Research: Re-allowing unsigned ramdisks and boot-args with the 2.* iBoot

From The Apple Wiki


Ramdisks will run from the get go, just use xpwntool to pack / encrypt them using a vanilla ramdisk as the template. I am not sure if xpwntool will do this, so you may want to check the header to make sure the correct info (sizes etc) are there.


They use a buffer that is passed on when booting a kernel for boot args, the difference in 2.x is that the boot-args NVRAM var is totally ignored. Not only would a 'patch' be needed, but some code would actually need to be added, somehow.