mirrors/futurerestore
1
0
Fork 0
mirror of https://github.com/tihmstar/futurerestore.git synced 2024-12-21 17:25:30 +00:00
Code Issues Projects Releases Wiki Activity

Probably fix issue with baseband restore (#295) & (#296)

Browse source
This commit is contained in:
s0uthwest 2020-01-03 06:56:50 -08:00
parent f8f2e79e09
commit 38b168002b
5 changed files with 42 additions and 50 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

66
README.md
View file

@ -10,12 +10,12 @@ __Only use if you are sure what you're doing.__
# Features
* Supports the following downgrade methods:
* Prometheus 64-bit devices (generator and ApNonce collision mode)
* Odysseus for 32-bit / 64-bit devices
* Odysseus for 32-bit & 64-bit (A7-A11) devices
* Re-restoring 32-bit devices to iOS 9.x with [alitek123](https://github.com/alitek12)'s no-ApNonce method (alternative — [idevicererestore](https://downgrade.party)).
* Allows restoring to non-matching firmware with custom SEP+baseband
# Dependencies
* ## External Libs
* ## External libs
Make sure these are installed
* [libzip](https://github.com/nih-at/libzip);
* [libcurl](https://github.com/curl/curl);
@ -25,7 +25,7 @@ __Only use if you are sure what you're doing.__
* [libirecovery](https://github.com/libimobiledevice/libirecovery);
* [libimobiledevice](https://github.com/libimobiledevice/libimobiledevice);
* [img4tool](https://github.com/tihmstar/img4tool);
* [liboffsetfinder64](https://github.com/tihmstar/liboffsetfinder64)
* [liboffsetfinder64](https://github.com/tihmstar/liboffsetfinder64);
* [libipatcher](https://github.com/tihmstar/libipatcher)
* ## Submodules
@ -67,15 +67,15 @@ Usage: `futurerestore [OPTIONS] iPSW`
| | | DO NOT use this parameter, if you update from jailbroken firmware! |
| ` -w ` | ` --wait ` | Keep rebooting until ApNonce matches APTicket (ApNonce collision, unreliable) |
| ` -d ` | ` --debug ` | Show all code, use to save a log for debug testing |
| | ` --exit-recovery ` | Exit recovery mode and quit |
| ` -e ` | ` --exit-recovery ` | Exit recovery mode and quit |
| | ` --use-pwndfu ` | Restoring devices with Odysseus method. Device needs to be in pwned DFU mode already |
| | ` --just-boot "-v" ` | Tethered booting the device from pwned DFU mode. You can optionally set ` boot-args ` |
| | ` --latest-sep ` | Use latest signed sep instead of manually specifying one (may cause bad restore) |
| | ` --latest-sep ` | Use latest signed SEP instead of manually specifying one (may cause bad restore) |
| ` -s ` | ` --sep PATH ` | SEP to be flashed |
| ` -m ` | ` --sep-manifest PATH ` | BuildManifest for requesting SEP ticket |
| | ` --latest-baseband ` | Use latest signed baseband instead of manually specifying one (may cause bad restore) |
| ` -b ` | ` --baseband PATH ` | Baseband to be flashed |
| ` -p ` | ` --baseband-manifest PATH ` | Buildmanifest for requesting baseband ticket |
| ` -p ` | ` --baseband-manifest PATH ` | BuildManifest for requesting baseband ticket |
| | ` --no-baseband ` | Skip checks and don't flash baseband |
| | | Only use this for device without a baseband (eg. iPod touch or some Wi-Fi only iPads) |
@ -88,7 +88,6 @@ Whenever you read "downgrade" nowadays it means you can also upgrade and re-rest
---
## 1) Prometheus (64-bit device) - generator method
### Requirements
- Jailbreak
- signing ticket files (`.shsh`, `.shsh2`, `.plist`) with a generator
@ -109,13 +108,13 @@ You can downgrade, if the destination firmware version is compatible with the **
### Youtube
<a href="http://www.youtube.com/watch?feature=player_embedded&v=BIMx2Y13Ukc" target="_blank"><img src="http://img.youtube.com/vi/BIMx2Y13Ukc/0.jpg" alt="Prometheus" width="240" height="180"/></a>
*Prometheus*
*Prometheus*
<a href="http://www.youtube.com/watch?feature=player_embedded&v=UXxpUH71-s4" target="_blank"><img src="http://img.youtube.com/vi/UXxpUH71-s4/0.jpg" alt="Prometheus" width="240" height="180"/></a>
*nonceEnabler*
*nonceEnabler*
### Recommended methods to activate nonceEnabler patch
#### Method 1: ios-kern-utils (iOS 7.x-10.x):
#### Method 1: ios-kern-utils (iOS 7.x-10.x)
1. Install DEB-file of [ios-kern-utils](https://github.com/Siguza/ios-kern-utils/releases/) on device;
2. Run on the device `nvpatch com.apple.System.boot-nonce`.
@ -125,7 +124,8 @@ Use utilities for setting boot-nonce generator:
2. [v0rtexnonce](https://github.com/arx8x/v0rtexnonce) for iOS 10.x;
3. [Nonceset1112](https://github.com/julioverne/NonceSet112) for iOS 11.0-11.1.2;
4. [noncereboot1131UI](https://github.com/s0uthwest/noncereboot1131UI) for iOS 11.0-11.4b3;
5. [NonceReboot12xx](https://github.com/ur0/NonceReboot12XX) for iOS 12.0-12.1.2.
5. [NonceReboot12xx](https://github.com/ur0/NonceReboot12XX) for iOS 12.0-12.1.2;
6. [GeneratorAutoSetter](https://github.com/Halo-Michael/GeneratorAutoSetter) for checkra1n jailbreak on iOS / iPadOS 13.x. Install it from Cydia's developer repo (https://halo-michael.github.io/repo/) on device.
#### Method 3: Using jailbreak tools
Use jailbreak tools for setting boot-nonce generator:
@ -135,7 +135,7 @@ Use jailbreak tools for setting boot-nonce generator:
4. [unc0ver](https://unc0ver.dev) for iOS 11.0-12.2, 12.4.x;
5. [Chimera and ChimeraTV](https://chimera.sh) for iOS 12.0-12.2, 12.4 and tvOS 12.0-12.2, 12.4.
### Activate tfp0 if jailbreak doesn't allow it
### Activate tfp0, if jailbreak doesn't allow it
#### Method 1 (if jailbroken on iOS 9.2-9.3.x)
* reboot;
* reactivate jailbreak with [Luca Todesco](https://github.com/kpwn)'s [JailbreakMe](https://jbme.qwertyoruiop.com/);
@ -152,12 +152,11 @@ Use jailbreak tools for setting boot-nonce generator:
---
## 2) Prometheus (64-bit device) - ApNonce collision method (Recovery mode);
## 2) Prometheus (64-bit device) - ApNonce collision method (Recovery mode)
### Requirements
- Device with A7 chip on iOS 9.1 - 10.2 or iOS 10.3 beta 1;
- **Device with A7 chip on iOS 9.1 - 10.2 or iOS 10.3 beta 1**;
- Jailbreak doesn't required;
- Signing ticket files (`.shsh`, `.shsh2`, `.plist`) with a customly chosen APNonce;
- Signing ticket files (`.shsh`, `.shsh2`, `.plist`) with a customly chosen ApNonce;
- Signing ticket files needs to have one of the ApNonces, which the device generates a lot;
### Info
@ -165,14 +164,13 @@ You can downgrade if the destination firmware version, if it is compatible with
### How to use
1. Connect your device in normal or recovery mode;
2. On the computer run `futurerestore -w -t ticket.shsh --latest-baseband --latest-sep ios.ipsw`
2. On the computer run `futurerestore -w -t ticket.shsh --latest-baseband --latest-sep firmware.ipsw`
* If you have saved multiple signing tickets with different nonces you can specify more than
one to speed up the process: `futurerestore -w -t t1.shsh -t t2.shsh -t t3.shsh -t t4.shsh --latest-baseband --latest-sep ios.ipsw`
one to speed up the process: `futurerestore -w -t t1.shsh -t t2.shsh -t t3.shsh -t t4.shsh --latest-baseband --latest-sep firmware.ipsw`
---
## 3) Prometheus (64-bit device) - ApNonce collision method (DFU mode);
## 3) Prometheus (64-bit device) - ApNonce collision method (DFU mode)
### Requirements
- __Devices with A7 (iPhone 5s, iPad Air, iPad mini 2), A8 (iPhone 6 [+], iPad mini [2,3,4], iPod touch [6th generation]) and A8X (iPad Air 2) chips on all firmwares;__
- __Devices have been released after ~September, 2015 {PROBABLY};__
@ -198,17 +196,16 @@ You can downgrade if the destination firmware version, if it is compatible with
`img4tool -s ticket.shsh -c iBSS.signed -p <original_iBSS>`;
6. Use img4tool for sign iBEC:
`img4tool -s ticket.shsh -c iBEC.signed -p <original_iBEC>`;
7. So, after signing we can boot into Recovery with irecovery.
7. So, after signing we can boot into Recovery with irecovery.
`irecovery -f iBSS.signed` - loading iBSS;
`irecovery -f iBEC.signed` - loading iBEC;
8. So good! On the computer run `futurerestore -t ticket.shsh --latest-baseband --latest-sep -w ios.ipsw`.
8. So good! On the computer run `futurerestore -t ticket.shsh --latest-baseband --latest-sep -w firmware.ipsw`.
---
## 4) Odysseus (32-bit / 64-bit devices)
### Requirements
- futurerestore compiled with libipatcher;
- Jailbreak or bootrom exploit (limera1n, checkm8);
@ -223,26 +220,23 @@ If you have a jailbroken device, you can downgrade to **any** firmware version y
1. Get device into kDFU/pwnDFU
* Pre-iPhone4s (limera1n devices):
* Enter to pwnDFU mode with redsn0w or any other tool
* iPhone 4s and later:
* Enter to kDFU mode with kDFU app (cydia: repo.tihmstar.net) or by loading a pwniBSS from any existing odysseus bundle
or
* Enter to pwnDFU mode with [ipwndfu](https://github.com/axi0mx/ipwndfu) or use futurerestore for it;
* iPhone 4s and later 32-bit devices:
* Enter to kDFU mode with kDFU app (cydia: repo.tihmstar.net) or by loading a pwnediBSS from any existing odysseus bundle
* Any 64-bit device:
* Enter to pwnDFU mode and patch signature check with special fork of [ipwndfu](https://github.com/LinusHenze/ipwndfu_public)
2. Connect your device to computer in kDFU mode (or pwnDFU mode)
3. On the computer run `futurerestore --use-pwndfu -t ticket.shsh --latest-baseband ios.ipsw`
3. On the computer run `futurerestore --use-pwndfu -t ticket.shsh --latest-baseband firmware.ipsw`
### Youtube
<a href="http://www.youtube.com/watch?feature=player_embedded&v=FQfcybsEWmM" target="_blank"><img src="http://img.youtube.com/vi/FQfcybsEWmM/0.jpg" alt="Odysseus" width="240" height="180"/></a>
*Futurerestore + libipatcher*
<a href="http://www.youtube.com/watch?feature=player_embedded&v=FQfcybsEWmM" target="_blank"><img src="http://img.youtube.com/vi/FQfcybsEWmM/0.jpg" alt="Odysseus" width="240" height="180"/></a> *futurerestore + libipatcher*
<a href="http://www.youtube.com/watch?feature=player_embedded&v=8Ro4g6StPeI" target="_blank"><img src="http://img.youtube.com/vi/8Ro4g6StPeI/0.jpg" alt="Odysseus" width="240" height="180"/></a>
*kDFU app*
<a href="http://www.youtube.com/watch?feature=player_embedded&v=8Ro4g6StPeI" target="_blank"><img src="http://img.youtube.com/vi/8Ro4g6StPeI/0.jpg" alt="Odysseus" width="240" height="180"/></a> *kDFU app*
<a href="http://www.youtube.com/watch?feature=player_embedded&v=Wo7mGdMcjxw" target="_blank"><img src="http://img.youtube.com/vi/Wo7mGdMcjxw/0.jpg" alt="Odysseus" width="240" height="180"/></a>
*Enter kDFU mode (watch up to the point where the screen goes black)*
<a href="http://www.youtube.com/watch?feature=player_embedded&v=Wo7mGdMcjxw" target="_blank"><img src="http://img.youtube.com/vi/Wo7mGdMcjxw/0.jpg" alt="Odysseus" width="240" height="180"/></a> *Enter kDFU mode (watch up to the point where the screen goes black)*
*You can use **any** odysseus bundle for this*
You can use **any** odysseus bundle for this.
## 5) iOS 9.x Re-restore bug (found by @alitek123) (only for 32-bit devices):
## 5) iOS 9.x re-restore bug by @alitek123 (only for 32-bit devices)
### Requirements
- Jailbreak doesn't required;
- Signing ticket files (`.shsh`, `.shsh2`, `.plist`) from by iOS 9.x without ApNonce (noNonce APTickets)

2
external/idevicerestore vendored

@ -1 +1 @@
Subproject commit 9e4cc5359fdeba9fc395d6d7d3220d2052e46bf1
Subproject commit c97e02e22b9971471db5dcb3b9e02eb30222d6c0

9
futurerestore/futurerestore.cpp
View file

@ -7,7 +7,6 @@
//
#include <libgeneral/macros.h>
#include <iostream>
#include <stdlib.h>
#include <string.h>
@ -137,7 +136,7 @@ void futurerestore::putDeviceIntoRecovery(){
info("Entering recovery mode...\n");
retassure(!normal_enter_recovery(_client),"Unable to place device into recovery mode from %s mode\n", _client->mode->string);
}else if (_client->mode->index == MODE_RECOVERY){
info("Device already in Recovery mode\n");
info("Device already in recovery mode\n");
}else if (_client->mode->index == MODE_DFU && _isPwnDfu &&
#ifdef HAVE_LIBIPATCHER
true
@ -178,7 +177,7 @@ plist_t futurerestore::nonceMatchesApTickets(){
if (getDeviceMode(true) != MODE_RECOVERY){
if (getDeviceMode(false) != MODE_DFU || *_client->version != '9')
reterror("Device is not in recovery mode, can't check apnonce\n");
reterror("Device is not in recovery mode, can't check ApNonce\n");
else
_rerestoreiOS9 = (info("Detected iOS 9.x 32-bit re-restore, proceeding in DFU mode\n"),true);
}
@ -291,7 +290,7 @@ void futurerestore::waitForNonce(vector<const char *>nonces, size_t nonceSize){
usleep(1*USEC_PER_SEC);
}
while (getDeviceMode(true) != MODE_RECOVERY) usleep(USEC_PER_SEC*0.5);
retassure(!recovery_client_new(_client), "Could not connect to device in recovery mode.\n");
retassure(!recovery_client_new(_client), "Could not connect to device in recovery mode\n");
recovery_get_ap_nonce(_client, &realnonce, &realNonceSize);
info("Got ApNonce from device: ");
@ -1078,11 +1077,9 @@ int futurerestore::doJustBoot(const char *ipsw, string bootargs){
//
// retassure(build_identity = getBuildidentityWithBoardconfig(buildmanifest, client->device->hardware_model, 0),"ERROR: Unable to find any build identities for IPSW\n");
//
//
// /* print information about current build identity */
// build_identity_print_information(build_identity);
//
//
// //check for enterpwnrecovery, because we could be in DFU mode
// retassure(_enterPwnRecoveryRequested, "enterPwnRecoveryRequested is not set, but required");
//

2
futurerestore/futurerestore.hpp
View file

@ -9,9 +9,9 @@
#ifndef futurerestore_hpp
#define futurerestore_hpp
//make sure WIN32 is defined if compiling for windows
#if defined _WIN32 || defined __CYGWIN__
#ifndef WIN32
//make sure WIN32 is defined if compiling for windows
#define WIN32
#endif
#endif

13
futurerestore/main.cpp
View file

@ -40,6 +40,7 @@ static struct option longopts[] = {
{ "wait", no_argument, NULL, 'w' },
{ "update", no_argument, NULL, 'u' },
{ "debug", no_argument, NULL, 'd' },
{ "exit-recovery", no_argument, NULL, 'e' },
{ "latest-sep", no_argument, NULL, '0' },
{ "latest-baseband", no_argument, NULL, '1' },
{ "no-baseband", no_argument, NULL, '2' },
@ -47,7 +48,6 @@ static struct option longopts[] = {
{ "use-pwndfu", no_argument, NULL, '3' },
{ "just-boot", optional_argument, NULL, '4' },
#endif
{ "exit-recovery", no_argument, NULL, '5' },
{ NULL, 0, NULL, 0 }
};
@ -67,7 +67,7 @@ void cmd_help(){
printf(" \t\t\tDO NOT use this parameter, if you update from jailbroken firmware!\n");
printf(" -w, --wait\t\t\tKeep rebooting until ApNonce matches APTicket (ApNonce collision, unreliable)\n");
printf(" -d, --debug\t\t\tShow all code, use to save a log for debug testing\n");
printf(" --exit-recovery\t\tExit recovery mode and quit\n");
printf(" -e, --exit-recovery\t\tExit recovery mode and quit\n");
#ifdef HAVE_LIBIPATCHER
printf("\nOptions for downgrading with Odysseus:\n");
@ -86,7 +86,7 @@ void cmd_help(){
printf(" -p, --baseband-manifest PATH\tBuildManifest for requesting baseband ticket\n");
printf(" --no-baseband\t\tSkip checks and don't flash baseband\n");
printf(" \t\tOnly use this for device without a baseband (eg. iPod touch or some Wi-Fi only iPads)\n\n");
}
}
#ifdef WIN32
DWORD termFlags;
@ -133,7 +133,7 @@ int main_r(int argc, const char * argv[]) {
return -1;
}
while ((opt = getopt_long(argc, (char* const *)argv, "ht:b:p:s:m:wud0123", longopts, &optindex)) > 0) {
while ((opt = getopt_long(argc, (char* const *)argv, "ht:b:p:s:m:wude0123", longopts, &optindex)) > 0) {
switch (opt) {
case 't': // long option: "apticket"; can be called as short option
apticketPaths.push_back(optarg);
@ -141,7 +141,7 @@ int main_r(int argc, const char * argv[]) {
case 'b': // long option: "baseband"; can be called as short option
basebandPath = optarg;
break;
case 'p': // long option: "baseband-plist"; can be called as short option
case 'p': // long option: "baseband-manifest"; can be called as short option
basebandManifestPath = optarg;
break;
case 's': // long option: "sep"; can be called as short option
@ -174,7 +174,7 @@ int main_r(int argc, const char * argv[]) {
break;
break;
#endif
case '5': // long option: "exit-recovery";
case 'e': // long option: "exit-recovery"; can be called as short option
exitRecovery = true;
break;
case 'd': // long option: "debug"; can be called as short option
@ -185,6 +185,7 @@ int main_r(int argc, const char * argv[]) {
return -1;
}
}
if (argc-optind == 1) {
argc -= optind;
argv += optind;