iOS 9.2.1 CFW: How to fix “Waiting for device” Error | NAND Attack Basics for iCloud Bypass

As a few people had this issue, I decided to dig a little into it and see what causes the "Waiting for device" error in the libimobiledevice app during a CFW restore.
The issue: incorrect use of the iBEC, iBSS and ASR patches. If you apply those patches without having an iBOOT exploit, your device will most likely fail with that error.

The NAND ATTACK:
The NAND attack consists of using the files cached in the phone's memory from a failed attempt. By using them, your device has a chance to skip ASR, because the verification already went to 100%.
For that you need to skip the patching part (iBEC, iBSS and ASR).

In the video I show the concept of the NAND Attack and also how to fix the "Waiting for device" issue.
As a bonus, I show you where to find the correct base address for iBOOT in IDA, so you can start researching if you have assembly knowledge.

The NAND (NOT AND gate) is a non-volatile memory chip that is used in all iDevices. This is the chip that stores everything on the system (including USER DATA and SYSTEM FILES). The main DMGs are mounted from this chip, and it defines the storage capacity of the device (from 4GB up to 128GB depending on the model).

If you want to attack the ROOT File System, this is where you will start.

What only a few people know is that although this chip shows only two visible file systems, it actually holds more, such as NVRAM, BOOT files, SCFG (System Configuration) and so on, so it is a valuable piece for jailbreakers too.

iCloud Bypass in its standard concept is not very hard. You have to remove (by some means) the Setup.app inside the ROOT FS, in the Applications folder. By doing so, your device will still start, but the "Hello Screen", which is in fact this Setup.app, won't appear because it was removed.

In a normal case, during BOOT, SpringBoard (containing all the apps) loads first, and Setup.app loads on top of it. That's why if you overload Setup.app (with emojis) you make it crash, and for a second you can see SpringBoard: it is underneath Setup.app.

If we remove Setup.app entirely, there is nothing to start on top of SpringBoard, and there is also no lock-in process to make SpringBoard freeze, therefore you will be able to use the iPhone's apps.

On the iPhone 4 and all A4-processor devices from Apple, the limera1n exploit made it easy to SSH into the system via the power cord and an SSH ramdisk file, and you can use an SCP client like WinSCP in order to remove this Setup.app.

The lack of such an exploit for A6 and A5 devices (iPhone 4S, 5, 5C etc.) makes it impossible to SSH into them, therefore we use an already patched CFW.

Although this tutorial is labelled "iOS 9.2.1", it works for all versions for which you can grab the ROOT KEYS (AES) needed to decrypt the DMGs.

You can find such keys on The iPhone Wiki (a link was added in the links section below, check it out).

Libimobiledevice: http://quamotion.mobi/iMobileDevice/download
Keys: https://www.theiphonewiki.com/wiki/Firmware

CFW making tutorial: https://www.youtube.com/watch?v=KQNYkp64oL4
(Just skip the patching part)

Tested on the iPhone 4S, but it works on all devices that have keys published.

I made a disassembled iBOOT for n42 and n49 available on the forum.
http://forum.fce365.info


//WORK IN PROGRESS

GeoSn0w
