Only use this on devices you own or when you have permission to use it.
This project is made for educational purposes ONLY and is NOT made to break laws and/or
for personal gain. Everything is provided as-is and has no warranty, so if you break any of your devices.
The exploit was originally developed and discovered by ECTO-1A. I ported it to the ESP32 and to the RPi (and any device that can run Python). The scripts are meant for the ESP32, as the ESP8266 doesn't have BLE. The exploit causes the device to crash (works fastest while it is locked on the home screen).
This script was tested with, and at the time of writing works on, the following:
ESP32-S3:
• iPhone 14 Pro - iOS 17.2 (21C5029g)
• iPhone 14 Pro - iOS 17.1 (21B506 & 21B74)
ESP-WROOM-32:
• iPhone 12 Pro - iOS 17.0 (21A329)
RPi 4:
• iPhone XS - iOS 17.0 (21A329)
• iPhone 12 Pro - iOS 17.1 Beta 2
• iPhone 11 Pro - iOS 17.1.2 (21B101)
RPi Pico W:
• iPhone 13 Pro - iOS 17.2.1 (21C66) "Patched"
• iPhone 13 - iOS 17.0.3 (21A360)
• iPhone 12 - iOS 17.0 (21A329)
• iPhone 12 - iOS 17.0.1 (21A340)
• iPhone 11 - iOS 17.0 (21A326)
The iPhone starts to freeze after a few seconds of being spammed with BLE pairing requests. After a seemingly random amount of time the iPhone turns completely black, and you can then force restart it (Volume Up, Volume Down, hold the power button), or, alternatively, wait for it to restart by itself. While testing (on an ESP32-S3), it reaches a stable temperature of ~57 °C, so heat shouldn't be a concern. Some Pi models are reported to get a little hotter than that; however, it still should not be an issue.
@ECTO-1A: Found the exploit
@WillyJL: Ported the exploit to Flipper Zero
@Amachik: Helped make the RPi script
@N1-TR0: Made the MicroPython script
@FLOCK4H: Made the CircuitPython script
If you get a compilation error saying that esp_fill_random was not declared, there is an easy fix. esp_fill_random is a hardware random number generation function available on most ESP32s. There are two fixes for it. Firstly, you can try choosing another ESP32 board, compile for it and hope that it works, or you can add these lines of code:
// Fallback for boards whose core does not expose esp_fill_random().
// Note: Arduino random() is a pseudo-random generator, not the hardware RNG,
// so this stand-in is only suitable where unpredictable bytes are not required.
void esp_fill_random(uint8_t* buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        buf[i] = (uint8_t)random(0, 256); // one byte per slot, 0..255
    }
}
I spilled coffee all over a lot of electronics while writing this :(
My Discord if you need help: rapierxbox
or open an issue