
checkra1n doesn't work but pongoOS does

Open mbesemann opened this issue 4 years ago • 12 comments

Running checkra1n normally gives me usbmux error -79 (Linux) or error -20 (Mac).

However, building pongoOS and specifying it with

checkra1n -k Pongo.bin

brings me to a PongoOS shell.

I have 2 questions:

  1. How do I load the checkra1n module to continue the exploit and get a jailbreak?
  2. If that fails, can I set a nonce with pongoterm in nvram to restore to 14.3?

mbesemann avatar May 05 '21 21:05 mbesemann

Just to check - specifying PongoConsolidated.bin doesn't work?

Siguza avatar May 05 '21 21:05 Siguza

Okay, so:

  1. Extract the ramdisk from the macOS binary (__CONST.__rdsk segment, or use this one: rdsk.dmg.gz)
  2. Have both the ramdisk and checkra1n-kpf-pongo in an accessible path.
  3. Get pongoterm from latest git master.
  4. Create a command file (I'll call it cmd.txt) with the following contents:
    sep auto
    /send path/to/checkra1n-kpf-pongo
    modload
    /send path/to/rdsk.dmg
    ramdisk
    xargs rootdev=md0
    bootx
    
  5. Run pongoterm <cmd.txt and let it wait
  6. Run checkra1n.

Siguza avatar May 06 '21 02:05 Siguza

This is what I get:

#==================
#
# pongoOS 2.5.0-0cb6126f
#
# https://checkra.in
#
#==================
Booted by: iBoot-6723.102.4
Built with: Clang 12.0.5 (clang-1205.0.22.9)
Running on: Apple A8X (T7001)
pongoOS> Bad command: /send
pongoOS> [modload_macho:i] Attempting to load a module
[modload_macho:!] load module: short read
pongoOS> Bad command: /send
pongoOS> please upload a ramdisk before issuing this command
pongoOS> set xnu boot arg cmdline to: [rootdev=md0]
pongoOS> %

For reference, my cmd.txt looks like this, and the 2 files are in the same directory (I tried both with ./ and without):

sep auto
/send ./checkra1n-kpf-pongo
modload
/send ./rdsk.dmg.gz
ramdisk
xargs rootdev=md0
bootx

UPDATE: I'm dumb, I forgot to recompile pongoterm after doing a pull... I think it worked this time, I just had to reopen pongoterm and hit enter since "bootx" wasn't run (maybe I needed a carriage return in the script after that line). Now I'm booted into iOS but I don't see a checkra1n icon yet. Maybe I can try the SSH workaround to get that in place.

UPDATE 2: Still no checkra1n icon - tried to SSH to port 44 and that doesn't work either. How can I tell if the device is in a jailbroken state?

UPDATE 3: I just realized your ramdisk is not gzipped - should I be extracting it and sending it as a .dmg?

UPDATE 4: Ok, I definitely had to unzip it. However, I get this error message in pongoterm (even though checkra1n now says "All done" at the end of the process):

pongoOS> Uploaded 1048576 bytes
pongoOS> set xnu boot arg cmdline to: [rootdev=md0]
pongoOS> USBControlTransfer: (iokit/common) not ready

UPDATE 5: The above error doesn't seem to happen every time. However, when it doesn't, it seems like the iPad is hanging indefinitely at the "Booting" stage. I guess it's a matter of trial and error at this point.

UPDATE 6: I got it to boot once so far past the checkra1n screen, by launching pongoterm after the pongoOS shell was booted (not sure if that made a difference). The device booted fairly quickly and had a flash of red/pink on the entire screen, but still no checkra1n icon. SSH on port 44 is also unavailable.

mbesemann avatar May 06 '21 13:05 mbesemann

Ok this deserves its own post because I finally did it :)

  1. Run checkra1n with the following args: checkra1n -csvk Pongo.bin

  2. Only once at the PongoOS shell, run pongoterm with the aforementioned cmd.txt

  3. Success - checkra1n icon is on the home screen :)

Log of run:

 - [05/06/21 10:05:41] <Info>: Waiting for DFU devices
 - [05/06/21 10:05:41] <Verbose>: DFU mode device found
 - [05/06/21 10:05:41] <Info>: Exploiting
 - [05/06/21 10:05:41] <Verbose>: Attempting to perform checkm8 on 7001 1...
 - [05/06/21 10:05:41] <Info>: Checking if device is ready
 - [05/06/21 10:05:41] <Verbose>: == Checkm8 Preparation stage ==
 - [05/06/21 10:05:41] <Verbose>: DFU mode device found
 - [05/06/21 10:05:41] <Info>: Setting up the exploit (this is the heap spray)
 - [05/06/21 10:05:41] <Verbose>: == Checkm8 Setup stage ==
 - [05/06/21 10:05:41] <Info>: Right before trigger (this is the real bug setup)
 - [05/06/21 10:05:41] <Verbose>: Entered initial checkm8 state after 3 steps, issuing DFU abort..
 - [05/06/21 10:05:42] <Verbose>: DFU device disconnected
 - [05/06/21 10:05:42] <Verbose>: DFU mode device found
 - [05/06/21 10:05:42] <Verbose>: == Checkm8 Trigger stage ==
 - [05/06/21 10:05:42] <Verbose>: Checkmate!
 - [05/06/21 10:05:42] <Verbose>: DFU device disconnected
 - [05/06/21 10:05:42] <Verbose>: DFU mode device found
 - [05/06/21 10:05:42] <Verbose>: == Checkm8 Trying to run payload... ==
 - [05/06/21 10:05:42] <Verbose>: If everything went correctly, you should now have code execution.
 - [05/06/21 10:05:42] <Verbose>: DFU device disconnected
 - [05/06/21 10:05:43] <Info>: Entered download mode
 - [05/06/21 10:05:43] <Verbose>: Download mode device found
 - [05/06/21 10:05:43] <Info>: Booting...
 - [05/06/21 10:05:43] <Verbose>: Setting bootargs to: rootdev=md0
 - [05/06/21 10:05:44] <Verbose>: Download mode device disconnected
 - [05/06/21 10:06:13] <Info>: All Done
 - [05/06/21 10:06:13] <Verbose>: Bootstrap already installed, done

UPDATE: Bad news - installing Cydia worked, then I realized I actually wanted to install Odysseyra1n, so I restored the system from the checkra1n app, and now I can't even get to the pongoOS shell. I'll keep trying I guess!

UPDATE 2: It seems that checkra1n doesn't like -k with other options, so I just got rid of the csv part and I was able to follow all the steps again and install Odysseyra1n. Finally jailbroken w/ Sileo!

mbesemann avatar May 06 '21 14:05 mbesemann

I have the same issue, and the https://github.com/checkra1n/pongoOS/issues/72#issuecomment-833177765 workaround worked. Thanks!

in my case:

  • simply running checkra1n (without -k) gave me a -20 (timeout) error. I also got a similar error with -k PongoConsolidated.bin
  • the attached rdsk.dmg.gz did not work (even ungzipped) in my environment, so I extracted it from checkra1n 0.12.4 with this tool https://gist.github.com/C0deH4cker/80b53de22012146ea9d8
  • pongocmd sometimes freezes until I disconnect and reconnect the Lightning cable

rinsuki avatar May 15 '21 09:05 rinsuki

Okay, so:

  1. Extract the ramdisk from the macOS binary (__CONST.__rdsk segment, or use this one: rdsk.dmg.gz)
  2. Have both the ramdisk and checkra1n-kpf-pongo in an accessible path.
  3. Get pongoterm from latest git master.
  4. Create a command file (I'll call it cmd.txt) with the following contents:
    sep auto
    /send path/to/checkra1n-kpf-pongo
    modload
    /send path/to/rdsk.dmg
    ramdisk
    xargs rootdev=md0
    bootx
    
  5. Run pongoterm <cmd.txt and let it wait
  6. Run checkra1n.

That rdsk doesn't have the binpack files. Could you please tell us where we could find them?

edwin170 avatar May 27 '23 04:05 edwin170

@edwin170 __CONST.__overlay

Siguza avatar May 28 '23 09:05 Siguza

@edwin170 __CONST.__overlay

I don't know if it is a dmg file, but I tried it and the dmg was corrupted, so I used the file command: "overlay.dmg: zlib compressed data". So I extracted it, and then it was just data, so I think it was extracted badly. However, I did it right: I used otool to find the offset and the size. Could you share the file with me as a zip or dmg or something similar?

edwin170 avatar May 30 '23 12:05 edwin170

@edwin170 sudo hdik overlay.dmg

Siguza avatar May 30 '23 13:05 Siguza
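Step 1 of Siguza's procedure above (pull the ramdisk out of the __CONST.__rdsk section of the macOS checkra1n binary) and the later __CONST.__overlay answer are both "find a named Mach-O section, copy out its bytes, then work out what you got". The script below is an added example written for this thread, not code from pongoOS or checkra1n: it parses the Mach-O load commands of a thin or fat (universal) binary, extracts a section by segment and section name using the file offset and size recorded in the load command, and then sniffs the blob for a gzip or zlib wrapper or a raw UDIF trailer, which is exactly the distinction that cost a few of the UPDATEs above (gzipped vs. unzipped ramdisk, "zlib compressed data" overlay). The section names come from the thread; the function names are mine, and the Mach-O the demo builds for itself is a constructed fixture whose layout is not the real binary's.

```python
# Added example for this thread (not pongoOS/checkra1n code): locate a Mach-O
# section by name (thin or fat binary), extract it, and identify the payload.
# The sample binary built below is a constructed fixture, not the real layout.
import gzip
import struct
import zlib

MH_MAGIC_64, FAT_MAGIC, LC_SEGMENT_64, CPU_TYPE_X86_64 = 0xFEEDFACF, 0xCAFEBABE, 0x19, 0x01000007

def fat_slices(data):
    """Yield (cputype, offset, size) per architecture; a thin file is one slice."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:      # fat header is big-endian
        yield None, 0, len(data)
        return
    for i in range(struct.unpack_from(">I", data, 4)[0]):
        cputype, _sub, off, size, _align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        yield cputype, off, size

def macho_sections(data, base=0):
    """Walk LC_SEGMENT_64 commands of the thin Mach-O at `base`; return
    {(segname, sectname): (absolute_file_offset, size)}.  Section offsets in the
    load commands are slice-relative (what otool -l prints), so `base` is added."""
    hdr = struct.unpack_from("<8I", data, base)          # magic ... reserved
    if hdr[0] != MH_MAGIC_64:
        raise ValueError("no 64-bit Mach-O at offset %#x" % base)
    sections, pos = {}, base + 32
    for _ in range(hdr[4]):                              # ncmds
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmd == LC_SEGMENT_64:
            segname = data[pos + 8:pos + 24].rstrip(b"\0").decode()
            nsects = struct.unpack_from("<I", data, pos + 64)[0]
            sect = pos + 72                              # section_64 entries follow the command
            for _ in range(nsects):
                sectname = data[sect:sect + 16].rstrip(b"\0").decode()
                size, offset = struct.unpack_from("<QI", data, sect + 40)
                sections[(segname, sectname)] = (base + offset, size)
                sect += 80
        pos += cmdsize
    return sections

def extract_section(data, segname, sectname, cputype=None):
    """Return the raw bytes of segname,sectname from the first slice that has it."""
    for cpu, off, _size in fat_slices(data):
        if cputype is not None and cpu is not None and cpu != cputype:
            continue
        try:
            foff, size = macho_sections(data, off)[(segname, sectname)]
        except (ValueError, KeyError):                  # not 64-bit, or section absent
            continue
        return data[foff:foff + size]
    raise KeyError("%s,%s not found" % (segname, sectname))

def unpack_payload(blob):
    """Classify like `file` and undo one compression layer: gzip starts 1f 8b,
    zlib starts 0x78 with (b0<<8|b1) % 31 == 0, a raw UDIF .dmg ends with the
    512-byte 'koly' trailer and is ready for hdik as-is."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip", gzip.decompress(blob)
    if len(blob) > 2 and blob[0] == 0x78 and ((blob[0] << 8) | blob[1]) % 31 == 0:
        return "zlib", zlib.decompress(blob)
    if len(blob) >= 512 and blob[-512:-508] == b"koly":
        return "dmg", blob
    return "raw", blob

def build_sample_macho(payloads):
    """Constructed fixture: thin x86_64 Mach-O, one __CONST segment, sections from {name: bytes}."""
    nsects = len(payloads)
    seg_size, sects, blobs = 72 + 80 * nsects, b"", b""
    data_off = 32 + seg_size
    for name, payload in payloads.items():
        sects += struct.pack("<16s16sQQIIIIIIII", name.encode(), b"__CONST", 0, len(payload),
                             data_off + len(blobs), 0, 0, 0, 0, 0, 0, 0)
        blobs += payload
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 1, seg_size, 0, 0)
    segment = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, seg_size, b"__CONST", 0, len(blobs),
                          data_off, len(blobs), 1, 1, nsects, 0)
    return header + segment + sects + blobs

def wrap_fat(thin, cputype, slice_off=4096):
    """Put one thin slice behind a fat header so the slice-relative offset path is exercised."""
    fat_hdr = struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">iiIII", cputype, 3, slice_off, len(thin), 12)
    return fat_hdr.ljust(slice_off, b"\0") + thin

def demo():
    """gzip'd 'ramdisk' and zlib'd 'overlay' in a fat sample, recovered by section name."""
    rdsk, overlay = b"fake ramdisk " * 64, b"binpack overlay " * 64
    fat = wrap_fat(build_sample_macho({"__rdsk": gzip.compress(rdsk),
                                       "__overlay": zlib.compress(overlay)}), CPU_TYPE_X86_64)
    return {name: unpack_payload(extract_section(fat, "__CONST", name))
            for name in ("__rdsk", "__overlay")}

if __name__ == "__main__":
    for name, (kind, body) in demo().items():
        print("%s: %s, %d bytes after unpacking" % (name, kind, len(body)))
```

Against the real binary the call is `unpack_payload(extract_section(open("checkra1n", "rb").read(), "__CONST", "__rdsk"))`, and the offset and size it uses can be cross-checked against the `offset` and `size` fields that `otool -l` prints for the section; in a universal binary those are relative to the architecture slice, which is why `macho_sections` adds the slice base back before reading. Only the outer wrapper is identified: a `dmg` or `raw` result is what you hand to `sudo hdik`, as in the reply above.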

@edwin170 sudo hdik overlay.dmg

Haha, oh thanks, let me try it :)

edwin170 avatar May 30 '23 13:05 edwin170

@edwin170 sudo hdik overlay.dmg

Sir, could you please say who is responsible for mounting the overlay.dmg image?

edwin170 avatar Jun 03 '23 17:06 edwin170

@edwin170 The payload binary.

Siguza avatar Jun 03 '23 18:06 Siguza