A new full, free, untethered iCloud bypass for checkra1n devices on iOS 13 up to 13.4.1. It may also work on the latest iOS beta version, iOS 13.4.5. All iCloud services work; cellular does not. But it is untethered, and it is by far the best method for a free iCloud bypass at this time. It's not the simplest method and you will need some skills to do it, but if you want to do it you should try. Follow these steps and you will succeed. First, let me give thanks for all the work and effort dedicated to giving us an untethered iCloud bypass solution, all thanks to @exploit3dguy
- iCloud services working
- Notifications
- Untethered
- FaceTime
- Carrier not working
Introduction
The method I will present today spoofs the device activation status as Activated and FactoryActivated. To do this we will patch the mobileactivationd binary: specifically, we will change two Unactivated references, the first to Activated and the second to FactoryActivated. So when the program sees that our device isn't activated, it will use the Unactivated reference that we changed to Activated, the device will think it's Activated, and we will be able to finish setup without any problems.
Requirements:
– Some knowledge of assemblers and disassemblers.
– A disassembler: you can use Hopper v4, IDA, or free software like Radare2.
– checkra1n compatible device.
– python ssh iCloud Bypass Package download here (we will need tcprelay).
Patching mobileactivationd:
First, jailbreak your device using checkra1n. Open a new terminal window, cd into the SSH folder inside the iOS 13.3.1 iCloud Bypass package, and type in the terminal:
./tcprelay.py 44:2222
Now open another window and type:
scp -P 2222 root@localhost:/usr/libexec/mobileactivationd /path/to/folder/on/mac
Open the binary in a disassembler and look for the Unactivated, Activated or FactoryActivated string. You should see this:
Follow these steps:
Jump to its reference and write down the “Activated” reference address. In my case it’s 0xb68.
Now jump to the “Unactivated” reference and assemble it with the “Activated” reference address.
If you did it correctly, “Unactivated” will change into the “Activated” reference.
Now jump to the “FactoryActivated” reference and write down its address. 0xb70 in my case.
Now jump to the next and last “Unactivated” reference we are interested in and assemble it with the “FactoryActivated” address.
If you did it correctly, “Unactivated” will change to the “FactoryActivated” address.
That’s about it. Now you can save the patched binary. Next we need to add the patched binary to /usr/libexec. To do this, first mount the disk as rw and rename the original binary to some random name.
mount -o rw,union,update /
Now change the original binary's name.
mv /usr/libexec/mobileactivationd /usr/libexec/shit
Now add the patched binary to /usr/libexec
scp -P 2222 path/to/mobileactivationd_patched root@localhost:/usr/libexec
Change its name to mobileactivationd
mv /usr/libexec/mobileactivationd_patched /usr/libexec/mobileactivationd
Change the permissions.
chmod +x /usr/libexec/mobileactivationd
Now we need to reload the mobileactivationd LaunchDaemon.
launchctl unload /System/Library/LaunchDaemons/com.apple.mobileactivationd.plist
launchctl load /System/Library/LaunchDaemons/com.apple.mobileactivationd.plist
Done. Your device should now be fake activated. Congratulations if you managed to finish this guide.
Here is the original exploit3dguy guide; follow this video if you have trouble using this tutorial:
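From the examiner's side, the rename-and-replace steps above leave a recognisable trace: the file at the daemon's path no longer matches the stock build, and the stock binary is still present in the same folder under another name. The following is an added example, not part of the original guide or of the bypass package, that compares a file-hash listing against a baseline from a trusted image of the same iOS build. The function name, the otherd and renamed_copy paths, and the sample data are all constructed for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_system_binaries(baseline, observed):
    """Compare {path: sha256} maps and return (finding, path, detail) tuples.

    baseline: hashes taken from a trusted image of the same iOS build.
    observed: hashes collected from the device under examination.
    """
    findings = []
    # Reverse index so stock content found under a new name can be traced back.
    known_hashes = {}
    for path, digest in baseline.items():
        known_hashes.setdefault(digest, path)
    # Pass 1: every baseline path must exist and still carry its stock content.
    for path, expected in sorted(baseline.items()):
        actual = observed.get(path)
        if actual is None:
            findings.append(("missing", path, "baseline file absent"))
        elif actual != expected:
            findings.append(("replaced", path, "hash differs from baseline"))
    # Pass 2: extra files; a stock hash under a new name is a moved-aside original.
    for path, digest in sorted(observed.items()):
        if path in baseline:
            continue
        origin = known_hashes.get(digest)
        if origin:
            findings.append(("moved-original", path, "same content as " + origin))
        else:
            findings.append(("unknown", path, "not in baseline"))
    return findings

# Constructed sample data: short byte strings stand in for real binaries.
ORIGINAL = b"constructed stand-in for the stock mobileactivationd"
MODIFIED = b"constructed stand-in for a modified mobileactivationd"
OTHER = b"constructed stand-in for another stock daemon"

BASELINE = {
    "/usr/libexec/mobileactivationd": sha256(ORIGINAL),
    "/usr/libexec/otherd": sha256(OTHER),  # hypothetical second daemon
}
OBSERVED = {
    "/usr/libexec/mobileactivationd": sha256(MODIFIED),
    "/usr/libexec/renamed_copy": sha256(ORIGINAL),  # hypothetical new name
    "/usr/libexec/otherd": sha256(OTHER),
}

if __name__ == "__main__":
    for finding in audit_system_binaries(BASELINE, OBSERVED):
        print(*finding, sep="\t")
```

A "replaced" finding on the daemon together with a "moved-original" finding in the same folder is the pairing this procedure produces; either one alone still warrants a closer look at the device.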