iPhone 5s (6,2) - 0% success rate when pwning DFU #96
Comments
Your device was likely not in DFU mode. |
? |
Can you post more of the terminal output, including the commands you used? |
This exploit works perfectly fine on my iPhone 5 and iPad 4 using the same cable and machine, so I don't think they're the problem. |
I’m glad I’m not alone, I’ve tried over 100 times on my iPhone 5S. Put the device in DFU fine and even confirmed with `lsusb -v | grep -i apple` that it shows the iPhone in DFU mode. But then in the middle of running the exploit, my phone reboots into normal mode and shows that error |
Do you also have the 6,2 model? Probably the exploit works fine on 6,1, especially seeing how other people have managed to pwn their 5s phones. |
Yes 6,2 model |
Well, it looks like only 6,1 works right now. :/ |
I've got an another device here (iPad mini 2 Wi-Fi only aka iPad4,4) and it doesn't work either. Perhaps the support for A7 devices is simply not finished yet. |
Can you try this in your python interpreter and post the output (if any)?

```python
import sys, time
import usb, usb.core  # pyusb: use 'pip install pyusb' to install this module
import usb.backend.libusb1
import libusbfinder  # libusbfinder.py ships in the ipwndfu checkout; run from that directory

backend = usb.backend.libusb1.get_backend(find_library=lambda x: libusbfinder.libusb1_path())
# Probe the three Apple (0x5AC) boot-mode product IDs that ipwndfu looks for
list(usb.core.find(find_all=True, idVendor=0x5AC, idProduct=0x1226, backend=backend))
list(usb.core.find(find_all=True, idVendor=0x5AC, idProduct=0x1227, backend=backend))
list(usb.core.find(find_all=True, idVendor=0x5AC, idProduct=0x1228, backend=backend))
```
|
I don't get any output (tried iPhone 5s and iPad 4.) |
Also please post the output of |
|
I'm interested to know if your device has been recognized with
Can you try if your device also returns |
Yes, it does return 0x1227. |
(It's quite late in my timezone right now, I'll try to contact you back tomorrow.) |
Well thanks for following along, your device is recognized by the OS but not by The devices I have show up in

```python
import usb, usb.core, usb.backend.libusb1, libusbfinder

backend = usb.backend.libusb1.get_backend(find_library=lambda x: libusbfinder.libusb1_path())
# List every USB device the libusb backend can see, not just Apple ones
list(usb.core.find(find_all=True))
```

(in which case an item similar to this |
Give me like 2 hours and I’ll be home and I can continue troubleshooting with you and show you the output of the previous commands |
I don't have a 6,2 (i have a 6,1), but have you guys tried this PR? |
@melvyn2 might be worth a shot but it seems their system errors before reaching the lines of code changed in that PR. |
Ah okay, sorry. |
So mine returns 0x1227 too. And your code snippet provides no output here, then the iPhone goes to the Apple logo and boots normally |
Tried that PR, didn't work |
My iPad 4, even though got pwned successfully, didn't get detected by the script just like my iPhone 5s. I think I'll try using VM, as it might actually be my MacBook's fault. |
I assume you ran Python with
detects your device and
does not, |
What’s strange is that using the same command pwned my iPhone 8 Plus fine but my iPhone 5S is still facing the same problem. Yes, I ran python with sudo |
I don’t think it’s USB problem. The exploit forces the device to reboot, which I think is caused by a BootROM crash. I assume the patches that checkm8 makes are incorrect. |
In addition, A6 devices, even if can be pwned easily, reboot if you try to send a file over USB. |
Edit: I was wrong, this is not related to the problem. I'm sorry to have sidetracked you. |
The output of the second command is:
But the exploit still causes the device to reboot |
Considering that qwertyoruiop will release his own set of tools soon (which are written in C), I think I’ll close this issue. I have a theory that libusb is the one to blame here, as it’s the only part of the code that throws exceptions after unsuccessfully running the exploit. In the meantime, if you’re like me and aren’t patient, just get yourself an FMI A10-A11 device for cheap and use that one for experiments, as they seem to work for everyone. For other devices - wait for more stable tools, as this Python-written most likely will not receive any updates regarding the library issues. |
@DaJakerBoss my changes are very simple, I just added print messages in different places. PS: sorry for the VS Code trash in the commit, forgot the .gitignore xD |
I think there is trouble in the SoC/SecureROM-version-specific params, like different offsets, descriptors etc. |
iPad Air. Same problem. |
@marikuns after using your fork I managed to get the exact same faults
Weird. And yet someone managed to (using the Linus Henze fork) get to a pwndfu and set nonce... PART 2
|
@ L0WP1X3L
|
Linus’ fork didn’t run any better for me, the same things happened; might go back and add debugging lines per the example
… On Oct 4, 2019, at 20:00, mingyipli ***@***.***> wrote:
@ L0WP1X3L
I have been facing the same problems with my iPhone 5S (iPhone6,2) for a couple of days.
I succeeded today after the following moves:
Update to the latest iOS (maybe not needed)
Connect to the Mac and enter DFU mode
Close the iTunes app on the Mac and kill the iTunes Helper daemon process through the terminal
Clone the fork from LinusHenze ipwndfu_public (better iPhone 5S support).
Run with sudo, e.g. sudo ./ipwndfu -p
I suggest you try the above before giving up.
Hope the above actually helps.
|
Didn't work. |
iPhone 6,1, same problem (with macOS 10.15 VMware & Ubuntu 19 VMware) |
did anyone that got this to work use Linux? if so, which distro? |
It’s a pretty common saying ‘round these parts that VMs do *not actually work*, so you may consider an Ubuntu LiveUSB
|
I've tried with a Kali live USB. I was able to put it in pwned DFU; I was having trouble installing the exploit but I was able to demote and get a SecureROM dump, but once I restarted I wasn't able to duplicate the scenario again. On iPad mini 2 |
Today I've tried in Ubuntu 16.
And my iPhone automatically reboots |
I have found it'll sometimes just say exploit failed on Linus's fork. But 99% of the time it'll still give me |
ooh more stuff
|
Alex, how did you get that debug? Are you using GeoHot's fork?
…On Sun, Oct 6, 2019 at 3:47 AM Alex King ***@***.***> wrote:
ooh more stuff
```text
[15467.593321] usb 5-3: New USB device found, idVendor=05ac, idProduct=1227, bcdDevice= 0.00
[15467.593325] usb 5-3: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[15467.593327] usb 5-3: Product: Apple Mobile Device (DFU Mode)
[15467.593329] usb 5-3: Manufacturer: Apple Inc.
[15467.593331] usb 5-3: SerialNumber: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:02 ECID:000004B749860FB0 IBFL:1C SRTG:[iBoot-1704.10]
[15504.444494] usb 5-3: reset high-speed USB device number 52 using ehci-pci
[15504.622424] usb 5-3: usbfs: process 12993 (ipwndfu) did not claim interface 0 before use
[15504.628177] usb 5-3: USB disconnect, device number 52
```
|
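The kernel log quoted above is the most concrete diagnostic data in this thread, so here is an added example (not code from ipwndfu, from any fork, or from any poster here) that turns such `dmesg` lines into a per-port record: which Apple product ID enumerated, the `CPID`/`BDID`/`ECID`/`SRTG` fields from the DFU serial string, and the reset, unclaimed-interface and disconnect events that followed. The sample input is the quoted excerpt re-joined into one kernel message per line; the product-ID table only labels 0x1227, which the kernel itself calls "DFU Mode" on this page, and the event classification and the regular expressions are my own assumptions about the log format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the dmesg excerpt quoted in this thread, re-joined into
# one kernel message per line (the mail client had wrapped the long lines).
SAMPLE_DMESG = """\
[15467.593321] usb 5-3: New USB device found, idVendor=05ac, idProduct=1227, bcdDevice= 0.00
[15467.593325] usb 5-3: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[15467.593327] usb 5-3: Product: Apple Mobile Device (DFU Mode)
[15467.593329] usb 5-3: Manufacturer: Apple Inc.
[15467.593331] usb 5-3: SerialNumber: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:02 ECID:000004B749860FB0 IBFL:1C SRTG:[iBoot-1704.10]
[15504.444494] usb 5-3: reset high-speed USB device number 52 using ehci-pci
[15504.622424] usb 5-3: usbfs: process 12993 (ipwndfu) did not claim interface 0 before use
[15504.628177] usb 5-3: USB disconnect, device number 52
"""

APPLE_VID = 0x05AC
# Only 0x1227 is labelled by the kernel log on this page ("DFU Mode"); the other
# PIDs the thread's pyusb snippet probes for are left unlabelled on purpose.
PID_LABELS = {0x1227: "DFU Mode"}

LINE_RE = re.compile(r"^\[\s*(?P<ts>[\d.]+)\] usb (?P<port>[\d.-]+): (?P<msg>.*)$")
NEW_DEV_RE = re.compile(r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL_RE = re.compile(r"^SerialNumber: (?P<serial>.*)$")
PROC_RE = re.compile(r"process (?P<pid>\d+) \((?P<name>[^)]+)\)")
# The DFU serial string is KEY:VALUE pairs; SRTG's value is bracketed, so accept
# either a bracketed token or a run of non-space characters as the value.
KV_RE = re.compile(r"([A-Z]+):(\[[^\]]*\]|\S+)")


def parse_dmesg(text: str) -> Dict[str, list]:
    """Build a per-port record of Apple boot-mode devices and the reset /
    unclaimed-interface / disconnect events the kernel logged after them."""
    devices: Dict[str, dict] = {}
    events: List[dict] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a usb core message; ignore
        ts, port, msg = float(m["ts"]), m["port"], m["msg"]
        nd = NEW_DEV_RE.search(msg)
        if nd:
            vid, pid = int(nd["vid"], 16), int(nd["pid"], 16)
            if vid == APPLE_VID:
                devices[port] = {"port": port, "seen_at": ts, "vid": vid, "pid": pid,
                                 "label": PID_LABELS.get(pid, "unlabelled Apple PID"),
                                 "product": None, "serial": {}}
            continue
        if port in devices and msg.startswith("Product: "):
            devices[port]["product"] = msg[len("Product: "):]
            continue
        sm = SERIAL_RE.match(msg)
        if sm and port in devices:
            devices[port]["serial"] = dict(KV_RE.findall(sm["serial"]))
            continue
        if msg.startswith("reset "):
            events.append({"ts": ts, "port": port, "kind": "reset", "process": None})
        elif "did not claim interface" in msg:
            pm = PROC_RE.search(msg)
            events.append({"ts": ts, "port": port, "kind": "unclaimed_interface",
                           "process": pm["name"] if pm else None})
        elif msg.startswith("USB disconnect"):
            events.append({"ts": ts, "port": port, "kind": "disconnect", "process": None})
    return {"devices": list(devices.values()), "events": events}


def reset_to_disconnect_seconds(parsed: Dict[str, list], port: str) -> Optional[float]:
    """Seconds between the first bus reset and the first disconnect on a port,
    or None if either is missing: a quick check for the 'device dropped right
    after the tool touched it' pattern described in this thread."""
    stamps: Dict[str, float] = {}
    for ev in parsed["events"]:
        if ev["port"] == port and ev["kind"] not in stamps:
            stamps[ev["kind"]] = ev["ts"]
    if "reset" in stamps and "disconnect" in stamps:
        return round(stamps["disconnect"] - stamps["reset"], 3)
    return None


def describe(parsed: Dict[str, list]) -> List[str]:
    """One line per device, plus one per port that reset and then dropped."""
    out = []
    for dev in parsed["devices"]:
        s = dev["serial"]
        out.append(f"{dev['port']}: {dev['vid']:04x}:{dev['pid']:04x} {dev['label']} "
                   f"product={dev['product']!r} CPID={s.get('CPID')} BDID={s.get('BDID')} "
                   f"ECID={s.get('ECID')} SRTG={s.get('SRTG')}")
        delta = reset_to_disconnect_seconds(parsed, dev["port"])
        if delta is not None:
            out.append(f"{dev['port']}: disconnected {delta}s after bus reset")
    return out


if __name__ == "__main__":
    for line in describe(parse_dmesg(SAMPLE_DMESG)):
        print(line)
```

Run it with `sudo dmesg | python3 parse_dfu_dmesg.py` after replacing `SAMPLE_DMESG` with `sys.stdin.read()`; on the quoted log it reports the 5s enumerating as `05ac:1227 DFU Mode` with `CPID=8960` and a disconnect 0.184 s after the bus reset, which is the timeline several posters describe in words.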
Alright, and so I finally got checkm8 to work on the 5s. I TRIED EVERYTHING on several Linux distros. Before giving up I tried a hackintosh and IT WORKED! |
What version of macOS do you have installed? |
@fengwenhua you have to run the tool with superuser powers, run |
I used MacOS Mojave (10.14) |
After using Linus Henze’s ipwndfu_public, around 15 retries later I’ve actually managed to enter pwned DFU on my iPhone 5s. Took me 10 minutes to do so though, but at least it works. |
Sorry for the late reply, this is the output of sudo dmesg |
Do you mean that using another macOS version can help solve this problem? |
It’s hardware dependent, not software. From what I can tell, you need to use a non-Apple PC running either Linux or macOS, since the USB controllers Apple puts in their machines have some serious issues with ipwndfu in particular (every other checkm8 utility that exists right now works fine on every machine, no matter what hardware or software they’re running on.) |
After retrying 20 times, I still haven't managed to get my 5s to enter pwned DFU. The phone reboots around 7 seconds after the tool has been run, then it returns this timeout error:
Do I need to keep trying, or is this a common issue with A7 devices?