NEW iOS 13.1.3 / 13 / iOS 12 / 11 / 10 Nonce Setter FOR iOS DOWNGRADE RELEASED
Posted by: GeoSn0w - 10-16-2019, 09:29 AM - Forum: iOS Downgrade Corner - Replies (3)

In today's video, we're discussing the release of a universal Nonce Setter for #iOS 13.1.3 all the way down to iOS 9 or even iOS 8 for all the devices compatible with the CheckM8 BootROM exploit released by @axi0mX, which are the iPhone 4S all the way up to the iPhone X and everything in between. The Nonce Setter is a tool required if you want to downgrade from one iOS version to another, especially to an older jailbroken one. It allows you to set the nonce generator string from your saved SHSH2 blobs into the device NVRAM so that the device uses that particular blob during a restore, even if Apple no longer signs the version you are trying to restore to.

Previously, such tools existed, but they were based on tfp0 kernel exploits. My tool, called GeoSetter, is one of these. These tools predate the #CheckM8 exploit and were the only way to perform a downgrade with SHSH2 blobs. The tool released today, however, doesn't require tfp0 or even a jailbreak. This means that you can, for example, set the Nonce Generator on the latest iOS 13.1.3 right now on your iPhone 7, iPhone 7 Plus, etc. with no jailbreak needed.

SEP (Secure Enclave Processor) and the Baseband may still pose some issues, as they need to be compatible to avoid breaking them, but other than that, we finally have a universal nonce setter, which will help the jailbreak community a lot.

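A check worth running on a saved blob before pointing any nonce setter at it, as an added example for this thread (it is not GeoSetter, not the tool in the video, and not code from the original post). It assumes the generator-to-nonce derivation used by tsschecker-style tools: SHA-1 of the generator as a little-endian 64-bit integer on 64-bit devices before A10, and SHA-384 of the same bytes truncated to 32 bytes on A10 and later. It also assumes the blob stores its generator under the plist key `generator` and that the NVRAM variable a nonce setter writes is `com.apple.System.boot-nonce`. The board-ID set and both sample blobs are constructed for the example.

```python
"""Sanity-check a saved .shsh2 blob before setting its generator.

Added example; not GeoSetter or any released nonce setter. Assumptions:
  * 64-bit devices before A10: ApNonce = SHA-1(generator), 20 bytes.
  * A10 and later: ApNonce = SHA-384(generator) truncated to 32 bytes.
  * The 8-byte generator is hashed as a little-endian uint64.
  * A blob saved with its generator carries it as plist key "generator".
  * Nonce setters write NVRAM variable com.apple.System.boot-nonce.
"""
import hashlib
import plistlib

# Board IDs assumed to use the SHA-384 derivation (A10, A10X, A11).
# Everything 64-bit and older uses SHA-1.
A10_AND_LATER = {"t8010", "t8011", "t8015"}
BOOT_NONCE_VAR = "com.apple.System.boot-nonce"


def nonce_from_generator(generator: str, chip_id: str) -> bytes:
    """ApNonce the device reports after booting with this generator set."""
    value = int(generator, 16)            # accepts "0x..." or bare hex
    if not 0 <= value < 1 << 64:
        raise ValueError("generator must fit in 64 bits")
    raw = value.to_bytes(8, "little")     # hashed as little-endian uint64
    if chip_id.lower() in A10_AND_LATER:
        return hashlib.sha384(raw).digest()[:32]
    return hashlib.sha1(raw).digest()


def generator_from_blob(blob: bytes) -> str:
    """Generator the .shsh2 blob was saved with; raises if it has none."""
    plist = plistlib.loads(blob)
    generator = plist.get("generator")
    if not isinstance(generator, str):
        raise ValueError("blob saved without a generator; a nonce setter cannot use it")
    return generator


def blob_matches_nonce(blob: bytes, chip_id: str, expected_nonce_hex: str) -> bool:
    """True if the blob's generator reproduces the nonce the ticket was signed for.

    expected_nonce_hex is the BNCH value a ticket dumper (img4tool, for
    example) prints for the blob's ApImg4Ticket.
    """
    derived = nonce_from_generator(generator_from_blob(blob), chip_id)
    return derived == bytes.fromhex(expected_nonce_hex)


def boot_nonce_nvram_setting(generator: str) -> str:
    """The key=value pair a nonce setter writes, as `nvram -p` would show it."""
    value = int(generator, 16)
    return f"{BOOT_NONCE_VAR}=0x{value:016x}"


# Constructed stand-ins for tsschecker-saved .shsh2 files; the ticket bytes
# are placeholders, not real IM4M data.
SAMPLE_BLOB = plistlib.dumps({
    "generator": "0x1111111111111111",
    "ApImg4Ticket": b"placeholder, not a real IM4M",
})
BLOB_WITHOUT_GENERATOR = plistlib.dumps({
    "ApImg4Ticket": b"placeholder, not a real IM4M",
})

if __name__ == "__main__":
    gen = generator_from_blob(SAMPLE_BLOB)
    for chip in ("s8000", "t8010"):
        print(chip, gen, "->", nonce_from_generator(gen, chip).hex())
    print(boot_nonce_nvram_setting(gen))
```

If `blob_matches_nonce` returns False for the BNCH your ticket dumper shows, the blob was saved for a different nonce (or with no generator at all), and setting this generator will not make the restore accept it, whichever nonce setter you use.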

iOS 12.4 / 12.0 Unc0ver A12 JAILBREAK: Beta 2 / 3 With Camera / FaceID, GPS FIXES
Posted by: GeoSn0w - 10-16-2019, 01:35 AM - Forum: Jailbreak Releases - No Replies

In today's video, we're discussing the release of Unc0ver Jailbreak Beta 2 and Beta 3 for #A12 devices (iPhone XS, iPhone XR, iPhone XS Max), which fix the Camera, FaceID, App Store, GPS, USB, shutdown/restart and many other problems introduced in the very first beta of the Unc0ver Jailbreak when it started supporting A12 devices. This release fixes every bug and it should finally allow you to run all the tweaks you want. Beta 3 fixes an issue with Substrate support. It's recommended that you update your Unc0ver to the latest available.

Beta 3 contains all the fixes from Beta 2. Beta 2 also finally fully implements the AMFI / CoreTrust bypass added by Pwn20wnd when he released Beta 1. Unfortunately, Beta 1 was mostly unusable on A12 devices. Of course, this jailbreak supports iOS 12.4, iOS 12.2 and lower. There is no #iOS 12.4.1, iOS 13 or iOS 12.3 / 12.3.1 support because there is no tfp0 exploit. Also, this jailbreak does come with full Cydia and Substrate support, so all the tweaks designed to work with A12 devices should now work. It's no longer a partial A12 jailbreak.

In other news, Xen HTML for A12 has been posted on the Packix repo and it should now be available. The developer announced that the issues that were present with Beta 1 have been resolved once Pwn20wnd released Beta 2 and Beta 3 of #Unc0ver Jailbreak. 


Still errors loading preference bundles
Posted by: Rivo - 10-15-2019, 11:55 AM - Forum: Jailbreak Help - Replies (4)

After installing everything from the prettify repo, such as PreferenceLoader, RocketBootstrap and AppList, I am still getting the error that the preference bundles cannot be loaded for most tweaks. Any help?


Snowboard not able to apply theme
Posted by: Jassy_123 - 10-14-2019, 10:52 PM - Forum: Jailbreak Help - Replies (2)

Hi there, I'm using an XS Max on 12.4. When I apply a theme through Snowboard, I can't change the icons; the rest of the things are all good.
Thanks in advance


Camera still not fixed
Posted by: joshjorajuria - 10-14-2019, 09:50 PM - Forum: Jailbreak Help - Replies (1)

Did the new beta of Unc0ver on an A12 XR.
Still, the camera does not work, and neither does Snapchat.


iOS 13 / iOS 12 CheckRa1n JAILBREAK / CheckM8 CFW IMPORTANT News & Answers + IMG4Tool
Posted by: GeoSn0w - 10-14-2019, 12:59 AM - Forum: Jailbreak News - No Replies

In today's video, we're tackling again the topic of the #CheckRa1n Jailbreak, based on the CheckM8 SecureROM (BootROM) iOS exploit released 2 weeks ago by @axi0mX, as we have some news. In this video, we're discussing a newly released website, and we're also covering news about IMG4Tool, which is currently being updated; this is a very important tool for CFW creation on iOS 12, iOS 13 and so on for CheckM8. We're also discussing whether or not a Lambda Concept Bonobo cable is required in order to use CheckM8 or any tools made around CheckM8. These are all questions asked by you on Twitter or via comments on this channel, and we're going to answer them in this video.

The #IMG4Tool is a very important tool for anybody who is planning to create an iOS CFW for iCloud Bypass, Downgrades, DualBoot or even #Jailbreak. Why? Because most firmware components inside the IPSW are packed in an IMG4 / IM4P container nowadays. You won't be able to patch them without first extracting the data from that container. Unfortunately, it's not as easy as unpacking a ZIP file. You need special programs such as IMG4Tool by @tihmstar. In a tweet a few hours ago, tihmstar announced that he has finished updating IMG4Tool and he will release it soon with bug fixes and new features. A very welcome update, considering how important the tool is for CFW creation.

Lambda Concept's Bonobo cable was released the same day @axi0mX released the CheckM8 exploit, and it was made especially for it. It's a low-level tool for security researchers and developers who need JTAG. Many people asked me if this quite expensive cable is needed to be able to use #CheckM8 or any jailbreak based on it. In this video, I answer this question so that people know what they need to do if they are planning to use CheckM8.


iOS BootChain Explained / CFW iCloud Bypass Patches Needed
Posted by: GeoSn0w - 10-12-2019, 03:52 PM - Forum: iCloud Bypass Research - Replies (5)

One of the most well-known methods of bypassing iOS iCloud Activation is through a CFW (Custom Firmware), which is a patched version of iOS that usually has Setup.app patched or removed. This has been done for as long as activation has existed, ever since exploits like limera1n were released by geohot. This is not a new method, but over the years the BootChain of iOS has changed a bit, making patching a bit different.

For the sake of respecting Apple's intellectual property, I will not upload any modified iOS CFWs / iPSWs. However, in this post, I will detail the BootChain components, what they do and what patches need to be done on an individual basis for a CFW to boot using the newly released CheckM8 SecureROM (BootROM) exploit by security researcher @axi0mX.

The iOS Boot Sequence:

- SecureROM (BootROM) - It all starts here. This is the very first code that runs on the iOS device when it powers on. It's a small piece of code that handles the lowest level of the BootChain. This code is written into the silicon itself. No way for Apple or any other party to update this code via software. They'd basically need to produce a different SoC (A10 Chip, for example) and replace the one on your phone with the new one that has the BootROM exploit patched. iOS BootROM exploits are extremely rare and extremely expensive on the 0day market. Limera1n is maybe the most well-known BootROM exploit. It works on iPhone 4 and lower (A4 SoC). Up until @axi0mX released his CheckM8 BootROM exploit 2 weeks ago, we had no such exploit publicly available for A5 devices (iPhone 4S) or newer. CheckM8 supports iPhone 4S all the way up to iPhone X, and it was patched in the A12 SoC used in iPhone XS, XR, etc. The BootROM contains Apple's ROOT CA.

- LLB (Low-Level Bootloader) - This is also known as the "iBoot first-stage loader" and it is the first part of the chain loaded by the SecureROM after an SHSH2 blob check. This is part of the IPSW file for each iOS version. An exploit in here would be very powerful but it would be patchable by the next version. LLB runs a couple of setup routines, then it checks the SHSH2 blob of iBoot, loads it in memory and jumps to it if everything goes to plan (assuming a normal boot). When building a CFW, an initial patch would be here. You will need to patch iBoot downstream, so you need to also patch LLB to not check iBoot's signature.

- iBoot (iBoot Second-stage Loader) - This is another IPSW component flashed onto the device. It's often the target of so-called iBoot exploits, which are also powerful. Such exploits allow verbose boot, custom boot logos, and jailbreaks to be loaded. Unfortunately, such exploits can also be patched. The ubiquitous "Recovery Mode" is run by iBoot. It provides an interactive interface that can be used over USB through either a normal USB -> Lightning cable or a DCSD one. DCSD cables are Apple's internal tools, so they will not be discussed here. There's already a lot of research on those on The iPhone Wiki. iBoot is responsible for finding and loading the XNU kernel. iBoot needs to be patched if you are planning to load a custom or patched kernel.

- The XNU Kernel - The kernel and its kexts run the entire device. Security components such as AMFI (Apple Mobile File Integrity) and CoreTrust, which handle code signing on iOS, and the Sandbox profiles, which restrict apps based on their entitlements (part of MACF, the Mandatory Access Control Framework), as well as any other driver or bit of code required for apps to run and for hardware such as Bluetooth and GPS to work, and also the entire memory management, are all handled by the kernel. All iOS apps run under the kernel.

Apps such as the SpringBoard, daemons such as launchd, lockdownd, fairplayd, and many others, all run under the kernel itself. No kernel = no OS. So, if you are looking to jailbreak the device the CFW way, you would need to patch the kernel to disable AMFI, SandBoxing, maybe get tfp0 by patching the task_for_pid() function to allow you to get the task port for pid 0 (PID 0 = the kernel), and patch the kernel to allow remounting of the ROOT FS as Read / Write. I won't go into the details of these patches as they will be the subject of a different post under a different section of the forum.

- iBEC and iBSS - iBEC stands for iBoot Epoch Change and iBSS stands for iBoot Single Stage. These two components are uploaded from fake DFU mode during a restore. They're both stripped-down versions of iBoot, but they lack filesystem support. They're used to load one another: iBSS is loaded in fake DFU mode and it loads iBEC. iBEC receives, checks and loads the Restore Ramdisk, and the restore process begins. You meet iBEC and iBSS every time you restore an iPSW from fake DFU mode. iBEC also talks with iTunes (or whichever software handles the restore on the computer side). iBEC checks the signature of all the IMG4 (IM4P) or IMG3 files, which are the containers in which most iOS firmware components are stored.

For iOS CFW purposes, both iBEC and iBSS would need to be patched to remove all the checks they do. This can be done in any disassembler that supports ARM64 binaries.

Also, for a CFW to restore, if there were changes to the ROOT FS DMG file (such as removal of Setup.app), the ASR binary inside the Restore Ramdisk also needs to be patched because it would otherwise fail to restore the modified Root FileSystem.

These together form the so-called iOS Trusted BootChain. Trusted, because every time a new part of the chain is loaded, a check is done to ensure no tampering has taken place. That's why all the checks need to be stripped.

That's mostly it for now. Stay posted.
~GeoSn0w

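The IMG4Tool post above says most firmware components now sit in an IM4P container that has to be unpacked before patching, and the iBEC/iBSS paragraph in this post names the same IMG4 (IM4P) wrapper as what iBEC checks signatures on. The following is an added example covering both passages; it is not img4tool or any other part of tihmstar's code, and copies nothing from either post. It assumes the published IM4P layout (a DER SEQUENCE of the IA5String "IM4P", a four-character type, a description, the payload as an OCTET STRING, and an optional keybag OCTET STRING) and detects the two payload magics it knows about, "complzss" (LZSS) and "bvx2" (LZFSE). It does no decompression or decryption; the sample container is constructed inline.

```python
"""Unpack and repack the IM4P container most IPSW firmware components ship in.

Added example; not img4tool and not derived from it. Assumed layout (the
published IMG4 format):
  SEQUENCE {
    IA5String "IM4P", IA5String type (4 chars, e.g. "ibec"),
    IA5String description, OCTET STRING payload, [OCTET STRING keybag]
  }
"""
TAG_SEQUENCE, TAG_OCTET_STRING, TAG_IA5STRING = 0x30, 0x04, 0x16


def _der_length(n: int) -> bytes:
    """DER length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def der_read(buf: bytes, off: int = 0):
    """Return (tag, content, next_offset) for the TLV at buf[off]; rejects truncation."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or off + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    else:
        length = first
    end = off + length
    if end > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[off:end], end


def build_im4p(fourcc: str, description: str, payload: bytes, kbag=None) -> bytes:
    if len(fourcc) != 4:
        raise ValueError("IM4P type must be exactly four characters")
    items = [der(TAG_IA5STRING, b"IM4P"),
             der(TAG_IA5STRING, fourcc.encode("ascii")),
             der(TAG_IA5STRING, description.encode("ascii")),
             der(TAG_OCTET_STRING, payload)]
    if kbag is not None:
        items.append(der(TAG_OCTET_STRING, kbag))
    return der(TAG_SEQUENCE, b"".join(items))


def parse_im4p(data: bytes) -> dict:
    tag, body, _ = der_read(data)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    fields, off = [], 0
    while off < len(body):                 # walk every TLV inside the SEQUENCE
        t, content, off = der_read(body, off)
        fields.append((t, content))
    if (len(fields) < 4 or fields[0] != (TAG_IA5STRING, b"IM4P")
            or fields[3][0] != TAG_OCTET_STRING):
        raise ValueError("not an IM4P container")
    payload = fields[3][1]
    # The payload magic tells you what still stands between you and patchable bytes.
    if payload.startswith(b"complzss"):
        compression = "lzss"
    elif payload.startswith(b"bvx2"):
        compression = "lzfse"
    else:
        compression = None
    kbag = fields[4][1] if len(fields) > 4 and fields[4][0] == TAG_OCTET_STRING else None
    return {
        "type": fields[1][1].decode("ascii"),
        "description": fields[2][1].decode("ascii"),
        "payload": payload,
        "compression": compression,
        "kbag": kbag,   # present => payload is AES-encrypted; decrypt before patching
    }


def replace_payload(data: bytes, new_payload: bytes) -> bytes:
    """Repack a patched payload under the original type/description.

    The keybag is dropped: a payload you could patch was already decrypted.
    """
    info = parse_im4p(data)
    return build_im4p(info["type"], info["description"], new_payload)


# Constructed sample, not taken from any IPSW; long enough to need long-form lengths.
SAMPLE_IM4P = build_im4p("ibec", "iBoot-0000.0.0 (constructed sample)",
                         b"complzss" + bytes(300))

if __name__ == "__main__":
    info = parse_im4p(SAMPLE_IM4P)
    print(info["type"], info["description"], info["compression"], len(info["payload"]))
    print(parse_im4p(replace_payload(SAMPLE_IM4P, b"\x90" * 16))["payload"].hex())
```

Extract, patch the raw bytes in a disassembler, then repack with `replace_payload`; if `kbag` is not None the payload is still encrypted and must be decrypted first, and if `compression` is set it must be decompressed first. Signing the result into an IMG4 (IM4P plus IM4M manifest) is a separate step this example does not cover.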

iOS 13.1.2 / iOS 13 / 12 CheckM8 / CheckRa1n JAILBREAK / CFW News + PROGRESS
Posted by: GeoSn0w - 10-11-2019, 11:06 PM - Forum: Latest iCloud Bypass News - No Replies

In today's video, we're discussing the current status of the CheckM8 BootROM exploit released a week and a half ago by developer @axi0mX, as well as the current status of #CheckRa1n, a full jailbreak solution developed by the KJC team on top of the #CheckM8 exploit. The CheckM8 exploit is an unpatchable SecureROM (BootROM) exploit for the iPhone 4S all the way up to the iPhone 8 and iPhone X (and everything in between), supporting all #iOS versions that exist, or will exist, for these devices, which makes a jailbreak possible forever. In this video, we talk about the progress being made to port exploit features such as CFW creation to other devices beyond the initial support.

Of course, most developers in our community who started tackling this exploit quickly realized it's not an easy one. BootROM is the lowest level possible. This is written in the silicon chip and it cannot be updated by Apple. This is a very powerful exploit but with great power comes great responsibility. A Jailbreak or a CFW (Custom Firmware) made with this exploit would be tethered. It would require a program such as CheckRa1n to be started on the computer with the device in DFU Mode every time the person wants to enable the jailbreak or to boot the CFW. 

Big progress is also being made to port CheckRa1n to the Apple TV. In fact, Apple TV devices have similar SoCs, which contain a vulnerable version of the BootROM. This exploit has been patched in A12, so the iPhone XS, iPhone XS Max, iPhone XR, iPhone 11 and most newer iPads, except this year's iPad 7 (A10), are not vulnerable.


iOS 13.1.2 / 13.0 / 12.x CheckRa1n JAILBREAK / CFW With CheckM8 Exploit (NEWS)
Posted by: GeoSn0w - 10-10-2019, 02:35 PM - Forum: Jailbreak News - Replies (2)

In today's video, we're discussing the very first major project done using the CheckM8 SecureROM (BootROM) exploit for the iPhone 4S up to the iPhone X released by @axi0mX a few days ago. This project, called CheckRa1n, seems to be a very ambitious jailbreak project aimed at iOS 13.1.2 and lower. Big names working on this include axi0mX, Siguza, Luca Todesco, littlelailo, iH8Sn0w, and many others. A major jailbreak project like none in the past couple of years, which will definitely make history.

The CheckM8 exploit itself works on iPhone X, iPhone 8 / 8 Plus, iPhone 7 / 7 Plus, iPhone 6S / 6S Plus, iPhone SE, iPhone 6 / 6 Plus, iPhone 5S, iPhone 5C, iPhone 5 and iPhone 4S, on all iOS versions supported by these devices. And of course, this exploit cannot be patched, so these devices will be jailbreakable on any iOS version forever. 

The CheckRa1n project seems to contain two components: a computer program currently working on macOS, and an on-device component which shows a text-based user interface before the phone even boots to the home screen. They seem to have coded a bootloader-like low-level program that runs on the device and listens for the CheckRa1n computer program via USB. Once detected, the computer part of CheckRa1n uploads the patches to the iOS device, thus jailbreaking it. This is very similar to the RedSn0w jailbreak back in the day. Of course, such a jailbreak is tethered.


It's possible once again to bypass iCloud by using a CFW, with the CheckM8 Exploit
Posted by: GeoSn0w - 10-09-2019, 08:27 PM - Forum: Latest iCloud Bypass News - Replies (7)

A week ago, developer @axi0mX released a new SecureROM (BootROM) exploit for the iPhone 4S, iPhone 5, iPhone 5C, iPhone 5S, iPhone 6 / 6 Plus, iPhone 6S / 6S Plus, iPhone SE, iPhone 7 / 7 Plus, iPhone 8 / 8 Plus and iPhone X on all iOS versions supported by these devices. Quite a huge range. Such an exploit hasn't been released since 2010. It's been 10 years and nobody expected this release.

Of course, with a SecureROM exploit like checkm8, it's possible once again to patch iBEC, iBSS, the Restore Ramdisk (ASR, to be more precise) and of course patch or remove Setup.app from the ROOT File System DMG file (the largest in the iPSW archive). Carrying out these modifications requires some reverse engineering skills, but it's nothing too hard. iBEC and iBSS are bootloaders the SecureROM loads. They're crucial parts of the restore or normal boot. We'd need to patch both iBEC and iBSS to skip any checks they do for SHSH2 blobs and for the checksums of the ramdisks.

We need to also modify the Restore Ramdisk because it contains a binary called ASR ("Apple System Restore") which is responsible for literally taking the ROOT FileSystem DMG and burning it to the appropriate partition after the partition is created and after the ROOT FS DMG is verified against its checksum. This is where things would normally fail. ASR would complain that the DMG file doesn't match the normal checksum because you removed Setup.App from it (or patched it).

By patching ASR we ensure that it never stops the restore because of checksum mismatches, so the modified ROOT FS goes through, and all the rest of the files (LLB, AppleLogo, RecoveryMode, Stockholm, etc.) are not modified anyway. Of course, such a bypass would work, but it would be tethered. Every time you want to reboot the device, it would require the computer and the ipwndfu software.

Such a bypass would not have a functional SIM card because there is no real Activation Ticket from Apple's Albert server.


About Us
Welcome to the Jailbreak Central Forum! Here you can get the latest iOS Jailbreak News from iDevice Central, ask your jailbreak questions and request help, and find the best iOS modding tools for downgrade, CFW iCloud Bypass, Jailbreak and so on. :-)