I'm trying to recover my own iPad Mini 1 (A5, iOS 9.3.5) that I've forgotten the alphanumeric password to. I've been using Legacy iOS Kit's SSH Ramdisk feature successfully to access the filesystem.
My goal is to patch the SpringBoard binary (specifically NOP a branch in SBLockScreenManager::_attemptUnlockWithPasscode:finishUIUnlock: at offset 0x00460490) to bypass the lock screen UI, and then upload it back to /mnt1. The patch itself works in Ghidra.
The problem is code signing enforcement on normal boot. Since:
checkra1n does NOT support iPad Mini 1 (A5) on iOS 9.3.5
Legacy iOS Kit's "Jailbreak Device" only supports up to iOS 9.3.4
Phoenix requires UI access (circular problem)
...I have no way to disable code signing verification for the modified SpringBoard to run on normal boot.
Legacy iOS Kit already patches the kernel for the SSH ramdisk boot (disabling codesign in that context). My question is:
Is there a way to use Legacy iOS Kit's existing checkm8/iBoot infrastructure to perform a semi-tethered boot of normal iOS with kernel codesign patches applied? (i.e. every boot uses checkm8 to load a patched kernel, which then boots the real iOS with codesign disabled)
Would it be feasible to extend support to iOS 9.3.5 for this use case, even if full jailbreak features aren't available?
I'm technically comfortable and happy to test or contribute. Any guidance appreciated.
Device: iPad Mini 1 (iPad2,5 / A5 / 8942)
iOS: 9.3.5
Setup: checkm8-a5 (LukeZGD fork) + Arduino Uno / Raspberry Pi Pico