Add full t8010 support by Cryptiiiic · Pull Request #3 · LinusHenze/ipwndfu_public

Cryptiiiic · 2019-10-06T22:05:18Z

Tested by many people and works on all a10(so 7 and 7 plus, etc)(t8010).

ghost · 2019-10-06T23:28:40Z

Hi @Cryptiiiic, how did you check the upload of unsigned images?

Cryptiiiic · 2019-10-06T23:48:01Z

@kellermanrivero I had full control in irecovery. I set my nonce. (device is on 13.0).

krisanovdev · 2019-10-07T16:10:57Z

@Cryptiiiic I still can't send custom ibss via -f flag (iPhone 7).

ghost · 2019-10-07T16:28:05Z

Me too, I tried upload both signed and unsigned iBSS / iBEC without success.

Cryptiiiic · 2019-10-07T17:16:06Z

@kellermanrivero @Mrkris99 @kellermanrivero need to decrypt with img4 left decrypted, extract the raw from the decrypted, do the patches, change the info for the bootloader specific tag and output the im4p. Sign the im4p using an shsh blob. Tihmstar was talking about this on twitter.

krisanovdev · 2019-10-08T07:51:40Z

Why do i need to sign it? I mean if we in pwned dfu Mode then no shsh blobs should be required? Can you give us some details??

Halo-Michael · 2019-10-08T17:04:38Z

Also works for me(iPhone7).

krisanovdev · 2019-10-08T18:40:26Z

@Nalo-Michael
How did you realize what boot-nonce should you pass in sentenv to got NONC equals 8f3d00......?

krisanovdev · 2019-10-08T18:42:58Z

Also when I send custom ramdisk (3.4 GB, with irecovery -f) it stucks on 15%.

513697696 · 2019-10-13T14:14:08Z

也适用于我（iPhone7）。

Can you give me a detailed tutorial? It's too difficult for a novice.

krisanovdev · 2019-10-21T18:28:20Z

Works for me.

cakarlen · 2019-10-21T18:41:20Z

@Mrkris99 What steps did you follow?

sitay1 · 2019-11-26T08:31:27Z

@Mrkris99 can you provide more details?

krisanovdev · 2019-12-02T13:44:23Z

@cakarlen @sitay1 I've just fakesigned ibss bootloader from iOS firmware (like #3 (comment))
and verified that it was consumed by securerom correctly.

krisanovdev · 2019-12-02T13:48:33Z

@Cryptiiiic Looks like there is an issue with writing to bootrom memory. I've tried next script:
`
BOOTSTRAP_TASK_LR = 0x1800a9f68 # address in stack where the code should return to, after calling getDFUImage
DFU_BOOL = 0x180088AC0 # dfu_done (see handle_interface_request)
DFU_NOTIFY = 0x10000AEE8 # event_signal (see handle_interface_request)
DFU_STATE = 0x180088AF0 # dfu_event (see handle_interface_request)
TRAMPOLINE = 0x1800AC000 # see L_boot_trampoline_dst --> last const after main or the value returned by platform_get_boot_trampoline()

device.write_memory(TRAMPOLINE, checkm8.asm_arm64_branch(TRAMPOLINE, TRAMPOLINE + 0x400))
device.write_memory(TRAMPOLINE + 0x400, open('bin/t8010_shellcode_arm64.bin').read())
device.write_memory_ptr(BOOTSTRAP_TASK_LR, NAND_BOOT_JUMP)
device.write_memory(DFU_BOOL, '\x01')
device.execute(0, DFU_NOTIFY, DFU_STATE)
print 'Booted.'
`
And there is fail on device.write_memory(TRAMPOLINE, checkm8.asm_arm64_branch(TRAMPOLINE, TRAMPOLINE + 0x400))

Cryptiiiic · 2019-12-02T18:25:14Z

./ipwndfu -p
python rmsigchks.py
irecovery -f RANDOMFILE_TO_RESET_TRANSFER
irecovery -f iBSS.patched.img4
wait 5ish seconds
irecovery -f iBEC.patched.img4
irecovery -c "go"
wait 5ish seconds
profit
@Mrkris99 should work fine, for that type of bootrom thing, you will need offsets and sizes only obtainable by dynamic analysis. Most likely need a debug cable.

sitay1 · 2019-12-04T18:53:23Z

on what device / ios version did you run that?

…

On Mon, Dec 2, 2019 at 8:25 PM Liam(Cryptic) ***@***.***> wrote: ./ipwndfu -p python rmsigchks.py irecovery -f RANDOMFILE_TO_RESET_TRANSFER irecovery -f iBSS.patched.img4 wait 5ish seconds irecovery -f iBEC.patched.img4 irecovery -c "go" wait 5ish seconds profit @Mrkris99 <https://github.com/MrKris99> should work fine — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#3?email_source=notifications&email_token=AACBABAGUQ2PRCTETBAUZCLQWVHIXA5CNFSM4I556BE2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEFUNROI#issuecomment-560519353>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACBABD7KCSYRILJO2ZBSOLQWVHIXANCNFSM4I556BEQ> .

-- *Thanks,* *Itay Levin*

Cryptiiiic · 2019-12-04T18:58:16Z

@sitay1 t8010 iPhone9,1 (7) 13.0 using 13.0 bootloaders(iBSS, iBEC)

sitay1 · 2019-12-05T17:52:05Z

Thanks, i will try as well.

…

On Wed, Dec 4, 2019 at 8:58 PM Liam(Cryptic) ***@***.***> wrote: @sitay1 <https://github.com/sitay1> iPhone9,1 (7) 13.0 using 13.0 bootloaders(iBSS, iBEC) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#3?email_source=notifications&email_token=AACBABB2M7FOCMSXLBTPEULQW74UTA5CNFSM4I556BE2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEF6DW2Y#issuecomment-561789803>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACBABGUSF22U64YIVU7PI3QW74UTANCNFSM4I556BEQ> .

-- *Thanks,* *Itay Levin*

pharaoh1 · 2020-10-28T02:32:19Z

./ipwndfu -p
python rmsigchks.py
irecovery -f RANDOMFILE_TO_RESET_TRANSFER
irecovery -f iBSS.patched.img4
wait 5ish seconds
irecovery -f iBEC.patched.img4
irecovery -c "go"
wait 5ish seconds
profit
@Mrkris99 should work fine, for that type of bootrom thing, you will need offsets and sizes only obtainable by dynamic analysis. Most likely need a debug cable.

Are the same steps working with Iph X???

Cryptiiiic · 2020-10-28T09:56:00Z

@pharaoh1 stop

[WIP] Myriad changes, see comments

frankl1m · 2022-05-06T11:40:21Z

Exploit for t8011 is a full headache, 1 lucky attempt of 30 :( work too bad on pad7,4

Sawen1981 · 2022-10-14T20:32:01Z

Does anyone know where I can find documentation on patching DeviceTree?

Add full t8010 support

8c0f20d

Cryptiiiic mentioned this pull request Oct 6, 2019

Add image loading support for t8010 #1

Closed

Add iPhone X verbose boot demo

5d5ec3f

ghost pushed a commit to lunaynx/ipwndfu that referenced this pull request Feb 18, 2022

Merge pull request LinusHenze#3 from cxnder/master

50daf55

[WIP] Myriad changes, see comments

Conversation

Cryptiiiic commented Oct 6, 2019

Uh oh!

ghost commented Oct 6, 2019

Uh oh!

Cryptiiiic commented Oct 6, 2019

Uh oh!

krisanovdev commented Oct 7, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ghost commented Oct 7, 2019

Uh oh!

Cryptiiiic commented Oct 7, 2019

Uh oh!

krisanovdev commented Oct 8, 2019

Uh oh!

Halo-Michael commented Oct 8, 2019

Uh oh!

krisanovdev commented Oct 8, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

krisanovdev commented Oct 8, 2019

Uh oh!

513697696 commented Oct 13, 2019

Uh oh!

krisanovdev commented Oct 21, 2019

Uh oh!

cakarlen commented Oct 21, 2019

Uh oh!

sitay1 commented Nov 26, 2019

Uh oh!

krisanovdev commented Dec 2, 2019

Uh oh!

krisanovdev commented Dec 2, 2019

Uh oh!

Cryptiiiic commented Dec 2, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

sitay1 commented Dec 4, 2019 via email

Uh oh!

Cryptiiiic commented Dec 4, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

sitay1 commented Dec 5, 2019 via email

Uh oh!

pharaoh1 commented Oct 28, 2020

Uh oh!

Cryptiiiic commented Oct 28, 2020

Uh oh!

frankl1m commented May 6, 2022

Uh oh!

Sawen1981 commented Oct 14, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

10 participants

krisanovdev commented Oct 7, 2019 •

edited

Loading

krisanovdev commented Oct 8, 2019 •

edited

Loading

Cryptiiiic commented Dec 2, 2019 •

edited

Loading

Cryptiiiic commented Dec 4, 2019 •

edited

Loading