F.A.Q. CFW iCloud Bypass

× Warning! This is a WORK IN PROGRESS! Don't even try to do something unless you understand what it means READ this F.A.Q. Page! Pay attention to the descriptions and don't understand only what you want to understand!. You are stepping on a WORK IN PROGRESS Ground designed for developers! You have been warned.
× Warning! Bypassing iCloud is NOT possible if you don't learn how iOS work in the first place, for that you can follow up my white papers and my Reverse Engineering videos. You can't control something you don't understand. I am afraid iCloud is not a toy, you need to put some effort into learning how it works to be able to break it!

Here is an information paper we'd recommend you to read BEFORE trying the tutorials from F.C.E. 365 TV. Those rules / details ain't new, they are collected from various videos of mine, but I guess it is better to have them in a single place so that people knows better what is what. READ CAREFULLY BEFORE POSTING ANY COMMENTS.

Q: "Can you upload CFW for X.X.Y?"

A: No. That's why there is a tutorial for it. It is illegal to upload CFWs, takes to much to upload 2 GB of file, my internet band is limited (metered) and if I upload a file for let's say iPhone 5,2, everybody will want for their model. Not to complicate things, everybody creates his files.

Q: How does Lilo app behaves?

A: The app I built simply uses a modified plist that should be parsed at runtime. If the modified module is not parsed successfully this signals a bad bypass, if your receive a positive note, it's all right. You don't need to keep the app installed after checking.

Q: "Can I bypass 100% with carrier (SIM CARD)?"

A: No. On CFW the Network will NEVER work unless you can replicate the wildcard ticket via SSH (requires Jailbreak / EXPLOIT).

Q: How does Setup.App Works?

A: Please check this documentation about Setup.App

Q: "Does this work from the first time? Is guaranteed bypass? Money back? What is the price?"


  • It is NOT PAID. IT IS FREE. No need to pay nothing.
  • No it doesn't work from the first time.
  • It is a WORK IN PROGRESS that goes depending on what Apple changes inside the files.

For example, due to Apple leaving the iOS 10 ROOT FS DECRYPTED, we were able to create a CFW, for some might work for some not. Work in progress = Work in progress.

Q: "When you post video about bypassing X / Y model?"

A: I am not fortune teller. If I will ever find something at least interesting, I will let you know. If it doesn't exist on the channel, I didn't post it yet. Nothing falls from sky, we have to develop it first.

Q: Why does the service (SIM CARD) doesn't work after bypass on iPhone 4S and up?

A: Because the bypass consists in forcing the Setup.App not to start when the phone starts, therefore, the Activation screen is being skipped, but because lockdownd binary (LockDown Daemon) does not find a WildcardTicket.Plist file in the Activation Records, the phone has no idea if it is locked to a specific carrier, or if it is neverlock, hence, the Baseband gets a soft brick. This does not prevent the WiFi and the Bluetooth from working because only the SECZONE is corrupted. The cellular data can't be restored unless you somehow gain access to the ROOT File System to put your own Activation ticket and patched lockdownd file.

Q: What if I use Gevey SIM or R-SIM (or any other interposer).

A: Nor Gevey or R-SIM or any other interposer can fix the corrupted SECZONE, because the phone lacks the Wildcard Ticket (personalized to your IMEI and Serial). Don't spend your money on such interposers, for this scenario they won't work.

Q: Can I do this on 64 GB? 32? 128?

A: The NAND Flash = The storage chip (containing the entire operating system, in this case iOS + User Data). The NAND attack (bad name) means pushing / forcing files into the NAND storage so that it will eventually get corrupted. A sort of Race Condition (SEE THIS).
ASR (Apple System Restore) app located on the ramdisk is time dependent, it copies the payload (the modified DMG) inside the NAND so that it can be analyzed, if analyze does not mach, it removes it from NAND and errors out. Sometimes, if you try a lot of times, the NAND caches the file and ASR fails to remove it and mounts it by mistake.
This usually works on 16 GB and less because the less space you have, the more you will fill during the cache process. If you have 64 GB, there is no way you can do this the easy way because 3GB is nothing on a 64GB storage.​

Q: Can I jailbreak after bypassing?

A: Depends. Pangu does not let you do that if the device is locked, but after bypass you might be able to bypass as the lockdownd file does not freeze the Speringboard.app

Q: Does it really need to be LibiMobileDevice for restore?

A: NO! Libimobiledevice does nothing special. We only use it because it offers a perspective on the restore progress (via Terminal log). Don't bother the guys from Github Libi with iCloud Bypass questions. It's not their domain and neither their point of interest.

You can use iTunes, iTools 3, Libi or any other tool that can restore IPSWs. The effect is similar because the process is similar. iTunes is expected to get patches from Apple against CFW (happened in the past), but iTools 3, libi and so on not.

Q: "Which devices are compatible / being researched?"

A: Mostly, x32 devices but x64 started to earn advantages now after iOS 10 killed an inherited issue, the lack of keys for decryption. Now you no longer need them keys, making x64 as easy to modify as x32.


Q: Is there anything I can do / buy to fix No Service issue on iPhone 5 or up bypassed?

A: No. At this moment, no there is nothing you can do. (Unless you buy a new motherboard of course, but pay attention, scammers tend to sell locked MOBOS!).

Q: During the restore, I get Error 53 in iTunes. How to fix it?

A: This means you used an aftermarket Touch ID Sensor / Screen. Put your phone in DFU Mode and restore it with freshly downloaded iPSW, this will fix the issue but your Touch ID won't work if it is not the original.

Q: Do you accept donations?

A: No. You are NOT allowed to donate. You can still send files from jailbroken devices for development.

Q: Is there any full method I can use right now that is not in work in progress?

A: No. Unless you change the hardware parts (chip or MOBO).

Q: "What is Error 14 on CFW iOS 10?"

1) Not all device variants support CFWs, if you try 10 times with no luck, then your device will most likely require EXPLOIT to push the CFW. Unless you find one, there is no point into trying the CFW anymore.

This is normal. Usually, this method would require you to patch ASR, iBEC, IBSS and LLB to get a smooth restore (see iPhone 4 example). But there are no public exploits right now. We're working in the background on developing / finding exploits but for the moment, if your device isn't weak enough to pass the CFW after multiple attempts, you must wait for an exploit.

Exploits are always found but remain unpublished by devs. See, Jailbreaking uses 10-12 exploits per tool to make the Jailbreaking process possible. Every new Jailbreak means 10-12 new exploits.

On iPhone 4 and lower, for example, there is Limera1n. A very powerful BOOTROM Exploit (there is a difference between iBOOT and BOOTROM). When an exploit will be publicly released, all devices supported by it will be able to restore CFW from the first attempt without any error. Until then, we either try various methods: forcing CFW, DNS Bypass, Setup.App Crashing via Emojis and so on, or wait. You can also consider hardware unlock. It is not that cheap and require soldering / electronics experience. You can seriously damage your device if you solder the chips wrongly or if you melt transistors near the chip during the process. Leave that only for experts…

3) Apple said that it might be an error with USB Connection HERE

By USB error it doesn't mean the cable is faulty, it can be the iTunes that stops the restore or disconnects the USB phone due to the CFW being incompatible. Usually CFWs have significantly greater success rate if the device is PWNED (PDFU), but even in this situation it can easily fail.

4) There is no easy fix for this as we don't know what part of the CFW invalidates the restore (besides the ROOT FS).

Q: "I got ASR Error (80) / (110) what Can I do??" 

A: Well, we're working on a general fix, but without a public exploit is hard. Some devices work from 3rd, 4th 5th attempt to circumvent this issue, some fail with ASR even if you try 300 times. That's simply the way different devices act to this custom IPSW. THE FIX EXISTS. There are the ASR.PATCH files meant to patch the Apple System Restore (ASR) from giving any error, but that requires you to follow my tutorial on how to use the patches (HERE IF YOU GET ASR ERROR 110) and HERE IF YOU GET ASR ERROR 80

Patching ASR is simple, you need to disassemble the ASR application located on ramdisk/usr/sbin folder, and to patch the second instruction, "Image failed signature verification" to redirect to the first scenario, which is the "Image failed signature verification". This will prevent ASR from giving HASH-related errors.

This is the ASR Verify part that you need to patch (use IDA Pro or Hopper):

__text:00014204 loc_14204                               ; CODE XREF: sub_13AB4+61E�j
__text:00014204                                         ; sub_13AB4+73E�j
__text:00014204                 LDR     R3, =(off_235E8 - 0x1420A)
__text:00014206                 ADD     R3, PC
__text:00014208                 LDR     R3, [R3]
__text:0001420A                 LDR     R3, [R3]
__text:0001420C                 CMP     R3, #0
__text:0001420E                 BEQ     loc_1427A
__text:00014210                 LDR     R0, =(aImagePassedSig - 0x14216)
__text:00014212                 ADD     R0, PC          ; "Image passed signature verification"
__text:00014214                 BLX     _warnx
__text:00014218                 B       loc_1427A
__text:0001421A ; ---------------------------------------------------------------------------
__text:0001421A loc_1421A                               ; CODE XREF: sub_13AB4+622�j
__text:0001421A                                         ; sub_13AB4+628�j ...
__text:0001421A                 LDR.W   R0, =(aImageFailedSig - 0x14222)
__text:0001421E                 ADD     R0, PC          ; "Image failed signature verification"
__text:00014220                 BLX     _warnx
__text:00014224                 MOVS    R2, #0x50
__text:00014226                 B       loc_1426E
__text:00014228 ; ---------------------------------------------------------------------------

Source: The iPhone Wiki

The iPhone Wiki has a very clear instruction on patching using the XREF method. ASSEMBLY KNOWLEDGE REQUIRED! (Who said iCloud Bypass is easy?) 

ASR can be patched by finding a xref to a string "Image failed signature verification" and patching the first instruction at the preceding label to branch to the previous label, which is the success case "Image passed signature verification". On ARMv7 this branch is usually 'F3 E7' (Thumb mode, instruction B (branch) to address -0x16 relative to opcode address).

Keep In mind, modifying the RAMDISK requires iBEC / iBSS Patching as well (THE TUTORIAL) and without an iBOOT Exploit you cannot load the patched iBSS and iBEC on a normal way, use iRecovery to manually send and call the files either way, you will get errors from libi! iRecovery is available for both MAC and Windows.

For the moment, we're also researching this error, so the fixes might appear from time to time. I recommend you to subscribe to stay updated, usually these fixes get patched shortly after release, and if you see the video 2 months after being patched, is for no use anymore.

Q: "Where can I get the latest patches for iBEC, iBSS and ASR?"

A: On the Channel. Always look at the latest video about that thing. Older videos clearly address older firmware versions, but I always add the version in the video title to make things easier. You can also find all released patches on the PATCHES PAGE.

Q: "How can I fix "Done sending FDR Trust?"

A: Yes, you are most likely trying to restore an iPhone 5S, 6 or 6S (x64) using a deprecated version of LibiMobileDevice (or Firmware Manager). CFWs on x64 devices are in the alpha stage, there is still a lot of research to be done. There are no keys, no exploits, no leaked files, no dumps and things move slower than on x32 where you have a lot of info to work with. Please be patient. Also, you can find the updated LibiMobileDevice version on the channel.

Q: "How can I fix "Waiting for Device" on LibimobileDevice?

A: We have a permanent fix for that, check out here. It works regardless of version.

Q: "Can I use this RESEARCH on my stolen device?"

A: Of course NO. You are NOT allowed to use this in any illegal way.

Q: "Can I copy your videos on my channel?"

A: No. If you are caught doing that (you can't hide, we use Content ID), you will receive Copyright Strikes and the videos will be taken down from your channel. At 4 strikes, YouTube automatically terminates your channel with no possible way to recover it. 

Q: "When you will make research on iPads?"

A: I have no idea, I don't own any iPad and I am not really interested in them. Maybe some day.

Q: "Is iPhone 5S bypass able?"

A: Kinda. On iOS 10 due to the fact that the ROOT FS is no longer encrypted with AES key, chances are for you to restore a CFW with no issue. The process is similar as on iPhone 5 iOS 10 iCloud Bypass as the iPSWs are similar. I managed to decrypt and completely disassemble the iPhone 5S Kernel, which give me big hopes for the future of x64 Jailbreak and Research on iCloud Bypass. The fact that keys are required no more is already a huge step. In fact, the lack of keys was the only problem that prevented us from doing research on AARCH 64. Although it is now easier, it doesn't mean it works on all variants of iPhone 5S. The smaller the NAND space, the better, but it is not a rule.

The research on iPhone 5S and x64 in general has just begun, so YOU MUST BEAR IN MIND that it is buggy, it might not work for your particular device while for others might work with no issue, or it might work for you and might not work for others. That completely normal because iPhone 5S has multiple revisions (variants).

Q: "I am a dev. Can I have a full iOS 10 Beta iPhone 5S Kernel Dump list with all kexts? Wanna mess with it a little ^^"

A: Sure! I uploaded it for you here: GeoSn0w-Full-iPhone5S-KernelKexts

Q: "Who is the target group of your videos?"

A: Mostly, Developers / People with programming / iOS knowledge. As it is a work in progress, It might pose serious difficulty on an average users. You must keep in mind the idea that there are still errors to be fixed in some cases and if you find something (a fix, a workaround), you might share it.

Q: "What is this channel for?"

A: I created F.C.E. 365 TV iDevice Central to share my knowledge and my research in iOS Security and Jailbreak it is more like a sketch notebook. Provides a lot of interesting info about iOS. This channel is strictly providing research info and comes with no guarantees. Try not to take it as a service for bypassing2go. It is not. Unless you are willing to learn with us how these devices work internally, it is probably not suitable for you.

Q: "Do you offer any paid iCloud bypass?"

A: No. And I never will.

Q: "What would make a CFW work with lower error rate?"

A: An exploit (LLB / BootRom recommended). I explained why on the page (up).

Q: How does an exploit work? What's that?

A: Here I've written a fully detailed whitepaper about exploits with a practical OS X example, I strongly recommend reading and trying to understanding it.

Q: "I think is fake because I get error x / I am a troll / I want attention"

A: Ok, go to other channel that is not fake. You clearly don't understand what WORK IN PROGRESS Means! Bye.

Q: "Somebody said you are fake".

A: I don't care. And I never will. They clearly don't understand what WORK IN PROGRESS means.

Q: "If you don't give me file X or if you don't release video Y I give dislike to all videos"

A: Go ahead. Make sure you don't forget any one. LMAO.

Q: "Do you Jailbreak / Research Jailbreaking?"

A: Nope, at least not publicly yet.

Q: "I always get error X, Y"

A: Yes, as I said, not all devices work with this method, especially newer devices that are in WORK IN PROGRESS.


NOTE: On the YouTube Channel the SPAM filter is set to biggest. Most of the comments require approval. DON'T Post 1-mile long error logs, YouTube will take it as spam, instead send them to office@fce365.info and when I have time I check them.

* Now Channel Rules! (As any other organized channel, we have some internal rules to keep the community clear and readable).

Rule #1: If you copy our work (i.e name (F.C.E. 365 TV), (GeoSn0w) (iDevice Central), or the logo or the videos, expect Copyright strike. I think it is fair enough. Of course, you can obtain a permission from us to use any of these in your title but you must have the written permission before you can use them.

Rule #2: If you consider it fake just because it gives errors / it is a work in progress, then please, kindly don't watch, leave the video (you can even dislike). These videos are ONLY for those who DO understand everything I published on this page. It is more a developer thing.

If you thought you can come here and bypass a couple devices and sell them, you are NOT in the right place. This is a development community, not a GSM store. You can still subscribe to learn more about the iOS / iDevices, but be civilized.

Rule #3: Don't CUSS! Yes, we want normal, respectful comments. Don't swear, don't pick up fights with other users, discuss ideas in a civilized manner.

Rule #4: Don't demand! Developers are NOT factories. If something is finished, it will surely appear. Some things can't be released (like Exploits) due to security measures.

Rule #5: Stay on-topic. If the video is about Jailbreak and you are interested in iCloud and don't wanna see Jailbreak videos, simply leave and come back when you see what interests you. Don't post questions that are not related to the video and expect any reply. If you have a question find an appropriate video. Keep it clean.

Rule #6: Stop selling F.C.E. 365 Firmware Manager on eBay for 20$ or any other price. I made that App FREE and the only genuine link is the one from this page (that goes to The iPhone Wiki).

Rule #7: DON'T Post the same question multiple times, that is SPAM and YouTube will automatically flag it.

To sum up, this is a development community, the channel is more over a sketch notebook for my ideas, if you find an error, try to fix it, if you can't then try to understand where it fails and what it takes to fix it. There is no such thing as "impossible". If jailbreakers can, so can you. (If you learn).

I am doing my best to reply to as much comments as possible, but I have a real Job and I do these research things in my FREE TIME. Please do understand.

That's it. It might look like there are too much rules, but all these rules keep the community a warm place.

× Pay attention to the scammers that re-upload my Setup.App patches on YouTube and put ADFLY links on them, most of the re-uploads get bundled with viruses so avoid / report them to me. As a rule, try not to make the fact that you bought a stolen / lost / locked device my problem. It is your fault, not mine. I develop this things ONLY in my free time. My job has priority. Don't force things up. If something isn't on the channel, is probably because we haven't achieved it yet. This a development community, not a GSM Service Shop and we are NOT paid for our research so please be patient.

Page Last Modification: 02/26/2017 (February 2017)