checkra1n doesn't work but pongoOS does #72

Open
mbesemann opened this issue May 5, 2021 · 12 comments
Comments

@mbesemann

mbesemann commented May 5, 2021

checkra1n ran normally gives me usbmux error -79 (Linux) or error -20 (Mac).

However, building pongoOS and specifying it with

checkra1n -k Pongo.bin

brings me to a PongoOS shell.

I have 2 questions:

  1. How do I load the checkra1n module to continue the exploit and get a jailbreak?
  2. If that fails, can I set a nonce with pongoterm in nvram to restore to 14.3?
@Siguza
Member

Siguza commented May 5, 2021

Just to check - specifying PongoConsolidated.bin doesn't work?

@Siguza
Member

Siguza commented May 6, 2021

Okay, so:

  1. Extract the ramdisk from the macOS binary (__CONST.__rdsk segment, or use this one: rdsk.dmg.gz)
  2. Have both the ramdisk and checkra1n-kpf-pongo in an accessible path.
  3. Get pongoterm from latest git master.
  4. Create a command file (I'll call it cmd.txt) with the following contents:
    sep auto
    /send path/to/checkra1n-kpf-pongo
    modload
    /send path/to/rdsk.dmg
    ramdisk
    xargs rootdev=md0
    bootx
    
  5. Run pongoterm <cmd.txt and let it wait
  6. Run checkra1n.

@mbesemann
Author

mbesemann commented May 6, 2021

This is what I get:

#==================
#
# pongoOS 2.5.0-0cb6126f
#
# https://checkra.in
#
#==================
Booted by: iBoot-6723.102.4
Built with: Clang 12.0.5 (clang-1205.0.22.9)
Running on: Apple A8X (T7001)
pongoOS> Bad command: /send
pongoOS> [modload_macho:i] Attempting to load a module
[modload_macho:!] load module: short read
pongoOS> Bad command: /send
pongoOS> please upload a ramdisk before issuing this command
pongoOS> set xnu boot arg cmdline to: [rootdev=md0]
pongoOS> %

For reference, my cmd.txt looks like this, and the 2 files are in the same directory (I tried both with ./ and without):

sep auto
/send ./checkra1n-kpf-pongo
modload
/send ./rdsk.dmg.gz
ramdisk
xargs rootdev=md0
bootx

UPDATE: I'm dumb, I forgot to recompile pongoterm after doing a pull... I think it worked this time, I just had to reopen pongoterm and hit enter since "bootx" wasn't run (maybe I needed a carriage return in the script after that line). Now I'm booted into iOS but I don't see a checkra1n icon yet. Maybe I can try the SSH workaround to get that in place.

UPDATE 2: Still no checkra1n icon - tried to SSH to port 44 and that doesn't work either. How can I tell if the device is in a jailbroken state?

UPDATE 3: I just realized your ramdisk is not gzipped - should I be extracting it and sending it as a .dmg?

UPDATE 4: Ok, I definitely had to unzip it. However, I get this error message in pongoterm (even though checkra1n now says "All done" at the end of the process):

pongoOS> Uploaded 1048576 bytes
pongoOS> set xnu boot arg cmdline to: [rootdev=md0]
pongoOS> USBControlTransfer: (iokit/common) not ready

UPDATE 5: The above error doesn't seem to happen every time. However, when it doesn't, it seems like the iPad is hanging indefinitely at the "Booting" stage. I guess it's a matter of trial and error at this point.

UPDATE 6: I got it to boot once so far past the checkra1n screen, by launching pongoterm after the pongoOS shell was booted (not sure if that made a difference). The device booted fairly quickly and had a flash of red/pink on the entire screen, but still no checkra1n icon. SSH on port 44 is also unavailable.

@mbesemann
Author

mbesemann commented May 6, 2021

Ok this deserves its own post because I finally did it :)

  1. Run checkra1n with the following args:
    checkra1n -csvk Pongo.bin

  2. Only once at the PongoOS shell, run pongoterm with the aforementioned cmd.txt

  3. Success - checkra1n icon is on the home screen :)

Log of run:

 - [05/06/21 10:05:41] <Info>: Waiting for DFU devices
 - [05/06/21 10:05:41] <Verbose>: DFU mode device found
 - [05/06/21 10:05:41] <Info>: Exploiting
 - [05/06/21 10:05:41] <Verbose>: Attempting to perform checkm8 on 7001 1...
 - [05/06/21 10:05:41] <Info>: Checking if device is ready
 - [05/06/21 10:05:41] <Verbose>: == Checkm8 Preparation stage ==
 - [05/06/21 10:05:41] <Verbose>: DFU mode device found
 - [05/06/21 10:05:41] <Info>: Setting up the exploit (this is the heap spray)
 - [05/06/21 10:05:41] <Verbose>: == Checkm8 Setup stage ==
 - [05/06/21 10:05:41] <Info>: Right before trigger (this is the real bug setup)
 - [05/06/21 10:05:41] <Verbose>: Entered initial checkm8 state after 3 steps, issuing DFU abort..
 - [05/06/21 10:05:42] <Verbose>: DFU device disconnected
 - [05/06/21 10:05:42] <Verbose>: DFU mode device found
 - [05/06/21 10:05:42] <Verbose>: == Checkm8 Trigger stage ==
 - [05/06/21 10:05:42] <Verbose>: Checkmate!
 - [05/06/21 10:05:42] <Verbose>: DFU device disconnected
 - [05/06/21 10:05:42] <Verbose>: DFU mode device found
 - [05/06/21 10:05:42] <Verbose>: == Checkm8 Trying to run payload... ==
 - [05/06/21 10:05:42] <Verbose>: If everything went correctly, you should now have code execution.
 - [05/06/21 10:05:42] <Verbose>: DFU device disconnected
 - [05/06/21 10:05:43] <Info>: Entered download mode
 - [05/06/21 10:05:43] <Verbose>: Download mode device found
 - [05/06/21 10:05:43] <Info>: Booting...
 - [05/06/21 10:05:43] <Verbose>: Setting bootargs to: rootdev=md0
 - [05/06/21 10:05:44] <Verbose>: Download mode device disconnected
 - [05/06/21 10:06:13] <Info>: All Done
 - [05/06/21 10:06:13] <Verbose>: Bootstrap already installed, done

UPDATE: Bad news - Installing Cydia worked, then I realized I actually wanted to install oddysseyra1n, so I restored the system from the checkra1n app, and now I can't even get to the pongoOS shell. I'll keep trying I guess!

UPDATE 2: It seems that checkra1n doesn't like -k with other options, so I just got rid of the csv part and I was able to follow all the steps again and install oddysseyra1n. Finally jailbroken w/ Sileo!

@rinsuki

rinsuki commented May 15, 2021

I have the same issue, and the #72 (comment) workaround worked. Thanks!

in my case:

  • simply running checkra1n (without -k) gave me the -20 (timeout) error. I also got a similar error with -k PongoConsolidated.bin
  • the attached rdsk.dmg.gz does not work (even ungzipped) in my environment, so I extracted one from checkra1n 0.12.4 with this tool: https://gist.github.com/C0deH4cker/80b53de22012146ea9d8
  • pongocmd sometimes freezes until I disconnect and reconnect the Lightning cable

@edwin170

Okay, so:

  1. Extract the ramdisk from the macOS binary (__CONST.__rdsk segment, or use this one: rdsk.dmg.gz)
  2. Have both the ramdisk and checkra1n-kpf-pongo in an accessible path.
  3. Get pongoterm from latest git master.
  4. Create a command file (I'll call it cmd.txt) with the following contents:
    sep auto
    /send path/to/checkra1n-kpf-pongo
    modload
    /send path/to/rdsk.dmg
    ramdisk
    xargs rootdev=md0
    bootx
    
  5. Run pongoterm <cmd.txt and let it wait
  6. Run checkra1n.

That rdsk doesn't have the binpack files. Could you please tell us where we could find them?

@Siguza
Member

Siguza commented May 28, 2023

@edwin170 __CONST.__overlay

@edwin170

@edwin170 __CONST.__overlay

I don't know if it is a dmg file, but I tried it and the dmg was corrupted, so I used the file command: "overlay.dmg: zlib compressed data". So I extracted it, but then it was just data, so I think it was extracted badly. However, I did it right: I used otool to find the offset and the size. Could you share the file with me as a zip or dmg or something similar?

@Siguza
Member

Siguza commented May 30, 2023

@edwin170 sudo hdik overlay.dmg

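Siguza's step 1 above pulls the ramdisk out of the __CONST.__rdsk section of the macOS checkra1n binary, and the overlay exchange just above shows how easy it is to misjudge what came out (a gzip that still needs unzipping, or a UDIF .dmg that `file` reports as plain zlib data because it only looks at the first bytes). The Python below is an added example, not code from this thread or from the pongoOS/checkra1n project: a minimal Mach-O section extractor (including fat/universal wrappers) plus a check that classifies the extracted blob before you hand it to pongoterm or hdik. The build_image helper and the 0x0100000C (arm64) cputype are only there to construct a toy test image; no real checkra1n binary is assumed.

```python
import struct
# Mach-O constants: 64-bit little-endian images, optional big-endian fat wrapper
MH_MAGIC_64, FAT_MAGIC, LC_SEGMENT_64 = 0xFEEDFACF, 0xCAFEBABE, 0x19

def image_bases(data):
    """Yield the file offset of each Mach-O image; a fat/universal file holds several."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        yield 0
        return
    for i in range(struct.unpack_from(">I", data, 4)[0]):
        yield struct.unpack_from(">I", data, 16 + 20 * i)[0]  # fat_arch.offset

def find_section(data, segname, sectname):
    """Return the raw bytes of segname,sectname (e.g. __CONST,__rdsk), or None."""
    for base in image_bases(data):
        magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, base)
        if magic != MH_MAGIC_64:
            continue
        lc = base + 32  # first load command follows the 32-byte header
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack_from("<II", data, lc)
            if cmd == LC_SEGMENT_64 and data[lc + 8:lc + 24].rstrip(b"\0") == segname.encode():
                for s in range(struct.unpack_from("<I", data, lc + 64)[0]):  # nsects
                    sec = lc + 72 + 80 * s  # 80-byte section_64 entries follow the command
                    if data[sec:sec + 16].rstrip(b"\0") == sectname.encode():
                        size, off = struct.unpack_from("<QI", data, sec + 40)
                        return data[base + off:base + off + size]  # offset is slice-relative
            lc += cmdsize
    return None

def classify(blob):
    """gzip (unzip it first), UDIF .dmg ('koly' trailer; body usually starts with a zlib stream, which is all `file` sees), or unknown."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if len(blob) >= 512 and blob[-512:-508] == b"koly":
        return "udif-dmg"
    return "unknown"

def build_image(sections):
    """Constructed test input only: a minimal MH_MAGIC_64 image with one __CONST
    segment whose sections are {sectname: payload}. Not a real checkra1n binary."""
    n, secs, body, off = len(sections), b"", b"", 32 + 72 + 80 * len(sections)
    for name, payload in sections.items():
        secs += name.encode().ljust(16, b"\0") + b"__CONST".ljust(16, b"\0")
        secs += struct.pack("<QQIIIIIIII", 0, len(payload), off, 0, 0, 0, 0, 0, 0, 0)
        body, off = body + payload, off + len(payload)
    seg = struct.pack("<II", LC_SEGMENT_64, 72 + 80 * n) + b"__CONST".ljust(16, b"\0")
    seg += struct.pack("<QQQQiiII", 0, 0, 0, len(body), 0, 0, n, 0)
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(seg) + len(secs), 0, 0)
    return hdr + seg + secs + body
```

On a real binary, `find_section(open("checkra1n", "rb").read(), "__CONST", "__overlay")` gives the same bytes otool's offset/size would, and `classify` tells you whether to gunzip it or mount it directly.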
@edwin170

@edwin170 sudo hdik overlay.dmg

haha oh thanks let me try it :)

@edwin170

edwin170 commented Jun 3, 2023

@edwin170 sudo hdik overlay.dmg

Sir, could you please say who is responsible for mounting the overlay.dmg image?

@Siguza
Member

Siguza commented Jun 3, 2023

@edwin170 The payload binary.
