ipwndfu -p fails many times #83

Closed
xfm00mm opened this issue Sep 29, 2019 · 20 comments

@xfm00mm

xfm00mm commented Sep 29, 2019

My environment:

Linux Mint 19.2 Tina
Linux Computer 5.3.1-xanmod1 #1.190922 SMP PREEMPT Sun Sep 22 12:20:12 -03 2019 x86_64 x86_64 x86_64 GNU/Linux
toor@Computer ~/ipwndfu $ apt list --installed | grep libusb

libusb-0.1-4/bionic,now 2:0.1.12-31 amd64
libusb-1.0-0/bionic,now 2:1.0.21-2 amd64
libusb-1.0-0-dev/bionic,now 2:1.0.21-2 amd64
libusb-1.0-doc/bionic,bionic,now 2:1.0.21-2 all
libusbmuxd4/bionic,now 1.1.0~git20171206.c724e70f-0.1 amd64

iPad mini 2(soc:S5L8960)/iOS 12.4/iBoot-1704.10

I tried "ipwndfu -p" 30+ times but it fails with the same error


toor@Computer ~/ipwndfu $ ./ipwndfu -p
*** checkm8 exploit by axi0mX ***
Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:000001B78D366D1C IBFL:1C SRTG:[iBoot-1704.10]
ERROR: No Apple device in DFU Mode 0x1227 detected after 5.00 second timeout. Exiting.

toor@Computer ~/ipwndfu $ ./ipwndfu -p
Traceback (most recent call last):
  File "./ipwndfu", line 48, in <module>
    serial_number = device.serial_number
  File "/home/toor/ipwndfu/usb/core.py", line 830, in serial_number
    self._serial_number = util.get_string(self, self.iSerialNumber)
  File "/home/toor/ipwndfu/usb/util.py", line 314, in get_string
    raise ValueError("The device has no langid")

@Saraseti

Dude, I was just going to post a comment about the iPad mini 2. I've tried 30+ also and still nothing.

@Levin000

I've got the same result.

My environment: Ubuntu 18.04LTS

Error warning:
*** checkm8 exploit by axi0mX ***
Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:000006758A8BB9E8 IBFL:1C SRTG:[iBoot-1704.10]
Traceback (most recent call last):
  File "./ipwndfu", line 66, in <module>
    checkm8.exploit()
  File "/home/walker/下载/ipwndfu-master/checkm8.py", line 510, in exploit
    if 'PWND:[checkm8]' not in device.serial_number:
  File "/home/walker/下载/ipwndfu-master/usb/core.py", line 830, in serial_number
    self._serial_number = util.get_string(self, self.iSerialNumber)
  File "/home/walker/下载/ipwndfu-master/usb/util.py", line 314, in get_string
    raise ValueError("The device has no langid")
ValueError: The device has no langid

@ghost

ghost commented Sep 29, 2019

Do you see the iTunes logo on your iPad when trying to run the command? If so then you didn't enter into DFU mode correctly.

@xfm00mm
Author

xfm00mm commented Sep 29, 2019

I thought the cause of this problem is that my iDevice isn't set up yet.
My device cannot be set up due to activation lock.

#76 (comment)
I've edited the "usb/util.py" code with reference to this comment and reran "./ipwndfu -p".
It solved the "ValueError: The device has no langid" error, but another error appeared.

toor@Computer ~/ipwndfu $ sudo ./ipwndfu -p
*** checkm8 exploit by axi0mX ***
Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:000001B78D366D1C IBFL:1C SRTG:[iBoot-1704.10]
ERROR: No Apple device in DFU Mode 0x1227 detected after 5.00 second timeout. Exiting.
toor@Computer ~/ipwndfu $ sudo ./ipwndfu -p
()
Traceback (most recent call last):
  File "./ipwndfu", line 48, in <module>
    serial_number = device.serial_number
  File "/home/toor/ipwndfu/usb/core.py", line 830, in serial_number
    self._serial_number = util.get_string(self, self.iSerialNumber)
  File "/home/toor/ipwndfu/usb/util.py", line 327, in get_string
    langid
  File "/home/toor/ipwndfu/usb/control.py", line 173, in get_descriptor
    data_or_wLength = desc_size)
  File "/home/toor/ipwndfu/usb/core.py", line 1043, in ctrl_transfer
    self.__get_timeout(timeout))
  File "/home/toor/ipwndfu/usb/backend/libusb1.py", line 884, in ctrl_transfer
    timeout))
  File "/home/toor/ipwndfu/usb/backend/libusb1.py", line 596, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out

I edited
usb/core.py
_DEFAULT_TIMEOUT = 1000 --> 10000
usb/backend/libusb1.py
timeout = 10000 (added in line 98)

but the result didn't change.

@xfm00mm
Author

xfm00mm commented Sep 29, 2019

> Do you see the iTunes logo on your iPad when trying to run the command? If so then you didn't enter into DFU mode correctly.

Nope. It is DFU mode.

@xfm00mm
Author

xfm00mm commented Sep 29, 2019

Tried with geohat's fork

toor@Computer ~/ipwndfu $ python3 ./ipwndfu -p
*** checkm8 exploit by axi0mX ***
****** stage 1, heap grooming
Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:000001B78D366D1C IBFL:1C SRTG:[iBoot-1704.10]
ctrl transfer ERROR: 2 3 USBError(32, 'Pipe error')
ctrl transfer ERROR: 128 6 USBError(110, 'Operation timed out')
ctrl transfer ERROR: 128 6 USBError(110, 'Operation timed out')
ctrl transfer ERROR: 128 6 USBError(110, 'Operation timed out')
[7933 same lines]
ctrl transfer ERROR: 128 6 USBError(110, 'Operation timed out')
ctrl transfer ERROR: 128 6 USBError(110, 'Operation timed out')
ctrl transfer ERROR: 128 6 USBError(110, 'Operation timed out')
Performing USB port reset.
****** stage 2, usb setup, send 0x800 of 'A', sends no data
ctrl transfer ERROR: 33 4 USBError(5, 'Input/Output Error')
****** stage 3, exploit
ctrl transfer ERROR: 2 3 USBError(32, 'Pipe error')
ctrl transfer ERROR: 128 6 USBError(110, 'Operation timed out')
ctrl transfer ERROR: 0 0 USBError(32, 'Pipe error')
ctrl transfer ERROR: 33 1 USBError(110, 'Operation timed out')
Performing USB port reset.
Caught exception during port reset; should still work.
****** final check
ERROR: No Apple device in DFU Mode 0x1227 detected after 5.00 second timeout. Exiting.
toor@Computer ~/ipwndfu $ python3 ./ipwndfu -p
Traceback (most recent call last):
  File "./ipwndfu", line 47, in <module>
    device = dfu.acquire_device()
  File "/home/toor/ipwndfu/dfu.py", line 19, in acquire_device
    usb.util.claim_interface(device, 0)
  File "/home/toor/ipwndfu/usb/util.py", line 205, in claim_interface
    device._ctx.managed_claim_interface(device, interface)
  File "/home/toor/ipwndfu/usb/core.py", line 102, in wrapper
    return f(self, *args, **kwargs)
  File "/home/toor/ipwndfu/usb/core.py", line 167, in managed_claim_interface
    self.backend.claim_interface(self.handle, i)
  File "/home/toor/ipwndfu/usb/backend/libusb1.py", line 811, in claim_interface
    _check(self.lib.libusb_claim_interface(dev_handle.handle, intf))
  File "/home/toor/ipwndfu/usb/backend/libusb1.py", line 595, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 2] Entity not found

@EWouters

EWouters commented Sep 29, 2019

> Tried with geohat's fork

Did you install libusb1.dll on your system? I guess he takes that file from an archive and puts it in his system32. Check the stream somewhere around here.

Edit: sorry, I confused this issue with a different one.

@xfm00mm
Author

xfm00mm commented Sep 29, 2019

DLL is for Windows; I use GNU/Linux.
And I already installed libusb with apt.
The iDevice is detected in DFU at stage 1, as you can see.

@xfm00mm
Author

xfm00mm commented Sep 29, 2019

Here is lsof when running ipwndfu -p

toor@Computer ~ $ lsof | grep libusb
lsof: WARNING: can't stat() tracefs file system /sys/kernel/debug/tracing
      Output information may be incomplete.
gvfs-afc-  3246                   toor  mem       REG              253,1    147808    2365834 /usr/local/lib/libusbmuxd.so.4.1.0
gvfs-afc-  3246  3248             toor  mem       REG              253,1    147808    2365834 /usr/local/lib/libusbmuxd.so.4.1.0
gmain      3246  3249             toor  mem       REG              253,1    147808    2365834 /usr/local/lib/libusbmuxd.so.4.1.0
gdbus      3246  3251             toor  mem       REG              253,1    147808    2365834 /usr/local/lib/libusbmuxd.so.4.1.0
python3   19501                   toor  mem       REG              253,1     97080    1577473 /lib/x86_64-linux-gnu/libusb-1.0.so.0.1.0
python3   19501 19503             toor  mem       REG              253,1     97080    1577473 /lib/x86_64-linux-gnu/libusb-1.0.so.0.1.0

@l3d43r

l3d43r commented Sep 29, 2019

Hi, why am I getting this?
/ipwndfu -p
ERROR: No Apple device in DFU Mode 0x1227 detected after 5.00 second timeout. Exiting.

and the iPhone is in DFU
Apple Mobile Device (Recovery Mode):

      Product ID: 0x1281
      Vendor ID: 0x05ac (Apple Inc.)
      Version: 0.00
      Serial Number: SDOM:01 CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:00************* IBFL:3D SRNM:[**************]
      Speed: Up to 480 Mb/sec
      Manufacturer: Apple Inc.
      Location ID: 0x14100000 / 16
      Current Available (mA): 500
      Extra Operating Current (mA): 0
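
The two product IDs that appear in this thread, 0x1227 (the DFU ID the tool waits for) and 0x1281 (labelled "Recovery Mode" in the listing above), can be told apart from the USB descriptors alone. As an added example (not ipwndfu code and not posted by any commenter), this Python block classifies a device from its vendor/product ID and parses the serial-number string; the function names and sample strings are constructed for illustration, and the position of the PWND:[checkm8] tag inside the string is an assumption.

```python
import re

APPLE_VID = 0x05AC
# Product IDs exactly as they appear in this thread's output.
MODES = {0x1227: "DFU", 0x1281: "Recovery"}

# KEY:value or KEY:[value], e.g. CPID:8960 or SRTG:[iBoot-1704.10]
FIELD = re.compile(r"\b([A-Z]{4}):(\[[^\]]*\]|\S+)")


def parse_serial(serial):
    """Return the KEY -> value pairs of a USB serial-number string."""
    return {key: val.strip("[]") for key, val in FIELD.findall(serial)}


def classify(vid, pid, serial):
    """Return (mode, fields, pwned) for one enumerated USB device."""
    if vid != APPLE_VID:
        return ("not-apple", {}, False)
    fields = parse_serial(serial)
    mode = MODES.get(pid, "unknown")
    # checkm8.py in the traceback earlier in the thread tests for this marker.
    pwned = fields.get("PWND") == "checkm8"
    return (mode, fields, pwned)


def triage(devices):
    """Summarise devices as (mode, CPID, pwned) tuples for a lab inventory."""
    out = []
    for vid, pid, serial in devices:
        mode, fields, pwned = classify(vid, pid, serial)
        out.append((mode, fields.get("CPID"), pwned))
    return out


# Constructed samples modelled on the strings quoted in this thread
# (ECID and SRNM zeroed; the trailing PWND tag position is an assumption).
SAMPLES = [
    (0x05AC, 0x1227, "CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:0A "
                     "ECID:0000000000000000 IBFL:1C SRTG:[iBoot-1704.10]"),
    (0x05AC, 0x1281, "SDOM:01 CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C "
                     "ECID:0000000000000000 IBFL:3D SRNM:[000000000000]"),
    (0x05AC, 0x1227, "CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:0A "
                     "ECID:0000000000000000 IBFL:1C SRTG:[iBoot-1704.10] "
                     "PWND:[checkm8]"),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```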

@Saraseti

Dude, got it to work: used Linux to put it into pwned DFU and then I switched over to Mac to dump ROM, etc...

@sh4d0wph03n1x

sh4d0wph03n1x commented Sep 30, 2019

I had the same issue, but you have to run it as sudo, because the normal user does not have full access to USB buses. I also used python2.7.

@Saraseti

You're getting the error because the phone isn't in DFU, and also it is best to use "sudo python ./ipwnd". Nothing worked until I realized that, and then "POOF", like magic, pwned DFU.

@l3d43r

l3d43r commented Sep 30, 2019

> You're getting the error because the phone isn't in DFU, and also it is best to use "sudo python ./ipwnd". Nothing worked until I realized that, and then "POOF", like magic, pwned DFU.

Perfect, it worked!!! Thanks.
By the way, the "decrypt a keybag", how can we ...?

@xfm00mm
Author

xfm00mm commented Oct 2, 2019

I haven't solved it yet

@Techsteps

> I haven't solved it yet

I have the same error that you do with the geosn0w fork.

xfm00mm closed this as completed Oct 26, 2019

@mohamad00az

mohamad00az commented Dec 15, 2019

Hello,
how do I fix this error?
fffff

I use Mac in VMW

@testpakse

how to fix?
somvangoa@SOMVANGOAs-iMac ~ % cd /Users/somvangoa/Desktop/AppleTech752/Exploit
somvangoa@SOMVANGOAs-iMac Exploit % ./ipwndfu -p
Traceback (most recent call last):
  File "./ipwndfu", line 49, in <module>
    device = dfu.acquire_device()
  File "/Users/somvangoa/Desktop/AppleTech752/Exploit/dfu.py", line 16, in acquire_device
    for device in usb.core.find(find_all=True, idVendor=0x5AC, idProduct=0x1227, backend=backend):
  File "/Users/somvangoa/Desktop/AppleTech752/Exploit/usb/core.py", line 1263, in find
    raise NoBackendError('No backend available')
usb.core.NoBackendError: No backend available
somvangoa@SOMVANGOAs-iMac Exploit %

@Chamith96R

Traceback (most recent call last):
  File "ipwndfu", line 53, in <module>
    serial_number = device.serial_number
  File "/Users/crp/Downloads/ipwndfu-A11-patch-rom/usb/core.py", line 830, in serial_number
    self._serial_number = util.get_string(self, self.iSerialNumber)
  File "/Users/crp/Downloads/ipwndfu-A11-patch-rom/usb/util.py", line 314, in get_string
    raise ValueError("The device has no langid")
ValueError: The device has no langid

how to fix?

@sh4d0wph03n1x

Use sudo python2.7 ipwndfu.py -p
