Open-source jailbreaking tool for many iOS devices

Overview

Open-source jailbreaking tool for many iOS devices

*Read disclaimer before using this software.

checkm8

  • permanent unpatchable bootrom exploit for hundreds of millions of iOS devices

  • meant for researchers, this is not a jailbreak with Cydia yet

  • allows dumping SecureROM, decrypting keybags for iOS firmware, and demoting device for JTAG

  • current SoC support: s5l8947x, s5l8950x, s5l8955x, s5l8960x, t8002, t8004, t8010, t8011, t8015

  • future SoC support: s5l8940x, s5l8942x, s5l8945x, s5l8747x, t7000, t7001, s7002, s8000, s8001, s8003, t8012

  • full jailbreak with Cydia on latest iOS version is possible, but requires additional work

Quick start guide for checkm8

  1. Use a cable to connect device to your Mac. Hold buttons as needed to enter DFU Mode.

  2. First run ./ipwndfu -p to exploit the device. Repeat the process if it fails, it is not reliable.

  3. Run ./ipwndfu --dump-rom to get a dump of SecureROM.

  4. Run ./ipwndfu --decrypt-gid KEYBAG to decrypt a keybag.

  5. Run ./ipwndfu --demote to demote device and enable JTAG.

Features

  • Jailbreak and downgrade iPhone 3GS (new bootrom) with alloc8 untethered bootrom exploit. :-)

  • Pwned DFU Mode with steaks4uce exploit for S5L8720 devices.

  • Pwned DFU Mode with limera1n exploit for S5L8920/S5L8922 devices.

  • Pwned DFU Mode with SHAtter exploit for S5L8930 devices.

  • Dump SecureROM on S5L8920/S5L8922/S5L8930 devices.

  • Dump NOR on S5L8920 devices.

  • Flash NOR on S5L8920 devices.

  • Encrypt or decrypt hex data on a connected device in pwned DFU Mode using its GID or UID key.

Dependencies

This tool should be compatible with Mac and Linux. It won't work in a virtual machine.

Tutorial

This tool can be used to downgrade or jailbreak iPhone 3GS (new bootrom) without SHSH blobs, as documented in JAILBREAK-GUIDE.

Exploit write-up

Write-up for alloc8 exploit can be found here:

https://github.com/axi0mX/alloc8

iBSS

Download iPhone 3GS iOS 4.3.5 IPSW from Apple:

http://appldnld.apple.com/iPhone4/041-1965.20110721.gxUB5/iPhone2,1_4.3.5_8L1_Restore.ipsw

In Terminal, extract iBSS using the following command, then move the file to ipwndfu folder:

unzip -p iPhone2,1_4.3.5_8L1_Restore.ipsw Firmware/dfu/iBSS.n88ap.RELEASE.dfu > n88ap-iBSS-4.3.5.img3

Coming soon!

  • Reorganize and refactor code.

  • Easier setup: download iBSS automatically using partial zip.

  • Dump SecureROM on S5L8720 devices.

  • Install custom boot logos on devices jailbroken with 24Kpwn and alloc8.

  • Enable verbose boot on devices jailbroken with 24Kpwn and alloc8.

Disclaimer

This is BETA software.

Backup your data.

This tool is currently in beta and could potentially brick your device. It will attempt to save a copy of data in NOR to nor-backups folder before flashing new data to NOR, and it will attempt to not overwrite critical data in NOR which your device requires to function. If something goes wrong, hopefully you will be able to restore to latest IPSW in iTunes and bring your device back to life, or use nor-backups to restore NOR to the original state, but I cannot provide any guarantees.

There is NO warranty provided.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

Toolchain

You will not need to use make or compile anything to use ipwndfu. However, if you wish to make changes to assembly code in src/*, you will need to use an ARM toolchain and assemble the source files by running make.

If you are using macOS with Homebrew, you can use binutils and gcc-arm-embedded. You can install them with these commands:

brew install binutils
brew cask install https://raw.githubusercontent.com/Homebrew/homebrew-cask/b88346667547cc85f8f2cacb3dfe7b754c8afc8a/Casks/gcc-arm-embedded.rb

Credit

geohot for limera1n exploit

posixninja and pod2g for SHAtter exploit

chronic, CPICH, ius, MuscleNerd, Planetbeing, pod2g, posixninja, et al. for 24Kpwn exploit

pod2g for steaks4uce exploit

walac for pyusb

You might also like...
React Native package for interacting with HomeKit devices

React Native package for interacting with HomeKit devices

Docker images for Swift on Raspberry Pi and other ARM devices from balena's base images.

Swift on Balena Welcome to Swift on Balena – a set of Docker images for Swift on Raspberry Pi and other ARM devices. These images are based on balena'

Ported scrcpy for mobile platforms, to remotely control Android devices on your iPhone or Android phone.
Ported scrcpy for mobile platforms, to remotely control Android devices on your iPhone or Android phone.

scrcpy-mobile Ported scrcpy for mobile platforms, to remotely control Android devices on your iPhone or Android phone. Currently only supports control

A tool to read the binarycookie format of Cookies on iOS applications

BinaryCookieReader Cloned from http://securitylearn.net/wp-content/uploads/tools/iOS/BinaryCookieReader.py ##Usage Python BinaryCookieReader.py [Cooki

ESP source code for Free Fire (iOS jailbreak)
ESP source code for Free Fire (iOS jailbreak)

ESP FreeFire ESP source code for Free Fire (iOS jailbreak, Free Fire version: 1.93.1). This source is for learning purpose only, please do not use it

Set `Open using Rosetta` option on Xcode easily
Set `Open using Rosetta` option on Xcode easily

xcode-arch A utility to switch running architecture of Xcode on M1 mac. Motivation Currently, there is no way to toggle Open using Rosetta option othe

Capacitor File Opener. The plugin is able to open a file given the mimeType and the file uri
Capacitor File Opener. The plugin is able to open a file given the mimeType and the file uri

Capacitor File Opener. The plugin is able to open a file given the mimeType and the file uri. This plugin is similar to cordova-plugin-file-opener2 without installation support.

Command line tool for exporting resources and generating code from your Figma files
Command line tool for exporting resources and generating code from your Figma files

Fugen Fugen is a command line tool for exporting resources and generating code from your Figma files. Currently, Fugen supports the following entities

A little beautifier tool for xcodebuild

xcbeautify xcbeautify is a little beautifier tool for xcodebuild. Similar to xcpretty, but faster. Features 2x faster than xcpretty. Human-friendly an

Owner
null
Enables easy, convenient asynchronous asset loading in RealityKit for many different kinds of assets.

RealityKit Asset Loading Discussion This package includes classes and examples that enable easy, convenient asynchronous asset loading in RealityKit f

Grant Jarvis 7 Dec 23, 2022
A free and open source xkcd comic reader for iOS.

A free, ad-free, open-source, native, and universal xkcd.com reader for iOS. Download it from the app store now! Architecture AFNetworking for network

Mike 249 Dec 12, 2022
Collaborative List of Open-Source iOS Apps

Open-Source iOS Apps A collaborative list of open-source iOS, iPadOS, watchOS and tvOS apps, your contribution is welcome ?? Jump to Apple TV Apple Wa

null 33k Dec 30, 2022
Joplin - an open source note taking and to-do application with synchronization capabilities for Windows, macOS, Linux, Android and iOS. Forum: https://discourse.joplinapp.org/

Joplin® is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. The notes are sea

Laurent 33.7k Dec 30, 2022
Beam: the open source Reddit client for iOS

Beam for Reddit An open source Reddit client for iOS. Introduction Hi, we're Awkward. In 2014, we started working on a Reddit client called Beam. In t

awkward 250 Dec 30, 2022
Free and open source manga reader for iOS and iPadOS.

Aidoku A free and open source manga reading application for iOS and iPadOS. Features Ad free Robust WASM source system Online reading through external

null 421 Jan 2, 2023
Start your next Open-Source Swift Framework 📦

SwiftKit enables you to easily generate a cross platform Swift Framework from your command line. It is the best way to start your next Open-Source Swi

Sven Tiigi 821 Dec 28, 2022
Open-source implementation of Apple's Combine for processing values over time

CombineX 简体中文 Open-source implementation of Apple's Combine for processing values over time. Though CombineX have implemented all the Combine interfac

Luo Xiu 1 Dec 30, 2021
Open source Clips-inspired app.

AlohaGIF Website Funny moments? Want to share it as a GIF, but you are worried that you will lose speech from video? Aloha will scan sound and attach

Mike Pyrka 61 Sep 16, 2022
Multitasking Drawer tweak for jailbroken iOS devices

PullOver-Pro Multitasking Drawer tweak for jailbroken iOS devices About PullOver Pro is multitasking substrate / jailbreak / runtime extension written

c1d3r 25 Oct 10, 2022