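This is a same-version restore ("re-restore") from a jailbroken device, not from a non-jailbroken one. Restoring carries risk; proceed with care.
Tools and firmware
Downgrade & re-restore tool
- Download 1: https://github.com/encounter/futurerestore/releases
- Download 2: http://api.tihmstar.net/builds/futurerestore/futurerestore-latest.zip
Firmware
Environment
- PC
- 6s (model n71ap)
- 10.2, 10.2.1
- VM Mac 10.11.1 (USB 2.0)
- Network environment (55R + kcp)
- SHSH2 (an shsh2 file that includes the CPU model; here is the backup & verification method)
Writing the generator value
Open the SSH tunnel in i4 Assistant (爱思助手), then connect from the PC with putty.exe
IP address: 127.0.0.1
Port: 22
Login
User: root
Password: alpine
Write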
iPhone-6s:~ root# nvram com.apple.System.boot-nonce=0xe21x88x546dx85xe
The generator value is at the very bottom of the shsh2 file
<key>generator</key>
<string>0xe21x88x546dx85xe</string>
Verify the write
iPhone-6s:~ root# nvram -p
backlight-level 1546
boot-args
com.apple.System.boot-nonce 0xe21x88x546dx85xe
obliteration handle_message: Obliteration Complete
auto-boot true
oblit-begins OblitType: ObliterateDataPartition. No reason given.
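The same verification done programmatically, as an added example that is not part of the original post: it reads the generator from the shsh2 plist and compares it with the com.apple.System.boot-nonce line of `nvram -p`. The function names and the sample data are constructed for illustration; 0x1111111111111111 stands in for a real generator.

```python
import plistlib
import re

GENERATOR_RE = re.compile(r"0x[0-9a-fA-F]{16}")  # 64-bit value written as hex
NVRAM_KEY = "com.apple.System.boot-nonce"

def generator_from_shsh2(blob: bytes) -> str:
    """Return the generator string stored in an .shsh2 plist."""
    gen = plistlib.loads(blob).get("generator")
    if gen is None:
        raise ValueError("shsh2 has no generator key, so the nonce cannot be pinned")
    if not GENERATOR_RE.fullmatch(gen):
        raise ValueError(f"malformed generator {gen!r}")
    return gen.lower()

def boot_nonce_from_nvram(output: str):
    """Pick the boot-nonce value out of `nvram -p` output, or None if unset."""
    for line in output.splitlines():
        parts = line.split(None, 1)  # key, then the rest of the line
        if parts and parts[0] == NVRAM_KEY:
            return parts[1].strip().lower() if len(parts) > 1 else ""
    return None

def generator_is_set(blob: bytes, nvram_output: str) -> bool:
    """True only if nvram holds exactly the generator the ticket was saved with."""
    return generator_from_shsh2(blob) == boot_nonce_from_nvram(nvram_output)

# Constructed sample data (not a real ticket, not a real device dump).
SAMPLE_SHSH2 = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>ApImg4Ticket</key><data>AAECAw==</data>
<key>generator</key>
<string>0x1111111111111111</string>
</dict></plist>"""
SAMPLE_NVRAM = (
    "backlight-level\t1546\n"
    "boot-args\n"
    "com.apple.System.boot-nonce\t0x1111111111111111\n"
    "auto-boot\ttrue\n"
)

if __name__ == "__main__":
    print("generator in shsh2:", generator_from_shsh2(SAMPLE_SHSH2))
    print("nvram matches:", generator_is_set(SAMPLE_SHSH2, SAMPLE_NVRAM))
```
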
Mac
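Note: in the VM settings, disconnect the IP (iPhone) from the host so that the phone can attach to the virtual Mac correctly
Environment setup
Note: the commands must be entered one line at a time. Run the following in the terminal to install Homebrew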
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
brew install automake autoconf libtool pkg-config
git clone https://github.com/tihmstar/libirecovery && cd ./libirecovery && bash autogen.sh && make install
git clone https://github.com/tihmstar/libcrippy && cd ./libcrippy && bash autogen.sh && make install
git clone https://github.com/tihmstar/libfragmentzip && cd ./libfragmentzip && bash autogen.sh && make install
Install OpenSSL
cd /usr/local
sudo mkdir ssl  # enter your password
sudo chmod 777 /usr/local/ssl  # world-writable so the non-root `make install` below can write here
cd
git clone https://github.com/openssl/openssl.git
cd openssl
./config
make
make install
brew install curl
brew install libzip
brew install openssl
ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/
ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/
ln -s /usr/local/Cellar/openssl/1.0.2j/bin/openssl openssl
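Restore files
1. Create an IOS folder containing the 10.2 and 10.2.1 firmware, the shsh2 file and futurerestore_macos (the downgrade & re-restore tool).
2. Open iPhone_4.7_10.2.1_14D27_Restore.ipsw with 7z.
(Danger!! The two firmware files are not from different major versions, so the extracted files are identical; extracting from either 10.2 or 10.2.1 is fine.)
3. Extract <firmware>/BuildManifest.plist.
4. Extract <firmware>/Firmware/Mav13-2.41.00.Release.bbfw.
(Danger!! Check the baseband file Mav13-2.41.00.Release.bbfw against About > Modem Firmware on the phone; otherwise the device ends up back "in jail".)
5. Extract <firmware>/Firmware/all_flash/all_flash.n71ap.production/sep-firmware.n71.RELEASE.im4p.
(Danger!! The fingerprint (SEP) file sep-firmware.n71.RELEASE.im4p must match the CPU model; otherwise Touch ID will stop working.)
Seven files in total.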
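A pre-flight check for the extraction steps above, as an added example that is not part of the original post: it reads BuildManifest.plist and confirms that the SEP and baseband files you picked are the ones listed for your board. The function names and the two-board sample manifest (including the n71map entry and its SEP file name) are constructed for illustration.

```python
import plistlib

def find_identity(manifest, device_class, variant="Customer Erase Install (IPSW)"):
    """Return the BuildIdentity for this board and restore variant, or None."""
    for ident in manifest.get("BuildIdentities", []):
        info = ident.get("Info", {})
        if (info.get("DeviceClass", "").lower() == device_class.lower()
                and info.get("Variant") == variant):
            return ident
    return None

def preflight(manifest_bytes, device_class, sep_file, baseband_file):
    """Return a list of problems; an empty list means the files fit the board."""
    ident = find_identity(plistlib.loads(manifest_bytes), device_class)
    if ident is None:
        return [f"no BuildIdentity for {device_class}"]
    problems = []
    for comp, chosen in (("SEP", sep_file), ("BasebandFirmware", baseband_file)):
        path = ident.get("Manifest", {}).get(comp, {}).get("Info", {}).get("Path")
        if path is None:
            problems.append(f"{comp}: not listed for {device_class}")
        elif path.rsplit("/", 1)[-1] != chosen:
            problems.append(f"{comp}: manifest lists {path}, not {chosen}")
    return problems

def _identity(board, sep):
    """Build one constructed BuildIdentity entry for the sample manifest."""
    return {
        "Info": {"DeviceClass": board, "Variant": "Customer Erase Install (IPSW)"},
        "Manifest": {
            "SEP": {"Info": {"Path": f"Firmware/all_flash/all_flash.{board}.production/{sep}"}},
            "BasebandFirmware": {"Info": {"Path": "Firmware/Mav13-2.41.00.Release.bbfw"}},
        },
    }

# Constructed sample manifest: two boards that share a baseband but not a SEP image.
SAMPLE_MANIFEST = plistlib.dumps({
    "ProductVersion": "10.2.1",
    "BuildIdentities": [
        _identity("n71ap", "sep-firmware.n71.RELEASE.im4p"),
        _identity("n71map", "sep-firmware.n71m.RELEASE.im4p"),
    ],
})

if __name__ == "__main__":
    for board in ("n71ap", "n71map"):
        print(board, preflight(SAMPLE_MANIFEST, board,
                               "sep-firmware.n71.RELEASE.im4p",
                               "Mav13-2.41.00.Release.bbfw"))
```
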
Check the environment
cd ~/Desktop/downgrade
chmod +x futurerestore_macos
./futurerestore_macos
### If the following output appears, the environment is working ###
MacosdeMac:downgrade macos$ ./futurerestore_macos
Version: 6aa188cd06789de15732fakeaa301a4242db044ceb - 89
Usage: futurerestore [OPTIONS] IPSW
Allows restoring nonmatching iOS/Sep/Baseband
-t, --apticket PATH Apticket used for restoring
-b, --baseband PATH Baseband to be flashed
-p, --baseband-manifest PATH Buildmanifest for requesting baseband ticket
-s, --sep PATH Sep to be flashed
-m, --sep-manifest PATH Buildmanifest for requesting sep ticket
-w, --wait keep rebooting until nonce matches APTicket
-u, --update update instead of erase install
--latest-sep use latest signed sep instead of manually specifying one(may cause bad restore)
--latest-baseband se latest signed baseband instead of manually specifying one(may cause bad restore)
--no-baseband skip checks and don't flash baseband.
WARNING: only use this for device without baseband (eg iPod or some wifi only iPads)
Start the restore
Example format:
./futurerestore_macos -t shsh2-file.shsh2 -b baseband-file.bbfw -p BuildManifest.plist -s sep-firmware.nxx.RELEASE.im4p -m BuildManifest.plist -w target-firmware.ipsw
Actual command:
./futurerestore_macos -t 665x16x95x80x_iphone8,1_n71ap_10.2-14c92.shsh2 -b Mav13-2.41.00.Release.bbfw -p BuildManifest.plist -s sep-firmware.n71.RELEASE.im4p -m BuildManifest.plist -w iPhone_4.7_10.2_14C92_Restore.ipsw
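After the command runs, the phone reboots automatically. When the progress in the Mac terminal reaches 100% the phone shows a green screen, boots by itself a few seconds later, and displays the Apple logo with a progress bar. After about 6 minutes the "Hello" screen appears and all steps are complete.
Notes:
- Because this is a virtual machine, the phone has to be reattached to the virtual Mac after every automatic reboot; click as quickly as possible.
- Danger: the baseband selection step must be done correctly; otherwise, reportedly, the device ends up back "in jail" or bricked, I do not know which.
- Others have tested 10.3 beta1. I did not, because it upgrades the baseband to the new version and bringing it back down would be a lot of trouble, although it may have no effect.
- Not tested: restoring from Windows (no tool yet) or from Linux (usually Deepin is used); installing the dependencies on Ubuntu, Debian or CentOS is somewhat more troublesome.
Troubleshooting
- "Waiting for device.." appears: this happens at the phone's first reboot, when the IP (iPhone) is detached from the VM. Reattach it. There is still a chance that the restore fails, so use a real iMac if you can.
- Stuck looping in iTunes recovery mode: exit it with i4 Assistant (爱思助手); here is another method.
- The PC's actual USB hardware is 3.0, but with the VM set to USB 2.0 errors occur with some probability.
2017-4-15: this update covers restoring while "in jail":
- Baseband file: Firmware/Mav13-2.41.00.Release.bbfw and sep-firmware.n71.RELEASE.im4p are still extracted from the firmware version the phone is currently running.
- Remaining file: BuildManifest.plist must be extracted from the latest firmware that is still being signed; otherwise you get:
Sending TSS request attempt 1... [Error] sep firmware isn't signed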
Further reading
http://bbs.feng.com/read-htm-tid-11064854.html
https://www.reddit.com/r/jailbreak/comments/5lhby9/tutorial_how_to_upgrade_on_jailbroken_ios_933/
http://www.ipodhacks142.com/how-to-restore-to-ios-10-2-unsigned-using-prometheus-on-iphone-ipod-touch-or-ipad/
Restore log
MacosdeMac:downgrade macos$ ./futurerestore_macos -t 665x16x95x80_iphone8,1_n71ap_10.2-14c92.shsh2 -b Mav13-2.41.00.Release.bbfw -p BuildManifest.plist -s sep-firmware.n71.RELEASE.im4p -m BuildManifest.plist -w iPhone_4.7_10.2_14C92_Restore.ipsw
Version: 6aa188cd06789de15732fakeaa301a4242db044ceb - 89
futurerestore init done
reading ticket 665x16x95x80x_iphone8,1_n71ap_10.2-14c92.shsh2 done
[TSSC] opening BuildManifest.plist
WARNING: Unable to find BbSkeyId node
[TSSR] User specified not to request a Baseband ticket.
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Did set sep+baseband path and firmware
[WARNING] failed to read BasebandGoldCertID from device! Is it already in recovery?
[WARNING] using tsschecker's fallback to get BasebandGoldCertID. This might result in invalid baseband signing status information
[TSSC] opening BuildManifest.plist
WARNING: Unable to find BbSkeyId node
[TSSR] User specified to request only a Baseband ticket.
ERROR: Unable to get BasebandFirmware node
ERROR: Unable to find required BbGoldCertId in parameters
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Found device in Recovery mode
Device already in Recovery mode
INFO: device serial number is FFMfakeG3F4R
waiting for nonce: 4f 1d 20 96 55 39 0a f4 d0 18 dc b8 6e 19 b7 96 fd d4 56 fe
Got ApNonce from device: 4f 1d 20 96 55 39 0a f4 d0 18 dc b8 6e 19 b7 96 fd d4 56 fe
Device has requested ApNonce now
Found device in Recovery mode
Identified device as n71ap, iPhone8,1
Extracting BuildManifest from IPSW
Product Version: 10.2
Product Build: 14C92 Major: 14
Device supports Image4: true
checking APTicket to be valid for this restore...
[Warning] findAnyBuildidentityForFilehash: skipping element=BasebandFirmware
[Warning] findAnyBuildidentityForFilehash: skipping element=ftap
[Warning] findAnyBuildidentityForFilehash: skipping element=ftsp
[Warning] findAnyBuildidentityForFilehash: skipping element=rfta
[Warning] findAnyBuildidentityForFilehash: skipping element=rfts
[Warning] findAnyBuildidentityForFilehash: skipping element=BasebandFirmware
[Warning] findAnyBuildidentityForFilehash: skipping element=ftap
[Warning] findAnyBuildidentityForFilehash: skipping element=ftsp
[Warning] findAnyBuildidentityForFilehash: skipping element=rfta
[Warning] findAnyBuildidentityForFilehash: skipping element=rfts
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=ftap
[Warning] hasBuildidentityElementWithHash: skipping element=ftsp
[Warning] hasBuildidentityElementWithHash: skipping element=rfta
[Warning] hasBuildidentityElementWithHash: skipping element=rfts
[Warning] findAnyBuildidentityForFilehash: skipping element=BasebandFirmware
[Warning] findAnyBuildidentityForFilehash: skipping element=ftap
[Warning] findAnyBuildidentityForFilehash: skipping element=ftsp
[Warning] findAnyBuildidentityForFilehash: skipping element=rfta
[Warning] findAnyBuildidentityForFilehash: skipping element=rfts
[Warning] findAnyBuildidentityForFilehash: skipping element=BasebandFirmware
[Warning] findAnyBuildidentityForFilehash: skipping element=ftap
[Warning] findAnyBuildidentityForFilehash: skipping element=ftsp
[Warning] findAnyBuildidentityForFilehash: skipping element=rfta
[Warning] findAnyBuildidentityForFilehash: skipping element=rfts
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=ftap
[Warning] hasBuildidentityElementWithHash: skipping element=ftsp
[Warning] hasBuildidentityElementWithHash: skipping element=rfta
[Warning] hasBuildidentityElementWithHash: skipping element=rfts
[Warning] findAnyBuildidentityForFilehash: skipping element=BasebandFirmware
[Warning] findAnyBuildidentityForFilehash: skipping element=ftap
[Warning] findAnyBuildidentityForFilehash: skipping element=ftsp
[Warning] findAnyBuildidentityForFilehash: skipping element=rfta
[Warning] findAnyBuildidentityForFilehash: skipping element=rfts
[Warning] findAnyBuildidentityForFilehash: skipping element=BasebandFirmware
[Warning] findAnyBuildidentityForFilehash: skipping element=ftap
[Warning] findAnyBuildidentityForFilehash: skipping element=ftsp
[Warning] findAnyBuildidentityForFilehash: skipping element=rfta
[Warning] findAnyBuildidentityForFilehash: skipping element=rfts
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] getBuildIdentityForIM4M: skipping element=ftap
[Warning] getBuildIdentityForIM4M: skipping element=ftsp
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=ftap
[Warning] hasBuildidentityElementWithHash: skipping element=ftsp
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=ftap
[Warning] hasBuildidentityElementWithHash: skipping element=ftsp
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=ftap
[Warning] hasBuildidentityElementWithHash: skipping element=ftsp
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] getBuildIdentityForIM4M: skipping element=rfta
[Warning] getBuildIdentityForIM4M: skipping element=rfts
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
Verified APTicket to be valid for this restore
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
Using cached filesystem from 'iPhone_4.7_10.2_14C92_Restore/058-54986-095.dmg'
Extracting iBEC.n71.RELEASE.im4p...
Personalizing IMG4 component iBEC...
Sending iBEC (333507 bytes)...
Getting SepNonce in recovery mode... 80 6f 2b 0f e8 94 cf 9c 8d 75 98 b1 db 96 38 8d ff 89 a4 ba
Getting ApNonce in recovery mode... 4f 1d 20 96 55 39 0a f4 d0 18 dc b8 6e 19 b7 96 fd d4 56 fe
Recovery Mode Environment:
iBoot build-version=iBoot-3406.30.8
iBoot build-style=RELEASE
Sending RestoreLogo...
Extracting applelogo@2x~iphone.s8000.im4p...
Personalizing IMG4 component RestoreLogo...
Sending RestoreLogo (12195 bytes)...
ramdisk-size=0x10000000
Extracting 058-54560-094.dmg...
Personalizing IMG4 component RestoreRamDisk...
Sending RestoreRamDisk (40330818 bytes)...
Extracting DeviceTree.n71ap.im4p...
Personalizing IMG4 component RestoreDeviceTree...
Sending RestoreDeviceTree (132848 bytes)...
Extracting kernelcache.release.n71...
Personalizing IMG4 component RestoreKernelCache...
Sending RestoreKernelCache (12592991 bytes)...
Trying to fetch new SHSH blob
WARNING: Unable to find BbSkeyId node
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Received SHSH blobs
About to restore device...
Waiting for device...
Device ffffffffffffffffffffffffffffffff00000001 is now connected in restore mode...
Connecting now...
Connected to com.apple.mobile.restored, version 14
Device ffffffffffffffffffffffffffffffff00000001 has successfully entered restore mode
Hardware Information:
BoardID: 4
ChipID: 32768
UniqueChipID: 665x16x95x80x
ProductionMode: true
Starting FDR listener thread
About to send NORData...
Found firmware path Firmware/all_flash/all_flash.n71ap.production
Getting firmware manifest Firmware/all_flash/all_flash.n71ap.production/manifest
Extracting LLB.n71.RELEASE.im4p...
Personalizing IMG4 component LLB...
Extracting iBoot.n71.RELEASE.im4p...
Personalizing IMG4 component iBoot...
Extracting DeviceTree.n71ap.im4p...
Personalizing IMG4 component DeviceTree...
Extracting applelogo@2x~iphone.s8000.im4p...
Personalizing IMG4 component AppleLogo...
Extracting recoverymode@1334~iphone-lightning.s8000.im4p...
Personalizing IMG4 component RecoveryMode...
Extracting batterylow0@2x~iphone.s8000.im4p...
Personalizing IMG4 component BatteryLow0...
Extracting batterylow1@2x~iphone.s8000.im4p...
Personalizing IMG4 component BatteryLow1...
Extracting batterycharging0@2x~iphone.s8000.im4p...
Personalizing IMG4 component BatteryCharging0...
Extracting batterycharging1@2x~iphone.s8000.im4p...
Personalizing IMG4 component BatteryCharging1...
Extracting glyphplugin@1334~iphone-lightning.s8000.im4p...
Personalizing IMG4 component BatteryPlugin...
Extracting batteryfull@2x~iphone.s8000.im4p...
Personalizing IMG4 component BatteryFull...
Personalizing IMG4 component RestoreSEP...
Personalizing IMG4 component SEP...
Sending NORData now...
Done sending NORData
About to send RootTicket...
Sending RootTicket now...
Done sending RootTicket
Waiting for NAND (28)
Updating S3E Firmware (58)
Checking filesystems (15)
About to send FDR Trust data...
Sending FDR Trust data now...
Done sending FDR Trust Data
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Creating partition map (11)
Creating filesystem (12)
Creating filesystem (12)
Creating filesystem (12)
About to send filesystem...
Connected to ASR
Validating the filesystem
Filesystem validated
Sending filesystem now...
[==================================================] 100.0%
Done sending filesystem
Verifying restore (14)
[==================================================] 100.0%
Mounting filesystems (16)
Mounting filesystems (16)
Mounting filesystems (16)
About to send KernelCache...
Extracting kernelcache.release.n71...
Personalizing IMG4 component KernelCache...
Sending KernelCache now...
Done sending KernelCache
Installing kernelcache (27)
Flashing firmware (18)
[==================================================] 100.0%
Updating gas gauge software (47)
Updating gas gauge software (47)
Updating baseband (19)
About to send BasebandData...
sending request without baseband nonce
WARNING: Unable to find BbSkeyId node
Sending Baseband TSS request...
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Received Baseband SHSH blobs
Sending BasebandData now...
Done sending BasebandData
Updating Baseband in progress...
About to send BasebandData...
WARNING: Unable to find BbSkeyId node
Sending Baseband TSS request...
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Received Baseband SHSH blobs
Sending BasebandData now...
Done sending BasebandData
Updating Baseband completed.
Updating Stockholm (55)
Updating SE Firmware (59)
About to send FUD data...
Found FUD component 'AOP'
Extracting aopfw.im4p...
Personalizing IMG4 component AOP...
Sending FUD data now...
Done sending FUD data
About to send FUD data...
Found FUD component 'AOP'
Extracting aopfw.im4p...
Personalizing IMG4 component AOP...
Sending FUD data now...
Done sending FUD data
Fixing up /var (17)
Creating system key bag (50)
Modifying persistent boot-args (25)
Resizing system partition (52)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Got status message
Status: Restore Finished
Cleaning up...
DONE
Done: restoring succeeded.