├── README.md
├── iBoot32Patcher
├── ida_patcher
├── image3maker
├── irecovery
├── mount.sh
├── packimg3.sh
├── pzb
├── restored_external_verbose_patch.dif
├── ssh.tar
├── unmount.sh
└── xpwntool


/README.md:
--------------------------------------------------------------------------------
 1 | # ramdiskutil
 2 | 
 3 | ## Description
 4 | A set of tools that can make a ssh ramdisk for 32-bit iDevices. <br />
 5 | macOS supported only. Will never support other OSes. <br />
 6 | 
 7 | ## Usage
 8 | **pzb**: Download firmware partially, only download a part of it. Saves your bandwidth and time. You just need to download restoreramdisk, ibss, ibec, devicetree and kernelcache. <br />
 9 | 
10 | **iBoot32Patcher**: Patch iBEC and iBSS for removing sigchecks and adding boot-args. <br />
11 | 
12 | **mount.sh**: Used for mounting ramdisk. The ramdisk should be renamed to RestoreRamdisk.dmg <br />
13 | 
14 | **unmount.sh**: Used for unmounting ramdisk. The ramdisk should be renamed to RestoreRamdisk.dmg <br />
15 | 
16 | **xpwntool**: Decrypt firmware components. Used to decrypt ibss, ibec, and other things. <br />
17 | 
18 | **packimg3.sh**: Pack ramdisk to a img3 container. For an iOS device, only img3 format is suitable for booting. <br />
19 | 
20 | **irecovery**: A tool for communicating with device in DFU mode <br />
21 | 
22 | ## Methods
23 | 1. Goto ipsw.me/keys (Requires login) or theiphonewiki.com/wiki/Firmware\_Keys to find keys and ivs. Write down the filename of RestoreRamdisk. <br />
24 | 2. Use pzb to download: <br />
25 | ./pzb [LINK TO IPSW] <br />
26 | Files needed to download: <br />
27 | **(1) XXX-XXXX-XXX.dmg (the name of RestoreRamdisk) <br />
28 | (2) Firmware/dfu/iBEC.xxx.RELEASE.dfu <br />
29 | (3) Firmware/dfu/iBSS.xxx.RELEASE.dfu <br />
30 | (4) kernelcache.release.xxx <br />
31 | (5) Firmware/all\_flash/all\_flash.xxx.production/DeviceTree.xxx.img3 <br />**
32 | 3. Decrypt all the files using xpwntool <br />
33 | **./xpwntool \[devicetree/kernelcache\] \[out\_file\] -iv \[iv\] -k \[key\] -decrypt <br />
34 | ./xpwntool \[ramdisk/iBEC/iBSS\] \[out\_file\] -iv \[iv\] -k \[key\] <br />**
35 | 4. Patch iBSS and iBEC <br />
36 | **./iBoot32Patcher \[decrypted\_ibss\] \[patched\_file\] <br />
37 | ./iBoot32Patcher \[decrypted\_ibec\] \[patched\_file\] -b "rd=md0 -v amfi=0xff cs\_enforcement\_disable=1" <br />**
38 | 5. Resize and mount the ramdisk <br />
39 | **hdiutil resize -size 32M RestoreRamdisk.dmg <br />
40 | mkdir mp <br />
41 | ./mount.sh <br />**
42 | 6. Extract sshd to ramdisk <br />
43 | **tar -xvf ssh.tar -C mp <br />**
44 | *You can modify mp/etc/rc.boot for doing something when booting ramdisk.* <br />
45 | 7. Unmount the ramdisk, then make the img3 image of ramdisk.  <br />
46 | **./unmount.sh <br />
47 | ./packimg3.sh <br />**
48 | 8. Boot the ramdisk <br />
49 | *Let your device enter pwned DFU mode. <br />
50 | for iPhone, send kloader and patched iBSS to the root directory of your device. for iPad, send iBEC instead of iBSS. <br />
51 | ssh into your device and run: /kloader /\[Your ibss or ibec\]* <br />
52 | **\{ <br />
53 | ./image3maker -t ibec -f \[patched\_ibec\] -o pwnediBEC <br />
54 | ./irecovery -f pwnediBEC <br />
55 | } <br />**
56 | *Skip these command in* ***\{\}*** *if it is an iPad <br />*
57 | **./irecovery -s <br />
58 | On the shell, type: <br />
59 | /send \[devicetree\] <br />
60 | devicetree <br />
61 | /send \[ramdisk\] <br />
62 | ramdisk <br />
63 | /send \[kernelcache\] <br />
64 | bootx <br />**
65 | *Then your ramdisk will be successfully booted!*
66 | # NOTE
67 | ***ida_patcher and restored_external_verbose_patch.dif is made for booting in verbose mode. <br />
68 | If you don't want apple logo shown when booted, please patch mp/usr/local/bin/restored\_external using this command: <br />
69 | ./ida\_patcher -i restored\_external -p restored_external_verbose_patch.dif<br />***
70 | 


--------------------------------------------------------------------------------
/iBoot32Patcher:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cfw-project/ramdiskutil/5ae1db5da8f633529bebb4401d3b9a1ff83ef3e8/iBoot32Patcher


--------------------------------------------------------------------------------
/ida_patcher:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cfw-project/ramdiskutil/5ae1db5da8f633529bebb4401d3b9a1ff83ef3e8/ida_patcher


--------------------------------------------------------------------------------
/image3maker:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cfw-project/ramdiskutil/5ae1db5da8f633529bebb4401d3b9a1ff83ef3e8/image3maker


--------------------------------------------------------------------------------
/irecovery:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cfw-project/ramdiskutil/5ae1db5da8f633529bebb4401d3b9a1ff83ef3e8/irecovery


--------------------------------------------------------------------------------
/mount.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | echo "Start mounting"
3 | hdiutil attach RestoreRamdisk.dmg -mountpoint mp
4 | echo "DONE"
5 | 


--------------------------------------------------------------------------------
/packimg3.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | echo "packing img3"
3 | image3maker -t rdsk -f RestoreRamdisk.dmg -o ramdisk
4 | echo "DONE"
5 | 


--------------------------------------------------------------------------------
/pzb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cfw-project/ramdiskutil/5ae1db5da8f633529bebb4401d3b9a1ff83ef3e8/pzb


--------------------------------------------------------------------------------
/restored_external_verbose_patch.dif:
--------------------------------------------------------------------------------
 1 | This difference file has been created by IDA
 2 | 
 3 | restored_external
 4 | 000013B4: 0B 00
 5 | 000013B5: F0 BF
 6 | 000013B6: 1C 00
 7 | 000013B7: FC BF
 8 | 00009E80: BD F0
 9 | 00009E81: E8 BD
10 | 00009E82: F0 00
11 | 00009E83: 40 BF
12 | 


--------------------------------------------------------------------------------
/ssh.tar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cfw-project/ramdiskutil/5ae1db5da8f633529bebb4401d3b9a1ff83ef3e8/ssh.tar


--------------------------------------------------------------------------------
/unmount.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | echo "Start unmounting"
3 | hdiutil detach mp
4 | echo "DONE"
5 | 


--------------------------------------------------------------------------------
/xpwntool:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cfw-project/ramdiskutil/5ae1db5da8f633529bebb4401d3b9a1ff83ef3e8/xpwntool


--------------------------------------------------------------------------------