Pingzi

If anything is incorrect, just modify it and make a pull request. 😄

github.com/Pingzi610/iloa… So, I released this little thing. I don’t have any idea controlling iPhone 4s’ R0, but this tool really can load iBoot-1537.9.55 and readp is working fine. @synackuk

@Xernium @SashaKirichenko @synackuk @dora2ios not easy since r0 is hard to control，according to my progress.

@SashaKirichenko @synackuk @dora2ios That ... could be used to untether downgrade any iPhone 4S (since 6.1.3 is signed)

De Rebus Antiquis on iOS 6.1.6 (iPod touch 4G)! Thanks to @dora2ios, I’ll release this at some point if anyone’s interested.

DRA for 4s is hard No matter iOS 6 or iOS 7.0.x Last time I’m doing work for iPhone3,2 I noticed that disable_interrupt function offset isn’t correct. So I changed it into the right one and it worked. But for S5L8940 devices, I cannot make the exploit working in real bootchain.

@synackuk @dora2ios mmm

@synackuk @dora2ios Maybe I can make the diff using my iloader’s dump and take ios 7’s diff for reference

@synackuk @dora2ios Umm I have a problem running kdumper and it won’t dump a correct iBoot on iPhone 4s 6.1.3. And don’t know how to control r0 I’m using iloader

@Pingzi610 @dora2ios What’s the problem you’re facing?

原来是t4啊🤔 我记得A5+是要借助wtf_addr来实现iboot的重启的，A4设备没这个函数，当时我看iloader里3,1写的是pop pc

见鬼了 收了一台7.0.3的iPhone 4s，打算再熟悉熟悉derebusantiquis的利用，然后就偷懒直接借了@mizoleeee 的iloader代码，在iloader中运行确实很不错；然而实机运行却出现了bootloop。 我不明白！ 还有感觉iOS 6的合适路径有那么一点小难找

@synackuk @ShadowLee19 @xerub not iloader.o，nettoyeur.o is，open with binary editor and you can find the correct version of arm-none-eabi-gcc

@synackuk @ShadowLee19 @xerub I remember that xerub used an older version of arm-none-eabi-gcc, you can see it from iloader.o Since dora2ios’ exploit used an netto but didn’t work and I recompiled it using that specific version.

I'm currently making a writeup of almost everything I know about @xerub's De Rebus Antiquis iBoot exploit, see pmbonneau.com/de-rebus-antiq… to read the introduction!

@synackuk @ShadowLee19 @xerub That netto is for iPad 4th

@synackuk @ShadowLee19 @xerub I haven’t add any breakpoints or debugging _memalign. Just only can make iloader running and let readp() work.

@Pingzi610 @ShadowLee19 @xerub Can we DM? I didn’t manage to get iloader working, but have been playing about with patching breakpoints into an iBoot image and booting it to achieve the same thing, would be good to compare notes?

@synackuk @ShadowLee19 @xerub Yes，that’s a good thing.

@synackuk @ShadowLee19 @xerub I can fake-run iBoot 1537-9.55（iOS 6.1.3）using iloader，but I have no idea utilizing the exploit since I can’t control r0. I can send you the modified iloader if you need.

@ShadowLee19 @xerub Are you still working on this? I'm interested in exploring getting DRA running on iOS 6, for iPhone4s, iTouch4G (and possibly other devices?)

So, started iOS 6’s iBoot. No idea about the following thing.

Hey! I tried to load iBoot 1537.9.55 in iloader but it went to an error after printing “battery voltage 0mV power supply batt” I just wonder how to load iBoot properly (Printing “iBoot for n94ap, 2012…”)

I want an iPhone SE 64GB with iOS 9

还有iPad mini也已经做出来了 iPad 2:请输入文本

我将完成iPad 3 11B554a、iPad 4 11D257的derebusantiquis适配。 至于iPad 2，相信后人的智慧😋