Home Compiling Apple's iBoots from Source
Post
Cancel

Compiling Apple's iBoots from Source

Posted Aug 11, 2019
By Yui Aioi
2 min read

Back in 2017, the whole Apple’s iBoot source code have been leaked to the public and many people hurried up to download it.

But.

Obviously it sounded too good to be true: the leak were not complete and the source code dated from the iOS 9 era.

That’s why some techniques (specified in this post) have been adapted to make the compilation succeeding!

0x1: Informations

We have the source code yes, but we’re kind of limited in our possible actions because:

  • the available targets are only N41AP - N42AP - N48AP - N49AP (we can still add more platforms however),
  • depends of Apple Internals Tools which cannot be found on the internet like we would find a repo on GitHub.

However, the images (iBEC.bin, iBSS.bin, iBoot.bin, LLB.bin) obtained once we’re done are compiled, decrypted and can be found with the BUILD_TAG DEBUG, DEVELOPEMENT (and RELEASE) depending on what you’ve chose, and this is pretty sweet!

Also, if you wish to add more available platforms, please take a look to Nyan Satan’s post about this!

0x2. Prepare and compile

Contrary to what Nyan Satan had been said, I have been compiled the iBoot on macOS 10.14 so your OS version does not matter as long you have the requiered binaries.


  1. If you get an sdk error, change $(SDKVERSION) by 10.0 (l.33) of config.mk,
  2. By default, the tools/ directory has no privileges, give it some: chmod +x tools/*.
  3. The gkalsr_debug is useless, comment out to fix the error in lib/mach/macho.c (l.29),
  4. The -lcompiler_rt-static variable is useless, you have to remove it in build.mk (l.25),
  5. The sdk set by default is wrong, set iphoneos in the main Makefile instead of iPhoneOS (l.53),
  6. You can also modify the BUILD_TAG in the main Makefile (l.158), up to you to choose the text.
  7. Even if you have already installed WhiteTails, you need to change the path of device_map.db by removing $(SDKVERSION) in device_map.mk (l.36),
  8. if you don’t have img4payload nor image3maker, replace img4payload by img4 by xerub in tools.mk (l.49) (img3maker is on GitHub).


We should be okay, so the last step is nwo to compile everything by doing:

1

make APPLICATIONS="iBoot" TARGETS="nXX" BUILDS="DEVELOPMENT DEBUG" PRODUCTS="iBSS iBEC LLB iBoot"

Replace nXX by the platform of your choice like: `TARGETS=”n42”

0x3. Conclusion

Voilà! That should do the job!

Well, now a lot of opportunities are possible, the most common are:

  • Debug, fun, researches, […],
  • Load image in RAM (see (multi-)kloader),
  • Boot in diags mode (diag-nXX.img3 + iBEC.bin),
  • Use AppleInternal stuff with (cables and software),
  • etcetera etcetera…

It is up to you to decides which usage you will do!


Anyways that is all I wanted to say, I hope this was helpuful!

You can follow me on my twitter if you liked this post and you can also support me by looking at my others projects on GitHub!

Thank you for your time. ヾ(・ω・*)

0x4. references

Apple, iBoot
iBoot Internals
This post is licensed under CC BY 4.0 by the author.
Contents