@deepfriedfilth
Last active August 23, 2017 17:13
Roll your own 9.1 - 9.3.4 JB

Roll Your Own 9.1 - 9.3.4 Untether

This tutorial is written for those who are comfortable with the command line and git, have semi-advanced computer literacy, and/or can follow directions.

No warranty is implied, and I cannot provide much support beyond what I hope is this easy-to-follow write-up.

PS I'm using a Mac and my iPhone 5,2 (iPhone 5 World/CDMA) with an IP of 192.168.1.254. Make sure to swap out the pertinent values/filenames before running any of the relevant commands listed below.

Things you'll need

Hardware

  • Mac/Linux computer or Windows with cygwin, maybe? Again, I'm on a Mac. YMMV
  • 32-bit iOS device running 9.1 - 9.3.4

Software

Reference Material

Patience

Steps

  1. Download your IPSW

  2. Create a directory to work in somewhere on your 'puter, how about your desktop for simplicity?

    cd ~/Desktop; mkdir betterhomedepot; cd betterhomedepot
    
  3. Throw your IPSW in the directory you just made

    mv ~/Downloads/iPhone5,2_9.3.3_13G34_Restore.ipsw .
    
  4. Download kcache from here and follow its README.md to build it

    git clone https://github.com/badeip/kcache; cd kcache
    
  5. Unzip the IPSW

    7z x ../iPhone5,2_9.3.3_13G34_Restore.ipsw
    
  6. Let it do its thang. There should be new files in your kcache folder: 3 dmgs, BuildManifest.plist, an inflated Firmware folder, kernelcache.release.nXX (.n42 in my case), and Restore.plist

  7. Grab your IV and Key for your device's kernelcache from the iPhone wiki link above

  8. Decrypt your kernelcache, bruh

    kcache --in kernelcache.release.n42 --iv 2e9e6833bc783d1d0f88c218d1dec0ac --key ef2b869d97123287274bb7f208ca726805e256b5df77fda9113612738e584338
    
  9. Kcache-ception. There should now be a kcache directory inside your kcache directory. The important file in there is the binary kernelcache.bin

  10. Open up Hopper. Proceed in Trial Mode or buy a license since it's only $99, I don't care. Select File > Read Executable to Disassemble (⌘⇧O). Select the kernelcache.bin we just created. Let Hopper do its thang. moar RAM = moar fast.

  11. Follow the instructions in Karen's Trident writeup to find the first 12 pieces of the puzzle (offsets). You can search non-hex strings in the sidebar search, but you will need to use Find > Find... (⌘F) (set to Hex Values) for the Hex String values listed! Subtractions can be calculated using Calculator.app if you set the mode to Programmer using View > Programmer. Always subtract 0x80001000, as she states, even for the find_vm_kernel_addrperm() step. Save these values in order in a text editor.

  12. You should have 14 hexadecimal values there. We still need 5 more. Following tihmstar's tweet, we revisit Karen's section on find_clock_ops(), which should point you to hex address 8040c428. Follow @stek29's tutorial to grab these last 5 values. Add those to the text file with your other offsets.

  13. Next we're gonna copy offsets.json from your device using SSH. Run the following command or connect using an app like CyberDuck if you prefer a GUI. (Default password is alpine when prompted.)

    scp root@192.168.1.254:/untether/offsets.json .
    
  14. Open offsets.json in your favorite text editor (or the default one, if you use the following command)

    open offsets.json
    
  15. From your terminal, SSH into your device. Enter the password when prompted

    ssh root@192.168.1.254
    
  16. Once connected to the device, we'll create a writeable log file in case we run into issues with the untether later

    touch /var/mobile/Media/betterhomedepot.log; chmod +w /var/mobile/Media/betterhomedepot.log
    
  17. We'll need to identify your device when providing offsets for the untether. Run:

    uname -a
    
  18. Copy the output of that command. Paste it in a blank text file for now. Close the SSH connection.

    exit
    
  19. In offsets.json, add a comma after the closing square bracket. Copy from line 2 (after initial curly bracket) until the comma you just added. Paste. Swap out the output from step 16 in this newly created, second entry. Change MarijuanARM to RELEASE_ARM.

  20. Now we're gonna swap in the first 11 offsets you found with Hopper. Skip entering the next one found (find_flush_dcache()), but enter the following one (find_invalidate_tlb()). See the wall.supplies custom offsets, referenced above, to find the next 2 values. (The first of these will be 0x458904 for 9.1, 0x457264 for 9.2.x, and 0x45F2C8/0x45717C for 9.3.x. The second will be 0x98 for 9.1-9.2.x and 0xa4 for 9.3.x.) After that, add the last five from your text file. It should look something like so:

    {
      "Darwin Kernel Version 15.6.0: Mon Jun 20 20:10:21 PDT 2016; root:xnu-3248.60.9~1/RELEASE_ARM_S5L8940X":
       ["0x318388",
        "0x31ab90",
        "0x1e200",
        "0xd9838",
        "0x403428",
        "0xc76b4",
        "0xd983a",
        "0xc73e8",
        "0x455844",
        "0x3f6454",
        "0xc7440",
        "0x45717c",
        "0xa4",
        "0x8001f1d5",
        "0x0",
        "0x0",
        "0x8001f201",
        "0x8001f221"
      ],
      "Darwin Kernel Version 15.6.0: Mon Jun 20 20:10:21 PDT 2016; root:xnu-3248.60.9~1/RELEASE_ARM_S5L8950X":
       ["0x31F13C",
        "0x3219FC",
        "0x1EEAC",
        "0xDEA48",
        "0x40B428",
        "0xCB7DC",
        "0xDEA4A",
        "0xCB508",
        "0x45D978",
        "0x3FE454",
        "0xCB560",
        "0x45F2C8",
        "0xA4",
        "0x8001FE7D",
        "0x0",
        "0x0",
        "0x8001FEAD",
        "0x8001FECD"
      ]
    }
    
  21. Validate the JSON. Select all contents of offsets.json and copy+paste them into the form on JSONlint.com.

  22. Copy your new version of offsets.json back to your device's /untether directory. (Enter the password when prompted.)

    scp offsets.json root@192.168.1.254:/untether
    
  23. Reboot your device. If you bootloop, you probably got some offsets wrong. Be patient. After 11 failed boot attempts, the untether will not execute the kernel exploit. The number of boots is tracked in /var/mobile/Media/betterhomedepot.txt, a file which gets deleted on a successful boot+untether. Delete the file after a failed boot to re-enable the untether and try again. To disable your untether later for some reason, you can run this line after SSHing into your device:

    echo '10' > /var/mobile/Media/betterhomedepot.txt
    
  24. Enjoy your untethered JB (Note: You will need to reinstall OpenSSH via Cydia or dpkg -i the .deb to be able to connect to your device again, but you were used to that with Home Depot JB sans untether, anyway)

BONUS STEP: Skip finding the first 11 offsets by referencing the Custom offsets format and gathering them from Trident/offsetfinder.c after a git clone https://github.com/benjamin-42/Trident.git ...but what's the fun in that? <3 Hopper
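A small Python helper for steps 19 through 21, added here as an example and not part of the original gist or the untether: it cuts the kernel version string out of the uname -a output and renames MarijuanARM to RELEASE_ARM, parses offsets.json strictly (json.loads on its own would silently keep the last of two entries with the same key, which is exactly what a pasted-but-not-renamed entry looks like), and checks that every entry is a list of 18 0x-prefixed hex strings like the sample above. The layout of the uname -a line is an assumption; SAMPLE_UNAME is a constructed sample, not captured from a device.

```python
import json
import re

# Constructed sample of `uname -a` on a jailbroken device (assumption; the real line may differ).
SAMPLE_UNAME = ("Darwin iPhone 15.6.0 Darwin Kernel Version 15.6.0: Mon Jun 20 20:10:21 PDT 2016; "
                "root:xnu-3248.60.9~1/MarijuanARM_S5L8950X iPhone5,2 arm Darwin")
EXPECTED_COUNT = 18  # both sample entries on the page carry 18 offsets
KEY_RE = re.compile(r"Darwin Kernel Version .*?/(?:MarijuanARM|RELEASE_ARM)_\S+")
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+$")

def key_from_uname(uname_line):
    """Step 19: cut the kernel version string out of uname -a and rename MarijuanARM to RELEASE_ARM."""
    m = KEY_RE.search(uname_line)
    if not m:
        raise ValueError("no 'Darwin Kernel Version ...' string in uname output")
    return m.group(0).replace("MarijuanARM", "RELEASE_ARM")

def _reject_duplicate_keys(pairs):
    # json.loads alone silently keeps the last copy, so an un-renamed pasted entry would
    # overwrite the original entry without any error.
    seen = {}
    for k, v in pairs:
        if k in seen:
            raise ValueError(f"duplicate key {k!r}: did you forget to rename the pasted entry?")
        seen[k] = v
    return seen

def parse_offsets(text):
    """Step 21: strict parse of offsets.json; syntax errors and duplicate keys both raise."""
    return json.loads(text, object_pairs_hook=_reject_duplicate_keys)

def validate_offsets(doc):
    """Return a list of problems; an empty list means the structure matches the page's sample."""
    if not isinstance(doc, dict) or not doc:
        return ["top level must be a non-empty JSON object"]
    problems = []
    for key, offsets in doc.items():
        if not key.startswith("Darwin Kernel Version"):
            problems.append(f"{key!r}: key is not a kernel version string")
        if not isinstance(offsets, list) or len(offsets) != EXPECTED_COUNT:
            problems.append(f"{key!r}: expected a list of {EXPECTED_COUNT} offsets")
            continue
        for i, off in enumerate(offsets):
            if not isinstance(off, str) or not HEX_RE.match(off):
                problems.append(f"{key!r}: offset {i} is {off!r}, not a 0x-prefixed hex string")
    return problems

def add_entry(doc, uname_line, offsets):
    """Steps 19-20: return a copy of doc with this device's stock-kernel entry added."""
    return {**doc, key_from_uname(uname_line): list(offsets)}
```

Run validate_offsets(parse_offsets(open("offsets.json").read())) before copying the file back in step 22; anything it prints is a problem to fix before rebooting.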

@stek29

stek29 commented Aug 23, 2017

You will need to reinstall OpenSSH via Cydia or dpkg -i the .deb to be able to connect to your device again, but you were used to that with Home Depot JB sans untether, anyway

Just launchctl load /Library/LaunchDaemons/com.openssh.sshd.plist as root is enough :)
