to be straight: have not managed yet to unlock a pin locked ipad 3 and ipad 4 and/or recover the data.
it is easy to just overwrite the ipad with the latest firmware via itunes.
but i want to backup and extract all possible files before that.
if you want to jailbreak your Apple device, basically there are a lot of tools and you need to find the one that suits your hardware and firmware model.
comprehensive overview: https://www.reddit.com/r/jailbreak/wiki/escapeplan/guides/jailbreakcharts
have an older ipad 3 to wich the PIN was lost (no it is not stolen, it’s from a relative who forgot it and also can not remember his itunes password (alzheimer is very comon these days)). (Model: A1430 iPad 3, Early 2012, +Wi-Fi + Cellular, 30-pin connecto) but latest redsn0w (redsn0w_win_0.9.15b2.zip) says „iPad 3 is not supported“ (probably it has a newer iOS installed than 5.1.1… yes it has the latest iPad3,3_9.3.5_13G36_Restore.ipsw installed)
this site helps you find and download newer and older firmwares for your device: (GOOD JOB! 🙂
http://www.getios.com/ here you also can get a lot of firmware versions for your iDevice.
also interesting: https://nerdpol.ch/tags/jailbreak
- pull an (encrypted) backup from the device
- not possible via itunes with PIN locked ipad
- most approaches use some exploit to load their own ramdisk and get access to the device
- via brute force, find the decryption PIN
- extract the data
- reset the device
…. not so easy.
Eclomsoft Forensic Toolkit claims to be able to unlock PIN locked iDevices: https://www.elcomsoft.com/eift.html
it exists in different versions… let’s see what it can do.
„Imagine a computer which is protected with an OS level password – we can still access the hard disk data by booting a live CD, or by removing the hard disk and connecting it to another machine. When we compare computers to the iPhone, it is an embedded device. So it is not easy to take out the chips (hard disk) and dump data into it. To perform iPhone forensics, we use the Live CD approach. As the iPhone has only one serial port, we are going to load custom OS over the USB to access the hard disk of the device. The problem here is: the iPhone only loads firmware designed by Apple.
In order to create and load the forensic toolkit, first we need to understand iPhone functions at the operating system level. iOS (previously known as iPhone OS) is the operating system that runs on all Apple devices like iPhone, iPod, Apple TV and iPad. iOS is a zip file (ships with .ipsw extension) that contains boot loaders, kernel, system software, shared libraries & built in applications.
When an iPhone boots up, it walks through a chain of trust, which is a series of RSA signature checks among the software components in a specific order as shown below:
The BootRom is Read-only memory (ROM) and it is the first stage of booting an iOS device. BootRom contains all the root certificates to signature check the next stage.
iPhone operates in 3 modes – Normal Mode, Recovery Mode, DFU mode
In Normal mode, BootRom start off some initialization stuff and loads the low level boot loader (LLB) by verifying its signature. LLB signature checks and loads the stage 2 boot loader (iBoot). iBoot signature checks the kernel and device tree, while the kernel signature checks all the user applications.
In DFU mode, iPhone follows the boot sequence with a series of signature checks as shown below. BootRom signature checks the second level boot loaders (iBSS, iBEC). Boot loader signature checks the kernel, and the kernel signature checks the Ramdisk.
During iOS update, the Ramdisk gets loaded into RAM and it loads all the other OS components.
In Forensics, we will create a custom Ramdisk with our complete forensic tool kit and load it into the iPhone’s volatile memory.
Signature checks implemented at various stages in the boot sequence do not allow us to load our custom Ramdisk. To load our custom Ramdisk, we have to bypass all these signature checks. In the chain of trust boot sequence, if we compromise one link, we can fully control all the links that follow. The hacker community has found several vulnerabilities in BootRom. By using these, we can flash our own boot loader and patch all other signature checks in all the subsequent stages. Apart from signature checks, every stage is also encrypted. These encryption keys can be grabbed from JailBreaking tools.“
another lengthy writeup: https://blog.elcomsoft.com/2017/11/the-art-of-ios-and-icloud-forensics/
unlocking iDevices: how ex-empoyees make business
„Cellebrite, through means currently unknown, provides these services at $5,000 per device,“
Mysterious $15,000 ‚GrayKey‘ Promises To Unlock iPhone X For The Feds
- AXIOM has the most advanced parsing and carving techniques which finds more evidence than any other tool, including 25% more pictures.
- Get more detailed information about what someone was doing at any given time and where, with artifacts like KnowledgeC, iOS Wallet, geolocation data, Screen Time, and more.
- Analyze the full file system (including iTunes backup-style images) and decrypted Keychain from iOS devices and find evidence that other tools miss.
- Memory images could contain valuable evidence like messages, call logs, and email. AXIOM natively supports the analysis of memory from GrayKey images without the need to install third-party conversions or plugins.
- iOS images contain a lot of native files and raw data. Use AXIOM to cut through the noise of data and save time during your investigations by quickly surfacing only relevant evidence rather than unactionable data.
- Discover new artifacts with Dynamic App Finder to automatically scan your file system and memory images for relevant chat, browser, geolocation, and identifier data.
- AXIOM is a complete digital investigation platform that gives you the power to analyze evidence from GrayKey images alongside data from other computer, cloud, social media, and mobile evidentiary sources.
„can take up to three days or longer to (crack) for six-digit passcodes“ … and recover the data of the iDevice.
be careful! a JailBroken device that get’s attacked from within a LAN with default ssh password would be not a good idea.
just one reason to jailbreak: you can have a firewall! http://r-rill.net/FirewalliP7/FiPDepiction.html
that blocks outgoing connections.
Posted by Rajesh Pandey on Apr 30, 2019
the hardware hack: How to unlock iCloud locked Apple iPad 2, 3, 4, iPad Air and Air 2, iPad mini 1, 2, 3, 4, iPad 12.9 and 9.7 – WARNING!
This method works ONLY on iPads with 3G/4G/LTE and removes cellular from your iPad.
it will become wifi-only! (no 3G/4G/LTE no more!)
„This method will help you bypass iCloud on locked iPads.
This manual will help you with iCloud bypass on your iPad Cellular.
- After bypass iCloud you will have iPad Wi-Fi Only.
- Sim-slot (GSM, Mobile, SimCard) will not work.
- GPS and Bluetooth will work.
At this moment it works with Apple iPad 2, iPad 3, iPad 4, iPad Air, iPad mini, iPad mini 2, iPad Air 2, iPad mini 3, iPad mini 4, iPad Pro 12.9, iPad Pro 9.7 which is locked by service iCloud. Include locked through “Lost and erased” mode.
- On the iPad 2 3G Model A1396 (GSM) remove the resistor r1205. On the Model iPad 2 3G A1397 (CDMA) move resistor r1205 to position r1204.
- iPad 2 3G will enter DFU mode.
- Connect the iPad 2 3G to your PC or Mac.
- After that you need to restore the iPad 2 3G through iTunes with firmware of Wi-Fi ONLY model and activate using the official method.
- Turn off the automatic firmware update: Settings \ iTunes Store, App Store \ Automatic download \ Updates.
You can support this project through donations. „PayPal block my account with all money because I’m from Ukraine. “
After this you will can install any apps on your iCloud free iPad, make jailbreak, assign your own Apple ID account and do any other things.
Apple devices (for example iPads) have some part on logic board which called Board_id. Board_id is responsible for how device identifies itself. For iPad there are several possible configurations: Apple TV, Apple iPhone, Apple iPad Cellular, Apple iPad WiFi only.
When Apple’s iCloud servers bloсked iPads they do this in 2 ways:
- iPad WiFi only will be blocked by it serial number.
- iPad Cellular will be blocked by it serial number and IMEI.
To bypass iCloud on iPads Cellular you need disable it modem chip and change Board_id.
If you just only disable modem you will get error and not working device. Sometimes this happens when modem or cable modem is broken even on iPads which isn’t blocked in iCloud. My method can revive such devices.
When you disabled modem chip and changed Board_id device will stop work properly. Something inside will say: “Hey man, something wrong! My hardware is like for WiFi only model, but you use firmware for Cellular model. I go in DFU-mode and you should go in iTunes and restore me”.
When you connect your iPad to BigBrother OS will install driver for it.
At finish you will have iCloud unlocked iPad WiFi only. Now It can be registered on your own Apple ID through new clean serial number. Voila!
If you have some problem with recovering check USB cable and restore iPad manualy from file with firmware. You can download firmware from ipsw.me. Remember that now you have iPad WiFi only hardware and you should download WiFi only firmware. For example, if you have iCloud locked iPad Air Cellular A1475 you should download firmware for iPad Air WiFi only A1474.
And Yes. At any moment you can covert your iCloud freу iPad WiFi only with hardware method back to iPad Cellular. But iCloud blocking will back too.
Be careful and good luck!“
Here you can read manual to bypass iCloud on model of your iPad:
- bypass iCloud on iPad 2 A1396, A1397 and A1395,
- bypass iCloud on iPad 3 A1403, A1430 and A1416
- bypass iCloud on iPad 4 A1458, A1460 and A1458,
- bypass iCloud on iPad Air A1475 and A1474,
- bypass iCloud on iPad mini A1454, A1455 and A1432,
- bypass iCloud on iPad mini 2 A1490 and A1459,
- bypass iCloud on iPad Air 2 A1567 and A1566,
- bypass iCloud on iPad mini 3 A1600 and A1599,
- bypass iCloud on iPad mini 4 A1550 and A1538,
- bypass iCloud on Pro 12.9 A1652 and A1584,
- bypass iCloud on Pro 9.7 A1674 and A1673.
If you are looking for a way to unlock the iCloud on iPad Wi-Fi Only, iPhone or iPod, then read this article: How to bypass iCloud on iPad WiFi, iPad Cellular, iPhone and iPod
unlock: A1430 (GSM) and A1403 (CDMA)
… respect! this border_id change thing needs further investiagion.
how to open the thing:
all sort of weird things happening:
Hi can someone help me with ipad mini A1454 I have removed the resistor R1204 as stated in the instructions I need to now make a jumper on R1205 because itunes detects my ipad as a apple tv so a jumper going from R1205 but unsure where the other end of the jumper goes please help me I would be really grateful
„use good pencil (graphite) to make short (jumper) in R1205“
redsn0w is ooooold:
- jailbreak the device
- ssh into it (https://github.com/rcg4u/iphonessh)
- brute force the PIN (of course only works with weak PINs (4x digits))
- recover the data
problem: this probably only works with on older versions of the iPad / iPhone supported by Redsn0w and iOS 5.1 is rather old, most devices will have a newer version of iOS installed by now.
how to get into DFU (recovery) mode:
- hold power button pressed for 3 seconds
- now keep power button pressed while also holding home button pressed
- after a few seconds screen goes dark, now RELEASE POWER BUTTON but still keep home button pressed
… screen should stay dark and PC you connect do should detect an iPad in DFU mode.
Stuck in DFU mode – How to Exit DFU Mode:
Press Home and Power/ Sleep buttons at the same time for 10s > Release the Home and Power/ Sleep buttons together.
iOS 9.2 – 9.3.3 64-bit devices only
iphone 5s iphone 6 iphone 6 plus iphone 6s iphone 6s plus iphone se ipod touch 6g ipad mini 2 ipad mini 3 ipad mini 4 ipad air ipad air 2 ipad pro
will need your apple id and password.
for iOS 6.x – iOS 7.0.x
… this can not be used to unlock an iPad. Your iPad/iPhone will have to be unlocked (PIN) before jailbreaking.
evasi0n is an unconventional utility able to perform jailbreak operations on devices running iOS 6 and 7.
A consequence of the procedure is the removal of several limitations imposed by Apple, allowing users to install software that is not approved by the company and switch phone carriers seamlessly.
evasi0n became a success just days after its first release.
Supposedly, a few million copies have been downloaded in a very short period, which is not necessarily an indication of its efficiency, but sure says a lot. Statistics aside, the general opinion (as stated by most users on the Internet) is that evasi0n is a trustworthy jailbreak application, one that has to offer everything and asks for nothing in return.
evasi0n is special because it can perform an untethered jailbreak operation, which translates into the fact that the iOS device will be able to reboot without requiring a connection with an external device.
The principle it relies on involves a number of complicated steps, most of which are related to exploiting several vulnerabilities that were overlooked by Apple. However, the process is completed silently, without user intervention.
This is the main reason why evasi0n is considered one of the most easy-to-use and accessible applications of its type. It’s not pretentious as far as OS requirements are concerned, nor does it require advanced configurations.
In order for the jailbreak operation to be successful, you need to equip your system with iTunes and connect your iPhone, iPad or iPod to the computer via a USB cable.
It is also recommended that you backup the device in case something goes wrong.
Once you’ve completed these steps, you can proceed with the jailbreak operation, which, if free of errors, shouldn’t take more than five minutes. However, if the process fails, simply reboot the device and relaunch evasi0n.
On an ending note, this is a well-built jailbreak software, easy to use and user-friendly. Nevertheless, a backup operation is vital in case anything goes wrong.
jailbreak works only on 32-bit devices, which includes :
- iPhone 4S, 5C and 5
- iPad 2, 3, 4
- iPad Mini 1
- iPod Touch 5
Truly, jailbreaking should have stopped during the iOS 9 era, if not before; there is a reason essentially all of the reasonable developers left long ago and the community is largely now run by bullies. Everything that we do now just digs jailbreaking a deeper hole, full of fail.
— Jay Freeman (saurik) (@saurik) April 19, 2019
for older devices and firmwares (iOS 5.1.X)
„RedSn0w actually evolved from the Jailbreaking tool Quickpwn, which was an early Jailbreaking tool used to Jailbreak the 2nd generation of iOS. Nowadays RedSn0w can be used to Jailbreak a lot of versions of iPhone, iPod Touch and iPad.“ … but not all, iPad 4 seems not supported.
RedSn0w iPhone Support:
iPhone 6s Plus: Not Supported
iPhone 6s: Not Supported
iPhone 6 Plus: Not Supported
iPhone 6: Not Supported
iPhone 5s: Not Supported
iPhone 5c: Not Supported
iPhone 5: Not Supported
iPhone 4S: iOS 5 (iOS 5.1.1, iOS 5.0.1, iOS 5.0)
iPhone 4: iOS 6 (iOS 6.0,6.0.1) + iOS 5 (iOS 5.1.1, iOS 5.1, iOS 5.0.1, iOS 5.0) + iOS 4 (4.3.5, 4.3.4, 4.3.3, 4.3.2, 4.3.1, 4.3, 4.2.6, 4.2.1, 4.1, 4.0.2, 4.0.1, 4.0) + iOS 3 (iOS 3.1.3)
iPhone 3GS: iOS 6 (iOS 6.0, 6.0.1) + iOS 5 (iOS 5.1.1, iOS 5.1, iOS 5.0.1, iOS 5.0) + iOS 4 (4.3.5, 4.3.4, 4.3.3, 4.3.2, 4.3.1, 4.3, 4.2.6, 4.2.1, 4.1, 4.0.2, 4.0.1, 4.0) + iOS 3 (3.1.3)
iPhone 3G: iOS 4 (4.3.4, 4.2.1, 4.1, 4.0.2, 4.0.1, 4.0) + iOS 3 (3.1.3)
RedSn0w iPad Support:
iPad Pro: Not Supported
iPad Air 2: Not Supported
iPad Air: Not Supported
iPad Mini 4: Not Supported
iPad Mini 3: Not Supported
iPad Mini 2: Not Supported
iPad Mini: Not Supported
iPad 4: Not Supported <- argh!
iPad 3: iOS 5 (iOS 5.1.1) <- RedSn0w told me „Ipad 3 is not supported“, probably it has a newer iOS installed than 5.1.1)
iPad 2: iOS 5 (iOS 5.1.1, 5.0.1)
iPad 1: iOS 5 (iOS 5.1.1, iOS 5.1, iOS 5.0.1, iOS 5.0) + iOS 4 (iOS 4.3.5, 4.3.4, 4.3.3, 4.3.2, 4.3.1, 4.3, 4.2.1) + iOS 3 (iOS 3.2.2)
Method 2: Get Out of DFU Mode on iPhone/iPad/iPod touch with PhoneRescue
Click here to download PhoneRescue free version!
Step 1: Launch PhoneRescue on your computer > Connect your iOS device to your computer with a USB cable > Wait for PhoneRescue to recognize your iOS device.
Step 2: Click on „Exit Ramdisk Mode“ at the bottom of the Homepage.