iPad6,3 iOS 16.7.6 RSA patch fails. #17

Open
frankpanduh opened this issue Mar 29, 2024 · 0 comments

Howdy, hope all is well. I know this is a long shot here, but I was using a script that is built using kairos.
I see that this only supports iOS 15, but in the event you end up updating this when you get time.

Seems like both iBoot64Patcher and this have the same RSA patching issue. So I might just be S.O.L., but in the event, thought I'd share the log of where the script fails using kairos.

Device: iPad Pro (iPad6,3 - A9(X) - 9.3 inch WiFi)
mast3rz3ro/SSHRD_Script_Lite#8 (comment)

[-] Patching iBoot files using kairos ...
[+] Patching 2_ssh_ramdisk/temp_files/iBSS.dec
[+] Base address: 0x180000000
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x323af
[+] Found IMG4 xref at 0xf6d0
[+] Found beginning of _image4_get_partial at 0xf624
[+] Found xref to _image4_get_partial at 0x10074
[+] Found start of sub_18000ffa0
[+] Found ADR X2, 0x180030f70 at 0x104d4
[+] Call to sub_18000f90c
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to 2_ssh_ramdisk/temp_files/iBSS.patched
[+] Patching 2_ssh_ramdisk/temp_files/iBEC.dec
[+] Base address: 0x870000000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x870000000
[+] Found boot-arg string at 0x5ac36
[+] Relocating from 0x870015260...
[+] Found boot-arg xref at 0x8700152c8
[+] Pointing boot-arg xref to large string at: 0x8700242c8
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x5a5ce
[+] Found debug-enabled xref at 0x13b38
[+] Found second bl after debug-enabled xref at 0x13b4c
[+] Wrote MOVZ X0, #1 to 0x870013b4c
[+] Enabled kernel debug
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x5a3e1
[+] Found IMG4 xref at 0xd908
[+] Found beginning of _image4_get_partial at 0xd7e8
[!] Could not find correct xref for _image4_get_partial.
[!] RSA PATCH FAILED
[+] Wrote patched image to 2_ssh_ramdisk/temp_files/iBEC.patched
[+] Patching 2_ssh_ramdisk/temp_files/iBoot.dec
[+] Base address: 0x870000000
[+] Does have kernel load
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x5a5ce
[+] Found debug-enabled xref at 0x13b38
[+] Found second bl after debug-enabled xref at 0x13b4c
[+] Wrote MOVZ X0, #1 to 0x870013b4c
[+] Enabled kernel debug
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x5a3e1
[+] Found IMG4 xref at 0xd908
[+] Found beginning of _image4_get_partial at 0xd7e8
[!] Could not find correct xref for _image4_get_partial.
[!] RSA PATCH FAILED
[+] Wrote patched image to 2_ssh_ramdisk/temp_files/iBoot.patched
none
none
none
krnl
Starting KPlooshFinder
patch_trustcache_new: Found trustcache
patch_developer_mode: Found developer mode
patch_launch_constraints: Found launch constraints
patch_amfi_sha1: Found AMFI hashtype check
patch_vnode_lookup: Found vnode_lookup
patch_sbops: Found sbops
patch_shellcode_area: Found shellcode area
patch_ret0_gadget: Found ret0 gadget
patch_vnode_getpath: Found vnode_getpath
patch_vnode_getaddr: Found vnode_getattr
patch_vnode_open_close: Found vnode_open/vnode_close
Patching completed successfully.
[-] Searching for kernel differents...
[!] this could take a while please wait...
krnl
[-] Patching kernel completed !
dtre
[!] Found trustcache file : 1_prepare_ramdisk/087-86622-021.dmg.trustcache
rtsc
rdsk
/dev/disk2          	                               	
/dev/disk3          	EF57347C-0000-11AA-AA11-0030654	
/dev/disk3s1        	41504653-0000-11AA-AA11-0030654	/private/tmp/SSHRD
.............................................................
created: /Users/panduh/Desktop/SSHRD_Script_Lite/2_ssh_ramdisk/temp_files/reassigned_ramdisk.dmg
"disk2" ejected.
/dev/disk2          	                               	/private/tmp/SSHRD
"disk2" ejected.
[-] Packing ramdisk into img4 ...
[-] Packing using img4 utility ...
none
none
[-] Cleaning temp directory ...
[!] All Tasks Completed !
[-] To boot this SSHRD please use: ./boot_sshrd.sh