Barebones Jailbreaking an iPhone 3GS Using A Custom Ramdisk

By: iBoot32


Prelude:

ALL INFORMATION IN THIS TUTORIAL IS LEGAL AND CANNOT BE USED FOR ILLEGAL/UNETHICAL PURPOSES. JAILBREAKING IS LEGAL. The goal of this tutorial is to create a barebones jailbreak for iOS 6. Typically, this means gaining read/write access on the root filesystem, and also patching Services.plist to set up AFC2. This procedure is inspired by ssh_rd and geeksn0w (obviously this process and those tools are going to be very similar).

This tutorial is written with the iPhone 3GS on 6.1.6 in mind (and only on Windows), but it can be adapted with minimal effort to support other devices.

YOU WILL NEED A WINDOWS 7 MACHINE IN ONE WAY OR ANOTHER (VIRTUAL MACHINES WILL WORK) BECAUSE LIMERA1N IS BROKEN IN WINDOWS 10 FOR SOME REASON.

Part 1: Downloading the Required Files

  1. Download all the needed binaries from here and unzip them to your chosen working directory for this project.

  2. Download the iBSS, iBEC, Kernelcache, DeviceTree, and Restore Ramdisk straight from Apple (partialzip pulls single files out of the IPSW without downloading the whole archive).
    partialzip "http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw" "Firmware/dfu/iBEC.n88ap.RELEASE.dfu" "ibec.dfu"
    partialzip "http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw" "Firmware/dfu/iBSS.n88ap.RELEASE.dfu" "ibss.dfu"
    partialzip "http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw" "kernelcache.release.n88" "kern.n88"
    partialzip "http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw" "Firmware/all_flash/all_flash.n88ap.production/DeviceTree.n88ap.img3" "devicetree.img3"
    partialzip "http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw" "038-4349-020.dmg" "ramdisk.dmg"
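Every file pulled above is an IMG3 container, and a truncated download or a wrong path inside the IPSW is much easier to diagnose here than after xpwntool has produced garbage. The following checker is an added example, not part of the tutorial's toolchain: it walks the IMG3 header and tag list, reports the container's ident (ibss, ibec, krnl, dtre, rdsk) and whether a KBAG tag is present (meaning the payload is encrypted and needs the -iv/-k pair used in Part 2). The `build_img3` helper and the sample blobs it produces are constructed for testing; the filename-to-ident table is an assumption based on the names used in this tutorial.

```python
"""Sanity-check the firmware components fetched with partialzip before decrypting them.

Added example, not from the tutorial. Parses the IMG3 container format
(20-byte header followed by (magic, totalLength, dataLength, data) tags).
"""
import struct
import sys

IMG3_MAGIC = b"3gmI"  # "Img3" stored little-endian, so the file starts with these bytes

# Ident each of the tutorial's files should carry (assumed from the names used in Part 1).
EXPECTED_IDENTS = {
    "ibss.dfu": "ibss",
    "ibec.dfu": "ibec",
    "kern.n88": "krnl",
    "devicetree.img3": "dtre",
    "ramdisk.dmg": "rdsk",
}


def _fourcc(raw: bytes) -> str:
    """IMG3 stores four-character codes little-endian; reverse them to get the readable form."""
    return raw[::-1].decode("ascii", errors="replace")


def parse_img3(data: bytes) -> dict:
    """Parse an IMG3 container into its ident and tag list; raises ValueError on anything malformed."""
    if len(data) < 20 or data[:4] != IMG3_MAGIC:
        raise ValueError("not an IMG3 container")
    full_size, size_no_pack, sig_check_area = struct.unpack_from("<III", data, 4)
    if full_size > len(data):
        raise ValueError(f"truncated: header says {full_size} bytes, file has {len(data)}")
    tags = []
    pos = 20
    while pos + 12 <= full_size:
        magic, total_len, data_len = struct.unpack_from("<4sII", data, pos)
        if total_len < 12 + data_len or pos + total_len > full_size:
            raise ValueError(f"malformed tag at offset 0x{pos:x}")
        tags.append({"name": _fourcc(magic), "offset": pos + 12, "length": data_len})
        pos += total_len
    return {
        "ident": _fourcc(data[16:20]),
        "full_size": full_size,
        "tags": tags,
        # A KBAG tag carries the wrapped IV/key: the DATA payload is encrypted and xpwntool needs -iv/-k.
        "encrypted": any(t["name"] == "KBAG" for t in tags),
    }


def check_component(data: bytes, expected_ident: str) -> bool:
    """True when the blob is a well-formed IMG3 of the expected type and carries a DATA payload."""
    try:
        info = parse_img3(data)
    except ValueError:
        return False
    names = [t["name"] for t in info["tags"]]
    return info["ident"] == expected_ident and "DATA" in names


def build_img3(ident: str, payload: bytes, kbag: bytes = b"") -> bytes:
    """Assemble a minimal IMG3 (TYPE, DATA, optional KBAG). Used here only to construct sample input."""
    def tag(name: str, body: bytes) -> bytes:
        return struct.pack("<4sII", name[::-1].encode(), 12 + len(body), len(body)) + body

    body = tag("TYPE", ident[::-1].encode()) + tag("DATA", payload)
    if kbag:
        body += tag("KBAG", kbag)
    header = IMG3_MAGIC + struct.pack("<III", 20 + len(body), len(body), len(body)) + ident[::-1].encode()
    return header + body


if __name__ == "__main__":
    # Usage: python check_img3.py ibss.dfu ibec.dfu kern.n88 devicetree.img3 ramdisk.dmg
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        info = parse_img3(blob)
        print(f"{path}: ident={info['ident']} expected={EXPECTED_IDENTS.get(path, '?')} "
              f"encrypted={info['encrypted']} tags={[t['name'] for t in info['tags']]}")
```

Run it on the five downloads before Part 2; every file should report the ident from the table and `encrypted=True`. The same check is useful again after re-encrypting in Part 2, since xpwntool's `-t` template should give you back an IMG3 with the original ident.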

Part 2: Decrypting and Patching Firmware Components

  1. Decrypt iBSS, iBEC, Kernelcache, and the Restore Ramdisk via xpwntool.
    xpwntool ibss.dfu ibss.dfu.dec -iv 0cbb6ea94192ba4c4f215d3f503279f6 -k 36782ee3df23e999ffa955a0f0e0872aa519918a256a67799973b067d1b4f5e0
    xpwntool ibec.dfu ibec.dfu.dec -iv 1fe15472e85b169cd226ce18fe6de524 -k 677be330d799ffafad651b3edcb34eb787c2d6c56c07e6bb60a753eb127ffa75
    xpwntool kern.n88 kern.n88.dec -iv 0dc795a64cb411c21033f97bceb96546 -k 0cc1dcb2c811c037d6647225ec48f5f19e14f2068122e8c03255ffe1da25dec3
    xpwntool ramdisk.dmg ramdisk.dmg.dec -iv 26ec90f47073acaa0826c55bdeddf4bb -k 7af575ca159ba58b852dfe1c6f30c68220a7a94be47ef319ce4f46ba568b7a81
  2. Patch iBSS, iBEC, and Kernelcache.
    To make this part easier, I provide patchfiles based on iH8Sn0w’s sn0wbreeze patches.
    fuzzy_patcher --patch --orig ibss.dfu.dec --patched ibss.dfu.dec.p --delta ibss.patch
    fuzzy_patcher --patch --orig ibec.dfu.dec --patched ibec.dfu.dec.p --delta ibec.patch
    fuzzy_patcher --patch --orig kern.n88.dec --patched kern.n88.dec.p --delta kern.n88.patch

  3. Re-encrypt the patched files, using the original encrypted files as IMG3 templates (-t):
    move ibss.dfu ibss.dfu.orig
    move ibec.dfu ibec.dfu.orig
    move kern.n88 kern.n88.orig
    xpwntool ibss.dfu.dec.p ibss.dfu -t ibss.dfu.orig -iv 0cbb6ea94192ba4c4f215d3f503279f6 -k 36782ee3df23e999ffa955a0f0e0872aa519918a256a67799973b067d1b4f5e0
    xpwntool ibec.dfu.dec.p ibec.dfu -t ibec.dfu.orig -iv 1fe15472e85b169cd226ce18fe6de524 -k 677be330d799ffafad651b3edcb34eb787c2d6c56c07e6bb60a753eb127ffa75
    xpwntool kern.n88.dec.p kern.n88 -t kern.n88.orig -iv 0dc795a64cb411c21033f97bceb96546 -k 0cc1dcb2c811c037d6647225ec48f5f19e14f2068122e8c03255ffe1da25dec3

Part 3: Customizing Our Ramdisk

The ssh.tar I use is from ssh_rd; I just modified it to include a few more binaries we need.

  1. Enlarge the ramdisk, then extract the .tar file containing an SSH service to / on the ramdisk.
    hfsplus ramdisk.dmg.dec grow 25000000
    hfsplus ramdisk.dmg.dec untar ssh.tar "/"
  2. Rebuild the Ramdisk
    move ramdisk.dmg ramdisk.dmg.orig
    xpwntool ramdisk.dmg.dec ramdisk.dmg -t ramdisk.dmg.orig -k 7af575ca159ba58b852dfe1c6f30c68220a7a94be47ef319ce4f46ba568b7a81 -iv 26ec90f47073acaa0826c55bdeddf4bb

Part 5: Booting the Device Using Our Patched Components

(Please connect your iPhone 3GS on 6.1.6 to your Windows 7 Machine for this part)

Make sure your device is in DFU mode as well.

We start by pwning DFU (this runs the limera1n bootrom exploit):
irec -e
After the above command, your device should still be at a blank black screen. If not, reboot your 3GS and try Part 5 again.

Now we send iBSS and iBEC:
irecovery -f ibss.dfu
irecovery -f ibec.dfu
At this point, your device should have reconnected in recovery mode (or at least had its screen light up and display a black image).

Send all necessary bootchain components:
irecovery -f devicetree.img3
irecovery -c devicetree
irecovery -f ramdisk.dmg
irecovery -c ramdisk 0x90000000
irecovery -f kern.n88

And the final step:
irecovery -c bootx
Now, your device’s screen should be on, and be displaying an Apple logo and a blank progress bar.


Part 6: RootFS Modifications

Begin by forwarding the device's SSH port over USB to local port 2022:
itunnel_mux --lport 2022

Leave the previous CMD window open, and open a new CMD window in your working directory.
plink -batch -pw alpine -P 2022 root@127.0.0.1 mount.sh
pscp -batch -pw alpine -P 2022 Services.plist root@127.0.0.1:/bin/Services.plist
plink -batch -pw alpine -P 2022 root@127.0.0.1 mv /mnt1/System/Library/Lockdown/Services.plist /mnt1/System/Library/Lockdown/Services.plist.old
plink -batch -pw alpine -P 2022 root@127.0.0.1 mv /bin/Services.plist /mnt1/System/Library/Lockdown/Services.plist
plink -batch -pw alpine -P 2022 root@127.0.0.1 sed -i -e 's/ro/rw/g' "/mnt1/etc/fstab"
Here we mounted the RootFS at /mnt1, replaced Services.plist to enable AFC2, and patched fstab (ro to rw) for R/W on the RootFS.

Now feel free to make any additional RootFS modifications you want (for example, plink -batch -pw alpine -P 2022 root@127.0.0.1 rm -rf /mnt1/Applications/Setup.app). When you’re done, run plink -batch -pw alpine -P 2022 root@127.0.0.1 kill 1 and your device will reboot.
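The two file edits in this part (adding an AFC2 service to Services.plist and flipping the root mount from ro to rw in fstab) are easy to get subtly wrong over a one-line plink session, so here they are as an offline script you can run against copies of the files before pushing them with pscp. This is an added example, not the tutorial's own Services.plist or scripts: the tutorial never shows the contents of its Services.plist, so the `com.apple.afc2` entry below is the conventional one jailbreaks add (afcd serving `/` instead of the media directory), and both `SAMPLE_SERVICES` and `SAMPLE_FSTAB` are constructed inputs modelled on the stock layout.

```python
"""Offline versions of the Part 6 RootFS edits: enable AFC2 in Services.plist and
make the root entry of /etc/fstab read-write.

Added example, not from the tutorial. The AFC2 service definition is the
conventional one (assumption: the tutorial does not show its Services.plist);
the sample plist and fstab are constructed test inputs.
"""
import plistlib

# Conventional AFC2 entry: afcd exposes "/" over lockdown (assumption, see docstring).
AFC2_SERVICE = {
    "AllowUnactivatedService": True,
    "Label": "com.apple.afc2",
    "ProgramArguments": ["/usr/libexec/afcd", "--lockdown", "-d", "/"],
}

# Constructed minimal Services.plist holding only the stock AFC service.
SAMPLE_SERVICES = plistlib.dumps({
    "com.apple.afc": {
        "Label": "com.apple.afc",
        "ProgramArguments": ["/usr/libexec/afcd", "--lockdown", "-d", "/var/mobile/Media"],
    },
})

# Constructed fstab: root read-only, user-data partition read-write (the stock shape).
SAMPLE_FSTAB = (
    "/dev/disk0s1s1 / hfs ro 0 1\n"
    "/dev/disk0s1s2 /private/var hfs rw,nosuid,nodev 0 2\n"
)


def add_afc2(plist_bytes: bytes) -> bytes:
    """Return Services.plist with a com.apple.afc2 entry added; running it twice changes nothing."""
    services = plistlib.loads(plist_bytes)
    services.setdefault("com.apple.afc2", dict(AFC2_SERVICE))
    return plistlib.dumps(services)


def has_afc2(plist_bytes: bytes) -> bool:
    """True when the plist defines com.apple.afc2 and it serves the root directory."""
    svc = plistlib.loads(plist_bytes).get("com.apple.afc2") or {}
    args = svc.get("ProgramArguments") or []
    return bool(args) and args[-1] == "/"


def patch_fstab(text: str) -> str:
    """Flip 'ro' to 'rw' in the options field of the '/' entry only; every other line is left alone."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/":
            fields[3] = ",".join("rw" if opt == "ro" else opt for opt in fields[3].split(","))
            line = " ".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"


def root_is_rw(text: str) -> bool:
    """Check the result: the '/' entry must carry the rw option."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/":
            return "rw" in fields[3].split(",")
    return False


if __name__ == "__main__":
    # Usage: python rootfs_edits.py  (prints the patched sample files)
    print(add_afc2(SAMPLE_SERVICES).decode())
    print(patch_fstab(SAMPLE_FSTAB))
```

Scoping the substitution to the `/` entry is the point of `patch_fstab`: a global `sed` over the whole file also touches the `/private/var` line if the pattern ever matches there, and a read-only `/private/var` will not boot. Keep in mind what the AFC2 entry does from the device's side: any host that holds a pairing record now gets unrestricted root-filesystem access over USB, and the ramdisk session above authenticates with the default root password, so treat both as credentials.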

Additional Tips and Tricks

If you want to patch a decrypted iBEC for verbose boot, at offset 0x00024A20 you will find these bytes:
72 64 3D 6D 64 30 20 6E 61 6E 64 2D 65 6E 61 62 6C 65 2D 72 65 66 6F 72 6D 61 74 3D 31 20 2D 70 72 6F 67 72 65 73 73
(or in text, rd=md0 nand-enable-reformat=1 -progress)

With a hex editor you can change the hex to 2D 76 20 72 64 3D 6D 64 30 20 2D 70 72 6F 67 72 65 73 73 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
(in text, -v rd=md0 -progress, padded with spaces to the same 39-byte length so nothing after the string moves). Re-encrypt the result with xpwntool exactly as in Part 2.
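Doing this edit in a hex editor gives you no check that the bytes at that offset are what you think they are, or that the replacement keeps the same length. The script below is an added example (not part of the tutorial's tooling) that applies the same verbose-boot edit to a decrypted iBEC with those checks: it verifies the original string is at the expected offset, pads the replacement to the original 39 bytes, and refuses to guess if the string is missing or appears more than once. `IBEC_BOOTARGS_OFFSET` is the offset from the tip above and only applies to this iBEC build; `SAMPLE_IMAGE` is a constructed input used for testing.

```python
"""Apply the verbose-boot edit to a decrypted iBEC with length and location checks.

Added example, not from the tutorial. Operates on the decrypted file
(ibec.dfu.dec); the output still has to be re-encrypted with xpwntool as in Part 2.
"""
import sys

OLD_ARGS = b"rd=md0 nand-enable-reformat=1 -progress"
NEW_ARGS = b"-v rd=md0 -progress"
IBEC_BOOTARGS_OFFSET = 0x00024A20  # from the tip above; only valid for this iBEC build


def padded_new_args() -> bytes:
    """The replacement, space-padded to the original's length so the bytes after it do not shift."""
    return NEW_ARGS.ljust(len(OLD_ARGS), b" ")


def hex_listing(blob: bytes) -> str:
    """Render bytes the way the tip above lists them (upper-case, space separated)."""
    return blob.hex(" ").upper()


def patch_bootargs(image: bytes, offset=None) -> bytes:
    """Return a copy of image with the boot-args string replaced.

    With an explicit offset the original string must be exactly there; without one
    it is searched for and must occur exactly once.
    """
    if offset is None:
        if image.count(OLD_ARGS) != 1:
            raise ValueError("boot-args string not found exactly once; refusing to patch")
        offset = image.find(OLD_ARGS)
    window = image[offset:offset + len(OLD_ARGS)]
    if window != OLD_ARGS:
        raise ValueError(f"expected boot-args at 0x{offset:x}, found {window!r}")
    new = padded_new_args()
    assert len(new) == len(OLD_ARGS)  # same length: the image layout is untouched
    return image[:offset] + new + image[offset + len(OLD_ARGS):]


# Constructed sample: filler, the string, its NUL terminator, more filler.
SAMPLE_IMAGE = b"\x00" * 16 + OLD_ARGS + b"\x00" + b"\xff" * 8


if __name__ == "__main__":
    # Usage: python patch_ibec_verbose.py ibec.dfu.dec ibec.dfu.dec.v
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        data = f.read()
    try:
        patched = patch_bootargs(data, IBEC_BOOTARGS_OFFSET)
    except ValueError:
        patched = patch_bootargs(data)  # other build: fall back to searching for the string
    with open(dst, "wb") as f:
        f.write(patched)
    print(f"patched {src} -> {dst}: {hex_listing(padded_new_args())}")
```

`hex_listing(OLD_ARGS)` and `hex_listing(padded_new_args())` reproduce the two hex lines from the tip, which is a quick way to confirm the replacement matches what you would have typed into the hex editor. The fallback search is for other iBEC builds, where the offset differs but the string usually does not.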


Conclusion

Congrats, you have barebones jailbroken your iPhone 3GS! fstab is patched for RootFS R/W, and AFC2 is installed.

Credits: