iOS 13.5 / iPhone10,1 / Unable to load ramdisk #9

Open
ajpayne1 opened this issue Mar 30, 2021 · 8 comments

Comments

@ajpayne1

ajpayne1 commented Mar 30, 2021

Device: iPhone10,1 / d20ap
Currently installed version: iOS 13.5
Attempted boot version: iOS 13.5
SHSH2 Blob: 13.7

This project is awesome, love your work. I'm able to create an image, although the following issues do crop up during build with ./make_telnet_rd.php -d 'iPhone10,1' -b D20AP -v 13.5 -s ./iPhone10,1_13.7.shsh2:

[+] Couldn't find devicetree at Firmware/all_flash/DeviceTree.d20ap.im4p, selecting closest other one

Warning: min(): When only one parameter is given, it must be an array in telnetd_ramdisk/make_telnet_rd.php on line 356

Warning: array_search() expects parameter 2 to be array, null given in telnetd_ramdisk/make_telnet_rd.php on line 356

The output for the image creation otherwise seems uneventful, and those warnings don't seem fatal. The problem really comes when trying to boot the image. Here's the directory:

WD_iPhone10,1-D20AP-13.5_telnet_rd $ ls -lha
total 959008
-rw-r--r--   1    99M Mar 30 16:52 038-35648-088.dmg
-rw-r--r--   1   579K Mar 30 16:52 BuildManifest.plist
-rw-r--r--   1   441K Mar 30 16:52 iBEC.d10.RELEASE.im4p
-rw-r--r--   1   441K Mar 30 16:52 iBSS.d10.RELEASE.im4p
-rw-r--r--   1    35M Mar 30 16:52 kcache.patched
-rw-r--r--   1    35M Mar 30 16:52 kcache.raw
-rw-r--r--   1    17M Mar 30 16:52 kernelcache.im4p
-rw-r--r--   1    13M Mar 30 16:52 kernelcache.release.iphone10
-rw-r--r--   1   150M Mar 30 16:54 ramdisk
-rw-r--r--   1   150M Mar 30 16:54 ramdisk.dmg

The boot script doesn't name the files correctly; well, that's fine, I can do it manually. (Not shown: entering pwned DFU)

WD_iPhone10,1-D20AP-13.5_telnet_rd $ irecovery -f ./iBSS.d10.RELEASE.im4p
[==================================================] 100.0%
WD_iPhone10,1-D20AP-13.5_telnet_rd $ irecovery -f ./iBEC.d10.RELEASE.im4p
[==================================================] 100.0%
WD_iPhone10,1-D20AP-13.5_telnet_rd $ irecovery -c go
WD_iPhone10,1-D20AP-13.5_telnet_rd $ irecovery -f ./ramdisk
[=                                                 ] 1.2%

That's as far as I get. The progress bar goes to 1.2%, then the command quits. When I enable verbose output:

WD_iPhone10,1-D20AP-13.5_telnet_rd $ irecovery -v -f ./ramdisk
Attempting to connect...
opening device xxxx:xxxx @ 0x14200000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPhone10,1, model d20ap, cpid 0x8015, bdid 0x02
[=                                                 ] 1.2%Unable to upload data to device

Uploading iBSS and iBEC work just fine, however:

WD_iPhone10,1-D20AP-13.5_telnet_rd $ irecovery -v -f ./iBSS.d10.RELEASE.im4p
Attempting to connect...
opening device xxxx:xxxx @ 0x14200000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPhone10,1, model d20ap, cpid 0x8015, bdid 0x02
[==================================================] 100.0%
Command completed successfully

I'm successfully in pwned DFU:

telnetd_ramdisk $ irecovery -q
CPID: 0x8015
CPRV: 0x11
BDID: 0x02
...
PWND: checkm8
MODE: DFU

Any ideas? Really hoping to get this to work so I can fix my wallpaper cache.

@ajpayne1
Author

ajpayne1 commented Mar 31, 2021

I was able to sign my own images manually and use the ramdisk built by telnetd_ramdisk, and I had much more success with the boot setup process. I was able to push all the images / commands with irecovery. When booting with bootx, the device showed a verbose boot for about 1 second and then went black, and rebooted. No luck yet, although I may try building my own ramdisk next. Is there sort of a minimum viable ramdisk that I can use to test booting? Would booting an unmodified ramdisk work?

@ajpayne1
Author

ajpayne1 commented Apr 2, 2021

I was able to cook my own ramdisk and while I never got telnetd working, I got SSH going on mine. I still have a lot of broken pieces and I feel like I'm completely reinventing the wheel here... I may end up remaking this whole project on my own repo from scratch, since none of the parts from this project have worked for me yet.

@XP1

XP1 commented Apr 12, 2021

@ajpayne1 Can you elaborate on your steps to get SSH? I'm still trying to boot a ramdisk on iPhone 6s.

@ajpayne1
Author

I can put together a writeup in the next day or two if you’d find it useful. My SSH ramdisk did the trick for me and I was able to solve my problem. I suspect it could help you as well. (Using PongOS might be the Right Way to go about this but I only played with it for a little bit and didn’t get anything to work.)

It’s been noted by @danieltroger in other issues that when your disk is full, apfs does not let you delete files because it takes space to be able to delete a file. I don’t think the same issue would apply to truncating a file, however, so if you get things booted and can’t rm due to a full disk, I would try that.

@jillbill556

Can you link it please

@radical-banana

radical-banana commented May 6, 2021

> I can put together a writeup in the next day or two if you’d find it useful. My SSH ramdisk did the trick for me and I was able to solve my problem. I suspect it could help you as well. (Using PongOS might be the Right Way to go about this but I only played with it for a little bit and didn’t get anything to work.)
>
> It’s been noted by @danieltroger in other issues that when your disk is full, apfs does not let you delete files because it takes space to be able to delete a file. I don’t think the same issue would apply to truncating a file, however, so if you get things booted and can’t rm due to a full disk, I would try that.

Add me to that list @ajpayne1,

Having the same issue with a couple of phones (mainly an iPhone10,3). I managed to finally get all the files in order and can finally boot but the device just reboots back into recovery just like how you described.

What was the silver bullet to get it booting in the end? Was only the ramdisk an issue?

@danieltroger there appear to be a few issues with the script removing the trustcache and devicetree from /Firmware during the build process, hence it whinging as per AJ's first post.

@ajpayne1
Author

ajpayne1 commented May 7, 2021

Sorry for the wait. I worked with an old friend in the jailbreak community to clean up the process tremendously and get the writeup on his blog. Hopefully you guys will find some success!
https://compilingentropy.blogspot.com/2021/05/long-live-ssh-ramdisk.html

@radical-banana

> Sorry for the wait. I worked with an old friend in the jailbreak community to clean up the process tremendously and get the writeup on his blog. Hopefully you guys will find some success!
> https://compilingentropy.blogspot.com/2021/05/long-live-ssh-ramdisk.html

Thanks mate, you're a legend. Props to your friend as well!

I'm keen to see how much the script differs over the manual steps and if the issue just comes down to the ramdisk itself.
