

iphone7
# Host-side setup (Arch Linux).  usbmuxd/libusbmuxd let iproxy reach the
# USB-attached phone, checkra1n-cli boots it, sshpass scripts the password
# login.
pacman -S usbmuxd libusbmuxd checkra1n-cli sshpass wget git unzip
# Forward local TCP 2222 to port 44 on the phone (the ssh port checkra1n
# exposes over USB).  Leave this running for every ssh/scp below.
iproxy 2222 44
cd /tmp
git clone https://github.com/corellium/projectsandcastle
cd projectsandcastle/loader
# The 64-hex path component looks like a SHA-256 of the archive; if it is,
# `sha256sum linux-sandcastle.zip` lets you check the download against it
# before unpacking (TODO confirm against the publisher's notes).
wget https://assets.checkra.in/downloads/sandcastle/0175ae56bcba314268d786d1239535bca245a7b126d62a767e12de48fd20f470/linux-sandcastle.zip
unzip linux-sandcastle.zip
# "alpine" is the stock root password of a jailbroken iOS device; change it
# with `passwd` once you are in.  `-p` puts the password on the command line
# (visible in `ps` and the shell history) -- `sshpass -e` reads it from
# $SSHPASS instead.  android-sandcastle/isetup presumably comes out of the
# zip above.
sshpass -p "alpine" scp -P2222 android-sandcastle/isetup root@localhost:/tmp
# Runs isetup as root on the phone.  It presumably prepares the APFS volume
# for Linux (compare the manual newfs_apfs steps further down); read it
# before running it, since it modifies the phone's storage.
sshpass -p "alpine" ssh -p2222 root@localhost "chmod 755 /tmp/isetup && /tmp/isetup"
# builds ./load-linux
make
# enter dfu
# -c: CLI mode, -p: stop in the PongoOS shell instead of jailbreaking, so
# load-linux can push the kernel (see the "flash kernel" section) -- check
# `checkra1n --help` for the exact flag meaning.
checkra1n -cp
./load-linux linux-sandcastle/Linux.lzma linux-sandcastle/dtbpack
  • some commands need root access

linux-buildroot

# Build the buildroot-based images for the phone.
pacman -S cpio rsync bc
git clone https://github.com/corellium/sandcastle-buildroot.git
cd sandcastle-buildroot
make menuconfig # exit and save
make
# load-linux expects the kernel as an lzma stream named Linux.lzma
lzma -z output/images/Image
mv output/images/Image.lzma output/images/Linux.lzma

linux-sandcastle

# First attempt at building the kernel with a cross toolchain.
pacman -S arm-none-eabi-gcc
git clone https://github.com/corellium/linux-sandcastle.git
cd linux-sandcastle
#export PATH="/home/onny/projects/x-tools8/aarch64-unknown-linux-gnu/bin:$PATH"
export ARCH=arm64
# NOTE: arm-none-eabi-* is a 32-bit bare-metal toolchain and cannot build an
# arm64 kernel, which is presumably why this line is disabled in favour of
# the aarch64 toolchain from the PATH line above (looks like a crosstool-ng
# build).  The "new" section below uses the distro's aarch64-linux-gnu-gcc.
#export CROSS_COMPILE=arm-none-eabi-
export CROSS_COMPILE=aarch64-unknown-linux-gnu-
make hx_h9p_defconfig
make -j6
make dtbs

new

# Kernel build with the distro cross compiler.
pacman -S aarch64-linux-gnu-gcc 
git clone https://github.com/corellium/linux-sandcastle.git
cd linux-sandcastle
export ARCH=arm64
export CROSS_COMPILE=aarch64-linux-gnu-
make hx_h9p_defconfig
# Copy ramdisk.cpio.gz from the buildroot output into this directory before
# building; the file may carry a different name there.  The defconfig
# presumably embeds it as the built-in initramfs -- check
# CONFIG_INITRAMFS_SOURCE in .config.
make -j4
# load-linux wants the lzma-compressed Image as Linux.lzma
lzma -z arch/arm64/boot/Image # Linux.lzma
# make dtbs

custom rootfs

# Pack the current directory as a gzip'd newc cpio (the initramfs format).
# -print0/--null keep file names with whitespace intact; run from inside the
# rootfs so paths are relative (./...).  Writing to /boot needs root.
find . -print0 | cpio --null --create --verbose --format=newc | gzip --best > /boot/custom-initramfs.cpio.gz

extract cpio

# Unpack a newc cpio into the current directory.  --no-absolute-filenames
# strips a leading "/" so an archive built with absolute paths (or a crafted
# one) cannot write outside the working directory; --make-directories
# creates missing parents.
cpio --extract --make-directories --format=newc --no-absolute-filenames < initramfs.cpio

complete new writeup

create rootfs

sudo pacman -S pmbootstrap
[onny@onnuex postmarketos_rootfs]$ pmbootstrap init
[10:16:43] Location of the 'work' path. Multiple chroots (native, device arch, device rootfs) will be created in there.
[10:16:43] Work path [/home/onny/.local/var/pmbootstrap]: 
[10:16:45] NOTE: pmaports path: /home/onny/.local/var/pmbootstrap/cache_git/pmaports
[10:16:45] Choose your target device vendor (either an existing one, or a new one for porting).
[10:16:45] Available vendors (48): alcatel, amazon, asus, bq, chuwi, fairphone, finepower, fujitsu, google, gp, hisense, htc, huawei, infocus, jolla, leeco, lenovo, lg, medion, meizu, motorola, nextbit, nobby, nokia, oneplus, oppo, ouya, pine64, planet, purism, qemu, raspberry, samsung, semc, sharp, sony, surftab, t2m, tablet, teclast, tokio, wiko, wileyfox, wingtech, xiaomi, yu, zte, zuk
[10:16:45] Vendor [qemu]: 
[10:16:47] Available codenames (2): aarch64, amd64
[10:16:47] Device codename [aarch64]: 
[10:16:49] Which kernel do you want to use with your device?
[10:16:49] Available kernels (2):
[10:16:49] * lts: Alpine LTS kernel
[10:16:49] * virt: Alpine Virt kernel (minimal, no audio)
[10:16:49] Kernel [lts]: virt
[10:17:07] Username [onny]: 
[10:17:08] Available user interfaces (12): 
[10:17:08] * none: No graphical environment
[10:17:08] * gnome: (Wayland) Gnome Shell (not for armhf)
[10:17:08] * i3wm: (X11) Tiling WM (keyboard required)
[10:17:08] * kodi: (Wayland) 10-foot UI useful on TV's
[10:17:08] * mate: (X11) MATE Desktop Environment, fork of GNOME2 (stylus recommended)
[10:17:08] * phosh: (Wayland) Mobile UI developed for the Librem 5 (works only with numeric passwords!)
[10:17:08] * plasma-desktop: (X11/Wayland) KDE Desktop Environment (works well with tablets)
[10:17:08] * plasma-mobile: (Wayland) Mobile variant of KDE Plasma (slow without hardware acceleration, allows only numeric passwords!)
[10:17:08] * plasma-mobile-extras: Plasma Mobile with more apps pre-installed (video and music players, pdf reader, etc.)
[10:17:08] * shelli: Plain console with touchscreen gesture support
[10:17:08] * sway: (Wayland) Tiling WM, drop-in replacement for i3wm (DOES NOT RUN WITHOUT HW ACCELERATION!)
[10:17:08] * weston: (Wayland) Reference compositor (demo, not a phone interface)
[10:17:08] * xfce4: (X11) Lightweight GTK+2 desktop (stylus recommended)
[10:17:08] User interface [weston]: phosh
[10:17:19] Build options: Parallel jobs: 5, ccache per arch: 5G
[10:17:19] Change them? (y/n) [n]: 
[10:17:24] Additional packages that will be installed to rootfs. Specify them in a comma separated list (e.g.: vim,file) or "none"
[10:17:24] Extra packages [none]: 
[10:17:31] Your host timezone: Europe/Berlin
[10:17:31] Use this timezone instead of GMT? (y/n) [y]: 
[10:17:35] Device hostname (short form, e.g. 'foo') [qemu-aarch64]: 
[10:17:38] Zap existing chroots to apply configuration? (y/n) [y]: 
[sudo] password for onny: 
[10:17:46] % rm -rf /home/onny/.local/var/pmbootstrap/chroot_native
[10:17:46] % rm -rf /home/onny/.local/var/pmbootstrap/chroot_rootfs_qemu-aarch64
[10:17:47] Cleared up ~1223 MB of space
[10:17:47] WARNING: The chroots and git repositories in the work dir do not get updated automatically.
[10:17:47] Run 'pmbootstrap status' once a day before working with pmbootstrap to make sure that everything is up-to-date.
[10:17:47] Done!
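pmbootstrap install
cd ~/.local/var/pmbootstrap/chroot_rootfs_qemu-aarch64
# Archive the whole rootfs as a gzip'd newc cpio (the format the kernel's
# initramfs loader expects).  The archiver itself has to run as root: with
# `sudo find ... | cpio ...` only find is privileged, so cpio runs as the
# user, reports "Cannot open" for root-only files (e.g. etc/shadow) and
# leaves them out of the ramdisk.  Running the whole pipeline under sudo
# fixes that; the output file is still created by the user's shell.
sudo sh -c 'find . -print0 | cpio --null --create --verbose --format=newc | gzip --best' > /tmp/ramdisk.cpio.gz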

compile kernel

# Build the kernel with the pmOS rootfs cpio embedded as initramfs.
sudo pacman -S aarch64-linux-gnu-gcc 
cd /tmp
git clone https://github.com/corellium/linux-sandcastle.git
cd linux-sandcastle
export ARCH=arm64
export CROSS_COMPILE=aarch64-linux-gnu-
make hx_h9p_defconfig
# ramdisk.cpio.gz is the archive created in the "create rootfs" step; the
# defconfig presumably picks it up from the source tree as the built-in
# initramfs (see CONFIG_INITRAMFS_SOURCE in .config).
cp /tmp/ramdisk.cpio.gz .
make -j4

flash kernel

sudo pacman -S checkra1n-cli git unzip # custom pi repo required
cd /tmp
git clone https://github.com/corellium/projectsandcastle
cd projectsandcastle/loader
# Pinned download; the 64-hex path component may be the archive's SHA-256 --
# if so, compare it with `sha256sum linux-sandcastle.zip` before unpacking.
wget https://assets.checkra.in/downloads/sandcastle/0175ae56bcba314268d786d1239535bca245a7b126d62a767e12de48fd20f470/linux-sandcastle.zip
unzip linux-sandcastle.zip
# builds ./load-linux
make
sudo checkra1n -cp # reboot into pogo, might require dfu mode on phone
# Replace the shipped kernel with the one built above (the zip's dtbpack is
# reused); load-linux takes the lzma-compressed image.
cp /tmp/linux-sandcastle/arch/arm64/boot/Image linux-sandcastle/Linux
lzma -z linux-sandcastle/Linux
# Pushes kernel + devicetree pack to the phone over USB while it sits in the
# pongo shell from the checkra1n step (sudo presumably for raw USB access).
sudo ./load-linux linux-sandcastle/Linux.lzma linux-sandcastle/dtbpack

kernel boot args

earlycon=hx_uart,0x20a0c0000 console=tty0 console=ttyHX0 selinux=1 enforcing=0 androidboot.selinux=permissive printk.devkmsg=on androidboot.hardware=ranchu

CONFIG_CMDLINE="earlycon=hx_uart,0x20a0c0000 console=ttyHX0 root=/dev/ram0"

boot from nand and apfs partition

/dev/block/nvme0n3
mount apfs /dev/block/nvme0n1p1+0 /hostfs ro
/apfs/nand

+#define LOOP_SET_FD             0x4C00
+#define LOOP_SET_STATUS         0x4C02
+#define LOOP_SET_BLOCK_SIZE     0x4C09
+
+#define LOOP_DEVICE_NAME        "loop0"
+#define LOOP_BACKING_FILE       "/apfs/nand"
+
+#define APFS_MOUNT_POINT        "/apfs"
+#define APFS_DEVICE_NAME        "nvme0n1p1"
+#define APFS_MAX_VOL            16
  • look for
    • nvme
    • fstab
    • apfs
# On the phone (iOS shell): list the APFS volumes and find the one labelled
# ANDROID.
ls /dev/disk0s1s*
/System/Library/Filesystems/apfs.fs/apfs.util -p /dev/disk0s1s* # look for label "ANDROID"
# -A presumably adds a volume named Android to the existing container on
# disk0s1.  This modifies the phone's APFS container: check the flags against
# newfs_apfs usage and make sure the device is backed up first.
create new: newfs_apfs -A -v Android -e /dev/disk0s1
mkdir -p /tmp/mnt
# DISK is a placeholder for the /dev/disk0s1sN volume found above; quote it.
mount -t apfs ${DISK} /tmp/mnt 
# the Android NAND image lives at the volume root (cf. LOOP_BACKING_FILE)
/tmp/mnt/nand
/System/Library/Filesystems/apfs.fs/apfs.util -p VOLUME_HERE # has to say ANDROID
# reclaiming space, just mount volume and remove nand

new writeup (18.04.20)

access dfu

# Boot the phone with checkra1n in CLI mode (device in DFU first).
checkra1n -c
# local 2222 -> phone port 44 (checkra1n's ssh) over USB
iproxy 2222 44 # leave this process running in the background during ssh access

Wait until the phone has rebooted, then access the iPhone via ssh

# "alpine" is the stock root password; change it with `passwd` on the phone
# and prefer `sshpass -e` ($SSHPASS) over `-p`, which shows the password in
# `ps` and the shell history.
sshpass -p "alpine" ssh -p2222 root@localhost
# On the phone: add an APFS volume named Android to the container on disk0s1.
# This modifies the phone's APFS container -- double-check the device and
# keep a backup.  The new volume shows up as /dev/disk0s1sN (N=7 here but
# may differ; list /dev/disk0s1s* to find it).
newfs_apfs -A -v Android -e /dev/disk0s1
# confirm the label of the new volume
/System/Library/Filesystems/apfs.fs/apfs.util -p /dev/disk0s1s7
mkdir /tmp/mnt
mount -t apfs /dev/disk0s1s7 /tmp/mnt
# NOTE(review): the scp in the next section copies into /tmp/mnt; with the
# volume unmounted here the image lands on the root filesystem instead.
# Presumably this umount is only a mount test -- re-mount before copying.
umount /tmp/mnt

on host

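pmbootstrap init
pmbootstrap install
# Copy the built rootfs image onto the phone's Android APFS volume.  The
# target only lands on that volume while it is mounted on /tmp/mnt (the
# on-phone steps above end with `umount /tmp/mnt` -- re-mount first,
# otherwise the image is written to the phone's root filesystem).
# "alpine" is the stock root password of a jailbroken device: change it with
# `passwd`, and prefer `sshpass -e` (password from $SSHPASS) over `-p`, which
# exposes it to every local user via `ps` and the shell history.
sshpass -p "alpine"  scp -P2222 -v ~/.local/var/pmbootstrap/chroot_native/home/pmos/rootfs/qemu-aarch64.img root@localhost:/tmp/mnt/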
  • access dfu mode (volume + power …)

bla

  • next steps
    • xterm mount partition
    • list files
    • ssh via wifi
# Host side: bring up a Wi-Fi access point for the phone.  create_ap with no
# passphrase argument creates an OPEN network named "test" -- anyone in range
# can join and reach the phone's ssh; pass a passphrase as 4th argument.
pacman -S create_ap
create_ap wlan0 wlan0 test
# On the phone (Linux): mount volume 6 of the APFS container read-only, then
# loop-mount the ext4 partition inside the pmOS image at its byte offset.
/bin/mount -t apfs -o ro,relatime,vol=6 /dev/nvme0n1p1 /mnt
/bin/ls /mnt
# Creates the loop node in the current directory, not /dev; 755 is an unusual
# mode for a block device (0660 is conventional).  Major 7 = loop.
/bin/mknod -m755 loop0 b 7 0
/bin/mount -t ext4 -o loop,offset=60817408 /mnt/qemu-aarch64.img /hostfs
/bin/ls /hostfs
# shows the major:minor the kernel assigned, to check against the mknod above
/bin/cat /sys/class/block/loop0/dev

try

/bin/mknod -m755 /dev/block/loop0 b 7 0
  • next mount image
  • init pivot_root
  • initrd

possible kernel boot arguments

/vmlinuz ro initrd=/initrd.img root=/dev/md0 rootflags=offset=2564014080
kernel ... root=/dev/sdb5 loop=/somedir/myownrootfs ...
custom-cpio/initramfs_org/init
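#!/bin/sh
# Minimal initramfs /init: mount the pmOS disk image from the APFS volume
# read-only and hand over to /sbin/init.  Runs as PID 1, so a failed step is
# reported on the console before exiting; the kernel then panics ("Attempted
# to kill init"), which is preferable to starting init on a half-mounted tree.

fail() {
  printf 'init: %s failed\n' "$*" >/dev/console
  exit 1
}

# devtmpfs does not get automounted for initramfs
/bin/mount -t devtmpfs devtmpfs /dev || fail "mount devtmpfs"

# vol=6 is the APFS volume holding qemu-aarch64.img; keep it read-only so
# Linux never writes into the iOS container.
/bin/mount -t apfs -o ro,relatime,vol=6 /dev/nvme0n1p1 /mnt || fail "mount apfs"
# -o 60817408: byte offset of the ext4 partition inside the image (see the
# sfdisk -l step); -r keeps the loop device read-only.
/sbin/losetup /dev/loop0 /mnt/qemu-aarch64.img -o 60817408 -r || fail "losetup"
# -p: neither /mnt nor /tmp is guaranteed to exist in the initramfs
/bin/mkdir -p /mnt /tmp/hostfs
/bin/mount -t ext4 -o ro /dev/loop0 /tmp/hostfs || fail "mount ext4"

exec 0</dev/console
exec 1>/dev/console
exec 2>/dev/console
exec /sbin/init "$@"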
init
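#!/bin/sh
# initramfs /init: assemble the root filesystem (pmOS ext4 image inside an
# APFS volume) read-only and switch_root into it.  Runs as PID 1.  Every
# mount step is checked: on failure the step is named on the console and the
# script exits, which makes the kernel panic ("Attempted to kill init") --
# clearer than switch_root-ing into an empty /new_root.

fail() {
  printf 'init: %s failed\n' "$*" >/dev/console
  exit 1
}

# devtmpfs does not get automounted for initramfs
/bin/mount -t devtmpfs devtmpfs /dev || fail "mount devtmpfs"

/bin/mkdir -p /proc /dev /sys /mnt /tmp
/bin/mount -t proc proc /proc || fail "mount proc"
/bin/mount -t sysfs sysfs /sys || fail "mount sysfs"
# /dev/misc is not created by devtmpfs; without it the mknod below fails.
/bin/mkdir -p /dev/misc
/bin/mknod /dev/misc/rtc0 c 254 0
# populate /dev from sysfs (busybox mdev)
/sbin/mdev -s
/bin/mkdir -p /new_root

# vol=6 is the APFS volume holding the pmOS image; read-only so Linux never
# writes into the iOS container.
/bin/mount -t apfs -o ro,relatime,vol=6 /dev/nvme0n1p1 /mnt || fail "mount apfs"
# -o 60817408: byte offset of the ext4 partition inside the image (see the
# sfdisk -l step); -r keeps the loop device read-only.
/sbin/losetup /dev/loop0 /mnt/qemu-aarch64.img -o 60817408 -r || fail "losetup"
/bin/mount -t ext4 -o ro /dev/loop0 /new_root || fail "mount ext4"

exec 0</dev/console
exec 1>/dev/console
exec 2>/dev/console

# busybox switch_root chroots into NEW_ROOT before exec'ing NEW_INIT, so the
# init path is relative to the new root: /sbin/init, not /new_root/sbin/init.
exec /sbin/switch_root -c /dev/console /new_root /sbin/init
#exec /sbin/init "$@"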
custom-cpio/initramfs_org/init
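#!/bin/sh
# initramfs /init: read-only pmOS ext4 image (inside APFS vol 6) as the lower
# layer plus a tmpfs upper layer, joined by overlayfs into /sysroot, then
# switch_root.  Everything the running system writes lands in the tmpfs and
# is gone after reboot; the image and the iOS container are never written.
# Runs as PID 1: a failed setup step is named on the console before exiting,
# which makes the kernel panic instead of booting a broken tree.

fail() {
  printf 'init: %s failed\n' "$*" >/dev/console
  exit 1
}

# devtmpfs does not get automounted for initramfs
/bin/mount -t devtmpfs devtmpfs /dev || fail "mount devtmpfs"

/bin/mkdir -p /proc /dev /sys /mnt /tmp
/bin/mount -t proc proc /proc || fail "mount proc"
/bin/mount -t sysfs sysfs /sys || fail "mount sysfs"
# /dev/misc is not created by devtmpfs; without it the mknod below fails.
/bin/mkdir -p /dev/misc
/bin/mknod /dev/misc/rtc0 c 254 0
# populate /dev from sysfs (busybox mdev)
/sbin/mdev -s

/bin/mkdir -p /mnt/apfs /mnt/ro /mnt/rw

/bin/mount -t apfs -o ro,relatime,vol=6 /dev/nvme0n1p1 /mnt/apfs || fail "mount apfs"

# -o 60817408: byte offset of the ext4 partition inside the image (see the
# sfdisk -l step); -r keeps the loop device read-only.
/sbin/losetup /dev/loop0 /mnt/apfs/qemu-aarch64.img -o 60817408 -r || fail "losetup"
/bin/mount -t ext4 -o ro /dev/loop0 /mnt/ro || fail "mount ext4"

# volatile upper layer: data/ receives the writes, work/ is overlayfs scratch
/bin/mount -t tmpfs tmpfs /mnt/rw || fail "mount tmpfs"
/bin/mkdir -p /mnt/rw/data /mnt/rw/work
/bin/mkdir -p /sysroot

/bin/mount -t overlay -o lowerdir=/mnt/ro,upperdir=/mnt/rw/data,workdir=/mnt/rw/work overlay /sysroot || fail "mount overlay"

exec 0</dev/console
exec 1>/dev/console
exec 2>/dev/console

# Best-effort teardown of the initramfs environment before switching root:
# stop the bring-up helpers (telnetd, mdev, the fb refresher) that may still
# hold files open, then unmount what was mounted.  Errors for anything that
# was never mounted (e.g. /boot, /dev/pts) are expected and harmless.
killall telnetd mdev msm-fb-refresher 2>/dev/null
umount /boot
umount /proc
umount /sys
umount /dev/pts
umount /dev

# switch_root execs /sbin/init relative to the new root after chroot-ing
exec switch_root /sysroot /sbin/init
#exec /sbin/init "$@"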

uncompress initramfs

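# Inspect the pmOS image and unpack an initramfs on the host.
# sfdisk prints the partition table; the ext4 root's start sector times the
# sector size (assuming 512 bytes) is the offset used below (60817408 here).
sfdisk -l ~/.local/var/pmbootstrap/chroot_native/home/pmos/rootfs/qemu-aarch64.img
# add "ro" to the options if the image is only being inspected
mount -t ext4 -o loop,offset=60817408 /home/onny/.local/var/pmbootstrap/chroot_native/home/pmos/rootfs/qemu-aarch64.img /mnt
# Unpack the initrd into the current directory.  --no-absolute-filenames (as
# in the "extract cpio" step above) keeps an archive that carries absolute
# paths from writing over the host's /; -d creates directories, -m keeps
# mtimes.  /boot here is the host's own initrd -- presumably /mnt/boot (the
# image's) was meant; confirm.
zcat /boot/initrd-$(uname -r).img | cpio -idmv --no-absolute-filenames
# kernel config for the USB ethernet gadget (kconfig lines, not shell)
CONFIG_USB_ETH=y
CONFIG_USB_RNDIS=y
# write a marker into the kernel log, handy for finding your place in dmesg
echo MESSAGE > /dev/kmsg
dmesg > /root/root/initramfs.dmesg # write to apfs volume ?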

usb cdc acm

on iphone

modprobe g_serial

on archlinux

modprobe cdc_acm

next

make hx_h9p_defconfig_2
# enter the pmOS rootfs chroot
pmbootstrap chroot -r
# allow root logins on the USB gadget serial console (ttyGS0)
$ echo "ttyGS0" >> /etc/securetty
# authenticated console: getty presents a login prompt on ttyGS0
echo 'GS0::respawn:/sbin/getty -L ttyGS0 115200 vt100' >> /etc/inittab
 
# Unauthenticated variant (inittab line): -n skips the login prompt and
# -l /bin/sh execs a shell directly, i.e. a root shell for whoever plugs into
# USB.  Bring-up only; switch back to the login line above before the phone
# leaves the bench.
ttyGS0::respawn:/sbin/getty -n -l /bin/sh ttyGS0 9600 linux
# host side: talk to the gadget serial port (cdc_acm -> /dev/ttyACM0)
sudo minicom -D /dev/ttyACM0 -b 115200

new

rc-service lightdm restart
logread
/usr/share/phosh/rootston.ini
/usr/bin/phoc -C /usr/share/phosh/rootston.ini -E bash -lc 'gnome-session --builtin --disable-acceleration-check --session=phosh'
/usr/bin/phosh
[...]
# Run gnome-session through a login shell so it picks
# variables from /etc/profile.d (XDG_*)
# NOTE(review): `-z "WLR_BACKENDS"` tests the literal string, not the
# variable, so the condition is constant and the assignment always runs;
# presumably the intent was to default WLR_BACKENDS only when unset (e.g.
# `: "${WLR_BACKENDS:=drm,libinput}"`) -- confirm against upstream phosh.
[ -z "WLR_BACKENDS" ] || WLR_BACKENDS=drm,libinput
export WLR_BACKENDS
# COMPOSITOR, ROOTSTON_INI and gnome_session_args come from the part of
# /usr/bin/phosh elided above ([...]).
exec "${COMPOSITOR}" -C "${ROOTSTON_INI}" -E "bash -lc 'gnome-session $(gnome_session_args)'"
# start phosh inside its own session bus
dbus-run-session /usr/bin/phosh
  • fbdev
  • llvmpipe, LIBGL_ALWAYS_SOFTWARE=1 + mesa
  • softpipe
# Force Mesa software rendering (llvmpipe) and start phosh under phoc without
# gnome-session; SKIP_GNOME_SESSION is presumably read by the phoc/phosh
# wrapper scripts -- confirm.
LIBGL_ALWAYS_SOFTWARE=1 SKIP_GNOME_SESSION=1 /usr/bin/phoc -E '/usr/bin/phosh -U'