WatchOS, checkm8, and the general iBoot hellscape.


Postby kritanta » Sat Jul 18, 2020 8:15 am

I've recently started efforts to implement a checkm8 based "jailbreak" on watchOS. At the moment, I would really just like to get this thing to boot.

I'm starting a thread here for the sake of serving as a place to dump my information as I go, and for anyone else to step in and help if they can. It's my hope that once this is done, nobody should ever have to go through this blind, undocumented, unresearched hell.

It's safe to say the one thing I've learned thus far is that I should have picked a better target for my foray into the *OS bootchain.

Details on the target:
  • I'm working with an iBUS adapter, plugged into my S3 Watch (t8004, n111b)
  • The only public utility supporting this device or anything related to it is ipwndfu. I've yet to find anything else.
  • The processor is an armv7 chip, but the ROM supports img4 files
  • IPSWs don't really exist for it. Leaks have been floating around, but I'm fairly new, and haven't quite earned the privilege of those circles.
  • OTA's do exist, and they include the kernelcache and img4 files. The links rarely work, though, and your best bet is finding someone who's willing to drop you a link to a re-up.
  • Due to the lack of a public IPSW, till I or others make any tools for this stuff, a bootloop is essentially game over. The Apple Store is currently the only feasible option if you want it to boot again.
  • No IPSW = no rootfs .dmg = no manually applying library symbols over unsymbolicated things, till I or someone else ports an exploit to watchOS and dumps it.

What I've learned thus far:
  • IDA hates this iBoot. Strings must be manually defined. It refuses to see the xrefs to them, for some reason, though.
  • Since an iBoot from 2019 was shipped on WatchOS 6.*, "iBoot32Patcher" fails to work.
  • Any tools (recovery, et al.) don't work with it.
  • Due to a lack of xrefs, string recognition, and armv7 decompilation (I can't afford ARM; all I have is arm64 w/ IDA), I have managed to reverse a singular symbol thus far.
  • I've created https://github.com/KritantaDev/memmap solely for the purpose of helping me map out the memory space here.

What I'm trying to figure out:
I understand what ipwndfu's t8015 shellcode to patch iBoot does. I have a surface-level understanding of checkra1n's patches to iBoot and its process for jumping into pongoOS.

I, however, am stuck trying to figure out how to apply any of this to the unsymbolicated, undocumented, 32-bit mess that is the watchOS bootchain. I'm going to continue researching, hunting for info/leaks/obscure projects, and will try to dump what I can here. If you want to help, contribute, or just dump random info on the topic here, please feel free.

You can also grab me on Twitter at @arm64e, or on Discord at @kritanta#0443. I'm difficult to find anywhere else, most likely. I'll post decryption keys for my SoC later to the iPhone Wiki, but if I haven't yet, feel free to give me a shout.

I won't rest till this damn thing boots, but that may cost me my sanity.

If you have questions related to getting started with watchOS bootchain fun/hell, feel free to drop them here and I'll answer what little I can.
kritanta
 
Posts: 3
Joined: Sun Jun 21, 2020 3:56 am

Re: WatchOS, checkm8, and the general iBoot hellscape.

Postby kritanta » Sat Jul 18, 2020 9:51 am

Dumping 0x0-0x20000 and loading it into IDA produces a processable SecureROM. Someone more experienced than myself could explain why; all I know is that it works. And thank god.
kritanta

Re: WatchOS, checkm8, and the general iBoot hellscape.

Postby kritanta » Fri Jul 24, 2020 5:43 am

Jin_Store on Twitter just dropped IPSWs for all watches, so bootloops are no longer a risk regarding the watch, for now.
kritanta