making of an iOS 2.2.1 jailbreak

part 1: figuring out

2025-03-05


pain

An operating system that's older than me, and I'm trying to figure out what's going on. The lack of support is reasonable, but I digress. So in true Legacy Child fashion, I will do myself (and possibly you) a favor.

the beginning

To restore this untimely piece of crap OS, I will use Legacy-iOS-Kit, the most underappreciated tool in this community. Following the wiki instructions on how to restore to 2.x.x (using usbmuxd from MacPorts, Homebrew's brother), I got it working. YES.

But not for long:

ERROR: Could not connect to lockdownd: Invalid configuration (-2) Failed to connect to lockdownd

Using an older iTunes installed via Retroactive produces the same message. It seems like newer macOS SIP (System Integrity Protection) doesn't like old stuff. Turning it off involves painstakingly waiting for the HDMI output in recovery, just to type a single command.

Linux it- Shit. Neither works. I should've flashed a hacktivated ipsw. That brings me to the only solution left: QuickPwn.

quickpwn (or winpwn): friend or foe?

Upon a quick inspection, this tool generates ipsws for iOS 2.0 through 2.2.1. Because of the poor security of iOS at the time, you can literally customize the ipsw and pack it back like nothing happened. Many Russians have tried this before, and the results... are something.

Sorry, it's my ADHD.

The "Data" folder contains many interesting tars, possibly reproducible with a few simple Linux commands.

MORE interestingly, I found files with the .patch extension in PwnmetheusBundles/ that start with a "BSDIFF4" header. When I searched on Google, a Unix tool was found that matched the header mentioned above. Oh. So that's what the "byte search" in Apple Wiki is for! Fucking nerds.

Explanation:

This saves A TON of storage, in turn using tons of memory. The devs don't have to pack a chunk of pre-baked files; instead, unzip the ipsw and voila!
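The "BSDIFF4" header belongs to Colin Percival's bsdiff format (the full 8-byte magic is "BSDIFF40", followed by three lengths and three bzip2 blocks). As an added example, not code from this post or from QuickPwn, here is a small Python parser and patcher for that format, with the header and control-block sanity checks you would want before letting a downloaded .patch touch a filesystem image. The old/new byte strings and the single-triple patch built by make_sample_patch are constructed for illustration; real bsdiff finds matches with a suffix sort and emits many triples.

```python
import bz2
MAGIC = b"BSDIFF40"  # 8-byte magic written by Colin Percival's bsdiff

def offtin(buf: bytes) -> int:
    """Decode bsdiff's 8-byte little-endian sign-magnitude integer."""
    y = int.from_bytes(buf[:8], "little") & 0x7FFFFFFFFFFFFFFF
    return -y if buf[7] & 0x80 else y

def offtout(x: int) -> bytes:  # inverse of offtin; used only to build the sample
    return (abs(x) | ((1 << 63) if x < 0 else 0)).to_bytes(8, "little")

def parse_header(patch: bytes) -> dict:
    """Validate the 32-byte header and return the block lengths it declares."""
    if len(patch) < 32 or patch[:8] != MAGIC:
        raise ValueError("not a BSDIFF40 patch")
    cl, dl, ns = offtin(patch[8:16]), offtin(patch[16:24]), offtin(patch[24:32])
    if min(cl, dl, ns) < 0:
        raise ValueError("corrupt header: negative length")
    if 32 + cl + dl > len(patch):
        raise ValueError("corrupt header: blocks run past end of patch")
    return {"ctrl_len": cl, "diff_len": dl, "new_size": ns}

def bspatch(old: bytes, patch: bytes) -> bytes:
    """Apply a patch: each control triple (x, y, z) adds x diff bytes to old, copies y extra bytes, seeks old by z."""
    h = parse_header(patch)
    a, b = 32 + h["ctrl_len"], 32 + h["ctrl_len"] + h["diff_len"]
    ctrl, diff, extra = (bz2.decompress(patch[32:a]), bz2.decompress(patch[a:b]),
                         bz2.decompress(patch[b:]))
    out, oldpos, dpos, epos = bytearray(), 0, 0, 0
    for i in range(0, len(ctrl), 24):
        x, y, z = (offtin(ctrl[i + k:i + k + 8]) for k in (0, 8, 16))
        if (x < 0 or y < 0 or dpos + x > len(diff) or epos + y > len(extra)
                or len(out) + x + y > h["new_size"]):
            raise ValueError("corrupt patch: control triple out of range")
        for j in range(x):  # old bytes outside [0, len(old)) count as 0, as in bspatch.c
            o = old[oldpos + j] if 0 <= oldpos + j < len(old) else 0
            out.append((diff[dpos + j] + o) & 0xFF)
        out += extra[epos:epos + y]
        oldpos, dpos, epos = oldpos + x + z, dpos + x, epos + y
    if len(out) != h["new_size"]:
        raise ValueError("corrupt patch: output size mismatch")
    return bytes(out)

def make_sample_patch(old: bytes, new: bytes) -> bytes:
    """Constructed one-triple patch (not bsdiff's real matcher): diff block = overlapping prefix, extra = new's tail."""
    n = min(len(old), len(new))
    ctrl = offtout(n) + offtout(len(new) - n) + offtout(0)
    diff = bytes((new[i] - old[i]) & 0xFF for i in range(n))
    cc, cd, ce = bz2.compress(ctrl), bz2.compress(diff), bz2.compress(new[n:])
    return MAGIC + offtout(len(cc)) + offtout(len(cd)) + offtout(len(new)) + cc + cd + ce
```

Running `bspatch(old, make_sample_patch(old, new))` reproduces `new`; flipping a byte in the magic or the declared new size makes it raise instead of writing a truncated or oversized image.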

Honestly, I'm kinda shocked here. But we have to use winpwn, not quickpwn, because you need to plug an iPod in first in order to continue, which runs the full restore process, etc...

After finishing, it's time to unpack the ipsw to examine its contents. Inside, you have the most important filesystem, 018-3976-1.dmg (root). I do see Cydia.app and Installer.app and a bunch of /bin files for APT itself.

before doing anything

First, we have to install the ipsw to see that it works and boots.

Sure it did:

...

No pics because of HOW FUCKING USELESS IT IS YOU FUCKING- Alright, there's Cydia and Installer, good. But because of the security mentioned above I have to go back and add the life-saving tool: SSH. Unpacking the root filesystem, there is a fixed 500 MB resize to add more space for Cydia and misc. The openssh package is a mere 800 KB, so I added it in, did another restore, and...

Weird. It doesn't work. There may be some cert fuckerydoo that needs to be done.

I forgot the "dmg" command. Stumbled across this random Reddit thread showing how to hacktivate iCloud-locked iPhones. The "dmg" command is responsible for re/packing the .dmg filesystem and faking the checksum (??). But anyway, it booted and I was happy.

CHMOD!!!!!!!! CHMOD FUCK.

[the pain continues later...]
