iBUS

From The Apple Wiki

The iBUS adapter (iBUS S1 / iBUS S2 / iBUS S4/5) is a smaller dongle that utilizes a diagnostic port hidden behind a small plate in the slot into which the watch strap would normally slide. iBUS X is a box with wireless transfer support. Developed, manufactured and sold by MFC TEAM, these adapters allow the Apple Watch to appear in the Finder the same way as other Apple devices when plugged into a Mac via Lightning to USB. It is also recognized by libimobiledevice, Xcode and Console.app, but does not show logs in the latter.

iBUS S1 supports: Apple Watch (1st generation) and Apple Watch Series 1

iBUS S2 supports: Apple Watch Series 2 and Apple Watch Series 3

iBUS S4/5 supports: Apple Watch Series 4, Apple Watch Series 5, Apple Watch SE, Apple Watch SE 2 and Apple Watch Series 6

iBUS X supports: Apple Watch Series 7, Apple Watch Series 8, Apple Watch Series 9, Apple Watch Ultra and Apple Watch Ultra 2

Usage for Research

While the adapters are marketed for their ability to "restore" devices, the signed firmware required to do so is not readily available. However, the adapter does allow exploitation of any watches with an S3 or lower SIP using checkm8.

"Pwning" the watch and dumping the bootrom

Entering DFU

Once you've connected your Apple Watch via a standard USB Lightning cable and the iBUS adapter:

  1. Hold the crown and power button down.
  2. Immediately after the screen goes black, count to 3.
  3. After 3 seconds, release the power button, but continue to hold the crown.

Finder should now show an "Apple Watch" in DFU mode, and will allow you to install signed firmware if you have any.

Exploiting with ipwndfu

Reliability of checkm8 on the watch can vary.

After cloning https://github.com/axi0mX/ipwndfu, cd into the directory and run ./ipwndfu -p

If the exploit fails, you may need to run it again. It can take anywhere from one to several hundred attempts.

From here, you can run ./ipwndfu --dump-rom to dump the bootrom. More information is available in the ipwndfu readme and on the ipwndfu page.

Do note the --boot flag currently only works for the iPhone X.

You can use ./ipwndfu --hex-dump=0x0,0x10000000000 to crash out of DFU and force a reboot.

Tips for usage

  • As the metal rod that ships with the adapter often fits loosely, consider using rubber bands to firmly press the adapter into the port.
    • A hairband is exceptional at this, and perfectly fits into the top of the watch.