├── resources
├── ssh.tar
├── dd_ent.plist
└── dropbear.plist
├── get_dropbear_key.sh
├── README.md
├── Ramdisk_Loader.sh
├── Requirements.sh
└── Ramdisk_Maker.sh
/resources/ssh.tar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ralph0045/SSH-Ramdisk-Maker-and-Loader/HEAD/resources/ssh.tar
--------------------------------------------------------------------------------
/get_dropbear_key.sh:
--------------------------------------------------------------------------------
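#!/bin/bash

## get_dropbear_key - create a dropbear RSA host key on the device and save it
## as resources/dropbear_rsa_host_key, which Ramdisk_Maker.sh copies into the
## 64-bit ramdisk (see resources/dropbear.plist).
##
## The device must be reachable over SSH as root at the address you enter. The
## key is generated on the device with the dropbearkey binary taken from
## resources/iosbinpack.tar; the temporary files are removed again on both
## sides.

set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Work relative to this script so "resources" is found from any cwd.
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

read -r -p "Please enter the local ip of your device: " ip_address
# The address is spliced into scp/ssh targets: refuse empty input and anything
# that is not a plain IPv4 literal or hostname (no "user@", no spaces, no
# leading "-").
[[ -n "$ip_address" ]] || die "no ip address given"
[[ "$ip_address" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] || die "'$ip_address' is not a plain ip address or hostname"
printf '%s\n' "$ip_address"

cd "$script_dir/resources" || die "cannot cd to $script_dir/resources"
[[ -f iosbinpack.tar ]] || die "resources/iosbinpack.tar is missing; run Requirements.sh first"

# Remove the unpacked binpack on every exit path, including a failed ssh step.
cleanup() { rm -rf -- iosbinpack64; }
trap cleanup EXIT

tar -xvf iosbinpack.tar
target="root@$ip_address"
scp iosbinpack64/usr/local/bin/dropbearkey "$target:/"
ssh "$target" "/dropbearkey -t rsa -f /rsa_key"
scp "$target:/rsa_key" dropbear_rsa_host_key
# It is a private key: owner-only permissions.
chmod 600 dropbear_rsa_host_key
ssh "$target" "rm -rf /dropbearkey /rsa_key"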
--------------------------------------------------------------------------------
/resources/dd_ent.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | platform-application
6 |
7 | com.apple.private.security.no-container
8 |
9 | com.apple.skip-library-validation
10 |
11 | com.apple.private.security.disk-device-access
12 |
13 |
14 |
15 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # SSH Ramdisk maker and loader for 32/64 bit devices
2 |
3 | ## There's no warranty provided!
4 |
5 | ## How to use it
6 | Getting the requirements:
7 | ```
8 | bash Requirements.sh
9 | ```
10 | Making the ramdisk:
11 | ```
12 | bash Ramdisk_Maker.sh -d -i
13 | ```
14 | Getting a dropbear_rsa_host_key (only needed on 64-bit devices):
15 | Booting it :
16 | ```
17 | bash get_dropbear_key.sh
18 | ```
19 | Put the device in pwned DFU (or kDFU) and:
20 | ```
21 | bash Ramdisk_Loader.sh -d
22 | ```
23 | Note: Ramdisk_Loader.sh needs libirecovery (its `irecovery` command must be on your PATH)
24 |
25 | # It should work with all limera1n/checkm8 devices
26 | Let me know on twitter (@Ralph0045) if it doesn't work on your device
27 |
28 | # Credits/Thanks to
29 | - @iH8sn0w for iBoot32Patcher
30 | - msftguy for ssh-rd
31 | - @daytonhasty for Odysseus and kairos
32 | - @mcg29_ for compare script
33 | - @Jakeashacks for rootlessjb
34 | - @tihmstar for partialzipbrowser
35 | - @xerub for img4lib
36 | - @tihmstar for libfragmentzip, partialZipBrowser and tsschecker
37 |
--------------------------------------------------------------------------------
/resources/dropbear.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Label
6 | dropbear
7 | Program
8 | /usr/local/bin/dropbear
9 | ProgramArguments
10 |
11 | /usr/local/bin/dropbear
12 | -i
13 | --shell
14 | /bin/bash
15 | -r
16 | /private/var/dropbear_rsa_host_key
17 |
18 | SessionCreate
19 |
20 | Sockets
21 |
22 | DropbearV4Listener
23 |
24 | SockFamily
25 | IPv4
26 | SockNodeName
27 | 127.0.0.1
28 | SockServiceName
29 | 22
30 |
31 | DropbearV6Listener
32 |
33 | SockFamily
34 | IPv6
35 | SockNodeName
36 | ::1
37 | SockServiceName
38 | 22
39 |
40 |
41 | StandardErrorPath
42 | /dev/null
43 | inetdCompatibility
44 |
45 | Wait
46 |
47 |
48 |
49 |
50 |
--------------------------------------------------------------------------------
/Ramdisk_Loader.sh:
--------------------------------------------------------------------------------
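#!/bin/bash

## Ramdisk_Loader - Copyright 2019-2020, @Ralph0045
##
## Boots a ramdisk built by Ramdisk_Maker.sh (directory SSH-Ramdisk-<device>
## in the current directory) on a device that is already in pwned DFU, by
## sending the images with irecovery in the order the device expects.
##
## Usage: Ramdisk_Loader.sh -d <model>        e.g. -d iPhone10,6

set -euo pipefail

echo "**** SSH Ramdisk_Loader 2.0 ****"
echo made by @Ralph0045

die() { printf '%s\n' "$*" >&2; exit 1; }

usage() {
  echo "Usage:

-d specify device by model

[example]

ramdisk_loader -d iPhone10,6
"
  # Non-zero so a caller chaining this with && notices the bad invocation.
  exit 1
}

#######################################
# Whether a model identifier belongs to a 64-bit device.
# Rule shared with Ramdisk_Maker.sh: iPhone6,x and later, iPad4,x and later
# and iPod6,x and later are 64-bit; anything else, including an identifier
# that does not parse, is treated as 32-bit.
# Arguments: $1 - model identifier such as iPhone10,6
# Returns:   0 if 64-bit, 1 otherwise
#######################################
is_64bit() {
  local model=$1 family number
  [[ "$model" =~ ^(iPhone|iPad|iPod)([0-9]+) ]] || return 1
  family=${BASH_REMATCH[1]}
  number=${BASH_REMATCH[2]}
  case "$family" in
    iPad) (( number > 3 )) ;;
    *)    (( number > 5 )) ;;
  esac
}

# irecovery wrappers: a failed transfer or command is reported on stderr but
# the sequence carries on, as the original unchecked sequence did; a real
# failure shows up as the device not booting.
send_file() {
  irecovery -f "$1" || printf 'warning: irecovery -f %s exited %s\n' "$1" "$?" >&2
}
send_cmd() {
  irecovery -c "$1" || printf 'warning: irecovery -c %s exited %s\n' "$1" "$?" >&2
}

# 64-bit boot sequence (img4 images). iBEC is sent twice with a pause in
# between, exactly as the original script did.
boot_64() {
  echo Sending iBSS
  sleep 2
  send_file iBSS.img4
  echo Sending iBEC
  send_file iBEC.img4
  sleep 2
  send_file iBEC.img4
  send_cmd go
  echo Sending ramdisk
  send_file ramdisk.img4
  send_cmd ramdisk
  echo Sending applelogo
  send_file applelogo.img4
  send_cmd "setpicture 5"
  echo Sending devicetree
  send_file devicetree.img4
  send_cmd devicetree
  # Only present for the iOS versions Ramdisk_Maker.sh produced one for.
  if [[ -e trustcache ]]; then
    echo Sending trustcache
    send_file trustcache
    send_cmd firmware
  fi
  echo Sending Kernelcache
  send_file kernelcache.img4
  send_cmd bootx
}

# 32-bit boot sequence (img3 images).
boot_32() {
  echo Sending iBSS
  send_file iBSS
  echo Sending iBEC
  send_file iBEC
  echo Sending ramdisk
  send_file ramdisk.dmg
  send_cmd ramdisk
  echo Sending devicetree
  send_file devicetree
  send_cmd devicetree
  echo Sending kernelcache
  send_file kernelcache
  send_cmd bootx
}

main() {
  (( $# >= 2 )) || usage
  # -d may appear anywhere; its value is the argument that follows it.
  local args=("$@") device="" i
  for (( i = 0; i < ${#args[@]} - 1; i++ )); do
    if [[ "${args[i]}" == "-d" ]]; then
      device=${args[i+1]}
    fi
  done
  [[ -n "$device" ]] || usage

  local dir="SSH-Ramdisk-$device"
  if [[ -e "$dir" ]]; then
    echo "$dir exists"
  else
    die "$dir does not exist"
  fi
  command -v irecovery >/dev/null 2>&1 || die "irecovery not found (install libirecovery)"
  cd "$dir" || die "cannot cd to $dir"

  if is_64bit "$device"; then
    boot_64
  else
    boot_32
  fi
  echo Done
  cd ..
}

main "$@"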
--------------------------------------------------------------------------------
/Requirements.sh:
--------------------------------------------------------------------------------
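#!/bin/bash

## Requirements.sh - fetch or build the host tools that Ramdisk_Maker.sh and
## get_dropbear_key.sh expect under bin/ and resources/.
##
## Each step is skipped when its output already exists, so the script can be
## re-run to fill in whatever is missing. Scratch clones/archives created by a
## step are removed when the script exits, whether or not it succeeded.
##
## Everything is pulled from upstream repositories and releases at the URLs
## below; the git clones are unpinned HEADs and none of the downloads are
## checksum- or signature-verified, so the resulting binaries are only as
## trustworthy as those sources at the time you run this.

set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Fail with a clear message when a build/download tool is missing instead of
# failing halfway through a clone.
need() { command -v "$1" >/dev/null 2>&1 || die "required tool not found: $1"; }

# Scratch files/directories created by the steps below; removed on exit.
scratch=()
cleanup() { [[ ${#scratch[@]} -eq 0 ]] || rm -rf -- "${scratch[@]}"; }
trap cleanup EXIT

#######################################
# Run a build/fetch step unless its output already exists.
# Arguments: $1 - path the step produces (e.g. bin/kairos)
#            $2 - name printed in the "is present" message
#            $3 - function that builds or fetches the output
#######################################
ensure() {
  local target=$1 label=$2 builder=$3
  if [[ -e "$target" ]]; then
    echo "$label is present"
  else
    "$builder"
    [[ -e "$target" ]] || die "$label: step finished but $target was not produced"
  fi
}

build_iboot32patcher() {
  need git; need clang
  scratch+=(iBoot32Patcher)
  git clone https://github.com/iH8sn0w/iBoot32Patcher
  (
    cd iBoot32Patcher
    clang iBoot32Patcher.c finders.c functions.c patchers.c -Wno-multichar -I. -o ../bin/iBoot32Patcher
  )
}

build_xpwntool() {
  need curl; need unzip
  scratch+=(odysseus-0.999.zip odysseus)
  # -f: an HTTP error fails the download instead of saving the error page.
  curl -fLO https://dayt0n.github.io/odysseus/odysseus-0.999.zip
  mkdir -p odysseus
  unzip odysseus-0.999.zip -d odysseus
  cp odysseus/odysseus-0.999.0/macos/xpwntool bin/
}

build_kernel64patcher() {
  need git; need gcc
  scratch+=(Kernel64Patcher)
  git clone https://github.com/Ralph0045/Kernel64Patcher.git
  ( cd Kernel64Patcher && gcc Kernel64Patcher.c -o Kernel64Patcher )
  mv -v Kernel64Patcher/Kernel64Patcher bin
}

build_kairos() {
  need git; need make
  scratch+=(kairos)
  git clone https://github.com/dayt0n/kairos.git
  ( cd kairos && make )
  mv -v kairos/kairos bin
}

build_partialzipbrowser() {
  need curl; need unzip
  echo partialZipBrowser is not present
  echo Downloading it
  scratch+=(partialZipBrowser.zip)
  curl -fLO https://github.com/tihmstar/partialZipBrowser/releases/download/v1.0/partialZipBrowser.zip
  unzip partialZipBrowser.zip
  mv partialZipBrowser bin
  echo Done!
}

build_img4() {
  need git; need make
  scratch+=(img4lib)
  git clone --recursive https://github.com/xerub/img4lib.git
  (
    cd img4lib
    git submodule init && git submodule update
    # The upstream README shows its optional overrides as "[CC=...] [LD=...]
    # [CORECRYPTO=1] [COMMONCRYPTO=1]". The previous version of this script
    # passed those brackets literally, which make sees as bogus targets. A
    # plain host build is what bin/img4 needs here; if your checkout needs a
    # backend selected on macOS, pass e.g. COMMONCRYPTO=1 without brackets.
    make -C lzfse
    make
  )
  mv -v img4lib/img4 bin
}

build_ldid2() {
  need curl; need unzip
  scratch+=(ldid.zip ldid)
  curl -fLO https://github.com/xerub/ldid/releases/download/42/ldid.zip
  mkdir -p ldid
  unzip ldid.zip -d ldid
  mv ldid/ldid2 bin
}

build_tsschecker() {
  need curl; need unzip
  scratch+=(tsschecker_macOS_v304.zip tsschecker)
  curl -fLO https://github.com/tihmstar/tsschecker/releases/download/304/tsschecker_macOS_v304.zip
  mkdir -p tsschecker
  unzip tsschecker_macOS_v304.zip -d tsschecker
  mv tsschecker/tsschecker bin
}

fetch_iosbinpack() {
  need git
  scratch+=(rootlessJB3)
  git clone https://github.com/jakeajames/rootlessJB3.git
  mv -v rootlessJB3/rootlessJB/bootstrap/tars/iosbinpack.tar resources
}

fetch_firmware_json() {
  need curl
  echo "firmware.json isn't present"
  echo Downloading it
  # -f: an HTTP error fails instead of saving the error page as "JSON".
  curl -fsSL https://api.ipsw.me/v2.1/firmwares.json --output firmware.json
  echo Done!
}

fetch_comparefiles() {
  need curl
  # Pinned to one commit of the upstream repository.
  curl -fsSL https://raw.githubusercontent.com/dualbootfun/dualbootfun.github.io/d947e2c9b6090a1e65a46ea6a58cd840986ff9d9/source/compareFiles.py --output bin/compareFiles.py
}

main() {
  mkdir -p bin resources
  ensure bin/iBoot32Patcher iBoot32Patcher build_iboot32patcher
  ensure bin/xpwntool xpwntool build_xpwntool
  ensure bin/Kernel64Patcher Kernel64Patcher build_kernel64patcher
  ensure bin/kairos kairos build_kairos
  ensure bin/partialZipBrowser partialZipBrowser build_partialzipbrowser
  ensure bin/img4 img4lib build_img4
  ensure bin/ldid2 ldid2 build_ldid2
  ensure bin/tsschecker tsschecker build_tsschecker
  ensure resources/iosbinpack.tar iosbinpack fetch_iosbinpack
  ensure firmware.json firmware.json fetch_firmware_json
  ensure bin/compareFiles.py compareFiles fetch_comparefiles
}

main "$@"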
--------------------------------------------------------------------------------
/Ramdisk_Maker.sh:
--------------------------------------------------------------------------------
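#!/bin/bash

## Ramdisk_Maker - Copyright 2019-2020, @Ralph0045
##
## Builds an SSH ramdisk for one device into SSH-Ramdisk-<device>/ using the
## tools and files that Requirements.sh puts under bin/ and resources/.
##
## Usage: Ramdisk_Maker.sh -d <model> [-i <iOS version>]
## Without -i, the earliest firmware ipsw.me lists for the model is used.
##
## Variables set here and read by the rest of the script:
##   device  - model identifier, e.g. iPhone10,6
##   version - iOS version given with -i, or empty (resolved later)
##   is_64   - "true" for 64-bit models, empty for 32-bit
## (No `set -e` here: the later steps run unchecked and silenced on purpose,
## and several of them would trip it.)

echo "**** SSH Ramdisk_Maker 2.0 ****"
echo made by @Ralph0045

if [ $# -lt 2 ]; then
echo "Usage:

-d specify device by model
-i specify iOS version (if not specified, it will use earliest version available)

[example]

ramdisk_maker -d iPhone10,6 -i 14.0
"
exit 1
fi

device=""
version=""
is_64=""

# -d/-i may appear in any order; each takes the argument that follows it.
args=("$@")
for (( i = 0; i < ${#args[@]} - 1; i++ )); do
  case "${args[i]}" in
    -d) device=${args[i+1]} ;;
    -i) version=${args[i+1]} ;;
  esac
done
[ -n "$device" ] || { echo "no device given (use -d <model>)" >&2; exit 1; }

## Check if 32/64 bit
# iPhone6,x / iPod6,x and later, and iPad4,x and later, are 64-bit. An
# identifier that does not start with iPhone/iPad/iPod plus a number is
# treated as 32-bit.
if [[ "$device" =~ ^(iPhone|iPad|iPod)([0-9]+) ]]; then
  family=${BASH_REMATCH[1]}
  number=${BASH_REMATCH[2]}
  case "$family" in
    iPad) [ "$number" -gt 3 ] && is_64="true" ;;
    *)    [ "$number" -gt 5 ] && is_64="true" ;;
  esac
fi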
59 |
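# A 64-bit ramdisk runs dropbear with /private/var/dropbear_rsa_host_key (see
# resources/dropbear.plist); get_dropbear_key.sh creates that file under
# resources/ and it is copied into the ramdisk further down.
if [ "$is_64" = "true" ] && [ ! -e "resources/dropbear_rsa_host_key" ]; then
  echo "dropbear_rsa_host_key is not present. Please run the script to get one"
  exit 1
fi

## Define BoardConfig
# Board identifier for this model, scraped from the ipsw.me firmware.json that
# Requirements.sh downloads; it selects this board's entries in
# BuildManifest.plist later on.
boardcfg="$(grep -A4 "$device" firmware.json | grep BoardConfig | sed 's/"BoardConfig"//' | sed 's/: "//' | sed 's/",//' | xargs)"
[ -n "$boardcfg" ] || { echo "no BoardConfig for $device in firmware.json (run Requirements.sh?)" >&2; exit 1; }

# Resolve the IPSW URL and build ID on ipsw.me. All output of this group is
# discarded, so an unreachable API or an unknown device/version only shows
# up as empty variables - checked right after the group.
{
if [ -z "$version" ]; then
ipsw_link=$(curl "https://api.ipsw.me/v2.1/$device/earliest/url")
version=$(curl "https://api.ipsw.me/v2.1/$device/earliest/info.json" | grep version | sed s+'"version": "'++ | sed s+'",'++ | xargs)
BuildID=$(curl "https://api.ipsw.me/v2.1/$device/earliest/info.json" | grep buildid | sed s+'"buildid": "'++ | sed s+'",'++ | xargs)
else
ipsw_link=$(curl "https://api.ipsw.me/v2.1/$device/$version/url")
BuildID=$(curl "https://api.ipsw.me/v2.1/$device/$version/info.json" | grep buildid | sed s+'"buildid": "'++ | sed s+'",'++ | xargs)
fi
} &> /dev/null
if [ -z "$ipsw_link" ] || [ -z "$BuildID" ]; then
  echo "could not look up $device ${version:-earliest} on ipsw.me" >&2
  exit 1
fi

# Major iOS version ("14" from "14.0"); picks the Firmware_Keys/<N>.x wiki page.
iOS_Vers=${version%%.*}

{
## Define RootFS name
# Wiki page name for this build, found on the Firmware_Keys index page.
# NOTE(review): the `grep "$BuildID"_""` separator is empty - that looks like
# markup stripped when this listing was published; compare with the upstream
# script before relying on this extraction.
RootFS="$((curl "https://www.theiphonewiki.com/wiki/Firmware_Keys/$iOS_Vers.x") | grep "$BuildID"_"" | grep $device -m 1| awk -F_ '{print $1}' | awk -F"wiki" '{print "wiki"$2}')"
} &> /dev/null

# Everything from here on runs inside SSH-Ramdisk-<device>/work; the later
# "cd ..; rm -rf work" clean-up relies on the cd having succeeded.
work_dir="SSH-Ramdisk-$device/work"
mkdir -p "$work_dir" || exit 1
cd "$work_dir" || { echo "cannot cd to $work_dir" >&2; exit 1; }

## Get wiki keys page

echo Downloading firmware keys...

# -f: on an HTTP error no (or an empty) temp_keys.html is left behind, so the
# test below detects a failed lookup instead of accepting the error page.
curl -f "https://www.theiphonewiki.com/$RootFS"_"$BuildID"_"($device)" --output temp_keys.html &> /dev/null

if [ -s "temp_keys.html" ]; then
echo Done!
else
echo "Failed to download firmware keys" >&2
exit 1
fi

# Get firmware keys, components and decrypt them

# BuildManifest.plist lists the component paths inside the IPSW.
../../bin/partialZipBrowser -g BuildManifest.plist "$ipsw_link" &> /dev/null
[ -e BuildManifest.plist ] || { echo "failed to fetch BuildManifest.plist from $ipsw_link" >&2; exit 1; }

# Component names in processing order: lower-cased they are the key names on
# the wiki page, as written they are the BuildManifest entries.
images="iBSS.iBEC.applelogo.DeviceTree.kernelcache.RestoreRamDisk"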
110 |
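# For each firmware component: read its iv/key from the downloaded wiki page
# (temp_keys.html), find its path in BuildManifest.plist for this board,
# download it from the IPSW and decrypt it (img4 on 64-bit, xpwntool on
# 32-bit).
#
# NOTE(review): several separators in the grep/sed/awk pipelines below are
# empty (`awk -F""`, `sed s+''++`). That looks like HTML/XML markup stripped
# when this listing was published; compare with the upstream script before
# trusting what these pipelines extract.
[ -n "$boardcfg" ] || { echo "BoardConfig for $device is empty; cannot read BuildManifest.plist" >&2; exit 1; }

for temp_type2 in iBSS iBEC applelogo DeviceTree kernelcache RestoreRamDisk
do
  # Lower-cased name as used on the keys page ("ibss-iv"); tr because macOS
  # bash 3.2 has no ${var,,}.
  temp_type=$(printf '%s' "$temp_type2" | tr '[:upper:]' '[:lower:]')

  # Store the scraped iv and key as <name>_iv / <name>_key. printf -v replaces
  # the previous eval so that text taken from a web page is only ever stored
  # as data and can never be executed as shell.
  printf -v "${temp_type}_iv" '%s' "$(grep "$temp_type-iv" temp_keys.html | awk -F"" '{print $1}' | awk -F"-iv\"\>" '{print $2}')"
  printf -v "${temp_type}_key" '%s' "$(grep "$temp_type-key" temp_keys.html | awk -F"" '{print $1}' | awk -F"$temp_type-key\"\>" '{print $2}')"
  iv=${temp_type}_iv
  key=${temp_type}_key
  if [ -z "${!iv}" ] || [ -z "${!key}" ]; then
    echo "warning: no iv/key for $temp_type2 found in temp_keys.html" >&2
  fi

  # Path of the component inside the IPSW, taken from this board's section of
  # BuildManifest.plist (for the ramdisk: the first .dmg after its entry).
  if [ "$temp_type2" = "RestoreRamDisk" ]; then
    component="$(grep -A 3000 "$boardcfg" BuildManifest.plist | grep "$temp_type2" -A 100| grep dmg -m 1 | sed s+''++ | sed s+''++ | xargs)"
  else
    component="$(grep -A 3000 "$boardcfg" BuildManifest.plist | grep "$temp_type2" | grep string -m 1 | sed s+''++ | sed s+''++ | xargs)"
  fi
  [ -n "$component" ] || { echo "$temp_type2 not found in BuildManifest.plist for $boardcfg" >&2; exit 1; }

  echo "Downloading $component..."
  # partialZipBrowser's output is discarded and its status is not relied on;
  # a missing download shows up when the decrypt step finds no input file.
  ../../bin/partialZipBrowser -g "$component" "$ipsw_link" &> /dev/null
  echo Done!

  # img4 takes iv and key concatenated; pass nothing at all when both are
  # empty, as the original unquoted expansion did.
  ivkey="${!iv}${!key}"
  if [ "$is_64" = "true" ]; then
    if [ "$temp_type2" = "RestoreRamDisk" ]; then
      ../../bin/img4 -i "$component" -o RestoreRamDisk.raw.dmg ${ivkey:+"$ivkey"}
      # iOS 12 and later also ship a trust cache for the ramdisk; fetched
      # here, packaged later.
      if [ -n "$iOS_Vers" ] && [ "$iOS_Vers" -gt 11 ]; then
        echo "Downloading $component.trustcache..."
        ../../bin/partialZipBrowser -g "Firmware/$component.trustcache" "$ipsw_link" &> /dev/null
        echo Done!
      fi
    else
      # Unquoted glob on purpose: the downloaded file presumably keeps its
      # IPSW file name, which starts with the component name (e.g. iBSS.*).
      ../../bin/img4 -i $temp_type2* -o "$temp_type2.raw" ${ivkey:+"$ivkey"}
    fi
  else
    if [ "$temp_type2" = "RestoreRamDisk" ]; then
      ../../bin/xpwntool "$component" RestoreRamDisk.dec.img3 -iv "${!iv}" -k "${!key}" -decrypt &> /dev/null
    else
      ../../bin/xpwntool $temp_type2* "$temp_type2.dec.img3" -iv "${!iv}" -k "${!key}" -decrypt &> /dev/null
    fi
  fi
done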
153 |
echo Making ramdisk...

# Assemble the boot images in SSH-Ramdisk-<device>/ from the decrypted
# components in work/, then delete work/. Everything inside this group has its
# stdout and stderr discarded (the "&> /dev/null" at its end), so a failing
# step - hdiutil attach, a missing key, the curl download - is not reported
# and "Done!" is printed regardless; check the output directory afterwards.
# The group finishes with the cwd back at the repository root.
{
if [ "$is_64" = "true" ]; then
# Fetch a SHSH blob for the device (the ECID is given literally) and pull its
# ApImg4Ticket out as apticket.der, which every img4 call below attaches with
# -M. "base64 -D" is the macOS spelling of the decode flag; GNU base64 uses -d.
../../bin/tsschecker -d $device -e FFFFFFFFFFFFF -l -s
plutil -extract ApImg4Ticket xml1 -o - *.shsh2 | xmllint -xpath '/plist/data/text()' - | base64 -D > apticket.der
# Patch the kernelcache; compareFiles.py presumably writes the kc.bpatch that
# -P consumes below - confirm before changing this step.
../../bin/Kernel64Patcher kernelcache.raw kcache.patched -a
python3 ../../bin/compareFiles.py kernelcache.raw kcache.patched
# iOS 12 and later only (matches the trust cache download earlier).
if [ "$iOS_Vers" -gt "11" ]; then
../../bin/img4 -i *.trustcache -o trustcache -M apticket.der
mv trustcache ../
fi
# kernelcache.re* is the downloaded kernelcache file (glob, not a fixed name).
../../bin/img4 -i kernelcache.re* -o kernelcache.img4 -T rkrn -P kc.bpatch -J -M apticket.der
mv kernelcache.img4 ../
# Patch iBSS/iBEC (iBEC gets the ramdisk boot-args), re-wrap them as img4 and
# do the same for applelogo and the device tree.
../../bin/kairos iBSS.raw iBSS.patched
../../bin/kairos iBEC.raw iBEC.patched -b "rd=md0 -v"
../../bin/img4 -i iBSS.patched -o iBSS.img4 -T ibss -A -M apticket.der
../../bin/img4 -i iBEC.patched -o iBEC.img4 -T ibec -A -M apticket.der
mv -v iBSS.img4 ../
mv -v iBEC.img4 ../
../../bin/img4 -i applelogo.raw -o applelogo.img4 -T logo -A -M apticket.der
mv -v applelogo.img4 ../
../../bin/img4 -i DeviceTree.raw -o devicetree.img4 -T rdtr -A -M apticket.der
mv -v devicetree.img4 ../
# Grow the restore ramdisk, mount it and add the SSH bits: the binpack's
# bin/sbin/usr, libncurses from dependencies.tar, the dropbear launchd plist
# and the host key produced by get_dropbear_key.sh.
hdiutil resize -size 100MB RestoreRamDisk.raw.dmg
# mkdir without -p: a ramdisk_mountpoint left over from an aborted run makes
# this fail (silently, see above).
mkdir ramdisk_mountpoint
hdiutil attach -mountpoint ramdisk_mountpoint/ RestoreRamDisk.raw.dmg
tar -xvf ../../resources/iosbinpack.tar -C .
cd iosbinpack64
tar -cvf ../tar.tar bin sbin usr
cd ..
tar -xvf tar.tar -C ramdisk_mountpoint
mkdir libs
# NOTE(review): dependencies.tar comes from a Dropbox share link with no
# checksum or signature check, and its libraries are copied into the
# ramdisk's /usr/lib. Pin a known-good hash (or vendor the file) before
# relying on it.
curl -LO https://www.dropbox.com/s/3mbep81xx8kmvak/dependencies.tar
tar -xvf dependencies.tar -C libs
cp -a libs/libncurses.5.4.dylib ramdisk_mountpoint/usr/lib
cp -a ../../resources/dropbear.plist ramdisk_mountpoint/System/Library/LaunchDaemons
cp -a ../../resources/dropbear_rsa_host_key ramdisk_mountpoint/private/var

# Only add libiconv when the ramdisk does not already ship one.
if [ -e "ramdisk_mountpoint/usr/lib/libiconv.2.dylib" ]; then
echo ""
else
cp -a libs/libiconv.2.dylib ramdisk_mountpoint/usr/lib
fi
# Re-sign dd with the entitlements from resources/dd_ent.plist, create
# /private/var/root, unmount and wrap the ramdisk as img4.
../../bin/ldid2 -S../../resources/dd_ent.plist ramdisk_mountpoint/bin/dd
mkdir ramdisk_mountpoint/private/var/root
hdiutil detach ramdisk_mountpoint
../../bin/img4 -i RestoreRamDisk.raw.dmg -o ramdisk.img4 -T rdsk -A -M apticket.der
mv ramdisk.img4 ../
cd ..
rm -rf work
cd ..
else
# 32-bit: unpack the img3 ramdisk, grow and mount it, drop resources/ssh.tar
# in, unmount and re-wrap it using the original img3 as template (-t).
../../bin/xpwntool RestoreRamDisk.dec.img3 RestoreRamDisk.raw.dmg
hdiutil resize -size 30MB RestoreRamDisk.raw.dmg
mkdir ramdisk_mountpoint
hdiutil attach -mountpoint ramdisk_mountpoint/ RestoreRamDisk.raw.dmg
tar -xvf ../../resources/ssh.tar -C ramdisk_mountpoint/
hdiutil detach ramdisk_mountpoint
../../bin/xpwntool RestoreRamDisk.raw.dmg ramdisk.dmg -t RestoreRamDisk.dec.img3
mv -v ramdisk.dmg ../
# Unpack, patch (iBoot32Patcher; iBEC with the ramdisk boot-args) and
# re-wrap iBSS/iBEC, then move the remaining decrypted images up unchanged.
../../bin/xpwntool iBSS.dec.img3 iBSS.raw
../../bin/iBoot32Patcher iBSS.raw iBSS.patched -r
../../bin/xpwntool iBSS.patched iBSS -t iBSS.dec.img3
mv -v iBSS ../
../../bin/xpwntool iBEC.dec.img3 iBEC.raw
../../bin/iBoot32Patcher iBEC.raw iBEC.patched -r -d -b "rd=md0 -v amfi=0xff cs_enforcement_disable=1"
../../bin/xpwntool iBEC.patched iBEC -t iBEC.dec.img3
mv -v iBEC ../
mv -v applelogo.dec.img3 ../applelogo
mv -v DeviceTree.dec.img3 ../devicetree
mv -v kernelcache.dec.img3 ../kernelcache
cd ..
rm -rf work
cd ..
fi

} &> /dev/null

echo Done!
234 |
--------------------------------------------------------------------------------