This repository has been archived by the owner on Apr 14, 2023. It is now read-only.

Error "0: AMRestoreErrorDomain: failed to request root ticket" #99

Open
Duy-Thanh opened this issue Mar 24, 2023 · 5 comments

@Duy-Thanh

Hello.

I have been trying for the past time, today, I keep trying again next time. And I got the following error:

https://gist.github.com/Duy-Thanh/73724e47478bf9f0f614d12bd1f7adac

And in idevicerestore:

https://gist.github.com/Duy-Thanh/cafb478e3f2da4cc959058479c87ff50

Here is the command to run the iOS virtual machine:

~/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=/mnt/Linux/iphone/Firmware/038-44135-124.dmg.trustcache,ticket-filename=~/ios/root_ticket.der \
-kernel /mnt/Linux/iphone/kernelcache.research.iphone12b \
-dtb /mnt/Linux/iphone/Firmware/all_flash/DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v wdt=-1" \
-initrd /mnt/Linux/iphone/038-44135-124.dmg \
-cpu max -smp 4 \
-m 4G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait

How to fix that? Any help is appreciated

@TrungNguyen1909
Owner

ticket-filename=~/ios/root_ticket.der this should have been an absolute and expanded path.

In other words, you can't use the tilde ~ for home directory here.
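
The point made in the reply above, as an added example (not part of the thread or the project's code): the shell expands `~` only at the start of a word, so inside the comma-separated `-M` value it reaches QEMU as a literal character. The function names are hypothetical, the `-M` value is shortened to the ticket option only, and the comma check relies on QEMU treating `,` as an option separator.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; paths are samples.

# The word exactly as the shell passes it on when "~" sits mid-word,
# as in the command from the issue: no expansion takes place.
as_typed() {
    printf '%s' t8030,ticket-filename=~/ios/root_ticket.der
}

# expand_path PATH: print an absolute path, replacing a leading "~" or
# "~/" with $HOME and anchoring relative paths at the current directory.
expand_path() {
    case $1 in
        "~")   printf '%s' "$HOME" ;;
        "~/"*) printf '%s' "$HOME/${1#"~/"}" ;;
        /*)    printf '%s' "$1" ;;
        *)     printf '%s' "$PWD/$1" ;;
    esac
}

# machine_opt TICKET: build the -M value with an absolute ticket path.
# Fails early if the ticket is unreadable or the path contains a comma,
# which QEMU would read as the start of the next option.
machine_opt() {
    ticket=$(expand_path "$1")
    case $ticket in
        *,*) echo "comma in path: $ticket" >&2; return 1 ;;
    esac
    if [ ! -r "$ticket" ]; then
        echo "ticket not readable: $ticket" >&2
        return 1
    fi
    printf 't8030,ticket-filename=%s' "$ticket"
}

# What QEMU receives when the path is typed with a tilde.
printf 'as typed: %s\n' "$(as_typed)"
```
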

@Duy-Thanh
Author

Duy-Thanh commented Mar 25, 2023

@TrungNguyen1909

I have successfully restored, and the following line said this:

apfs_vfsop_unmount:2682: all done. going home. (numMountedAPFSVolumes 5)

And when I reconnect to idevicerestore it says:

cyberday@cyberday-Standard-PC-i440FX-PIIX-1996:~$ idevicerestore -P -d --erase --restore-mode -i 0x1122334455667788 iPhone11,8,iPhone12,1_14.0_18A5351d_Restore.ipsw -T root_ticket.der
Using ApTicket found at root_ticket.der length 9115
idevicerestore 1.0.0-113-g3947045
progress: 0 0.000000
idevice_event_cb: device 1122334455667788 (udid: 00008030-1122334455667788) connected in normal mode
progress: 0 0.100000
Found device in Normal mode

This means the emulator is already working in normal mode

And there is a strange thing: when I connect VNC, immediately in the log of the iOS simulator appears:

FB invalidate called

However, when I connect VNC, I don't see anything

I waited for 15 minutes, but basically nothing happens next, connecting to idevicerestore still says that the device is still in Normal mode, also there are new logs in the iOS emulator's log:

tx_flush:1075: disk0s1 xid 305 tx stats: # 60 finish 60 enter 2108 wait 1 6883us close 7us flush 12973us
tx_flush:1075: disk0s1 xid 325 tx stats: # 80 finish 80 enter 1602 wait 1 6883us close 6us flush 12403us
AppleNVMe Assert failed: 0 == (status) ReleaseOutputBounceBuffer file: /Library/Caches/com.apple.xbs/Sources/IONVMeFamily/IONVMeFamily-557.0.2.152.1/Embedded/AppleNVMeUpdateUC.cpp line: 1730 
AppleNVMe Assert failed: 0 == (status) ReleaseOutputBounceBuffer file: /Library/Caches/com.apple.xbs/Sources/IONVMeFamily/IONVMeFamily-557.0.2.152.1/Embedded/AppleNVMeUpdateUC.cpp line: 1730 
AppleNVMe Assert failed: 0 == (status) ReleaseOutputBounceBuffer file: /Library/Caches/com.apple.xbs/Sources/IONVMeFamily/IONVMeFamily-557.0.2.152.1/Embedded/AppleNVMeUpdateUC.cpp line: 1730 
tx_flush:1075: disk0s1 xid 345 tx stats: # 100 finish 100 enter 1809 wait 2 6727us close 11us flush 12766us
tx_flush:1075: disk0s1 xid 365 tx stats: # 120 finish 120 enter 2682 wait 2 6727us close 11us flush 12464us
IOAccessoryPortUSB::setUSBRoleSwitchMask Index 0 Value 1
tx_flush:1075: disk0s1 xid 385 tx stats: # 140 finish 140 enter 2603 wait 2 6727us close 95us flush 12636us

I was also afraid that the emulator would crash, so I tried idevicerestore to check again, and the output was still:

Found device in Normal mode

So what should I do next to get the GUI to appear?

Here is the full log of the iOS emulator:

https://gist.github.com/Duy-Thanh/201a3b11a3c9d46c539f92075f15d3fa

@TrungNguyen1909
Owner

The GUI is not supported. Sorry about that...

@Duy-Thanh
Author

@TrungNguyen1909 so at least we have a way to access the iOS shell?

@AlexLearnsToCode

@TrungNguyen1909 @Duy-Thanh hi guys, any progress? I was also stuck here and waited a long time for it to tx_flush, then I got wdog panic just like #64.
