Full Untethered iCloud Bypass iOS 13 – 13.4.1 Checkra1n Devices -->

Full Untethered iCloud Bypass iOS 13 – 13.4.1 Checkra1n Devices

AVA Studio
12 June 2020 || Hits

A new Full Free Untethered iCloud Bypass for iOS 13 up 13.4.1 checkra1n devices. Also, it may work on the latest iOS beta version. iOS 13.4.5. All icloud services working, cellular no, but it is untethered, it is by far the best method for free icloud bypass at this time. Its not the most simple method, you will need some skills to do it but if you want to do it you should try. Follow these steps and you will succeed. First let me thanks all the work and effort dedicated to giving us Untethered icloud bypass solution all thanks to @exploit3dguy

Icloud services working
  • notification
  • untethered
  • facetime
  • carrier not working
Method I will present you today is spoofing device activation status to activated and FactoryActivated. In order to do this we will be patching mobileactivationd binary and precisely we will change 2 Unactivated references to Activated and second FactoryActivated. So when program see that our device isnt activated it will activate Unactivated reference which we changed to Activated so device will think it’s Activated and it will make us able to finish setup without any problems.

– Some knowledge in assemblers and disassemblers.
– Disassembler you can use Hopper v4 IDA or free soft like Radare2
– checkra1n compatible device.
– python ssh iCloud Bypass Package download here (we will need tcprelay).

First Jailbreak your device using checkra1n open new terminal window and cd SSH folder inside iOS 13.3.1 iCloud Bypass package and type using terminal:

./tcprelay.py 44:2222

Now open another window and type:
scp -P 2222 root@localhost:/usr/libexec/mobileactivationd /path/to/folder/on/mac
Open binary in a disassembler and look for Unactivated or Activated or FactoryActivated string. You should see this:

Follow this steps:
Full Untethered iCloud Bypass
  • Jump into it’s reference and write down “Activated” reference address. In my case it’s 0xb68.
Full Untethered iCloud Bypass

  • Now jump to “unactivated” reference and assemble it with “Activated” reference address.
Full Untethered iCloud Bypass

  • If you did correctly “Unactivated” will change into “Activated” reference.
Full Untethered iCloud Bypass

  • now jump to “FactoryActivated” reference and write down it’s address. 0xb70 in my case.

Full Untethered iCloud Bypass

  • Now jump to next and last “Unactivated” reference we are interested in and assemble it with “FactoryActivated” address.
Full Untethered iCloud Bypass

  • If you did correctly “Unactivated” will change to “FactoryActivated” address.

Full Untethered iCloud Bypass

  • That’s about it. Now you can save patched binary. Now we need to add patched binary to /usr/libexec. To do this first rename original binary to some random name and mount disk as rw.
  • mount -o rw,union,update /
  • now change original binary name.
  • mv /usr/libexec/mobileactivationd /usr/libexec/shit
  • Now add patched binary to /usr/libexec
  • scp -P 2222 path/to/mobileactivationd_patched root@localhost:/usr/libexec
  • Change it’s name to mobileactivationd
  • mv /usr/libexec/mobileactivationd_patched /usr/libexec/mobileactivationd
  • Change permission.
  • chmod +x /usr/libexec/mobileactivationd
  • Now we need to reload mobileactivationd LaunchDeamon.
  • launchctl unload /System/Library/LaunchDaemons/com.apple.mobileactivationd.plist
  • launchctl load /System/Library/LaunchDaemons/com.apple.mobileactivationd.plist
  • Done your device should be now fake activated. congratulations if you managed to finish this guide.