Adding binaries to the restored system
After a successful restore, you might want to add your binaries on the system.
# attach
hdiutil attach -imagekey diskimage-class=CRawDiskImage -blocksize 4096 nvme.1
# enable ownership
sudo diskutil enableownership /Volumes/System
# mount with RW
mount -urw /Volumes/SystemFor every installation, iOS will create a snapshot (com.apple.os.update-*) for the RootFS and will always boot from it.
For filesystem changes to show up, we need to rename that snapshot so that iOS doesn't boot from it.
Open Disk Utility, select the System disk image (be careful to not rename the snapshot of the host),
rename the only APFS snapshot to orig-fs. Accept the warning.
Eject the disk:
hdiutil eject /Volumes/System
Then follow the steps to remount the disk. You only need to rename the snapshot ONCE.
sudo rsync -av strap/ /Volumes/SystemThis step is no longer needed as we now patch AMFI
python3 qemu-t8030-tools/bootstrap_scripts/asn1trustcachedecode.py Firmware/038-44337-083.dmg.trustcache Firmware/038-44337-083.dmg.trustcache.out
python3 qemu-t8030-tools/bootstrap_scripts/dump_trustcache.py Firmware/038-44337-083.dmg.trustcache.out | grep cdhash | cut -d' ' -f2 > tchashesfor filename in $(find strap/ -type f); do jtool2 --sig $filename 2>/dev/null; done | grep CDHash | cut -d' ' -f6 | cut -c 1-40 >> ./tchashespython3 qemu-t8030-tools/bootstrap_scripts/create_trustcache.py tchashes static_tcEither use setup-ios/launchd.plist, or customize it from iOS firmware as follows.
- Copy
/Volumes/System/System/Library/xpc/launchd.plistto somewhere else to work with. - Convert to xml1 format:
plutil -convert xml1 /path/to/launchd.plist - Use Xcode or your preferred xml editor
- Remove all entries in
LaunchDaemons(may be optional, addwdt=-1to the boot args if you do this) - Add an entry for bash in
LaunchDaemons
- Remove all entries in
<key>/System/Library/LaunchDaemons/bash.plist</key>
<dict>
<key>EnablePressuredExit</key>
<false/>
<key>Label</key>
<string>com.apple.bash</string>
<key>POSIXSpawnType</key>
<string>Interactive</string>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StandardErrorPath</key>
<string>/dev/console</string>
<key>StandardInPath</key>
<string>/dev/console</string>
<key>StandardOutPath</key>
<string>/dev/console</string>
<key>Umask</key>
<integer>0</integer>
<key>UserName</key>
<string>root</string>
</dict>- Copy back
sudo cp /path/to/launchd.plist /Volumes/System/System/Library/xpc/launchd.plisthdiutil detach /Volumes/System
xcrun -sdk iphoneos clang -arch arm64 -mcpu=apple-a13 -o hello hello.cThen sign the binary
codesign -f -s - hello
# attach image
hdiutil attach -imagekey diskimage-class=CRawDiskImage -blocksize 4096 nvme.1
# enable ownership
sudo diskutil enableownership /Volumes/System
# mount with RW
mount -urw /Volumes/SystemThen copy the signed binary to image
sudo cp hello /Volumes/System/binAlso copy the binary to the local strap directory
cp hello strap/binThis step is no longer needed as we now patch AMFI
# dump trustcache from firmware
python3 qemu-t8030-tools/bootstrap_scripts/dump_trustcache.py Firmware/038-44337-083.dmg.trustcache.out | grep cdhash | cut -d' ' -f2 > tchashes
# update trustcache with new binaries from strap
for filename in $(find strap/ -type f); do jtool2 --sig $filename 2>/dev/null; done | grep CDHash | cut -d' ' -f6 | cut -c 1-40 >> ./tchashes
# re-serialize updated trustcache
python3 qemu-t8030-tools/bootstrap_scripts/create_trustcache.py tchashes static_tcFinally, unmount the firmware image - now with new binary inserted
hdiutil detach /Volumes/System