iPhone7 9,3 - 15.2 & 15.3.1 | Hangs after verbose while booting #12

Closed
iam-theKid opened this issue Sep 19, 2022 · 12 comments

Comments

@iam-theKid

Isolating from #5

Devices: iPhone7 9,3 - 15.2 & iPhone7 9,3 - 15.3.1 (2 different devices)
No passcode;
Blobs from TSSaver

Command:
./palera1n.sh ~/Downloads/7399542136251174_iPhone9,3_d101ap_15.2-27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae.shsh2 --dfu 15.2 --debug

palera1n | Version 1.0.0
Written by Nebula | Some code by Nathan | Patching commands and ramdisk by Mineek | Loader app by Amy

[*] Getting device info...
[*] Pwning device
[*] Downloading BuildManifest
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2021FCSWinter/fullrestores/071-91985/2A9A676E-4BE6-4AE4-93A6-15A8A12AD433/iPhone_4.7_P3_15.2_19C56_Restore.ipsw
init done
getting: BuildManifest.plist
100% [===================================================================================================>]
download succeeded
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f-RELEASE
Compiled with plist: YES
Saved IM4M to IM4M
[*] Downloading and decrypting iBSS
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2021FCSWinter/fullrestores/071-91985/2A9A676E-4BE6-4AE4-93A6-15A8A12AD433/iPhone_4.7_P3_15.2_19C56_Restore.ipsw
init done
getting: Firmware/dfu/iBSS.d10.RELEASE.im4p
100% [===================================================================================================>]
download succeeded
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001A49D828882326 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
Found the USB handle.
Stage: RESET
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001A49D828882326 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
Found the USB handle.
Stage: SPRAY
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001A49D828882326 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
Found the USB handle.
Stage: SETUP
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001A49D828882326 IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
Found the USB handle.
Stage: PATCH
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001A49D828882326 IBFL:3C SRTG:[iBoot-2696.0.0.1.33] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
[*] Downloading and decrypting iBEC
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2021FCSWinter/fullrestores/071-91985/2A9A676E-4BE6-4AE4-93A6-15A8A12AD433/iPhone_4.7_P3_15.2_19C56_Restore.ipsw
init done
getting: Firmware/dfu/iBEC.d10.RELEASE.im4p
100% [===================================================================================================>]
download succeeded
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001A49D828882326 IBFL:3C SRTG:[iBoot-2696.0.0.1.33] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
[*] Downloading DeviceTree
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2021FCSWinter/fullrestores/071-91985/2A9A676E-4BE6-4AE4-93A6-15A8A12AD433/iPhone_4.7_P3_15.2_19C56_Restore.ipsw
init done
getting: Firmware/all_flash/DeviceTree.d101ap.im4p
100% [===================================================================================================>]
download succeeded
[*] Downloading trustcache
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2021FCSWinter/fullrestores/071-91985/2A9A676E-4BE6-4AE4-93A6-15A8A12AD433/iPhone_4.7_P3_15.2_19C56_Restore.ipsw
init done
getting: Firmware/018-73308-068.dmg.trustcache
100% [===================================================================================================>]
download succeeded
[*] Downloading kernelcache
Version: 9bfdde2b2456181045f74631683fba491d8bf4f2 - 38
libfragmentzip version: 0.64-aaf6fae83a0aa6f7aae1c94721857076d04a14e8-RELEASE
init pzb: https://updates.cdn-apple.com/2021FCSWinter/fullrestores/071-91985/2A9A676E-4BE6-4AE4-93A6-15A8A12AD433/iPhone_4.7_P3_15.2_19C56_Restore.ipsw
init done
getting: kernelcache.release.iphone9
100% [===================================================================================================>]
download succeeded
[*] Patching and repacking iBSS/iBEC
main: Starting...
iOS 15 iBoot detected!
getting get_debug_enabled_patch() patch
getting get_sigcheck_patch() patch
applying patch=0x1800c0ef8 : 000080d2
applying patch=0x1800c0f40 : 000080d2
applying patch=0x1800c2b14 : 200080d2
main: Writing out patched file to iBSS.patched...
main: Quitting...
main: Starting...
iOS 15 iBoot detected!
getting get_boot_arg_patch(-v keepsyms=1 debug=0xfffffffe panic-wait-forever=1 wdt=-1) patch
getting get_debug_enabled_patch() patch
getting get_sigcheck_patch() patch
applying patch=0x1800c0ef8 : 000080d2
applying patch=0x1800c0f40 : 000080d2
applying patch=0x1800c2b14 : 200080d2
applying patch=0x1800c416c : 183e0b50
applying patch=0x1800da92e : 2d76206b65657073796d733d312064656275673d307866666666666666652070616e69632d776169742d666f72657665723d31207764743d2d3100
main: Writing out patched file to iBEC.patched...
main: Quitting...
none
none
[*] Patching and converting kernelcache
Reading work/kernelcache.release.iphone9...
[NOTE] Image4 payload data is LZFSE compressed, decompressing...
Extracted Image4 payload data to: work/kcache.raw
main: Starting...
main: Detected fat macho kernel
Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-8019 inputted
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str loc at 0x9aaadc
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str ref at 0x1131c84
get_amfi_out_of_my_way_patch: Patching AMFI at 0x112d2d8
Kernel: Adding could_not_authenticate_personalized_root_hash patch...
get_could_not_authenticate_personalized_root_hash_patch: Entering ...
get_could_not_authenticate_personalized_root_hash_patch: Found "successfully validated on-disk root hash" str loc at 0xd5e0bb
get_could_not_authenticate_personalized_root_hash_patch: Found "successfully validated on-disk root hash" xref at 0xc832cc
get_could_not_authenticate_personalized_root_hash_patch: Could not find previous cbz
main: Writing out patched file to work/kcache.patched...
main: Quitting...
Reading work/kcache.patched...
Compressing payload using LZSS...
IM4P outputted to: work/krnlboot.im4p
Reading work/krnlboot.im4p...
Reading work/IM4M...
Creating Image4...
Image4 file outputted to: boot-iPhone9,3/kernelcache.img4
[*] Converting DeviceTree
dtre
[*] Patching and converting trustcache
trst
[*] Pwning device
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001A49D828882326 IBFL:3C SRTG:[iBoot-2696.0.0.1.33] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
[*] Booting device
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%

Done!
The device should now boot to iOS
If you already have installed Pogo, click uicache and remount preboot in the tools section
If not, get an IPA from the latest action build of Pogo and install with TrollStore
Add the repo mineek.github.io/repo for Procursus
@itsnebulalol
Contributor

itsnebulalol commented Sep 19, 2022

The only thing I see that’s different between my working patch and yours is this:

get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str loc at 0x9aaadc
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str ref at 0x1131c84

On someone else’s failed patch, it also shows this.

Mine shows:

get_amfi_out_of_my_way_patch: Found entitlements too small str loc at 0x8da177
get_amfi_out_of_my_way_patch: Found entitlements too small str ref at 0xeddf30

Not completely sure why there’s a difference.

@iam-theKid
Author

Would you mind to try Kernel64Patcher from your end? Here's the kcache.raw: https://drive.google.com/file/d/1hsLsCno8iHbHaH6Yp_2qgZ4mgzFwC4RH/view?usp=sharing

@itsnebulalol
Contributor

I had the same issue, but I applied a different patch too. Here's the krnlboot.im4p:
https://mega.nz/file/6mp2GYqI#7XJ8BVj78m4JVcH6V88mkWrZRbc91P_2oxVgSCriVL4
You'll have to sign it with your IM4M:
pyimg4 img4 create -p krnlboot.im4p -o kernelcache.img4 -m IM4M
(use img4tool -e -s path/to/your/blob.shsh2 -m IM4M to get the IM4M)

@iam-theKid
Author

Thank you @itsnebulalol for all your time; the problem persists, same symptoms. I believe we can mark this as closed. Let's see if this is an issue with this specific device; I will keep checking for any success reported with the iPhone7 9,3. Thank you again.

@ghost

ghost commented Sep 19, 2022

I fixed the issue, it was caused by using blobs off of tsssaver. I dumped the onboard blobs using SSHRD_Script-High-Sierra and used those for palera1n and it booted the iPhone 7 right away with no issue.

@ghost

ghost commented Sep 19, 2022

> Thank you @itsnebulalol for all your time; the problem persists, same symptoms. I believe we can mark this as closed. Let's see if this is an issue with this specific device; I will keep checking for any success reported with the iPhone7 9,3. Thank you again.

If you need assistance add me on Discord and I will help you kristenl64#0622 .

@ghost

ghost commented Sep 19, 2022

WARNING 3: As of now, it was confirmed that if you do not use the onboard blobs for your device when you are using palera1n then it will cause the device to enter a blank screen after verbose boot. You will have a blank screen on your phone after verbose boot if you do not use the right blobs for palera1n. To ensure you do not get a blank screen after you boot your device with palera1n, you must dump your onboard blobs using kristenlc/SSHRD_Script-High-Sierra and use those blobs with this script. Please do not use the blobs on tsssaver.1conan.com for your device as it will cause it to not boot with palera1n.
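A consistency check between the blob file and the device gaster reports, added here as an example and not code from palera1n or from anyone in this thread: it parses the CPID/BDID/ECID line from the --debug log above and the TSSSaver-style filename from the command, and confirms they name the same device and iOS version. The (CPID, BDID) to board mapping and the function names are assumptions.

```python
import re

# Constructed sample input, copied from this issue: the device line gaster
# prints in the palera1n --debug log, and the TSSSaver blob filename from the
# command line, which is <ECID decimal>_<model>_<board>_<version>-<hash>.shsh2.
DEVICE_LINE = ("CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:001A49D828882326 "
               "IBFL:3C SRTG:[iBoot-2696.0.0.1.33]")
BLOB_NAME = ("7399542136251174_iPhone9,3_d101ap_15.2-"
             "27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae.shsh2")

# Assumed lookup: (CPID, BDID) -> (model, board). Only the pair seen in this
# issue's log is listed; extend it for other devices.
KNOWN_BOARDS = {("8010", "0C"): ("iPhone9,3", "d101ap")}


def parse_device_line(line):
    """Return gaster's KEY:value fields as a dict (bracketed values kept whole)."""
    return dict(re.findall(r"(\w+):(\[[^\]]*\]|\S+)", line))


def parse_blob_name(name):
    """Split a TSSSaver-style .shsh2 filename into its components."""
    m = re.fullmatch(
        r"(\d+)_([A-Za-z]+\d+,\d+)_([a-z]\d+ap)_(\d+(?:\.\d+)*)-([0-9a-f]{64})\.shsh2", name)
    if m is None:
        raise ValueError("not a TSSSaver-style blob filename: " + name)
    ecid, model, board, version, digest = m.groups()
    return {"ecid": int(ecid), "model": model, "board": board,
            "version": version, "sha256": digest}


def check_blob_against_device(device_line, blob_name, dfu_version):
    """List mismatches between the DFU device and the blob; [] means consistent."""
    dev = parse_device_line(device_line)
    blob = parse_blob_name(blob_name)
    problems = []
    # gaster prints the ECID in hex; TSSSaver puts the decimal value in the filename.
    if int(dev["ECID"], 16) != blob["ecid"]:
        problems.append(f"blob ECID {blob['ecid']} != device ECID 0x{dev['ECID']}")
    expected = KNOWN_BOARDS.get((dev["CPID"], dev["BDID"]))
    if expected is not None and expected != (blob["model"], blob["board"]):
        problems.append(f"blob is for {blob['model']}/{blob['board']}, device is {expected[0]}/{expected[1]}")
    if blob["version"] != dfu_version:
        problems.append(f"blob saved for iOS {blob['version']} but --dfu {dfu_version} requested")
    return problems


if __name__ == "__main__":
    print(check_blob_against_device(DEVICE_LINE, BLOB_NAME, "15.2") or "blob matches device")
```

On this issue's own values the check passes (0x001A49D828882326 is 7399542136251174), so the hang was not a blob saved for a different device; what the filename cannot tell you is whether the ticket's nonce matches the device's, which is the difference between TSSSaver blobs and onboard ones.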

@itsnebulalol
Contributor

itsnebulalol commented Sep 20, 2022

Hell yeah, good to know. Look at the ramdisk branch, please. Ramdisk branch is a bit broken as of now, still working on some of the bugs.

I'm assuming I didn't have the blobs issue since I have futurerestored my device, and something is still possibly set? No idea.

I'll close this for now.

@ghost

ghost commented Sep 20, 2022

> Hell yeah, good to know. Look at the ramdisk branch, please. Ramdisk branch is a bit broken as of now, still working on some of the bugs.
>
> I'm assuming I didn't have the blobs issue since I have futurerestored my device, and something is still possibly set? No idea.
>
> I'll close this for now.

I probably will not be testing the ramdisk branch at all; it was already hell trying to get it to work reliably the one time. I am going to throw together a detailed walkthrough video on how to jailbreak the iPhone 10 reliably on iOS 15.4.1 using palera1n and Pogo together, and will update you once the video is done. I am going to try to use adequate lighting and have it be more of a professional video *for advertising purposes for your jailbreak. I believe you need all the credit you can get.
edit: the video will include detailed ramdisk instructions using sshrd script and how to dump blobs using that script

@iam-theKid
Author

iam-theKid commented Sep 20, 2022

These 9,3 devices must be doomed; even with dumped onboard blobs the same thing happens lol. The dumped onboard blobs are ok since they are being validated by img4tool against OTA. Added you on Discord @kristenlc

@ghost

ghost commented Sep 20, 2022

> These 9,3 devices must be doomed; even with dumped onboard blobs the same thing happens lol. The dumped onboard blobs are ok since they are being validated by img4tool against OTA. Added you on Discord @kristenlc

I added you, and texted you back

@itsnebulalol
Contributor

> *for advertising purposes for your jailbreak. I believe you need all the credit you can get.

As long as you link this repo and maybe even my Twitter, I don’t have a problem with it. Just only send it to people in issues if they asked for it.
