Add "Save Onboard Blobs" option

linux and macos only for now

README.md

@@ -1,6 +1,6 @@
 # iOS-OTA-Downgrader
 
-- **Downgrade/restore and jailbreak supported legacy iOS devices to signed OTA firmwares**
+- **A multi-purpose script to downgrade/restore and jailbreak supported legacy iOS devices**
 - **iPhone4Down: Downgrade your iPhone 4 on Linux/Windows (using powdersn0w)**
 - **Linux, macOS, and Windows** are supported
     - Windows usage is not recommended
@@ -16,6 +16,7 @@
 - This script can also be used to enter kDFU mode for 32-bit devices
 - This script can also be used to restore your iPhone 4 back to iOS 7.1.2 with the option to jailbreak the install
 - This script can also be used to restore supported devices to their latest versions
+- This script can also be used to save on-board SHSH blobs for 32-bit devices
 
 ## Supported devices
 - [Identify your device here](https://ipsw.me/device-finder)

resources/firmware/iPad2,2/11D257/url

@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS7.1/031-4791.20140627.5r2nx/iPad2,2_7.1.2_11D257_Restore.ipsw

resources/firmware/iPad2,4/10B329/url

@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS6.1/091-2633.20130319.Xd54r/iPad2,4_6.1.3_10B329_Restore.ipsw

resources/firmware/iPad2,5/10B329/url

@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS6.1/091-2417.20130319.Nh23w/iPad2,5_6.1.3_10B329_Restore.ipsw

resources/firmware/iPad3,1/10B146/url

@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS6.1/091-0736.20130215.Wwft4/iPad3,1_6.1.2_10B146_Restore.ipsw

resources/firmware/iPad3,3/10B329/url

@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS6.1/091-2592.20130319.64uy6/iPad3,3_6.1.3_10B329_Restore.ipsw

resources/firmware/iPad3,4/10B329/url

@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS6.1/091-2407.20130319.vs6yt/iPad3,4_6.1.3_10B329_Restore.ipsw

resources/firmware/iPad3,6/10B329/url

@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS6.1/091-2347.20130319.Aqwe3/iPad3,6_6.1.3_10B329_Restore.ipsw

resources/firmware/iPhone5,1/10B329/url

@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS6.1/091-2341.20130319.C24tg/iPhone5,1_6.1.3_10B329_Restore.ipsw

resources/firmware/iPhone5,2/10B329/url

@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS6.1/091-2516.20130319.7164R/iPhone5,2_6.1.3_10B329_Restore.ipsw

resources/firmware/iPhone5,3/11B511/url

@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS7/031-0943.20131022.Mestt/iPhone5,3_7.0.3_11B511_Restore.ipsw

resources/firmware/iPhone5,4/11B651/url

@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS7/031-3516.20140221.8j5GW/iPhone5,4_7.0.6_11B651_Restore.ipsw

restore.sh

@@ -257,7 +257,7 @@ install_depends() {
 
     elif (( ubuntu_ver >= 22 )) || (( debian_ver >= 12 )) || [[ $debian_ver == "sid" ]]; then
         sudo apt update
-        sudo apt install -y bsdiff curl jq libimobiledevice6 openssh-client python3 unzip usbmuxd usbutils xmlstarlet xxd zenity zip
+        sudo apt install -y bsdiff curl jq libimobiledevice6 libirecovery-common openssh-client python3 unzip usbmuxd usbutils xmlstarlet xxd zenity zip
         sudo systemctl enable --now udev systemd-udevd usbmuxd 2>/dev/null
 
     elif [[ $ID == "fedora" || $ID == "nobara" ]] && (( VERSION_ID >= 36 )); then
@@ -289,6 +289,7 @@ install_depends() {
         sudo chown root:root /etc/udev/rules.d/39-libirecovery.rules
         sudo chmod 0644 /etc/udev/rules.d/39-libirecovery.rules
         sudo udevadm control --reload-rules
+        sudo udevadm trigger
     fi
 
     uname > "../resources/firstrun"
@@ -876,6 +877,7 @@ main_menu() {
             else
                 tmp_items+=("Send Pwned iBSS")
             fi
+            tmp_items+=("Save Onboard Blobs")
         fi
         # SSH Ramdisk for iPhone 4 GSM only
         if [[ $device_type == "iPhone3,1" ]]; then
@@ -904,6 +906,7 @@ main_menu() {
             "Restore to Latest iOS" ) mode="restore-latest"; break;;
             "SSH Ramdisk" ) mode="ramdisk4"; break;;
             "Send Pwned iBSS" ) mode="pwned-ibss"; break;;
+            "Save Onboard Blobs" ) mode="save-onboard-blobs"; break;;
             "(Re-)Install Dependencies" ) install_depends;;
             * ) break;;
         esac
@@ -1020,11 +1023,28 @@ device_fw_key_check() {
     device_fw_key="$(cat $keys_path/index.html)"
 }
 
+download_comp() {
+    # usage: download_comp [build_id] [comp]
+    local build_id="$1"
+    local comp="$2"
+    download_targetfile="$comp.$device_model"
+    if [[ $build_id != "12"* ]]; then
+        download_targetfile+="ap"
+    fi
+    download_targetfile+=".RELEASE"
+
+    if [[ -e "../saved/$device_type/${comp}_$build_id.dfu" ]]; then
+        cp "../saved/$device_type/${comp}_$build_id.dfu" ${comp}
+    else
+        log "Downloading ${comp}..."
+        "$dir/partialzip" $(cat "$device_fw_dir/$build_id/url") "Firmware/dfu/$download_targetfile.dfu" ${comp}
+        cp ${comp} "../saved/$device_type/${comp}_$build_id.dfu"
+    fi
+}
+
 patch_ibss() {
     # creates file pwnediBSS to be sent to device
-    local targetfile="iBSS."
     local build_id
-
     case $device_type in
         iPad3,1 | iPhone3,[123] )
             build_id="11D257"
@@ -1036,27 +1056,59 @@ patch_ibss() {
 
         * )
             build_id="12H321"
-            targetfile+="${device_model}.RELEASE"
             ;;
     esac
-
-    if [[ $build_id != "12"* ]]; then
-        targetfile+="${device_model}ap.RELEASE"
-    fi
-
-    if [[ -e "../saved/$device_type/iBSS_$build_id.dfu" ]]; then
-        cp "../saved/$device_type/iBSS_$build_id.dfu" iBSS
-    else
-        log "Downloading iBSS..."
-        "$dir/partialzip" $(cat "$device_fw_dir/$build_id/url") "Firmware/dfu/$targetfile.dfu" iBSS
-        cp iBSS "../saved/$device_type/iBSS_$build_id.dfu"
-    fi
+    download_comp $build_id iBSS
     log "Patching iBSS..."
-    $bspatch iBSS pwnediBSS "../resources/patch/$targetfile.patch"
+    $bspatch iBSS pwnediBSS "../resources/patch/$download_targetfile.patch"
     cp pwnediBSS ../saved/$device_type
     log "Pwned iBSS saved at: saved/$device_type/pwnediBSS"
 }
 
+patch_ibec() {
+    # creates file pwnediBEC to be sent to device for blob dumping
+    local build_id
+    case $device_type in
+        iPad2,[145] | iPad3,[346] | iPhone4,1 | iPhone5,[12] | iPod5,1 )
+            build_id="10B329"
+            ;;
+
+        iPad2,2 | iPhone3,[123] )
+            build_id="11D257"
+            ;;
+
+        iPad2,[367] | iPad3,[25] )
+            build_id="12H321"
+            ;;
+
+        iPad3,1 )
+            build_id="10B146"
+            ;;
+
+        iPhone5,3 )
+            build_id="11B511"
+            ;;
+
+        iPhone5,4 )
+            build_id="11B651"
+            ;;
+    esac
+    download_comp $build_id iBEC
+    device_target_build=$build_id
+    device_fw_key_check
+    local name=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("iBEC")) | .filename')
+    local iv=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("iBEC")) | .iv')
+    local key=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("iBEC")) | .key')
+    log "Decrypting iBEC"
+    mv iBEC $name.orig
+    "$dir/xpwntool" $name.orig $name.dec -iv $iv -k $key -decrypt
+    "$dir/xpwntool" $name.dec $name.raw
+    log "Patching iBEC"
+    $bspatch $name.raw $name.patched "../resources/patch/$download_targetfile.patch"
+    "$dir/xpwntool" $name.patched pwnediBEC -t $name.dec
+    rm $name.dec $name.orig $name.raw $name.patched
+}
+
 ipsw_path_set() {
     : '
     set variable ipsw_path, ipsw_custom, also ipsw_path_712 for iphone 4
@@ -2145,6 +2197,31 @@ device_ramdisk4() {
     print "    reboot_bak"
 }
 
+shsh_save_onboard() {
+    if [[ $platform == "windows" ]]; then
+        log "Saving onboard SHSH is not (yet) supported on Windows"
+        return
+    fi
+    device_target_other=1
+    ipsw_path_set
+    device_enter_mode kDFU
+    patch_ibec
+    $irecovery -f pwnediBEC
+    sleep 5
+    device_find_mode Recovery
+    (echo -e "/send ../resources/payload\ngo blobs\n/exit") | ${irecovery}2 -s
+    ${irecovery}2 -g myblob.dump
+    $irecovery -n
+    "$dir/ticket" myblob.dump myblob.plist "$ipsw_path.ipsw" -z
+    "$dir/validate" myblob.plist "$ipsw_path.ipsw" -z
+    if [[ ! -s myblob.plist ]]; then
+        warn "Saving onboard blobs failed."
+        return
+    fi
+    mv myblob.plist ../saved/shsh/$device_ecid-$device_type-$device_target_vers.shsh
+    log "Successfully saved $device_target_vers blobs: saved/shsh/$device_ecid-$device_type-$device_target_vers.shsh"
+}
+
 main() {
     clear
     print "******* iOS-OTA-Downgrader *******"
@@ -2227,6 +2304,10 @@ main() {
             device_enter_mode pwnDFU
             ;;
 
+        "save-onboard-blobs" )
+            shsh_save_onboard
+            ;;
+
         * )
             log "No valid option selected."
             ;;