• Welcome to Jailbreak Central!
It's possible once again to bypass iCloud by using a CFW, with the CheckM8 Exploit
#1
A week ago, developer @axi0mX released a new SecureROM (BootROM) exploit for the iPhone 4S, iPhone 5, iPhone 5C, iPhone 5S, iPhone 6 / 6 Plus, iPhone 6S / 6S Plus, iPhone SE, iPhone 7 / 7 Plus, iPhone 8 / 8 Plus and iPhone X, on all iOS versions supported by these devices. Quite a huge range. Such an exploit hasn't been released since 2010. It's been 10 years and nobody expected this release.

Of course, with a SecureROM exploit like checkm8, it's possible once again to patch iBEC, iBSS and the Restore Ramdisk (ASR, to be more precise), and of course to patch or remove Setup.app from the root file system DMG (the largest file in the IPSW archive). Making these modifications requires some reverse engineering skills, but it's nothing too hard. iBEC and iBSS are bootloaders that the SecureROM loads. They're crucial parts of the restore or normal boot. We'd need to patch both iBEC and iBSS to skip any checks they do for SHSH2 blobs and for the checksums of the ramdisks.

We also need to modify the Restore Ramdisk because it contains a binary called ASR ("Apple System Restore"), which is responsible for literally taking the root file system DMG and burning it to the appropriate partition, after the partition is created and after the root FS DMG is verified against its checksum. This is where things would normally fail: ASR would complain that the DMG file doesn't match the expected checksum because you removed Setup.app from it (or patched it).

By patching ASR we ensure that it never stops the restore because of checksum mismatches, so the modified root FS goes through, and the rest of the files (LLB, AppleLogo, RecoveryMode, Stockholm, etc.) are not modified anyway. Of course, such a bypass would work, but it would be tethered: every time you want to reboot the device, it would require the computer and the ipwndfu software.

Such a bypass would not have a functional SIM card because there is no real Activation Ticket from Apple's Albert server.
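The "skip the check" patch the post describes for iBSS, iBEC and ASR, in general form, as an added example that is not code from the post or from ipwndfu: it locates a unique anchor byte pattern in a raw, already-decrypted AArch64 image, scans forward for the next conditional branch, confirms the word really is a B.cond encoding, and replaces it with NOP so execution falls through to the success path instead of aborting. The anchor bytes and the five-instruction sample "function" are constructed for illustration only; they are not real iBSS, iBEC or asr offsets or patterns, which you have to find by reverse engineering the actual binary.

```python
"""Pattern-based patcher for a raw AArch64 image.

Added example for this thread, not code from the post or from ipwndfu.
Assumptions: the image is already decrypted and unpacked, and the anchor
and instruction sequence below are CONSTRUCTED for illustration; they are
not real iBSS, iBEC or asr offsets or patterns.
"""
import hashlib
import struct

NOP = 0xD503201F  # AArch64 NOP encoding

# AArch64 B.cond: bits 31..24 = 0101 0100, bit 4 = 0, bits 3..0 = cond
BCOND_MASK = 0xFF000010
BCOND_VALUE = 0x54000000


def is_bcond(insn: int) -> bool:
    """True if the 32-bit word encodes a conditional branch (B.cond)."""
    return (insn & BCOND_MASK) == BCOND_VALUE


def word_at(image: bytes, off: int) -> int:
    """Little-endian 32-bit instruction word at byte offset off."""
    return struct.unpack_from("<I", image, off)[0]


def find_unique(image: bytes, pattern: bytes) -> int:
    """Offset of the only occurrence of pattern; refuse to patch ambiguously."""
    first = image.find(pattern)
    if first < 0:
        raise ValueError("anchor pattern not found")
    if image.find(pattern, first + 1) >= 0:
        raise ValueError("anchor pattern occurs more than once")
    return first


def nop_bcond_after(image: bytearray, anchor: bytes, max_words: int = 8) -> int:
    """Locate the anchor, then NOP the first B.cond within max_words after it.

    The comparison stays in place; only the branch that would abort (for
    example on a failed checksum or signature check) becomes a NOP.
    Returns the byte offset of the patched instruction.
    """
    start = find_unique(bytes(image), anchor) + len(anchor)
    if start % 4:
        raise ValueError("anchor is not 4-byte aligned")
    for off in range(start, min(start + 4 * max_words, len(image) - 3), 4):
        if is_bcond(word_at(image, off)):
            struct.pack_into("<I", image, off, NOP)
            return off
    raise ValueError("no conditional branch found after anchor")


def sha1_hex(image: bytes) -> str:
    """Digest of the image, so the patched build can be recorded."""
    return hashlib.sha1(bytes(image)).hexdigest()


# Constructed sample "function". The encodings are real AArch64
# instructions, but the sequence and its role are made up for this example.
SAMPLE_WORDS = [
    0xA9BF7BFD,  # stp x29, x30, [sp, #-16]!
    0x910003FD,  # mov x29, sp
    0x7100001F,  # cmp w0, #0        <- constructed anchor
    0x54000101,  # b.ne #+0x20       <- the abort branch to neutralise
    0xD65F03C0,  # ret
]
ANCHOR = struct.pack("<I", 0x7100001F)  # constructed, not a real asr pattern


def build_sample_image() -> bytearray:
    return bytearray(b"".join(struct.pack("<I", w) for w in SAMPLE_WORDS))


if __name__ == "__main__":
    img = build_sample_image()
    before = sha1_hex(img)
    off = nop_bcond_after(img, ANCHOR)
    print(f"patched B.cond at 0x{off:x}; sha1 {before} -> {sha1_hex(img)}")
```

The two guards are the point: requiring a unique anchor match stops the patch from landing in an unrelated function that happens to share a few bytes, and checking the instruction encoding stops you from overwriting a data word or a different instruction with NOP, which on a bootloader means a device that no longer boots. Recording the digest of the patched image is what lets you later tell which patched iBSS/iBEC/ramdisk a device was actually restored with.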
#2
Hi,

Will you release a tutorial?

Regards.
#3
@GeoSn0w, for iCloud-locked devices, will the jailbreak always be tethered, independently of the iOS version we install? Is there really no chance of making the SIM part work? Can you explain in detail why it's not possible?
#4
@GeoSn0w, is there a possible way to get the Apple ID of an iCloud-locked device? If I can get the ID, I can initiate the unlock. Thank you.
#5
(10-10-2019, 12:18 PM) greyhound Wrote: @GeoSn0w, is there a possible way to get the Apple ID of an iCloud-locked device? If I can get the ID, I can initiate the unlock. Thank you.

Only through GSX which I don't have access to.
#6
Hey, so I've been trying to create a modified IPSW; haven't done this since iOS 3.1.2, aha... It's for the 7 Plus, but I can't seem to put my modified setup.patch into the DMG. Any tips, or should I hold off until someone else figures this out? Thanks.