Making ramdisks for iOS 8.0 – 16.3.1 on 64-bit checkm8 devices
A guide for manually creating ramdisks for iOS 8.0 – 16.3.1 on 64-bit checkm8 devices
Note:
When you see angle brackets (< >), they indicate placeholders. Do not include the brackets in your input. For example, <enter> means press the Enter key, and <default value - 4> means input the default value minus 4.
Credits
- verygenericname for SSHRD_Script which this guide used some commands from, and also for sshtars
- iArchive for iram.tar which some binaries were taken from
- mcg29 and Ralph0045 for dualbootfun which this guide used some commands from
Note:
For the rest of the credits, see Prerequisites
Prerequisites
- A macOS device (You can do this on Linux using hfsplus from xpwn, but this guide focuses on macOS.)
- An iPSW for your target ramdisk version (Get these from The Apple Wiki. For targets 11.4.2 or below, you will also need an iOS 12.0 iPSW for your device.)
- Firmware keys and file names for your target ramdisk version (Obtain these from The Apple Wiki. If file names aren’t provided, check the BuildManifest.plist in the iPSW or refer to The iPhone Wiki.)
- A tool to put your device in pwned-DFU mode (Recommended: gaster or ipwnder_lite.)
- Python 3.6 or above
- zstd by Meta
- img4lib by xerub
- img4tool by tihmstar
- tsschecker by tihmstar
- libirecovery by libimobiledevice
- kairos by dayt0n
- KPlooshFinder by plooshi and palera1n
- kerneldiff by mcg29
- ssh.tar.zst by verygenericname (Modified by me to add a few HFS+ tools.)
Preparations
- Get device info:
Run the following with your device connected in DFU or recovery mode:
irecovery -q
- Fetch SHSH blobs:
tsschecker -d <PRODUCT> -l -e <ECID> -B <MODEL> -l -s
- Convert blob to IM4M:
img4tool -e -s *.shsh2 -m IM4M
Patching Bootchain
- Decrypt iBSS and iBEC from the target iPSW:
img4 -i <iBSS> -o iBSS.dec -k <ivkey>
img4 -i <iBEC> -o iBEC.dec -k <ivkey>
- Patch with kairos:
kairos iBSS.dec iBSS.patched
kairos iBEC.dec iBEC.patched -b "rd=md0 debug=0x2014e -v wdt=-1"
Note:
If your device CPID is 0x8960, 0x7000, or 0x7001, add nand-enable-reformat=1 -restore to the iBEC boot args.
For iOS 9 and below, also add amfi=0xff cs_enforcement_disable=1.
- Pack the patched images:
img4 -i iBSS.patched -o iBSS.img4 -M IM4M -A -T ibss
img4 -i iBEC.patched -o iBEC.img4 -M IM4M -A -T ibec
Decrypting & Patching Components
Kernelcache
For iOS 10 and up
- Decrypt the kernelcache:
img4 -i <kernelcache> -o kcache.raw
- Patch the kernelcache:
KPlooshFinder kcache.raw kcache.patched
python kerneldiff.py kcache.raw kcache.patched
img4 -i <kernelcache> -o kernelcache.img4 -M IM4M -T rkrn -P kc.bpatch
For iOS 9 and below
For iOS 9 and below, skip the patching step and instead use:
img4 -i <kernelcache> -o kernelcache.im4p -k <ivkey> -D
img4 -i kernelcache.im4p -o kernelcache.img4 -M IM4M -T rkrn
DeviceTree
For iOS 10 and up
- Decrypt the devicetree:
img4 -i <devicetree> -o devicetree.img4 -M IM4M -T rdtr
For iOS 9 and below
- Decrypt using the IV key:
img4 -i <devicetree> -o dtree.raw -k <ivkey>
img4 -i dtree.raw -o devicetree.img4 -A -M IM4M -T rdtr
Restore Ramdisk
For iOS 10 and up
- Decrypt the restore ramdisk:
img4 -i <restore_ramdisk> -o ramdisk.dmg
For iOS 9 and below
- Decrypt using the IV key:
img4 -i <restore_ramdisk> -o ramdisk.dmg -k <ivkey>
Trustcache (iOS 12.0+ ramdisks only)
- Decrypt the trustcache:
img4 -i <restore_ramdisk_trustcache> -o trustcache.img4 -M IM4M -T rtsc
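The CPID rule in the bootchain note and the iOS 9 / iOS 10+ / 11.4.2 / 12.0+ branches of the component sections, gathered into one added Python example (not code from this guide or from any of the credited tools). The `irecovery -q` sample is constructed, and the `KEY: value` layout it assumes for that tool's output is an assumption; the CPIDs and boot-arg strings are the ones the guide states.

```python
from typing import Dict, Tuple

NAND_REFORMAT_CPIDS = {0x8960, 0x7000, 0x7001}  # CPIDs named in the guide's note

def parse_irecovery_query(text: str) -> Dict[str, str]:
    """Parse `KEY: value` lines (assumed `irecovery -q` layout) into a dict."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip().upper()] = value.strip()
    return info

def parse_version(version: str) -> Tuple[int, int, int]:
    """'11.4.2' -> (11, 4, 2); padded so '12' and '12.0' compare equal."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]

def iboot_boot_args(cpid: int, target: str) -> str:
    """Boot args for the patched iBEC (kairos -b), following the guide's rules."""
    args = ["rd=md0", "debug=0x2014e", "-v", "wdt=-1"]
    if cpid in NAND_REFORMAT_CPIDS:
        args += ["nand-enable-reformat=1", "-restore"]
    if parse_version(target) < (10, 0, 0):  # iOS 9 and below
        args += ["amfi=0xff", "cs_enforcement_disable=1"]
    return " ".join(args)

def ramdisk_plan(target: str) -> Dict[str, bool]:
    """Which version-dependent branches of the guide apply to a target version."""
    v = parse_version(target)
    return {
        "decrypt_with_ivkey": v < (10, 0, 0),   # kernelcache/devicetree/ramdisk need -k <ivkey>
        "patch_kernelcache": v >= (10, 0, 0),   # KPlooshFinder + kerneldiff route
        "copy_ios12_dylibs": v <= (11, 4, 2),   # needs the iOS 12.0 restore ramdisk
        "send_trustcache": v >= (12, 0, 0),     # trustcache.img4 goes before the kernelcache
    }

# Constructed sample of `irecovery -q` output (made-up values, not a real device).
SAMPLE_QUERY = """\
CPID: 0x7000
ECID: 0x000000000000CAFE
MODEL: n61ap
PRODUCT: iPhone7,2
"""

if __name__ == "__main__":
    info = parse_irecovery_query(SAMPLE_QUERY)
    cpid = int(info["CPID"], 16)
    print(iboot_boot_args(cpid, "9.3.3"), ramdisk_plan("9.3.3"))
```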
Making the Ramdisk
Extract the SSH ramdisk tar to the restore ramdisk:
- Resize the disk image:
hdiutil resize -size 210MB ramdisk.dmg
- Attach the ramdisk:
hdiutil attach ramdisk.dmg -mountpoint /tmp/rd
sudo diskutil enableOwnership /tmp/rd
- Extract the tarball:
sudo tar --zstd -xvf ssh.tar.zst -C /tmp/rd
Additional step for targets 11.4.2 or below
If your target ramdisk version is 11.4.2 or below, copy some dylibs from an iOS 12.0 restore ramdisk (run this after the SSH tar has been extracted):
- Decrypt the 12.0 restore ramdisk:
img4 -i <12_restore_ramdisk> -o ramdisk12.dmg
- Mount the 12.0 restore ramdisk and copy libraries:
hdiutil attach ramdisk12.dmg -mountpoint /tmp/rd12
sudo diskutil enableOwnership /tmp/rd12
sudo cp -a /tmp/rd12/usr/lib/libiconv.2.dylib /tmp/rd12/usr/lib/libcharset.1.dylib /tmp/rd/usr/lib
- Detach any mounted ramdisks:
hdiutil detach /tmp/rd12
hdiutil detach /tmp/rd
If you did not perform the additional step, be sure to detach the primary ramdisk after extraction:
hdiutil detach /tmp/rd
Optimize the ramdisk image size:
Before packing the ramdisk into img4, use hdiutil resize -limits to determine the minimal size needed and then resize the image accordingly. For example:
hdiutil resize -limits ramdisk.dmg
Review the output to find the minimum size required, and then run:
hdiutil resize -size <MINIMUM_SIZE> ramdisk.dmg
Replace <MINIMUM_SIZE> with the smallest size value provided in the limits output.
Pack the ramdisk into img4:
img4 -i ramdisk.dmg -o ramdisk.img4 -M IM4M -A -T rdsk
Booting the Ramdisk
Put the device into pwned-DFU mode.
Send bootchain components in order:
- Send iBSS:
irecovery -f iBSS.img4
- Send iBEC:
irecovery -f iBEC.img4
- Send the ramdisk:
irecovery -f ramdisk.img4
- Execute the ramdisk:
irecovery -c ramdisk
- Send the DeviceTree:
irecovery -f devicetree.img4
- Execute the DeviceTree:
irecovery -c devicetree
- (For iOS 12.0+ only) Send the Trustcache:
irecovery -f trustcache.img4
- (For iOS 12.0+ only) Execute the Trustcache:
irecovery -c trustcache
- Send the Kernelcache:
irecovery -f kernelcache.img4
Boot the device:
irecovery -c bootx
SSH into the Device
- Start an iproxy tunnel in one terminal:
iproxy 2222 22
- Open another terminal and SSH:
ssh -p2222 -oStrictHostKeyChecking=no root@localhost
Done!