r0bf0rdsn0w The universal iCloud Activation Lock Bypasser is finallyhere.

- December 20, 2014

Yes. After the change.org petition reached so many petitioners. How could I NOT release this?

Thieves worldwide unite!

The universal iCloud Activation Lock Bypasser is finally here.

Download Now (v1.2)

SHA1(r0bf0rdsn0w-v1.2.zip) = 5b8bcf45e0194816107e72786cacdebc6f5805ac
(Credits to Gadgetwide's Varo & his 250k employees for research)

How do you get the zip password you're asking? Easy... (no survey bullshit)
Encrypt the string "r0bf0rdsn0w-r0bf0rdsn0w-r0bf0rdsn0w-r0bf0rdsn0w!!" with the s5l8920x AES GID key.
You know you got this right when the IV is... E6A9B03D9670523CFA8849A23A28722E
This part was posted on twitter...
Decrypt the outputted IV+Key from the s5l8920x with the s5l8930x AES GID key.
You know you got this right when the KEY is... 027132EF9D79AE6CD38E1E2CD3ED9080860EF53ED1CBA6D8395BDBCF541C1E2B
Finally, encrypt the outputted IV+Key from the s5l8930x with the s5l8940x AES GID key.
You know you got this right when the IV starts with F8A555D2 and the KEY starts with F4DFD3CB.
The password is the final IV+Key from above, 32-bit endian byte flipped.
Enjoy! :) * Password will be posted publicly (without the effort from above) when this method is patched.

Here are the SHA1 hashes of the extracted files...

iH8sn0ws-MacBook-Pro:r0bf0rdsn0w-v1.2 iH8sn0w$ ls -ltr
total 4296
-rwxr-xr-x@ 1 iH8sn0w staff 895 Mar 31 14:41 iPhoneDeviceCA_private.pem
-rwxr-xr-x@ 1 iH8sn0w staff 148512 Mar 31 14:45 proxy
-rwxr-xr-x@ 1 iH8sn0w staff 3990 Mar 31 14:46 iPhoneDeviceCA.pem
-rwxr-xr-x@ 1 iH8sn0w staff 3960 Mar 31 14:47 iPhoneActivation.pem
-rwxr-xr-x@ 1 iH8sn0w staff 932256 Mar 31 17:27 proxy.exe
-rwxr-xr-x@ 1 iH8sn0w staff 891 Apr 1 13:25 iPhoneActivation_private.pem
-rwxr-xr-x@ 1 iH8sn0w staff 21 Apr 1 14:11 README
-rw-r--r-- 1 iH8sn0w staff 1091905 Apr 3 16:38 r0bf0rdsn0w-v1.2.zip
iH8sn0ws-MacBook-Pro:r0bf0rdsn0w-v1.2 iH8sn0w$ openssl sha1 *
SHA1(README)= bfa093102ae4f219d92926d3e6f8916e4189734c
SHA1(iPhoneActivation.pem)= 925708392f87e5fc9a190e42f5d040fef7715fa1
SHA1(iPhoneActivation_private.pem)= ff809fe295db90ea9f9c44d36441b322739fa238
SHA1(iPhoneDeviceCA.pem)= 720e6e57e9a1db9c3b460118e6a923025913098d
SHA1(iPhoneDeviceCA_private.pem)= 5dafe717f05a1ea7a5ebd5266b281470d0e38b1a
SHA1(proxy)= 9264762e7c30da767161a1f12d475e9ecf3ca15d
SHA1(proxy.exe)= cdeb405308b2e443e951a8ab9bbaef469cc0c6cb
SHA1(r0bf0rdsn0w-v1.2.zip)= 5b8bcf45e0194816107e72786cacdebc6f5805ac

I decided to post these after people started redistributing fake "decrypted" zips. (*cough* gadgetwide *cough*)

Sample AES payload code to run in iBoot on s5l89xx

typedef int (*aes_crypto_cmd_t)(unsigned int op, void* src, void* dst, int size, unsigned int hwKey, void* iv, void* key);

int main() {

aes_crypto_cmd_t mahAESThing = (aes_crypto_cmd_t) 0x0; // Set hardcoded aes_hw_crypto_cmd offset here...
memcpy((void*) someAddy, (void*) KBAGloc, 0x30); // Copy the KBAG to someAddy...
mahAESThing(0x11,(void*) someAddy,(void*)someAddy,0x30,0x20000200,0,0); // (0x10 == ENCRYPT & 0x11 == DECRYPT)
// Hexdump the area of someAddy to grab the result :)

return 0;

Sample code to 32-bit endian byte flip

uint32_t key[] = {
0xF8A555D2, 0x00000000, 0x00000000, 0x00000000,
0xF4DFD3CB, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,

int main() {

int i;
for(i = 0; i < (sizeof(key)/sizeof(uint32_t)); i++) {
printf("%08X", __builtin_bswap32(key[i]));

return 0;}




Start typing and press Enter to search