
Usage

MANUAL: turdus_merula
NAME
    turdus_merula — Restore IPSW firmware to an iOS device

SYNOPSIS
    turdus_merula [OPTIONS] PATH

DESCRIPTION
    turdus_merula is a specialized fork of idevicerestore. It is used to
    restore IPSW firmware at PATH to an iOS device.

    The PATH argument must be the final parameter and can be a compressed
    .ipsw file or a directory containing extracted IPSW components.

OPTIONS
    -i, --ecid ECID
        Target a specific device by its ECID.
        e.g., 0xaabb123456 (hex) or 1234567890 (decimal).

    -u, --udid UDID
        Target a specific device by its UDID.
        Note: This only works with devices in normal mode.

    -y, --no-input
        Enable non-interactive mode. The tool will not ask for any user input.
        WARNING: This disables critical safety prompts designed to prevent
        DATA LOSS. Use with extreme caution.

    --ipsw-info
        Print detailed information about the IPSW at PATH and exit.

    -h, --help
        Display this usage information and exit.

    -C, --cache-path DIR
        Use the specified directory for caching extracted or reused files.

    -d, --debug
        Enable detailed communication debugging output.

    -v, --version
        Print version information and exit.

ADVANCED/EXPERIMENTAL OPTIONS
    -s, --server URL
        Override the default signing server request URL.

    -P, --plain-progress
        Print progress as plain step and progress.

    --variant VARIANT
        Use given VARIANT to match the build identity to use,
        e.g. 'Customer Erase Install (IPSW)'.

RESTORE AND DOWNGRADE OPTIONS
    -w, --downgrade
        Restore the device to an official firmware using a saved TSS record
        (SHSH). The SHSH must match the target firmware version.
        Note: --load-shsh must be specified when using this option.

    --load-shsh PATH
        Load a custom SHSH (ticket.shsh2) from the specified PATH.

    -o, --tethered
        Restore to any official firmware without a matching SHSH by using the
        latest signed ticket. Requires a checkm8 exploit on every reboot.

    -j, --boot-pongo
        Boot pongoOS with the restore chain without performing a restore.

    --enable-serial
        Enable serial output during restore.

    -b, --bbfw PATH
        Override the BasebandFirmware image.

    -f, --sefw PATH
        Override the SE Firmware image.

    -r, --rsepfw PATH
        Override the RestoreSEP image4 payload.

    --signed-manifest PATH
        Override the BuildManifest for signed firmware components.

    --signed-variant VARIANT
        Use the given VARIANT for custom signed firmware components.

    --allow-unsupport
        Allow restore to an unsupported firmware version.

    --api-url URL
        Override the default API server URL.
        Default: https://api.ipsw.me/v4/device/

    --show-hash
        Show the SHA2-384 hashes of embedded modules.

A9/A9X SPECIFIC EXPLOIT OPTIONS
    These options are exclusive to A9/A9X devices for handling SEPROM
    exploits.

    --get-shcblock
        Acquire the shcblock required for the SEPROM exploit (fwload race).
        Usage:
            ./turdus_merula --get-shcblock <IPSW>

    --get-pteblock
        Acquire the pteblock required for the SEPROM exploit (boot_tz0 race).
        Requires loading a previously acquired shcblock.
        Usage:
            ./turdus_merula --load-shcblock <shcblock.bin> --get-pteblock <IPSW>

    --load-shcblock PATH
        Load the SEP ciphertext block (shcblock) for either pteblock
        acquisition or the final restore process.
        Restore Usage:
            ./turdus_merula -w --load-shsh <ticket.shsh2> --load-shcblock <shcblock.bin> <IPSW>

    --load-pteblock PATH
        Load the SEP ciphertext block (pteblock) for the final restore
        process.
        Restore Usage:
            ./turdus_merula -w --load-shsh <ticket.shsh2> --load-pteblock <pteblock.bin> <IPSW>

RESOURCES
    Homepage:    <https://sep.lol>
    Bug Reports: <https://github.com/turdus-m3rula/bugTracker>

MANUAL: turdusra1n

NAME
    turdusra1n — checkm8-based utility for DFU exploitation and tethered
    booting

SYNOPSIS
    turdusra1n [MODES] [OPTIONS]

DESCRIPTION
    turdusra1n is a specialized tool for A9(X) and A10(X) devices. It
    leverages the checkm8 exploit to enter pwned DFU mode, fetch SEPROM
    ciphertext blocks, and perform tethered boots for devices that have been
    downgraded.

MODES
    -D, --dfu-boot
        Enters pwned DFU mode using checkm8. This mode is a prerequisite for
        using turdus_merula to restore the device to an arbitrary firmware.

    -g, --get-block
        Fetches the SEP ciphertext block. This is only available on devices
        already running in a tethered-downgraded state.
        - No extra args: Fetches the SHC ciphertext block.
        - With -C: Fetches the PTE ciphertext block.

    -T, --tethered-boot-a9
        Perform a tethered boot for A9/A9X devices via checkm8. Requires
        either a cached or fetched (via -g) ciphertext block.
        - If using SHC block: Requires a personalized SEP.img4 and the target
          version's SEP.im4p.

    -t, --tethered-boot-a10 <PATH>
        Perform a tethered boot for A10/A10X devices via checkm8. Requires
        the following cached files:
        - Personalized iBoot.img4 (specified at <PATH>)
        - Personalized SEP.img4 (via -i)
        - Target version SEP.im4p (via -p)

GENERAL OPTIONS
    -h, --help
        Prints usage information.

    --version
        Print version information.

    -E, --early-exit
        Exit after uploading PongoOS.

    -k, --override-pongo <FILE>
        Override the default pongo image with the specified <FILE>.

    -v, --debug-logging
        Enable detailed debug logging for troubleshooting.

    -b, --boot-nonce <GENERATOR>
        Used in conjunction with -D to set a specific boot-nonce generator.
        This is mandatory when performing a restore via turdus_merula with
        the -w option using a cached TSS record (SHSH). It forces the
        device's nonce to match the generator value preserved in the SHSH,
        enabling the restore process to validate against the cached record.

    -S, --sigcheck-patch
        Apply signature check patches during the process.

    -X, --sep-exploit-only
        Run SEPROM exploit only and exit before kernel patch for tethered
        booting.

    -x, --sep-kpatch-only
        Run SEPROM exploit and patch the kernel for tethered booting, then
        exit without booting.

    -e, --extra-bootargs <args>
        Set extra kernel boot arguments.

    -V, --verbose-boot
        Enable verbose boot output on the device screen.

    -P, --load-pteblock <PATH>
        Load the SEP ciphertext block (tz0_boot race) for A9/A9X.

    -C, --load-shcblock <PATH>
        Load the SEP ciphertext block (fwload race) for A9/A9X.

    -i, --sep-img4 <PATH>
        Load a valid, personalized SEP.img4 file for the SEPROM exploit.

    -p, --sep-im4p <PATH>
        Load a SEP.im4p payload file for the SEPROM exploit.

    -r, --checkra1n
        Apply an unofficial checkra1n jailbreak during the boot process.
        Note: Stage 4 is not supported. Once the device boots, you must
        manually execute official checkra1n v0.12.4 beta with CLI mode.

    -s, --safemode
        Boot with safemode (requires -r and --checkra1n args).

    -c, --cache-dir <DIR>
        Use the specified directory for caching.

    --show-hash
        Show the SHA2-384 hashes of embedded modules.

ENVIRONMENT VARIABLES
    RA1N_ABORT_TIMEOUT
        Set a custom timeout value (0 to 999999999) for the exploit abort
        timer. While the default value is sufficient for standard platforms
        (Intel or Apple Silicon), this variable allows for timing adjustments
        on specific environments like Linux (AMD) or Raspberry Pi (ARM64)
        where the exploit may fail due to platform-specific USB stack
        behavior.
        e.g. Raspberry Pi 5: RA1N_ABORT_TIMEOUT=1000000

EXAMPLES
    - Enter pwned DFU mode with a specific nonce for SHSH restore:
        turdusra1n -D -b 0x1111111111111111

    - Fetch SHC ciphertext block (A9/A9X):
        turdusra1n -g

    - Fetch PTE ciphertext block (A9/A9X):
        turdusra1n -g -i <sep.img4> -C <shcblock.bin>

    - Tethered boot (A9/A9X using PTE block):
        turdusra1n -T -P <pteblock.bin>

    - Tethered boot (A10/A10X):
        turdusra1n -t <iBoot.img4> -i <sep.img4> -p <sep.im4p>

RESOURCES
    Homepage:    <https://sep.lol>
    Bug Reports: <https://github.com/turdus-m3rula/bugTracker>
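
A pre-flight check for the argument constraints the two manuals above state, written as an added example: it is not part of turdus_merula or turdusra1n, and the function names are hypothetical. It only inspects argument strings and never contacts a device.

```shell
#!/bin/sh
# Added example: pre-flight checks for constraints stated in the manuals above.
# Function names are hypothetical; nothing here talks to a device.

# RA1N_ABORT_TIMEOUT: integer from 0 to 999999999 (at most nine digits).
valid_abort_timeout() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 9 ]
}

# ECID: 0x-prefixed hex or plain decimal, the two forms the manual shows.
valid_ecid() {
    case "$1" in
        0x*) case "${1#0x}" in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# turdus_merula arguments: -w needs --load-shsh; -y removes the safety prompts.
check_restore_args() {
    downgrade=0 shsh=0 noinput=0
    for a in "$@"; do
        case "$a" in
            -w|--downgrade) downgrade=1 ;;
            --load-shsh)    shsh=1 ;;
            -y|--no-input)  noinput=1 ;;
        esac
    done
    if [ "$downgrade" -eq 1 ] && [ "$shsh" -eq 0 ]; then
        echo "error: -w/--downgrade requires --load-shsh" >&2
        return 1
    fi
    [ "$noinput" -eq 0 ] || echo "warning: -y disables data-loss prompts" >&2
    return 0
}

# turdusra1n arguments: -b (boot-nonce generator) is used together with -D.
check_ra1n_args() {
    dfu=0 nonce=0
    for a in "$@"; do
        case "$a" in
            -D|--dfu-boot)   dfu=1 ;;
            -b|--boot-nonce) nonce=1 ;;
        esac
    done
    [ "$nonce" -eq 0 ] || [ "$dfu" -eq 1 ]
}
```

Source the file in a wrapper script and call the relevant function with the same arguments before invoking either tool.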