diff --git a/README.md b/README.md
index d516fe7..0bc20ef 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # iOS-OTA-Downgrader
-- **Downgrade/restore and jailbreak supported legacy iOS devices to signed OTA firmwares**
+- **A multi-purpose script to downgrade/restore and jailbreak supported legacy iOS devices**
 - **iPhone4Down: Downgrade your iPhone 4 on Linux/Windows (using powdersn0w)**
 - **Linux, macOS, and Windows** are supported
 - Windows usage is not recommended
@@ -16,6 +16,7 @@
 - This script can also be used to enter kDFU mode for 32-bit devices
 - This script can also be used to restore your iPhone 4 back to iOS 7.1.2 with the option to jailbreak the install
 - This script can also be used to restore supported devices to their latest versions
+- This script can also be used to save on-board SHSH blobs for 32-bit devices
 ## Supported devices
 - [Identify your device here](https://ipsw.me/device-finder)
diff --git a/bin/linux/x86_64/irecovery2 b/bin/linux/x86_64/irecovery2
new file mode 100755
index 0000000..0b04b1c
Binary files /dev/null and b/bin/linux/x86_64/irecovery2 differ
diff --git a/bin/linux/x86_64/ticket b/bin/linux/x86_64/ticket
new file mode 100755
index 0000000..cb201e7
Binary files /dev/null and b/bin/linux/x86_64/ticket differ
diff --git a/bin/linux/x86_64/validate b/bin/linux/x86_64/validate
new file mode 100755
index 0000000..c0f9f45
Binary files /dev/null and b/bin/linux/x86_64/validate differ
diff --git a/bin/macos/irecovery2 b/bin/macos/irecovery2
new file mode 100755
index 0000000..73d4117
Binary files /dev/null and b/bin/macos/irecovery2 differ
diff --git a/bin/macos/ticket b/bin/macos/ticket
new file mode 100755
index 0000000..430bf24
Binary files /dev/null and b/bin/macos/ticket differ
diff --git a/bin/macos/validate b/bin/macos/validate
new file mode 100755
index 0000000..45fc752
Binary files /dev/null and b/bin/macos/validate differ
diff --git a/bin/windows/ticket b/bin/windows/ticket
new file mode 100644
index 0000000..8da9d05
Binary files /dev/null and b/bin/windows/ticket differ
diff --git a/bin/windows/validate b/bin/windows/validate
new file mode 100644
index 0000000..1810fb5
Binary files /dev/null and b/bin/windows/validate differ
diff --git a/resources/firmware/iPad2,2/11D257/url b/resources/firmware/iPad2,2/11D257/url
new file mode 100644
index 0000000..a9a391a
--- /dev/null
+++ b/resources/firmware/iPad2,2/11D257/url
@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS7.1/031-4791.20140627.5r2nx/iPad2,2_7.1.2_11D257_Restore.ipsw
\ No newline at end of file
diff --git a/resources/firmware/iPad2,4/10B329/url b/resources/firmware/iPad2,4/10B329/url
new file mode 100644
index 0000000..40f8302
--- /dev/null
+++ b/resources/firmware/iPad2,4/10B329/url
@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS6.1/091-2633.20130319.Xd54r/iPad2,4_6.1.3_10B329_Restore.ipsw
\ No newline at end of file
diff --git a/resources/firmware/iPad2,5/10B329/url b/resources/firmware/iPad2,5/10B329/url
new file mode 100644
index 0000000..e776368
--- /dev/null
+++ b/resources/firmware/iPad2,5/10B329/url
@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS6.1/091-2417.20130319.Nh23w/iPad2,5_6.1.3_10B329_Restore.ipsw
\ No newline at end of file
diff --git a/resources/firmware/iPad3,1/10B146/url b/resources/firmware/iPad3,1/10B146/url
new file mode 100644
index 0000000..517c779
--- /dev/null
+++ b/resources/firmware/iPad3,1/10B146/url
@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS6.1/091-0736.20130215.Wwft4/iPad3,1_6.1.2_10B146_Restore.ipsw
\ No newline at end of file
diff --git a/resources/firmware/iPad3,3/10B329/url b/resources/firmware/iPad3,3/10B329/url
new file mode 100644
index 0000000..31b7d1e
--- /dev/null
+++ b/resources/firmware/iPad3,3/10B329/url
@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS6.1/091-2592.20130319.64uy6/iPad3,3_6.1.3_10B329_Restore.ipsw
\ No newline at end of file
diff --git a/resources/firmware/iPad3,4/10B329/url b/resources/firmware/iPad3,4/10B329/url
new file mode 100644
index 0000000..093110c
--- /dev/null
+++ b/resources/firmware/iPad3,4/10B329/url
@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS6.1/091-2407.20130319.vs6yt/iPad3,4_6.1.3_10B329_Restore.ipsw
\ No newline at end of file
diff --git a/resources/firmware/iPad3,6/10B329/url b/resources/firmware/iPad3,6/10B329/url
new file mode 100644
index 0000000..99ddb4f
--- /dev/null
+++ b/resources/firmware/iPad3,6/10B329/url
@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS6.1/091-2347.20130319.Aqwe3/iPad3,6_6.1.3_10B329_Restore.ipsw
\ No newline at end of file
diff --git a/resources/firmware/iPhone5,1/10B329/url b/resources/firmware/iPhone5,1/10B329/url
new file mode 100644
index 0000000..eacbc19
--- /dev/null
+++ b/resources/firmware/iPhone5,1/10B329/url
@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS6.1/091-2341.20130319.C24tg/iPhone5,1_6.1.3_10B329_Restore.ipsw
\ No newline at end of file
diff --git a/resources/firmware/iPhone5,2/10B329/url b/resources/firmware/iPhone5,2/10B329/url
new file mode 100644
index 0000000..ca77e7f
--- /dev/null
+++ b/resources/firmware/iPhone5,2/10B329/url
@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS6.1/091-2516.20130319.7164R/iPhone5,2_6.1.3_10B329_Restore.ipsw
\ No newline at end of file
diff --git a/resources/firmware/iPhone5,3/11B511/url b/resources/firmware/iPhone5,3/11B511/url
new file mode 100644
index 0000000..7273a28
--- /dev/null
+++ b/resources/firmware/iPhone5,3/11B511/url
@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS7/031-0943.20131022.Mestt/iPhone5,3_7.0.3_11B511_Restore.ipsw
\ No newline at end of file
diff --git a/resources/firmware/iPhone5,4/11B651/url b/resources/firmware/iPhone5,4/11B651/url
new file mode 100644
index 0000000..143c2bc
--- /dev/null
+++ b/resources/firmware/iPhone5,4/11B651/url
@@ -0,0 +1 @@
+http://appldnld.apple.com/iOS7/031-3516.20140221.8j5GW/iPhone5,4_7.0.6_11B651_Restore.ipsw
\ No newline at end of file
diff --git a/resources/patch/iBEC.j1ap.RELEASE.patch b/resources/patch/iBEC.j1ap.RELEASE.patch
new file mode 100644
index 0000000..ba5fd13
Binary files /dev/null and b/resources/patch/iBEC.j1ap.RELEASE.patch differ
diff --git a/resources/patch/iBEC.j2.RELEASE.patch b/resources/patch/iBEC.j2.RELEASE.patch
new file mode 100644
index 0000000..dad18fe
Binary files /dev/null and b/resources/patch/iBEC.j2.RELEASE.patch differ
diff --git a/resources/patch/iBEC.j2aap.RELEASE.patch b/resources/patch/iBEC.j2aap.RELEASE.patch
new file mode 100644
index 0000000..1b5463a
Binary files /dev/null and b/resources/patch/iBEC.j2aap.RELEASE.patch differ
diff --git a/resources/patch/iBEC.k93aap.RELEASE.patch b/resources/patch/iBEC.k93aap.RELEASE.patch
new file mode 100644
index 0000000..8a81d39
Binary files /dev/null and b/resources/patch/iBEC.k93aap.RELEASE.patch differ
diff --git a/resources/patch/iBEC.k93ap.RELEASE.patch b/resources/patch/iBEC.k93ap.RELEASE.patch
new file mode 100644
index 0000000..0eba4eb
Binary files /dev/null and b/resources/patch/iBEC.k93ap.RELEASE.patch differ
diff --git a/resources/patch/iBEC.k94ap.RELEASE.patch b/resources/patch/iBEC.k94ap.RELEASE.patch
new file mode 100644
index 0000000..f44cfe5
Binary files /dev/null and b/resources/patch/iBEC.k94ap.RELEASE.patch differ
diff --git a/resources/patch/iBEC.k95.RELEASE.patch b/resources/patch/iBEC.k95.RELEASE.patch
new file mode 100644
index 0000000..ea16d64
Binary files /dev/null and b/resources/patch/iBEC.k95.RELEASE.patch differ
diff --git a/resources/patch/iBEC.n41ap.RELEASE.patch b/resources/patch/iBEC.n41ap.RELEASE.patch
new file mode 100644
index 0000000..9c983e4
Binary files /dev/null and b/resources/patch/iBEC.n41ap.RELEASE.patch differ
diff --git a/resources/patch/iBEC.n42ap.RELEASE.patch b/resources/patch/iBEC.n42ap.RELEASE.patch
new file mode 100644
index 0000000..9c983e4
Binary files /dev/null and b/resources/patch/iBEC.n42ap.RELEASE.patch differ
diff --git a/resources/patch/iBEC.n48ap.RELEASE.patch b/resources/patch/iBEC.n48ap.RELEASE.patch
new file mode 100644
index 0000000..ade2ec0
Binary files /dev/null and b/resources/patch/iBEC.n48ap.RELEASE.patch differ
diff --git a/resources/patch/iBEC.n49ap.RELEASE.patch b/resources/patch/iBEC.n49ap.RELEASE.patch
new file mode 100644
index 0000000..ade2ec0
Binary files /dev/null and b/resources/patch/iBEC.n49ap.RELEASE.patch differ
diff --git a/resources/patch/iBEC.n78ap.RELEASE.patch b/resources/patch/iBEC.n78ap.RELEASE.patch
new file mode 100644
index 0000000..4ae9378
Binary files /dev/null and b/resources/patch/iBEC.n78ap.RELEASE.patch differ
diff --git a/resources/patch/iBEC.n94ap.RELEASE.patch b/resources/patch/iBEC.n94ap.RELEASE.patch
new file mode 100644
index 0000000..0179cb7
Binary files /dev/null and b/resources/patch/iBEC.n94ap.RELEASE.patch differ
diff --git a/resources/patch/iBEC.p101ap.RELEASE.patch b/resources/patch/iBEC.p101ap.RELEASE.patch
new file mode 100644
index 0000000..927cddd
Binary files /dev/null and b/resources/patch/iBEC.p101ap.RELEASE.patch differ
diff --git a/resources/patch/iBEC.p102.RELEASE.patch b/resources/patch/iBEC.p102.RELEASE.patch
new file mode 100644
index 0000000..0725e12
Binary files /dev/null and b/resources/patch/iBEC.p102.RELEASE.patch differ
diff --git a/resources/patch/iBEC.p103ap.RELEASE.patch b/resources/patch/iBEC.p103ap.RELEASE.patch
new file mode 100644
index 0000000..927cddd
Binary files /dev/null and b/resources/patch/iBEC.p103ap.RELEASE.patch differ
diff --git a/resources/patch/iBEC.p105ap.RELEASE.patch b/resources/patch/iBEC.p105ap.RELEASE.patch
new file mode 100644
index 0000000..c42b7f9
Binary files /dev/null and b/resources/patch/iBEC.p105ap.RELEASE.patch differ
diff --git a/resources/patch/iBEC.p106.RELEASE.patch b/resources/patch/iBEC.p106.RELEASE.patch
new file mode 100644
index 0000000..5925cbc
Binary files /dev/null and b/resources/patch/iBEC.p106.RELEASE.patch differ
diff --git a/resources/patch/iBEC.p107.RELEASE.patch b/resources/patch/iBEC.p107.RELEASE.patch
new file mode 100644
index 0000000..5925cbc
Binary files /dev/null and b/resources/patch/iBEC.p107.RELEASE.patch differ
diff --git a/resources/payload b/resources/payload
new file mode 100644
index 0000000..2780951
Binary files /dev/null and b/resources/payload differ
diff --git a/restore.sh b/restore.sh
index c96c67f..a7104ca 100755
--- a/restore.sh
+++ b/restore.sh
@@ -257,7 +257,7 @@ install_depends() {
 elif (( ubuntu_ver >= 22 )) || (( debian_ver >= 12 )) || [[ $debian_ver == "sid" ]]; then
 sudo apt update
- sudo apt install -y bsdiff curl jq libimobiledevice6 openssh-client python3 unzip usbmuxd usbutils xmlstarlet xxd zenity zip
+ sudo apt install -y bsdiff curl jq libimobiledevice6 libirecovery-common openssh-client python3 unzip usbmuxd usbutils xmlstarlet xxd zenity zip
 sudo systemctl enable --now udev systemd-udevd usbmuxd 2>/dev/null
 elif [[ $ID == "fedora" || $ID == "nobara" ]] && (( VERSION_ID >= 36 )); then
@@ -289,6 +289,7 @@ install_depends() {
 sudo chown root:root /etc/udev/rules.d/39-libirecovery.rules
 sudo chmod 0644 /etc/udev/rules.d/39-libirecovery.rules
 sudo udevadm control --reload-rules
+ sudo udevadm trigger
 fi
 uname > "../resources/firstrun"
@@ -876,6 +877,7 @@ main_menu() {
 else
 tmp_items+=("Send Pwned iBSS")
 fi
+ tmp_items+=("Save Onboard Blobs")
 fi
 # SSH Ramdisk for iPhone 4 GSM only
 if [[ $device_type == "iPhone3,1" ]]; then
@@ -904,6 +906,7 @@ main_menu() {
 "Restore to Latest iOS" ) mode="restore-latest"; break;;
 "SSH Ramdisk" ) mode="ramdisk4"; break;;
 "Send Pwned iBSS" ) mode="pwned-ibss"; break;;
+ "Save Onboard Blobs" ) mode="save-onboard-blobs"; break;;
 "(Re-)Install Dependencies" ) install_depends;;
 * ) break;;
 esac
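Review bot: The `Save Onboard Blobs` entry appended after the inner `fi` in the `@@ -876` hunk is offered on every platform, yet `shsh_save_onboard` (added later in this diff) logs and returns immediately when `$platform` is `windows`, so Windows users get a menu item that does nothing. Guarding the append the same way keeps the menu consistent with what the function can actually do: `[[ $platform != "windows" ]] && tmp_items+=("Save Onboard Blobs")`. The enclosing `if` block of `main_menu` starts outside the hunk, so I cannot tell whether an outer platform check already covers it.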
@@ -1020,11 +1023,28 @@ device_fw_key_check() {
 device_fw_key="$(cat $keys_path/index.html)"
 }
+download_comp() {
+ # usage: download_comp [build_id] [comp]
+ local build_id="$1"
+ local comp="$2"
+ download_targetfile="$comp.$device_model"
+ if [[ $build_id != "12"* ]]; then
+ download_targetfile+="ap"
+ fi
+ download_targetfile+=".RELEASE"
+
+ if [[ -e "../saved/$device_type/${comp}_$build_id.dfu" ]]; then
+ cp "../saved/$device_type/${comp}_$build_id.dfu" ${comp}
+ else
+ log "Downloading ${comp}..."
+ "$dir/partialzip" $(cat "$device_fw_dir/$build_id/url") "Firmware/dfu/$download_targetfile.dfu" ${comp}
+ cp ${comp} "../saved/$device_type/${comp}_$build_id.dfu"
+ fi
+}
+
 patch_ibss() {
 # creates file pwnediBSS to be sent to device
- local targetfile="iBSS."
 local build_id
-
 case $device_type in
 iPad3,1 | iPhone3,[123] )
 build_id="11D257"
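Review bot: `download_comp` never checks the exit status of `"$dir/partialzip"`, so a failed or truncated fetch (the `url` files added in this commit are plain `http://`, so the content is not integrity-protected in transit) is still copied into `../saved/$device_type/${comp}_$build_id.dfu` and treated as a cache hit on every later run, after which the caller runs `bspatch` over it and sends the result to the device. Checking the status and skipping the cache write on failure closes that: `"$dir/partialzip" "$(cat "$device_fw_dir/$build_id/url")" "Firmware/dfu/$download_targetfile.dfu" "$comp" || { warn "Downloading $comp failed."; return 1; }` — quoting the command substitution also avoids word splitting of the URL. The callers in this diff ignore the return value too, so they would need `download_comp "$build_id" iBSS || return 1` to benefit. A short comment that `download_targetfile` is deliberately not `local` because `patch_ibss` and `patch_ibec` read it after the call would save the next reader from "fixing" it, e.g. `# global on purpose: callers use it to pick the matching .patch file`.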
@@ -1036,27 +1056,59 @@ patch_ibss() {
 * )
 build_id="12H321"
- targetfile+="${device_model}.RELEASE"
 ;;
 esac
-
- if [[ $build_id != "12"* ]]; then
- targetfile+="${device_model}ap.RELEASE"
- fi
-
- if [[ -e "../saved/$device_type/iBSS_$build_id.dfu" ]]; then
- cp "../saved/$device_type/iBSS_$build_id.dfu" iBSS
- else
- log "Downloading iBSS..."
- "$dir/partialzip" $(cat "$device_fw_dir/$build_id/url") "Firmware/dfu/$targetfile.dfu" iBSS
- cp iBSS "../saved/$device_type/iBSS_$build_id.dfu"
- fi
+ download_comp $build_id iBSS
 log "Patching iBSS..."
- $bspatch iBSS pwnediBSS "../resources/patch/$targetfile.patch"
+ $bspatch iBSS pwnediBSS "../resources/patch/$download_targetfile.patch"
 cp pwnediBSS ../saved/$device_type
 log "Pwned iBSS saved at: saved/$device_type/pwnediBSS"
 }
+patch_ibec() {
+ # creates file pwnediBEC to be sent to device for blob dumping
+ local build_id
+ case $device_type in
+ iPad2,[145] | iPad3,[346] | iPhone4,1 | iPhone5,[12] | iPod5,1 )
+ build_id="10B329"
+ ;;
+
+ iPad2,2 | iPhone3,[123] )
+ build_id="11D257"
+ ;;
+
+ iPad2,[367] | iPad3,[25] )
+ build_id="12H321"
+ ;;
+
+ iPad3,1 )
+ build_id="10B146"
+ ;;
+
+ iPhone5,3 )
+ build_id="11B511"
+ ;;
+
+ iPhone5,4 )
+ build_id="11B651"
+ ;;
+ esac
+ download_comp $build_id iBEC
+ device_target_build=$build_id
+ device_fw_key_check
+ local name=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("iBEC")) | .filename')
+ local iv=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("iBEC")) | .iv')
+ local key=$(echo $device_fw_key | $jq -j '.keys[] | select(.image | startswith("iBEC")) | .key')
+ log "Decrypting iBEC"
+ mv iBEC $name.orig
+ "$dir/xpwntool" $name.orig $name.dec -iv $iv -k $key -decrypt
+ "$dir/xpwntool" $name.dec $name.raw
+ log "Patching iBEC"
+ $bspatch $name.raw $name.patched "../resources/patch/$download_targetfile.patch"
+ "$dir/xpwntool" $name.patched pwnediBEC -t $name.dec
+ rm $name.dec $name.orig $name.raw $name.patched
+}
+
 ipsw_path_set() {
 : '
 set variable ipsw_path, ipsw_custom, also ipsw_path_712 for iphone 4
@@ -2145,6 +2197,31 @@ device_ramdisk4() {
 print " reboot_bak"
 }
+shsh_save_onboard() {
+ if [[ $platform == "windows" ]]; then
+ log "Saving onboard SHSH is not (yet) supported on Windows"
+ return
+ fi
+ device_target_other=1
+ ipsw_path_set
+ device_enter_mode kDFU
+ patch_ibec
+ $irecovery -f pwnediBEC
+ sleep 5
+ device_find_mode Recovery
+ (echo -e "/send ../resources/payload\ngo blobs\n/exit") | ${irecovery}2 -s
+ ${irecovery}2 -g myblob.dump
+ $irecovery -n
+ "$dir/ticket" myblob.dump myblob.plist "$ipsw_path.ipsw" -z
+ "$dir/validate" myblob.plist "$ipsw_path.ipsw" -z
+ if [[ ! -s myblob.plist ]]; then
+ warn "Saving onboard blobs failed."
+ return
+ fi
+ mv myblob.plist ../saved/shsh/$device_ecid-$device_type-$device_target_vers.shsh
+ log "Successfully saved $device_target_vers blobs: saved/shsh/$device_ecid-$device_type-$device_target_vers.shsh"
+}
+
 main() {
 clear
 print "******* iOS-OTA-Downgrader *******"
@@ -2227,6 +2304,10 @@ main() {
 device_enter_mode pwnDFU
 ;;
+ "save-onboard-blobs" )
+ shsh_save_onboard
+ ;;
+
 * )
 log "No valid option selected."
 ;;
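Review bot: `patch_ibec`'s `case $device_type` has no `* )` default, unlike `patch_ibss` just above it, so an unlisted device leaves `build_id` empty and the function carries on into `download_comp "" iBEC` and a `cat` of `$device_fw_dir//url`; the three `jq` lookups have the same gap, leaving `name`, `iv` and `key` empty when the key index has no iBEC entry, after which `mv iBEC $name.orig` renames to `.orig` and `xpwntool` is run with an empty key. Add a default arm `* ) warn "Onboard blob saving is not supported for $device_type."; return 1;;` and, after the lookups, `[[ -n $name && -n $iv && -n $key ]] || { warn "No iBEC keys found for $build_id."; return 1; }`. None of the `xpwntool`/`bspatch` steps is status-checked either, so if the final `xpwntool ... pwnediBEC` step fails, a `pwnediBEC` left over from an earlier run could be what `$irecovery -f pwnediBEC` later sends; chaining the steps with `&&` or an `rm -f pwnediBEC` before the pipeline would prevent that. The last three lines of the hunk belong to `ipsw_path_set`, whose body continues outside the hunk.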
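Review bot: `shsh_save_onboard` ignores the exit status of `"$dir/validate"` and only tests that `myblob.plist` is non-empty, so a ticket that `validate` rejects against `$ipsw_path.ipsw` is still moved into `../saved/shsh/` and reported as successfully saved; the user would discover the problem only when a later restore with those blobs fails. Assuming `validate` signals a mismatch with a non-zero exit (its contract is not shown on this page), the call should become `"$dir/validate" myblob.plist "$ipsw_path.ipsw" -z || { warn "Onboard blobs failed validation."; return 1; }`, keeping the existing `-s` test for the `ticket` step. `${irecovery}2` derives the irecovery2 path by appending `2` to `$irecovery`, which only works while that variable is a bare executable path with no options; a comment such as `# irecovery2 is expected next to $irecovery with the same name plus "2"` would make that assumption visible. The hunk also does not ensure `../saved/shsh` exists before the `mv`; if it is not created elsewhere, a `mkdir -p ../saved/shsh` belongs before it.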