A hacked up idevicerestore wrapper, which allows specifying SEP and Baseband for restoring

teefixx/futurerestore

 
 


futurerestore

It is a hacked-up idevicerestore wrapper which allows manually specifying the SEP and baseband used for restoring.

The latest compiled version can be found here.

Only use this if you are sure of what you're doing.


Features

  • Supports the following downgrade methods:
    • Prometheus 64-bit devices (generator and ApNonce collision mode)
    • Odysseus for 32-bit & 64-bit (A7-A11) devices
    • Re-restoring 32-bit devices to iOS 9.x with alitek123's no-ApNonce method (alternative — idevicererestore).
  • Allows restoring to non-matching firmware with custom SEP+baseband

Dependencies

Report an issue

You can do it here.

Restoring on Windows 10

  1. Try to restore the device; error -8 occurs.
  2. Leave the device plugged in; it will stay on the Recovery screen.
  3. Open Device Manager (under Control Panel) in Windows.
  4. Locate "Apple Recovery (iBoot) USB Composite Device" (at the bottom).
  5. Right-click it and choose "Uninstall device". If a check box offering to delete the driver software as well is shown, tick it (all three Apple mobile device entries under USB devices will disappear).
  6. Unplug the device and plug it back in.
  7. Go back to futurerestore and run the restore command again (press the up arrow to recall it, then Enter). Error -8 is now fixed, but the process will fail again after the device's screen has turned green.
  8. Go back to Device Manager and repeat the driver uninstall (steps 4 to 6).
  9. Go back to futurerestore and run the restore again.
  10. The device will reboot and error -10 is also solved.
  11. The restore will now proceed and succeed.

A note about cURL

  • Linux: follow this guide to use tsschecker on Ubuntu 18.04 (Bionic). tsschecker requires libcurl3, which cannot coexist with libcurl4 on that release.

Help

(might become outdated):

Usage: futurerestore [OPTIONS] iPSW

  -t, --apticket PATH            Signing tickets used for restoring
  -u, --update                   Update instead of erase install (requires an appropriate APTicket).
                                 DO NOT use this parameter if you update from a jailbroken firmware!
  -w, --wait                     Keep rebooting until the ApNonce matches the APTicket (ApNonce collision, unreliable)
  -d, --debug                    Show all code; use it to save a log for debug testing
  -e, --exit-recovery            Exit recovery mode and quit
      --use-pwndfu               Restore with the Odysseus method. The device needs to be in pwned DFU mode already
      --just-boot "-v"           Tethered-boot the device from pwned DFU mode. You can optionally set boot-args
      --latest-sep               Use the latest signed SEP instead of manually specifying one (may cause a bad restore)
  -s, --sep PATH                 SEP to be flashed
  -m, --sep-manifest PATH        BuildManifest for requesting the SEP ticket
      --latest-baseband          Use the latest signed baseband instead of manually specifying one (may cause a bad restore)
  -b, --baseband PATH            Baseband to be flashed
  -p, --baseband-manifest PATH   BuildManifest for requesting the baseband ticket
      --no-baseband              Skip checks and don't flash the baseband.
                                 Only use this for devices without a baseband (e.g. iPod touch or some Wi-Fi only iPads)

0) What futurerestore can do

Downgrade, upgrade or re-restore to the same firmware version. Whenever you read "downgrade" below it means you can also upgrade, or re-restore if you're already on that version. Basically this allows restoring to a firmware version regardless of which firmware version is currently installed.


1) Prometheus (64-bit device) - generator method

Requirements

  • Jailbreak
  • signing ticket files (.shsh, .shsh2, .plist) with a generator
  • nonceEnabler patch enabled

Info

You can downgrade if the destination firmware version is compatible with the latest signed SEP and baseband, and if you have signing ticket files with a generator for that firmware version. The restore only succeeds if the ApNonce the device boots with matches the one the ticket was signed for, and the generator written to NVRAM is what determines that ApNonce.

How to use

  1. The device must be jailbroken and the nonceEnabler patch must be active.
  2. Open the signing ticket file and look up the generator.
     • It looks like this: <key>generator</key><string>0xde3318d224cf14a1</string>
  3. Write the generator to the device's NVRAM.
     • Connect to the device with SSH and run nvram com.apple.System.boot-nonce=0xde3318d224cf14a1 to set the generator 0xde3318d224cf14a1.
     • Verify it with nvram -p.
  4. Connect your device in normal mode to the computer.
  5. On the computer run futurerestore -t ticket.shsh --latest-baseband --latest-sep ios.ipsw
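The generator procedure above as one script. This is an added example, not code from futurerestore or its author. Assumptions not taken from the page: the device is reachable over SSH as root@<device-ip> with the jailbreak and nonceEnabler patch already active, and the script is named prometheus.sh; the ticket fragment and nvram -p output used by demo() are constructed.

```shell
#!/bin/sh
# Added example, not part of futurerestore: read the generator from the ticket,
# write it to the device's NVRAM over SSH, verify it with `nvram -p`, then restore.
# Assumption (not from the page): the device answers SSH as root@<device-ip>.
set -eu

# Extract the <string> following <key>generator</key> from a .shsh/.shsh2 plist.
# Newlines and tabs are stripped first so pretty-printed plists parse as well.
extract_generator() {   # $1 = ticket path
  tr -d '\n\r\t' < "$1" |
    sed -n 's/.*<key>generator<\/key>[[:space:]]*<string>\(0x[0-9a-fA-F]\{16\}\)<\/string>.*/\1/p'
}

# Succeed only if `nvram -p` output lists boot-nonce with exactly the expected value.
# A stale or mistyped generator here means the device boots with an ApNonce the
# ticket was not signed for, and the restore fails at the ticket check.
nvram_has_generator() {   # $1 = nvram -p output, $2 = expected generator
  printf '%s\n' "$1" | grep -q "^com\.apple\.System\.boot-nonce[[:space:]]*$2[[:space:]]*\$"
}

main() {   # usage: ./prometheus.sh ticket.shsh2 ios.ipsw root@<device-ip>
  ticket=$1; ipsw=$2; dev=$3
  gen=$(extract_generator "$ticket")
  [ -n "$gen" ] || { echo "$ticket has no generator; this method needs one" >&2; exit 1; }
  ssh "$dev" "nvram com.apple.System.boot-nonce=$gen"
  nvram_has_generator "$(ssh "$dev" nvram -p)" "$gen" ||
    { echo "generator $gen not visible in nvram -p; refusing to restore" >&2; exit 1; }
  futurerestore -t "$ticket" --latest-baseband --latest-sep "$ipsw"
}

# Offline self-check with a constructed ticket fragment (not a real ticket).
demo() {
  t=$(mktemp)
  printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' '<plist version="1.0">' '<dict>' \
    '<key>generator</key>' '<string>0xde3318d224cf14a1</string>' '</dict>' '</plist>' > "$t"
  gen=$(extract_generator "$t"); rm -f "$t"
  [ "$gen" = 0xde3318d224cf14a1 ] &&
    nvram_has_generator "$(printf 'boot-args\t\ncom.apple.System.boot-nonce\t%s\n' "$gen")" "$gen"
}

if [ $# -ge 3 ]; then main "$@"; else demo; fi
```

Run it with no arguments to exercise the offline check; with a ticket, IPSW and SSH target it performs the full sequence and refuses to call futurerestore if the generator is not echoed back by nvram -p.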

YouTube

  • Prometheus
  • Prometheus nonceEnabler

Recommended methods to activate nonceEnabler patch

Method 1: ios-kern-utils (iOS 7.x-10.x)

  1. Install the ios-kern-utils DEB file on the device;
  2. On the device run nvpatch com.apple.System.boot-nonce.

Method 2: Using special applications

Use one of these utilities to set the boot-nonce generator:

  1. PhœnixNonce for iOS 9.x;
  2. v0rtexnonce for iOS 10.x;
  3. Nonceset1112 for iOS 11.0-11.1.2;
  4. noncereboot1131UI for iOS 11.0-11.4b3;
  5. NonceReboot12xx for iOS 12.0-12.1.2;
  6. GeneratorAutoSetter for checkra1n jailbreak on iOS / iPadOS 13.x. Install it from Cydia's developer repo (https://halo-michael.github.io/repo/) on device.

Method 3: Using jailbreak tools

Use one of these jailbreak tools to set the boot-nonce generator:

  1. Meridian for iOS 10.x;
  2. backr00m or greeng0blin for tvOS 10.2-11.1;
  3. Electra and ElectraTV for iOS and tvOS 11.x;
  4. unc0ver for iOS 11.0-12.2, 12.4.x;
  5. Chimera and ChimeraTV for iOS 12.0-12.2, 12.4 and tvOS 12.0-12.2, 12.4.

Activate tfp0 if the jailbreak doesn't provide it

Method 1 (if jailbroken on iOS 9.2-9.3.x)

Method 2 (if jailbroken on iOS 8.0-8.1 with Pangu8)

Method 3 (if jailbroken on iOS 7.x with Pangu7)

Method 4


2) Prometheus (64-bit device) - ApNonce collision method (Recovery mode)

Requirements

  • Device with an A7 chip on iOS 9.1 - 10.2 or iOS 10.3 beta 1;
  • Jailbreak not required;
  • Signing ticket files (.shsh, .shsh2, .plist) with a custom chosen ApNonce;
  • The signing ticket files must carry one of the ApNonces which the device generates frequently;

Info

You can downgrade if the destination firmware version is compatible with the latest signed SEP and baseband. You also need special signing ticket files. If you don't know what this means, you probably can NOT use this method!

How to use

  1. Connect your device in normal or recovery mode;
  2. On the computer run futurerestore -w -t ticket.shsh --latest-baseband --latest-sep firmware.ipsw
     • If you have saved multiple signing tickets with different nonces, you can specify more than one to speed up the process: futurerestore -w -t t1.shsh -t t2.shsh -t t3.shsh -t t4.shsh --latest-baseband --latest-sep firmware.ipsw

3) Prometheus (64-bit device) - ApNonce collision method (DFU mode)

Requirements

  • Devices with A7 (iPhone 5s, iPad Air, iPad mini 2), A8 (iPhone 6 [+], iPad mini [2,3,4], iPod touch [6th generation]) and A8X (iPad Air 2) chips on all firmwares;
  • Devices manufactured after ~September 2015 (probably);
  • Jailbreak not required;
  • Signing ticket files (.shsh, .shsh2, .plist) with a custom chosen ApNonce;
  • The signing ticket files must carry one of the ApNonces which the device generates frequently;
  • img4tool can't be used on Windows (problem with signing iBSS/iBEC); this is still a TO-DO;

Info

You can downgrade if the destination firmware version is compatible with the latest signed SEP and baseband. You also need special signing ticket files. If you don't know what this means, you probably can NOT use this method!

How to use

  1. Connect your device in DFU mode.

  2. Use irecovery to check the ApNonce the device booted into DFU with.

  3. Extract iBSS and iBEC (unsigned) from the target firmware for the downgrade.

  4. Compare the DFU ApNonce reported by irecovery with the ApNonces in your tickets. DFU ApNonce collisions cannot be forced automatically.

     If the ApNonce does not match any ticket, re-enter DFU by hand and check again.

     If the ApNonce matches a ticket, use that SHSH2 to sign iBSS/iBEC.

  5. Sign iBSS with img4tool: img4tool -s ticket.shsh -c iBSS.signed -p <original_iBSS>

  6. Sign iBEC with img4tool: img4tool -s ticket.shsh -c iBEC.signed -p <original_iBEC>

  7. After signing, boot into Recovery with irecovery:

     irecovery -f iBSS.signed (loads iBSS)

     irecovery -f iBEC.signed (loads iBEC)

  8. On the computer run futurerestore -t ticket.shsh --latest-baseband --latest-sep -w firmware.ipsw
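The DFU collision loop in steps 2 to 8 as one script. This is an added example, not code from futurerestore or its author. Assumptions not taken from the page: irecovery -q prints the current ApNonce on a line starting with NONC:, and the ApNonce each saved ticket was requested with is listed in a text file nonces.txt as <apnonce> <ticket path>; the irecovery output and the table used by demo() are constructed.

```shell
#!/bin/sh
# Added example, not part of futurerestore: read the DFU ApNonce, pick the ticket
# that was signed for it, sign iBSS/iBEC with that ticket, boot them, then restore.
# Assumptions (not from the page):
#   * `irecovery -q` prints a line "NONC: <hex>" carrying the current ApNonce;
#   * nonces.txt holds one "<apnonce> <ticket path>" entry per saved ticket.
set -eu

# Pull the hex ApNonce out of `irecovery -q` output, lower-cased so the lookup is
# case-insensitive. Prints nothing if no NONC line is present.
parse_nonce() {   # $1 = irecovery -q output
  printf '%s\n' "$1" |
    sed -n 's/^NONC:[[:space:]]*\([0-9A-Fa-f]*\).*/\1/p' | head -n 1 | tr 'A-F' 'a-f'
}

# Print the ticket path recorded for ApNonce $1, or nothing if no ticket matches.
ticket_for_nonce() {   # $1 = lower-case nonce, $2 = nonces.txt path
  awk -v n="$1" 'tolower($1) == n { print $2; exit }' "$2"
}

main() {   # usage: ./dfu-collide.sh firmware.ipsw nonces.txt iBSS.unsigned iBEC.unsigned
  ipsw=$1; table=$2; ibss=$3; ibec=$4
  nonce=$(parse_nonce "$(irecovery -q)")
  [ -n "$nonce" ] || { echo "could not read an ApNonce from irecovery -q" >&2; exit 1; }
  ticket=$(ticket_for_nonce "$nonce" "$table")
  if [ -z "$ticket" ]; then
    # No collision this time: the page's "use hands" step, re-enter DFU and rerun.
    echo "ApNonce $nonce matches no saved ticket; re-enter DFU by hand and retry" >&2
    exit 2
  fi
  echo "ApNonce $nonce collided with $ticket"
  img4tool -s "$ticket" -c iBSS.signed -p "$ibss"
  img4tool -s "$ticket" -c iBEC.signed -p "$ibec"
  irecovery -f iBSS.signed
  irecovery -f iBEC.signed
  futurerestore -t "$ticket" --latest-baseband --latest-sep -w "$ipsw"
}

# Offline self-check with constructed data (not real tickets or device output).
demo() {
  table=$(mktemp)
  printf '%s\n' \
    '0ac7e1b3f9d2c4a6e8b0d2f4a6c8e0b2d4f6a8c0 /tickets/nonce-a.shsh2' \
    '4b37a8d0e6f1c2b3a4958677d8e9f0a1b2c3d4e5 /tickets/nonce-b.shsh2' > "$table"
  # Constructed irecovery -q output; the nonce is upper case on purpose.
  out='CPID: 8960
BDID: 00
NONC: 4B37A8D0E6F1C2B3A4958677D8E9F0A1B2C3D4E5'
  ticket=$(ticket_for_nonce "$(parse_nonce "$out")" "$table")
  rm -f "$table"
  [ "$ticket" = /tickets/nonce-b.shsh2 ]
}

if [ $# -ge 4 ]; then main "$@"; else demo; fi
```

Exit status 2 means the nonce did not collide; put the device back into DFU and run the script again until it does. Nothing is signed or sent to the device unless a ticket actually matches the reported ApNonce.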


4) Odysseus (32-bit / 64-bit devices)

Requirements

  • futurerestore compiled with libipatcher;
  • Jailbreak or bootrom exploit (limera1n, checkm8);
  • 32-bit: firmware keys for the device/destination firmware version must be public (check ipsw.me);
  • 64-bit: devices with A12 and A13 chips are NOT compatible with this method;
  • Signing ticket files (.shsh, .shsh2, .plist) for the destination firmware (OTA blobs work too!).

Info

If you have a jailbroken device, you can downgrade to any firmware version you have blobs for. You can still get OTA blobs for iOS 6.1.3, 8.4.1 or 10.3.3 for some devices and use those.

How to use

  1. Get the device into kDFU/pwnDFU mode
     • Pre-iPhone 4s (limera1n devices):
       • Enter pwnDFU mode with redsn0w or any other tool
     • iPhone 4s and later 32-bit devices:
       • Enter kDFU mode with the kDFU app (Cydia: repo.tihmstar.net) or by loading a pwnediBSS from any existing Odysseus bundle
     • Any 64-bit device:
       • Enter pwnDFU mode and patch the signature check with the special fork of ipwndfu
  2. Connect your device to the computer in kDFU mode (or pwnDFU mode)
  3. On the computer run futurerestore --use-pwndfu -t ticket.shsh --latest-baseband firmware.ipsw

YouTube

  • Odysseus futurerestore + libipatcher
  • Odysseus kDFU app
  • Odysseus Enter kDFU mode (watch up to the point where the screen goes black)

You can use any Odysseus bundle for this.

5) iOS 9.x re-restore bug by @alitek123 (only for 32-bit devices)

Requirements

  • Jailbreak not required;
  • Signing ticket files (.shsh, .shsh2, .plist) for iOS 9.x without an ApNonce (noNonce APTickets)

Info

If you have signing ticket files for iOS 9.x which do not contain an ApNonce, you can restore to that firmware.

How to use

  1. Connect your device in DFU mode
  2. On the computer run futurerestore -t ticket.shsh --latest-baseband ios9.ipsw

Languages

  • C++ 94.1%
  • M4 4.0%
  • Makefile 1.4%
  • Shell 0.5%