iphone7

iphone7 [2020/04/22 11:22] – [new writeup (18.04.20)] 2a02:8071:3eba:0:6267:20ff:fe89:d800iphone7 [2021/10/31 10:42] (current) – external edit 127.0.0.1
Line 1: Line 1:
 +  * checkra.in
 +  * https://projectsandcastle.org
 +  * https://www.reddit.com/r/jailbreak/comments/fdk68w/tutorial_using_project_sandcastle_on_linux/
 +<code bash>
 +pacman -S usbmuxd libusbmuxd checkra1n-cli sshpass wget git unzip
 +iproxy 2222 44
 +cd /tmp
 +git clone https://github.com/corellium/projectsandcastle
 +cd projectsandcastle/loader
 +wget https://assets.checkra.in/downloads/sandcastle/0175ae56bcba314268d786d1239535bca245a7b126d62a767e12de48fd20f470/linux-sandcastle.zip
 +unzip linux-sandcastle.zip
 +sshpass -p "alpine" scp -P2222 android-sandcastle/isetup root@localhost:/tmp
 +sshpass -p "alpine" ssh -p2222 root@localhost "chmod 755 /tmp/isetup && /tmp/isetup"
 +make
 +# enter dfu
 +checkra1n -cp
 +./load-linux linux-sandcastle/Linux.lzma linux-sandcastle/dtbpack
 +</code>
 +  * some commands need root access
 +===== linux-buildroot =====
 +<code bash>
 +pacman -S cpio rsync bc
 +git clone https://github.com/corellium/sandcastle-buildroot.git
 +cd sandcastle-buildroot
 +make menuconfig # exit and save
 +make
 +lzma -z output/images/Image
 +mv output/images/Image.lzma output/images/Linux.lzma
 +</code>
  
 +===== linux-sandcastle =====
 +<code bash>
 +pacman -S arm-none-eabi-gcc
 +git clone https://github.com/corellium/linux-sandcastle.git
 +cd linux-sandcastle
 +#export PATH="/home/onny/projects/x-tools8/aarch64-unknown-linux-gnu/bin:$PATH"
 +export ARCH=arm64
 +#export CROSS_COMPILE=arm-none-eabi-
 +export CROSS_COMPILE=aarch64-unknown-linux-gnu-
 +make hx_h9p_defconfig
 +make -j6
 +make dtbs
 +</code>
 +new
 +<code bash>
 +pacman -S aarch64-linux-gnu-gcc 
 +git clone https://github.com/corellium/linux-sandcastle.git
 +cd linux-sandcastle
 +export ARCH=arm64
 +export CROSS_COMPILE=aarch64-linux-gnu-
 +make hx_h9p_defconfig
 +# copy ramdisk.cpio.gz from buildroot (file has maybe other name)
 +make -j4
 +lzma -z arch/arm64/boot/Image # Linux.lzma
 +# make dtbs
 +</code>
 +
 +===== custom rootfs =====
 +<code bash>
 +find . -print0 | cpio --null --create --verbose --format=newc | gzip --best > /boot/custom-initramfs.cpio.gz
 +</code>
 +extract cpio
 +<code bash>
 +cpio --extract --make-directories --format=newc --no-absolute-filenames < initramfs.cpio
 +</code>
 +
 +===== complete new writeup =====
 +create rootfs
 +<code bash>
 +sudo pacman -S pmbootstrap
 +[onny@onnuex postmarketos_rootfs]$ pmbootstrap init
 +[10:16:43] Location of the 'work' path. Multiple chroots (native, device arch, device rootfs) will be created in there.
 +[10:16:43] Work path [/home/onny/.local/var/pmbootstrap]: 
 +[10:16:45] NOTE: pmaports path: /home/onny/.local/var/pmbootstrap/cache_git/pmaports
 +[10:16:45] Choose your target device vendor (either an existing one, or a new one for porting).
 +[10:16:45] Available vendors (48): alcatel, amazon, asus, bq, chuwi, fairphone, finepower, fujitsu, google, gp, hisense, htc, huawei, infocus, jolla, leeco, lenovo, lg, medion, meizu, motorola, nextbit, nobby, nokia, oneplus, oppo, ouya, pine64, planet, purism, qemu, raspberry, samsung, semc, sharp, sony, surftab, t2m, tablet, teclast, tokio, wiko, wileyfox, wingtech, xiaomi, yu, zte, zuk
 +[10:16:45] Vendor [qemu]: 
 +[10:16:47] Available codenames (2): aarch64, amd64
 +[10:16:47] Device codename [aarch64]: 
 +[10:16:49] Which kernel do you want to use with your device?
 +[10:16:49] Available kernels (2):
 +[10:16:49] * lts: Alpine LTS kernel
 +[10:16:49] * virt: Alpine Virt kernel (minimal, no audio)
 +[10:16:49] Kernel [lts]: virt
 +[10:17:07] Username [onny]: 
 +[10:17:08] Available user interfaces (12): 
 +[10:17:08] * none: No graphical environment
 +[10:17:08] * gnome: (Wayland) Gnome Shell (not for armhf)
 +[10:17:08] * i3wm: (X11) Tiling WM (keyboard required)
 +[10:17:08] * kodi: (Wayland) 10-foot UI useful on TV's
 +[10:17:08] * mate: (X11) MATE Desktop Environment, fork of GNOME2 (stylus recommended)
 +[10:17:08] * phosh: (Wayland) Mobile UI developed for the Librem 5 (works only with numeric passwords!)
 +[10:17:08] * plasma-desktop: (X11/Wayland) KDE Desktop Environment (works well with tablets)
 +[10:17:08] * plasma-mobile: (Wayland) Mobile variant of KDE Plasma (slow without hardware acceleration, allows only numeric passwords!)
 +[10:17:08] * plasma-mobile-extras: Plasma Mobile with more apps pre-installed (video and music players, pdf reader, etc.)
 +[10:17:08] * shelli: Plain console with touchscreen gesture support
 +[10:17:08] * sway: (Wayland) Tiling WM, drop-in replacement for i3wm (DOES NOT RUN WITHOUT HW ACCELERATION!)
 +[10:17:08] * weston: (Wayland) Reference compositor (demo, not a phone interface)
 +[10:17:08] * xfce4: (X11) Lightweight GTK+2 desktop (stylus recommended)
 +[10:17:08] User interface [weston]: phosh
 +[10:17:19] Build options: Parallel jobs: 5, ccache per arch: 5G
 +[10:17:19] Change them? (y/n) [n]: 
 +[10:17:24] Additional packages that will be installed to rootfs. Specify them in a comma separated list (e.g.: vim,file) or "none"
 +[10:17:24] Extra packages [none]: 
 +[10:17:31] Your host timezone: Europe/Berlin
 +[10:17:31] Use this timezone instead of GMT? (y/n) [y]: 
 +[10:17:35] Device hostname (short form, e.g. 'foo') [qemu-aarch64]: 
 +[10:17:38] Zap existing chroots to apply configuration? (y/n) [y]: 
 +[sudo] password for onny: 
 +[10:17:46] % rm -rf /home/onny/.local/var/pmbootstrap/chroot_native
 +[10:17:46] % rm -rf /home/onny/.local/var/pmbootstrap/chroot_rootfs_qemu-aarch64
 +[10:17:47] Cleared up ~1223 MB of space
 +[10:17:47] WARNING: The chroots and git repositories in the work dir do not get updated automatically.
 +[10:17:47] Run 'pmbootstrap status' once a day before working with pmbootstrap to make sure that everything is up-to-date.
 +[10:17:47] Done!
 +pmbootstrap install
 +cd ~/.local/var/pmbootstrap/chroot_rootfs_qemu-aarch64
 +sudo find . -print0 | cpio --null --create --verbose --format=newc | gzip --best > /tmp/ramdisk.cpio.gz
 +</code>
 +compile kernel
 +<code bash>
 +sudo pacman -S aarch64-linux-gnu-gcc 
 +cd /tmp
 +git clone https://github.com/corellium/linux-sandcastle.git
 +cd linux-sandcastle
 +export ARCH=arm64
 +export CROSS_COMPILE=aarch64-linux-gnu-
 +make hx_h9p_defconfig
 +cp /tmp/ramdisk.cpio.gz .
 +make -j4
 +</code>
 +flash kernel
 +<code bash>
 +sudo pacman -S checkra1n-cli git unzip # custom pi repo required
 +cd /tmp
 +git clone https://github.com/corellium/projectsandcastle
 +cd projectsandcastle/loader
 +wget https://assets.checkra.in/downloads/sandcastle/0175ae56bcba314268d786d1239535bca245a7b126d62a767e12de48fd20f470/linux-sandcastle.zip
 +unzip linux-sandcastle.zip
 +make
 +sudo checkra1n -cp # reboot into pogo, might require dfu mode on phone
 +cp /tmp/linux-sandcastle/arch/arm64/boot/Image linux-sandcastle/Linux
 +lzma -z linux-sandcastle/Linux
 +sudo ./load-linux linux-sandcastle/Linux.lzma linux-sandcastle/dtbpack
 +</code>
 +kernel boot args
 +<code>
 +earlycon=hx_uart,0x20a0c0000 console=tty0 console=ttyHX0 selinux=1 enforcing=0 androidboot.selinux=permissive printk.devkmsg=on androidboot.hardware=ranchu
 +
 +CONFIG_CMDLINE="earlycon=hx_uart,0x20a0c0000 console=ttyHX0 root=/dev/ram0"
 +</code>
 +===== boot from nand and apfs partition =====
 +<code>
 +/dev/block/nvme0n3
 +mount apfs /dev/block/nvme0n1p1+0 /hostfs ro
 +/apfs/nand
 +
 ++#define LOOP_SET_FD             0x4C00
 ++#define LOOP_SET_STATUS         0x4C02
 ++#define LOOP_SET_BLOCK_SIZE     0x4C09
 ++
 ++#define LOOP_DEVICE_NAME        "loop0"
 ++#define LOOP_BACKING_FILE       "/apfs/nand"
 ++
 ++#define APFS_MOUNT_POINT        "/apfs"
 ++#define APFS_DEVICE_NAME        "nvme0n1p1"
 ++#define APFS_MAX_VOL            16
 +
 +</code>
 +  * look for
 +    * nvme
 +    * fstab
 +    * apfs
 +<code>
 +ls /dev/disk0s1s*
 +/System/Library/Filesystems/apfs.fs/apfs.util -p /dev/disk0s1s* # look for label "ANDROID"
 +create new: newfs_apfs -A -v Android -e /dev/disk0s1
 +mkdir -p /tmp/mnt
 +mount -t apfs ${DISK} /tmp/mnt 
 +/tmp/mnt/nand
 +/System/Library/Filesystems/apfs.fs/apfs.util -p VOLUME_HERE # has to say ANDROID
 +# reclaiming space, just mount volume and remove nand
 +</code>
 +
 +===== new writeup (18.04.20) =====
 +access dfu
 +<code bash>
 +checkra1n -c
 +iproxy 2222 44 # leave this process running in the background during ssh access
 +</code>
 +Wait until reboot, than access the iPhone via ssh
 +<code bash>
 +sshpass -p "alpine" ssh -p2222 root@localhost
 +newfs_apfs -A -v Android -e /dev/disk0s1
 +/System/Library/Filesystems/apfs.fs/apfs.util -p /dev/disk0s1s7
 +mkdir /tmp/mnt
 +mount -t apfs /dev/disk0s1s7 /tmp/mnt
 +umount /tmp/mnt
 +</code>
 +on host
 +<code bash>
 +pmbootstrap init
 +pmbootszrap install
 +sshpass -p "alpine"  scp -P2222 -v ~/.local/var/pmbootstrap/chroot_native/home/pmos/rootfs/qemu-aarch64.img root@localhost:/tmp/mnt/
 +</code>
 +  * access dfu mode (volume + power ...)
 +bla
 +  * next steps
 +    * xterm mount partition
 +    * list files
 +    * ssh via wifi
 +<code bash>
 +pacman -S create_ap
 +create_ap wlan0 wlan0 test
 +</code>
 +<code bash>
 +/bin/mount -t apfs -o ro,relatime,vol=6 /dev/nvme0n1p1 /mnt
 +/bin/ls /mnt
 +/bin/mknod -m755 loop0 b 7 0
 +/bin/mount -t ext4 -o loop,offset=60817408 /mnt/qemu-aarch64.img /hostfs
 +/bin/ls /hostfs
 +/bin/cat /sys/class/block/loop0/dev
 +</code>
 +try
 +<code bash>
 +/bin/mknod -m755 /dev/block/loop0 b 7 0
 +</code>
 +  * next mount image
 +  * init pivot_root
 +  * initrd
 +possible kernel boot arguments
 +<code bash>
 +/vmlinuz ro initrd=/initrd.img root=/dev/md0 rootflags=offset=2564014080
 +kernel ... root=/dev/sdb5 loop=/somedir/myownrootfs ...
 +</code>
 +<file - custom-cpio/initramfs_org/init>
 +#!/bin/sh
 +# devtmpfs does not get automounted for initramfs
 +/bin/mount -t devtmpfs devtmpfs /dev
 +
 +/bin/mount -t apfs -o ro,relatime,vol=6 /dev/nvme0n1p1 /mnt
 +/sbin/losetup /dev/loop0 /mnt/qemu-aarch64.img -o 60817408 -r
 +mkdir /tmp/hostfs
 +/bin/mount -t ext4 -o ro /dev/loop0 /tmp/hostfs
 +
 +exec 0</dev/console
 +exec 1>/dev/console
 +exec 2>/dev/console
 +exec /sbin/init "$@"
 +</file>
 +<file - init>
 +#!/bin/sh
 +# devtmpfs does not get automounted for initramfs
 +/bin/mount -t devtmpfs devtmpfs /dev
 +
 +/bin/mkdir -p /proc /dev /sys /mnt /tmp
 +/bin/mount -t proc proc /proc
 +/bin/mount -t sysfs sysfs /sys
 +/bin/mknod /dev/misc/rtc0 c 254 0
 +/sbin/mdev -s
 +/bin/mkdir -p /new_root
 +
 +/bin/mount -t apfs -o ro,relatime,vol=6 /dev/nvme0n1p1 /mnt
 +/sbin/losetup /dev/loop0 /mnt/qemu-aarch64.img -o 60817408 -r
 +/bin/mount -t ext4 -o ro /dev/loop0 /new_root
 +
 +exec 0</dev/console
 +exec 1>/dev/console
 +exec 2>/dev/console
 +
 +exec /sbin/switch_root -c /dev/console /new_root /new_root/sbin/init
 +#exec /sbin/init "$@"
 +</file>
 +  * init reference postmarketos https://github.com/postmarketOS/pmbootstrap/blob/master/aports/main/postmarketos-mkinitfs/init.sh.in
 +  * http://weng-blog.com/2015/05/Build-Linux-kernel-rootfs-from-scratch/
 +  * next
 +    * use small postmarketos initramfs
 +    * https://unix.stackexchange.com/questions/27449/mount-a-filesystem-read-only-and-redirect-writes-to-ram
 +    * steps mounting tmpfs, overlayfs https://unix.stackexchange.com/questions/364262/freeing-initramfs-ram-after-switching-root-when-using-overlayfs
 +    * (nich so wichtig, custom initramfs bootstrap https://unix.stackexchange.com/questions/66050/how-do-i-build-a-read-only-linux-system-that-only-writes-to-the-ram/93031#93031)
 +    * overlayfs script https://gist.github.com/niun/34c945d70753fc9e2cc7
 +  * notes on entering dfu
 +    * turn off phone
 +    * press 4+10 seconds after logo appears
 +<file - custom-cpio/initramfs_org/init>
 +#!/bin/sh
 +# devtmpfs does not get automounted for initramfs
 +/bin/mount -t devtmpfs devtmpfs /dev
 +
 +/bin/mkdir -p /proc /dev /sys /mnt /tmp
 +/bin/mount -t proc proc /proc
 +/bin/mount -t sysfs sysfs /sys
 +/bin/mknod /dev/misc/rtc0 c 254 0
 +/sbin/mdev -s
 +
 +/bin/mkdir -p /mnt/apfs /mnt/ro /mnt/rw
 +
 +/bin/mount -t apfs -o ro,relatime,vol=6 /dev/nvme0n1p1 /mnt/apfs
 +
 +/sbin/losetup /dev/loop0 /mnt/apfs/qemu-aarch64.img -o 60817408 -r
 +/bin/mount -t ext4 -o ro /dev/loop0 /mnt/ro
 +
 +/bin/mount -t tmpfs tmpfs /mnt/rw
 +/bin/mkdir -p /mnt/rw/data /mnt/rw/work
 +/bin/mkdir -p /sysroot
 +
 +/bin/mount -t overlay -o lowerdir=/mnt/ro,upperdir=/mnt/rw/data,workdir=/mnt/rw/work overlay /sysroot
 +
 +exec 0</dev/console
 +exec 1>/dev/console
 +exec 2>/dev/console
 +
 +killall telnetd mdev msm-fb-refresher 2>/dev/null
 +umount /boot
 +umount /proc
 +umount /sys
 +umount /dev/pts
 +umount /dev
 +
 +exec switch_root /sysroot /sbin/init
 +#exec /sbin/init "$@"
 +</file>
 +uncompress initramfs
 +<code bash>
 +sfdisk -l ~/.local/var/pmbootstrap/chroot_native/home/pmos/rootfs/qemu-aarch64.img
 +mount -t ext4 -o loop,offset=60817408 /home/onny/.local/var/pmbootstrap/chroot_native/home/pmos/rootfs/qemu-aarch64.img /mnt
 +zcat /boot/initrd-$(uname -r).img | cpio -idmv
 +</code>
 +<code>
 +CONFIG_USB_ETH=y
 +CONFIG_USB_RNDIS=y
 +</code>
 +  * next debug initramfs bootup via usb ethernet
 +  * https://wiki.postmarketos.org/wiki/USB_Network
 +<code bash>
 +echo MESSAGE > /dev/kmsg
 +dmesg > /root/root/initramfs.dmesg # write to apfs volume ?
 +</code>
 +  * telnet debug shell https://wiki.postmarketos.org/wiki/Inspecting_the_initramfs
 +  * https://www.kernel.org/doc/html/latest/usb/gadget_serial.html
 +usb cdc acm
 +  * https://mcuoneclipse.com/2015/12/26/usb-cdc-with-the-raspberry-pi/
 +  * CONFIG_USB_G_SERIAL https://openwrt.org/docs/guide-user/hardware/usb_gadget
 +on iphone
 +<code bash>
 +modprobe g_serial
 +</code>
 +on archlinux
 +<code bash>
 +modprobe cdc_acm
 +</code>
 +next
 +<code bash>
 +make hx_h9p_defconfig_2
 +</code>
 +  * console=ttyGS0,115200 https://wiki.postmarketos.org/wiki/Mainlining_FAQ
 +<code bash>
 +pmbootstrap chroot -r
 +$ echo "ttyGS0" >> /etc/securetty
 +</code>
 +  * https://github.com/ckuethe/usbarmory/wiki/Serial-Console
 +<code bash>
 +echo 'GS0::respawn:/sbin/getty -L ttyGS0 115200 vt100' >> /etc/inittab
 +
 +ttyGS0::respawn:/sbin/getty -n -l /bin/sh ttyGS0 9600 linux
 +</code>
 +<code bash>
 +sudo minicom -D /dev/ttyACM0 -b 115200
 +</code>
 +===== new =====
 +<code bash>
 +rc-service lightdm restart
 +logread
 +/usr/share/phosh/rootston.ini
 +/usr/bin/phoc -C /usr/share/phosh/rootston.ini -E bash -lc 'gnome-session --builtin --disable-acceleration-check --session=phosh'
 +</code>
 +
 +<file - /usr/bin/phosh>
 +[...]
 +# Run gnome-session through a login shell so it picks
 +# variables from /etc/profile.d (XDG_*)
 +[ -z "WLR_BACKENDS" ] || WLR_BACKENDS=drm,libinput
 +export WLR_BACKENDS
 +exec "${COMPOSITOR}" -C "${ROOTSTON_INI}" -E "bash -lc 'gnome-session $(gnome_session_args)'"
 +</file>
 +<code bash>
 +dbus-run-session /usr/bin/phosh
 +</code>
 +  * fbdev
 +  * llvmpipe, LIBGL_ALWAYS_SOFTWARE=1 + mesa
 +  * softpipe
 +<code bash>
 +LIBGL_ALWAYS_SOFTWARE=1 SKIP_GNOME_SESSION=1 /usr/bin/phoc -E '/usr/bin/phosh -U'
 +</code>
 +  * https://gitlab.com/postmarketOS/pmaports/-/tree/device/iphone-sandcastle
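Review bot: `pmbootszrap install` in the "on host" block of the "new writeup (18.04.20)" section is a typo for `pmbootstrap install`, so that step fails as written; the same block then pushes the rootfs image to the phone with `sshpass -p "alpine"` (the stock root password of the checkra1n'd iOS side, also used in the first block), and the later "ssh via wifi" notes bring the device up on `create_ap wlan0 wlan0 test` without a passphrase, so the root password should be changed, or the notes should say it is still the default, before the phone is reachable over anything other than the localhost `iproxy 2222 44` tunnel. Separately, in the quoted `/usr/bin/phosh` fragment `[ -z "WLR_BACKENDS" ]` tests a literal string rather than `"$WLR_BACKENDS"`, so the `|| WLR_BACKENDS=drm,libinput` branch always runs; a one-line comment there would keep a reader from copying that form into the custom `init` scripts above.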