A new tutorial for downgrading from iOS 15 to 14 (I am doing it on an iPhone 8) through checkm8 tethered downgrades has released. https://www.reddit.com/r/jailbreak/comments/vqcqol/tutorial_how_to_tethered_downgrade_from_ios_15_to/?utm_source=share&utm_medium=ios_app&utm_name=iossmf
I have followed it successfully up until the restoring part. On both my devices (latest Monterey and other is on 10.13) I have the same setup (debug future restore, all the forks listed in PATH) and I have a different error on both but I get farther on macOS 12 so I will share that log, if you want the other log I can provide it.
My command is:
futurerestore -t /Users/bogo/Desktop/2380048545021998_iPhone10\,4_d201ap_15.5-19F77_27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae.shsh2 --use-pwndfu --skip-blob --rdsk /Users/bogo/downgrade/ramdisk.im4p --rkrn /Users/bogo/downgrade/krnl.im4p --latest-sep --latest-baseband /Users/bogo/downgrade/iPhone_4.7_P3_14.3_18C66_Restore.ipsw
Log:
Version: v2.0.0-test(3bfba66-281)
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f-DEBUG
libipatcher version: 0.88-1e855d70c84419014e363bdbcaead7b145fe3e1f-DEBUG
Odysseus for 32-bit support: yes
Odysseus for 64-bit support: yes
[INFO] 64-bit device detected
futurerestore init done
reading signing ticket /Users/bogo/Desktop/2380048545021998_iPhone10,4_d201ap_15.5-19F77_27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae.shsh2 is done
user specified to use latest signed SEP
[TSSC] opening firmwares.json
[DOWN] downloading file https://api.ipsw.me/v2.1/firmwares.json/condensed
[TSSC] opening /tmp/betas_iPhone10,4.json
[DOWN] downloading file https://api.m1sta.xyz/betas/iPhone10,4
[TSSC] selecting latest firmware version: 15.5
[TSSC] got firmwareurl for iOS 15.5 build 19F77
[TSSC] opening Buildmanifest for iPhone10,4_15.5
[DOWN] downloading file https://updates.cdn-apple.com/2022SpringFCS/fullrestores/012-07905/09AAD219-D436-40F0-B49B-E7C009FF5668/BuildManifest.plist
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
downloading SEP
[TSSC] opening /tmp/futurerestore/sepManifest.plist
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
[TSSR] User specified to not request a baseband ticket.
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
user specified to use latest signed baseband
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
downloading Baseband
ERROR: Unable to connect to device?!
[Error] Unable to find required BbGoldCertId in parameters
[WARNING] using tsschecker's fallback to get BasebandGoldCertID. This might result in invalid baseband signing status information
[TSSC] opening /tmp/futurerestore/basebandManifest.plist
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
[TSSR] User specified to request only a Baseband ticket.
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Downloading the latest firmware components...
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
downloading SE firmware
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
Finished downloading the latest firmware components!
Found device in DFU mode
requesting to get into pwnRecovery later
Found device in DFU mode
Identified device as d201ap, iPhone10,4
Extracting BuildManifest from iPSW
Product version: 14.3
Product build: 18C66 Major: 18
Device supports Image4: true
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
checking if the APTicket is valid for this restore...
Verified ECID in APTicket matches the device's ECID
checking if the APTicket is valid for this restore...
Verified ECID in APTicket matches the device's ECID
[IMG4TOOL] checking buildidentity 0:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 1:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 2:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking buildidentity has all required hashes:
[IMG4TOOL] checking hash for "AOP" OK (untrusted)
[IMG4TOOL] checking hash for "Ap,SystemVolumeCanonicalMetadata"BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AppleLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AudioCodecFirmware" OK (untrusted)
[IMG4TOOL] checking hash for "BasebandFirmware" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "BatteryCharging0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryFull" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryPlugin" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "DeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ISP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "KernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "LLB" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Liquid" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Multitouch" OK (untrusted)
[IMG4TOOL] checking hash for "OS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RecoveryMode" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreDeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreKernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreRamDisk" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreSEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SE,UpdatePayload" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "StaticTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SystemVolume" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "ftsp" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "iBEC" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBoot" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "rfta" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "rfts" IGN (no digest in BuildManifest)
failed verification with error:
[exception]:
what=verification failed!
code=84279308
line=1286
file=img4tool.cpp
commit count=197:
commit sha =aca6cf005c94caf135023263cbb5c61a0081804f:
[IMG4TOOL] checking buildidentity 3:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 4:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 5:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 6:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking buildidentity has all required hashes:
[IMG4TOOL] checking hash for "AOP" OK (untrusted)
[IMG4TOOL] checking hash for "Ap,SystemVolumeCanonicalMetadata"BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AppleLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AudioCodecFirmware" OK (untrusted)
[IMG4TOOL] checking hash for "BasebandFirmware" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "BatteryCharging0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryFull" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryPlugin" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "DeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ISP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "KernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "LLB" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Liquid" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Multitouch" OK (untrusted)
[IMG4TOOL] checking hash for "OS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RecoveryMode" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreDeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreKernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreRamDisk" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreSEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SE,UpdatePayload" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "StaticTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SystemVolume" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "ftsp" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "iBEC" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBoot" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "rfta" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "rfts" IGN (no digest in BuildManifest)
failed verification with error:
[exception]:
what=verification failed!
code=84279308
line=1286
file=img4tool.cpp
commit count=197:
commit sha =aca6cf005c94caf135023263cbb5c61a0081804f:
[IMG4TOOL] checking buildidentity 7:
[IMG4TOOL] checking buildidentity matches board ... NO
[WARNING] NOT VALIDATING SHSH BLOBS IM4M!
[Error] BuildIdentity selected for restore does not match APTicket
BuildIdentity selected for restore:
BuildNumber : 18C66
BuildTrain : AzulC
DeviceClass : d201ap
FDRSupport : YES
MobileDeviceMinVersion : 1253
RestoreBehavior : Erase
Variant : Customer Erase Install (IPSW)
BuildIdentity is valid for the APTicket:
IM4M is not valid for any restore within the Buildmanifest
This APTicket can't be used for restoring this firmware
[WARNING] NOT VALIDATING SHSH BLOBS!
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
Device found in DFU Mode.
Getting firmware keys for: d201ap
Patching iBSS
Extracting iBSS.d20.RELEASE.im4p (Firmware/dfu/iBSS.d20.RELEASE.im4p)...
payload decrypted
Compression detected, uncompressing (bvx2): ok
iBoot64Patch: Staring iBoot64Patch!
[DEBUG] iBoot-6723 inputted
iOS 14 iBoot detected!
[DEBUG] iBoot base at=0x00000001800d0d98
[DEBUG] iBoot-6723 inputted
[DEBUG] platform_name_str_loc: 0x180147d07
[DEBUG] platform_name_str_xref: 0x1800e91b8
[DEBUG] iBoot chipid = 8015
[DEBUG] iBoot base at=0x000000018001c000
iBoot64Patch: Inited ibootpatchfinder64!
[DEBUG] img4decodemanifestexists=0x18008342c
[DEBUG] img4decodemanifestexistsref=0x180032bec
[DEBUG] img4interposercallbackptr=0x1800969b8
[DEBUG] img4interposercallback=0x180031d9c
[DEBUG] img4interposercallbackret=0x180032580
[DEBUG] img4interposercallbackmov=0x180032568
[DEBUG] img4interposercallbackret2=0x1800325b8
iBoot64Patch: Added sigpatches!
[DEBUG] check stage
[DEBUG] stage not iBootStage1, continuing patch
[DEBUG] debug_uarts_str=0x180090bd3
[DEBUG] debug_uarts_ref=0x180095998
[DEBUG] chipid != a8x/a9
[DEBUG] setenv_whitelist=0x180095988
[DEBUG] blacklist1_func=0x18001f924
[DEBUG] blacklist1_func_top=0x18001f908
[DEBUG] env_whitelist=0x1800959b8
[DEBUG] blacklist2_func=0x18001f970
[DEBUG] blacklist2_func_top=0x18001f958
[DEBUG] com_apple_system=0x180094ceb
[DEBUG] com_apple_system_xref=0x180069f4c
[DEBUG] func3top=0x180069f44
iBoot64Patch: Added unlock nvram patch!
[DEBUG] check stage
[DEBUG] stage not iBootStage1, continuing patch
[DEBUG] noncevar_str=0x180090c32
[DEBUG] noncevar_ref=0x18006fe40
[DEBUG] noncefun1=0x18006fe28
[DEBUG] noncefun1_blref=0x180053f1c
[DEBUG] noncefun2=0x180053ef4
[DEBUG] noncefun2_blref=0x180038864
[DEBUG] branchloc=0x18003885c
iBoot64Patch: Added freshnonce patch!
iBoot64Patch: has_kernel_load is false!
iBoot64Patch: Applying patch=0x180032568 : 000080d2
iBoot64Patch: Applying patch=0x1800325b4 : 000080d2
iBoot64Patch: Applying patch=0x18001f908 : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x18001f958 : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x180069f44 : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x18003885c : 1f2003d5
iBoot64Patch: Patches applied!
[WARNING] BUG WORKAROUND recompressing images with bvx2 makes them not boot for some reason. Skipping compression
Patching iBEC
Extracting iBEC.d20.RELEASE.im4p (Firmware/dfu/iBEC.d20.RELEASE.im4p)...
payload decrypted
Compression detected, uncompressing (bvx2): ok
iBoot64Patch: Staring iBoot64Patch!
[DEBUG] iBoot-6723 inputted
iOS 14 iBoot detected!
[DEBUG] iBoot base at=0x00000001800d0d98
[DEBUG] iBoot-6723 inputted
[DEBUG] platform_name_str_loc: 0x180147d07
[DEBUG] platform_name_str_xref: 0x1800e91b8
[DEBUG] iBoot chipid = 8015
[DEBUG] iBoot base at=0x000000018001c000
iBoot64Patch: Inited ibootpatchfinder64!
[DEBUG] img4decodemanifestexists=0x18008342c
[DEBUG] img4decodemanifestexistsref=0x180032bec
[DEBUG] img4interposercallbackptr=0x1800969b8
[DEBUG] img4interposercallback=0x180031d9c
[DEBUG] img4interposercallbackret=0x180032580
[DEBUG] img4interposercallbackmov=0x180032568
[DEBUG] img4interposercallbackret2=0x1800325b8
iBoot64Patch: Added sigpatches!
[DEBUG] check stage
[DEBUG] stage not iBootStage1, continuing patch
[DEBUG] debug_uarts_str=0x180090bd3
[DEBUG] debug_uarts_ref=0x180095998
[DEBUG] chipid != a8x/a9
[DEBUG] setenv_whitelist=0x180095988
[DEBUG] blacklist1_func=0x18001f924
[DEBUG] blacklist1_func_top=0x18001f908
[DEBUG] env_whitelist=0x1800959b8
[DEBUG] blacklist2_func=0x18001f970
[DEBUG] blacklist2_func_top=0x18001f958
[DEBUG] com_apple_system=0x180094ceb
[DEBUG] com_apple_system_xref=0x180069f4c
[DEBUG] func3top=0x180069f44
iBoot64Patch: Added unlock nvram patch!
[DEBUG] check stage
[DEBUG] stage not iBootStage1, continuing patch
[DEBUG] noncevar_str=0x180090c32
[DEBUG] noncevar_ref=0x18006fe40
[DEBUG] noncefun1=0x18006fe28
[DEBUG] noncefun1_blref=0x180053f1c
[DEBUG] noncefun2=0x180053ef4
[DEBUG] noncefun2_blref=0x180038864
[DEBUG] branchloc=0x18003885c
iBoot64Patch: Added freshnonce patch!
iBoot64Patch: has_kernel_load is true!
[DEBUG] debug_enabled=0x180092c9e
[DEBUG] xref=0x180033eec
iBoot64Patch: Added debugenabled patch!
[DEBUG] DEFAULT_BOOTARGS_STR not found, trying fallback to DEFAULT_BOOTARGS_STR_13
[DEBUG] default_boot_args_str_loc=0x1800931fb
[DEBUG] default_boot_args_xref=0x18003539c
[DEBUG] Relocating boot-args string...
[DEBUG] bootarg_loc1=0x1800a5aa8
[DEBUG] bootarg_loc=0x1800a5ab9
[DEBUG] Pointing default boot-args xref to 0x1800a5ab8...
[DEBUG] Applying custom boot-args "rd=md0 nand-enable-reformat=0x1 -v -restore debug=0x2014e keepsyms=0x1 amfi=0xff amfi_allow_any_signature=0x1 amfi_get_out_of_my_way=0x1 cs_enforcement_disable=0x1"
[DEBUG] xrefRD=9
[DEBUG] csel=0x1800353a8
[DEBUG] cselrd=19
[DEBUG] (0x1800353a8)patching: "mov x19, x9"
[DEBUG] branch loc=0x18003538c
[DEBUG] branch dst=0x180035498
[DEBUG] (0x180035498)patching: "adr x19, 0x1800a5ab8"
iBoot64Patch: Added bootarg patch!
iBoot64Patch: Applying patch=0x180032568 : 000080d2
iBoot64Patch: Applying patch=0x1800325b4 : 000080d2
iBoot64Patch: Applying patch=0x18001f908 : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x18001f958 : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x180069f44 : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x18003885c : 1f2003d5
iBoot64Patch: Applying patch=0x180033f00 : 200080d2
iBoot64Patch: Applying patch=0x18003539c : e9383810
iBoot64Patch: Applying patch=0x1800a5ab8 : 72643d6d6430206e616e642d656e61626c652d7265666f726d61743d307831202d76202d726573746f72652064656275673d30783230313465206b65657073796d733d30783120616d66693d3078666620616d66695f616c6c6f775f616e795f7369676e61747572653d30783120616d66695f6765745f6f75745f6f665f6d795f7761793d3078312063735f656e666f7263656d656e745f64697361626c653d30783100
iBoot64Patch: Applying patch=0x1800353a8 : f30309aa
iBoot64Patch: Applying patch=0x180035498 : 13313810
iBoot64Patch: Patches applied!
[WARNING] BUG WORKAROUND recompressing images with bvx2 makes them not boot for some reason. Skipping compression
Repacking patched iBSS as IMG4
Repacking patched iBEC as IMG4
Sending iBSS (1438499 bytes)...
Cleaning up...
[exception]:
what=ERROR: Unable to send iBSS component: Unable to upload data to device
code=42664004
line=651
file=/Users/runner/work/futurerestore/futurerestore/src/futurerestore.cpp
commit count=281:
commit sha =3bfba667cce95a85ec918210f8b05d2aed6c3d91:
Done: restoring failed!
^C
bogo@bogotesrs-MacBook-Pro sunst0rm % git clone https://github.com/axi0mX/ipwndfu
Cloning into 'ipwndfu'...
remote: Enumerating objects: 407, done.
remote: Counting objects: 100% (148/148), done.
remote: Compressing objects: 100% (93/93), done.
remote: Total 407 (delta 60), reused 55 (delta 55), pack-reused 259
Receiving objects: 100% (407/407), 1.86 MiB | 3.78 MiB/s, done.
Resolving deltas: 100% (206/206), done.
bogo@bogotesrs-MacBook-Pro sunst0rm % cd ipwndfu
bogo@bogotesrs-MacBook-Pro ipwndfu % ./ipwndfu
zsh: ./ipwndfu: bad interpreter: /usr/bin/python: no such file or directory
bogo@bogotesrs-MacBook-Pro ipwndfu % chmod +x ./ipwndfu
bogo@bogotesrs-MacBook-Pro ipwndfu % ./ipwndfu
zsh: ./ipwndfu: bad interpreter: /usr/bin/python: no such file or directory
bogo@bogotesrs-MacBook-Pro ipwndfu % ./ipwndfu
zsh: ./ipwndfu: bad interpreter: /usr/bin/python: no such file or directory
bogo@bogotesrs-MacBook-Pro ipwndfu % python
Python 2.7.18 (v2.7.18:8d21aa21f2, Apr 19 2020, 20:48:48)
[GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
KeyboardInterrupt
^D
bogo@bogotesrs-MacBook-Pro ipwndfu % ./ipwndfu
zsh: ./ipwndfu: bad interpreter: /usr/bin/python: no such file or directory
bogo@bogotesrs-MacBook-Pro ipwndfu % python3 ipwndfu
File "/Users/bogo/downgrade/sunst0rm/ipwndfu/ipwndfu", line 11
print 'USAGE: ipwndfu [options]'
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?
bogo@bogotesrs-MacBook-Pro ipwndfu % python3 ipwndfu -p
File "/Users/bogo/downgrade/sunst0rm/ipwndfu/ipwndfu", line 11
print 'USAGE: ipwndfu [options]'
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?
bogo@bogotesrs-MacBook-Pro ipwndfu % ipwndfu
zsh: command not found: ipwndfu
bogo@bogotesrs-MacBook-Pro ipwndfu % ./ipwndfu
zsh: ./ipwndfu: bad interpreter: /usr/bin/python: no such file or directory
bogo@bogotesrs-MacBook-Pro ipwndfu % chmod +x ./ipwndfu
bogo@bogotesrs-MacBook-Pro ipwndfu % ./ipwndfu
zsh: ./ipwndfu: bad interpreter: /usr/bin/python: no such file or directory
bogo@bogotesrs-MacBook-Pro ipwndfu % futurerestore -t /Users/bogo/Desktop/2380048545021998_iPhone10,4_d201ap_15.5-19F77_27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae.shsh2 --use-pwndfu --skip-blob --rdsk /Users/bogo/downgrade/ramdisk.im4p --rkrn /Users/bogo/downgrade/krnl.im4p --latest-sep --latest-baseband /Users/bogo/downgrade/iPhone_4.7_P3_14.3_18C66_Restore.ipsw
Version: v2.0.0-test(3bfba66-281)
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f-DEBUG
libipatcher version: 0.88-1e855d70c84419014e363bdbcaead7b145fe3e1f-DEBUG
Odysseus for 32-bit support: yes
Odysseus for 64-bit support: yes
libc++abi: terminating with uncaught exception of type tihmstar::exception: can't init, no device found
zsh: abort futurerestore -t --use-pwndfu --skip-blob --rdsk --rkrn --latest-sep
bogo@bogotesrs-MacBook-Pro ipwndfu % cd ..
bogo@bogotesrs-MacBook-Pro sunst0rm % cd ..
bogo@bogotesrs-MacBook-Pro downgrade % python3 -m pip install --user --force-reinstall https://github.com/hack-different/ipwndfu/archive/main.zip
Collecting https://github.com/hack-different/ipwndfu/archive/main.zip
Using cached https://github.com/hack-different/ipwndfu/archive/main.zip
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing metadata (pyproject.toml) ... done
Collecting cryptography<37.0.0,>=36.0.1
Using cached cryptography-36.0.2-cp36-abi3-macosx_10_10_x86_64.whl (2.5 MB)
Collecting pyusb<2.0.0,>=1.2.1
Using cached pyusb-1.2.1-py3-none-any.whl (58 kB)
Collecting cffi>=1.12
Downloading cffi-1.15.1-cp310-cp310-macosx_10_9_x86_64.whl (179 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 179.2/179.2 kB 3.1 MB/s eta 0:00:00
Collecting pycparser
Using cached pycparser-2.21-py2.py3-none-any.whl (118 kB)
Building wheels for collected packages: ipwndfu
Building wheel for ipwndfu (pyproject.toml) ... done
Created wheel for ipwndfu: filename=ipwndfu-2.0.0b5-py3-none-any.whl size=1183379 sha256=851e6aaf248ce24f1270bb71e263c4ef130f5c13e0b4de33b52bdbbfdd814d5b
Stored in directory: /private/var/folders/b9/144jc0h57_5bbhvv_k_jk7b40000gn/T/pip-ephem-wheel-cache-6gawurf_/wheels/2f/17/55/c6750601b8a4da2893837d9226039487a919a4779186dd51ea
Successfully built ipwndfu
Installing collected packages: pyusb, pycparser, cffi, cryptography, ipwndfu
Attempting uninstall: pyusb
Found existing installation: pyusb 1.2.1
Uninstalling pyusb-1.2.1:
Successfully uninstalled pyusb-1.2.1
Attempting uninstall: pycparser
Found existing installation: pycparser 2.21
Uninstalling pycparser-2.21:
Successfully uninstalled pycparser-2.21
Attempting uninstall: cffi
Found existing installation: cffi 1.15.0
Uninstalling cffi-1.15.0:
Successfully uninstalled cffi-1.15.0
Attempting uninstall: cryptography
Found existing installation: cryptography 36.0.2
Uninstalling cryptography-36.0.2:
Successfully uninstalled cryptography-36.0.2
Attempting uninstall: ipwndfu
Found existing installation: ipwndfu 2.0.0b5
Uninstalling ipwndfu-2.0.0b5:
Successfully uninstalled ipwndfu-2.0.0b5
WARNING: The script ipwndfu is installed in '/Users/bogo/Library/Python/3.10/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed cffi-1.15.1 cryptography-36.0.2 ipwndfu-2.0.0b5 pycparser-2.21 pyusb-1.2.1
bogo@bogotesrs-MacBook-Pro downgrade % (cd "$(python3 -m site --user-base)/bin"; ./ipwndfu -p; ./ipwndfu --patch-sigchecks; ./ipwndfu --repair-heap)
*** checkm8 exploit by axi0mX ***
Found: CPID:8015 CPRV:11 CPFM:03 SCEP:01 BDID:0A ECID:000874A43C13002E IBFL:3C SRTG:[iBoot-3332.0.0.1.23]
Device is now in pwned DFU Mode.
(1.77 seconds)
Successfully patched signature checks!
Heap repaired.
bogo@bogotesrs-MacBook-Pro downgrade % futurerestore -t /Users/bogo/Desktop/2380048545021998_iPhone10,4_d201ap_15.5-19F77_27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae.shsh2 --use-pwndfu --skip-blob --rdsk /Users/bogo/downgrade/ramdisk.im4p --rkrn /Users/bogo/downgrade/krnl.im4p --latest-sep --latest-baseband /Users/bogo/downgrade/iPhone_4.7_P3_14.3_18C66_Restore.ipsw
Version: v2.0.0-test(3bfba66-281)
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f-DEBUG
libipatcher version: 0.88-1e855d70c84419014e363bdbcaead7b145fe3e1f-DEBUG
Odysseus for 32-bit support: yes
Odysseus for 64-bit support: yes
[INFO] 64-bit device detected
futurerestore init done
reading signing ticket /Users/bogo/Desktop/2380048545021998_iPhone10,4_d201ap_15.5-19F77_27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae.shsh2 is done
user specified to use latest signed SEP
[TSSC] opening firmwares.json
[DOWN] downloading file https://api.ipsw.me/v2.1/firmwares.json/condensed
[TSSC] opening /tmp/betas_iPhone10,4.json
[DOWN] downloading file https://api.m1sta.xyz/betas/iPhone10,4
[TSSC] selecting latest firmware version: 15.5
[TSSC] got firmwareurl for iOS 15.5 build 19F77
[TSSC] opening Buildmanifest for iPhone10,4_15.5
[DOWN] downloading file https://updates.cdn-apple.com/2022SpringFCS/fullrestores/012-07905/09AAD219-D436-40F0-B49B-E7C009FF5668/BuildManifest.plist
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
downloading SEP
[TSSC] opening /tmp/futurerestore/sepManifest.plist
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
[TSSR] User specified to not request a baseband ticket.
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
user specified to use latest signed baseband
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
downloading Baseband
ERROR: Unable to connect to device?!
[Error] Unable to find required BbGoldCertId in parameters
[WARNING] using tsschecker's fallback to get BasebandGoldCertID. This might result in invalid baseband signing status information
[TSSC] opening /tmp/futurerestore/basebandManifest.plist
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
[TSSR] User specified to request only a Baseband ticket.
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Downloading the latest firmware components...
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
downloading SE firmware
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
Finished downloading the latest firmware components!
Found device in DFU mode
requesting to get into pwnRecovery later
Found device in DFU mode
Identified device as d201ap, iPhone10,4
Extracting BuildManifest from iPSW
Product version: 14.3
Product build: 18C66 Major: 18
Device supports Image4: true
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
checking if the APTicket is valid for this restore...
Verified ECID in APTicket matches the device's ECID
checking if the APTicket is valid for this restore...
Verified ECID in APTicket matches the device's ECID
[IMG4TOOL] checking buildidentity 0:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 1:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 2:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking buildidentity has all required hashes:
[IMG4TOOL] checking hash for "AOP" OK (untrusted)
[IMG4TOOL] checking hash for "Ap,SystemVolumeCanonicalMetadata"BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AppleLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AudioCodecFirmware" OK (untrusted)
[IMG4TOOL] checking hash for "BasebandFirmware" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "BatteryCharging0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryFull" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryPlugin" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "DeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ISP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "KernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "LLB" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Liquid" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Multitouch" OK (untrusted)
[IMG4TOOL] checking hash for "OS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RecoveryMode" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreDeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreKernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreRamDisk" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreSEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SE,UpdatePayload" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "StaticTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SystemVolume" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "ftsp" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "iBEC" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBoot" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "rfta" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "rfts" IGN (no digest in BuildManifest)
failed verification with error:
[exception]:
what=verification failed!
code=84279308
line=1286
file=img4tool.cpp
commit count=197:
commit sha =aca6cf005c94caf135023263cbb5c61a0081804f:
[IMG4TOOL] checking buildidentity 3:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 4:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 5:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 6:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking buildidentity has all required hashes:
[IMG4TOOL] checking hash for "AOP" OK (untrusted)
[IMG4TOOL] checking hash for "Ap,SystemVolumeCanonicalMetadata"BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AppleLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AudioCodecFirmware" OK (untrusted)
[IMG4TOOL] checking hash for "BasebandFirmware" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "BatteryCharging0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryFull" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryPlugin" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "DeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ISP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "KernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "LLB" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Liquid" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Multitouch" OK (untrusted)
[IMG4TOOL] checking hash for "OS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RecoveryMode" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreDeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreKernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreRamDisk" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreSEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SE,UpdatePayload" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "StaticTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SystemVolume" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "ftsp" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "iBEC" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBoot" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "rfta" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "rfts" IGN (no digest in BuildManifest)
failed verification with error:
[exception]:
what=verification failed!
code=84279308
line=1286
file=img4tool.cpp
commit count=197:
commit sha =aca6cf005c94caf135023263cbb5c61a0081804f:
[IMG4TOOL] checking buildidentity 7:
[IMG4TOOL] checking buildidentity matches board ... NO
[WARNING] NOT VALIDATING SHSH BLOBS IM4M!
[Error] BuildIdentity selected for restore does not match APTicket
BuildIdentity selected for restore:
BuildNumber : 18C66
BuildTrain : AzulC
DeviceClass : d201ap
FDRSupport : YES
MobileDeviceMinVersion : 1253
RestoreBehavior : Erase
Variant : Customer Erase Install (IPSW)
BuildIdentity is valid for the APTicket:
IM4M is not valid for any restore within the Buildmanifest
This APTicket can't be used for restoring this firmware
[WARNING] NOT VALIDATING SHSH BLOBS!
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Checking BuildIdentity 2
[TSSR] Selected BuildIdentity for request
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
Device found in DFU Mode.
Sending iBSS (1438499 bytes)...
[==================================================] 100.0%
Booting iBSS, waiting for device to disconnect...
Booting iBSS, waiting for device to reconnect...
ApNonce pre-hax:
INFO: device serial number is C8PYR2QAJC69
Getting ApNonce in recovery mode... 27 32 5c 82 58 be 46 e6 9d 9e e5 7f a9 a8 fb c2 8b 87 3d f4 34 e5 e7 02 a8 b2 79 99 55 11 38 ae
Sending iBEC (1438499 bytes)...
[==================================================] 100.0%
Booting iBEC, waiting for device to disconnect...
Booting iBEC, waiting for device to reconnect...
APNonce from device already matches IM4M nonce, no need for extra hax...
Successfully set nonce generator: 0x1111111111111111
Extracting filesystem from iPSW
futurerestore(36581,0x10a48f600) malloc: Heap corruption detected, free list is damaged at 0x600000dcc6c0
*** Incorrect guard value: 16629806333025528536
futurerestore(36581,0x10a48f600) malloc: *** set a breakpoint in malloc_error_break to debug
zsh: abort futurerestore -t --use-pwndfu --skip-blob --rdsk --rkrn --latest-sep