finally fix ioaesaccelerator 2

This commit is contained in:
platinumstufff
2025-05-02 01:26:13 +03:00
parent 7f84ee709a
commit b32a8bfd36
13 changed files with 82 additions and 73 deletions

5
.gitignore vendored Normal file

@@ -0,0 +1,5 @@
.DS_Store
ramdisks/*/
resources/ipwndfu/
resources/firstrun
ipwndfu.zip


@@ -5,7 +5,7 @@ Bruteforce A5-A6 numeric password with ease.
# Prerequsites
1. A computer running macOS.
1. A x86 computer running macOS.
2. A compatible device (A5-A6)
# Usage
@@ -39,7 +39,7 @@ The tool will use the AES engine as much as possible with no restrictions at the
# Other Stuff
- [Reddit Post]()
- [Reddit Post](https://www.reddit.com/r/setupapp/comments/1jn09d5/release_iwannabrute_bruteforce_a5a6_with_ease/)
# Credits
- [AJAIZ](https://github.com/AsyJAIZ) for original bruteforce method.

BIN
bin/Darwin/aespatched Executable file



@@ -1,32 +0,0 @@
#Copyright (c) 2020, @mcg29_
#!/usr/local/bin/python3
import os
import sys
if __name__ == "__main__":
args = sys.argv
if len(args) < 3:
print("Usage: kcache.raw kcache.patched")
sys.exit(0)
patched = open(args[2], "rb").read()
original = open(args[1], "rb").read()
lenP = len(patched)
lenO = len(original)
if lenP != lenO:
print("size does not match, can't compare files! exiting...")
sys.exit(1)
diff = []
for i in range(lenO):
originalByte = original[i]
patchedByte = patched[i]
if originalByte != patchedByte:
diff.append([hex(i),hex(originalByte), hex(patchedByte)])
diffFile = open('kc.bpatch', 'w+')
diffFile.write('#AMFI\n\n')
for d in diff:
data = str(d[0]) + " " + (str(d[1])) + " " + (str(d[2]))
diffFile.write(data+ '\n')
print(data)

0
bin/Darwin/iBoot32Patcher Normal file → Executable file

0
bin/Darwin/irecovery Normal file → Executable file

0
bin/Darwin/jq Normal file → Executable file


0
bin/Darwin/partialZipBrowser Normal file → Executable file

0
bin/Darwin/xpwntool Normal file → Executable file


@@ -32,13 +32,12 @@ echo "Starting bruteforce..." > /dev/console
echo "Fixing disabled"
cd /mnt2/mobile/Library/Preferences/ > /mnt1/private/etc/antilock.txt
cd /mnt2/mobile/Library/Preferences/
for file in com.apple.springboard.plist.???????; do
if [ -f "$file" ]; then
rm "$file"
echo "Deleted: $file"
rm "$file" > /dev/null
fi
done
mv /mnt2/mobile/Library/Preferences/com.apple.springboard.plist /mnt2/mobile/Library/Preferences/com.apple.springboard.plist.bak
mv /mnt2/mobile/Library/Preferences/com.apple.springboard.plist /mnt2/mobile/Library/Preferences/com.apple.springboard.plist.bak > /dev/null
rm /mnt2/mobile/Library/Preferences/com.apple.springboard.plist > /dev/null
rm /mnt2/mobile/Library/SpringBoard/LockoutStateJournal.plist > /dev/null
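Review bot: The `rm /mnt2/mobile/Library/Preferences/com.apple.springboard.plist > /dev/null` added right after the `mv` of that same path to `.bak` can only ever run against a file that was just moved away, and `> /dev/null` redirects stdout while rm and mv report failures on stderr, so the new redirections neither prevent nor silence a failed move or delete. Either drop that rm or make the intent explicit with `rm -f -- /mnt2/mobile/Library/Preferences/com.apple.springboard.plist 2>/dev/null`. Since this runs as root against the mounted data partition, the unchecked `cd /mnt2/mobile/Library/Preferences/` should also become `cd /mnt2/mobile/Library/Preferences/ || exit 1` so the glob loop below it cannot fall through into whatever the current directory happens to be. The script this hunk belongs to starts above line 32, outside the hunk.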

37
ssh_config Normal file

@@ -0,0 +1,37 @@
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
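Review bot: The new ssh_config consists of `PubkeyAcceptedAlgorithms +ssh-rsa` repeated 37 times; one line has the same effect, and the duplication looks like the line being appended on every run rather than written once, though the code that produces this file is not part of this commit so that is a guess. Beyond tidiness, `+ssh-rsa` re-enables the SHA-1-based RSA signature scheme that newer OpenSSH releases disable by default, so it is better scoped to the device connection than applied to every host this config is used for — a `Host` stanza for the ramdisk target with a single indented `PubkeyAcceptedAlgorithms +ssh-rsa` underneath, plus a one-line comment saying the ramdisk's dropbear only offers ssh-rsa, if that is the reason.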

70
start.sh Normal file → Executable file

@@ -1,6 +1,6 @@
#!/bin/bash
script_version="1.0"
script_version="1.1.0"
mk_bruteforce_ramdisk() {
device=$1
@@ -148,33 +148,10 @@ mk_bruteforce_ramdisk() {
echo "Patching kernel..."
#offset for lzssdec
OFFSET=$(xxd -p kernelcache | tr -d '\n' | grep -bo "cefaedfe" | awk -F: 'NR==1 {print $1}')
../../bin/Darwin/aespatched kernelcache kernelcache.dec
if [ -z "$OFFSET" ]; then
echo "Cannot find offset for lzssdec"
exit 1
fi
DECIMAL_OFFSET=$(($OFFSET / 2))
ADJUSTED_OFFSET=$(($DECIMAL_OFFSET - 1))
../../bin/Darwin/lzssdec -o "$ADJUSTED_OFFSET" < kernelcache > kernelcache.dec
mv kernelcache kernelcache.orig
PATTERN="b0f5fa6f00f0"
HEX_PATTERN=$(echo "$PATTERN" | sed 's/\?/./g')
MATCH_OFFSET=$(xxd -p kernelcache.dec | tr -d '\n' | grep -abo "$HEX_PATTERN" | awk -F: 'NR==1 {print $1}')
if [ -z "$MATCH_OFFSET" ]; then
echo "Cannot find offset for IOAESAccelerator patch"
exit 1
fi
ADJUSTED_MATCH_OFFSET=$((MATCH_OFFSET / 2 + 4))
dd if=/dev/zero bs=1 count=4 conv=notrunc of=kernelcache.dec seek=$ADJUSTED_MATCH_OFFSET 2>/dev/null
printf '\x0C\x46\x0C\x46' | dd of=kernelcache.dec bs=1 seek=$ADJUSTED_MATCH_OFFSET conv=notrunc 2>/dev/null
../../bin/Darwin/xpwntool kernelcache.dec kernelcache -t kernelcache.orig
cd ../../
@@ -321,10 +298,16 @@ check_ramdisk_cache(){
pwn_device() {
if [ "$is_fake_device" = true ]; then
echo "device is fake, exiting"
exit
fi
if [[ -z "${is_a5+x}" ]]; then
echo "Detected $device_name ($deviceid)."
if (system_profiler SPUSBDataType 2> /dev/null | grep ' Apple Mobile Device (DFU Mode)' >> /dev/null | bin/Darwin/irecovery -q 2> /dev/null | grep 'PWND' >> /dev/null); then
echo "Device already in pwnDFU. Continuing..."
ipwndfu send_ibss
else
case $pwnder in
"ipwndfu") ipwndfu pwn ;;
@@ -493,14 +476,29 @@ download_file() {
}
get_device_info() {
if ! (system_profiler SPUSBDataType 2> /dev/null | grep ' Apple Mobile Device (DFU Mode)' >> /dev/null); then
echo "[*] Waiting for device in DFU mode"
fi
while ! (system_profiler SPUSBDataType 2> /dev/null | grep ' Apple Mobile Device (DFU Mode)' >> /dev/null); do
sleep 1
fake_deviceid=""
for arg in "$@"; do
case $arg in
fake-deviceid=*)
fake_deviceid="${arg#*=}"
;;
esac
done
deviceid=$(bin/Darwin/irecovery -q | grep PRODUCT | sed 's/PRODUCT: //')
if [[ -n "$fake_deviceid" ]]; then
echo "[*] Using fake device: $fake_deviceid"
is_fake_device=true
deviceid="$fake_deviceid"
else
if ! (system_profiler SPUSBDataType 2> /dev/null | grep ' Apple Mobile Device (DFU Mode)' > /dev/null); then
echo "[*] Waiting for device in DFU mode"
fi
while ! (system_profiler SPUSBDataType 2> /dev/null | grep ' Apple Mobile Device (DFU Mode)' > /dev/null); do
sleep 1
done
deviceid=$(bin/Darwin/irecovery -q | grep PRODUCT | sed 's/PRODUCT: //')
fi
case $deviceid in
# "iPhone3,1") device_name="iPhone 4 (GSM)" pwnder="ipwnder32" ;;
# "iPhone3,2") device_name="iPhone 4 (GSM, Rev A)" pwnder="ipwnder32" ;;
@@ -570,6 +568,9 @@ send_ramdisk() {
../../bin/Darwin/irecovery -f kernelcache
echo "Booting device now..."
../../bin/Darwin/irecovery -c bootx
echo ""
echo "Device should show text on screen now."
echo "After passcode is found please reboot using home + power button."
}
version_check() {
@@ -743,8 +744,7 @@ done
if [[ ! -e "./resources/firstrun" || $(cat "./resources/firstrun") != "$platform_ver" || $check_fail == 1 ]]; then
install_depends
fi
get_device_info
get_device_info "$@"
echo ""
echo "Enter ramdisk version (9.0.2 is default)"
echo ""
@@ -772,4 +772,4 @@ othertmp=$(ls "$(dirname "$0")" | grep -c tmp)
pushd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null
main
main "$@"
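Review bot: In mk_bruteforce_ramdisk the new `../../bin/Darwin/aespatched kernelcache kernelcache.dec` replaces the deleted lzssdec/pattern-match patching, which exited with `exit 1` when an offset could not be found, with a prebuilt binary whose exit status is never checked, so a failed or missing patch flows straight into `../../bin/Darwin/xpwntool kernelcache.dec kernelcache -t kernelcache.orig` and a stale or unpatched kernelcache is repacked and later booted. Change the call to `../../bin/Darwin/aespatched kernelcache kernelcache.dec || { echo "aespatched failed" >&2; exit 1; }` and, if the tool can exit 0 without producing output, follow it with `[ -s kernelcache.dec ] || exit 1`. The binary is added in this commit as bin/Darwin/aespatched with no source, build notes or checksum, so a comment naming where it comes from and a recorded SHA-256 next to it would let users verify what they are about to boot on the device. mk_bruteforce_ramdisk starts and ends outside this hunk.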