0:00
What's going on, YouTube? Right here, so in today's video we're discussing the current status of the Blizzard jailbreak for iOS 15.0 up to 16 beta for the checkm8 devices. I want to talk about what's currently going on, which stage I am at with the jailbreak, what's left and stuff like that.

0:16
This video is brought to you by UltFone iOS Location Changer, which allows you to change your location on your device with just a couple of clicks of your mouse. The program allows you to do single-point movement, it allows you to change location directly, and even go with multi-spot movement to any country in the world, which basically allows you to change the location for the applications that require location services, like some games and, you know, dating apps and stuff like that, and even for privacy reasons. You can even change the speed towards that location, if you're going by car or bike and so on, and the program is actually quite easy to use. There are a variety of reasons why you would want to change the location, but this program supports them without jailbreaking.

0:55
So the Blizzard jailbreak that I'm currently working on is essentially my jailbreak for iOS 15, but based on the checkm8 exploit. Essentially it would be something like checkra1n, but this one does not share any part of code with checkra1n aside from the initial exploit, which is checkm8. But yeah, what's currently going on? Well, we got some progress in the past couple of days and I decided to make a new video. At first I got the jailbreak to actually boot with custom logo and verbose boot, which you can see in here. I posted a video a couple of days ago in which I show it in action: it shows the custom logo and then it goes into, whatever, verbose boot over here. This is basically part of the jailbreak itself; it's going to have a custom logo so that you know you are indeed booting into the jailbreak and not into stock iOS, because the exploit itself can actually fail to go into pwned DFU mode and it may reboot the device, and you know if you're jailbroken or not because if you are, it boots with that logo.

1:48
Aside from that, I started working on an experimental kernel patch finder for Blizzard so that I can apply the patches on the fly. Now of course, with jailbreaks based on checkm8, the most important thing is the kernel patcher, or at least to supply a kernel that is already patched. There are some ways to do this and there are different approaches. I talked about them more here on my page; you can actually check out this page called "Blizzard jailbreak for iOS 15.0 to 16 beta current status". This is basically the official page where I post all the updates to the jailbreak in real time, and you can see exactly what I've done and what is still left to do and stuff like that.

2:24
But the way this works: I'm going to use a slide from teamstar's presentation a couple of years ago, because it demonstrates very well how the iOS boot chain works. Essentially, with jailbreaks based on checkm8 you are here: so you run checkm8, you put the iPhone in DFU to get the bootrom exploit, and you would be here in pwned DFU mode; nothing has loaded yet. And from here there are two pathways the device can take. Right now, for testing purposes, I'm doing RAM disks and stuff like that, because some people were like "ah, why are they using RAM disks, it's just this, hmm, disk and stuff". It's not; I'm using RAM disks just for testing purposes. Some people don't realize how little debugging power you have at this early point before the kernel even booted, because there's no debugger I can connect to, not with my equipment anyway. You can do that with development devices, but good luck with that. And aside from using basically term Z in order to redirect the serial output with a DCSD cable, there's not much debugging I can do with the boot chain. So being able to load a custom RAM disk, which would load either SSH or whatever, tells me that yes, the components were patched correctly, for example the iBSS or the iBEC or the kernel and stuff like that, because otherwise these would not boot; you wouldn't be able to boot the Blizzard RAM disk, right?

3:37
But in the end I will not be able to use this pathway over here for jailbreak purposes. I mean, I can, it's technically possible, but it's much more convoluted; it takes much more effort to do, because if you boot via iBSS and iBEC and load a RAM disk and kernel, you can load a custom kernel, and I did that. I already achieved that a couple of days ago: I was able to load my own custom kernel with patched iBSS, iBEC, DeviceTree and so on, and even got it to boot verbose through that. But if you do that, the root file system will not be mounted; the kernel would actually mount the RAM disk instead as the file system, because it will be prepared to do a restore rather than to boot normally. You can actually mount the file system, but it would be somewhere in /mnt something, so it's not going to be the root file system even if you have access to it, which is tricky, is bad. You can boot from there, there are ways to do it, but it requires more work; some daemons wouldn't start if you're in restore mode and stuff like that.

4:34
So the better pathway for the jailbreak would be going from pwned bootrom, which is basically from checkm8, from the exploit, straight to LLB, iBoot, whatever; iBoot nowadays, because on some devices like A10 and newer they are basically the same thing. They share a lot of the code base, with iBEC being capable of doing RAM disks and that's all. But this is the normal pathway that the device takes when it boots normally. In between all these there are checks: bootrom will check LLB, LLB will check iBoot before jumping to it, iBoot will check the kernel before jumping to it and so on, so each step is going to check each other out. But thanks to checkm8 I can disable the checks on the bootrom, and then I can patch each individual component to no longer check the next one, which I already did. I already have iBoot completely patched and I already have the iBSS, iBEC, DeviceTree, RAM disk, whatever, already patched. I'm able to load a kernel that way, and if I load the patched kernel like this and then the device boots and I install the Blizzard application, that application doesn't even have to be signed, because at that point AMFI is dead, so you would be able to install Sileo from there and enable SSH and so on. But this is the preferred pathway for the jailbreak; the second one would probably work with a lot of effort and work, but this one is the preferred one and this one is what I'm currently doing. There are some debugging things that I'm currently doing with iBoot refusing to boot on some devices and stuff like that; it's a pain, but that's currently where I am at the moment.

5:57
I also started working on the bootstrap. The bootstrap will essentially be Procursus and the package manager will be Sileo, because those are modern package managers, so I don't have to mess with patching Cydia myself and trying to keep alive something that is long dead. I will leave that to pound on, but I will go with something modern like Procursus and Sileo, which I know I can get support for if they need an update and stuff like that.

6:21
But yeah, that's currently what's going on with the Blizzard jailbreak; that's essentially it. If you want more info you can definitely check out this page over here; I try to explain in depth how the jailbreak would work and stuff like that. But yes, I did manage to get custom boot with essentially my own logo, and I'm not using a tool for that, by the way. I know it's possible to do this kind of stuff with some tools, but I'm not using a tool; I'm creating my own separate files, my own patched firmware, which is essentially here: I have the DFU patched over here, let's see, the kernel patched over here, I have basically the DeviceTree over here and stuff like that. So I'm patching the components individually and then I'm sending them one by one after pwning the bootrom. If I'm not using a tool for this, I have to do my own patches. Anyway, that's basically it. Thank you for watching, GeoSn0w, till the next time, stay patient and