Created Adding binaries to the restored system (markdown)
parent
e09d58eb70
commit
e8bc7b1a7b
@ -0,0 +1,155 @@
|
||||
# Modifying the RootFS after restore
|
||||
|
||||
After [a successful restore](#Restore-iOS-firmware), you might want to add your binaries on the system.
|
||||
|
||||
|
||||
## Mount the disk image
|
||||
```sh
|
||||
hdiutil attach -imagekey diskimage-class=CRawDiskImage nvme.1
|
||||
|
||||
# enable ownership
|
||||
sudo diskutil enableownership /Volumes/AzulSeed18A5351d.N104N841DeveloperOS
|
||||
|
||||
# mount with RW
|
||||
mount -urw /Volumes/AzulSeed18A5351d.N104N841DeveloperOS
|
||||
```
|
||||
|
||||
|
||||
## Add precompiled system binaries
|
||||
```sh
|
||||
sudo rsync -av strap/ /Volumes/AzulSeed18A5351d.N104N841DeveloperOS
|
||||
```
|
||||
|
||||
|
||||
## Create trustcache
|
||||
|
||||
This step is no longer needed as we now patch AMFI
|
||||
|
||||
### Bundled trustcache
|
||||
```sh
|
||||
python3 qemu-t8030-tools/bootstrap_scripts/asn1trustcachedecode.py Firmware/038-44337-083.dmg.trustcache Firmware/038-44337-083.dmg.trustcache.out
|
||||
python3 qemu-t8030-tools/bootstrap_scripts/dump_trustcache.py Firmware/038-44337-083.dmg.trustcache.out | grep cdhash | cut -d' ' -f2 > tchashes
|
||||
```
|
||||
|
||||
### Create trustcache for system binaries
|
||||
```sh
|
||||
for filename in $(find strap/ -type f); do jtool2 --sig $filename 2>/dev/null; done | grep CDHash | cut -d' ' -f6 | cut -c 1-40 >> ./tchashes
|
||||
```
|
||||
|
||||
### Serialize trustcache
|
||||
```sh
|
||||
python3 qemu-t8030-tools/bootstrap_scripts/create_trustcache.py tchashes static_tc
|
||||
```
|
||||
|
||||
|
||||
## Configure LaunchDaemons
|
||||
|
||||
Either use `setup-ios/launchd.plist`, or customize it from iOS firmware as follows.
|
||||
|
||||
- Copy `/Volumes/AzulSeed18A5351d.N104N841DeveloperOS/System/Library/xpc/launchd.plist` to somewhere else to work with.
|
||||
- Convert to xml1 format: `plutil -convert xml1 /path/to/launchd.plist`
|
||||
- Use Xcode or your preferred xml editor
|
||||
- Remove all entries in `LaunchDaemons` (may be optional)
|
||||
- Add an entry for bash in `LaunchDaemons`
|
||||
```xml
|
||||
<key>/System/Library/LaunchDaemons/bash.plist</key>
|
||||
<dict>
|
||||
<key>EnablePressuredExit</key>
|
||||
<false/>
|
||||
<key>Label</key>
|
||||
<string>com.apple.bash</string>
|
||||
<key>POSIXSpawnType</key>
|
||||
<string>Interactive</string>
|
||||
<key>ProgramArguments</key>
|
||||
<array>
|
||||
<string>/bin/bash</string>
|
||||
</array>
|
||||
<key>RunAtLoad</key>
|
||||
<true/>
|
||||
<key>StandardErrorPath</key>
|
||||
<string>/dev/console</string>
|
||||
<key>StandardInPath</key>
|
||||
<string>/dev/console</string>
|
||||
<key>StandardOutPath</key>
|
||||
<string>/dev/console</string>
|
||||
<key>Umask</key>
|
||||
<integer>0</integer>
|
||||
<key>UserName</key>
|
||||
<string>root</string>
|
||||
</dict>
|
||||
```
|
||||
|
||||
- Copy back
|
||||
```sh
|
||||
sudo cp /path/to/launchd.plist /Volumes/AzulSeed18A5351d.N104N841DeveloperOS/System/Library/xpc/launchd.plist
|
||||
```
|
||||
|
||||
|
||||
## Unmount the disk image
|
||||
```
|
||||
hdiutil detach /Volumes/AzulSeed18A5351d.N104N841DeveloperOS
|
||||
```
|
||||
|
||||
|
||||
----
|
||||
# Add a new binary to firmware
|
||||
|
||||
## Build binary - require Xcode on macOS
|
||||
|
||||
```sh
|
||||
xcrun -sdk iphoneos clang -arch arm64 -mcpu=apple-a13 -o hello hello.c
|
||||
```
|
||||
|
||||
Then sign the binary
|
||||
|
||||
```
|
||||
codesign -f -s - hello
|
||||
```
|
||||
|
||||
|
||||
## Copy binary to firmware
|
||||
|
||||
```sh
|
||||
# attach image
|
||||
hdiutil attach -imagekey diskimage-class=CRawDiskImage nvme.1
|
||||
|
||||
# enable ownership
|
||||
sudo diskutil enableownership /Volumes/AzulSeed18A5351d.N104N841DeveloperOS
|
||||
|
||||
# mount with RW
|
||||
mount -urw /Volumes/AzulSeed18A5351d.N104N841DeveloperOS
|
||||
```
|
||||
|
||||
Then copy the signed binary to image
|
||||
|
||||
```sh
|
||||
sudo cp hello /Volumes/AzulSeed18A5351d.N104N841DeveloperOS/bin
|
||||
```
|
||||
|
||||
Also copy the binary to the local `strap` directory
|
||||
|
||||
```sh
|
||||
cp hello strap/bin
|
||||
```
|
||||
|
||||
## Re-generate trustcache
|
||||
|
||||
This step is no longer needed as we now patch AMFI
|
||||
|
||||
```sh
|
||||
# dump trustcache from firmware
|
||||
python3 qemu-t8030-tools/bootstrap_scripts/dump_trustcache.py Firmware/038-44337-083.dmg.trustcache.out | grep cdhash | cut -d' ' -f2 > tchashes
|
||||
|
||||
# update trustcache with new binaries from strap
|
||||
for filename in $(find strap/ -type f); do jtool2 --sig $filename 2>/dev/null; done | grep CDHash | cut -d' ' -f6 | cut -c 1-40 >> ./tchashes
|
||||
|
||||
# re-serialize updated trustcache
|
||||
python3 qemu-t8030-tools/bootstrap_scripts/create_trustcache.py tchashes static_tc
|
||||
```
|
||||
|
||||
## Unmount the image
|
||||
Finally, unmount the firmware image - now with new binary inserted
|
||||
|
||||
```sh
|
||||
hdiutil detach /Volumes/AzulSeed18A5351d.N104N841DeveloperOS
|
||||
```
|