From 07adf2a64d5efc64bb837a9c0e89d2142833c494 Mon Sep 17 00:00:00 2001 From: LukeeGD Date: Tue, 19 Nov 2019 23:17:44 +0800 Subject: [PATCH] WIP --- .gitignore | 3 + README.md | 2 + patch/iBSS.n94.RELEASE.patch | Bin 138 -> 0 bytes {patch => patches}/iBSS.j1.RELEASE.patch | Bin {patch => patches}/iBSS.j2.RELEASE.patch | Bin {patch => patches}/iBSS.j2a.RELEASE.patch | Bin {patch => patches}/iBSS.k93.RELEASE.patch | Bin {patch => patches}/iBSS.k93a.RELEASE.patch | Bin {patch => patches}/iBSS.k94.RELEASE.patch | Bin {patch => patches}/iBSS.k95.RELEASE.patch | Bin {patch => patches}/iBSS.n41.RELEASE.patch | Bin {patch => patches}/iBSS.n42.RELEASE.patch | Bin {patch => patches}/iBSS.n78.RELEASE.patch | Bin patches/iBSS.n94.RELEASE.patch | Bin 0 -> 172 bytes {patch => patches}/iBSS.p101.RELEASE.patch | Bin {patch => patches}/iBSS.p102.RELEASE.patch | Bin {patch => patches}/iBSS.p103.RELEASE.patch | Bin {patch => patches}/iBSS.p105.RELEASE.patch | Bin {patch => patches}/iBSS.p106.RELEASE.patch | Bin {patch => patches}/iBSS.p107.RELEASE.patch | Bin restore.sh | 143 +++++++++++++++++++-- 21 files changed, 139 insertions(+), 9 deletions(-) create mode 100644 .gitignore delete mode 100644 patch/iBSS.n94.RELEASE.patch rename {patch => patches}/iBSS.j1.RELEASE.patch (100%) rename {patch => patches}/iBSS.j2.RELEASE.patch (100%) rename {patch => patches}/iBSS.j2a.RELEASE.patch (100%) rename {patch => patches}/iBSS.k93.RELEASE.patch (100%) rename {patch => patches}/iBSS.k93a.RELEASE.patch (100%) rename {patch => patches}/iBSS.k94.RELEASE.patch (100%) rename {patch => patches}/iBSS.k95.RELEASE.patch (100%) rename {patch => patches}/iBSS.n41.RELEASE.patch (100%) rename {patch => patches}/iBSS.n42.RELEASE.patch (100%) rename {patch => patches}/iBSS.n78.RELEASE.patch (100%) create mode 100644 patches/iBSS.n94.RELEASE.patch rename {patch => patches}/iBSS.p101.RELEASE.patch (100%) rename {patch => patches}/iBSS.p102.RELEASE.patch (100%) rename {patch => patches}/iBSS.p103.RELEASE.patch (100%) rename {patch => patches}/iBSS.p105.RELEASE.patch (100%) rename {patch => patches}/iBSS.p106.RELEASE.patch (100%) rename {patch => patches}/iBSS.p107.RELEASE.patch (100%) mode change 100644 => 100755 restore.sh diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..823ad6f --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +*.shsh2 +tmp/ +tools/ diff --git a/README.md b/README.md index f60bdcc..e7d6433 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,4 @@ # 841-OTA-Downgrader Downgrade almost any 32-bit device to iOS 8.4.1 + +### WIP diff --git a/patch/iBSS.n94.RELEASE.patch b/patch/iBSS.n94.RELEASE.patch deleted file mode 100644 index 548c17639324082c7f217b068abdaf9cbd406ff8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 138 zcmZmbNDy#fa9~hiFgVLF z<*VExH6Npj-IFvAwKQ1i&dxxnUurvd7Xw4b0fqxi3>-k!XIM3twU`O=ix;_C1WW+Q Kg49BIAgcfc*CMk3 diff --git a/patch/iBSS.j1.RELEASE.patch b/patches/iBSS.j1.RELEASE.patch similarity index 100% rename from patch/iBSS.j1.RELEASE.patch rename to patches/iBSS.j1.RELEASE.patch diff --git a/patch/iBSS.j2.RELEASE.patch b/patches/iBSS.j2.RELEASE.patch similarity index 100% rename from patch/iBSS.j2.RELEASE.patch rename to patches/iBSS.j2.RELEASE.patch diff --git a/patch/iBSS.j2a.RELEASE.patch b/patches/iBSS.j2a.RELEASE.patch similarity index 100% rename from patch/iBSS.j2a.RELEASE.patch rename to patches/iBSS.j2a.RELEASE.patch diff --git a/patch/iBSS.k93.RELEASE.patch b/patches/iBSS.k93.RELEASE.patch similarity index 100% rename from patch/iBSS.k93.RELEASE.patch rename to patches/iBSS.k93.RELEASE.patch diff --git a/patch/iBSS.k93a.RELEASE.patch b/patches/iBSS.k93a.RELEASE.patch similarity index 100% rename from patch/iBSS.k93a.RELEASE.patch rename to patches/iBSS.k93a.RELEASE.patch diff --git a/patch/iBSS.k94.RELEASE.patch b/patches/iBSS.k94.RELEASE.patch similarity index 100% rename from patch/iBSS.k94.RELEASE.patch rename to patches/iBSS.k94.RELEASE.patch diff --git a/patch/iBSS.k95.RELEASE.patch b/patches/iBSS.k95.RELEASE.patch similarity index 100% rename from patch/iBSS.k95.RELEASE.patch rename to patches/iBSS.k95.RELEASE.patch diff --git a/patch/iBSS.n41.RELEASE.patch b/patches/iBSS.n41.RELEASE.patch similarity index 100% rename from patch/iBSS.n41.RELEASE.patch rename to patches/iBSS.n41.RELEASE.patch diff --git a/patch/iBSS.n42.RELEASE.patch b/patches/iBSS.n42.RELEASE.patch similarity index 100% rename from patch/iBSS.n42.RELEASE.patch rename to patches/iBSS.n42.RELEASE.patch diff --git a/patch/iBSS.n78.RELEASE.patch b/patches/iBSS.n78.RELEASE.patch similarity index 100% rename from patch/iBSS.n78.RELEASE.patch rename to patches/iBSS.n78.RELEASE.patch diff --git a/patches/iBSS.n94.RELEASE.patch b/patches/iBSS.n94.RELEASE.patch new file mode 100644 index 0000000000000000000000000000000000000000..884e666019f505335c8e59ddec51e8c753d604f0 GIT binary patch literal 172 zcmZ>U zP+WY))=7dzRnzM0$8we6R!)Yg0=x_eP5Z_7)iW^U1a>~)Xi(r_U{ILA03 zWN=L7QTuA?;_DEo1(K12Raw$kifX0?07{|9~r& literal 0 HcmV?d00001 diff --git a/patch/iBSS.p101.RELEASE.patch b/patches/iBSS.p101.RELEASE.patch similarity index 100% rename from patch/iBSS.p101.RELEASE.patch rename to patches/iBSS.p101.RELEASE.patch diff --git a/patch/iBSS.p102.RELEASE.patch b/patches/iBSS.p102.RELEASE.patch similarity index 100% rename from patch/iBSS.p102.RELEASE.patch rename to patches/iBSS.p102.RELEASE.patch diff --git a/patch/iBSS.p103.RELEASE.patch b/patches/iBSS.p103.RELEASE.patch similarity index 100% rename from patch/iBSS.p103.RELEASE.patch rename to patches/iBSS.p103.RELEASE.patch diff --git a/patch/iBSS.p105.RELEASE.patch b/patches/iBSS.p105.RELEASE.patch similarity index 100% rename from patch/iBSS.p105.RELEASE.patch rename to patches/iBSS.p105.RELEASE.patch diff --git a/patch/iBSS.p106.RELEASE.patch b/patches/iBSS.p106.RELEASE.patch similarity index 100% rename from patch/iBSS.p106.RELEASE.patch rename to patches/iBSS.p106.RELEASE.patch diff --git a/patch/iBSS.p107.RELEASE.patch b/patches/iBSS.p107.RELEASE.patch similarity index 100% rename from patch/iBSS.p107.RELEASE.patch rename to patches/iBSS.p107.RELEASE.patch diff --git a/restore.sh b/restore.sh old mode 100644 new mode 100755 index 5577d6c..9022222 --- a/restore.sh +++ b/restore.sh @@ -1,6 +1,59 @@ #!/bin/bash -clear +platform="linux" + +iv_k93=781b9672a86ba1b41f8b7fa0af714c94 +key_k93=db03d63a767b5211d644fccd3e85ef4d5704c94d7589e0fa9ca475a353d8734b + +iv_k94=883c92ed915e4d2481570a062583495b +key_k94=ccfadf3732904885d38f963cce035d7e03b387b67212d526503c85773b58e52f + +iv_k95=460116385cca6d5596221c58ae122669 +key_k95=7852f1fd93d9d49ebea44021081e8f1dffa336d0d3e9517374f8be451dd92eb7 + +iv_k93a=976aa656929ac699fff36715de96876d +key_k93a=5fe5c47b5620c2b40b1ca2bd1764a92d568901a24e1caf8faf0cf0f84ae11b4e + +iv_p101=b21abc8689b0dea8f6e613f9f970e241 +key_p101=b9ed63e4a31f5d9d4d7dddc527e65fd31d1ea48c70204e6b44551c1e6dfc52b5 + +iv_p102=56231fd62c6296ed0c8c411bcef602e0 +key_p102=cdb2142489e5e936fa8f3540bd036f62ed0f27ddb6fec96b9fbfec5a65bc5f17 + +iv_p103=fa39c596b6569e572d90f0820e4e4357 +key_p103=34b359fcc729a0f0d2853e786a78b245ed36a9212c8296aaab95dc0401cf07de + +iv_j1=c3ea87ed43788dfc3e268abdf1af27dd +key_j1=cd3dd7eee07b9ce8b180d1526632cf86dc7fef7d52352d06af354598ab9cf2ef + +iv_j2=32fcd912cb9a472ef2a6db72596ae01c +key_j2=076720d5a07e8011bdda6f6eafaf4845b40a441615cd1d7c1a9cca438ce7db17 + +iv_j2a=e6b041970cd611c8a1561a4c210bc476 +key_j2a=aec6a888d45bd26106ac620d7d4ec0c160ab80276deedc1b50ce8f5d99dcc9af + +iv_p105=a5892a58c90b6d3fb0e0b20db95070d7 +key_p105=75612774968009e3f85545ac0088d0d0bb9cb4e2c2970e8f88489be0b9dfe103 + +iv_p106=fba6d9aaec7237891c80390e6ffa88bf +key_p106=92909dca9bfdb9193131f9ad9b628b1a4971b1cbab52c0ddd114a6253fad96c0 + +iv_p107=1d99e780d96c32a25ca7e4b1c7fe14c0 +key_p107=4e2c14927693d61e1da375e340061521c9376007163f6ab55afbe1a03b901fd3 + +iv_n78=e0175b03bc29817adc312638884e0898 +key_n78=0a0e0aedc8171669c9af6a229930a395959df55dcd8a3ee1fe0f4c009007df3c + +iv_n94=147cdef921ed14a5c10631c5e6e02d1e +key_n94=6ea1eb62a9f403ee212c1f6b3039df093963b46739c6093407190fe3d750c69c + +iv_n41=bd0c8b039a819604a30f0d39adf88572 +key_n41=baf05fe0282f78c18c2e3842be4f9021919d586b55594281f5b5abd0f6e61495 + +iv_n42=fdad2b7a35384fa2ffc7221213ca1082 +key_n42=74cd68729b800a20b1f8e8a3cb5517024a09f074eaa05b099db530fb5783275e + +clear echo "******* 841-OTA-Downgrader *******" echo " - by LukeZGD " echo @@ -8,27 +61,99 @@ echo HardwareModel=$(ideviceinfo | grep 'HardwareModel' | cut -c 16-) HardwareModelLower=$(echo $HardwareModel | tr '[:upper:]' '[:lower:]' | sed 's/.\{2\}$//') ProductType=$(ideviceinfo | grep 'ProductType' | cut -c 14-) +ProductVersion=$(ideviceinfo | grep 'ProductVersion' | cut -c 17-) +UniqueChipID=$(ideviceinfo | grep 'UniqueChipID' | cut -c 15-) +iBSS="iBSS.$HardwareModelLower.RELEASE" if [ ! $HardwareModel ] then - echo "Please plug in the device before proceeding" + echo "Please plug the device in before proceeding" echo exit fi -echo "HardwareModel = $HardwareModel" -echo "ProductType = $ProductType" -echo "HardwareModelLower = $HardwareModelLower" +echo "HardwareModel: $HardwareModel" +echo "ProductType: $ProductType" +echo "ProductVersion: $ProductVersion" +echo "UniqueChipID (ECID): $UniqueChipID" +echo "iBSS: $iBSS" echo -IPSW="${HardwareModel}_8.4.1_12H321_Restore.ipsw" +IPSW="${ProductType}_8.4.1_12H321_Restore" -if [ -e $IPSW ] +#if [ ! -e ${IPSW}.ipsw ] +if [ -e ${IPSW}.ipsw ] then echo "iOS 8.4.1 IPSW is missing! Please put the IPSW on the same directory of this script" echo exit fi -echo "Downloading kloader..." -wget -q "https://github.com/axi0mX/ios-kexec-utils/raw/master/kloader" +echo "Downloading tsschecker..." +mkdir tmp +wget -q "https://github.com/tihmstar/tsschecker/releases/download/v212/tsschecker_v212_mac_win_linux.zip" -O "tmp/tsschecker.zip" +echo "Extracting tsschecker..." +unzip -q tmp/tsschecker.zip -d tools/tsschecker/ +chmod +x tools/tsschecker/tsschecker_$platform +echo + +echo "Downloading futurerestore..." +wget -q "http://api.tihmstar.net/builds/futurerestore/futurerestore-latest.zip" -O "tmp/futurerestore.zip" +echo "Extracting futurerestore..." +unzip -q tmp/futurerestore.zip -d tools/futurerestore/ +chmod +x tools/futurerestore/futurerestore_$platform +echo + +echo "Downloading ota.json..." +wget -q "https://api.ipsw.me/v2.1/ota.json/condensed" -O tmp/ota.json +echo "Copying ota.json to /tmp..." +cp tmp/ota.json /tmp +echo + +echo "Downloading OTA Firmware..." +wget -q "https://api.ipsw.me/v4/ota/download/$ProductType/12H321?prerequisite=12H143" -O tmp/ota.zip +echo "Extracting BuildManifest.plist..." +unzip -q -j tmp/ota.zip AssetData/boot/BuildManifest.plist -d tmp/ +echo + +echo "Saving 8.4.1 blobs with tsschecker..." +env "LD_PRELOAD=libcurl.so.3" tools/tsschecker/tsschecker_$platform -d $ProductType -i 8.4.1 -o -s -e $UniqueChipID -m tmp/BuildManifest.plist > /dev/null 2>&1 +echo + +echo "Extracting 8.4.1 IPSW..." +unzip -q ${IPSW}.ipsw -d $IPSW/ +echo + +echo "Decrypting iBSS..." +iv=iv_$HardwareModelLower +key=key_$HardwareModelLower +echo "IV = ${!iv}" +echo "Key = ${!key}" +tools/xpwntool_$platform $IPSW/Firmware/dfu/$iBSS.dfu tmp/iBSS.dec -k ${!key} -iv ${!iv} -decrypt +echo + +echo "Patching iBSS..." +bspatch tmp/iBSS.dec patches/$iBSS.patch tmp/pwnediBSS +echo + +if [ ! $iOS10 ] +then + kloader="kloader" +else + kloader="kloader_hgsp" +fi + +echo "Please enter Wi-Fi IP address of device for SSH connection:" +#read IPAddress +echo "Will now connect to device using SSH" +echo "Please enter root password when prompted (default is 'alpine')" +echo + +echo "Copying stuff to device..." +scp tools/$kloader root@$IPAddress:/usr/bin +scp tmp/pwnediBSS root@$IPAddress:/ +echo + +echo "Entering pwnDFU mode..." +ssh root@$IPAddress "$kloader /pwnediBSS" +echo