NyanSatan/checkm8_bootkit

checkm8_bootkit

A small utility for booting iBoot on some checkm8-able platforms. It can now also decrypt KBAGs and demote the device.

It doesn't require any modifications to the ipwndfu/gaster/etc. shellcodes, since it uses ipwndfu's custom protocol.

You can run it on iOS as well (if you are lucky).

SoC support

  • S5L8940X - Apple A5
  • S5L8942X - Apple A5 (32nm)
  • S5L8945X - Apple A5X
  • S5L8947X - Apple A5 (single-core)
  • S5L8950X - Apple A6
  • S5L8955X - Apple A6X
  • S5L8747X - Haywire SoC
  • S7002 - Apple S1
  • T8002 - Apple S1P/S2/T1
  • T8004 - Apple S3

Usage

➜  checkm8_bootkit git:(master) ✗ build/checkm8_bootkit
usage: build/checkm8_bootkit VERB [args]

where VERB is one of the following:
        boot <bootloader>
        kbag <kbag>
        demote
        batch <input> <output>

for batch KBAG processing, you must input a JSON in the following format:
        [
                {
                        "kbag": "KBAG",
                        "metadata_1": "METADATA",
                        ...
                        "metadata_n": "METADATA"
                },
                ...
        ]

in return you'll get the same structure, but with "key" appended to each entry

supported platforms:
        s5l8747x, s5l8940x, s5l8942x, s5l8945x, s5l8947x, s5l8950x, s5l8955x, s7002, t8002, t8004
  • bootloader must be a path to raw unpacked iBoot image (usually you'd want to load iBSS)
  • kbag must be a hex string

Set the LIBBOOTKIT_DEBUG environment variable to 1 to enable verbose logging.
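The batch format described in the usage text can be checked before and after a run. The following is an added example, not part of checkm8_bootkit: the function names are hypothetical, the sample values are constructed placeholders, and the whole-byte hex check and the rejection of a pre-existing "key" field are assumptions beyond what the usage text states.

```python
import json
import string

HEX_DIGITS = set(string.hexdigits)

def validate_batch_input(entries):
    """Return a list of problems in a batch input structure (empty list = OK)."""
    if not isinstance(entries, list):
        return ["top level must be a JSON array"]
    problems = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: not a JSON object")
            continue
        kbag = entry.get("kbag")
        if not isinstance(kbag, str) or not kbag:
            problems.append(f"entry {i}: missing or non-string 'kbag'")
        elif len(kbag) % 2 or not set(kbag) <= HEX_DIGITS:
            # Assumption: the hex string encodes whole bytes.
            problems.append(f"entry {i}: 'kbag' is not a whole-byte hex string")
        if "key" in entry:
            # Assumption: an existing 'key' could not be told apart from the result.
            problems.append(f"entry {i}: already has a 'key' field")
    return problems

def check_batch_output(inp, out):
    """Check that out is the input structure with only 'key' added per entry."""
    if not isinstance(out, list) or len(out) != len(inp):
        return ["output entry count differs from input"]
    problems = []
    for i, (src, dst) in enumerate(zip(inp, out)):
        if not isinstance(dst, dict) or "key" not in dst:
            problems.append(f"entry {i}: no 'key' in output")
            continue
        if {k: v for k, v in dst.items() if k != "key"} != src:
            problems.append(f"entry {i}: fields other than 'key' changed")
    return problems

# Constructed sample data: placeholder hex, not real KBAGs or keys.
SAMPLE_INPUT = json.loads("""[
  {"kbag": "00112233445566778899AABBCCDDEEFF", "file": "iBSS", "build": "EXAMPLE"},
  {"kbag": "not-hex", "file": "iBEC"}
]""")

if __name__ == "__main__":
    for problem in validate_batch_input(SAMPLE_INPUT):
        print(problem)
```

Running the input check first keeps a malformed entry from being sent to the device, and the output check confirms the metadata used to match keys to files came back unchanged.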

Building

Requirements:

  • lilirecovery

    • My little libirecovery fork
    • Included as a Git submodule
  • vmacho

    • Only needed if you want to rebuild the payloads

Then just use make:

➜  checkm8_bootkit git:(full) ✗ make      
        building checkm8_bootkit for Mac
        building checkm8_bootkit for iOS
%%%%% done building

Add WITH_ARMV7=1 to the invocation to build the armv7 iOS version as well (broken since Xcode 16).

About

Boot arbitrary iBoot via ipwndfu's custom protocol on some cursed platforms and more
