Difference between revisions of "DFU Mode"

From The iPhone Wiki
Edit summaries: older revision "(Exiting DFU)"; newer revision "m (S5L8720, S5L8920, and WTF mode post-2.0 (0x1227))". 23 intermediate revisions by 13 users not shown.
Text of the older revision that the diff shows as replaced or removed (passages that are unchanged in the newer revision, reproduced in full below, are not repeated here):

DFU or Device Firmware Upgrade mode allows the S5L8900, S5L8720 and S5L8920 to be restored from any state. It resides in the VROM and the S5L8900 variant is vulnerable to the Pwnage 2.0 exploit.

Entering / Exiting DFU

Software cannot be used to reliably enter DFU. Software methods rely on sending a signed WTF file which either calls the "real" DFU mode in the bootrom or emulates it. Only the ones calling the bootrom DFU are useful for exploiting bootrom (unpatchable) exploits, and none exist that work for firmware 2.0 and later. If you are attempting to exploit the DFU, it is advisable to always use the hardware method. If your NOR firmware is corrupted then you have no other choice but to use the hardware method.

How to Enter True Hardware DFU

  1. Plug your device into your computer.
  2. Turn off the device.
  3. Hold Power and Home for 10 seconds.
  4. Release Power, and keep holding Home.
  5. Keep holding Home for 4-8 seconds or until you are alerted by your computer that it has detected a device in DFU.

Make sure the device screen is blank and no logos are present. If the Restore Logo is present on the screen, you are in Recovery Mode, not DFU.

How to Enter DFU mode on Apple TV (2G)

  1. Plug the device into your computer using a microUSB cable.
  2. Force the device to reboot by holding down the "Menu" and "Down" buttons simultaneously for 6-7 seconds.
  3. Press "Menu" and "Play" simultaneously right after reboot, until a message pops up in iTunes, saying that it has detected an Apple TV in recovery mode.

Exiting DFU

While in DFU, hold the power and home buttons for about 10 seconds (until you hear the "device disconnected" tone on your computer). This should get you out.

Note that sometimes if you do this, when the device reboots from DFU, it will go into recovery mode for unknown reasons. To exit out of recovery mode, just use iLiberty.

Revisions

S5L8900 (0x1222): this is the device ID in the iPod Touch 1G, the iPhone, and the iPhone 3G. For more information about the protocol, see DFU 0x1222.

S5L8720, S5L8920, and WTF mode post-2.0 (0x1227): this is the device ID in the iPod Touch 2G, the iPhone 3GS, and WTF mode. For more information on the protocol, see DFU 0x1227.

Category: VROM (changed to Category: Bootrom in the newer revision).

Revision as of 18:05, 22 March 2017

DFU or Device Firmware Upgrade mode allows all devices to be restored from any state. It is essentially a mode where the BootROM can accept iBSS. DFU is burned into the hardware, so it cannot be removed. On A7+ devices, it generates an ApNonce and recognizes APTickets as well, so even in DFU, it can accept an APTicket.

DFU Mode

Entering DFU Mode on iPhone, iPad or iPod touch

  1. Plug your device into your computer with a USB cable.
  2. Turn off the device.
  3. Hold the Power button for 3 seconds.
  4. Hold the Home and Power buttons for 10 seconds.
  5. Release the Power button but keep holding the Home button.
  6. After about 15 seconds you will be alerted by iTunes saying that it has detected a device in Recovery Mode.

Make sure the device screen is blank and no logos are present

Exiting DFU Mode on iPhone, iPad or iPod touch

  1. Hold the Home and Power buttons until the Apple Logo appears.

Entering DFU Mode on Apple TV

  1. Plug the device into your computer using a microUSB cable.
  2. Force the device to reboot by holding down the "Menu" and "Down" buttons simultaneously for 6-7 seconds.
  3. Press "Menu" and "Play" simultaneously right after reboot, until a message pops up in iTunes, saying that it has detected an Apple TV in Recovery Mode.

Exiting DFU Mode on Apple TV

  1. Hold down the "Menu" and "Down" buttons. The Apple TV will reboot.

Enter True Hardware DFU Mode Automatically

The EnterDFU function in the MobileDevice Library does not enter the true DFU Mode in the hardware. It's possible to enter the true DFU Mode without doing it manually, but it cannot be exited unless a restore is performed, as it creates a DFU Loop. This doesn't work with S5L8900 devices.

Steps

  1. Make a copy of a fresh IPSW file.
  2. Open the IPSW as a zip folder and browse to /firmware/all_flash/all_flash.xxxxx.production/
  3. Extract LLB.*****.RELEASE.img3/im4p and open it in a hex editor.
  4. Change some random bit or bits, it doesn't matter which or what you write.
  5. Add the edited file back to the zip, rename the zip back to .ipsw, and restore it to your device using iTunes.
  6. The restore will error out and your device will be in DFU Mode.
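To script steps 3 to 5 of the procedure above, here is an added Python example (not code from the wiki or from any tool it names): it copies an IPSW, locates the LLB entry under all_flash.*.production/ by pattern, flips one byte of it, and writes the result out as a new .ipsw. The sample IPSW it builds, and the n88ap names inside it, are constructed placeholders; restoring a file modified this way is what the page says leaves the device in DFU.

```python
import tempfile
import zipfile
from pathlib import Path

# Layout named on the page; the per-build directory and file names are matched by pattern.
ALL_FLASH = "firmware/all_flash/"
# Constructed sample names (n88ap is a placeholder, not taken from a real IPSW).
SAMPLE_DIR = ALL_FLASH + "all_flash.n88ap.production/"
SAMPLE_LLB = SAMPLE_DIR + "LLB.n88ap.RELEASE.img3"

def find_llb(names):
    """Pick the single LLB.*.RELEASE.img3 / .im4p entry under all_flash.*.production/."""
    hits = [n for n in names
            if n.startswith(ALL_FLASH) and ".production/" in n
            and Path(n).name.startswith("LLB.") and ".RELEASE." in n
            and n.endswith((".img3", ".im4p"))]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one LLB entry, found {hits}")
    return hits[0]

def corrupt_llb(src_ipsw, dst_ipsw):
    """Steps 3-5: copy every entry, flipping one byte of LLB; write the copy as a new .ipsw."""
    with zipfile.ZipFile(src_ipsw) as zin, \
         zipfile.ZipFile(dst_ipsw, "w", zipfile.ZIP_DEFLATED) as zout:
        llb = find_llb(zin.namelist())
        for item in zin.infolist():
            data = zin.read(item)
            if item.filename == llb:
                patched = bytearray(data)
                patched[-1] ^= 0xFF      # which bit changes does not matter, per the page
                data = bytes(patched)
            zout.writestr(item, data)
    return llb

def build_sample_ipsw(path):
    """Constructed stand-in for a fresh IPSW holding only the entries this example touches."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(SAMPLE_LLB, bytes(32))                # placeholder bytes, not a real LLB
        z.writestr(SAMPLE_DIR + "manifest", b"LLB.n88ap.RELEASE.img3\n")

def demo():
    """Return (LLB entry name, last byte before, last byte after) for the sample IPSW."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = f"{d}/fresh.ipsw", f"{d}/dfu.ipsw"
        build_sample_ipsw(src)
        llb = corrupt_llb(src, dst)
        with zipfile.ZipFile(src) as a, zipfile.ZipFile(dst) as b:
            return llb, a.read(llb)[-1], b.read(llb)[-1]
```

Point corrupt_llb at a real IPSW copy to produce the restore file the steps describe; every other entry is carried over unchanged.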

Alternative Method

If the previous method does not work for you, try this one.

  1. Do steps 1 and 2 from above.
  2. Delete LLB.*****.RELEASE.img3.
  3. Copy applelogo.********.img3 to temporary directory.
  4. Rename the copy of applelogo.********.img3/im4p to LLB.*****.RELEASE.img3/im4p. (If you forget the name of the LLB file, you can find it again in the file named manifest.)
  5. Copy the renamed applelogo file back to the all_flash.xxxxx.production directory.
  6. Rename the zip.
  7. Restore the file using iTunes. (If everything goes well, you should receive an error 31 from iTunes.)

DFU Mode Output to the computer

iProduct: "Apple Mobile Device (DFU Mode)"
iSerialNumber: "CPID:XXXX CPRV:15 CPFM:03 SCEP:03 BDID:00 ECID:XXXXXXXXXXXXXXXX SRTG:[iBoot-XXX.X.X]"

Revisions

S5L8900 (0x1222)

This is the device ID in the iPod touch, the iPhone, and the iPhone 3G. For more information about the protocol, see DFU 0x1222.

S5L8720, S5L8920, and WTF mode post-2.0 (0x1227)

This is the device ID in the iPod touch (2nd generation), the iPhone 3GS, the iPhone 4, subsequent 32 bit devices, all 64 bit devices, and WTF mode. For more information on the protocol, see DFU 0x1227.
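As an added example (not code from the wiki), a Python helper that parses the iSerialNumber string shown under "DFU Mode Output to the computer" into its CPID/CPRV/CPFM/SCEP/BDID/ECID/SRTG fields, checks iProduct for the DFU marker so a Recovery Mode device is not mistaken for DFU, and labels the device family from the two USB product IDs listed under Revisions. The sample descriptor strings are constructed, not captured from a device.

```python
import re
from dataclasses import dataclass

# USB product IDs this page lists for DFU mode.
DFU_PRODUCT_IDS = {
    0x1222: "S5L8900 (DFU 0x1222)",
    0x1227: "S5L8720 / S5L8920 / later devices, or WTF mode post-2.0 (DFU 0x1227)",
}
REQUIRED = ("CPID", "CPRV", "CPFM", "SCEP", "BDID", "ECID", "SRTG")
# KEY:VALUE pairs; SRTG's value is bracketed and may contain '-' and '.'.
_FIELD_RE = re.compile(r"(\w+):(\[[^\]]*\]|\S+)")

# Constructed sample strings shaped like the descriptors on the page (not from a real device).
SAMPLE_IPRODUCT = "Apple Mobile Device (DFU Mode)"
SAMPLE_ISERIAL = ("CPID:8920 CPRV:15 CPFM:03 SCEP:03 BDID:00 "
                  "ECID:000001234ABCDEF0 SRTG:[iBoot-359.3]")

@dataclass
class DfuInfo:
    cpid: str   # chip ID
    cprv: str
    cpfm: str
    scep: str
    bdid: str   # board ID
    ecid: str   # per-device exclusive chip ID
    srtg: str   # bootrom tag from SRTG, brackets removed

def parse_iserial(serial: str) -> DfuInfo:
    """Split the DFU iSerialNumber string into fields; reject strings with any missing."""
    fields = dict(_FIELD_RE.findall(serial))
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"iSerialNumber is missing fields: {missing}")
    return DfuInfo(cpid=fields["CPID"], cprv=fields["CPRV"], cpfm=fields["CPFM"],
                   scep=fields["SCEP"], bdid=fields["BDID"], ecid=fields["ECID"],
                   srtg=fields["SRTG"].strip("[]"))

def is_dfu(iproduct: str) -> bool:
    """DFU announces itself in iProduct; a Recovery Mode device does not carry this marker."""
    return "(DFU Mode)" in iproduct

def describe(pid: int, iproduct: str, serial: str) -> str:
    """One-line summary of the attached device, or a Recovery Mode pointer if it is not in DFU."""
    if not is_dfu(iproduct):
        return "not DFU: if a restore logo is on the screen the device is in Recovery Mode"
    info = parse_iserial(serial)
    family = DFU_PRODUCT_IDS.get(pid, f"unknown DFU product ID {pid:#06x}")
    return f"{family}; CPID {info.cpid}, BDID {info.bdid}, ECID {info.ecid}, SRTG {info.srtg}"
```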