Stars: 818
Rank: 55,733 (Top 2 %)
Language: C++
License: GNU Lesser Genera...
Created: almost 8 years ago
Updated: over 1 year ago


Repository Details

A hacked up idevicerestore wrapper, which allows specifying SEP and Baseband for restoring

futurerestore

futurerestore is a hacked-up idevicerestore wrapper which allows manually specifying the SEP and baseband used for restoring.

The latest compiled version can be found here.

Only use this if you are sure of what you are doing.


Features

  • Supports the following downgrade methods:
    • Prometheus for 64-bit devices (generator mode and ApNonce collision mode)
    • Odysseus for 32-bit and 64-bit (A7-A11) devices
    • Re-restoring 32-bit devices to iOS 9.x with alitek123's no-ApNonce method (alternative: idevicererestore)
  • Allows restoring to non-matching firmware with a custom SEP and baseband

Dependencies

Report an issue

You can do it here.

Restoring on Windows 10

  1. Try to restore the device; error -8 occurs.
  2. Leave the device plugged in; it will stay on the Recovery screen.
  3. Open Device Manager from the Control Panel in Windows.
  4. Locate "Apple Recovery (iBoot) USB Composite Device" (at the bottom).
  5. Right-click it and choose "Uninstall device". If a tick box offers to delete the driver software as well, tick it (all three Apple mobile device entries under USB devices will disappear).
  6. Unplug the device and plug it back in.
  7. Go back to futurerestore and send the restore command again (press the up arrow to recall it, then Enter). Error -8 is now fixed, but the process will fail again after the screen of your device has turned green.
  8. Go back to Device Manager and repeat the driver uninstall described above (steps 4 to 6).
  9. Go back to futurerestore once again and repeat the restore.
  10. The device will reboot and error -10 will also be solved.
  11. The restore will now proceed and succeed.

A note about cURL

  • Linux: follow this guide to use tsschecker on Ubuntu 18.04 (Bionic), as it requires libcurl3, which cannot coexist with libcurl4 on that release.

Help

(might become outdated):

Usage: futurerestore [OPTIONS] iPSW

option (short)  option (long)             description
-t              --apticket PATH           Signing tickets used for restoring
-u              --update                  Update instead of erase install (requires appropriate APTicket)
                                          DO NOT use this parameter if you update from jailbroken firmware!
-w              --wait                    Keep rebooting until ApNonce matches APTicket (ApNonce collision, unreliable)
-d              --debug                   Show all code, use to save a log for debug testing
-e              --exit-recovery           Exit recovery mode and quit
                --use-pwndfu              Restoring devices with Odysseus method. Device needs to be in pwned DFU mode already
                --just-boot "-v"          Tethered booting the device from pwned DFU mode. You can optionally set boot-args
                --latest-sep              Use latest signed SEP instead of manually specifying one (may cause bad restore)
-s              --sep PATH                SEP to be flashed
-m              --sep-manifest PATH       BuildManifest for requesting SEP ticket
                --latest-baseband         Use latest signed baseband instead of manually specifying one (may cause bad restore)
-b              --baseband PATH           Baseband to be flashed
-p              --baseband-manifest PATH  BuildManifest for requesting baseband ticket
                --no-baseband             Skip checks and don't flash baseband
                                          Only use this for devices without a baseband (e.g. iPod touch or some Wi-Fi only iPads)

0) What futurerestore can do

Downgrade, upgrade or re-restore to the same firmware version. Whenever you read "downgrade" nowadays it also means you can upgrade, or re-restore if you are already on that firmware version. Basically, this allows restoring to a firmware version regardless of which firmware version is currently installed.


1) Prometheus (64-bit device) - generator method

Requirements

  • A jailbreak
  • Signing ticket files (.shsh, .shsh2, .plist) with a generator
  • The nonceEnabler patch enabled

Info

You can downgrade if the destination firmware version is compatible with the latest signed SEP and baseband, and you have signing ticket files with a generator for that firmware version.

How to use

  1. The device must be jailbroken and the nonceEnabler patch must be active.
  2. Open the signing ticket file and look up the generator.
     • It looks like this: <key>generator</key><string>0xde3318d224cf14a1</string>
  3. Write the generator to the device's NVRAM.
     • Connect to the device with SSH and run nvram com.apple.System.boot-nonce=0xde3318d224cf14a1 to set the generator 0xde3318d224cf14a1
     • Verify it with nvram -p
  4. Connect your device to the computer in normal mode.
  5. On the computer run futurerestore -t ticket.shsh --latest-baseband --latest-sep ios.ipsw
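The generator method only works if the generator in your blob really produces the ApNonce the device will boot with, and if the value you wrote to NVRAM is exactly the one in the blob. The script below is an added example for this page, not code from futurerestore or tsschecker: it reads the generator out of a saved ticket, derives the ApNonce it should yield, prints the nvram command from step 3 and checks nvram -p output against the blob. It assumes the ticket is an XML plist storing the generator under a top-level "generator" string (the sample blob is constructed inline), that nvram -p prints one name/value pair per line separated by a tab, and the commonly documented derivation (SHA-384 of the 8-byte little-endian generator, truncated to 32 bytes, on A7-A11 64-bit devices; SHA-1 on 32-bit devices). Confirm the derived nonce against the ApNonce your ticket was actually issued for before relying on it; A12 and later derive nonces differently, so this check does not apply to them.

```python
"""Generator sanity checks for the Prometheus generator method.

Added example for this page, not code from futurerestore or tsschecker.
Assumptions (not taken from the page):
  * the .shsh2 blob is an XML plist with a top-level "generator" string
    such as "0xde3318d224cf14a1";
  * ApNonce = SHA-384(generator as 8 little-endian bytes)[:32] on A7-A11
    64-bit devices and SHA-1(same bytes) on 32-bit devices; A12 and later
    derive nonces differently and are out of scope here;
  * `nvram -p` prints one "name<TAB>value" pair per line.
"""
import hashlib
import plistlib
import re
from typing import Optional

GENERATOR_RE = re.compile(r"^0x[0-9a-fA-F]{16}$")
NVRAM_KEY = "com.apple.System.boot-nonce"

# Constructed sample blob holding only the key this example needs.
SAMPLE_SHSH2 = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>generator</key>
    <string>0xde3318d224cf14a1</string>
</dict>
</plist>
"""


def read_generator(blob: bytes) -> str:
    """Return the generator from a blob, or raise if it is missing or not 64-bit."""
    data = plistlib.loads(blob)
    gen = data.get("generator")
    if not isinstance(gen, str) or not GENERATOR_RE.match(gen):
        raise ValueError("blob carries no usable generator; the generator method needs one")
    return gen.lower()


def generator_bytes(gen: str) -> bytes:
    """Encode the generator as the 8 little-endian bytes iBoot hashes (assumption)."""
    return int(gen, 16).to_bytes(8, "little")


def apnonce_from_generator(gen: str, is64bit: bool = True) -> str:
    """Derive the ApNonce (hex) the device should boot with for this generator."""
    raw = generator_bytes(gen)
    if is64bit:
        return hashlib.sha384(raw).digest()[:32].hex()   # 32-byte nonce
    return hashlib.sha1(raw).hexdigest()                 # 20-byte nonce


def nvram_command(gen: str) -> str:
    """Command to run over SSH on the jailbroken device (step 3 above)."""
    return f"nvram {NVRAM_KEY}={gen}"


def nvram_generator(nvram_p_output: str) -> Optional[str]:
    """Pull the boot-nonce value out of `nvram -p` output, if present."""
    for line in nvram_p_output.splitlines():
        key, _, value = line.partition("\t")
        if key.strip() == NVRAM_KEY:
            return value.strip().lower()
    return None


def nvram_matches(nvram_p_output: str, gen: str) -> bool:
    """True when `nvram -p` shows exactly the generator taken from the blob."""
    return nvram_generator(nvram_p_output) == gen.lower()


if __name__ == "__main__":
    gen = read_generator(SAMPLE_SHSH2)
    print(nvram_command(gen))
    print("expected ApNonce on A7-A11:", apnonce_from_generator(gen))
    print("expected ApNonce on 32-bit:", apnonce_from_generator(gen, is64bit=False))
```

Run it against your own blob by replacing SAMPLE_SHSH2 with the file contents; if read_generator raises, the blob was saved without a generator and only the collision methods below can use it.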

Youtube

Prometheus

Prometheus nonceEnabler

Recommended methods to activate nonceEnabler patch

Method 1: ios-kern-utils (iOS 7.x-10.x)

  1. Install the ios-kern-utils DEB file on the device;
  2. Run nvpatch com.apple.System.boot-nonce on the device.

Method 2: Using special applications

Use utilities for setting boot-nonce generator:

  1. PhœnixNonce for iOS 9.x;
  2. v0rtexnonce for iOS 10.x;
  3. Nonceset1112 for iOS 11.0-11.1.2;
  4. noncereboot1131UI for iOS 11.0-11.4b3;
  5. NonceReboot12xx for iOS 12.0-12.1.2;
  6. GeneratorAutoSetter for checkra1n jailbreak on iOS / iPadOS 13.x. Install it from Cydia's developer repo (https://halo-michael.github.io/repo/) on device.

Method 3: Using jailbreak tools

Use jailbreak tools for setting boot-nonce generator:

  1. Meridian for iOS 10.x;
  2. backr00m or greeng0blin for tvOS 10.2-11.1;
  3. Electra and ElectraTV for iOS and tvOS 11.x;
  4. unc0ver for iOS 11.0-12.2, 12.4.x;
  5. Chimera and ChimeraTV for iOS 12.0-12.2, 12.4 and tvOS 12.0-12.2, 12.4.

Activate tfp0 if the jailbreak doesn't provide it

Method 1 (if jailbroken on iOS 9.2-9.3.x)

Method 2 (if jailbroken on iOS 8.0-8.1 with Pangu8)

Method 3 (if jailbroken on iOS 7.x with Pangu7)

Method 4


2) Prometheus (64-bit device) - ApNonce collision method (Recovery mode)

Requirements

  • Device with an A7 chip on iOS 9.1 - 10.2 or iOS 10.3 beta 1;
  • Jailbreak is not required;
  • Signing ticket files (.shsh, .shsh2, .plist) with a custom-chosen ApNonce;
  • The signing ticket files need to carry one of the ApNonces the device generates frequently;

Info

You can downgrade if the destination firmware version is compatible with the latest signed SEP and baseband. You also need to have special signing ticket files. If you don't know what this means, you probably can NOT use this method!

How to use

  1. Connect your device in normal or recovery mode;
  2. On the computer run futurerestore -w -t ticket.shsh --latest-baseband --latest-sep firmware.ipsw
  • If you have saved multiple signing tickets with different nonces you can specify more than one to speed up the process: futurerestore -w -t t1.shsh -t t2.shsh -t t3.shsh -t t4.shsh --latest-baseband --latest-sep firmware.ipsw

3) Prometheus (64-bit device) - ApNonce collision method (DFU mode)

Requirements

  • Devices with A7 (iPhone 5s, iPad Air, iPad mini 2), A8 (iPhone 6 [+], iPad mini [2,3,4], iPod touch [6th generation]) and A8X (iPad Air 2) chips on all firmwares;
  • Devices released after ~September 2015 {PROBABLY};
  • Jailbreak is not required;
  • Signing ticket files (.shsh, .shsh2, .plist) with a custom-chosen ApNonce;
  • The signing ticket files need to carry one of the ApNonces the device generates frequently;
  • img4tool can't be used on Windows [problem with signing iBSS/iBEC]; this is a TO-DO;

Info

You can downgrade if the destination firmware version is compatible with the latest signed SEP and baseband. You also need to have special signing ticket files. If you don't know what this means, you probably can NOT use this method!

How to use

  1. Connect your device in DFU mode.

  2. Use irecovery to check the ApNonce the device booted with in DFU.

  3. Extract iBSS and iBEC (unsigned) from the target firmware for the downgrade.

  4. Compare the DFU ApNonce reported by irecovery with the ApNonces in your tickets. DFU ApNonce collisions cannot be automated.

    If the ApNonce does not match one of your tickets, re-enter DFU by hand and check again.

    Once the ApNonce matches, use that SHSH2 to sign iBSS/iBEC.

  5. Sign iBSS with img4tool: img4tool -s ticket.shsh -c iBSS.signed -p <original_iBSS>

  6. Sign iBEC with img4tool: img4tool -s ticket.shsh -c iBEC.signed -p <original_iBEC>

  7. After signing, boot into Recovery with irecovery.

    irecovery -f iBSS.signed (loads iBSS)

    irecovery -f iBEC.signed (loads iBEC)

  8. On the computer run futurerestore -t ticket.shsh --latest-baseband --latest-sep -w firmware.ipsw
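Both collision methods (the Recovery-mode method in section 2 and the DFU-mode method in section 3) come down to the same two questions: which ApNonces does this device boot with often enough to be worth saving tickets for, and which of the saved tickets matches the nonce it just booted with. The script below is an added example for this page, not code from futurerestore, noncestatistics or irecovery. It assumes the nonce samples are "NONC: <hex>" lines as irecovery -q prints them, collected once per reboot into a log (the sample log is constructed inline), and that each saved .shsh2 ticket is a plist carrying the ApNonce it was requested for under a top-level "ApNonce" data key; adjust ticket_nonce if your blobs store it elsewhere.

```python
"""ApNonce collision helpers for the Recovery and DFU collision methods.

Added example for this page, not code from futurerestore, noncestatistics or
irecovery.  Assumptions (not taken from the page):
  * nonce samples are "NONC: <hex>" lines as `irecovery -q` prints them,
    one query per reboot, collected into a log;
  * each saved .shsh2 ticket is a plist carrying the ApNonce it was
    requested for under a top-level "ApNonce" <data> key.
"""
from collections import Counter
import plistlib
import re
from typing import Dict, List, Optional, Tuple

NONC_RE = re.compile(r"^NONC:\s*([0-9a-fA-F]+)\s*$")
NONCE_HEX_LENGTHS = {40, 64}   # 20-byte (32-bit devices) or 32-byte (64-bit) ApNonce

# Constructed data: nine reboots of an A7 device where two nonces dominate.
NONCE_A = "1a" * 32
NONCE_B = "2b" * 32
NONCE_C = "3c" * 32
SAMPLE_IRECOVERY_LOG = "\n".join(
    ["CPID: 0x8960", "NONC: " + NONCE_A, "SNON: " + "00" * 20]
    + ["NONC: " + n for n in (NONCE_A, NONCE_B, NONCE_A, NONCE_C, NONCE_B, NONCE_A, NONCE_A, NONCE_B)]
    + ["NONC: not-a-nonce"]    # malformed line, must be ignored
)


def make_ticket(nonce_hex: str) -> bytes:
    """Constructed stand-in for a saved ticket (real ones also hold ApImg4Ticket)."""
    return plistlib.dumps({"ApNonce": bytes.fromhex(nonce_hex)})


SAMPLE_TICKETS: Dict[str, bytes] = {
    "t1.shsh2": make_ticket(NONCE_A),
    "t2.shsh2": make_ticket(NONCE_B),
    "t3.shsh2": make_ticket("ee" * 32),   # never observed on this device
}


def parse_nonces(log: str) -> List[str]:
    """Extract well-formed ApNonces (lower-case hex) from irecovery output."""
    out = []
    for line in log.splitlines():
        m = NONC_RE.match(line.strip())
        if m and len(m.group(1)) in NONCE_HEX_LENGTHS:
            out.append(m.group(1).lower())
    return out


def nonce_histogram(nonces: List[str]) -> Counter:
    """How often each nonce was seen; the tall bars are the collision candidates."""
    return Counter(nonces)


def most_common_nonces(log: str, n: int = 3) -> List[Tuple[str, int]]:
    """Nonces to request tickets for: the ones this device boots with most often."""
    return nonce_histogram(parse_nonces(log)).most_common(n)


def ticket_nonce(blob: bytes) -> Optional[str]:
    """ApNonce a saved ticket was requested for, as lower-case hex."""
    nonce = plistlib.loads(blob).get("ApNonce")
    if isinstance(nonce, bytes):
        return nonce.hex()
    if isinstance(nonce, str):
        return nonce.lower()
    return None


def tickets_for_nonce(tickets: Dict[str, bytes], observed: str) -> List[str]:
    """Tickets usable for the nonce the device just booted with (DFU step 4)."""
    observed = observed.lower()
    return [name for name, blob in tickets.items() if ticket_nonce(blob) == observed]


def build_command(ticket_names: List[str], ipsw: str) -> str:
    """futurerestore -w invocation passing every candidate ticket via -t (Recovery method)."""
    flags = " ".join(f"-t {name}" for name in ticket_names)
    return f"futurerestore -w {flags} --latest-baseband --latest-sep {ipsw}"


if __name__ == "__main__":
    for nonce, count in most_common_nonces(SAMPLE_IRECOVERY_LOG):
        print(f"{count:2d}x {nonce}  tickets: {tickets_for_nonce(SAMPLE_TICKETS, nonce)}")
    print(build_command(sorted(SAMPLE_TICKETS), "firmware.ipsw"))
```

For the DFU method, run irecovery -q after each manual DFU entry and feed the NONC line to tickets_for_nonce; an empty list means re-enter DFU and try again, a non-empty one names the ticket to hand to img4tool.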


4) Odysseus (32-bit / 64-bit devices)

Requirements

  • futurerestore compiled with libipatcher;
  • Jailbreak or bootrom exploit (limera1n, checkm8);
  • 32-bit: firmware keys for the device/destination firmware version must be public (check ipsw.me);
  • 64-bit: devices with A12 and A13 chips are NOT compatible with this method;
  • Signing ticket files (.shsh, .shsh2, .plist) for the destination firmware (OTA blobs work too!).

Info

If you have a jailbroken device, you can downgrade to any firmware version you have blobs for. You can still get OTA blobs for iOS 6.1.3, 8.4.1 or 10.3.3 for some devices and use those.

How to use

  1. Get the device into kDFU/pwnDFU mode
  • Pre-iPhone 4s (limera1n devices):
    • Enter pwnDFU mode with redsn0w or any other tool
  • iPhone 4s and later 32-bit devices:
    • Enter kDFU mode with the kDFU app (Cydia: repo.tihmstar.net) or by loading a pwnediBSS from any existing Odysseus bundle
  • Any 64-bit device:
    • Enter pwnDFU mode and patch the signature check with the special fork of ipwndfu
  2. Connect your device to the computer in kDFU mode (or pwnDFU mode)
  3. On the computer run futurerestore --use-pwndfu -t ticket.shsh --latest-baseband firmware.ipsw

Youtube

Odysseus futurerestore + libipatcher

Odysseus kDFU app

Odysseus Enter kDFU mode (watch up to the point where the screen goes black)

You can use any odysseus bundle for this.

5) iOS 9.x re-restore bug by @alitek123 (only for 32-bit devices)

Requirements

  • Jailbreak is not required;
  • Signing ticket files (.shsh, .shsh2, .plist) for iOS 9.x without an ApNonce (noNonce APTickets)

Info

If you have signing ticket files for iOS 9.x that do not contain an ApNonce, you can restore to that firmware.

How to use

  1. Connect your device in DFU mode
  2. On the computer run futurerestore -t ticket.shsh --latest-baseband ios9.ipsw

More Repositories

  1. tsschecker (C++, 718 stars): a powerful tool to check TSS signing status of various devices and firmwares
  2. doubleH3lix (Objective-C, 225 stars): Jailbreak for iOS 10.x 64bit devices without KTRR
  3. img4tool (C++, 206 stars): A tool for manipulating IMG4, IM4M and IM4P files
  4. jelbrekTime (Objective-C, 201 stars): A developer jailbreak for Apple Watch S3 watchOS 4.1
  5. usbmuxd2 (C++, 189 stars): A socket daemon written in C++ to multiplex connections from and to iOS devices over USB and WIFI
  6. jbinit (C, 168 stars): iOS booter ramdisk creator for checkm8 based jailbreaks
  7. ra1nsn0w (C++, 162 stars): A tethered booter for 64bit iOS devices vulnerable to checkm8
  8. libtakeover (C++, 98 stars): call functions in a remote process using Mach API
  9. iBoot64Patcher (C++, 90 stars): A reboot of the popular iBoot32Patcher but with twice the amount of bits
  10. partialZipBrowser (C++, 81 stars): a tool for browsing and downloading files from zip files on a remote webserver
  11. libpatchfinder (C++, 77 stars): A 64bit offsetfinder. It finds offsets, patches, parses Mach-O and even supports IMG4
  12. v1ntex (Objective-C, 68 stars): get tfp0 on iOS 11.2 - 11.4.1
  13. desc_race-fun_public (C, 67 stars)
  14. v3ntex (Objective-C, 64 stars): get tfp0 on iOS 12.0 - 12.1.2
  15. libfragmentzip (C, 53 stars): A library allowing to download single files from a remote zip archive
  16. treadm1ll (C, 50 stars): You don't need to be as fast as lightspeed, but a run on a treadm1ll surely doesn't hurt.
  17. noncestatistics (C, 50 stars): a simple tool to get a bunch of ApNonces from iOS devices
  18. igetnonce (C, 37 stars)
  19. uido_public (C, 33 stars)
  20. libgeneral (C++, 28 stars): general stuff for projects
  21. otachecker (Objective-C, 25 stars): quick and dirty tool to check what OTA blobs are being signed by Apple
  22. libipatcher (C++, 23 stars): a convenient wrapper for iBoot32Patcher/iBoot64Patcher
  23. gido_public (C++, 23 stars)
  24. stool (C, 21 stars): A tool for parsing/analyzing/extracting Nintendo Switch binaries
  25. fwkeydb (20 stars)
  26. kDFUApp (C, 18 stars)
  27. kdp.py (Python, 16 stars): crappy "debugger"-like memory reader, to inspect a 32bit iOS kernel after it panicked
  28. cydia-repo.tihmstar.org (Shell, 14 stars)
  29. exVasi0n (C, 12 stars): proof of concept using the evasi0n security issue
  30. Breakout (C, 12 stars): Breakout is a free, completely open-source iOS 7 jailbreak.
  31. jssy (C, 11 stars): Tiny JSON parser written in C
  32. libgrabkernel (Makefile, 11 stars): just a kernelgrabber, for those who can't reach out of the sandbox
  33. vacuumstreamer (C, 10 stars)
  34. prelecta1212 (Objective-C, 10 stars): get ready for 1212 jb hax
  35. homepodstuff (Shell, 10 stars)
  36. libinsn (C++, 9 stars)
  37. uido2hashcat (C++, 8 stars)
  38. deadPengu1n (Objective-C, 8 stars): deadPengu1n - Pangu untether bug
  39. webkitcacher (C++, 7 stars): Cache a directory with web files (html/js...) to an ApplicationCache.db file
  40. micSpy (Objective-C++, 7 stars)
  41. ps4-linux-git (Shell, 6 stars)
  42. Fuzzyparrot (PHP, 6 stars): A semi-automated remote fuzzing tool for mov files on iOS devices
  43. kfd_JBKit (C++, 6 stars)
  44. dyld-print-to-file-exploit (C, 5 stars): exploits DYLD_PRINT_TO_FILE, modifies sudoers, cleans up and spawns a root shell
  45. simpleShellEmu (C, 4 stars): simple shell emulator, which runs on Linux
  46. fwkeydb_tools (Python, 4 stars)
  47. JBKit (C, 4 stars)
  48. headsUpDisplay (Logos, 3 stars)
  49. libdcsdled (C++, 3 stars): A wrapper library for controlling LEDs on a DCSD cable
  50. mkinitcpio-ps4 (Shell, 3 stars)
  51. rootpipe2_exploit (Objective-C, 2 stars): rootpipe exploited again on 10.10.3
  52. developerexcuses-App (Objective-C, 2 stars): Little app which grabs the funny jokes from http://www.developerexcuses.com/
  53. rb3converter (C++, 2 stars)
  54. slides (1 star)
  55. freePW_tc7200Eploit (Objective-C, 1 star): Technicolor TC7200 - Credentials Disclosure CVE: CVE-2014-1677
  56. img2tool (C++, 1 star): A tool for manipulating IMG2 files
  57. GamecubeControllerAnalyzer (C++, 1 star)
  58. img1tool (C++, 1 star): A tool for manipulating IMG1 (8900) files