edwin170 / downr1n

downgrade tethered checkm8 idevices ios 14, 15.
Apache License 2.0

ipad pro 9.7 on 16.7.5. tried to downgrade to 15.7. get this error: Failed to get apnonce from device. #101

Closed StephySARS closed 5 months ago

StephySARS commented 6 months ago

```
[*] Command ran: ./downr1n.sh --downgrade 15.7
downr1n | Version 3.0
Created by edwin, thanks palera1, and all people creator of path file boot

[] Waiting for devices
[] Detected normal mode device
Hello, iPad6,3 on 15.7!
[] Switching device into recovery mode...
./downr1n.sh: line 662: [: too many arguments
[] Waiting for device in recovery mode
[] Waiting for devices
[] Detected recovery mode device
[] Getting device info...
Detected cpid, your cpid is 0x8001
Detected model, your model is j127ap
Detected deviceid, your deviceid is iPad6,3
[] To get into DFU mode, you will be guided through 2 steps:
[] Press any key when ready for DFU mode
Get ready (0)
Release power button, but keep holding home button (9)
Release power button, but keep holding home button (3)
[] Device entered DFU!
./downr1n.sh: line 705: [: ipsw/iPadPro_9.7_14.8_18H17_Restore.ipsw: unary operator expected
[-] we found ipsw/iPadPro_9.7_15.7_19H12_Restore.ipsw, do you want to use it ? please write, yes or no
yes
ipsw/iPadPro_9.7_15.7_19H12_Restore.ipsw
[] Checking if the ipsw is for your device
[] Checking ipsw version
[] Extracting ipsw, hang on please ...
[] Got extract the IPSW successfully
[] Creating ramdisk
[-] Ramdisk is already created so SKIPPING ...
[] Booting ramdisk
[/] We couldn't get the ipsw curl. we will proceed with -k option with curl
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8001 CPRV:10 CPFM:03 SCEP:01 BDID:08 ECID:0012386E38F82226 IBFL:1C SRTG:[iBoot-2481.0.0.2.1]
Found the USB handle.
Stage: RESET
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8001 CPRV:10 CPFM:03 SCEP:01 BDID:08 ECID:0012386E38F82226 IBFL:1C SRTG:[iBoot-2481.0.0.2.1]
Found the USB handle.
Stage: SPRAY
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8001 CPRV:10 CPFM:03 SCEP:01 BDID:08 ECID:0012386E38F82226 IBFL:1C SRTG:[iBoot-2481.0.0.2.1]
Found the USB handle.
Stage: SETUP
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8001 CPRV:10 CPFM:03 SCEP:01 BDID:08 ECID:0012386E38F82226 IBFL:1C SRTG:[iBoot-2481.0.0.2.1]
Found the USB handle.
Stage: PATCH
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8001 CPRV:10 CPFM:03 SCEP:01 BDID:08 ECID:0012386E38F82226 IBFL:1C SRTG:[iBoot-2481.0.0.2.1] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
bind(): Address already in use
Error creating socket for listen port 2222: Address already in use
[] Waiting for the ramdisk to finish booting
[] Mounting filesystems ...
[] Dumpped SHSH
[] Checking device version
the version that the device is currently in is 16.7.5
[] extracting kernel ...
[] extracted
Reboot into recovery mode ...
[] To get into DFU mode, you will be guided through 2 steps:
[] Press any key when ready for DFU mode
Get ready (0)
Release power button, but keep holding home button (9)
Release power button, but keep holding home button (2)
[] Device entered DFU!
[ ]Patching some boot files...
[] Finished moving the boot files to work
[] Decrypthing ibss and iboot
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8001 CPRV:10 CPFM:03 SCEP:01 BDID:08 ECID:0012386E38F82226 IBFL:1C SRTG:[iBoot-2481.0.0.2.1]
Found the USB handle.
Stage: RESET
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8001 CPRV:10 CPFM:03 SCEP:01 BDID:08 ECID:0012386E38F82226 IBFL:1C SRTG:[iBoot-2481.0.0.2.1]
Found the USB handle.
Stage: SPRAY
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8001 CPRV:10 CPFM:03 SCEP:01 BDID:08 ECID:0012386E38F82226 IBFL:1C SRTG:[iBoot-2481.0.0.2.1]
Found the USB handle.
Stage: SETUP
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8001 CPRV:10 CPFM:03 SCEP:01 BDID:08 ECID:0012386E38F82226 IBFL:1C SRTG:[iBoot-2481.0.0.2.1]
Found the USB handle.
Stage: PATCH
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8001 CPRV:10 CPFM:03 SCEP:01 BDID:08 ECID:0012386E38F82226 IBFL:1C SRTG:[iBoot-2481.0.0.2.1] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
Found the USB handle.
[] Patching the kernel
[] Patching the kernel to restore using futurerestore
[] Patching devicetree
[] Patching the restored_external and asr, and saving them into the ramdisk ...
"disk5" ejected.
work/devicetree.img4 -> boot/iPad6,3/devicetree.img4
work/iBEC.img4 -> boot/iPad6,3/iBEC.img4
work/iBSS.img4 -> boot/iPad6,3/iBSS.img4
work/kernelcache.img4 -> boot/iPad6,3/kernelcache.img4
work/trustcache.img4 -> boot/iPad6,3/trustcache.img4
[] Sucess Patching the boot files
[] Checking if the llb was already replaced
[*] Executing futurerestore ...
Press ENTER to continue with futurerestore, your device will start to restoring <-
./downr1n.sh: line 386: [: missing `]'
Version: v2.0.0(36879969be71d56af062aa99be5f28ee482a12bc-309)
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f-RELEASE
libipatcher version: 0.91-cb10d973d0af78cc55020d4cf1187c28fad0f2a0-RELEASE
Odysseus for 32-bit support: yes
Odysseus for 64-bit support: yes
Checking for updates...
Futurerestore is up to date!
[INFO] 64-bit device detected
futurerestore init done
reading signing ticket blobs/iPad6,3-15.7.shsh2 is done
User specified to use latest signed SEP
Using cached SEP.
Checking if SEP is being signed...
Sending TSS request attempt 1... response successfully received
SEP is being signed!

WARNING: user specified is not to flash a baseband. This can make the restore fail if the device needs a baseband!

If you added this flag by mistake, you can press CTRL-C now to cancel
Continuing restore in 10 9 8 7 6 5 4 3 2 1
Downloading the latest firmware components...
Finished downloading the latest firmware components!
Found device in DFU mode
requesting to get into pwnRecovery later
Found device in DFU mode
Identified device as j127ap, iPad6,3
Extracting BuildManifest from iPSW
Product version: 15.7
Product build: 19H12 Major: 19
Device supports Image4: true
checking if the APTicket is valid for this restore...
Verified ECID in APTicket matches the device's ECID
checking if the APTicket is valid for this restore...
Verified ECID in APTicket matches the device's ECID
[IMG4TOOL] checking buildidentity 0:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking buildidentity has all required hashes:
[IMG4TOOL] checking hash for "AOP" OK (untrusted)
[IMG4TOOL] checking hash for "Ap,SystemVolumeCanonicalMetadata"BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AppleLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryFull" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryPlugin" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "DeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "KernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "LLB" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "OS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RecoveryMode" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreDeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreKernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreRamDisk" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreSEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "StaticTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SystemVolume" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "ftsp" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "iBEC" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBoot" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "rfta" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "rfts" IGN (no digest in BuildManifest)

failed verification with error:
[exception]: what=verification failed! code=84279308 line=1286 file=img4tool.cpp commit count=197 commit sha =aca6cf005c94caf135023263cbb5c61a0081804f
[IMG4TOOL] checking buildidentity 1:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 2:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking buildidentity has all required hashes:
[IMG4TOOL] checking hash for "AOP" OK (untrusted)
[IMG4TOOL] checking hash for "Ap,SystemVolumeCanonicalMetadata"BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AppleLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryFull" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryPlugin" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "DeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "KernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "LLB" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "OS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RecoveryMode" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreDeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreKernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreRamDisk" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreSEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "StaticTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SystemVolume" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "ftsp" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "iBEC" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBoot" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "rfta" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "rfts" IGN (no digest in BuildManifest)

failed verification with error:
[exception]: what=verification failed! code=84279308 line=1286 file=img4tool.cpp commit count=197 commit sha =aca6cf005c94caf135023263cbb5c61a0081804f
[IMG4TOOL] checking buildidentity 3:
[IMG4TOOL] checking buildidentity matches board ... NO
[WARNING] NOT VALIDATING SHSH BLOBS IM4M!
[Error] BuildIdentity selected for restore does not match APTicket

BuildIdentity selected for restore:
BuildNumber : 19H12
BuildTrain : SkySecuritySydney
DeviceClass : j127ap
FDRSupport : YES
MobileDeviceMinVersion : 1351
RestoreBehavior : Erase
Variant : Customer Erase Install (IPSW)

BuildIdentity is valid for the APTicket:
IM4M is not valid for any restore within the Buildmanifest
This APTicket can't be used for restoring this firmware
[WARNING] NOT VALIDATING SHSH BLOBS!
Variant: Customer Erase Install (IPSW)
This restore will erase all device data.
Device found in DFU Mode.
Sending iBSS (244293 bytes)...
[==================================================] 100.0%
Booting iBSS, waiting for device to disconnect...
Booting iBSS, waiting for device to reconnect...
Sending iBEC (437381 bytes)...
[==================================================] 100.0%
Booting iBEC, waiting for device to disconnect...
Booting iBEC, waiting for device to reconnect...
INFO: device serial number is DMPRJGM2H1MV
ApNonce pre-hax:
Getting ApNonce in recovery mode... 4f fa e9 4d 23 85 3d 28 43 6e 36 e5 b7 cb cd c3 6f 2c d4 f7
ApNonce from device doesn't match IM4M nonce, applying hax...
Writing generator=0x20c1480f000a992d to nvram!
Sending iBEC (437381 bytes)...
[==================================================] 100.0%
ERROR: Device is in an invalid state
Booting iBEC, waiting for device to disconnect...
Booting iBEC, waiting for device to reconnect...
APnonce post-hax:
Getting ApNonce failed
Cleaning up...
[exception]: what=Failed to get apnonce from device! code=53936196 line=823 file=/Users/runner/work/futurerestore/futurerestore/src/futurerestore.cpp commit count=309 commit sha =36879969be71d56af062aa99be5f28ee482a12bc
Done: restoring failed!
if futurerestore failed you can try execute the command below
if futurerestore didn't finish succesfully please try to run (with sudo or without) this command: /Users/john/downloads/downr1n/binaries/Darwin/futurerestore -t blobs/iPad6,3-15.7.shsh2 --use-pwndfu --skip-blob --rdsk work/rdsk.im4p --rkrn work/krnl.im4p --latest-sep --no-baseband ipsw/iPadPro_9.7_15.7_19H12_Restore.ipsw
if futurerestore restore sucess, you can boot using --boot
```
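A triage helper for logs like the one in the post above, added here as an example (not part of the thread, downr1n or futurerestore): it tallies the img4tool hash verdicts per build identity and flags the warnings that precede the ApNonce failure. The sample log is a constructed, shortened excerpt, and the function name `summarize` is an assumption.

```python
import re

# Constructed, shortened excerpt modelled on the output quoted above.
SAMPLE = '''\
[IMG4TOOL] checking buildidentity 0:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking hash for "AOP" OK (untrusted)
[IMG4TOOL] checking hash for "KernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap" IGN (no digest in BuildManifest)
[IMG4TOOL] checking buildidentity 1:
[IMG4TOOL] checking buildidentity matches board ... NO
[WARNING] NOT VALIDATING SHSH BLOBS IM4M!
[Error] BuildIdentity selected for restore does not match APTicket
ApNonce from device doesn't match IM4M nonce, applying hax...
[exception]: what=Failed to get apnonce from device! code=53936196 line=823
'''

IDENT = re.compile(r'checking buildidentity (\d+):')
BOARD = re.compile(r'matches board \.\.\. (YES|NO)')
HASH = re.compile(r'checking hash for "([^"]+)"\s*(OK|BAD!|IGN)')
WHAT = re.compile(r'\[exception\]: what=(.*?) code=')

def summarize(log):
    """Summarise img4tool/futurerestore output; also works on flattened text."""
    identities = []
    parts = IDENT.split(log)  # [prefix, idx0, body0, idx1, body1, ...]
    for idx, body in zip(parts[1::2], parts[2::2]):
        board = BOARD.search(body)
        counts = {"OK": 0, "BAD": 0, "IGN": 0}
        bad = []
        for name, verdict in HASH.findall(body):
            key = verdict.rstrip("!")
            counts[key] += 1
            if key == "BAD":
                bad.append(name)
        identities.append({
            "index": int(idx),
            "matches_board": bool(board) and board.group(1) == "YES",
            "counts": counts,
            "bad": bad,
        })
    return {
        "identities": identities,
        "blob_validation_skipped": "NOT VALIDATING SHSH BLOBS" in log,
        "ticket_mismatch": "does not match APTicket" in log,
        "nonce_mismatch": "doesn't match IM4M nonce" in log,
        "exceptions": WHAT.findall(log),
    }
```

Call `summarize()` on the saved terminal output; a board-matching identity with a non-empty `bad` list means the ticket does not cover those components of the chosen IPSW.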

edwin170 commented 6 months ago

try again `/Users/john/downloads/downr1n/binaries/Darwin/futurerestore -t blobs/iPad6,3-15.7.shsh2 --use-pwndfu --skip-blob --rdsk work/rdsk.im4p --rkrn work/krnl.im4p --latest-sep --no-baseband ipsw/iPadPro_9.7_15.7_19H12_Restore.ipsw`

StephySARS commented 6 months ago

> try again `/Users/john/downloads/downr1n/binaries/Darwin/futurerestore -t blobs/iPad6,3-15.7.shsh2 --use-pwndfu --skip-blob --rdsk work/rdsk.im4p --rkrn work/krnl.im4p --latest-sep --no-baseband ipsw/iPadPro_9.7_15.7_19H12_Restore.ipsw`

Tried, but it still failed, getting stuck at Sending iBEC...

edwin170 commented 6 months ago

> > try again `/Users/john/downloads/downr1n/binaries/Darwin/futurerestore -t blobs/iPad6,3-15.7.shsh2 --use-pwndfu --skip-blob --rdsk work/rdsk.im4p --rkrn work/krnl.im4p --latest-sep --no-baseband ipsw/iPadPro_9.7_15.7_19H12_Restore.ipsw`
>
> Tried, but it still failed, getting stuck at Sending iBEC...

try with a lower iOS, like iOS 15.4 below

StephySARS commented 6 months ago

At first I tried iOS 14.8; it failed with a different error, and I forgot to copy the log. Something like cannot connect to ipsw.me to get keys. Then I tried 15.7 but still no luck.

edwin170 commented 6 months ago

> At first I tried iOS 14.8; it failed with a different error, and I forgot to copy the log. Something like cannot connect to ipsw.me to get keys. Then I tried 15.7 but still no luck.

If it is about getting keys, you should add `--keyServer` to your command.