kairos's Issues

Device boots but not partitions

iOS 11.4.1
iPhone 5S BoardID N69AP
Both lines tried:
../bin/kairos ibss.raw ibss.pwn -b "rd=md0 debug=0x14e"
../bin/kairos ibec.raw iibec.pwn -b "rd=md0 debug=0x14e"

Other args tested, even tested the Ramiel app: no partitions mount at all
rd=md0
rd=md0 -v
rd=md0 serial=3 debug=0x14e

boot args for kairos "rd=md0 -v"
No success on iOS 11-12

Flash order dummy
iBSS
iBEC
Ramdisk
DeviceTree
iOS 11 doesn't have trustcache
Kernel

13.4.1 BootLoader - iBSS / iBEC - Segmentation Fault 11

kairos ./iBSS.13.4.1.dec ibss.13.4.1.pat
[+] Patching ./iBSS.13.4.1.dec
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x2c66d
[+] Found IMG4 xref at 0xf0ec
[+] Found beginning of _image4_get_partial at 0xf07c
[+] Found xref to _image4_get_partial at 0x10694
[+] Found start of sub_1803905c8
[+] Found ADR X2, 0x1803b30ac at 0x30f2c
[+] Call to 0x7ffe7fc80000
Segmentation fault: 11

Kyles-MacBook-Air:ipad 13.1 kyletill$ kairos ./iBEC.13.4.1.dec ibec.13.4.1.pat.im4p
[+] Patching ./iBEC.13.4.1.dec
[+] Does have kernel load
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x47a2a
[+] Found debug-enabled xref at 0x11634
[+] Found second bl after debug-enabled xref at 0x11648
[+] Wrote MOVZ X0, #1 to 0x870011648
[+] Enabled kernel debug
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x478e5
[+] Found IMG4 xref at 0xf464
[+] Found beginning of _image4_get_partial at 0xf3f4
[+] Found xref to _image4_get_partial at 0x11374
[+] Found start of sub_870011234
[+] Found ADR X2, 0x87005369b at 0x4a510
[+] Call to 0xfffffff790000000
Segmentation fault: 11

This doesn't happen with other boot loaders such as 13.1

Test 13.1

kairos ./ibec.13.1.dec ibec.del
[+] Patching ./ibec.pat
[+] Does have kernel load
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x4a1c8
[+] Found debug-enabled xref at 0x1202c
[+] Found second bl after debug-enabled xref at 0x12084
[+] Wrote MOVZ X0, #1 to 0x870012084
[+] Enabled kernel debug
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x4a083
[+] Found IMG4 xref at 0xfc7c
[+] Found beginning of _image4_get_partial at 0xfbf0
[+] Found xref to _image4_get_partial at 0x10af4
[+] Found start of sub_8700108d4
[+] Found ADR X2, 0x87004b848 at 0x10c34
[+] Call to 0xff1c
[+] RET found for sub_87000ff1c at 0x1055c
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to ibec.del

############

Seems to be replicated on two different Macs running Mojave and Catalina.

Specifics are iPad6,11 J71tap 13.4.1 iBSS and iBEC
Keys aren't on the wiki so here they are.

iBSS = Decrypting with s8003si GID key.
eb3e08750649eb98ca95d92878bac99b4d117078a1e06514cf8a8342366d2cae2b372acd34283968302c6cf299c3818d

iBEC = Decrypting with s8003si GID key.
f7a10fada9b3dae80afbc53450551686abbaf5935a82eb2cdb5495d8799989e3319a2f90a0cc893a61cad744d53a8931

Segmentation Fault: 11

Hi,
I followed the README, but it went wrong:

 ss$ ./kairos kernelcache.dec iBEC.patched -n -b "-v debug=0x09" -c "go" 0x830000300
[+] Patching kernelcache.dec
Segmentation fault: 11

kernelcache.dec is decrypted and unpacked.
Version: iOS 13.2.2
Thx

boot-args patch option seemingly ignored

I am trying to patch a macOS 12.3.1 iBoot for Apple Virtual Machine 1 (VirtualMac2,1). The -b option appears to be ignored.

nick@NickdeMacBook-Pro vm % ~/Documents/kairos/kairos iBEC.raw iBEC.patched -b '-v keepsyms=1 serial=3 debug=0xfffffffe launchd_unsecure_cache=1 launchd_missing_exec_no_panic=1 amfi=0xff amfi_allow_any_signature=1 amfi_get_out_of_my_way=1 amfi_allow_research=1 amfi_unrestrict_task_for_pid=1 amfi_unrestricted_local_signing=1 cs_enforcement_disable=1 pmap_cs_allow_modified_code_pages=1 pmap_cs_enforce_coretrust=0 pmap_cs_unrestrict_pmap_cs_disable=1 -unsafe_kernel_text dtrace_dof_mode=1 panic-wait-forever=1 -panic_notify cs_debug=1 PE_i_can_has_debugger=1 wdt=-1 nand-enable-reformat=1 rd=md0 -restore -progress' -n
[+] Patching iBEC.raw
[+] Base address: 0x7006c000
[!] PAC bootloader detected
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x4bfe1
[+] Found IMG4 xref at 0x3e7c
[+] Found beginning of _image4_get_partial at 0x3e08
[+] Found xref to _image4_get_partial at 0x4a20
[+] Found start of sub_7007093c
[+] Found ADR X2, 0x700cba1b at 0x48bf0
[+] Call to sub_700cba1b
[+] ret0 gadget at 0x4918
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to iBEC.patched
nick@NickdeMacBook-Pro vm % strings iBEC.patched | grep restore
aborting autoboot due to tethered restore.
M = 0x4: restore mode image
restore-security-overrides0
restore-security-overrides1
restore-security-overrides2
restore-security-overrides3
 -restore

Possible iOS 9.x Support?

Since the last update it seems that kairos can almost complete the patching on a decrypted iOS 9 bootloader.

I don't think this is an easy task, and if it's not possible then let me know and I will close this, as it's not really an issue per se, more of a feature request.

This is the log on 9.3 iPhone6,1:

MacBook-Air:9.3 kyletill$ kairos iBSS.dec iBSS.pat
[+] Patching iBSS.dec
[+] Base address: 0x180380000
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x1c03f
[+] Found IMG4 xref at 0xa7e4
[+] Found beginning of _image4_get_partial at 0xa768
[!] Could not find correct xref for _image4_get_partial.
[!] RSA PATCH FAILED
[+] Wrote patched image to iBSS.pat


This is the old log prior to the last update:
[+] Patching iBSS.dec
[+] Base address: 0x180380000
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x1c03f
[+] Found IMG4 xref at 0xa7e4
[+] Found beginning of _image4_get_partial at 0xa768
[+] Found xref to _image4_get_partial at 0xac60
[+] Found start of sub_18038aa64
Segmentation fault: 11

In IDA, sub_18038aa64 doesn't exist, so I could see why it segfaults.

error patching out RSA signature check

[+] Patching ./iBEC
[+] Base address: 0xf8f9b2b253eed5a3
[+] Patching out RSA signature check...
[!] Could not find IMG4 string
[!] Error patching out RSA signature check
[+] Wrote patched image to ./ibec.patched
Did I do something wrong?

bootx not working

Hi. I used kairos to patch iBSS for an A10 device, then sent it to the iPhone via irecovery. After that, I sent the device tree, ramdisk and kernelcache to my iPhone, and iBSS accepted all images:
loaded device tree at of size 0x100000, from image at
loaded ramdisk at of size 0x6350800, from image at

Then I used "bootx" to boot the device, but it didn't work, it returned this:
ea0f64a4253252:443
7ab90c923dae682:792
9905b4edc794469:695
9905b4edc794469:695
62039c63193986a:212
a60aa294185a059:578
a60aa294185a059:581
e51893b627f0e6e:1291
dce7b01f6ef60a3:1198
7ab90c923dae682:743

And the iPhone didn't boot at all. I tried one more time, re-uploading all images, but this time it didn't accept any images anymore:
Ramdisk image not valid

iPad6,3 iOS 16.7.6 RSA patch fails.

Howdy, hope all is well. I know this is a long shot here, but I was using a script that is built using kairos.
I see that this only supports iOS 15, but in the event you end up updating this when you get time.

Seems like both iBoot64Patcher and this have the same RSA patching issue, so I might just be S.O.L., but in any event, I thought I'd share the log of where the script fails using kairos.

Device: iPad Pro (iPad6,3 - A9(X) - 9.7 inch WiFi)
mast3rz3ro/SSHRD_Script_Lite#8 (comment)

[-] Patching iBoot files using kairos ...
[+] Patching 2_ssh_ramdisk/temp_files/iBSS.dec
[+] Base address: 0x180000000
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x323af
[+] Found IMG4 xref at 0xf6d0
[+] Found beginning of _image4_get_partial at 0xf624
[+] Found xref to _image4_get_partial at 0x10074
[+] Found start of sub_18000ffa0
[+] Found ADR X2, 0x180030f70 at 0x104d4
[+] Call to sub_18000f90c
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to 2_ssh_ramdisk/temp_files/iBSS.patched
[+] Patching 2_ssh_ramdisk/temp_files/iBEC.dec
[+] Base address: 0x870000000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x870000000
[+] Found boot-arg string at 0x5ac36
[+] Relocating from 0x870015260...
[+] Found boot-arg xref at 0x8700152c8
[+] Pointing boot-arg xref to large string at: 0x8700242c8
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x5a5ce
[+] Found debug-enabled xref at 0x13b38
[+] Found second bl after debug-enabled xref at 0x13b4c
[+] Wrote MOVZ X0, #1 to 0x870013b4c
[+] Enabled kernel debug
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x5a3e1
[+] Found IMG4 xref at 0xd908
[+] Found beginning of _image4_get_partial at 0xd7e8
[!] Could not find correct xref for _image4_get_partial.
[!] RSA PATCH FAILED
[+] Wrote patched image to 2_ssh_ramdisk/temp_files/iBEC.patched
[+] Patching 2_ssh_ramdisk/temp_files/iBoot.dec
[+] Base address: 0x870000000
[+] Does have kernel load
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x5a5ce
[+] Found debug-enabled xref at 0x13b38
[+] Found second bl after debug-enabled xref at 0x13b4c
[+] Wrote MOVZ X0, #1 to 0x870013b4c
[+] Enabled kernel debug
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x5a3e1
[+] Found IMG4 xref at 0xd908
[+] Found beginning of _image4_get_partial at 0xd7e8
[!] Could not find correct xref for _image4_get_partial.
[!] RSA PATCH FAILED
[+] Wrote patched image to 2_ssh_ramdisk/temp_files/iBoot.patched
none
none
none
krnl
Starting KPlooshFinder
patch_trustcache_new: Found trustcache
patch_developer_mode: Found developer mode
patch_launch_constraints: Found launch constraints
patch_amfi_sha1: Found AMFI hashtype check
patch_vnode_lookup: Found vnode_lookup
patch_sbops: Found sbops
patch_shellcode_area: Found shellcode area
patch_ret0_gadget: Found ret0 gadget
patch_vnode_getpath: Found vnode_getpath
patch_vnode_getaddr: Found vnode_getattr
patch_vnode_open_close: Found vnode_open/vnode_close
Patching completed successfully.
[-] Searching for kernel differents...
[!] this could take a while please wait...
krnl
[-] Patching kernel completed !
dtre
[!] Found trustcache file : 1_prepare_ramdisk/087-86622-021.dmg.trustcache
rtsc
rdsk
/dev/disk2          	                               	
/dev/disk3          	EF57347C-0000-11AA-AA11-0030654	
/dev/disk3s1        	41504653-0000-11AA-AA11-0030654	/private/tmp/SSHRD
.............................................................
created: /Users/panduh/Desktop/SSHRD_Script_Lite/2_ssh_ramdisk/temp_files/reassigned_ramdisk.dmg
"disk2" ejected.
/dev/disk2          	                               	/private/tmp/SSHRD
"disk2" ejected.
[-] Packing ramdisk into img4 ...
[-] Packing using img4 utility ...
none
none
[-] Cleaning temp directory ...
[!] All Tasks Completed !
[-] To boot this SSHRD please use: ./boot_sshrd.sh

Interposer patch may break some SEP functionality

I noticed in commit 52358b3 you made that specific method of interposer patch for iOS 12 and lower only. Why exactly? In my testing this will cause some SEP panics on 13/14/15. I'm specifically referring to this if block: HERE. If I comment out this if, it won't panic on 13/14/15. Btw, this method of patching ensures the interposer function fully executes before we modify the return value. I assume the function sets up some stuff needed by SEP?

14.0 Beta1 - Segmentation fault: 11

iOS 14.0 Segmentation fault: 11 when patching ibss/ibec

kairos ibss.raw ibss.pat
[+] Patching ibss.raw
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x30184
[+] Found IMG4 xref at 0x1083c
[+] Found beginning of _image4_get_partial at 0x107cc
[+] Found xref to _image4_get_partial at 0x11248
[+] Found start of sub_1803c96b4
[+] Found ADR X2, 0x1803ef234 at 0x11658
[+] Call to 0xfffffffffffd8594
Segmentation fault: 11

kairos ibec.raw ibec.pat
[+] Patching ibec.raw
[+] Does have kernel load
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x4de10
[+] Found debug-enabled xref at 0x131bc
[+] Found second bl after debug-enabled xref at 0x131d0
[+] Wrote MOVZ X0, #1 to 0x8700738c0
[+] Enabled kernel debug
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x4dce3
[+] Found IMG4 xref at 0x10e64
[+] Found beginning of _image4_get_partial at 0x10df4
[+] Found xref to _image4_get_partial at 0x119cc
[+] Found start of sub_870071fdc
[+] Found ADR X2, 0x8700b0048 at 0x11f1c
[+] Call to 0xfffffffffffb0a18
Segmentation fault: 11

No keys publicly available, so here they are.

iPad6,11 - J71tap

iBSS - Decrypting with s8003si GID key.
1a3192c05f2771c53684f1f2b9fd9fe3c96b94f7190c9b6967526be7ba7ecdade317dd5af2dade79b9fea54912c1df41

iBEC - Decrypting with s8003si GID key.
70549102334416c32d4f57d113c77c83bb0bd05ffc35b508ff247186e7793045f841ce43491361d9303cf7d8c957ca24


Works on 13.4.1, for example:
kairos ibec.raw ibecTEST.pat -b "-v"
[+] Patching ibec.raw
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x870000000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x47f32
[+] Found boot-arg xref at 0x12bfc
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x870012cbc at 0x12bec
[+] Changed ADR X21, 0x870046900 to ADR X21, 0x870047f32
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x47a2a
[+] Found debug-enabled xref at 0x11634
[+] Found second bl after debug-enabled xref at 0x11648
[+] Wrote MOVZ X0, #1 to 0x870011648
[+] Enabled kernel debug
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x478e5
[+] Found IMG4 xref at 0xf464
[+] Found beginning of _image4_get_partial at 0xf3f4
[+] Found xref to _image4_get_partial at 0xfe58
[+] Found start of sub_87000fd78
[+] Found ADR X2, 0x8700490d0 at 0x1037c
[+] Call to 0xf708
[+] RET found for sub_87000f708 at 0xfcd4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to ibecTEST.pat
