A10X, iPadOS15.7, Linux, stuck at Pwning device

[runhuizhou]

Device is iPad Pro 10.5" 2017, on iPadOS 15.7

What i did is:
0. Got dumped blob from previous execution of sudo ./palera1n.sh --dfu 15.7 --debug

1. sudo ./sshrd.sh 15.7 TrollStore Tips (Stuck at "Getting Device Info... This may take a second" always, and succeeded to continue execution after lots of trials. Just like this issue.)
2. sudo ./sshrd.sh boot (seems ok, as Tips app is not opening now)
3. sudo ./palera1n.sh clean
4. sudo ./palera1n.sh --dfu 15.7 --debug (stuck somewhere)

This is kind of a random issue, randomly successfully continues, but mostly it's just stuck at somewhere.

For example, this time it's stuck at "[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227":

[root@relafnic palera1n]# sudo ./palera1n.sh --dfu 15.7 --debug
palera1n | Version 1.0.0
Written by Nebula | Some code and ramdisk from Nathan | Patching commands and help from Mineek | Loader app by Amy

[] Getting device info...
[] Pwning device
usb_timeout: 5
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000D0D402006603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: RESET
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000D0D402006603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: SPRAY
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000D0D402006603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: SETUP
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000D0D402006603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: PATCH
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227

And then the device will boot into system normally, and I need to Ctrl + C to terminate it manually.

Or, it will be stuck at some other stage for a while and then stuck after PATCH stage returns true.

Saw similar issue here: https://github.com/0x7ff/gaster/issues/1
I don't know if it helps :>

[runhuizhou]

Sometimes when it successfully continues, it will be like this:

100% [===================================================================================================>]
download succeeded
[] Patching and repacking iBSS/iBEC
main: Starting...
iOS 15 iBoot detected!
getting get_debug_enabled_patch() patch
getting get_sigcheck_patch() patch
applying patch=0x1800c4c54 : 000080d2
applying patch=0x1800c4c9c : 000080d2
applying patch=0x1800c688c : 200080d2
main: Writing out patched file to iBSS.patched...
main: Quitting...
main: Starting...
iOS 15 iBoot detected!
getting get_boot_arg_patch(-v keepsyms=1 debug=0xfffffffe panic-wait-forever=1 wdt=-1) patch
getting get_debug_enabled_patch() patch
getting get_sigcheck_patch() patch
applying patch=0x1800c4c54 : 000080d2
applying patch=0x1800c4c9c : 000080d2
applying patch=0x1800c688c : 200080d2
applying patch=0x1800c7de8 : f8690b10
applying patch=0x1800deb24 : 2d76206b65657073796d733d312064656275673d307866666666666666652070616e69632d776169742d666f72657665723d31207764743d2d3100
main: Writing out patched file to iBEC.patched...
main: Quitting...
none
none
[] Patching and converting kernelcache
Reading work/kernelcache.release.ipad7...
[NOTE] Image4 payload data is LZFSE compressed, decompressing...
Extracted Image4 payload data to: work/kcache.raw
main: Starting...
main: Detected fat macho kernel
Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-8020 inputted
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str loc at 0x9a7061
get_amfi_out_of_my_way_patch: Found Internal Error: No cdhash found. str ref at 0x10d8c64
get_amfi_out_of_my_way_patch: Patching AMFI at 0x10d42a8
Kernel: Adding could_not_authenticate_personalized_root_hash patch...
get_could_not_authenticate_personalized_root_hash_patch: Entering ...
get_could_not_authenticate_personalized_root_hash_patch: Found "successfully validated on-disk root hash" str loc at 0xcd0c0a
get_could_not_authenticate_personalized_root_hash_patch: Found "successfully validated on-disk root hash" xref at 0x1ddd964
get_could_not_authenticate_personalized_root_hash_patch: Found previous cbz at 0x1ddd940
get_could_not_authenticate_personalized_root_hash_patch: Found "could not authenticate personalized root hash!" str loc at 0xcd0b5f
get_could_not_authenticate_personalized_root_hash_patch: Found "could not authenticate personalized root hash!" xref at 0x1ddda3c
get_could_not_authenticate_personalized_root_hash_patch: Found cbz target at 0x1ddda1c
get_could_not_authenticate_personalized_root_hash_patch: Patching root hash check at 0x1ddda1c
main: Writing out patched file to work/kcache.patched...
main: Quitting...
Reading work/kcache.patched...
Compressing payload using LZSS...
IM4P outputted to: work/krnlboot.im4p
Reading work/krnlboot.im4p...
Reading work/IM4M...
Creating Image4...
Image4 file outputted to: boot-iPad7,3/kernelcache.img4
[] Converting DeviceTree
dtre
[] Patching and converting trustcache
trst
none
[*] Booting device
[==================================================] 100.0%
ERROR: Unable to connect to device
[root@relafnic palera1n]#

And then the device boots normally into system

[itsnebulalol]

Make sure to go into dfu from recovery, not normal mode

[runhuizhou]

Make sure to go into dfu from recovery, not normal mode

Hi Nebula! Now I go into DFU mode from Recovery, and then it gets stuck at here too:

[root@relafnic palera1n]# sudo ./palera1n.sh --dfu 15.7 --debug
palera1n | Version 1.0.0
Written by Nebula | Some code and ramdisk from Nathan | Patching commands and help from Mineek | Loader app by Amy

[] Getting device info...
[] Pwning device
usb_timeout: 5
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000D0D402006603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: RESET
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000D0D402006603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: SPRAY
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000D0D402006603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: SETUP
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000D0D402006603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: PATCH
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227

[itsnebulalol]

Have you tried replugging there? Unplug your device and plug it back in.

[runhuizhou]

Have you tried replugging there? Unplug your device and plug it back in.

Now tried three times of replugging, still stuck. But if I Ctrl+C and execute command again, it's like:

[root@relafnic palera1n]# sudo ./palera1n.sh --dfu 15.7 --debug
palera1n | Version 1.0.0
Written by Nebula | Some code and ramdisk from Nathan | Patching commands and help from Mineek | Loader app by Amy

[] Getting device info...
[] Booting device
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%

Done!
The device should now boot to iOS
If you already have ran palera1n, click Do All in the tools section of Pogo
If not, Pogo should be installed to Tips
[root@relafnic palera1n]#

Device boots into recovery

[runhuizhou]

Have you tried replugging there? Unplug your device and plug it back in.

Now tried three times of replugging, still stuck. But if I Ctrl+C and execute command again, it's like:

[root@relafnic palera1n]# sudo ./palera1n.sh --dfu 15.7 --debug
palera1n | Version 1.0.0
Written by Nebula | Some code and ramdisk from Nathan | Patching commands and help from Mineek | Loader app by Amy
[] Getting device info...
[] Booting device
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
Done!
The device should now boot to iOS
If you already have ran palera1n, click Do All in the tools section of Pogo
If not, Pogo should be installed to Tips
[root@relafnic palera1n]#

Device boots into recovery

Oh my bad. Maybe that's because I had entered recovery mode via ./palera1n.sh which made it into recovery loop. Give me a second

[runhuizhou]

Now firstly I manually enter recovery mode, and then dfu mode, and then execute commands:

[root@relafnic palera1n]# sudo ./palera1n.sh --dfu 15.7 --debug
palera1n | Version 1.0.0
Written by Nebula | Some code and ramdisk from Nathan | Patching commands and help from Mineek | Loader app by Amy

[] Getting device info...
[] Pwning device
usb_timeout: 5
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000D0D402006603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: RESET
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000D0D402006603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: SPRAY
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000D0D402006603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: SETUP
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:000D0D402006603A IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: PATCH
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
^C
[root@relafnic palera1n]# sudo ./palera1n.sh --dfu 15.7 --debug
palera1n | Version 1.0.0
Written by Nebula | Some code and ramdisk from Nathan | Patching commands and help from Mineek | Loader app by Amy

[] Getting device info...
[] Booting device
[==================================================] 100.0%
ERROR: Unable to connect to device
[root@relafnic palera1n]#

Then moment the device booted into iPadOS, terminal said "ERROR: Unable to connect to device" :<
Reproduced twice

[itsnebulalol]

What linux distro is this?

[runhuizhou]

What linux distro is this?

Arch linux

[runhuizhou]

What linux distro is this?

Hey! I tested on a MacBook Air, with Big Sur 11.7, where the pwning device issue has gone.
But still got "ERROR: Unable to connect to device" when booting the device, and the device just boots into normal system itself. Here's the log:
loooog.txt

[itsnebulalol]

Hey, what device is this? Is this A11 or an iPad? If so, you’ll have to go into recovery first, then DFU. I recommend having palera1n guide you through it

[runhuizhou]

Hey, what device is this? Is this A11 or an iPad? If so, you’ll have to go into recovery first, then DFU. I recommend having palera1n guide you through it

Hey it's a10x ipad pro10.5, the same device as the original post. Yes now I've been always go to rec first and then dfu. Still no luck.

[neizvedaniydag]

IPhone 7+, ios 15.4.1.
[] Cleaning up work directory
[] Booting ramdisk
[*] Getting device info... this may take a second
[========================================] 100.0%
[========================================] 100.0%
ERROR: Unable to connect to device
[-] An error occured

[zipg]

What linux distro is this?

Hey! I tested on a MacBook Air, with Big Sur 11.7, where the pwning device issue has gone. But still got "ERROR: Unable to connect to device" when booting the device, and the device just boots into normal system itself. Here's the log: loooog.txt

My iPad got exactly same problems. Have you found the way to solve it?

[runhuizhou]

What linux distro is this?

Hey! I tested on a MacBook Air, with Big Sur 11.7, where the pwning device issue has gone. But still got "ERROR: Unable to connect to device" when booting the device, and the device just boots into normal system itself. Here's the log: loooog.txt

My iPad got exactly same problems. Have you found the way to solve it?

Nah. I'm dumb :(

[DinkaKami22]

Hello everyone.
I have an iPad 6 (2018) on 15.7.

Should I try this?