The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

ios-kexec-utils

From The iPhone Wiki
Revision as of 12:35, 17 September 2021 by IAdam1n (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

ios-kexec-utils are a set of four iOS command line utilities written by winocm, originally designed to make booting another OS easier. Though described as “probably crap” by winocm herself, they have paved the way for a range of tools for 32-bit devices, including Odysseus (including derivative works such as OdysseusOTA and Beehind) and CoolBooter, as well as futurerestore’s ability to downgrade 32-bit devices. Use cases include dumping onboard SHSH blobs, downgrading to OTA signed firmware, downgrading to unsigned firmware with blobs and dual booting.

Utilities

Of the four utilities, kloader and multi_kloader must be executed on-device to “perform the magic”, while img3maker and ibsspatch just produce files and can be compiled for and run on any platform.

img3maker

img3maker is a tool that, offering a variety of options, makes an Img3 file container for a given file. This is needed for the decrypted boot chain.

ibsspatch

ibsspatch is a generic iBSS patcher for iOS 7.

kloader

kloader (kernel loader) is an image loader for the kernel, that loads a custom image into RAM and bootstraps it. It must be executed on the device and requires access to the kernel memory through task_for_pid(0) (tfp0), but can be adapted to use the equivalent host_get_special_port(4) instead. Needless to say, kloader is thus unable to run on unjailbroken firmware.

The three main use cases for kloader are:

  1. Downgrading: kloader is used to bootstrap a custom iBSS image that has been patched out of all integrity checks. This allows a custom ramdisk with a custom ASR to be used, which in turn allows a system restore to finish without ASR ruining the process when the signatures don’t match. The ability to use any ramdisk also makes it possible to use OTA blobs instead of regular ERASE/UPDATE blobs. It can also be abused to restore with invalid blobs and thus on purpose render the device unbootable.
  2. Dual booting: kloader is used to bootstrap custom iBSS and iBEC images that also have been patched to boot the system on partition /dev/disk0s1s3 instead of the main system. Additional patches down the bootchain are required.
  3. Dumping onboard SHSH blobs: kloader is used to bootstrap custom iBSS and iBEC images that have been patched in the same way as when downgrading. iRecovery is then used to upload xerub’s ibex payload and dump the blobs.

On iOS 6 hosts, kloader will be paused when locking the screen if run directly from MTerminal. There are ways to get around this, for example by using the GUI utility Way Out, or by launching kloader over ssh (OpenSSH must be installed and enabled): ssh root@localhost, then e.g. kloader /iBSS.

multi_kloader

multi_kloader extends kloader’s functionality by loading two images into memory instead of one. It is especially useful for dual booting iPods and iPhones, as it can load both iBSS and iBEC directly, without having to use iRecovery on a computer to bootstrap iBEC after loading iBSS. multi_kloader is used by dual boot utilities CoolBooter and Way Out.

Further development

The last commit was pushed by winocm on 31 March 2014, ten days after she announced that she would be joining Apple later that year. The project was left compatible with iOS 6 and 7 (the most recent firmware at the time) and was 32-bit only.

axi0mX later updated kloader to support iOS 4 and 5, and also introduced experimental support for 64-bit devices running iOS 7 or 8.

External links

Retrieved from "https://www.theiphonewiki.com/w/index.php?title=Ios-kexec-utils&oldid=117050"