powdersn0w 7.0.x 5c and ipad 4 (untested)

and fix other stuff like dfu ipsw for iphone 5/ipad, and pwndfu stuff

README.md

@@ -12,8 +12,7 @@
 - Restore iPhone 4 GSM and CDMA (iPhone3,1 and 3,3) to lower iOS versions **(powdersn0w)**
 - Restore iPhone 3GS and iPod touch 2 to lower iOS versions **(24Kpwn/alloc8)**
 - Restore 32-bit devices to lower iOS versions **with SHSH blobs**
-- Restore 32-bit devices to lower iOS versions **with iOS 7.1.x blobs (powdersn0w)**
-    - For iPhone 5 (not 5C), 7.0.x blobs can also be used
+- Restore 32-bit devices to lower iOS versions **with iOS 7 blobs (powdersn0w)**
     - Device support is limited, see below
 - Hacktivation for iPhone 2G, 3G, 3GS (activate without valid SIM card)
 - Option to **jailbreak** all 32-bit iOS devices
@@ -82,8 +81,10 @@
 - Restoring with powdersn0w is supported on the following devices:
     - iPhone 4 GSM - targets iOS 4.3 to 7.1.1
     - iPhone 4 CDMA - targets iOS 5.0 to 7.1.1
-    - iPhone 4S, 5, 5C, iPad 2 Rev A, iPod touch 5 - targets iOS 5.0 to 9.3.5
-    - Using powdersn0w requires iOS 7.1.x blobs for your device (7.0.x blobs can also be used for iPhone 5)
+    - iPhone 4S, 5, 5C, iPad 2 Rev A, iPad 4, iPod touch 5 - targets iOS 5.0 to 9.3.5
+    - Using powdersn0w requires iOS 7.1.x blobs for your device
+        - For iPhone 5 and 5C, 7.0.x blobs can also be used
+        - For iPad 4, only 7.0.x blobs can be used
 - Restoring with 24Kpwn/alloc8 is supported on the following devices:
     - iPhone 3GS - targets iOS 3.1.3 to 5.1.1
     - iPod touch 2 - targets iOS 3.1.3 to 4.1
@@ -111,6 +112,7 @@
 - bspatch
 - [powdersn0w_pub](https://github.com/dora2-iOS/powdersn0w_pub) - dora2ios; [LukeZGD fork](https://github.com/LukeZGD/powdersn0w_pub)
     - [Exploits used are from kok3shidoll's repo](https://github.com/kok3shidoll/untitled)
+    - [5C 7.0.x exploit is from Ralph0045's repo](https://github.com/Ralph0045/iloader)
 - [ipwndfu](https://github.com/LukeZGD/ipwndfu) - axi0mX, Linus Henze, synackuk; LukeZGD fork
 - [ipwnder_lite](https://github.com/dora2-iOS/ipwnder_lite/tree/7265a06d184e433989db640d5e83ea58d5862609) - dora2ios (used on macOS)
 - [iPwnder32](https://github.com/dora2-iOS/iPwnder32/tree/243ea5c6d1bd15f8bdd0b3a1ff4a7729bc14bac4) - dora2ios (old version with libusb used on Linux)

resources/firmware/iPhone5,2/11B651/sha1sum

@@ -0,0 +1 @@
+5d053695d6423943f17a91efbdc17ca39df12c3b

resources/firmware/iPhone5,2/11D201/sha1sum

@@ -0,0 +1 @@
+ca1af5ff972215cb62cbe9c259b77d406a6b7ba7

resources/firmware/iPhone5,2/13B143/sha1sum

@@ -0,0 +1 @@
+84d4b5ba31e634d5c463ba1284987f4d7608dcfb

resources/firmware/iPhone5,2/13G35/sha1sum

@@ -0,0 +1 @@
+e1aedabdeec392c9ec3f98bbb04d7deb7fd5e4fc

resources/firmware/iPhone5,2/13G35/url

@@ -0,0 +1 @@
+http://appldnld.apple.com/ios9.3.4/031-71268-2016008004-B0C7B2BA-578A-11E6-B432-F022D39E04FA/iPhone5,2_9.3.4_13G35_Restore.ipsw

resources/firmware/iPhone5,2/14G61/index.html

@@ -0,0 +1 @@
+{"identifier":"iPhone5,2","buildid":"14G61","codename":"Greensburg","restoreramdiskexists":true,"updateramdiskexists":true,"keys":[{"image":"RootFS","filename":"058-74968-065.dmg","date":"2023-10-12T01:18:03.501680"},{"image":"UpdateRamdisk","filename":"058-75393-065.dmg","date":"2023-10-12T01:18:03.501799"},{"image":"RestoreRamdisk","filename":"058-75249-065.dmg","date":"2023-10-12T01:18:03.501866"}]}

resources/firmware/src/target/ipad3b/11B554a/partition

@@ -0,0 +1,85 @@
+#!/bin/bash
+
+mount_hfs /dev/disk0s1s1 /mnt1
+mount_hfs /dev/disk0s1s2 /mnt1/private/var
+
+sleep 1s
+
+rm -rf /mnt1/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist
+rm -rf /mnt1/System/Library/LaunchDaemons/com.apple.softwareupdateservicesd.plist
+
+if [ -e "/ios8" ]; then
+  # step1
+  mv -v /mnt1/System/Library/LaunchDaemons/* /mnt1/Library/LaunchDaemons/
+  sleep 3s
+
+  # step2
+  mv -v /mnt1/Library/LaunchDaemons/bootps.plist /mnt1/System/Library/LaunchDaemons/
+  mv -v /mnt1/Library/LaunchDaemons/com.apple.CrashHousekeeping.plist /mnt1/System/Library/LaunchDaemons/
+  mv -v /mnt1/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist /mnt1/System/Library/LaunchDaemons/
+  mv -v /mnt1/Library/LaunchDaemons/com.apple.jetsamproperties.*.plist /mnt1/System/Library/LaunchDaemons/
+  mv -v /mnt1/Library/LaunchDaemons/com.apple.mDNSResponder.plist /mnt1/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist__
+  sleep 3s
+
+  # step3
+  mv -v /mnt1/usr/libexec/CrashHousekeeping /mnt1/usr/libexec/CrashHousekeeping_
+  mv -v /mnt1/reloader /mnt1/usr/libexec/CrashHousekeeping
+  sleep 1s
+fi
+
+if [ -e "/ios9" ]; then
+  # step1
+  mv -v /mnt1/System/Library/LaunchDaemons/* /mnt1/Library/LaunchDaemons/
+  sleep 3s
+
+  # step2
+  mv -v /mnt1/Library/LaunchDaemons/bootps.plist /mnt1/System/Library/LaunchDaemons/
+  mv -v /mnt1/Library/LaunchDaemons/com.apple.CrashHousekeeping.plist /mnt1/System/Library/LaunchDaemons/
+  mv -v /mnt1/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist /mnt1/System/Library/LaunchDaemons/
+  mv -v /mnt1/Library/LaunchDaemons/com.apple.jetsamproperties.*.plist /mnt1/System/Library/LaunchDaemons/
+  sleep 3s
+
+   # step3
+  mv -v /mnt1/usr/libexec/CrashHousekeeping /mnt1/usr/libexec/CrashHousekeeping_
+  mv -v /mnt1/reloader /mnt1/usr/libexec/CrashHousekeeping
+  sleep 1s
+fi
+
+sleep 1s
+
+Data_GUID="$((echo -e "i\n2\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*Partition unique GUID: //p')"
+LogicalSector="$((echo -e "p\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*Logical sector size: //p' | sed 's/ .*//')"
+System_LastSector="$((echo -e "i\n1\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*Last sector: //p' | sed 's/ .*//')"
+Data_LastSector="$((echo -e "i\n2\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*Last sector: //p' | sed 's/ .*//')"
+Data_Attributeflags="$((echo -e "i\n2\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*flags: //p')"
+Exploit_LastSector="$((524288/$LogicalSector))"
+New_Data_LastSector="$(($Data_LastSector-$Exploit_LastSector))"
+New_Data_SectorSize="$(($New_Data_LastSector-$System_LastSector))"
+New_Data_Size="$(($New_Data_SectorSize*$LogicalSector))"
+
+hfs_resize /mnt1/private/var $New_Data_Size
+sleep 1s
+
+if [ "$Data_Attributeflags" = "0001000000000000" ]; then
+echo -e "d\n2\nn\n\n$New_Data_LastSector\n\nc\n2\nData\nx\na\n2\n48\n\nc\n2\n$Data_GUID\ns\n4\nm\nn\n3\n\n$Data_LastSector\n\nw\nY\n" | gptfdisk /dev/rdisk0s1
+else
+echo -e "d\n2\nn\n\n$New_Data_LastSector\n\nc\n2\nData\nx\na\n2\n48\n49\n\nc\n2\n$Data_GUID\ns\n4\nm\nn\n3\n\n$Data_LastSector\n\nw\nY\n" | gptfdisk /dev/rdisk0s1
+fi
+
+sleep 1s
+
+newfs_hfs -s -v exploit /dev/rdisk0s1s3
+sleep 1s
+fsck_hfs -f /dev/rdisk0s1s3
+sleep 2s
+
+dd of=/dev/rdisk0s1s3 if=/exploit bs=512k count=1
+sleep 1s
+
+nvram -c
+nvram boot-partition=2
+nvram boot-ramdisk="/a/b/c/d/e/f/g/h/i/j/k/l/m/disk.dmg"
+
+sleep 1s
+
+reboot_

resources/firmware/src/target/iphone5b/11B554a/partition

@@ -0,0 +1,91 @@
+#!/bin/bash
+
+mount_hfs /dev/disk0s1s1 /mnt1
+mount_hfs /dev/disk0s1s2 /mnt1/private/var
+
+sleep 1s
+
+rm -rf /mnt1/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist
+rm -rf /mnt1/System/Library/LaunchDaemons/com.apple.softwareupdateservicesd.plist
+
+if [ -e "/ios8" ]; then
+  # step1
+  mv -v /mnt1/System/Library/LaunchDaemons/* /mnt1/Library/LaunchDaemons/
+  sleep 3s
+
+  # step2
+  mv -v /mnt1/Library/LaunchDaemons/bootps.plist /mnt1/System/Library/LaunchDaemons/
+  mv -v /mnt1/Library/LaunchDaemons/com.apple.CrashHousekeeping.plist /mnt1/System/Library/LaunchDaemons/
+  mv -v /mnt1/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist /mnt1/System/Library/LaunchDaemons/
+  mv -v /mnt1/Library/LaunchDaemons/com.apple.jetsamproperties.*.plist /mnt1/System/Library/LaunchDaemons/
+  mv -v /mnt1/Library/LaunchDaemons/com.apple.mDNSResponder.plist /mnt1/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist__
+  sleep 3s
+
+  # step3
+  mv -v /mnt1/usr/libexec/CrashHousekeeping /mnt1/usr/libexec/CrashHousekeeping_
+  mv -v /mnt1/reloader /mnt1/usr/libexec/CrashHousekeeping
+  sleep 1s
+fi
+
+
+if [ -e "/ios9" ]; then
+  # step1
+  mv -v /mnt1/System/Library/LaunchDaemons/* /mnt1/Library/LaunchDaemons/
+  sleep 3s
+
+  # step2
+  mv -v /mnt1/Library/LaunchDaemons/bootps.plist /mnt1/System/Library/LaunchDaemons/
+  mv -v /mnt1/Library/LaunchDaemons/com.apple.CrashHousekeeping.plist /mnt1/System/Library/LaunchDaemons/
+  mv -v /mnt1/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist /mnt1/System/Library/LaunchDaemons/
+  mv -v /mnt1/Library/LaunchDaemons/com.apple.jetsamproperties.*.plist /mnt1/System/Library/LaunchDaemons/
+  sleep 3s
+
+  # step3
+  mv -v /mnt1/usr/libexec/CrashHousekeeping /mnt1/usr/libexec/CrashHousekeeping_
+  mv -v /mnt1/reloader /mnt1/usr/libexec/CrashHousekeeping
+  sleep 1s
+fi
+
+sleep 1s
+
+Data_GUID="$((echo -e "i\n2\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*Partition unique GUID: //p')"
+LogicalSector="$((echo -e "p\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*Logical sector size: //p' | sed 's/ .*//')"
+System_LastSector="$((echo -e "i\n1\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*Last sector: //p' | sed 's/ .*//')"
+Data_LastSector="$((echo -e "i\n2\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*Last sector: //p' | sed 's/ .*//')"
+Data_Attributeflags="$((echo -e "i\n2\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*flags: //p')"
+Exploit_LastSector="$((524288/$LogicalSector))"
+BOOTLOADER="$((8388608/$LogicalSector))"
+NOTSD="$(($Exploit_LastSector+$BOOTLOADER))"
+Data_LastSectorSD="$(($Data_LastSector-$BOOTLOADER))"
+New_Data_LastSector="$(($Data_LastSector-$NOTSD))"
+New_Data_SectorSize="$(($New_Data_LastSector-$System_LastSector))"
+New_Data_Size="$(($New_Data_SectorSize*$LogicalSector))"
+
+hfs_resize /mnt1/private/var $New_Data_Size
+sleep 1s
+
+echo -e "d\n2\nn\n\n$New_Data_LastSector\n\nc\n2\nData\nx\na\n2\n48\n49\n\nc\n2\n$Data_GUID\ns\n4\nm\nn\n3\n\n$Data_LastSectorSD\n\nn\n4\n\n$Data_LastSector\n\nw\nY\n" | gptfdisk /dev/rdisk0s1
+sleep 1s
+
+sleep 1s
+newfs_hfs -s -v exploit /dev/rdisk0s1s3
+newfs_hfs -s -v bootloader /dev/rdisk0s1s4
+sleep 1s
+fsck_hfs -f /dev/rdisk0s1s3
+fsck_hfs -f /dev/rdisk0s1s4
+sleep 2s
+
+dd of=/dev/rdisk0s1s3 if=/exploit bs=512k count=1
+sleep 1s
+mount_hfs /dev/disk0s1s4 /mnt2
+
+nvram -c
+nvram boot-partition=2
+nvram boot-ramdisk="/a/b/c/d/e/f/g/h/i/j/k/l/m/disk.dmg"
+sleep 1s
+
+dd of=/mnt2/iBEC if=/mnt1/iBoot bs=512k
+rm /mnt1/iBoot
+sleep 1s
+
+reboot_

restore.sh

@@ -2056,7 +2056,7 @@ ipsw_prepare_bundle() {
     local NewPlist=$FirmwareBundle/Info.plist
     mkdir -p $FirmwareBundle
 
-    log "Generating firmware bundle..."
+    log "Generating firmware bundle for $device_type-$vers ($build) $1..."
     local IPSWSHA256=$($sha256sum "${ipsw_p//\\//}.ipsw" | awk '{print $1}')
     log "IPSWSHA256: $IPSWSHA256"
     unzip -o -j "$ipsw_p.ipsw" Firmware/all_flash/all_flash.${device_model}ap.production/manifest
@@ -2086,6 +2086,7 @@ ipsw_prepare_bundle() {
         case $device_type in
             iPhone5,[12] ) hw="iphone5";;
             iPhone5,[34] ) hw="iphone5b";;
+            iPad3,[456] )  hw="ipad3b";;
         esac
         case $device_base_build in
             "11A"* | "11B"* ) base_build="11B554a";;
@@ -2369,6 +2370,32 @@ ipsw_prepare_powder() {
             ExtraArgs+=" $jelbrek/sshdeb.tar"
         fi
     fi
+    if [[ $device_type == "iPhone5,3" || $device_type == "iPhone5,4" ]] && [[ $device_base_vers == "7.0"* ]]; then
+        # do this stuff because these use ramdiskH (jump to /boot/iBEC) instead of jump ibot to ibob
+        device_fw_key_check
+        local iboot_name=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("iBoot")) | .filename')
+        local iboot_iv=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("iBoot")) | .iv')
+        local iboot_key=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("iBoot")) | .key')
+        local ExtraArgs2="--boot-partition"
+        if [[ $device_target_vers == "9"* ]]; then
+            ExtraArgs2+="9"
+        fi
+        ExtraArgs2+=" --boot-ramdisk "
+        if [[ $ipsw_verbose == 1 ]]; then
+            ExtraArgs2+="-b -v"
+        fi
+        log "Patch iBoot"
+        unzip -o -j "$ipsw_path.ipsw" Firmware/all_flash/all_flash.${device_model}ap.production/$iboot_name
+        mv $iboot_name ibot
+        "$dir/xpwntool" ibot ibot.dec -iv $iboot_iv -k $iboot_key
+        "$dir/iBoot32Patcher" ibot.dec ibot.pwned --rsa $ExtraArgs2
+        "$dir/xpwntool" ibot.pwned iBoot -t ibot
+        rm ibot*
+        echo "0000010: 6365" | xxd -r - iBoot
+        echo "0000020: 6365" | xxd -r - iBoot
+        tar -cvf iBoot.tar iBoot
+        ExtraArgs+=" iBoot.tar"
+    fi
     log "Preparing custom IPSW: $dir/powdersn0w $ipsw_path.ipsw temp.ipsw -base $ipsw_base_path.ipsw $ExtraArgs"
     "$dir/powdersn0w" "$ipsw_path.ipsw" temp.ipsw -base "$ipsw_base_path.ipsw" $ExtraArgs
 
@@ -2938,7 +2965,7 @@ restore_prepare() {
                 elif [[ $device_target_vers == "4.1" || $device_target_vers == "$device_latest_vers" ]]; then
                     if [[ $ipsw_jailbreak == 1 ]]; then
                         shsh_save version $device_target_vers
-                        device_target_mode pwnDFU
+                        device_enter_mode pwnDFU
                         restore_idevicerestore
                     else
                         restore_latest
@@ -3777,7 +3804,7 @@ menu_restore() {
             menu_items+=("Latest iOS ($device_latest_vers)")
         fi
         case $device_type in
-            iPhone4,1 | iPhone5,[1234] | iPad2,4 | iPod5,1 )
+            iPhone4,1 | iPhone5,[1234] | iPad2,4 | iPad3,[456] | iPod5,1 )
                 menu_items+=("Other (powdersn0w 7.x blobs)");;
             iPhone3,[13] )
                 menu_items+=("powdersn0w (any iOS)");;
@@ -3945,7 +3972,8 @@ menu_ipsw() {
             local text2="(iOS 7.1.x)"
             case $device_type in
                 iPhone3,[13] ) text2="(iOS 7.1.2)";;
-                iPhone5,[12] ) text2="(iOS 7.x)";;
+                iPhone5,[1234] ) text2="(iOS 7.x)";;
+                iPad3,[456] ) text2="(iOS 7.0.x)";;
             esac
             if [[ -n $ipsw_base_path ]]; then
                 print "* Selected Base $text2 IPSW: $ipsw_base_path.ipsw"
@@ -4153,13 +4181,20 @@ menu_ipsw_browse() {
         "3.1.3" ) versionc="3.1.3";;
         "Latest iOS"* ) versionc="$device_latest_vers";;
         "base" )
-            if [[ $device_type == "iPhone5,1" || $device_type == "iPhone5,2" ]]; then
+            if [[ $device_type == "iPhone5"* ]]; then
                 if [[ $device_base_vers != "7"* ]]; then
                     log "Selected IPSW is not for iOS 7.x."
                     print "* You need iOS 7.x IPSW and SHSH blobs for this device to use powdersn0w."
                     pause
                     return
                 fi
+            elif [[ $device_type == "iPad3"* ]]; then
+                if [[ $device_base_vers != "7.0"* ]]; then
+                    log "Selected IPSW is not for iOS 7.0.x."
+                    print "* You need iOS 7.0.x IPSW and SHSH blobs for this device to use powdersn0w."
+                    pause
+                    return
+                fi
             elif [[ $device_base_vers != "7.1"* ]]; then
                 log "Selected IPSW is not for iOS 7.1.x."
                 print "* You need iOS 7.1.x IPSW and SHSH blobs for this device to use powdersn0w."
@@ -4451,7 +4486,13 @@ restore_dfuipsw() {
     pause
     device_target_vers="$device_latest_vers"
     device_target_build="$device_latest_build"
-    local ipsw_p="../${device_type}_${device_target_vers}_${device_target_build}"
+    local ipsw_p="../"
+    case $device_type in
+        iPhone5,[1234] ) ipsw_p+="iPhone_4.0_32bit";;
+        iPad3,[456] ) ipsw_p+="iPad_32bit";;
+        * ) ipsw_p+="${device_type}";;
+    esac
+    ipsw_p+="_${device_target_vers}_${device_target_build}"
     local ipsw_dfuipsw="${ipsw_p}_DFUIPSW"
     ipsw_path="${ipsw_p}_Restore"
     if [[ -s "$ipsw_path.ipsw" && ! -e "$ipsw_dfuipsw.ipsw" ]]; then
@@ -4465,8 +4506,21 @@ restore_dfuipsw() {
         cp $ipsw_path.ipsw temp.ipsw
         device_fw_key_check
         local applelogo=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("AppleLogo")) | .filename')
-        local llb=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("LLB")) | .filename')
-        local all="Firmware/all_flash/all_flash.${device_model}ap.production"
+        local llb="LLB.${device_model}ap.RELEASE.img3"
+        local all="Firmware/all_flash"
+        if [[ $device_latest_vers == "10"* ]]; then
+            case $device_type in
+                iPhone5,[1234] ) applelogo="applelogo@2x~iphone.s5l8950x.img3";;
+                iPad3,[456] ) applelogo="applelogo@2x~ipad.s5l8955x.img3";;
+            esac
+            case $device_type in
+                iPhone5,[12] ) llb="LLB.iphone5.RELEASE.img3";;
+                iPhone5,[34] ) llb="LLB.iphone5b.RELEASE.img3";;
+                iPad3,[456] ) llb="LLB.ipad3b.RELEASE.img3";;
+            esac
+        else
+            all+="/all_flash.${device_model}ap.production"
+        fi
         mkdir -p $all
         unzip -o -j temp.ipsw $all/$applelogo -d .
         mv $applelogo $all/$llb