F.A.Q. CFW iCloud Bypass

× Warning! This is a WORK IN PROGRESS! THIS HASN'T BEEN TESTED IN OVER 6 MONTHS! The videos have PoC (Proof Of Concept) Status currently. AS OF JUNE 2017, NOT WORKING ON ALL DEVICES! AN iBOOT EXPLOIT IS REQUIRED! (PLEASE WATCH THIS
× Warning! Prior iOS internals knowledge REQUIRED! NOT FOR BEGINNERS!
× Warning! STARTING FROM iOS 10.3, APPLE USES APFS PARTITIONS THAT ARE NO LONGER OPENABLE ON WINDOWS, ONLY ON MAC OS SIERRA. THIS MEANS THAT YOU CAN'T FOLLOW THESE TUTORIALS ON WINDOWS ANYMORE! THERE IS NO FIX FOR THIS!

Here is an information paper we'd recommend you read BEFORE trying the tutorials from F.C.E. 365 TV. These rules / details aren't new; they are collected from various videos of mine, but I guess it is better to have them in a single place so that people know better what is what. READ CAREFULLY BEFORE POSTING ANY COMMENTS.

Q: "Can you upload CFW for X.X.Y?"

A: Uploading CFWs is considered illegal; also, my current internet plan is metered, which means if I upload 28 GB (the total for 5 IPSWs) I will pay a lot.

Q: How does the Lilo app behave?

A: The app I built simply uses a modified PLIST that should be parsed at runtime. If the modified module is not parsed successfully, this signals a bad bypass; if you receive a positive note, it's all right. You don't need to keep the app installed after checking.

Q: What about the videos?

A: The proofs in the videos have the role of a PoC (Proof of Concept). Not all devices I've tested have passed; in fact only 4 devices out of 20 tested have pushed the file using the bug. It is very random and unfortunately not exploitable in a controlled manner without an iBoot exploit.

Q: Can I downgrade using this method?

A: No.

Q: What is error 3194 and Error 17?

A: You are using an OLD iOS version IPSW. Apple doesn't allow downgrades: during a restore iTunes asks Apple's signing (TSS) server to sign the firmware for your device, and for versions Apple no longer signs the request is refused, which is where 3194 comes from. You probably followed an older tutorial. Please make sure the iOS IPSW you try to restore is still being signed; iOS 10.2, iOS 10.2.1 and iOS 10.3 are not signed anymore.

Q: "Can I bypass 100% with carrier (SIM CARD)?"

A: No. On CFW the network will NEVER work unless you can replicate the wildcard ticket via SSH (which requires a jailbreak / exploit to reach the root file system).

Q: How does Setup.App Works?

A: Please check this documentation about Setup.App

Q: "Does this work from the first time? Is guaranteed bypass? Money back? What is the price?"

A:

  • It is NOT PAID. IT IS FREE. No need to pay anything.
  • No, it doesn't work the first time. If you aren't lucky it might never work, in fact. It is a project, not a finished product.
  • It is a WORK IN PROGRESS whose progress depends on what Apple changes inside the files.

For example, because Apple left the iOS 10 ROOT FS DECRYPTED, we were able to create a CFW, which might work for some devices and not for others. Work in progress = work in progress.

Q: "When you post video about bypassing X / Y model?"

A: I am not a fortune teller. If I ever find something at least interesting, I will let you know. If it doesn't exist on the channel, I haven't posted it yet. Nothing falls from the sky; we have to develop it first.

Q: Why doesn't the service (SIM card) work after bypass on iPhone 4S and up?

A: Because the bypass consists of forcing Setup.app not to start when the phone boots. The activation screen is therefore skipped, but because the lockdownd binary (lockdown daemon) does not find a WildcardTicket.plist file in the activation records, the phone has no idea whether it is locked to a specific carrier or unlocked, hence the baseband gets a soft brick. This does not prevent Wi-Fi and Bluetooth from working because only the SECZONE is corrupted. Cellular service can't be restored unless you somehow gain access to the root file system to put your own activation ticket and a patched lockdownd binary in place.

Q: What if I use a Gevey SIM or R-SIM (or any other interposer)?

A: Neither Gevey nor R-SIM nor any other interposer can fix the corrupted SECZONE, because the phone lacks the wildcard ticket (personalized to your IMEI and serial). Don't spend your money on such interposers; for this scenario they won't work.

Q: Can I do this on 64 GB? 32? 128?

A: I never had success on 32 GB and up (didn't actually hold serious tests though), but for the moment assume it is impossible on anything past 16 GB.

Q: Can I jailbreak after bypassing?

A: Depends. Pangu does not let you do that if the device is locked, but after bypass you might be able to jailbreak, as the lockdownd file does not freeze SpringBoard.app.

Q: Does it really need to be libimobiledevice for the restore?

A: NO! libimobiledevice does nothing special. We only use it because it offers a perspective on the restore progress (via the terminal log). Don't bother the libimobiledevice developers on GitHub with iCloud Bypass CFW questions, as this requires an iBoot exploit no matter what restore software you use.

You can use iTunes, iTools 3, libimobiledevice or any other tool that can restore IPSWs. The effect is similar because the process is similar. iTunes is expected to get patches from Apple against CFW (it happened in the past), but iTools 3, libimobiledevice and so on are not; that won't change the limitations of this project, though.

Q: "Which devices are compatible / being researched?"

A: Mostly 32-bit (armv7) devices, but 64-bit devices started to gain ground after iOS 10 removed an inherited obstacle: the lack of decryption keys. Now you no longer need the keys for the root file system (the bootloader images iBSS / iBEC / LLB are still encrypted), making 64-bit as easy to modify as 32-bit on that side.

Q: Is there anything I can do / buy to fix No Service issue on iPhone 5 or up bypassed?

A: No. At this moment there is nothing you can do (unless you buy a new motherboard, of course, but pay attention: scammers tend to sell locked motherboards!).

Q: During the restore, I get Error 53 in iTunes. How to fix it?

A: This means you used an aftermarket Touch ID sensor / screen. Put your phone in DFU mode and restore it with a freshly downloaded IPSW; this will fix the issue, but your Touch ID won't work if it is not the original.

Q: Do you accept donations?

A: No. You are NOT allowed to donate. You can still send files from jailbroken devices for development.

Q: Is there any full method I can use right now that is not in work in progress?

A: No. Unless you change the hardware parts (chip or MOBO).

Q: "What is Error 14 on CFW iOS 10?"

SHORT ANSWER: THERE IS NO FIX CURRENTLY FOR THIS ERROR WITHOUT AN EXPLOIT. THERE IS CURRENTLY NO EXPLOIT PUBLISHED FOR NEWER DEVICES! I've explained the matter here, so please watch this video.

LONG ANSWER:

1) Your device WILL REQUIRE an EXPLOIT to push the CFW. Unless you find one / one gets published, there is no point in trying the CFW.

This is normal. Usually this method requires you to patch ASR, iBEC, iBSS and LLB to get a smooth restore (see the iPhone 4 example). But there are no public exploits right now. I am working in the background on developing / finding exploits, but for the moment I am still a beginner in iOS security, so you must wait for an exploit.

Exploits are always found; they can be kernel exploits, iBoot exploits, etc. iBoot ones remain unpublished by devs most of the time because they are hard to find and Apple patches them quite quickly. Starting with iOS 11, the iPhone 5, 5C and 4S will be dropped, so the chance of such an exploit being released at some point is bigger. See, jailbreaking uses quite a few exploits per tool to make the process possible, but those are usually kernel exploits, not iBoot or BootROM exploits. Every new jailbreak means a lot of new exploits.

If you want to test the validity of the CFW method and you don't hold an exploit for newer devices, tests can be done on an iPhone 4 to create a PoC. On the iPhone 4 and lower there is limera1n, a very powerful BOOTROM exploit (there is a difference between iBoot and BootROM: a BootROM bug cannot be patched by a software update). When an exploit is publicly released, all devices supported by it will be able to restore a CFW on the first attempt without any error. Until then, we either try various methods (forcing CFW, DNS bypass, Setup.app crashing via emojis and so on) or wait. You can also consider a hardware unlock. It is not that cheap and requires soldering / electronics experience. You can seriously damage your device if you solder the chips wrongly or melt components near the chip during the process. Leave that to experts only.

2) Apple said that it might be an error with the USB connection HERE

By USB error it doesn't mean the cable is faulty; it can be iTunes stopping the restore or dropping the phone's USB session because the CFW carries invalid signatures. Usually CFWs have a significantly greater success rate if the device is in pwned DFU (PDFU), but even in that situation it can easily fail.

3) There is no easy fix for this, as there are verifications in place which require an exploit to be patched.

Q: "I got ASR Error (80) / (110), what can I do?"

A: IT IS THE SAME THING AS ERROR 14 IN ITUNES! ONLY IN A DIFFERENT TOOL! There are the ASR.PATCH files meant to stop the Apple System Restore (ASR) from giving any error, but that requires you to use the ASR, iBEC and iBSS patches, which in turn require an exploit!

Patching ASR is NOT very simple: you need to disassemble the asr binary located in /usr/sbin on the restore ramdisk and patch the failure branch (the one that prints "Image failed signature verification") so that it jumps to the success case (the one that prints "Image passed signature verification"). This prevents ASR from giving hash-related errors.

This is the ASR Verify part that you need to patch (use IDA Pro or Hopper):

__text:00014204 loc_14204                               ; CODE XREF: sub_13AB4+61E↑j
__text:00014204                                         ; sub_13AB4+73E↑j
__text:00014204                 LDR     R3, =(off_235E8 - 0x1420A)
__text:00014206                 ADD     R3, PC
__text:00014208                 LDR     R3, [R3]
__text:0001420A                 LDR     R3, [R3]
__text:0001420C                 CMP     R3, #0
__text:0001420E                 BEQ     loc_1427A
__text:00014210                 LDR     R0, =(aImagePassedSig - 0x14216)
__text:00014212                 ADD     R0, PC          ; "Image passed signature verification"
__text:00014214                 BLX     _warnx
__text:00014218                 B       loc_1427A
__text:0001421A ; ---------------------------------------------------------------------------
__text:0001421A
__text:0001421A loc_1421A                               ; CODE XREF: sub_13AB4+622↑j
__text:0001421A                                         ; sub_13AB4+628↑j ...
__text:0001421A                 LDR.W   R0, =(aImageFailedSig - 0x14222)
__text:0001421E                 ADD     R0, PC          ; "Image failed signature verification"
__text:00014220                 BLX     _warnx
__text:00014224                 MOVS    R2, #0x50
__text:00014226                 B       loc_1426E
__text:00014228 ; ---------------------------------------------------------------------------

Source: The iPhone Wiki

The iPhone Wiki has a very clear instruction on patching using the XREF method. ASSEMBLY KNOWLEDGE REQUIRED! (Who said iCloud Bypass is easy?) 

ASR can be patched by finding an xref to the string "Image failed signature verification" and patching the first instruction at the label that loads it (loc_1421A in the listing above) so that it branches to the previous label, which is the success case (loc_14204, "Image passed signature verification"). On ARMv7 in Thumb mode that branch is usually the two bytes 'F3 E7': a 16-bit B whose target is 0x16 bytes before its own address (Thumb reads PC as the instruction address + 4, and the 11-bit immediate encodes -13 halfwords, i.e. -0x1A from PC), so 0x1421A - 0x16 = 0x14204. Because the LDR.W being replaced is a 4-byte instruction, two bytes are left over after the new branch; they are never executed, but overwriting them with a Thumb NOP (00 BF) keeps the disassembly clean. Note also the MOVS R2, #0x50 right after the failure message: 0x50 is decimal 80, very likely the origin of the ASR error (80) mentioned above.
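To make the branch arithmetic above concrete, here is a small added helper (example code written for this FAQ, not the author's patch files or anything from the iPhone Wiki) that encodes and decodes the 16-bit Thumb B used for the patch and applies it to a raw image. The addresses are the ones from the IDA listing; the mapping from virtual address to file offset (`__TEXT` at vmaddr 0x1000 with file offset 0) is an assumption about the usual 32-bit Mach-O layout that you must confirm with `otool -l` on the real asr binary, and the sample image is constructed, not a real ramdisk.

```python
# Added example: Thumb "B" (T2 encoding) helper for the ASR signature-check
# patch described above. Not part of the original FAQ or its patch files.
import struct

# Addresses taken from the IDA listing on this page.
FAIL_LABEL = 0x1421A   # loc_1421A: loads "Image failed signature verification"
PASS_LABEL = 0x14204   # loc_14204: the "Image passed signature verification" path

THUMB_NOP = b"\x00\xbf"   # 16-bit Thumb NOP (0xBF00), little-endian


def encode_thumb_b(from_addr: int, to_addr: int) -> bytes:
    """Encode a 16-bit Thumb unconditional branch (B, T2 encoding).

    Thumb reads PC as the address of the current instruction + 4, and the
    11-bit immediate is a signed halfword count, so the reachable range is
    -2048..+2046 bytes from PC.
    """
    offset = to_addr - (from_addr + 4)
    if offset & 1 or not -2048 <= offset <= 2046:
        raise ValueError(f"target {to_addr:#x} not reachable from {from_addr:#x}")
    imm11 = (offset >> 1) & 0x7FF
    return struct.pack("<H", 0xE000 | imm11)


def decode_thumb_b(insn: bytes, at_addr: int) -> int:
    """Return the target of a 16-bit Thumb B located at at_addr."""
    (word,) = struct.unpack("<H", insn[:2])
    if word & 0xF800 != 0xE000:
        raise ValueError(f"{word:#06x} is not a 16-bit Thumb B")
    imm11 = word & 0x7FF
    if imm11 & 0x400:          # sign-extend the 11-bit halfword count
        imm11 -= 0x800
    return at_addr + 4 + (imm11 << 1)


def patch_asr_signature_check(image: bytes, text_vmaddr: int, text_fileoff: int,
                              fail_label: int = FAIL_LABEL,
                              pass_label: int = PASS_LABEL,
                              replaced_len: int = 4) -> bytes:
    """Overwrite the first instruction of the failure branch with B pass_label.

    The instruction being replaced (LDR.W) is 4 bytes, so the 2 bytes left
    over are filled with a NOP; they are never executed because the branch
    skips them, but this keeps the disassembly clean.
    """
    if replaced_len not in (2, 4):
        raise ValueError("replaced_len must be 2 or 4 (one Thumb instruction)")
    # Virtual address -> file offset via the __TEXT segment (check otool -l).
    off = fail_label - text_vmaddr + text_fileoff
    branch = encode_thumb_b(fail_label, pass_label)
    patched = bytearray(image)
    patched[off:off + replaced_len] = branch + THUMB_NOP * ((replaced_len - 2) // 2)
    return bytes(patched)


def demo() -> dict:
    """Constructed sample: a fake image with __TEXT mapped at vmaddr 0x1000
    and file offset 0 (assumed usual 32-bit iOS Mach-O layout)."""
    text_vmaddr, text_fileoff = 0x1000, 0
    image = bytearray(b"\x00" * 0x14000)
    off = FAIL_LABEL - text_vmaddr + text_fileoff
    # Stand-in for the original 4-byte LDR.W at loc_1421A; these bytes are a
    # constructed placeholder (LDR.W R0, [PC, #4]), not the real literal offset.
    image[off:off + 4] = b"\xdf\xf8\x04\x00"
    original = bytes(image)
    patched = patch_asr_signature_check(original, text_vmaddr, text_fileoff)
    return {
        "branch_bytes": patched[off:off + 2],          # F3 E7
        "patched_bytes": patched[off:off + 4],         # F3 E7 00 BF
        "target": decode_thumb_b(patched[off:off + 2], FAIL_LABEL),
        "rest_untouched": patched[:off] == original[:off]
                          and patched[off + 4:] == original[off + 4:],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v if not isinstance(v, bytes) else v.hex(" "))
```

The decoder is there so you can check a patch you applied by hand: feed it the two bytes at the failure label and the label's address, and it must return the success label; anything else means the offset (or the PC+4 rule) was miscalculated. The range check matters too: a 16-bit B only reaches about 2 KB, so if the two labels were farther apart you would need the 32-bit B.W encoding instead.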

Keep in mind that modifying the RAMDISK requires iBEC / iBSS patching as well, and without an iBoot exploit you cannot load the patched iBSS and iBEC the normal way; even if you use iRecovery to manually send and boot the files, you will get errors from libimobiledevice either way! iRecovery is available for both Mac and Windows.

For the moment we're also researching this error, so fixes might appear from time to time. I recommend you subscribe to stay updated; usually these fixes get patched shortly after release, and if you see the video 2 months after it was patched, it is of no use anymore.

Q: "Where can I get the latest patches for iBEC, iBSS and ASR?"

A: On the Channel. Always look at the latest video about that thing. Older videos clearly address older firmware versions, but I always add the version in the video title to make things easier. You can also find all released patches on the PATCHES PAGE.

Q: "How can I fix "Done sending FDR Trust"?"

A: You are most likely trying to restore an iPhone 5S, 6 or 6S (64-bit) using a deprecated version of libimobiledevice (or Firmware Manager). CFWs on 64-bit devices are in the alpha stage; there is still a lot of research to be done. There are no keys, no exploits, no leaked files, no dumps, and things move slower than on 32-bit, where you have a lot of info to work with. Please be patient. Also, you can find the updated libimobiledevice version on the channel.

Q: "How can I fix "Waiting for Device" in libimobiledevice?"

A: We have a permanent fix for that, check it out here. It works regardless of version.

Q: What about TransMAC errors while trying to open the DMG?

A: Starting with iOS 10.3, Apple has changed the file system format from the old HFS+ to APFS, which in turn is no longer compatible with old DMG handling tools, TransMac included. The only way to open an APFS DMG file is on macOS Sierra (where APFS is supported). There is currently no way to open an APFS DMG file on Windows or Linux.

Q: "Can I use this RESEARCH on my stolen device?"

A: Of course NO. You are NOT allowed to use this in any illegal way.

Q: "Can I copy your videos on my channel?"

A: No. If you are caught doing that, you will receive Copyright Strikes and the videos will be taken down from your channel. At 3 strikes, YouTube automatically terminates your channel with no possible way to recover it. 

Q: "When you will make research on iPads?"

A: I have no idea, I don't own any iPad and I am not really interested in them. Maybe some day.

Q: "WHY iOS 10 doesn't have keys published?"

A: iOS 10 doesn't require keys anymore to decrypt the root file system (and the kernelcache), since Apple ships them unencrypted, but starting from iOS 10.3 the format has changed from an HFS+ DMG to an APFS DMG. APFS IS NOT SUPPORTED ON WINDOWS OR OLDER VERSIONS OF OS X.

Q: "Can I have iOS 10 Beta iPhone 5S Kernel Dump list with all kexts?"

A: Sure! I uploaded it for you here: GeoSn0w-Full-iPhone5S-KernelKexts

Q: "Who is the target group of your videos?"

A: Mostly developers / people with programming / iOS knowledge. As it is a work in progress, it might pose serious difficulty to average users, SO IT SHOULD NOT BE CONSIDERED A METHOD FOR AVERAGE PEOPLE! IT DOES REQUIRE AN EXPLOIT FOR NOW! Keep in mind that there are still errors to be fixed in some cases, and if you find something (a fix, a workaround), you might share it.

Q: "What is this channel for?"

A: I created F.C.E. 365 TV iDevice Central to share my knowledge and my research in iOS security and jailbreaking; it is more like a sketch notebook. It provides a lot of interesting info about iOS. This channel strictly provides research info and comes with no guarantees. Try not to take it as a service for bypassing2go. It is not. Unless you are willing to learn with us how these devices work internally, it is probably not suitable for you.

Q: "Do you offer any paid iCloud bypass?"

A: No. And I never will.

Q: "What would make a CFW work with lower error rate?"

A: An exploit (iBoot, LLB / BootRom). I explained why on the page (up).

Q: How does an exploit work? What's that?

A: Here I've written a fully detailed whitepaper about exploits with a practical OS X example; I strongly recommend reading it and trying to understand it.

Q: "I think is fake because I get error x / I am a troll / I want attention / Someone said it is"

A: OK, go to another channel that is not fake. This is a WORK IN PROGRESS. Everything is already on this page.

Q: "Somebody said you are fake".

A: Yes, there are people who criticize CFW methods for various reasons, but mostly because replicating the result is very hard, since it requires an exploit and many get errors during the process. Some developers consider it impossible, some consider it possible but unethical, etc.

Q: "If you don't give me file X or if you don't release video Y I give dislike to all videos"

A: Go ahead. Make sure you don't miss any.

Q: "Do you Jailbreak / Research Jailbreaking?"

A: I am not a full Jailbreak Developer but yes, I am now interested in studying Jailbreaks and how they work.

Q: "I always get error X, Y"

A: Yes, as I said, WORK IN PROGRESS.

NOTE: On the YouTube channel the SPAM filter is set to the strictest level. Most comments require approval. DON'T post 1-mile-long error logs; YouTube will take them as spam. Instead, send them to office[at]fce365.info and I will check them when I have time.

* Now Channel Rules! (As any other organized channel, we have some internal rules to keep the community clear and readable).

Rule #1: If you consider it fake just because it gives errors / it is a work in progress, then please, kindly don't watch; leave the video (you can even dislike it). These videos are ONLY for those who DO understand everything I published on this page. It is more of a developer thing.

If you thought you could come here, bypass a couple of devices and sell them, you are NOT in the right place. This is a development community, not a GSM store. You can still subscribe to learn more about iOS / iDevices, but be civilized.

Rule #2: Don't CUSS! Yes, we want normal, respectful comments. Don't swear, don't pick up fights with other users, discuss ideas in a civilized manner.

Rule #3: Don't demand! Developers are NOT factories. If something is finished, it will surely appear. Some things can't be released (like Exploits) due to security measures.

Rule #4: Stay on-topic. If the video is about Jailbreak and you are interested in iCloud and don't wanna see Jailbreak videos, simply leave and come back when you see what interests you. Don't post questions that are not related to the video and expect any reply. If you have a question find an appropriate video. Keep it clean.

Rule #5: Stop selling F.C.E. 365 Firmware Manager on eBay for $20 or any other price. I made that app FREE and the only genuine link is the one from this page (that goes to The iPhone Wiki). The application is open-sourced.

Rule #6: DON'T post the same question multiple times; that is SPAM and YouTube will automatically flag it.

To sum up, this is a development community and the channel is more of a sketch notebook for my ideas. If you find an error, try to fix it; if you can't, then try to understand where it fails and what it takes to fix it. There is no such thing as "impossible". If jailbreakers can, so can you (if you learn).

I am doing my best to reply to as many comments as possible, but I have a real job and I do this research in my FREE TIME. Please do understand.

That's it. It might look like there are too many rules, but all these rules keep the community a warm place.

Page Last Modification: 06/11/2017 (June 2017)