device_ramdisk() {
@@ -4594,10 +4635,13 @@ menu_ramdisk() {
     local mode
     local menu_items=("Connect to SSH")
     local reboot="reboot_bak"
-    if [[ $device_proc == 7 ]]; then
+    if (( device_proc >= 7 )); then
         menu_items+=("Dump Blobs")
         reboot="/sbin/reboot"
     fi
+    if (( device_proc >= 9 )) || [[ $device_type == "iPad5"* && $1 != "12"* ]]; then
+        menu_items+=("Install TrollStore")
+    fi
     menu_items+=("Reboot Device" "Exit")
 
     print "* Clear NVRAM with this command:"
@@ -4619,11 +4663,15 @@ menu_ramdisk() {
                 "Connect to SSH" ) mode="ssh";;
                 "Reboot Device" ) mode="reboot";;
                 "Dump Blobs" ) mode="dump-blobs";;
+                "Install TrollStore" ) mode="trollstore";;
                 "Exit" ) mode="exit";;
             esac
         done
         case $mode in
-            "ssh" ) $ssh -p $ssh_port root@127.0.0.1;;
+            "ssh" )
+                log "Use the \"exit\" command to go back to SSH Ramdisk Menu"
+                $ssh -p $ssh_port root@127.0.0.1
+            ;;
             "reboot" ) $ssh -p $ssh_port root@127.0.0.1 "$reboot"; loop=1;;
             "exit" ) loop=1;;
             "dump-blobs" )
@@ -4633,6 +4681,36 @@ menu_ramdisk() {
                 log "Onboard blobs should be dumped to $shsh"
                 pause
             ;;
+            "trollstore" )
+                print "* Make sure that your device is on iOS 14 or 15 before continuing."
+                print "* If your device is on iOS 13 or below, TrollStore will NOT work."
+                pause
+                log "Checking for latest TrollStore"
+                local troll=$(curl https://api.github.com/repos/opa334/TrollStore/releases/latest)
+                local latest="$(echo "$troll" | $jq -r ".tag_name")"
+                local current="$(cat ../saved/TrollStore_version)"
+                if [[ $current != "$latest" ]]; then
+                    rm ../saved/TrollStore.tar ../saved/PersistenceHelper_Embedded
+                fi
+                if [[ -s ../saved/TrollStore.tar && -s ../saved/PersistenceHelper_Embedded ]]; then
+                    cp ../saved/TrollStore.tar ../saved/PersistenceHelper_Embedded .
+                else
+                    rm ../saved/TrollStore.tar ../saved/PersistenceHelper_Embedded 2>/dev/null
+                    log "Downloading latest TrollStore"
+                    curl -LO $(echo "$troll" | $jq -r ".assets[] | select(.name|test(\"PersistenceHelper_Embedded\")) | .browser_download_url")
+                    curl -LO $(echo "$troll" | $jq -r ".assets[] | select(.name|test(\"TrollStore.tar\")) | .browser_download_url")
+                    cp TrollStore.tar PersistenceHelper_Embedded ../saved
+                    echo "$latest" > ../saved/TrollStore_version
+                fi
+                tar -xf TrollStore.tar
+                log "Installing TrollStore to Tips"
+                $ssh -p $ssh_port root@127.0.0.1 "mount_filesystems"
+                local tips="$($ssh -p $ssh_port root@127.0.0.1 "find /mnt2/containers/Bundle/Application/ -name \"Tips.app\"")"
+                $scp -P $ssh_port PersistenceHelper_Embedded TrollStore.app/trollstorehelper ../resources/sshrd/trollstore.sh root@127.0.0.1:$tips
+                rm -r PersistenceHelper_Embedded TrollStore*
+                $ssh -p $ssh_port root@127.0.0.1 "bash $tips/trollstore.sh; rm $tips/trollstore.sh"
+                log "Done!"
+            ;;
         esac
         mode=
     done
@@ -5695,7 +5773,7 @@ menu_other() {
             esac
         fi
         if [[ $device_mode != "none" ]]; then
-            if (( device_proc < 8 )); then
+            if (( device_proc < 11 )); then
                 menu_items+=("SSH Ramdisk")
             fi
             case $device_mode in
@@ -6041,7 +6119,7 @@ device_justboot() {
 }
 
 device_enter_ramdisk() {
-    if [[ $device_proc == 7 ]]; then
+    if (( device_proc >= 7 )); then
         device_ramdisk64
         return
     elif (( device_proc >= 5 )); then