MatthewPierson / 1033-OTA-Downgrader

First ever tool to downgrade ANY iPhone 5s, ANY iPad Air and (almost any) iPad Mini 2 to 10.3.3 with OTA blobs + checkm8!

failure on restore.sh #1

Closed gb160 closed 5 years ago

gb160 commented 5 years ago

```
**** Matty's iPhone 5s 10.3.3 OTA Downgrader ****
[Log] Removing old files
Please enter device ID (iPhone6,1 or iPhone6,2 only) ONLY THE iPHONE 5s IS SUPPORTED
iPhone6,2
[Log] Vaild device, continuing
[Log] Getting current APNonce
227840674916
47080312e71eda7ccd8eec33af095f41710fe8db
Version: c0b554e83f54d39d90cac9791160bf2ccb062aed - 355
[TSSC] manually specified ECID to use, parsed "227840674916" to dec:227840674916 hex:350c5ccc64
[TSSC] manually specified ApNonce to use, parsed "47080312e71eda7ccd8eec33af095f41710fe8db" to hex:47080312e71eda7ccd8eec33af095f41710fe8db
[TSSC] opening restore/BuildManifest_iPhone6,2_1033_OTA.plist
[TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
[TSSR] Sending TSS request attempt 1... success
also requesting APTicket for update installing
[Error] [TSSR] Error: could not get id0 for installType=Update
[WARNING] [TSSR] faild to build tssrequest for alternative installType
[TSSR] User specified not to request a baseband ticket.
[TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
[TSSR] Sending TSS request attempt 1... failure
[Error] ERROR: TSS request failed (status=128, message=An internal error occurred.)
Saved signing tickets!

Build 14G60 for device iPhone6,2 IS being signed!
Do you want to save a copy of the OTA SHSH to somewhere on your computer? (y/n)
n
[Log] SHSH saved
[Log] Starting restore process

[Log] Copying SEP and Baseband
[Log] SEP and Baseband copied

[Log] Cleaning up un-needed files
[Log] Clean up done
[Log] Starting futurerestore
Version: 536fee9e67dbc2842b2e461bb0d23cfd0f6cf903 - 246
Odysseus support: no
[INFO] 64-bit device detected
futurerestore init done
reading signing ticket shsh/OTA.shsh is done
Found device iPhone6,2 n53ap
[TSSC] opening restore/BuildManifest_iPhone6,2_1033_OTA.plist
[TSSR] User specified not to request a baseband ticket.
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Did set SEP+baseband path and firmware
[WARNING] Failed to read BasebandGoldCertID from device! Is it already in recovery?
[WARNING] Using tsschecker's fallback BasebandGoldCertID. This might result in invalid baseband signing status information
[WARNING] Failed to read BasebandSerialNumber from device! Is it already in recovery?
[WARNING] Using tsschecker's fallback BasebandSerialNumber size. This might result in invalid baseband signing status information
[TSSC] opening restore/BuildManifest_iPhone6,2_1033_OTA.plist
[TSSR] User specified to request only a baseband ticket.
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Found device in DFU mode
[Error] unsupported device mode, please put device in recovery mode or normal mode
[Error] Fail code=-3
Failed with errorcode=-3
[Log] Futurerestoring complete

**** Downgrade complete! Enjoy 10.3.3 =) ****
**** Follow me on twitter @mosk_i for help/updates **
```

MatthewPierson commented 5 years ago

This is an issue some people get on Catalina. Don't know why yet but I recommend using Mojave if Catalina doesn't work for you sorry.

motoissa commented 5 years ago

I'm running Mojave

```
**** Matty's iPhone 5s 10.3.3 OTA Downgrader ****
[Log] Removing old files
Please enter device ID (iPhone6,1 or iPhone6,2 only) ONLY THE iPHONE 5s IS SUPPORTED
iPhone6,1
[Log] Vaild device, continuing
[Log] Getting current APNonce
5550335620560
26b40fe2298c628f1a188945ef2dff3d918fbaf8
Version: c0b554e83f54d39d90cac9791160bf2ccb062aed - 355
[TSSC] manually specified ECID to use, parsed "5550335620560" to dec:5550335620560 hex:50c49c875d0
[TSSC] manually specified ApNonce to use, parsed "26b40fe2298c628f1a188945ef2dff3d918fbaf8" to hex:26b40fe2298c628f1a188945ef2dff3d918fbaf8
[TSSC] opening restore/BuildManifest_iPhone6,1_1033_OTA.plist
[TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
[TSSR] Sending TSS request attempt 1... success
also requesting APTicket for update installing
[Error] [TSSR] Error: could not get id0 for installType=Update
[WARNING] [TSSR] faild to build tssrequest for alternative installType
[TSSR] User specified not to request a baseband ticket.
[TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
[TSSR] Sending TSS request attempt 1... failure
[Error] ERROR: TSS request failed (status=128, message=An internal error occurred.)
Saved signing tickets!

Build 14G60 for device iPhone6,1 IS being signed!
Do you want to save a copy of the OTA SHSH to somewhere on your computer? (y/n)
n
[Log] SHSH saved
[Log] Starting restore process

[Log] Copying SEP and Baseband
cp: 10.3.3.custom/Firmware/Mav7Mav8-7.60.00.Release.bbfw: No such file or directory
cp: 10.3.3.custom/Firmware/all_flash/sep-firmware.n53.RELEASE.im4p: No such file or directory
cp: 10.3.3.custom/Firmware/all_flash/sep-firmware.n51.RELEASE.im4p: No such file or directory
[Log] SEP and Baseband copied

[Log] Cleaning up un-needed files
[Log] Clean up done
[Log] Starting futurerestore
Version: 536fee9e67dbc2842b2e461bb0d23cfd0f6cf903 - 246
Odysseus support: no
[INFO] 64-bit device detected
futurerestore init done
reading signing ticket shsh/OTA.shsh is done
Found device iPhone6,1 n51ap
[Error] failed to read SEP
[Error] Fail code=-15
Failed with errorcode=-15
[Log] Futurerestoring complete
```

MatthewPierson commented 5 years ago

You need to run ./prep.sh again and make sure that the sep/baseband files are in 10.3.3.custom/Firmware for baseband and 10.3.3.custom/Firmware/all_flash/ for sep after the script has run.
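
The check described in the reply above, as an added shell example that is not part of the thread or the repository: it confirms that the baseband and SEP files named in the failing `cp` lines are present and non-empty before a restore is attempted. The function name and exit codes are assumptions; the file names and the iPhone6,1/n51 and iPhone6,2/n53 pairing are taken from the logs on this page.

```shell
#!/bin/sh
# Added example, not code from 1033-OTA-Downgrader.
# check_firmware_files is a hypothetical helper name; the file names and the
# device-to-board pairing come from the logs quoted in this thread.
#
# Usage: check_firmware_files <device-id> [custom-firmware-dir]
# Returns 0 if every file is present and non-empty, 1 if any is missing
# or empty, 2 if the device ID is not one of the two seen in the logs.
check_firmware_files() {
    device="$1"
    root="${2:-10.3.3.custom}"

    # Only the two identifiers that appear in the logs are mapped here.
    case "$device" in
        iPhone6,1) sep="sep-firmware.n51.RELEASE.im4p" ;;
        iPhone6,2) sep="sep-firmware.n53.RELEASE.im4p" ;;
        *)
            echo "[Error] no file list for device ID '$device'" >&2
            return 2
            ;;
    esac

    status=0
    for path in \
        "$root/Firmware/Mav7Mav8-7.60.00.Release.bbfw" \
        "$root/Firmware/all_flash/$sep"
    do
        if [ ! -f "$path" ]; then
            echo "[Error] missing: $path (run ./prep.sh again)" >&2
            status=1
        elif [ ! -s "$path" ]; then
            echo "[Error] empty file: $path" >&2
            status=1
        else
            echo "[Log] found: $path"
        fi
    done
    return "$status"
}
```

Stopping on a non-zero status here surfaces the missing files at the point where the log above only shows `cp` errors followed by "[Log] SEP and Baseband copied".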

gb160 commented 5 years ago

> This is an issue some people get on Catalina. Don't know why yet but I recommend using Mojave if Catalina doesn't work for you sorry.

You were right about irecovery, I've run the steps in the script manually and everything works perfectly until sending the ibss/ibec files...it's always the ibec file that it gets stuck at, and times out eventually, obviously the next stages of the script won't work correctly after that.

gb160 commented 5 years ago

@MatthewPierson do you think that the Catalina issues could be related to the switch to using zsh as the default shell?

gb160 commented 5 years ago

After installing a fresh install on Mojave, I'm getting the same issue....fails to correctly send the ibss/ibec files:

```
**** Matty's iPhone 5s 10.3.3 OTA Downgrader ****

Plug device into computer in DFU Mode

THIS WILL FAIL UP TO 40 TIMES, THIS IS NORMAL JUST RE-RUN THIS SCRIPT

There is no current way around this, it's just the nature of the exploit on the 5s

Thanks to Merc (@Vyce_Merculous) for helping me fix stuff with this script!

... Waiting 10 seconds for you to actually read this before continuing ...
[Log] Removing old files

[Log] Entering PWNDFU Mode
No matching processes belonging to you were found
checkm8 exploit by axi0mX
modified version by Linus Henze
s5l8965x support by Matthew Pierson
Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:02 ECID:000000350C5CCC64 IBFL:1C SRTG:[iBoot-1704.10]
Device is now in pwned DFU Mode. (12.66 seconds)
2019-10-12 12:45:20.389 system_profiler[527:7178] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2019-10-12 12:45:20.389 system_profiler[527:7178] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2019-10-12 12:45:20.390 system_profiler[527:7178] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2019-10-12 12:45:20.390 system_profiler[527:7178] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2019-10-12 12:45:20.392 system_profiler[527:7178] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2019-10-12 12:45:20.392 system_profiler[527:7178] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
1
SecureROM Signature check remover by Linus Henze
Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:02 ECID:000000350C5CCC64 IBFL:1C SRTG:[iBoot-1704.10] PWND:[checkm8]
Applying patches...
Successfully applied patches
Resetting device state

[Log] Putting device into PWNDREC mode
[==================================================] 100.0%
ERROR: Unable to connect to device
[Log] Device is now in PWNDREC mode

**** PWNing Completed. Please run restore.sh ****
```

gb160 commented 5 years ago

On iPad Air on Mojave, I'm getting exactly the same error, again it's irecovery failing to send the ibss/ibec successfully:

```
**** Matty's iPhone 5s 10.3.3 OTA Downgrader ****

Plug device into computer in DFU Mode

THIS WILL FAIL UP TO 40 TIMES, THIS IS NORMAL JUST RE-RUN THIS SCRIPT

There is no current way around this, it's just the nature of the exploit on the 5s

Thanks to Merc (@Vyce_Merculous) for helping me fix stuff with this script!

... Waiting 10 seconds for you to actually read this before continuing ...
[Log] Removing old files

[Log] Entering PWNDFU Mode
checkm8 exploit by axi0mX
modified version by Linus Henze
s5l8965x support by Matthew Pierson
Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:10 ECID:000004B7CB02F4D0 IBFL:1C SRTG:[iBoot-1704.10]
Device is now in pwned DFU Mode. (14.63 seconds)
2019-10-12 13:39:11.538 system_profiler[34168:148694] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2019-10-12 13:39:11.539 system_profiler[34168:148694] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2019-10-12 13:39:11.539 system_profiler[34168:148694] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2019-10-12 13:39:11.540 system_profiler[34168:148694] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2019-10-12 13:39:11.541 system_profiler[34168:148694] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2019-10-12 13:39:11.541 system_profiler[34168:148694] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
1
SecureROM Signature check remover by Linus Henze
Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:10 ECID:000004B7CB02F4D0 IBFL:1C SRTG:[iBoot-1704.10] PWND:[checkm8]
Applying patches...
Successfully applied patches
Resetting device state

[Log] Putting device into PWNDREC mode
[==================================================] 100.0%
ERROR: Unable to connect to device
[Log] Device is now in PWNDREC mode

**** PWNing Completed. Please run restore.sh ****
```

gb160 commented 5 years ago

@MatthewPierson Upon some further investigation using a Linux machine, irecovery also fails to send ibec.final, ibss.final sends fine....exactly the same behaviour as on my MacBook....gets stuck at 80.9% every time.

I can only conclude that something's not right with ibec.final

Out of interest approx how big should the ibss/ibec files be?

MatthewPierson commented 5 years ago

iBEC stops sending halfway if the device was not put into PWNREC mode properly or if iBSS had an issue (even if it reported as sending fully). My patches are fine and have been used successfully by many people. You can try manually sending iBSS/iBEC after entering PWNDFU mode and removing sigchecks with "python rmsigchks.py" to see if that fixes the issue.

gb160 commented 5 years ago

PROGRESS!!! Kind of lol.

I was just about to pack it in, but then thought I'd try my iPad Air and to send the ibss/ibec files from my Linux machine (Raspberry Pi)...so I ssh'd the files over to the Pi, put the iPad in pwndfu state, and ran rmsigchks.py from my Mac...this seemed to work so I plugged the iPad into the Pi, and used irecovery to SUCCESSFULLY send ibss/ibec to the iPad, worked first time.

Then I plugged the iPad back into the Mac, ran restore.sh, and lo and behold my iPad is now running 10.3.3.

I'm well happy with it mate, it was unusable on iOS 12.

Just need to work out what the hell is going on with the 5s now.

gb160 commented 5 years ago

More progress, 5S is now up and running 10.3.3

I had to resort to using my Pi again for sending the ibss/ibec again, but it worked after a couple of tries which allowed me to downgrade successfully at long last.

Apologies for doubting your patch method mate, I would conclude that the issue I was having must be down to the hardware (latest MacBook Pro) in combination with irecovery...they just don't play nice together. As this mac only has USB C ports, I'm forced to use a USB adapter so that's another piece of hardware in the way that could've been causing the issue.

Still worth remembering if anyone else comes across this nasty little issue, which I suppose someone will at some point, especially if you start adding more devices to this. Wasn't too difficult to install the dependencies on the pi, took about 10 minutes and I wish I'd tried it sooner.

Cheers buddy!

juul0003v commented 2 years ago

Should I open Mav7Mav8.release.bffw? I have it pasted (approx 22.8MB) in notes on 15.3.1