{"id":20957920,"url":"https://github.com/jonpalmisc/respawn","last_synced_at":"2025-05-14T06:31:40.694Z","repository":{"id":214695807,"uuid":"723187462","full_name":"jonpalmisc/respawn","owner":"jonpalmisc","description":"Experimentation environment for checkm8-vulnerable devices","archived":false,"fork":false,"pushed_at":"2023-12-30T11:05:45.000Z","size":143,"stargazers_count":53,"open_issues_count":0,"forks_count":2,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-05-07T01:49:43.326Z","etag":null,"topics":["checkm8","ios","iosre","iphone","securerom"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jonpalmisc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-24T22:13:16.000Z","updated_at":"2024-12-24T11:02:35.000Z","dependencies_parsed_at":null,"dependency_job_id":"8c718f5d-e314-4804-b1ff-f2ba9228d427","html_url":"https://github.com/jonpalmisc/respawn","commit_stats":null,"previous_names":["jonpalmisc/respawn"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jonpalmisc%2Frespawn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jonpalmisc%2Frespawn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jonpalmisc%2Frespawn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jonpalmisc%2Frespawn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owner
s/jonpalmisc","download_url":"https://codeload.github.com/jonpalmisc/respawn/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254084643,"owners_count":22011915,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["checkm8","ios","iosre","iphone","securerom"],"created_at":"2024-11-19T01:44:30.058Z","updated_at":"2025-05-14T06:31:40.688Z","avatar_url":"https://github.com/jonpalmisc.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Respawn\n\n![Respawn REPL Demo Image](docs/demo.webp)\n\nRespawn is an experimental research tool for iPhone models vulnerable to the\ninfamous [checkm8](https://theapplewiki.com/wiki/Checkm8_Exploit)\nvulnerability. It is a completely rewritten version of an older project,\n[Pawn](https://twitter.com/jonpalmisc/status/1596177346616512512). The name is\na portmanteau of \"resurrected Pawn\".\n\n## Motivation\n\nWhile the project is mostly just for fun and nostalgia now, the original\npurpose was to create a high-quality checkm8 exploit implementation and\nsubsequent environment for iPhone security research.\n\nRespawn's code aims to be modern, pragmatic, and easy to read. Numerous\ndesign decisions, bits of lore, etc. are documented inside.\n\n## Building\n\nRespawn uses CMake as its build system, and has a few small dependencies that are\nalready included as submodules. 
Start by performing a recursive clone of\nRespawn and all of its submodules:\n\n```sh\ngit clone --recurse-submodules git@github.com:jonpalmisc/respawn.git\n```\n\nNext, once inside the cloned repo, configure the project with CMake:\n\n```sh\ncmake -S . -B build # -GNinja ...\n```\n\u003e If you get errors about missing `CMakeLists.txt` files, you likely forgot to\n\u003e clone recursively (or otherwise initialize all submodules) as shown above.\n\nFinally, simply build the project with CMake:\n\n```sh\ncmake --build build\n```\n\n\u003e At this point, if you are not on macOS you will notice you are missing some\n\u003e headers. Respawn uses [Sioku](https://github.com/jonpalmisc/sioku) for all of\n\u003e its USB operations, which is based on IOKit. Sorry...\n\nA `respawn` executable will be available at `./build/respawn` upon completion.\n\n## Usage\n\nOnce built, first run `respawn -h` to see a full list of options; the built-in\nhelp will always have the most up-to-date usage instructions and options.\n\nBy default, Respawn doesn't emit much output. If something isn't working or if\nyou desire more detail, the `-v` flag can be passed to Respawn to enable\nverbose logging.\n\n### REPL\n\nMost likely, you will want to use Respawn's REPL interface to poke around on\nthe device. Running `respawn -r` will launch the REPL, exploiting the device\nfirst if it has not been already.\n\nTo get started, try reading SecureROM's build banner string:\n\n```\n\u003e ia.read(0x100000200, 64)\n100000200:  5365 6375 7265 524f 4d20 666f 7220 7437  SecureROM for t7\n100000210:  3030 3073 692c 2043 6f70 7972 6967 6874  000si, Copyright\n100000220:  2032 3031 332c 2041 7070 6c65 2049 6e63   2013, Apple Inc\n100000230:  2e00 0000 0000 0000 0000 0000 0000 0000  ................\n```\n\u003e The `interactive` module is aliased to `ia` in the REPL for convenience.\n\nRespawn's REPL is really just a [Lua](https://www.lua.org/) REPL with some\nnative functions exposed. 
You can evaluate arbitrary Lua code, automate device\nactions by loading Lua scripts, etc.\n\n\u003e Respawn expects to find its built-in Lua modules in the `lua` folder of the\n\u003e current working directory. The invocation above should actually be\n\u003e `./build/respawn` if you followed the build instructions above and are in the\n\u003e project's root directory; alternatively you can copy the executable out of\n\u003e the build folder to the root directory.\n\nTo get more familiar with using the REPL to interact with the device, take a\nlook at [`test.lua`](lua/test.lua), which checks that all of the features\nprovided by the `device` module are working as expected. If you aren't writing\nscripts, you will probably want to use the equivalent functions in the\n`interactive` module to get better feedback. \n\n### Known Limitations\n\n- Only devices with T7000 or S8000 SoCs are supported.\n- Initial exploitation time varies considerably based on unknown factors.\n- Only one device can be connected at once.\n- Respawn only builds and runs on macOS since it depends on IOKit.\n\n#### T8015 support\n\nT8015 is one of the most recent SoCs still vulnerable to checkm8, so support for\nT8015 devices is desirable and is a glaring omission right now. 
Respawn's\npredecessor Pawn (which remains closed-source) had mostly-complete support for\nT8015 devices, but via a rather messy implementation that would require\nrewriting to integrate back into this project.\n\nGiven that checkm8 is largely dead now in 2023, T8015 support may never arrive;\nbut maybe with enough rainy days it will.\n\n## Credits\n\nAcknowledgements are due to a handful of individuals who otherwise don't appear\nin the Git history:\n\n- Parts of Respawn's predecessor Pawn were contributed by\n  [@0cyn](https://github.com/0cyn).\n- An old version of [@0x7ff](https://github.com/0x7ff)'s\n  [gaster](https://github.com/0x7ff/gaster) was used as a reference during the\n  early stages of Pawn's development back in 2022.\n- Like many other checkm8 projects, some of the exploit primitives\n  (`ExploitDriver::do_*` in Respawn's case) are lifted from\n  [ipwndfu](https://github.com/axi0mX/ipwndfu) by\n  [@axi0mX](https://twitter.com/axi0mx).\n\nFurthermore, this project would have been a lot less fun and a lot more\nannoying without the knowledge and moral support contributed by the artist\nformerly known as @bendycatus, [@Siguza](https://siguza.net/), and other\nfriends I'm probably forgetting along the way.\n\n## License\n\nCopyright \u0026copy; 2022\u0026ndash;2023 Jon Palmisciano. All rights reserved.\n\nUse of Respawn and its source code is governed by the BSD 3-Clause license; the\nfull terms of the license can be found in [LICENSE.txt](LICENSE.txt).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjonpalmisc%2Frespawn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjonpalmisc%2Frespawn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjonpalmisc%2Frespawn/lists"}
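The README's REPL section reads the SecureROM build banner at 0x100000200 with `ia.read`, and its Known Limitations section names T7000 and S8000 as the only SoCs Respawn supports (with T8015 explicitly missing). The C++ below is an added example, not code from Respawn or its author: it decodes the README's hexdump back into bytes, recovers the banner string, extracts the SoC identifier and checks it against that list, which is the kind of guard a script would run before relying on SoC-specific exploit primitives. The hexdump text is copied verbatim from the README; the banner layout `SecureROM for <soc><variant>, Copyright ...` (one letter plus digits for the SoC, then a variant suffix such as `si`) is an assumption generalised from that single sample, and the functions `parse_hexdump`, `banner_string`, `soc_from_banner` and `respawn_supports` are hypothetical names introduced here.

```cpp
// Added example, not part of Respawn: decode the REPL hexdump from the README back
// into bytes, parse the SecureROM build banner and check the SoC against the list
// of SoCs the README says Respawn supports.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// Output of `ia.read(0x100000200, 64)` as printed in the README (copied verbatim).
static const char *const kBannerDump =
    "100000200:  5365 6375 7265 524f 4d20 666f 7220 7437  SecureROM for t7\n"
    "100000210:  3030 3073 692c 2043 6f70 7972 6967 6874  000si, Copyright\n"
    "100000220:  2032 3031 332c 2041 7070 6c65 2049 6e63   2013, Apple Inc\n"
    "100000230:  2e00 0000 0000 0000 0000 0000 0000 0000  ................\n";

// Parse lines of the form "<addr>:  <up to 8 groups of 4 hex digits>  <ascii>".
// Only the hex groups are decoded; the ASCII column is display-only and is never
// trusted, so banner text that happens to look like hex cannot confuse the parser.
std::vector<uint8_t> parse_hexdump(const std::string &dump) {
    std::vector<uint8_t> out;
    std::istringstream lines(dump);
    std::string line;
    while (std::getline(lines, line)) {
        std::size_t colon = line.find(':');
        if (colon == std::string::npos) continue;  // not a dump line
        std::istringstream fields(line.substr(colon + 1));
        std::string tok;
        for (int group = 0; group < 8 && (fields >> tok); ++group) {
            bool is_hex = tok.size() == 4 &&
                std::all_of(tok.begin(), tok.end(),
                            [](unsigned char c) { return std::isxdigit(c) != 0; });
            if (!is_hex) break;  // short line: we ran into the ASCII column
            out.push_back(static_cast<uint8_t>(std::stoul(tok.substr(0, 2), nullptr, 16)));
            out.push_back(static_cast<uint8_t>(std::stoul(tok.substr(2, 2), nullptr, 16)));
        }
    }
    return out;
}

// The banner is a NUL-terminated C string inside the dumped region; stop at the NUL.
std::string banner_string(const std::vector<uint8_t> &bytes) {
    std::string s(bytes.begin(), bytes.end());
    std::size_t nul = s.find('\0');
    return nul == std::string::npos ? s : s.substr(0, nul);
}

// Recover the SoC identifier from "SecureROM for <soc><variant>, Copyright ...".
// Assumption (generalised from the one sample on the page): the identifier is one
// letter followed by digits, in lower case, followed by a variant suffix ("t7000si").
// Returns it upper-cased ("T7000") to match the README's spelling, or "" on mismatch.
std::string soc_from_banner(const std::string &banner) {
    static const std::string kPrefix = "SecureROM for ";
    if (banner.compare(0, kPrefix.size(), kPrefix) != 0) return "";
    std::size_t i = kPrefix.size();
    std::string soc;
    if (i < banner.size() && std::isalpha(static_cast<unsigned char>(banner[i])))
        soc += static_cast<char>(std::toupper(static_cast<unsigned char>(banner[i++])));
    while (i < banner.size() && std::isdigit(static_cast<unsigned char>(banner[i])))
        soc += banner[i++];
    return soc.size() > 1 ? soc : "";
}

// SoCs listed as supported under "Known Limitations" in the README.
bool respawn_supports(const std::string &soc) {
    static const char *const kSupported[] = {"T7000", "S8000"};
    for (const char *s : kSupported)
        if (soc == s) return true;
    return false;
}

int main() {
    std::string banner = banner_string(parse_hexdump(kBannerDump));
    std::string soc = soc_from_banner(banner);
    std::printf("banner: %s\nsoc: %s (%s by Respawn)\n", banner.c_str(), soc.c_str(),
                respawn_supports(soc) ? "supported" : "not supported");
    return 0;
}
```

On the README's dump this yields the banner `SecureROM for t7000si, Copyright 2013, Apple Inc.` and the SoC `T7000`, which is on the supported list; feeding it a banner from a T8015 device would make `respawn_supports` return false, matching the README's statement that T8015 is not handled.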