hax/DownRa1n
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

CHECKRA1N

Browse source
This commit is contained in:
edwin 2023-06-18 23:44:02 -04:00
parent 1182c0c0a5
commit 0a3b68513f
4 changed files with 53 additions and 83 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -1,7 +1,6 @@
# downr1n # downr1n
downgrade tethered checkm8 idevices ios 14, 15.
IOS 16 NOT SUPPORTED A MOD VERSION OF DOWNR1N TO TEST CHECKRA1N ON IT, CURRENTLY NOT WORKING.
downgrades are shit tbh xd, I mean dualboot is much better option if you have the storage needed. downgrades are shit tbh xd, I mean dualboot is much better option if you have the storage needed.
# Usage # Usage

123
downr1n.sh
View file

@ -358,6 +358,24 @@ _boot() {
fi fi
checkra1nDir="boot/${deviceid}/checkra1n.img4"
if [ -f "$checkra1nDir" ]; then
"$dir"/irecovery -f "boot/${deviceid}/checkra1n.img4"
sleep 1
"$dir"/irecovery -c "ramdisk"
sleep 1
else
echo "checkra1n jailbreak isn't installed, so Omitting ..."
fi
"$dir"/irecovery -f "boot/${deviceid}/checkra1n.img4"
sleep 1
"$dir"/irecovery -c "ramdisk"
sleep 1
"$dir"/irecovery -f "boot/${deviceid}/devicetree.img4" "$dir"/irecovery -f "boot/${deviceid}/devicetree.img4"
sleep 1 sleep 1
@ -568,7 +586,10 @@ if [ "$downgrade" = "1" ] || [ "$jailbreak" = "1" ]; then
echo "now the IPSW is extracted" echo "now the IPSW is extracted"
fi fi
if [ "$jailbreak" = "1" ]; then
cp "$extractedIpsw$(awk "/""${model}""/{x=1}x&&/iBoot[.]/{print;exit}" work/BuildManifest.plist | grep '<string>' |cut -d\> -f2 |cut -d\< -f1)" "work/"
"$dir"/gaster decrypt work/"$(awk "/""${model}""/{x=1}x&&/iBoot[.]/{print;exit}" work/BuildManifest.plist | grep '<string>' |cut -d\> -f2 |cut -d\< -f1 | sed 's/Firmware[/]all_flash[/]//')" work/iBEC.dec
fi
# ============ # ============
# Ramdisk # Ramdisk
# ============ # ============
@ -643,90 +664,37 @@ if [ true ]; then
echo "Dumpped SHSH" echo "Dumpped SHSH"
if [ "$jailbreak" = "1" ]; then if [ "$jailbreak" = "1" ]; then
echo "patching kernel" # this will send and patch the kernel echo "[*] Preparing the rdsk of checkra1n"
cp "$extractedIpsw$(awk "/""${model}""/{x=1}x&&/kernelcache.release/{print;exit}" work/BuildManifest.plist | grep '<string>' |cut -d\> -f2 |cut -d\< -f1)" "work/" cp other/checkra1n.dmg work/.
cp work/"$(awk "/""${model}""/{x=1}x&&/kernelcache.release/{print;exit}" work/BuildManifest.plist | grep '<string>' |cut -d\> -f2 |cut -d\< -f1)" work/kernelcache if [ "$os" = "Darwin" ]; then
hdiutil resize -size 210MB work/checkra1n.dmg
if [[ "$deviceid" == "iPhone8"* ]] || [[ "$deviceid" == "iPad6"* ]] || [[ "$deviceid" == *'iPad5'* ]]; then
python3 -m pyimg4 im4p extract -i work/kernelcache -o work/kcache.raw --extra work/kpp.bin
else else
python3 -m pyimg4 im4p extract -i work/kernelcache -o work/kcache.raw "$os"/hfsplus work/checkra1n.dmg grow 210000000 > /dev/null
fi fi
python3 -m pyimg4 im4p create -i work/checkra1n.dmg -o work/checkra1n.im4p -f rdsk
python3 -m pyimg4 img4 create -p work/checkra1n.im4p -m work/IM4M -o work/checkra1n.img4
remote_cp work/kcache.raw root@localhost:/mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.raw echo "[*] Copying the binpack"
remote_cp boot/"${deviceid}"/kernelcache.img4 "root@localhost:/mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kernelcache" unzip -n other/binpack.zip -d "other/."
remote_cp binaries/Kernel15Patcher.ios root@localhost:/mnt1/private/var/root/Kernel15Patcher.ios
remote_cmd "/usr/sbin/chown 0 /mnt1/private/var/root/Kernel15Patcher.ios"
remote_cmd "/bin/chmod 755 /mnt1/private/var/root/Kernel15Patcher.ios"
sleep 1
if [ ! $(remote_cmd "/mnt1/private/var/root/Kernel15Patcher.ios /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.raw /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.patched") ]; then
echo "you have the kernelpath already installed "
fi
sleep 2
remote_cp root@localhost:/mnt6/"$active"/System/Library/Caches/com.apple.kernelcaches/kcache.patched work/ # that will return the kernelpatcher in order to be patched again and boot with it
"$dir"/Kernel64Patcher work/kcache.patched work/kcache.patchedB -e -b $(if [ ! "$taurine" = "1" ]; then echo "-l"; fi)
if [[ "$deviceid" == *'iPhone8'* ]] || [[ "$deviceid" == *'iPad6'* ]] || [[ "$deviceid" == *'iPad5'* ]]; then mv -f "other/rdsk/" "other/binpack"
python3 -m pyimg4 im4p create -i work/kcache.patchedB -o work/kcache.im4p -f rkrn --extra work/kpp.bin --lzss
else
python3 -m pyimg4 im4p create -i work/kcache.patchedB -o work/kcache.im4p -f rkrn --lzss
fi
remote_cp work/kcache.im4p root@localhost:/mnt6/"$active"/System/Library/Caches/com.apple.kernelcaches/ remote_cmd "mount_apfs /dev/disk0s1s1 /mnt1"
remote_cmd "img4 -i /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.im4p -o /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kernelcache -M /mnt6/$active/System/Library/Caches/apticket.der" remote_cmd "/bin/mkdir -p /mnt1/binpack"
remote_cmd "rm -f /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.raw /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.patched /mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kcache.im4p"
python3 -m pyimg4 img4 create -p work/kcache.im4p -o work/kernelcache.img4 -m work/IM4M
#"$dir"/kerneldiff work/kcache.raw work/kcache.patchedB work/kc.bpatch remote_cp other/binpack root@localhost:/mnt1/
#"$dir"/img4 -i work/"$(awk "/""${model}""/{x=1}x&&/kernelcache.release/{print;exit}" work/BuildManifest.plist | grep '<string>' |cut -d\> -f2 |cut -d\< -f1)" -o work/kernelcache.img4 -M work/IM4M -T rkrn -P work/kc.bpatch `if [ "$os" = 'Linux' ]; then echo "-J"; fi` echo "[*] Done!. Got it the binpack is already"
#remote_cp root@localhost:/mnt6/$active/System/Library/Caches/com.apple.kernelcaches/kernelcachd work/kernelcache.img4
cp -v "work/kernelcache.img4" "boot/${deviceid}"
echo "[*] installing dualra1n-loader" echo "[*] Adding the rootdev=md0 argument to the iBoot"
unzip other/dualra1n-loader.ipa -d other/
mkdir -p other/Payload/Applications/
mv -nv other/Payload/dualra1n-loader.app other/Payload/Applications/
remote_cp other/Payload/Applications/ root@localhost:/mnt1/
echo "[*] Saving snapshot" "$dir"/iBoot64Patcher work/iBEC.dec work/iBEC.patched -b "-v rootdev=md0 wdt=-1 debug=0x2014e `if [ "$cpid" = '0x8960' ] || [ "$cpid" = '0x7000' ] || [ "$cpid" = '0x7001' ]; then echo "-restore"; fi`" -n "$(if [ "$local" = "1" ]; then echo "-l"; elif [ "$fsboot" = "1" ]; then echo "-f"; fi)"
if [ ! "$(remote_cmd "/usr/bin/snaputil -c orig-fs /mnt1")" ]; then "$dir"/img4 -i work/iBEC.patched -o work/iBEC.img4 -M work/IM4M -A -T "$(if [[ "$cpid" == *"0x801"* ]]; then echo "ibss"; else echo "ibec"; fi)"
echo "the snapshot are already created, SKIPPING ..."
fi
if [ ! $(remote_cmd "trollstoreinstaller TV") ]; then echo "[*] Saving the iBoot modified"
echo "[/] error installing trollstore on TV app" cp -v work/iBEC.img4 work/checkra1n.img4 "boot/${deviceid}"
fi
echo "[*] Fixing dualra1n-loader" remote_cmd "/usr/sbin/nvram auto-boot=false"
if [ ! $(remote_cmd "chmod +x /mnt1/Applications/dualra1n-loader.app/dualra1n* && /usr/sbin/chown 33 /mnt1/Applications/dualra1n-loader.app/dualra1n-loader && /bin/chmod 755 /mnt1/Applications/dualra1n-loader.app/dualra1n-helper && /usr/sbin/chown 0 /mnt1/Applications/dualra1n-loader.app/dualra1n-helper" ) ]; then echo "[*] DONE ... now reboot and --boot again"
echo "install dualra1n-loader using trollstore or another methods"
fi
if [ "$taurine" = 1 ]; then
echo "installing taurine"
remote_cp other/taurine/* root@localhost:/mnt1/
echo "[*] Finished, now your downgrade is jailbroken, you can boot it"
remote_cmd "/sbin/reboot"
exit;
fi
echo "installing JBINIT jailbreak, thanks palera1n"
echo "[*] Copying files to rootfs"
remote_cmd "rm -rf /mnt1/jbin /mnt1/.installed_palera1n"
sleep 1
remote_cmd "mkdir -p /mnt1/jbin/binpack /mnt1/jbin/loader.app"
sleep 1
# this is the jailbreak of palera1n being installing
cp -v other/post.sh other/rootfs/jbin/
remote_cp -r other/rootfs/* root@localhost:/mnt1/
remote_cmd "ldid -s /mnt1/jbin/launchd /mnt1/jbin/jbloader /mnt1/jbin/jb.dylib"
remote_cmd "chmod +rwx /mnt1/jbin/launchd /mnt1/jbin/jbloader /mnt1/jbin/post.sh"
remote_cmd "tar -xvf /mnt1/jbin/binpack/binpack.tar -C /mnt1/jbin/binpack/"
sleep 1
remote_cmd "rm /mnt1/jbin/binpack/binpack.tar"
remote_cmd "/usr/sbin/nvram auto-boot=true"
echo "[*] DONE ... now reboot and boot again"
remote_cmd "/sbin/reboot" remote_cmd "/sbin/reboot"
exit; exit;
@ -756,6 +724,7 @@ if [ true ]; then
remote_cmd "/usr/sbin/nvram auto-boot=false" remote_cmd "/usr/sbin/nvram auto-boot=false"
remote_cmd "/sbin/reboot" remote_cmd "/sbin/reboot"
sleep 12 sleep 12
if [ "$(get_device_mode)" = "dfu" ]; then if [ "$(get_device_mode)" = "dfu" ]; then
echo "device in false dfu mode. please force reboot and try to put it on dfu mode by precing the button." echo "device in false dfu mode. please force reboot and try to put it on dfu mode by precing the button."
read -p "click enter if you got dfu mode on the iphone" read -p "click enter if you got dfu mode on the iphone"
@ -818,7 +787,7 @@ if [ true ]; then
"$dir"/gaster decrypt work/"$(awk "/""${model}""/{x=1}x&&/iBoot[.]/{print;exit}" work/BuildManifest.plist | grep '<string>' |cut -d\> -f2 |cut -d\< -f1 | sed 's/Firmware[/]all_flash[/]//')" work/iBEC.dec "$dir"/gaster decrypt work/"$(awk "/""${model}""/{x=1}x&&/iBoot[.]/{print;exit}" work/BuildManifest.plist | grep '<string>' |cut -d\> -f2 |cut -d\< -f1 | sed 's/Firmware[/]all_flash[/]//')" work/iBEC.dec
"$dir"/iBoot64Patcher work/iBEC.dec work/iBEC.patched -b "-v wdt=-1 `if [ "$cpid" = '0x8960' ] || [ "$cpid" = '0x7000' ] || [ "$cpid" = '0x7001' ]; then echo "-restore"; fi`" -n "$(if [ "$local" = "1" ]; then echo "-l"; elif [ "$fsboot" = "1" ]; then echo "-f"; fi)" "$dir"/iBoot64Patcher work/iBEC.dec work/iBEC.patched -b "-v wdt=-1 debug=0x2014e `if [ "$cpid" = '0x8960' ] || [ "$cpid" = '0x7000' ] || [ "$cpid" = '0x7001' ]; then echo "-restore"; fi`" -n "$(if [ "$local" = "1" ]; then echo "-l"; elif [ "$fsboot" = "1" ]; then echo "-f"; fi)"
"$dir"/img4 -i work/iBEC.patched -o work/iBEC.img4 -M work/IM4M -A -T "$(if [[ "$cpid" == *"0x801"* ]]; then echo "ibss"; else echo "ibec"; fi)" "$dir"/img4 -i work/iBEC.patched -o work/iBEC.img4 -M work/IM4M -A -T "$(if [[ "$cpid" == *"0x801"* ]]; then echo "ibss"; else echo "ibec"; fi)"
"$dir"/Kernel64Patcher work/kcache.patched work/kcache.patchedB -a -b -e `if [ "$fixBoot" = "1" ]; then echo "-s"; fi` "$dir"/Kernel64Patcher work/kcache.patched work/kcache.patchedB -a -b -e `if [ "$fixBoot" = "1" ]; then echo "-s"; fi`
@ -890,6 +859,7 @@ if [ true ]; then
mv work/patched_restored_external $mounted/usr/local/bin/restored_external mv work/patched_restored_external $mounted/usr/local/bin/restored_external
hdiutil detach -force /tmp/SSHRD hdiutil detach -force /tmp/SSHRD
echo "[*] Done!"
else else
"$dir"/hfsplus work/ramdisk.dmg extract /usr/sbin/asr work/asr "$dir"/hfsplus work/ramdisk.dmg extract /usr/sbin/asr work/asr
@ -912,6 +882,7 @@ if [ true ]; then
"$dir"/hfsplus work/ramdisk.dmg chmod 100755 /usr/sbin/asr "$dir"/hfsplus work/ramdisk.dmg chmod 100755 /usr/sbin/asr
"$dir"/hfsplus work/ramdisk.dmg chmod 100755 /usr/local/bin/restored_external "$dir"/hfsplus work/ramdisk.dmg chmod 100755 /usr/local/bin/restored_external
echo "[*] Done!"
fi fi
python3 -m pyimg4 im4p create -i work/ramdisk.dmg -o work/rdsk.im4p -f rdsk python3 -m pyimg4 im4p create -i work/ramdisk.dmg -o work/rdsk.im4p -f rdsk

BIN
other/binpack.zip Normal file
View file

Binary file not shown.

BIN
other/checkra1n.dmg Normal file
View file

Binary file not shown.