SSHRD_Script

main: Error doing patch_rsa_check()!

Open ghost opened this issue 2 years ago • 22 comments

ipados 16.5, ipad 6th gen cellular

download succeeded
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8003
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8003
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
main: Starting...
iOS 16 iBoot detected!
getting get_sigcheck_patch() patch
main: Error doing patch_rsa_check()!
[-] An error occurred

ghost avatar Jun 25 '23 05:06 ghost

I found a solution, there is something wrong with the 'Darwin/iBoot64Patcher' file, after replacing it with the ramdisk from normalgreg in post https://www.reddit.com/r/jailbreak/comments/ztlr2i/comment/j1x4sf4/ I got it to create an iOS 16.5 Ramdisk, can you try to see what the differences are?

ghost avatar Jun 25 '23 06:06 ghost

I found a solution, there is something wrong with the 'Darwin/iBoot64Patcher' file, after replacing it with the ramdisk from normalgreg in post https://www.reddit.com/r/jailbreak/comments/ztlr2i/comment/j1x4sf4/ I got it to create an iOS 16.5 Ramdisk, can you try to see what the differences are?

nah, does not work. I replaced the one in the Darwin folder with the one you linked and it's still the same

M4rk91 avatar Aug 18 '23 08:08 M4rk91

I found a solution, there is something wrong with the 'Darwin/iBoot64Patcher' file, after replacing it with the ramdisk from normalgreg in post https://www.reddit.com/r/jailbreak/comments/ztlr2i/comment/j1x4sf4/ I got it to create an iOS 16.5 Ramdisk, can you try to see what the differences are?

nah, does not work. I replaced the one in the Darwin folder with the one you linked and it's still the same

No problems at all here to create and boot rdsk. You're facing that issue at which point? While creating the rdsk files? Pwning DFU? Booting Ramdisk? Help us to help you!

iam-theKid avatar Aug 19 '23 06:08 iam-theKid

Which version of iBoot64Patcher are you using? Tested with 3a0f72d8ecedcd064028002c373bc9e4a638131c-42 and working:

Version: 3a0f72d8ecedcd064028002c373bc9e4a638131c-42
main: Starting...
iOS 16 iBoot detected!
getting get_debug_enabled_patch() patch
getting get_sigcheck_patch() patch
applying patch=0x1800c5da0 : 000080d2
applying patch=0x1800c5e44 : 000080d2
applying patch=0x1800c79b8 : 200080d2
main: Writing out patched file to work/iBSS.patched...
main: Quitting...
none
Version: 3a0f72d8ecedcd064028002c373bc9e4a638131c-42
main: Starting...
iOS 16 iBoot detected!
getting get_boot_arg_patch(rd=md0 debug=0x2014e -v wdt=-1 ) patch
getting get_debug_enabled_patch() patch
getting get_unlock_nvram_patch() patch
getting get_sigcheck_patch() patch
applying patch=0x1800c5da0 : 000080d2
applying patch=0x1800c5e44 : 000080d2
applying patch=0x1800b2210 : 000080d2c0035fd6
applying patch=0x1800b2268 : 000080d2c0035fd6
applying patch=0x1800eef9c : 000080d2c0035fd6
applying patch=0x1800c79b8 : 200080d2
applying patch=0x1800c9004 : 17443430
applying patch=0x180131885 : 72643d6d64302064656275673d30783230313465202d76207764743d2d31202000
applying patch=0x1800cd81c : 1f2003d5
main: Writing out patched file to work/iBEC.patched...
main: Quitting...

iam-theKid avatar Aug 19 '23 06:08 iam-theKid

I found a solution, there is something wrong with the 'Darwin/iBoot64Patcher' file, after replacing it with the ramdisk from normalgreg in post https://www.reddit.com/r/jailbreak/comments/ztlr2i/comment/j1x4sf4/ I got it to create an iOS 16.5 Ramdisk, can you try to see what the differences are?

It still does not work for me even after replacing the 'Darwin/iBoot64Patcher' file.

IMG_0560.jpg

I'm using an iPhone 7 on iOS 10.1.1 in DFU mode then running "./sshrd.sh 10.1.1", I don't see why any problems should be occurring.

Lawin0129 avatar Oct 29 '23 02:10 Lawin0129

Similar issue here: on iPad Pro 9.7-inch (WiFi) - iOS 16.7.4. Everything downloads but fails on Getting Sig Patch / Doing patch_rsa_check. Anyone on 16.7.6 manage to get this to work?

Log:

download succeeded
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
main: Starting...
iOS 16 iBoot detected!
getting get_sigcheck_patch() patch
main: Error doing patch_rsa_check()!
[-] An error occurred

Full Error log: https://pastebin.com/Jnhy3r4U

-EDITED:

  • Meant 16.7.6, not 16.7.4. (dyscalculia failure on my part)

frankpanduh avatar Mar 16 '24 12:03 frankpanduh

@frankpanduh Try using a different iBoot64Patcher version. If the issue still occurs then try using SSHRD Lite.

mast3rz3ro avatar Mar 16 '24 14:03 mast3rz3ro

@frankpanduh Try using a different iBoot64Patcher version. If the issue still occurs then try using SSHRD Lite.

I tried pulling the newer version of iBoot64Patcher from palera1n but no dice. SSHRD Lite doesn't pull activation files, it just makes the ramdisk, correct? Only asking because I need to pull activation files so I can downgrade. I even tried pulling the most recent gaster to see if that worked.

frankpanduh avatar Mar 18 '24 02:03 frankpanduh

SSHRD Lite doesn't pull activation files, it just makes the ramdisk, correct?

Yes, it doesn't, but you can fork it and edit it so it suits your needs ;).

Only asking because I need to pull activation files so I can downgrade.

It's very important to keep a backup of your device records since I assume that you have a locked one. I can't imagine a situation where you have lost these records :O, that will be a pain.

mast3rz3ro avatar Mar 18 '24 04:03 mast3rz3ro

Only asking because I need to pull activation files so I can downgrade.

It's very important to keep a backup of your device records since I assume that you have a locked one. I can't imagine a situation where you have lost these records :O, that will be a pain.

Sorry in advance for being slow, but it's not iCloud locked BTW, it's just the activation nag screen: doing a fresh install downgrade, it loops at setup trying to activate over Wi-Fi or iTunes. I tried to do a downgrade preserving data to avoid it but it fails during the iBSS stage. Works fine on 16.7.6 jailbroken, I just wanted to downgrade so I don't have to use a computer to re-jailbreak when I forget to charge my iPad.

I can activate it just fine on iOS 16.7.6 (stock), but when I try to downgrade to 15.7 it won't connect to Wi-Fi for activation or iTunes during the setup process if I wipe when downgrading from 16.7.4.

I'm just lost and missing a step, I'm sure. I tried using futurerestore-gui (V1.98.3 + nightly) with blobs I saved for 15.7, since all my iOS 16 blobs are betas, and during futurerestore it fails to pull keys. I can futurerestore to 15.7 with the blob I have, but again I get the loop issue once I do that.

Might need to use a different device to try this on, mostly because at this point I'm starting to think it's my Mac Mini (2011) since it's older and I use openboot patcher to run on Ventura. Or just settle on iOS 16.7.6.

The only blobs I have are:

  • iOS 16.1 (beta 1) - (Fails to find public keys futurerestore-gui)
  • iOS 16.1 (beta 2) - (Fails to find public keys futurerestore-gui)
  • iOS 16.1 (beta 3) - (Untested)
  • iOS 15.7 (19H12) - (Works, but setup screen loop, maybe due to [SEP])
  • iOS 15.6 (19G69) - (Fails to pull keys futurerestore-gui)

When attempting beta downgrades I get this, so unsure if betas are even a route for me as the information I found on betas is unclear to me:

DEBUG: restore_send_firmware_updater_data: Got FirmwareUpdaterData request:
Request URL set to https://gs.apple.com/TSS/controller?action=2
TSS server returned: STATUS=94&MESSAGE=This device isn't eligible for the requested build.
ERROR: TSS request failed (status=94, message=This device isn't eligible for the requested build.)
ERROR: Unable to fetch Cryptex1 ticket
Request URL set to https://gs.apple.com/TSS/controller?action=2
TSS server returned: STATUS=94&MESSAGE=This device isn't eligible for the requested build.
ERROR: TSS request failed (status=94, message=This device isn't eligible for the requested build.)
ERROR: Unable to fetch Cryptex1 ticket
ERROR: restore_send_firmware_updater_data: Couldn't get Cryptex1 firmware data a second time even using latest build manifest, this is not normal, RIPERONI :(

What I've tried:

  • https://ios.cfw.guide/futurerestore/ (15.7 worked but loop and betas won't restore that I've tested)
  • https://gist.github.com/mineek/bd8d0e002ce67e82831a23a8d7eceb3c (failed to compile on mac mini "2011" Ventura-openboot)
  • https://gist.github.com/Orangera1n/fa3ca03d6aa9f5be963fd3b72c3f4225
  • https://gist.github.com/pixdoet/2b58cce317a3bc7158dfe10c53e3dd32

Was going off this: Spreadsheet that recommends this route.
https://docs.google.com/spreadsheets/d/1Mb1UNm6g3yvdQD67M413GYSaJ4uoNhLgpkc7YKi3LBs/edit#gid=555362102

I apologize in advance for the novice factor; information is so all over the place, and hard to pin down what is accurate and working. Been out of the JB scene for a while so unsure where to find solid info anymore. But thanks for your time anyhow.

frankpanduh avatar Mar 25 '24 01:03 frankpanduh

but when I try to downgrade to 15.7 it won't connect to wifi for activation or iTunes during the setup process

Since you are using a patched mobileactivationd this issue is expected to happen, though maybe I could be wrong. Follow the same instructions again but ignore the part which replaces mobileactivationd; instead, activate with your already backed-up records.

When attempting beta downgrades I get this, so unsure if betas are even a route for me as the information I found on betas is unclear to me

Probably it's incompatible, the https://ios.cfw.guide/futurerestore page says:

Note that if you are on a device that supports iOS 16 (which includes A12+), you will not be able to follow this guide due to Cryptex1 and SEP/BB incompatibility

Thank you for fixing my typo :).

mast3rz3ro avatar Mar 25 '24 06:03 mast3rz3ro

Been trying because the SEP/BB spreadsheet in that same futurerestore tutorial post claims it's technically possible for my device.

https://docs.google.com/spreadsheets/d/1Mb1UNm6g3yvdQD67M413GYSaJ4uoNhLgpkc7YKi3LBs/edit#gid=555362102

With regularly pulled iBoot64Patcher I get:

download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: 087-86719-021.dmg
100% [===================================================================================================>]
download succeeded
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
Version: 26bee8a5fe80f874a590b776da450cac62c01328-26
main: Starting...
iOS 16 iBoot detected!
getting get_sigcheck_patch() patch
main: Error doing patch_rsa_check()! (img4interposercallback couldn't find branch for ret2!)
[-] An error occurred
No matching processes belonging to you were found

If I use this version of iBoot64Patcher I get this:

Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: 087-86719-021.dmg
100% [===================================================================================================>]
download succeeded
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
Version: fd9abaed266a0ad2a119f481700230202000d2aa-25
main: Starting...
[DEBUG] iBoot-8422 inputted

iOS 16 iBoot detected!
[DEBUG] mode=RELEASE

[DEBUG] iBoot base at=0x0000000180038000

[DEBUG] iBoot-8422 inputted

[DEBUG] iBoot base at=0x0000000180000000

getting get_sigcheck_patch() patch
[DEBUG] img4decodemanifestexists=0x180028c50
[DEBUG] img4decodemanifestexistsref=0x1800104a4
[DEBUG] img4interposercallbackptr=0x180030f70
[DEBUG] img4interposercallback=0x18000f90c
[DEBUG] img4interposercallbackret=0x18000ff9c
main: Error doing patch_rsa_check()! (img4interposercallback couldn't find branch for ret2!)

Saw that @iam-theKid managed to get it to work with "3a0f72d8ecedcd064028002c373bc9e4a638131c-42" but can't find that version. Been trying ones from: https://github.com/Cryptiiiic/iBoot64Patcher/actions and https://nightly.link/Cryptiiiic/iBoot64Patcher/workflows/ci/main/iBoot64Patcher-macOS-x86_64-RELEASE

Tried compiling this one: https://github.com/haiyuidesu/iBoot64Patcher but it looks like the "-n" flag was removed, so this script didn't work with it, and I didn't dive enough into the variations of this from the Cryptiiiic builds.

frankpanduh avatar Mar 27 '24 13:03 frankpanduh

but can't find that version "3a0f72d8ecedcd064028002c373bc9e4a638131c-42"

This commit is from palera1n's fork of iBoot64Patcher. I doubt this commit will work for you but anyways here's the link: 3a0f72d

Tried compiling this one: https://github.com/haiyuidesu/iBoot64Patcher but it looks like the "-n" flag was removed, so this script didn't work with it, and I didn't dive enough into the variations of this from the Cryptiiiic builds.

The main difference between Cryptiiiic's fork and haiyuidesu's fork is that haiyuidesu's fork is a rebooted version which requires fewer dependencies, so it's easy to build. On the other hand, Cryptiiiic's is forked from tihmstar's and this fork requires more libraries, e.g. libgeneral, and it's kinda hard to build on Linux/Windows.

Btw, I have just checked Cryptiiiic's fork and it seems like he has already updated his fork to add support for iOS 17.x versions.

mast3rz3ro avatar Mar 29 '24 10:03 mast3rz3ro

Bizarre, fd9abaed266a0ad2a119f481700230202000d2aa-25 gave me at least some debug info:

Version: fd9abaed266a0ad2a119f481700230202000d2aa-25
main: Starting...
[DEBUG] iBoot-8422 inputted

iOS 16 iBoot detected!
[DEBUG] mode=RELEASE

[DEBUG] iBoot base at=0x0000000180038000

[DEBUG] iBoot-8422 inputted

[DEBUG] iBoot base at=0x0000000180000000

getting get_sigcheck_patch() patch
[DEBUG] img4decodemanifestexists=0x180028c50
[DEBUG] img4decodemanifestexistsref=0x1800104a4
[DEBUG] img4interposercallbackptr=0x180030f70
[DEBUG] img4interposercallback=0x18000f90c
[DEBUG] img4interposercallbackret=0x18000ff9c
main: Error doing patch_rsa_check()! (img4interposercallback couldn't find branch for ret2!)

However, the newest 26bee8a5fe80f874a590b776da450cac62c01328-26 gives less debug info when it fails at main: Error doing patch_rsa_check()! (img4interposercallback couldn't find branch for ret2!)

Note: iOS 16.7.6 and 16.7.7 are the only two currently signed versions right now since this device isn't getting iOS 17. (1st gen iPad Pro - iPad6,3 - WiFi - 9.7 inch)

https://github.com/Cryptiiiic/iBoot64Patcher/commit/26bee8a5fe80f874a590b776da450cac62c01328

./sshrd.sh 16.7.6
[*] Getting device info and pwning... this may take a second
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f
Compiled with plist: YES
Saved IM4M to work/IM4M
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: BuildManifest.plist
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/dfu/iBSS.ipad6b.RELEASE.im4p
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/dfu/iBEC.ipad6b.RELEASE.im4p
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/all_flash/DeviceTree.j127ap.im4p
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/087-86719-021.dmg.trustcache
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: kernelcache.release.ipad6b
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: 087-86719-021.dmg
100% [===================================================================================================>]
download succeeded
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
Version: 26bee8a5fe80f874a590b776da450cac62c01328-26
main: Starting...
iOS 16 iBoot detected!
getting get_sigcheck_patch() patch
main: Error doing patch_rsa_check()! (img4interposercallback couldn't find branch for ret2!)
[-] An error occurred
No matching processes belonging to you were found

frankpanduh avatar Mar 29 '24 16:03 frankpanduh

@frankpanduh I would recommend that you try with the latest commit of haiyuidesu's fork, and if the problem is still present then open a new issue; this will help to solve the issue in the near future.

mast3rz3ro avatar Mar 29 '24 17:03 mast3rz3ro

@mast3rz3ro I already tried that, like I said earlier: haiyuidesu's fork removed the "-n" flag so the script fails.

./sshrd.sh 16.7.6
Archive:  gaster-Darwin.zip
  inflating: gaster                  
[*] Waiting for device in DFU mode
[*] Getting device info and pwning... this may take a second
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f
Compiled with plist: YES
Saved IM4M to work/IM4M
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: BuildManifest.plist
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/dfu/iBSS.ipad6b.RELEASE.im4p
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/dfu/iBEC.ipad6b.RELEASE.im4p
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/all_flash/DeviceTree.j127ap.im4p
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/087-86719-021.dmg.trustcache
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: kernelcache.release.ipad6b
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: 087-86719-021.dmg
100% [===================================================================================================>]
download succeeded
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
[main]: starting...
[main]: detected iBoot-8422.142.2.700.1!
[main]: base_addr = 0x180000000
[main]: applying generic iBoot patches...

[rmv_signature_check]: removing signatures checks...
[rmv_signature_check]: found '_image4_validate_property_cb_interposer' beginning!
[rmv_signature_check]: patched to MOVZ x0, #0 insn = 0x18000f90c
[rmv_signature_check]: patched to RET insn = 0x18000f910
[rmv_signature_check]: successfully removed signatures checks!

[main]: writing work/iBSS.patched...
[main]: done!
none
warning: unrecognized argument: -n
usage: iBoot64Patcher <in> <out> [-e] [-b <boot-args>]
	default	apply the generics patches,
	-e	apply the extra patches,
	-b	apply custom boot-args.
[-] An error occurred
No matching processes belonging to you were found

frankpanduh avatar Mar 29 '24 18:03 frankpanduh

haiyuidesu's fork removed the "-n" flag

This option shouldn't be necessary, try editing the script by removing this parameter from it.

mast3rz3ro avatar Mar 29 '24 21:03 mast3rz3ro

haiyuidesu's fork removed the "-n" flag

This option shouldn't be necessary, try editing the script by removing this parameter from it.

Tested removing the "-n" flag with haiyuidesu's iBoot64Patcher; it looks like it built a ramdisk but failed to boot it.

./sshrd.sh 16.7.6
[*] Getting device info and pwning... this may take a second
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f
Compiled with plist: YES
Saved IM4M to work/IM4M
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: BuildManifest.plist
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/dfu/iBSS.ipad6b.RELEASE.im4p
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/dfu/iBEC.ipad6b.RELEASE.im4p
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/all_flash/DeviceTree.j127ap.im4p
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: Firmware/087-86719-021.dmg.trustcache
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: kernelcache.release.ipad6b
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2023WinterFCS/fullrestores/052-60113/D4EAAC6E-5005-4854-92E3-80D7B7517529/iPadPro_9.7_16.7.6_20H320_Restore.ipsw
init done
getting: 087-86719-021.dmg
100% [===================================================================================================>]
download succeeded
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
usb_timeout: 5
usb_abort_timeout_min: 0
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID: 0x8001
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
[main]: starting...
[main]: detected iBoot-8422.142.2.700.1!
[main]: base_addr = 0x180000000
[main]: applying generic iBoot patches...

[rmv_signature_check]: removing signatures checks...
[rmv_signature_check]: found '_image4_validate_property_cb_interposer' beginning!
[rmv_signature_check]: patched to MOVZ x0, #0 insn = 0x18000f90c
[rmv_signature_check]: patched to RET insn = 0x18000f910
[rmv_signature_check]: successfully removed signatures checks!

[main]: writing work/iBSS.patched...
[main]: done!
none
[main]: starting...
[main]: detected iBoot-8422.142.2.700.1!
[main]: base_addr = 0x870000000
[main]: applying generic iBoot patches...

[rmv_signature_check]: removing signatures checks...
[rmv_signature_check]: found '_image4_validate_property_cb_interposer' beginning!
[rmv_signature_check]: patched to MOVZ x0, #0 insn = 0x870011990
[rmv_signature_check]: patched to RET insn = 0x870011994
[rmv_signature_check]: successfully removed signatures checks!

[enable_kernel_debug]: enabling kernel debugging...
[enable_kernel_debug]: found the BL to '_security_allow_modes' function
[enable_kernel_debug]: patched to MOVZ x0, #1 insn = 0x870013b4c
[enable_kernel_debug]: successfully enabled kernel debugging!

[set_custom_bootargs]: setting "rd=md0 debug=0x2014e -v wdt=-1  " boot-args...
[set_custom_bootargs]: found boot-args string = 0x870015260
[set_custom_bootargs]: patched the ADR instruction = 0x870015260
[set_custom_bootargs]: found the CBZ instruction = 0x87001525c
[set_custom_bootargs]: replaced the ADR instruction pointing address = 0x8700152b8
[set_custom_bootargs]: successfully set new bootargs!

[main]: writing work/iBEC.patched...
[main]: done!
none
krnl
Starting KPlooshFinder
patch_trustcache_new: Found trustcache
patch_developer_mode: Found developer mode
patch_launch_constraints: Found launch constraints
patch_amfi_sha1: Found AMFI hashtype check
patch_vnode_lookup: Found vnode_lookup
patch_sbops: Found sbops
patch_shellcode_area: Found shellcode area
patch_ret0_gadget: Found ret0 gadget
patch_vnode_getpath: Found vnode_getpath
patch_vnode_getaddr: Found vnode_getattr
patch_vnode_open_close: Found vnode_open/vnode_close
Patching completed successfully.
krnl
dtre
rtsc
rdsk
/dev/disk8          	                               	
/dev/disk9          	EF57347C-0000-11AA-AA11-0030654	
/dev/disk9s1        	41504653-0000-11AA-AA11-0030654	/private/tmp/SSHRD
..........................................................................................................
created: /Users/panduh/Desktop/sshrd-tests/test-haiyuidesu/SSHRD_Script/work/ramdisk1.dmg
"disk2" ejected.
/dev/disk2          	                               	/private/tmp/SSHRD
"disk2" ejected.
none
none

[*] Cleaning up work directory

[*] Finished! Please use ./sshrd.sh boot to boot your device

Then tested with ./sshrd.sh boot but it failed:

./sshrd.sh boot
[*] Getting device info and pwning... this may take a second
[==================================================] 100.0%
[==================================================] 100.0%
ERROR: Unable to connect to device
[-] An error occurred
No matching processes belonging to you were found

After this stage fails the iPad restarts.

frankpanduh avatar Mar 29 '24 23:03 frankpanduh

ERROR: Unable to connect to device

Try extending the timeout to 10 seconds after iBEC gets flashed.

mast3rz3ro avatar Mar 30 '24 02:03 mast3rz3ro

Try extending the timeout to 10 seconds after iBEC gets flashed.

I encountered the same problem and increasing it to 10 seconds doesn't work.

./sshrd.sh boot
[*] Getting device info and pwning... this may take a second
[==================================================] 100.0%
[==================================================] 100.0%
ERROR: Unable to connect to device
[-] An error occurred
No matching processes belonging to you were found

zhumingu avatar Apr 10 '24 07:04 zhumingu

I use dualra1n --downgrade and let it run until the SSHRD screen comes up, and when dualra1n displays "--downgrade option detected, this will destroy the main ios" in the terminal I press control+c to stop the dualra1n process and do my job in SSHRD.

brownnie03 avatar May 11 '24 10:05 brownnie03