iPad mini 1 Cellular - Activation Records saving fail #510

Closed
nmka55 opened this issue Jun 19, 2024 · 1 comment

Comments


nmka55 commented Jun 19, 2024

Hi, I pwned DFU my iPad with an Arduino and saved the onboard blobs successfully, but when I try to save ACTIVATION RECORDS, the script is failing.
I think the wait for the device in recovery mode is too short, because it just spits out an error after 2 seconds and the script stops. Can you look into this issue please?


 *** Legacy iOS Kit ***
 - Script by LukeZGD -

* Version: v24.06.24 (0bc70aa)
* Platform: macos (14.5) 

* Device: iPad2,6 (p106ap) in DFU mode
* iOS Version: Unknown
* To get iOS version, go to: Other Utilities -> Get iOS Version
* ECID: 928727004619
* Pwned: checkm8

 > Main Menu > Other Utilities
[Input] Select an option:
1) Send Pwned iBSS		     8) Create Custom IPSW
2) Get iOS Version		     9) Enable disable-bbupdate flag
3) Clear NVRAM			    10) Enable activation-records flag
4) Dump Baseband		    11) Enable skip-ibss flag
5) Activation Records		    12) Enable jailbreak flag
6) Just Boot			    13) (Re-)Install Dependencies
7) SSH Ramdisk			    14) Go Back
#? 5
[Log] Dumping files for activation: /private/var/containers/Data/System/*/Library/activation_records
[Log] This operation requires an SSH ramdisk, proceeding
* I recommend dumping baseband/activation on Normal mode instead of Recovery/DFU mode if possible
* To mount /var (/mnt2) for iOS 9-10, I recommend using 9.0.2 (13A452).
* If not sure, just press Enter/Return. This will select the default version.
[Input] Enter build version (eg. 10B329): 11D257
[Log] Checking firmware keys in ../resources/firmware/iPad2,6/11D257
[Log] Checking URL in ../resources/firmware/iPad2,6/11D257/url
[Log] iBSS
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 21ee1917df2f46f0db7e3d283afa7993ea64f8de4ce90d3646f0b67c46e91daab6a6ab4bb28b394bba829ca9c5c9ff61
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 21ee1917df2f46f0db7e3d283afa7993ea64f8de4ce90d3646f0b67c46e91daab6a6ab4bb28b394bba829ca9c5c9ff61
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 21ee1917df2f46f0db7e3d283afa7993ea64f8de4ce90d3646f0b67c46e91daab6a6ab4bb28b394bba829ca9c5c9ff61
[Log] iBEC
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 4feb4e448da3921345ec15db413b003eae59ffb68497ef9c55f0cc032f25d0a75ce661cf6cda33fa04eb0e5b96c368a9
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 4feb4e448da3921345ec15db413b003eae59ffb68497ef9c55f0cc032f25d0a75ce661cf6cda33fa04eb0e5b96c368a9
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 4feb4e448da3921345ec15db413b003eae59ffb68497ef9c55f0cc032f25d0a75ce661cf6cda33fa04eb0e5b96c368a9
[Log] DeviceTree
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 20a5e344292deb75c61fff5abe94717cb5a0fa369c4b5c3657ff46a77fe3d760138f334daa7ca3e3dc2f8a569758ecdf
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 20a5e344292deb75c61fff5abe94717cb5a0fa369c4b5c3657ff46a77fe3d760138f334daa7ca3e3dc2f8a569758ecdf
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 20a5e344292deb75c61fff5abe94717cb5a0fa369c4b5c3657ff46a77fe3d760138f334daa7ca3e3dc2f8a569758ecdf
[Log] Kernelcache
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: c3e8b11ff5be802194bbc7b3b141c04c78f374d98f449e1d1d6340fba9974b7d4ad12dfe4ae2650ee2a59cbeaf7d9790
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: c3e8b11ff5be802194bbc7b3b141c04c78f374d98f449e1d1d6340fba9974b7d4ad12dfe4ae2650ee2a59cbeaf7d9790
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: c3e8b11ff5be802194bbc7b3b141c04c78f374d98f449e1d1d6340fba9974b7d4ad12dfe4ae2650ee2a59cbeaf7d9790
[Log] RestoreRamdisk
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 3d64b11a994545fc9396db30c51dd65f246d2b18752680ed1d3e5292ae7694aff70ee20031533c3c506edff725fd6c77
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 3d64b11a994545fc9396db30c51dd65f246d2b18752680ed1d3e5292ae7694aff70ee20031533c3c506edff725fd6c77
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 3d64b11a994545fc9396db30c51dd65f246d2b18752680ed1d3e5292ae7694aff70ee20031533c3c506edff725fd6c77
[Log] Patch RestoreRamdisk
grew volume: 30000000
file: com.apple.springboard.plist (0644), size = 271
ignoring bin, type = 5
file: bin/bash (0755), size = 546768
file: bin/ls (0755), size = 152096
file: bin/mount.sh (0755), size = 1366
symlink: bin/sh (0777) -> bash
file: bin/tar (0755), size = 430304
file: bin/dd (0755), size = 124896
file: bin/cp (0755), size = 162560
file: bin/chmod (0755), size = 125168
file: bin/chown (0755), size = 125616
ignoring sbin, type = 5
file: sbin/sshd (0755), size = 722848
file: sbin/umount (4755), size = 22784
ignoring usr, type = 5
ignoring usr/bin, type = 5
file: usr/bin/device_infos (0755), size = 75936
file: usr/bin/scp (0755), size = 49008
file: usr/bin/gptfdisk (0755), size = 164368
file: usr/bin/hfs_resize (0755), size = 12960
file: usr/bin/ibsspatch (0755), size = 51840
file: usr/bin/df (0755), size = 143296
file: usr/bin/du (0755), size = 178736
ignoring usr/lib, type = 5
symlink: usr/lib/libncurses.5.dylib (0777) -> libncurses.5.4.dylib
file: usr/lib/libncurses.5.4.dylib (0755), size = 335968
file: usr/lib/libhistory.6.0.dylib (0755), size = 54752
file: usr/lib/libreadline.6.0.dylib (0755), size = 198112
file: usr/lib/libcrypto.0.9.8.dylib (0755), size = 1604336
file: usr/lib/libiconv.2.dylib (0755), size = 1022528
directory: usr/libexec (0755)
file: usr/libexec/sftp-server (0755), size = 44240
ignoring private, type = 5
ignoring private/etc, type = 5
replacing private/etc/rc.boot
file: private/etc/rc.boot (0755), size = 369
directory: private/etc/ssh (0700)
file: private/etc/ssh/ssh_host_rsa_key (0600), size = 1675
file: private/etc/ssh/ssh_host_dsa_key.pub (0644), size = 590
file: private/etc/ssh/sshd_config (0644), size = 3227
file: private/etc/ssh/ssh_host_key.pub (0644), size = 627
file: private/etc/ssh/ssh_config (0644), size = 1526
file: private/etc/ssh/ssh_host_dsa_key (0600), size = 668
file: private/etc/ssh/ssh_host_rsa_key.pub (0644), size = 382
file: private/etc/ssh/moduli (0644), size = 125811
file: private/etc/ssh/ssh_host_key (0600), size = 963
ignoring private/var, type = 5
directory: private/var/root (0700)
file: private/var/root/.profile (0644), size = 391
[Log] Patch iBSS
main: Starting...
main: iBoot-1940 inputted.
patch_rsa_check: Entering...
find_bl_verify_shsh_5_6_7: Entering...
find_bl_verify_shsh_5_6_7: Found MOVW instruction at 0x68d8
find_bl_verify_shsh_5_6_7: Found BL verify_shsh at 0x6c04
find_bl_verify_shsh_5_6_7: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x6c04...
patch_rsa_check: Leaving...
main: Writing out patched file to iBSS.patched...
main: Quitting...
[Log] Patch iBEC
main: Starting...
main: iBoot-1940 inputted.
patch_boot_args: Entering...
patch_boot_args: Default boot-args string is at 0x3bd8b
patch_boot_args: boot-args xref is at 0x1c6b4
patch_boot_args: Relocating boot-args string...
patch_boot_args: "Reliance on this certificate" string found at 0x42d70
patch_boot_args: Pointing default boot-args xref to 0x9ff42d70...
patch_boot_args: Applying custom boot-args "rd=md0 -v amfi=0xff amfi_get_out_of_my_way=1 cs_enforcement_disable=1"
patch_boot_args: Found LDR R1, =boot_args at 0x1c4ba
patch_boot_args: Found CMP R5, #0 at 0x1c4bc
patch_boot_args: Found IT EQ/IT NE at 0x1c4c0
patch_boot_args: Found MOV R4, R1 at 0x1c4c2
patch_boot_args: Found LDR R4, =null_str at 0x1c4be
patch_boot_args: Pointing LDR R4, =null_str to boot-args xref...
patch_boot_args: Leaving...
patch_debug_enabled: Entering...
find_dtre_get_value_bl_insn: Entering...
find_dtre_get_value_bl_insn: debug-enabled string is at 0x3b753
find_dtre_get_value_bl_insn: "debug-enabled" xref is at 0x1c05c
find_dtre_get_value_bl_insn: Found LDR R0, ="debug-enabled" at 0x1b334
find_dtre_get_value_bl_insn: Found BL instruction at 0x1b34c
find_dtre_get_value_bl_insn: Leaving...
patch_debug_enabled: Patching BL insn at 0x1b34c...
patch_debug_enabled: Leaving...
patch_rsa_check: Entering...
find_bl_verify_shsh_5_6_7: Entering...
find_bl_verify_shsh_5_6_7: Found MOVW instruction at 0x1a25c
find_bl_verify_shsh_5_6_7: Found BL verify_shsh at 0x1a838
find_bl_verify_shsh_5_6_7: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x1a838...
patch_rsa_check: Leaving...
main: Writing out patched file to iBEC.patched...
main: Quitting...
* Select Y if your device is in pwned iBSS/kDFU mode.
* Select N if this is not the case. (pwned using checkm8-a5)
* Failing to answer correctly will cause "Sending iBEC" to fail.
[Input] Is your device already in pwned iBSS/kDFU mode? (y/N): n
* DFU mode for A5 device - Make sure that your device is in PWNED DFU mode.
* You need to have an Arduino and USB Host Shield to proceed for PWNED DFU mode.
* Also make sure that you have NOT sent a pwned iBSS yet.
* If you do not know what you are doing, select N and restart your device in normal mode.
[Input] Is your device in PWNED DFU mode using synackuk checkm8-a5? (y/N): y
[Log] python2 from pyenv detected
[Log] Checking URL in ../resources/firmware/iPad2,6/12H321/url
[Log] Checking firmware keys in ../resources/firmware/iPad2,6/12H321
[Log] Decrypting iBSS...
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: e444851abc901b7b81c6381e1940408137e960df1354cf78a0060f75b790eb4e7e4f2d891c28fff38f40468f4c057961
[Log] Patching iBSS...
main: Starting...
main: iBoot-2261 inputted.
patch_rsa_check: Entering...
find_bl_verify_shsh_generic: Entering...
find_bl_verify_shsh_generic: Found LDR instruction at 0x6574
find_bl_verify_shsh_generic: Found BL verify_shsh at 0x691a
find_bl_verify_shsh_generic: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x691a...
patch_rsa_check: Leaving...
main: Writing out patched file to pwnediBSS...
main: Quitting...
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: e444851abc901b7b81c6381e1940408137e960df1354cf78a0060f75b790eb4e7e4f2d891c28fff38f40468f4c057961
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: e444851abc901b7b81c6381e1940408137e960df1354cf78a0060f75b790eb4e7e4f2d891c28fff38f40468f4c057961
[Log] Pwned iBSS saved at: saved/iPad2,6/pwnediBSS
[Log] Pwned iBSS img3 saved at: saved/iPad2,6/pwnediBSS.dfu
[Log] Sending iBSS using ipwndfu...
done!
* ipwndfu should have "done!" as output.
[Log] Sending iBEC...
[Log] Finding device in Recovery mode...
[Error] Failed to find device in Recovery mode (Timed out). Please run the script again.

* Legacy iOS Kit v24.06.24 (0bc70aa)
* Platform: macos (14.5) 

LukeZGD (Owner) commented Jun 19, 2024

No, the problem here is the iBEC not being sent at all for some reason.

Try this: pwn with checkm8-a5, go to Other Utilities and use "Send Pwned iBSS" first. Unplug and replug the device, run the script again, and select Activation Records. Select Y when the script asks if the device is in pwned iBSS mode.
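
The failure in the log above is a fixed, short wait ("Failed to find device in Recovery mode (Timed out)") racing against an iBEC that never arrived. The following is an added example, not code from Legacy iOS Kit or from LukeZGD, showing how a bounded polling wait separates "device not yet up" from "device never appeared": it retries a detection command at a fixed interval until either the command succeeds or a total timeout elapses, and reports which of the two happened. The detection command is an assumption supplied by the caller (any command that exits 0 once the device is visible in the expected mode); the mode label, timeout and interval are parameters, not values taken from the script.

```shell
#!/bin/sh
# Added example (not Legacy iOS Kit code): wait for a device to appear in a
# given mode by polling a caller-supplied detection command with a bounded
# timeout, instead of a single fixed sleep.
#
# Usage: wait_for_mode <mode label> <timeout seconds> <poll interval seconds> <detection command...>
# The detection command is an assumption/placeholder: it must exit 0 once the
# device is seen in the expected mode and non-zero otherwise.

wait_for_mode() {
    mode="$1"
    timeout="$2"
    interval="$3"
    shift 3
    elapsed=0

    # Poll until the detection command succeeds or the total timeout is spent.
    while [ "$elapsed" -lt "$timeout" ]; do
        if "$@"; then
            echo "[Log] Found device in $mode mode after ${elapsed}s"
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done

    # Distinguish a real timeout from a transient miss: only reached after
    # the full window has elapsed with no successful detection.
    echo "[Error] Failed to find device in $mode mode (Timed out after ${timeout}s)" >&2
    return 1
}

# Example invocation (commented out so the file can be sourced):
# wait_for_mode "Recovery" 30 1 sh -c 'your_detection_command_here'
```

Returning distinct exit codes for "found" and "timed out" lets the caller decide whether to retry the send step (the maintainer's suggestion above) rather than aborting on the first miss.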

LukeZGD added a commit that referenced this issue Jun 19, 2024
- add nano to sshrd (for #483)
- adjust sleep for sending ibss/ibec (for #510)
- add fallbacks for 64-bit onboard blob dump via sshrd
LukeZGD closed this as completed Jun 19, 2024