I. Required tools
System requirement: a Unix-like system (e.g. Linux, Mac)
PC-side tools:
xpwntool:
https://github.com/xerub/xpwn
or
https://github.com/sektioneins/xpwntool-lite
Pre-built for Mac OS X:
https://github.com/kalifans/Darwin/raw/IOS/XPwn-0.5.8-Darwin.zip
Pre-built for Linux:
https://github.com/Mint-Fans/linux-package/raw/IOS/XPwn-0.5.8-Linux.tar.bz2
Hex editor: e.g. HxD or similar
Disassembler: e.g. IDA Pro or similar
SSH client
iOS-side tools:
In Cydia, add the source http://nyansatan.github.io/apt/
Install the following package:
dualbootstuff (contains gptfdisk, hfs_resize, kloader)
Or connect to the device over SSH and install it from the command line:
echo "deb http://nyansatan.github.io/apt/ ./" >> /etc/apt/sources.list.d/cydia.list
apt-get update
apt-get install com.nyansatan.dualbootstuff diskdev-cmds
II. Patching the bootchain
1. iBSS patch
Decrypt the iBSS:
xpwntool <input> <output> -iv <iv> -k <key>
Load it in IDA Pro.
Look at ROM:00000044 LDR R1, =0x34000000
0x34000000 is the load base address.
Edit > Segments > Rebase program... and set the base to 0x34000000.
Search for the string "iBSS ready, asking for DFU..."
You arrive here:
ROM:340008F2 LDR R0, =aIbssReadyAskin ; "iBSS ready, asking for DFU...\n"
ROM:340008F4 BL sub_3400C850
ROM:340008F8 BL sub_34007A18
ROM:340008FC MOVW R10, #0
ROM:34000900 ADD.W R11, SP, #0x14
ROM:34000904 MOV.W R8, #1
ROM:34000908 MOVT.W R10, #0x8FE0 ; change to #0x7FD0
ROM:3400090C
ROM:3400090C loc_3400090C
ROM:3400090C MOVS R0, #1
ROM:3400090E BL sub_340098B4
ROM:34000912 MOV.W R0, #0x200000
ROM:34000916 MOV.W R1, #0x200000
ROM:3400091A STR R0, [SP,#0x14]
ROM:3400091C MOV R0, R10
ROM:3400091E STR.W R10, [SP,#0x18]
ROM:34000922 BL sub_3400B12C ; change to NOP
ROM:34000926 MOV R6, R0
ROM:34000928 CMP R6, #0
ROM:3400092A BLT loc_3400090C ; change to NOP
For the iPhone 4S, change it to #0xBFD0:
0x908 ?B F? D0 ??
For other devices, change it to #0x7FD0:
0x908 ?7 F? D0 ??
On iOS 8, search for the hex bytes 00 00 E0 8F (0x8FE00000) instead and change them to the iBEC remap address that matches multi_kloader, 0x7FD00000.
Search for the string "Apple Mobile Device (DFU Mode)"
Press x and choose the first entry.
You arrive here:
ROM:3400A638 sub_3400A638
ROM:3400A638 PUSH {R4,R7,LR}
ROM:3400A63A LDR R4, =0x34012D34
ROM:3400A63C MOVS R0, #0
ROM:3400A63E ADD R7, SP, #4
ROM:3400A640 LDRB R1, [R4]
ROM:3400A642 CMP R1, #0
ROM:3400A644 IT NE
ROM:3400A646 POPNE {R4,R7,PC}
ROM:3400A648 LDR R0, =aAppleMobileDev ; "Apple Mobile Device (DFU Mode)"
ROM:3400A64A BL sub_3400A6B8
On sub_3400A638, press x to jump back to its caller:
ROM:3400B12C sub_3400B12C
ROM:3400B12C PUSH {R4-R7,LR}
ROM:3400B12E LDR R5, =0x34012EF0
ROM:3400B130 ADD R7, SP, #0xC
ROM:3400B132 STRD.W R0, R1, [R5]
ROM:3400B136 BL sub_3400A638 ; returns to here
On sub_3400B12C, press x to jump back to its caller:
ROM:340008F2 LDR R0, =aIbssReadyAskin ; "iBSS ready, asking for DFU...\n"
ROM:340008F4 BL sub_3400C850
ROM:340008F8 BL sub_34007A18
ROM:340008FC MOVW R10, #0
ROM:34000900 ADD.W R11, SP, #0x14
ROM:34000904 MOV.W R8, #1
ROM:34000908 MOVT.W R10, #0x8FE0 ; change to #0xBFD0
ROM:3400090C
ROM:3400090C loc_3400090C
ROM:3400090C MOVS R0, #1
ROM:3400090E BL sub_340098B4
ROM:34000912 MOV.W R0, #0x200000
ROM:34000916 MOV.W R1, #0x200000
ROM:3400091A STR R0, [SP,#0x14]
ROM:3400091C MOV R0, R10
ROM:3400091E STR.W R10, [SP,#0x18]
ROM:34000922 BL sub_3400B12C ; returns to here; change to NOP
ROM:34000926 MOV R6, R0
ROM:34000928 CMP R6, #0
ROM:3400092A BLT loc_3400090C ; BLT loop; change to NOP
0x922 00 BF 00 BF
0x92A 00 BF
Search the text for "CMP R1, #0x41 ; 'A'"
Go to the start of that function and press x to jump back to the caller.
ROM:340065E8 IT NE
ROM:340065EA ORRNE.W R6, R6, #4
ROM:340065EE ADD R3, SP, #0xC8+var_90
ROM:340065F0 MOV R1, R5
ROM:340065F2 MOV R2, R6
ROM:340065F4 BL sub_34006190 ; you arrive here; change to MOVS R0, #0 / STR R0, [R3]
ROM:340065F8 MOVS R1, #0
ROM:340065FA CMP R0, #0
0x65F4 00 20 18 60
Then look upwards:
ROM:3400657C BL sub_340060E4 ; entered here
ROM:34006580 MOV.W R10, #0xFFFFFFFF
ROM:34006584 CMP R0, #0
ROM:34006586 BNE.W loc_3400679E
ROM:3400658A LDR R0, [SP,#0xC8+var_84]
ROM:3400658C MOVS R5, #0
ROM:3400658E CMP R6, #0
ROM:34006590 LDR R0, [R0]
ROM:34006592 LDR R0, [R0,#0x10]
ROM:34006594 STR R0, [SP,#0xC8+var_9C]
ROM:34006596 BEQ loc_340065B0 ; x 2
ROM:34006598
ROM:34006598 loc_34006598
ROM:34006598 MOV.W R10, #0xFFFFFFFF
ROM:3400659C CMP R5, R6
ROM:3400659E BCS.W loc_3400679E
ROM:340065A2 LDR.W R0, [R8,R5,LSL#2]
ROM:340065A6 ADDS R5, #1
ROM:340065A8 LDR R1, [SP,#0xC8+var_9C]
ROM:340065AA CMP R0, R1
ROM:340065AC BNE loc_34006598
ROM:340065AE LDR R5, [SP,#0xC8+var_9C]
ROM:340065B0
ROM:340065B0 loc_340065B0 ; x 2
ROM:340065B0 LDR R1, [R4,#0xC]
ROM:340065B2 MOVW R2, #0x6733
ROM:340065B6 LDR R0, [R4,#0x10]
ROM:340065B8 MOVT.W R2, #0x696D
ROM:340065BC CMP R1, R2
ROM:340065BE ITT EQ
ROM:340065C0 MOVEQ R6, #1
ROM:340065C2 TSTEQ.W R0, #0x200
ROM:340065C6 BEQ loc_340065CE ; x 1
ROM:340065C8 AND.W R0, R0, #4
ROM:340065CC LSRS R6, R0, #2
ROM:340065CE
ROM:340065CE loc_340065CE ; x 1
ROM:340065CE BL sub_34006EB0
ROM:340065D2 MOV R1, R0
ROM:340065D4 MOVS R0, #0
ROM:340065D6 STRB.W R0, [SP,#0xC8+var_90]
ROM:340065DA LDR R0, [SP,#0xC8+var_84]
ROM:340065DC CMP R0, #0
ROM:340065DE BEQ.W loc_3400682A
ROM:340065E2 CMP R1, #0
ROM:340065E4 LDR.W R8, [R4,#0x10]
ROM:340065E8 IT NE
ROM:340065EA ORRNE.W R6, R6, #4
ROM:340065EE ADD R3, SP, #0xC8+var_90
ROM:340065F0 MOV R1, R5
ROM:340065F2 MOV R2, R6
ROM:340065F4 BL sub_34006190 ; change to MOVS R0, #0 / STR R0, [R3]
You arrive here:
ROM:340060E4 sub_340060E4
ROM:340060E4 PUSH {R4-R7,LR}
ROM:340060E6 ADD R7, SP, #0xC
ROM:340060E8 PUSH.W {R8,R10}
ROM:340060EC MOV R6, R2
ROM:340060EE MOV R8, R0
ROM:340060F0 MOV R10, R3
ROM:340060F2 MOV R5, R1
ROM:340060F4 MOVS R0, #0x16
ROM:340060F6 CMP R6, #0x14
ROM:340060F8 BCC loc_34006188
ROM:340060FA LDR R1, [R5]
ROM:340060FC MOVW R2, #0x6733
ROM:34006100 MOVS R0, #0x16
ROM:34006102 MOVT.W R2, #0x496D
ROM:34006106 CMP R1, R2
ROM:34006108 BNE loc_34006188
ROM:3400610A LDR R1, [R5,#8]
ROM:3400610C SUB.W R2, R6, #0x14
ROM:34006110 MOVS R0, #0x16
ROM:34006112 CMP R1, R2
ROM:34006114 BHI loc_34006188 ; change to NOP
ROM:34006116 LDR R2, [R5,#0xC]
ROM:34006118 MOVS R0, #0x16
ROM:3400611A CMP R2, R1
ROM:3400611C BHI loc_34006188
0x6114 00 BF
No need to re-encrypt after patching.
2. iBEC patch
Decrypt the iBEC:
Usage: xpwntool <input> <output> -iv <iv> -k <key>
Load it in IDA Pro.
Look at ROM:00000044 LDR R1, =0x9FF00000
0x9FF00000 is the load base address.
Edit > Segments > Rebase program... and set the base to 0x9FF00000.
Search the text for "CMP R1, #0x41 ; 'A'"
Go to the start of that function and press x to jump back to the caller.
ROM:9FF1A3D0 MOV R1, R5
ROM:9FF1A3D2 MOV R2, R6
ROM:9FF1A3D4 BL sub_9FF19CC0 ; returns to here; change to MOVS R0, #0 / STR R0, [R3]
0x1A3D4 00 20 18 60
Then look upwards through the code:
ROM:9FF1A35C BL sub_9FF19C14 ; entered here
ROM:9FF1A360 MOV.W R10, #0xFFFFFFFF
ROM:9FF1A364 CMP R0, #0
ROM:9FF1A366 BNE.W loc_9FF1A57E
ROM:9FF1A36A LDR R0, [SP,#0xC8+var_84]
ROM:9FF1A36C MOVS R5, #0
ROM:9FF1A36E CMP R6, #0
ROM:9FF1A370 LDR R0, [R0]
ROM:9FF1A372 LDR R0, [R0,#0x10]
ROM:9FF1A374 STR R0, [SP,#0xC8+var_9C]
ROM:9FF1A376 BEQ loc_9FF1A390 ; x 2
ROM:9FF1A378
ROM:9FF1A378 loc_9FF1A378
ROM:9FF1A378 MOV.W R10, #0xFFFFFFFF
ROM:9FF1A37C CMP R5, R6
ROM:9FF1A37E BCS.W loc_9FF1A57E
ROM:9FF1A382 LDR.W R0, [R8,R5,LSL#2]
ROM:9FF1A386 ADDS R5, #1
ROM:9FF1A388 LDR R1, [SP,#0xC8+var_9C]
ROM:9FF1A38A CMP R0, R1
ROM:9FF1A38C BNE loc_9FF1A378
ROM:9FF1A38E LDR R5, [SP,#0xC8+var_9C]
ROM:9FF1A390
ROM:9FF1A390 loc_9FF1A390 ; x 2
ROM:9FF1A390 LDR R1, [R4,#0xC] ; x 2
ROM:9FF1A392 MOVW R2, #0x6733
ROM:9FF1A396 LDR R0, [R4,#0x10]
ROM:9FF1A398 MOVT.W R2, #0x696D
ROM:9FF1A39C CMP R1, R2
ROM:9FF1A39E ITT EQ
ROM:9FF1A3A0 MOVEQ R6, #1
ROM:9FF1A3A2 TSTEQ.W R0, #0x200
ROM:9FF1A3A6 BEQ loc_9FF1A3AE ; x 1
ROM:9FF1A3A8 AND.W R0, R0, #4
ROM:9FF1A3AC LSRS R6, R0, #2
ROM:9FF1A3AE
ROM:9FF1A3AE loc_9FF1A3AE ; x 1
ROM:9FF1A3AE BL sub_9FF1DF64
ROM:9FF1A3B2 MOV R1, R0
ROM:9FF1A3B4 MOVS R0, #0
ROM:9FF1A3B6 STRB.W R0, [SP,#0xC8+var_90]
ROM:9FF1A3BA LDR R0, [SP,#0xC8+var_84]
ROM:9FF1A3BC CMP R0, #0
ROM:9FF1A3BE BEQ.W loc_9FF1A60A
ROM:9FF1A3C2 CMP R1, #0
ROM:9FF1A3C4 LDR.W R8, [R4,#0x10]
ROM:9FF1A3C8 IT NE
ROM:9FF1A3CA ORRNE.W R6, R6, #4
ROM:9FF1A3CE ADD R3, SP, #0xC8+var_90
ROM:9FF1A3D0 MOV R1, R5
ROM:9FF1A3D2 MOV R2, R6
ROM:9FF1A3D4 BL sub_9FF19CC0 ; change to MOVS R0, #0 / STR R0, [R3]
You arrive here:
ROM:9FF19C14 sub_9FF19C14
ROM:9FF19C14 PUSH {R4-R7,LR}
ROM:9FF19C16 ADD R7, SP, #0xC
ROM:9FF19C18 PUSH.W {R8,R10}
ROM:9FF19C1C MOV R6, R2
ROM:9FF19C1E MOV R8, R0
ROM:9FF19C20 MOV R10, R3
ROM:9FF19C22 MOV R5, R1
ROM:9FF19C24 MOVS R0, #0x16
ROM:9FF19C26 CMP R6, #0x14
ROM:9FF19C28 BCC loc_9FF19CB8
ROM:9FF19C2A LDR R1, [R5]
ROM:9FF19C2C MOVW R2, #0x6733
ROM:9FF19C30 MOVS R0, #0x16
ROM:9FF19C32 MOVT.W R2, #0x496D
ROM:9FF19C36 CMP R1, R2
ROM:9FF19C38 BNE loc_9FF19CB8
ROM:9FF19C3A LDR R1, [R5,#8]
ROM:9FF19C3C SUB.W R2, R6, #0x14
ROM:9FF19C40 MOVS R0, #0x16
ROM:9FF19C42 CMP R1, R2
ROM:9FF19C44 BHI loc_9FF19CB8 ; change to NOP
ROM:9FF19C46 LDR R2, [R5,#0xC]
ROM:9FF19C48 MOVS R0, #0x16
ROM:9FF19C4A CMP R2, R1
ROM:9FF19C4C BHI loc_9FF19CB8
0x19C44 00 BF
Find the string "debug-enabled"
Press x and choose the first entry.
You arrive here:
ROM:9FF1AED0 loc_9FF1AED0
ROM:9FF1AED0 LDR.W R0, =aDebugEnabled ; "debug-enabled"
ROM:9FF1AED4 ADD R1, SP, #0xAC+var_3C
ROM:9FF1AED6 STR R0, [SP,#0xAC+var_3C]
ROM:9FF1AED8 ADD R2, SP, #0xAC+var_40
ROM:9FF1AEDA LDR R0, [SP,#0xAC+var_34]
ROM:9FF1AEDC ADD R3, SP, #0xAC+var_38
ROM:9FF1AEDE BL sub_9FF17B8C
ROM:9FF1AEE2 CMP R0, #1
ROM:9FF1AEE4 BNE loc_9FF1AEF6
ROM:9FF1AEE6 MOVS R0, #0x20 ; ' '
ROM:9FF1AEE8 BL sub_9FF20E40 ; change to MOVS R0, #1
ROM:9FF1AEEC CMP R0, #1
ROM:9FF1AEEE ITTT EQ
ROM:9FF1AEF0 LDREQ R0, [SP,#0xAC+var_40]
ROM:9FF1AEF2 MOVEQ R1, #1
ROM:9FF1AEF4 STREQ R1, [R0]
0x1AEE8 01 20 01 20
Find the string "upgrade" and change it to "fsboot".
Find the string "false" and change it to "true".
Find the string "Reliance on this certificate by any party assumes acceptance"; it is located at offset 0x42680.
0x42680 + 0x9FF00000 = 0x9FF42680, as bytes: 80 26 F4 9F
At 0x42680 write rd=disk0s1s3 cs_enforcement_disable=1 -v amfi=0xff
Search for "rd=md0 nand-enable-reformat=1 -progress"; it is located at offset 0x3B810.
0x3B810 + 0x9FF00000 = 0x9FF3B810, as bytes: 10 B8 F3 9F
Search for the location of the pointer that points to 0x9FF3B810:
Find the bytes 10 B8 F3 9F
The pointer at 0x1C250 points to 0x9FF3B810.
Replace the pointer to "rd=md0 ..." with a pointer to "rd=disk0s1s3 cs_enforcement_disable=1 -v amfi=0xff":
At offset 0x1C250 write 80 26 F4 9F (0x9FF42680)
After patching, add the img3 header back:
Usage: xpwntool <input> <output> -t <original encrypted file>
Example:
xpwntool iBEC.dec iBEC -t iBEC.n94ap.RELEASE.dfu
3. keybagd patch
For iOS 6/7.
After installing the second system:
Use scp to download root@device_ip:/mnt3/usr/libexec/keybagd to the computer and patch it; afterwards replace the original file with it and re-sign it.
Search for RegisterBackupBag
__const:0000A27C DCD cfstr_Com_apple_keys ; "com.apple.keystore.device"
__const:0000A280 DCD cfstr_Registerbackup ; "RegisterBackupBag"
__const:0000A284 DCD sub_23B8+1 ; click into this one
__text:000023B8 PUSH {R4-R7,LR}
__text:000023BA ADD R7, SP, #0xC ; change to MOVS R0, #0 / POP {R4-R7,PC}
__text:000023BC STR.W R8, [SP,#0xC+var_10]!
__text:000023C0 SUB SP, SP, #0x34
__text:000023C2 MOV R5, R1
__text:000023C4 MOV R1, #(cfstr_Backupkeybagke - 0x23D2) ; "BackupKeyBagKeys"
__text:000023CC MOV R8, R0
__text:000023CE ADD R1, PC ; "BackupKeyBagKeys"
__text:000023D0 MOV R0, R5
__text:000023D2 BL sub_1CA4
__text:000023D6 MOVW R1, #(:lower16:(cfstr_Passcode - 0x23E6)) ; "Passcode"
__text:000023DA MOV R6, R0
__text:000023DC MOVT.W R1, #(:upper16:(cfstr_Passcode - 0x23E6)) ; "Passcode"
__text:000023E0 MOV R0, R5
__text:000023E2 ADD R1, PC ; "Passcode"
0x13BA 00 20 F0 BD
Search for EXPORT _AppleKeyStoreKeyBagChangeSecret
Press x to jump back to the caller.
You arrive here:
__text:0000622A BL _AppleKeyStoreKeyBagGetSystem
__text:0000622E MOV R1, R0
__text:00006230 MOV.W R0, #0xFFFFFFFF
__text:00006234 CBNZ R1, loc_6266 ; change to B
__text:00006236 LDR R0, [SP,#0x1C+var_14]
__text:00006238 MOV R1, R6
__text:0000623A MOV R2, R5
__text:0000623C BL _AppleKeyStoreKeyBagChangeSecret
__text:00006240 MOV R1, R0
__text:00006242 MOV.W R0, #0xFFFFFFFF
__text:00006246 CBNZ R1, loc_6266
__text:00006248 LDR R0, [SP,#0x1C+var_14]
__text:0000624A MOV R2, #(aPrivateVar - 0x625A) ; "/private/var/"
__text:00006252 MOV.W R8, #1
__text:00006256 ADD R2, PC ; "/private/var/"
__text:00006258 MOVS R1, #0
__text:0000625A MOV R3, R4
__text:0000625C STR.W R8, [SP,#0x1C+var_1C]
__text:00006260 STR R1, [SP,#0x1C+var_18]
__text:00006262 BL _KBSaveBagHandle
0x5234 17 E0
Search for EXPORT _KBUpdateSystemKeyBag
__text:00006338 EXPORT _KBUpdateSystemKeyBag
__text:00006338 PUSH {R4-R7,LR}
__text:0000633A ADD R7, SP, #0xC
__text:0000633C STR.W R8, [SP,#0xC+var_10]!
__text:00006340 SUB SP, SP, #0xC
__text:00006342 MOV R5, R0
__text:00006344 MOV R0, #(aPrivateVarKeyb - 0x6358) ; "/private/var//keybags"
__text:0000634C MOV R1, #(aSystembag - 0x635A) ; "systembag"
__text:00006354 ADD R0, PC ; "/private/var//keybags"
__text:00006356 ADD R1, PC ; "systembag"
__text:00006358 BL _KBLoadKeyBag
__text:0000635C MOV R6, R0
__text:0000635E CMP R6, #0
__text:00006360 BEQ loc_63EC ; change to B
__text:00006362 MOVW R1, #(:lower16:(cfstr_Opaquestuff - 0x6370)) ; "OpaqueStuff"
__text:00006366 MOV R0, R6
__text:00006368 MOVT.W R1, #(:upper16:(cfstr_Opaquestuff - 0x6370)) ; "OpaqueStuff"
0x5360 ?? E0
Search for the string "auto-boot"
__text:00002BCA ADD R0, PC ; "keybagd"
__text:00002BCC BL sub_2A4C
__text:00002BD0 MOV R0, #(aAutoBoot - 0x2BE4) ; "auto-boot"
__text:00002BD8 MOV R1, #(aFalse - 0x2BE6) ; change the string to true
__text:00002BE0 ADD R0, PC ; "auto-boot"
__text:00002BE2 ADD R1, PC ; "false"
Search for the string "false" and change it to "true", terminated with 0x00.
III. Disk partitioning
Resizing the second partition
================================
Resize the /private/var partition to free up space for creating two additional partitions.
* Check free space
Connect to the device over SSH:
ssh root@device_ip
# df -B1
Filesystem 1B-blocks Used Available Use% Mounted on
/dev/disk0s1s1 2332835840 2224795648 84713472 97% /
devfs 26624 26624 0 100% /dev
/dev/disk0s1s2 13521633280 476921856 13044711424 4% /private/var
/dev/disk1 240852992 69222400 171630592 29% /Developer
/ is the system partition
/private/var is the data partition
1B-blocks: total space
Used: space in use
Available: free space
From the output above, the data partition has:
Total space 13521633280 bytes (about 12.59 GB)
Used 476921856 bytes (about 454.8 MB)
Free 13044711424 bytes (about 12.14 GB)
The data partition must keep at least 400-500 MB free; iOS subtracts 200 MB from the real free space, so at least 700 MB or more must be left.
For example: we want to allocate 8 GB to the second system and leave the remaining free space to the "disk0s1s2 data partition".
Calculate the new size:
8*1024*1024*1024 = 8589934592 bytes
second partition size - third partition size = new second partition size
total space (13521633280) - 8G (8589934592) = new data partition size (4931698688) bytes (about 4.59 GB)
Usage:
hfs_resize <mount point> <new size in bytes>
Example: resize /private/var to 4.59 GB (4931698688 bytes)
hfs_resize /private/var 4931698688
Then run df to check the result:
# df -B1
Filesystem 1B-blocks Used Available Use% Mounted on
/dev/disk0s1s1 2332835840 2224795648 84713472 97% /
devfs 26624 26624 0 100% /dev
/dev/disk0s1s2 4931698688 474763264 4456935424 10% /private/var
/dev/disk1 240852992 69222400 171630592 29% /Developer
Editing the partitions
Edit the disk:
gptfdisk /dev/rdisk0s1
p
Command (? for help): p
Disk /dev/rdisk0s1: 3870731 sectors, 14.8 GiB
Logical sector size: 4096 bytes
Disk identifier (GUID): DA60F21F-DD91-4076-A4D3-632BA7F38079
Partition table holds up to 2 entries
First usable sector is 6, last usable sector is 3870725
Partitions will be aligned on 2-sector boundaries
Total free space is 0 sectors (0 bytes)

Number Start (sector) End (sector) Size Code Name
 1 6 569545 2.2 GiB AF00 System
 2 569546 3870725 12.6 GiB AF00 Data
Partition 1: start sector 6, end sector 569545
Partition 2: start sector 569546, end sector 3870725
One sector equals 4096 bytes (4 KB); sector alignment is what is commonly called 4K alignment.
Fixing the second partition
The hfs_resize adjustment may not end on a sector boundary, so gptfdisk must be used to re-align the data partition's sectors.
Show the details of partition 2:
i 2
Command (? for help): i
Partition number (1-2): 2
Partition GUID code: 48465300-0000-11AA-AA11-00306543ECAC (Apple HFS/HFS+)
Partition unique GUID: 353A726C-E8E1-4A9C-BD2D-BF34F7810862
First sector: 569546 (at 2.2 GiB)
Last sector: 3870725 (at 14.8 GiB)
Partition size: 3301180 sectors (12.6 GiB)
Attribute flags: 0003000000000000
Partition name: 'Data'
Note down the Partition unique GUID: 353A726C-E8E1-4A9C-BD2D-BF34F7810862; it is needed later to restore the GUID.
Delete the second partition:
d 2
Command (? for help): d
Partition number (1-2): 2
Calculate the second partition's size in sectors:
new size (bytes) / 4096 = size in sectors
4931698688 / 4096 = 1204028
start sector + size in sectors = end sector
569546 + 1204028 = 1773574
Note down that the second partition's end sector is 1773574.
Fix the second partition's sector size
Create the new partition:
n ENTER 1773574 ENTER
Command (? for help): n
Using 2
First sector (569546-3870725, default = 569546) or {+-}size{KMGTP}:
Last sector (569546-3870725, default = 3870725) or {+-}size{KMGTP}: 1773574
Current type is 'Apple HFS/HFS+'
Hex code or GUID (L to show codes, Enter = AF00):
Changed type of partition to 'Apple HFS/HFS+'
Change the second partition's label to Data:
c 2 Data
Command (? for help): c
Partition number (1-2): 2
Enter name: Data
Check the result:
p
Command (? for help): p
Disk /dev/rdisk0s1: 3870731 sectors, 14.8 GiB
Logical sector size: 4096 bytes
Disk identifier (GUID): DA60F21F-DD91-4076-A4D3-632BA7F38079
Partition table holds up to 2 entries
First usable sector is 6, last usable sector is 3870725
Partitions will be aligned on 2-sector boundaries
Total free space is 2097151 sectors (8.0 GiB)

Number Start (sector) End (sector) Size Code Name
 1 6 569545 2.2 GiB AF00 System
 2 569546 1773574 4.6 GiB AF00 Data
Fix the second partition's Attribute flags
Normally the system partition's Attribute flags are 0000000000000000
and the data partition's Attribute flags are 0003000000000000
x a 2 48 49 ENTER
Command (? for help): x
Expert command (? for help): a
Partition number (1-2): 2
Known attributes are:
0: system partition
1: hide from EFI
2: legacy BIOS bootable
60: read-only
62: hidden
63: do not automount

Attribute value is 0000000000000000. Set fields are:
 No fields set
Toggle which attribute field (0-63, 64 or <Enter> to exit): 48
Have enabled the 'Undefined bit #48' attribute.
Attribute value is 0001000000000000. Set fields are:
48 (Undefined bit #48)
Toggle which attribute field (0-63, 64 or <Enter> to exit): 49
Have enabled the 'Undefined bit #49' attribute.
Attribute value is 0003000000000000. Set fields are:
48 (Undefined bit #48)
49 (Undefined bit #49)
Toggle which attribute field (0-63, 64 or <Enter> to exit):
Restore the previous GUID
The Partition unique GUID noted earlier is 353A726C-E8E1-4A9C-BD2D-BF34F7810862
c 2 353A726C-E8E1-4A9C-BD2D-BF34F7810862
Expert command (? for help): c
Partition number (1-2): 2
Enter the partition's new unique GUID ('R' to randomize): 353A726C-E8E1-4A9C-BD2D-BF34F7810862
New GUID is 353A726C-E8E1-4A9C-BD2D-BF34F7810862
The second partition is now done.
Creating the second system's partitions
Change the partition table to allow 4 partitions:
s 4
Expert command (? for help): s
Current partition table size is 32.
Enter new size (32 up, default 128): 4
Caution: The partition table size should officially be 16KB or larger,
which works out to 128 entries. In practice, smaller tables seem to
work with most OSes, but this practice is risky. I'm proceeding with
the resize, but you may want to reconsider this action and undo it.
Adjusting GPT size from 4 to 32 to fill the sector
Return to the main menu:
m
Expert command (? for help): m
Command (? for help):
Create the third partition (the second system's system partition)
Before setting it up, determine the size of the target system to be installed, then calculate the third partition's size in sectors and set its end sector accordingly.
Alternatively, you can allocate a somewhat larger number of sectors to the third partition.
For example, allocate 2.2 GB to the third partition:
2.2GB = 2248MB
2248*1024*1024 = 2357198848 bytes
2357198848 / 4096 = 575488 (size in sectors)
start sector + size in sectors = end sector
1773576 + 575488 = 2349064
n 3 ENTER 2349064 ENTER
Command (? for help): n
Partition number (3-32, default 3): 3
First sector (3-3870728, default = 1773576) or {+-}size{KMGTP}:
Last sector (1773576-3870728, default = 3870728) or {+-}size{KMGTP}: 2349064
Current type is 'Apple HFS/HFS+'
Hex code or GUID (L to show codes, Enter = AF00):
Changed type of partition to 'Apple HFS/HFS+'
Create the fourth partition (the second system's data partition)
Set the fourth partition's end sector to:
the 3870728 in "Last sector (2349066-3870728, default = 3870728)" minus 3 = 3870725
That is, 3 sectors must be left free after the fourth partition's end sector.
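The partition arithmetic from the steps above, collected into one added example (not part of the original post) so the plan can be recomputed for a device with different df and gptfdisk figures. The sample values are the ones the guide shows and are constructed input here; the 4096-byte sector, 2-sector alignment, 700 MB free-space floor and 3-sector tail reserve are the guide's own rules.

```python
# Added example (not from the original post): recompute the dual-boot
# partition plan from the df and gptfdisk figures shown in the guide.
SECTOR = 4096                  # logical sector size reported by gptfdisk
ALIGN = 2                      # gptfdisk aligns partitions on 2-sector boundaries
MIN_FREE = 700 * 1024 ** 2     # guide: keep >= 700 MB free (iOS hides 200 MB of it)
TAIL_RESERVE = 3               # guide: leave 3 sectors after the last partition

# Constructed sample input, copied from the df / gptfdisk output above.
DATA_TOTAL = 13521633280       # 1B-blocks of /dev/disk0s1s2
DATA_USED = 476921856          # Used bytes of /dev/disk0s1s2
DATA_START = 569546            # first sector of partition 2
SECOND_SYSTEM = 8 * 1024 ** 3  # bytes handed to the second system
THIRD_PART = 2248 * 1024 ** 2  # the guide's "2.2GB" system partition
LAST_USABLE = 3870728          # last usable sector once the table holds 4 entries


def shrink_data_partition(total, used, give_away):
    """New /private/var size in bytes; hfs_resize itself warns about neither check."""
    new_size = total - give_away
    if new_size % SECTOR:
        raise ValueError(f"{new_size} is not a multiple of {SECTOR}: re-align with gptfdisk")
    if new_size - used < MIN_FREE:
        raise ValueError("fewer than 700 MB would stay free on /private/var")
    return new_size


def end_sector(start, size_bytes):
    """End sector as the guide computes it (start + sector count).
    The strict inclusive end is one less; the guide's form leaves a spare sector."""
    return start + size_bytes // SECTOR


def next_start(prev_end):
    """First free sector after prev_end, rounded up to gptfdisk's alignment."""
    s = prev_end + 1
    return s + (-s % ALIGN)


def layout():
    """Sector plan for partitions 2 (Data), 3 and 4 as (start, end) pairs."""
    data_size = shrink_data_partition(DATA_TOTAL, DATA_USED, SECOND_SYSTEM)
    data_end = end_sector(DATA_START, data_size)
    third_start = next_start(data_end)
    third_end = end_sector(third_start, THIRD_PART)
    fourth_start = next_start(third_end)
    return {
        "data_bytes": data_size,
        2: (DATA_START, data_end),
        3: (third_start, third_end),
        4: (fourth_start, LAST_USABLE - TAIL_RESERVE),
    }


if __name__ == "__main__":
    for part, value in layout().items():
        print(part, value)
```

The computed starts (1773576 and 2349066) match the defaults gptfdisk offers in the prompts above, which is a quick way to confirm the alignment reasoning before typing the numbers in.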
This article is original work by djpvd of the 看雪 forum; when reposting, please credit the 看雪 community.