Some fixes and add more exploits for powdersn0w

This commit is contained in:
LukeZGD 2023-06-29 20:52:43 +08:00
parent b9e027a75e
commit 923c205506
7 changed files with 211 additions and 34 deletions


@ -13,6 +13,7 @@
- Restore iPhone 3GS and iPod touch 2 to lower iOS versions **(24Kpwn/alloc8)**
- Restore 32-bit devices to lower iOS versions **with SHSH blobs**
- Restore 32-bit devices to lower iOS versions **with iOS 7.1.x blobs (powdersn0w)**
- For iPhone 5 (not 5C), 7.0.x blobs can also be used
- Device support is limited, see below
- Option to **jailbreak** all of the above devices
- Including latest iOS versions for some devices (4.2.1, 5.1.1, 6.1.6, 7.1.2)
@ -81,8 +82,8 @@
- Restoring with powdersn0w is supported on the following devices:
- iPhone 4 GSM - targets iOS 4.3 to 6.1.3
- iPhone 4 CDMA - targets iOS 5.0 to 6.1.3
- iPhone 4S, iPhone 5 (not 5C), iPad 2 Rev A, iPod 5th generation - targets iOS 5.0 to 6.1.3, 8.0 to 9.3.5
- Using powdersn0w requires iOS 7.1.x blobs for your device
- iPhone 4S, 5, 5C, iPad 2 Rev A, iPod touch 5 - targets iOS 5.0 to 9.3.5 (not iOS 7)
- Using powdersn0w requires iOS 7.1.x blobs for your device (7.0.x can also be used for iPhone 5)
- Restoring with 24Kpwn/alloc8 is supported on the following devices:
- iPhone 3GS - targets iOS 3.1.3 to 5.1.1
- iPod touch 2 - targets iOS 3.1.3 to 4.0
@ -109,6 +110,7 @@
- curl
- bspatch
- [powdersn0w_pub](https://github.com/dora2-iOS/powdersn0w_pub) - dora2ios; [LukeZGD fork](https://github.com/LukeZGD/powdersn0w_pub)
- [Exploits used are from kok3shidoll's repo](https://github.com/kok3shidoll/untitled)
- [ipwndfu](https://github.com/LukeZGD/ipwndfu) - axi0mX, Linus Henze, synackuk; LukeZGD fork
- [ipwnder_lite](https://github.com/dora2-iOS/ipwnder_lite/tree/7265a06d184e433989db640d5e83ea58d5862609) - dora2ios (used on macOS)
- [iPwnder32](https://github.com/dora2-iOS/iPwnder32/tree/243ea5c6d1bd15f8bdd0b3a1ff4a7729bc14bac4) - dora2ios (old version with libusb, used on Linux)
@ -132,6 +134,8 @@
- 32-bit bundles from [OdysseusOTA](https://www.youtube.com/watch?v=Wo7mGdMcjxw), [OdysseusOTA2](https://www.youtube.com/watch?v=fh0tB6fp0Sc), [alitek12](https://www.mediafire.com/folder/b1z64roy512wd/FirmwareBundles), [gjest](https://www.reddit.com/r/jailbreak/comments/6yrzzj/release_firmware_bundles_for_ios_841_ipad21234567/) (modified bundles for daibutsuCFW)
- A7 patches from [MatthewPierson](https://github.com/MatthewPierson/iPhone-5s-OTA-Downgrade-Patches)
- iPad 2 iOS 4.3.x bundles from [selfisht, Ralph0045](https://www.reddit.com/r/LegacyJailbreak/comments/1172ulo/release_ios_4_ipad_2_odysseus_firmware_bundles/)
- [sshpass](https://sourceforge.net/project/sshpass)
- Bootstrap tar from [SpiritNET](https://invoxiplaygames.uk/projects/spiritnet/)
- [EtasonJB](https://www.theiphonewiki.com/wiki/EtasonJB)
- [Pangu](https://www.theiphonewiki.com/wiki/Pangu)
- [p0sixspwn](https://www.theiphonewiki.com/wiki/p0sixspwn)
@ -141,4 +145,3 @@
- [greenpois0n](https://github.com/OpenJailbreak/greenpois0n/tree/0f1eac8e748abb200fc36969e616aaad009f7ebf)
- Some patches from [PwnageTool](https://www.theiphonewiki.com/wiki/PwnageTool) and [sn0wbreeze](https://www.theiphonewiki.com/wiki/sn0wbreeze)
- SSH Ramdisk tar from [SSH-Ramdisk-Maker-and-Loader](https://github.com/Ralph0045/SSH-Ramdisk-Maker-and-Loader) and [msftguy's ssh-rd](https://github.com/msftguy/ssh-rd)
- Bootstrap tar from [SpiritNET](https://invoxiplaygames.uk/projects/spiritnet/)

Binary file not shown.


@ -0,0 +1,85 @@
#!/bin/bash
mount_hfs /dev/disk0s1s1 /mnt1
mount_hfs /dev/disk0s1s2 /mnt1/private/var
sleep 1s
rm -rf /mnt1/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist
rm -rf /mnt1/System/Library/LaunchDaemons/com.apple.softwareupdateservicesd.plist
if [ -e "/ios8" ]; then
# step1
mv -v /mnt1/System/Library/LaunchDaemons/* /mnt1/Library/LaunchDaemons/
sleep 3s
# step2
mv -v /mnt1/Library/LaunchDaemons/bootps.plist /mnt1/System/Library/LaunchDaemons/
mv -v /mnt1/Library/LaunchDaemons/com.apple.CrashHousekeeping.plist /mnt1/System/Library/LaunchDaemons/
mv -v /mnt1/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist /mnt1/System/Library/LaunchDaemons/
mv -v /mnt1/Library/LaunchDaemons/com.apple.jetsamproperties.*.plist /mnt1/System/Library/LaunchDaemons/
mv -v /mnt1/Library/LaunchDaemons/com.apple.mDNSResponder.plist /mnt1/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist__
sleep 3s
# step3
mv -v /mnt1/usr/libexec/CrashHousekeeping /mnt1/usr/libexec/CrashHousekeeping_
mv -v /mnt1/reloader /mnt1/usr/libexec/CrashHousekeeping
sleep 1s
fi
if [ -e "/ios9" ]; then
# step1
mv -v /mnt1/System/Library/LaunchDaemons/* /mnt1/Library/LaunchDaemons/
sleep 3s
# step2
mv -v /mnt1/Library/LaunchDaemons/bootps.plist /mnt1/System/Library/LaunchDaemons/
mv -v /mnt1/Library/LaunchDaemons/com.apple.CrashHousekeeping.plist /mnt1/System/Library/LaunchDaemons/
mv -v /mnt1/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist /mnt1/System/Library/LaunchDaemons/
mv -v /mnt1/Library/LaunchDaemons/com.apple.jetsamproperties.*.plist /mnt1/System/Library/LaunchDaemons/
sleep 3s
# step3
mv -v /mnt1/usr/libexec/CrashHousekeeping /mnt1/usr/libexec/CrashHousekeeping_
mv -v /mnt1/reloader /mnt1/usr/libexec/CrashHousekeeping
sleep 1s
fi
sleep 1s
Data_GUID="$((echo -e "i\n2\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*Partition unique GUID: //p')"
LogicalSector="$((echo -e "p\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*Logical sector size: //p' | sed 's/ .*//')"
System_LastSector="$((echo -e "i\n1\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*Last sector: //p' | sed 's/ .*//')"
Data_LastSector="$((echo -e "i\n2\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*Last sector: //p' | sed 's/ .*//')"
Data_Attributeflags="$((echo -e "i\n2\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*flags: //p')"
Exploit_LastSector="$((524288/$LogicalSector))"
New_Data_LastSector="$(($Data_LastSector-$Exploit_LastSector))"
New_Data_SectorSize="$(($New_Data_LastSector-$System_LastSector))"
New_Data_Size="$(($New_Data_SectorSize*$LogicalSector))"
hfs_resize /mnt1/private/var $New_Data_Size
sleep 1s
if [ "$Data_Attributeflags" = "0001000000000000" ]; then
echo -e "d\n2\nn\n\n$New_Data_LastSector\n\nc\n2\nData\nx\na\n2\n48\n\nc\n2\n$Data_GUID\ns\n4\nm\nn\n3\n\n$Data_LastSector\n\nw\nY\n" | gptfdisk /dev/rdisk0s1
else
echo -e "d\n2\nn\n\n$New_Data_LastSector\n\nc\n2\nData\nx\na\n2\n48\n49\n\nc\n2\n$Data_GUID\ns\n4\nm\nn\n3\n\n$Data_LastSector\n\nw\nY\n" | gptfdisk /dev/rdisk0s1
fi
sleep 1s
newfs_hfs -s -v exploit /dev/rdisk0s1s3
sleep 1s
fsck_hfs -f /dev/rdisk0s1s3
sleep 2s
dd of=/dev/rdisk0s1s3 if=/exploit bs=512k count=1
sleep 1s
nvram -c
nvram boot-partition=2
nvram boot-ramdisk="/a/b/c/d/e/f/g/h/i/j/k/l/m/disk.dmg"
sleep 1s
reboot_
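Review bot: The values parsed from gptfdisk output (`LogicalSector`, `System_LastSector`, `Data_LastSector`, `Data_GUID`) are used in arithmetic, passed to `hfs_resize` and spliced into the interactive `gptfdisk` write sequence without any check; if gptfdisk is absent, fails, or prints a different format, `$((524288/$LogicalSector))` errors out and the empty values become accepted-as-default answers in the prompt string, so the partition table can be rewritten with unintended bounds. A guard between the parsing lines and the first `$((...))` arithmetic should abort when any value is empty or non-numeric, as in the excerpt below; the `mount_hfs` calls at the top would likewise benefit from `|| exit 1`. The same lines appear verbatim in the second added script (the `@ -0,0 +1,86 @@` hunk), which needs the same guard. The file paths of both scripts are not visible on this page.
```shell
Data_Attributeflags="$((echo -e "i\n2\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*flags: //p')"
# Abort before resizing or rewriting the partition table if any parsed value is missing or non-numeric.
for v in "$LogicalSector" "$System_LastSector" "$Data_LastSector"; do
    case $v in
        ''|*[!0-9]*) echo "Failed to parse partition table from gptfdisk, aborting"; exit 1;;
    esac
done
[ "$LogicalSector" -gt 0 ] || { echo "Invalid logical sector size, aborting"; exit 1; }
[ -n "$Data_GUID" ] || { echo "Failed to read Data partition GUID, aborting"; exit 1; }
# … unchanged: size arithmetic, hfs_resize, gptfdisk write, newfs_hfs, dd, nvram, reboot_ …
```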

Binary file not shown.


@ -0,0 +1,86 @@
#!/bin/bash
mount_hfs /dev/disk0s1s1 /mnt1
mount_hfs /dev/disk0s1s2 /mnt1/private/var
sleep 1s
rm -rf /mnt1/System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist
rm -rf /mnt1/System/Library/LaunchDaemons/com.apple.softwareupdateservicesd.plist
if [ -e "/ios8" ]; then
# step1
mv -v /mnt1/System/Library/LaunchDaemons/* /mnt1/Library/LaunchDaemons/
sleep 3s
# step2
mv -v /mnt1/Library/LaunchDaemons/bootps.plist /mnt1/System/Library/LaunchDaemons/
mv -v /mnt1/Library/LaunchDaemons/com.apple.CrashHousekeeping.plist /mnt1/System/Library/LaunchDaemons/
mv -v /mnt1/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist /mnt1/System/Library/LaunchDaemons/
mv -v /mnt1/Library/LaunchDaemons/com.apple.jetsamproperties.*.plist /mnt1/System/Library/LaunchDaemons/
mv -v /mnt1/Library/LaunchDaemons/com.apple.mDNSResponder.plist /mnt1/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist__
sleep 3s
# step3
mv -v /mnt1/usr/libexec/CrashHousekeeping /mnt1/usr/libexec/CrashHousekeeping_
mv -v /mnt1/reloader /mnt1/usr/libexec/CrashHousekeeping
sleep 1s
fi
if [ -e "/ios9" ]; then
# step1
mv -v /mnt1/System/Library/LaunchDaemons/* /mnt1/Library/LaunchDaemons/
sleep 3s
# step2
mv -v /mnt1/Library/LaunchDaemons/bootps.plist /mnt1/System/Library/LaunchDaemons/
mv -v /mnt1/Library/LaunchDaemons/com.apple.CrashHousekeeping.plist /mnt1/System/Library/LaunchDaemons/
mv -v /mnt1/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist /mnt1/System/Library/LaunchDaemons/
mv -v /mnt1/Library/LaunchDaemons/com.apple.jetsamproperties.*.plist /mnt1/System/Library/LaunchDaemons/
sleep 3s
# step3
mv -v /mnt1/usr/libexec/CrashHousekeeping /mnt1/usr/libexec/CrashHousekeeping_
mv -v /mnt1/reloader /mnt1/usr/libexec/CrashHousekeeping
sleep 1s
fi
sleep 1s
Data_GUID="$((echo -e "i\n2\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*Partition unique GUID: //p')"
LogicalSector="$((echo -e "p\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*Logical sector size: //p' | sed 's/ .*//')"
System_LastSector="$((echo -e "i\n1\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*Last sector: //p' | sed 's/ .*//')"
Data_LastSector="$((echo -e "i\n2\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*Last sector: //p' | sed 's/ .*//')"
Data_Attributeflags="$((echo -e "i\n2\nq") | gptfdisk /dev/rdisk0s1 2>/dev/null | sed -n -e 's/^.*flags: //p')"
Exploit_LastSector="$((524288/$LogicalSector))"
New_Data_LastSector="$(($Data_LastSector-$Exploit_LastSector))"
New_Data_SectorSize="$(($New_Data_LastSector-$System_LastSector))"
New_Data_Size="$(($New_Data_SectorSize*$LogicalSector))"
hfs_resize /mnt1/private/var $New_Data_Size
sleep 1s
if [ "$Data_Attributeflags" = "0001000000000000" ]; then
echo -e "d\n2\nn\n\n$New_Data_LastSector\n\nc\n2\nData\nx\na\n2\n48\n\nc\n2\n$Data_GUID\ns\n4\nm\nn\n3\n\n$Data_LastSector\n\nw\nY\n" | gptfdisk /dev/rdisk0s1
else
echo -e "d\n2\nn\n\n$New_Data_LastSector\n\nc\n2\nData\nx\na\n2\n48\n49\n\nc\n2\n$Data_GUID\ns\n4\nm\nn\n3\n\n$Data_LastSector\n\nw\nY\n" | gptfdisk /dev/rdisk0s1
fi
sleep 1s
newfs_hfs -s -v exploit /dev/rdisk0s1s3
sleep 1s
fsck_hfs -f /dev/rdisk0s1s3
sleep 2s
dd of=/dev/rdisk0s1s3 if=/exploit bs=512k count=1
sleep 1s
nvram -c
nvram boot-partition=2
nvram boot-ramdisk="/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/disk.dmg"
sleep 1s
reboot_

Binary file not shown.


@ -1275,7 +1275,7 @@ patch_ibec() {
ipsw_preference_set() {
# sets ipsw variables: ipsw_jailbreak, ipsw_jailbreak_tool, ipsw_memory, ipsw_verbose
case $device_latest_vers in
7* | 6* | 5* | 4.2.1 | 4.1 ) ipsw_canjailbreak=1;;
7* | 6* | 5* | 4.2.1 ) ipsw_canjailbreak=1;;
esac
if [[ $device_target_vers == "$device_latest_vers" && $ipsw_canjailbreak != 1 ]] || (( device_proc >= 7 )); then
@ -1725,6 +1725,7 @@ ipsw_prepare_bundle() {
local vers="$device_target_vers"
local build="$device_target_build"
local hw="$device_model"
local base_build="11D257"
local RootSize
FirmwareBundle="FirmwareBundles/"
@ -1779,10 +1780,14 @@ ipsw_prepare_bundle() {
if [[ $1 == "base" ]]; then
case $device_type in
iPhone5,[12] ) hw="iphone5";;
iPhone5,[34] ) hw="iphone5c";;
esac
case $device_base_build in
"11A"* | "11B"* ) base_build="11B554a";;
esac
echo -e "<key>RamdiskExploit</key><dict>" >> $NewPlist
echo -e "<key>exploit</key><string>src/target/$hw/11D257/exploit</string>" >> $NewPlist
echo -e "<key>inject</key><string>src/target/$hw/11D257/partition</string></dict>" >> $NewPlist
echo -e "<key>exploit</key><string>src/target/$hw/$base_build/exploit</string>" >> $NewPlist
echo -e "<key>inject</key><string>src/target/$hw/$base_build/partition</string></dict>" >> $NewPlist
elif [[ $1 == "target" && $vers == "5"* ]]; then
echo -e "<key>FilesystemPackage</key><dict/><key>RamdiskPackage</key><dict><key>package</key><string>src/bin.tar</string><key>ios</key><string>ios5</string></dict>" >> $NewPlist
elif [[ $1 == "target" ]]; then
@ -1896,10 +1901,7 @@ ipsw_prepare_32bit() {
7* ) JBFiles+=("fstab7.tar");;
* ) JBFiles+=("fstab_rw.tar");;
esac
case $device_target_vers in
5* ) JBFiles+=("freeze_old.tar");;
* ) JBFiles+=("freeze.tar");;
esac
JBFiles+=("freeze.tar")
for i in {0..2}; do
JBFiles[i]=../resources/jailbreak/${JBFiles[$i]}
done
@ -2616,10 +2618,14 @@ device_remove4() {
device_ramdisktar() {
local jelbrek="../resources/jailbreak"
local target="/mnt1"
if [[ $2 == "data" ]]; then
target+="/private/var"
fi
log "Sending $1"
$scp -P 2222 $jelbrek/$1 root@127.0.0.1:/mnt1
$scp -P 2222 $jelbrek/$1 root@127.0.0.1:$target
log "Extracting $1"
$ssh -p 2222 root@127.0.0.1 "tar -xvf /mnt1/$1 -C /mnt1; rm /mnt1/$1"
$ssh -p 2222 root@127.0.0.1 "tar -xvf $target/$1 -C /mnt1; rm $target/$1"
}
device_ramdisk() {
@ -2803,6 +2809,7 @@ device_ramdisk() {
log "Nice, iOS $vers is compatible."
log "Sending $untether"
$scp -P 2222 $jelbrek/$untether root@127.0.0.1:/mnt1
# 3.2.2-4.1 untether needs to be extracted early (before data partition is mounted)
case $vers in
4.1 | 4.0* | 3.2.2 )
untether="${device_type}_${build}.tar"
@ -2810,7 +2817,7 @@ device_ramdisk() {
$ssh -p 2222 root@127.0.0.1 "tar -xvf /mnt1/$untether -C /mnt1; rm /mnt1/$untether"
;;
esac
log "Mounting filesystems"
log "Mounting data partition"
$ssh -p 2222 root@127.0.0.1 "mount.sh pv"
case $vers in
8* ) device_ramdisktar fstab8.tar;;
@ -2837,10 +2844,8 @@ device_ramdisk() {
$ssh -p 2222 root@127.0.0.1 "tar -xvf /mnt1/$untether -C /mnt1; rm /mnt1/$untether"
;;
esac
case $vers in
8* | 7* | 6* ) device_ramdisktar freeze.tar;;
5* | 4* | 3* ) device_ramdisktar freeze_old.tar;;
esac
device_ramdisktar freeze.tar data
sleep 3
log "Rebooting"
$ssh -p 2222 root@127.0.0.1 "reboot_bak"
log "Cool, done and jailbroken (hopefully)"
@ -3126,8 +3131,8 @@ menu_restore() {
menu_items+=("iOS 6.1.3");;
esac
case $device_type in
iPhone4,1 | iPhone5,[12] | iPad2,4 | iPod5,1 )
menu_items+=("Other (powdersn0w 7.1.x blobs)");;
iPhone4,1 | iPhone5,[1234] | iPad2,4 | iPod5,1 )
menu_items+=("Other (powdersn0w 7.x blobs)");;
iPhone3,[13] )
menu_items+=("powdersn0w (any iOS)");;
iPhone2,1 )
@ -3275,9 +3280,10 @@ menu_ipsw() {
fi
echo
local text2="(iOS 7.1.x)"
if [[ $device_type == "iPhone3,1" || $device_type == "iPhone3,3" ]]; then
text2="(iOS 7.1.2)"
fi
case $device_type in
iPhone3,[13] ) text2="(iOS 7.1.2)";;
iPhone5,[12] ) text2="(iOS 7.x)";;
esac
if [[ -n $ipsw_base_path ]]; then
print "* Selected Base $text2 IPSW: $ipsw_base_path.ipsw"
print "* Base Version: $device_base_vers-$device_base_build"
@ -3445,8 +3451,9 @@ menu_ipsw_browse() {
"iPhoneOS 3.1.3" ) versionc="3.1.3";;
"Latest iOS"* ) versionc="$device_latest_vers";;
"base" )
if [[ $device_base_vers != "7.1"* ]]; then
if [[ $device_base_vers != "7.1"* && $device_type != "iPhone5,1" && $device_target_type != "iPhone5,2" ]]; then
log "Selected IPSW is not for iOS 7.1.x."
print "* You need iOS 7.1.x IPSW and SHSH blobs for this device to use powdersn0w."
pause
return
fi
@ -3480,6 +3487,7 @@ menu_ipsw_browse() {
menu_shsh_browse() {
local newpath
local text="target"
local val="$ipsw_path.ipsw"
[[ $1 == "base" ]] && text="base"
input "Select your $text SHSH file in the file selection window."
@ -3489,17 +3497,12 @@ menu_shsh_browse() {
log "Selected SHSH file: $newpath"
log "Validating..."
if [[ $1 == "base" ]]; then
"$dir/validate" "$newpath" "$ipsw_base_path.ipsw" -z
if [[ $? != 0 ]]; then
warn "Validation failed. Did you select the correct IPSW/SHSH?"
pause
fi
else
"$dir/validate" "$newpath" "$ipsw_path.ipsw" -z
if [[ $? != 0 ]]; then
warn "Validation failed. Did you select the correct IPSW/SHSH?"
pause
fi
val="$ipsw_base_path.ipsw"
fi
"$dir/validate" "$newpath" "$val" -z
if [[ $? != 0 ]]; then
warn "Validation failed. Did you select the correct IPSW/SHSH?"
pause
fi
shsh_path="$newpath"
}
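Review bot: In menu_ipsw_browse, the relaxed base-IPSW check mixes two variables — `$device_type != "iPhone5,1"` but `$device_target_type != "iPhone5,2"`; if `device_target_type` is a different variable from `device_type` (it appears nowhere else in this diff), an iPhone5,2 with a 7.0.x base is still rejected, and the condition as written also lets an iPhone5,1 through with any non-7.1 base, not only 7.0.x as the README hunk states. The branch should test one variable and the allowed base version, e.g. `if [[ $device_base_vers != "7.1"* ]] && ! [[ $device_type == iPhone5,[12] && $device_base_vers == "7.0"* ]]; then`, which also matches the `iPhone5,[12]` pattern used in menu_ipsw above. The `log "Selected IPSW is not for iOS 7.1.x."` and the `print` line after it should then mention 7.0.x for iPhone 5, since they are now shown to that device too. menu_ipsw_browse starts and ends outside this hunk.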