Writing this tutorial for those who are comfortable with the command line, git, semi-advanced computer literacy and/or following directions.
No warranty is implied, and I cannot provide much support beyond what I hope is this easy-to-follow write-up.
PS I'm using a Mac and my iPhone 5,2 (iPhone 5 World/CDMA) with an IP of 192.168.1.254. Make sure to swap out pertinent values/filenames before running any of the relevant commands listed.
- Mac/Linux computer or Windows with cygwin, maybe? Again, I'm on a Mac. YMMV
- 32-bit iOS device running 9.1 - 9.3.4
- IPSW for your device @ its current firmware (Check ipsw.me)
- git
- Disassembler program: Hopper (free trial <3) or IDA. I'll be using the former in this tutorial.
- kcache
- HomeDepot, OpenSSH and UntetherHomeDepot (repo: http://repo.tihmstar.net) installed on your iOS device
- 9.x Firmware Keys
- Karen's Trident writeup
- tihmstar's Tweet
- wall.supplies custom offsets
- stek29's tutorial
- Benjamin-42's Trident (particularly offsetfinder.c)
-
Download your IPSW
-
Create a directory to work in somewhere on your 'puter, how about your desktop for simplicity?
cd ~/Desktop; mkdir betterhomedepot; cd betterhomedepot
-
Throw your IPSW in the directory you just made
mv ~/Downloads/iPhone5,2_9.3.3_13G34_Restore.ipsw .
-
Download kcache from here, follow README.md to build
git clone https://github.com/badeip/kcache; cd kcache
-
Unzip the IPSW
7z x ../iPhone5,2_9.3.3_13G34_Restore.ipsw
-
Let it do its thang. There should be new files in your kcache folder: 3 dmg's, BuildManifest.plist, an inflatedFirmware folder, kernelcache.release.nXX (.n42 in my case), and Restore.plist
-
Grab your IV and Key for your device's kernelcache from the iPhone wiki link above (9.x Firmware Keys).
Decrypt your kernelcache, bruh
kcache --in kernelcache.release.n42 --iv 2e9e6833bc783d1d0f88c218d1dec0ac --key ef2b869d97123287274bb7f208ca726805e256b5df77fda9113612738e584338
-
Kcache-ception. There should now be a kcache directory inside your kcache directory. The important file in there is the binary kernelcache.bin
-
Open up Hopper. Proceed in Trial Mode or buy a license since it's only $99, I don't care. Select File > Read Executable to Disassemble (⌘⇧O). Select the kernelcache.bin we just created. Let Hopper do its thang. moar RAM = moar fast.
-
Follow instructions in Karen's Trident writeup to find the first 12 pieces to the puzzle (offsets). You can search non-hex strings in the sidebar search, but will need to use Find > Find... (⌘F) (set to Hex Values) for the Hex String values listed! Subtractions can be calculated using Calculator.app if you set the mode to Programmer using View > Programmer. Always subtract 0x80001000, as she states, even for the find_vm_kernel_addrperm() step. Save these values in order in a text editor.
-
You should have 14 hexadecimal values there. We still need 5 more. Following tihmstar's tweet, we revisit Karen's section on find_clock_ops(), which should point you to hex address 8040c428. Follow @stek29's tutorial to grab these last 5 values. Add those to the text file with your other offsets.
-
Next we're gonna copy offsets.json from your device using SSH. Run the following command or connect using an app like CyberDuck if you prefer a GUI. (Default password is alpine when prompted.)
scp root@192.168.1.254:/untether/offsets.json .
-
Open offsets.json in your favorite text editor (or the default one, if you use the following command)
open offsets.json
-
From your terminal, SSH into your device. Enter the password when prompted
ssh root@192.168.1.254
-
Once connected to the device, we'll create a writeable log file in case we run into issues with the untether later
touch /var/mobile/Media/betterhomedepot.log; chmod +w /var/mobile/Media/betterhomedepot.log
-
We'll need to identify your device when providing offsets for the untether. Run:
uname -a
-
Copy the output of that command. Paste it in a blank text file for now. Close SSH connection.
exit
-
In offsets.json, add a comma after the closing square bracket. Copy from line 2 (after the initial curly bracket) until the comma you just added. Paste. Swap out the output from step 16 in this newly created, second entry. Change MarijuanARM to RELEASE_ARM.
-
Now we're gonna swap in the first 11 offsets you found with Hopper. Skip entering the next one found (find_flush_dcache()), but enter the following one (find_invalidate_tlb()). See wall.supplies custom offsets, referenced above, to find the next 2 values. (First of these will be 0x458904 for 9.1, 0x457264 for 9.2.x, and 0x45F2C8/0x45717C for 9.3.x. Second will be 0x98 for 9.1-9.2.x and 0xa4 for 9.3.x.) After that, add the last five from your text file. Should look something like so:
{
  "Darwin Kernel Version 15.6.0: Mon Jun 20 20:10:21 PDT 2016; root:xnu-3248.60.9~1/RELEASE_ARM_S5L8940X": [
    "0x318388", "0x31ab90", "0x1e200", "0xd9838", "0x403428", "0xc76b4",
    "0xd983a", "0xc73e8", "0x455844", "0x3f6454", "0xc7440", "0x45717c",
    "0xa4", "0x8001f1d5", "0x0", "0x0", "0x8001f201", "0x8001f221"
  ],
  "Darwin Kernel Version 15.6.0: Mon Jun 20 20:10:21 PDT 2016; root:xnu-3248.60.9~1/RELEASE_ARM_S5L8950X": [
    "0x31F13C", "0x3219FC", "0x1EEAC", "0xDEA48", "0x40B428", "0xCB7DC",
    "0xDEA4A", "0xCB508", "0x45D978", "0x3FE454", "0xCB560", "0x45F2C8",
    "0xA4", "0x8001FE7D", "0x0", "0x0", "0x8001FEAD", "0x8001FECD"
  ]
}
-
Validate JSON. Select all contents of offsets.json, copy+paste into the form on JSONlint.com
-
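JSONlint only catches syntax errors (the usual one here is the leftover comma from duplicating the entry). The script below is an added example, not part of the original post or of any of the linked projects: it also checks that the file has the same shape as the example above (every key a kernel version string with MarijuanARM replaced, every value a list of 0x hex strings, all lists the same length) and, optionally, that the key for your own uname -a output is present. The sample JSON is the example from above; the uname -a line and the KERNEL_RE used to cut the kernel string out of it are assumptions about that command's output format.

```python
import json
import re
import sys

# Constructed sample in the same shape as the offsets.json shown above:
# one key per kernel version string, each mapped to a list of hex-string offsets.
SAMPLE_OFFSETS_JSON = """{
  "Darwin Kernel Version 15.6.0: Mon Jun 20 20:10:21 PDT 2016; root:xnu-3248.60.9~1/RELEASE_ARM_S5L8940X": [
    "0x318388", "0x31ab90", "0x1e200", "0xd9838", "0x403428", "0xc76b4",
    "0xd983a", "0xc73e8", "0x455844", "0x3f6454", "0xc7440", "0x45717c",
    "0xa4", "0x8001f1d5", "0x0", "0x0", "0x8001f201", "0x8001f221"
  ],
  "Darwin Kernel Version 15.6.0: Mon Jun 20 20:10:21 PDT 2016; root:xnu-3248.60.9~1/RELEASE_ARM_S5L8950X": [
    "0x31F13C", "0x3219FC", "0x1EEAC", "0xDEA48", "0x40B428", "0xCB7DC",
    "0xDEA4A", "0xCB508", "0x45D978", "0x3FE454", "0xCB560", "0x45F2C8",
    "0xA4", "0x8001FE7D", "0x0", "0x0", "0x8001FEAD", "0x8001FECD"
  ]
}"""

# Constructed `uname -a` line matching the second entry above. The layout of
# this line is an assumption; paste the real output from step 16 instead.
SAMPLE_UNAME = ("Darwin iPhone 15.6.0 Darwin Kernel Version 15.6.0: Mon Jun 20 20:10:21 PDT 2016; "
                "root:xnu-3248.60.9~1/RELEASE_ARM_S5L8950X iPhone5,2 arm Darwin")

HEX_RE = re.compile(r"^0x[0-9a-fA-F]+$")
# Assumption: the offsets.json key runs from "Darwin Kernel Version" up to and
# including the ".../RELEASE_ARM_..." build tag, which contains no whitespace.
KERNEL_RE = re.compile(r"Darwin Kernel Version.*?/\S+")


def kernel_string_from_uname(uname_line):
    """Pull the kernel version string (the offsets.json key) out of a `uname -a` line."""
    m = KERNEL_RE.search(uname_line)
    return m.group(0) if m else None


def check_offsets(text, uname_line=None):
    """Return a list of problems found in an offsets.json document (empty = OK).

    Beyond JSON syntax, this verifies: top level is a non-empty object, every
    key looks like a kernel version string and no longer says MarijuanARM,
    every value is a non-empty list of "0x..." strings, all lists have the
    same length, and (if a uname line is given) this device's kernel string
    is one of the keys.
    """
    problems = []
    try:
        data = json.loads(text)
    except json.JSONDecodeError as e:
        # e.g. the trailing comma left over from duplicating an entry
        return ["invalid JSON: %s" % e]
    if not isinstance(data, dict) or not data:
        return ["top level must be a non-empty object"]
    expected_len = None
    for key, value in data.items():
        if not key.startswith("Darwin Kernel Version"):
            problems.append("key does not look like a kernel version string: %r" % key)
        if "MarijuanARM" in key:
            problems.append("key still contains MarijuanARM: %r" % key)
        if not isinstance(value, list) or not value:
            problems.append("value for %r is not a non-empty list" % key)
            continue
        for i, off in enumerate(value):
            if not isinstance(off, str) or not HEX_RE.match(off):
                problems.append("entry %d for %r is not a 0x hex string: %r" % (i, key, off))
        if expected_len is None:
            expected_len = len(value)
        elif len(value) != expected_len:
            problems.append("%r has %d offsets, expected %d" % (key, len(value), expected_len))
    if uname_line is not None:
        kernel = kernel_string_from_uname(uname_line)
        if kernel is None:
            problems.append("could not find a kernel version string in the uname line")
        elif kernel not in data:
            problems.append("no entry for this device's kernel: %r" % kernel)
    return problems


if __name__ == "__main__":
    # Usage: python check_offsets.py offsets.json ["<paste of uname -a>"]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_OFFSETS_JSON
    uname_line = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_UNAME
    found = check_offsets(text, uname_line)
    print("\n".join(found) if found else "offsets.json looks OK")
    sys.exit(1 if found else 0)
```

Run it against your edited offsets.json with the uname -a output pasted as the second argument; a non-zero exit means something to fix before you scp the file back and reboot, which is cheaper than a bootloop.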
Copy your new version of offsets.json back to your device's /untether directory. (Enter password when prompted)
scp offsets.json root@192.168.1.254:/untether
-
Reboot your device. If you bootloop, you probably got some offsets wrong. Be patient. After 11 failed attempts at boot, the untether will not execute the kernel exploit. The number of boots is checked from /var/mobile/Media/betterhomedepot.txt, a file which gets deleted on a successful boot+untether. Delete the file upon boot after failure to enable the untether/try again. To disable your untether later for some reason, you can run this line after SSHing into your device:
echo '10' > /var/mobile/Media/betterhomedepot.txt
-
Enjoy your untethered JB (Note: You will need to reinstall OpenSSH via Cydia or dpkg -i the .deb to be able to connect to your device again, but you were used to that with the Home Depot JB sans untether, anyway)
BONUS STEP: Skip finding the first 11 offsets needed by referencing the Custom offsets format and gathering them from Trident/offsetfinder.c after a git clone https://github.com/benjamin-42/Trident.git
...but what's the fun in that? <3 Hopper
Just launchctl load /Library/LaunchDaemons/com.openssh.sshd.plist as root is enough :)