Tutorial:Booting XNU on A4 Devices

These steps will let you boot XNU on all A4 devices. The tutorial was written for Macs with an iPhone 4 running iOS 6.1.3.

Instructions
First you must install the CTF tools etc. Follow these instructions for 10.8. For 10.9, run these commands in Terminal:

$ curl -O http://opensource.apple.com/tarballs/dtrace/dtrace-118.tar.gz
$ curl -O http://opensource.apple.com/tarballs/AvailabilityVersions/AvailabilityVersions-6.tar.gz
$ git clone https://github.com/darwin-on-arm/xnu
$ tar zxf dtrace-118.tar.gz
$ cd dtrace-118
$ mkdir -p obj sym dst
$ xcodebuild install -target ctfconvert -target ctfdump -target ctfmerge ARCHS="x86_64" SRCROOT=$PWD OBJROOT=$PWD/obj SYMROOT=$PWD/sym DSTROOT=$PWD/dst
$ sudo ditto $PWD/dst/usr/local /usr/local
$ cd ..
$ tar zxf AvailabilityVersions-6.tar.gz
$ cd AvailabilityVersions-6
$ mkdir -p dst
$ make install SRCROOT=$PWD DSTROOT=$PWD/dst
$ sudo ditto $PWD/dst/usr/local `xcrun -sdk / -show-sdk-path`/usr/local
$ cd ..
$ cd xnu

Now you are in the xnu folder. Next you must build it for the A4:

$ make TARGET_CONFIGS="debug arm S5L8930X"

Navigate to BUILD/obj/DEBUG_ARM_S5L8930X. This folder contains many files; mach_kernel is the bootable image.

Now you need the 4.x IPSW for your A4 device. If the device runs a newer iOS version, you still need the IPSW for iOS 4.1.

You need redsn0w in order to boot the kernel. Open Terminal and navigate to the redsn0w folder. Now type the following commands:

$ cd redsn0w.app/Contents/MacOS
$ ./redsn0w -i <'4.1 iPSW'> -k <'mach_kernel'>

Here is an example command:

$ ./redsn0w -i /Users/Louis/Desktop/iOS\:Mac\ hack/XNU_Kernel_Panic_Apple_A4-Booting/iPhone3\,1_4.1_8B117_Restore.ipsw -k /Users/Louis/Desktop/xnu/BUILD/obj/DEBUG_ARM_S5L8930X/mach_kernel

Boot-args:

  -graphics-mode      Enables video console graphics boot. Enables OS X style spinner and panic dialog.
  -no-cache           Disable L1i and L1d data/instruction caching completely.
  silence_kprintf     Remove kprintf serial output.
  kprintf             Send all kprintf output to the video console or serial console.
  symbolicate-panics  Symbolicate all panic backtraces.
  kernel_read_only    Enable/disable kernel R-X protection.
  dataconstro         Override kernel const data section R-- protection.
  npvhash             Specify the internal PV hash value (used internally in pmap; keep it at N^2-1).
  -panic-reboot       Reboot on panics (only if the PE_halt_restart hook is installed).
  -early-fb-debug     Early kprintf output is sent to the framebuffer; use with kprintf=1.
  -avoid-uarts        Avoid initializing UARTs entirely (only on S5L89xx).
  -force-uarts        Force initializing UARTs (only on S5L89xx).
  omapfbres           Specify OMAP3530 DSS display resolution size.
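The build and boot steps above, gathered into one script with checks, as an added example that is not part of the darwin-on-arm/xnu project or of redsn0w. It assumes the repository was cloned to XNU_DIR (default ./xnu), derives the output directory from TARGET_CONFIGS the way this page shows it (debug arm S5L8930X gives BUILD/obj/DEBUG_ARM_S5L8930X), refuses an IPSW whose file name is not a 4.x restore image, and checks a boot-args string against the table above. The variable names XNU_DIR, IPSW, REDSN0W_APP, CONFIG, BOOT_ARGS, DRY_RUN and RUN_BOOT are this script's own; the page does not say how boot-args reach the kernel, so the script only validates and prints them.

```shell
#!/bin/sh
# Added example (not from the darwin-on-arm/xnu project or from redsn0w): the
# build-and-boot procedure of this page wrapped in a script with checks.
# XNU_DIR, IPSW, REDSN0W_APP, CONFIG, BOOT_ARGS, DRY_RUN and RUN_BOOT are
# hypothetical variable names chosen for this script.

# Map a TARGET_CONFIGS triple such as "debug arm S5L8930X" to the output
# directory the build creates (BUILD/obj/DEBUG_ARM_S5L8930X on this page).
build_dir_for_config() {
    printf 'BUILD/obj/%s\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr ' ' '_')"
}

# The page calls for a 4.x restore IPSW even when the device runs a newer iOS.
# Apple restore images are named <model>_<version>_<build>_Restore.ipsw.
ipsw_is_ios4() {
    case "$(basename "$1")" in
        *_4.*_Restore.ipsw) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Boot-args from the table above. Names starting with '-' are bare switches;
# the others are written key=value (e.g. kprintf=1). Returns 1 on any unknown name.
KNOWN_SWITCHES="-graphics-mode -no-cache -panic-reboot -early-fb-debug -avoid-uarts -force-uarts"
KNOWN_KEYS="silence_kprintf kprintf symbolicate-panics kernel_read_only dataconstro npvhash omapfbres"

validate_boot_args() {
    rc=0
    for tok in $1; do
        name=${tok%%=*}          # strip "=value" when present
        found=0
        for known in $KNOWN_SWITCHES $KNOWN_KEYS; do
            [ "$known" = "$name" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            printf 'unknown boot-arg: %s\n' "$tok" >&2
            rc=1
        fi
    done
    return $rc
}

# Build (unless mach_kernel already exists), check the inputs, then hand the kernel
# to redsn0w exactly as the page does: cd into the bundle and run ./redsn0w -i ... -k ...
main() {
    xnu_dir=${XNU_DIR:-./xnu}
    config=${CONFIG:-"debug arm S5L8930X"}
    app=${REDSN0W_APP:-./redsn0w.app}
    boot_args=${BOOT_ARGS:-"-graphics-mode kprintf=1 -early-fb-debug"}

    # The CTF tools built from dtrace must be on PATH or the xnu build fails part-way.
    for tool in ctfconvert ctfdump ctfmerge xcrun; do
        command -v "$tool" >/dev/null 2>&1 || { printf 'missing tool: %s\n' "$tool" >&2; return 1; }
    done

    kernel="$xnu_dir/$(build_dir_for_config "$config")/mach_kernel"
    if [ ! -f "$kernel" ]; then
        (cd "$xnu_dir" && make TARGET_CONFIGS="$config") || return 1
    fi
    [ -f "$kernel" ] || { printf 'build produced no %s\n' "$kernel" >&2; return 1; }

    ipsw_is_ios4 "${IPSW:?set IPSW to a 4.x restore image}" || {
        printf '%s is not a 4.x restore IPSW\n' "$IPSW" >&2; return 1; }
    validate_boot_args "$boot_args" || return 1

    # Absolute paths, because redsn0w is started from inside its bundle.
    kernel=$(cd "$(dirname "$kernel")" && pwd)/mach_kernel
    ipsw=$(cd "$(dirname "$IPSW")" && pwd)/$(basename "$IPSW")

    # This page does not say how boot-args are passed to the kernel, so they are
    # only validated and shown here.
    printf 'boot-args OK: %s\n' "$boot_args"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run: %s/Contents/MacOS/redsn0w -i "%s" -k "%s"\n' "$app" "$ipsw" "$kernel"
        return 0
    fi
    cd "$app/Contents/MacOS" && ./redsn0w -i "$ipsw" -k "$kernel"
}

# Only run when explicitly asked, so the functions can also be sourced.
if [ "${RUN_BOOT:-0}" = 1 ]; then
    main "$@"
fi
```

Run it from the directory containing the xnu clone with RUN_BOOT=1 and IPSW pointing at the 4.1 restore image; DRY_RUN=1 prints the redsn0w command instead of starting it. Passing the paths as single quoted arguments means a path containing spaces, colons or commas (like the example command above) needs no backslash escaping.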

Now you must get your device into DFU Mode.

Wait a few seconds and a white screen will flash on your iDevice. Then you will see the pineapple on your iDevice. 30-60 seconds later the kernel will be booted. You'll see 'Still waiting for root device' for a while, but a kernel panic will occur if you wait more than 10-30 minutes.

And that's it.