diff --git a/DeviceSupport/iPad3_1/partition.py b/DeviceSupport/iPad3_1/partition.py index 3af0f41..0399e1a 100644 --- a/DeviceSupport/iPad3_1/partition.py +++ b/DeviceSupport/iPad3_1/partition.py @@ -5,7 +5,6 @@ import time import paramiko -import ioscrypto import osinfo import mountDevice import ssh @@ -18,9 +17,19 @@ SystemPartitionPadding = "" +def decrypt_ramdisk(osInfo: osinfo.OSInfo, key, iv): + print("Trying to get SystemPartitionSize from RestoreRamdisk") + plist = readPlist(os.path.join(os.path.abspath("."), "firmware/Restore.plist")) + print("RestoreRamdisk: " + plist['RestoreRamDisks']['User']) + print("-> Decrypting RestoreRamdisk") + os.system("./tools/" + osInfo.getosplatform() + "/xpwntool firmware/" + + plist['RestoreRamDisks']['User'] + " RestoreRamdisk.dmg -k " + + key + " -iv " + iv) + + def partitionDevice_stage1(osInfo: osinfo.OSInfo, shell, storage: int, key, iv): global guid_data, guid_system, attributeFlags_data, SystemPartitionPadding - shell.send("gptfdisk\n/dev/rdisk0s1\ni\n1\n") + shell.send("gptfdisk /dev/rdisk0s1\ni\n1\n") while True: time.sleep(0.5) line = shell.recv(1024) @@ -54,13 +63,7 @@ def partitionDevice_stage1(osInfo: osinfo.OSInfo, shell, storage: int, key, iv): line = shell.recv(1024) if line: break - print("Trying to get SystemPartitionSize from RestoreRamdisk") - plist = readPlist(os.path.join(os.path.abspath("."), "firmware/Restore.plist")) - print("RestoreRamdisk: " + plist['RestoreRamDisks']['User']) - print("-> Decrypting RestoreRamdisk") - ioscrypto.decryptImg3(osInfo, os.path.join(os.path.abspath("."), - "firmware/" + plist['RestoreRamDisks']['User']), - os.path.abspath(".") + "/RestoreRamdisk.dmg", key, iv) + decrypt_ramdisk(osInfo, key, iv) print("-> Mounting RestoreRamdisk") mountDevice.mountDevice(osInfo, os.path.join(os.path.abspath("."), "RestoreRamdisk.dmg"), "mountpoint") plist = readPlist(os.path.join("./DeviceSupport/iPad3_1", "mountpoint/usr/local/share/restore/options.j1.plist")) 
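Review bot: The new `decrypt_ramdisk` in the second hunk builds the xpwntool command line by string concatenation and hands it to `os.system`, so the `key` and `iv` values (which this diff shows coming from the external key lookup in `ioscrypto.getKeyAndIV`) and the ramdisk file name read from Restore.plist are all interpreted by the shell, and the exit status is discarded, so a failed decrypt leaves a stale or missing RestoreRamdisk.dmg for the mount step that the third hunk runs next. Pass an argument list to `subprocess.run` (adding `import subprocess` to the import block touched by the first hunk) and stop on a non-zero return; the same concatenate-and-`os.system` pattern is still present in ioscrypto.py's `decryptImg3` and `decryptRootFS` later in this diff. Only `tools/macosx/xpwntool` is added by this commit, so on other platforms the `./tools/<platform>/xpwntool` path presumably does not exist and deserves an explicit check or message. `partitionDevice_stage1` continues outside the hunk.
```python
def decrypt_ramdisk(osInfo: osinfo.OSInfo, key, iv):
    """Decrypt the RestoreRamdisk named in firmware/Restore.plist to ./RestoreRamdisk.dmg.

    Stops the program when xpwntool returns non-zero so that the caller never
    mounts a stale or missing image.
    """
    print("Trying to get SystemPartitionSize from RestoreRamdisk")
    plist = readPlist(os.path.join(os.path.abspath("."), "firmware/Restore.plist"))
    ramdisk = plist['RestoreRamDisks']['User']
    print("RestoreRamdisk: " + ramdisk)
    print("-> Decrypting RestoreRamdisk")
    tool = "./tools/" + osInfo.getosplatform() + "/xpwntool"
    # argument list, not a shell string: key, iv and file name reach xpwntool verbatim
    result = subprocess.run([tool, "firmware/" + ramdisk, "RestoreRamdisk.dmg", "-k", key, "-iv", iv])
    if result.returncode != 0:
        print("Failed to decrypt RestoreRamdisk (xpwntool exit status " + str(result.returncode) + ")")
        exit(1)
```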
@@ -84,7 +87,7 @@ def partitionDevice_stage1(osInfo: osinfo.OSInfo, shell, storage: int, key, iv): line = shell.recv(1024) if line: break - print(line.decode('utf-8')) + # print(line.decode('utf-8')) print("Setting up attribute flags. FLAG=" + attributeFlags_data) if attributeFlags_data == "0000000000000000": shell.send("\n") @@ -108,33 +111,21 @@ def partitionDevice_stage1(osInfo: osinfo.OSInfo, shell, storage: int, key, iv): line = shell.recv(1024) if line: break - # For testing purposes, I commented this. - ''' - choice = input("WARNING: !!! Your data will ALL LOST after this operation. !!!" - "\nHere is a confirmation for this operation. Enter Y to continue, Enter N to abort.\n" - "Your choice (Make sure you know what you are doing): ") - if choice == "Y": - shell.send("w\nY\n") - else: - print("You have Entered N or other content. exiting.") - shell.send("q\n") - exit(1) - ''' - shell.send("q\n") + shell.send("w\nY\n") while True: time.sleep(0.5) line = shell.recv(1024) if line: break print("Scanning partitions.") - shell.send("sync; sync; sync; fsck_hfs -q /dev/disk0s1s1") + shell.send("sync; sync; sync; fsck_hfs -q /dev/disk0s1s1\n") while True: time.sleep(0.5) line = shell.recv(1024) if line or line.endswith(b'# '): break print(line.decode('utf-8')) - shell.send("fsck_hfs -q /dev/disk0s1s2") + shell.send("fsck_hfs -q /dev/disk0s1s2\n") while True: time.sleep(0.5) line = shell.recv(1024) 
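Review bot: In the second hunk, `shell.send("w\nY\n")` now writes the new partition table unconditionally, replacing both the commented-out confirmation prompt and the previous `q` (quit without writing), so `partitionDevice_stage1` becomes destructive with no operator confirmation at all; keep one explicit `input(...)` gate before the write, or make the write opt-in through a keyword argument. The wait loop after the new `sync; sync; sync; fsck_hfs -q /dev/disk0s1s1\n` send still uses `if line or line.endswith(b'# ')`, which is equivalent to `if line:` and returns on the first output chunk rather than on the prompt — `if line.endswith(b'# '):`, as restore.py is changed to do in this same commit. In the first hunk, `# print(line.decode('utf-8'))` is commented-out code; delete the line rather than keep it. `partitionDevice_stage1` starts and ends outside these hunks.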
@@ -151,17 +142,19 @@ def partitionDevice_stage2(sshClient: paramiko.SSHClient): while True: time.sleep(0.5) line = shell.recv(1024) - if line: + if line.endswith(b'# '): break ssh.scp_transfer_file(sshClient, os.path.abspath(".") + "/firmware/kernelcache.release.j1", "/mnt1/kernelcache.release.j1") - shell.send("df -B1") + shell.send("df -B1\n") while True: time.sleep(0.5) line = shell.recv(1024) - if line: + if line.endswith(b'# '): + line_stored = line + print(line_stored.decode('utf-8')) break - lines = line.decode('utf-8').split('\n') + lines = line_stored.decode('utf-8').split('\n') fslist = [] try: for i in lines: @@ -170,18 +163,21 @@ def partitionDevice_stage2(sshClient: paramiko.SSHClient): while '' in fslist[x]: fslist[x].remove('') for i in range(0, len(fslist) - 1): - if list[i][0] == "/dev/disk0s1s1": - resizedPartitionSize = int(fslist[i][2]) + SystemPartitionPadding - if resizedPartitionSize == SystemPartitionPadding: + if fslist[i][0] == "/dev/disk0s1s1": + print("/dev/disk0s1s1 used size is " + str(fslist[i][2]) + " bytes") + resizedPartitionSize = int(fslist[i][2]) + int(SystemPartitionPadding) * 1024 * 1024 + if resizedPartitionSize == int(SystemPartitionPadding) * 1024 * 1024: print("Failed to get resized partition size") exit(1) except Exception: print("Unhandled exception occurred when trying to get resized partition size.") + import traceback + print(traceback.format_exc()) resizedPartitionSize = int(input("Please enter it manually.\nSIZE (in bytes): ")) print("Please make sure it is correct! Or you will fail at resizing partition!") print("Resized Partition Size = " + str(resizedPartitionSize)) print("Resizing partition") - shell.send("hfs_resize /mnt1 " + str(resizedPartitionSize)) + shell.send("hfs_resize /mnt1 " + str(resizedPartitionSize) + "\n") while True: time.sleep(0.5) line = shell.recv(1024) 
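Review bot: `line_stored` in the first hunk keeps only the last `recv(1024)` chunk — the one that ends with the prompt — so whenever the `df -B1` output spans more than one chunk, the `/dev/disk0s1s1` row is thrown away and the code falls through to the manual-size prompt in the second hunk. Accumulate chunks until the buffer ends with `b'# '` and parse the whole buffer; the loops in `delete_partitions`, restore.py and setup.py that print only the final chunk have the same limitation. The row loop `for i in range(0, len(fslist) - 1)` (context) also skips the last row of the table, which is one place the partition row can land. The `import traceback` inside the `except` belongs with the other imports at the top of the file. `partitionDevice_stage2` starts and ends outside these hunks.
```python
    shell.send("df -B1\n")
    # recv(1024) hands back one chunk at a time; keep everything until the prompt so the
    # /dev/disk0s1s1 row is not lost when it arrives before the chunk that ends with '# '
    output = b''
    while True:
        time.sleep(0.5)
        output += shell.recv(1024)
        if output.endswith(b'# '):
            break
    print(output.decode('utf-8'))
    lines = output.decode('utf-8').split('\n')
    # … unchanged: fslist construction …
    for i in range(0, len(fslist)):  # include the last row of the df table
        # … unchanged: /dev/disk0s1s1 lookup and padding arithmetic …
```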
@@ -197,7 +193,9 @@ def partitionDevice_stage2(sshClient: paramiko.SSHClient): if line: break print("Creating new partitions") - shell.send("n\n1\n\n" + str(int(resizedPartitionSize)) + + SystemPartitionSizeInSectors = int(resizedPartitionSize) / 4096 + print("Sectors: " + str(int(SystemPartitionSizeInSectors))) + shell.send("n\n1\n\n" + str(int(SystemPartitionSizeInSectors)) + "\n\nc\n1\nSystem\nn\n2\n\n\n\nc\n2\nData\nx\na\n2\n") while True: time.sleep(0.5) 
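Review bot: `SystemPartitionSizeInSectors = int(resizedPartitionSize) / 4096` is true division and the later `int(...)` truncates, so a byte count that is not a multiple of 4096 is rounded down and the partition created by the `n\n1\n\n...` command ends up smaller than the filesystem that was just resized to `resizedPartitionSize`; round up instead, `SystemPartitionSizeInSectors = -(-int(resizedPartitionSize) // 4096)`. The 4096-byte sector size is also hard-coded in `delete_partitions` (`partition_size * 4096`) — name it once as a module constant with a comment saying it is assumed rather than read from the device. `partitionDevice_stage2` starts and ends outside the hunk.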
@@ -228,33 +226,118 @@ def partitionDevice_stage2(sshClient: paramiko.SSHClient): line = shell.recv(1024) if line: break - choice = input("WARNING: !!! Downgrade may fail after this operation !!!" - "\nHere is a confirmation for this operation. Enter Y to continue, Enter N to abort.\n" - "Your choice (Make sure you know what you are doing): ") - if choice == "Y": - shell.send("w\nY\n") + shell.send("w\nY\n") + while True: + time.sleep(0.5) + line = shell.recv(1024) + if line: + break + print("Scanning partitions.") + shell.send("sync; sync; sync; fsck_hfs -q /dev/disk0s1s1\n") + while True: + time.sleep(0.5) + line = shell.recv(1024) + if line.endswith(b'# '): + break + print(line.decode('utf-8')) + shell.send("fsck_hfs -q /dev/disk0s1s2\n") + while True: + time.sleep(0.5) + line = shell.recv(1024) + if line.endswith(b'# '): + break + print(line.decode('utf-8')) + print("Stage 2 succeed.") + + +def delete_partitions(shell): + print("Copying hfs_resize") + shell.send("cp /usr/bin/hfs_resize /mnt1\n") + while True: + time.sleep(0.5) + line = shell.recv(1024) + if line.endswith(b'# '): + break + print("Copying kloader") + shell.send("cp /usr/bin/kloader /mnt1\n") + while True: + time.sleep(0.5) + line = shell.recv(1024) + if line.endswith(b'# '): + break + global guid_data, guid_system, attributeFlags_data, SystemPartitionPadding + shell.send("gptfdisk /dev/rdisk0s1\n") + print("NOTE: These following operations won't write to disk at this moment.") + print("Deleting partitions") + shell.send("d\n2\nd\n3\nd\n4\n") + while True: + time.sleep(0.5) + line = shell.recv(1024) + if line: + break + print("Creating new partitions") + shell.send("n\n2\n\n\n\nc\n2\nData\nx\na\n2\n") + while True: + time.sleep(0.5) + line = shell.recv(1024) + if line: + break + print(line.decode('utf-8')) + + print("Setting up attribute flags. 
FLAG=" + attributeFlags_data) + if attributeFlags_data == "0000000000000000": + shell.send("\n") + elif attributeFlags_data == "0001000000000000": + shell.send("48\n\n") + elif attributeFlags_data == "0003000000000000": + shell.send("48\n49\n\n") else: - print("You have Entered N or other content. exiting.") - shell.send("q\n") + print("Unrecognized attribute flags for partition \"Data\".") + print("exiting") exit(1) - shell.send("q\n") while True: time.sleep(0.5) line = shell.recv(1024) if line: break - print("Scanning partitions.") - shell.send("sync; sync; sync; fsck_hfs -q /dev/disk0s1s1") + print("Setting up GUID.") + shell.send("c\n2\n" + guid_data + "\n") while True: time.sleep(0.5) line = shell.recv(1024) - if line or line.endswith(b'# '): + if line: + break + print("Requesting partition size.") + shell.send("i\n2\n") + while True: + time.sleep(0.5) + line = shell.recv(1024) + if line: + pos = line.decode('utf-8').find('Partition size: ') + pos2 = line.decode('utf-8').find(' sectors') + print(line.decode('utf-8')[pos+16:pos2]) + partition_size = int(line.decode('utf-8')[pos+16:pos2]) + if partition_size == 0: + print("Failed to get partition size! Exiting") + exit(1) + break + partition_size_in_bytes = partition_size * 4096 + print("Size for partition \"Data\": " + str(partition_size)) + print(" In bytes: " + str(partition_size_in_bytes)) + shell.send("w\nY\n") + while True: + time.sleep(0.5) + line = shell.recv(1024) + if line: break print(line.decode('utf-8')) - shell.send("fsck_hfs -q /dev/disk0s1s2") + print("Partition has been deleted. The device will freeze! Don't do anything on the device!") + print("Resizing partition") + shell.send("/mnt1/hfs_resize /dev/disk0s1s2 " + str(partition_size_in_bytes) + "\n") while True: time.sleep(0.5) line = shell.recv(1024) if line or line.endswith(b'# '): break - print(line.decode('utf-8')) + print("Successfully resized partition") + print("DONE") \ No newline at end of file 
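Review bot: In `delete_partitions`, the result of `.find('Partition size: ')` is never checked for -1: when the first non-empty chunk returned for `i\n2\n` does not contain that string (output arrives in `recv(1024)` pieces), the slice `[pos+16:pos2]` yields an arbitrary substring and `int()` raises an uncaught ValueError, while `partition_size == 0` is the only failure the code handles. Check both `find` results, accumulate output until the size line is present, and bound the wait instead of looping forever; `print("Successfully resized partition")` is likewise printed regardless of what `/mnt1/hfs_resize` reported. Minor: the `global` line declares `guid_system` and `SystemPartitionPadding`, which this function never uses, and the file now ends without a trailing newline.
```python
    print("Requesting partition size.")
    shell.send("i\n2\n")
    output = b''
    partition_size = 0
    for _ in range(20):  # poll for up to ~10 s instead of looping forever
        time.sleep(0.5)
        output += shell.recv(1024)
        text = output.decode('utf-8', 'replace')
        pos = text.find('Partition size: ')
        pos2 = text.find(' sectors', pos)
        if pos != -1 and pos2 != -1:
            partition_size = int(text[pos + len('Partition size: '):pos2])
            break
    if partition_size == 0:
        print("Failed to get partition size! Exiting")
        print(output.decode('utf-8', 'replace'))
        exit(1)
    # … unchanged: byte conversion, write, hfs_resize …
```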
diff --git a/DeviceSupport/iPad3_1/recovery.py b/DeviceSupport/iPad3_1/recovery.py index b03761c..ab523cc 100644 --- a/DeviceSupport/iPad3_1/recovery.py +++ b/DeviceSupport/iPad3_1/recovery.py @@ -1,4 +1,5 @@ import os +import time import osinfo @@ -6,6 +7,7 @@ def waitForConnection(osInfo: osinfo.OSInfo): print("Waiting for DFU/Recovery connection. Please unplug and replug your device.") while True: + time.sleep(2) res = os.system("./tools/" + osInfo.getosplatform() + "/irecovery -c /exit") if res == 0: break @@ -29,6 +31,10 @@ def send_iBEC(osInfo: osinfo.OSInfo, path): def tether_boot_up_device(osInfo: osinfo.OSInfo): print("Trying to tether boot up device.") + print("Sending applelogo") + os.system("./tools/" + osInfo.getosplatform() + "/irecovery -c /send applelogo") + print("Setting applelogo") + os.system("./tools/" + osInfo.getosplatform() + "/irecovery -c setpicture") print("Sending DeviceTree") os.system("./tools/" + osInfo.getosplatform() + "/irecovery -c /send DeviceTree") print("Executing DeviceTree") diff --git a/DeviceSupport/iPad3_1/restore.py b/DeviceSupport/iPad3_1/restore.py index 7b522dc..e79e172 100644 --- a/DeviceSupport/iPad3_1/restore.py +++ b/DeviceSupport/iPad3_1/restore.py 
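Review bot: In `tether_boot_up_device` (third hunk), the two new `os.system(...irecovery -c /send applelogo)` and `setpicture` calls discard the exit status, so a failed send continues straight into the DeviceTree send, whereas `waitForConnection` in the hunk above does inspect `res`. Capture the status for each step — `res = os.system("./tools/" + osInfo.getosplatform() + "/irecovery -c /send applelogo")`, `if res != 0:`, `exit(1)` with a message — or better, factor the repeated `"./tools/" + osInfo.getosplatform() + "/irecovery -c " + ...` into one helper that stops the sequence on a non-zero return. `tether_boot_up_device` continues outside the hunk.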
@@ -16,43 +16,42 @@ def restore(sshClient: paramiko.SSHClient, restoreImage, device): print("Sending Root filesystem to your device. This may take a long time...") ssh.scp_transfer_file(sshClient, restoreImage, "/var/RootFilesystem.dmg") print("Restore new root filesystem to your partition. Please wait with patience.") - shell.send("asr restore -source /var/RootFilesystem.dmg -target " + device + " -erase -noprompt") + shell.send("asr restore -source /var/RootFilesystem.dmg -target " + device + " -erase -noprompt\n") while True: time.sleep(0.5) line = shell.recv(1024) print(line.decode('utf-8')) - if line or line.endswith(b'# '): + if line.endswith(b'# '): break print("Restore: Done") def formatSystem(shell): - shell.send("newfs_hfs -s -v System -J -b 4096 -n a=4096,c=4096,e=4096 /dev/disk0s1s1") + shell.send("newfs_hfs -s -v System -J -b 4096 -n a=4096,c=4096,e=4096 /dev/disk0s1s1\n") while True: time.sleep(0.5) line = shell.recv(1024) - if line or line.endswith(b'# '): + if line.endswith(b'# '): break print(line.decode('utf-8')) def formatData(shell): - shell.send("newfs_hfs -s -v Data -J -P -b 4096 -n a=4096,c=4096,e=4096 /dev/disk0s1s2") + shell.send("newfs_hfs -s -v Data -J -P -b 4096 -n a=4096,c=4096,e=4096 /dev/disk0s1s2\n") while True: time.sleep(0.5) line = shell.recv(1024) - if line or line.endswith(b'# '): + if line.endswith(b'# '): break print(line.decode('utf-8')) def scanPartition(shell, device): - shell.send("fsck_hfs -f " + device) + shell.send("fsck_hfs -f " + device + "\n") while True: time.sleep(0.5) line = shell.recv(1024) - if line or line.endswith(b'# '): + if line.endswith(b'# '): break print(line.decode('utf-8')) - diff --git a/DeviceSupport/iPad3_1/setup.py b/DeviceSupport/iPad3_1/setup.py index be29358..d8f10e1 100644 --- a/DeviceSupport/iPad3_1/setup.py +++ b/DeviceSupport/iPad3_1/setup.py 
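Review bot: `restore`, `formatSystem`, `formatData` and `scanPartition` now wait for the `'# '` prompt, but because the commands are typed into an interactive channel their exit status is never observed, so `print("Restore: Done")` is reached after a failed `asr restore` just as after a successful one, and the `newfs_hfs`/`fsck_hfs` callers cannot tell the difference either. For these non-interactive commands `sshClient.exec_command(...)` followed by `stdout.channel.recv_exit_status()` returns the status directly; if the shared shell must be kept, send `cmd + "; echo EXIT=$?\n"` and parse the marker from the accumulated output. `restore` starts outside the hunk.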
@@ -7,17 +7,14 @@ import ssh -def send_kloader_and_iBSS_iBEC(sshClient: paramiko.SSHClient): +def send_iBSS(sshClient: paramiko.SSHClient): print("Sending iBSS") ssh.scp_transfer_file(sshClient, os.path.abspath(".") + "/pwnediBSS", "/mnt1/pwnediBSS") - print("Sending iBEC") - ssh.scp_transfer_file(sshClient, os.path.abspath(".") + "/pwnediBEC", "/mnt1/pwnediBEC") - print("Sending kloader") - ssh.scp_transfer_file(sshClient, os.path.abspath(".") + "/tools/kloader", "/mnt1/kloader") def createMountPoint(shell, mountpoint): - shell.send("mkdir " + mountpoint) + print("Creating mount point " + mountpoint) + shell.send("mkdir " + mountpoint + "\n") while True: time.sleep(0.5) line = shell.recv(1024) @@ -26,25 +23,30 @@ def createMountPoint(shell, mountpoint): def mountDevice(shell, device, mountpoint): - shell.send("mount -t hfs " + device + " " + mountpoint) + print("Mounting " + mountpoint) + shell.send("mount_hfs " + device + " " + mountpoint + "\n") while True: time.sleep(0.5) line = shell.recv(1024) + print(line.decode('utf-8')) if line or line.endswith(b'# '): break def fixupvar(shell): - shell.send("mv -v /mnt1/private/var/* /mnt2") + print("Fixing up /var") + shell.send("mv -v /mnt1/private/var/* /mnt2\n") while True: time.sleep(0.5) line = shell.recv(1024) - if line or line.endswith(b'# '): + print(line.decode('utf-8')) + if line.endswith(b'# '): break def copyfstab(shell): - shell.send("cp /var/fstab /mnt1/private/etc/fstab") + print("Copying fstab to partition.") + shell.send("cp /var/fstab /mnt1/private/etc/fstab\n") while True: time.sleep(0.5) line = shell.recv(1024) @@ -53,7 +55,8 @@ def copyfstab(shell): def copyfstab_toSecOS(shell): - shell.send("cp /mnt1/private/etc/fstab /var/fstab") + print("Copying fstab.") + shell.send("cp /mnt1/private/etc/fstab /var/fstab\n") while True: time.sleep(0.5) line = shell.recv(1024) 
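Review bot: Within the second hunk the wait loops diverge: `fixupvar` is changed to `if line.endswith(b'# ')`, but `mountDevice` (the new `mount_hfs` send) and the context loops in `createMountPoint`, `copyfstab` and `copyfstab_toSecOS` keep `if line or line.endswith(b'# ')`, which is just `if line:` and returns on the first chunk, so `print(line.decode('utf-8'))` in `mountDevice` shows partial output and the next command can be sent while the mount is still running. Use `if line.endswith(b'# '):` in all of them, or factor the send-and-wait loop into one helper used by every function in this file.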
@@ -62,16 +65,30 @@ def copyfstab_toSecOS(shell): def unmountDevice(shell, mountpoint): - shell.send("unmount " + mountpoint) + print("Unmounting " + mountpoint) + shell.send("umount " + mountpoint + "\n") + while True: + time.sleep(0.5) + line = shell.recv(1024) + if line or line.endswith(b'# '): + break + + +def send_keybag(sshClient: paramiko.SSHClient): + print("Sending keybag.") + shell = sshClient.invoke_shell() + shell.send("mkdir /mnt2/keybags\n") while True: time.sleep(0.5) line = shell.recv(1024) if line or line.endswith(b'# '): break + ssh.scp_transfer_file(sshClient, "systembag.kb", "/mnt2/keybags/systembag.kb") def kloader_iBSS(shell): - shell.send("/mnt1/kloader /mnt1/pwnediBSS") + print("kloader iBSS!") + shell.send("/mnt1/kloader /mnt1/pwnediBSS\n") while True: time.sleep(0.5) line = shell.recv(1024) diff --git a/DeviceSupport/iPad3_1_Support.py b/DeviceSupport/iPad3_1_Support.py index 836b7dd..ccb2273 100644 --- a/DeviceSupport/iPad3_1_Support.py +++ b/DeviceSupport/iPad3_1_Support.py 
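Review bot: `send_keybag` opens a second channel with `sshClient.invoke_shell()` and never closes it; add `shell.close()` after the transfer, or take the existing `shell` as a parameter like the other helpers in this file. The local path `"systembag.kb"` is relative to the working directory while the other transfers use `os.path.abspath(".")`, and `mkdir /mnt2/keybags` has no `-p`, so on a re-run where the directory already exists the error is printed and ignored. The `unmountDevice` loop added in the same hunk again uses `if line or line.endswith(b'# ')`, which is equivalent to `if line:`.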
@@ -16,27 +16,30 @@ def startDowngrade(osInfo: osinfo.OSInfo, version, storage: int, sshClient: para if line: break print("Device Support for iPad3,1 version iOS " + version + " started") - setup.createMountPoint("/mnt1") - setup.createMountPoint("/mnt2") + setup.createMountPoint(shell, "/mnt1") + setup.createMountPoint(shell, "/mnt2") setup.mountDevice(shell, "/dev/disk0s1s1", "/mnt1") setup.copyfstab_toSecOS(shell) - setup.unmountDevice("/mnt1") + setup.unmountDevice(shell, "/mnt1") partition.partitionDevice_stage1(osInfo, shell, storage, keys['restoreRamdisk'], ivs['restoreRamdisk']) restore.formatData(shell) restore.formatSystem(shell) restore.restore(sshClient, "RootFileSystem.dmg", "/dev/disk0s1s1") + # The code below hasn't been tested yet. Please stop at here! restore.scanPartition(shell, "/dev/disk0s1s1") - partition.partitionDevice_stage2(sshClient) setup.mountDevice(shell, "/dev/disk0s1s1", "/mnt1") setup.mountDevice(shell, "/dev/disk0s1s2", "/mnt2") setup.fixupvar(shell) setup.copyfstab(shell) - setup.send_kloader_and_iBSS_iBEC(sshClient) + setup.send_keybag(sshClient) + setup.send_iBSS(sshClient) + partition.partitionDevice_stage2(sshClient) + partition.delete_partitions(shell) setup.kloader_iBSS(shell) sshClient.close() - recovery.waitForConnection() - recovery.send_iBEC(osinfo, "pwnediBEC") - recovery.tether_boot_up_device() + recovery.waitForConnection(osInfo) + recovery.send_iBEC(osInfo, "pwnediBEC") + recovery.tether_boot_up_device(osInfo) if __name__ == "__main__": diff --git a/debs/Packages b/debs/Packages index 9288254..5c82a4d 100644 --- a/debs/Packages +++ b/debs/Packages 
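Review bot: The new comment `# The code below hasn't been tested yet. Please stop at here!` sits before `restore.scanPartition`, but nothing stops there — `partitionDevice_stage2`, `delete_partitions` and `kloader_iBSS` run unconditionally after it, and `delete_partitions` writes the partition table. Either gate the untested tail behind an explicit prompt, e.g. `if input("Continue with untested steps? (Y/N): ") != "Y":` / `sshClient.close()` / `exit(1)`, or remove the comment so it does not suggest a safeguard that is not there. `startDowngrade` starts outside the hunk.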
@@ -1,3 +1,20 @@
+Package: com.MyWorkstation.MakeItTethered
+Version: 0.1-1
+Architecture: iphoneos-arm
+Depends: firmware (>= 5.0), mobilesubstrate
+Filename: ./com.MyWorkstation.MakeItTethered_0.1-1_iphoneos-arm.deb
+Size: 44240
+MD5sum: 8fd931ce7e17fcd35323c150cbfdb017
+SHA1: d38288363c604d0385804414791c8a649de0714c
+SHA256: b84147cb4552d964d857b9f1e27cbfcd0047d96af2908fd2d88913b39e85951f
+Section: Tweaks
+Priority: important
+Homepage: https://github.com/102464/iOS-downgrade-tethered
+Description: This tweak will automatically load iBSS using kloader when you are powering down your device. It is helpful for anyone who has downgraded their device using iOS-downgrade-tethered tool.
+Author: 102464
+Depiction: NOTE THIS PACKAGE WILL NOT WORK IN SAFE MODE! DO NOT POWER OFF YOUR DEVICE IN SAFE MODE!
+Name: MakeItTethered
+
 Package: com.coolbooter.coolbootercli
 Version: 0.8.2-release
 Architecture: iphoneos-arm
@@ -29,6 +46,57 @@ Author: @danzatt, @winocm, @xerub, @JonathanSeals, @axi0mX, @Apple, @comex, Rode
 Depiction: http://nyansatan.github.io/apt/depictions/dualbootstuff.html
 Name: dualbootstuff
 
+Package: diskdev-cmds
+Version: 421.7-4
+Architecture: iphoneos-arm
+Maintainer: Jay Freeman (saurik)
+Installed-Size: 848
+Pre-Depends: dpkg (>= 1.14.25-8)
+Depends: firmware-sbin
+Filename: ./diskdev-cmds_421.7-4_iphoneos-arm.deb
+Size: 114822
+MD5sum: 2211d78fb6bede91ba9004aad776eacf
+SHA1: 57017a698fa3ecaac06b2a1d5dbb41b8eb206bfd
+SHA256: b5d7a6f34ce77182faaa0f2de90b348497c9c1aa66a5472cc813616c01244a88
+Section: System
+Priority: required
+Description: mount, quota, fsck, fstyp, fdisk, tunefs
+
+Package: gettext
+Version: 0.17-7
+Architecture: iphoneos-arm
+Maintainer: Jay Freeman (saurik)
+Installed-Size: 3336
+Pre-Depends: dpkg (>= 1.14.25-8)
+Depends: ncurses
+Filename: ./gettext_0.17-7_iphoneos-arm.deb
+Size: 768352
+MD5sum: 9e48b67c077de8eff4ab17e2008a157a
+SHA1: f237be39156e580a56372e6319c213be09b1f77e
+SHA256: bb58396c9323b3d72e4526d9e1266c453a3000a0b0c6b12aff61b602e451427a
+Section: System
+Priority: optional
+Homepage: http://www.gnu.org/software/gettext/
+Description: internationalization helper for strings
+
+Package: ldid
+Version: 610-5
+Architecture: iphoneos-arm
+Maintainer: Jay Freeman (saurik)
+Installed-Size: 92
+Pre-Depends: dpkg (>= 1.14.25-8)
+Depends: odcctools
+Filename: ./ldid_610-5_iphoneos-arm.deb
+Size: 13804
+MD5sum: 3e03b4f68f7f7d17b479cbf2f76aedce
+SHA1: 8bdfe89a023fa5b19ba64cab3438d16850a802e4
+SHA256: 9330a1de783cccce2b66d1c0b4ca9c649c5664847533990132389bd53b93ce53
+Section: Development
+Priority: optional
+Description: pseudo-codesign Mach-O files
+Depiction: http://cydia.saurik.com/info/ldid/
+Name: Link Identity Editor
+
 Package: openssh
 Version: 6.7p1-13
 Architecture: iphoneos-arm
@@ -63,3 +131,82 @@ Priority: standard Description: SSL library and cryptographic tools Name: OpenSSL +Package: png +Version: 1.2.24-3 +Architecture: iphoneos-arm +Maintainer: Jay Freeman (saurik) +Installed-Size: 692 +Filename: ./png_1.2.24-3_iphoneos-arm.deb +Size: 259150 +MD5sum: dc0f2be05c709d4c248ce643b8ab1909 +SHA1: a92bf82c52d869a711e989955c8fb28920b6b9dc +SHA256: d8f21fff0d6e0ed012b19283356c61bbb27ecd00db59fa279179bb2eda01e20b +Section: Multimedia +Priority: optional +Description: library for manipulating PNG files + +Package: unzip +Version: 5.52-6 +Architecture: iphoneos-arm +Maintainer: Jay Freeman (saurik) +Installed-Size: 428 +Pre-Depends: dpkg (>= 1.14.25-8) +Filename: ./unzip_5.52-6_iphoneos-arm.deb +Size: 95822 +MD5sum: 326830d4b5e67d6bc2fc25b6c4a71baa +SHA1: 313cbc1e164f2816cd202dec91a9c266505db259 +SHA256: 04329d078f3394dbb72abe9f19c893a178ecc22704342efbedf0c9021a9cbdf8 +Section: Archiving +Priority: important +Description: de-compesses files in zip format + +Package: wget +Version: 1.16-4 +Architecture: iphoneos-arm +Maintainer: Jay Freeman (saurik) +Installed-Size: 480 +Pre-Depends: dpkg (>= 1.14.25-8) +Depends: gettext, openssl +Filename: ./wget_1.16-4_iphoneos-arm.deb +Size: 210290 +MD5sum: 9221072b359a2c526e0f07467d30cc10 +SHA1: 784a5c74d502f51c2bd0f8278315e99aa196b49d +SHA256: e35a50a6e4d9be59c46b822062c2aead1fe48512bb2fd4b6c8e646b8de08bd64 +Section: Networking +Priority: important +Description: simple HTTP file transfer client + +Package: xpwn +Version: 1247875200-1 +Architecture: iphoneos-arm +Maintainer: Jay Freeman (saurik) +Installed-Size: 468 +Pre-Depends: dpkg (>= 1.14.25-8) +Depends: openssl, png +Filename: ./xpwn_1247875200-1_iphoneos-arm.deb +Size: 67870 +MD5sum: 45555ac749e5979fcfb2d5f630655ba3 +SHA1: 2a76a82c00a4549b877dd53c598a64793deaa493 +SHA256: e0d5cde22a02d865de64988302fa42c18bf058ed3dc6a8b31132f0d804da501d +Section: Archiving +Priority: optional +Homepage: http://github.com/planetbeing/xpwn/tree/master +Description: 
portable, barebones PwnageTool implementation +Author: planetbeing +Name: XPwn + +Package: zip +Version: 2.32-6 +Architecture: iphoneos-arm +Maintainer: Jay Freeman (saurik) +Installed-Size: 368 +Pre-Depends: dpkg (>= 1.14.25-8) +Filename: ./zip_2.32-6_iphoneos-arm.deb +Size: 58550 +MD5sum: 1eebf2ba9ab0dc7cf445bf7cba0fa49e +SHA1: 8925200a7cbf25852f5d6d45346be7dfeba26779 +SHA256: b2fa431b03ffd2f926dc4972c684c90c8a5f63af92b2674f634252d26c717d19 +Section: Archiving +Priority: important +Description: standard Windows compression tool + diff --git a/debs/Packages.bz2 b/debs/Packages.bz2 index a5cc631..67300fe 100644 Binary files a/debs/Packages.bz2 and b/debs/Packages.bz2 differ diff --git a/debs/com.MyWorkstation.MakeItTethered_0.1-1_iphoneos-arm.deb b/debs/com.MyWorkstation.MakeItTethered_0.1-1_iphoneos-arm.deb new file mode 100644 index 0000000..0752c25 Binary files /dev/null and b/debs/com.MyWorkstation.MakeItTethered_0.1-1_iphoneos-arm.deb differ diff --git a/debs/diskdev-cmds_421.7-4_iphoneos-arm.deb b/debs/diskdev-cmds_421.7-4_iphoneos-arm.deb new file mode 100644 index 0000000..970155d Binary files /dev/null and b/debs/diskdev-cmds_421.7-4_iphoneos-arm.deb differ diff --git a/debs/gettext_0.17-7_iphoneos-arm.deb b/debs/gettext_0.17-7_iphoneos-arm.deb new file mode 100644 index 0000000..f6bf023 Binary files /dev/null and b/debs/gettext_0.17-7_iphoneos-arm.deb differ diff --git a/debs/ldid_610-5_iphoneos-arm.deb b/debs/ldid_610-5_iphoneos-arm.deb new file mode 100644 index 0000000..4236b7f Binary files /dev/null and b/debs/ldid_610-5_iphoneos-arm.deb differ diff --git a/debs/png_1.2.24-3_iphoneos-arm.deb b/debs/png_1.2.24-3_iphoneos-arm.deb new file mode 100644 index 0000000..402986f Binary files /dev/null and b/debs/png_1.2.24-3_iphoneos-arm.deb differ diff --git a/debs/unzip_5.52-6_iphoneos-arm.deb b/debs/unzip_5.52-6_iphoneos-arm.deb new file mode 100644 index 0000000..0aa1f85 Binary files /dev/null and b/debs/unzip_5.52-6_iphoneos-arm.deb differ 
diff --git a/debs/wget_1.16-4_iphoneos-arm.deb b/debs/wget_1.16-4_iphoneos-arm.deb new file mode 100644 index 0000000..fa8db46 Binary files /dev/null and b/debs/wget_1.16-4_iphoneos-arm.deb differ diff --git a/debs/xpwn_1247875200-1_iphoneos-arm.deb b/debs/xpwn_1247875200-1_iphoneos-arm.deb new file mode 100644 index 0000000..299e1c5 Binary files /dev/null and b/debs/xpwn_1247875200-1_iphoneos-arm.deb differ diff --git a/debs/zip_2.32-6_iphoneos-arm.deb b/debs/zip_2.32-6_iphoneos-arm.deb new file mode 100644 index 0000000..489d529 Binary files /dev/null and b/debs/zip_2.32-6_iphoneos-arm.deb differ diff --git a/downgrade.py b/downgrade.py index 5d475e5..081880c 100755 --- a/downgrade.py +++ b/downgrade.py @@ -88,6 +88,7 @@ print(" ID SUPPORTED DEVICE LIST ") print(" 1 iPad3,1 ") +deviceidentifier = "" devicenum = input("Enter ID: ") if devicenum == "1": deviceidentifier = "iPad3,1" @@ -100,6 +101,7 @@ print(" 3 64G ") print(" 4 128G ") storageid = input("Enter ID: ") +storage = 0 if storageid == "1": print("Warning! 16G devices is reported that it may have issues about free space.") print(" So we suggest that you should erase all data on your device.") @@ -131,6 +133,7 @@ totalnum = len(data['firmwares']) print("API: total " + str(totalnum) + " firmwares") print(" ID Firmware List ") +num712 = 0 for i in range(0, totalnum - 1): print(" " + str(i + 1) + " " + data['firmwares'][i]['version'] + " (" + data['firmwares'][i]['buildid'] + ")") @@ -173,7 +176,6 @@ md5sum712 = data['firmwares'][num712]['md5sum'] if not os.path.exists(os.path.join(os.path.abspath("."), os.path.basename(firmware712))): downloader.download(firmware712) - # The code below hasn't been tested yet. Please stop at here! else: print("Firmware already exists!") downloader.checkHash(firmwarefile, md5sum) 
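Review bot: `deviceidentifier = ""`, `storage = 0` and `num712 = 0` in the first three downgrade.py hunks pre-seed the selection variables, which turns an unrecognized `input()` answer from a NameError into a silent default (empty device identifier, zero storage, firmware index 0) that the later steps then act on. Unless an `else` branch outside the hunk already rejects unknown IDs, validate right after each `input()` — `else:` / `print("Unknown ID")` / `exit(1)` — and reserve the defaults for a genuine "none" value. The firmware list loop `for i in range(0, totalnum - 1)` (context in the third hunk) also omits the last entry of `data['firmwares']`.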
@@ -195,31 +197,31 @@ "DeviceTree", keys['devicetree'], ivs['devicetree'], False) ioscrypto.decryptImg3(osInfo, "firmware/kernelcache.release.*", "kernelcache", keys['kernelcache'], ivs['kernelcache'], False) - print("Reading Restore.plist") plist = readPlist("firmware/Restore.plist") rootfsfile = plist['SystemRestoreImages']['User'] print("RootFS: " + rootfsfile) print("Decrypting RootFileSystem") ioscrypto.decryptRootFS(osInfo, "firmware/" + rootfsfile, keys['rootfs']) +# PROBLEMS: iBSS headers always corrupts (first 16 bytes) +iboot.fix_iBSS() # Fix the header of iBSS (first 16 bytes) print("iBoot32Patcher: Patching iBSS") iboot.patch_iBoot(osInfo, "iBSS", "pwnediBSS") print("iBoot32Patcher: Patching iBEC") iboot.patch_iBoot(osInfo, "iBEC", "iBEC.x", "rd=disk0s1s1 -v cs_enforcement_disable=1 amfi_get_out_of_my_way=1") -print("Repacking iBSS and iBEC") +print("Repacking iBEC") # ioscrypto.repackImg3(osInfo, "iBSS.x", "pwnediBSS", "ibss") iBSS doesn't need to be repacked. ioscrypto.repackImg3(osInfo, "iBEC.x", "pwnediBEC", "ibec") print("Part II already prepared.") - print(" PART III ") ssh.killPort(2222) ssh.killPort(8000) - ssh.setPassword(sshpass) ssh.setIPAndPort("127.0.0.1", "2222") ssh.setUsername("root") ssh.startUsbmuxd() ssh.startHTTPServer() + ip = ssh.getMyIPAddress() print("Open Cydia, add source http://" + ip + ":8000, install OpenSSH and CoolBooter, then") print("please connect your device with a USB cable.") @@ -233,7 +235,8 @@ print("Backing up keybag.") ssh.scp_get_file(sshClient, "/var/keybags/systembag.kb", "systembag.kb") -print("Sending iOS 7.1.2 firmware. This may need a long time...") +print("Sending iOS 6.1.3 firmware. This may need a long time...") +sshClient.exec_command("mkdir /var/cbooter") ssh.scp_transfer_file(sshClient, os.path.basename(firmware712), "/var/cbooter/" + os.path.basename(firmware712)) print("CoolBooter: Installing iOS 7.1.2, please wait...") 
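Review bot: In the second hunk the message becomes `"Sending iOS 6.1.3 firmware. This may need a long time..."` while the file sent is still `firmware712` and the next line still prints `"CoolBooter: Installing iOS 7.1.2"`, so one of the two strings is wrong. The new `sshClient.exec_command("mkdir /var/cbooter")` discards its channel, so a failure is never noticed and the following `scp_transfer_file` into `/var/cbooter/` fails with a less obvious error; read `stdout.channel.recv_exit_status()` and use `mkdir -p` so a re-run is not an error. In the first hunk, the `# PROBLEMS: iBSS headers always corrupts (first 16 bytes)` comment would serve readers better as a docstring on `iboot.fix_iBSS` stating when the fix applies.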
@@ -273,17 +276,16 @@ print("End Part III.") print(" PART IV ") ssh.startHTTPServer() -print("Open Cydia, add source http://" + ip + ":8000, install OpenSSH and dualbootstuff.") +print("Open Cydia, add source http://" + ip + ":8000, install OpenSSH, diskdev-cmds, and dualbootstuff.") input("Enter if finished. Ctrl-C to stop.") print("Stopping HTTP service.") ssh.killPort(8000) print("--[Waiting for connection]---") sshClient = ssh.connect() - print("+----------------------------[ D A N G E R ]----------------------------+") print("| DANGER! You have entered the most dangerous part. |") print("| We will partition this device and restore the firmware |") -print("| to device. The device may be bricked at any time and data cannot |") +print("| to device. The device may BRICK at any time and data cannot |") print("| be recovered. If your device bricks or entered boot loop, |") print("| please manually let your device enter DFU mode, and restore |") print("| it using iTunes. |") @@ -298,7 +300,8 @@ iPad3_1_Support.startDowngrade(osInfo, firmwareversion, storage, sshClient, keys, ivs) print("Congratulations, Your device has been successfully booted.") -print(" ENJOY YOUR DOWNGRADED DEVICE!") -print(" ---[END]---") +print("Note: If you want to enable \"Slide to power off\", Install MakeItTethered in debs/ directory.") +print("ENJOY YOUR DOWNGRADED DEVICE!") +print("---[END]---") exit(0) diff --git a/firmwareapi.py b/firmwareapi.py index 774c72d..2b2417b 100644 --- a/firmwareapi.py +++ b/firmwareapi.py @@ -12,4 +12,3 @@ def getfirmwarejson(deviceidentifier): code.write(f.read()) else: print("API: file \"firmware-api.json\" already exists. Please remove for update.") - diff --git a/iboot.py b/iboot.py index 5485909..bb0d1a3 100644 --- a/iboot.py +++ b/iboot.py 
@@ -10,3 +10,17 @@ def patch_iBoot(osInfo: osinfo.OSInfo, path, filename, bootargs=""): os.system("cd " + os.path.abspath(".") + "; " + "./tools/" + osInfo.getosplatform() + "/iBoot32Patcher " + path + " " + filename + " " + args) + + +def fix_iBSS(): + # Why iBSS always corrupted after decrypting in python os.system() function, + # but decrypting using command line is OK??? + + # Corrupted header: bd 99 d0 cb a7 dc cd e7 19 65 07 38 81 2b bc c6 + # Normal header: 0e 00 00 ea 18 f0 9f e5 18 f0 9f e5 18 f0 9f e5 + print("Fixing iBSS.") + ibss_normal_header = b'\x0e\x00\x00\xea\x18\xf0\x9f\xe5\x18\xf0\x9f\xe5\x18\xf0\x9f\xe5' + ibss = open("iBSS", "r+b") + ibss.write(ibss_normal_header) + ibss.close() + print("DONE") diff --git a/ioscrypto.py b/ioscrypto.py index 462dbf7..178f749 100644 --- a/ioscrypto.py +++ b/ioscrypto.py 
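Review bot: `fix_iBSS` overwrites the first 16 bytes of `iBSS` unconditionally without looking at what is there, so an intact iBSS is rewritten too and a file corrupted in some other way is silently "fixed"; it also opens the file without `with`, so the handle leaks if `write` raises. Read the current header first, return early when it already matches, and refuse (or at least warn) when it matches neither the documented corrupted bytes nor the good ones — if the corruption turns out to vary, relax the refusal to a warning. The hard-coded header is presumably specific to this firmware's iBSS; say so in a docstring.
```python
def fix_iBSS():
    """Restore the first 16 bytes of ./iBSS, which come out corrupted after decryption.

    The replacement bytes are the known-good header for this firmware's iBSS;
    confirm them before reusing this for another firmware.
    """
    print("Fixing iBSS.")
    ibss_normal_header = b'\x0e\x00\x00\xea\x18\xf0\x9f\xe5\x18\xf0\x9f\xe5\x18\xf0\x9f\xe5'
    ibss_corrupted_header = b'\xbd\x99\xd0\xcb\xa7\xdc\xcd\xe7\x19\x65\x07\x38\x81\x2b\xbc\xc6'
    with open("iBSS", "r+b") as ibss:
        current = ibss.read(len(ibss_normal_header))
        if current == ibss_normal_header:
            print("iBSS header is already intact, nothing to do.")
            return
        if current != ibss_corrupted_header:
            # not the corruption this fix was written for; patching blindly could hide a different problem
            print("Unexpected iBSS header " + current.hex() + ", refusing to patch.")
            exit(1)
        ibss.seek(0)
        ibss.write(ibss_normal_header)
    print("DONE")
```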
@@ -26,31 +26,31 @@ def getKeyAndIV(firmwareversion, deviceidentifier): KeyTypes = JClass("KeyTypes") utils_class = Utils() print("iOSUtils: Getting iBSS key for version " + firmwareversion + ", device " + deviceidentifier) - ibss_key = utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.IBSS).getKey() + ibss_key = str(utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.IBSS).getKey()) print("iOSUtils: Getting iBEC key for version " + firmwareversion + ", device " + deviceidentifier) - ibec_key = utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.IBEC).getKey() + ibec_key = str(utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.IBEC).getKey()) print("iOSUtils: Getting AppleLogo key for version " + firmwareversion + ", device " + deviceidentifier) - applelogo_key = utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.APPLE_LOGO).getKey() + applelogo_key = str(utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.APPLE_LOGO).getKey()) print("iOSUtils: Getting DeviceTree key for version " + firmwareversion + ", device " + deviceidentifier) - devicetree_key = utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.DEVICETREE).getKey() + devicetree_key = str(utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.DEVICETREE).getKey()) print("iOSUtils: Getting RestoreRamdisk key for version " + firmwareversion + ", device " + deviceidentifier) - restoreramdisk_key = utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.RESTORE_RD).getKey() + restoreramdisk_key = str(utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.RESTORE_RD).getKey()) print("iOSUtils: Getting kernelcache key for version " + firmwareversion + ", device " + deviceidentifier) - kernelcache_key = utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.KERNELCACHE).getKey() + kernelcache_key = str(utils_class.getKeyFor(deviceidentifier, firmwareversion, 
KeyTypes.KERNELCACHE).getKey()) print("iOSUtils: Getting RootFS key for version " + firmwareversion + ", device " + deviceidentifier) - rootfs_key = utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.ROOTFS).getKey() + rootfs_key = str(utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.ROOTFS).getKey()) print("iOSUtils: Getting iBSS IV for version " + firmwareversion + ", device " + deviceidentifier) - ibss_iv = utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.IBSS).getIv() + ibss_iv = str(utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.IBSS).getIv()) print("iOSUtils: Getting iBEC IV for version " + firmwareversion + ", device " + deviceidentifier) - ibec_iv = utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.IBEC).getIv() + ibec_iv = str(utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.IBEC).getIv()) print("iOSUtils: Getting AppleLogo IV for version " + firmwareversion + ", device " + deviceidentifier) - applelogo_iv = utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.APPLE_LOGO).getIv() + applelogo_iv = str(utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.APPLE_LOGO).getIv()) print("iOSUtils: Getting DeviceTree IV for version " + firmwareversion + ", device " + deviceidentifier) - devicetree_iv = utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.DEVICETREE).getIv() + devicetree_iv = str(utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.DEVICETREE).getIv()) print("iOSUtils: Getting RestoreRamdisk IV for version " + firmwareversion + ", device " + deviceidentifier) - restoreramdisk_iv = utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.RESTORE_RD).getIv() + restoreramdisk_iv = str(utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.RESTORE_RD).getIv()) print("iOSUtils: Getting kernelcache IV for version " + firmwareversion + ", device " + deviceidentifier) - kernelcache_iv = 
utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.KERNELCACHE).getIv() + kernelcache_iv = str(utils_class.getKeyFor(deviceidentifier, firmwareversion, KeyTypes.KERNELCACHE).getIv()) print(" iBSS Key: " + ibss_key) print(" IV: " + ibss_iv) print(" iBEC Key: " + ibec_key) @@ -79,7 +79,7 @@ def decryptImg3(osInfo: osinfo.OSInfo, path, destination, key, iv, extractrawdat else: flag = "" os.system("cd " + os.path.abspath("") + "; " + - "./tools/" + osInfo.getosplatform() + "/reimagine" + path + " " + + "./tools/" + osInfo.getosplatform() + "/reimagine " + path + " " + destination + " " + " -k " + key + " -iv " + iv + flag) @@ -91,14 +91,14 @@ def repackImg3(osInfo: osinfo.OSInfo, path, destination, tag): def decryptRootFS(osInfo: osinfo.OSInfo, path, key): - newfile = os.path.basename(path).split(".")[0] + ".decrypted.dmg" + newfile = str(os.path.basename(path).split(".")[0] + ".decrypted.dmg") os.system("cd " + os.path.abspath(".") + "; " + "./tools/" + osInfo.getosplatform() + "/dmg extract " + path + " " + newfile + " -k " + key) if osInfo.getosplatform() == "macosx": - print("hdiutil: converting format") + print("dmg: converting format") os.system("cd " + os.path.abspath(".") + "; " + - "hdiutil convert -format UDZO -o RootFilesystem.dmg " + newfile) + "./tools/" + osInfo.getosplatform() + "/dmg build " + newfile + " RootFilesystem.dmg") print("ASR: Scanning image") ret = os.system("cd " + os.path.abspath(".") + "; " + "asr -imagescan RootFilesystem.dmg") diff --git a/tools/macosx/xpwntool b/tools/macosx/xpwntool new file mode 100755 index 0000000..7954b5d Binary files /dev/null and b/tools/macosx/xpwntool differ
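Review bot: In `getKeyAndIV` each key type is looked up twice — once for `getKey()` and again for `getIv()` — across fourteen near-identical statements that now each need the `str(...)` wrapper; a single loop over a `(name, KeyTypes.X)` table that calls `utils_class.getKeyFor(deviceidentifier, firmwareversion, key_type)` once per type and reads both values from the same result would halve the lookups and leave one place to get the conversion right. The function's return statement is outside the hunk, so the dict keys the callers rely on (`keys['restoreRamdisk']`, `ivs['devicetree']` and the others visible in this diff) must be preserved by any such rewrite.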
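Review bot: `decryptRootFS` (third hunk) ignores the return of the `dmg extract` and the new `dmg build` `os.system` calls, so with a wrong key or a missing tool it proceeds to `asr -imagescan RootFilesystem.dmg` on a file that was never produced and the failure is reported against asr; capture each status — `ret = os.system(...)`, `if ret != 0:`, `exit(1)` with a message naming the step — as is already done for asr. The `str(...)` around `os.path.basename(path).split(".")[0] + ".decrypted.dmg"` is a no-op on a value that is already a string. `decryptRootFS` continues outside the hunk.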