A set of tools that can make a ssh ramdisk for 32-bit iDevices.
macOS supported only. Will never support other OSes.

pzb: Download firmware partially, only download a part of it. Saves your bandwidth and time. You just need to download restoreramdisk, ibss, ibec, devicetree and kernelcache.

iBoot32Patcher: Patch iBEC and iBSS for removing sigchecks and adding boot-args.

mount.sh: Used for mounting ramdisk. The ramdisk should be renamed to RestoreRamdisk.dmg

unmount.sh: Used for unmounting ramdisk. The ramdisk should be renamed to RestoreRamdisk.dmg

xpwntool: Decrypt firmware components. Used to decrypt ibss, ibec, and other things.

packimg3.sh: Pack ramdisk to a img3 container. For an iOS device, only img3 format is suitable for booting.

irecovery: A tool for communicating with device in DFU mode

1. Goto ipsw.me/keys (Requires login) or theiphonewiki.com/wiki/Firmware_Keys to find keys and ivs. Write down the filename of RestoreRamdisk.
   
2. Use pzb to download:
   ./pzb [LINK TO IPSW]
   Files needed to download:
   (1) XXX-XXXX-XXX.dmg (the name of RestoreRamdisk)
   (2) Firmware/dfu/iBEC.xxx.RELEASE.dfu
   (3) Firmware/dfu/iBSS.xxx.RELEASE.dfu
   (4) kernelcache.release.xxx
   (5) Firmware/all_flash/all_flash.xxx.production/DeviceTree.xxx.img3
   
3. Decrypt all the files using xpwntool
   ./xpwntool [devicetree/kernelcache] [out_file] -iv [iv] -k [key] -decrypt
   ./xpwntool [ramdisk/iBEC/iBSS] [out_file] -iv [iv] -k [key]
   
4. Patch iBSS and iBEC
   ./iBoot32Patcher [decrypted_ibss] [patched_file]
   ./iBoot32Patcher [decrypted_ibec] [patched_file] -b "rd=md0 -v amfi=0xff cs_enforcement_disable=1"
   
5. Resize and mount the ramdisk
   hdiutil resize -size 32M RestoreRamdisk.dmg
   mkdir mp
   ./mount.sh
   
6. Extract sshd to ramdisk
   tar -xvf ssh.tar -C mp
   You can modify mp/etc/rc.boot for doing something when booting ramdisk.
   
7. Unmount the ramdisk, then make the img3 image of ramdisk.
   ./unmount.sh
   ./packimg3.sh
   
8. Boot the ramdisk
   Let your device enter pwned DFU mode.
   for iPhone, send kloader and patched iBSS to the root directory of your device. for iPad, send iBEC instead of iBSS.
   ssh into your device and run: /kloader /[Your ibss or ibec]
   {
   ./image3maker -t ibec -f [patched_ibec] -o pwnediBEC
   ./irecovery -f pwnediBEC
   }
   Skip these command in {} if it is an iPad
   ./irecovery -s
   On the shell, type:
   /send [devicetree]
   devicetree
   /send [ramdisk]
   ramdisk
   /send [kernelcache]
   bootx
   Then your ramdisk will be successfully booted!

ida_patcher and restored_external_verbose_patch.dif is made for booting in verbose mode.
If you don't want apple logo shown when booted, please patch mp/usr/local/bin/restored_external using this command:
./ida_patcher -i restored_external -p restored_external_verbose_patch.dif