
Comments (12)

MatthewPierson commented on June 13, 2024

Why are you setting the bootargs to anything to do with disk0s1/s2? You shouldn’t be setting that at all. Also can you run Ramiel from terminal, enable debugging mode and send me the full output in terminal?

from ramiel.

team-orangeBlue commented on June 13, 2024

Why are you setting the bootargs to anything to do with disk0s1/s2? You shouldn’t be setting that at all. Also can you run Ramiel from terminal, enable debugging mode and send me the full output in terminal?

Alright, will test terminal as soon as I am home.


team-orangeBlue commented on June 13, 2024

Why are you setting the bootargs to anything to do with disk0s1/s2? You shouldn’t be setting that at all. Also can you run Ramiel from terminal, enable debugging mode and send me the full output in terminal?

Hold up, how do you run it in terminal?
Running the core file at /Contents/macos/Ramiel just opens the app.


MatthewPierson commented on June 13, 2024

That's all you need to do; running it like this just allows more information to be seen in the terminal window that normally is hidden.


team-orangeBlue commented on June 13, 2024

Why are you setting the bootargs to anything to do with disk0s1/s2? You shouldn’t be setting that at all. Also can you run Ramiel from terminal, enable debugging mode and send me the full output in terminal?

admin@Fedors-MBP macos % ./ramiel
2021-03-20 09:04:01.091 ramiel[3334:85329] 12
2021-03-20 09:04:01.091 ramiel[3334:85329] 47
2021-03-20 09:04:01.203 ramiel[3334:85329] This application is trying to draw a very large combo box, 31 points tall. Vertically resizable combo boxes are not supported, but it happens that 10.4 and previous drew something that looked kind of sort of okay. The art in 10.5 does not break up in a way that supports that drawing. This application should be revised to stop using large combo boxes. This warning will appear once per app launch.
2021-03-20 09:05:22.868 ramiel[3334:85380] Waiting
/bin/bash: /usr/local/bin/gtar: No such file or directory
/bin/bash: /usr/local/bin/ldid2: No such file or directory
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.raw
[+] Base address: 0x1800b0000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x1800b0000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x63a9e
[+] Found boot-arg xref at 0x15398
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x1800c5494 at 0x15388
[+] Changed ADR X19, 0x180111d00 to ADR X19, 0x180113a9e
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x633d0
[+] Found debug-enabled xref at 0x13d30
[+] Found second bl after debug-enabled xref at 0x13d44
[+] Wrote MOVZ X0, #1 to 0x1800c3d44
[+] Enabled kernel debug
[+] Unlocking nvram...
[+] Found debug-uarts string at 0x180111eda
[+] Found debug-uarts reference at 0x65298
[+] setenv whitelist begins at 0x65288
[+] Found ref to setenv whitelist at 0x30dc
[+] Forcing sub_1800b30c0 to return immediately
[+] Found env whitelist at 0x652b8
[+] Found ref to env whitelist at 0x3128
[+] Forcing sub_1800b3110 to return immediately
[+] Found "com.apple.System." string at 0x180114c9a
[+] Found reference to "com.apple.System." at 0x4050c
[+] Forcing sub_1800f0504 to return immediately
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x6329c
[+] Found IMG4 xref at 0x1193c
[+] Found beginning of _image4_get_partial at 0x118cc
[+] Found xref to _image4_get_partial at 0x124e0
[+] Found start of sub_1800c2400
[+] Found ADR X2, 0x1801158a0 at 0x12a60
[+] Call to 0x11be0
[+] RET found for sub_1800c1be0 at 0x123c4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.pwn
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibec.raw
[+] Base address: 0x1800b0000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x1800b0000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x63a9e
[+] Found boot-arg xref at 0x15398
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x1800c5494 at 0x15388
[+] Changed ADR X19, 0x180111d00 to ADR X19, 0x180113a9e
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x633d0
[+] Found debug-enabled xref at 0x13d30
[+] Found second bl after debug-enabled xref at 0x13d44
[+] Wrote MOVZ X0, #1 to 0x1800c3d44
[+] Enabled kernel debug
[+] Unlocking nvram...
[+] Found debug-uarts string at 0x180111eda
[+] Found debug-uarts reference at 0x65298
[+] setenv whitelist begins at 0x65288
[+] Found ref to setenv whitelist at 0x30dc
[+] Forcing sub_1800b30c0 to return immediately
[+] Found env whitelist at 0x652b8
[+] Found ref to env whitelist at 0x3128
[+] Forcing sub_1800b3110 to return immediately
[+] Found "com.apple.System." string at 0x180114c9a
[+] Found reference to "com.apple.System." at 0x4050c
[+] Forcing sub_1800f0504 to return immediately
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x6329c
[+] Found IMG4 xref at 0x1193c
[+] Found beginning of _image4_get_partial at 0x118cc
[+] Found xref to _image4_get_partial at 0x124e0
[+] Found start of sub_1800c2400
[+] Found ADR X2, 0x1801158a0 at 0x12a60
[+] Call to 0x11be0
[+] RET found for sub_1800c1be0 at 0x123c4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibec.pwn
2021-03-20 09:06:01.051 ramiel[3334:85380] Waiting
2021-03-20 09:08:05.296 ramiel[3334:85329] Booted device successfully!
// The SHSH dump error happens here
Creating listening port 2222 for device port 44
bind(): Address already in use
Error creating socket for listen port 2222: Address already in use
Traceback (most recent call last):
File "/Applications/Ramiel.app/Contents/Resources/ssh/dump.py", line 3, in <module>
import paramiko
ModuleNotFoundError: No module named 'paramiko'
Traceback (most recent call last):
File "/Applications/Ramiel.app/Contents/Resources/ssh/dump.py", line 3, in <module>
import paramiko
ModuleNotFoundError: No module named 'paramiko'
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.raw
[+] Base address: 0x1800b0000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x1800b0000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x63a9e
[+] Found boot-arg xref at 0x15398
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x1800c5494 at 0x15388
[+] Changed ADR X19, 0x180111d00 to ADR X19, 0x180113a9e
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x633d0
[+] Found debug-enabled xref at 0x13d30
[+] Found second bl after debug-enabled xref at 0x13d44
[+] Wrote MOVZ X0, #1 to 0x1800c3d44
[+] Enabled kernel debug
[+] Unlocking nvram...
[+] Found debug-uarts string at 0x180111eda
[+] Found debug-uarts reference at 0x65298
[+] setenv whitelist begins at 0x65288
[+] Found ref to setenv whitelist at 0x30dc
[+] Forcing sub_1800b30c0 to return immediately
[+] Found env whitelist at 0x652b8
[+] Found ref to env whitelist at 0x3128
[+] Forcing sub_1800b3110 to return immediately
[+] Found "com.apple.System." string at 0x180114c9a
[+] Found reference to "com.apple.System." at 0x4050c
[+] Forcing sub_1800f0504 to return immediately
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x6329c
[+] Found IMG4 xref at 0x1193c
[+] Found beginning of _image4_get_partial at 0x118cc
[+] Found xref to _image4_get_partial at 0x124e0
[+] Found start of sub_1800c2400
[+] Found ADR X2, 0x1801158a0 at 0x12a60
[+] Call to 0x11be0
[+] RET found for sub_1800c1be0 at 0x123c4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.pwn
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibec.raw
[+] Base address: 0x1800b0000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x1800b0000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x63a9e
[+] Found boot-arg xref at 0x15398
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x1800c5494 at 0x15388
[+] Changed ADR X19, 0x180111d00 to ADR X19, 0x180113a9e
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x633d0
[+] Found debug-enabled xref at 0x13d30
[+] Found second bl after debug-enabled xref at 0x13d44
[+] Wrote MOVZ X0, #1 to 0x1800c3d44
[+] Enabled kernel debug
[+] Unlocking nvram...
[+] Found debug-uarts string at 0x180111eda
[+] Found debug-uarts reference at 0x65298
[+] setenv whitelist begins at 0x65288
[+] Found ref to setenv whitelist at 0x30dc
[+] Forcing sub_1800b30c0 to return immediately
[+] Found env whitelist at 0x652b8
[+] Found ref to env whitelist at 0x3128
[+] Forcing sub_1800b3110 to return immediately
[+] Found "com.apple.System." string at 0x180114c9a
[+] Found reference to "com.apple.System." at 0x4050c
[+] Forcing sub_1800f0504 to return immediately
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x6329c
[+] Found IMG4 xref at 0x1193c
[+] Found beginning of _image4_get_partial at 0x118cc
[+] Found xref to _image4_get_partial at 0x124e0
[+] Found start of sub_1800c2400
[+] Found ADR X2, 0x1801158a0 at 0x12a60
[+] Call to 0x11be0
[+] RET found for sub_1800c1be0 at 0x123c4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibec.pwn


MatthewPierson commented on June 13, 2024

I see what's going wrong, should be fixed in v1.0.3 which I'll be publishing soon. Just waiting to hear back from someone as to whether or not it works for them. Actually I could send you a copy here to try before it's out if you'd like? Link is here


team-orangeBlue commented on June 13, 2024

I see what's going wrong, should be fixed in v1.0.3 which I'll be publishing soon. Just waiting to hear back from someone as to whether or not it works for them. Actually I could send you a copy here to try before it's out if you'd like? Link is here

I will beta-test. Will tell you if something goes wrong.


team-orangeBlue commented on June 13, 2024

I see what's going wrong, should be fixed in v1.0.3 which I'll be publishing soon. Just waiting to hear back from someone as to whether or not it works for them. Actually I could send you a copy here to try before it's out if you'd like? Link is here

Nope, nothing good or new or whatever. SHSH dump error except now it doesn't clear the Yoshi shsh dump screen.


MatthewPierson commented on June 13, 2024

Can you show the terminal log from the new build please?


MatthewPierson commented on June 13, 2024

Also can you run pip3 install --user paramiko for me to ensure that the library is installed? It should have been installed by Ramiel on first launch but it seems like it hasn't been.


team-orangeBlue commented on June 13, 2024

Had a little struggle, once again, problems.
admin@Fedors-MBP macos % ./ramiel
2021-03-25 17:01:20.877 ramiel[5818:191511] Setting closedState to: 0
2021-03-25 17:01:20.878 ramiel[5818:191501] 11
2021-03-25 17:01:20.878 ramiel[5818:191501] 69
2021-03-25 17:01:20.973 ramiel[5818:191501] This application is trying to draw a very large combo box, 31 points tall. Vertically resizable combo boxes are not supported, but it happens that 10.4 and previous drew something that looked kind of sort of okay. The art in 10.5 does not break up in a way that supports that drawing. This application should be revised to stop using large combo boxes. This warning will appear once per app launch.
2021-03-25 17:01:34.000 ramiel[5818:191560] Waiting
//Request to dump SHSH happens here.
/bin/bash: /usr/local/bin/gtar: No such file or directory
ldid.cpp(3004): _assert(): errno=2
ldid.cpp(3004): _assert(): errno=2
/bin/bash: /usr/local/bin/ldid2: No such file or directory
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.raw
[+] Base address: 0x1800b0000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x1800b0000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x63a9e
[+] Found boot-arg xref at 0x15398
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x1800c5494 at 0x15388
[+] Changed ADR X19, 0x180111d00 to ADR X19, 0x180113a9e
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x633d0
[+] Found debug-enabled xref at 0x13d30
[+] Found second bl after debug-enabled xref at 0x13d44
[+] Wrote MOVZ X0, #1 to 0x1800c3d44
[+] Enabled kernel debug
[+] Unlocking nvram...
[+] Found debug-uarts string at 0x180111eda
[+] Found debug-uarts reference at 0x65298
[+] setenv whitelist begins at 0x65288
[+] Found ref to setenv whitelist at 0x30dc
[+] Forcing sub_1800b30c0 to return immediately
[+] Found env whitelist at 0x652b8
[+] Found ref to env whitelist at 0x3128
[+] Forcing sub_1800b3110 to return immediately
[+] Found "com.apple.System." string at 0x180114c9a
[+] Found reference to "com.apple.System." at 0x4050c
[+] Forcing sub_1800f0504 to return immediately
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x6329c
[+] Found IMG4 xref at 0x1193c
[+] Found beginning of _image4_get_partial at 0x118cc
[+] Found xref to _image4_get_partial at 0x124e0
[+] Found start of sub_1800c2400
[+] Found ADR X2, 0x1801158a0 at 0x12a60
[+] Call to 0x11be0
[+] RET found for sub_1800c1be0 at 0x123c4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.pwn
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibec.raw
[+] Base address: 0x1800b0000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x1800b0000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x63a9e
[+] Found boot-arg xref at 0x15398
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x1800c5494 at 0x15388
[+] Changed ADR X19, 0x180111d00 to ADR X19, 0x180113a9e
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x633d0
[+] Found debug-enabled xref at 0x13d30
[+] Found second bl after debug-enabled xref at 0x13d44
[+] Wrote MOVZ X0, #1 to 0x1800c3d44
[+] Enabled kernel debug
[+] Unlocking nvram...
[+] Found debug-uarts string at 0x180111eda
[+] Found debug-uarts reference at 0x65298
[+] setenv whitelist begins at 0x65288
[+] Found ref to setenv whitelist at 0x30dc
[+] Forcing sub_1800b30c0 to return immediately
[+] Found env whitelist at 0x652b8
[+] Found ref to env whitelist at 0x3128
[+] Forcing sub_1800b3110 to return immediately
[+] Found "com.apple.System." string at 0x180114c9a
[+] Found reference to "com.apple.System." at 0x4050c
[+] Forcing sub_1800f0504 to return immediately
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x6329c
[+] Found IMG4 xref at 0x1193c
[+] Found beginning of _image4_get_partial at 0x118cc
[+] Found xref to _image4_get_partial at 0x124e0
[+] Found start of sub_1800c2400
[+] Found ADR X2, 0x1801158a0 at 0x12a60
[+] Call to 0x11be0
[+] RET found for sub_1800c1be0 at 0x123c4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibec.pwn
//iBSS gets sent from here
2021-03-25 17:03:29.395 ramiel[5818:191560] Waiting
2021-03-25 17:03:29.843 ramiel[5818:191501] Booted device successfully!
// Hangs on "Waiting for device" and still, SHSH dump error.
Creating listening port 2222 for device port 44
bind(): Address already in use
Error creating socket for listen port 2222: Address already in use
Exception: Error reading SSH protocol banner[Errno 54] Connection reset by peer
Traceback (most recent call last):
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2211, in _check_banner
buf = self.packetizer.readline(timeout)
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/packet.py", line 380, in readline
buf += self._read_timeout(timeout)
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/packet.py", line 607, in _read_timeout
x = self.__socket.recv(128)
ConnectionResetError: [Errno 54] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2039, in run
self._check_banner()
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2215, in _check_banner
raise SSHException(
paramiko.ssh_exception.SSHException: Error reading SSH protocol banner[Errno 54] Connection reset by peer

Traceback (most recent call last):
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2211, in _check_banner
buf = self.packetizer.readline(timeout)
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/packet.py", line 380, in readline
buf += self._read_timeout(timeout)
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/packet.py", line 607, in _read_timeout
x = self.__socket.recv(128)
ConnectionResetError: [Errno 54] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/Applications/Ramiel.app/Contents/Resources/ssh/dump.py", line 9, in <module>
client.connect(hostname="localhost", password="alpine", username="root", port=2222)
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/client.py", line 406, in connect
t.start_client(timeout=timeout)
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 660, in start_client
raise e
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2039, in run
self._check_banner()
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2215, in _check_banner
raise SSHException(
paramiko.ssh_exception.SSHException: Error reading SSH protocol banner[Errno 54] Connection reset by peer
Exception: Error reading SSH protocol banner[Errno 54] Connection reset by peer
Traceback (most recent call last):
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2211, in _check_banner
buf = self.packetizer.readline(timeout)
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/packet.py", line 380, in readline
buf += self._read_timeout(timeout)
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/packet.py", line 607, in _read_timeout
x = self.__socket.recv(128)
ConnectionResetError: [Errno 54] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2039, in run
self._check_banner()
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2215, in _check_banner
raise SSHException(
paramiko.ssh_exception.SSHException: Error reading SSH protocol banner[Errno 54] Connection reset by peer

Traceback (most recent call last):
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2211, in _check_banner
buf = self.packetizer.readline(timeout)
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/packet.py", line 380, in readline
buf += self._read_timeout(timeout)
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/packet.py", line 607, in _read_timeout
x = self.__socket.recv(128)
ConnectionResetError: [Errno 54] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/Applications/Ramiel.app/Contents/Resources/ssh/dump.py", line 9, in <module>
client.connect(hostname="localhost", password="alpine", username="root", port=2222)
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/client.py", line 406, in connect
t.start_client(timeout=timeout)
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 660, in start_client
raise e
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2039, in run
self._check_banner()
File "/Users/admin/Library/Python/3.9/lib/python/site-packages/paramiko/transport.py", line 2215, in _check_banner
raise SSHException(
paramiko.ssh_exception.SSHException: Error reading SSH protocol banner[Errno 54] Connection reset by peer
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.raw
[+] Base address: 0x1800b0000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x1800b0000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x63a9e
[+] Found boot-arg xref at 0x15398
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x1800c5494 at 0x15388
[+] Changed ADR X19, 0x180111d00 to ADR X19, 0x180113a9e
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x633d0
[+] Found debug-enabled xref at 0x13d30
[+] Found second bl after debug-enabled xref at 0x13d44
[+] Wrote MOVZ X0, #1 to 0x1800c3d44
[+] Enabled kernel debug
[+] Unlocking nvram...
[+] Found debug-uarts string at 0x180111eda
[+] Found debug-uarts reference at 0x65298
[+] setenv whitelist begins at 0x65288
[+] Found ref to setenv whitelist at 0x30dc
[+] Forcing sub_1800b30c0 to return immediately
[+] Found env whitelist at 0x652b8
[+] Found ref to env whitelist at 0x3128
[+] Forcing sub_1800b3110 to return immediately
[+] Found "com.apple.System." string at 0x180114c9a
[+] Found reference to "com.apple.System." at 0x4050c
[+] Forcing sub_1800f0504 to return immediately
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x6329c
[+] Found IMG4 xref at 0x1193c
[+] Found beginning of _image4_get_partial at 0x118cc
[+] Found xref to _image4_get_partial at 0x124e0
[+] Found start of sub_1800c2400
[+] Found ADR X2, 0x1801158a0 at 0x12a60
[+] Call to 0x11be0
[+] RET found for sub_1800c1be0 at 0x123c4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.pwn
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibec.raw
[+] Base address: 0x1800b0000
[+] Does have kernel load
[+] Patching boot-args...
[+] Image base address at 0x1800b0000
[+] Searching for alternate boot-args
[+] Found boot-arg string at 0x63a9e
[+] Found boot-arg xref at 0x15398
[+] Changed CSEL to MOV
[+] Found branch pointing to 0x1800c5494 at 0x15388
[+] Changed ADR X19, 0x180111d00 to ADR X19, 0x180113a9e
[+] Enabling kernel debug...
[+] Found debug-enabled string at 0x633d0
[+] Found debug-enabled xref at 0x13d30
[+] Found second bl after debug-enabled xref at 0x13d44
[+] Wrote MOVZ X0, #1 to 0x1800c3d44
[+] Enabled kernel debug
[+] Unlocking nvram...
[+] Found debug-uarts string at 0x180111eda
[+] Found debug-uarts reference at 0x65298
[+] setenv whitelist begins at 0x65288
[+] Found ref to setenv whitelist at 0x30dc
[+] Forcing sub_1800b30c0 to return immediately
[+] Found env whitelist at 0x652b8
[+] Found ref to env whitelist at 0x3128
[+] Forcing sub_1800b3110 to return immediately
[+] Found "com.apple.System." string at 0x180114c9a
[+] Found reference to "com.apple.System." at 0x4050c
[+] Forcing sub_1800f0504 to return immediately
[+] Patching out RSA signature check...
[+] Found IMG4 string at 0x6329c
[+] Found IMG4 xref at 0x1193c
[+] Found beginning of _image4_get_partial at 0x118cc
[+] Found xref to _image4_get_partial at 0x124e0
[+] Found start of sub_1800c2400
[+] Found ADR X2, 0x1801158a0 at 0x12a60
[+] Call to 0x11be0
[+] RET found for sub_1800c1be0 at 0x123c4
[+] Did MOV r0, #0 and RET
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibec.pwn

The exploit worked once with paramiko, have no luck with it. Keeps reporting that it failed.


team-orangeBlue commented on June 13, 2024

P.S. Had some time struggles.

from ramiel.
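
Added example, not part of the thread and not Ramiel's own code: a small triage script for debug output like the two logs posted above, which separates the distinct failures (missing host tools, missing Python module, port 2222 already bound, SSH banner reset) from the repeated patcher lines. The sample input is constructed from individual lines of those logs; the rule names and messages are this example's own.

```python
import re

# Constructed sample: individual lines copied from the two debug logs in this thread.
SAMPLE_LOG = """\
/bin/bash: /usr/local/bin/gtar: No such file or directory
ldid.cpp(3004): _assert(): errno=2
/bin/bash: /usr/local/bin/ldid2: No such file or directory
[+] Patching /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.raw
[+] Wrote patched image to /Applications/Ramiel.app/Contents/Resources/RamielFiles/ibss.pwn
2021-03-25 17:03:29.843 ramiel[5818:191501] Booted device successfully!
Creating listening port 2222 for device port 44
bind(): Address already in use
Error creating socket for listen port 2222: Address already in use
ModuleNotFoundError: No module named 'paramiko'
ModuleNotFoundError: No module named 'paramiko'
paramiko.ssh_exception.SSHException: Error reading SSH protocol banner[Errno 54] Connection reset by peer
"""

# (kind, pattern, message). Rule names and messages are hypothetical, chosen for this example.
RULES = [
    ("missing_tool",
     re.compile(r"^/bin/bash: (?P<what>/\S+): No such file or directory$"),
     "host tool not found at {what}"),
    ("missing_module",
     re.compile(r"^ModuleNotFoundError: No module named '(?P<what>[^']+)'$"),
     "Python module {what} is not installed for the interpreter that ran the script"),
    ("port_in_use",
     re.compile(r"^Error creating socket for listen port (?P<what>\d+): Address already in use$"),
     "local port {what} was already bound, so this listener was not created"),
    ("ssh_banner_reset",
     re.compile(r"SSHException: Error reading SSH protocol banner.*Connection reset by peer$"),
     "connection was reset before any SSH banner was received"),
]


def triage(log):
    """Return one finding per distinct failure, in order of first appearance."""
    findings = {}
    booted_at = None
    for lineno, raw in enumerate(log.splitlines(), 1):
        line = raw.strip()
        if booted_at is None and line.endswith("Booted device successfully!"):
            booted_at = lineno
        for kind, pattern, message in RULES:
            match = pattern.search(line)
            if not match:
                continue
            what = match.groupdict().get("what") or ""
            entry = findings.setdefault((kind, what), {
                "kind": kind,
                "detail": message.format(what=what),
                "first_line": lineno,
                "count": 0,
                # True when the failure was logged after the boot message.
                "after_boot": booted_at is not None,
            })
            entry["count"] += 1
            break
    return list(findings.values())


def report(log):
    """Format the findings as one human-readable line each."""
    out = []
    for f in triage(log):
        stage = "after boot" if f["after_boot"] else "before boot"
        out.append(f"line {f['first_line']:>3} x{f['count']} [{stage}] "
                   f"{f['kind']}: {f['detail']}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

To use it on a real run, pass the full terminal output as a string to `triage()` instead of `SAMPLE_LOG`.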
