It's possible once again to bypass iCloud by using a CFW, with the CheckM8 Exploit
#1
A week ago, developer @axi0mX released a new SecureROM (BootROM) exploit for iPhone 4S, iPhone 5, iPhone 5C, iPhone 5S, iPhone 6 / 6 Plus, iPhone 6S / 6S Plus, iPhone SE, iPhone 7 / 7 Plus, iPhone 8 / 8 Plus and iPhone X on all iOS versions supported by these devices. Quite a huge range. Such an exploit hasn't been released since 2010. It's been 10 years and nobody expected this release.

Of course, with a SecureROM exploit like checkm8, it's possible once again to patch iBEC, iBSS, the Restore Ramdisk (ASR to be more precise) and of course patch or remove Setup.App from the ROOT File System DMG file (the largest in the IPSW archive). Carrying out these modifications requires some reverse engineering skills, but it's nothing too hard. iBEC and iBSS are bootloaders that the SecureROM loads. They're crucial parts of the Restore or normal boot. We'd need to patch both iBEC and iBSS to skip any checks they do for SHSH2 blobs and for the checksums of the Ramdisks.

We also need to modify the Restore Ramdisk because it contains a binary called ASR ("Apple System Restore"), which is responsible for literally taking the ROOT FileSystem DMG and burning it to the appropriate partition after the partition is created and after the ROOT FS DMG is verified against its checksum. This is where things would normally fail: ASR would complain that the DMG file doesn't match the normal checksum because you removed Setup.App from it (or patched it).

By patching ASR we ensure that it never stops the restore because of checksum mismatches, so the modified ROOT FS goes through; all the rest of the files (LLB, AppleLogo, RecoveryMode, Stockholm, etc.) are not modified anyway. Of course, such a bypass would work, but it would be tethered: every time you want to reboot the device, it would require the computer and the ipwndfu software.

Such a bypass would not have a functional SIM card because there is no real Activation Ticket from Apple's Albert server.
Reply
#2
Hi,

Will you release a tutorial?

Regards.
Reply
#3
@GeoSn0w for iCloud locked devices, will the jailbreak always be tethered independently of the version of iOS we install? Is there really no chance of making the SIM part work? Can you explain in detail why it's not possible?
Reply
#4
@GeoSn0w is there a possible way to get the Apple ID of an iCloud locked device? If I can get the ID, I can initiate the unlock. Thank you.
Reply
#5
(10-10-2019, 12:18 PM)greyhound Wrote: @GeoSn0w is there a possible way to get the Apple ID of an iCloud locked device? If I can get the ID, I can initiate the unlock. Thank you.

Only through GSX which I don't have access to.
Reply
#6
Hey, so I've been trying to create a modified IPSW; haven't done this since iOS 3.1.2, aha... It's for the 7 Plus, but I can't seem to put my modified setup.patch into the DMG. Any tips, or should I hold off until someone else figures this out? Thanks
Reply
#7
(10-09-2019, 08:27 PM)GeoSn0w Wrote: A week ago, developer @axi0mX released a new SecureROM (BootROM) exploit for iPhone 4S, iPhone 5, iPhone 5C, iPhone 5S, iPhone 6 / 6 Plus, iPhone 6S / 6S Plus, iPhone SE, iPhone 7 / 7 Plus, iPhone 8 / 8 Plus and iPhone X on all iOS versions supported by these devices. Quite a huge range. Such an exploit hasn't been released since 2010. It's been 10 years and nobody expected this release.

Of course, with a SecureROM exploit like checkm8, it's possible once again to patch iBEC, iBSS, the Restore Ramdisk (ASR to be more precise) and of course patch or remove Setup.App from the ROOT File System DMG file (the largest in the IPSW archive). Carrying out these modifications requires some reverse engineering skills, but it's nothing too hard. iBEC and iBSS are bootloaders that the SecureROM loads. They're crucial parts of the Restore or normal boot. We'd need to patch both iBEC and iBSS to skip any checks they do for SHSH2 blobs and for the checksums of the Ramdisks.

We also need to modify the Restore Ramdisk because it contains a binary called ASR ("Apple System Restore"), which is responsible for literally taking the ROOT FileSystem DMG and burning it to the appropriate partition after the partition is created and after the ROOT FS DMG is verified against its checksum. This is where things would normally fail: ASR would complain that the DMG file doesn't match the normal checksum because you removed Setup.App from it (or patched it).

By patching ASR we ensure that it never stops the restore because of checksum mismatches, so the modified ROOT FS goes through; all the rest of the files (LLB, AppleLogo, RecoveryMode, Stockholm, etc.) are not modified anyway. Of course, such a bypass would work, but it would be tethered: every time you want to reboot the device, it would require the computer and the ipwndfu software.

Such a bypass would not have a functional SIM card because there is no real Activation Ticket from Apple's Albert server.

SO, in that case, the method for a CFW IPSW described here, combined with checkm8, will get an iPhone 6s+ booting without iCloud activation??? (IF I read this entire forum right....)

BUT, sadly, no SIM... till the iCloudfixer from this post hits the street, but looking at that it's hit-and-miss...

But Geo, it will give this phone normal operation except for the telephone... hmmmm, why not build a better driver for the broadband modem... one that doesn't require the files to activate the SIM??

I'm coming from an Android environment, so I'm trying to understand this whole iCloud activation BS... but a friend had me hack the pincode on this unit; it's not showing as bad in any way... just that the previous owner had dementia or some such happen and now the unit is locked with the Apple ID...

I can understand the need for locking against theft, but DAAANG, these dogs didn't do anything but BOOST sales massively with this....

Please someone, point me in the right direction to start.... THANKS
Reply
#8
Yes, Geo, release a video tutorial for creating a CFW 10.3.3 for the 5s and downgrading with bypass on the OTA-Script Downgrader by Matthew Pirson.
Reply