The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Tutorial:Creating a NOR-only IPSW"
(untethered bootrom exploit need) |
m |
||
(4 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
+ | This will create an [[IPSW File Format|IPSW]] that only flashes your device's [[NOR]]. It will not touch the [[iOS|operating system]] or [[NAND]]. |
||
− | 1. Create a custom ipsw |
||
+ | # Create a custom IPSW |
||
+ | # Unpack it, remove rootfs DMG |
||
+ | # Decrypt the ramdisk ([[xpwntool]]) and mount it. |
||
+ | # Edit options.plist (/usr/local/share/restore/options.plist) on the restore ramdisk: |
||
+ | <?xml version="1.0" encoding="UTF-8"?> |
||
+ | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
||
+ | <plist version="1.0"> |
||
+ | <dict> |
||
+ | <key>CreateFilesystemPartitions</key> |
||
+ | <false/> |
||
+ | <key>UpdateBaseband</key> |
||
+ | <false/> |
||
+ | <key>SystemImage</key> |
||
+ | <false/> |
||
+ | </dict> |
||
+ | </plist> |
||
+ | <ol start="5"> |
||
− | 2. Unpack it, remove rootfs dmg |
||
+ | <li>Unmount and reencrypt the restore ramdisk.</li> |
||
+ | <li>Repack the IPSW.</li> |
||
+ | </ol> |
||
+ | NOTE: This technique only works on devices that have an untethered bootrom exploit ([[Pwnage]] or [[0x24000 Segment Overflow]]). |
||
− | 3. Decrypt ramdisk (xpwntool), mount it. |
||
+ | [[Category:Tutorials]] |
||
− | 4. Edit options.plist on the restore ramdisk: |
||
− | |||
− | /usr/local/share/restore/options.plist |
||
− | <pre><?xml version="1.0" encoding="UTF-8"?> |
||
− | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
||
− | <plist version="1.0"> |
||
− | <dict> |
||
− | <key>CreateFilesystemPartitions</key> |
||
− | <false/> |
||
− | <key>UpdateBaseband</key> |
||
− | <false/> |
||
− | <key>SystemImage</key> |
||
− | <false/> |
||
− | </dict> |
||
− | </plist> |
||
− | </pre> |
||
− | |||
− | 5. Unmount and reencrypt the restore ramdisk. |
||
− | |||
− | 6. Repack the ipsw. |
||
− | |||
− | NOTE: This technique only works with the [[N72ap|iPod touch 2G]] [[Models|MB-version]] and the [[N88ap|iPhone 3GS]] old [[bootrom]] (devices that are vulnerable to bootrom untethered exploit) |
Latest revision as of 12:18, 27 August 2013
This will create an IPSW that only flashes your device's NOR. It will not touch the operating system or NAND.
- Create a custom IPSW
- Unpack it, remove rootfs DMG
- Decrypt the ramdisk (xpwntool) and mount it.
- Edit options.plist (/usr/local/share/restore/options.plist) on the restore ramdisk:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CreateFilesystemPartitions</key> <false/> <key>UpdateBaseband</key> <false/> <key>SystemImage</key> <false/> </dict> </plist>
- Unmount and reencrypt the restore ramdisk.
- Repack the IPSW.
NOTE: This technique only works on devices that have an untethered bootrom exploit (Pwnage or 0x24000 Segment Overflow).