Skip to content
This repository has been archived by the owner on Apr 14, 2023. It is now read-only.

Adding binaries to the restored system

Jump to bottom
TrungNguyen1909 edited this page Mar 3, 2022 · 7 revisions

Modifying the RootFS after restore

After a successful restore, you might want to add your binaries on the system.

Mount the disk image

hdiutil attach -imagekey diskimage-class=CRawDiskImage nvme.1

# enable ownership
sudo diskutil enableownership /Volumes/AzulSeed18A5351d.N104N841DeveloperOS

# mount with RW
mount -urw /Volumes/AzulSeed18A5351d.N104N841DeveloperOS

Add precompiled system binaries

sudo rsync -av strap/ /Volumes/AzulSeed18A5351d.N104N841DeveloperOS

Create trustcache

This step is no longer needed as we now patch AMFI

Bundled trustcache

python3 qemu-t8030-tools/bootstrap_scripts/asn1trustcachedecode.py Firmware/038-44337-083.dmg.trustcache Firmware/038-44337-083.dmg.trustcache.out
python3 qemu-t8030-tools/bootstrap_scripts/dump_trustcache.py Firmware/038-44337-083.dmg.trustcache.out | grep cdhash | cut -d' ' -f2 > tchashes

Create trustcache for system binaries

for filename in $(find strap/  -type f); do jtool2 --sig $filename 2>/dev/null; done | grep CDHash | cut -d' ' -f6 | cut -c 1-40 >> ./tchashes

Serialize trustcache

python3 qemu-t8030-tools/bootstrap_scripts/create_trustcache.py tchashes static_tc

Configure LaunchDaemons

Either use setup-ios/launchd.plist, or customize it from iOS firmware as follows.

  • Copy /Volumes/AzulSeed18A5351d.N104N841DeveloperOS/System/Library/xpc/launchd.plist to somewhere else to work with.
  • Convert to xml1 format: plutil -convert xml1 /path/to/launchd.plist
  • Use Xcode or your preferred xml editor
    • Remove all entries in LaunchDaemons (may be optional)
    • Add an entry for bash in LaunchDaemons 
		<key>/System/Library/LaunchDaemons/bash.plist</key>
		<dict>
			<key>EnablePressuredExit</key>
			<false/>
			<key>Label</key>
			<string>com.apple.bash</string>
			<key>POSIXSpawnType</key>
			<string>Interactive</string>
			<key>ProgramArguments</key>
			<array>
				<string>/bin/bash</string>
			</array>
			<key>RunAtLoad</key>
			<true/>
			<key>StandardErrorPath</key>
			<string>/dev/console</string>
			<key>StandardInPath</key>
			<string>/dev/console</string>
			<key>StandardOutPath</key>
			<string>/dev/console</string>
			<key>Umask</key>
			<integer>0</integer>
			<key>UserName</key>
			<string>root</string>
		</dict>
  • Copy back
sudo cp /path/to/launchd.plist /Volumes/AzulSeed18A5351d.N104N841DeveloperOS/System/Library/xpc/launchd.plist

Unmount the disk image

hdiutil detach /Volumes/AzulSeed18A5351d.N104N841DeveloperOS

Add a new binary to firmware

Build binary - require Xcode on macOS

xcrun -sdk iphoneos clang -arch arm64 -mcpu=apple-a13 -o hello hello.c

Then sign the binary

codesign -f -s - hello

Copy binary to firmware

# attach image
hdiutil attach -imagekey diskimage-class=CRawDiskImage nvme.1

# enable ownership
sudo diskutil enableownership /Volumes/AzulSeed18A5351d.N104N841DeveloperOS

# mount with RW
mount -urw /Volumes/AzulSeed18A5351d.N104N841DeveloperOS

Then copy the signed binary to image

sudo cp hello /Volumes/AzulSeed18A5351d.N104N841DeveloperOS/bin

Also copy the binary to the local strap directory

cp hello strap/bin

Re-generate trustcache

This step is no longer needed as we now patch AMFI

# dump trustcache from firmware
python3 qemu-t8030-tools/bootstrap_scripts/dump_trustcache.py Firmware/038-44337-083.dmg.trustcache.out | grep cdhash | cut -d' ' -f2 > tchashes

# update trustcache with new binaries from strap
for filename in $(find strap/  -type f); do jtool2 --sig $filename 2>/dev/null; done | grep CDHash | cut -d' ' -f6 | cut -c 1-40 >> ./tchashes

# re-serialize updated trustcache
python3 qemu-t8030-tools/bootstrap_scripts/create_trustcache.py tchashes static_tc

Unmount the image

Finally, unmount the firmware image - now with new binary inserted

hdiutil detach /Volumes/AzulSeed18A5351d.N104N841DeveloperOS
Clone this wiki locally