I can't install DFU mode to my iPhone5. Please help me handle it. My final purpose is to Downupgrade 10.3.4 to 8

[FlutterW]

Legacy iOS Kit

• Script by LukeZGD -

• Version: v24.05.12 (9a3f574)

• Platform: macos (14.5)

• Device: iPhone5,2 (n42ap) in Recovery mode

• iOS Version: Unknown

• ECID: 2384983055755

  Main Menu > Restore/Downgrade [Input] Select an option: 1) iOS 8.4.1 5) Other (Tethered) 2) Latest iOS (10.3.4) 6) DFU IPSW 3) Other (powdersn0w 7.x blobs) 7) IPSW Downloader 4) Other (Use SHSH Blobs) 8) Go Back

  ? 6

• You are about to restore with a DFU IPSW.

• This will force the device to enter DFU mode, which is useful for devices with broken buttons.

• All device data will be wiped! Only proceed if you have backed up your data.

• Expect the restore to fail and the device to be stuck in DFU mode. [Input] Press Enter/Return to continue (or press Ctrl+C to cancel) [Log] Found existing DFU IPSW. Skipping IPSW creation. [Log] Extracting IPSW: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW.ipsw Archive: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW.ipsw inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/058-74968-065.dmg
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/._058-74968-065.dmg
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/058-75249-065.dmg
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/058-75393-065.dmg
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/BuildManifest.plist
  creating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/ creating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/ inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/applelogo@2x~iphone.s5l8950x.img3
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/batterycharging0@2x~iphone.s5l8950x.img3
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/batterycharging1@2x~iphone.s5l8950x.img3
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/batteryfull@2x~iphone.s5l8950x.img3
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/batterylow0@2x~iphone.s5l8950x.img3
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/batterylow1@2x~iphone.s5l8950x.img3
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/DeviceTree.n41ap.img3
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/DeviceTree.n42ap.img3
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/DeviceTree.n48ap.img3
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/DeviceTree.n49ap.img3
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/glyphplugin@1136~iphone-lightning.s5l8950x.img3
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/iBoot.iphone5.RELEASE.img3
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/iBoot.iphone5b.RELEASE.img3
  extracting: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/LLB.iphone5.RELEASE.img3
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/LLB.iphone5b.RELEASE.img3
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/all_flash/recoverymode@1136~iphone-lightning.s5l8950x.img3
  creating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/dfu/ inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/dfu/iBEC.iphone5.RELEASE.dfu
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/dfu/iBEC.iphone5b.RELEASE.dfu
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/dfu/iBSS.iphone5.RELEASE.dfu
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/dfu/iBSS.iphone5b.RELEASE.dfu
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/Mav5-11.80.00.Release.bbfw
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/Mav5-11.80.00.Release.plist
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/Mav7Mav8-7.60.00.Release.bbfw
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/Mav7Mav8-7.60.00.Release.plist
  creating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/usr/ creating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/usr/local/ creating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Firmware/usr/local/standalone/ inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/kernelcache.release.iphone5
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/kernelcache.release.iphone5b
  inflating: ../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/Restore.plist
  [Log] Running idevicerestore with command: ../bin/macos/idevicerestore -e "../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW.ipsw" Found device in Recovery mode INFO: device serial number is C7GN25K3DTWF Found ECID 2384983055755 Identified device as n42ap, iPhone5,2 Extracting BuildManifest from IPSW Product Version: 10.3.4 Product Build: 14G61 Major: 14 Device supports Image4: false Variant: Customer Erase Install (IPSW) This restore will erase your device data. Getting ApNonce in recovery mode... af b1 dc f3 c6 09 fa 25 58 3e 8e 3c 47 6d c7 c4 41 0e 8d 22 Trying to fetch new SHSH blob Getting SepNonce in recovery mode... WARNING: Unable to find BbSkeyId node Request URL set to https://gs.apple.com/TSS/controller?action=2 Sending TSS request attempt 1... response successfully received Received SHSH blobs Using cached filesystem from '../iPhone_4.0_32bit_10.3.4_14G61_DFUIPSW/058-74968-065.dmg' Sending APTicket (2760 bytes) Extracting iBEC.iphone5.RELEASE.dfu... Not personalizing component iBEC... Sending iBEC (303308 bytes)... Getting ApNonce in recovery mode... af b1 dc f3 c6 09 fa 25 58 3e 8e 3c 47 6d c7 c4 41 0e 8d 22 Sending APTicket (2760 bytes) Recovery Mode Environment: iBoot build-version=iBoot-3406.60.10 iBoot build-style=RELEASE ramdisk-size=0x10000000 Extracting 058-75249-065.dmg... Not personalizing component RestoreRamDisk... Sending RestoreRamDisk (24744076 bytes)... Extracting DeviceTree.n42ap.img3... Not personalizing component RestoreDeviceTree... Sending RestoreDeviceTree (88332 bytes)... Extracting kernelcache.release.iphone5... Not personalizing component RestoreKernelCache... Sending RestoreKernelCache (11658060 bytes)... About to restore device... Waiting for device... Device b56a29a3dfdf691da338c4df4a68e2e09c3a0585 is now connected in restore mode... Connecting now... Connected to com.apple.mobile.restored, version 14 Device b56a29a3dfdf691da338c4df4a68e2e09c3a0585 has successfully entered restore mode Hardware Information: BoardID: 2 ChipID: 35152 UniqueChipID: 2384983055755 ProductionMode: true Previous restore exit status: 0x100 About to send RootTicket... Sending RootTicket now... Done sending RootTicket Waiting for NAND (28) Checking filesystems (15) Checking filesystems (15) Checking filesystems (15) Unmounting filesystems (29) Unmounting filesystems (29) Creating partition map (11) Creating filesystem (12) Creating filesystem (12) About to send filesystem... Connected to ASR Validating the filesystem Filesystem validated Sending filesystem now... [============================= ] 56.0%ERROR: Unable to send data to ASR. Sent 0 of 1450 bytes. ERROR: Unable to send filesystem payload ERROR: Unable to send payload to ASR ERROR: Unable to send filesystem ERROR: Unable to successfully restore device ERROR: Unable to restore device [Log] Restoring done! Device should now be in DFU mode

• Save the terminal output now if needed.

• Legacy iOS Kit v24.05.12 (9a3f574)

• Platform: macos (14.5)

[LukeZGD]

Sounds like there is a USB issue going on.

• Check if your USB cable/port is loose
• It can also be something with the USB hub if you're using one
• Try different USB cables/ports
• Make sure to use a USB A to lightning cable. Use a USB A to USB C adapter if needed
• Do NOT use USB C to lightning cables

[FlutterW]

Oops! Maybe the USB-C cable is the problem, I'll try via a USB-A cable later!

[FlutterW]

Sounds like there is a USB issue going on.

• Check if your USB cable/port is loose
• It can also be something with the USB hub if you're using one
• Try different USB cables/ports
• Make sure to use a USB A to lightning cable. Use a USB A to USB C adapter if needed
• Do NOT use USB C to lightning cables

However, after entering DFU mode, there was still something wrong during the downupgrading:

Legacy iOS Kit

• Script by LukeZGD -

• Version: v24.05.12 (9a3f574)

• Platform: macos (14.5)

• Device: iPhone5,2 (n42ap) in DFU mode [WARNING] Disable bbupdate flag detected, baseband update is disabled. Proceed with caution

• For iPhones, current baseband will be dumped and stitched to custom IPSW

• Stitching is supported in these restores/downgrades: 8.4.1/6.1.3, Other with SHSH, powdersn0w

• iOS Version: Unknown

• To get iOS version, go to: Other Utilities -> Get iOS Version

• ECID: 2384983055755

• Only select unmodified IPSW for the selection. Do not select custom IPSWs

• Selected IPSW: ../iPhone5,2_8.4.1_12H321_Restore.ipsw

  Main Menu > Restore/Downgrade > iOS 8.4.1 [Input] Select an option: 1) Select Target IPSW 3) Start Restore 2) Download Target IPSW 4) Go Back

  ? 3

  [Input] Jailbreak Option

• When this option is enabled, your device will be jailbroken on restore.

• I recommend to enable this option to have the jailbreak and Cydia pre-installed.

• This option is enabled by default (Y). Select this option if unsure. [Input] Enable this option? (Y/n): Y [Log] Jailbreak option enabled.

[Input] Memory Option for creating custom IPSW

• When this option is enabled, system RAM will be used for the IPSW creation process.
• I recommend to enable this option to speed up creating the custom IPSW.
• However, if your PC/Mac has less than 8 GB of RAM, disable this option.
• This option is enabled by default (Y). Select this option if unsure. [Input] Enable this option? (Y/n): Y [Log] Memory option enabled.

[Log] Generating reboot.sh

!/bin/bash

mount_hfs /dev/disk0s1s1 /mnt1; mount_hfs /dev/disk0s1s2 /mnt2 nvram -d boot-partition; nvram -d boot-ramdisk /usr/bin/haxx_overwrite --iPhone5,2_12H321 [Log] Checking firmware keys in ../resources/firmware/iPhone5,2/12H321 [Log] Preparing config file <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

FilesystemJailbreak needPref iBootPatches debugEnabled bootArgsInjection bootArgsString -v

[Log] Generating firmware bundle for iPhone5,2-8.4.1 (12H321) daibutsu... Archive: ../iPhone5,2_8.4.1_12H321_Restore.ipsw inflating: manifest
Archive: ../iPhone5,2_8.4.1_12H321_Restore.ipsw inflating: 058-23947-023.dmg
/tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 98153539961328495cbaf32034d2c58bbea83308e14a81a5c5925c4b57273a7201d9220ca782808db7df654a86ac01ff <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

Filename../iPhone5,2_8.4.1_12H321_Restore.ipsw RootFilesystem058-24110-023.dmg RootFilesystemKey7f68bec2637d5ac0837e38878a8a411c72131fc6394b5a84fd0f878f54f97af3801f34fd RootFilesystemSize2088 RamdiskOptionsPath/usr/local/share/restore/options.n42.plist SHA1da4e50bf721d91bbd0b4a90ba9df9cdf2e8b9f53 RamdiskPatches asr Fileusr/sbin/asrPatchasr.patch FilesystemPatches FirmwarePatches iBSSFileFirmware/dfu/iBSS.n42.RELEASE.dfuIVfdad2b7a35384fa2ffc7221213ca1082Key74cd68729b800a20b1f8e8a3cb5517024a09f074eaa05b099db530fb5783275e PatchiBSS.n42.RELEASE.patch Decrypt iBECFileFirmware/dfu/iBEC.n42.RELEASE.dfuIVba178c287f6ce38acbec569f6adbf170Key888f24c26a13fdb2c8182b156d793b1350428e2b6c31a634d16a61752b236dc9 PatchiBEC.n42.RELEASE.patch Decrypt RestoreDeviceTreeFileFirmware/all_flash/all_flash.n42ap.production/DeviceTree.n42ap.img3IV40dc28c4fc1b28df6f44bff7f833b44dKeydccfcf97891d4fa62fef944ff646ce9a81e821883f2b6bc3cc5ca3a22ee90ce9DecryptPathDowngrade/RestoreDeviceTree Decrypt RestoreLogoFileFirmware/all_flash/all_flash.n42ap.production/applelogo@2x~iphone.s5l8950x.img3IVef41848f4bdd07ea7de5a2bd2d90b989Key967e260de1a600600ead78fa451865be406c851f8d97da4ddc6d7429173f5648DecryptPathDowngrade/RestoreLogo Decrypt RestoreKernelCacheFilekernelcache.release.n42IVa037ef50ae5bf24ae2d373345b6e5be5Key66b8ca4f732113f54dae9de7d1713093d6c54731c06033eef94489c168a8db3aDecryptPathDowngrade/RestoreKernelCache Decrypt Restore RamdiskFile058-23947-023.dmgIV9f3c9ed053e2057f7b2be54a80c3eec8Key9bde35e15c13939b0e910e30f45109103cacabc3c5535a20a79f87d35d4a8c35 Decrypt PackagePath./freeze.tar RamdiskPackage ./bin.tarRamdiskReboot./reboot.shUntetherPath./untether.tar hwmodelN42 [Log] Dumping files for baseband: /usr/local/standalone [Log] This operation requires an SSH ramdisk, proceeding * I recommend dumping baseband/activation on Normal mode instead of Recovery/DFU mode if possible * To mount /var (/mnt2) for iOS 9-10, I recommend using 9.0.2 (13A452). * If not sure, just press Enter/Return. This will select the default version. [Input] Enter build version (eg. 10B329): [Log] Checking firmware keys in ../resources/firmware/iPhone5,2/10B329 [Log] Checking URL in ../resources/firmware/iPhone5,2/10B329/url [Log] iBSS /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 8d25aba0d538112746ea4a919ba3b047f93734be4227c96adb75385ba31b57ed6933278f6159001e9e08fab727a0179e /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 8d25aba0d538112746ea4a919ba3b047f93734be4227c96adb75385ba31b57ed6933278f6159001e9e08fab727a0179e /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 8d25aba0d538112746ea4a919ba3b047f93734be4227c96adb75385ba31b57ed6933278f6159001e9e08fab727a0179e [Log] iBEC /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 72d529c649e3d6bd8f8fd016132297f0e86e5391d7e6d72b84dcf1f4453ebc0034fad90cd15abb83096dacc5ff1ab165 /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 72d529c649e3d6bd8f8fd016132297f0e86e5391d7e6d72b84dcf1f4453ebc0034fad90cd15abb83096dacc5ff1ab165 /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 72d529c649e3d6bd8f8fd016132297f0e86e5391d7e6d72b84dcf1f4453ebc0034fad90cd15abb83096dacc5ff1ab165 [Log] DeviceTree /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 10c7092fdbd04b311f22438c552f3c9f86eb171bc97ae581cfd95dd22574c7b1398bc46bdf748e288ca734f9da1f2e46 /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 10c7092fdbd04b311f22438c552f3c9f86eb171bc97ae581cfd95dd22574c7b1398bc46bdf748e288ca734f9da1f2e46 /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 10c7092fdbd04b311f22438c552f3c9f86eb171bc97ae581cfd95dd22574c7b1398bc46bdf748e288ca734f9da1f2e46 [Log] Kernelcache /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 060809e96c5cb972f1e91d4d2696146b09ab43aa11bd661fc4022a74f2adacdf849c030600caec5cf34b47696298266b /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 060809e96c5cb972f1e91d4d2696146b09ab43aa11bd661fc4022a74f2adacdf849c030600caec5cf34b47696298266b /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 060809e96c5cb972f1e91d4d2696146b09ab43aa11bd661fc4022a74f2adacdf849c030600caec5cf34b47696298266b [Log] RestoreRamdisk /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 31431b4794073061867eed20c8ae828e80be9aa2588960ab3418570e59eeb344a41e45532fb4395ebb71ca2fc8b90ef0 /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 31431b4794073061867eed20c8ae828e80be9aa2588960ab3418570e59eeb344a41e45532fb4395ebb71ca2fc8b90ef0 /tmp/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 31431b4794073061867eed20c8ae828e80be9aa2588960ab3418570e59eeb344a41e45532fb4395ebb71ca2fc8b90ef0 [Log] Patch RestoreRamdisk grew volume: 30000000 file: com.apple.springboard.plist (0644), size = 271 ignoring bin, type = 5 file: bin/bash (0755), size = 546768 file: bin/ls (0755), size = 152096 file: bin/mount.sh (0755), size = 1366 symlink: bin/sh (0777) -> bash file: bin/tar (0755), size = 430304 file: bin/dd (0755), size = 124896 file: bin/cp (0755), size = 162560 file: bin/chmod (0755), size = 125168 file: bin/chown (0755), size = 125616 ignoring sbin, type = 5 file: sbin/sshd (0755), size = 722848 file: sbin/umount (4755), size = 22784 ignoring usr, type = 5 ignoring usr/bin, type = 5 file: usr/bin/device_infos (0755), size = 75936 file: usr/bin/scp (0755), size = 49008 file: usr/bin/gptfdisk (0755), size = 164368 file: usr/bin/hfs_resize (0755), size = 12960 file: usr/bin/ibsspatch (0755), size = 51840 file: usr/bin/df (0755), size = 143296 file: usr/bin/du (0755), size = 178736 ignoring usr/lib, type = 5 symlink: usr/lib/libncurses.5.dylib (0777) -> libncurses.5.4.dylib file: usr/lib/libncurses.5.4.dylib (0755), size = 335968 file: usr/lib/libhistory.6.0.dylib (0755), size = 54752 file: usr/lib/libreadline.6.0.dylib (0755), size = 198112 file: usr/lib/libcrypto.0.9.8.dylib (0755), size = 1604336 file: usr/lib/libiconv.2.dylib (0755), size = 1022528 directory: usr/libexec (0755) file: usr/libexec/sftp-server (0755), size = 44240 ignoring private, type = 5 ignoring private/etc, type = 5 replacing private/etc/rc.boot file: private/etc/rc.boot (0755), size = 369 directory: private/etc/ssh (0700) file: private/etc/ssh/ssh_host_rsa_key (0600), size = 1675 file: private/etc/ssh/ssh_host_dsa_key.pub (0644), size = 590 file: private/etc/ssh/sshd_config (0644), size = 3227 file: private/etc/ssh/ssh_host_key.pub (0644), size = 627 file: private/etc/ssh/ssh_config (0644), size = 1526 file: private/etc/ssh/ssh_host_dsa_key (0600), size = 668 file: private/etc/ssh/ssh_host_rsa_key.pub (0644), size = 382 file: private/etc/ssh/moduli (0644), size = 125811 file: private/etc/ssh/ssh_host_key (0600), size = 963 ignoring private/var, type = 5 directory: private/var/root (0700) file: private/var/root/.profile (0644), size = 391 [Log] Patch iBSS main: Starting... main: iBoot-1537 inputted. patch_rsa_check: Entering... find_bl_verify_shsh_5_6_7: Entering... find_bl_verify_shsh_5_6_7: Found MOVW instruction at 0x636a find_bl_verify_shsh_5_6_7: Found BL verify_shsh at 0x66f8 find_bl_verify_shsh_5_6_7: Leaving... patch_rsa_check: Patching BL verify_shsh at 0x66f8... patch_rsa_check: Leaving... main: Writing out patched file to iBSS.patched... main: Quitting... [Log] Patch iBEC main: Starting... main: iBoot-1537 inputted. patch_boot_args: Entering... patch_boot_args: Default boot-args string is at 0x3b4df patch_boot_args: boot-args xref is at 0x1cc8c patch_boot_args: Relocating boot-args string... patch_boot_args: "Reliance on this certificate" string found at 0x420f4 patch_boot_args: Pointing default boot-args xref to 0xbff420f4... patch_boot_args: Applying custom boot-args "rd=md0 -v amfi=0xff cs_enforcement_disable=1" patch_boot_args: Found LDR R1, =boot_args at 0x1ca3a patch_boot_args: Found CMP R4, #0 at 0x1ca3c patch_boot_args: Found IT EQ/IT NE at 0x1ca40 patch_boot_args: Found MOV R6, R1 at 0x1ca42 patch_boot_args: Found LDR R6, =null_str at 0x1ca3e patch_boot_args: Pointing LDR R6, =null_str to boot-args xref... patch_boot_args: Leaving... patch_debug_enabled: Entering... find_dtre_get_value_bl_insn: Entering... find_dtre_get_value_bl_insn: debug-enabled string is at 0x3b06f find_dtre_get_value_bl_insn: "debug-enabled" xref is at 0x1c684 find_dtre_get_value_bl_insn: Found LDR R0, ="debug-enabled" at 0x1bd56 find_dtre_get_value_bl_insn: Found BL instruction at 0x1bd6e find_dtre_get_value_bl_insn: Leaving... patch_debug_enabled: Patching BL insn at 0x1bd6e... patch_debug_enabled: Leaving... patch_rsa_check: Entering... find_bl_verify_shsh_5_6_7: Entering... find_bl_verify_shsh_5_6_7: Found MOVW instruction at 0x1ad56 find_bl_verify_shsh_5_6_7: Found BL verify_shsh at 0x1b3a0 find_bl_verify_shsh_5_6_7: Leaving... patch_rsa_check: Patching BL verify_shsh at 0x1b3a0... patch_rsa_check: Leaving... main: Writing out patched file to iBEC.patched... main: Quitting... * Select Y if your device is in pwned iBSS/kDFU mode. * Select N to place device to pwned DFU mode using ipwndfu/ipwnder. * Failing to answer correctly will cause "Sending iBEC" to fail. [Input] Is your device already in pwned iBSS/kDFU mode? (y/N): N [Log] Placing device to pwnDFU mode using ipwnder_lite [main] Waiting for device in DFU mode... [io_get_serial] Found serial number! [main] CONNECTED [main] CPID: 0x8950, BDID: 0x02, STRG: [iBoot-1145.3] [main] Making directory: image3/ [dl_file] Downloading image: image3/ibss.n42 ... ** exploiting with checkm8 [checkm8_s5l8950x] reconnecting [io_reset] ResetDevice: 0 [io_reset] USBDeviceReEnumerate: 0 [checkm8_s5l8950x] running heap_spray() [heap_spray] (1/3) e000404f [heap_spray] (2/3) e0004051 [heap_spray] (3/3) e0004051 [checkm8_s5l8950x] reconnecting [io_reset] ResetDevice: 0 [io_reset] USBDeviceReEnumerate: 0 [checkm8_s5l8950x] running set_global_state() [set_global_state] (1/3) sent: 0, val: 640 [set_global_state] (2/3) e000404f [set_global_state] (3/3) 0 [checkm8_s5l8950x] reconnecting [checkm8_s5l8950x] running heap_occupation() [heap_occupation] (1/3) e000404f [heap_occupation] (2/3) e0004051 [heap_occupation] (3/3) e000404f [checkm8_s5l8950x] reconnecting [checkm8_s5l8950x] USBDeviceReEnumerate: 0 [io_get_serial] Found serial number! [checkm8_s5l8950x] pwned! [main] Waiting for device in DFU mode... [io_get_serial] Found serial number! [main] CONNECTED [main] CPID: 0x8950, BDID: 0x02, STRG: [iBoot-1145.3] [boot_checkm8_32] reconnecting [io_reset] ResetDevice: 0 [io_reset] USBDeviceReEnumerate: 0 [boot_checkm8_32] (1/5) 0 [boot_checkm8_32] (2/5) 0 [boot_checkm8_32] (3/5) 0 [boot_checkm8_32] (4/5) 0 [boot_checkm8_32] sending payload [boot_checkm8_32] (5/5) e00002ed [Log] Sending iBEC... [==================================================] 100.0% [Log] Finding device in Recovery mode... [Log] Found device in Recovery mode. [Log] Sending ramdisk... [==================================================] 100.0% [Log] Running ramdisk [Log] Sending DeviceTree... [==================================================] 100.0% [Log] Running devicetree [Log] Sending KernelCache... [==================================================] 100.0% [Log] Booting, please wait... [Log] Finding device in Restore mode... [Log] Found device in Restore mode. [Log] Running iproxy for SSH... [Log] Mounting root filesystem Warning: Permanently added '[127.0.0.1]:6414' (RSA) to the list of known hosts. Waiting for disks... Mounting /dev/disk0s1s1 on /mnt1 [Log] Getting iOS version Warning: Permanently added '[127.0.0.1]:6414' (RSA) to the list of known hosts. [Log] Mounting filesystems Warning: Permanently added '[127.0.0.1]:6414' (RSA) to the list of known hosts. Waiting for disks... /dev/disk0s1s1 already mounted on /mnt1 Mounting /dev/disk0s1s2 on /mnt2 mount_hfs: Operation not permitted [Log] Dumping both baseband and activation tars [Log] Creating baseband.tar Warning: Permanently added '[127.0.0.1]:6414' (RSA) to the list of known hosts. tar: /mnt2/tmp/baseband.tar: Cannot open: No such file or directory tar: Error is not recoverable: exiting now Warning: Permanently added '[127.0.0.1]:6414' (RSA) to the list of known hosts. scp: /mnt2/tmp/baseband.tar: No such file or directory tar: Error opening archive: Failed to open 'baseband.tar' rm: baseband.tar: No such file or directory ./restore.sh: 第 6533 行：pushd: usr/local/standalone/firmware/Baseband/Mav5: No such file or directory adding: 058-23947-023.dmg (stored 0%) adding: BuildVer (stored 0%) adding: DeviceTree.orig (stored 0%) adding: FirmwareBundles/ (stored 0%) adding: FirmwareBundles/Down_iPhone5,2_8.4.1_12H321.bundle/ (stored 0%) adding: FirmwareBundles/Down_iPhone5,2_8.4.1_12H321.bundle/iBSS.n42.RELEASE.patch (stored 0%) adding: FirmwareBundles/Down_iPhone5,2_8.4.1_12H321.bundle/iBEC.n42.RELEASE.patch (stored 0%) adding: FirmwareBundles/Down_iPhone5,2_8.4.1_12H321.bundle/manifest (stored 0%) adding: FirmwareBundles/Down_iPhone5,2_8.4.1_12H321.bundle/asr.patch (stored 0%) adding: FirmwareBundles/Down_iPhone5,2_8.4.1_12H321.bundle/Info.plist (stored 0%) adding: FirmwareBundles/config.plist (stored 0%) adding: Kernelcache.orig (stored 0%) adding: Ramdisk.raw (stored 0%) adding: RestoreRamdisk.dec (stored 0%) adding: RestoreRamdisk.orig (stored 0%) adding: SystemVersion.plist (stored 0%) adding: Version (stored 0%) adding: bin.tar (stored 0%) adding: freeze.tar (stored 0%) adding: iBEC.dec (stored 0%) adding: iBEC.orig (stored 0%) adding: iBEC.patched (stored 0%) adding: iBEC.raw (stored 0%) adding: iBSS.dec (stored 0%) adding: iBSS.orig (stored 0%) adding: iBSS.patched (stored 0%) adding: iBSS.raw (stored 0%) adding: image3/ (stored 0%) adding: image3/ibss.n42 (stored 0%) adding: options.n42.plist (stored 0%) adding: reboot.sh (stored 0%) adding: size (stored 0%) adding: ssh_config (stored 0%) adding: untether.tar (stored 0%) Archive: Mav5-personalized.zip extracting: ./058-23947-023.dmg extracting: ./BuildVer extracting: ./DeviceTree.orig extracting: ./FirmwareBundles/Down_iPhone5,2_8.4.1_12H321.bundle/iBSS.n42.RELEASE.patch extracting: ./FirmwareBundles/Down_iPhone5,2_8.4.1_12H321.bundle/iBEC.n42.RELEASE.patch extracting: ./FirmwareBundles/Down_iPhone5,2_8.4.1_12H321.bundle/manifest extracting: ./FirmwareBundles/Down_iPhone5,2_8.4.1_12H321.bundle/asr.patch extracting: ./FirmwareBundles/Down_iPhone5,2_8.4.1_12H321.bundle/Info.plist extracting: ./FirmwareBundles/config.plist extracting: ./Kernelcache.orig extracting: ./Ramdisk.raw extracting: ./RestoreRamdisk.dec extracting: ./RestoreRamdisk.orig extracting: ./SystemVersion.plist extracting: ./Version extracting: ./bin.tar extracting: ./freeze.tar extracting: ./iBEC.dec extracting: ./iBEC.orig extracting: ./iBEC.patched extracting: ./iBEC.raw extracting: ./iBSS.dec extracting: ./iBSS.orig extracting: ./iBSS.patched extracting: ./iBSS.raw extracting: ./image3/ibss.n42 extracting: ./options.n42.plist extracting: ./reboot.sh extracting: ./size extracting: ./ssh_config extracting: ./untether.tar tar: usr: Cannot stat: No such file or directory tar: Error exit delayed from previous errors. * Reminder to backup dump tars if needed cp: ../saved/iPhone5,2: No such file or directory [Log] Creating activation.tar ./restore.sh: 行 6591: ../bin/macos/sshpass: No such file or directory ./restore.sh: 行 6592: ../bin/macos/sshpass: No such file or directory [Log] Copying activation.tar * Reminder to backup dump tars if needed ./restore.sh: 行 6595: ../bin/macos/sshpass: No such file or directory mv: rename activation.tar to activation-2384983055755.tar: No such file or directory cp: activation-2384983055755.tar: No such file or directory ./restore.sh: 行 6605: ../bin/macos/sshpass: No such file or directory ./restore.sh: 行 6486: ../bin/macos/sshpass: No such file or directory [Log] Done, device should reboot to recovery mode now [Log] Put your device back in kDFU/pwnDFU mode to proceed [Log] Finding device in Recovery mode... [Error] Failed to find device in Recovery mode (Timed out). Please run the script again. * Legacy iOS Kit v24.05.12 (9a3f574) * Platform: macos (14.5)

[LukeZGD]

Why do you have disable bbupdate flag enabled? If you do not enable that, it will work fine

If you are coming from 10.3.4, disable bbupdate flag is completely unnecessary