Jailbreak Central - The Best Jailbreak Forum!

Full Version: It's possible once again to bypass iCloud by using a CFW, with the CheckM8 Exploit
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
A week ago, developer @axi0mX has released a new SecureROM (BootROM) exploit for iPhone 4S, iPhone 5, iPhone 5C, iPhone 5S, iPhone 6 / 6 Plus, iPhone 6S / 6S Plus, iPhone SE, iPhone 7 / 7 Plus, iPhone 8 / 8 Plus and iPhone X on all iOS versions supported by these devices. Quite a huge range. Such an exploit hasn't been released since 2010. It's been 10 years and nobody expected this release.

Of course, with a SecureROM exploit like checkm8, it's possible once again to patch iBEC, iBSS, the Restore Ramdisk (ASR to be more precise) and of course patch or remove Setup.App from the ROOT File System DMG file (the largest in the iPSW archive). Carrying these modifications requires some reverse engineering skills but it's nothing too hard. iBEC and iBSS are bootloaders the SecureROM loads. They're crucial parts of the Restore or normal boot. We'd need to patch both iBEC and iBSS to skip any checks these do for SHSH2 blobs and for the checksums of the Ramdisks.

We need to also modify the Restore Ramdisk because it contains a binary called ASR ("Apple System Restore") which is responsible for literally taking the ROOT FileSystem DMG and burning it to the appropriate partition after the partition is created and after the ROOT FS DMG is verified against its checksum. This is where things would normally fail. ASR would complain that the DMG file doesn't match the normal checksum because you removed Setup.App from it (or patched it).

By patching ASR we ensure that it never stops the restore because of checksum mismatches so the modified ROOT FS goes through and all the rest of the files (LLB, AppleLogo, RecoveryMode, Stockholm, etc.) are not modified anyways. Of course, such a bypass would work, but it would be tethered. Every time you want to reboot the device it would require the computer and the ipwndfu software.

Such a bypass would not have a functional SIM card because there is no real Activation Ticket from Apple's Albert server.
Hi,

You will release an tutorial?

Regards.
@GeoSn0w for icloud locked devices the jailbreak will always be tethered indipendently from the version of ios we install? Are there really no chance about make the sim part works? Can you explain why it's not possible in details?
@GeoSn0w is there a possible way to get the Apple ID of an iCloud locked device? If I can get the ID, I can initiate the unlock. Thank you.
(10-10-2019, 12:18 PM)greyhound Wrote: [ -> ]@GeoSn0w is there a possible way to get the Apple ID of an iCloud locked device? If I can get the ID, I can initiate the unlock. Thank you.

Only through GSX which I don't have access to.
Hey so been trying to create a modified ipsw haven't done this since ios 3.1.2 aha... Its for the 7 plus but can't seem to put my modified setup.patch into the dmg and tips or should I hold off until someone else figures this out? thanks
(10-09-2019, 08:27 PM)GeoSn0w Wrote: [ -> ]A week ago, developer @axi0mX has released a new SecureROM (BootROM) exploit for iPhone 4S, iPhone 5, iPhone 5C, iPhone 5S, iPhone 6 / 6 Plus, iPhone 6S / 6S Plus, iPhone SE, iPhone 7 / 7 Plus, iPhone 8 / 8 Plus and iPhone X on all iOS versions supported by these devices. Quite a huge range. Such an exploit hasn't been released since 2010. It's been 10 years and nobody expected this release.

Of course, with a SecureROM exploit like checkm8, it's possible once again to patch iBEC, iBSS, the Restore Ramdisk (ASR to be more precise) and of course patch or remove Setup.App from the ROOT File System DMG file (the largest in the iPSW archive). Carrying these modifications requires some reverse engineering skills but it's nothing too hard. iBEC and iBSS are bootloaders the SecureROM loads. They're crucial parts of the Restore or normal boot. We'd need to patch both iBEC and iBSS to skip any checks these do for SHSH2 blobs and for the checksums of the Ramdisks.

We need to also modify the Restore Ramdisk because it contains a binary called ASR ("Apple System Restore") which is responsible for literally taking the ROOT FileSystem DMG and burning it to the appropriate partition after the partition is created and after the ROOT FS DMG is verified against its checksum. This is where things would normally fail. ASR would complain that the DMG file doesn't match the normal checksum because you removed Setup.App from it (or patched it).

By patching ASR we ensure that it never stops the restore because of checksum mismatches so the modified ROOT FS goes through and all the rest of the files (LLB, AppleLogo, RecoveryMode, Stockholm, etc.) are not modified anyways. Of course, such a bypass would work, but it would be tethered. Every time you want to reboot the device it would require the computer and the ipwndfu software.

Such a bypass would not have a functional SIM card because there is no real Activation Ticket from Apple's Albert server.

SO, in that case, the method for a CFW IPSW described here combined with the checkm8 will get an iPhone 6s+ booting without iCloud activation??? (IF I read this entire forum right....) 

BUT, sadly, no SIM...til the iCloudfixer from this post hit the street, but looking at that it's a hit-n-miss...

But Geo, it will give this phone normal operation excepting the telephone...hmmmm, why not build a better driver for the broadband modem...one that doesn't require the files to activate the SIM??

I'm coming from an Android environment, so I'm trying to understand this whole icloud activation BS...but a friend had me hack the pincode on this unit, it's not showing in any way bad...just that the previous owner had dementia of some such happen and now the unit is locked with the APPLE ID...

I can understand the need for locking against theft, but DAAANG, these dogs didn't do anything but BOOST sales massively with this....

Please someone, Point me in the right direction to start....THANKS
yes,Geo,Release videp tutorial for creatin cfw 10.3.3 for 5s and downgrading with bypass on OTA-Script Downgrder by Matthew Pirson