Open-source jailbreaking tool for many iOS devices

Overview


*Read the disclaimer below before using this software.

checkm8

  • permanent unpatchable bootrom exploit for hundreds of millions of iOS devices

  • meant for researchers, this is not a jailbreak with Cydia yet

  • allows dumping SecureROM, decrypting keybags for iOS firmware, and demoting device for JTAG

  • current SoC support: s5l8947x, s5l8950x, s5l8955x, s5l8960x, t8002, t8004, t8010, t8011, t8015

  • future SoC support: s5l8940x, s5l8942x, s5l8945x, s5l8747x, t7000, t7001, s7002, s8000, s8001, s8003, t8012

  • full jailbreak with Cydia on latest iOS version is possible, but requires additional work

Quick start guide for checkm8

  1. Use a cable to connect the device to your computer. Hold the buttons as needed to enter DFU Mode.

  2. Run ./ipwndfu -p to exploit the device. The exploit is not reliable: if it fails, put the device back into DFU Mode and run it again. A successful run leaves the device in pwned DFU Mode, which it advertises with a PWND:[checkm8] tag in its USB serial number.

  3. Run ./ipwndfu --dump-rom to get a dump of SecureROM.

  4. Run ./ipwndfu --decrypt-gid KEYBAG to decrypt a keybag with the device's GID key.

  5. Run ./ipwndfu --demote to demote the device and enable JTAG.
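Before step 2 it is worth knowing what the device reports. The following is an added example (my own code, not part of ipwndfu) that parses the DFU serial-number string ipwndfu prints after "Found:", maps the CPID field against the SoC lists above, and tells you whether the serial already carries the PWND tag so you do not run -p a second time. The CPID sets are the four hex digits of the SoC names above; the first two sample strings are copied from the comments on this page, the "pwned" and "iphone4" ones are constructed. Note that reading this very string is the call that fails with "ValueError: The device has no langid" in several tracebacks below, which usually means the host could not read the device's USB string descriptors (permissions or libusb trouble, or the device having already rebooted), not that the exploit itself misbehaved.

```python
import re

# CPIDs taken from the README's checkm8 SoC lists: the four hex digits of the
# SoC name (s5l8960x -> 8960, t8010 -> 8010, s7002 -> 7002) are what the
# device reports in the CPID field of its DFU serial number.
CHECKM8_SUPPORTED = {"8947", "8950", "8955", "8960",
                     "8002", "8004", "8010", "8011", "8015"}
CHECKM8_PLANNED = {"8940", "8942", "8945", "8747", "7000", "7001",
                   "7002", "8000", "8001", "8003", "8012"}

# The serial is a run of KEY:VALUE fields. Bracketed values such as
# SRTG:[iBoot-1704.10] or PWND:[checkm8] are matched as one unit.
FIELD_RE = re.compile(r"\b([A-Z]{4}):(\[[^\]]*\]|\S+)")


def parse_dfu_serial(serial):
    """Split an Apple DFU iSerialNumber string into a dict of its fields."""
    fields = {key: value.strip("[]") for key, value in FIELD_RE.findall(serial)}
    if "CPID" not in fields:
        raise ValueError("not a DFU serial number: %r" % (serial,))
    return fields


def is_dfu_serial(serial):
    """True if the string looks like a DFU serial number (has a CPID field)."""
    try:
        parse_dfu_serial(serial)
        return True
    except ValueError:
        return False


def checkm8_status(serial):
    """Decide what ./ipwndfu -p would do with this device.

    'pwned:<name>'  the serial already carries a PWND tag; do not run -p again
    'supported'     CPID is in the current checkm8 support list
    'planned'       CPID is in the future support list (not exploitable yet)
    'unsupported'   anything else (e.g. S5L8930, which needs SHAtter instead)
    """
    fields = parse_dfu_serial(serial)
    if "PWND" in fields:
        return "pwned:" + fields["PWND"]
    cpid = fields["CPID"]
    if cpid in CHECKM8_SUPPORTED:
        return "supported"
    if cpid in CHECKM8_PLANNED:
        return "planned"
    return "unsupported"


# Serial strings as printed by ipwndfu after "Found:". The first two are copied
# from the comments on this page; "pwned" and "iphone4" are constructed samples.
SAMPLES = {
    "ipad_mini2": "CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:000001B78D366D1C IBFL:1C SRTG:[iBoot-1704.10]",
    "iphone5c":   "Found: CPID:8950 CPRV:20 CPFM:03 SCEP:10 BDID:0E ECID:0000009xxxxx8 IBFL:00 SRTG:[iBoot-1145.3]",
    "pwned":      "CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:000001B78D366D1C IBFL:1C SRTG:[iBoot-1704.10] PWND:[checkm8]",
    "iphone4":    "CPID:8930 CPRV:20 CPFM:03 SCEP:01 BDID:00 ECID:0000000000000000 SRTG:[iBoot-574.4]",
}

if __name__ == "__main__":
    for name, serial in SAMPLES.items():
        fields = parse_dfu_serial(serial)
        print("%-11s %-14s bootrom %s" % (name, checkm8_status(serial), fields.get("SRTG", "?")))
```

The SRTG field is the bootrom build the device is running; on a checkm8 device it never changes, which is why the exploit is unpatchable, so it is a useful thing to record alongside the SecureROM dump from step 3.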

Features

  • Jailbreak and downgrade iPhone 3GS (new bootrom) with alloc8 untethered bootrom exploit. :-)

  • Pwned DFU Mode with steaks4uce exploit for S5L8720 devices.

  • Pwned DFU Mode with limera1n exploit for S5L8920/S5L8922 devices.

  • Pwned DFU Mode with SHAtter exploit for S5L8930 devices.

  • Dump SecureROM on S5L8920/S5L8922/S5L8930 devices.

  • Dump NOR on S5L8920 devices.

  • Flash NOR on S5L8920 devices.

  • Encrypt or decrypt hex data on a connected device in pwned DFU Mode using its GID or UID key.

Dependencies

This tool should be compatible with Mac and Linux. It won't work in a virtual machine. It is a Python 2 script that drives the device over USB through a bundled copy of pyusb (the usb/ directory), which in turn needs libusb installed on the host: a "usb.core.NoBackendError: No backend available" traceback means pyusb could not find libusb. On Linux you will generally need root (or a udev rule) to open the DFU device, which enumerates as vendor 0x5AC, product 0x1227.

Tutorial

This tool can be used to downgrade or jailbreak iPhone 3GS (new bootrom) without SHSH blobs, as documented in JAILBREAK-GUIDE.

Exploit write-up

Write-up for alloc8 exploit can be found here:

https://github.com/axi0mX/alloc8

iBSS

Download iPhone 3GS iOS 4.3.5 IPSW from Apple:

http://appldnld.apple.com/iPhone4/041-1965.20110721.gxUB5/iPhone2,1_4.3.5_8L1_Restore.ipsw

In Terminal, extract iBSS using the following command, then move the file to the ipwndfu folder:

unzip -p iPhone2,1_4.3.5_8L1_Restore.ipsw Firmware/dfu/iBSS.n88ap.RELEASE.dfu > n88ap-iBSS-4.3.5.img3
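The KEYBAG argument for ./ipwndfu --decrypt-gid comes out of the image you want to decrypt. As an added example (my own code, not ipwndfu's), here is an img3 parser that pulls the KBAG tag out of an iBSS like the one the unzip command above extracts and formats it as the IV+key hex string; the argument layout (IV first, then key) is an assumption, so check ipwndfu's own --decrypt-gid handling before relying on it. The sample image is constructed inline with a fixed IV and key so the result is checkable; it is not Apple's iBSS. keybags_from_ipsw reads the member straight out of the IPSW zip and is the only part that touches a real file. Only img3, the 32-bit format the 3GS iBSS uses, is handled; the 64-bit devices in the checkm8 list ship img4 images, which this parser rejects.

```python
import struct
import zipfile


def _fourcc(name):
    """img3 stores every 4-character magic and tag name byte-reversed on disk
    ("Img3" is b"3gmI" in the file, the tag "KBAG" is b"GABK")."""
    return name.encode("ascii")[::-1]


IMG3_MAGIC = _fourcc("Img3")
# magic, fullSize, sizeNoPack (bytes after the header), sigCheckArea, ident
IMG3_HEADER = struct.Struct("<4sIII4s")
# tag magic, totalLength (header + data + padding), dataLength
TAG_HEADER = struct.Struct("<4sII")


def parse_img3(blob):
    """Return (ident, [(tag, data), ...]) for an img3 container, checking every size field."""
    if len(blob) < IMG3_HEADER.size:
        raise ValueError("too short to be an img3 file")
    magic, full_size, size_no_pack, _sig_area, ident = IMG3_HEADER.unpack_from(blob, 0)
    if magic != IMG3_MAGIC:
        raise ValueError("not an img3 file (img4 images from 64-bit devices are not handled)")
    if full_size != len(blob) or size_no_pack != full_size - IMG3_HEADER.size:
        raise ValueError("img3 header sizes do not match the file length")
    tags, off = [], IMG3_HEADER.size
    while off < len(blob):
        if off + TAG_HEADER.size > len(blob):
            raise ValueError("truncated tag header at offset %d" % off)
        tag, total_len, data_len = TAG_HEADER.unpack_from(blob, off)
        if (total_len < TAG_HEADER.size or data_len > total_len - TAG_HEADER.size
                or off + total_len > len(blob)):
            raise ValueError("malformed %s tag at offset %d" % (tag[::-1].decode("ascii", "replace"), off))
        start = off + TAG_HEADER.size
        tags.append((tag[::-1].decode("ascii"), blob[start:start + data_len]))
        off += total_len
    return ident[::-1].decode("ascii"), tags


def keybags(blob):
    """Pull every KBAG out of an img3 and format it as the IV+key hex string passed to
    ./ipwndfu --decrypt-gid (argument layout assumed: IV first, then key)."""
    ident, tags = parse_img3(blob)
    found = []
    for tag, data in tags:
        if tag != "KBAG":
            continue
        if len(data) < 8:
            raise ValueError("KBAG tag too short in %s" % ident)
        # cryptState 1 = production GID keybag, 2 = development GID keybag; aesType is the key size in bits
        crypt_state, aes_bits = struct.unpack_from("<II", data, 0)
        key_len = aes_bits // 8
        if aes_bits not in (128, 192, 256) or len(data) < 8 + 16 + key_len:
            raise ValueError("malformed KBAG (aes=%d, %d bytes) in %s" % (aes_bits, len(data), ident))
        iv, key = data[8:24], data[24:24 + key_len]
        found.append({"ident": ident, "state": crypt_state, "aes": aes_bits,
                      "keybag": (iv + key).hex()})
    return found


def keybags_from_ipsw(ipsw_path, member="Firmware/dfu/iBSS.n88ap.RELEASE.dfu"):
    """Read the iBSS straight out of the IPSW zip (same member the unzip command above extracts)."""
    with zipfile.ZipFile(ipsw_path) as ipsw:
        return keybags(ipsw.read(member))


# --- constructed sample image, not a real Apple iBSS: fixed IV/key so the output is checkable ---
SAMPLE_IV = bytes(range(0x10, 0x20))
SAMPLE_KEY = bytes(range(0x20, 0x40))      # 32 bytes -> an AES-256 keybag


def _tag(name, data):
    pad = (-len(data)) % 4                  # img3 tags are padded to a 4-byte multiple
    return TAG_HEADER.pack(_fourcc(name), TAG_HEADER.size + len(data) + pad, len(data)) + data + b"\0" * pad


def build_sample_ibss():
    body = (_tag("TYPE", _fourcc("ibss"))
            + _tag("DATA", b"\xaa" * 16)                    # stands in for the encrypted payload
            + _tag("KBAG", struct.pack("<II", 1, 256) + SAMPLE_IV + SAMPLE_KEY))
    header = IMG3_HEADER.pack(IMG3_MAGIC, IMG3_HEADER.size + len(body), len(body), len(body), _fourcc("ibss"))
    return header + body


if __name__ == "__main__":
    for kb in keybags(build_sample_ibss()):
        print("%s keybag (aes%d, state %d): %s" % (kb["ident"], kb["aes"], kb["state"], kb["keybag"]))
```

Production images carry a state-1 KBAG (and sometimes a state-2 one for development fuses); it is the state-1 keybag that a production device's GID key will unwrap, so pick that one when an image has both.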

Coming soon!

  • Reorganize and refactor code.

  • Easier setup: download iBSS automatically using partial zip.

  • Dump SecureROM on S5L8720 devices.

  • Install custom boot logos on devices jailbroken with 24Kpwn and alloc8.

  • Enable verbose boot on devices jailbroken with 24Kpwn and alloc8.

Disclaimer

This is BETA software.

Backup your data.

This tool is currently in beta and could potentially brick your device. It will attempt to save a copy of data in NOR to nor-backups folder before flashing new data to NOR, and it will attempt to not overwrite critical data in NOR which your device requires to function. If something goes wrong, hopefully you will be able to restore to latest IPSW in iTunes and bring your device back to life, or use nor-backups to restore NOR to the original state, but I cannot provide any guarantees.

There is NO warranty provided.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

Toolchain

You will not need to use make or compile anything to use ipwndfu. However, if you wish to make changes to assembly code in src/*, you will need to use an ARM toolchain and assemble the source files by running make.

If you are using macOS with Homebrew, you can use binutils and gcc-arm-embedded. You can install them with these commands:

brew install binutils
brew cask install https://raw.githubusercontent.com/Homebrew/homebrew-cask/b88346667547cc85f8f2cacb3dfe7b754c8afc8a/Casks/gcc-arm-embedded.rb

Credit

geohot for limera1n exploit

posixninja and pod2g for SHAtter exploit

chronic, CPICH, ius, MuscleNerd, Planetbeing, pod2g, posixninja, et al. for 24Kpwn exploit

pod2g for steaks4uce exploit

walac for pyusb

Comments
  • iPhone 5s (6,2) - 0% success rate when pwning DFU

    After retrying 20 times, I still haven't managed to get my 5s to enter pwned DFU. The phone reboots around 7 seconds after the tool has been run, then it returns this timeout error:

    Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:02 ECID:000005F5A9D9BCD0 IBFL:1C SRTG:[iBoot-1704.10]
    ERROR: No Apple device in DFU Mode 0x1227 detected after 5.00 second timeout. Exiting.
    

    Do I need to keep trying, or is this a common issue with A7 devices?

    opened by ghost 93
  • Translate to Thunderbolt DFU to support T2 security chips

    The T2 processor is almost identical in DFU protocol to USB DFU, but instead uses Thunderbolt as the transport. Because of this sending the same payloads over Thunderbolt DFU will likely allow it to be used with the T2 chip as well.

    opened by rickmark 75
  • Device has no langid [Error]

    Hello, thanks for sharing this! I'm on a fresh install of Parrot OS. I have the same problem with iPhone 5c and 5s... I have no idea why I get this error. Can you check please? Thanks.

    sudo ./ipwndfu.py -p

    *** checkm8 exploit by axi0mX ***
    Found: CPID:8950 CPRV:20 CPFM:03 SCEP:10 BDID:0E ECID:0000009xxxxx8 IBFL:00 SRTG:[iBoot-1145.3]
    Traceback (most recent call last):
      File "ipwndfu", line 62, in <module>
        checkm8.exploit()
      File "/home/gen/ipwndfu/checkm8.py", line 510, in exploit
        if 'PWND:[checkm8]' not in device.serial_number:
      File "/home/gen/ipwndfu/usb/core.py", line 830, in serial_number
        self._serial_number = util.get_string(self, self.iSerialNumber)
      File "/home/gen/ipwndfu/usb/util.py", line 314, in get_string
        raise ValueError("The device has no langid")
    ValueError: The device has no langid

    opened by genhack 36
  • Please Help!!!

    When I run ./ipwndfu -p a pop-up comes up saying "Python quit unexpectedly while using the libusb-1.0.dylib plug-in", then I get "Illegal instruction: 4" in the terminal. When I run the command again I get "IndexError: array index out of range" and then "ValueError: The device has no langid" on macOS Sierra. Thanks!

    opened by juhuc 21
  • special libimobiledevice version needed?

    My device has been restored with iOS 5.0.1 and starts in DFU mode. I tried to run ./ipwndfu -x but now I'm stuck at

    Device is not in pwned DFU Mode. Try again

    Then I tried to run ideviceinfo and get "No device found". But if I plug in an iPhone 5S, ideviceinfo can provide all information. I tested this on a Mac, on Windows and on Debian Linux, and all get the "No device found" error when I run ideviceinfo.

    Do I need to install a special version of libimobiledevice?

    opened by theIuser 21
  • ipwndfu -p fails many times

    My environment:

    Linux Mint 19.2 Tina
    Linux Computer 5.3.1-xanmod1 #1.190922 SMP PREEMPT Sun Sep 22 12:20:12 -03 2019 x86_64 x86_64 x86_64 GNU/Linux
    
    toor@Computer ~/ipwndfu $ apt list --installed | grep libusb
    
    libusb-0.1-4/bionic,now 2:0.1.12-31 amd64
    libusb-1.0-0/bionic,now 2:1.0.21-2 amd64
    libusb-1.0-0-dev/bionic,now 2:1.0.21-2 amd64
    libusb-1.0-doc/bionic,bionic,now 2:1.0.21-2 all
    libusbmuxd4/bionic,now 1.1.0~git20171206.c724e70f-0.1 amd64
    

    iPad mini 2(soc:S5L8960)/iOS 12.4/iBoot-1704.10

    I tried "ipwndfu -p" 30+ times but it fails with the same error:

    
    toor@Computer ~/ipwndfu $ ./ipwndfu -p
    *** checkm8 exploit by axi0mX ***
    Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:000001B78D366D1C IBFL:1C SRTG:[iBoot-1704.10]
    ERROR: No Apple device in DFU Mode 0x1227 detected after 5.00 second timeout. Exiting.
    
    toor@Computer ~/ipwndfu $ ./ipwndfu -p
    Traceback (most recent call last):
      File "./ipwndfu", line 48, in <module>
        serial_number = device.serial_number
      File "/home/toor/ipwndfu/usb/core.py", line 830, in serial_number
        self._serial_number = util.get_string(self, self.iSerialNumber)
      File "/home/toor/ipwndfu/usb/util.py", line 314, in get_string
        raise ValueError("The device has no langid")
    
    opened by xfm00mm 20
  • Custom Restore via Limera1n

    I've pwned my iPhone 4 GSM & CDMA and no custom IPSWs from PwnageTool or Sn0wbreeze work. I've even tried using the pwn feature from your program and restoring from OS X, Linux and Windows, and none of them worked. The only phones I've ever been able to downgrade are my 3G and 3GS. iTunes versions don't make a difference to this issue. What do I need to do?

    opened by Merculous 18
  • Getting this error when use ./ipwndfu -p and ./ipwndfu -x

    I get this error when typing the command ./ipwndfu -x and ./ipwndfu -p. How do I fix this?

    My iPhone 3GS is a New BR on iOS 3.1 after downgrading with 24Kpwn, my mac is running MacOS Sierra 10.12.4

    ./ipwndfu -p [screenshot: 2017-04-12 5:35:17 PM]

    ./ipwndfu -x [screenshot: 2017-04-12 6:04:24 PM]

    opened by CodeyMoore 18
  • "Device has no langid" Error at Random Points During Dumping NOR

    Hi, I'm trying to downgrade my iPhone 3GS to iPhone OS 3.1.3. I made a custom 3.1.3 firmware using PwnageTool. I was able to put the device into pwned dfu mode and restore to the custom firmware successfully. When I went to install Alloc8 and boot by typing ./ipwndfu -x into Terminal, the process fails on Dumping NOR, at any random step. I've tried multiple times, sometimes it gets to stage 4 and fails, sometimes it fails on the first stage with the error "The device has no langid". I've pasted the output I'm getting from the terminal. Any ideas on how to solve this? I'm using Mac OS X 10.9 Mavericks. Thank you so much.

    Tims-Mac:ipwndfu-master Janiszewski$ sudo ./ipwndfu -x
    Installing alloc8 exploit to NOR.
    Dumping NOR, part 1/8.
    Dumping NOR, part 2/8.
    Traceback (most recent call last):
      File "./ipwndfu", line 532, in
        nor = device.nor_dump(saveBackup=True)
      File "./ipwndfu", line 297, in nor_dump
        (retval, received) = self.execute(struct.pack('<6I', read, bdev, self.config.load_address + 8, i * NOR_PART_SIZE, 0, NOR_PART_SIZE), NOR_PART_SIZE)
      File "./ipwndfu", line 242, in execute
        assert self.identifier == device.serial_number
      File "/Users/Janiszewski/Desktop/ipwndfu-master/usb/core.py", line 830, in serial_number
        self._serial_number = util.get_string(self, self.iSerialNumber)
      File "/Users/Janiszewski/Desktop/ipwndfu-master/usb/util.py", line 314, in get_string
        raise ValueError("The device has no langid")
    ValueError: The device has no langid

    opened by iiLmaoCrim 13
  • Error running ipwndfu -p on macOS

    I am getting this error when running ipwndfu -p on macOS. I've never gotten this error before and it just appeared when I went to try the exploit.

    Traceback (most recent call last):
      File "./ipwndfu", line 48, in
        device = dfu.acquire_device()
      File "/Users/jayden/Documents/checkm8exploit/ipwndfu/dfu.py", line 16, in acquire_device
        for device in usb.core.find(find_all=True, idVendor=0x5AC, idProduct=0x1227, backend=backend):
      File "/Users/jayden/Documents/checkm8exploit/ipwndfu/usb/core.py", line 1263, in find
        raise NoBackendError('No backend available')
    usb.core.NoBackendError: No backend available

    opened by jayden000 10
  • Use print() function in both Python 2 and Python 3

    Legacy print statements are syntax errors in Python 3 but print() function works as expected in both Python 2 and Python 3. There are 93 days until Python 2 end of life.

    opened by cclauss 10
  • No Backend Error (iPhone SE 2016)

    Last login: Sun Aug 28 20:54:25 on ttys000
    jonahdecker@Jonahs-MBP ~ % cd ipwndfu-master      
    jonahdecker@Jonahs-MBP ipwndfu-master % sudo python2 ipwndfu -p
    Password:
    Traceback (most recent call last):
      File "ipwndfu", line 48, in <module>
        device = dfu.acquire_device()
      File "/Users/jonahdecker/ipwndfu-master/dfu.py", line 16, in acquire_device
        for device in usb.core.find(find_all=True, idVendor=0x5AC, idProduct=0x1227, backend=backend):
      File "/Users/jonahdecker/ipwndfu-master/usb/core.py", line 1263, in find
        raise NoBackendError('No backend available')
    usb.core.NoBackendError: No backend available
    jonahdecker@Jonahs-MBP ipwndfu-master % 
    
    opened by jonahdecker 1
  • after using the AppStore bypass it gives an error "unable to connect to itunes store"

    Bypass is working, but... Error: "unable to connect to itunes store". Logged in through Settings - iTunes and the App Store, not through iCloud.

    Problem in the IC-Info.sisv file; need paid software to fix this problem to download from the App Store.

    opened by vDemo7 1
  • ipwndfu appears to succeed in patching and uploading iPhone 3GS NOR with alloc8, but iPhone 3GS stays stuck in DFU mode

    I have been trying to use ipwndfu to downgrade my new bootrom iPhone 3GS to iOS 3.1.3. I have followed the steps in the guide for creating and restoring to the custom IPSW, then putting the device in pwned DFU mode and installing the alloc8 exploit to NOR, but the iPhone just re-enters DFU mode when trying to boot. My iPhone is a 2009 Week 40 model and I was able to downgrade it to iOS 3.1.3 a year ago using this tool, so I know it's possible, but for some reason it no longer works. I read online this could be caused by a restore error or a faulty IPSW, so I tried remaking the IPSW with PwnageTool and Sn0wbreeze multiple times with different settings, but it gives the same result. Since ipwndfu hasn't been updated recently, I tried running it on different versions of macOS and on Linux, but nothing has helped. I thought maybe it had to do with iOS 3.1.3, so I tried restoring to iOS 5.1.1 instead. However, I still have the same problem where the alloc8 exploit installs just fine but the iPhone still doesn't boot. Is anyone else experiencing this? If so, were you able to fix it?

    opened by Cameron12533439 1