open-source jailbreaking tool for older iOS devices
aes-keys Add AES keys for 5.0 Apr 16, 2017
bin Implement --remove-24kpwn and --remove-alloc8 Jun 16, 2017
libusbfinder Update Mavericks bottle to latest available Oct 5, 2018
nor-backups Initial commit Apr 11, 2017
repo Documentation changes and Logo Apr 21, 2017
src Implement --remove-24kpwn and --remove-alloc8 Jun 16, 2017
usb Simplify dependencies: remove requirement for pip and pyusb Apr 27, 2017
.gitignore Make libusbfinder into a module May 29, 2017
JAILBREAK-GUIDE.md Update device compatibility list Jun 9, 2017
LICENSE Initial commit Apr 11, 2017
Makefile Implement steaks4uce exploit for S5L8720 devices Jun 4, 2017
README.md Add ARM toolchain info to README Oct 6, 2018
SHAtter.py Implement steaks4uce exploit for S5L8720 devices Jun 4, 2017
alloc8.py Implement --remove-24kpwn and --remove-alloc8 Jun 16, 2017
dfu.py Increase USB timeouts Jun 7, 2017
dfuexec.py Implement --remove-24kpwn and --remove-alloc8 Jun 16, 2017
ibootpatcher Implement ibootpatcher for EL3->EL1 on iBoot64 Aug 14, 2017
image3.py Implement --remove-24kpwn and --remove-alloc8 Jun 16, 2017
image3_24Kpwn.py Implement --remove-24kpwn and --remove-alloc8 Jun 16, 2017
ipwndfu Implement --remove-24kpwn and --remove-alloc8 Jun 16, 2017
ipwnrecovery Add --enable-uart Jun 14, 2017
limera1n.py Sleep after requesting image validation Jun 9, 2017
nor.py Refactor 24Kpwn and alloc8 NOR-related code Jun 14, 2017
recovery.py Increase USB timeouts Jun 7, 2017
steaks4uce.py Increase USB timeouts Jun 7, 2017
utilities.py Refactor utilities Jun 7, 2017


Open-source jailbreaking tool for older iOS devices

Read the Disclaimer section before using this software.

Features

  • Jailbreak and downgrade iPhone 3GS (new bootrom) with alloc8 untethered bootrom exploit. :-)

  • Pwned DFU Mode with steaks4uce exploit for S5L8720 devices.

  • Pwned DFU Mode with limera1n exploit for S5L8920/S5L8922 devices.

  • Pwned DFU Mode with SHAtter exploit for S5L8930 devices.

  • Dump SecureROM on S5L8920/S5L8922/S5L8930 devices.

  • Dump NOR on S5L8920 devices.

  • Flash NOR on S5L8920 devices.

  • Encrypt or decrypt hex data on a connected device in pwned DFU Mode using its GID or UID key.

Dependencies

This tool should be compatible with Mac and Linux. It won't work in a virtual machine.

Tutorial

This tool can be used to downgrade or jailbreak iPhone 3GS (new bootrom) without SHSH blobs, as documented in JAILBREAK-GUIDE.md.

Exploit write-up

Write-up for alloc8 exploit can be found here:

https://github.com/axi0mX/alloc8

iBSS

Download iPhone 3GS iOS 4.3.5 IPSW from Apple:

http://appldnld.apple.com/iPhone4/041-1965.20110721.gxUB5/iPhone2,1_4.3.5_8L1_Restore.ipsw

In Terminal, extract iBSS from the IPSW (an IPSW is a plain zip archive) using the following command, then move the resulting file into the ipwndfu folder:

unzip -p iPhone2,1_4.3.5_8L1_Restore.ipsw Firmware/dfu/iBSS.n88ap.RELEASE.dfu > n88ap-iBSS-4.3.5.img3
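The unzip step above only pulls one member out of the archive; it does not tell you whether you got a valid Image3 container. The following is an added example (not part of ipwndfu or its image3.py) showing how to do the same extraction from Python and then sanity-check the result by parsing the Image3 header and walking its tags. It assumes the standard Image3 layout: a 20-byte header of magic, fullSize, sizeNoPack, sigCheckArea and ident (four-character codes are stored byte-reversed on disk), followed by tags of magic, totalLength, dataLength and data. The IPSW used in the test is constructed in memory, so the script runs offline; point `extract_ibss` at a real IPSW's bytes to check the real iBSS.

```python
import io
import struct
import zipfile

# Four-character codes are little-endian on disk, so 'Img3' appears as b'3gmI'.
IMG3_MAGIC = b"Img3"[::-1]
# Member path inside the iPhone 3GS 4.3.5 IPSW, as in the unzip command above.
IBSS_PATH = "Firmware/dfu/iBSS.n88ap.RELEASE.dfu"


def extract_ibss(ipsw_bytes, member=IBSS_PATH):
    """Read one member out of an IPSW (a plain zip) without unpacking the rest."""
    with zipfile.ZipFile(io.BytesIO(ipsw_bytes)) as z:
        return z.read(member)


def parse_image3(blob):
    """Validate the Image3 header and return its ident and (tag, data) list.

    Raises ValueError on a bad magic, a fullSize that disagrees with the file
    length, or a tag whose declared length runs past the container.
    """
    if len(blob) < 20 or blob[:4] != IMG3_MAGIC:
        raise ValueError("not an Image3 file")
    full_size, size_no_pack, sig_check_area = struct.unpack_from("<III", blob, 4)
    ident = blob[16:20][::-1].decode("ascii")
    if full_size != len(blob):
        raise ValueError("fullSize %d != file length %d" % (full_size, len(blob)))
    tags = []
    off, end = 20, 20 + size_no_pack
    while off + 12 <= end:
        magic = blob[off:off + 4][::-1].decode("ascii")
        total_len, data_len = struct.unpack_from("<II", blob, off + 4)
        if total_len < 12 or data_len > total_len - 12 or off + total_len > end:
            raise ValueError("tag %s at 0x%x overruns container" % (magic, off))
        tags.append((magic, blob[off + 12:off + 12 + data_len]))
        off += total_len
    return {"ident": ident, "sig_check_area": sig_check_area, "tags": tags}


def _tag(magic, data):
    """Build one Image3 tag; payloads are padded to a 4-byte boundary."""
    padded = data + b"\0" * (-len(data) % 4)
    return magic[::-1] + struct.pack("<II", 12 + len(padded), len(data)) + padded


def build_sample_ibss():
    """Constructed sample: a minimal Image3 with TYPE and DATA tags (not a real iBSS)."""
    body = _tag(b"TYPE", b"ibss"[::-1]) + _tag(b"DATA", b"\xAA" * 16)
    header = IMG3_MAGIC + struct.pack("<III", 20 + len(body), len(body), len(body)) + b"ibss"[::-1]
    return header + body


def build_sample_ipsw():
    """Constructed sample IPSW: a zip holding the fake iBSS plus a stub plist."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(IBSS_PATH, build_sample_ibss())
        z.writestr("Restore.plist", "<plist/>")
    return buf.getvalue()


if __name__ == "__main__":
    info = parse_image3(extract_ibss(build_sample_ipsw()))
    print(info["ident"], [(m, len(d)) for m, d in info["tags"]])
```

On a real iBSS you should see ident `ibss` and tags including TYPE, DATA, VERS, SEPO, CHIP, BORD, KBAG and SHSH; a file that fails the magic check is usually a wrong member path or a download that was not an IPSW.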

Coming soon!

  • Reorganize and refactor code.

  • Easier setup: download iBSS automatically using partial zip.

  • Dump SecureROM on S5L8720 devices.

  • Install custom boot logos on devices jailbroken with 24Kpwn and alloc8.

  • Enable verbose boot on devices jailbroken with 24Kpwn and alloc8.

Disclaimer

This is BETA software.

Backup your data.

This tool is currently in beta and could potentially brick your device. Before flashing new data to NOR it will attempt to save a copy of the existing NOR contents to the nor-backups folder, and it will attempt not to overwrite critical data in NOR that your device requires to function. If something goes wrong, hopefully you will be able to restore to the latest IPSW in iTunes and bring your device back to life, or use the file in nor-backups to restore NOR to its original state, but I cannot provide any guarantees.

There is NO warranty provided.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

Toolchain

You will not need to use make or compile anything to use ipwndfu: the prebuilt payloads are in bin/. However, if you wish to make changes to the assembly code in src/*, you will need an ARM toolchain and must reassemble the source files by running make.

If you are using macOS with Homebrew, you can use gcc-arm-embedded. You can install it with this command:

brew cask install gcc-arm-embedded

Credit

geohot for limera1n exploit

posixninja and pod2g for SHAtter exploit

iPhone Dev Team for 24Kpwn exploit

pod2g for steaks4uce exploit

walac for pyusb