Skip to content

Latest commit

 

History

History
152 lines (103 loc) · 6.57 KB

README.md

File metadata and controls

152 lines (103 loc) · 6.57 KB

Open-source jailbreaking tool for many iOS devices

*Read disclaimer before using this software.

checkm8

  • Permanent, unpatchable bootrom exploit for hundreds of millions of iOS devices
  • Meant for researchers, this is not a jailbreak with Cydia yet (see below)
  • Allows dumping SecureROM, decrypting keybags for iOS firmware, and demoting device for JTAG
  • current SoC support:
    • s5l8947x
    • s5l8950x
    • s5l8955x
    • s5l8960x
    • t8002
    • t8004
    • t8010
    • t8011
    • t8015
  • future SoC support:
    • s5l8940x
    • s5l8942x
    • s5l8945x
    • s5l8747x
    • t7000
    • t7001
    • s7002
    • s8000
    • s8001
    • s8003
    • t8012

(more support information in Detailed Support)

Full (Cydia-inclusive) jailbreak on any iOS version is possible, but requires additional work

Dependencies

This tool is compatible with macOS and Linux [NO WINDOWS SUPPORT FOR NOW]. It won't work in a virtual machine.

  • libusb If you are using Linux: install libusb using your package manager.
  • Python 2.7 Python 3 is NOT backwards compatible
  • iPhone 3GS iOS 4.3.5 iBSS

Quick start guide for checkm8

  1. Use a cable to connect device to your Mac or Linux machine. Hold buttons as needed to enter DFU Mode.
  2. First run ./ipwndfu -p to exploit the device. Repeat the process if it fails, it is not reliable.
  3. Run ./ipwndfu --dump-rom to get a dump of SecureROM.
  4. Run ./ipwndfu --decrypt-gid KEYBAG to decrypt a keybag.
  5. Run ./ipwndfu --demote to demote device and enable JTAG.

Detailed-Support

This table lists all currently supported devices for the checkm8 exploit:

SoC CPUID Name Supported Devices
S5L8930 0x8930 A4 * iPad
* iPhone 4
* iPod Touch (4th Gen)
* Apple TV (2nd Gen)
S5L8947 0x8947 A5 (rev. B) * Apple TV (3rd Gen)
S5L8950 0x8950 A6 * iPhone 5
* iPhone 5c
S5L8955 0x8955 A6X * iPad (4th Gen)
S5L8950
S5L8965
0x8960 A7 * iPhone 5S
* iPad mini 2
* iPad mini 3
* iPad Air
T8002 0x8002 S1P S2 T1 * Apple Watch S1
* Apple Watch S2
* T1 iBridge
T8004 0x8004 S3 * Apple Watch S3
T8010 0x8010 A10 Fusion * iPad (6th Gen)
* iPad (7th Gen)
* iPhone 7/7+
* iPod Touch (7th Gen)
T8011 0x8011 A10X Fusion * iPad Pro (2nd Gen)
* Apple TV 4K
T8015 0x8015 A11 Bionic * iPhone 8/8+
* iPhone X

If your device is not on this list, it is NOT SUPPORTED Future device support is being worked on, please be patient. If you have a device older than the iPhone 3GS (the iPhone 3G or original) or newer than the iPhone X (all A12 and A13 devices), this tool will not support your device. Not now, most likely not ever.

Features

  • Jailbreak and downgrade iPhone 3GS (new bootrom) with alloc8 untethered bootrom exploit. :-)
  • Pwned DFU Mode with steaks4uce exploit for S5L8720 devices.
  • Pwned DFU Mode with limera1n exploit for S5L8920/S5L8922 devices.
  • Pwned DFU Mode with SHAtter exploit for S5L8930 devices.
  • Dump SecureROM on S5L8920/S5L8922/S5L8930 devices.
  • Dump NOR on S5L8920 devices.
  • Flash NOR on S5L8920 devices.
  • Encrypt or decrypt hex data on a connected device in pwned DFU Mode using its GID or UID key.

Tutorial

This tool can be used to downgrade or jailbreak iPhone 3GS (new bootrom) without SHSH blobs, as documented in JAILBREAK-GUIDE.

Exploit write-up

Write-up for alloc8 exploit can be found here

iBSS

  • Download iPhone 3GS iOS 4.3.5 IPSW from Apple
  • In Terminal, extract iBSS using the following command, then move the file to ipwndfu folder:
    unzip -p iPhone2,1_4.3.5_8L1_Restore.ipsw Firmware/dfu/iBSS.n88ap.RELEASE.dfu > n88ap-iBSS-4.3.5.img3
    

Coming soon!

  • Reorganize and refactor code.
  • Easier setup: download iBSS automatically using partial zip.
  • Dump SecureROM on S5L8720 devices.
  • Install custom boot logos on devices jailbroken with 24Kpwn and alloc8.
  • Enable verbose boot on devices jailbroken with 24Kpwn and alloc8.

Disclaimer

This is BETA software.

Backup your data.

This tool is currently in beta and could potentially brick your device. It will attempt to save a copy of data in NOR to nor-backups folder before flashing new data to NOR, and it will attempt to not overwrite critical data in NOR which your device requires to function. If something goes wrong, hopefully you will be able to restore to latest IPSW in iTunes and bring your device back to life, or use nor-backups to restore NOR to the original state, but I cannot provide any guarantees.

There is NO warranty provided.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

Toolchain

You will not need to use make or compile anything to use ipwndfu. However, if you wish to make changes to assembly code in src/*, you will need to use an ARM toolchain and assemble the source files by running make.

If you are using macOS with Homebrew, you can use binutils and gcc-arm-embedded. You can install them with these commands:

brew install binutils
brew cask install https://raw.githubusercontent.com/Homebrew/homebrew-cask/b88346667547cc85f8f2cacb3dfe7b754c8afc8a/Casks/gcc-arm-embedded.rb

Credit

geohot for limera1n exploit

posixninja and pod2g for SHAtter exploit

chronic, CPICH, ius, MuscleNerd, Planetbeing, pod2g, posixninja, et al. for 24Kpwn exploit

pod2g for steaks4uce exploit

walac for pyusb