Difference between revisions of "IBUS"

From The iPhone Wiki
m (small edits)
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
The "iBUS" adapter is a smaller "dongle" that takes advantage of the diagnostics port hidden behind a small plate in the slot where the band for your watch would normally slide into.
+
The iBUS adapter is a smaller dongle that takes advantage of the diagnostics port hidden behind a small plate in the slot where the band for your watch would normally slide into.
   
These adapters are sold by "MFC" and appear to be clones of Apple's own proprietary hardware; When plugged into a Mac via lightning-to-USB, the Apple Watch appears in Finder in the same way that other apple devices do when plugged in. It is also recognized by [[libimobiledevice]], Xcode, and Apple's Console.app, although no logs are displayed in the latter.
+
These adapters are sold by MFC and appear to be clones of Apple's own proprietary hardware; When plugged into a Mac via lightning-to-USB, the Apple Watch appears in Finder in the same way that other apple devices do when plugged in. It is also recognized by libimobiledevice, Xcode, and Console.app, although no logs are displayed in the latter.
   
 
Not much information about these adapters has been released, by MFC or otherwise.
 
Not much information about these adapters has been released, by MFC or otherwise.
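Review bot: in the second changed paragraph the new line still has "; When" with a capital after the semicolon and a lowercase "apple devices", so the copy-edit is incomplete. Suggest ending the sentence at "proprietary hardware." and writing "other Apple devices". Removing the [[libimobiledevice]] brackets also drops the wiki link to that page; keep the link unless that is intended.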
Line 13: Line 13:
   
 
==== Entering DFU ====
 
==== Entering DFU ====
Once you've connected your apple watch via a standard USB Lightning cable and the iBUS adapter:
+
Once you've connected your Apple watch via a standard USB Lightning cable and the iBUS adapter:
   
 
# Hold the crown and power button down
 
# Hold the crown and power button down
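Review bot: the new line capitalises "Apple" but leaves "watch" lowercase, while the paragraph changed under "Line 1" writes "Apple Watch". Use "Apple Watch" here too so the product name is consistent across the page.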

Latest revision as of 12:59, 14 March 2021

The iBUS adapter is a smaller dongle that takes advantage of the diagnostics port hidden behind a small plate in the slot that the band for your watch would normally slide into.

These adapters are sold by MFC and appear to be clones of Apple's own proprietary hardware. When plugged into a Mac via Lightning-to-USB, the Apple Watch appears in Finder in the same way that other Apple devices do when plugged in. It is also recognized by libimobiledevice, Xcode, and Console.app, although no logs are displayed in the latter.

Not much information about these adapters has been released, by MFC or otherwise.

Adapters for the S4 and S5 have been announced as "upcoming".

Usage for Research

While the adapters are marketed for their ability to "restore" devices, the signed firmware required to do so is not readily available. However, the adapter does allow exploitation of the S1, S2, and S3 Watches using checkm8.

"Pwning" the watch and dumping the bootrom

Entering DFU

Once you've connected your Apple Watch via a standard USB Lightning cable and the iBUS adapter:

  1. Hold the crown and power button down.
  2. Immediately after the screen goes black, count to 3.
  3. After 3 seconds, release the power button, but continue to hold the crown.

Finder should now show an "Apple Watch" in DFU mode, and will allow you to install signed firmware if you have any.

Exploiting with ipwndfu

Reliability of checkm8 on the watch can vary.

After cloning [1], `cd` into the directory and run `./ipwndfu -p`.

If the exploit fails, you may need to run it again. It can take anywhere from one to several hundred attempts.

From here, you can run `./ipwndfu --dump-rom` to dump the SecureROM. More information is available in the ipwndfu readme and on the ipwndfu page.

Do note the `--boot` flag currently only works for the iPhone X.

You can use `./ipwndfu --hex-dump=0x0,0x10000000000` to crash out of DFU and force a reboot.

Tips for usage

  • As the metal rod that ships with the adapter often fits loosely, consider using rubber bands to firmly press the adapter into the port.
    • A hairband is exceptional at this, and perfectly fits into the top of the watch.