Difference between revisions of "Tutorial:Creating a NOR-only IPSW"

From The iPhone Wiki
Revision comparison (4 intermediate revisions by 2 users not shown). Diff header as extracted: "(untethered bootrom exploit need)", "m".

The earlier revision gave the same six steps and the same options.plist as the latest revision below, but its closing note was narrower: "This technique only works with the iPod touch 2G MB-version and the iPhone 3GS old bootrom (devices that are vulnerable to bootrom untethered exploit)". The latest revision generalises this note to any device that has an untethered bootrom exploit (Pwnage or 0x24000 Segment Overflow).

Latest revision as of 12:18, 27 August 2013

This will create an IPSW that only flashes your device's NOR. It will not touch the operating system or NAND.

  1. Create a custom IPSW.
  2. Unpack it and remove the rootfs DMG.
  3. Decrypt the ramdisk (xpwntool) and mount it.
  4. Edit options.plist (/usr/local/share/restore/options.plist) on the restore ramdisk so that it reads:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>CreateFilesystemPartitions</key>
   <false/>
   <key>UpdateBaseband</key>
   <false/>
   <key>SystemImage</key>
   <false/>
</dict>
</plist>

  5. Unmount and re-encrypt the restore ramdisk.
  6. Repack the IPSW.
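Step 4 is the only part of the procedure that changes file contents, and getting a plist edit wrong (a typo in a key, a stray <true/>) means the restore will happily repartition NAND or restore the root filesystem after all. The following script is an added example, not part of the wiki tutorial or of xpwntool: it uses Python's standard plistlib to force the three keys from the tutorial to false inside an already-decrypted, mounted ramdisk, keeps a backup of the original file, and reads the result back to verify it before you unmount and re-encrypt. The mount-point argument, the `.orig` backup name and the `run_demo` helper are assumptions for illustration; the path /usr/local/share/restore/options.plist and the three key names come from the tutorial.

```python
"""Force the NOR-only flags in a restore-ramdisk options.plist (added example)."""
import plistlib
import shutil
import tempfile
from pathlib import Path

# The three keys the tutorial sets to <false/> so the restore flashes NOR only.
NOR_ONLY_FLAGS = {
    "CreateFilesystemPartitions": False,  # leave the NAND partitions alone
    "UpdateBaseband": False,              # do not touch the baseband
    "SystemImage": False,                 # do not restore the rootfs DMG
}

# Path from the tutorial, relative to the mounted ramdisk root.
OPTIONS_REL_PATH = Path("usr/local/share/restore/options.plist")


def apply_nor_only(options):
    """Return a copy of the options dict with the NOR-only flags forced to False.

    Any other keys already present in the plist are preserved unchanged.
    """
    if not isinstance(options, dict):
        raise TypeError("options.plist root must be a dict")
    patched = dict(options)
    patched.update(NOR_ONLY_FLAGS)
    return patched


def is_nor_only(options):
    """True only when every NOR-only flag is present and is exactly False."""
    return isinstance(options, dict) and all(
        options.get(key) is False for key in NOR_ONLY_FLAGS
    )


def patch_options_plist(mount_point):
    """Rewrite options.plist under mount_point (assumed: the mounted ramdisk root).

    Keeps an options.plist.orig backup (assumed name) and verifies the result.
    """
    plist_path = Path(mount_point) / OPTIONS_REL_PATH
    if plist_path.exists():
        with plist_path.open("rb") as fh:
            options = plistlib.load(fh)
        shutil.copy2(plist_path, plist_path.with_name(plist_path.name + ".orig"))
    else:
        # No file yet: start from an empty dict; the tutorial's plist
        # contains nothing but the three flags anyway.
        plist_path.parent.mkdir(parents=True, exist_ok=True)
        options = {}

    patched = apply_nor_only(options)
    with plist_path.open("wb") as fh:
        # Python bools serialise as <true/> / <false/>, matching the tutorial.
        plistlib.dump(patched, fh, fmt=plistlib.FMT_XML)

    # Read back and verify before the ramdisk is unmounted and re-encrypted.
    with plist_path.open("rb") as fh:
        if not is_nor_only(plistlib.load(fh)):
            raise RuntimeError("verification failed: NOR-only flags not set")
    return plist_path


def run_demo():
    """Exercise the patcher on a constructed temporary tree mimicking the ramdisk."""
    mount = Path(tempfile.mkdtemp())
    # Constructed starting plist: one flag wrong, one unrelated key to preserve.
    target = mount / OPTIONS_REL_PATH
    target.parent.mkdir(parents=True)
    with target.open("wb") as fh:
        plistlib.dump({"SystemImage": True, "UnrelatedKey": 1}, fh)
    result = patch_options_plist(mount)
    with result.open("rb") as fh:
        final = plistlib.load(fh)
    backup_exists = result.with_name(result.name + ".orig").exists()
    return is_nor_only(final) and final.get("UnrelatedKey") == 1 and backup_exists


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("patched", patch_options_plist(sys.argv[1]))
    else:
        print("demo ok" if run_demo() else "demo failed")
```

Run it with the ramdisk mount point as the only argument (`python3 nor_only.py /Volumes/ramdisk`, path assumed); without an argument it runs the self-check on a throwaway directory. The read-back verification is the part worth keeping even if you edit the file by hand: check the three keys after saving, not before.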

NOTE: This technique only works on devices that have an untethered bootrom exploit (Pwnage or 0x24000 Segment Overflow).