Difference between revisions of "Prometheus"

From The iPhone Wiki
(Waiting for device...)
m (Various changes for spelling/grammar/formatting/etc.)
Revision as of 04:46, 3 January 2017

Prometheus is a method that can be used to upgrade/downgrade previously signed iOS versions on 64-bit devices.

Requirements

  • Jailbroken 64-bit device (except the iPhone 5s and iPad Air, which generate the same nonce multiple times and can use the collision method instead)
  • SHSH2 saved with tsschecker

FAQ

This FAQ guide was originally written by tihmstar.

What versions of iOS does it support?

Prometheus is not really limited to any specific version of iOS. Prometheus itself is the idea of restoring a firmware by replaying saved tickets while upgrading the SEP and baseband. futurerestore allows you to select a version of iOS and an APTicket to use during the restore, as well as a baseband and SEP (which get a fresh ticket and are restored alongside). Right now, it only makes sense to restore to 10.x, as the SEP in iOS 10 does not work with iOS 9 (and probably lower). You need to be careful though: if a new version of iOS from Apple (say, 10.3) ships a new SEP that no longer works with 10.1.1, and Apple stops signing iOS 10.2, then you can't really restore to 10.1.1 either.

Do I need to be currently jailbroken?

If you're jailbroken (with tfp0), you can use the generator method. This allows you to put a generator in NVRAM to force generate a specific APNonce. This makes it really convenient to make the device generate the same APNonce which is also inside your APTicket (in case you know the generator for that nonce).
I personally ran noncestatistics to figure out what nonce is generated the most on my iPhone 5s (this only works with devices that have collisions). Then I requested a ticket for 10.1.1 with that specific nonce while it was signed, and now I can use the reboot-until-nonce-matches method for restoring my iPhone 5s.

Which jailbreaks support tfp0?

As far as I know, iOS 7 and iOS 8 have tfp0. iOS 9.1 by Pangu has host_get_special_port and qwerty's jbme has host_get_special_port. iOS 10.x has tfp0.

What devices are supported?

In theory, all 64-bit devices should be supported. Right now iPhone 7 and iPhone 7 Plus are not supported, but that is something which could probably be fixed with an update. Also there are some bugs in futurerestore, but once everything is ruled out, all 64-bit devices should be supported. Right now, I have no plans to test 32-bit, but I think that the method could work with 32-bit. If someone wants to adjust futurerestore for 32-bit devices, go ahead; the source code is on GitHub.

I saved SHSH2 with the nonces that had collisions on iOS 9 for iPhone 5s/iPad Air, but none are found when on iOS 10. What do I do?

iOS 10 has different colliding nonces to iOS 9. If the nonces you saved SHSH2 for cannot be found once you are on iOS 10 and you require the collision method, then you are out of luck and can't use Prometheus.
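The two ways of getting the device's APNonce to line up with a saved ticket (the generator method above, and the collision method for iPhone 5s/iPad Air) come down to one check: does the nonce the device will boot with equal the nonce inside a saved SHSH2? The following is an added illustration, not code from the wiki or from tihmstar's tools; the helper names and the sample nonces are constructed, and the generator-to-APNonce hash rule (SHA-1 of the 8-byte little-endian generator for A7-A9, SHA-384 truncated to 32 bytes for A10 and newer) is taken from the public futurerestore/tsschecker documentation rather than from this page.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Tuple

# Hypothetical helpers (not part of futurerestore/tsschecker/noncestatistics).
# Hash rule is assumed from the public futurerestore/tsschecker docs.


def apnonce_from_generator(generator: int, a10_or_newer: bool) -> str:
    """APNonce a device will produce for a boot-nonce generator in NVRAM.

    The 64-bit generator is hashed as 8 little-endian bytes: SHA-1 on A7-A9
    (20-byte nonce), SHA-384 cut to 32 bytes on A10 and newer.
    """
    raw = generator.to_bytes(8, "little")
    if a10_or_newer:
        return hashlib.sha384(raw).digest()[:32].hex()
    return hashlib.sha1(raw).hexdigest()


def most_frequent_nonce(observed: List[str]) -> Tuple[str, int]:
    """Collision method: the nonce seen most often across reboots is the one
    worth requesting a ticket for (what noncestatistics measures on a 5s)."""
    nonce, count = Counter(n.lower() for n in observed).most_common(1)[0]
    return nonce, count


def usable_tickets(saved: Dict[str, str], target_nonce: str) -> List[str]:
    """Names of saved SHSH2 blobs whose APNonce equals the nonce the device
    will boot with; only these can be replayed in a futurerestore restore."""
    want = target_nonce.lower()
    return [name for name, nonce in saved.items() if nonce.lower() == want]


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: one generator-based ticket, one collision-based."""
    gen = 0x1111111111111111  # generator written to NVRAM on a jailbroken A9
    gen_nonce = apnonce_from_generator(gen, a10_or_newer=False)
    # Constructed reboot observations for a 5s: "aa..." collides most often.
    observed = ["aa" * 20, "bb" * 20, "aa" * 20, "cc" * 20, "aa" * 20]
    collide, _ = most_frequent_nonce(observed)
    saved = {
        "10.1.1-generator.shsh2": gen_nonce,  # saved with the known generator
        "10.1.1-collision.shsh2": "aa" * 20,  # saved for the colliding nonce
        "10.2-random.shsh2": "dd" * 20,       # random nonce: never replayable
    }
    return usable_tickets(saved, gen_nonce), usable_tickets(saved, collide)


if __name__ == "__main__":
    print(demo())
```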

My device is stuck on "Waiting for device...". What can I do?

This happens if you have saved SHSH2 but it has the wrong boardconfig. To check the boardconfig, or for more information on this, see this post.

External links

  • tutorial (https://www.youtube.com/watch?v=BIMx2Y13Ukc)
  • tihmstar's talk (https://media.ccc.de/v/33c3-7888-downgrading_ios_from_past_to_present#video&t=68)
  • GitHub repositories:
    • futurerestore (https://github.com/tihmstar/futurerestore)
    • noncestatistics (https://github.com/tihmstar/noncestatistics)
    • tsschecker (https://github.com/tihmstar/tsschecker)