palera1n / palera1n
Jailbreak for A8 through A11, T2 devices, on iOS/iPadOS/tvOS 15.0, bridgeOS 5.0 and higher.
Home Page: https://palera.in
License: MIT License
No matter what device, it boots out of DFU mode when attempting to use palera1n; checkra1n works fine, so I know it's not my cables.
Isolating from #5
Devices: iPhone7 9,3 - 15.2 & iPhone7 9,3 - 15.3.1 (2 different devices)
No passcode;
Blobs from TSSaver
Command:
./palera1n.sh ~/Downloads/7399542136251174_iPhone9,3_d101ap_15.2-27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae.shsh2 --dfu 15.2 --debug
palera1n | Version 1.0.0
Written by Nebula | Some code by Nathan | Patching commands and ramdisk by Mineek | Loader app by Amy
[*] Getting device info...
[*] Pwning device
[*] Downloading BuildManifest
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2021FCSWinter/fullrestores/071-91985/2A9A676E-4BE6-4AE4-93A6-15A8A12AD433/iPhone_4.7_P3_15.2_19C56_Restore.ipsw
init done
getting: BuildManifest.plist
100% [===================================================================================================>]
download succeeded
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f-RELEASE
Compiled with plist: YES
Saved IM4M to IM4M
[*] Downloading and decrypting iBSS
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2021FCSWinter/fullrestores/071-91985/2A9A676E-4BE6-4AE4-93A6-15A8A12AD433/iPhone_4.7_P3_15.2_19C56_Restore.ipsw
init done
getting: Firmware/dfu/iBSS.d10.RELEASE.im4p
100% [===================================================================================================>]
download succeeded
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001A49D828882326 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
Found the USB handle.
Stage: RESET
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001A49D828882326 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
Found the USB handle.
Stage: SPRAY
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001A49D828882326 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
Found the USB handle.
Stage: SETUP
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001A49D828882326 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
Found the USB handle.
Stage: PATCH
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001A49D828882326 IBFL:3C SRTG:[iBoot-2696.0.0.1.33] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
[*] Downloading and decrypting iBEC
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2021FCSWinter/fullrestores/071-91985/2A9A676E-4BE6-4AE4-93A6-15A8A12AD433/iPhone_4.7_P3_15.2_19C56_Restore.ipsw
init done
getting: Firmware/dfu/iBEC.d10.RELEASE.im4p
100% [===================================================================================================>]
download succeeded
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001A49D828882326 IBFL:3C SRTG:[iBoot-2696.0.0.1.33] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
[*] Downloading DeviceTree
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2021FCSWinter/fullrestores/071-91985/2A9A676E-4BE6-4AE4-93A6-15A8A12AD433/iPhone_4.7_P3_15.2_19C56_Restore.ipsw
init done
getting: Firmware/all_flash/DeviceTree.d101ap.im4p
100% [===================================================================================================>]
download succeeded
[*] Downloading trustcache
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2021FCSWinter/fullrestores/071-91985/2A9A676E-4BE6-4AE4-93A6-15A8A12AD433/iPhone_4.7_P3_15.2_19C56_Restore.ipsw
init done
getting: Firmware/018-73308-068.dmg.trustcache
100% [===================================================================================================>]
download succeeded
[*] Downloading kernelcache
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2021FCSWinter/fullrestores/071-91985/2A9A676E-4BE6-4AE4-93A6-15A8A12AD433/iPhone_4.7_P3_15.2_19C56_Restore.ipsw
init done
getting: kernelcache.release.iphone9
100% [===================================================================================================>]
download succeeded
[*] Patching and repacking iBSS/iBEC
main: Starting...
iOS 15 iBoot detected!
getting get_debug_enabled_patch() patch
getting get_sigcheck_patch() patch
applying patch=0x1800c0ef8 : 000080d2
applying patch=0x1800c0f40 : 000080d2
applying patch=0x1800c2b14 : 200080d2
main: Writing out patched file to iBSS.patched...
main: Quitting...
main: Starting...
iOS 15 iBoot detected!
getting get_boot_arg_patch(-v keepsyms=1 debug=0xfffffffe panic-wait-forever=1 wdt=-1) patch
getting get_debug_enabled_patch() patch
getting get_sigcheck_patch() patch
applying patch=0x1800c0ef8 : 000080d2
applying patch=0x1800c0f40 : 000080d2
applying patch=0x1800c2b14 : 200080d2
applying patch=0x1800c416c : 183e0b50
applying patch=0x1800da92e : 2d76206b65657073796d733d312064656275673d307866666666666666652070616e69632d776169742d666f72657665723d31207764743d2d3100
main: Writing out patched file to iBEC.patched...
main: Quitting...
none
none
[*] Patching and converting kernelcache
Reading work/kernelcache.release.iphone9...
[NOTE] Image4 payload data is LZFSE compressed, decompressing...
Extracted Image4 payload data to: work/kcache.raw
main: Starting...
main: Detected fat macho kernel
Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-8019 inputted
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str loc at 0x9aaadc
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str ref at 0x1131c84
get_amfi_out_of_my_way_patch: Patching AMFI at 0x112d2d8
Kernel: Adding could_not_authenticate_personalized_root_hash patch...
get_could_not_authenticate_personalized_root_hash_patch: Entering ...
get_could_not_authenticate_personalized_root_hash_patch: Found "successfully validated on-disk root hash" str loc at 0xd5e0bb
get_could_not_authenticate_personalized_root_hash_patch: Found "successfully validated on-disk root hash" xref at 0xc832cc
get_could_not_authenticate_personalized_root_hash_patch: Could not find previous cbz
main: Writing out patched file to work/kcache.patched...
main: Quitting...
Reading work/kcache.patched...
Compressing payload using LZSS...
IM4P outputted to: work/krnlboot.im4p
Reading work/krnlboot.im4p...
Reading work/IM4M...
Creating Image4...
Image4 file outputted to: boot-iPhone9,3/kernelcache.img4
[*] Converting DeviceTree
dtre
[*] Patching and converting trustcache
trst
[*] Pwning device
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001A49D828882326 IBFL:3C SRTG:[iBoot-2696.0.0.1.33] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
[*] Booting device
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
Done!
The device should now boot to iOS
If you already have installed Pogo, click uicache and remount preboot in the tools section
If not, get an IPA from the latest action build of Pogo and install with TrollStore
Add the repo mineek.github.io/repo for Procursus
I booted etc., and after I opened the Tips app and pressed install I got an error message (Failed with -1, are you sure you have amfi patched) (Failed to prepare bootstrap -1). Did I do something wrong? I know it's still in progress and I appreciate the work!
Log:
Hello, iPhone10,4 on 15.1!
[*] Switching device into recovery mode...
Telling device with udid 427d83098dba6da4b8a95457001b9a3471b2772f to enter recovery mode.
Failed to enter recovery mode.
Device is successfully switching to recovery mode.
[*] Waiting for device to reconnect in recovery mode
[*] Getting device info...
[*] Press any key when ready for DFU mode
Get ready (0)
Hold volume down + side button (0)
Keep holding (0)
Release side button, but keep holding volume down (0)
[*] Device entered DFU!
[*] Pwning device
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:001838E00801EFAE IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: RESET
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:001838E00801EFAE IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: SPRAY
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:001838E00801EFAE IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: SETUP
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:001838E00801EFAE IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: PATCH
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:001838E00801EFAE IBFL:3C SRTG:[iBoot-3332.0.0.1.23] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
[*] Downloading BuildManifest
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2021FallFCS/fullrestores/071-64002/C820E7E5-0168-462E-923A-5C86E217D5B5/iPhone_4.7_P3_15.1_19B74_Restore.ipsw
init done
getting: BuildManifest.plist
100% [===================================================================================================>]
download succeeded
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f
Compiled with plist: YES
img4tool: failed with exception:
[exception]:
what=Failed to read shshFile
code=19529736
line=298
file=main.cpp
commit count=197:
commit sha =aca6cf005c94caf135023263cbb5c61a0081804f:
[-] An error occurred
To be noted:
iPhone X - 15.4.1 - ran in debug and normal, tried a clean run too. Hangs after starting the ramdisk script. vlan0 busy, timing out. Seems like it's targeting the wrong partition?
zsh: bad CPU type in executable: ./binaries/Darwin/hfsplus
Nice project btw
When I run the script/bash file it just runs and closes on its own.
macOS High Sierra
[] Getting device info...
[] Pwning device
[*] Downloading BuildManifest
[-] An error occurred
Tested in 6s iOS 15.6 Working!
Congratulations
Hey, after I run the script, it just shows the Apple logo and boots without patches.
palera1n | Version 1.0.0
Written by Nebula | Some code and ramdisk from Nathan | Patching commands and help from Mineek | Loader app by Amy
Hello, iPhone9,4 on 15.4.1!
[*] Switching device into recovery mode...
ERROR: Unable to connect to device
ebzrvf@ebzrvrf:~/Desktop/palera1n$
[cyosai@fedora ~]$ cd palera1n
[cyosai@fedora palera1n]$ '/home/cyosai/palera1n/palera1n.sh' /home/cyosai/SSHRD_Script/shsh/
palera1n | Version 1.0.0
Written by Nebula | Some code and ramdisk from Nathan | Patching commands and help from Mineek | Loader app by Amy
/home/cyosai/palera1n/binaries/Linux/ideviceinfo: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
/home/cyosai/palera1n/binaries/Linux/ideviceinfo: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
/home/cyosai/palera1n/binaries/Linux/ideviceinfo: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
Hello, on !
[*] Switching device into recovery mode...
/home/cyosai/palera1n/binaries/Linux/ideviceinfo: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
/home/cyosai/palera1n/binaries/Linux/ideviceenterrecovery: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
[cyosai@fedora palera1n]$
The screen is definitely on but it is simply blank after verbose. The only way to exit is a hard reset. The device used is a 6s n71ap on iOS 15.1.
Happens both with and without install arg. :/
babyyoda777@Azlans-Air palera1n % ./palera1n.sh /Users/babyyoda777/Downloads/7385395430905_iPhone8,1_n71ap_15.1-19B74_3a88b7c3802f2f0510abc432104a15ebd8bd7154.shsh2 --dfu 15.1
palera1n | Version 1.0.0
Written by Nebula | Some code by Nathan | Patching commands and ramdisk by Mineek | Loader app by Amy
[] Getting device version...
[] Getting device info...
[*] Booting device
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
Done!
The device should now boot to iOS, and you can open the Tips app and install Pogo (if you ran install before)
Add the repo mineek.github.io/repo for Procursus
The terminal log shows it was successful all times.
My logs:
danielshackintosh@daniels-Mini palera1n % ./palera1n.sh dumped.shsh
palera1n | Version 1.0.0
Written by Nebula | Some code by Nathan | Patching commands and ramdisk by Mineek | Loader app by Amy
Hello, iPhone9,3 on 15.0.2!
[] Switching device into recovery mode...
[] Waiting for device to reconnect in recovery mode
[] Getting device info...
[] Press any key when ready for DFU mode
Get ready (0)
Hold volume down + side button (0)
Keep holding (0)
Release side button, but keep holding volume down (0)
[] Device entered DFU!
[] Pwning device
[*] Booting device
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
Done!
The device should now boot to iOS
If you already have installed Pogo, click uicache and remount preboot in the tools section
If not, get an IPA from the latest action build of Pogo and install with TrollStore
Add the repo mineek.github.io/repo for Procursus
In the _usb_fix function for Linux, palera1n tries to kill iproxy if it was already running. If it is not running, this returns a non-zero code, making the program exit due to the `set -e` at the beginning of the script. The temporary solution I used on my machine was to put `set +e` on the line before, so on the new line 120, and `set -e` on the line before the line which starts usbmuxd, so on the new line 126.
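The failure mode from this report and two ways to contain it, as an added example that is not palera1n's own code: `kill_iproxy` and `other_step` are constructed stand-ins for the iproxy cleanup and for an unrelated failing command. It also shows that a `set +e` window hides every failure inside it, while `|| true` exempts only the one command.

```shell
#!/bin/sh
# Added illustration; not code from palera1n.sh.
# kill_iproxy is a constructed stand-in for the step that kills a leftover
# iproxy: it returns 1, as kill tools do when no matching process exists.
# other_step is a constructed stand-in for an unrelated command that fails.
PRELUDE='kill_iproxy() { return 1; }
other_step() { return 1; }'

# Run a snippet in a fresh shell and print "<output>|<exit status>".
run_case() {
    out=$(sh -c "$PRELUDE
$1" 2>&1) && rc=0 || rc=$?
    printf '%s|%s\n' "$out" "$rc"
}

# 1. The reported failure: errexit aborts the script at the cleanup step,
#    so the line that would start usbmuxd is never reached.
case_abort() {
    run_case 'set -e
kill_iproxy
echo "starting usbmuxd"'
}

# 2. The reporter's workaround: suspend errexit around the cleanup step.
case_toggle() {
    run_case 'set -e
set +e
kill_iproxy
set -e
echo "starting usbmuxd"'
}

# 3. Narrower alternative: tolerate a failure of this one command only.
case_or_true() {
    run_case 'set -e
kill_iproxy || true
echo "starting usbmuxd"'
}

# 4. Cost of the window: an unrelated failure inside it is swallowed too.
case_toggle_masks() {
    run_case 'set -e
set +e
kill_iproxy
other_step
set -e
echo "starting usbmuxd"'
}

# 5. With "|| true", the unrelated failure still stops the script.
case_or_true_strict() {
    run_case 'set -e
kill_iproxy || true
other_step
echo "starting usbmuxd"'
}

for c in case_abort case_toggle case_or_true case_toggle_masks case_or_true_strict; do
    printf '%-22s %s\n' "$c" "$($c)"
done
```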
Device is iPad Pro 10.5" 2017, on iPadOS 15.7
What I did is:
0. Got dumped blob from previous execution of sudo ./palera1n.sh --dfu 15.7 --debug
This is kind of a random issue: it randomly continues successfully, but mostly it just gets stuck somewhere.
For example, this time it's stuck at "[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227":
[root@relafnic palera1n]# sudo ./palera1n.sh --dfu 15.7 --debug
palera1n | Version 1.0.0
Written by Nebula | Some code and ramdisk from Nathan | Patching commands and help from Mineek | Loader app by Amy
[] Getting device info...
[] Pwning device
usb_timeout: 5
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000D0D402006603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: RESET
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000D0D402006603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: SPRAY
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000D0D402006603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: SETUP
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000D0D402006603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: PATCH
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
And then the device will boot into system normally, and I need to Ctrl + C to terminate it manually.
Or, it will be stuck at some other stage for a while and then stuck after PATCH stage returns true.
Saw similar issue here: https://github.com/0x7ff/gaster/issues/1
I don't know if it helps :>
rubens@rubensdev:~/palera1n$ ./palera1n.sh bub.shsh2 --dfu 15.4.1 --debug
palera1n | Version 1.0.0
Written by Nebula | Some code by Nathan | Patching commands and ramdisk by Mineek | Loader app by Amy
[] Getting device info...
[] Pwning device
usb_timeout: 5
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:000E415818EAED26 IBFL:3C SRTG:[iBoot-2696.0.0.1.33] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
[*] Downloading BuildManifest
Version: 3fc8c093f4660f6c6e07c0c9214618733da01ffc - 36
libfragmentzip version: 0.60-120447d0f410dffb49948fa155467fc5d91ca3c8
init pzb: https://updates.cdn-apple.com/2022FCSWinter/fullrestores/002-80968/632A8FE7-E1FA-4D3E-BCAC-821DA57D96DA/iPhone_4.7_P3_15.4.1_19E258_Restore.ipsw
init done
getting: BuildManifest.plist
100% [===================================================================================================>]
download succeeded
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f-RELEASE
Compiled with plist: YES
img4tool: failed with exception:
[exception]:
what=Failed to read shshFile
code=19529736
line=298
file=main.cpp
commit count=197
commit sha =aca6cf005c94caf135023263cbb5c61a0081804f
[-] An error occurred
what is ?
i try again after run ./palera1n.sh clean
When I try to boot into amfi I get this:
] Device entered DFU!
[] Pwning device
[] Downloading BuildManifest
[] Downloading and decrypting iBSS
[] Downloading and decrypting iBEC
[] Downloading DeviceTree
[] Downloading trustcache
[] Downloading kernelcache
[] Patching and repacking iBSS/iBEC
[] Patching and converting kernelcache
Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/runpy.py", line 184, in _run_module_as_main
mod_name, mod_spec, code = _get_module_details(mod_name, _Error)
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/runpy.py", line 143, in _get_module_details
return _get_module_details(pkg_main_name, error)
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/runpy.py", line 110, in _get_module_details
__import__(pkg_name)
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/pyimg4/__init__.py", line 2, in <module>
from .parser import *
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/pyimg4/parser.py", line 7, in <module>
from Crypto.Cipher import AES
ModuleNotFoundError: No module named 'Crypto'
[-] An error occurred
download succeeded
usb_timeout: 5
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000319A4240B603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
usb_timeout: 5
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000319A4240B603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
main: Starting...
iOS 14 iBoot detected!
getting get_debug_enabled_patch() patch
getting get_sigcheck_patch() patch
applying patch=0x1800c7204 : 000080d2
applying patch=0x1800c7258 : 000080d2
applying patch=0x1800c8bd4 : 200080d2
main: Writing out patched file to work/iBSS.patched...
main: Quitting...
none
main: Starting...
iOS 14 iBoot detected!
getting get_boot_arg_patch(rd=md0 debug=0x2014e -v wdt=-1 ) patch
getting get_debug_enabled_patch() patch
getting get_unlock_nvram_patch() patch
getting get_sigcheck_patch() patch
applying patch=0x1800c7204 : 000080d2
applying patch=0x1800c7258 : 000080d2
applying patch=0x1800b38c8 : 000080d2c0035fd6
applying patch=0x1800b3918 : 000080d2c0035fd6
applying patch=0x1800f2fa8 : 000080d2c0035fd6
applying patch=0x1800c8bd4 : 200080d2
applying patch=0x1800ca10c : b8032f10
applying patch=0x180128180 : 72643d6d64302064656275673d30783230313465202d76207764743d2d31202000
applying patch=0x1800cce48 : 1f2003d5
main: Writing out patched file to work/iBEC.patched...
main: Quitting...
none
krnl
main: Starting...
main: Detected fat macho kernel
Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-7195 inputted
get_amfi_out_of_my_way_patch: Found entitlements too small str loc at 0x9015f7
get_amfi_out_of_my_way_patch: Found entitlements too small str ref at 0xfeaf30
get_amfi_out_of_my_way_patch: Patching AMFI at 0xfe5df8
main: Writing out patched file to work/kcache.patched...
main: Quitting...
krnl
dtre
rtsc
rdsk
error: allocate
error: Success
[-] An error occurred
After I boot, the device loads iBSS and then reboots. When I use other methods, the device does not restore to recovery mode but to DFU.
Either the partition with the 'active' file which contains the name of the directory which contains usr/standalone/firmware/sep-firmware.img4 varies between devices or it is entered wrong in the script. On my device (6th gen iPad, A10, iOS 15.1), I have found through SSH that this partition is at /dev/disk0s1s5, but palera1n mounts /dev/disk0s1s6. Just to note, I have never messed with partitions on this device, and palera1n is the only jailbreak/"jailbreak" I have ever installed on this device.
Hello, iPhone8,1 on 15.6!
[*] Switching device into recovery mode...
[*] Waiting for device to reconnect in recovery mode
[*] Getting device info...
[*] Press any key when ready for DFU mode
Get ready (0)
Hold volume down + side button (0)
Keep holding (0)
Release side button, but keep holding volume down (0)
[*] Device entered DFU!
[*] Pwning device
[*] Booting device
Done!
The device should now boot to iOS
However, it didn't boot and remains in DFU mode after this.
The device did boot the first time jailbreaking, the logo appeared, and iOS booted in verbose mode, but it did not enter the desktop (and remains in black screen).
When I jailbreak the device next time, it simply doesn't boot.
download succeeded
usb_timeout: 5
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:000C3090302BC02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
usb_timeout: 5
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:000C3090302BC02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
main: Starting...
iOS 14 iBoot detected!
getting get_debug_enabled_patch() patch
getting get_sigcheck_patch() patch
applying patch=0x180032bf0 : 000080d2
applying patch=0x180032c44 : 000080d2
applying patch=0x180034750 : 200080d2
main: Writing out patched file to work/iBSS.patched...
main: Quitting...
none
main: Starting...
iOS 14 iBoot detected!
getting get_boot_arg_patch(rd=md0 debug=0x2014e -v wdt=-1 ) patch
getting get_debug_enabled_patch() patch
getting get_unlock_nvram_patch() patch
getting get_sigcheck_patch() patch
applying patch=0x180032bf0 : 000080d2
applying patch=0x180032c44 : 000080d2
applying patch=0x18001f8a8 : 000080d2c0035fd6
applying patch=0x18001f8f8 : 000080d2c0035fd6
applying patch=0x18006be6c : 000080d2c0035fd6
applying patch=0x180034750 : 200080d2
applying patch=0x180035cac : 183e5430
applying patch=0x1800de46d : 72643d6d64302064656275673d30783230313465202d76207764743d2d31202000
applying patch=0x180039060 : 1f2003d5
main: Writing out patched file to work/iBEC.patched...
main: Quitting...
none
krnl
main: Starting...
Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-7195 inputted
get_amfi_out_of_my_way_patch: Found entitlements too small str loc at 0x40c7ee
get_amfi_out_of_my_way_patch: Found entitlements too small str ref at 0x11ac270
get_amfi_out_of_my_way_patch: Patching AMFI at 0x11a86e8
main: Writing out patched file to work/kcache.patched...
main: Quitting...
krnl
dtre
rtsc
rdsk
error: allocate
error: Success
[-] An error occurred
iSuns9 Kernel64Patcher has it but the one bundled has no '-o' option
main: Detected fat macho kernel
Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-8020 inputted
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str loc at 0x9a7061
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str ref at 0x10b0c64
get_amfi_out_of_my_way_patch: Patching AMFI at 0x10ac2a8
main: Writing out patched file to work/kcache.patched...
main: Quitting...
0x10ac2c4 0xfd 0xe0
0x10ac2c5 0x7b 0x3
0x10ac2c6 0xbf 0x0
0x10ac2c7 0xa9 0x32
0x10ac2c8 0xfd 0xc0
0x10ac2ca 0x0 0x5f
0x10ac2cb 0x91 0xd6
krnl
dtre
rtsc
rdsk
/dev/disk4 /private/tmp/SSHRD
hdiutil: couldn't eject "disk2" - Resource busy
[-] An error occurred
Cloning into '/home/kali/Downloads/palera1n/ramdisk'...
any solution..?
[*] Cleaning up work directory
[*] Booting ramdisk
[] Getting device info... this may take a second
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[] Device should now show text on screen
[*] Waiting for the ramdisk to finish booting
Hello, iPhone10,1 on 15.7!
[] Switching device into recovery mode...
[] Waiting for device to reconnect in recovery mode
[] Getting device info...
[] Press any key when ready for DFU mode
Get ready (0)
Hold volume down + side button (0)
Keep holding (0)
Release side button, but keep holding volume down (0)
[] Device entered DFU!
[] Pwning device
[*] Booting device
Done!
The device should now boot to iOS
If you already have ran palera1n, click Do All in the tools section of Pogo
If not, Pogo should be installed to Tips
Blank screen. I tried ./palera1n.sh clean a few times after rebooting, multiple times, and every time it still does the same thing. Any pointers on what I'm doing wrong?
[] Getting device info...
[] Creating ramdisk
gzip: other/ramdisk.tar.gz: No such file or directory
[-] An error occurred
what is ?
Mac OS 12.5.1
iPhone 8 Global
iOS 15.6
I know your ramdisk branch and support for iOS 15 outside of the CT bug is still new and unstable but I wanted to give it a shot on my device and providing a log in case it helps.
Command ran, ./palera1n.sh --debug
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:02 ECID:001129EE08D3A02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: SETUP
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:02 ECID:001129EE08D3A02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: PATCH
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:02 ECID:001129EE08D3A02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
[*] Downloading BuildManifest
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-41763/0BC321DF-1A4E-473B-9EE0-BF126CB1CDA8/iPhone_4.7_P3_15.6_19G71_Restore.ipsw
init done
getting: BuildManifest.plist
100% [===================================================================================================>]
download succeeded
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f
Compiled with plist: YES
img4tool: failed with exception:
[exception]:
what=Failed to read shshFile
code=19529736
line=298
file=main.cpp
commit count=197:
commit sha =aca6cf005c94caf135023263cbb5c61a0081804f:
[-] An error occurred
It is attempting to read an shsh file; do we need to specify this file? I saw a different open issue where they specified the shsh file, but neither of the branches' READMEs specifies this. Is this an unintended error or an error due to being in the early stages?
Problem:
Jailbreak installed successfully no errors but after using the phone jailbroken for some time (5-10 mins ETA), phone switches into a black screen for 5-10 minutes (ETA) then reboots with jailbreak uninstalled (or phone becomes unpatched).
Hello, when I run the script, it's stuck at creating ramdisk.
My output:
****@Lenovo-Thinkpad-T440p:~/palera1n$ sudo ./palera1n.sh --dfu 15.2
palera1n | Version 1.0.0
Written by Nebula | Some code and ramdisk from Nathan | Patching commands and help from Mineek | Loader app by Amy
[*] Getting device info...
[*] Creating ramdisk
****@Lenovo-Thinkpad-T440p:~/palera1n$ sudo ./palera1n.sh --dfu 15.2
palera1n | Version 1.0.0
Written by Nebula | Some code and ramdisk from Nathan | Patching commands and help from Mineek | Loader app by Amy
[*] Getting device info...
[*] Creating ramdisk
Any chance to add T2 support?
So, when I ran ./palera1n.sh --debug
I got the output:
palera1n | Version 1.0.0
Written by Nebula | Some code and ramdisk from Nathan | Patching commands and help from Mineek | Loader app by Amy
Hello, iPad6,11 on 15.5!
[*] Switching device into recovery mode...
Telling device with udid e8e891ba80ffcaab5b1a106c3a5d5a39314bb16d to enter recovery mode.
Device is successfully switching to recovery mode.
[*] Waiting for device to reconnect in recovery mode
[*] Getting device info...
[*] Press any key when ready for DFU mode
Get ready (0)
Hold volume down + side button (0)
Keep holding (0)
Release side button, but keep holding volume down (0)
[-] Device didn't go in DFU mode, please rerun the script and try again
The device is in DFU mode though. I tested with SSHRD_Script.
Then I tried starting from DFU mode, so I ran ./palera1n.sh --dfu 15.5 --debug
output: https://pastebin.com/79yYmVWs
The device booted into iOS, but Tips was still Tips. So no Pogo installed.
I'm on 15.5 so I can't just use TrollStore.
I used usbmuxd2 by tihmstar on Ubuntu 22.04.1 LTS btw
palera1n | Version 1.0.0
Written by Nebula | Some code and ramdisk from Nathan | Patching commands and help from Mineek | Loader app by Amy
ERROR: No device found!
ERROR: No device found!
ERROR: No device found!
Hello, on !
[*] Switching device into recovery mode...
ERROR: No device found!
ERROR: No UDID specified
Usage: ideviceenterrecovery [OPTIONS] UDID
Makes a device with the supplied UDID enter recovery mode immediately.
When I try to add this: git checkout 254b42f067893ce32a10e8a99b2dfbec2149cb54
I get this: git checkout 254b42f067893ce32a10e8a99b2dfbec2149cb54
Note: switching to '254b42f067893ce32a10e8a99b2dfbec2149cb54'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:
git switch -c <new-branch-name>
Or undo this operation with:
git switch -
Turn off this advice by setting config variable advice.detachedHead to false
HEAD is now at 254b42f only include config if we have config
What should I do? Linux Ubuntu
Congratulations for your work.
I'm trying to test your jailbreak but it doesn't install pogo.
I tried to install via altstore but it doesn't work.
IPHONE 8 PLUS 10.5 IOS 15.6 b1 (19G5027e)
Below are the logs.
I tested both methods.
DFU and normal mode.
When it boots, the camera stops working,
as if you are jailbroken.
Follow the logs.
Thanks.
log.txt
logDFU.txt
I wonder: on my iPhone X (GSM) 15.2 beta 1, when I'm jailbroken with palera1n, the Wi-Fi option is greyed out. Is that a bug or is it supposed to be like that?
ebzrvf@ebzrvf:~/Desktop/palera1n$ sudo ./palera1n.sh
palera1n | Version 1.0.0
Written by Nebula | Some code and ramdisk from Nathan | Patching commands and help from Mineek | Loader app by Amy
./palera1n.sh: line 95: /home/ebzrvf/Desktop/palera1n/binaries/Linux/ideviceinfo: No such file or directory
./palera1n.sh: line 95: /home/ebzrvf/Desktop/palera1n/binaries/Linux/ideviceinfo: No such file or directory
./palera1n.sh: line 95: /home/ebzrvf/Desktop/palera1n/binaries/Linux/ideviceinfo: No such file or directory
Hello, on !
[*] Switching device into recovery mode...
./palera1n.sh: line 95: /home/ebzrvf/Desktop/palera1n/binaries/Linux/ideviceinfo: No such file or directory
./palera1n.sh: line 217: /home/ebzrvf/Desktop/palera1n/binaries/Linux/ideviceenterrecovery: No such file or directory
I have TrollStore; can I run palera1n on 15.5b1?
Hi,
If I was to run this on my 14.8 device, would it still work? Thanks a lot.
Most use TrollStore and have Persistence Helper injected into Tips
loadnl@loadnls-iMac palera1n % ./palera1n.sh /Users/loadnl/jb/palera1n/8ae.shsh2 --dfu 15.4.1 --debug
palera1n | Version 1.0.0
Written by Nebula | Some code by Nathan | Patching commands and ramdisk by Mineek | Loader app by Amy
[*] Getting device info...
ERROR: Unable to connect to device
[*] Pwning device
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:0011052210FBC02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: RESET
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:0011052210FBC02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: SPRAY
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:0011052210FBC02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: SETUP
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:0011052210FBC02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: PATCH
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:0011052210FBC02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
[*] Booting device
Done!
The device should now boot to iOS
If you already have installed Pogo, click uicache and remount preboot in the tools section
If not, get an IPA from the latest action build of Pogo and install with TrollStore
Add the repo mineek.github.io/repo for Procursus
I successfully booted, but nothing changed on iOS 15.6.1