iOS tooling. Open source.
Low-level iOS access tools built for security researchers — iBoot patching, Astris probe support, and SSH ramdisk access on the latest hardware. All public on GitHub.
The Repos
Three tools covering the bootloader, debug hardware, and ramdisk layers of iOS.
Dynamic patcher for arm64e iBoot images (iBSS/iBEC). Instead of hardcoded offsets, it scans for PACIBSP instructions at runtime to locate patch sites — making it portable across iBoot versions without manual offset hunting. Applies four patches: signature check bypass (the return is RETAB, not RET, because LR is PAC-signed on arm64e), kernel debug enable, custom boot-args, and image type unlock. Requires a dev-fused device (CPFM 0x00 or 0x01). Confirmed on iPhone 15 Plus (d38), iBoot 10151.2.12, iOS 17.0.
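To make the PACIBSP/RETAB point concrete, here is an added example (not code from iBootPatcher64e) that scans a 4-byte-aligned arm64 instruction stream for PACIBSP prologues and reports whether each function's first return is RETAB or a plain RET; the input bytes are constructed, and the instruction encodings are the public ARM ones.

```python
import struct
from typing import Dict, List, Iterator, Tuple

# AArch64 fixed encodings (stored little-endian, 4 bytes each).
PACIBSP = 0xD503237F  # sign LR (x30) with key B, modifier SP
RETAB   = 0xD65F0FFF  # authenticate LR with key B, then return
RET     = 0xD65F03C0  # plain return: faults if LR still carries a PAC
NOP     = 0xD503201F


def words(image: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (offset, instruction) pairs; assumes a 4-byte-aligned code stream."""
    for off in range(0, len(image) - 3, 4):
        yield off, struct.unpack_from("<I", image, off)[0]


def find_pacibsp(image: bytes) -> List[int]:
    """Offsets of every PACIBSP, i.e. candidate arm64e function entries."""
    return [off for off, w in words(image) if w == PACIBSP]


def audit_epilogues(image: bytes) -> Dict[int, str]:
    """Classify the first return after each PACIBSP entry.

    'retab' is the matching authenticated return; 'ret-unauthenticated'
    flags a function that signed LR but returns with plain RET, which
    would fault on arm64e hardware with PAC enabled.
    """
    result: Dict[int, str] = {}
    for entry in find_pacibsp(image):
        kind = "no-return"
        for _, w in words(image[entry + 4:]):
            if w == PACIBSP:          # ran into the next function
                break
            if w == RETAB:
                kind = "retab"
                break
            if w == RET:
                kind = "ret-unauthenticated"
                break
        result[entry] = kind
    return result


def build_sample() -> bytes:
    # Constructed sample, not real iBoot bytes: two three-instruction functions.
    good = [PACIBSP, NOP, RETAB]   # correctly paired prologue/epilogue
    bad = [PACIBSP, NOP, RET]      # signed LR returned without authentication
    return b"".join(struct.pack("<I", w) for w in good + bad)
```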
Patches the firmware of Apple retail technician cables so Astris recognises them as real debug probes. SNR/Nova (Lightning) gets a single-byte PID patch — 0x1624 → 0x1621 — making it appear as a Kanzi probe. For UDT (USB-C) cables it patches is_UDT() to always return 0, spoofing the cable as a Chimp probe (PID 0x168C → 0x162C). Run kblcrcfix from kanzitools after patching to fix the CRC. Confirmed on SNR firmware v1.07 and UDT firmware v1.14.
SSH ramdisk for the iPhone 15 Plus — boots a custom ramdisk over USB that exposes an SSH shell, giving direct low-level file system access without touching the device's internal storage. Operates entirely in ramdisk mode. Requires a dev-fused device (CPFM 0x00 or 0x01) — not for use on retail hardware. Tested exclusively on a CPFM 0x00 prototype unit (d38), iOS 17.0 — the same device used for iBootPatcher64e development.