verygenericname / sshrd_script Goto Github PK

View Code? Open in Web Editor NEW

384.0 29.0 154.0 47.72 MB

Shell script that creates a ssh ramdisk

License: BSD 3-Clause "New" or "Revised" License

Shell 100.00%

sshrd_script's Introduction

SSH Ramdisk Script

Create and boot a SSH ramdisk on checkm8 devices

Prerequsites

A computer running macOS/linux
A checkm8 device (A7-A11)

Usage

Clone and cd into this repository: git clone https://github.com/verygenericname/SSHRD_Script --recursive && cd SSHRD_Script
- If you have cloned this before, run cd SSHRD_Script && git pull to pull new changes
Run ./sshrd.sh <iOS version for ramdisk>, without the <>.
- The iOS version doesn't have to be the version you're currently on, but it should be close enough, and SEP has to be compatible
- If you're on Linux, you will not be able to make a ramdisk for 16.1+, please use something lower instead, like 16.0
  - This is due to ramdisks switching to APFS over HFS+, and another dmg library would have to be used
Place your device into DFU mode
- A11 users, go to recovery first, then DFU.
Run ./sshrd.sh boot to boot the ramdisk
Run ./sshrd.sh ssh to connect to SSH on your device
Finally, to mount the filesystems, run mount_filesystems
- /var is mounted to /mnt2 in the ssh session.
- /private/preboot is mounted to /mnt6.
- DO NOT RUN THIS IF THE DEVICE IS ON A REALLY OLD VERSION!!!!!!!
Have fun!

Linux notes

On Linux, usbmuxd will have to be restarted. On most distros, it's as simple as these 2 commands in another terminal:

sudo systemctl stop usbmuxd
sudo usbmuxd -p -f

Other commands

Reboot your device: ./sshrd.sh reboot
Erase all data from your device: ./sshrd.sh reset
Dump onboard SHSH blobs: ./sshrd.sh dump-blobs
Delete old SSH ramdisk: ./sshrd.sh clean

Other Stuff

Reddit Post

Credits

tihmstar for pzb/original iBoot64Patcher/img4tool
xerub for img4lib and restored_external in the ramdisk
Cryptic for iBoot64Patcher fork
opa334 for TrollStore
Nebula for a bunch of QOL fixes to this script
OpenAI for converting kerneldiff into C
Ploosh for KPlooshFinder

sshrd_script's People

Contributors

Stargazers

Watchers

Forkers

markkey014 itsnebulalol jerry-maheswara-github satyamisme mineek pharaoh1 ausha1 matdanh p5-2005 karamzaki2020 yunxuan0530 adityainsanw vanhvungve potatonc lustime linhbg1998 boomzero ksavipksa1234 adrmyid alexchenjun kowtham2002 chinagucheng bofhell planktonwhc asdfugil bthedorff palera1n ploosho chinatrojan xmamonx k0mraid3 vuong07 baimour zz9420 xxroot zulinsu le369 li317 sadotn dahoomdody naiff654321 streemline masbog gennnarino viteswallet beetle1981 dualra1n qtlunya soe7t8e7 ph4ntonn zupinguk fengdaokanhai bcultmediallc kenkit justnondev unknown0xff aaronlee3364 cowboy-shuai junepark678 itisghastly ttotal thianzganz rifern112 shraktotal yosoyhendrix ghosthalston emreblky afastaudir8 addisjackson orangera1n sachinsenals thk34 nerosow donnach gb000000 lgq2015 dl0s lukezgd 0xyf77 zihaozi0 mine556 llama254 xuezh01 mauwi81 jerry-nusatrip-edge nocontent06 corruptbandit hackt1vator tomdom420 kotorichan-1 huangjiaju traviszech mistuhhpalmer zll2317463866 mrclintons aihuohua macaty codeahmed agricu quanxingyyds

sshrd_script's Issues

install trollstore tho linuxmint (error init field)

Tried to install trollstore on my SE1 ios15.4.1,what is wrong?

Terninal1 as:
.......
iOS 15 iBoot detected!
getting get_boot_arg_patch(rd=md0 debug=0x2014e -v wdt=-1 ) patch
getting get_debug_enabled_patch() patch
getting get_unlock_nvram_patch() patch
getting get_sigcheck_patch() patch
applying patch=0x87000ca6c : 000080d2
applying patch=0x87000ca28 : 000080d2
applying patch=0x870001d28 : 000080d2c0035fd6
applying patch=0x870001d80 : 000080d2c0035fd6
applying patch=0x8700305f0 : 000080d2c0035fd6
applying patch=0x87000e630 : 200080d2
applying patch=0x87000fc50 : 5a930610
applying patch=0x87001ceb8 : 72643d6d64302064656275673d30783230313465202d76207764743d2d312000
applying patch=0x870013708 : 1f2003d5
main: Writing out patched file to work/iBEC.patched...
main: Quitting...
none
krnl
main: Starting...
Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-8020 inputted
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str loc at 0x973ee1
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str ref at 0x106ec64
get_amfi_out_of_my_way_patch: Patching AMFI at 0x106a2a8
main: Writing out patched file to work/kcache.patched...
main: Quitting...
0x106a2a8 0xfd 0xe0
0x106a2a9 0x7b 0x3
0x106a2aa 0xbf 0x0
0x106a2ab 0xa9 0x32
0x106a2ac 0xfd 0xc0
0x106a2ae 0x0 0x5f
0x106a2af 0x91 0xd6
krnl
dtre
rtsc
rdsk
/dev/disk2 /private/tmp/SSHRD
"disk2" ejected.
none
we are done, please use ./sshrd.sh boot to boot your device
cleanup...
lj407@MacBook-Pro SSHRD_Script % ./sshrd.sh boot
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
device should show text on screen now.
lj407@MacBook-Pro SSHRD_Script % ssh -p2222 root@localhost
The authenticity of host '[localhost]:2222 ([::1]:2222)' can't be established.
ECDSA key fingerprint is SHA256:lb9y8xaKPkXl5gUgA+WHH5TbDlRwWZ6Io7BBLbX+PuE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
root@localhost's password:
localhost:~ root# mount_filesystems
seputil: Gigalocker file (/mnt7/09FB8747-67E6-548A-87FE-431C84849C10.gl) exists
seputil: Gigalocker initialization completed
sepi digest (20 bytes): bd669d2359bfbddc0ae2aec6a7018b3de1d32d5c
sepi nonce (20 bytes): 0a8803721c85f286229b26111d69f87d4096c825
rsep digest (20 bytes): 552913c6de9925f4e1e1caf47eefd5cdce2829f5
rsep nonce (20 bytes): 0a8803721c85f286229b26111d69f87d4096c825
localhost:~ root# trollstoreinstaller tips
-sh: trollstoreinstaller: command not found

terminal2 as:

lj407@MacBook-Pro ~ % iproxy 2222 22
Creating listening port 2222 for device port 22
waiting for connection
New connection for 2222->22, fd = 5
waiting for connection
Requesting connecion to USB device handle 1645 (serial: ramdisk tool Aug 14 2022 11:28:57), port 22

ssh problem after modify restored_external please have a look on image

I manage to make it restored_external working but cant connect to ssh can u please check whats wrong here

Failing to boot after doing ./sshrd (ipsw) TrollStore Tips

iPhone 7 on iOS 14.6 (i don't want to use the jailbroken Trollstore, I want my device clean) after doing ./sshrd.sh boot, it gets stuck at

Btw using iOS 15.7 IPSW, if this is the issue then ill try my own version 14.6.
edit: booting stops at SEP EP 18 ENABLED

Edit 2: Solved! Used iOS 14.6 ipsw and successfully booted with TrollStore installed, Thank you 'verygenericname' for this tool!! <3

[Question] Can I install ONE tweak?

Hi! I have an iPhone X with iOS 15.6.1 without ANY SHSH blobs saved. I can't jailbreak it unless I do a tethered downgrade to iOS 14.3 with sunst0rm. I want to jailbreak it to ONLY use Frida.

So is it possible to use this script to manually install Frida DEB: copying & pasting its content (modifying FS) over SSH?

Thanks in advance.

Error when installing TrollStore via this script

I'm getting an error when installing the app with the script.

[*] Getting device info... this may take a second
jq: error (at <stdin>:1): Cannot index number with string "firmwares"
parse error: Invalid numeric literal at line 1, column 9
[-] An error occurred

The command I'm running is sudo ./sshrd.sh 15.4.1 TrollStore Tips
I'm installing it onto iOS 15.5 Beta 4 on my iPhone 8 (10,4)
I'm using Linux Mint 20.3

Windows?

Is there some way I can use this on my windows computer? Would I be able to use a linux vm? I just don't have a linux or macos computer, and I want to install trollstore on my ipad.

Can't ssh into ramdisk

First of all, i love your work. This project is amazing.
It worked fine on my iPhone 6 but i could not manage to use it with my iPad:

After booting to the ramdisk i cannot connect to my iPad. Only thing i can do is to hard reset it.

iPad 5 (iPad 6,11) on iOS 15.5

What i ran:
Installed prerequisites and cloned repo

./sshrd.sh https://updates.cdn-apple.com/2021FallFCS/fullrestores/071-98156/BB24CD59-96C7-472C-BDFE-B40C0DED2370/iPad_64bit_TouchID_ASTC_14.8_18H17_Restore.ipsw

(iOS 14.8 IPSW)

./sshrd.sh boot

Then this appeared on my iPad (sorry for that quality):

New terminal window:

iproxy 2222 22

Original terminal:

$ssh -p2222 root@localhost
kex_exchange_identification: Connection closed by remote host
Connection closed by 127.0.0.1 port 2222

In iproxy terminal:

$iproxy 2222 22
Creating listening port 2222 for device port 22
waiting for connection
New connection for 2222->22, fd=5
waiting for connection
Connecting to usbmuxd failed, terminating.

Everything was done on Ubuntu 22.04.1 LTS
So far i have tried to

use ipsw 15.6.1 & 14.6 link
use different usb port
boot pc from live usb

Thanks in advance,
Uckermark

iPad 7 Failed Install of TrollStore Helper

I'm unable to get TrollStore Helper installed. I used this command:

./sshrd.sh https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52155/B842569C-B688-44DA-9058-9B8DC5936A52/iPad_10.2_15.6.1_19G82_Restore.ipsw TrollStore Tips

This seems to be where it failed:

get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str loc at 0x9a7061
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str ref at 0x10bcc64

Click to view full output

boolean@boolean:~/Documents/SSHRD_Script$ ./sshrd.sh https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52155/B842569C-B688-44DA-9058-9B8DC5936A52/iPad_10.2_15.6.1_19G82_Restore.ipsw TrollStore Tips
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
100 1259k    0 1259k    0     0   589k      0 --:--:--  0:00:02 --:--:-- 4616k
Archive:  gaster-Linux.zip
  inflating: gaster                  
waiting for dfu mode device
waiting for dfu mode device
waiting for dfu mode device
waiting for dfu mode device
usb_timeout: 5
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:1C ECID:000130901EBA8026 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
Found the USB handle.
Stage: RESET
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:1C ECID:000130901EBA8026 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
Found the USB handle.
Stage: SPRAY
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:1C ECID:000130901EBA8026 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
Found the USB handle.
Stage: SETUP
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:1C ECID:000130901EBA8026 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
Found the USB handle.
Stage: PATCH
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:1C ECID:000130901EBA8026 IBFL:3C SRTG:[iBoot-2696.0.0.1.33] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f-RELEASE
Compiled with plist: YES
Saved IM4M to work/IM4M
Version: 3fc8c093f4660f6c6e07c0c9214618733da01ffc - 36
libfragmentzip version: 0.60-120447d0f410dffb49948fa155467fc5d91ca3c8
init pzb: https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52155/B842569C-B688-44DA-9058-9B8DC5936A52/iPad_10.2_15.6.1_19G82_Restore.ipsw
init done
getting: BuildManifest.plist
100% [===================================================================================================>]
download succeeded
Version: 3fc8c093f4660f6c6e07c0c9214618733da01ffc - 36
libfragmentzip version: 0.60-120447d0f410dffb49948fa155467fc5d91ca3c8
init pzb: https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52155/B842569C-B688-44DA-9058-9B8DC5936A52/iPad_10.2_15.6.1_19G82_Restore.ipsw
init done
getting: Firmware/dfu/iBSS.ipad7c.RELEASE.im4p
100% [===================================================================================================>]
download succeeded
Version: 3fc8c093f4660f6c6e07c0c9214618733da01ffc - 36
libfragmentzip version: 0.60-120447d0f410dffb49948fa155467fc5d91ca3c8
init pzb: https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52155/B842569C-B688-44DA-9058-9B8DC5936A52/iPad_10.2_15.6.1_19G82_Restore.ipsw
init done
getting: Firmware/all_flash/DeviceTree.j171ap.im4p
100% [===================================================================================================>]
download succeeded
Version: 3fc8c093f4660f6c6e07c0c9214618733da01ffc - 36
libfragmentzip version: 0.60-120447d0f410dffb49948fa155467fc5d91ca3c8
init pzb: https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52155/B842569C-B688-44DA-9058-9B8DC5936A52/iPad_10.2_15.6.1_19G82_Restore.ipsw
init done
getting: Firmware/078-34285-081.dmg.trustcache
100% [===================================================================================================>]
download succeeded
Version: 3fc8c093f4660f6c6e07c0c9214618733da01ffc - 36
libfragmentzip version: 0.60-120447d0f410dffb49948fa155467fc5d91ca3c8
init pzb: https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52155/B842569C-B688-44DA-9058-9B8DC5936A52/iPad_10.2_15.6.1_19G82_Restore.ipsw
init done
getting: kernelcache.release.ipad7c
100% [===================================================================================================>]
download succeeded
Version: 3fc8c093f4660f6c6e07c0c9214618733da01ffc - 36
libfragmentzip version: 0.60-120447d0f410dffb49948fa155467fc5d91ca3c8
init pzb: https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52155/B842569C-B688-44DA-9058-9B8DC5936A52/iPad_10.2_15.6.1_19G82_Restore.ipsw
init done
getting: 078-34285-081.dmg
100% [===================================================================================================>]
download succeeded
usb_timeout: 5
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:1C ECID:000130901EBA8026 IBFL:3C SRTG:[iBoot-2696.0.0.1.33] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
main: Starting...
iOS 15 iBoot detected!
getting get_boot_arg_patch(rd=md0 debug=0x2014e -v wdt=-1 TrollStore=Tips) patch
getting get_debug_enabled_patch() patch
getting get_unlock_nvram_patch() patch
getting get_sigcheck_patch() patch
applying patch=0x1800c457c : 000080d2
applying patch=0x1800c45c4 : 000080d2
applying patch=0x1800b1f64 : 000080d2c0035fd6
applying patch=0x1800b1fbc : 000080d2c0035fd6
applying patch=0x1800ef6e4 : 000080d2c0035fd6
applying patch=0x1800c61b4 : 200080d2
applying patch=0x1800c7718 : d8100b50
applying patch=0x1800dd932 : 72643d6d64302064656275673d30783230313465202d76207764743d2d312054726f6c6c53746f72653d5469707300
applying patch=0x1800cba78 : 1f2003d5
main: Writing out patched file to work/iBSS.patched...
main: Quitting...
none
krnl
main: Starting...
main: Detected fat macho kernel
Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-8020 inputted
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str loc at 0x9a7061
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str ref at 0x10bcc64
get_amfi_out_of_my_way_patch: Patching AMFI at 0x10b82a8
main: Writing out patched file to work/kcache.patched...
main: Quitting...
0x10b82c4 0xfd 0xe0
0x10b82c5 0x7b 0x3
0x10b82c6 0xbf 0x0
0x10b82c7 0xa9 0x32
0x10b82c8 0xfd 0xc0
0x10b82ca 0x0 0x5f
0x10b82cb 0x91 0xd6
krnl
dtre
rtsc
rdsk
none
we are done, please use ./sshrd.sh boot to boot your device
cleanup...
boolean@boolean:~/Documents/SSHRD_Script$ ./sshrd.sh boot
[==================================================] 100.0%
ERROR: Unable to connect to device
failed

Device

Device: iPad 7
OS: iPadOS 15.1

Additional Details

I am running this on an Ubuntu 22.04 USB (not live) because I had trouble getting the dependencies installed on the live usb version.

how to make purple mode file?

iv key fixed

Darwin/gtar: sshtars/ssh.tar: Cannot open: No such file or directory
Darwin/gtar: Error is not recoverable: exiting now
failed

Can I write permanently `/mnt1` with iOS 15?

After mount_filesystems I created a directory with mkdir -p /mnt1/usr/lib/frida/ then I used reboot command to reboot device in normal mode. Anyway when I runned again ./sshrd.sh boot to check if directory was present I discovered that it was gone. Why? Maybe because I can't write to / in iOS 15?

i need contact you

Bro i need talk with you, is important TELEGRAM: (+52 477 555 13 96)

other thing
In your mount_filesystems file, you need add => /sbin before mount_apfs

what is ipsw

./sshrd.sh
what is ipsw?
Can you give an example? ios14.3

Cannot connect to device - iPad 6th gen

Bus 008 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 007 Device 005: ID 1ea7:0907 SHARKOON Technologies GmbH Keyboard Bus 007 Device 004: ID 046d:0836 Logitech, Inc. B525 HD Webcam Bus 007 Device 003: ID 1532:0083 Razer USA, Ltd RC30-0315, Gaming Mouse [Basilis k X HyperSpeed] Bus 007 Device 002: ID Obda:5411 Realtek Semiconductor Corp. RTS5411 Hub Bus 007 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 003 Device 006: ID 264a:1fb4 Thermaltake Bus 003 Device 005: ID 0424:2512 Microchip Technology, Inc. (formerly SMSC) USB 2.0 Hub Bus 003 Device 004: ID 1e71:2007 NZXT NZXT USB Device Bus 003 Device 003: ID 05e3:0608 Genesys Logic, Inc. Hub Bus 003 Device 002: ID 1462:7c37 Micro Star International MYSTIC LIGHT Bus 003 Device 020: ID 05ac:1227 Apple, Inc. Mobile Device (FU Mode) Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 001 Device 003: ID 8087:0aa7 Intel Corp. Wireless-AC 3168 Bluetooth Bus 001 Device 002: ID 1532:0083 Razer USA, Ltd RC30-0315, Gaming Mouse [Basilis k X HyperSpeed] Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

I keep running into an error saying it can’t connect to the device. I checked the only place I know (I’m n00b) and it looks like the device is connected, in DFU mode, and has the right device ID(?), but I keep running into this error in the screenshot. iPad 6th Gen cellular, 15.4. I have libusb installed and am running the latest release of Ubuntu, freshly installed.

No boot from iPad Mini 2

I tried your script with my iPhone X with no problems. But it doesn't work (see output below) with my iPad Mini 2

% ./sshrd.sh boot && ./sshrd.sh ssh
[*] Waiting for device in DFU mode
[*] Getting device info... this may take a second
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==                                                ] 3.9%[*] Device should now show text on screen # NO OUTPUT ONLY BLACK SCREEN
kex_exchange_identification: Connection closed by remote host
Connection closed by ::1 port 2222
[-] An error occurred

Note to create SSH ramdisk I used this ./sshrd.sh 12.5.6 and to send components I compiled irecovery 1.0.1.
I have a similar (or maybe the same I don't know) problem with futurerestore because it reports an error when it tries to send iBEC.img4.

Problem on mount_filesystem

/sshpass -p 'alpine' ssh -o StrictHostKeyChecking=no -p2222 root@localhost '/usr/bin/mount_filesystems'

Failed to mount file system By sshpass automatic :v

need to access via sftp protocol

Dear Nathan,

please put /usr/lib/libresolv.9.dylib in ssh.tar so that we can access via sftp protocol.

I did it in my experiment, and it worked.

Thanks.

iphone x cannot boot into custom ramdisk

./sshrd.sh https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52718/E165707F-2AA7-40C8-B1A5-0BB94E3F845A/iPhone10,3,iPhone10,6_15.6.1_19G82_Restore.ipsw
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:0011052210FBC02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: RESET
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:0011052210FBC02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: SPRAY
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:0011052210FBC02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: SETUP
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:0011052210FBC02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: PATCH
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:0011052210FBC02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f
Compiled with plist: YES
Saved IM4M to work/IM4M
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52718/E165707F-2AA7-40C8-B1A5-0BB94E3F845A/iPhone10,3,iPhone10,6_15.6.1_19G82_Restore.ipsw
init done
getting: BuildManifest.plist
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52718/E165707F-2AA7-40C8-B1A5-0BB94E3F845A/iPhone10,3,iPhone10,6_15.6.1_19G82_Restore.ipsw
init done
getting: Firmware/dfu/iBSS.d22.RELEASE.im4p
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52718/E165707F-2AA7-40C8-B1A5-0BB94E3F845A/iPhone10,3,iPhone10,6_15.6.1_19G82_Restore.ipsw
init done
getting: Firmware/all_flash/DeviceTree.d22ap.im4p
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52718/E165707F-2AA7-40C8-B1A5-0BB94E3F845A/iPhone10,3,iPhone10,6_15.6.1_19G82_Restore.ipsw
init done
getting: Firmware/078-34285-081.dmg.trustcache
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52718/E165707F-2AA7-40C8-B1A5-0BB94E3F845A/iPhone10,3,iPhone10,6_15.6.1_19G82_Restore.ipsw
init done
getting: kernelcache.release.iphone10b
100% [===================================================================================================>]
download succeeded
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52718/E165707F-2AA7-40C8-B1A5-0BB94E3F845A/iPhone10,3,iPhone10,6_15.6.1_19G82_Restore.ipsw
init done
getting: 078-34285-081.dmg
100% [===================================================================================================>]
download succeeded
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:0011052210FBC02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
main: Starting...
iOS 15 iBoot detected!
getting get_boot_arg_patch(rd=md0 debug=0x2014e -v wdt=-1) patch
getting get_debug_enabled_patch() patch
getting get_unlock_nvram_patch() patch
getting get_sigcheck_patch() patch
applying patch=0x180030ad0 : 000080d2
applying patch=0x180030b18 : 000080d2
applying patch=0x18001df64 : 000080d2c0035fd6
applying patch=0x18001dfbc : 000080d2c0035fd6
applying patch=0x180063144 : 000080d2c0035fd6
applying patch=0x18003289c : 200080d2
applying patch=0x180033e14 : 78b80c10
applying patch=0x18004d520 : 72643d6d64302064656275673d30783230313465202d76207764743d2d3100
applying patch=0x1800389bc : 1f2003d5
main: Writing out patched file to work/iBSS.patched...
main: Quitting...
none
krnl
main: Starting...
Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-8020 inputted
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str loc at 0x39a7b5
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str ref at 0x12d2da4
get_amfi_out_of_my_way_patch: Patching AMFI at 0x12cf5e0
main: Writing out patched file to work/kcache.patched...
main: Quitting...
0x12cf5e0 0xfd 0xe0
0x12cf5e1 0x7b 0x3
0x12cf5e2 0xbf 0x0
0x12cf5e3 0xa9 0x32
0x12cf5e4 0xfd 0xc0
0x12cf5e6 0x0 0x5f
0x12cf5e7 0x91 0xd6
krnl
dtre
rtsc
rdsk
/dev/disk4 /private/tmp/SSHRD
"disk4" ejected.
none
we are done, please use ./sshrd.sh boot to boot your device
cleanup...
loadnl@loadnls-iMac SSHRD_Script % ./sshrd.sh boot
[==================================================] 100.0%
ERROR: Unable to connect to device
failed

Iphone 6s plus

what's wrong

Gaster just waits

gaster just waits like that --- the other pwndfu's working perfectly.

does iphone 4 (rev a) ios 7.1.2 supported?

hi, i have a iphone 4 (rev a) running on ios 7.1.2 and that can't activate
now i want use ssh_rd for ssh to my iphone and delete setup

so does iphone 4 (rev a) ios 7.1.2 supported? and how to ssh to this?

REQ: Please add restored_external source

Please add the source of restored_external thanks

Can't boot ramdisk

3 and 4 steps from readme complete without errors, but on the device it stops with something like this:
Bootstrap path: path = /AppleInternal/Library/LaunchDaemons, error = 2: No such file or directory.
Hence iProxy also doesn't work: in SSH terminal it says, "connection reset by peer", and in iProxy terminal -- "No connected device found. Terminating"
I'm using LiveUSB with Ubuntu-22.04, installed libimobiledevice-utils, libirecovery-common, libirecovery-1.0-3, irecovery and libusbmuxd-tools as dependences, trying to boot iPhone SE on iOS 15.4.1, as ipsw for step 3 using iOS 15.6.1 (also tried with iOS 15.4.1 link). Before step 3 iPhone successfully paired with PC using "idevicepair pair".

ios 16 mount issue iphone 8

ssh is okay and when im trying to mount_filesystems iget this error

how to use auto command: sshpass -p 'alpine' ssh -o StrictHostKeyChecking=no root@localhost mount_filesystems

how to use auto command: sshpass -p 'alpine' ssh -o StrictHostKeyChecking=no root@localhost mount_filesystems
I have to manually type ssh -p2222 root@localhost and then enter mount_filesystems which is very inconvenient

n71 error

Version: 3fc8c093f4660f6c6e07c0c9214618733da01ffc - 36
libfragmentzip version: 0.60-120447d0f410dffb49948fa155467fc5d91ca3c8
init pzb: https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-41736/19A1E631-3FB4-4F85-BE5B-266C40FACEEB/iPhone_4.7_15.6_19G71_Restore.ipsw
init done
Error: file Firmware/.trustcache does not exist, or is a directory
failed

does ipad support

ipad mini4

Create New Auto Mount on script

Failure to mount partition using mount_filesystems

Can i mount manually the partition? This happens when trying to mount_filesystems for A11 device iOS16 , iPhone10,1 , iPhone 8.

What will be the mounting syntax for manual mounting? Thanks in advance for your help

loading ramdisk to device failing

i have an iphone 8 on 15.5b4 and i have the ramdisk with trollstore on it but when using the boot command it times out after the first file is sent i have run each of the commands and the one wich sends the ram disk get stuck at 1.2% regardless of wich ios version the image is based on i am not sure what else to try after every try booting the device losses usb connection and replugging causeis it to boot into ios

Failed to mount on renci ssh but on manual terminal okay

Im doing .net but when i try to call mount on renci ssh i got error but when i try manually on cmd mount success do you have any idea of this bro?

Full Root Access?

OS: Mac OS Monterey 12.5
Device: iPhone 8 (Global)
IOS: Was 15.6 but downgraded to 14.8 using sunst0rm (also tried 14.4.2)
Possible Issue: Not having full root access?

When I attempt to move/edit a file to/mnt2/mobile/containers/Data/Applicationor /mnt2/containers/Bundle/Application I always get "operator not permitted. I have tried through the terminal, Cyberduck and Termius. I have tried giving all folders needed all permissions using chmod 777. Any ideas?

Can't boot into SSH

OS: Mac OS Monterey 12.5
Device: iPhone 8 (Global)
IOS: 15.6
Issue: Not able to boot into SSH mode anymore. I have done a git pull and retried numerous times. I have tried both linking to iOS 14.8 and 15.6 IPSW both with and without blobs from 15.6. I have also tried using my master to pwn, the built in pwn and ipwnder-lite (my usual go to that works). When I try ./sshrd.sh boot while pwned, there is no output given, it just ends.

Below is how it ends. Idk if the usb_time is an error or not.
100% [===================================================================================================>] download succeeded usb_timeout: 5 [IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227 CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:02 ECID:001129EE08D3A02E IBFL:3C SRTG:[iBoot-3332.0.0.1.23] PWND:[ipwnder] Found the USB handle. Now you can boot untrusted images. [IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227 Found the USB handle.

mount iPad Air2 and mini4

I test 2 iPad model air2 & mini4 have partition problem: Permission denied
Can this problem be fixed bro?

same here: https://www.reddit.com/r/setupapp/comments/vc30t0/ipad_air_2_success_boot_on_ramdisk_but_cannot/

localhost:~ root# /sbin/mount_apfs /dev/disk0s1s4 /mnt4
mount_apfs: volume could not be mounted: Permission denied
localhost:~ root# /sbin/mount_apfs /dev/disk0s1s5 /mnt5
mount_apfs: volume could not be mounted: Permission denied
localhost:~ root# /sbin/mount_apfs /dev/disk0s1s3 /mnt7
mount_apfs: volume could not be mounted: Permission denied
localhost:~ root# /usr/libexec/seputil --gigalocker-init
seputil: Gigalocker not needed on platform, skipping initialization
<xec/seputil --load /mnt4//usr/standalone/firmware/sep
seputil: can't open '/mnt4//usr/standalone/firmware/sep', errno: No such file or directory(2)
seputil: rejecting zero-byte firmware
seputil: failed to load /mnt4//usr/standalone/firmware/sep in mode
localhost:~ root# /sbin/mount_apfs /dev/disk0s1s2 /mnt2
mount_apfs: volume could not be mounted: Permission denied
localhost:~ root#

iPad partition mount problem

I tried iPad gen 6, gen 7, iPad pro2 12.9, iPad Pro 10.5 all have no system partition to mount as shown in the picture
Please help me fix this problem, thank you!

Sorry. I don’t have telegram, I will add the /sbin/ part later

How i can contact you?

https://github.com/Brayan-Villa/sshtars/blob/main/ssh.tar.lzma

sshrd iOS13

If i want to ramdisk iOS 13 i need link ipsw ios13 or .shsh ios13 or link ipsw 15.6.1 compatible all iOS 11-15?
Thank you brother for your support

Failure to use boot command

Note: coming from TrollStore install methods

From Issue #40:

I just tried it again without running ./sshrd.sh boot afterwards and it turned itself on after a few seconds. It seems to be turning itself on before ./sshrd.sh boot can run/finish.

This also seems to be the case for me; The boot command has been run many times and has always caused the device to restart right after the second loading bar reaches 100%.

The initial command seems to run fine but cannot boot the device without "./sshrd.sh boot", which restarts the target device before it itself can finish the boot process.

One thing of note is that the first time I used this script it worked fine without problems, but I already had an Xcode test app by the same name of "TrollInstaller", so I assume it blocked the new one from installing.

Info: iPad 6,11 / Gen 5 WiFi / iOS 15.1 / A9 architecture

Exec format error

When i run the script it shows this:
./sshrd.sh: 43: ./sshrd.sh: Linux/irecovery: Exec format error
./sshrd.sh: 44: ./sshrd.sh: Linux/irecovery: Exec format error
./sshrd.sh: 133: ./sshrd.sh: Linux/gaster: Exec format error
failed

What's wrong?

iPhone 10,6 init pzb failed

I'm getting the message

init pzb ../iPhone10,3,iPhone10,6_15.6.1_19G82_Restore.ipsw 

Error init failed

failed

Everything preceeding seems to run fine.

I'm running on Linux

init failed

@verygenericname yo im trynna use your tool on a ubuntu based distro but im getting this weird issue

sudo ./sshrd.sh /home/berti/Downloads/iPhone_4.7_P3_15.6.1_19G82_Restore.ipsw
[sudo] password for berti:
usb_timeout: 5
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:000A114A3A3A0026 IBFL:3C SRTG:[iBoot-2696.0.0.1.33] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f-RELEASE
Compiled with plist: YES
Saved IM4M to work/IM4M
Version: 3fc8c093f4660f6c6e07c0c9214618733da01ffc - 36
libfragmentzip version: 0.60-120447d0f410dffb49948fa155467fc5d91ca3c8
init pzb: /home/berti/Downloads/iPhone_4.7_P3_15.6.1_19G82_Restore.ipsw
Error init failed
failed

Small problem mount_filesystems

Everything works fine if the device is not passcode, or the device state "hello screen" when mount using mount_filesystems

if device disabled, passcode when mount_filesystems will be disconnected and reboot

Tested iPad Pro 9.7

Req: May i know some modifications in xerub restored_external.c

Hello brother im sorry to bother you but may i know the modification in restored_external.c when i try to modify it it failing to open the ssh i already signed the binary with ldid2

Failed to read shshFile

Im trying to install TrollStore on an iPhone 6s but it fails and not sure what to do
Output:

sudo ./sshrd.sh https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52552/90DDC844-B111-4CBF-8C86-E2A8B604B3D2/iPhone_4.7_15.6.1_19G82_Restore.ipsw TrollStore Tips
waiting for dfu mode device
waiting for dfu mode device
waiting for dfu mode device
waiting for dfu mode device
waiting for dfu mode device
Linux/irecovery: error while loading shared libraries: libplist-2.0.so.3: cannot open shared object file: No such file or directory
Linux/irecovery: error while loading shared libraries: libplist-2.0.so.3: cannot open shared object file: No such file or directory
usb_timeout: 5
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8003 CPRV:01 CPFM:03 SCEP:01 BDID:04 ECID:0011643604B8EC26 IBFL:1C SRTG:[iBoot-2234.0.0.2.22]
Found the USB handle.
Stage: RESET
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8003 CPRV:01 CPFM:03 SCEP:01 BDID:04 ECID:0011643604B8EC26 IBFL:1C SRTG:[iBoot-2234.0.0.2.22]
Found the USB handle.
Stage: SETUP
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8003 CPRV:01 CPFM:03 SCEP:01 BDID:04 ECID:0011643604B8EC26 IBFL:1C SRTG:[iBoot-2234.0.0.2.22]
Found the USB handle.
Stage: PATCH
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8003 CPRV:01 CPFM:03 SCEP:01 BDID:04 ECID:0011643604B8EC26 IBFL:1C SRTG:[iBoot-2234.0.0.2.22] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f-RELEASE
Compiled with plist: YES
img4tool: failed with exception:
[exception]:
what=Failed to read shshFile
code=19529736
line=298
file=main.cpp
commit count=197
commit sha  =aca6cf005c94caf135023263cbb5c61a0081804f
failed

Ssh iphone 6

How mount disk iphone 6 and mount mnt4 sir!!!

Setting Nonce

OS: Mac OS Monterey 12.5
Device: iPhone 8 (Global)
IOS: 15.6.1
I received the following permissions/privilege error when trying to set nonce

localhost:/ root# nvram com.apple.System.boot-nonce=0x1111111111111111
Error setting variable - 'com.apple.System.boot-nonce': (iokit/common) privilege violation.

Invalid iv key boss

Invalid IV Key
failed…

create ssramdisk fail

OS:ubuntu
iphonex , ios15.1.1
use checkra1n to boot into recovery and dfu

stop at this step for a long time:

chengzi@cheng:~/SSHRD_Script$ sudo ./sshrd.sh https://updates.cdn-apple.com/2021FallFCS/fullrestores/071-63899/6CAB53E5-5411-4140-BA83-0E37B1397558/iPhone10,3,iPhone10,6_15.1_19B74_Restore.ipsw
usb_timeout: 5
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:000474141032402E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: RESET
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:06 ECID:000474141032402E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Found the USB handle.
Stage: SPRAY

iPhone6p ssh ok, mount failed

iPhone 6p iOS 12.5.5 ssh via ramdisk (sshrd.sh)
Everything worked fine until I used the mount_filesystems command (renamed it to mount_party)
and try to enter it manually still error.
Partitions are always empty
Really need help bro!