From 9df34f0e351b8af4036838154291de36027824c4 Mon Sep 17 00:00:00 2001 From: LukeZGD <26163116+LukeZGD@users.noreply.github.com> Date: Sat, 20 Jan 2024 01:11:26 +0800 Subject: [PATCH] 64-bit onboard blob dump just some deverser thing here (again, might as well with img4tool) --- restore.sh | 93 +++++++++++++++++++++++++++++++++++------------------- 1 file changed, 60 insertions(+), 33 deletions(-) diff --git a/restore.sh b/restore.sh index fc818f3..9b5041b 100755 --- a/restore.sh +++ b/restore.sh @@ -937,6 +937,13 @@ device_sshpass() { ssh="$dir/sshpass -p $pass $ssh2" } +device_iproxy() { + log "Running iproxy for SSH..." + $iproxy 2222 22 >/dev/null & + iproxy_pid=$! + sleep 1 +} + device_find_all() { # find device stuff from palera1n legacy local opt @@ -1081,10 +1088,7 @@ device_enter_mode() { fi patch_ibss - log "Running iproxy for SSH..." - $iproxy 2222 22 >/dev/null & - iproxy_pid=$! - sleep 1 + device_iproxy log "Please read the message below:" print "* Follow these instructions to enter kDFU mode." @@ -3788,10 +3792,7 @@ device_ramdisk64() { $irecovery -f $ramdisk_path/Kernelcache.img4 $irecovery -c bootx - log "Running iproxy for SSH..." - $iproxy 2222 22 >/dev/null & - iproxy_pid=$! - sleep 1 + device_iproxy device_sshpass alpine print "* Booted SSH ramdisk is based on: https://github.com/verygenericname/SSHRD_Script" @@ -4020,10 +4021,7 @@ device_ramdisk() { device_find_mode Restore 25 fi - log "Running iproxy for SSH..." - $iproxy 2222 22 >/dev/null & - iproxy_pid=$! - sleep 1 + device_iproxy device_sshpass alpine case $mode in @@ -4259,7 +4257,7 @@ menu_ramdisk() { "reboot" ) $ssh -p 2222 root@127.0.0.1 "$reboot"; loop=1;; "exit" ) loop=1;; "dump-blobs" ) - shsh="../saved/shsh/$device_type-$(date +%Y-%m-%d-%H%M).shsh2" + local shsh="../saved/shsh/$device_ecid-$device_type-$(date +%Y-%m-%d-%H%M).shsh2" $ssh -p 2222 root@127.0.0.1 "cat /dev/rdisk1" | dd of=dump.raw bs=256 count=$((0x4000)) "$dir/img4tool" --convert -s $shsh dump.raw log "Onboard blobs should be dumped to $shsh" @@ -4270,8 +4268,35 @@ menu_ramdisk() { done } +shsh_save_onboard64() { + log "Proceeding to dump onboard blobs on normal mode" + print "* There are other ways for dumping onboard blobs for 64-bit devices as listed below:" + print "* For A7 devices, you can use SSH Ramdisk to dump onboard blobs: Other Utilities -> SSH Ramdisk" + print "* For A8 devices and newer, use SSHRD_Script: https://github.com/verygenericname/SSHRD_Script" + if [[ $device_mode != "Normal" ]]; then + warn "Device must be in normal mode and jailbroken, cannot continue." + return + fi + print "* Make sure to have OpenSSH and Core Utilities installed on your iOS device." + print "* Only proceed if you have these requirements installed using Cydia/Zebra/Sileo." + print "* You will be prompted to enter the root password of your iOS device." + print "* The default root password is: alpine" + device_iproxy + device_sshpass + local shsh="../saved/shsh/$device_ecid-$device_type-$device_vers-$device_build.shsh2" + $ssh -p 2222 root@127.0.0.1 "cat /dev/disk1" | dd of=dump.raw bs=256 count=$((0x4000)) + "$dir/img4tool" --convert -s $shsh dump.raw + if [[ ! -s $shsh ]]; then + error "Saving onboard SHSH blobs failed." + fi + log "Successfully saved $device_vers blobs: $shsh" +} + shsh_save_onboard() { - if [[ $device_proc == 4 ]] || [[ $device_proc == 6 && $platform == "macos" ]]; then + if (( device_proc >= 7 )); then + shsh_save_onboard64 + return + elif [[ $device_proc == 4 ]] || [[ $device_proc == 6 && $platform == "macos" ]]; then device_buttons else device_enter_mode kDFU @@ -4298,8 +4323,9 @@ shsh_save_onboard() { if [[ ! -s myblob.shsh ]]; then error "Saving onboard SHSH blobs failed." fi - mv myblob.shsh ../saved/shsh/$device_ecid-$device_type-$device_target_vers.shsh - log "Successfully saved $device_target_vers blobs: saved/shsh/$device_ecid-$device_type-$device_target_vers.shsh" + local shsh="../saved/shsh/$device_ecid-$device_type-$device_target_vers-$device_target_build.shsh" + mv myblob.shsh $shsh + log "Successfully saved $device_target_vers blobs: $shsh" } shsh_save_cydia() { @@ -4390,7 +4416,7 @@ menu_main() { menu_items+=("Jailbreak Device") fi fi - if (( device_proc < 8 )) && [[ $device_proc != 1 ]]; then + if [[ $device_proc != 1 ]]; then menu_items+=("Save SHSH Blobs") fi if [[ $device_mode == "Normal" ]]; then @@ -4489,10 +4515,10 @@ menu_shsh() { iPad2,[123] | iPhone4,1 ) menu_items+=("iOS 6.1.3");; esac + if [[ $device_mode != "none" ]]; then + menu_items+=("Onboard Blobs") + fi if (( device_proc < 7 )); then - if [[ $device_mode != "none" ]]; then - menu_items+=("Onboard Blobs") - fi menu_items+=("Cydia Blobs") fi menu_items+=("Go Back") @@ -4537,6 +4563,9 @@ menu_shsh_onboard() { local back ipsw_path= + if (( device_proc >= 7 )); then + mode="save-onboard-blobs" + fi while [[ -z "$mode" && -z "$back" ]]; do menu_items=("Select IPSW") menu_print_info @@ -5219,17 +5248,19 @@ menu_other() { esac menu_items+=("Get iOS Version") fi - if [[ $device_type == "iPhone"* ]]; then + if [[ $device_type == "iPhone"* && $device_mode == "Normal" ]]; then menu_items+=("Dump Baseband") fi - menu_items+=("Clear NVRAM") + menu_items+=("Clear NVRAM" "Activation Records") if [[ $device_type != "iPod2,1" ]]; then menu_items+=("Just Boot") fi else menu_items+=("Enter pwnDFU Mode") fi - menu_items+=("Activation Records") + if [[ $device_mode == "Normal" ]]; then + menu_items+=("Activation Records") + fi case $device_type in iPhone3,[13] | iPad1,1 | iPod3,1 ) menu_items+=("Disable/Enable Exploit");; iPhone2,1 ) menu_items+=("Install alloc8 Exploit");; @@ -5412,10 +5443,7 @@ device_dump() { print "* Only proceed if you have these requirements installed using Cydia/Zebra." print "* You will be prompted to enter the root password of your iOS device." print "* The default root password is: alpine" - log "Running iproxy for SSH..." - $iproxy 2222 22 >/dev/null & - iproxy_pid=$! - sleep 1 + device_iproxy device_sshpass log "Creating $arg.tar" if [[ $arg == "activation" ]]; then @@ -5476,10 +5504,7 @@ device_hacktivate() { print "* This will use SSH to patch lockdownd on your device for hacktivation." print "* Hacktivation is for iOS versions 3.1 to 6.1.6." pause - log "Running iproxy for SSH..." - $iproxy 2222 22 >/dev/null & - iproxy_pid=$! - sleep 1 + device_iproxy device_sshpass log "Getting lockdownd" $scp -P 2222 root@127.0.0.1:/usr/libexec/lockdownd . @@ -5732,8 +5757,10 @@ main() { "actrec" ) device_dump activation log "Activation records dumping is done" - print "* To stitch records to IPSW, run Legacy iOS Kit with --activation-records argument:" - print " > ./restore.sh --activation-records" + if (( device_proc < 7 )); then + print "* To stitch records to IPSW, run Legacy iOS Kit with --activation-records argument:" + print " > ./restore.sh --activation-records" + fi ;; "save-ota-blobs" ) shsh_save;; "kdfu" ) device_enter_mode kDFU;;