synackuk / n1ghtshade

A bootchain jailbreak/downgrade utility for 32 bit iOS devices.
https://synackuk.dev/projects/n1ghtshade.html
GNU General Public License v3.0

it apparently works but no. #105

Open evilshado opened 3 years ago

evilshado commented 3 years ago

On Apple A6X (iPad A1460). Seems to work except for these errors: (ERROR: Unable to connect to FDR client (-2)) and (ERROR: Failed to start FDR Ctrl channel). The screen shows a loading bar with the Apple symbol, iOS 6 style (I am trying to downgrade to iOS 6.1.3). After the automatic restart of the iPad, the screen remains black with no life signal. Connecting the iPad to the Mac, iTunes warns that the iPad needs to be restored.

evilshado commented 3 years ago

full log

checkm8 by axi0mX
Grooming heap
Preparing for overwrite
Grooming heap
Overwriting task struct
Uploading payload
Executing payload
Device is now in pwned DFU mode
Finding iBSS for device
Uploading iBSS
Executing iBSS
Finding iBEC for device
Uploading iBEC
Executing iBEC
Downloading atropine hooker
Uploading atropine hooker
Executing hooker
Downloading atropine
Uploading atropine
Loading payload
Restoring device
Found device in Recovery mode
Identified device as p103ap, iPad3,6
Extracting BuildManifest from IPSW
Product Version: 6.1.3
Product Build: 10B329 Major: 10
INFO: device serial number is ****
Device supports Image4: false
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
Checking IPSW for required components...
All required components found in IPSW
Extracting filesystem from IPSW: 048-2562-005.dmg
Found ECID *
Getting ApNonce in recovery mode... *****
Trying to fetch new SHSH blob
Getting SepNonce in recovery mode...
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Received SHSH blobs
Sending APTicket (2764 bytes)
Extracting iBEC.p103ap.RELEASE.dfu...
Not personalizing component iBEC...
Sending iBEC (289284 bytes)...
Getting ApNonce in recovery mode... ***
Sending APTicket (2764 bytes)
Recovery Mode Environment:
iBoot build-version=iBoot-1537.9.55
iBoot build-style=RELEASE
Sending RestoreLogo...
Extracting applelogo@2x.s5l8955x.img3...
Not personalizing component RestoreLogo...
Sending RestoreLogo (15236 bytes)...
ramdisk-size=RELEASE
Extracting 048-2666-005.dmg...
Not personalizing component RestoreRamDisk...
Sending RestoreRamDisk (9914756 bytes)...
Extracting DeviceTree.p103ap.img3...
Not personalizing component RestoreDeviceTree...
Sending RestoreDeviceTree (85124 bytes)...
Extracting kernelcache.release.p103...
Not personalizing component RestoreKernelCache...
Sending RestoreKernelCache (7875332 bytes)...
Waiting for device to enter restore mode...
About to restore device...
Connecting now...
Connected to com.apple.mobile.restored, version 12
Device ** has successfully entered restore mode
Hardware Information:
BoardID: 4
ChipID: ****
UniqueChipID: *
ProductionMode: true
Starting FDR listener thread
ERROR: Unable to connect to FDR client (-2)
ERROR: Failed to start FDR Ctrl channel
Waiting for NAND (28)
Creating partition map (11)
Creating filesystem (12)
Creating filesystem (12)
Checking filesystems (15)
Mounting filesystems (16)
Checking filesystems (15)
Mounting filesystems (16)
Resizing system partition (51)
Unmounting filesystems (29)
Unmounting filesystems (29)
About to send RootTicket...
Sending RootTicket now...
Done sending RootTicket
About to send filesystem...
Connected to ASR
Validating the filesystem
Filesystem validated
Sending filesystem now...
Done sending filesystem
Verifying restore (14)
Checking filesystems (15)
Mounting filesystems (16)
Checking filesystems (15)
Mounting filesystems (16)
About to send KernelCache...
Extracting kernelcache.release.p103...
Not personalizing component KernelCache...
Sending KernelCache now...
Done sending KernelCache
Installing kernelcache (27)
Fixing up /var (17)
Modifying persistent boot-args (25)
About to send NORData...
Found firmware path Firmware/all_flash/all_flash.p103ap.production
Getting firmware manifest from Firmware/all_flash/all_flash.p103ap.production/manifest
Personalizing IMG3 component LLB...
reconstructed size: 162150
Not personalizing component iBoot...
Extracting DeviceTree.p103ap.img3...
Not personalizing component DeviceTree...
Extracting applelogo@2x.s5l8955x.img3...
Not personalizing component AppleLogo...
Extracting batterylow0@2x.s5l8955x.img3...
Not personalizing component BatteryLow0...
Extracting batterylow1@2x.s5l8955x.img3...
Not personalizing component BatteryLow1...
Extracting glyphcharging@2x.s5l8955x.img3...
Not personalizing component BatteryCharging...
Extracting batterycharging0@2x.s5l8955x.img3...
Not personalizing component BatteryCharging0...
Extracting batterycharging1@2x.s5l8955x.img3...
Not personalizing component BatteryCharging1...
Extracting glyphplugin@2x.s5l8955x.img3...
Not personalizing component BatteryPlugin...
Extracting batteryfull@2x.s5l8955x.img3...
Not personalizing component BatteryFull...
Extracting recoverymode@2x~ipad.s5l8955x.img3...
Not personalizing component RecoveryMode...
Extracting iBoot.p103ap.RELEASE.img3...
Not personalizing component iBoot...
Sending NORData now...
Done sending NORData
Flashing firmware (18)
Updating gas gauge software (46)
Updating gas gauge software (46)
Updating baseband (19)
About to send BasebandData...
Sending Baseband TSS request...
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Received Baseband SHSH blobs
Sending BasebandData now...
Done sending BasebandData
Updating baseband (19)
Updating baseband (19)
Updating baseband (19)
Updating baseband (19)
Updating baseband (19)
Updating Baseband in progress...
About to send BasebandData...
Sending Baseband TSS request...
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Received Baseband SHSH blobs
Sending BasebandData now...
Done sending BasebandData
Updating Baseband in progress...
About to send BasebandData...
Sending BasebandData now...
Done sending BasebandData
Updating baseband (19)
Updating baseband (19)
Updating baseband (19)
Updating baseband (19)
Updating Baseband in progress...
About to send BasebandData...
Sending BasebandData now...
Done sending BasebandData
Updating baseband (19)
Updating baseband (19)
Updating baseband (19)
Updating baseband (19)
Updating baseband (19)
Updating Baseband completed.
Creating system key bag (49)
Resizing system partition (51)
Unmounting filesystems (29)
Unmounting filesystems (29)
Got status message
Status: Restore Finished
Cleaning up...
DONE
Done.

corece commented 3 years ago

iPhone5,2, same

evilshado commented 3 years ago

I have tried with old versions, but the old ones don't work correctly either.

synackuk commented 3 years ago

Once at the black screen, do a tethered boot and it should boot fine.

mba08mc commented 3 years ago

I did the restore; afterwards, when I boot tethered, it says:

Error in exploits/checkm8/checkm8.c:137 "Failed To Send Abort."
Error in libelladonna.c:288 "Failed to enter pwned dfu mode"
Error in libelladonna.c:643 "Failed to put device into pwned dfu mode"
Error in libelladonna.c:689 "Failed to put device into pwned dfu mode"
Failed To Boot Tethered
