├── PwnBootCLI
├── .vs
│ └── PwnBootCLI
│ │ └── v15
│ │ ├── .suo
│ │ └── Server
│ │ └── sqlite3
│ │ ├── db.lock
│ │ └── storage.ide
├── PwnBootCLI.sln
└── PwnBootCLI
│ ├── App.config
│ ├── Program.cs
│ ├── Properties
│ └── AssemblyInfo.cs
│ ├── PwnBootCLI.csproj
│ ├── bin
│ └── Debug
│ │ ├── PwnBootCLI.exe
│ │ ├── PwnBootCLI.exe.config
│ │ └── PwnBootCLI.pdb
│ ├── dl.bat
│ ├── jailbreak.bat
│ ├── obj
│ └── Debug
│ │ ├── DesignTimeResolveAssemblyReferencesInput.cache
│ │ ├── PwnBootCLI.csproj.CoreCompileInputs.cache
│ │ ├── PwnBootCLI.csproj.FileListAbsolute.txt
│ │ ├── PwnBootCLI.csprojAssemblyReference.cache
│ │ ├── PwnBootCLI.csprojResolveAssemblyReference.cache
│ │ ├── PwnBootCLI.exe
│ │ ├── PwnBootCLI.pdb
│ │ ├── TemporaryGeneratedFile_036C0B5B-1481-4323-8D20-8F5ADCB23D92.cs
│ │ ├── TemporaryGeneratedFile_5937a670-0e60-4077-877b-f7221da3dda1.cs
│ │ └── TemporaryGeneratedFile_E7A71F73-0F8D-4B9B-B56E-8E70B10BC5D3.cs
│ ├── prep.bat
│ ├── prep33.bat
│ └── prepverbose.bat
├── README.md
├── binaries
└── PwnBootCLI.exe
├── index.html
└── writeup.pdf
/PwnBootCLI/.vs/PwnBootCLI/v15/.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iBoot32/PwnBoot/5ba33335607e1081864345cb007d5f7fdf2ccd73/PwnBootCLI/.vs/PwnBootCLI/v15/.suo
--------------------------------------------------------------------------------
/PwnBootCLI/.vs/PwnBootCLI/v15/Server/sqlite3/db.lock:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iBoot32/PwnBoot/5ba33335607e1081864345cb007d5f7fdf2ccd73/PwnBootCLI/.vs/PwnBootCLI/v15/Server/sqlite3/db.lock
--------------------------------------------------------------------------------
/PwnBootCLI/.vs/PwnBootCLI/v15/Server/sqlite3/storage.ide:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iBoot32/PwnBoot/5ba33335607e1081864345cb007d5f7fdf2ccd73/PwnBootCLI/.vs/PwnBootCLI/v15/Server/sqlite3/storage.ide
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.27130.2036
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PwnBootCLI", "PwnBootCLI\PwnBootCLI.csproj", "{753F2D8E-1CA9-4912-96B7-781A7A144832}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {753F2D8E-1CA9-4912-96B7-781A7A144832}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {753F2D8E-1CA9-4912-96B7-781A7A144832}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {753F2D8E-1CA9-4912-96B7-781A7A144832}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {753F2D8E-1CA9-4912-96B7-781A7A144832}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {2FB19FC9-4CA0-4094-97DF-F499B300CFC0}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Diagnostics;
4 | using System.IO;
5 | using System.Linq;
6 | using System.Reflection;
7 | using System.Text;
8 | using System.Threading.Tasks;
9 |
10 | namespace PwnBootCLI
11 | {
12 | class Program
13 | {
14 | /*
15 | * PwnBoot by iBoot32
16 | *
17 | * A CLI tool to boot a SSH Ramdisk
18 | * from scratch, and subsequently barebones
19 | * jailbreak the device booted with a SSH
20 | * Ramdisk. This tool also supports booting
21 | * a SSH Ramdisk with iBEC patched for
22 | * verbose boot, and finally, it supportsdw
23 | * pwning dfu via irecovery.
24 | *
25 | * This tool may be used in any other program,
26 | * wrapper, or tool provided the proper credit
27 | * is given, meaning my name (iBoot32) and
28 | * a link to PwnBoot's project's GitHub is shown
29 | * in your readme or website or place of software
30 | * release.
31 | *
32 | * Enjoy!
33 | * - iBoot32
34 | */
35 |
36 | public static string[] validArgs = { "-p", "-b", "-vb", "-j" };
37 | static bool SetUp()
38 | {
39 | if (File.Exists("C:/PwnBoot/setup"))
40 | {
41 | return true;
42 | }
43 | else
44 | {
45 | return false;
46 | }
47 | }
48 |
49 |
50 | static void Main(string[] args)
51 | {
52 | Console.WriteLine("");
53 | Console.WriteLine(" PwnBoot CLI by u/iBoot32");
54 | Console.WriteLine(" -------------------------------");
55 | Console.WriteLine("");
56 |
57 | if (!SetUp())
58 | {
59 | Console.WriteLine("PwnBoot has not been set up yet... downloading required files...");
60 |
61 | //get batch file from resources
62 | Stream stream = Assembly.GetExecutingAssembly().GetManifestResourceStream("PwnBootCLI.dl.bat");
63 | string workdir = Directory.GetCurrentDirectory();
64 | if (File.Exists(workdir + "\\dl.bat"))
65 | {
66 | File.Delete("dl.bat");
67 | }
68 | FileStream fileStream = new FileStream("dl.bat", FileMode.CreateNew);
69 | for (int i = 0; i < stream.Length; i++)
70 | fileStream.WriteByte((byte)stream.ReadByte());
71 | fileStream.Close();
72 |
73 | var p = new Process();
74 | p.StartInfo = new ProcessStartInfo("dl.bat", "")
75 | {
76 | UseShellExecute = false
77 | };
78 |
79 | p.Start();
80 | p.WaitForExit();
81 | var exitCode = p.ExitCode;
82 | p.Close();
83 |
84 | if (exitCode != 0)
85 | {
86 | Console.WriteLine("error");
87 | File.Delete("dl.bat");
88 | }
89 | if (exitCode == 0)
90 | {
91 | File.Delete("dl.bat");
92 | Console.WriteLine("done setting up");
93 | File.Create("C:/PwnBoot/setup");
94 | }
95 |
96 | }
97 |
98 |
99 |
100 | if (args == null || args.Length == 0 || args[0] == "-help") //if no args provided or passed -help option, display help
101 | {
102 | Console.WriteLine("");
103 | Console.WriteLine(" Usage:");
104 | Console.WriteLine(" pwnboot.exe [device] [options]");
105 | Console.WriteLine("");
106 | Console.WriteLine("");
107 | Console.WriteLine(" Valid [device] entries");
108 | Console.WriteLine(" iPhone2,1");
109 | Console.WriteLine("");
110 | Console.WriteLine("");
111 | Console.WriteLine(" Options:");
112 | Console.WriteLine(" -p Just Pwn DFU");
113 | Console.WriteLine(" -b Boot SSH Ramdisk");
114 | Console.WriteLine(" -vb Boot SSH Ramdisk with Verbose Boot");
115 | Console.WriteLine(" -j Barebones Jailbreak over Booted SSH Ramdisk");
116 | Environment.Exit(1);
117 | }
118 | else
119 | {
120 | try
121 | {
122 | //First we're just gonna validate the passed args to make sure there aren't too many, the device is valid, and the mode arg is valid.
123 | if (args.Length > 2)
124 | {
125 | Console.WriteLine(" You provided too many args");
126 | }
127 |
128 | if (args[0] != "iPhone2,1")
129 | {
130 | Console.WriteLine(" Your selected device model, '" + args[0] + "' is not a valid device.");
131 | Environment.Exit(1);
132 | }
133 |
134 | if (!validArgs.Contains(args[1]))
135 | {
136 | Console.WriteLine(" Your selected option of '" + args[1] + "'is not a valid option.");
137 | Environment.Exit(1);
138 | }
139 | }
140 |
141 | catch (Exception)
142 | {
143 | Console.WriteLine(" The args you provided were incorrect.");
144 | Environment.Exit(1);
145 | }
146 |
147 | //Since args are validated, get the mode arg (args[1]) and jump to correct mode
148 |
149 | if (args[1] == "-p")
150 | {
151 | PwnDFU();
152 | }
153 |
154 | if (args[1] == "-b")
155 | {
156 | BootRamdisk();
157 | }
158 |
159 | if (args[1] == "-vb")
160 | {
161 | VerboseBootRamdisk();
162 | }
163 |
164 | if (args[1] == "-j")
165 | {
166 | JailbreakViaSSHRamdisk();
167 | }
168 | }
169 | }
170 |
171 | static void PwnDFU()
172 | {
173 | var p = new Process();
174 | p.StartInfo = new ProcessStartInfo("C:/PwnBoot/irec.exe", "-e")
175 | {
176 | UseShellExecute = false
177 | };
178 |
179 | p.Start();
180 | p.WaitForExit();
181 | }
182 |
183 | static void BootRamdisk()
184 | {
185 | Console.WriteLine("");
186 | Console.WriteLine("");
187 |
188 | //extract prep.bat from resources
189 | File.Delete("C:/PwnBoot/prep.bat");
190 |
191 | Program pro = new Program();
192 | string resource = "PwnBootCLI.prep.bat";
193 | string path = "C:/PwnBoot/prep.bat";
194 | Stream stream = pro.GetType().Assembly.GetManifestResourceStream(resource);
195 | byte[] bytes = new byte[(int)stream.Length];
196 | stream.Read(bytes, 0, bytes.Length);
197 | File.WriteAllBytes(path, bytes);
198 |
199 | var p = new Process();
200 | p.StartInfo = new ProcessStartInfo("cmd.exe", "/c cd C:/PwnBoot && prep.bat")
201 | {
202 | UseShellExecute = false
203 | };
204 |
205 | p.Start();
206 | p.WaitForExit();
207 | var exitCode = p.ExitCode;
208 | p.Close();
209 |
210 | Console.WriteLine("");
211 | Console.WriteLine("If successful, your device should now be showing an Apple Logo and a blank progress bar, indicating that the patched ramdisk has been booted and the ssh service is running.");
212 | Console.WriteLine("If not, please try PwnBoot again or file a bug report.");
213 | Console.WriteLine("");
214 | }
215 |
216 | static void VerboseBootRamdisk()
217 | {
218 | Console.WriteLine("");
219 | Console.WriteLine("");
220 |
221 | //extract prep.bat from resources
222 | File.Delete("C:/PwnBoot/prepverbose.bat");
223 |
224 | Program pro = new Program();
225 | string resource = "PwnBootCLI.prepverbose.bat";
226 | string path = "C:/PwnBoot/prepverbose.bat";
227 | Stream stream = pro.GetType().Assembly.GetManifestResourceStream(resource);
228 | byte[] bytes = new byte[(int)stream.Length];
229 | stream.Read(bytes, 0, bytes.Length);
230 | File.WriteAllBytes(path, bytes);
231 |
232 | var p = new Process();
233 | p.StartInfo = new ProcessStartInfo("cmd.exe", "/c cd C:/PwnBoot && prepverbose.bat")
234 | {
235 | UseShellExecute = false
236 | };
237 |
238 | p.Start();
239 | p.WaitForExit();
240 | var exitCode = p.ExitCode;
241 | p.Close();
242 |
243 | Console.WriteLine("");
244 | Console.WriteLine("If successful, your device should now be showing an Apple Logo and a blank progress bar, indicating that the patched ramdisk has been booted and the ssh service is running.");
245 | Console.WriteLine("If not, please try PwnBoot again or file a bug report.");
246 | Console.WriteLine("");
247 | }
248 |
249 | static void JailbreakViaSSHRamdisk()
250 | {
251 | Console.WriteLine("PwnBoot currently only supports booting a custom SSH ramdisk and forwarding the connection over USB for full filesystem access. Jailbreaking will come in a near update.");
252 | Console.WriteLine("");
253 | Console.WriteLine("Forwarding SSH Service Over USB");
254 | Console.WriteLine("");
255 | Console.WriteLine("Leave this window open until you're done with SSH. Close the window once you're done.");
256 | Console.WriteLine("");
257 | Console.WriteLine("");
258 | var p = new Process();
259 | p.StartInfo = new ProcessStartInfo("cmd.exe", "/c cd C:/PwnBoot && itunnel_mux --lport 2022")
260 | {
261 | UseShellExecute = false
262 | };
263 |
264 | p.Start();
265 | p.WaitForExit();
266 | var exitCode = p.ExitCode;
267 | p.Close();
268 | }
269 | }
270 |
271 | }
272 |
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("PwnBootCLI")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("PwnBootCLI")]
13 | [assembly: AssemblyCopyright("Copyright © 2019")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("753f2d8e-1ca9-4912-96b7-781a7a144832")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/PwnBootCLI.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {753F2D8E-1CA9-4912-96B7-781A7A144832}
8 | Exe
9 | PwnBootCLI
10 | PwnBootCLI
11 | v4.6.1
12 | 512
13 | true
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 |
25 |
26 | AnyCPU
27 | pdbonly
28 | true
29 | bin\Release\
30 | TRACE
31 | prompt
32 | 4
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/bin/Debug/PwnBootCLI.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iBoot32/PwnBoot/5ba33335607e1081864345cb007d5f7fdf2ccd73/PwnBootCLI/PwnBootCLI/bin/Debug/PwnBootCLI.exe
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/bin/Debug/PwnBootCLI.exe.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/bin/Debug/PwnBootCLI.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iBoot32/PwnBoot/5ba33335607e1081864345cb007d5f7fdf2ccd73/PwnBootCLI/PwnBootCLI/bin/Debug/PwnBootCLI.pdb
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/dl.bat:
--------------------------------------------------------------------------------
1 | @echo off
2 |
3 | echo.
4 | echo.
5 | echo Downloading wget
6 | mkdir "C:/PwnBoot"
7 | powershell.exe -Command (new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/iBoot32/JailbreakTool/master/wget.exe', 'C:/PwnBoot/wget.exe') 2> nul
8 | cd "C:/PwnBoot"
9 |
10 | echo Downloading 7z.exe
11 | wget.exe https://raw.githubusercontent.com/iBoot32/JailbreakTool/master/7z.exe 2> nul
12 |
13 | echo Downloading 7z.dll
14 | wget.exe https://raw.githubusercontent.com/iBoot32/JailbreakTool/master/7z.dll 2> nul
15 |
16 | echo Downloading Binaries
17 | wget.exe https://github.com/iBoot32/JailbreakTool/archive/master.zip 2> nul
18 |
19 | echo Unzipping binaries
20 | 7z.exe x master.zip > nul 2>&1
21 | cd JailbreakTool-master
22 | move * .. > nul 2>&1
23 | move otherfiles .. > nul 2>&1
24 | cd ..
25 | del master.zip
26 | del /f /s /q "JailbreakTool-master" 1>nul && rmdir /s /q "JailbreakTool-master"
27 | exit
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/jailbreak.bat:
--------------------------------------------------------------------------------
1 | @echo off
2 |
3 | echo Waiting 10 seconds for SSH Service to be forwarded over USB...
4 | timeout /t 10 /nobreak > NUL
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iBoot32/PwnBoot/5ba33335607e1081864345cb007d5f7fdf2ccd73/PwnBootCLI/PwnBootCLI/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/obj/Debug/PwnBootCLI.csproj.CoreCompileInputs.cache:
--------------------------------------------------------------------------------
1 | 9e4ca083d0bcc867cb810577ccc1ac35c95dbf7d
2 |
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/obj/Debug/PwnBootCLI.csproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
1 | C:\Users\yello\source\repos\PwnBootCLI\PwnBootCLI\bin\Debug\PwnBootCLI.exe.config
2 | C:\Users\yello\source\repos\PwnBootCLI\PwnBootCLI\bin\Debug\PwnBootCLI.exe
3 | C:\Users\yello\source\repos\PwnBootCLI\PwnBootCLI\bin\Debug\PwnBootCLI.pdb
4 | C:\Users\yello\source\repos\PwnBootCLI\PwnBootCLI\obj\Debug\PwnBootCLI.csprojResolveAssemblyReference.cache
5 | C:\Users\yello\source\repos\PwnBootCLI\PwnBootCLI\obj\Debug\PwnBootCLI.csproj.CoreCompileInputs.cache
6 | C:\Users\yello\source\repos\PwnBootCLI\PwnBootCLI\obj\Debug\PwnBootCLI.exe
7 | C:\Users\yello\source\repos\PwnBootCLI\PwnBootCLI\obj\Debug\PwnBootCLI.pdb
8 | C:\Users\Tom O'Donnell\source\repos\PwnBootCLI\PwnBootCLI\bin\Debug\PwnBootCLI.exe.config
9 | C:\Users\Tom O'Donnell\source\repos\PwnBootCLI\PwnBootCLI\bin\Debug\PwnBootCLI.exe
10 | C:\Users\Tom O'Donnell\source\repos\PwnBootCLI\PwnBootCLI\bin\Debug\PwnBootCLI.pdb
11 | C:\Users\Tom O'Donnell\source\repos\PwnBootCLI\PwnBootCLI\obj\Debug\PwnBootCLI.csproj.CoreCompileInputs.cache
12 | C:\Users\Tom O'Donnell\source\repos\PwnBootCLI\PwnBootCLI\obj\Debug\PwnBootCLI.exe
13 | C:\Users\Tom O'Donnell\source\repos\PwnBootCLI\PwnBootCLI\obj\Debug\PwnBootCLI.pdb
14 | C:\Users\Tom O'Donnell\Desktop\PwnBootGit\PwnBootCLI\PwnBootCLI\bin\Debug\PwnBootCLI.exe.config
15 | C:\Users\Tom O'Donnell\Desktop\PwnBootGit\PwnBootCLI\PwnBootCLI\bin\Debug\PwnBootCLI.exe
16 | C:\Users\Tom O'Donnell\Desktop\PwnBootGit\PwnBootCLI\PwnBootCLI\bin\Debug\PwnBootCLI.pdb
17 | C:\Users\Tom O'Donnell\Desktop\PwnBootGit\PwnBootCLI\PwnBootCLI\obj\Debug\PwnBootCLI.csprojAssemblyReference.cache
18 | C:\Users\Tom O'Donnell\Desktop\PwnBootGit\PwnBootCLI\PwnBootCLI\obj\Debug\PwnBootCLI.csproj.CoreCompileInputs.cache
19 | C:\Users\Tom O'Donnell\Desktop\PwnBootGit\PwnBootCLI\PwnBootCLI\obj\Debug\PwnBootCLI.exe
20 | C:\Users\Tom O'Donnell\Desktop\PwnBootGit\PwnBootCLI\PwnBootCLI\obj\Debug\PwnBootCLI.pdb
21 |
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/obj/Debug/PwnBootCLI.csprojAssemblyReference.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iBoot32/PwnBoot/5ba33335607e1081864345cb007d5f7fdf2ccd73/PwnBootCLI/PwnBootCLI/obj/Debug/PwnBootCLI.csprojAssemblyReference.cache
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/obj/Debug/PwnBootCLI.csprojResolveAssemblyReference.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iBoot32/PwnBoot/5ba33335607e1081864345cb007d5f7fdf2ccd73/PwnBootCLI/PwnBootCLI/obj/Debug/PwnBootCLI.csprojResolveAssemblyReference.cache
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/obj/Debug/PwnBootCLI.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iBoot32/PwnBoot/5ba33335607e1081864345cb007d5f7fdf2ccd73/PwnBootCLI/PwnBootCLI/obj/Debug/PwnBootCLI.exe
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/obj/Debug/PwnBootCLI.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iBoot32/PwnBoot/5ba33335607e1081864345cb007d5f7fdf2ccd73/PwnBootCLI/PwnBootCLI/obj/Debug/PwnBootCLI.pdb
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/obj/Debug/TemporaryGeneratedFile_036C0B5B-1481-4323-8D20-8F5ADCB23D92.cs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iBoot32/PwnBoot/5ba33335607e1081864345cb007d5f7fdf2ccd73/PwnBootCLI/PwnBootCLI/obj/Debug/TemporaryGeneratedFile_036C0B5B-1481-4323-8D20-8F5ADCB23D92.cs
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/obj/Debug/TemporaryGeneratedFile_5937a670-0e60-4077-877b-f7221da3dda1.cs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iBoot32/PwnBoot/5ba33335607e1081864345cb007d5f7fdf2ccd73/PwnBootCLI/PwnBootCLI/obj/Debug/TemporaryGeneratedFile_5937a670-0e60-4077-877b-f7221da3dda1.cs
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/obj/Debug/TemporaryGeneratedFile_E7A71F73-0F8D-4B9B-B56E-8E70B10BC5D3.cs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iBoot32/PwnBoot/5ba33335607e1081864345cb007d5f7fdf2ccd73/PwnBootCLI/PwnBootCLI/obj/Debug/TemporaryGeneratedFile_E7A71F73-0F8D-4B9B-B56E-8E70B10BC5D3.cs
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/prep.bat:
--------------------------------------------------------------------------------
1 | @echo off
2 |
3 |
4 | echo Downloading iBSS, iBEC, DeviceTree, and Kernelcache. (This could take a while)
5 | echo.
6 | partialzip "http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw" "Firmware/dfu/iBEC.n88ap.RELEASE.dfu" "ibec.dfu"
7 | partialzip "http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw" "Firmware/dfu/iBSS.n88ap.RELEASE.dfu" "ibss.dfu"
8 | partialzip "http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw" "kernelcache.release.n88" "kern.n88"
9 | partialzip "http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw" "Firmware/all_flash/all_flash.n88ap.production/DeviceTree.n88ap.img3" "devicetree.img3"
10 | partialzip "http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw" "038-4349-020.dmg" "ramdisk.dmg"
11 |
12 | ::
13 | ::First we patch all the components (except devicetree) using ssh_rd's patches, and for the ramdisk untar ssh_rd's ssh.tar
14 | ::
15 |
16 | ::Ramdisk
17 | echo.
18 | echo Preparing Ramdisk...
19 | xpwntool ramdisk.dmg ramdisk.dmg.dec -iv 26ec90f47073acaa0826c55bdeddf4bb -k 7af575ca159ba58b852dfe1c6f30c68220a7a94be47ef319ce4f46ba568b7a81 >nul 2>&1
20 | hfsplus ramdisk.dmg.dec grow 45000000 >nul 2>&1
21 | hfsplus ramdisk.dmg.dec untar ssh.tar "/" >nul 2>&1
22 | move ramdisk.dmg ramdisk.dmg.orig >nul 2>&1
23 | xpwntool ramdisk.dmg.dec ramdisk.dmg -t ramdisk.dmg.orig -k 7af575ca159ba58b852dfe1c6f30c68220a7a94be47ef319ce4f46ba568b7a81 -iv 26ec90f47073acaa0826c55bdeddf4bb >nul 2>&1
24 |
25 | ::iBSS
26 | echo Preparing iBSS...
27 | xpwntool ibss.dfu ibss.dfu.dec -iv 0cbb6ea94192ba4c4f215d3f503279f6 -k 36782ee3df23e999ffa955a0f0e0872aa519918a256a67799973b067d1b4f5e0 >nul 2>&1
28 | fuzzy_patcher --patch --orig ibss.dfu.dec --patched ibss.dfu.dec.p --delta ibss.patch >nul 2>&1
29 | move ibss.dfu ibss.dfu.orig >nul 2>&1
30 | xpwntool ibss.dfu.dec.p ibss.dfu -t ibss.dfu.orig -iv 0cbb6ea94192ba4c4f215d3f503279f6 -k 36782ee3df23e999ffa955a0f0e0872aa519918a256a67799973b067d1b4f5e0 >nul 2>&1
31 |
32 | ::iBEC
33 | echo Preparing iBEC...
34 | xpwntool ibec.dfu ibec.dfu.dec -iv 1fe15472e85b169cd226ce18fe6de524 -k 677be330d799ffafad651b3edcb34eb787c2d6c56c07e6bb60a753eb127ffa75 >nul 2>&1
35 | fuzzy_patcher --patch --orig ibec.dfu.dec --patched ibec.dfu.dec.p --delta ibec.patch >nul 2>&1
36 | move ibec.dfu ibec.dfu.orig >nul 2>&1
37 | xpwntool ibec.dfu.dec.p ibec.dfu -t ibec.dfu.orig -iv 1fe15472e85b169cd226ce18fe6de524 -k 677be330d799ffafad651b3edcb34eb787c2d6c56c07e6bb60a753eb127ffa75 >nul 2>&1
38 |
39 | ::Kernelcache
40 | echo Preparing Kernelcache...
41 | xpwntool kern.n88 kern.n88.dec -iv 0dc795a64cb411c21033f97bceb96546 -k 0cc1dcb2c811c037d6647225ec48f5f19e14f2068122e8c03255ffe1da25dec3 >nul 2>&1
42 | fuzzy_patcher --patch --orig kern.n88.dec --patched kern.n88.dec.p --delta kern.n88.patch >nul 2>&1
43 | move kern.n88 kern.n88.orig >nul 2>&1
44 | xpwntool kern.n88.dec.p kern.n88 -t kern.n88.orig -iv 0dc795a64cb411c21033f97bceb96546 -k 0cc1dcb2c811c037d6647225ec48f5f19e14f2068122e8c03255ffe1da25dec3 >nul 2>&1
45 | echo.
46 |
47 | echo Connect your iPhone2,1 in DFU mode to continue
48 | echo.
49 | ufd.exe
50 | timeout /t 5 /nobreak > NUL
51 |
52 | echo.
53 | echo Exploiting with limera1n
54 | irec -e
55 | timeout /t 5 /nobreak > NUL
56 | echo.
57 | echo Sending iBSS
58 | irecovery -f "ibss.dfu"
59 | timeout /t 5 /nobreak > NUL
60 | echo Sending iBEC
61 | irecovery -f "ibec.dfu"
62 | timeout /t 5 /nobreak > NUL
63 | rdetector.exe
64 | timeout /t 5 /nobreak > NUL
65 | echo Sending DeviceTree
66 | irecovery -f "devicetree.img3"
67 | irecovery -c devicetree
68 | timeout /t 5 /nobreak > NUL
69 | echo Sending Ramdisk
70 | irecovery -f "ramdisk.dmg"
71 | timeout /t 5 /nobreak > NUL
72 | irecovery -c ramdisk 0x90000000
73 | timeout /t 5 /nobreak > NUL
74 | echo Sending Kernelcache
75 | irecovery -f "kern.n88
76 | timeout /t 5 /nobreak > NUL
77 | echo Booting kernelcache
78 | irecovery -c bootx
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/prep33.bat:
--------------------------------------------------------------------------------
1 | @echo off
2 |
3 |
4 | echo Downloading iBSS, iBEC, DeviceTree, and Kernelcache. (This could take a while)
5 | echo.
6 | partialzip "http://appldnld.apple.com/iOS7/031-1864.20131114.P3wE4/iPhone3,3_7.0.4_11B554a_Restore.ipsw" "Firmware/dfu/iBSS.n92ap.RELEASE.dfu" ibss.dfu
7 | partialzip "http://appldnld.apple.com/iOS7/031-1864.20131114.P3wE4/iPhone3,3_7.0.4_11B554a_Restore.ipsw" "Firmware/dfu/iBEC.n92ap.RELEASE.dfu" ibec.dfu
8 | partialzip "http://appldnld.apple.com/iOS7/031-1864.20131114.P3wE4/iPhone3,3_7.0.4_11B554a_Restore.ipsw" "Firmware/all_flash/all_flash.n92ap.production/DeviceTree.n92ap.img3" devicetree.img3
9 | partialzip "http://appldnld.apple.com/iOS7/031-1864.20131114.P3wE4/iPhone3,3_7.0.4_11B554a_Restore.ipsw" "kernelcache.release.n92" kern.n92
10 | partialzip "http://appldnld.apple.com/iOS7/031-1864.20131114.P3wE4/iPhone3,3_7.0.4_11B554a_Restore.ipsw" "058-1056-002.dmg" ramdisk.dmg
11 |
12 | ::
13 | ::First we patch all the components (except devicetree) using ssh_rd's patches, and for the ramdisk untar ssh_rd's ssh.tar
14 | ::
15 |
16 | ::Ramdisk
17 | xpwntool "ramdisk.dmg" "decramdisk.dmg" -iv 5d018cef7bd97e01d3f461c41a9ded19 -k 9638e18a42cbe483bd8e6794c18807141923e53c61cf5a2ae3f1238ae3e2723d
18 | hfsplus "decramdisk.dmg" grow 45000000
19 | hfsplus "decramdisk.dmg" untar "ssh.tar" "/"
20 | xpwntool "decramdisk.dmg" "encramdisk.dmg" -t "ramdisk.dmg" -iv 5d018cef7bd97e01d3f461c41a9ded19 -k 9638e18a42cbe483bd8e6794c18807141923e53c61cf5a2ae3f1238ae3e2723d
21 |
22 | ::iBSS
23 | xpwntool ibss.dfu ibss.dfu.dec -iv 6fb11b195173e9cb5326df526098be97 -k 6c9942847b842a6cb169e42f1e9405ff86a6d9aa522708ef7087b28ee71b223f
24 | fuzzy_patcher --patch --orig ibss.dfu.dec --patched ibss.dfu.dec.p --delta ibss.ssh.patch
25 | move ibss.dfu ibss.dfu.orig
26 | xpwntool ibss.dfu.dec.p ibss.dfu -t ibss.dfu.orig -iv 6fb11b195173e9cb5326df526098be97 -k 6c9942847b842a6cb169e42f1e9405ff86a6d9aa522708ef7087b28ee71b223f
27 |
28 | ::iBEC
29 | xpwntool ibec.dfu ibec.dfu.dec -iv a97a1bb44a7b1b0d3d66693b31b331ec -k a96a1e4bcfff0652a09524c2827362b3979ffc5eb0e17f17cc8dffc0488c0c94
30 | fuzzy_patcher --patch --orig ibec.dfu.dec --patched ibec.dfu.dec.p --delta ibec.ssh.patch
31 | move ibec.dfu ibec.dfu.orig
32 | xpwntool ibec.dfu.dec.p ibec.dfu -t ibec.dfu.orig -iv a97a1bb44a7b1b0d3d66693b31b331ec -k a96a1e4bcfff0652a09524c2827362b3979ffc5eb0e17f17cc8dffc0488c0c94
33 |
34 | ::Kernelcache
35 | xpwntool kern.n92 kern.n92.dec -iv ba71ffa1cf3d22a39ca6d5161bb315c7 -k f4a4bca780761ccb3424a3a206d243f17498d5a3fdd990a1861da9f1acf75ef8
36 | fuzzy_patcher --patch --orig kern.n92.dec --patched kern.n92.dec.p --delta kern.ssh.patch
37 | move kern.n92 kern.n92.orig
38 | xpwntool kern.n92.dec.p kern.n92 -t kern.n92.orig -iv ba71ffa1cf3d22a39ca6d5161bb315c7 -k f4a4bca780761ccb3424a3a206d243f17498d5a3fdd990a1861da9f1acf75ef8
39 |
40 | echo Connect your iPhone3,3 in DFU mode to continue
41 | echo.
42 | ufd.exe
43 | timeout /t 5 /nobreak > NUL
44 |
45 | echo Exploiting with limera1n
46 | irec -e
47 | timeout /t 5 /nobreak > NUL
48 | irecovery -f "ibss.dfu"
49 | timeout /t 5 /nobreak > NUL
50 | irecovery -f "ibec.dfu"
51 | timeout /t 5 /nobreak > NUL
52 | rdetector.exe
53 | timeout /t 5 /nobreak > NUL
54 | irecovery -f "devicetree.img3"
55 | irecovery -c devicetree
56 | timeout /t 5 /nobreak > NUL
57 | irecovery -f "encramdisk.dmg"
58 | irecovery -c ramdisk 0x90000000
59 | timeout /t 5 /nobreak > NUL
60 | irecovery -f "kern.n92"
61 | timeout /t 5 /nobreak > NUL
62 | irecovery -c bootx
--------------------------------------------------------------------------------
/PwnBootCLI/PwnBootCLI/prepverbose.bat:
--------------------------------------------------------------------------------
1 | @echo off
2 |
3 |
4 | echo Downloading iBSS, iBEC, DeviceTree, and Kernelcache. (This could take a while)
5 | echo.
6 | partialzip "http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw" "Firmware/dfu/iBEC.n88ap.RELEASE.dfu" "ibec.dfu"
7 | partialzip "http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw" "Firmware/dfu/iBSS.n88ap.RELEASE.dfu" "ibss.dfu"
8 | partialzip "http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw" "kernelcache.release.n88" "kern.n88"
9 | partialzip "http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw" "Firmware/all_flash/all_flash.n88ap.production/DeviceTree.n88ap.img3" "devicetree.img3"
10 | partialzip "http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw" "038-4349-020.dmg" "ramdisk.dmg"
11 |
12 | ::
13 | ::First we patch all the components (except devicetree) using ssh_rd's patches, and for the ramdisk untar ssh_rd's ssh.tar
14 | ::
15 |
16 | ::Ramdisk
17 | echo.
18 | echo Preparing Ramdisk...
19 | xpwntool ramdisk.dmg ramdisk.dmg.dec -iv 26ec90f47073acaa0826c55bdeddf4bb -k 7af575ca159ba58b852dfe1c6f30c68220a7a94be47ef319ce4f46ba568b7a81 >nul 2>&1
20 | hfsplus ramdisk.dmg.dec grow 45000000 >nul 2>&1
21 | hfsplus ramdisk.dmg.dec untar ssh.tar "/" >nul 2>&1
22 | move ramdisk.dmg ramdisk.dmg.orig >nul 2>&1
23 | xpwntool ramdisk.dmg.dec ramdisk.dmg -t ramdisk.dmg.orig -k 7af575ca159ba58b852dfe1c6f30c68220a7a94be47ef319ce4f46ba568b7a81 -iv 26ec90f47073acaa0826c55bdeddf4bb >nul 2>&1
24 |
25 | ::iBSS
26 | echo Preparing iBSS...
27 | xpwntool ibss.dfu ibss.dfu.dec -iv 0cbb6ea94192ba4c4f215d3f503279f6 -k 36782ee3df23e999ffa955a0f0e0872aa519918a256a67799973b067d1b4f5e0 >nul 2>&1
28 | fuzzy_patcher --patch --orig ibss.dfu.dec --patched ibss.dfu.dec.p --delta ibss.patch >nul 2>&1
29 | move ibss.dfu ibss.dfu.orig >nul 2>&1
30 | xpwntool ibss.dfu.dec.p ibss.dfu -t ibss.dfu.orig -iv 0cbb6ea94192ba4c4f215d3f503279f6 -k 36782ee3df23e999ffa955a0f0e0872aa519918a256a67799973b067d1b4f5e0 >nul 2>&1
31 |
32 | ::iBEC
33 | echo Preparing iBEC
34 | xpwntool ibec.dfu ibec.dfu.dec -iv 1fe15472e85b169cd226ce18fe6de524 -k 677be330d799ffafad651b3edcb34eb787c2d6c56c07e6bb60a753eb127ffa75 >nul 2>&1
35 | fuzzy_patcher --patch --orig ibec.dfu.dec --patched ibec.dfu.dec.p --delta ibec.verbose.patch >nul 2>&1
36 | move ibec.dfu ibec.dfu.orig >nul 2>&1
37 | xpwntool ibec.dfu.dec.p ibec.dfu -t ibec.dfu.orig -iv 1fe15472e85b169cd226ce18fe6de524 -k 677be330d799ffafad651b3edcb34eb787c2d6c56c07e6bb60a753eb127ffa75 >nul 2>&1
38 |
39 | ::Kernelcache
40 | echo Preparing Kernelcache
41 | xpwntool kern.n88 kern.n88.dec -iv 0dc795a64cb411c21033f97bceb96546 -k 0cc1dcb2c811c037d6647225ec48f5f19e14f2068122e8c03255ffe1da25dec3 >nul 2>&1
42 | fuzzy_patcher --patch --orig kern.n88.dec --patched kern.n88.dec.p --delta kern.n88.patch >nul 2>&1
43 | move kern.n88 kern.n88.orig >nul 2>&1
44 | xpwntool kern.n88.dec.p kern.n88 -t kern.n88.orig -iv 0dc795a64cb411c21033f97bceb96546 -k 0cc1dcb2c811c037d6647225ec48f5f19e14f2068122e8c03255ffe1da25dec3 >nul 2>&1
45 | echo.
46 |
47 | echo Connect your iPhone2,1 in DFU mode to continue
48 | echo.
49 | ufd.exe
50 | timeout /t 5 /nobreak > NUL
51 |
52 | echo.
53 | echo Exploiting with limera1n
54 | irec -e
55 | timeout /t 5 /nobreak > NUL
56 | echo.
57 | echo Sending iBSS
58 | irecovery -f "ibss.dfu"
59 | timeout /t 5 /nobreak > NUL
60 | echo Sending iBEC
61 | irecovery -f "ibec.dfu"
62 | timeout /t 5 /nobreak > NUL
63 | rdetector.exe
64 | timeout /t 5 /nobreak > NUL
65 | echo Sending DeviceTree
66 | irecovery -f "devicetree.img3"
67 | irecovery -c devicetree
68 | timeout /t 5 /nobreak > NUL
69 | echo Sending Ramdisk
70 | irecovery -f "ramdisk.dmg"
71 | irecovery -c ramdisk 0x90000000
72 | timeout /t 5 /nobreak > NUL
73 | echo Sending Kernelcache
74 | irecovery -f "kern.n88
75 | timeout /t 5 /nobreak > NUL
76 | echo Booting kernelcache
77 | irecovery -c bootx
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # PwnBoot
2 | An Open-Source Work-In-Progress iOS 6 Jailbreak Using a Custom Ramdisk
3 |
4 | ***
5 |
6 | # What this Tool Can Do
7 |
8 | This tool allows you to Verbose Boot a SSH Ramdisk, and hence get full RootFS access on your device. From here you can modify the RootFS in any way you please.
9 |
10 |
11 |
12 | # How To Use
13 |
14 | 1. Set up a Window 7 Virtual Machine (this is a requirement)
15 | 2. Download the latest release of PwnBoot (www.pwnboot.tk) to your Windows 7 VM
16 | 3. Connect your iPhone2,1 to your VM in DFU mode
17 | 4. Run `PwnBootCLI` to see a list of uses of PwnBoot
18 |
19 | # Common Uses
20 |
21 | 1. Booting a Custom SSH Ramdisk on your iPhone2,1 (`PwnBootCLI iPhone2,1 -b`)
22 | 2. VERBOSE BOOTING a Custom SSH Ramdisk on your iPhone2,1 (`PwnBootCLI iPhone2,1 -vb`)
23 | 3. Forwarding the resulting SSH connection over USB (`PwnBootCLI iPhone2,1 -j`) (This must be run AFTER booting the SSH Ramdisk using one of the above commands)
24 |
25 | # How to Boot a Custom SSH Ramdisk and get full filesystem access on your iPhone2,1
26 |
27 | 1. `PwnBootCLI iPhone2,1 -vb`
28 | 2. `PwnBootCLI iPhone2,1 -j`
29 | 3. `C:/PwnBoot/itunnel_mux --lport 2022`
30 | 4. SSH into the device **in a new CMD window** (root@127.0.0.1 over port 2022 with password `alpine`). Don't close itunnel_mux window until you're done.
31 | 5. Over SSH run `mount.sh` and you will now be able to access the full root filesystem of your device
32 |
33 | # Future Plans for this tool
34 |
35 | - Support **FULLY JAILBREAKING YOUR DEVICE** (Cydia, etc.) (Just requires more kernel patches by me)
36 | - Support more devices (iPhone 4 tethered, iPhone 3G untethered, etc.)
37 | - Add custom bootlogos
38 | - Utilize the `launchd.conf` untether bug for some cool stuff :)
39 |
--------------------------------------------------------------------------------
/binaries/PwnBootCLI.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iBoot32/PwnBoot/5ba33335607e1081864345cb007d5f7fdf2ccd73/binaries/PwnBootCLI.exe
--------------------------------------------------------------------------------
/index.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | PwnBoot
6 |
7 |
8 |
9 |
10 |
11 |
28 |
29 |
30 |
31 | PwnBoot
32 |
33 |
34 | A work-in-progress jailbreak for limera1n devices on any iOS version (and potentially all checkm8 devices)!
35 | Currently only supports the iPhone 3GS, however support for more devices is coming soon :)
36 |
37 |
38 |
39 |
40 |
41 | Features
42 |
43 | Verbose boots a custom SSH Ramdisk
44 | Achieves a root shell over SSH
45 | Verbose Boots and grants a root shell
46 | Grants full access to the root filesystem over SSH
47 | Allows you to recover any data from a locked 3GS
48 | Pwn DFU on any Limera1n device (not only iPhone2,1)
49 | Manually barebones jailbreak (fstab and Services.plist patch)
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 | Credits
68 |
69 | iBoot32 for creating PwnBoot
70 | westbaer for irecovery
71 | geohot for limera1n
72 | planetbeing for xpwn
73 | The team behind "puTTY" for plink
74 |
75 |
76 |
77 |
78 |
83 |
84 |
85 |
86 |
87 |
--------------------------------------------------------------------------------
/writeup.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iBoot32/PwnBoot/5ba33335607e1081864345cb007d5f7fdf2ccd73/writeup.pdf
--------------------------------------------------------------------------------