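#!/bin/sh
# Extract the kernelcache, iBSS, iBEC and DeviceTree from the iPhone3,1
# 7.1.2 (11D257) restore IPSW, decrypt them with xpwntool, run iBSS/iBEC
# through iboot_patcher, repack the patched iBEC with img3maker, and write
# the irecovery batch file (bootstrap.irs) that sends the results.
#
# Requires on PATH: unzip, xpwntool, iboot_patcher, img3maker, grep, sed.
# Requires in the current directory: the IPSW named below.
# All intermediate files are written to the current directory.

# Stop at the first failing tool instead of feeding its missing/partial
# output to the next step; -u catches typos in the variables used below.
# (pipefail is not available in every /bin/sh, and the only pipeline here
# is guarded by an explicit emptiness check.)
set -eu

ipsw=iPhone3,1_7.1.2_11D257_Restore.ipsw

[ -f "$ipsw" ] || { printf 'missing restore image: %s\n' "$ipsw" >&2; exit 1; }
for tool in unzip xpwntool iboot_patcher img3maker; do
  command -v "$tool" >/dev/null 2>&1 \
    || { printf 'required tool not on PATH: %s\n' "$tool" >&2; exit 1; }
done

# -j discards the archive paths so every member lands in the current directory
unzip -j "$ipsw" \
  kernelcache.release.n90 \
  Firmware/dfu/iBEC.n90ap.RELEASE.dfu \
  Firmware/dfu/iBSS.n90ap.RELEASE.dfu \
  Firmware/all_flash/all_flash.n90ap.production/DeviceTree.n90ap.img3

# Decrypt the DeviceTree (-decrypt: raw payload out)
xpwntool DeviceTree.n90ap.img3 DeviceTree.n90ap.img3.dec \
  -iv d2f224a2d7e04461ec12ac81f91d657a \
  -k b93c3a564dc36e184871e246fa8df725ecebafb38c042b6302b333c39e7d1787 \
  -decrypt

# Decrypt the kernel (-decrypt: raw payload out)
xpwntool kernelcache.release.n90 kernelcache.release.n90.dec \
  -iv a1aee41423e11a44135233dd345433ce \
  -k 9b05ef79c63c59e71f253219ffaa952f25f6810d3863aac2b49628e64f9f0869 \
  -decrypt

# Decrypt and patch iBSS.  Unlike the kernel/DeviceTree steps this one is
# run without -decrypt, as in the original script; presumably so the output
# stays a container that iboot_patcher accepts — verify against the tool docs.
xpwntool iBSS.n90ap.RELEASE.dfu iBSS.n90ap.RELEASE.dec \
  -iv a5854328e525031dc205d6e476a8b1bb \
  -k 23dda7990807b4225d589dc11099a4a8bd122089b93759d6356e9525f986584c
iboot_patcher iBSS.n90ap.RELEASE.dec iBSS.n90ap.RELEASE.pwn

# Decrypt, patch and repack iBEC (same no -decrypt convention as iBSS)
xpwntool iBEC.n90ap.RELEASE.dfu iBEC.n90ap.RELEASE.dec \
  -iv ca528426065da305c19476477a39ed18 \
  -k 3273904a1cfd111a20d6a53f2636902db1193dad5f0acf3837dd7c79fb3b795f
iboot_patcher iBEC.n90ap.RELEASE.dec iBEC.n90ap.RELEASE.pwn

# Reduce the boot-args string in the patched iBEC to just "-v".
# NOTE(review): the replacement is shorter than the match, so every byte
# after it moves up in the file — confirm this is intended rather than
# padding to the original length.  This is the GNU 'sed -i' form; BSD sed
# requires "-i ''".
sed -i 's|-v amfi=0xff cs_enforcement_disable=1 |-v |' iBEC.n90ap.RELEASE.pwn

# Version tag for img3maker, taken from the iBEC as shipped in the IPSW.
# -a makes grep scan the file even if it looks binary; only the first match
# is used (the original backtick form would have passed every match as a
# separate argument), and an empty result is an error rather than an empty -v.
ver=$(grep -ao 'iBoot-[0-9.]*' iBEC.n90ap.RELEASE.dfu | head -n 1)
[ -n "$ver" ] \
  || { printf 'no iBoot version string found in iBEC.n90ap.RELEASE.dfu\n' >&2; exit 1; }
img3maker -b 0 -y 8930 -s s5l8930x \
  -f iBEC.n90ap.RELEASE.pwn -o iBEC.n90ap.RELEASE.dfu.pwn \
  -t ibec -v "$ver"

# Batch file for irecovery.  Quoted delimiter: the body is written literally
# (it contains no expansions, so this only makes that explicit).
cat <<'EOF' > bootstrap.irs
/send DeviceTree.n90ap.img3.dec
devicetree
/send kernelcache.release.n90.dec
bootx
/exit
EOF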