#!/usr/bin/env bash
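# pipefail: in `v=$(producer | grep ...)` assignments a failing producer
# (ideviceinfo, irecovery, curl) now aborts the run instead of being hidden
# behind the consumer's status.  Deliberately not `-u`: optional $2/$3 are
# tested directly below.
set -eo pipefail
# Variables
version="1.0.0"            # script version; later overwritten with the device's iOS version
os=$(uname)                # 'Darwin' or 'Linux' — selects binaries/<os> and the USB probing tool
dir="$(pwd)/binaries/$os"  # prebuilt helper tools; the script must be run from the repo root
# `--debug` anywhere on the command line shows tool output instead of discarding it.
if [[ "$*" == *"--debug"* ]]; then
  out=/dev/stdout
else
  out=/dev/null
fi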
# Functions
#######################################
# Countdown prompt: rewrites one terminal line once per second.
# Arguments: $1 - seconds to count down from
#            $2 - message shown next to the counter
# Outputs:   "\r<msg> (n) " in bold cyan for n = $1..1, then "<msg> (0)" with
#            attributes reset and a newline.
#######################################
step() {
  local n secs=$1 msg=$2
  for (( n = secs; n >= 1; n-- )); do
    printf '\r\e[1;36m%s (%d) ' "$msg" "$n"
    sleep 1
  done
  printf '\r\e[0m%s (0)\n' "$msg"
}
# Error handler
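# Error handler — runs on every exit via the trap below.
# On a non-zero exit it reports the failure and, on macOS, reverts the
# Finder/AMPDevicesAgent settings that the normal-mode path switched on.
# A --dfu run never changed those settings, so it is left alone.
# The trap passes the script's arguments through: inside a function $2 is the
# *function's* second argument, so the previous bare `trap ERR_HANDLER EXIT`
# always saw an empty $2 and reverted the settings for --dfu runs as well.
ERR_HANDLER () {
  local rc=$?   # must be the very first statement; anything else clobbers it
  [ "$rc" -eq 0 ] && exit 0
  echo "[-] An error occurred" >&2
  if [ "$os" = 'Darwin' ] && [ "${2-}" != '--dfu' ]; then
    defaults write -g ignore-devices -bool false
    defaults write com.apple.AMPDevicesAgent dontAutomaticallySyncIPods -bool false
    killall Finder
  fi
  exit "$rc"    # keep the failing status visible to the caller
}
trap 'ERR_HANDLER "$@"' EXIT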
# `clean`: delete every generated boot-* directory plus the work dir, then stop.
case "$1" in
  clean)
    rm -rf boot-* work
    echo "[*] Removed the created boot files"
    exit
    ;;
esac
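# Download gaster
# The exploit tool is fetched from nightly.link (a third-party CI-artifact
# proxy) with no checksum or signature check, and then runs with the user's
# privileges against the device.  TODO(review): pin a release and verify a hash.
if [ ! -e "${dir:?}"/gaster ]; then
  archive="gaster-$os.zip"
  # -f: an HTTP error fails here instead of saving an error page as the archive
  curl -fsLO "https://nightly.link/verygenericname/gaster/workflows/makefile/main/$archive"
  unzip -q "$archive"
  mkdir -p "$dir"
  mv gaster "$dir"/
  rm -f -- "$archive"
fi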
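# Check for pyimg4
# importlib.util.find_spec replaces pkgutil.find_loader, which is deprecated
# since Python 3.12 and removed in 3.14.  Exit status 1 == "not installed".
if ! python3 -c 'import importlib.util, sys; sys.exit(importlib.util.find_spec("pyimg4") is None)'; then
  echo '[-] pyimg4 not installed. Press any key to install it, or press ctrl + c to cancel'
  # If stdin is not interactive the user cannot consent, so stop rather than
  # install unprompted.  The package is pulled unpinned from PyPI.
  read -r -n 1 -s || exit 1
  python3 -m pip install pyimg4 > "$out"
fi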
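# Start from an empty work/ directory (rm -rf is a no-op when it is absent).
rm -rf -- work
mkdir work
# ${dir:?} aborts if $dir is empty/unset, so this can never become `chmod +x /*`.
chmod +x "${dir:?}"/*
echo "palera1n | Version $version"
echo "Written by Nebula | Some code by Nathan | Patching commands and ramdisk by Mineek | Loader app by Amy"
echo ""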
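# Get device's iOS version from ideviceinfo if in normal mode
# The result lands in $version (overwriting the script version printed above);
# the IPSW lookup later keys on it.
if [ "$2" = '--dfu' ]; then
  # A device already in DFU cannot be queried, so the caller supplies the version.
  if [ -z "$3" ]; then
    echo "[-] When using --dfu, please pass the version you're device is on" >&2
    exit 1  # usage error: non-zero so the EXIT trap and callers see a failure
  fi
  version=$3
else
  normal_mode_present() {
    # Plain '> /dev/null' rather than grep -q so the producer is always drained
    # (an early grep exit would make the pipeline status depend on SIGPIPE).
    if [ "$os" = 'Darwin' ]; then
      system_profiler SPUSBDataType 2> /dev/null | grep 'Manufacturer: Apple Inc.' > /dev/null
    else
      lsusb 2> /dev/null | grep ' Apple, Inc.' > /dev/null
    fi
  }
  if ! normal_mode_present; then
    echo "[*] Waiting for device in normal mode"
  fi
  while ! normal_mode_present; do
    sleep 1
  done
  if [ "$os" = 'Darwin' ]; then
    # Keep Finder / AMPDevicesAgent from grabbing the device while the script
    # drives it; reverted by ERR_HANDLER on failure and at the end on success.
    defaults write -g ignore-devices -bool true
    defaults write com.apple.AMPDevicesAgent dontAutomaticallySyncIPods -bool true
    killall Finder
  fi
  # One ideviceinfo call instead of three; fields are extracted exactly as before.
  info=$(ideviceinfo)
  version=$(printf '%s\n' "$info" | grep "ProductVersion: " | sed 's/ProductVersion: //')
  arch=$(printf '%s\n' "$info" | grep "CPUArchitecture: " | sed 's/CPUArchitecture: //')
  product=$(printf '%s\n' "$info" | grep "ProductType: " | sed 's/ProductType: //')
  if [ "$arch" != "arm64" ]; then
    # Non-zero so ERR_HANDLER reverts the macOS settings just enabled; the
    # previous bare `exit` (status 0) skipped that and left Finder ignoring devices.
    echo "[-] palera1n doesn't, and never will, work on non-checkm8 devices" >&2
    exit 1
  fi
  echo "Hello, $product on $version!"
fi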
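# Put device into recovery mode, and set auto-boot to true
if [ "$2" != '--dfu' ]; then
  echo "[*] Switching device into recovery mode..."
  # Capture the UDID first (quoted when passed; a failing ideviceinfo aborts here).
  udid=$(ideviceinfo | grep "UniqueDeviceID: " | sed 's/UniqueDeviceID: //')
  ideviceenterrecovery "$udid" > "$out"
  recovery_mode_present() {
    if [ "$os" = 'Darwin' ]; then
      system_profiler SPUSBDataType 2> /dev/null | grep ' Apple Mobile Device (Recovery Mode):' > /dev/null
    else
      # NOTE(review): lsusb also reports ' Apple, Inc.' for the device in normal
      # mode, so on Linux this passes before the reboot has happened and the
      # irecovery calls below can race it.  Matching the recovery-mode product
      # string would be stricter — confirm against real lsusb output first.
      lsusb 2> /dev/null | grep ' Apple, Inc.' > /dev/null
    fi
  }
  if ! recovery_mode_present; then
    echo "[*] Waiting for device to reconnect in recovery mode"
  fi
  while ! recovery_mode_present; do
    sleep 1
  done
  # auto-boot true: presumably so the device returns to a normal boot if the
  # tethered boot is not completed — confirm.
  "$dir"/irecovery -c "setenv auto-boot true"
  "$dir"/irecovery -c "saveenv"
fi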
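# Grab more info
echo "[*] Getting device info..."
# One irecovery query; each field is extracted the same way as before.
recinfo=$("$dir"/irecovery -q)
cpid=$(printf '%s\n' "$recinfo" | grep CPID | sed 's/CPID: //')
model=$(printf '%s\n' "$recinfo" | grep MODEL | sed 's/MODEL: //')
deviceid=$(printf '%s\n' "$recinfo" | grep PRODUCT | sed 's/PRODUCT: //')
# Stock IPSW for this device/version from ipsw.me.  $version goes in via --arg
# instead of being spliced into the filter, so a value containing quotes cannot
# break or rewrite the jq program; -f makes an HTTP error fail the run instead of
# feeding an error page to jq; first(...) keeps a single URL if the API lists
# more than one build for the version.
ipswurl=$(curl -fsL "https://api.ipsw.me/v4/device/$deviceid?type=ipsw" \
  | "$dir"/jq --raw-output --arg v "$version" 'first(.firmwares[] | select(.version == $v) | .url)')
if [ -z "$ipswurl" ]; then
  echo "[-] No IPSW found for $deviceid on iOS $version" >&2
  exit 1
fi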
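# Have the user put the device into DFU
if [ "$2" != '--dfu' ]; then
  echo "[*] Press any key when ready for DFU mode"
  read -r -n 1 -s
  step 3 "Get ready"
  # Backgrounded so the countdown keeps ticking across the sleep + reset below.
  step 4 "Hold volume down + side button" &
  sleep 3
  "$dir"/irecovery -c "reset"
  step 1 "Keep holding"
  step 10 'Release side button, but keep holding volume down'
  sleep 1
  # Check if device entered dfu
  dfu_mode_present() {
    if [ "$os" = 'Darwin' ]; then
      system_profiler SPUSBDataType 2> /dev/null | grep ' Apple Mobile Device (DFU Mode):' > /dev/null
    else
      # lsusb names the device from usb.ids ("Apple, Inc. Mobile Device (DFU
      # Mode)"), not in the system_profiler form "Apple Mobile Device (DFU Mode):"
      # that was matched here before, so the Linux check could not succeed.
      # Match only the mode name — NOTE(review): confirm against a real lsusb dump.
      lsusb 2> /dev/null | grep 'DFU Mode' > /dev/null
    fi
  }
  if ! dfu_mode_present; then
    # Non-zero so the EXIT trap reports it and reverts the macOS device settings
    # (a bare `exit`, status 0, left them switched on).
    echo "[-] Device didn't go in DFU mode, please rerun the script and try again" >&2
    exit 1
  fi
  echo "[*] Device entered DFU!"
fi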
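if [ ! -e boot-"$deviceid" ]; then
  # First run for this device: build the patched boot chain from the stock IPSW.
  # $1 is the SHSH blob (source of the IM4M).  Resolve it before cd'ing into
  # work/ — a relative path was previously looked up inside work/, where it
  # does not exist, and img4tool failed.
  case "$1" in
    /*) shsh=$1 ;;
    *)  shsh="$PWD/$1" ;;
  esac
  if [ ! -f "$shsh" ]; then
    echo "[-] SHSH blob not found: $1" >&2
    exit 1
  fi
  # Assemble into a staging dir under work/ and rename it to boot-$deviceid only
  # once every artifact exists: a half-built boot-$deviceid left by a failed run
  # would otherwise pass the check above and be booted with files missing.
  stage="work/boot-$deviceid"
  sleep 2
  echo "[*] Pwning device"
  "$dir"/gaster pwn > "$out"
  sleep 1
  # Downloading files, and decrypting iBSS/iBEC
  mkdir "$stage"
  cd work
  echo "[*] Downloading BuildManifest"
  "$dir"/pzb -g BuildManifest.plist "$ipswurl" > "$out"
  "$dir"/img4tool -e -s "$shsh" -m IM4M > "$out"
  echo "[*] Downloading and decrypting iBSS"
  # The awk programs below take the first iBSS/iBEC/kernelcache path listed after
  # the line mentioning this device's CPID (or MODEL).  $cpid/$model come from
  # irecovery and are spliced into the awk regex unquoted — device-provided input.
  "$dir"/pzb -g "$(awk "/""$cpid""/{x=1}x&&/iBSS[.]/{print;exit}" BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1)" "$ipswurl" > "$out"
  "$dir"/gaster decrypt "$(awk "/""$cpid""/{x=1}x&&/iBSS[.]/{print;exit}" BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1 | sed 's/Firmware[/]dfu[/]//')" iBSS.dec > "$out"
  echo "[*] Downloading and decrypting iBEC"
  "$dir"/pzb -g "$(awk "/""$cpid""/{x=1}x&&/iBEC[.]/{print;exit}" BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1)" "$ipswurl" > "$out"
  "$dir"/gaster decrypt "$(awk "/""$cpid""/{x=1}x&&/iBEC[.]/{print;exit}" BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1 | sed 's/Firmware[/]dfu[/]//')" iBEC.dec > "$out"
  echo "[*] Downloading DeviceTree"
  #$dir/pzb -g "$(awk "/""$cpid""/{x=1}x&&/DeviceTree[.]/{print;exit}" BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1)" $ipswurl > "$out"
  "$dir"/pzb -g Firmware/all_flash/DeviceTree."$model".im4p "$ipswurl" > "$out"
  echo "[*] Downloading trustcache"
  # The trustcache path is read from the first build identity with the platform plist tool.
  if [ "$os" = 'Darwin' ]; then
    "$dir"/pzb -g "$(/usr/bin/plutil -extract "BuildIdentities".0."Manifest"."StaticTrustCache"."Info"."Path" xml1 -o - BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1 | head -1)" "$ipswurl" > "$out"
  else
    "$dir"/pzb -g "$("$dir"/PlistBuddy BuildManifest.plist -c "Print BuildIdentities:0:Manifest:StaticTrustCache:Info:Path" | sed 's/"//g')" "$ipswurl" > "$out"
  fi
  #if [[ "$@" == *"install"* ]]; then
  #  echo "[*] Downloading ramdisk"
  #  if [ "$os" = 'Darwin' ]; then
  #    $dir/pzb -g "$(/usr/bin/plutil -extract "BuildIdentities".0."Manifest"."RestoreRamDisk"."Info"."Path" xml1 -o - BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1 | head -1)" $ipswurl > "$out"
  #  else
  #    $dir/pzb -g "$($dir/PlistBuddy BuildManifest.plist -c "Print BuildIdentities:0:Manifest:RestoreRamDisk:Info:Path" | sed 's/"//g')" $ipswurl > "$out"
  #  fi
  #fi
  echo "[*] Downloading kernelcache"
  "$dir"/pzb -g "$(awk "/""$cpid""/{x=1}x&&/kernelcache.release/{print;exit}" BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1)" "$ipswurl" > "$out"
  echo "[*] Patching and repacking iBSS/iBEC"
  "$dir"/iBoot64Patcher iBSS.dec iBSS.patched > "$out"
  # -b: boot-args baked into the patched iBEC
  "$dir"/iBoot64Patcher iBEC.dec iBEC.patched -b '-v keepsyms=1 debug=0xfffffffe panic-wait-forever=1 wdt=-1' > "$out"
  #if [[ "$@" == *"install"* ]]; then
  #  $dir/iBoot64Patcher iBEC.patched restore_ibec.patched -b '-v rd=md0 debug=0x2014e wdt=-1' > "$out"
  #fi
  cd ..
  # Repack with the IM4M from the SHSH blob; outputs go to the staging dir.
  "$dir"/img4 -i work/iBSS.patched -o "$stage"/iBSS.img4 -M work/IM4M -A -T ibss > "$out"
  "$dir"/img4 -i work/iBEC.patched -o "$stage"/iBEC.img4 -M work/IM4M -A -T ibec > "$out"
  #if [[ "$@" == *"install"* ]]; then
  #  $dir/img4 -i work/restore_ibec.patched -o "$stage"/restore_ibec.img4 -M work/IM4M -A -T ibec > "$out"
  #fi
  echo "[*] Patching and converting kernelcache"
  # iPhone8,* kernelcaches carry an extra KPP payload that must be split off and
  # re-attached when the patched cache is repacked.
  if [[ "$deviceid" == *'iPhone8'* ]]; then
    python3 -m pyimg4 im4p extract -i work/"$(awk "/""$model""/{x=1}x&&/kernelcache.release/{print;exit}" work/BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1)" -o work/kcache.raw --extra work/kpp.bin > "$out"
  else
    python3 -m pyimg4 im4p extract -i work/"$(awk "/""$model""/{x=1}x&&/kernelcache.release/{print;exit}" work/BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1)" -o work/kcache.raw > "$out"
  fi
  "$dir"/Kernel64Patcher work/kcache.raw work/kcache.patched -a -o > "$out"
  if [[ "$deviceid" == *'iPhone8'* ]]; then
    python3 -m pyimg4 im4p create -i work/kcache.patched -o work/krnlboot.im4p --extra work/kpp.bin -f rkrn --lzss > "$out"
  else
    python3 -m pyimg4 im4p create -i work/kcache.patched -o work/krnlboot.im4p -f rkrn --lzss > "$out"
  fi
  python3 -m pyimg4 img4 create -p work/krnlboot.im4p -o "$stage"/kernelcache.img4 -m work/IM4M > "$out"
  echo "[*] Converting DeviceTree"
  "$dir"/img4 -i work/"$(awk "/""$model""/{x=1}x&&/DeviceTree[.]/{print;exit}" work/BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1 | sed 's/Firmware[/]all_flash[/]//')" -o "$stage"/devicetree.img4 -M work/IM4M -T rdtr > "$out"
  echo "[*] Patching and converting trustcache"
  if [ "$os" = 'Darwin' ]; then
    "$dir"/img4 -i work/"$(/usr/bin/plutil -extract "BuildIdentities".0."Manifest"."StaticTrustCache"."Info"."Path" xml1 -o - work/BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1 | head -1 | sed 's/Firmware\///')" -o "$stage"/trustcache.img4 -M work/IM4M -T rtsc > "$out"
  else
    "$dir"/img4 -i work/"$("$dir"/PlistBuddy work/BuildManifest.plist -c "Print BuildIdentities:0:Manifest:StaticTrustCache:Info:Path" | sed 's/"//g'| sed 's/Firmware\///')" -o "$stage"/trustcache.img4 -M work/IM4M -T rtsc > "$out"
  fi
  #if [[ "$@" == *"install"* ]]; then
  #  echo "[*] Making ramdisk... this may take awhile"
  #  if [ "$os" = 'Darwin' ]; then
  #    $dir/img4 -i work/"$(/usr/bin/plutil -extract "BuildIdentities".0."Manifest"."RestoreRamDisk"."Info"."Path" xml1 -o - work/BuildManifest.plist | grep '<string>' | cut -d\> -f2 | cut -d\< -f1 | head -1)" -o work/ramdisk.dmg > "$out"
  #  else
  #    $dir/img4 -i work/"$(Linux/PlistBuddy work/BuildManifest.plist -c "Print BuildIdentities:0:Manifest:RestoreRamDisk:Info:Path" | sed 's/"//g')" -o work/ramdisk.dmg > "$out"
  #  fi
  #  $dir/hfsplus work/ramdisk.dmg grow 300000000 > "$out"
  #  $dir/hfsplus work/ramdisk.dmg untar other/ramdisk.tar.gz > "$out"
  #  $dir/img4 -i work/ramdisk.dmg -o "$stage"/ramdisk.img4 -M work/IM4M -A -T rdsk > "$out"
  #fi
  # Everything built: publish the boot directory atomically.
  mv "$stage" boot-"$deviceid"
fi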
# Tethered boot.  gaster re-exploits the DFU device, then the patched boot chain
# is pushed over irecovery in order: iBSS, iBEC, DeviceTree, trustcache,
# kernelcache.  The sleeps give the device time to consume each upload.
bootdir="boot-$deviceid"
send_img() { "$dir"/irecovery -f "$1"; }
send_cmd() { "$dir"/irecovery -c "$1"; }

echo "[*] Pwning device"
sleep 2
"$dir"/gaster pwn > "$out"
sleep 2
"$dir"/gaster reset > "$out"
sleep 3
echo "[*] Booting device"
send_img "$bootdir/iBSS.img4"
sleep 3
#if [[ "$@" == *"install"* ]]; then
#  send_img "$bootdir/restore_ibec.img4"
#  sleep 2
#else
send_img "$bootdir/iBEC.img4"
sleep 2
#fi
# "go" is only issued for CPIDs containing "0x80" — a substring match, so it
# covers 0x8000/0x8003/0x8010/0x8015-style parts; presumably iBEC has to be
# started explicitly on those — confirm.
if [[ "$cpid" == *"0x80"* ]]; then
  #if [[ "$@" == *"install"* ]]; then
  #  send_img "$bootdir/restore_ibec.img4"
  #else
  #  send_img "$bootdir/iBEC.img4"
  #fi
  sleep 2
  send_cmd "go"
  sleep 3
fi
#if [[ "$@" == *"install"* ]]; then
#  send_img "$bootdir/ramdisk.img4"
#  sleep 2
#  send_cmd "ramdisk"
#  sleep 2
#fi
send_img "$bootdir/devicetree.img4"
sleep 1
send_cmd "devicetree"
sleep 1
send_img "$bootdir/trustcache.img4"
sleep 1
send_cmd "firmware"
sleep 1
send_img "$bootdir/kernelcache.img4"
sleep 2
send_cmd "bootx"
# Undo the macOS settings switched on while waiting for the device in normal
# mode (a --dfu run never changed them).
if [ "$os" = 'Darwin' ] && [ "$2" != '--dfu' ]; then
  defaults write -g ignore-devices -bool false
  defaults write com.apple.AMPDevicesAgent dontAutomaticallySyncIPods -bool false
  killall Finder
fi
rm -rf work
printf '\nDone!\n'
#if [[ "$@" == *"install"* ]]; then
#  echo "The device should now reboot after about 30 seconds, then you can rerun the script without the install arg"
#else
cat <<'EOF'
The device should now boot to iOS
If you already have installed Pogo, click uicache and remount preboot in the tools section
If not, get an IPA from the latest action build of Pogo and install with TrollStore
Add the repo mineek.github.io/repo for Procursus
EOF
#fi