Last active
May 21, 2025 02:15
-
-
Save chris-pcguy/5ddb2c5b4c44cce635b4699e8eecd331 to your computer and use it in GitHub Desktop.
sepemu_dist0
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -xeu | |
| #cp /home/ios/lzfse.pc /home/ios/ioslibs-prefix/lib/pkgconfig/ | |
| BUILD_DIR="/home/ios/git/qemu-t8030.swsep6/build/" | |
| rm -rf /home/ios/qemu-t8030-prefix ${BUILD_DIR} | |
| mkdir -p ${BUILD_DIR} | |
| cd ${BUILD_DIR} | |
| LIBRARY_PATH=/home/ios/ioslibs-prefix/lib64/ ../configure --target-list=aarch64-softmmu,x86_64-softmmu --disable-capstone --enable-lzfse --disable-werror --extra-cflags="-I/home/ios/ioslibs-prefix/include -L/home/ios/ioslibs-prefix/lib64/ -O0" --enable-nettle --enable-debug | |
| #make -j16 all install | |
| make -j16 all | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -eu | |
| DEST="$1" | |
| mkdir -p "$DEST" ; cd "$DEST" | |
| #/home/ios/git/qemu-t8030/build/qemu-img create -f raw nvme.1 32G | |
| /home/ios/git/qemu-t8030/build/qemu-img create -f raw nvme.1 16G | |
| #/home/ios/git/qemu-t8030/build/qemu-img create -f raw nvme.1 8G | |
| /home/ios/git/qemu-t8030/build/qemu-img create -f raw nvme.2 8M | |
| /home/ios/git/qemu-t8030/build/qemu-img create -f raw nvme.3 128K | |
| /home/ios/git/qemu-t8030/build/qemu-img create -f raw nvme.4 8K | |
| /home/ios/git/qemu-t8030/build/qemu-img create -f raw nvram 8K | |
| /home/ios/git/qemu-t8030/build/qemu-img create -f raw nvme.6 4K | |
| /home/ios/git/qemu-t8030/build/qemu-img create -f raw nvme.7 1M | |
| /home/ios/git/qemu-t8030/build/qemu-img create -f raw nvme.8 3M | |
| /home/ios/git/qemu-t8030/build/qemu-img create -f raw sep_nvram 2K # only 2K for T8020, 64K for T8015 | |
| #/home/ios/git/qemu-t8030/build/qemu-img create -f raw sep_nvram 64K # only 2K for T8020, 64K for T8015 | |
| /home/ios/git/qemu-t8030/build/qemu-img create -f raw sep_ssc 128K # increased to 128K, might still not be enough in case that multilynx would ever be implemented | |
| ## | |
| sync # Very important for the following Qemu run, for whatever reason!!! | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # AP t8030/n104ap v14beta5 ; SEPROM t8030/AppleSEPROM-A13-...AP/AppleSEPROM-Cebu-B1 ; SEPFW t8030/n104ap AzulD 18G82 (iPhone12,1) v14.7.1 | |
| # sep-firmware.n104.RELEASE.im4p.out is decrypted, img4 -i sep-firmware.n104.RELEASE.im4p -o sep-firmware.n104.RELEASE.im4p.out -k ... | |
| set -eux | |
| SEPDIR=/home/ios/satamnt_1/qemu_t8030_data_0/ios_t8030_v14.7.1_0/iphone/Firmware/all_flash | |
| SEPVER=ff86cbb5e06c820266308202621604696d706c31820258ff87a3e8e0730e300c1604747a3073020407e78000ff868bc9da730e300c160461726d73020400d84000ff87a389da7382010e3082010a160474626d730482010036373166326665363234636164373234643365353332633464666361393732373734353966613362326232366635643962323032383061643961303037666635323834393936383138653962303461336434633034393061663833313630633464356330313832396536633635303836313230666133346539663263323165373237316265623231636139386237386464303064363037326530366464393962666163623262616362623261373830613465636161303363326361333930303931636334613461666231623737326238646234623865653566663365636437373135306531626566333633303034336637373665666265313130316538623433ff87a389da7282010e3082010a160474626d720482010034626631393164373134353637356364306264643131616166373734386138663933373363643865666234383830613130353237633938393833666636366538396438333330623730626237623561333530393864653735353265646635373762656166363137353235613831663161393838373838613865346665363734653936633439353066346136366136343231366561356438653333613833653530353962333536346564633533393664353539653337623030366531633637343633623736306336333164393163306339363965366662373130653962333061386131396338333166353565636365393835363331643032316134363361643030 | |
| SEPFW=sep-firmware.n104.RELEASE.im4p | |
| cd $SEPDIR | |
| SEPTICKET='/home/ios/t8030_sep_root_ticket.der' | |
| #SHSH='/home/ios/ios_verbose_booting_workdir0/___.shsh2' | |
| #TYPE='sepi' | |
| TYPE='rsep' | |
| # BuildManifest from AP (v14beta5) | |
| python3 /home/ios/create_septicket.py n104ap /home/ios/satamnt_1/qemu_t8030_data_0/ios_0/iphone/BuildManifest.plist /home/ios/git/qemu-t8030-tools/bootstrap_scripts/ticket.shsh2 "${SEPTICKET}" | |
| img4tool -t "${TYPE}" -d "$SEPVER" -c ${SEPFW}.out.new ${SEPFW}.out | |
| img4 -F -o ${SEPFW}.out.new.img4 -i ${SEPFW}.out.new -M "${SEPTICKET}" | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # adapted from Trung's create_apticket.py | |
| import sys, plistlib | |
| from pyasn1.type import constraint | |
| from pyasn1.type.univ import * | |
| from pyasn1.type.char import * | |
| from pyasn1.type.namedtype import * | |
| from pyasn1.type.tag import * | |
| from pyasn1.type.opentype import * | |
| from pyasn1.codec.der.decoder import decode | |
| from pyasn1.codec.der.encoder import encode | |
| from binascii import hexlify | |
| from pyasn1_modules import rfc5280 | |
| class APTicketMANB(Sequence): | |
| componentType = NamedTypes( | |
| NamedType('type', IA5String()), | |
| NamedType('payload', Set()), | |
| ) | |
| tagSet = Sequence.tagSet.tagExplicitly( | |
| Tag(192, 32, 1296125506) | |
| ) | |
| class APTicket(Sequence): | |
| componentType = NamedTypes( | |
| NamedType('type', IA5String()), | |
| NamedType('ver', Integer()), | |
| NamedType('manb', SetOf(APTicketMANB())), | |
| NamedType('unk', OctetString()), | |
| #NamedType('unk2', Any()), | |
| NamedType('cert', SequenceOf(rfc5280.Certificate())), | |
| #NamedType('unk4', OctetString()) | |
| ) | |
| def find_build_identity(manifest, model): | |
| for o in manifest['BuildIdentities']: | |
| if o['Info']['DeviceClass'] == model and 'RestoreBehavior' in o['Info'] and o['Info']['RestoreBehavior'] == "Erase": | |
| return o | |
| return None | |
| def create_seq(name, value): | |
| name_hex_int = int(hexlify(name.encode()), 16) | |
| seq = Sequence().subtype(explicitTag=Tag(tagClassPrivate, tagFormatSimple, name_hex_int)) | |
| seq.setComponentByPosition(0, IA5String(name)) | |
| seq.setComponentByPosition(1, value) | |
| return seq | |
| def modifying_func(b, first=True): | |
| for i in range(len(b)): | |
| if str(b[i][0]) == 'rosi': | |
| b[i][1][0][1] = plist['Manifest']['OS']['Digest'] | |
| elif str(b[i][0]) == 'krnl': | |
| b[i][1][0][1] = plist['Manifest']['KernelCache']['Digest'] | |
| elif str(b[i][0]) == 'dtre': | |
| b[i][1][0][1] = plist['Manifest']['DeviceTree']['Digest'] | |
| elif str(b[i][0]) == 'trst': | |
| b[i][1][0][1] = plist['Manifest']['StaticTrustCache']['Digest'] | |
| elif str(b[i][0]) == 'rtsc': | |
| b[i][1][0][1] = plist['Manifest']['RestoreTrustCache']['Digest'] | |
| elif str(b[i][0]) == 'sepi': | |
| b[i][1][0][1] = plist['Manifest']['SEP']['Digest'] | |
| elif str(b[i][0]) == 'rsep': | |
| b[i][1][0][1] = plist['Manifest']['RestoreSEP']['Digest'] | |
| #elif str(b[i][0]) == 'mtfw': | |
| # b[i][1][0][1] = plist['Manifest']['Multitouch']['Digest'] | |
| #elif str(b[i][0]) == 'rfta': | |
| # # Corrupt this | |
| # b[i][0] = 'atrf' | |
| #elif str(b[i][0]) == 'ftap': | |
| # # Corrupt this | |
| # b[i][0] = 'patf' | |
| elif str(b[i][0]) in ('rfta', 'ftap', 'rfts', 'ftsp'): | |
| #b[i][1][0][1] = '5340b6a059bdb732e715e7bb1b292edcd45c2a8d1d07e6039d3f338d7c4428ab' | |
| b[i][0] = b[i][0][::-1] | |
| elif str(b[i][0]) == 'MANP': | |
| manp = b[i][1] | |
| manp_length = len(manp) | |
| #if (not first): | |
| # print(manp) | |
| for j in range(len(manp)): | |
| pass | |
| if str(manp[j][0]) == 'CHIP': | |
| #manp[j][1] = 0x1234 | |
| #manp[j][1] = 0x8015 | |
| #manp[j][1] = 0x8020 | |
| manp[j][1] = 0x8030 | |
| if str(manp[j][0]) == 'ECID' and first: | |
| manp[j][1] = 0x1122334455667788 | |
| if str(manp[j][0]) == 'snon' and first: # data_2422147c8_nonce | |
| #manp[j][1] = b'\x00'*20 | |
| manp[j][1] = b'\xfe\xed\xfa\xce'*(20//4) | |
| #manp[j][1] = b'\xef\xbe\xad\xde'*(20//4) | |
| #print(manp[j]) | |
| #seq0 = create_seq('BORD', Integer(4)) | |
| #manp.setComponentByPosition(5, seq0) | |
| #seq0 = create_seq('DGST', OctetString('a'*48)) | |
| #manp.setComponentByPosition(manp_length+0, seq0) | |
| #seq1 = create_seq('EKEY', Boolean(True)) | |
| #manp.setComponentByPosition(manp_length+0, seq1) | |
| #seq2 = create_seq('EPRO', Boolean(True)) | |
| #manp.setComponentByPosition(manp_length+1, seq2) | |
| #seq3 = create_seq('ESEC', Boolean(True)) | |
| #manp.setComponentByPosition(manp_length+2, seq3) | |
| ## data_2422147c8_nonce | |
| ##seq4 = create_seq('snon', OctetString('a'*20)) | |
| #seq4 = create_seq('snon', OctetString(b'\xfe\xed\xfa\xce'*(20//4))) | |
| #manp.setComponentByPosition(manp_length+4, seq4) | |
| #seq4 = create_seq('AMNM', OctetString('a'*0x30)) | |
| #seq4 = create_seq('AMNM', OctetString(b'\xfe\xed\xfa\xce'*(0x30//4))) | |
| seq4 = create_seq('AMNM', OctetString(b'\xde\xad\xbe\xef'*(0x30//4))) | |
| #manp.setComponentByPosition(manp_length+0, seq4) | |
| #print(manp.prettyPrint()) | |
| #print(b[i]) | |
| #print(type(b[i][1])) | |
| #print(b[i][1][0][0]) | |
| #print(type(b[i][1][0][0])) | |
| #print(repr(b[i][1][0][1])) | |
| #print(type(b[i][1][0][1])) | |
| if __name__ == "__main__": | |
| if len(sys.argv) < 4: | |
| print(F"{sys.argv[0]} [model] [BuildManifest.plist] [ticket.shsh2] [root_ticket.der]") | |
| exit(1) | |
| model = sys.argv[1].lower() | |
| fd = open(sys.argv[2], "rb") | |
| manifest = plistlib.load(fd) | |
| fd.close() | |
| plist = find_build_identity(manifest, model) | |
| if plist == None: | |
| print(F"Cannot find {model} in BuildManifest.plist") | |
| exit(1) | |
| fd = open(sys.argv[3], "rb") | |
| shsh = plistlib.load(fd) | |
| ticket = shsh['ApImg4Ticket'] | |
| fd.close() | |
| res = None | |
| res = decode(ticket, asn1Spec=APTicket()) | |
| a = res[0] | |
| ###print(res) | |
| b = a['manb'][0]['payload'] | |
| modifying_func(b, True) | |
| c = a['cert'][0]['tbsCertificate']['extensions'][4]['extnValue'] | |
| #print(type(c), repr(c)) | |
| res = decode(c, asn1Spec=Set())[0] | |
| #print(res) | |
| ##print(res[0]) | |
| #print(res) | |
| modifying_func(res, False) | |
| #print(res) | |
| a['cert'][0]['tbsCertificate']['extensions'][4]['extnValue'] = encode(res) | |
| fd = open(sys.argv[4], "wb") | |
| print(a.prettyPrint()) | |
| fd.write(encode(a)) | |
| fd.close() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| # adapted from Trung's create_trustcache.py | |
| import sys | |
| import struct | |
| import urllib | |
| def create_tc(hashes): | |
| tc = b"" | |
| #write the header | |
| #version | |
| tc += struct.pack("<I", 1) | |
| #unknown header properties | |
| #tc += struct.pack("<I", 0) | |
| #tc += struct.pack("<I", 0) | |
| #tc += struct.pack("<I", 0) | |
| #tc += struct.pack("<I", 0) | |
| #uuid | |
| tc += bytes.fromhex(sys.argv[3]).ljust(16, b'\x00') | |
| #number of hashes in the trust cache | |
| tc += struct.pack("<I", len(hashes)) | |
| for hash_txt in hashes: | |
| if len(hash_txt) == 0: | |
| continue | |
| assert(len(hash_txt) >= 40) | |
| cdhash = bytes.fromhex(hash_txt.decode('ascii'))[:20] | |
| #write the hash itself | |
| tc += cdhash | |
| # for i in range(5): | |
| # four_bytes = hash_txt[i * 8 : (i + 1) * 8] | |
| # number = int(four_bytes, 16) | |
| # tc += struct.pack(">I", number) | |
| #hash type | |
| tc += struct.pack("B", 2) | |
| #hash flags | |
| tc += struct.pack("B", 0) | |
| return tc | |
| if __name__ == "__main__": | |
| hashes_txt = open(sys.argv[1], "rb").read() | |
| hashes = hashes_txt.splitlines() | |
| hashes = [hash.strip() for hash in hashes] | |
| #the kernel does a binary search for the hash so they must be sorted | |
| hashes = sorted(hashes) | |
| tc = create_tc(hashes) | |
| open(sys.argv[2], "wb").write(tc) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -eux | |
| QEMUDIR=/home/ios/git/qemu-t8030.swsep6/build/ | |
| cd "${QEMUDIR}" | |
| #make -j16 all install | |
| make -j16 all | |
| #DEST="$1" | |
| #shift 1 | |
| OPTS="$*" | |
| cd /home/ios/satamnt_1/qemu_t8030_data_0/ios_0/iphone/ # t8030/n104ap v14beta5 | |
| #cd "$DEST" | |
| DEVNAME=n104ap | |
| #DEVNAME=n841ap | |
| RELTYPE=research | |
| #RELTYPE=release | |
| RDPATH=$(get_entries_from_plist.py BuildManifest.plist RestoreRamDisk "$DEVNAME" "$RELTYPE") | |
| KERNELCACHE=$(get_entries_from_plist.py BuildManifest.plist KernelCache "$DEVNAME" "$RELTYPE") | |
| KERNELCACHE=/home/ios/.../kernelcache.research.iphone12b.decompressed__patched_output | |
| #echo $KERNELCACHE | |
| #echo $RDPATH | |
| INITRD=${RDPATH} | |
| #INITRD=${RDPATH}.out | |
| #TRUSTCACHE=Firmware/${RDPATH}.trustcache | |
| TRUSTCACHE=Firmware/${RDPATH}.trustcache.custom | |
| #TRUSTCACHE=$(get_entries_from_plist.py BuildManifest.plist StaticTrustCache "$DEVNAME" "$RELTYPE") | |
| #TRUSTCACHE=$(get_entries_from_plist.py BuildManifest.plist RestoreTrustCache "$DEVNAME" "$RELTYPE") | |
| #TRUSTCACHE=${TRUSTCACHE}.custom | |
| DTB=$(get_entries_from_plist.py BuildManifest.plist DeviceTree "$DEVNAME" "$RELTYPE") | |
| #DTB=$(get_entries_from_plist.py BuildManifest.plist DeviceTree "$DEVNAME" "$RELTYPE").out.dts.dtb | |
| custom_trustcache() { | |
| # combine all hashes from all ramdisks, and also from a strap archive, if you feel like it. | |
| RDISK="Firmware/038-44135-124" | |
| cat full_tc_hashes_0 tc_hashes strap_cdhashes_unsorted custom0_cdhashes_unsorted custom1_cdhashes_unsorted | sort > tc_hashes_complete | |
| python3 /home/ios/create_trustcache_uuid.py tc_hashes_complete "${RDISK}.dmg.raw_trustcache" '0f1a7ccce14a48f98ebfdf7d82278ea8' | |
| img4tool -t rtsc -d 1 -c "${RDISK}.dmg.trustcache.custom" "${RDISK}.dmg.raw_trustcache" | |
| } | |
| #custom_trustcache | |
| CORES=5 | |
| #CORES=4 | |
| #CORES=3 | |
| CORES=2 | |
| #CORES=1 | |
| MMSIZE=4G | |
| ###MMSIZE=1G | |
| GDB= | |
| #GDB="gdb --args" | |
| #GDB="valgrind" | |
| QEMU="${QEMUDIR}/qemu-system-aarch64" | |
| #QEMU="${QEMUDIR}/aarch64-softmmu/qemu-system-aarch64" | |
| echo $DTB | grep -q '\.dts' && /home/ios/ios_dtc.py $(echo $DTB | sed 's/\.dtb$//g') | |
| NVME1=nvme.1 | |
| #NVME1=nvme.1.onlybash | |
| #NVME1=nvme.bak0/nvme.1.onlybash | |
| SEPROM="/home/ios/.../AppleSEPROM-A13-Cebu-B1" | |
| SEPFW="/home/ios/satamnt_1/qemu_t8030_data_0/ios_t8030_v14.7.1_0/iphone/Firmware/all_flash/sep-firmware.n104.RELEASE.im4p.out.new.img4" | |
| $GDB $QEMU -s -M "t8030,trustcache=$TRUSTCACHE,ticket=/home/ios/satamnt_1/qemu_t8030_data_0/ios_0/iphone/root_ticket.der,kaslr-off=on,sepfw=${SEPFW},seprom=${SEPROM},boot-mode=auto" \ | |
| -kernel "$KERNELCACHE" \ | |
| -dtb $DTB \ | |
| -append "debug=-1 kextlog=-1 serial=3 wdt=-1 launchd_unsecure_cache=1 -disable_aslr slide=0 sep_tracing=1 sep-trace-size=0x10000 ioasm_behavior=0 -vm_compressor_wk_sw -vm_compressor_wk_barriers agm-genuine=1 agm-authentic=1 agm-trusted=1 vm_compressor_codec=1 cs_debug=1 vm_shared_region_reslide_aslr=0 -aes_spew wdt_test=thermal" \ | |
| -initrd "$INITRD" \ | |
| -cpu max -smp $CORES \ | |
| -d unimp,guest_errors,cpu_reset,mmu \ | |
| -m $MMSIZE -serial mon:stdio \ | |
| -net none \ | |
| --trace '*aes*' --trace '*sep*' --trace '*gpio*' --trace '*i2c*' \ | |
| -drive file="$NVME1",format=raw,if=none,id=drive.1 \ | |
| -device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvme.2,format=raw,if=none,id=drive.2 \ | |
| -device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvme.3,format=raw,if=none,id=drive.3 \ | |
| -device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvme.4,format=raw,if=none,id=drive.4 \ | |
| -device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvram,if=none,format=raw,id=nvram \ | |
| -device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvme.6,format=raw,if=none,id=drive.6 \ | |
| -device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvme.7,format=raw,if=none,id=drive.7 \ | |
| -device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=sep_nvram,if=pflash,format=raw \ | |
| -drive file=sep_ssc,if=pflash,format=raw \ | |
| -monitor telnet:127.0.0.1:1235,server,nowait $OPTS #\ | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -eux | |
| QEMUDIR=/home/ios/git/qemu-t8030.swsep4/build/ | |
| cd "${QEMUDIR}" | |
| #make -j16 all install | |
| make -j16 all | |
| OPTS="$*" | |
| cd /home/ios/satamnt_3/qemu_t8030_swsep_nosep_0/ | |
| DEVNAME=n104ap | |
| RELTYPE=research | |
| #RELTYPE=release | |
| RDPATH=$(get_entries_from_plist.py BuildManifest.plist RestoreRamDisk "$DEVNAME" "$RELTYPE") | |
| KERNELCACHE=$(get_entries_from_plist.py BuildManifest.plist KernelCache "$DEVNAME" "$RELTYPE") | |
| KERNELCACHE=/home/ios/.../kernelcache.research.iphone12b.decompressed__patched_output | |
| #echo $KERNELCACHE | |
| #echo $RDPATH | |
| INITRD=${RDPATH} | |
| #INITRD=${RDPATH}.out | |
| #TRUSTCACHE=Firmware/${RDPATH}.trustcache | |
| TRUSTCACHE=Firmware/${RDPATH}.trustcache.custom | |
| #TRUSTCACHE=$(get_entries_from_plist.py BuildManifest.plist StaticTrustCache "$DEVNAME" "$RELTYPE") | |
| #TRUSTCACHE=$(get_entries_from_plist.py BuildManifest.plist RestoreTrustCache "$DEVNAME" "$RELTYPE") | |
| #TRUSTCACHE=${TRUSTCACHE}.custom | |
| #DTB=/home/ios/satamnt_1/qemu_t8030_data_0/ios_0/iphone/Firmware/all_flash/DeviceTree.n104ap.im4p.out.dts.dtb | |
| DTB=$(get_entries_from_plist.py BuildManifest.plist DeviceTree "$DEVNAME" "$RELTYPE") | |
| #DTB=$(get_entries_from_plist.py BuildManifest.plist DeviceTree "$DEVNAME" "$RELTYPE").out.dts.dtb | |
| custom_trustcache() { | |
| RDISK="Firmware/038-44135-124" | |
| #cat tc_hashes strap_cdhashes_unsorted custom0_cdhashes_unsorted | sort > tc_hashes_complete | |
| cat full_tc_hashes_0 tc_hashes strap_cdhashes_unsorted custom0_cdhashes_unsorted custom1_cdhashes_unsorted | sort > tc_hashes_complete | |
| python3 /home/ios/ios_workdir_s8003_v14beta5_0/create_trustcache_uuid.py tc_hashes_complete "${RDISK}.dmg.raw_trustcache" '0f1a7ccce14a48f98ebfdf7d82278ea8' | |
| img4tool -t rtsc -d 1 -c "${RDISK}.dmg.trustcache.custom" "${RDISK}.dmg.raw_trustcache" | |
| } | |
| custom_trustcache | |
| #CORES=5 | |
| CORES=4 | |
| #CORES=3 | |
| #CORES=2 | |
| #CORES=1 | |
| MMSIZE=4G | |
| ###MMSIZE=1G | |
| GDB= | |
| GDB="gdb --args" | |
| #GDB="valgrind" | |
| #GDB="prlimit --as=$((11*1024*1024*1024))" | |
| #QEMU="qemu-system-aarch64" | |
| #QEMU="/home/ios/git/qemu-t8030.springboardorig/build/qemu-system-aarch64" | |
| #QEMU="/home/ios/git/qemu-t8030.springboardmod0/build/qemu-system-aarch64" | |
| #QEMU="/home/ios/git/qemu-t8030.springboardmod1/build/qemu-system-aarch64" | |
| #QEMU="/home/ios/git/qemu-t8030.springboardmod2/build/qemu-system-aarch64" | |
| #QEMU="/home/ios/git/qemu-t8030.springboardmod3/build/qemu-system-aarch64" | |
| #QEMU="/home/ios/git/qemu-t8030.springboardmod4/build/qemu-system-aarch64" | |
| #QEMU="/home/ios/git/qemu-t8030.springboardmod5/build/qemu-system-aarch64" | |
| #QEMU="/home/ios/git/qemu-t8030.springboardmod6/build/qemu-system-aarch64" | |
| #QEMU="/home/ios/git/qemu-t8030.springboardmod7/build/qemu-system-aarch64" | |
| #QEMU="/home/ios/git/qemu-t8030-ChefKissInc-SpringBoard.test1/build/qemu-system-aarch64" | |
| #QEMU="/home/ios/git/origs/qemu-t8030_1/build/qemu-system-aarch64" | |
| #QEMU="/home/ios/git/qemutest00/build/qemu-system-aarch64" | |
| #QEMU="qemu-system-aarch64" | |
| QEMU="${QEMUDIR}/qemu-system-aarch64" | |
| #QEMU="${QEMUDIR}/aarch64-softmmu/qemu-system-aarch64" | |
| #/home/ios/ios_dtc.py $(echo $DTB | sed 's/\.dtb$//g') | |
| NVME1=nvme.1 | |
| #NVME1=nvme.1.bak0 | |
| #NVME1=nvme.1.onlybash | |
| #NVME1=nvme.bak0/nvme.1.onlybash | |
| #NVME1=nvme.1.mod0_ARGB | |
| #NVME1=nvme.1.mod1 | |
| $GDB $QEMU -s -M "t8030,trustcache=$TRUSTCACHE,ticket=/home/ios/satamnt_1/qemu_t8030_data_0/ios_0/iphone/root_ticket.der,kaslr-off=on,boot-mode=auto" \ | |
| -kernel "$KERNELCACHE" \ | |
| -dtb $DTB \ | |
| -append "-v debug=-1 kextlog=-1 serial=3 wdt=-1 launchd_unsecure_cache=1 -disable_aslr slide=0 sep_tracing=1 sep-trace-size=0x10000 ioasm_behavior=0 -vm_compressor_wk_sw -vm_compressor_wk_barriers agm-genuine=1 agm-authentic=1 agm-trusted=1 vm_compressor_codec=1 cs_debug=1 vm_shared_region_reslide_aslr=0 -aes_spew" \ | |
| -initrd "$INITRD" \ | |
| -cpu max -smp $CORES \ | |
| -d unimp,guest_errors,cpu_reset,mmu \ | |
| -m $MMSIZE -serial mon:stdio \ | |
| -net none \ | |
| --trace '*aes*' --trace '*sep*' --trace '*gpio*' --trace '*i2c*' \ | |
| -drive file="$NVME1",format=raw,if=none,id=drive.1 \ | |
| -device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvme.2,format=raw,if=none,id=drive.2 \ | |
| -device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvme.3,format=raw,if=none,id=drive.3 \ | |
| -device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvme.4,format=raw,if=none,id=drive.4 \ | |
| -device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvram,if=none,format=raw,id=nvram \ | |
| -device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvme.6,format=raw,if=none,id=drive.6 \ | |
| -device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \ | |
| -drive file=nvme.7,format=raw,if=none,id=drive.7 \ | |
| -device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \ | |
| -monitor telnet:127.0.0.1:1235,server,nowait $OPTS #\ | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment