Support ramdisk kernel split and snapshot

Add ramdisk-specific kernel snapshot and build logic so the installer ramdisk can boot with a conservative kernel while the restore target keeps the fully JB-patched kernel. Changes: - research/patch_comparison_all_variants.md: document the Ramdisk Kernel Split and intent. - scripts/fw_patch_jb.py: snapshot the base/dev-patched kernel before applying JB extensions (new helper and constants). - scripts/ramdisk_build.py: build krnl.ramdisk.img4 from the snapshot and krnl.img4 from the restore kernel when a snapshot exists; factor kernel IMG4 creation into build_kernel_img4. - scripts/ramdisk_send.sh: prefer krnl.ramdisk.img4 when present, falling back to krnl.img4; fail early if no kernel image found. This improves /dev/disk1s1 remount reliability during CFW/install by keeping the restore kernel JB-patched but booting the installer ramdisk with a more conservative kernel variant.
2026-04-05 13:09:06 +08:00 · 2026-03-04 22:26:06 +08:00
parent db5a2886fa
commit 8575bef264
4 changed files with 81 additions and 10 deletions
--- a/research/patch_comparison_all_variants.md
+++ b/research/patch_comparison_all_variants.md
@@ -184,6 +184,17 @@ Regular and Dev share the same 25 base kernel patches. JB adds 34 additional pat
    - `jb/org.coolstar.sileo_2.5.1_iphoneos-arm64.deb`
    - `basebin/*.dylib` (BaseBin hooks for JB-3)

+## Ramdisk Kernel Split (JB mode)
+
+- `scripts/fw_patch_jb.py` now snapshots the base/dev-patched kernel before JB kernel extensions:
+  - `iPhone*_Restore/kernelcache.research.vphone600.ramdisk`
+- `scripts/ramdisk_build.py` uses that snapshot to build:
+  - `Ramdisk/krnl.ramdisk.img4` (base/dev kernel for SSH ramdisk boot + CFW install)
+  - `Ramdisk/krnl.img4` (post-JB kernel, unchanged restore target)
+- `scripts/ramdisk_send.sh` now prefers `krnl.ramdisk.img4` when present, otherwise falls back to `krnl.img4`.
+- Intent: keep restore kernel fully JB-patched while booting the installer ramdisk with a
+  more conservative kernel variant to improve `/dev/disk1s1` remount reliability.
+
 ## Dynamic Implementation Log (JB Patchers)

 ### TXM (`txm_dev.py`)
--- a/scripts/fw_patch_jb.py
+++ b/scripts/fw_patch_jb.py
@@ -9,6 +9,7 @@ This script extends fw_patch_dev with additional JB-oriented patches.
 """

 import os
+import shutil
 import sys

 from fw_patch import (
@@ -25,6 +26,9 @@ from fw_patch_dev import patch_txm_dev
 from patchers.iboot_jb import IBootJBPatcher
 from patchers.kernel_jb import KernelJBPatcher

+RAMDISK_KERNEL_SUFFIX = ".ramdisk"
+KERNEL_SEARCH_PATTERNS = ["kernelcache.research.vphone600"]
+

 def patch_ibss_jb(data):
    p = IBootJBPatcher(data, mode="ibss", label="Loaded iBSS")
@@ -71,6 +75,15 @@ JB_COMPONENTS = [
 ]


+def snapshot_base_kernel_for_ramdisk(restore_dir):
+    """Save base/dev-patched kernel before JB extensions for ramdisk boot."""
+    kernel_path = find_file(restore_dir, KERNEL_SEARCH_PATTERNS, "kernelcache")
+    ramdisk_kernel_path = f"{kernel_path}{RAMDISK_KERNEL_SUFFIX}"
+    shutil.copy2(kernel_path, ramdisk_kernel_path)
+    print(f"[*] Saved ramdisk kernel snapshot: {ramdisk_kernel_path}")
+    return ramdisk_kernel_path
+
+
 def main():
    vm_dir = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    vm_dir = os.path.abspath(vm_dir)
@@ -93,6 +106,8 @@ def main():
        path = find_file(search_base, patterns, name)
        patch_component(path, patch_fn, name, preserve_payp)

+    snapshot_base_kernel_for_ramdisk(restore_dir)
+
    if JB_COMPONENTS:
        print(f"\n[*] Applying {len(JB_COMPONENTS)} JB extension patches ...")
        for name, in_restore, patterns, patch_fn, preserve_payp in JB_COMPONENTS:
--- a/scripts/ramdisk_build.py
+++ b/scripts/ramdisk_build.py
@@ -57,6 +57,8 @@ RAMDISK_BOOT_ARGS = b"serial=3 rd=md0 debug=0x2014e -v wdt=-1 %s"
 # IM4P fourccs for restore mode
 TXM_FOURCC = "trxm"
 KERNEL_FOURCC = "rkrn"
+RAMDISK_KERNEL_SUFFIX = ".ramdisk"
+RAMDISK_KERNEL_IMG4 = "krnl.ramdisk.img4"

 # Files to remove from ramdisk to save space
 RAMDISK_REMOVE = [
@@ -198,6 +200,18 @@ def create_im4p_uncompressed(raw_data, fourcc, description, output_path):
        f.write(new_im4p.output())


+def build_kernel_img4(kernel_src, output_dir, temp_dir, im4m_path, output_name, temp_tag):
+    """Build one signed kernel IMG4 from a kernelcache source file."""
+    kc_raw = os.path.join(temp_dir, f"{temp_tag}.raw")
+    kc_im4p = os.path.join(temp_dir, f"{temp_tag}.im4p")
+    _, data, original_raw = extract_to_raw(kernel_src, kc_raw)
+    print(f"  source: {kernel_src}")
+    print(f"  format: IM4P, {len(data)} bytes")
+    _save_im4p_with_payp(kc_im4p, KERNEL_FOURCC, data, original_raw)
+    sign_img4(kc_im4p, os.path.join(output_dir, output_name), im4m_path)
+    print(f"  [+] {output_name}")
+
+
 # ══════════════════════════════════════════════════════════════════
 # iBEC boot-args patching
 # ══════════════════════════════════════════════════════════════════
@@ -573,15 +587,36 @@ def main():
        ],
        "kernelcache",
    )
-    kc_raw = os.path.join(temp_dir, "kcache.raw")
-    im4p_obj, data, original_raw = extract_to_raw(kc_src, kc_raw)
-    print(f"  format: IM4P, {len(data)} bytes")
-    kc_im4p = os.path.join(temp_dir, "krnl.im4p")
-    _save_im4p_with_payp(kc_im4p, KERNEL_FOURCC, data, original_raw)
-    sign_img4(
-        kc_im4p, os.path.join(output_dir, "krnl.img4"), im4m_path
+    kc_ramdisk_src = f"{kc_src}{RAMDISK_KERNEL_SUFFIX}"
+    if os.path.isfile(kc_ramdisk_src):
+        print(f"  found ramdisk kernel snapshot: {kc_ramdisk_src}")
+        print(f"  building {RAMDISK_KERNEL_IMG4} from base/dev snapshot")
+        build_kernel_img4(
+            kc_ramdisk_src,
+            output_dir,
+            temp_dir,
+            im4m_path,
+            RAMDISK_KERNEL_IMG4,
+            "kcache_ramdisk",
+        )
+        print("  building krnl.img4 from restore kernel (post-JB)")
+        build_kernel_img4(
+            kc_src,
+            output_dir,
+            temp_dir,
+            im4m_path,
+            "krnl.img4",
+            "kcache_jb",
+        )
+    else:
+        build_kernel_img4(
+            kc_src,
+            output_dir,
+            temp_dir,
+            im4m_path,
+            "krnl.img4",
+            "kcache",
        )
-    print(f"  [+] krnl.img4")

    # ── 8. Ramdisk + Trustcache ──────────────────────────────────
    print(f"\n{'=' * 60}")
--- a/scripts/ramdisk_send.sh
+++ b/scripts/ramdisk_send.sh
@@ -18,6 +18,16 @@ fi

 echo "[*] Sending ramdisk from $RAMDISK_DIR ..."

+KERNEL_IMG="$RAMDISK_DIR/krnl.img4"
+if [[ -f "$RAMDISK_DIR/krnl.ramdisk.img4" ]]; then
+    KERNEL_IMG="$RAMDISK_DIR/krnl.ramdisk.img4"
+    echo "  [*] Using ramdisk kernel variant: $(basename "$KERNEL_IMG")"
+fi
+[[ -f "$KERNEL_IMG" ]] || {
+    echo "[-] Kernel image not found: $KERNEL_IMG"
+    exit 1
+}
+
 # 1. Load iBSS + iBEC (DFU → recovery)
 echo "  [1/8] Loading iBSS..."
 "$IRECOVERY" -f "$RAMDISK_DIR/iBSS.vresearch101.RELEASE.img4"
@@ -61,7 +71,7 @@ echo "  [8/8] Loading SEP..."

 # 8. Load kernel and boot
 echo "  [*] Booting kernel..."
-"$IRECOVERY" -f "$RAMDISK_DIR/krnl.img4"
+"$IRECOVERY" -f "$KERNEL_IMG"
 "$IRECOVERY" -c bootx

 echo "[+] Boot sequence complete. Device should be booting into ramdisk."