iOS BootChain Explained / CFW iCloud Bypass Patches Needed
Posted by: GeoSn0w - 10-12-2019, 03:52 PM - Forum: iCloud Bypass Research - Replies (5)
One of the most well-known methods of bypassing iOS iCloud Activation is through a CFW (Custom Firmware), which is a patched version of iOS that usually has Setup.app patched or removed. This has been done for as long as activation has existed, ever since exploits like limera1n were released by geohot. This is not a new method, but over the years the BootChain of iOS has changed a bit, making patching a bit different.
For the sake of respecting Apple's intellectual property, I will not upload any modified iOS CFWs / iPSWs. However, in this post, I will detail the BootChain components, what they do and what patches need to be done on an individual basis for a CFW to boot using the newly released CheckM8 SecureROM (BootROM) exploit by security researcher @axi0mX.
The iOS Boot Sequence:
- SecureROM (BootROM) - It all starts here. This is the very first code that runs on the iOS device when it powers on. It's a small piece of code that handles the lowest level of the BootChain. This code is written into the silicon itself. There is no way for Apple or any other party to update this code via software. They'd basically need to produce a different SoC (A10 Chip, for example) and replace the one on your phone with the new one that has the BootROM exploit patched. iOS BootROM exploits are extremely rare and extremely expensive on the 0day market. Limera1n is maybe the most well-known BootROM exploit. It works on iPhone 4 and lower (A4 SoC). Up until @axi0mX released his CheckM8 BootROM exploit 2 weeks ago, we had no such exploit publicly available for A5 devices (iPhone 4S) or newer. CheckM8 supports iPhone 4S all the way up to iPhone X, and it was patched in the A12 SoC used in iPhone XS, XR, etc. The BootROM contains Apple's ROOT CA.
- LLB (Low-Level Bootloader) - This is also known as the "iBoot first-stage loader" and it is the first part of the chain loaded by the SecureROM after an SHSH2 blob check. This is part of the IPSW file for each iOS version. An exploit in here would be very powerful but it would be patchable by the next version. LLB runs a couple of setup routines, then it checks the SHSH2 blob of iBoot, loads it in memory and jumps to it if everything goes to plan (assuming a normal boot). When building a CFW, an initial patch would be here. You will need to patch iBoot downstream, so you need to also patch LLB to not check iBoot's signature.
- iBoot (iBoot Second-stage Loader) - This is another IPSW component flashed onto the device. It is often the target of so-called iBoot exploits, which are also powerful. Such exploits allow verbose boot, custom boot logos, and jailbreaks to be loaded. Unfortunately, such exploits can also be patched. The ubiquitous "Recovery Mode" is run by iBoot. It provides an interactive interface that can be used over USB through either a normal USB -> Lightning cable or a DCSD one. DCSD cables are Apple's internal tools so they will not be discussed here. There's already a lot of research on those on The iPhone Wiki. iBoot is responsible for finding and loading the XNU Kernel. iBoot needs to be patched if you are planning to load a custom or patched kernel.
- The XNU Kernel - The Kernel and its kexts run the entire device. Security components such as AMFI (Apple Mobile File Integrity) and CoreTrust, which handle code signing on iOS, the SandBox profiles which restrict apps based on their entitlements (part of MACF, the Mandatory Access Control Framework), every other driver or bit of code required for apps to run and for devices such as Bluetooth and GPS to work, and the entire memory management are all handled by the kernel. All iOS apps run under the kernel.
Apps such as the SpringBoard, daemons such as launchd, lockdownd, fairplayd, and many others, all run under the kernel itself. No kernel = no OS. So, if you are looking to jailbreak the device the CFW way, you would need to patch the kernel to disable AMFI, SandBoxing, maybe get tfp0 by patching the task_for_pid() function to allow you to get the task port for pid 0 (PID 0 = the kernel), and patch the kernel to allow remounting of the ROOT FS as Read / Write. I won't go into the details of these patches as they will be the subject of a different post under a different section of the forum.
- iBEC and iBSS - iBEC stands for iBoot Epoch Change and iBSS stands for iBoot Single Stage. These two components are uploaded from fake DFU mode during a restore. They're both stripped-down versions of iBoot, but they lack support for filesystems. They're used to load one another: iBSS is loaded in fake DFU mode and it loads iBEC. iBEC receives, checks and loads the Restore Ramdisk and the restore process begins. You meet iBEC and iBSS every time you restore an iPSW from fake DFU mode. iBEC also talks with iTunes (or whichever software handles the restore on the computer side). iBEC checks the signature of all the IMG4 (IM4P) or IMG3 files, which are the containers in which most iOS Firmware components are stored.
For iOS CFW purposes, both iBEC and iBSS would need to be patched out of all the checks they do. This can be done in any Disassembler that supports ARM (64-Bit) files.
Also, for a CFW to restore, if there were changes to the ROOT FS DMG file (such as removal of Setup.app), the ASR binary inside the Restore Ramdisk also needs to be patched because it would otherwise fail to restore the modified Root FileSystem.
These together form the so-called iOS Trusted BootChain. Trusted, because every time a new part of the chain is loaded, a check is done to ensure no tampering has taken place. That's why all the checks need to be stripped.
That's mostly it for now. Stay posted.
~GeoSn0w
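To make the "trusted" part of the chain concrete, here is a small Python model added to this page (not code from GeoSn0w, Apple, or any jailbreak tool): each stage pins a SHA-256 digest of the stage it loads, standing in for the real IMG4 signature checks rooted in the BootROM's CA. The stage names match the post; the sample images, the `repin` helper and the scenario functions are constructed for this illustration. The scenarios show a modified kernel being rejected by iBoot, and that re-pinning the mutable stages only moves the rejection up to SecureROM, which is why the chain's strength rests entirely on the one piece of code that cannot be updated.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

ORDER = ["SecureROM", "LLB", "iBoot", "kernel"]   # each stage verifies the next one
# Constructed stand-in images: arbitrary bytes to hash, not real firmware.
SAMPLE_IMAGES = {"SecureROM": b"securerom-sample", "LLB": b"llb-sample",
                 "iBoot": b"iboot-sample", "kernel": b"xnu-sample"}

@dataclass
class Stage:
    name: str
    image: bytes                          # the code of this stage
    expected_next: Optional[str] = None   # digest this stage accepts for its successor

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_chain(images: dict) -> list:
    """Pin each stage to the digest of the stage it loads (stand-in for the IMG4 signature check)."""
    stages = [Stage(name, images[name]) for name in ORDER]
    for cur, nxt in zip(stages, stages[1:]):
        cur.expected_next = digest(nxt.image)
    return stages

def boot(stages: list) -> tuple:
    """Walk the chain top-down; return (booted, rejection). SecureROM itself is never checked."""
    for cur, nxt in zip(stages, stages[1:]):
        if digest(nxt.image) != cur.expected_next:
            return False, f"{cur.name} rejected {nxt.name}"
    return True, None

def repin(stage: Stage, successor: Stage) -> None:
    """Make a stage accept a modified successor. The check is part of the stage's own
    image, so changing it changes the digest that the stage above has pinned."""
    stage.expected_next = digest(successor.image)
    stage.image += b"+altered-check"

def scenario_clean() -> tuple:
    return boot(build_chain(SAMPLE_IMAGES))

def scenario_modified_kernel() -> tuple:
    chain = build_chain(SAMPLE_IMAGES)
    chain[3].image = b"xnu-sample-modified"
    return boot(chain)          # iBoot is the stage that catches the change

def scenario_modified_kernel_repinned() -> tuple:
    """Re-pin iBoot, then LLB, for the modified kernel: the mismatch climbs the chain
    until SecureROM, whose pin is in silicon and cannot be re-pinned."""
    chain = build_chain(SAMPLE_IMAGES)
    chain[3].image = b"xnu-sample-modified"
    for i in (2, 1):
        repin(chain[i], chain[i + 1])
    return boot(chain)
```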

iOS 13.1.2 / iOS 13 / 12 CheckM8 / CheckRa1n JAILBREAK / CFW News + PROGRESS
Posted by: GeoSn0w - 10-11-2019, 11:06 PM - Forum: Latest iCloud Bypass News - No Replies
In today's video, we're discussing the current status of the CheckM8 BootROM exploit released a week and a half ago by developer @axi0mX, as well as the current status of #CheckRa1n, a full Jailbreak solution developed by the KJC team on top of the #CheckM8 exploit. The CheckM8 exploit is an unpatchable SecureROM (BootROM) exploit for iPhone 4S all the way up to the iPhone 8 and iPhone X (and everything in between), supporting all #iOS versions that exist or will exist for these devices, making a jailbreak possible forever. In this video, we talk about the progress being made to port the exploit's features, such as CFW creation, to other devices beyond the initial support.
Of course, most developers in our community who started tackling this exploit quickly realized it's not an easy one. BootROM is the lowest level possible. This is written into the silicon chip and it cannot be updated by Apple. This is a very powerful exploit, but with great power comes great responsibility. A Jailbreak or a CFW (Custom Firmware) made with this exploit would be tethered. It would require a program such as CheckRa1n to be started on the computer with the device in DFU Mode every time the person wants to enable the jailbreak or to boot the CFW.
Big progress is also being made to port CheckRa1n to Apple TV. In fact, Apple TV devices have similar SoCs which contain a vulnerable version of the BootROM. This exploit has been patched in A12, so iPhone XS, iPhone XS Max, iPhone XR, iPhone 11 and most newer iPads, except this year's iPad 7 (A10), are not vulnerable.

iOS 13.1.2 / 13.0 / 12.x CheckRa1n JAILBREAK / CFW With CheckM8 Exploit (NEWS)
Posted by: GeoSn0w - 10-10-2019, 02:35 PM - Forum: Jailbreak News - Replies (2)
In today's video, we're discussing the very first major project done using the CheckM8 SecureROM (BootROM) exploit for iPhone 4S up to iPhone X, released by @axi0mX a few days ago. This project, called CheckRa1n, seems to be a very ambitious jailbreak project aimed at iOS 13.1.2 and lower. Big names working on this include axi0mX, Siguza, Luca Todesco, littlelailo, iH8Sn0w, and many others. It is a major jailbreak project like none in the past couple of years, and it will definitely make history.
The CheckM8 exploit itself works on iPhone X, iPhone 8 / 8 Plus, iPhone 7 / 7 Plus, iPhone 6S / 6S Plus, iPhone SE, iPhone 6 / 6 Plus, iPhone 5S, iPhone 5C, iPhone 5 and iPhone 4S, on all iOS versions supported by these devices. And of course, this exploit cannot be patched, so these devices will be jailbreakable on any iOS version forever.
The CheckRa1n project seems to contain two components: a computer program currently working on macOS, and an on-device component which shows a text-based user interface before the phone even boots to the home screen. They seem to have coded a bootloader-like low-level program that runs on the device and listens to CheckRa1n via USB. Once detected, the computer part of CheckRa1n uploads the patches to the iOS device, thus jailbreaking it. This is very similar to the RedSn0w Jailbreak back in the day. Of course, such a jailbreak is tethered.

It's possible once again to bypass iCloud by using a CFW, with the CheckM8 Exploit
Posted by: GeoSn0w - 10-09-2019, 08:27 PM - Forum: Latest iCloud Bypass News - Replies (7)
A week ago, developer @axi0mX released a new SecureROM (BootROM) exploit for iPhone 4S, iPhone 5, iPhone 5C, iPhone 5S, iPhone 6 / 6 Plus, iPhone 6S / 6S Plus, iPhone SE, iPhone 7 / 7 Plus, iPhone 8 / 8 Plus and iPhone X on all iOS versions supported by these devices. Quite a huge range. Such an exploit hasn't been released since 2010. It's been 10 years and nobody expected this release.
Of course, with a SecureROM exploit like checkm8, it's possible once again to patch iBEC, iBSS, the Restore Ramdisk (ASR, to be more precise) and of course patch or remove Setup.App from the ROOT File System DMG file (the largest in the iPSW archive). Carrying out these modifications requires some reverse engineering skills, but it's nothing too hard. iBEC and iBSS are bootloaders the SecureROM loads. They're crucial parts of the Restore or normal boot. We'd need to patch both iBEC and iBSS to skip any checks these do for SHSH2 blobs and for the checksums of the Ramdisks.
We also need to modify the Restore Ramdisk because it contains a binary called ASR ("Apple System Restore") which is responsible for literally taking the ROOT FileSystem DMG and burning it to the appropriate partition after the partition is created and after the ROOT FS DMG is verified against its checksum. This is where things would normally fail. ASR would complain that the DMG file doesn't match the normal checksum because you removed Setup.App from it (or patched it).
By patching ASR we ensure that it never stops the restore because of checksum mismatches, so the modified ROOT FS goes through, and all the rest of the files (LLB, AppleLogo, RecoveryMode, Stockholm, etc.) are not modified anyway. Of course, such a bypass would work, but it would be tethered. Every time you want to reboot the device it would require the computer and the ipwndfu software.
Such a bypass would not have a functional SIM card because there is no real Activation Ticket from Apple's Albert server.

Real Android On iPhone X, iPhone 8, iPhone 7, Etc. Now POSSIBLE (CheckM8 Exploit)
Posted by: GeoSn0w - 10-08-2019, 09:45 AM - Forum: General iOS Discussion - Replies (1)
In today's video, we tackle an interesting topic which seems almost impossible at first sight: can you possibly run real Android on a current or slightly older iPhone like the iPhone X, iPhone 8, iPhone 6S, iPhone 7 and so on? It used to be possible back on the iPhone 2G and the first iPod Touch, through a project called iDroid and OpeniBoot, but that was almost 10 years ago. We are about to experience another revolution in the iPhone modifying community with the release of the CheckM8 BootROM exploit by developer @axi0mX a week ago. This, combined with a ton of work, would enable Android to run on iOS devices once again.
So yes, it is definitely possible now that we can control what runs on the devices we paid for, thanks to @axi0mX's very generous release, but that doesn't mean it is an easy task whatsoever. Android has a ton of drivers that need to be re-built or completely ditched. You see, Apple doesn't always use standard components for their devices, and this is especially true for their ICs. The A** chip, for example the A10 in the iPhone 7 Plus and iPhone 7, is a proprietary Apple chip that simply doesn't exist on Android. So Power Management, Memory handling, NVRAM, States, NOR, NAND, etc. have to be tackled from scratch at a low level if we were to create a new bootloader to be able to load Android.
It takes more than a tweak developer to port #Android to #iOS devices. This is very low-level programming and requires a solid understanding of Apple's hardware and possibly a ton of research, but it IS possible. Until the release of #CheckM8 the answer would have been a resounding NO, because even with all the research in the world and all the drivers ready, there would have been no way to load those files on the device. Today, thanks to @axi0mX's historical release that made headlines on all major news outlets, it's once again possible!

jb for a12 on 12.4.1
Posted by: ferdyp3108 - 10-07-2019, 01:48 AM - Forum: Jailbreak Help - Replies (1)
Hi, I'm late for the 12.4 window. I had enough money to buy the iPad Pro 2018 just a day before the window closed, and by the time it arrived, Apple had closed the window. Although I think I managed to get an iPad Pro whose production date is in August, when Apple should have been using 12.4 for the iPad, it seems that Apple did not ship the iPad Pro 2018 with the 12.4 version; it came with iOS 12.3.1. So I followed your advice to wait at 12.4.1 for now, and I know that some guy announced he's gonna release the tfp0 for A12 12.4.1. But do you have any idea when it will possibly be released?

iOS 12.4 / 12.2 / 12.0 Unc0ver JAILBREAK A12: Beta 2 NEWS (Fixes For Camera, GPS)
Posted by: GeoSn0w - 10-06-2019, 11:14 PM - Forum: Jailbreak News - No Replies
Although with the release of the CheckM8 exploit for A5 to A11 (iPhone 4S to iPhone X) devices it may seem that the entire community forgot about A12 devices (iPhone XS, iPhone XR, and iPhone XS Max), that is not the case. A few weeks ago Pwn20wnd released Beta 1 of the Unc0ver Jailbreak with full support for #A12. It was, however, mostly a failure, as multiple and severe bugs were encountered by people, such as Camera not working, FaceID not working, Keychain not working, GPS not working, AppStore not working, Tweaks not showing in Settings, and other such issues. In this video, we're discussing the news about Beta 2 of this jailbreak, which aims to fix all the aforementioned issues once and for all.
The good news is that Pwn20wnd knows exactly what causes all of these issues and he's working on Beta 2 as I am writing this. According to him, a fix already exists but he wants to perfect it (probably to avoid repeating the mistakes of Beta 1). But beta software is not called beta for no reason; it is bound to have bugs and to need repairs. The release of the CheckM8 BootROM exploit by @axi0mX a few days ago has pulled the community's attention away from the A12 Jailbreak a bit, but we're slowly getting back to it. You should expect these issues to be fixed soon, and #Unc0ver Beta 2 should hopefully make the A12 devices finally properly jailbroken on iOS 12.0 to iOS 12.4.
As always, do not forget to SUBSCRIBE to stay updated with the latest #iOS and #Jailbreak news, tutorials and updates!

iOS 13 / iOS 12.4.1 Chronic JAILBREAK Announced & Big CFW News
Posted by: GeoSn0w - 10-04-2019, 04:42 AM - Forum: Jailbreak News - No Replies
In today's video, we're discussing some very important news for the iOS Jailbreak community. First, from Tihmstar, who has released a very important tool that allows us to patch iBEC and iBSS (part of the iOS bootchain), which is required if you wanna build a CFW (Custom Firmware) for iCloud Bypass, Jailbreak, Downgrades or other purposes. Then, from Linus Henze, who has released a modified version of the checkm8 BootROM exploit (initially released by developer axi0mX), with Linus' fork supporting sending the modified iBSS and iBEC to the pwned DFU device for some devices. Chronic is also making a comeback, if you remember the Chronic Dev Team and their greenpois0n tools.
Security researcher Will Strafach (Chronic) asked a few days ago on Twitter whether people would be interested in a fully stable jailbreak based on the checkm8 bootrom exploit for all the supported devices (iPhone 4S all the way up to iPhone X), on all supported iOS versions (iOS 6 to iOS 13.x). The response has been huge and he said he'll provide more details soon. It's only been a couple of days since developer @axi0mX made history by releasing the very first iOS BootROM exploit in nearly 10 years, and tools that make use of it are already starting to pop up. Of course, Apple knew about the vulnerability, and newer devices such as 2018's iPhone XS, iPhone XR and iPhone XS Max have the bug patched. So do 2019's iPhone 11 models.
As always, do not forget to SUBSCRIBE to stay updated with the latest #iOS and #Jailbreak news, tutorials and updates!