futurerestore is a hacked-up idevicerestore wrapper which allows manually specifying the SEP and baseband used for restoring.

- Supports the following downgrade methods:
  - Prometheus for 64-bit devices (generator and APNonce collision modes);
  - Odysseus for 32-bit devices;
  - Re-restoring 32-bit devices to iOS 9 with @alitek123's no-nonce method (alternative: idevicererestore).
- Allows restoring any non-matching signed iOS/SEP/Baseband combination.
- On macOS and Windows, futurerestore requires no runtime dependencies; the following are only needed for compiling.
- On Linux, usbmuxd is required at runtime.
Make sure these external libraries are installed:
- libzip;
- libcurl;
- openssl (or CommonCrypto on macOS/OS X);
- libplist;
- libirecovery;
- libimobiledevice.

Make sure the projects futurerestore depends on compile on your system (install their dependencies).

Follow this guide to use tsschecker on Ubuntu 18.04 (Bionic), as it requires libcurl3, which cannot coexist with libcurl4 on this OS.
Downgrade/Upgrade/Re-restore to the same iOS: whenever you read "downgrade" below, it also covers upgrading and re-restoring the same iOS version. In short, this lets you restore to a given iOS regardless of which iOS is currently installed.
1) Prometheus (generator method)

Requirements:
- Jailbreak
- SHSH2 files with a generator
- nonceEnabler patch enabled

You can downgrade if the destination iOS is compatible with the latest signed SEP and if you have shsh2 files with a generator for that iOS.

- The device must be jailbroken and the nonceEnabler patch must be active
- Open the shsh file and look up the generator
  - It looks like this:
    <key>generator</key><string>0xde3318d224cf14a1</string>
- Write the generator to the device's nvram
  - SSH into the device and run
    nvram com.apple.System.boot-nonce=0xde3318d224cf14a1
    to set the generator 0xde3318d224cf14a1
  - Verify with
    nvram -p
- Connect your device to the computer in normal mode
- On the computer run
  futurerestore -t ticket.shsh --latest-baseband --latest-sep ios.ipsw
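As an added example (not part of futurerestore or tsschecker), the following Python script does the look-up and verification steps above from the computer side: it reads the generator out of an .shsh2 plist, checks that it is a well-formed 64-bit hex value, builds the exact nvram command to run on the device, and compares a saved copy of the nvram -p output with the ticket so a typo in the generator is caught before the restore starts. The ticket plist and the nvram dump are constructed samples (the generator value is the one quoted above), and the tab-separated key/value layout of nvram -p output is an assumption.

```python
"""Inspect an .shsh2 ticket for its generator and check the device's nvram.

Added example for the Prometheus generator method; it is not part of
futurerestore or tsschecker.  The ticket plist and the `nvram -p` dump are
constructed samples; the generator value is the one quoted in the guide.
"""
import plistlib
import re
from typing import Optional

NVRAM_KEY = "com.apple.System.boot-nonce"
# A generator is "0x" followed by 16 hex digits (a 64-bit value).
GENERATOR_RE = re.compile(r"^0x[0-9a-fA-F]{16}$")

# Constructed minimal ticket: real .shsh2 files carry a full ApImg4Ticket blob.
SAMPLE_SHSH2 = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>ApImg4Ticket</key>
    <data>MIIBAAIBAQ==</data>
    <key>generator</key>
    <string>0xde3318d224cf14a1</string>
</dict>
</plist>
"""

# Constructed `nvram -p` output; the tab-separated layout is an assumption.
SAMPLE_NVRAM_P = (
    "backlight-level\t1000\n"
    "boot-args\t\n"
    "com.apple.System.boot-nonce\t0xde3318d224cf14a1\n"
)


def read_generator(shsh_bytes: bytes) -> Optional[str]:
    """Return the generator string stored in the ticket, or None if absent."""
    ticket = plistlib.loads(shsh_bytes)
    value = ticket.get("generator")
    return value.lower() if isinstance(value, str) else None


def validate_generator(generator: str) -> str:
    """Reject anything that is not 0x + 16 hex digits; return it lower-cased."""
    if not GENERATOR_RE.match(generator):
        raise ValueError(f"malformed generator: {generator!r}")
    return generator.lower()


def nvram_set_command(generator: str) -> str:
    """The exact command to run over SSH on the device."""
    return f"nvram {NVRAM_KEY}={validate_generator(generator)}"


def boot_nonce_from_nvram_dump(nvram_text: str) -> Optional[str]:
    """Parse `nvram -p` output and return the stored boot-nonce, if any."""
    for line in nvram_text.splitlines():
        key, sep, value = line.partition("\t")
        if not sep:  # fall back to a space if the dump is not tab-separated
            key, sep, value = line.partition(" ")
        if key.strip() == NVRAM_KEY:
            return value.strip().lower() or None
    return None


def nvram_matches(shsh_bytes: bytes, nvram_text: str) -> bool:
    """True when the device's boot-nonce equals the ticket's generator."""
    generator = read_generator(shsh_bytes)
    if generator is None:
        return False
    return boot_nonce_from_nvram_dump(nvram_text) == validate_generator(generator)


if __name__ == "__main__":
    gen = read_generator(SAMPLE_SHSH2)
    print("generator in ticket:", gen)
    print("run on the device:", nvram_set_command(gen))
    print("nvram -p matches ticket:", nvram_matches(SAMPLE_SHSH2, SAMPLE_NVRAM_P))
```

To use it against a real ticket, replace SAMPLE_SHSH2 with the file's bytes and SAMPLE_NVRAM_P with the text you copied from nvram -p on the device; a False result means the generator was not written correctly and the restore would fail at the APNonce check.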
Activate nonceEnabler patch

- Install the DEB file of ios-kern-utils on the device
- Run on the device
  nvpatch com.apple.System.boot-nonce

Alternatively, use a utility that sets the boot-nonce directly: PhœnixNonce for iOS 9.x, v0rtexnonce for iOS 10.x, nonceset1112 for iOS 11.0-11.1.2 and noncereboot1131UI for iOS 11.0-11.4b3.

Method 3: noncereboot11 for iOS 11.x.
This CLI tool is available from pwn20wnd's Cydia repo. Install it and set the boot-nonce following the binary's built-in help.
- reboot
- reactivate the jailbreak with Luca Todesco's JailbreakMe
- done

Method 2 (if jailbroken on iOS 8.0-8.1 with Pangu)
- install this untether DEB file with the included tfp0 patch

Method 3 (if jailbroken on iOS 7.x with Pangu)
- install this untether DEB file with the included tfp0 patch

- Use cl0ver for iOS 9.x
2) Prometheus (APNonce collision method)

Requirements:
- iPhone 5s, iPad Air, iPad mini 2 on iOS 9.1 - 10.2
- No jailbreak required
- SHSH files with a custom-chosen APNonce
  - The shsh file needs to have one of the APNonces that the device generates frequently
  - Known colliding APNonces are available in the file 'nonces.txt'

You can downgrade if the destination iOS is compatible with the latest signed SEP. You also need to have special shsh files. If you don't know what this is, you probably can NOT use this method!
- Connect your device in normal mode or recovery mode
- On the computer run
  futurerestore -w -t ticket.shsh --latest-baseband --latest-sep ios.ipsw
- If you have saved multiple tickets with different nonces, you can specify more than one to speed up the process:
  futurerestore -w -t t1.shsh -t t2.shsh -t t3.shsh -t t4.shsh --latest-baseband --latest-sep ios.ipsw
3) Prometheus (DFU APNonce collision method)

Requirements:
- Devices with the A7 chip (iPhone 5s, iPad Air, iPad mini 2) and some devices with the A8 chip (iPod touch 6th gen) on all iOS firmwares
- No jailbreak required
- SHSH files with a custom-chosen APNonce
  - The shsh file needs to have one of the APNonces that the device generates frequently
  - img4tool cannot be used on Windows yet (signing iBSS/iBEC fails there); this is still a TO-DO
  - Known colliding APNonces are available in the file 'nonces.txt' in tsschecker

You can downgrade if the destination iOS is compatible with the latest signed SEP. You also need to have special shsh files. If you don't know what this is, you probably can NOT use this method!
- Connect your device in DFU mode
- Use irecovery to check the nonce the device booted with in DFU
- Extract iBSS/iBEC (unsigned) from the target firmware you want to downgrade to
- Check DFU APNonces with irecovery while booting into DFU. DFU APNonces cannot be collided automatically: if the APNonce has not collided, re-enter DFU by hand and check again. Once the APNonce has collided, use the matching SHSH2 to sign iBSS/iBEC.
- Use img4tool to sign iBSS:
  img4tool -s ticket.shsh -c iBSS.signed -p <original_iBSS>
- Use img4tool to sign iBEC:
  img4tool -s ticket.shsh -c iBEC.signed -p <original_iBEC>
- After signing, boot into Recovery with irecovery:
  irecovery -f iBSS.signed (loads iBSS)
  irecovery -f iBEC.signed (loads iBEC)
- Then, on the computer, run
  futurerestore -w -t ticket.shsh --latest-baseband --latest-sep ios.ipsw
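The APNonce collision method and its DFU variant above both come down to one check: does the nonce the device currently reports equal the APNonce of a ticket you saved? The following Python script is an added example, not part of futurerestore, tsschecker, irecovery or img4tool. It parses the nonce from irecovery -q output, loads nonces.txt, finds the saved tickets whose file name carries that nonce, and prints the img4tool and futurerestore commands from the steps above for the tickets that collided. It assumes irecovery -q reports the nonce on a line beginning with NONC: and that tsschecker names saved tickets with the APNonce as the last underscore-separated field before .shsh2; every nonce, ECID and file name in it is constructed.

```python
"""Match the nonce reported by irecovery against saved tickets and nonces.txt.

Added example for the APNonce collision and DFU APNonce collision methods;
it is not part of futurerestore, tsschecker, irecovery or img4tool.
Assumptions: `irecovery -q` prints the nonce on a "NONC:" line, and tsschecker
saves tickets as <ecid>_<device>_<version>-<build>_<apnonce>.shsh2, so the
nonce is the last underscore-separated field of the file name.  All nonces,
ECIDs and file names below are constructed.
"""
import re
from typing import List, Optional, Set

HEX_RE = re.compile(r"^[0-9a-f]+$")

# Constructed `irecovery -q` output: a 40-hex-digit nonce as an A7 device reports.
SAMPLE_IRECOVERY_Q = (
    "CPID: 0x8960\n"
    "ECID: 0x000000000000aaaa\n"
    "NONC: 8f4a2c1d9e6b3f07a5d1c2e4b6f8091a2b3c4d5e\n"
)

# Constructed nonces.txt: one known-colliding APNonce per line.
SAMPLE_NONCES_TXT = """# constructed list of APNonces this device produces often
8f4a2c1d9e6b3f07a5d1c2e4b6f8091a2b3c4d5e
0123456789abcdef0123456789abcdef01234567
"""

# Constructed saved ticket file names (tsschecker naming assumed, see above).
SAMPLE_TICKETS = [
    "43690_iPhone6,1_10.2-14C92_8f4a2c1d9e6b3f07a5d1c2e4b6f8091a2b3c4d5e.shsh2",
    "43690_iPhone6,1_10.2-14C92_0123456789abcdef0123456789abcdef01234567.shsh2",
    "43690_iPhone6,1_10.2-14C92_ffffffffffffffffffffffffffffffffffffffff.shsh2",
]


def normalize_nonce(value: str) -> Optional[str]:
    """Lower-case a hex nonce, dropping an optional 0x prefix; None if not hex."""
    v = value.strip().lower()
    if v.startswith("0x"):
        v = v[2:]
    return v if v and HEX_RE.match(v) else None


def parse_irecovery_nonce(text: str) -> Optional[str]:
    """Pull the NONC value out of `irecovery -q` output."""
    for line in text.splitlines():
        if line.startswith("NONC:"):
            return normalize_nonce(line.split(":", 1)[1])
    return None


def load_nonce_list(text: str) -> Set[str]:
    """Read nonces.txt, ignoring blank lines and # comments."""
    nonces = set()
    for line in text.splitlines():
        nonce = normalize_nonce(line.split("#", 1)[0])
        if nonce:
            nonces.add(nonce)
    return nonces


def ticket_nonce(filename: str) -> Optional[str]:
    """APNonce encoded in a saved ticket's file name (last '_' field)."""
    stem = filename.rsplit("/", 1)[-1]
    for ext in (".shsh2", ".shsh"):
        if stem.endswith(ext):
            stem = stem[: -len(ext)]
            break
    return normalize_nonce(stem.rsplit("_", 1)[-1])


def collided_tickets(device_nonce: str, tickets: List[str]) -> List[str]:
    """Tickets whose APNonce equals the nonce the device booted with."""
    target = normalize_nonce(device_nonce)
    return [t for t in tickets if target and ticket_nonce(t) == target]


def futurerestore_command(tickets: List[str], ipsw: str) -> str:
    """Build the -w restore command, passing every ticket with its own -t."""
    flags = " ".join(f"-t {t}" for t in tickets)
    return f"futurerestore -w {flags} --latest-baseband --latest-sep {ipsw}"


def img4tool_commands(ticket: str, ibss: str, ibec: str) -> List[str]:
    """Sign iBSS/iBEC with the collided ticket, as in the DFU method."""
    return [
        f"img4tool -s {ticket} -c iBSS.signed -p {ibss}",
        f"img4tool -s {ticket} -c iBEC.signed -p {ibec}",
    ]


if __name__ == "__main__":
    nonce = parse_irecovery_nonce(SAMPLE_IRECOVERY_Q)
    print("device nonce:", nonce)
    print("listed in nonces.txt:", nonce in load_nonce_list(SAMPLE_NONCES_TXT))
    hits = collided_tickets(nonce, SAMPLE_TICKETS)
    if hits:
        print("\n".join(img4tool_commands(hits[0], "<original_iBSS>", "<original_iBEC>")))
        print(futurerestore_command(hits, "ios.ipsw"))
    else:
        print("no collision yet: re-enter DFU and check the nonce again")
```

For the normal-mode method you would pass every ticket whose nonce appears in nonces.txt to futurerestore_command, since futurerestore reboots until one of them collides; for the DFU method only the ticket matching the nonce irecovery shows right now is useful, which is what collided_tickets selects.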
4) Odysseus (32-bit devices)

Requirements:
- futurerestore compiled with libipatcher (Odysseus support)
- Jailbreak or bootrom exploit (limera1n)
- Firmware keys for the device/destination iOS must be public
- SHSH files for the destination iOS (OTA blobs work too!)

If you have a jailbroken 32-bit device, you can downgrade to any iOS you have blobs for. You can still get OTA blobs for iOS 6.1.3 and 8.4.1 for some devices and use those.
- Get the device into kDFU/pwnDFU mode
  - Pre-iPhone 4s (limera1n devices):
    - Enter pwnDFU mode with redsn0w or any other tool
  - iPhone 4s and later:
    - Jailbreak required!
    - Enter kDFU mode by loading a pwnediBSS from any existing Odysseus bundle
- Connect your device to the computer in kDFU mode (or pwnDFU mode)
- On the computer run
  futurerestore --use-pwndfu -t ticket.shsh --latest-baseband ios.ipsw

You can use any successfully created Odysseus bundle for this.
5) iOS 9 Re-restore bug (found by @alitek123, 32-bit devices only)

Requirements:
- No jailbreak required
- SHSH files without an APNonce (noNonce APTickets)

If you have shsh files for iOS 9 which do not contain an APNonce, you can restore to that firmware.

- Connect your device in DFU mode
- On the computer run
  futurerestore -t ticket.shsh --latest-baseband ios9.ipsw