iDowngrade

futurerestore is a hacked up idevicerestore wrapper, which allows manually specifying SEP and Baseband for restoring.

Latest compiled version (macOS & Linux) can be found here:
http://api.tihmstar.net/builds/futurerestore/futurerestore-latest.zip

Features

  • Supports the following methods for downgrading
    • Prometheus: 64bit idevices
    • Odysseus: 32bit idevices
    • Re-restoring 32bit devices to iOS 9 with @alitek123's no-nonce exploit
  • Allows restoring any non-matching signed iOS, SEP or Baseband

Dependencies

Bundled Libs

These don't need to be installed manually
  • jsmn

External Libs

  • Make sure these libs are installed
    • libzip
    • libcurl
    • openssl (or CommonCrypto on OSX)
    • libplist

Submodules

Help

(might become outdated):

Usage: futurerestore [OPTIONS] IPSW

option (short)   option (long)              description
-t               --apticket PATH            APTicket used for restoring the iDevice
-b               --baseband PATH            Baseband to be flashed
-p               --baseband-manifest PATH   BuildManifest for requesting baseband ticket
-s               --sep PATH                 SEP to be flashed on the iDevice
-m               --sep-manifest PATH        BuildManifest for requesting SEP ticket
-w               --wait                     keep rebooting iDevice until nonce matches APTicket
-u               --update                   update iDevice instead of clean install
-d               --debug                    show all logs, use to save a log for debugging
                 --latest-sep               use latest signed SEP instead of manually specifying one (may cause bad restore)
                 --latest-baseband          use the latest signed baseband of device instead of manually specifying your baseband
                 --no-baseband              skip device checks and don't flash the baseband

0) What futurerestore can do

Downgrade/Upgrade/Re-restore same iOS. Whenever you read "downgrade" nowadays it means you can also upgrade and re-restore if you're on the same iOS. Basically this allows restoring an iOS version regardless of which iOS is currently installed.

1) Prometheus (64bit device) - generator method

Requirements

  • Jailbreak
  • SHSH2 files with a generator
  • nonceEnabler patch enabled

Info

You can downgrade if the destination iOS is compatible with the latest signed SEP and if you have shsh2 files with a generator for that iOS.

How to use

  1. Device must be jailbroken and nonceEnabler patch must be enabled
  2. Open shsh file and look up the generator
     • Looks like this: <key>generator</key><string>0xde3318d224cf14a1</string>
  3. Write the generator to device's NVRAM
     • SSH into the device and run nvram com.apple.System.boot-nonce=0xde3318d224cf14a1 to set the generator 0xde3318d224cf14a1
     • Verify with nvram -p
  4. Connect your device in normal mode to computer
  5. On the computer run futurerestore -t ticket.shsh --latest-baseband --latest-sep ios.ipsw
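
The generator lookup and the nvram -p check from the steps above can be scripted. This is an added example, not part of futurerestore: the function names, the sample ticket and the sample nvram -p output are constructed, and it assumes the generator has the 0x plus 16 hex digit form shown above.

```python
import plistlib
import re

NVRAM_KEY = "com.apple.System.boot-nonce"        # NVRAM key from the steps above
GENERATOR_RE = re.compile(r"0x[0-9a-fA-F]{16}")  # assumed form, as in the page's example

# Constructed sample ticket: real shsh2 files carry a full ApImg4Ticket blob.
SAMPLE_SHSH2 = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>ApImg4Ticket</key><data>AAAA</data>
    <key>generator</key><string>0xde3318d224cf14a1</string>
</dict>
</plist>
"""
# Constructed sample of `nvram -p` output (one "key<whitespace>value" per line).
SAMPLE_NVRAM = "auto-boot\ttrue\ncom.apple.System.boot-nonce\t0xde3318d224cf14a1\n"


def read_generator(shsh_bytes: bytes) -> str:
    """Return the generator stored in an shsh2 ticket (XML or binary plist)."""
    ticket = plistlib.loads(shsh_bytes)
    gen = ticket.get("generator") if isinstance(ticket, dict) else None
    if not isinstance(gen, str):
        raise ValueError("no generator in ticket; the generator method needs one")
    if not GENERATOR_RE.fullmatch(gen):
        raise ValueError(f"malformed generator {gen!r}")
    return gen.lower()


def nvram_command(generator: str) -> str:
    """Command to run on the device over SSH to set the generator."""
    return f"nvram {NVRAM_KEY}={generator}"


def nvram_matches(nvram_p_output: str, generator: str) -> bool:
    """True if `nvram -p` output shows the boot-nonce key set to generator."""
    for line in nvram_p_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == NVRAM_KEY:
            return parts[1].strip().lower() == generator.lower()
    return False  # key absent from the output


if __name__ == "__main__":
    gen = read_generator(SAMPLE_SHSH2)
    print(nvram_command(gen))
    print("NVRAM matches ticket:", nvram_matches(SAMPLE_NVRAM, gen))
```

A False result from nvram_matches before running futurerestore means the value in NVRAM does not match the ticket's generator.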

Recommended method to activate nonceEnabler patch

  1. Get nvpatch https://github.com/Siguza/ios-kern-utils/releases/
  2. Run on the device nvpatch com.apple.System.boot-nonce

Activate tfp0 if jailbreak doesn't allow it

Method 1 (if jailbroken on 9.3.x)

Method 2


2) Prometheus (64bit device) - nonce collision method

Requirements

  • iPhone5s or iPad Air on iOS 9.1 - 10.2
  • No Jailbreak required
  • SHSH files with a custom-chosen APNonce
  • The shsh file needs to have one of the nonces that the device generates frequently

Info

You can downgrade if the destination iOS is compatible with the latest signed SEP. You also need to have special shsh files. If you don't know what this is, you probably can NOT use this method!

How to use

  1. Connect your device in normal mode or recovery mode
  2. On the computer run futurerestore -w -t ticket.shsh --latest-baseband --latest-sep ios.ipsw
     • If you have saved multiple tickets with different nonces you can specify more than one to speed up the process: futurerestore -w -t t1.shsh -t t2.shsh -t t3.shsh -t t4.shsh --latest-baseband --latest-sep ios.ipsw

3) Odysseus (32bit devices)

Requirements

  • futurerestore compiled with libipatcher (odysseus support)
  • Jailbreak or bootrom exploit (limera1n)
  • Firmware keys for the iDevice/destination iOS must be public on ipsw.me.
  • SHSH files for the destination iOS (OTA blobs also work!)

Info

If you have a jailbroken 32bit device you can downgrade to any iOS you have blobs for. You can still get OTA blobs for iOS 6.1.3 and 8.4.1 for some devices and use those.

How to use

  1. Get device into kDFU/pwnDFU
     • Pre-iPhone4s (limera1n devices):
       • Enter pwndfu mode with redsn0w or any other tool
     • iPhone4s and later:
       • Jailbreak required!
       • Enter kDFU mode with kDFU app (cydia: repo.tihmstar.net) or by loading a pwniBSS from any existing odysseus bundle.
  2. Connect your device to computer in kDFU mode (or pwnDFU mode)
  3. On the computer run futurerestore --use-pwndfu -t ticket.shsh --latest-baseband ios.ipsw

4) iOS 9 Re-restore bug (found by @alitek123) (32bit devices):

Requirements

  • No Jailbreak required
  • SHSH files without a nonce (noNonce APTickets)

Info

If you have shsh files for iOS9 which do not contain a nonce, you can restore to that firmware.

How to use

  1. Connect your device in DFU mode
  2. On the computer run futurerestore -t ticket.shsh --latest-baseband ios9.ipsw