
Help with T2 Macbook16,1 #3

Open
DengueTim opened this issue Oct 20, 2022 · 4 comments

Comments


DengueTim commented Oct 20, 2022

What went wrong? The MacBook16,1 ends up as a USB iPhone recovery device:

 Apple Mobile Device (Recovery Mode):

  Product ID:	0x1281
  Vendor ID:	0x05ac (Apple Inc.)
  Version:	0.00
  Serial Number:	SDOM:01 CPID:8012 CPRV:10 CPFM:03 SCEP:01 BDID:3A ECID:001448A90AF28026 IBFL:3C SRNM:[C02CX15VMD6T]
  Speed:	Up to 480 Mb/s
  Manufacturer:	Apple Inc.
  Location ID:	0x14200000 / 40
  Current Available (mA):	500
  Current Required (mA):	500
  Extra Operating Current (mA):	0

Don't see any errors..

hack@Crumpet t8012-DTS % ./odts.py -b resources/bootlogo.png -i iBridge2,14 6.6
Ontrack_T2Boot - A tool for tether booting Checkm8 vulnerable Mac devices by Martin, @mhotshotmc

Current version is: Beta 0.0.1
Make sure your device is connected in DFU mode
Retrieved ECID for device is: 0x001448a90af28026
Retrieved BDID for device is: 0x3a

Looking up board configuration based on retrieved BDID of 0x3a

Found match at j152fap
subprocess: ./resources/bin/tsschecker -d iBridge2,14 -e 0x001448a90af28026 --boardconfig j152fap -i 6.6 -s
Signing ticket for iBridge2,14 with 0x001448a90af28026 on iOS 6.6 saved successfully at ./resources/shsh.shsh.. Moving on...
PWNing T2 device to extract GID keys.. If this fails for more than a few seconds please restart the device and start over..
Device already in PWNDFU mode, not re-running exploit..
Downloading 6.6's BuildManifest.plist
Extracting: BuildManifest.plist, from iBridge2,1,iBridge2,10,iBridge2,12,iBridge2,14,iBridge2,15,iBridge2,16,iBridge2,19,iBridge2,20,iBridge2,21,iBridge2,22,iBridge2,3,iBridge2,4,iBridge2,5,iBridge2,6,iBridge2,7,iBridge2,8_6.6_19P6067_Restore.ipsw
Device set to j152fap
iBEC.j152f.RELEASE.im4p
iBSS.j152f.RELEASE.im4p
Getting SHSH for signing images
001448A90AF28026
Downloading and patching 6.6's iBSS/iBEC
Extracting: Firmware/dfu/iBEC.j152f.RELEASE.im4p, from iBridge2,1,iBridge2,10,iBridge2,12,iBridge2,14,iBridge2,15,iBridge2,16,iBridge2,19,iBridge2,20,iBridge2,21,iBridge2,22,iBridge2,3,iBridge2,4,iBridge2,5,iBridge2,6,iBridge2,7,iBridge2,8_6.6_19P6067_Restore.ipsw
Extracting: Firmware/dfu/iBSS.j152f.RELEASE.im4p, from iBridge2,1,iBridge2,10,iBridge2,12,iBridge2,14,iBridge2,15,iBridge2,16,iBridge2,19,iBridge2,20,iBridge2,21,iBridge2,22,iBridge2,3,iBridge2,4,iBridge2,5,iBridge2,6,iBridge2,7,iBridge2,8_6.6_19P6067_Restore.ipsw
iBSSKBAG is aee5e3d544de752c7f10f418cfdbff40e06e687c73b27d4bcae33c8bb1b05488c7101a5620b5fbb7dc65922f4f73f0aa
iBECKBAG is 16bc1afa7df1076bd9934ca53d8e2faf50e047fe9230cfc24913afa359767607bbc0d63f1f99ff2c9a80f44e6eaf43c3
Boot arguments for iBec set to rd=md0 -v
Downloading 6.6's KernelCache
Extracting: kernelcache.release.ibridge2p, from iBridge2,1,iBridge2,10,iBridge2,12,iBridge2,14,iBridge2,15,iBridge2,16,iBridge2,19,iBridge2,20,iBridge2,21,iBridge2,22,iBridge2,3,iBridge2,4,iBridge2,5,iBridge2,6,iBridge2,7,iBridge2,8_6.6_19P6067_Restore.ipsw
Downloading 6.6's DeviceTree
Extracting: Firmware/all_flash/DeviceTree.j152fap.im4p, from iBridge2,1,iBridge2,10,iBridge2,12,iBridge2,14,iBridge2,15,iBridge2,16,iBridge2,19,iBridge2,20,iBridge2,21,iBridge2,22,iBridge2,3,iBridge2,4,iBridge2,5,iBridge2,6,iBridge2,7,iBridge2,8_6.6_19P6067_Restore.ipsw
Downloading 6.6's TrustCache
Extracting: Firmware/078-33004-072.dmg.trustcache, from iBridge2,1,iBridge2,10,iBridge2,12,iBridge2,14,iBridge2,15,iBridge2,16,iBridge2,19,iBridge2,20,iBridge2,21,iBridge2,22,iBridge2,3,iBridge2,4,iBridge2,5,iBridge2,6,iBridge2,7,iBridge2,8_6.6_19P6067_Restore.ipsw
Patching TrustCache's type from trst to rtsc
Patching Devicetree's type from dtre to rdtr
Signing boot files
Signing firmware images before attempting to upload them to the device
IBSS and IBEC staged in StagedFiles dir
Removed image_load call; all incoming images will be loaded as raw
iBSS sent! Device should be booting into recovery
/Users/hack/src/t8012-DTS/resources
[==================================================] 100.0%
iBEC sent! Device should initializing iBEC
[==================================================] 100.0%
Bootx command send. This is needed to prevent Devicetree related issues later on
[==================================================] 100.0%
Stopping here as this is all we have implemented!

[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
Device should be booting!
hack@Crumpet t8012-DTS % 

jtechgr commented Feb 26, 2023

What went wrong here?

./odts.py -i iBridge2,4 7.2


@alhaithammsar

After lots of trying & fixes I got it to work, finally I can sleep :)

@TannerDrake

How'd you get this to work?

@AlexeyInwerp

The iBSS patching part is removed from the script. The dude above sells it as a solution; however, I believe and hope it will go public in a few months.
