ipwndfu

ipwndfu is an open-source jailbreaking tool for many iOS devices.

checkm8

  • permanent unpatchable bootrom exploit for hundreds of millions of iOS devices
  • Meant for researchers, this is not a jailbreak with Cydia yet
  • allows dumping SecureROM, decrypting keybags for iOS firmware, and demoting device for JTAG
  • current SoC support: s5l8947x, s5l8950x, s5l8955x, s5l8960x, t8002, t8004, t8010, t8011, t8015
  • future SoC support: s5l8940x, s5l8942x, s5l8945x, s5l8747x, t7000, t7001, s7002, s8000, s8001, s8003, t8012
  • full jailbreak with Cydia on the latest iOS version is possible, but requires additional work

Quick start guide for checkm8

  1. Use a cable to connect the device to your Mac. Hold buttons as needed to enter DFU Mode.
  2. First run ./ipwndfu -p to exploit the device. Repeat the process if it fails; it is not reliable.
  3. Run ./ipwndfu --dump-rom to get a dump of SecureROM.
  4. Run ./ipwndfu --decrypt-gid KEYBAG to decrypt a keybag.
  5. Run ./ipwndfu --demote to demote device and enable JTAG.

Features

  • Jailbreak and downgrade iPhone 3GS (new bootrom) with alloc8 untethered bootrom exploit. 🙂
  • Pwned DFU Mode with steaks4uce exploit for S5L8720 devices.
  • Pwned DFU Mode with limera1n exploit for S5L8920/S5L8922 devices.
  • Pwned DFU Mode with SHAtter exploit for S5L8930 devices.
  • Dump SecureROM on S5L8920/S5L8922/S5L8930 devices.
  • Dump NOR on S5L8920 devices.
  • Flash NOR on S5L8920 devices.
  • Encrypt or decrypt hex data on a connected device in pwned DFU Mode using its GID or UID key.

Dependencies

This tool should be compatible with Mac and Linux. It won’t work in a virtual machine.

  • libusb. If you are using Linux, install libusb using your package manager.

    Jailbreak guide for iPhone 3GS (new bootrom)

    Steps

      1. Backup your data. Everything will be removed from your phone as it is a full restore.
      2. Generate a custom 24Kpwn IPSW for iPhone 3GS (old bootrom).
      3. Restore to this custom IPSW on your iPhone 3GS (new bootrom).
      4. After restore is complete, your phone will connect back to your computer in DFU Mode. The screen will be black. This is expected. 24Kpwn exploit does not work on iPhone 3GS (new bootrom).
      5. Use ipwndfu to put your device into pwned DFU Mode:

         $ ./ipwndfu -p
         *** based on limera1n exploit (heap overflow) by geohot ***
         Found: CPID:8920 CPRV:15 CPFM:03 SCEP:03 BDID:00 ECID:XXXXXXXXXXXXXXXX SRTG:[iBoot-359.3.2]
         Device is now in pwned DFU Mode.

      6. Once in pwned DFU Mode, use the -x flag to install the alloc8 exploit. This step will replace 24Kpwn exploit with alloc8.

         $ ./ipwndfu -x
         Installing alloc8 exploit to NOR.
         Dumping NOR, part 1/8.
         Dumping NOR, part 2/8.
         Dumping NOR, part 3/8.
         Dumping NOR, part 4/8.
         Dumping NOR, part 5/8.
         Dumping NOR, part 6/8.
         Dumping NOR, part 7/8.
         Dumping NOR, part 8/8.
         NOR backed up to file: nor-backups/nor-XXXXXXXXXXXXXXXX-20170409-224258.dump
         Sending iBSS.
         Waiting for iBSS to enter Recovery Mode.
         Sending iBSS payload to flash NOR.
         Sending run command.
         If screen is not red, NOR was flashed successfully and device will reboot.

    Notes:

      • Installation takes about 30 seconds. Once NOR is being flashed, the screen will be green for about 10 seconds, and then your phone will reboot.
      • If there are any errors before the screen turned green, it is safe to try again.
      • If the screen turns red, something went wrong while your phone was being flashed. Trying again probably won’t help.
      • If there are no issues, the phone will reboot and automatically boot into iOS.

    3 second delay during boot when using a phone jailbroken with alloc8

      • alloc8 exploit takes about 3 seconds to run.
      • When your phone is off, to turn it on you will need to keep holding the Power button for at least 3 seconds, or your phone will not turn on. This might be because LLB protects against accidental presses of the Power button by shutting down the phone if the power button is not being held anymore. Without an exploit it takes less than a second before this check happens, but with alloc8 exploit it will happen after about 3 seconds. It might be possible to change this behavior by patching LLB.
      • If your phone enters deep sleep, there will be a 3 second delay before it wakes up. This can be fixed if you disable deep sleep with a tweak from Cydia, but your phone’s battery life will decrease.

    Where to download older IPSWs

    Always download IPSWs directly from Apple, because IPSWs from other sites could be infected with malware.
    There is a trusted site where you can find legitimate Apple download links for older IPSW files: https://ipsw.me/

    How to create a 24Kpwn IPSW

    iOS version   Tool
    iOS 3.1       PwnageTool 3.1.3
    iOS 3.1.2     PwnageTool 3.1.5
    iOS 3.1.3     PwnageTool 3.1.5
    iOS 4.0       PwnageTool 4.01
    iOS 4.3.3     redsn0w 0.9.15 beta 3
    iOS 5.0       redsn0w 0.9.15 beta 3
    iOS 5.0.1     redsn0w 0.9.15 beta 3
    iOS 5.1       redsn0w 0.9.15 beta 3
    iOS 5.1.1     redsn0w 0.9.15 beta 3

    Notes on using redsn0w 0.9.15b3

    Q: Will this custom IPSW be used on a newer (fixed) version of the iPhone3GS? A: No

    You must answer No to create a 24Kpwn IPSW using redsn0w. If you did this correctly, the name of the custom IPSW from redsn0w will start with NO_BB_OLDROM_iPhone2,1.

    Compatibility with older iOS versions

    Newer phones might not support some older versions of iOS. You cannot brick your phone by attempting to restore an older version of iOS, so it might be worth it to try anyway. If iTunes restore fails with Error 28, the hardware of your phone is not compatible with that version of iOS.
    Manufactured   Error 28   Success
    Week 38 2010   N/A        3.1+
    Week 48 2010   N/A        3.1+
    Week 3 2011    3.x        4.3.3+
    Week 14 2011   3.x        4.0+
    Week 23 2011   N/A        3.1.2+
    Week 29 2011   3.x        4.0+
    Week 36 2011   3.x        4.0+
    Week 26 2012   3.x, 4.x   5.0+

    You can find the week and year of manufacture by looking at the serial number of your phone. If your phone is from 2011 or 2012, help me expand this list and let me know what versions worked or didn’t work.

    Decoding iPhone 3GS serial number

    Serial number: AABCCDDDEE
    AA  = Device ID
    B   = Year of production: 2009=9, 2010=0, 2011=1, 2012=2
    CC  = Week of production
    DDD = Unique ID
    EE  = Color
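    As an added example (not code from the ipwndfu project), the serial layout and the compatibility table above combined into one small Python helper: it splits a serial into its fields, rejects malformed input, and looks up the nearest tabulated production week. The AABCCDDDEE layout and the COMPAT rows are taken from this page; the sample serials used in the comments are constructed.

```python
import re
from dataclasses import dataclass

# Year digit B in the AABCCDDDEE layout (from the page): 2009=9, 2010=0, 2011=1, 2012=2.
YEAR_DIGIT = {"9": 2009, "0": 2010, "1": 2011, "2": 2012}

# (year, week) -> (iOS versions that fail with Error 28, versions that restored OK),
# copied from the compatibility table above. "N/A" means no failure was reported.
COMPAT = {
    (2010, 38): ("N/A", "3.1+"),
    (2010, 48): ("N/A", "3.1+"),
    (2011, 3): ("3.x", "4.3.3+"),
    (2011, 14): ("3.x", "4.0+"),
    (2011, 23): ("N/A", "3.1.2+"),
    (2011, 29): ("3.x", "4.0+"),
    (2011, 36): ("3.x", "4.0+"),
    (2012, 26): ("3.x, 4.x", "5.0+"),
}

@dataclass
class Serial3GS:
    device_id: str
    year: int
    week: int
    unique_id: str
    color: str

def decode_serial(serial: str) -> Serial3GS:
    """Split a 10-character AABCCDDDEE serial into its fields, rejecting malformed input."""
    s = serial.strip().upper()
    if not re.fullmatch(r"[0-9A-Z]{10}", s):
        raise ValueError("expected a 10-character serial in AABCCDDDEE layout")
    if s[2] not in YEAR_DIGIT:
        raise ValueError(f"unknown year digit {s[2]!r} (layout covers 2009-2012 only)")
    if not s[3:5].isdigit() or not 1 <= int(s[3:5]) <= 53:
        raise ValueError(f"week field {s[3:5]!r} is not a valid production week")
    # Constructed sample "880380XXYY" -> Serial3GS("88", 2010, 38, "0XX", "YY")
    return Serial3GS(s[0:2], YEAR_DIGIT[s[2]], int(s[3:5]), s[5:8], s[8:10])

def compat_lookup(sn: Serial3GS) -> tuple:
    """Return (error28_versions, success_versions, weeks_from_tabulated_row).
    The table is not monotonic (week 23 2011 is 3.1.2+ but week 14 is 4.0+), so nothing is
    interpolated: an exact row gives distance 0, otherwise the nearest row plus its distance."""
    def weeks_apart(k):
        return abs((k[0] - sn.year) * 52 + (k[1] - sn.week))
    nearest = min(COMPAT, key=weeks_apart)
    return (*COMPAT[nearest], weeks_apart(nearest))
```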

    How to restore to a custom IPSW

      1. Enter DFU Mode: https://www.theiphonewiki.com/wiki/DFU_Mode
      2. Run exploit to put your phone into pwned DFU Mode. You can use ./ipwndfu -p.
      3. Any version of iTunes should work. In iTunes, hold Option (or SHIFT if using Windows) and click Restore. You should be prompted to choose a file. Choose your custom IPSW.

Written By:

  • Michael Warner - Michael Warner is an award-winning tech journalist, developer, and digital entrepreneur with over 15 years of hands-on experience in iOS jailbreaking, app development, and tweak creation. He is the founder of Zee iPA Library, a leading platform in the alternative app distribution ecosystem, trusted by millions of iOS enthusiasts worldwide.

    Michael Warner is an award-winning tech journalist and iOS developer with over 25 years of experience in jailbreaking, Cydia, Sileo tweak creation, and mobile app innovation. As the founder of Zee iPA Library, he’s a trusted name in the iOS community. Based in Australia, he also blogs about sports and lifestyle, and is a proud father of two.