Open-source jailbreaking tool for many iOS devices

Overview

Open-source jailbreaking tool for many iOS devices

*Read disclaimer before using this software.

checkm8

  • permanent unpatchable bootrom exploit for hundreds of millions of iOS devices

  • meant for researchers, this is not a jailbreak with Cydia yet

  • allows dumping SecureROM, decrypting keybags for iOS firmware, and demoting device for JTAG

  • current SoC support: s5l8947x, s5l8950x, s5l8955x, s5l8960x, t8002, t8004, t8010, t8011, t8015

  • future SoC support: s5l8940x, s5l8942x, s5l8945x, s5l8747x, t7000, t7001, s7002, s8000, s8001, s8003, t8012

  • full jailbreak with Cydia on latest iOS version is possible, but requires additional work

Quick start guide for checkm8

  1. Use a cable to connect device to your Mac. Hold buttons as needed to enter DFU Mode.

  2. First run ./ipwndfu -p to exploit the device. Repeat the process if it fails, it is not reliable.

  3. Run ./ipwndfu --dump-rom to get a dump of SecureROM.

  4. Run ./ipwndfu --decrypt-gid KEYBAG to decrypt a keybag.

  5. Run ./ipwndfu --demote to demote device and enable JTAG.

Features

  • Jailbreak and downgrade iPhone 3GS (new bootrom) with alloc8 untethered bootrom exploit. :-)

  • Pwned DFU Mode with steaks4uce exploit for S5L8720 devices.

  • Pwned DFU Mode with limera1n exploit for S5L8920/S5L8922 devices.

  • Pwned DFU Mode with SHAtter exploit for S5L8930 devices.

  • Dump SecureROM on S5L8920/S5L8922/S5L8930 devices.

  • Dump NOR on S5L8920 devices.

  • Flash NOR on S5L8920 devices.

  • Encrypt or decrypt hex data on a connected device in pwned DFU Mode using its GID or UID key.

Dependencies

This tool should be compatible with Mac and Linux. It won't work in a virtual machine.

Tutorial

This tool can be used to downgrade or jailbreak iPhone 3GS (new bootrom) without SHSH blobs, as documented in JAILBREAK-GUIDE.

Exploit write-up

Write-up for alloc8 exploit can be found here:

https://github.com/axi0mX/alloc8

iBSS

Download iPhone 3GS iOS 4.3.5 IPSW from Apple:

http://appldnld.apple.com/iPhone4/041-1965.20110721.gxUB5/iPhone2,1_4.3.5_8L1_Restore.ipsw

In Terminal, extract iBSS using the following command, then move the file to ipwndfu folder:

unzip -p iPhone2,1_4.3.5_8L1_Restore.ipsw Firmware/dfu/iBSS.n88ap.RELEASE.dfu > n88ap-iBSS-4.3.5.img3

Coming soon!

  • Reorganize and refactor code.

  • Easier setup: download iBSS automatically using partial zip.

  • Dump SecureROM on S5L8720 devices.

  • Install custom boot logos on devices jailbroken with 24Kpwn and alloc8.

  • Enable verbose boot on devices jailbroken with 24Kpwn and alloc8.

Disclaimer

This is BETA software.

Backup your data.

This tool is currently in beta and could potentially brick your device. It will attempt to save a copy of data in NOR to nor-backups folder before flashing new data to NOR, and it will attempt to not overwrite critical data in NOR which your device requires to function. If something goes wrong, hopefully you will be able to restore to latest IPSW in iTunes and bring your device back to life, or use nor-backups to restore NOR to the original state, but I cannot provide any guarantees.

There is NO warranty provided.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

Toolchain

You will not need to use make or compile anything to use ipwndfu. However, if you wish to make changes to assembly code in src/*, you will need to use an ARM toolchain and assemble the source files by running make.

If you are using macOS with Homebrew, you can use binutils and gcc-arm-embedded. You can install them with these commands:

brew install binutils
brew cask install https://raw.githubusercontent.com/Homebrew/homebrew-cask/b88346667547cc85f8f2cacb3dfe7b754c8afc8a/Casks/gcc-arm-embedded.rb

Credit

geohot for limera1n exploit

posixninja and pod2g for SHAtter exploit

chronic, CPICH, ius, MuscleNerd, Planetbeing, pod2g, posixninja, et al. for 24Kpwn exploit

pod2g for steaks4uce exploit

walac for pyusb

Auto Tor Ip Changer

AutoTor Auto Tor Ip Changer for Linux! git clone https://github.com/Arest7/AutoTor cd AutoTor pip install -r requirements.txt python3 AutoTor.py follo

Ken Ryuguji 3 Jan 23, 2022
Generate malicious files using recently published bidi-attack (CVE-2021-42574)

CVE-2021-42574 - Code generator Generate malicious files using recently published bidi-attack vulnerability, which was discovered in Unicode Specifica

js-on 7 Nov 09, 2022
PoC for CVE-2021-45897 aka SCRMBT-#180 - RCE via Email-Templates (Authenticated only) in SuiteCRM <= 8.0.1

CVE-2021-45897 PoC for CVE-2021-45897 aka SCRMBT-#180 - RCE via Email-Templates (Authenticated only) in SuiteCRM = 8.0.1 This vulnerability was repor

Manuel Zametter 17 Nov 09, 2022
A simple python code for hacking profile views

This code for hacking profile views. Not recommended to adding profile views in profile. This code is not illegal code. This code is for beginners.

Fayas Noushad 3 Nov 28, 2021
Android Malware Behavior Deleter

Android Malware Behavior Deleter UDcide UDcide is a tool that provides alternative way to deal with Android malware. We help you to detect and remove

27 Sep 23, 2022
CVE-2021-22005 - VMWare vCenter Server File Upload to RCE

CVE-2021-22005 - VMWare vCenter Server File Upload to RCE Analyze Usage ------------------------------------------------------------- [*] CVE-2021-220

r0cky 224 Aug 05, 2022
CVE-2022-21907 Vulnerability PoC

CVE-2022-21907 Description POC for CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability. create by antx at 2022-01-17, just some sm

Michele 16 Dec 18, 2022
A Radare2 based Python module for Binary Analysis and Reverse Engineering.

Zepu1chr3 A Radare2 based Python module for Binary Analysis and Reverse Engineering. Installation You can simply run this command. pip3 install zepu1c

Mehmet Ali KERİMOĞLU 5 Aug 25, 2022
PyPasser is a Python library for bypassing reCaptchaV3 only by sending 2 requests.

PyPasser is a Python library for bypassing reCaptchaV3 only by sending 2 requests. In 1st request, gets token of captcha and in 2nd request,

253 Jan 05, 2023
Ensure secure infrastructure and consistency with the firewall rules

Python Port Scanner This script tries to check if it's possible to make a connection with the specific endpoint port. This is very useful to ensure se

Allan Avelar 7 Feb 26, 2022
A Safer PoC for CVE-2022-22965 (Spring4Shell)

Safer_PoC_CVE-2022-22965 A Safer PoC for CVE-2022-22965 (Spring4Shell) Functionality Creates a file called CVE_2022-22965_exploited.txt in the tomcat

Colin Cowie 46 Nov 12, 2022
Docker Compose based system for running remote browsers (including Flash and Java support) connected to web archives

pywb Remote Browsers This repository provides a simple configuration for deploying any pywb with remote browsers provided by OWT/Shepherd Remote Brows

Webrecorder 10 Jul 28, 2022
A guide to building basic malware in Python by implementing a keylogger application

Keylogger-Malware-Project A guide to building basic malware in Python by implementing a keylogger application. If you want even more detail on the Pro

Noah Davis 1 Jan 11, 2022
CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE

CVE-2022-1388 CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE. POST /mgmt/tm/util/bash HTTP/1.1 Host: Accept-Encoding: gzip, deflate Accept: */

M4rtin Hsu 81 Dec 12, 2022
pwncat module that automatically exploits CVE-2021-4034 (pwnkit)

pwncat_pwnkit Introduction The purpose of this module is to attempt to exploit CVE-2021-4034 (pwnkit) on a target when using pwncat. There is no need

Dana Epp 33 Jul 01, 2022
Signatures and IoCs from public Volexity blog posts.

threat-intel This repository contains IoCs related to Volexity public threat intelligence blog posts. They are organised by year, and within each year

Volexity 130 Dec 29, 2022
Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr

Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr 64bit2key.py

Stefan Marsiske 15 Nov 26, 2022
Caretaker 2 Jun 06, 2022
SubFind - Subdomain Finder Tools

SubFind (Subdomain Finder Tools) Info Tools Result Of Subdomain Command In Termi

LangMurpY 2 Jan 25, 2022
Lite version of my Gatekeeper backdoor for public use.

Gatekeeper Lite Backdoor Fully functioning bind-type backdoor This backdoor is a fully functioning bind shell and lite version of my full functioning

Joe Helle 56 Mar 25, 2022