Difference between revisions of "DFU Mode"

From The iPhone Wiki
(51 intermediate revisions by 25 users not shown)
Line 1: Line 1:
'''DFU''' or '''Device Firmware Upgrade''' mode allows the [[S5L8900]], [[S5L8720]] and [[S5L8920]] to be restored from any state. It resides in the [[VROM]] and the [[S5L8900]] variant is vulnerable to the [[Pwnage 2.0]] exploit.
+
'''DFU''' or '''Device Firmware Upgrade''' mode allows all devices to be restored from any state. It is essentially a mode where the BootROM can accept [[iBSS]]. DFU is part of the [[Bootrom|SecureROM]] which is burned into the hardware, so it cannot be removed. On A7+ devices, it generates an ApNonce and recognizes APTickets as well, so even in DFU, it can accept an APTicket.
   
==Entering / Exitting DFU==
+
== Entering DFU Mode ==
  +
NOTE: If you are using a USB-C cable to enter DFU mode, it might not work. If this happens, you need to use the normal USB cable. You can use a normal USB cable and a USB to USB-C adapter.
Software cannot be used to reliably enter DFU. Software methods rely on sending a signed WTF file which either calls the "real" DFU mode in bootrom or emulates it. Only ones calling the bootrom DFU is useful for exploiting bootrom (unpatchable) exploits and none exist that work for firmware 2.0 and later. If you are attempting to exploit the DFU, it is advisable to always use the hardware method. If your NOR firmware is corrupted, of course you have no recourse but to use the hardware method.
 
   
===How to Enter True Hardware DFU===
+
=== Apple TV ===
# Turn off the device.
+
# Plug the device into your computer using a Micro-USB cable.
  +
# Force the device to reboot by holding down the "Menu" and "Down" buttons simultaneously for 6-7 seconds.
# Hold Power and Home for 10 seconds
 
  +
# Press "Menu" and "Play" simultaneously right after reboot, until a message pops up in [[iTunes]] or Finder, saying that it has detected an Apple TV in Recovery Mode.
# Release Power, and keep holding Home
 
# Keep holding home for 4-8 seconds or until you are alerted by your computer that it has detected a device in DFU.
 
   
  +
=== iPhone, iPad, iPod touch ===
If the Restore Logo is present on the screen, you are in ''[[Recovery Mode]]'', '''not''' ''DFU''.
 
  +
==== A9 and older devices (iPad other than the ones listed below, iPhone 6s and below, iPhone SE and iPod touch 6 and below) ====
  +
# Connect the device to a computer using a USB cable.
  +
# Hold down both the Home button and Lock button.
  +
# After 8 seconds, release the Lock button while continuing to hold down the Home button.
  +
#* If the Apple logo appears, the Lock button was held down for too long.
  +
# Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
  +
#* If your device shows a screen telling you to connect the device to iTunes, retry these steps.
   
  +
==== A10 devices (iPhone 7 and iPhone 7 Plus, iPad 2018, iPod touch 7) ====
===Exiting DFU===
 
  +
# Connect the device to a computer using a USB cable.
While in DFU, hold the power button for 30-60 seconds. When I have tested it, it has varied, so I don't know an exact length of time to hold it. Note that sometimes if you do this, when the device reboots from DFU, it will go into recovery mode for unknown reasons.
 
  +
# Hold down both the Side button and Volume Down button.
  +
# After 8 seconds, release the Side button while continuing to hold down the Volume Down button.
  +
#* If the Apple logo appears, the Side button was held down for too long.
  +
# Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
  +
#* If your device shows a screen telling you to connect the device to iTunes, retry these steps.
  +
  +
==== A11 and newer devices (iPhone 8 and above, iPad Pro 2018, iPad Air 2019, iPad Mini 2019) ====
  +
# Connect the device to a computer using a USB cable.
  +
# Quick-press the Volume Up button
  +
# Quick-press the Volume Down button
  +
# Hold down the Side button until the screen goes black, then hold down both the Side button and Volume Down button.
  +
# After 5 seconds, release the Side button while continuing to hold down the Volume Down button.
  +
#* If the Apple logo appears, the Side button was held down for too long.
  +
# Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
  +
#* If your device shows a screen telling you to connect the device to iTunes, retry these steps.
  +
  +
=== Apple Watch ===
  +
  +
# Connect to computer via [[iBUS]] adapter and lightning cable
  +
# Hold crown and power button (bottom right)
  +
# Wait for the screen to go black
  +
# After 3 seconds of black, let go of the power button but continue to hold the crown
  +
# After about 5 seconds your watch will be in DFU mode
  +
  +
=== Mac with the T2 Security chip ===
  +
Note: To restore bridgeOS, you will need to use Apple Configurator on a second Mac.
  +
==== iMac (2020), iMac Pro (2017) ====
  +
# Disconnect the iMac Pro or iMac from power.
  +
# Plug the USB-C cable into the Thunderbolt port closest to the Ethernet port.
  +
# While holding down the power button, connect the iMac Pro or iMac to power and continue to hold the power button for about 3 seconds.
  +
  +
==== Mac mini (2018) ====
  +
# Optional but recommended step. Connect a monitor to your Mac mini (so you can see when the restore process is complete).
  +
# Disconnect the Mac mini from power for at least 10 seconds.
  +
# Plug the USB-C cable into the Thunderbolt port closest to the HDMI port.
  +
# While holding down the power button, connect the Mac mini to power and continue to hold the power button for about 3 seconds.
  +
  +
==== MacBook Air or MacBook Pro ====
  +
# Press the Sleep/Wake button for about 5 seconds to shut down the Apple notebook computer.
  +
# Plug the USB-C cable into the front Thunderbolt port on the left side of the Apple notebook computer.
  +
# While holding down the power button, press the right shift key, the left option key and the left control keys for about 3 seconds.
  +
  +
==== Mac Pro (2019) ====
  +
# Optional but recommended step. Connect a monitor to your Mac Pro (so you can see when the restore process is complete).
  +
# Disconnect the Mac Pro from power.
  +
# For the desktop Mac Pro, plug the USB-C cable into the Thunderbolt port farthest away from the power button.
  +
# For the rack mount Mac Pro, plug the USB-C cable into the Thunderbolt port closest to the power button.
  +
# While holding down the power button, connect the Mac Pro to power and continue to hold the power button for about 3 seconds.
  +
  +
=== Mac with Apple Silicon ===
  +
Note: To restore macOS and recoveryOS, you will need to use Apple Configurator on a second Mac.
  +
==== iMac (24-inch, M1, 2021) ====
  +
# Disconnect the iMac from power.
  +
# Plug the USB-C cable into the Thunderbolt port closest to the stand.
  +
# While holding down the power button, connect the iMac to power and continue to hold the power button for about 3 seconds.
  +
  +
==== Mac Studio and Mac mini ====
  +
# Optional but recommended step. Connect a monitor to your Mac Studio or Mac mini (so you can see when the restore process is complete).
  +
# Disconnect the Mac Studio or Mac mini from power for at least 10 seconds.
  +
# Plug the USB-C cable into the Thunderbolt port closest to the Ethernet port.
  +
# Press and hold the power button.
  +
# Reconnect power while still holding the power button.
  +
# Release the power button.
  +
# The status indicator light should turn amber. This indicates that the Mac Studio or Mac mini is in DFU mode.
  +
  +
==== MacBook Air or MacBook Pro ====
  +
Note: the MagSafe LED indicator will be disabled while in DFU Mode.
  +
# Press the power button.
  +
# Plug the USB-C cable into the front Thunderbolt port on the left side of the Apple notebook computer.
  +
# While holding down the power button, press the right shift key, the left option key and the left control keys for about 10 seconds.
  +
# After 10 seconds, immediately release the three keys but continue to hold down the power button until Apple Configurator indicates that the Mac is in DFU mode.
  +
  +
=== GPIO Pins ===
  +
If you have hardware access to the SoC, you can either perform the above methods for your device by utilizing the <code>GPIO_REQUEST_DFU1</code> and <code>GPIO_REQUEST_DFU2</code> GPIO pins (previously <code>HOLD_KEY</code> and <code>MENU_KEY</code>) corresponding to Power and Home/Vol-, respectively, or by pulling your board's <code>GPIO_FORCE_DFU</code> pin high at SecureROM startup (unless you are using an [[iFPGA]], where Force DFU mode is the default).
  +
  +
The physical GPIO pins for each SoC varies.
  +
  +
== Exiting DFU Mode ==
  +
To exit DFU Mode, simply force restart your device.
  +
  +
* For Apple TV, hold down the "Menu" and "Down" buttons on your remote until the Apple TV reboots.
  +
* For iPad, iPhone 6s and below, iPhone SE and iPod touch, hold the Home button and the Lock button until the device reboots.
  +
* For iPhone 7 and iPhone 7 Plus, hold down the Side button and Volume Down button until the device reboots.
  +
* For iPhone 8, iPhone 8 Plus, iPhone SE (2020) and iPhone X or newer, quick-press the Volume Up button, then quick-press the Volume Down button, then hold down the Side button until the device reboots.
  +
* For a Mac (T2 or Apple Silicon), press and hold the power button until you see the Apple logo and/or hear the startup chime.
  +
  +
==Enter True Hardware DFU Mode Automatically==
  +
The EnterDFU function in the [[MobileDevice Library]] does not enter the true DFU Mode in the hardware. It's possible to enter the true DFU Mode without doing it manually, but it cannot be exited unless a restore is performed, as it creates a [[DFU Loop]]. This doesn't work with [[S5L8900]] devices.
  +
  +
===Steps===
  +
# Make a copy of a fresh IPSW file.
  +
# Open the IPSW as a zip folder and browse to /firmware/all_flash/all_flash.xxxxx.production/
  +
# Extract LLB.*****.RELEASE.img3/im4p and open it in a hex editor.
  +
# Change some random bit or bits, it doesn't matter which or what you write.
  +
# Add the edited file back to the zip, rename zip to ipsw and restore it to your device using iTunes.
  +
# The restore will error out and your device will be in DFU Mode.
  +
  +
===Alternative Method===
  +
If the previous method does not work for you, try this one.
  +
# Do steps 1 and 2 from above.
  +
# Delete LLB.*****.RELEASE.img3.
  +
# Copy applelogo.********.img3 to temporary directory.
  +
# Rename the copy of applelogo.********.img3/im4p to LLB.*****.RELEASE.img3/im4p. (If you forget the name of the LLB file, you can find it again in the file named manifest.)
  +
# Copy the renamed applelogo file back to the all_flash.xxxxx.production directory.
  +
# Rename the zip.
  +
# Restore the file using iTunes. (If every thing goes well, you should receive an error 31 from iTunes.)
  +
  +
==DFU Mode Output to the computer==
  +
<pre>iProduct: "Apple Mobile Device (DFU Mode)"</pre> <pre>iSerialNumber: "CPID:XXXX CPRV:XX CPFM:0X SCEP:XX BDID:XX ECID:XXXXXXXXXXXXXXXX SRTG:[iBoot-XXXX.X.X]"</pre>
   
 
==Revisions==
 
==Revisions==
 
===[[S5L8900]] (0x1222)===
 
===[[S5L8900]] (0x1222)===
This is the device ID in the [[N45ap|iPod Touch 1G]], the [[M68ap|iPhone]], and the [[N82ap|iPhone 3G]]. For more information about the protocol, see [[DFU 0x1222]].
+
This is the device ID in the [[N45AP|iPod touch]], the [[M68AP|iPhone]], and the [[N82AP|iPhone 3G]]. For more information about the protocol, see [[DFU 0x1222]].
   
 
===[[S5L8720 Bootrom|S5L8720]], [[S5L8920]], and [[WTF|WTF mode post-2.0]] (0x1227)===
 
===[[S5L8720 Bootrom|S5L8720]], [[S5L8920]], and [[WTF|WTF mode post-2.0]] (0x1227)===
This is the device ID in the [[N72ap|iPod Touch 2G]], the [[N88ap|iPhone 3GS]], and [[WTF|WTF mode]]. For more information on the protocol, see [[DFU 0x1227]].
+
This is the device ID in the [[N72AP|iPod touch (2nd generation)]], the [[N88AP|iPhone 3GS]], the [[N90AP|iPhone 4]], subsequent 32 bit devices, all 64 bit devices, and [[WTF|WTF mode]]. For more information on the protocol, see [[DFU 0x1227]].
   
[[Category:VROM]]
+
[[Category:Bootrom]]
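Review bot: the rewritten intro and the new "Enter True Hardware DFU Mode Automatically" section both still speak of "true" hardware DFU, yet the replaced paragraph that explained the distinction (software methods send a signed WTF file that either calls the bootrom's own DFU or emulates it, and only the bootrom one is of use against bootrom exploits) is removed without a substitute. Suggest keeping one sentence of it beside the EnterDFU statement, e.g. 'Software methods rely on sending a signed WTF file which either calls the "real" DFU mode in bootrom or emulates it.' The dropped statement that the S5L8900 variant is vulnerable to Pwnage 2.0 could likewise move into the S5L8900 (0x1222) entry under Revisions instead of disappearing.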

Latest revision as of 16:14, 29 November 2022

DFU or Device Firmware Upgrade mode allows all devices to be restored from any state. It is essentially a mode where the BootROM can accept iBSS. DFU is part of the SecureROM which is burned into the hardware, so it cannot be removed. On A7+ devices, it generates an ApNonce and recognizes APTickets as well, so even in DFU, it can accept an APTicket.

Entering DFU Mode

NOTE: If you are using a USB-C cable to enter DFU mode, it might not work. If this happens, you need to use the normal USB cable. You can use a normal USB cable and a USB to USB-C adapter.

Apple TV

  1. Plug the device into your computer using a Micro-USB cable.
  2. Force the device to reboot by holding down the "Menu" and "Down" buttons simultaneously for 6-7 seconds.
  3. Press "Menu" and "Play" simultaneously right after reboot, until a message pops up in iTunes or Finder, saying that it has detected an Apple TV in Recovery Mode.

iPhone, iPad, iPod touch

A9 and older devices (iPad other than the ones listed below, iPhone 6s and below, iPhone SE and iPod touch 6 and below)

  1. Connect the device to a computer using a USB cable.
  2. Hold down both the Home button and Lock button.
  3. After 8 seconds, release the Lock button while continuing to hold down the Home button.
    • If the Apple logo appears, the Lock button was held down for too long.
  4. Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
    • If your device shows a screen telling you to connect the device to iTunes, retry these steps.

A10 devices (iPhone 7 and iPhone 7 Plus, iPad 2018, iPod touch 7)

  1. Connect the device to a computer using a USB cable.
  2. Hold down both the Side button and Volume Down button.
  3. After 8 seconds, release the Side button while continuing to hold down the Volume Down button.
    • If the Apple logo appears, the Side button was held down for too long.
  4. Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
    • If your device shows a screen telling you to connect the device to iTunes, retry these steps.

A11 and newer devices (iPhone 8 and above, iPad Pro 2018, iPad Air 2019, iPad Mini 2019)

  1. Connect the device to a computer using a USB cable.
  2. Quick-press the Volume Up button.
  3. Quick-press the Volume Down button.
  4. Hold down the Side button until the screen goes black, then hold down both the Side button and Volume Down button.
  5. After 5 seconds, release the Side button while continuing to hold down the Volume Down button.
    • If the Apple logo appears, the Side button was held down for too long.
  6. Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode.
    • If your device shows a screen telling you to connect the device to iTunes, retry these steps.

Apple Watch

  1. Connect the watch to the computer via an iBUS adapter and a Lightning cable.
  2. Hold the crown and the power button (bottom right).
  3. Wait for the screen to go black.
  4. After 3 seconds of black, let go of the power button but continue to hold the crown.
  5. After about 5 seconds your watch will be in DFU mode.

Mac with the T2 Security chip

Note: To restore bridgeOS, you will need to use Apple Configurator on a second Mac.

iMac (2020), iMac Pro (2017)

  1. Disconnect the iMac Pro or iMac from power.
  2. Plug the USB-C cable into the Thunderbolt port closest to the Ethernet port.
  3. While holding down the power button, connect the iMac Pro or iMac to power and continue to hold the power button for about 3 seconds.

Mac mini (2018)

  1. Optional but recommended step. Connect a monitor to your Mac mini (so you can see when the restore process is complete).
  2. Disconnect the Mac mini from power for at least 10 seconds.
  3. Plug the USB-C cable into the Thunderbolt port closest to the HDMI port.
  4. While holding down the power button, connect the Mac mini to power and continue to hold the power button for about 3 seconds.

MacBook Air or MacBook Pro

  1. Press the Sleep/Wake button for about 5 seconds to shut down the Apple notebook computer.
  2. Plug the USB-C cable into the front Thunderbolt port on the left side of the Apple notebook computer.
  3. While holding down the power button, press the right Shift key, the left Option key and the left Control key for about 3 seconds.

Mac Pro (2019)

  1. Optional but recommended step. Connect a monitor to your Mac Pro (so you can see when the restore process is complete).
  2. Disconnect the Mac Pro from power.
  3. For the desktop Mac Pro, plug the USB-C cable into the Thunderbolt port farthest away from the power button.
  4. For the rack mount Mac Pro, plug the USB-C cable into the Thunderbolt port closest to the power button.
  5. While holding down the power button, connect the Mac Pro to power and continue to hold the power button for about 3 seconds.

Mac with Apple Silicon

Note: To restore macOS and recoveryOS, you will need to use Apple Configurator on a second Mac.

iMac (24-inch, M1, 2021)

  1. Disconnect the iMac from power.
  2. Plug the USB-C cable into the Thunderbolt port closest to the stand.
  3. While holding down the power button, connect the iMac to power and continue to hold the power button for about 3 seconds.

Mac Studio and Mac mini

  1. Optional but recommended step. Connect a monitor to your Mac Studio or Mac mini (so you can see when the restore process is complete).
  2. Disconnect the Mac Studio or Mac mini from power for at least 10 seconds.
  3. Plug the USB-C cable into the Thunderbolt port closest to the Ethernet port.
  4. Press and hold the power button.
  5. Reconnect power while still holding the power button.
  6. Release the power button.
  7. The status indicator light should turn amber. This indicates that the Mac Studio or Mac mini is in DFU mode.

MacBook Air or MacBook Pro

Note: the MagSafe LED indicator will be disabled while in DFU Mode.

  1. Press the power button.
  2. Plug the USB-C cable into the front Thunderbolt port on the left side of the Apple notebook computer.
  3. While holding down the power button, press the right Shift key, the left Option key and the left Control key for about 10 seconds.
  4. After 10 seconds, immediately release the three keys but continue to hold down the power button until Apple Configurator indicates that the Mac is in DFU mode.

GPIO Pins

If you have hardware access to the SoC, you can either perform the above methods for your device by utilizing the GPIO_REQUEST_DFU1 and GPIO_REQUEST_DFU2 GPIO pins (previously HOLD_KEY and MENU_KEY) corresponding to Power and Home/Vol-, respectively, or by pulling your board's GPIO_FORCE_DFU pin high at SecureROM startup (unless you are using an iFPGA, where Force DFU mode is the default).

The physical GPIO pins differ from SoC to SoC.

Exiting DFU Mode

To exit DFU Mode, simply force restart your device.

  • For Apple TV, hold down the "Menu" and "Down" buttons on your remote until the Apple TV reboots.
  • For iPad, iPhone 6s and below, iPhone SE and iPod touch, hold the Home button and the Lock button until the device reboots.
  • For iPhone 7 and iPhone 7 Plus, hold down the Side button and Volume Down button until the device reboots.
  • For iPhone 8, iPhone 8 Plus, iPhone SE (2020) and iPhone X or newer, quick-press the Volume Up button, then quick-press the Volume Down button, then hold down the Side button until the device reboots.
  • For a Mac (T2 or Apple Silicon), press and hold the power button until you see the Apple logo and/or hear the startup chime.

Enter True Hardware DFU Mode Automatically

The EnterDFU function in the MobileDevice Library does not enter the true DFU Mode in the hardware. It's possible to enter the true DFU Mode without doing it manually, but it cannot be exited unless a restore is performed, as it creates a DFU Loop. This doesn't work with S5L8900 devices.

Steps

  1. Make a copy of a fresh IPSW file.
  2. Open the IPSW as a zip folder and browse to /firmware/all_flash/all_flash.xxxxx.production/
  3. Extract LLB.*****.RELEASE.img3/im4p and open it in a hex editor.
  4. Change some random bit or bits; it doesn't matter which bits you change or what you write.
  5. Add the edited file back to the zip, rename zip to ipsw and restore it to your device using iTunes.
  6. The restore will error out and your device will be in DFU Mode.

Alternative Method

If the previous method does not work for you, try this one.

  1. Do steps 1 and 2 from above.
  2. Delete LLB.*****.RELEASE.img3.
  3. Copy applelogo.********.img3 to temporary directory.
  4. Rename the copy of applelogo.********.img3/im4p to LLB.*****.RELEASE.img3/im4p. (If you forget the name of the LLB file, you can find it again in the file named manifest.)
  5. Copy the renamed applelogo file back to the all_flash.xxxxx.production directory.
  6. Rename the zip.
  7. Restore the file using iTunes. (If everything goes well, you should receive an error 31 from iTunes.)

DFU Mode Output to the computer

iProduct: "Apple Mobile Device (DFU Mode)"
iSerialNumber: "CPID:XXXX CPRV:XX CPFM:0X SCEP:XX BDID:XX ECID:XXXXXXXXXXXXXXXX SRTG:[iBoot-XXXX.X.X]"

Revisions

S5L8900 (0x1222)

This is the device ID in the iPod touch, the iPhone, and the iPhone 3G. For more information about the protocol, see DFU 0x1222.

S5L8720, S5L8920, and WTF mode post-2.0 (0x1227)

This is the device ID in the iPod touch (2nd generation), the iPhone 3GS, the iPhone 4, subsequent 32-bit devices, all 64-bit devices, and WTF mode. For more information on the protocol, see DFU 0x1227.
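As an added example that is not from the wiki page or from any Apple tooling, the Python below parses the iSerialNumber string shown under "DFU Mode Output to the computer" and uses the 0x1222 and 0x1227 product IDs from "Revisions" to decide whether a USB device is really in DFU, which matters because iTunes reports DFU as "recovery mode". Apple's USB vendor ID 0x05AC and the sample descriptor values are assumptions of the example, not values from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Apple's USB vendor ID: a well-known constant, not taken from the wiki page.
APPLE_VID = 0x05AC

# USB product IDs that the page's "Revisions" section assigns to DFU mode.
DFU_PIDS = {
    0x1222: "S5L8900 DFU",
    0x1227: "S5L8720/S5L8920 and later DFU, or WTF mode post-2.0",
}

# iProduct string the page shows for a device in DFU mode.
DFU_PRODUCT = "Apple Mobile Device (DFU Mode)"

# One "KEY:VALUE" token; a value may be bracketed, e.g. SRTG:[iBoot-574.4].
TOKEN_RE = re.compile(r"([A-Z]+):(\[[^\]]*\]|\S+)")
HEX = "0123456789abcdefABCDEF"


@dataclass
class DfuIdentity:
    fields: Dict[str, str]  # every KEY:VALUE token from iSerialNumber, raw
    cpid: int               # chip ID, e.g. 0x8930
    bdid: int               # board ID
    ecid: int               # 64-bit unique chip ID
    srtg: str               # SecureROM tag with the brackets stripped


def parse_dfu_serial(serial: str) -> DfuIdentity:
    """Parse the DFU-mode iSerialNumber string into named fields.

    Tokens are matched by name, not position, so a field appended by a newer
    bootrom lands in .fields; ValueError if a listed field is missing or bad.
    """
    fields = {key: val.strip("[]") for key, val in TOKEN_RE.findall(serial)}
    for key, width in (("CPID", 4), ("CPRV", 2), ("CPFM", 2),
                       ("SCEP", 2), ("BDID", 2), ("ECID", 16)):
        val = fields.get(key, "")
        # strip(HEX) leaves "" only when every character is a hex digit.
        if len(val) != width or val.strip(HEX):
            raise ValueError(f"bad or missing {key} in {serial!r}")
    if not fields.get("SRTG"):
        raise ValueError(f"missing SRTG in {serial!r}")
    return DfuIdentity(fields, int(fields["CPID"], 16), int(fields["BDID"], 16),
                       int(fields["ECID"], 16), fields["SRTG"])


def dfu_mode_description(vid: int, pid: int, iproduct: str) -> Optional[str]:
    """Name the DFU variant a USB device presents, or None if not in DFU.

    iTunes calls both DFU and Recovery Mode "recovery mode"; the USB
    descriptors are what tell the two apart."""
    if vid != APPLE_VID or pid not in DFU_PIDS or iproduct != DFU_PRODUCT:
        return None
    return DFU_PIDS[pid]


# Constructed sample descriptors (not captured from a real device).
SAMPLE_VID, SAMPLE_PID = 0x05AC, 0x1227
SAMPLE_PRODUCT = "Apple Mobile Device (DFU Mode)"
SAMPLE_SERIAL = ("CPID:8930 CPRV:20 CPFM:03 SCEP:01 BDID:00 "
                 "ECID:000001A2B3C4D5E6 SRTG:[iBoot-574.4]")
```

Feeding the vendor ID, product ID and product string of each attached USB device through dfu_mode_description gives a host-side inventory check that does not depend on what iTunes or Finder displays.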