iBUS

From The iPhone Wiki
Revision as of 11:09, 12 July 2020 by Kritanta (talk | contribs) (Create iBUS page with what little information exists about these adapters)

The "iBUS" adapter is a small "dongle" that takes advantage of the diagnostics port hidden behind a small plate in the slot that the watch band normally slides into.

These adapters are sold by "MFC" and appear to be clones of Apple's own proprietary hardware. When plugged into a Mac via Lightning-to-USB, the Apple Watch appears in Finder in the same way that other Apple devices do when plugged in. It is also recognized by libimobiledevice, Xcode, and Apple's Console.app, although no logs are displayed in the latter.

Not much information about these adapters has been released, by MFC or otherwise.

Usage for Research

While the adapters are marketed for their ability to "restore" devices, the signed firmware required to do so is not readily available. However, the adapter does allow exploitation of the S1, S2, and S3 Watches using checkm8.

"Pwning" the watch and dumping the bootrom

Entering DFU

Once you've connected your Apple Watch via a standard USB Lightning cable and the iBUS adapter:

  1. Hold the crown and power button down
  2. Immediately after the screen goes black, count to 3
  3. After 3 seconds, release the power button, but continue to hold the crown.

Finder should now show an "Apple Watch" in DFU mode, and will allow you to install signed firmware if you have any.

Exploiting with ipwndfu

Reliability of checkm8 on the watch can vary.

After cloning [1], `cd` into the directory and run `./ipwndfu -p`

If the exploit fails, you may need to run it again. It can take anywhere from one to several hundred attempts.

From here, you can run `./ipwndfu --dump-rom` to dump the SecureROM. More information is available in the ipwndfu readme and on the ipwndfu page.

Note that the `--boot` flag currently works only for the iPhone X.

You can use `./ipwndfu --hex-dump=0x0,0x10000000000` to crash out of DFU and force a reboot.

Tips for usage

  • As the metal rod that ships with the adapter often fits loosely, consider using rubber bands to firmly press the adapter into the port.
    • A hairband is exceptional at this, and perfectly fits into the top of the watch.