Notes on downgrading an iPhone X from 15.6 to iOS 14 without SHSH

My environment:
1. macOS Monterey 12.4
2. iPhone X running iOS 15.6

Reference project: https://github.com/mineek/sunst0rm

1. Install Homebrew on macOS

[lookback@DT_LookBack_MacBookPro ~/Desktop]# /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

2. Install the required dependency packages on macOS

[lookback@DT_LookBack_MacBookPro ~/Desktop]# brew install automake autoconf pkg-config libtool libusb poetry libpng

3. libirecovery

[lookback@DT_LookBack_MacBookPro ~/Desktop]# brew install libimobiledevice libirecovery

4. futurerestore

[lookback@DT_LookBack_MacBookPro ~/Desktop]# mkdir -p ~/GIT && cd ~/GIT
[lookback@DT_LookBack_MacBookPro ~/GIT]# git clone https://github.com/futurerestore/futurerestore.git && cd futurerestore
[lookback@DT_LookBack_MacBookPro ~/GIT/futurerestore]# wget https://nightly.link/futurerestore/futurerestore/workflows/ci/main/futurerestore-macOS-RELEASE.zip
[lookback@DT_LookBack_MacBookPro ~/GIT/futurerestore]# unzip futurerestore-macOS-RELEASE.zip
[lookback@DT_LookBack_MacBookPro ~/GIT/futurerestore]# tar xf futurerestore-macOS-v2.0.0-test-Build_290-RELEASE.tar.xz
[lookback@DT_LookBack_MacBookPro ~/GIT/futurerestore]# chmod +x futurerestore
[lookback@DT_LookBack_MacBookPro ~/GIT/futurerestore]# mv futurerestore /usr/local/bin/

5. iBoot64Patcher

[lookback@DT_LookBack_MacBookPro ~/GIT/futurerestore]# cd ../ && git clone https://github.com/Cryptiiiic/iBoot64Patcher.git && cd iBoot64Patcher
[lookback@DT_LookBack_MacBookPro ~/GIT/iBoot64Patcher]# wget https://nightly.link/Cryptiiiic/iBoot64Patcher/workflows/ci/main/iBoot64Patcher-macOS-x86_64-RELEASE.zip
[lookback@DT_LookBack_MacBookPro ~/GIT/iBoot64Patcher]# unzip iBoot64Patcher-macOS-x86_64-RELEASE.zip
[lookback@DT_LookBack_MacBookPro ~/GIT/iBoot64Patcher]# tar xf iBoot64Patcher-macOS-x86_64-Build_16-RELEASE.tar.xz
[lookback@DT_LookBack_MacBookPro ~/GIT/iBoot64Patcher]# chmod +x iBoot64Patcher
[lookback@DT_LookBack_MacBookPro ~/GIT/iBoot64Patcher]# mv iBoot64Patcher /usr/local/bin/

6. Kernel64Patcher

[lookback@DT_LookBack_MacBookPro ~/GIT/iBoot64Patcher]# cd ../ && git clone https://github.com/iSuns9/Kernel64Patcher.git && cd Kernel64Patcher
[lookback@DT_LookBack_MacBookPro ~/GIT/Kernel64Patcher]# gcc Kernel64Patcher.c -o Kernel64Patcher
[lookback@DT_LookBack_MacBookPro ~/GIT/Kernel64Patcher]# mv Kernel64Patcher /usr/local/bin/

7. img4tool

[lookback@DT_LookBack_MacBookPro ~/GIT/Kernel64Patcher]# cd ../ && mkdir -p img4tool && cd img4tool
[lookback@DT_LookBack_MacBookPro ~/GIT/img4tool]# wget https://github.com/tihmstar/img4tool/releases/download/197/buildroot_macos-latest.zip
[lookback@DT_LookBack_MacBookPro ~/GIT/img4tool]# unzip buildroot_macos-latest.zip && cd buildroot_macos-latest
[lookback@DT_LookBack_MacBookPro ~/GIT/img4tool/buildroot_macos-latest]# cp -r usr/local/* /usr/local/
[lookback@DT_LookBack_MacBookPro ~/GIT/img4tool/buildroot_macos-latest]# chmod +x /usr/local/bin/img4tool

8. img4

[lookback@DT_LookBack_MacBookPro ~/GIT/img4tool/buildroot_macos-latest]# cd ../ && git clone https://github.com/xerub/img4lib.git --recursive && cd img4lib
[lookback@DT_LookBack_MacBookPro ~/GIT/img4tool/img4lib]# make -C lzfse
[lookback@DT_LookBack_MacBookPro ~/GIT/img4tool/img4lib]# make COMMONCRYPTO=1
[lookback@DT_LookBack_MacBookPro ~/GIT/img4tool/img4lib]# cp img4 /usr/local/bin
[lookback@DT_LookBack_MacBookPro ~/GIT/img4tool/img4lib]# cp libimg4.a /usr/local/lib

9. ldid

[lookback@DT_LookBack_MacBookPro ~/GIT/img4tool/img4lib]# brew install ldid

10. restored_external64_patcher

[lookback@DT_LookBack_MacBookPro ~/GIT/img4tool/img4lib]# cd ../../ && git clone https://github.com/iSuns9/restored_external64patcher.git && cd restored_external64patcher
[lookback@DT_LookBack_MacBookPro ~/GIT/restored_external64patcher]# make
[lookback@DT_LookBack_MacBookPro ~/GIT/restored_external64patcher]# mv restored_external64_patcher /usr/local/bin/

11. asr64_patcher

[lookback@DT_LookBack_MacBookPro ~/GIT/restored_external64patcher]# cd ../ && git clone https://github.com/exploit3dguy/asr64_patcher.git && cd asr64_patcher
[lookback@DT_LookBack_MacBookPro ~/GIT/asr64_patcher]# make
[lookback@DT_LookBack_MacBookPro ~/GIT/asr64_patcher]# mv asr64_patcher /usr/local/bin

12. Python 3 via pyenv

[lookback@DT_LookBack_MacBookPro ~/Desktop]# brew install pyenv
[lookback@DT_LookBack_MacBookPro ~]# pyenv install --list | grep '^..3.10..*'
  3.10.0
  3.10-dev
  3.10.1
  3.10.2
  3.10.3
  3.10.4
  3.10.5
  3.10.6
[lookback@DT_LookBack_MacBookPro ~]# pyenv install 3.10.6
[lookback@DT_LookBack_MacBookPro ~]# pyenv global 3.10.6
[lookback@DT_LookBack_MacBookPro ~]# pyenv local 3.10.6
[lookback@DT_LookBack_MacBookPro ~]# pyenv shell 3.10.6

13. Clone the sunst0rm project

[lookback@DT_LookBack_MacBookPro ~]# cd ~/GIT && git clone https://github.com/mineek/sunst0rm.git && cd sunst0rm
[lookback@DT_LookBack_MacBookPro ~/GIT/sunst0rm]# pip3 install -r requirements.txt

14. Build and install gaster, and install ipwndfu

[lookback@DT_LookBack_MacBookPro ~/GIT/sunst0rm]# cd ../ && git clone https://github.com/0x7ff/gaster && cd gaster
[lookback@DT_LookBack_MacBookPro ~/GIT/gaster]# make
[lookback@DT_LookBack_MacBookPro ~/GIT/gaster]# mv gaster /usr/local/bin/gaster
[lookback@DT_LookBack_MacBookPro ~/GIT/gaster]# cd ../ && git clone https://github.com/hack-different/ipwndfu.git && cd ipwndfu
[lookback@DT_LookBack_MacBookPro ~/GIT/ipwndfu]# ./dev_install.sh
[lookback@DT_LookBack_MacBookPro ~/GIT/ipwndfu]# cd ~/GIT/sunst0rm

15. Put the phone into DFU mode, then use the tools to enter pwned DFU mode and remove sigchecks

[lookback@DT_LookBack_MacBookPro ~/GIT/sunst0rm]# gaster pwn
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:001635DE26C0002E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: RESET
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:001635DE26C0002E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: SPRAY
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:001635DE26C0002E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: SETUP
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:001635DE26C0002E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: PATCH
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:001635DE26C0002E IBFL:3C SRTG:[iBoot-3332.0.0.1.23] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
[lookback@DT_LookBack_MacBookPro ~/GIT/sunst0rm]# 
[lookback@DT_LookBack_MacBookPro ~/GIT/sunst0rm]# ipwndfu -p && ipwndfu --patch-sigchecks && ipwndfu --repair-heap

OK, this is where I ran into an error: the sigchecks cannot be removed.

[lookback@DT_LookBack_MacBookPro ~/GIT/sunst0rm]# ipwndfu -p
*** checkm8 exploit by axi0mX ***
Found: CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:001635DE26C0002E IBFL:3C SRTG:[iBoot-3332.0.0.1.23] PWND:[gaster]
Device is already in pwned DFU Mode. Not executing exploit.
[lookback@DT_LookBack_MacBookPro ~/GIT/sunst0rm]# ipwndfu --patch-sigchecks
Traceback (most recent call last):
  File "/usr/local/bin/ipwndfu", line 8, in <module>
    sys.exit(main())
  File "/Users/lookback/.local/lib/python3.10/site-packages/ipwndfu/main.py", line 136, in main
    patch_sigchecks(device, match_device=args.match_device)
  File "/Users/lookback/.local/lib/python3.10/site-packages/ipwndfu/main.py", line 644, in patch_sigchecks
    pwned = usbexec.PwnedUSBDevice()
  File "/Users/lookback/.local/lib/python3.10/site-packages/ipwndfu/usbexec.py", line 343, in __init__
    info = self.read_memory(self.image_base() + 0x200, 0x100).decode("ascii")
  File "/Users/lookback/.local/lib/python3.10/site-packages/ipwndfu/usbexec.py", line 279, in read_memory
    assert response[:8] == DONE_MAGIC
AssertionError
[lookback@DT_LookBack_MacBookPro ~/GIT/sunst0rm]# ipwndfu --repair-heap
Traceback (most recent call last):
  File "/usr/local/bin/ipwndfu", line 8, in <module>
    sys.exit(main())
  File "/Users/lookback/.local/lib/python3.10/site-packages/ipwndfu/main.py", line 133, in main
    repair_heap(device, match_device=args.match_device)
  File "/Users/lookback/.local/lib/python3.10/site-packages/ipwndfu/main.py", line 604, in repair_heap
    pwned = usbexec.PwnedUSBDevice()
  File "/Users/lookback/.local/lib/python3.10/site-packages/ipwndfu/usbexec.py", line 343, in __init__
    info = self.read_memory(self.image_base() + 0x200, 0x100).decode("ascii")
  File "/Users/lookback/.local/lib/python3.10/site-packages/ipwndfu/usbexec.py", line 279, in read_memory
    assert response[:8] == DONE_MAGIC
AssertionError
[lookback@DT_LookBack_MacBookPro ~/GIT/sunst0rm]# 

So attempting the restore here does not go through either.

[lookback@DT_LookBack_MacBookPro ~/GIT/sunst0rm]# python3 sunstorm.py -i 'iPhone10,3,iPhone10,6_14.6_18F72_Restore.ipsw' -t '6251677736763438_iPhone10,3_d22ap_15.6-19G71_27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae.shsh2' -r -d d22ap
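
In step 15 the only visible difference between the device before and after gaster's PATCH stage is the `PWND:[gaster]` tag appended to the serial string. The following is an added example, not code from sunst0rm, gaster or ipwndfu: it parses those serial strings from captured tool output and checks that every string names the same ECID and that the last one carries a PWND tag. The function names and the embedded sample lines are assumptions made for this example.

```python
import re

# Constructed sample input: the serial strings from the gaster output in step 15,
# as printed before the exploit and after the PATCH stage.
BEFORE = ("CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:001635DE26C0002E "
          "IBFL:3C SRTG:[iBoot-3332.0.0.1.23]")
AFTER = BEFORE + " PWND:[gaster]"

# A field is a four-letter key followed by either [bracketed text] or a bare token.
FIELD = re.compile(r"\b([A-Z]{4}):(?:\[([^\]]*)\]|(\S+))")


def parse_dfu_serial(line):
    """Return the KEY:value fields of one DFU serial string as a dict."""
    return {key: (plain or bracketed) for key, bracketed, plain in FIELD.findall(line)}


def summarize(log):
    """Scan tool output; return (set of ECIDs seen, PWND tag of the last serial or None)."""
    ecids, last = set(), None
    for line in log.splitlines():
        if "CPID:" not in line:
            continue  # skip stage markers, "Found the USB handle." and similar lines
        last = parse_dfu_serial(line)
        ecids.add(last.get("ECID"))
    if last is None:
        raise ValueError("no DFU serial string found in log")
    return ecids, last.get("PWND")


def in_pwned_dfu(log):
    """True only if every serial string names one device and the last one carries PWND."""
    ecids, pwnd = summarize(log)
    return len(ecids) == 1 and pwnd is not None


if __name__ == "__main__":
    session = "\n".join([BEFORE, "Stage: PATCH", "ret: true", AFTER])
    print(parse_dfu_serial(AFTER))
    print("pwned DFU:", in_pwned_dfu(session))
```

In the session recorded above the tag was present and `ipwndfu --patch-sigchecks` still failed, so this check confirms the pwned DFU state only, not that the later steps will succeed.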

macOS, last updated: 2022-9-14
lookback
  • Published on 2022-08-31 21:53:42