synackuk / n1ghtshade

A bootchain jailbreak/downgrade utility for 32 bit iOS devices.
https://synackuk.dev/projects/n1ghtshade.html
GNU General Public License v3.0

Stuck on "Received Baseband SHSH blobs" #155

Closed ProfessrOak closed 1 year ago

ProfessrOak commented 1 year ago

macOS Version: 12.6.6 (It's a hackintosh, if that matters)
Model: A1459
Version I'm trying to downgrade to: 6.0.1
Device Identifier: iPad3,5

It gets stuck on "Received Baseband SHSH blobs." I waited for an entire hour but it didn't get any further than that.

Log:

```text
Found supported exploit checkm8
Grooming heap
Preparing for overwrite
Grooming heap
Overwriting task struct
Uploading payload
Executing payload
Device is now in pwned DFU mode
Restoring device
Found device in DFU mode
ECID: 1641954262512
Identified device as p102ap, iPad3,5
Extracting BuildManifest from IPSW
Product Version: 6.0.1
Product Build: 10A8426
Major: 10
Device supports Image4: false
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
Checking IPSW for required components...
All required components found in IPSW
Using cached filesystem from '/Volumes/Slow/iPad3,5_6.0.1_10A8426_Restore/038-4580-135.dmg'
Getting ApNonce in dfu mode...
aa 2d 08 32 ad 8f 57 cc b4 6f f4 ea 98 bf 8b 6d d7 77 cb 87
Trying to fetch new SHSH blob
Getting SepNonce in dfu mode...
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1...
response successfully received
Received SHSH blobs
Extracting iBSS.p102ap.RELEASE.dfu (Firmware/dfu/iBSS.p102ap.RELEASE.dfu)...
Sending iBSS (76292 bytes)...
Uploading command
Executing command
Nonce: aa 2d 08 32 ad 8f 57 cc b4 6f f4 ea 98 bf 8b 6d d7 77 cb 87
Extracting iBEC.p102ap.RELEASE.dfu (Firmware/dfu/iBEC.p102ap.RELEASE.dfu)...
Not personalizing component iBEC...
Sending iBEC (289284 bytes)...
INFO: device serial number is DMPJM6XFF188
Finding appropriate atropine payload
Uploading atropine
Executing atropine
Getting ApNonce in recovery mode...
aa 2d 08 32 ad 8f 57 cc b4 6f f4 ea 98 bf 8b 6d d7 77 cb 87
Sending APTicket (2764 bytes)
Recovery Mode Environment:
iBoot build-version=iBoot-1537.4.21
iBoot build-style=RELEASE
Sending RestoreLogo...
Extracting applelogo@2x.s5l8955x.img3 (Firmware/all_flash/all_flash.p102ap.production/applelogo@2x.s5l8955x.img3)...
Not personalizing component RestoreLogo...
Sending RestoreLogo (15236 bytes)...
ramdisk-size=RELEASE
Extracting 038-7650-013.dmg (038-7650-013.dmg)...
Not personalizing component RestoreRamDisk...
Sending RestoreRamDisk (9697668 bytes)...
Extracting DeviceTree.p102ap.img3 (Firmware/all_flash/all_flash.p102ap.production/DeviceTree.p102ap.img3)...
Not personalizing component RestoreDeviceTree...
Sending RestoreDeviceTree (84996 bytes)...
Extracting kernelcache.release.p102 (kernelcache.release.p102)...
Not personalizing component RestoreKernelCache...
Sending RestoreKernelCache (7893636 bytes)...
Waiting for device to enter restore mode...
About to restore device...
Connecting now...
Connected to com.apple.mobile.restored, version 12
Device f6d7fa00e7459d6a807752d0332fee49a9df8931 has successfully entered restore mode
Hardware Information:
BoardID: 2
ChipID: 35157
UniqueChipID: 1641954262512
ProductionMode: true
Starting Reverse Proxy
Waiting for NAND (28)
Creating partition map (11)
Creating filesystem (12)
Creating filesystem (12)
Checking filesystems (15)
Mounting filesystems (16)
Checking filesystems (15)
Mounting filesystems (16)
Resizing system partition (51)
Unmounting filesystems (29)
Unmounting filesystems (29)
About to send RootTicket...
Sending RootTicket now...
Done sending RootTicket
About to send filesystem...
Connected to ASR
Validating the filesystem
Filesystem validated
Sending filesystem now...
Done sending filesystem
Verifying restore (14)
Checking filesystems (15)
Mounting filesystems (16)
Checking filesystems (15)
Mounting filesystems (16)
About to send KernelCache...
Extracting kernelcache.release.p102 (kernelcache.release.p102)...
Not personalizing component KernelCache...
Sending KernelCache now...
Done sending KernelCache
Installing kernelcache (27)
Fixing up /var (17)
Modifying persistent boot-args (25)
About to send NORData...
Found firmware path Firmware/all_flash
Getting firmware manifest from build identity
Personalizing IMG3 component LLB...
reconstructed size: 162150
Not personalizing component AppleLogo...
Not personalizing component BatteryCharging0...
Not personalizing component BatteryCharging1...
Not personalizing component BatteryFull...
Not personalizing component BatteryLow0...
Not personalizing component BatteryLow1...
Not personalizing component BatteryPlugin...
Extracting DeviceTree.p102ap.img3 (Firmware/all_flash/all_flash.p102ap.production/DeviceTree.p102ap.img3)...
Not personalizing component DeviceTree...
Not personalizing component RecoveryMode...
Not personalizing component iBoot...
Extracting iBoot.p102ap.RELEASE.img3 (Firmware/all_flash/all_flash.p102ap.production/iBoot.p102ap.RELEASE.img3)...
Retagging IMG3 component iBoot...
reconstructed size: 289284
Sending NORData now...
Done sending NORData
Flashing firmware (18)
Updating gas gauge software (46)
Updating gas gauge software (46)
Updating baseband (19)
About to send BasebandData...
Sending Baseband TSS request...
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1...
response successfully received
Received Baseband SHSH blobs
```
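The log above runs to several hundred lines, and the useful fact for triage is simply how far the restore got before it stopped. The following script is an added example, not part of this issue or of the n1ghtshade project: it parses a restore transcript in the format quoted here, extracts the numbered restore stages (lines such as `Updating baseband (19)`), counts TSS requests and received SHSH blobs, and flags the case where the last thing logged is `Received Baseband SHSH blobs`, so the stall is after the baseband TSS exchange rather than in reaching the TSS server. The line patterns are assumptions taken from the quoted log, and the embedded excerpt is constructed from its tail.

```python
# Added example (not the issue's or the project's own code): summarise where a
# restore log of the kind quoted in this issue stops. Line patterns are assumed
# from that log; SAMPLE_LOG is a constructed excerpt of its last lines.
import re

SAMPLE_LOG = """\
Sending NORData now...
Done sending NORData
Flashing firmware (18)
Updating gas gauge software (46)
Updating gas gauge software (46)
Updating baseband (19)
About to send BasebandData...
Sending Baseband TSS request...
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1...
response successfully received
Received Baseband SHSH blobs
"""

# Restore progress lines look like "Updating baseband (19)": a stage name and a
# numeric stage code in parentheses at the very end of the line. Component
# sends such as "Sending RestoreLogo (15236 bytes)..." do not match because of
# the word "bytes" and the trailing dots.
STAGE_RE = re.compile(r"^(?P<name>[A-Za-z][^()]*?) \((?P<code>\d+)\)$")
TSS_ATTEMPT_RE = re.compile(r"^Sending TSS request attempt (?P<n>\d+)\.\.\.$")
# "Received SHSH blobs" (AP ticket) or "Received Baseband SHSH blobs".
BLOBS_RE = re.compile(r"^Received (?P<kind>\w+ )?SHSH blobs$")


def parse_stages(log: str) -> list[tuple[str, int]]:
    """Return every (stage name, stage code) pair in the order it was logged."""
    stages = []
    for line in log.splitlines():
        m = STAGE_RE.match(line.strip())
        if m:
            stages.append((m.group("name"), int(m.group("code"))))
    return stages


def summarize(log: str) -> dict:
    """Summarise how far a restore got before the log ends."""
    lines = [ln.strip() for ln in log.splitlines() if ln.strip()]
    stages = parse_stages(log)
    tss_attempts = sum(1 for ln in lines if TSS_ATTEMPT_RE.match(ln))
    blobs = [m.group("kind").strip() if m.group("kind") else "AP"
             for m in (BLOBS_RE.match(ln) for ln in lines) if m]
    last_line = lines[-1] if lines else ""
    return {
        "last_stage": stages[-1] if stages else None,
        "last_line": last_line,
        "tss_attempts": tss_attempts,
        "blobs_received": blobs,
        # The blobs arrived but nothing followed: the TSS server answered, so
        # the stall is in what happens after the baseband ticket is received.
        "stalled_after_baseband_tss": last_line == "Received Baseband SHSH blobs",
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full saved transcript by replacing `SAMPLE_LOG` with the file contents; `last_stage` tells you the last numbered restore step reached and `stalled_after_baseband_tss` distinguishes "could not get a baseband ticket" from "got the ticket and hung afterwards", which is the situation in this issue.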

mba08mc commented 1 year ago

May be a corrupt baseband. Restore to 10.3.3 and try again. Make sure you downloaded the iPad 4 WiFi IPSW and not the cellular version.

Edit: my bad, only cellular iPads have a baseband. If yours is WiFi you might have used a cellular IPSW.

ProfessrOak commented 1 year ago

No, you're good. Mine is a cellular model. I tried restoring to 10.3.3 and running n1ghtshade again, but it still wouldn't get past "received baseband SHSH blobs". Would using the IPSW file for an iPad3,4 (wifi only model) help? I double checked and made sure I did indeed have the right IPSW.

mba08mc commented 1 year ago

Sure, you could try with a WiFi IPSW, but I heavily doubt that would work. What version of macOS are you using? Also maybe try using a different iOS version such as 6.0 or 6.0.2.

ProfessrOak commented 1 year ago

I got it to work by signing out and removing it from my Apple ID. My guess is that since iOS 6 never originally had Activation Lock, it refused to complete the process since it would've been activation locked.