fix touch 3 ios 3, and other changes

fixes enable exploit on 3.1.x/3.2.x for touch 3/ipad 1.
- offset is +63 instead of +64
- partition size now depends on sector size as well. previously this was hardcoded to 8 (for 65536/8192, meaning this is broken on devices that use 4096)

Author: LukeZGD

README.md

@@ -99,7 +99,7 @@
     - iPhone 4 CDMA - iOS 4.2.6 to 7.1.1
     - iPhone 4S, 5, 5C, iPad 2 Rev A, iPod touch 5 - iOS 5.0 to 9.3.5
     - iPad 1 - iOS 3.2 to 5.1
-    - iPod touch 3 - iOS 4.0 to 5.1 (3.1.x has issues)
+    - iPod touch 3 - iOS 3.1.1 to 5.1
     - Using powdersn0w requires iOS 7.1.x blobs for your device
         - No blob requirement for iPhone 4, iPad 1, iPod touch 3 (7.1.2 and 5.1.1 are signed)
         - For iPhone 5 and 5C, both 7.0.x and 7.1.x blobs can be used
@@ -111,6 +111,8 @@
     - iPhone 2G, 3G, 3GS, iPod touch 1, touch 2 - All versions are supported
     - Lowest downgradable version is 2.0. Going to 1.x does not work
     - For jailbreaking support, see below
+- [Restoring the iPod touch 3rd gen to iOS 6.0 untethered](https://github.com/LukeZGD/Legacy-iOS-Kit/wiki/touch3-ios6)
+- [Restoring the iPod touch 4th gen to iOS 7.1.2 tethered](https://github.com/LukeZGD/Legacy-iOS-Kit/wiki/touch4-ios7)
 - Jailbreaking for 32-bit devices and versions support:
     - iPhone 2G and touch 1 - 3.1.3 only
     - iPhone 3G and touch 2 - 4.2.1, 4.1, and 3.1.3

resources/firmware/src/target/n18/options.plist

@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>SystemPartitionPadding</key>
+	<dict>
+		<key>n18</key>
+		<dict>
+			<key>128</key>
+			<integer>1280</integer>
+			<key>16</key>
+			<integer>160</integer>
+			<key>32</key>
+			<integer>320</integer>
+			<key>64</key>
+			<integer>640</integer>
+			<key>8</key>
+			<integer>80</integer>
+		</dict>
+	</dict>
+	<key>SystemPartitionSize</key>
+	<integer>1280</integer>
+	<key>UpdateBaseband</key>
+	<false/>
+</dict>
+</plist>

restore.sh

@@ -4670,9 +4670,9 @@ ipsw_prepare_multipatch() {
         "$dir/hfsplus" RestoreRamdisk.dec chmod 755 usr/sbin/asr
     fi
 
-    if [[ $device_target_vers == "3.2"* ]]; then
-        log "3.2 options.plist"
-        cp ../resources/firmware/src/target/k48/options.plist $options_plist
+    if [[ $device_target_vers == "3."* ]]; then
+        log "3.x options.plist"
+        cp ../resources/firmware/src/target/${device_model}/options.plist $options_plist
     else
         log "Extract options.plist from $device_target_vers IPSW"
         "$dir/hfsplus" ramdisk2.dec extract usr/local/share/restore/$options_plist
@@ -5449,6 +5449,14 @@ restore_idevicerestore() {
         log "Sending iBEC..."
         $irecovery -f "$ipsw_custom/Firmware/dfu/iBEC.${device_model}ap.RELEASE.dfu"
         device_find_mode Recovery
+    elif [[ $device_type == "iPod3,1" && $device_target_vers == "6.0" ]]; then
+        rm -rf shsh
+        idevicerestore2=
+        [[ $platform == "linux" ]] && idevicerestore2="sudo "
+        idevicerestore2+="../saved/SundanceInH2A_$platform/executables/"
+        [[ $platform == "linux" ]] && idevicerestore2+="$(uname -m)/"
+        idevicerestore2+="idevicerestore"
+        ExtraArgs="-ey"
     fi
     if [[ $debug_mode == 1 ]]; then
         ExtraArgs+="d"
@@ -5771,7 +5779,10 @@ restore_deviceprepare() {
             if [[ $device_type == "iPod4,1" && $device_target_vers == "7.1.2" ]] ||
                [[ $device_type == "iPod3,1" && $device_target_vers == "6.0" ]]; then
                 shsh_save version $device_latest_vers
-                device_buttons
+                case $device_type in
+                    iPod4,1 ) device_buttons;;
+                    iPod3,1 ) device_enter_mode pwnDFU;;
+                esac
             elif [[ $device_target_tethered == 1 ]]; then
                 shsh_save version $device_latest_vers
                 device_enter_mode pwnDFU
@@ -7007,12 +7018,17 @@ device_ramdisk_setnvram() {
 
 device_ramdisk_ios3exploit() {
     log "iOS 3.x detected, running exploit commands"
-    local offset="$($ssh -p $ssh_port [email protected] "echo -e 'p\nq\n' | fdisk -e /dev/rdisk0" | grep AF | head -1)"
+    local fdisk_out="$($ssh -p $ssh_port [email protected] "fdisk /dev/rdisk0")"
+    echo "$fdisk_out"
+    local offset="$(echo "$fdisk_out" | grep AF | head -1)"
     offset="${offset##*-}"
     offset="$(echo ${offset%]*} | tr -d ' ')"
-    offset=$((offset+64))
+    offset=$((offset+63))
+    local sector_size="$(echo "$fdisk_out" | grep "Sector size" | awk '{print $3}')"
+    local partition_size=$((65536/sector_size))
     log "Got offset $offset"
-    $ssh -p $ssh_port [email protected] "echo -e 'e 3\nAF\n\n${offset}\n8\nw\ny\nq\n' | fdisk -e /dev/rdisk0"
+    log "Got sector size $sector_size. Partition size will be $partition_size"
+    $ssh -p $ssh_port [email protected] "echo -e 'e 3\nAF\n\n${offset}\n${partition_size}\nw\ny\nq\n' | fdisk -e /dev/rdisk0"
     echo
     log "Writing exploit ramdisk"
     $scp -P $ssh_port ../resources/firmware/src/target/$device_model/9B206/exploit [email protected]:/
@@ -10069,7 +10085,7 @@ device_jailbreak_gilbert() {
     mv freeze.tar payload/common/Cydia.tar
     log "Running g1lbertJB..."
     "../../$dir/gilbertjb"
-    rm payload/common/Cydia.tar
+    rm -rf payload/common/Cydia.tar private var
     popd >/dev/null
 }