Skip to content

Commit

Permalink
attempt fixing. if it's broken, too bad i guess. i have other things …
Browse files Browse the repository at this point in the history 
…to do
  • Loading branch information
@LukeZGD
LukeZGD committed Jun 24, 2024
1 parent 007cc29 commit 46cbdd9
Showing 1 changed file with 65 additions and 133 deletions.
198 changes: 65 additions & 133 deletions restore.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3321,8 +3321,8 @@ ipsw_prepare_ios4multipart() {
iboot="iboot"
else
log "Add $device_target_vers iBoot to all_flash"
mv iBoot $all_flash2/iBoot4.img3
echo "iBoot4.img3" >> $all_flash2/manifest
mv iBoot $all_flash2/iBoot2.img3
echo "iBoot2.img3" >> $all_flash2/manifest
fi

log "Add APTicket to all_flash"
Expand Down Expand Up @@ -3357,112 +3357,13 @@ ipsw_prepare_ios4multipart() {
popd >/dev/null

# ------ part 2 (nor flash) ends here. start creating part 1 ipsw ------
if [[ $device_type == "iPhone3,3" ]]; then
ipsw_prepare_32bit $iboot
ipsw_prepare_ios4multipart_patch=1
ipsw_prepare_multipatch
return
fi
ipsw_prepare_jailbreak $iboot
mv "$ipsw_custom.ipsw" temp.ipsw
rm asr* iBSS* iBEC* ramdisk* *.dmg 2>/dev/null
options_plist="options"
if [[ $device_type == "iPad1,1" && $device_target_vers == "4"* ]]; then
options_plist+=".$device_model"
fi
options_plist+=".plist"

vers="4.2.1"
build="8C148"
if [[ $device_type == "iPad1,1" ]] || [[ $device_type == "iPod3,1" && $device_target_vers == "3"* ]]; then
vers="$device_target_vers"
build="$device_target_build"
fi
saved_path="../saved/$device_type/$build"
url="$(cat $device_fw_dir/$build/url)"
ramdisk_name=$(echo $device_fw_key | $jq -j '.keys[] | select(.image == "RestoreRamdisk") | .filename')

mkdir -p $saved_path Downgrade Firmware/dfu 2>/dev/null
device_fw_key_check temp $build
log "Getting $vers restore components"
for getcomp in "${comps[@]}"; do
name=$(echo $device_fw_key_temp | $jq -j '.keys[] | select(.image == "'$getcomp'") | .filename')
iv=$(echo $device_fw_key_temp | $jq -j '.keys[] | select(.image == "'$getcomp'") | .iv')
key=$(echo $device_fw_key_temp | $jq -j '.keys[] | select(.image == "'$getcomp'") | .key')
case $getcomp in
"iBSS" | "iBEC" ) path="Firmware/dfu/";;
"DeviceTree" ) path="$all_flash/";;
* ) path="";;
esac
log "$getcomp"
if [[ $vers == "$device_target_vers" ]]; then
unzip -o -j "$ipsw_path.ipsw" ${path}$name
elif [[ -e $saved_path/$name ]]; then
cp $saved_path/$name .
else
"$dir/pzb" -g "${path}$name" -o "$name" "$url"
cp $name $saved_path/
fi
case $getcomp in
"DeviceTree" )
mv $name Downgrade/RestoreDeviceTree
zip -r0 temp.ipsw Downgrade/RestoreDeviceTree
;;
"Kernelcache" )
mv $name Downgrade/RestoreKernelCache
zip -r0 temp.ipsw Downgrade/RestoreKernelCache
;;
* )
mv $name $getcomp.orig
"$dir/xpwntool" $getcomp.orig $getcomp.dec -iv $iv -k $key
;;
esac
if [[ $getcomp == "iB"* ]]; then
log "Patch $getcomp"
"$dir/iBoot32Patcher" $getcomp.dec $getcomp.patched --rsa --debug -b "rd=md0 -v nand-enable-reformat=1 amfi=0xff cs_enforcement_disable=1 pio-error=0"
"$dir/xpwntool" $getcomp.patched ${path}$name -t $getcomp.orig
zip -r0 temp.ipsw ${path}$name
fi
done

log "Grow ramdisk"
"$dir/hfsplus" RestoreRamdisk.dec grow 18000000

log "Patch ASR"
cp ../resources/firmware/FirmwareBundles/Down_${device_type}_${vers}_${build}.bundle/asr.patch .
ipsw_patch_file RestoreRamdisk.dec usr/sbin asr asr.patch

log "Extract options.plist from $device_target_vers IPSW"
unzip -o -j temp.ipsw $ramdisk_name
mv $ramdisk_name ramdisk2.orig
"$dir/xpwntool" ramdisk2.orig ramdisk2.dec
"$dir/hfsplus" ramdisk2.dec extract usr/local/share/restore/$options_plist

if [[ $device_type == "iPad1,1" && $device_target_vers == "3.2"* ]]; then
options_plist="options.k48.plist"
rm $options_plist
mv options.plist $options_plist
fi

log "Modify options.plist"
"$dir/hfsplus" RestoreRamdisk.dec rm usr/local/share/restore/$options_plist
cat $options_plist | sed '$d' | sed '$d' > options2.plist
echo "<key>FlashNOR</key><false/></dict></plist>" >> options2.plist
cat options2.plist
"$dir/hfsplus" RestoreRamdisk.dec add options2.plist usr/local/share/restore/$options_plist

log "Adding exploit and partition stuff"
cp -R ../resources/firmware/src .
"$dir/hfsplus" RestoreRamdisk.dec untar src/bin4.tar
"$dir/hfsplus" RestoreRamdisk.dec mv sbin/reboot sbin/reboot_
"$dir/hfsplus" RestoreRamdisk.dec add src/target/$device_model/reboot4 sbin/reboot
"$dir/hfsplus" RestoreRamdisk.dec chmod 755 sbin/reboot
case $device_target_vers in
4.2* ) ipsw_prepare_32bit $iboot;;
* ) ipsw_prepare_jailbreak $iboot;;
esac

log "Repack Restore Ramdisk"
"$dir/xpwntool" RestoreRamdisk.dec $ramdisk_name -t RestoreRamdisk.orig
log "Add Restore Ramdisk to IPSW"
zip -r0 temp.ipsw $ramdisk_name
mv temp.ipsw "$ipsw_custom.ipsw"
ipsw_prepare_ios4multipart_patch=1
ipsw_prepare_multipatch
}

ipsw_prepare_multipatch() {
Expand Down Expand Up @@ -3560,6 +3461,7 @@ ipsw_prepare_multipatch() {
log "Patch ASR"
if [[ $ipsw_prepare_usepowder == 1 ]]; then
unzip -o -j temp.ipsw $ramdisk_name
mv $ramdisk_name ramdisk2.orig
rm RestoreRamdisk.dec
"$dir/xpwntool" ramdisk2.orig ramdisk2.dec
cp ramdisk2.dec RestoreRamdisk.dec
Expand Down Expand Up @@ -3590,21 +3492,21 @@ ipsw_prepare_multipatch() {
if [[ $device_target_powder == 1 ]] && [[ $device_target_vers == "3"* || $device_target_vers == "4"* ]]; then
log "Adding exploit and partition stuff"
cp -R ../resources/firmware/src .
rm src/bin.tar
mv src/bin4.tar src/bin.tar
tar -rvf src/bin.tar iBoot
"$dir/hfsplus" RestoreRamdisk.dec untar src/bin.tar
# reboot chain: reboot4 as reboot, activate_exploit as reboot_, original reboot as reboot__
# thanks to testingthings (@throwaway167074) this ios 4 powder nvram fix implementation, https://gist.github.com/LukeZGD/da484f6deb02edefd6689c6bf921d5d4
"$dir/hfsplus" RestoreRamdisk.dec mv sbin/reboot sbin/reboot__
case $device_target_vers in
4.3* ) "$dir/hfsplus" RestoreRamdisk.dec add src/activate_exploit sbin/reboot_;; # auto-boot=1
* ) "$dir/hfsplus" RestoreRamdisk.dec add src/activate_exploit2 sbin/reboot_;; # auto-boot=0
esac
"$dir/hfsplus" RestoreRamdisk.dec untar src/bin4.tar
"$dir/hfsplus" RestoreRamdisk.dec mv sbin/reboot sbin/reboot_
"$dir/hfsplus" RestoreRamdisk.dec add src/target/$device_model/reboot4 sbin/reboot
"$dir/hfsplus" RestoreRamdisk.dec chmod 755 sbin/reboot
"$dir/hfsplus" RestoreRamdisk.dec chmod 755 sbin/reboot_
"$dir/hfsplus" RestoreRamdisk.dec chmod 755 sbin/reboot__
if [[ $device_type != "iPhone3,1" ]]; then
"$dir/hfsplus" RestoreRamdisk.dec add iBoot iBoot
# reboot chain: reboot4 as reboot, activate_exploit as reboot_, original reboot as reboot__
# thanks to testingthings (@throwaway167074) this ios 4 powder nvram fix implementation, https://gist.github.com/LukeZGD/da484f6deb02edefd6689c6bf921d5d4
"$dir/hfsplus" RestoreRamdisk.dec mv sbin/reboot_ sbin/reboot__
case $device_target_vers in
4.3* ) "$dir/hfsplus" RestoreRamdisk.dec add src/activate_exploit sbin/reboot_;; # auto-boot=1
* ) "$dir/hfsplus" RestoreRamdisk.dec add src/activate_exploit2 sbin/reboot_;; # auto-boot=0
esac
"$dir/hfsplus" RestoreRamdisk.dec chmod 755 sbin/reboot_
fi
elif [[ $device_target_powder == 1 ]]; then
local hw="$device_model"
local base_build="11D257"
Expand Down Expand Up @@ -3774,12 +3676,26 @@ ipsw_prepare_ios4powder() {
echo "0000020: 3467" | xxd -r - $applelogo_name
mv $applelogo_name $all_flash/$applelogo_name
fi
if [[ $device_type != "iPhone3,1" ]]; then
local ramdisk_name=$(echo "$device_fw_key" | $jq -j '.keys[] | select(.image == "RestoreRamdisk") | .filename')
log "Patch RestoreRamdisk"
unzip -o -j temp.ipsw $ramdisk_name
mv $ramdisk_name ramdisk.orig
"$dir/xpwntool" ramdisk.orig ramdisk.dec
# powdersn0w adds reboot4 as sbin/reboot, and orig reboot is moved to sbin/reboot_
# these commands will add activate_exploit to sbin/reboot_, and move orig reboot to sbin/reboot__
# thanks to testingthings (@throwaway167074) this ios 4 powder nvram fix implementation, https://gist.github.com/LukeZGD/da484f6deb02edefd6689c6bf921d5d4
"$dir/hfsplus" ramdisk.dec mv sbin/reboot_ sbin/reboot__
"$dir/hfsplus" ramdisk.dec add src/activate_exploit sbin/reboot_
"$dir/hfsplus" ramdisk.dec chmod 755 sbin/reboot_
"$dir/xpwntool" ramdisk.dec $ramdisk_name -t ramdisk.orig
fi

log "Add all to custom IPSW"
if [[ $device_type != "iPad1,1" ]]; then
cp iBoot $all_flash/iBoot2.${device_model}ap.RELEASE.img3
fi
zip -r0 temp.ipsw $all_flash/* Firmware/dfu/*
zip -r0 temp.ipsw $all_flash/* Firmware/dfu/* $ramdisk_name

mv temp.ipsw "$ipsw_custom.ipsw"
}
Expand Down Expand Up @@ -4380,6 +4296,7 @@ restore_prepare_1033() {
return
fi
if [[ $device_proc == 7 ]]; then
log "gaster reset"
$gaster reset
fi
sleep 1
Expand All @@ -4399,6 +4316,7 @@ restore_prepare_1033() {
((attempt++))
done
if [[ $device_proc == 10 ]]; then
log "irecovery -c go"
$irecovery -c "go"
sleep 3
fi
Expand Down Expand Up @@ -4475,11 +4393,18 @@ restore_prepare() {
;;
* ) restore_idevicerestore;;
esac
if [[ $device_target_vers == "4"* && $device_target_powder == 1 ]] &&
[[ $device_type == "iPad1,1" || $device_type == "iPod3,1" || $device_type == "iPhone3,3" ]]; then
if [[ $device_target_vers == "3"* || $device_target_vers == "4"* ]] && [[ $device_target_powder == 1 ]]; then
log "The device may enter recovery mode after the restore"
print "* To fix this, go to: Other Utilities -> Disable/Enable Exploit -> Enable Exploit"
fi
if [[ $device_target_vers == "4.3"* && $device_target_powder == 1 ]] &&
[[ $device_type == "iPad1,1" || $device_type == "iPod3,1" ]]; then
log "Do not disconnect your device yet"
device_find_mode Recovery 50
log "Attempting to exit recovery mode"
$irecovery -n
log "Done, your device should boot now"
fi
elif [[ $device_target_other == 1 ]]; then
case $device_target_vers in
[34]* ) device_enter_mode pwnDFU;;
Expand Down Expand Up @@ -4655,11 +4580,12 @@ ipsw_prepare() {
return
fi
restore_usepwndfu64_option
if [[ $restore_usepwndfu64 == 1 ]]; then
if [[ $restore_usepwndfu64 != 1 ]]; then
ipsw_prepare_1033
fi
else
restore_usepwndfu64_option
fi
restore_usepwndfu64_option
;;

[89] | 10 ) restore_usepwndfu64_option;;
Expand All @@ -4679,15 +4605,21 @@ restore_usepwndfu64_option() {
if [[ $device_proc == 7 ]]; then
print "* This option is disabled by default (N). Select this option if unsure."
read -p "$(input 'Enable this option? (y/N): ')" opt
if [[ $opt == 'Y' || $opt == 'y' ]]; then
log "Pwned restore option enabled by user."
restore_usepwndfu64=1
else
log "Pwned restore option disabled."
fi
else
print "* This option is enabled by default (Y). Select this option if unsure."
read -p "$(input 'Enable this option? (Y/n): ')" opt
fi
if [[ $opt == 'Y' || $opt == 'y' ]]; then
log "Pwned restore option enabled."
restore_usepwndfu64=1
else
log "Pwned restore option disabled."
if [[ $opt == 'N' || $opt == 'n' ]]; then
log "Pwned restore option disabled by user."
else
log "Pwned restore option enabled."
restore_usepwndfu64=1
fi
fi
}

Expand Down Expand Up @@ -7561,11 +7493,11 @@ restore_customipsw() {
elif [[ $device_type == "iPod2,1" ]]; then
print "* You may also use this option for downgrading the device to 3.0 and lower for old bootrom models."
else
warn "* Do NOT use this option for powdersn0w or jailbreak IPSWs made with Legacy iOS Kit!"
warn "Do NOT use this option for powdersn0w or jailbreak IPSWs made with Legacy iOS Kit!"
fi
fi
if [[ $platform == "macos" ]] && [[ $device_type == "iPod2,1" || $device_proc == 1 ]]; then
warn "* Restoring to 2.x might not work on newer macOS versions."
warn "Restoring to 2.x might not work on newer macOS versions."
fi
if [[ $device_proc == 1 ]]; then
echo
Expand Down

0 comments on commit 46cbdd9

Please sign in to comment.