Created
October 26, 2021 17:49
-
-
Save teelekkung/3d15b317f1c0595a7b0b9b251a24c364 to your computer and use it in GitHub Desktop.
Set nonce generator when you mess-up (ckeckm8) A11 iphone10,4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Hello you tf is reading this | |
| My English is bad as mush as my mind so don't expect much | |
| I messup upgrade to ios 15 (auto-matical update over night) | |
| I fk hate when i forgot to turnoff autoupdate and install ota block | |
| So what to do | |
| I do and search how to set nonce generator on ios 15 without jail | |
| What do you expect from me?? lol i just a teenage find a solution online | |
| i saw a lot of tool like checkm8-nonce-setter: https://github.com/MatthewPierson/checkm8-nonce-setter | |
| ramiel.app : https://github.com/MatthewPierson/Ramiel | |
| checkm8-nonce-setter didn't work for me because i have 10,4 | |
| In another hand ramiel.app half work | |
| what happened ??? | |
| ramiel able to make my device pwn but it isn't enough | |
| when ramiel set apnonce i saw in log that it create a ibss ibec patch that make device boot before apple logo | |
| the rest of it code is working but nonce still randomize ????? | |
| wthf is happening ??? | |
| I saw in checkm8-nonce-setter.sh and ramiel that they are using irecovery to send some commands to device in common | |
| witch are | |
| irecovery -c "setenv com.apple.System.boot-nonce $generator" | |
| irecovery -c "saveenv" | |
| irecovery -c "setenv auto-boot false" | |
| irecovery -c "saveenv" | |
| irecovery -c "reset" | |
| So i search in reddit about create patch ibec ibss and found this 2 post | |
| https://www.reddit.com/r/jailbreak/comments/g261pr/tutorial_verbose_booting_manually_with_checkm8_on/ | |
| https://www.reddit.com/r/jailbreak/comments/dfi6nk/tutorial_set_generator_in_any_ios_version_by/ | |
| i use down guide to test first but fail becacue old command and arg is a little bit weird | |
| so i try top post to do so and ..... | |
| I able to crate ibss and ibes , send to device and do irecovery stuff and ....... | |
| apnonce still randomized again ???? | |
| after that i try kairos ibec.raw ibec.pwn -b "0x1111111111111111" -n (things common in 2 guide kairos and iBoot64patcher) | |
| then it work ???? | |
| so i will write every command i use doun here | |
| tsschecker -d <model identifier> -l -e <ECID> -s | |
| img4tool -e -s *.shsh2 -m IM4M | |
| img4 -i iBSS.*.RELEASE.im4p -b | |
| img4 -i iBEC.*.RELEASE.im4p -b | |
| ./ipwndfu -p | |
| ./ipwndfu --decrypt-gid=<kbag> <kbag> from top line that output from 3,4 | |
| img4 -i iBSS.*.RELEASE.im4p -o ibss.raw -k <dkbag> <dkbag> from thing came after you use 6from3 | |
| img4 -i iBEC.*.RELEASE.im4p -o ibec.raw -k <dkbag> <dkbag> from thing came after you use 6from4 | |
| kairos ibss.raw ibss.pwn | |
| kairos ibec.raw ibec.pwn -b "0x1111111111111111" -n (you can use your own gen here) | |
| img4 -i ibss.pwn -o ibss -M IM4M -A -T ibss | |
| img4 -i ibec.pwn -o ibec -M IM4M -A -T ibec | |
| irecovery -c "setenv com.apple.System.boot-nonce 0x1111111111111111" (must same as your gen that you put in ibec) | |
| irecovery -c "saveenv" | |
| irecovery -c "setenv auto-boot false" | |
| irecovery -c "saveenv" | |
| irecovery -c "reset" | |
| Profit |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment