I will be basing this guide on iPhone3,1 (iPhone 4 GSM) on iOS 6.0 (10A403). Patches will vary between versions, but may be the same or very similar.
Also, please contact me if you have questions and/or need help with something. But before you ask me about something, please try to figure out your mistakes first.
If something in the guide looks different, just enter what you think it will be. Most of the time you will be correct. Don't expect not to fail; you will.
There's no guarantee you will get this on the first try, as I didn't. If you do, you did better than me! If you succeed, try patching another iOS version and learn some more!
Open dtre.raw with your hex editor of choice.
Copy this string, including the highlighted blank spacing.
Make sure you are in "insert" mode. You can find this by going to the top of the taskbar, edit, mode.
Press Ctrl + F and search for "use-lwvm" (without the quotes). Afterwards, you should be here.
Paste the string we copied in front of "use-lwvm". Now go back to edit, mode and change it to overwrite.
Now, overwrite "firmware-min-capacity" with "no-effaceable-storage".
After you overwrite the string, scroll up until you find the string containing AAPL
or something about kernel.hibernation. Look for a value such as 8, 9, A, B, and so on.
Change A to B, then Ctrl + S, Ctrl + w.
Now, we need to repack dtre.raw into an img3 container.
./image3maker -f dtre.raw -t dtre -o devicetree
Now run devicetree with imagine to verify our patches are correct.
./imagine -d devicetree
If imagine crashes with a segfault (signal 11), you did something wrong.
Look for "defaults". If you see no-effaceable-storage, you patched correctly.
Now, we need to patch out essential things in iBoot.
./iBoot32Patcher iBSS.raw iBSS.prepatched -r
Open IDA Pro, select iBSS.prepatched, change processor type to ARM Little-Endian, click ok.
Go to the taskbar, edit, select all, press c, and select analyze.
We need to figure out the segment (load address) of our iBoot image.
Once analysis has finished, go to the top of the assembly, and there will be a DCD 0x84000010.
This is our rebase value. Go to the taskbar, edit, segments, rebase program, and enter your value.
Make sure to drop the trailing 0x10 from the value. Our value will then be 0x84000000.
Press Shift + F12, which will open the "Strings" window.
Go to the taskbar, search, enter "ibss ready", double-click on the highlighted string.
Double-click on "DATA XREF: sub_xxx"
You should have something like this:
"MOVT.W R4, #0x4FE0" is the address we need to change in order for kloader to load correctly.
Change 0x4FE0 to 0x7FD0: go to the hex window, press F2, and change "C4 F6 E0 74" to "C7 F6 D0 74".
Press F2 again to exit "overwrite" mode.
You should have a change like this:
While in the hex window, replace these instructions (BL and BLT) with a NOP, "00 BF". The BL is a 4-byte instruction, so it takes two NOPs.
Note: Not all devices use that address when using kloader. iPhone 3GS and iPhone 4S have different addresses we need to change.
For S5L8920 devices we need to replace "MOVS R1, #0x3FF00000" with "MOVS R1, #0x6FD00000" (C3 -> C6, F0 -> D0).
For S5L8940 devices, replace it with "MOVT.W R4, #0xBFD0" (CB F6 D0 74).
We're now done patching iBSS! All we have to do is produce a dif file and apply the patches.
IDA does not apply patches directly by default, so we have to use ida_patcher to do so.
To produce a dif file, go to the taskbar, file, produce a dif file, create a dif file, save.
./ida_patcher -i iBSS.prepatched -p iBSS.dif
./iBoot32Patcher iBEC.raw iBEC.prepatched -r -d -b "rd=disk0s1s3 -v amfi=0xff cs_enforcement_disable=1"
Same process as with iBSS: open iBEC.prepatched in IDA and find the segment, but remember, the segment value will be different.
Our value above, for the segment rebase, is 0x5FF00000. Enter it the same way we rebased the program for iBSS.
Open up the strings window and search for "fsboot". Double-click the highlighted string, double-click the string,
then double-click the xref.
Above is where you will find fsboot. If IDA doesn't show the string references and just leaves them as addresses, click the address
and press o. We need to change fsboot to upgrade. To do this, go back to the strings window, scroll up a bit and find "upgrade".
In this case, the address of upgrade is 5FF35215. Make sure you're on the link to fsboot and enter hex view. We are going to
change the pointer to point at upgrade. To do this we have to enter the bytes from right to left, because of little-endian byte order. The address of fsboot
is 5FF354DA; press F2, enter "15 52" and then press F2 again. Go back to IDA-View and fsboot should now be upgrade. Here is a picture.
boot-command=upgrade is now done. We now need to tell iBEC to boot, since Apple sets auto-boot=false. Otherwise, we will boot
into recovery after loading the upgrade boot-command. In the strings window, search for "failed to mount upgrade partition". It will look like this.
We need to change the pointer to "false" into a pointer to "true". Go into the strings window; true should usually be right under fsboot. The address of true is 5FF354E3.
Enter hex view, press F2 and enter "E3 54". It should look like this afterwards.
Remember earlier about not using a ramdisk? We really don't need the ramdisk. It doesn't serve much of a purpose; it's only there because of the boot routine.
Go to this webpage and change ARM64 to ARMv7 THUMB - New Engine.
Below, there is a Python CLI we can use, as we need to do some calculations. We are going to load the kernelcache by replacing the loading of the ramdisk.
If you want to make it easier for yourself, you can name functions in IDA to whatever you want. To do this click a function as below and then press n.
It will show a prompt asking to enter a name. You cannot duplicate function names. This will help you to easily see where and what to change. Look below.
We need to calculate some values in order to finish skipping the ramdisk load. We do this by grabbing the offset of "upgrade_load_kernelcache" (0x1344),
then the same for "upgrade_load_ramdisk" (0x1332), except there we want the offset of the CBZ R0 instruction. Enter them as seen below, in the CLI.
Subtract the offsets in the Python CLI below and turn the result into a hex value so we can figure out the THUMB instruction to enter.
Press enter and you should get 18. Now in the CLI, enter hex(18), or whatever offset you got for the version you are using. You should get 0x12.
In the webpage, add in the offset of where we want to load our instruction (0x1332) on the left. Enter the instruction I entered.
It should look like this.
This is what we need in order to replace the loading of the ramdisk and load the kernelcache instead. Enter hex view and replace "CBZ R0, upgrade_load_ramdisk"
with "38 B1". This completely removes the loading of the ramdisk and loads the kernelcache instead. It should look like this.
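To double-check the hand-calculated bytes from the kloader MOVT.W step above and the CBZ step here before typing them into the hex window, the following added Python encoder (not part of this guide or of any of the tools it uses) reproduces the Thumb/Thumb-2 encodings the guide patches: MOVT.W for the kloader address, CBZ for the ramdisk skip, and the little-endian pointer halfwords for the fsboot/true string swaps. All addresses and offsets are the ones quoted in the guide for iPhone3,1 iOS 6.0; note that a CBZ offset is taken from PC = instruction address + 4, which is why the 0x12 difference encodes as an immediate of 14.

```python
import struct

THUMB_NOP = struct.pack("<H", 0xBF00)  # "00 BF": the 16-bit Thumb NOP used to kill BL/BLT


def hexbytes(b: bytes) -> str:
    """Format bytes the way the guide writes them for the IDA hex window."""
    return " ".join(f"{x:02X}" for x in b)


def encode_movt(rd: int, imm16: int) -> bytes:
    """Thumb-2 MOVT.W Rd, #imm16 (encoding T1) as two little-endian halfwords."""
    if not (0 <= rd < 16 and 0 <= imm16 <= 0xFFFF):
        raise ValueError("rd or imm16 out of range")
    imm4, i = imm16 >> 12, (imm16 >> 11) & 1
    imm3, imm8 = (imm16 >> 8) & 7, imm16 & 0xFF
    hw1 = 0xF2C0 | (i << 10) | imm4        # 11110 i 10 1100 imm4
    hw2 = (imm3 << 12) | (rd << 8) | imm8  # 0 imm3 Rd imm8
    return struct.pack("<HH", hw1, hw2)


def decode_movt(code: bytes) -> tuple:
    """Inverse of encode_movt: returns (rd, imm16), raises if the bytes are not a MOVT.W."""
    hw1, hw2 = struct.unpack("<HH", code[:4])
    if (hw1 & 0xFBF0) != 0xF2C0 or hw2 & 0x8000:
        raise ValueError("not a MOVT.W T1 encoding")
    imm16 = ((hw1 & 0xF) << 12) | (((hw1 >> 10) & 1) << 11)
    imm16 |= (((hw2 >> 12) & 7) << 8) | (hw2 & 0xFF)
    return (hw2 >> 8) & 0xF, imm16


def encode_cbz(rn: int, insn_addr: int, target: int) -> bytes:
    """Thumb CBZ Rn, target (encoding T1). The offset is relative to PC = insn_addr + 4,
    so the guide's 0x1344 - 0x1332 = 0x12 becomes imm32 = 14 (i:imm5:0)."""
    imm32 = target - (insn_addr + 4)
    if not (0 <= rn <= 7) or imm32 < 0 or imm32 > 126 or imm32 & 1:
        raise ValueError("CBZ can only branch forward 0..126 bytes from a low register")
    i, imm5 = (imm32 >> 6) & 1, (imm32 >> 1) & 0x1F
    return struct.pack("<H", 0xB100 | (i << 9) | (imm5 << 3) | rn)


def ptr_low16(addr: int) -> bytes:
    """Low halfword of a pointer, in the byte order typed into the hex window
    (the fsboot -> upgrade and false -> true string-pointer swaps)."""
    return struct.pack("<H", addr & 0xFFFF)


if __name__ == "__main__":
    print("kloader MOVT   :", hexbytes(encode_movt(4, 0x7FD0)))        # C7 F6 D0 74
    print("S5L8940 MOVT   :", hexbytes(encode_movt(4, 0xBFD0)))        # CB F6 D0 74
    print("original MOVT  :", decode_movt(bytes.fromhex("C4F6E074")))  # (4, 0x4FE0)
    print("skip ramdisk   :", hexbytes(encode_cbz(0, 0x1332, 0x1344)))  # 38 B1
    print("fsboot->upgrade:", hexbytes(ptr_low16(0x5FF35215)))         # 15 52
    print("false->true    :", hexbytes(ptr_low16(0x5FF354E3)))         # E3 54
```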
As we did with iBSS, we need to produce a dif file and then apply the patches from that file.
./ida_patcher -f iBEC.prepatched -p iBEC.dif
We need to repack our patched iBEC back into an img3 container.
./image3maker -f iBEC.prepatched -t ibec -o iBEC
iBEC patching is done!
It's now time to partition!