A pre-boot execution environment for Apple boards built on top of checkra1n.
- Install Xcode + command-line utilities
- Run
make all
- Install clang (if in doubt, from apt.llvm.org)
- Install
ld64
and cctools'strip
.- On Debian/Ubuntu these can be installed from the checkra1n repo:
echo 'deb https://assets.checkra.in/debian /' | sudo tee /etc/apt/sources.list.d/checkra1n.list sudo apt-key adv --fetch-keys https://assets.checkra.in/debian/archive.key sudo apt-get update sudo apt-get install -y ld64 cctools-strip
- On other Linux flavours you'll likely have to build them yourself. Maybe this repo will help you.
- On Debian/Ubuntu these can be installed from the checkra1n repo:
- Run
make all
If clang
, ld64
or cctools-strip
don't have their default names/paths, you'll want to change their invocation. For reference, the default variables are equivalent to:
EMBEDDED_CC=clang EMBEDDED_LDFLAGS=-fuse-ld=/usr/bin/ld64 STRIP=cctools-strip make all
The Makefile will create four binaries in build/
:
Pongo
- A Mach-O of the main PongoOSPongo.bin
- Same as the above, but as a bare metal binary that can be jumped tocheckra1n-kpf-pongo
- The checkra1n kernel patchfinder, as a Pongo module (Mach-O/kext)PongoConsolidated.bin
- PongoOS and the KPF merged into a single binary
This fork support to consolidate multiple module into the binary.
You can use the following command to generate it, the modules would load from modn to mod1 (reversed)
python2 consolidate.py [output-path] [Pongo.bin path] [mod1 path] [mod1 command] [mod1 wait time] ... [modn path] [mod1 command] [mod1 wait time]
Note:
- you should also consolidate kpf, or your binary won't autoboot.
- because the kpf needs to receive bootstrap ramdisk (which is sent by checkra1n immediately after pongoOS), the kpf must be the last module, so that the remaining loader_xfer_data would be preserved for kpf
- maximum command length are 23 chars
- module are loaded from the last one to the first one (that's because kpf needs to setup hook first)
Example: python consolidate.py build/PongoConsolidated_new.bin build/Pongo.bin ../xnuspy/module/xnuspy_consolidated "xnuspy-prep" 5000000 build/checkra1n-kpf-pongo "" 0
checkra1n -k Pongo.bin # Boots to Pongo shell, KPF not available
checkra1n -k PongoConsolidated.bin # Auto-runs KPF and boots to XNU
checkra1n -k PongoConsolidated.bin -p # Loads KPF, but boots to Pongo shell
By submitting a pull request, you agree to license your contributions under the MIT License and you certify that you have the right to do so.
If you want to import third-party code that cannot be licensed as such, that shall be noted prominently for us to evaluate accordingly.
- The core PongoOS and drivers are in
src/
.- Build-time helper tools are in
tools/
.
- Build-time helper tools are in
- The stdlib used by PongoOS (Newlib) is in
aarch64-none-darwin
.- This includes a custom patch for Newlib to work with the Darwin ABI.
- An example module exists in
example/
. - Scripts to communicate with the PongoOS shell are in
scripts/
.- This includes
pongoterm
, an interactive shell client for macOS.
- This includes
- The checkra1n kernel patchfinder (KPF) is in
checkra1n/kpf
.- This currently includes the SEP exploit, though that is to be moved into mainline PongoOS in the future.
- A userland version of the KPF can be built from
checkra1n/kpf-test
(can only be run on arm64).