The iPhone Wiki - User contributions [en]

DFU Mode

2019-08-21T06:01:33Z

SiggiJG:

'''DFU''' or '''Device Firmware Upgrade''' mode allows all devices to be restored from any state. It is essentially a mode where the BootROM can accept iBSS. DFU is part of the [[Bootrom|SecureROM]] which is burned into the hardware, so it cannot be removed. On A7+ devices, it generates an ApNonce and recognizes APTickets as well, so even in DFU, it can accept an APTicket.

== Entering DFU Mode ==
=== Apple TV ===
# Plug the device into your computer using a Micro-USB cable.
# Force the device to reboot by holding down the "Menu" and "Down" buttons simultaneously for 6-7 seconds.
# Press "Menu" and "Play" simultaneously right after reboot, until a message pops up in [[iTunes]], saying that it has detected an Apple TV in Recovery Mode.

=== A9 and older devices (iPad other than the ones listed below, iPhone 6s and below, iPhone SE and iPod touch 6 and below) ===
# Connect the device to a computer using a USB cable.
# Hold down both the Home button and Lock button.
# After 8 seconds, release the Lock button while continuing to hold down the Home button.
#* If the Apple logo appears, the Lock button was held down for too long.
# Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
#* If your device shows a screen telling you to connect the device to iTunes, retry these steps.

=== A10 devices (iPhone 7 and iPhone 7 Plus, iPad 2018, iPod touch 7) ===
# Connect the device to a computer using a USB cable.
# Hold down both the Side button and Volume Down button.
# After 8 seconds, release the Side button while continuing to hold down the Volume Down button.
#* If the Apple logo appears, the Side button was held down for too long.
# Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
#* If your device shows a screen telling you to connect the device to iTunes, retry these steps.

=== A11 and newer devices (iPhone 8 and above, iPad Pro 2018, iPad Air 2019, iPad Mini 2019) ===
# Connect the device to a computer using a USB cable.
# Quick-press the Volume Up button
# Quick-press the Volume Down button
# Hold down the Side button until the screen goes black, then hold down both the Side button and Volume Down button.
# After 5 seconds, release the Side button while continuing to hold down the Volume Down button.
#* If the Apple logo appears, the Side button was held down for too long.
# Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
#* If your device shows a screen telling you to connect the device to iTunes, retry these steps.

== Exiting DFU Mode ==
To exit DFU Mode, simply force restart your device.

* For Apple TV, hold down the "Menu" and "Down" buttons on your remote until the Apple TV reboots.
* For iPad, iPhone 6s and below, iPhone SE and iPod touch, hold the Home button and the Lock button until the device reboots.
* For iPhone 7 and iPhone 7 Plus, hold down the Side button and Volume Down button until the device reboots.
* For iPhone 8, iPhone 8 Plus, and iPhone X, quick-press the Volume Up button, then quick-press the Volume Down button, then hold down the Side button until the device reboots.

==Enter True Hardware DFU Mode Automatically==
The EnterDFU function in the [[MobileDevice Library]] does not enter the true DFU Mode in the hardware. It's possible to enter the true DFU Mode without doing it manually, but it cannot be exited unless a restore is performed, as it creates a [[DFU Loop]]. This doesn't work with [[S5L8900]] devices.

===Steps===
# Make a copy of a fresh IPSW file.
# Open the IPSW as a zip folder and browse to /firmware/all_flash/all_flash.xxxxx.production/
# Extract LLB.*****.RELEASE.img3/im4p and open it in a hex editor.
# Change some random bit or bits, it doesn't matter which or what you write.
# Add the edited file back to the zip, rename zip to ipsw and restore it to your device using iTunes.
# The restore will error out and your device will be in DFU Mode.

===Alternative Method===
If the previous method does not work for you, try this one.
# Do steps 1 and 2 from above.
# Delete LLB.*****.RELEASE.img3.
# Copy applelogo.********.img3 to temporary directory.
# Rename the copy of applelogo.********.img3/im4p to LLB.*****.RELEASE.img3/im4p. (If you forget the name of the LLB file, you can find it again in the file named manifest.)
# Copy the renamed applelogo file back to the all_flash.xxxxx.production directory.
# Rename the zip.
# Restore the file using iTunes. (If every thing goes well, you should receive an error 31 from iTunes.)

==DFU Mode Output to the computer==
<pre>iProduct: "Apple Mobile Device (DFU Mode)"</pre> <pre>iSerialNumber: "CPID:XXXX CPRV:15 CPFM:03 SCEP:03 BDID:00 ECID:XXXXXXXXXXXXXXXX SRTG:[iBoot-XXX.X.X]"</pre>

==Revisions==
===[[S5L8900]] (0x1222)===
This is the device ID in the [[N45AP|iPod touch]], the [[M68AP|iPhone]], and the [[N82AP|iPhone 3G]]. For more information about the protocol, see [[DFU 0x1222]].

===[[S5L8720 Bootrom|S5L8720]], [[S5L8920]], and [[WTF|WTF mode post-2.0]] (0x1227)===
This is the device ID in the [[N72AP|iPod touch (2nd generation)]], the [[N88AP|iPhone 3GS]], the [[N90AP|iPhone 4]], subsequent 32 bit devices, all 64 bit devices, and [[WTF|WTF mode]]. For more information on the protocol, see [[DFU 0x1227]].

[[Category:Bootrom]]

Siri Protocol

2017-12-07T02:02:31Z

SiggiJG:

Applidium [http://applidium.com/en/news/cracking_siri/ documented] the '''Siri Protocol''' on 14 November 2011 by setting up a DNS to see the traffic. The traffic is simple HTTPS (with some modifications, mentioned later). The server presents a certificate for guzzoni.apple.com (IP 17.174.4.4) and the client checks for the correct domain certificate. But it does not check the issuer, so you can create a self-signed certificate to see the traffic.

=== Protocol ===
The request looks similar to a standard HTTP request:
ACE /ace HTTP/1.0
Host: guzzoni.apple.com
User-Agent: Assistant(iPhone/iPhone4,1; iPhone OS/5.0/9A334) Ace/1.0
Content-Length: 2000000000
X-Ace-Host: 4620a9aa-88f4-4ac1-a49d-e2012910921
The X-Ace-Host is tied to the 4S you are using. The content length of almost 2GB is fixed, so no actual length. The User-Agent is modified depending on your OS version and build. The data itself is binary.

=== Binary Data ===
* Starts with 0x00AACCEE on iOS 5, or 0xAACCEE02 on iOS 6+
* Rest is compressed with [http://zlib.net zlib]

Then the data is made out of chunks:
* Starting with 0x020000xxxx are "plist" packets with size xxxx of the binary plist data.
* Starting with 0x030000xxxx are "ping" packets, sent by the iPhone to Siri server to keep connection alive. xx is the ping sequence number.
* Starting with 0x040000xxxx are "pong" packets, sent from Siri server to the iPhone to keep connection alive. xx is the pong sequence number.
* Starting with 0x070000xxxx are "speech" packets, sent by iOS 8.4 (maybe a bit earlier and probably newer versions too, speech is sent as a plist on iOS 5 and 6, and maybe 7? (not tested on 7)). xxxx is the length of the packet.

To decipher the binary [[PList File Format|plist]] you can use the plutil command-line tool on Mac OS X.

=== plist data ===
The audio data is compressed with [http://www.speex.org/ Speex] audio codec (iOS 5 and 6) or with [http://opus-codec.org/ Opus] audio codec. (iOS 8)

(More documentation of plist data is missing here.)

[[Category:Protocols‏]]

Siri Protocol

2017-12-06T23:39:21Z

SiggiJG:

Applidium [http://applidium.com/en/news/cracking_siri/ documented] the '''Siri Protocol''' on 14 November 2011 by setting up a DNS to see the traffic. The traffic is simple HTTPS (with some modifications, mentioned later). The server presents a certificate for guzzoni.apple.com (IP 17.174.4.4) and the client checks for the correct domain certificate. But it does not check the issuer, so you can create a self-signed certificate to see the traffic.

=== Protocol ===
The request looks similar to a standard HTTP request:
ACE /ace HTTP/1.0
Host: guzzoni.apple.com
User-Agent: Assistant(iPhone/iPhone4,1; iPhone OS/5.0/9A334) Ace/1.0
Content-Length: 2000000000
X-Ace-Host: 4620a9aa-88f4-4ac1-a49d-e2012910921
The X-Ace-Host is tied to the 4S you are using. The content length of almost 2GB is fixed, so no actual length. The User-Agent is modified depending on your OS version and build. The data itself is binary.

=== Binary Data ===
* Starts with 0x00AACCEE
* Rest is compressed with [http://zlib.net zlib]

Then the data is made out of chunks:
* Starting with 0x020000xxxx are "plist" packets with size xxxx of the binary plist data.
* Starting with 0x030000xxxx are "ping" packets, sent by the iPhone to Siri server to keep connection alive. xx is the ping sequence number.
* Starting with 0x040000xxxx are "pong" packets, sent from Siri server to the iPhone to keep connection alive. xx is the pong sequence number.
* Starting with 0x070000xxxx are "speech" packets, sent by iOS 8.4 (maybe a bit earlier and probably newer versions too, speech is sent as a plist on iOS 5 and 6, and maybe 7? (not tested on 7)). xxxx is the length of the packet.

To decipher the binary [[PList File Format|plist]] you can use the plutil command-line tool on Mac OS X.

=== plist data ===
The audio data is compressed with [http://www.speex.org/ Speex] audio codec (iOS 5 and 6) or with [http://opus-codec.org/ Opus] audio codec. (iOS 8)

(More documentation of plist data is missing here.)

[[Category:Protocols‏]]