iOS 13.5 / iPhone10,1 / Unable to load ramdisk

[ajpayne1]

Device: iPhone10,1 / d20ap Currently installed version: iOS 13.5 Attempted boot version: iOS 13.5 SHSH2 Blob: 13.7

This project is awesome, love your work. I'm able to create an image, although the following issues do crop up during build with ./make_telnet_rd.php -d 'iPhone10,1' -b D20AP -v 13.5 -s ./iPhone10,1_13.7.shsh2:

[+] Couldn't find devicetree at Firmware/all_flash/DeviceTree.d20ap.im4p, selecting closest other one

Warning: min(): When only one parameter is given, it must be an array in telnetd_ramdisk/make_telnet_rd.php on line 356

Warning: array_search() expects parameter 2 to be array, null given in telnetd_ramdisk/make_telnet_rd.php on line 356

The output for the image creation otherwise seems uneventful, and those warnings don't seem fatal. The problem really comes when trying to boot the image. Here's the directory:

WD_iPhone10,1-D20AP-13.5_telnet_rd $ ls -lha
total 959008
-rw-r--r--   1    99M Mar 30 16:52 038-35648-088.dmg
-rw-r--r--   1   579K Mar 30 16:52 BuildManifest.plist
-rw-r--r--   1   441K Mar 30 16:52 iBEC.d10.RELEASE.im4p
-rw-r--r--   1   441K Mar 30 16:52 iBSS.d10.RELEASE.im4p
-rw-r--r--   1    35M Mar 30 16:52 kcache.patched
-rw-r--r--   1    35M Mar 30 16:52 kcache.raw
-rw-r--r--   1    17M Mar 30 16:52 kernelcache.im4p
-rw-r--r--   1    13M Mar 30 16:52 kernelcache.release.iphone10
-rw-r--r--   1   150M Mar 30 16:54 ramdisk
-rw-r--r--   1   150M Mar 30 16:54 ramdisk.dmg

The boot script doesn't name the files correctly; well, that's fine, I can do it manually. (Not shown: entering pwned DFU)

WD_iPhone10,1-D20AP-13.5_telnet_rd $ irecovery -f ./iBSS.d10.RELEASE.im4p
[==================================================] 100.0%
WD_iPhone10,1-D20AP-13.5_telnet_rd $ irecovery -f ./iBEC.d10.RELEASE.im4p
[==================================================] 100.0%
WD_iPhone10,1-D20AP-13.5_telnet_rd $ irecovery -c go
WD_iPhone10,1-D20AP-13.5_telnet_rd $ irecovery -f ./ramdisk
[=                                                 ] 1.2%

That's as far as I get. The progress bar goes to 1.2%, then the command quits. When I enable verbose output:

WD_iPhone10,1-D20AP-13.5_telnet_rd $ irecovery -v -f ./ramdisk
Attempting to connect...
opening device xxxx:xxxx @ 0x14200000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPhone10,1, model d20ap, cpid 0x8015, bdid 0x02
[=                                                 ] 1.2%Unable to upload data to device

Uploading iBSS and iBEC work just fine, however:

WD_iPhone10,1-D20AP-13.5_telnet_rd $ irecovery -v -f ./iBSS.d10.RELEASE.im4p
Attempting to connect...
opening device xxxx:xxxx @ 0x14200000...
Setting to configuration 1
Setting to interface 0:0
Connected to iPhone10,1, model d20ap, cpid 0x8015, bdid 0x02
[==================================================] 100.0%
Command completed successfully

I'm successfully in pwned DFU:

telnetd_ramdisk $ irecovery -q
CPID: 0x8015
CPRV: 0x11
BDID: 0x02
...
PWND: checkm8
MODE: DFU

Any ideas? Really hoping to get this to work so I can fix my wallpaper cache.

[ajpayne1]

I was able to sign my own images manually and use the ramdisk built by telnetd_ramdisk, and I had much more success with the boot setup process. I was able to push all the images / commands with irecovery. When booting with bootx, the device showed a verbose boot for about 1 second and then went black, and rebooted. No luck yet, although I may try building my own ramdisk next. Is there sort of a minimum viable ramdisk that I can use to test booting? Would booting an unmodified ramdisk work?

[ajpayne1]

I was able to cook my own ramdisk and while I never got telnetd working, I got SSH going on mine. I still have a lot of broken pieces and I feel like I'm completely reinventing the wheel here... I may end up remaking this whole project on my own repo from scratch, since none of the parts from this project have worked for me yet.

[XP1]

@ajpayne1 Can you elaborate on your steps to get SSH? I'm still trying to boot a ramdisk on iPhone 6s.

[ajpayne1]

I can put together a writeup in the next day or two if you’d find it useful. My SSH ramdisk did the trick for me and I was able to solve my problem. I suspect it could help you as well. (Using PongOS might be the Right Way to go about this but I only played with it for a little bit and didn’t get anything to work.)

It’s been noted by @danieltroger in other issues that when your disk is full, apfs does not let you delete files because it takes space to be able to delete a file. I don’t think the same issue would apply to truncating a file, however, so if you get things booted and can’t rm due to a full disk, I would try that.

[jillbill556]

Can you link it please

[radical-banana]

I can put together a writeup in the next day or two if you’d find it useful. My SSH ramdisk did the trick for me and I was able to solve my problem. I suspect it could help you as well. (Using PongOS might be the Right Way to go about this but I only played with it for a little bit and didn’t get anything to work.)

It’s been noted by @danieltroger in other issues that when your disk is full, apfs does not let you delete files because it takes space to be able to delete a file. I don’t think the same issue would apply to truncating a file, however, so if you get things booted and can’t rm due to a full disk, I would try that.

Add me to that list @ajpayne1,

Having the same issue with a couple of phones (mainly an iPhone10,3). I managed to finally get all the files in order and can finally boot but the device just reboots back into recovery just like how you described.

What was the silver bullet to get it booting in the end? was only the ramdisk an issue?

@danieltroger there appear to be a few issues with the script removing the trustcache and devicetree from /Firmware during the build process, hence it whinging as per AJ's first post.

[ajpayne1]

Sorry for the wait. I worked with an old friend in the jailbreak community to clean up the process tremendously and get the writeup on his blog. Hopefully you guys will find some success! https://compilingentropy.blogspot.com/2021/05/long-live-ssh-ramdisk.html

[radical-banana]

Sorry for the wait. I worked with an old friend in the jailbreak community to clean up the process tremendously and get the writeup on his blog. Hopefully you guys will find some success! https://compilingentropy.blogspot.com/2021/05/long-live-ssh-ramdisk.html

Thanks mate, you're a legend. Props to your friend as well!

I'm keen to see how much the script differs over the manual steps and if the issue just comes down to the ramdisk itself.