mineek / sunst0rm Goto Github PK

It is a tethered downgrade meaning you will have to boot tethered every single time from your PC if your battery dies or if you reboot your phone.
On A10-A11 devices crucial functionality such as the Home Button, Audio, Microphone, Vibration does NOT work at the moment.
On iPhone X touch doesn't work but iPhone 8 and 8 Plus are fine.
You should NOT be tether downgrading your main device it is only recommended to tether downgrade a second device.
For some frequently asked fixes go here for help.

Requirements:

libirecovery
futurerestore (fork)
futurerestore must be the nightly build. A compiled binary can be found here
iBoot64patcher (fork)
Precompiled binaries for iBoot64Patcher can be found here
Kernel64patcher (fork)
img4tool
img4
ldid
restored_external64_patcher
asr64_patcher
Python3
- Make sure you updated Python and are not using the bundled one in macOS
Python dependencies
- pip3 install -r requirements.txt
- A device that is vulnerable to checkm8 (A7-A11 devices.), if your device is not vulnerable then you can NOT tether downgrade at all.

Make sure to use the forks listed above.

How to use?

Option (short)	Option (long)	Description
`-i IPSW`	`--ipsw IPSW`	Path to IPSW
`-t SHSH2`	`--blob SHSH2`	Path to SHSH2
`-r`	`--restore`	Restore mode
`-b`	`--boot`	Boot mode
`-d BOARDCONFIG`	`--boardconfig BOARDCONFIG`	BoardConfig to use (E.g: `d221ap`)
`-kpp`	`--kpp`	Use KPP (A9 or lower)
`-id IDENTIFIER`	`--identifier IDENTIFIER`	Identifier to use (E.g: `iPhone10,6`)
	`--legacy`	Use Legacy Mode (iOS 11 or lower)
	`--skip-baseband`	Skip Baseband sending, do NOT do this if your device does have baseband this argument is only ment to be passed when your device does not have baseband such as WiFi only iPads.

Restoring

python3 sunstorm.py -i 'IPSW' -t 'SHSH2' -r -d 'BOARDCONFIG'

Use --kpp if you have KPP, otherwise don't add
A10+ Devices do NOT have KPP so do not add --kpp if you are attempting to tether downgrade an A10+ device, A7-A9X devices does have KPP so that means you will pass --kpp and to clear things up having KPP or not does not change the fact if you are able to tether downgrade your device.

Booting

python3 sunstorm.py -i 'IPSW' -t 'SHSH2' -b -d 'BOARDCONFIG' -id 'IDENTIFIER'

Use --kpp if you have KPP, otherwise don't add

./boot.sh

Credits:

M1n1Exploit - Some code from ra1nstorm

Arna13 - Writing an easy to understand guide

swayea - Logo's

sunst0rm's People

Contributors

Stargazers

Watchers

sunst0rm's Issues

iPhone X Touchscreen Issue

I successfully downgraded to iOS 14.3 but touch doesn't work

iPhone 7 downgraded to iOS 14.0 and don't want exit from dfu

Hello, I install iOS 14.0 using tether sunst0rm, ipwndfu doesn't install on phone, working only reboot
Hardware: Mac Mini mid 2011
Install log:

Mac-mini-Ivan:sunst0rm hiprivsid$ python3 sunstorm.py -i iPhone_4.7_P3_14.0_18A373_Restore.ipsw -t 673373594124326_iPhone9,3_d101ap_15.7-19H12_15400076bc4c35a7c8caefdcae5bda69c140a11bce870548f0862aac28c194cc.shsh2 -r -d d101ap
sunst0rm
Made by mineek | Some code by m1n1exploit

[*] Extracting IPSW
[*] Extracting ramdisk
rdsk
[*] Mounting ramdisk
/dev/disk1          	                               	/Users/hiprivsid/sunst0rm/work/ramdisk
[*] Patching ASR in the ramdisk
getting get_asr_patch()
[*] Image failed signature verification 0x10089b77d
[*] Image passed signature verification 0x10089b759
[*] Assembling arm64 branch
[*] Writing out patched file to work/patched_asr
[*] Extracting ASR entitlements
[*] Resigning ASR
[*] Chmoding ASR
[*] Copying patched ASR back to the ramdisk
[*] Patching restored_external
file size: 825664
getting get_skip_sealing_patch()
[*] Skipping sealing system volume string at 0x821b4
[*] Skipping sealing system volume xref at 0x2fac8
[*] Skipping sealing system volume branch to xref at 0x2fa6c
[*] Assembling arm64 branch
[*] Writing out patched file to work/restored_external_patched
[*] Extracting restored_external Ents
[*] Resigning restored_external
[*] Chmoding restored_external
[*] Copying patched restored_external back to the ramdisk
[*] Detaching ramdisk
"disk1" unmounted.
"disk1" ejected.
[*] Creating ramdisk
Reading work/ramdisk.dmg...
IM4P outputted to: work/ramdisk.im4p
[*] Extracting ramdisk
Reading work/kernelcache.release.iphone9...
[NOTE] Image4 payload data is LZFSE compressed, decompressing...
Extracted Image4 payload data to: work/kcache.raw
[*] Patching kernel
main: Starting...
main: Detected fat macho kernel
Kernel: Adding AppleFirmwareUpdate img4 signature check patch...
get_AppleFirmwareUpdate_img4_signature_check: Entering ...
get_AppleFirmwareUpdate_img4_signature_check: Found "%s::%s() Performing img4 validation outside of workloop" str loc at 0x950585
get_AppleFirmwareUpdate_img4_signature_check: Found "%s::%s() Performing img4 validation outside of workloop" xref at 0x116092c
get_AppleFirmwareUpdate_img4_signature_check: Patching "%s::%s() Performing img4 validation outside of workloop" at 0x1160938

Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-7195 inputted
get_amfi_out_of_my_way_patch: Found entitlements too small str loc at 0x8b42cb
get_amfi_out_of_my_way_patch: Found entitlements too small str ref at 0xf57bfc
get_amfi_out_of_my_way_patch: Patching AMFI at 0xf52db4
main: Writing out patched file to work/krnl.patched...
main: Quitting...
[*] Rebuilding kernel
Reading work/krnl.patched...
Compressing payload using LZSS...
IM4P outputted to: work/krnl.im4p
[*] Done!
[?] Do you want to restore the device? (y/n)
y
[?] Are you in pwndfu with sigchecks removed? (y/n)
y
[*] Restoring Device
Version: v2.0.0-test(7220525e9f8fa3000d0beb04eb8f30b44b501573-300)
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f-RELEASE
libipatcher version: 0.88-1e855d70c84419014e363bdbcaead7b145fe3e1f-RELEASE
Odysseus for 32-bit support: yes
Odysseus for 64-bit support: yes
Checking for updates...
Futurerestore is up to date!
[INFO] 64-bit device detected
futurerestore init done
reading signing ticket 673373594124326_iPhone9,3_d101ap_15.7-19H12_15400076bc4c35a7c8caefdcae5bda69c140a11bce870548f0862aac28c194cc.shsh2 is done
User specified to use latest signed SEP
Using cached SEP.
Checking if SEP is being signed...
Sending TSS request attempt 1... response successfully received
SEP is being signed!
User specified to use latest signed baseband
Downloading Baseband
100[===================================================================================================>]
Checking if Baseband is being signed...
Sending TSS request attempt 1... response successfully received
Baseband is being signed!
Downloading the latest firmware components...
Finished downloading the latest firmware components!
Found device in DFU mode
requesting to get into pwnRecovery later
Found device in DFU mode
Identified device as d101ap, iPhone9,3
Extracting BuildManifest from iPSW
Product version: 14.0
Product build: 18A373 Major: 18
Device supports Image4: true
checking if the APTicket is valid for this restore...
Verified ECID in APTicket matches the device's ECID
checking if the APTicket is valid for this restore...
Verified ECID in APTicket matches the device's ECID
[IMG4TOOL] checking buildidentity 0:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking buildidentity has all required hashes:
[IMG4TOOL] checking hash for "AOP"                     OK (untrusted)
[IMG4TOOL] checking hash for "Ap,SystemVolumeCanonicalMetadata"BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AppleLogo"               BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BasebandFirmware"        IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "BatteryCharging0"        BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging1"        BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryFull"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow0"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow1"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryPlugin"           BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "DeviceTree"              BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Homer"                   OK (untrusted)
[IMG4TOOL] checking hash for "KernelCache"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "LLB"                     BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Liquid"                  BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "OS"                      BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RecoveryMode"            BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreDeviceTree"       BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreKernelCache"      BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreLogo"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreRamDisk"          BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreSEP"              BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreTrustCache"       BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SEP"                     BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "StaticTrustCache"        BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SystemVolume"            BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap"                    IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "ftsp"                    IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "iBEC"                    BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS"                    BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBoot"                   BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "rfta"                    IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "rfts"                    IGN (no digest in BuildManifest)

failed verification with error:
[exception]:
what=verification failed!
code=84279308
line=1286
file=img4tool.cpp
commit count=197:
commit sha  =aca6cf005c94caf135023263cbb5c61a0081804f:
[IMG4TOOL] checking buildidentity 1:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 2:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 3:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 4:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking buildidentity has all required hashes:
[IMG4TOOL] checking hash for "AOP"                     OK (untrusted)
[IMG4TOOL] checking hash for "Ap,SystemVolumeCanonicalMetadata"BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AppleLogo"               BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BasebandFirmware"        IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "BatteryCharging0"        BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging1"        BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryFull"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow0"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow1"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryPlugin"           BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "DeviceTree"              BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Homer"                   OK (untrusted)
[IMG4TOOL] checking hash for "KernelCache"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "LLB"                     BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Liquid"                  BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "OS"                      BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RecoveryMode"            BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreDeviceTree"       BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreKernelCache"      BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreLogo"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreRamDisk"          BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreSEP"              BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreTrustCache"       BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SEP"                     BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "StaticTrustCache"        BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SystemVolume"            BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap"                    IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "ftsp"                    IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "iBEC"                    BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS"                    BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBoot"                   BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "rfta"                    IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "rfts"                    IGN (no digest in BuildManifest)

failed verification with error:
[exception]:
what=verification failed!
code=84279308
line=1286
file=img4tool.cpp
commit count=197:
commit sha  =aca6cf005c94caf135023263cbb5c61a0081804f:
[IMG4TOOL] checking buildidentity 5:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 6:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 7:
[IMG4TOOL] checking buildidentity matches board ... NO
[WARNING] NOT VALIDATING SHSH BLOBS IM4M!
[Error] BuildIdentity selected for restore does not match APTicket

BuildIdentity selected for restore:
BuildNumber : 18A373
BuildTrain : Azul
DeviceClass : d101ap
FDRSupport : YES
MobileDeviceMinVersion : 1253
RestoreBehavior : Erase
Variant : Customer Erase Install (IPSW)

BuildIdentity is valid for the APTicket:
IM4M is not valid for any restore within the Buildmanifest
This APTicket can't be used for restoring this firmware
[WARNING] NOT VALIDATING SHSH BLOBS!
Variant: Customer Erase Install (IPSW)
This restore will erase all device data.
Device found in DFU Mode.
Sending iBSS (522513 bytes)...
[==================================================] 100.0%
Booting iBSS, waiting for device to disconnect...
Booting iBSS, waiting for device to reconnect...
ApNonce pre-hax:
INFO: device serial number is G27YJ015J5KN
Getting ApNonce in recovery mode... fd 0c 75 79 10 00 c2 36 27 52 c2 72 46 b3 a3 b2 58 f0 fc 02 d2 58 5b d4 0e 46 6e 96 e1 f4 3e 4b 
ApNonce from device doesn't match IM4M nonce, applying hax...
Writing generator=0xbd34a880be0b53f3 to nvram!
Sending iBEC (522513 bytes)...
[==================================================] 100.0%
Booting iBEC, waiting for device to disconnect...
Booting iBEC, waiting for device to reconnect...
APnonce post-hax:
Getting ApNonce in recovery mode... 15 40 00 76 bc 4c 35 a7 c8 ca ef dc ae 5b da 69 c1 40 a1 1b ce 87 05 48 f0 86 2a ac 28 c1 94 cc 
Successfully set nonce generator: 0xbd34a880be0b53f3
Extracting filesystem from iPSW
[==================================================] 100.0%
Getting SepNonce in recovery mode... e9 e2 fb 83 59 5c 19 8e 5b 53 7b 32 0e 7a 37 7d 20 d9 84 91 
Getting ApNonce in recovery mode... 15 40 00 76 bc 4c 35 a7 c8 ca ef dc ae 5b da 69 c1 40 a1 1b ce 87 05 48 f0 86 2a ac 28 c1 94 cc 
[WARNING] Setting bgcolor to green! If you don't see a green screen, then your device didn't boot iBEC correctly
Recovery Mode Environment:
iBoot build-version=iBoot-6723.0.48
iBoot build-style=RELEASE
Sending RestoreLogo...
Extracting applelogo@2x~iphone.im4p (Firmware/all_flash/applelogo@2x~iphone.im4p)...
Personalizing IMG4 component RestoreLogo...
Sending RestoreLogo (13544 bytes)...
ramdisk-size=0x20000000
1337 CUSTOM RAMDISK!
Personalizing IMG4 component RestoreRamDisk...
Sending RestoreRamDisk (103028613 bytes)...
Extracting 048-58904-639.dmg.trustcache (Firmware/048-58904-639.dmg.trustcache)...
Personalizing IMG4 component RestoreTrustCache...
Sending RestoreTrustCache (11838 bytes)...
Extracting DeviceTree.d101ap.im4p (Firmware/all_flash/DeviceTree.d101ap.im4p)...
Personalizing IMG4 component RestoreDeviceTree...
Sending RestoreDeviceTree (36553 bytes)...
Extracting sep-firmware.d101.RELEASE.im4p (Firmware/all_flash/sep-firmware.d101.RELEASE.im4p)...
Personalizing IMG4 component RestoreSEP...
Sending RestoreSEP (1362884 bytes)...
1337 CUSTOM KERNEL!
Personalizing IMG4 component RestoreKernelCache...
Sending RestoreKernelCache (19620731 bytes)...
getting SEP ticket
Trying to fetch new SHSH blob
Sending TSS request attempt 1... response successfully received
Received SHSH blobs
About to restore device... 
Connecting now...
Connected to com.apple.mobile.restored, version 15
Device ffffffffffffffffffffffffffffffff00000010 has successfully entered restore mode
Hardware Information:
BoardID: 12
ChipID: 32784
UniqueChipID: 673373594124326
ProductionMode: true
Starting FDR listener thread
Checkpoint 1621 complete with code 0
Checkpoint 1540 complete with code 0
Checkpoint 1679 complete with code 0
Checkpoint 1544 complete with code 0
About to send RootTicket...
Sending RootTicket now...
Done sending RootTicket
Checkpoint 1547 complete with code 0
Waiting for NAND (28)
Checkpoint 1549 complete with code 0
Updating NAND Firmware (58)
Checkpoint 1550 complete with code 0
Checkpoint 1551 complete with code 0
Checkpoint 1628 complete with code 0
Checkpoint 1552 complete with code 0
Checkpoint 1555 complete with code 0
Checkpoint 1662 complete with code 0
About to send NORData...
Found firmware path Firmware/all_flash
Getting firmware manifest from build identity
Extracting LLB.d10.RELEASE.im4p (Firmware/all_flash/LLB.d10.RELEASE.im4p)...
Personalizing IMG4 component LLB...
Extracting applelogo@2x~iphone.im4p (Firmware/all_flash/applelogo@2x~iphone.im4p)...
Personalizing IMG4 component AppleLogo...
Extracting batterycharging0@2x~iphone.im4p (Firmware/all_flash/batterycharging0@2x~iphone.im4p)...
Personalizing IMG4 component BatteryCharging0...
Extracting batterycharging1@2x~iphone.im4p (Firmware/all_flash/batterycharging1@2x~iphone.im4p)...
Personalizing IMG4 component BatteryCharging1...
Extracting batteryfull@2x~iphone.im4p (Firmware/all_flash/batteryfull@2x~iphone.im4p)...
Personalizing IMG4 component BatteryFull...
Extracting batterylow0@2x~iphone.im4p (Firmware/all_flash/batterylow0@2x~iphone.im4p)...
Personalizing IMG4 component BatteryLow0...
Extracting batterylow1@2x~iphone.im4p (Firmware/all_flash/batterylow1@2x~iphone.im4p)...
Personalizing IMG4 component BatteryLow1...
Extracting glyphplugin@1334~iphone-lightning.im4p (Firmware/all_flash/glyphplugin@1334~iphone-lightning.im4p)...
Personalizing IMG4 component BatteryPlugin...
Extracting DeviceTree.d101ap.im4p (Firmware/all_flash/DeviceTree.d101ap.im4p)...
Personalizing IMG4 component DeviceTree...
Extracting liquiddetect@1334~iphone-lightning.im4p (Firmware/all_flash/liquiddetect@1334~iphone-lightning.im4p)...
Personalizing IMG4 component Liquid...
Extracting recoverymode@1334~iphone-lightning.im4p (Firmware/all_flash/recoverymode@1334~iphone-lightning.im4p)...
Personalizing IMG4 component RecoveryMode...
Extracting iBoot.d10.RELEASE.im4p (Firmware/all_flash/iBoot.d10.RELEASE.im4p)...
Personalizing IMG4 component iBoot...
Personalizing IMG4 component RestoreSEP...
Personalizing IMG4 component SEP...
Sending NORData now...
Done sending NORData
Checkpoint 1545 complete with code 0
Checkpoint 1683 complete with code 0
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Checkpoint 1637 complete with code 0
Checkpoint 1556 complete with code 0
Checkpoint 1620 complete with code 0
Checkpoint 1557 complete with code 0
About to send FDR Trust data...
Sending FDR Trust data now...
Done sending FDR Trust Data
Checkpoint 1558 complete with code 0
Checkpoint 1559 complete with code 0
Checkpoint 1560 complete with code 0
Checking for uncollected logs (44)
Checkpoint 1561 complete with code 0
Checking for uncollected logs (44)
ERROR: Unable to receive message from FDR 0x7fa27f2e4750 (-2). 0/2 bytes
ERROR: Unable to receive message from FDR 0x7fa27f707c20 (-2). 0/2 bytes
Checkpoint 1562 complete with code 0
ERROR: Unable to receive message from FDR 0x7fa27f2e4750 (-2). 0/2 bytes
Checkpoint 1563 complete with code 0
Checkpoint 1633 complete with code 0
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Checkpoint 1565 complete with code 0
Checkpoint 1614 complete with code 0
Checkpoint 1567 complete with code 0
Checkpoint 1674 complete with code 0
Creating partition map (11)
Checkpoint 1569 complete with code 0
Checkpoint 1632 complete with code 0
Checkpoint 1570 complete with code 0
Checkpoint 1629 complete with code 0
Checkpoint 5645 complete with code 0
Creating filesystem (12)
Checkpoint 1624 complete with code 0
Checkpoint 1625 complete with code 0
Checkpoint 1626 complete with code 0
About to send filesystem...
Connected to ASR
Validating the filesystem
Filesystem validated
Sending filesystem now...
[=====                                             ]   9.0%ERROR: Unable to receive message from FDR 0x7fa27f21f110 (-7). 0/2 bytes
[==================================================] 100.0%
Done sending filesystem
Verifying restore (14)
[==================================================] 100.0%
Checkpoint 1627 complete with code 0
Checkpoint 1664 complete with code 0
Checkpoint 1653 complete with code 0
Checkpoint 1676 complete with code 0
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Checking filesystems (15)
Checking filesystems (15)
Checking filesystems (15)
Mounting filesystems (16)
Mounting filesystems (16)
Mounting filesystems (16)
Mounting filesystems (16)
Checkpoint 1574 complete with code 0
Checkpoint 1634 complete with code 0
Checkpoint 1655 complete with code 0
Checkpoint 1658 complete with code 0
Checkpoint 113722144065063 complete with code 0
Checkpoint 4294968914 complete with code 0
Checkpoint 1661 complete with code 0
Checkpoint 1588 complete with code 0
Unknown operation (80)
Sending IsiBootEANFirmware image list
Sending IsiBootNonEssentialFirmware image list
Flashing firmware (18)
[==================================================] 100.0%
Checkpoint 4294972160 complete with code 0
Unknown operation (80)
Sending IsEarlyAccessFirmware image list
Sending IsiBootEANFirmware image list
Sending IsiBootNonEssentialFirmware image list
Checkpoint 4882 complete with code 0
Requesting FUD data (36)
Found IsFUDFirmware component AOP
Found IsFUDFirmware component Homer
Found IsFUDFirmware component RestoreTrustCache
Found IsFUDFirmware component StaticTrustCache
Sending IsFUDFirmware image list
Extracting aopfw-t8010aop.im4p (Firmware/AOP/aopfw-t8010aop.im4p)...
Personalizing IMG4 component AOP...
Sending IsFUDFirmware for AOP...
Extracting homer_D101.im4p (Firmware/homer_D101.im4p)...
Personalizing IMG4 component Homer...
Sending IsFUDFirmware for Homer...
Extracting 048-58904-639.dmg.trustcache (Firmware/048-58904-639.dmg.trustcache)...
Personalizing IMG4 component RestoreTrustCache...
Sending IsFUDFirmware for RestoreTrustCache...
Extracting 048-58826-521.dmg.trustcache (Firmware/048-58826-521.dmg.trustcache)...
Personalizing IMG4 component StaticTrustCache...
Sending IsFUDFirmware for StaticTrustCache...
Checkpoint 4874 complete with code 0
Updating gas gauge software (47)
Checkpoint 1231748362240267009 complete with code 0
Updating gas gauge software (47)
Checkpoint 4294972162 complete with code 0
Updating Stockholm (55)
Checkpoint 1231748362240267012 complete with code 0
Requesting FUD data (36)
Found IsFUDFirmware component AOP
Found IsFUDFirmware component Homer
Found IsFUDFirmware component RestoreTrustCache
Found IsFUDFirmware component StaticTrustCache
Sending IsFUDFirmware image list
Checkpoint 1231748362240267020 complete with code 0
Checkpoint 4294972166 complete with code 0
Checkpoint 3906926831986545415 complete with code 0
Checkpoint 4872 complete with code 0
Checkpoint 4294972174 complete with code 0
Checkpoint 4294972175 complete with code 0
Checkpoint 4294972171 complete with code 0
Updating baseband (19)
About to send BasebandData...
sending request without baseband nonce
Sending Baseband TSS request...
Sending TSS request attempt 1... response successfully received
Received Baseband SHSH blobs
WARNING: size mismatch when parsing MBN file. Continuing anyway.
WARNING: size mismatch when parsing MBN file. Continuing anyway.
Sending BasebandData now...
Done sending BasebandData
Updating Baseband in progress...
About to send BasebandData...
Sending Baseband TSS request...
Sending TSS request attempt 1... response successfully received
Received Baseband SHSH blobs
WARNING: size mismatch when parsing MBN file. Continuing anyway.
WARNING: size mismatch when parsing MBN file. Continuing anyway.
Sending BasebandData now...
Done sending BasebandData
Updating Baseband completed.
Checkpoint 4867 complete with code 0
Checkpoint 1231748362240267024 complete with code 0
Updating SE Firmware (59)
Checkpoint 4294972169 complete with code 0
Checkpoint 4877 complete with code 0
Updating Veridian (66)
Checkpoint 4294972177 complete with code 0
Checkpoint 4294972182 complete with code 0
Checkpoint 1231748362240263733 complete with code 0
Checkpoint 1596 complete with code 0
Checkpoint 4294968943 complete with code 0
Creating Protected Volume (67)
Checkpoint 1652 complete with code 0
Checkpoint 18446744069414585951 complete with code 0
About to send KernelCache...
Extracting kernelcache.release.iphone9 (kernelcache.release.iphone9)...
Personalizing IMG4 component KernelCache...
Sending KernelCache now...
Done sending KernelCache
Installing kernelcache (27)
Checkpoint 3584 complete with code 0
About to send DeviceTree...
Extracting DeviceTree.d101ap.im4p (Firmware/all_flash/DeviceTree.d101ap.im4p)...
Personalizing IMG4 component DeviceTree...
Sending DeviceTree now...
Done sending DeviceTree
Installing DeviceTree (61)
Checkpoint 3585 complete with code 0
About to send NORData...
Found firmware path Firmware/all_flash
Getting firmware manifest from build identity
Extracting LLB.d10.RELEASE.im4p (Firmware/all_flash/LLB.d10.RELEASE.im4p)...
Personalizing IMG4 component LLB...
Extracting applelogo@2x~iphone.im4p (Firmware/all_flash/applelogo@2x~iphone.im4p)...
Personalizing IMG4 component AppleLogo...
Extracting batterycharging0@2x~iphone.im4p (Firmware/all_flash/batterycharging0@2x~iphone.im4p)...
Personalizing IMG4 component BatteryCharging0...
Extracting batterycharging1@2x~iphone.im4p (Firmware/all_flash/batterycharging1@2x~iphone.im4p)...
Personalizing IMG4 component BatteryCharging1...
Extracting batteryfull@2x~iphone.im4p (Firmware/all_flash/batteryfull@2x~iphone.im4p)...
Personalizing IMG4 component BatteryFull...
Extracting batterylow0@2x~iphone.im4p (Firmware/all_flash/batterylow0@2x~iphone.im4p)...
Personalizing IMG4 component BatteryLow0...
Extracting batterylow1@2x~iphone.im4p (Firmware/all_flash/batterylow1@2x~iphone.im4p)...
Personalizing IMG4 component BatteryLow1...
Extracting glyphplugin@1334~iphone-lightning.im4p (Firmware/all_flash/glyphplugin@1334~iphone-lightning.im4p)...
Personalizing IMG4 component BatteryPlugin...
Extracting DeviceTree.d101ap.im4p (Firmware/all_flash/DeviceTree.d101ap.im4p)...
Personalizing IMG4 component DeviceTree...
Extracting liquiddetect@1334~iphone-lightning.im4p (Firmware/all_flash/liquiddetect@1334~iphone-lightning.im4p)...
Personalizing IMG4 component Liquid...
Extracting recoverymode@1334~iphone-lightning.im4p (Firmware/all_flash/recoverymode@1334~iphone-lightning.im4p)...
Personalizing IMG4 component RecoveryMode...
Extracting iBoot.d10.RELEASE.im4p (Firmware/all_flash/iBoot.d10.RELEASE.im4p)...
Personalizing IMG4 component iBoot...
Personalizing IMG4 component RestoreSEP...
Personalizing IMG4 component SEP...
Sending NORData now...
Done sending NORData
Checkpoint 3588 complete with code 0
Checkpoint 3589 complete with code 0
Checkpoint 3587 complete with code 0
Checkpoint 4294968872 complete with code 0
Fixing up /var (17)
Creating system key bag (50)
Checkpoint 3840 complete with code 0
Checkpoint 3841 complete with code 0
Checkpoint 3844 complete with code 0
Checkpoint 3849 complete with code 0
Checkpoint 1613 complete with code 0
Checkpoint 4294968891 complete with code 0
Modifying persistent boot-args (25)
Checkpoint 1593 complete with code 0
Checkpoint 1231748362240263774 complete with code 0
Checkpoint 5377 complete with code 0
Checkpoint 5376 complete with code 0
Checkpoint 5379 complete with code 0
Requesting EAN Data (74)
Checkpoint 5380 complete with code 0
Checkpoint 4884 complete with code 0
Checkpoint 1640 complete with code 0
Checkpoint 1597 complete with code 0
Checkpoint 4294968968 complete with code 0
Checkpoint 1659 complete with code 0
Checkpoint 5632 complete with code 0
Checkpoint 1599 complete with code 0
Checkpoint 1600 complete with code 0
Checkpoint 1675 complete with code 0
Checkpoint 1641 complete with code 0
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Checkpoint 4294968898 complete with code 0
Checkpoint 1660 complete with code 0
Checkpoint 5651 complete with code 0
Checkpoint 1607 complete with code 0
Got status message
Status: Restore Finished
Cleaning up...
Done: restoring succeeded!
[*] Done!
[*] Cleaning
[*] Done!

iPad 5 (6,11) Rotation broken after downgrade

I've tried 14.3 and now 14.2. I can still rotate the screen if I use assistive touch. however, auto rotate will not work.

TypeError: can only concatenate str (not "NoneType") to str

sunst0rm
Made by mineek
Some code by m1n1exploit
[] Extracting IPSW
[] Extracting RamDisk
Traceback (most recent call last):
File "/Users/hxngxd/Downloads/sunst0rm/sunstorm.py", line 277, in
main()
File "/Users/hxngxd/Downloads/sunst0rm/sunstorm.py", line 263, in main
prep_restore(args.ipsw, args.blob, args.boardconfig, args.kpp, args.legacy, args.skip_baseband)
File "/Users/hxngxd/Downloads/sunst0rm/sunstorm.py", line 53, in prep_restore
subprocess.run(['/usr/local/bin/img4', '-i', './work/' + ramdisk_path, '-o', './work/ramdisk.dmg'])
TypeError: can only concatenate str (not "NoneType") to str

Im trying to downgrade an iPhone 6s to 14.2. I have compiled everything and install the requirements with the latest python version.

checksum error

When I try to restore my iPhone 7 it gives me this error:
futurerestore(1518,0x70000e0e3000) malloc: Incorrect checksum for freed object 0x7fdc4ce09870: probably modified after being freed.
Corrupt value: 0xe6c8f0c05b872ad8
futurerestore(1518,0x70000e0e3000) malloc: *** set a breakpoint in malloc_error_break to debug

any fix?

unable to locate BasebandFirmware path

when restoring a wifi only ipad i get hit with "what: unable to find BasebandFirmware path... restore failed"

Restoring Failed

I am trying to do a tether downgrade and it says, "Restoring Failed". The command I used is:

python3 sunstorm.py -i "/Users/aholicknight/Documents/iPhoneFirmwares/iPhone_4.7_14.3_18C66_Restore.ipsw" -t "/Users/aholicknight/Desktop/futurerestorebeta/15.5-19F77.shsh2" -d "n71map" -r --kpp -id "iPhone8,1"

Before I started the restore, I used ipwndfu to rmsigchecks which can be viewed here:

Due to how big the log output is, the log can be viewed here

If anyone can tell me what is causing this problem that would be great. Thank you!

Boot.sh Error (iPad Air 2 WiFi

Hi, I have succeeded with the downgrading process but when I run ./boot.sh it shows me this one. No error logs so I can't troubleshoot.

"ldid not installed" but it clearly is...

it says ldid not installed but it is. With brew

Why??

Clarification for legacy option

Just to clarify, is the legacy option used if the current option is iOS 11 or below, or if the version you’re downgrading to is iOS 11 or below? Thanks.

Retore iPhone 7 Plus

BuildIdentity selected for restore:
BuildNumber : 18C66
BuildTrain : AzulC
DeviceClass : d11ap
FDRSupport : YES
MobileDeviceMinVersion : 1253
RestoreBehavior : Erase
Variant : Customer Erase Install (IPSW)

BuildIdentity is valid for the APTicket:
IM4M is not valid for any restore within the Buildmanifest
This APTicket can't be used for restoring this firmware
[WARNING] NOT VALIDATING SHSH BLOBS!
Variant: Customer Erase Install (IPSW)
This restore will erase all device data.
Device found in DFU Mode.
Sending iBSS (522513 bytes)...
[==================================================] 100.0%
Booting iBSS, waiting for device to disconnect...
Booting iBSS, waiting for device to reconnect...
ApNonce pre-hax:
INFO: device serial number is DX3V71TLHFXW
Getting ApNonce in recovery mode... 27 32 5c 82 58 be 46 e6 9d 9e e5 7f a9 a8 fb c2 8b 87 3d f4 34 e5 e7 02 a8 b2 79 99 55 11 38 ae
Sending iBEC (522513 bytes)...
[==================================================] 100.0%
Booting iBEC, waiting for device to disconnect...
Booting iBEC, waiting for device to reconnect...
APNonce from device already matches IM4M nonce, no need for extra hax...
Successfully set nonce generator: 0x1111111111111111
futurerestore(8985,0x108031e00) malloc: Incorrect checksum for freed object 0x7fe11ac9c3a8: probably modified after being freed.
Corrupt value: 0x864007dffa87c4a6
futurerestore(8985,0x108031e00) malloc: *** set a breakpoint in malloc_error_break to debug
[] Done!
[] Cleaning
[*] Done!

iPhone8,1 A9 not booting after downgrade.

First of all, thanks for this awesome tool!
This is the only tool that actually got to complete futurerestore, but sadly I cannot get the iPhone to boot.

Every time I try to run boot.sh, it all seems to work until it hangs on the last progress bar:

[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==================================================] 100.0%
[==                                                ] 2.8%

Nothing ever happens on the iPhone after this, no backlight change no nothing.

Furthermore, after restoring with this tool, I can no longer get into Pwndfu, I have never tried a tethered downgrade before so I am not sure if this is expected or something is wrong. I can get back to iOS 15 with Apple's official restore in finder, and then Pwndfu works as normal.

In case any of this info is useful:
- Running on an i7 10870h hackintosh
- macOS 10.15.7
- Tried multiple cables
- Trying to restore from iOS 15.4 to iOS 14.3 on an n71map iPhone 6S (A9)
- Getting into Pwndfu with eclipsa, after restoring eclipsa hangs while trying to exploit every time, and other tools wont work either

Any advice is appreciated, thank you so much.

error

sunst0rm
Made by mineek | Some code by m1n1exploit

usage: sunstorm.py [-h] -i IPSW -t BLOB [-r] [-b] -d BOARDCONFIG [-kpp]
[-id IDENTIFIER] [--legacy] [--skip-baseband]
sunstorm.py: error: unrecognized arguments: true true

how to fixed?

Can’t boot after sleep

I tethered downgrade ipadair2 to 14.3. At first, everything was perfect, but I accidentally let him sleep. Then, the device will no longer accept boot.sh, and if you restore with ipsw, you will get a 4014 error. I tried idevicerestore, but it says that the device could not be put into restore mode. Are there any other tools that can be restructured?

unc0ver support (iOS 14.0.1)

Oh mineek, master of 1337. Please make a UI friendly app for dummies, and unc0ver support for iOS 14.0.1

ERROR: Unable to receive message from FDR 0x7fd691bc6060 (-7). 0/2 bytes on iPhone 7 Global

restore-step-user-progress = 51
[09:10:25.0786-GMT]{3>5} CHECKPOINT BEGIN: (null):[0x067D] fdr_auto_challenge_claim
restore-step-ids = {0x1103067B:60;0x1103067D:63}
restore-step-names = {0x1103067B:perform_restore_installing;0x1103067D:fdr_auto_challenge_claim}
restore-step-uptime = 222
restore-step-user-progress = 51
entering RestoredFDRAutoChallengeClaim
[09:10:25.0787-GMT]{3>5} CHECKPOINT END: (null):[0x067D] fdr_auto_challenge_claim
restore-step-ids = {0x1103067B:60}
restore-step-names = {0x1103067B:perform_restore_installing}
restore-step-uptime = 222
restore-step-user-progress = 51
[09:10:25.0787-GMT]{3>5} CHECKPOINT BEGIN: (null):[0x0634] fdr_recover
restore-step-ids = {0x1103067B:60;0x11030634:64}
restore-step-names = {0x1103067B:perform_restore_installing;0x11030634:fdr_recover}
restore-step-uptime = 222
restore-step-user-progress = 51
entering RestoredFDRRecover
AMFDRDataApTicketIsTrusted: AMFDRDataApTicketIsTrusted returning true
AMFDRSealingMapRecoverCurrentDevice: populate sealedData with sealing manifest, sealingManifestOverride : (null), forceSealing : (null), allowForbidden : (null), allowUnSeal : 0, updateDataClasses : (null), updateProperties : (null)
AMSupportPlatformCreateBufferFromNativeFilePath: open failed: No such file or directory
AMSupportPlatformCreateBufferFromNativeFilePath: /mnt6/FactoryData//System/Library/Caches/com.apple.factorydata/seal-00008010-000C585110D1A526
AMFDRCreateError: AMFDRDataLocalCopy: Failed to read data: code=4
AMFDRCreateError: AMFDRDataCopy: seal:00008010-000C585110D1A526 get data failed - foundData is NULL: code=10
AMFDRCreateError: AMFDRSealingMapPopulateSealingManifest: sealingManifest is NULL: code=10
AMFDRCryptoCreateSignedCsr: adding apManifestTruncated to CSR
_AMFDRHttpRequestSendSyncNoRetry: No cookie found
_AMFDRHttpCopyPurpleReverseProxyInformation: Failed to get proxy info for URL 'https://gg.apple.com/ca/authorize'
AMFDRCreateError: _AMFDRHttpMessageSendSync: Failed to copy proxy information and proxy is enabled.: code=10
AMFDRCreateError: _AMFDRHttpRequestSendSyncNoRetry: _AMFDRHttpMessageSendSync failed: code=8
AMFDRCreateError: _AMFDRPermissionsRequestWithString: AMFDRPermissionsRequest failed: code=8
AMFDRCreateError: AMFDRPermissionsRequest: _AMFDRSavePersistentData failed: code=8
AMFDRCreateError: AMFDRDataHTTPLoadPersistent: Permissions request failed.: code=12
AMFDRCreateError: AMFDRDataHTTPCopy: AMFDRDataHTTPLoadPersistent failed: code=8
AMFDRCreateError: AMFDRDataCopy: seal:00008010-000C585110D1A526 get data failed - foundData is NULL: code=10
AMFDRCreateError: AMFDRSealingMapPopulateSealingManifest: sealingManifest is NULL: code=10
AMFDRCreateError: AMFDRSealingMapRecoverCurrentDevice: AMFDRSealingMapPopulateSealingManifest failed on amfdrRemote: code=10
AMFDRDataRecoverCurrentDevice(sealData=false) failed, errCode=10
0: AMFDRError/a: AMFDRSealingMapPopulateSealingManifest failed on amfdrRemote
1: AMFDRError/a: sealingManifest is NULL
2: AMFDRError/a: seal:00008010-000C585110D1A526 get data failed - foundData is NULL
3: AMFDRError/8: AMFDRDataHTTPLoadPersistent failed
4: AMFDRError/c: Permissions request failed.
5: AMFDRError/8: _AMFDRSavePersistentData failed
6: AMFDRError/8: AMFDRPermissionsRequest failed
7: AMFDRError/8: _AMFDRHttpMessageSendSync failed
8: AMFDRError/a: Failed to copy proxy information and proxy is enabled.
[09:10:30.0851-GMT]{3>5} CHECKPOINT FAILURE:(FAILURE:53) (null):[0x0634] fdr_recover D(AMFDRDataHTTPLoadPersistent failed)[6]D(Permissions request failed.)[7]D(_AMFDRSavePersistentData failed)[8]D(AMFDRPermissionsRequest failed)[9]D(_AMFDRHttpMessageSendSync failed)[10]D(Failed to copy proxy information and proxy is enabled.)
restore-step-results = {0x11070634:{0:53}}
restore-step-codes = {0x11070634:{0:53}}
restore-step-domains = {0x11070634:{0:"AMRestoreErrorDomain"}}
restore-step-error = {0x11070634:"D(AMFDRDataHTTPLoadPersistent failed)[6]D(Permissions request failed.)[7]D(_AMFDRSavePersistentData failed)[8]D(AMFDRPermissionsRequest failed)[9]D(_AMFDRHttpMessageSendSync failed)[10]D(Failed to copy proxy information and proxy is enabled.)"}
restore-step-uptime = 227
restore-step-user-progress = 51
[09:10:30.0854-GMT]{3>5} CHECKPOINT NOTICE: (NVRAM set) restore-step-user-progress=51 [sync=true] (first failure)
[09:10:30.0854-GMT]{3>5} CHECKPOINT FAILURE:(FAILURE:53) RESTORED:[0x067B] perform_restore_installing D(AMFDRDataHTTPLoadPersistent failed)[6]D(Permissions request failed.)[7]D(_AMFDRSavePersistentData failed)[8]D(AMFDRPermissionsRequest failed)[9]D(_AMFDRHttpMessageSendSync failed)[10]D(Failed to copy proxy information and proxy is enabled.)
restore-step-results = {0x1107067B:{0:53};0x11070634:{0:53}}
restore-step-codes = {0x1107067B:{0:53};0x11070634:{0:53}}
restore-step-domains = {0x1107067B:{0:"AMRestoreErrorDomain"};0x11070634:{0:"AMRestoreErrorDomain"}}
restore-step-error = {0x1107067B:"D(AMFDRDataHTTPLoadPersistent failed)[6]D(Permissions request failed.)[7]D(_AMFDRSavePersistentData failed)[8]D(AMFDRPermissionsRequest failed)[9]D(_AMFDRHttpMessageSendSync failed)[10]D(Failed to copy proxy information and proxy is enabled.)"}
restore-step-uptime = 227
restore-step-user-progress = 51
[09:10:30.0857-GMT]{3>5} CHECKPOINT BEGIN: RESTORED:[0x067C] cleanup_boot_command
restore-step-ids = {0x1103067B:60;0x11030634:64;0x1103067C:65}
restore-step-names = {0x1103067B:perform_restore_installing;0x11030634:fdr_recover;0x1103067C:cleanup_boot_command}
restore-step-uptime = 227
restore-step-user-progress = 51
entering reset_boot_command_if_value
executing /usr/sbin/nvram -d recovery-boot-mode
Successfully deleted recovery-boot-moderecovery-boot-mode
executing /usr/sbin/nvram -d iboot-failure-reason
Successfully deleted iboot-failure-reasoniboot-failure-reason
[09:10:30.0916-GMT]{3>5} CHECKPOINT END: RESTORED:[0x067C] cleanup_boot_command
restore-step-ids = {0x1103067B:60;0x11030634:64}
restore-step-names = {0x1103067B:perform_restore_installing;0x11030634:fdr_recover}
restore-step-uptime = 227
restore-step-user-progress = 51
[09:10:30.0918-GMT]{3>5} CHECKPOINT BEGIN: RESTORED:[0x1613] cleanup_recovery_os_volume
restore-step-ids = {0x1103067B:60;0x11030634:64;0x11031613:66}
restore-step-names = {0x1103067B:perform_restore_installing;0x11030634:fdr_recover;0x11031613:cleanup_recovery_os_volume}
restore-step-uptime = 227
restore-step-user-progress = 51
[09:10:30.0918-GMT]{3>5} CHECKPOINT END: RESTORED:[0x1613] cleanup_recovery_os_volume
restore-step-ids = {0x1103067B:60;0x11030634:64}
restore-step-names = {0x1103067B:perform_restore_installing;0x11030634:fdr_recover}
restore-step-uptime = 227
restore-step-user-progress = 51
[09:10:30.0919-GMT]{3>5} CHECKPOINT BEGIN: RESTORED:[0x0647] cleanup_check_result
restore-step-ids = {0x1103067B:60;0x11030634:64;0x11030647:67}
restore-step-names = {0x1103067B:perform_restore_installing;0x11030634:fdr_recover;0x11030647:cleanup_check_result}
restore-step-uptime = 227
restore-step-user-progress = 51
[09:10:30.0920-GMT]{3>5} CHECKPOINT END: RESTORED:[0x0647] cleanup_check_result
restore-step-ids = {0x1103067B:60;0x11030634:64}
restore-step-names = {0x1103067B:perform_restore_installing;0x11030634:fdr_recover}
restore-step-uptime = 227
restore-step-user-progress = 51
[09:10:30.0921-GMT]{3>5} CHECKPOINT BEGIN: RESTORED:[0x0648] cleanup_send_final_status
restore-step-ids = {0x1103067B:60;0x11030634:64;0x11030648:68}
restore-step-names = {0x1103067B:perform_restore_installing;0x11030634:fdr_recover;0x11030648:cleanup_send_final_status}
restore-step-uptime = 227
restore-step-user-progress = 51
restore failed with CFError:
0: AMRestoreErrorDomain/35: failed to recover FDR data
1: AMRestoreErrorDomain/35: Failed to recover FDR data
2: AMFDRError/a: AMFDRSealingMapPopulateSealingManifest failed on amfdrRemote
3: AMFDRError/a: sealingManifest is NULL
4: AMFDRError/a: seal:00008010-000C585110D1A526 get data failed - foundData is NULL
5: AMFDRError/8: AMFDRDataHTTPLoadPersistent failed
6: AMFDRError/c: Permissions request failed.
7: AMFDRError/8: _AMFDRSavePersistentData failed
8: AMFDRError/8: AMFDRPermissionsRequest failed
9: AMFDRError/8: _AMFDRHttpMessageSendSync failed
10: AMFDRError/a: Failed to copy proxy information and proxy is enabled.
[09:10:30.0925-GMT]{3>5} CHECKPOINT END: RESTORED:[0x0648] cleanup_send_final_status
restore-step-ids = {0x1103067B:60;0x11030634:64}
restore-step-names = {0x1103067B:perform_restore_installing;0x11030634:fdr_recover}
restore-step-uptime = 227
restore-step-user-progress = 51
[09:10:30.0926-GMT]{3>5} CHECKPOINT BEGIN: RESTORED:[0x0649] cleanup_wait_status_received
restore-step-ids = {0x1103067B:60;0x11030634:64;0x11030649:69}
restore-step-names = {0x1103067B:perform_restore_installing;0x11030634:fdr_recover;0x11030649:cleanup_wait_status_received}
restore-step-uptime = 227
restore-step-user-progress = 51
waiting for host to acknowledge final status received...
final response is missing message type[09:10:30.0938-GMT]{3>5} CHECKPOINT END: RESTORED:[0x0649] cleanup_wait_status_received
restore-step-ids = {0x1103067B:60;0x11030634:64}
restore-step-names = {0x1103067B:perform_restore_installing;0x11030634:fdr_recover}
restore-step-uptime = 227
restore-step-user-progress = 51
[09:10:30.0938-GMT]{3>5} CHECKPOINT BEGIN: RESTORED:[0x064A] cleanup_write_restore_log
restore-step-ids = {0x1103067B:60;0x11030634:64;0x1103064A:70}
restore-step-names = {0x1103067B:perform_restore_installing;0x11030634:fdr_recover;0x1103064A:cleanup_write_restore_log}
restore-step-uptime = 227
restore-step-user-progress = 51
send(10, 4) failed: Broken pipeattempting to dump restore log
writing log file: /mnt1/restore.log

Checkpoint 4294968857 complete with code 0
Checkpoint 4294968858 complete with code 0
Checkpoint 4294968859 complete with code 0
Checkpoint 1633 complete with code 0
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Checkpoint 1565 complete with code 0
Checkpoint 38654707278 complete with code 0
Checkpoint 1567 complete with code 0
Checkpoint 1674 complete with code 0
Creating partition map (11)
Checkpoint 1569 complete with code 0
Checkpoint 1632 complete with code 0
Checkpoint 1570 complete with code 0
Checkpoint 1629 complete with code 0
Checkpoint 5645 complete with code 0
Creating filesystem (12)
Checkpoint 1624 complete with code 0
Checkpoint 1625 complete with code 0
Checkpoint 1626 complete with code 0
About to send filesystem...
Connected to ASR
Validating the filesystem
Filesystem validated
Sending filesystem now...
ERROR: Unable to receive message from FDR 0x7fd691bc6060 (-7). 0/2 bytes
[======= ] 13.0%

Phone is still booting into iOS 15

As far as I can tell there's no errors & I'm doing everything correctly but my phone still boots into iOS 15 after running ./boot.sh

https://bin.0xfc.de/?5fc20031b0a6728e#4XbwrjmguHe4HkqhUYkL73kRmvyrkXhwUNGD82woMPdU

No LICENSE file

Hi, please could you add a license to this project, otherwise no one has the rights to use this code if there is no license.

Process ends after [DOWN] .json/condensed No error given

It happened for almost an hour then I reinstalled everything and still happened so I just gave up

[TSSC] opening firmwares.json
[DOWN] downloading file https://api.ipsw.me/v2.1/firmwares.json/condensed
[] Done!
[] Cleaning!
[*] Done!

What should I do after the restore and boot command

My device is just off idk what to do

Device is in an invalid state after sending ibec

Please see this error, is there anything we can do about it? Failed to get apnonce from device

iPad mini4 无法使用

KeyError: 'StaticTrustCache'

Hello, When I run the boot command I get a python error. I ran: python3 sunstorm.py -i /Users/USERNAME/sunst0rm/iPhone.ipsw -t /Users/USERNAME/sunst0rm/blob.shsh2 -b -d N56AP --kpp -id iPhone7,1. The entire log of the command is:

Made by mineek | Some code by m1n1exploit

[*] Creating working directory
[*] Unzipping IPSW
[*] Getting ProductBuildVersion
[*] Getting IBSS and IBEC
[*] Decrypting IBSS
ibss
[*] Decrypting IBEC
ibec
[*] Patching IBSS
Version: 4a2feb7a40cef43fa26d648eaab9be7562164f8a-21
main: Starting...
getting get_sigcheck_patch() patch
applying patch=0x18038d710 : 000080d2
applying patch=0x18038d714 : c0035fd6
applying patch=0x18038d780 : 000080d2
main: Writing out patched file to work/ibss.patched...
main: Quitting...
[*] Patching IBEC
Version: 4a2feb7a40cef43fa26d648eaab9be7562164f8a-21
main: Starting...
getting get_boot_arg_patch(-v) patch
getting get_debug_enabled_patch() patch
getting get_sigcheck_patch() patch
applying patch=0x83000a4d8 : 000080d2
applying patch=0x83000a4dc : c0035fd6
applying patch=0x83000a51c : 000080d2
applying patch=0x83000be7c : 200080d2
applying patch=0x83000d2e0 : a9861b10
applying patch=0x8300443b4 : 2d7600
applying patch=0x83000d2ec : fb0309aa
applying patch=0x83000d364 : 9b821b10
main: Writing out patched file to work/ibec.patched...
main: Quitting...
[*] Converting BLOB to IM4M
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f
Compiled with plist: YES
Saved IM4M to IM4M
[*] Converting IBSS to IMG4
none
[*] Converting IBEC to IMG4
none
[*] Getting DeviceTree and TrustCache
Traceback (most recent call last):
  File "/Users/USERNAME/sunst0rm/sunstorm.py", line 395, in <module>
    main()
  File "/Users/USERNAME/sunst0rm/sunstorm.py", line 385, in main
    prep_boot(args.ipsw, args.blob, args.boardconfig,
  File "/Users/USERNAME/sunst0rm/sunstorm.py", line 285, in prep_boot
    trustcache = manifest.get_comp(board, 'StaticTrustCache')
  File "/Users/USERNAME/sunst0rm/utils/manifest.py", line 13, in get_comp
    return deviceclass['Manifest'][comp]['Info']['Path']
KeyError: 'StaticTrustCache'

Thanks in advance!

futurerestore not working

I've been getting this error when I try to use the nightly build of futurerestore
futurerestore(921,0x1168f6600) malloc: Heap corruption detected, free list is damaged at 0x600002a10580
*** Incorrect guard value: 13091678336542240272
futurerestore(921,0x1168f6600) malloc: *** set a breakpoint in malloc_error_break to debug
Is there any way to fix this?
Also, I'm using the latest futurerestore nightly build:
Here is the log:
sunst0rm
Made by mineek
Some code by m1n1exploit
[] Extracting IPSW
[] Extracting RamDisk
rdsk
[] Mounting RamDisk
/dev/disk2 /Users/davidluski/Downloads/sunst0rm-main 4/work/ramdisk
[] Patching ASR in the RamDisk
getting get_asr_patch()
[] Image failed signature verification 0x7fa3b004071c
[] Image passed signature verification 0x7fa3b00406f8
[] Assembling arm64 branch
[] Writing out patched file to work/patched_asr
[] Extracting ASR Ents
[] Resigning ASR
[] Chmoding ASR
[] Copying Patched ASR back to the RamDisk
[] Patching Restored External
file size: 1012752
getting get_skip_sealing_patch()
[] Skipping sealing system volume string at 0xaaa17
[] Skipping sealing system volume xref at 0x326b0
[] Skipping sealing system volume branch to xref at 0x32654
[] Assembling arm64 branch
[] Writing out patched file to work/restored_external_patched
[] Extracting Restored External Ents
[] Resigning Restored External
[] Chmoding Restored External
[] Copying Patched Restored External back to the RamDisk
[] Detaching RamDisk
"disk2" ejected.
[] Creating RamDisk
Reading work/ramdisk.dmg...
IM4P outputted to: work/ramdisk.im4p
[] Extracting Kernel
Reading work/kernelcache.release.iphone10b...
[NOTE] Image4 payload data is LZFSE compressed, decompressing...
Extracted Image4 payload data to: work/kcache.raw
[] Patching Kernel
main: Starting...
Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-7195 inputted
get_amfi_out_of_my_way_patch: Found entitlements too small str loc at 0x404a53
get_amfi_out_of_my_way_patch: Found entitlements too small str ref at 0x115e8d4
get_amfi_out_of_my_way_patch: Patching AMFI at 0x115afb4
main: Writing out patched file to work/krnl.patched...
main: Quitting...
[] Rebuilding Kernel
Reading work/krnl.patched...
Compressing payload using LZSS...
IM4P outputted to: work/krnl.im4p
[] Done!
[?] Do you want to restore the device? (y/n)
y
[?] Are you in pwndfu with sigchecks removed? (y/n)
y
[*] Restoring Device
Version: v2.0.0-test(futurerestore/futurerestore@7f732140187bbcecfed3c34ac38185a4096d06d7-290)
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f-RELEASE
libipatcher version: 0.88-1e855d70c84419014e363bdbcaead7b145fe3e1f-RELEASE
Odysseus for 32-bit support: yes
Odysseus for 64-bit support: yes
[INFO] 64-bit device detected
daemonManager: suspending invasive macOS daemons...
daemonManager: findProc: found MobileDeviceUpdater!
daemonManager: killing MobileDeviceUpdater.
daemonManager: findProc: found AMPDevicesAgent!
daemonManager: killing AMPDevicesAgent.
daemonManager: findProc: found AMPDeviceDiscoveryAgent!
daemonManager: killing AMPDeviceDiscoveryAgent.
daemonManager: done!
futurerestore init done
reading signing ticket /Users/davidluski/Downloads/2587898990118970_iPhone10,6_d221ap_15.6.1-19G82_7269cf71c79667b93b60c97951c037759711d23abed03398ea8f98bbb12f3624.shsh2 is done
user specified to use latest signed SEP

[TSSC] opening firmwares.json
[DOWN] downloading file https://api.ipsw.me/v2.1/firmwares.json/condensed
[TSSC] opening /tmp/betas_iPhone10,6.json
[DOWN] downloading file https://api.m1sta.xyz/betas/iPhone10,6
[TSSC] selecting latest firmware version: 15.6.1
[TSSC] got firmwareurl for iOS 15.6.1 build 19G82
[TSSC] opening Buildmanifest for iPhone10,6_15.6.1
[DOWN] downloading file https://updates.cdn-apple.com/2022SummerFCS/fullrestores/012-52718/E165707F-2AA7-40C8-B1A5-0BB94E3F845A/BuildManifest.plist
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
downloading SEP
100 [===========================================================================]
[TSSC] opening /tmp/futurerestore/sepManifest.plist
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] User specified to not request a baseband ticket.
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
user specified to use latest signed baseband

[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
downloading Baseband
100 [===========================================================================]
ERROR: Unable to connect to device?!
[Error] Unable to find required BbGoldCertId in parameters
[WARNING] using tsschecker's fallback to get BasebandGoldCertID. This might result in invalid baseband signing status information
[TSSC] opening /tmp/futurerestore/basebandManifest.plist
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] User specified to request only a Baseband ticket.
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Downloading the latest firmware components...
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
downloading SE firmware
100 [===========================================================================]
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
downloading Savage,B0-Prod-Patch
100 [===========================================================================077 [===========================================================================100 [===================================================================================================>]
downloading Savage,B0-Dev-Patch
100 [===========================================================================077 [===========================================================================100 [===================================================================================================>]
downloading Savage,B2-Prod-Patch
100 [===========================================================================097 [===========================================================================100 [===================================================================================================>]
downloading Savage,B2-Dev-Patch
100 [===========================================================================097 [===========================================================================100 [===================================================================================================>]
downloading Savage,BA-Prod-Patch
100 [===========================================================================100 [===================================================================================================>]
downloading Savage,BA-Dev-Patch
100 [===========================================================================100 [===================================================================================================>]
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
Finished downloading the latest firmware components!
Found device in DFU mode
requesting to get into pwnRecovery later
Found device in DFU mode
Identified device as d221ap, iPhone10,6
Extracting BuildManifest from iPSW
Product version: 14.3
Product build: 18C66 Major: 18
Device supports Image4: true
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
checking if the APTicket is valid for this restore...
Verified ECID in APTicket matches the device's ECID
checking if the APTicket is valid for this restore...
Verified ECID in APTicket matches the device's ECID
[IMG4TOOL] checking buildidentity 0:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking buildidentity has all required hashes:
[IMG4TOOL] checking hash for "AOP" OK (untrusted)
[IMG4TOOL] checking hash for "Ap,SystemVolumeCanonicalMetadata"BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AppleLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AudioCodecFirmware" OK (untrusted)
[IMG4TOOL] checking hash for "BasebandFirmware" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "BatteryCharging0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryFull" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryPlugin" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "DeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ISP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "KernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "LLB" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Liquid" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Multitouch" OK (untrusted)
[IMG4TOOL] checking hash for "OS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RecoveryMode" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreDeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreKernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreRamDisk" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreSEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SE,UpdatePayload" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Savage,B0-Dev-Patch" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,B0-Dev-PatchVT" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,B0-Prod-Patch" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,B0-Prod-PatchVT" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,B2-Dev-Patch" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,B2-Dev-PatchVT" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,B2-Prod-Patch" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,B2-Prod-PatchVT" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,BA-Dev-Patch" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,BA-Prod-Patch" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "StaticTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SystemVolume" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "ftsp" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "iBEC" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBoot" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "rfta" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "rfts" IGN (no digest in BuildManifest)

failed verification with error:
[exception]:
what=verification failed!
code=84279308
line=1286
file=img4tool.cpp
commit count=197:
commit sha =aca6cf005c94caf135023263cbb5c61a0081804f:
[IMG4TOOL] checking buildidentity 1:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 2:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking buildidentity has all required hashes:
[IMG4TOOL] checking hash for "AOP" OK (untrusted)
[IMG4TOOL] checking hash for "Ap,SystemVolumeCanonicalMetadata"BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AppleLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AudioCodecFirmware" OK (untrusted)
[IMG4TOOL] checking hash for "BasebandFirmware" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "BatteryCharging0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryFull" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryPlugin" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "DeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ISP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "KernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "LLB" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Liquid" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Multitouch" OK (untrusted)
[IMG4TOOL] checking hash for "OS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RecoveryMode" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreDeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreKernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreRamDisk" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreSEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SE,UpdatePayload" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Savage,B0-Dev-Patch" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,B0-Dev-PatchVT" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,B0-Prod-Patch" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,B0-Prod-PatchVT" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,B2-Dev-Patch" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,B2-Dev-PatchVT" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,B2-Prod-Patch" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,B2-Prod-PatchVT" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,BA-Dev-Patch" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "Savage,BA-Prod-Patch" IGN (hash not found in im4m, but ignoring since not explicitly enforced through "Trusted"="YES" tag)
[IMG4TOOL] checking hash for "StaticTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SystemVolume" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "ftsp" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "iBEC" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBoot" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "rfta" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "rfts" IGN (no digest in BuildManifest)

BuildIdentity selected for restore:
BuildNumber : 18C66
BuildTrain : AzulC
DeviceClass : d221ap
FDRSupport : YES
MobileDeviceMinVersion : 1253
RestoreBehavior : Erase
Variant : Customer Erase Install (IPSW)

BuildIdentity is valid for the APTicket:
IM4M is not valid for any restore within the Buildmanifest
This APTicket can't be used for restoring this firmware
[WARNING] NOT VALIDATING SHSH BLOBS!
[TSSR] Checking BuildIdentity 0
[TSSR] Selected BuildIdentity for request
Variant: Customer Erase Install (IPSW)
This restore will erase all device data.
Device found in DFU Mode.
Getting firmware keys for: d221ap
Patching iBSS
Extracting iBSS.d22.RELEASE.im4p (Firmware/dfu/iBSS.d22.RELEASE.im4p)...
payload decrypted
Compression detected, uncompressing (bvx2): ok
iBoot64Patch: Staring iBoot64Patch!
iOS 14 iBoot detected!
iBoot64Patch: Inited ibootpatchfinder64!
iBoot64Patch: Added sigpatches!
iBoot64Patch: Added unlock nvram patch!
iBoot64Patch: Added freshnonce patch!
iBoot64Patch: has_kernel_load is false!
iBoot64Patch: Applying patch=0x180032914 : 000080d2
iBoot64Patch: Applying patch=0x180032960 : 000080d2
iBoot64Patch: Applying patch=0x18001f908 : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x18001f958 : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x18006ba84 : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x180038c58 : 1f2003d5
iBoot64Patch: Patches applied!
[WARNING] BUG WORKAROUND recompressing images with bvx2 makes them not boot for some reason. Skipping compression
Patching iBEC
Extracting iBEC.d22.RELEASE.im4p (Firmware/dfu/iBEC.d22.RELEASE.im4p)...
payload decrypted
Compression detected, uncompressing (bvx2): ok
iBoot64Patch: Staring iBoot64Patch!
iOS 14 iBoot detected!
iBoot64Patch: Inited ibootpatchfinder64!
iBoot64Patch: Added sigpatches!
iBoot64Patch: Added unlock nvram patch!
iBoot64Patch: Added freshnonce patch!
iBoot64Patch: has_kernel_load is true!
iBoot64Patch: Added debugenabled patch!
iBoot64Patch: Added bootarg patch!
iBoot64Patch: Applying patch=0x180032914 : 000080d2
iBoot64Patch: Applying patch=0x180032960 : 000080d2
iBoot64Patch: Applying patch=0x18001f908 : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x18001f958 : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x18006ba84 : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x180038c58 : 1f2003d5
iBoot64Patch: Applying patch=0x18003443c : 200080d2
iBoot64Patch: Applying patch=0x180035828 : 29535230
iBoot64Patch: Applying patch=0x1800da28d : 72643d6d6430206e616e642d656e61626c652d7265666f726d61743d307831202d76202d726573746f72652064656275673d30783230313465206b65657073796d733d30783120616d66693d3078666620616d66695f616c6c6f775f616e795f7369676e61747572653d30783120616d66695f6765745f6f75745f6f665f6d795f7761793d3078312063735f656e666f7263656d656e745f64697361626c653d30783100
iBoot64Patch: Applying patch=0x180035834 : f30309aa
iBoot64Patch: Applying patch=0x180035924 : 534b5230
iBoot64Patch: Patches applied!
[WARNING] BUG WORKAROUND recompressing images with bvx2 makes them not boot for some reason. Skipping compression
Repacking patched iBSS as IMG4
Repacking patched iBEC as IMG4
Sending iBSS (1471381 bytes)...
[==================================================] 100.0%
Booting iBSS, waiting for device to disconnect...
Booting iBSS, waiting for device to reconnect...
ApNonce pre-hax:
INFO: device serial number is F2MVP4DZJCLH
Getting ApNonce in recovery mode... 72 69 cf 71 c7 96 67 b9 3b 60 c9 79 51 c0 37 75 97 11 d2 3a be d0 33 98 ea 8f 98 bb b1 2f 36 24
Sending iBEC (1471381 bytes)...
[==================================================] 100.0%
Booting iBEC, waiting for device to disconnect...
Booting iBEC, waiting for device to reconnect...
APNonce from device already matches IM4M nonce, no need for extra hax...
Successfully set nonce generator: 0x3a76563e7dde61d8
Extracting filesystem from iPSW
[==================================================] 100.0%
Getting SepNonce in recovery mode... c5 8a 7f 81 ff 27 5c 7f a2 f9 66 11 d0 fe a3 cd 4b 2b ad e2
Getting ApNonce in recovery mode... 72 69 cf 71 c7 96 67 b9 3b 60 c9 79 51 c0 37 75 97 11 d2 3a be d0 33 98 ea 8f 98 bb b1 2f 36 24
Recovery Mode Environment:
iBoot build-version=iBoot-6723.62.3
iBoot build-style=RELEASE
Sending RestoreLogo...
Extracting [email protected] (Firmware/all_flash/[email protected])...
Personalizing IMG4 component RestoreLogo...
Sending RestoreLogo (20651 bytes)...
ramdisk-size=0x20000000
1337 CUSTOM RAMDISK!
Personalizing IMG4 component RestoreRamDisk...
Sending RestoreRamDisk (104124681 bytes)...
Extracting adc-nike-d22.im4p (Firmware/isp_bni/adc-nike-d22.im4p)...
Personalizing IMG4 component ISP...
Sending ISP (13269959 bytes)...
Extracting 038-83284-083.dmg.trustcache (Firmware/038-83284-083.dmg.trustcache)...
Personalizing IMG4 component RestoreTrustCache...
Sending RestoreTrustCache (12226 bytes)...
Extracting DeviceTree.d221ap.im4p (Firmware/all_flash/DeviceTree.d221ap.im4p)...
Personalizing IMG4 component RestoreDeviceTree...
Sending RestoreDeviceTree (40676 bytes)...
1337 CUSTOM KERNEL!
Personalizing IMG4 component RestoreKernelCache...
Sending RestoreKernelCache (18721165 bytes)...
getting SEP ticket
Trying to fetch new SHSH blob
futurerestore(921,0x1168f6600) malloc: Heap corruption detected, free list is damaged at 0x600002a10580
*** Incorrect guard value: 13091678336542240272
futurerestore(921,0x1168f6600) malloc: *** set a breakpoint in malloc_error_break to debug
[] Done!
[] Cleaning
[*] Done!

Unable to activate

Hello, i have an iphone 8 (gsm) and when i downgrade with Sunst0rm on 15.7 to 14.3 or other versions. After the downgrade complete, when I open welcome menu on iPhone, I get an error message "Unable to activate". I tried to change the shsh blobs file, change the pwndfu mode (gaster and ipwndfu), try to activate the iPhone in Finder but nothing works. Any fix please ? Im on macOS

loadRamdisk error

Hey everyone im having issues where im trying to downgrade however im getting a ram disk issue as seen below

so is there any way to fix this issue?

iPad Air Wifi (iPad4,1) Fails To Enter Restore Mode

The title says it all. I'm trying to downgrade my iPad Air Wifi to iOS 11.3 (which SEP is compatible for), but FutureRestore always fails with the message "failed to place device into restore mode", after trying to send RestoreKernelCache. Full log:
Getting SepNonce in recovery mode... 87 3b 77 ad 78 3f 41 80 51 b4 f5 3f 5c 90 5d 79 9b 5e 8e 17
Getting ApNonce in recovery mode... 60 3b e1 33 ff 0b df a0 f8 3f 21 e7 41 91 cf 67 70 ea 43 bb
Recovery Mode Environment:
iBoot build-version=iBoot-4076.50.126
iBoot build-style=RELEASE
Sending RestoreLogo...
Extracting applelogo@2x~~ipad.im4p (Firmware/all_flash/applelogo@2x~~ipad.im4p)...
Personalizing IMG4 component RestoreLogo...
Sending RestoreLogo (22925 bytes)...
ramdisk-size=0x10000000
1337 CUSTOM RAMDISK!
Personalizing IMG4 component RestoreRamDisk...
Sending RestoreRamDisk (79287021 bytes)...
Extracting DeviceTree.j71ap.im4p (Firmware/all_flash/DeviceTree.j71ap.im4p)...
Personalizing IMG4 component RestoreDeviceTree...
Sending RestoreDeviceTree (101933 bytes)...
Extracting sep-firmware.j71.RELEASE.im4p (Firmware/all_flash/sep-firmware.j71.RELEASE.im4p)...
Personalizing IMG4 component RestoreSEP...
Sending RestoreSEP (1488225 bytes)...
1337 CUSTOM KERNEL!
Personalizing IMG4 component RestoreKernelCache...
Sending RestoreKernelCache (13389390 bytes)...
ERROR: Failed to place device in restore mode
Cleaning up...
[exception]:
what=ERROR: Unable to place device into restore mode

code=89391172
line=1364
file=/Users/runner/work/futurerestore/futurerestore/src/futurerestore.cpp
commit count=289:
commit sha =c15e30b290141e47383de93aa6b0273b7b6df8d6:
Done: restoring failed!
[] Done!
[] Cleaning
[*] Done!

Any help would be much appreciated!

Possibly invalid iBSS

I was trying to downgrade my iphone 7 to IOS 14 but i keep getting an error "Device did not reconnect. Possibly invalid iBSS. Reset device and try again"
Heres my full output

python3 sunstorm.py -i iPhone_4.7_P3_14.0_18A373_Restore.ipsw -t 7381211341759782_iPhone9,1_d10ap_15.6.1-19G82_27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae.shsh2 -r -d d10ap
sunst0rm
Made by mineek
Some code by m1n1exploit
[*] Extracting IPSW
[*] Extracting RamDisk
rdsk
[*] Mounting RamDisk
/dev/disk2          	                               	/Users/aniketkokate/Downloads/sunst0rm/work/ramdisk
[*] Patching ASR in the RamDisk
getting get_asr_patch()
[*] Image failed signature verification 0x7f901b04077d
[*] Image passed signature verification 0x7f901b040759
[*] Assembling arm64 branch
[*] Writing out patched file to work/patched_asr
[*] Extracting ASR Ents
[*] Resigning ASR
[*] Chmoding ASR
[*] Copying Patched ASR back to the RamDisk
[*] Patching Restored External
file size: 825664
getting get_skip_sealing_patch()
[*] Skipping sealing system volume string at 0x821b4
[*] Skipping sealing system volume xref at 0x2fac8
[*] Skipping sealing system volume branch to xref at 0x2fa6c
[*] Assembling arm64 branch
[*] Writing out patched file to work/restored_external_patched
[*] Extracting Restored External Ents
[*] Resigning Restored External
[*] Chmoding Restored External
[*] Copying Patched Restored External back to the RamDisk
[*] Detaching RamDisk
"disk2" ejected.
[*] Creating RamDisk
Reading work/ramdisk.dmg...
IM4P outputted to: work/ramdisk.im4p
[*] Extracting Kernel
Reading work/kernelcache.release.iphone9...
[NOTE] Image4 payload data is LZFSE compressed, decompressing...
Extracted Image4 payload data to: work/kcache.raw
[*] Patching Kernel
main: Starting...
main: Detected fat macho kernel
Kernel: Adding AppleFirmwareUpdate img4 signature check patch...
get_AppleFirmwareUpdate_img4_signature_check: Entering ...
get_AppleFirmwareUpdate_img4_signature_check: Found "%s::%s() Performing img4 validation outside of workloop" str loc at 0x950585
get_AppleFirmwareUpdate_img4_signature_check: Found "%s::%s() Performing img4 validation outside of workloop" xref at 0x116092c
get_AppleFirmwareUpdate_img4_signature_check: Patching "%s::%s() Performing img4 validation outside of workloop" at 0x1160938

Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-7195 inputted
get_amfi_out_of_my_way_patch: Found entitlements too small str loc at 0x8b42cb
get_amfi_out_of_my_way_patch: Found entitlements too small str ref at 0xf57bfc
get_amfi_out_of_my_way_patch: Patching AMFI at 0xf52db4
main: Writing out patched file to work/krnl.patched...
main: Quitting...
[*] Rebuilding Kernel
Reading work/krnl.patched...
Compressing payload using LZSS...
IM4P outputted to: work/krnl.im4p
[*] Done!
[?] Do you want to restore the device? (y/n)
y
[?] Are you in pwndfu with sigchecks removed? (y/n)
y
[*] Restoring Device
Version: v2.0.0-test(7f732140187bbcecfed3c34ac38185a4096d06d7-290)
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f-RELEASE
libipatcher version: 0.88-1e855d70c84419014e363bdbcaead7b145fe3e1f-RELEASE
Odysseus for 32-bit support: yes
Odysseus for 64-bit support: yes
[INFO] 64-bit device detected
daemonManager: suspending invasive macOS daemons...
daemonManager: findProc: found MobileDeviceUpdater!
daemonManager: killing MobileDeviceUpdater.
daemonManager: findProc: found AMPDeviceDiscoveryAgent!
daemonManager: killing AMPDeviceDiscoveryAgent.
daemonManager: done!
futurerestore init done
reading signing ticket 7381211341759782_iPhone9,1_d10ap_15.6.1-19G82_27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae.shsh2 is done
user specified to use latest signed SEP

[TSSC] opening firmwares.json
[DOWN] downloading file https://api.ipsw.me/v2.1/firmwares.json/condensed
[TSSC] opening /tmp/betas_iPhone9,1.json
[DOWN] downloading file https://api.m1sta.xyz/betas/iPhone9,1
[TSSC] selecting latest firmware version: 15.7
[TSSC] got firmwareurl for iOS 15.7 build 19H12
[TSSC] opening Buildmanifest for iPhone9,1_15.7
[DOWN] downloading file https://updates.cdn-apple.com/2022FallFCS/fullrestores/012-38914/C7764173-5CC4-4D58-8F8B-F093F9A060F0/BuildManifest.plist
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Selected BuildIdentity for request
downloading SEP
100 [===================================================================================================>]
[TSSC] opening /tmp/futurerestore/sepManifest.plist
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Selected BuildIdentity for request
[TSSR] User specified to not request a baseband ticket.
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
user specified to use latest signed baseband

[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Selected BuildIdentity for request
downloading Baseband
100 [===================================================================================================>]
ERROR: Unable to connect to device?!
[Error] Unable to find required BbGoldCertId in parameters
[WARNING] using tsschecker's fallback to get BasebandGoldCertID. This might result in invalid baseband signing status information
[TSSC] opening /tmp/futurerestore/basebandManifest.plist
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Selected BuildIdentity for request
[TSSR] User specified to request only a Baseband ticket.
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Downloading the latest firmware components...
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Selected BuildIdentity for request
Finished downloading the latest firmware components!
Found device in DFU mode
requesting to get into pwnRecovery later
Found device in DFU mode
Identified device as d10ap, iPhone9,1
Extracting BuildManifest from iPSW
Product version: 14.0
Product build: 18A373 Major: 18
Device supports Image4: true
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Selected BuildIdentity for request
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Selected BuildIdentity for request
checking if the APTicket is valid for this restore...
Verified ECID in APTicket matches the device's ECID
checking if the APTicket is valid for this restore...
Verified ECID in APTicket matches the device's ECID
[IMG4TOOL] checking buildidentity 0:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 1:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking buildidentity has all required hashes:
[IMG4TOOL] checking hash for "AOP"                     OK (untrusted)
[IMG4TOOL] checking hash for "Ap,SystemVolumeCanonicalMetadata"BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AppleLogo"               BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BasebandFirmware"        IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "BatteryCharging0"        BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging1"        BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryFull"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow0"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow1"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryPlugin"           BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "DeviceTree"              BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Homer"                   OK (untrusted)
[IMG4TOOL] checking hash for "KernelCache"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "LLB"                     BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Liquid"                  BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "OS"                      BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RecoveryMode"            BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreDeviceTree"       BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreKernelCache"      BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreLogo"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreRamDisk"          BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreSEP"              BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreTrustCache"       BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SE,Bootloader"           IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SE,Firmware"             IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SE,MigrationOS"          IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SE,OS"                   IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SEP"                     BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "StaticTrustCache"        BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SystemVolume"            BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap"                    IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "ftsp"                    IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "iBEC"                    BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS"                    BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBoot"                   BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "rfta"                    IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "rfts"                    IGN (no digest in BuildManifest)

failed verification with error:
[exception]:
what=verification failed!
code=84279308
line=1286
file=img4tool.cpp
commit count=197:
commit sha  =aca6cf005c94caf135023263cbb5c61a0081804f:
[IMG4TOOL] checking buildidentity 2:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 3:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 4:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 5:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking buildidentity has all required hashes:
[IMG4TOOL] checking hash for "AOP"                     OK (untrusted)
[IMG4TOOL] checking hash for "Ap,SystemVolumeCanonicalMetadata"BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AppleLogo"               BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BasebandFirmware"        IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "BatteryCharging0"        BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging1"        BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryFull"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow0"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow1"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryPlugin"           BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "DeviceTree"              BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Homer"                   OK (untrusted)
[IMG4TOOL] checking hash for "KernelCache"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "LLB"                     BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Liquid"                  BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "OS"                      BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RecoveryMode"            BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreDeviceTree"       BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreKernelCache"      BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreLogo"             BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreRamDisk"          BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreSEP"              BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreTrustCache"       BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SE,Bootloader"           IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SE,Firmware"             IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SE,MigrationOS"          IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SE,OS"                   IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SEP"                     BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "StaticTrustCache"        BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SystemVolume"            BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap"                    IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "ftsp"                    IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "iBEC"                    BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS"                    BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBoot"                   BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "rfta"                    IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "rfts"                    IGN (no digest in BuildManifest)

failed verification with error:
[exception]:
what=verification failed!
code=84279308
line=1286
file=img4tool.cpp
commit count=197:
commit sha  =aca6cf005c94caf135023263cbb5c61a0081804f:
[IMG4TOOL] checking buildidentity 6:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 7:
[IMG4TOOL] checking buildidentity matches board ... NO
[WARNING] NOT VALIDATING SHSH BLOBS IM4M!
[Error] BuildIdentity selected for restore does not match APTicket

BuildIdentity selected for restore:
BuildNumber : 18A373
BuildTrain : Azul
DeviceClass : d10ap
FDRSupport : YES
MobileDeviceMinVersion : 1253
RestoreBehavior : Erase
Variant : Customer Erase Install (IPSW)

BuildIdentity is valid for the APTicket:
IM4M is not valid for any restore within the Buildmanifest
This APTicket can't be used for restoring this firmware
[WARNING] NOT VALIDATING SHSH BLOBS!
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Selected BuildIdentity for request
Variant: Customer Erase Install (IPSW)
This restore will erase all device data.
Device found in DFU Mode.
Sending iBSS (522513 bytes)...
[==================================================] 100.0%
Booting iBSS, waiting for device to disconnect...
Booting iBSS, waiting for device to reconnect...
Cleaning up...
[exception]:
what=Device did not reconnect. Possibly invalid iBSS. Reset device and try again
code=46792772
line=714
file=/Users/runner/work/futurerestore/futurerestore/src/futurerestore.cpp
commit count=290:
commit sha  =7f732140187bbcecfed3c34ac38185a4096d06d7:
Done: restoring failed!
[*] Done!
[*] Cleaning
[*] Done!

where the error occurs at the bottom here

BuildIdentity is valid for the APTicket:
IM4M is not valid for any restore within the Buildmanifest
This APTicket can't be used for restoring this firmware
[WARNING] NOT VALIDATING SHSH BLOBS!
[TSSR] Checking BuildIdentity 0
[TSSR] Checking BuildIdentity 1
[TSSR] Selected BuildIdentity for request
Variant: Customer Erase Install (IPSW)
This restore will erase all device data.
Device found in DFU Mode.
Sending iBSS (522513 bytes)...
[==================================================] 100.0%
Booting iBSS, waiting for device to disconnect...
Booting iBSS, waiting for device to reconnect...
Cleaning up...
[exception]:
what=Device did not reconnect. Possibly invalid iBSS. Reset device and try again
code=46792772
line=714
file=/Users/runner/work/futurerestore/futurerestore/src/futurerestore.cpp
commit count=290:
commit sha  =7f732140187bbcecfed3c34ac38185a4096d06d7:
Done: restoring failed!
[*] Done!
[*] Cleaning
[*] Done!

I have an IPhone 7 (9,1) btw and im trying to downgrade to 14.0

Any help would be appreciated i really want to jailbreak because i need to downgrade

INFO:SUNST0RM DOESNT WORK WITH VMWARE DUE TO USB ISSUES SO DONT DO IT

There is no fix just use a Hackintosh or a Mac.

Restore success but device doesn't boot

i am using Linux. I can restore using futurerestore, but after restore I can't boot
just an hour ago, pwndfu works so but i can using boot script
but it's stuck at irecovery -s krnlboot.img4 so i cant boot my device anymore
is there any solution other than reverting to iOS 15?

getting keys failed with error: 14745615

already put device 'J208AP' into pwndfu mode, but failed.
getting keys failed with error: 14745615 (failed to get FirmwareJson from Server). Are keys publicly available?
code=39583761
line=604
file=futurerestore.cpp
commit count=277:
commit sha =1f0c7e1c906ef3d06e07f66f1a960146c54d607d:
Done: restoring failed!

make work on windows

make it work on windowsss

iPhone 5s, iPhone 6,2 can't restore.

I am on macOS Monterey btw. I did everything perfectly, I think. The only issue I had was using ipwndfu but I just used gaster and it worked. However when I enter the restore command this is what happens.

christos@Christoss-Mac-Mini sunst0rm % python3 sunstorm.py -i /Users/christos/sunst0rm/iPhone_4.0_64bit_11.3_15E216_Restore.ipsw -t /Users/christos/Blobs/6656995878968_iPhone6,2_n53ap_12.5.6-16H71_3a88b7c3802f2f0510abc432104a15ebd8bd7154.shsh2 -r -d N53AP --kpp
sunst0rm
Made by mineek
Some code by m1n1exploit
[] Extracting IPSW
[] Extracting RamDisk
rdsk
[] Mounting RamDisk
/dev/disk3 /Users/christos/sunst0rm/work/ramdisk
[] Patching ASR in the RamDisk
getting get_asr_patch()
[] Image failed signature verification 0x7f94080397fe
[] Image passed signature verification 0x7f94080397da
[] Assembling arm64 branch
[] Writing out patched file to work/patched_asr
[] Extracting ASR Ents
[] Resigning ASR
[] Chmoding ASR
[] Copying Patched ASR back to the RamDisk
[] Patching Restored External
file size: 614624
getting get_skip_sealing_patch()
patch not found!
[] Extracting Restored External Ents
[] Resigning Restored External
ldid.cpp(3332): _assert(): errno=2
[] Chmoding Restored External
chmod: work/restored_external_patched: No such file or directory
[] Copying Patched Restored External back to the RamDisk
cp: work/restored_external_patched: No such file or directory
[] Detaching RamDisk
"disk3" ejected.
[] Creating RamDisk
Reading work/ramdisk.dmg...
IM4P outputted to: work/ramdisk.im4p
[] Extracting Kernel
Reading work/kernelcache.release.iphone6...
[NOTE] Image4 payload data is LZSS compressed, decompressing...
Extracted extra Image4 payload data: to work/kpp.bin.
Extracted Image4 payload data to: work/kcache.raw
[] Patching Kernel
main: Starting...
Kernel: Adding AppleFirmwareUpdate img4 signature check patch...
get_AppleFirmwareUpdate_img4_signature_check: Entering ...
get_AppleFirmwareUpdate_img4_signature_check: Could not find "%s::%s() Performing img4 validation outside of workloop" string
Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-4570 inputted
get_amfi_out_of_my_way_patch: Found entitlements too small str loc at 0x669643
get_amfi_out_of_my_way_patch: Found entitlements too small str ref at 0xa57874
get_amfi_out_of_my_way_patch: Patching AMFI at 0xa5634c
main: Writing out patched file to work/krnl.patched...
main: Quitting...
[] Rebuilding Kernel
Reading work/krnl.patched...
Reading extra: work/kpp.bin...
Compressing payload using LZSS...
IM4P outputted to: work/krnl.im4p
[] Done!
[?] Do you want to restore the device? (y/n)
y
[?] Are you in pwndfu with sigchecks removed? (y/n)
n
[!] You need to enter pwndfu
[!] You can restore the device later using futurestore like this: futurerestore -t blob --use-pwndfu --skip-blob --rdsk work/ramdisk.im4p --rkrn work/krnl.im4p --latest-sep --latest-baseband ipsw.ipsw
christos@Christoss-Mac-Mini sunst0rm % python3 sunstorm.py -i /Users/christos/sunst0rm/iPhone_4.0_64bit_11.3_15E216_Restore.ipsw -t /Users/christos/Blobs/6656995878968_iPhone6,2_n53ap_12.5.6-16H71_3a88b7c3802f2f0510abc432104a15ebd8bd7154.shsh2 -r -d N53AP --kpp
sunst0rm
Made by mineek
Some code by m1n1exploit
[] Extracting IPSW
[] Extracting RamDisk
rdsk
[] Mounting RamDisk
/dev/disk3 /Users/christos/sunst0rm/work/ramdisk
[] Patching ASR in the RamDisk
getting get_asr_patch()
[] Image failed signature verification 0x7fb2b00397fe
[] Image passed signature verification 0x7fb2b00397da
[] Assembling arm64 branch
[] Writing out patched file to work/patched_asr
[] Extracting ASR Ents
[] Resigning ASR
[] Chmoding ASR
[] Copying Patched ASR back to the RamDisk
[] Patching Restored External
file size: 614624
getting get_skip_sealing_patch()
patch not found!
[] Extracting Restored External Ents
[] Resigning Restored External
ldid.cpp(3332): _assert(): errno=2
[] Chmoding Restored External
chmod: work/restored_external_patched: No such file or directory
[] Copying Patched Restored External back to the RamDisk
cp: work/restored_external_patched: No such file or directory
[] Detaching RamDisk
"disk3" ejected.
[] Creating RamDisk
Reading work/ramdisk.dmg...
IM4P outputted to: work/ramdisk.im4p
[] Extracting Kernel
Reading work/kernelcache.release.iphone6...
[NOTE] Image4 payload data is LZSS compressed, decompressing...
Extracted extra Image4 payload data: to work/kpp.bin.
Extracted Image4 payload data to: work/kcache.raw
[] Patching Kernel
main: Starting...
Kernel: Adding AppleFirmwareUpdate img4 signature check patch...
get_AppleFirmwareUpdate_img4_signature_check: Entering ...
get_AppleFirmwareUpdate_img4_signature_check: Could not find "%s::%s() Performing img4 validation outside of workloop" string
Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-4570 inputted
get_amfi_out_of_my_way_patch: Found entitlements too small str loc at 0x669643
get_amfi_out_of_my_way_patch: Found entitlements too small str ref at 0xa57874
get_amfi_out_of_my_way_patch: Patching AMFI at 0xa5634c
main: Writing out patched file to work/krnl.patched...
main: Quitting...
[] Rebuilding Kernel
Reading work/krnl.patched...
Reading extra: work/kpp.bin...
Compressing payload using LZSS...
IM4P outputted to: work/krnl.im4p
[] Done!
[?] Do you want to restore the device? (y/n)
y
[?] Are you in pwndfu with sigchecks removed? (y/n)
y
[*] Restoring Device
Version: 0ab9df3209ee599f581532d05d331e6abe0f53f3 - 194
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f
libipatcher version: 0.82-0b2f79ff0917ef9b8a92475d93d9466b23fc2322
Odysseus for 32-bit support: yes
Odysseus for 64-bit support: yes
futurerestore: unrecognized option `--skip-blob'
Usage: futurerestore [OPTIONS] iPSW
Allows restoring to non-matching firmware with custom SEP+baseband

General options:
-t, --apticket PATH Signing tickets used for restoring
-u, --update Update instead of erase install (requires appropriate APTicket)
DO NOT use this parameter, if you update from jailbroken firmware!
-w, --wait Keep rebooting until ApNonce matches APTicket (ApNonce collision, unreliable)
-d, --debug Show all code, use to save a log for debug testing
-e, --exit-recovery Exit recovery mode and quit

Options for downgrading with Odysseus:
--use-pwndfu Restoring devices with Odysseus method. Device needs to be in pwned DFU mode already
--just-boot="-v" Tethered booting the device from pwned DFU mode. You can optionally set boot-args

Options for SEP:
--latest-sep Use latest signed SEP instead of manually specifying one (may cause bad restore)
-s, --sep PATH SEP to be flashed
-m, --sep-manifest PATH BuildManifest for requesting SEP ticket

Options for baseband:
--latest-baseband Use latest signed baseband instead of manually specifying one (may cause bad restore)
-b, --baseband PATH Baseband to be flashed
-p, --baseband-manifest PATH BuildManifest for requesting baseband ticket
--no-baseband Skip checks and don't flash baseband
Only use this for device without a baseband (eg. iPod touch or some Wi-Fi only iPads)

[] Done!
[] Cleaning
[*] Done!

can anyone help?

ETA FOR IPHONE 13 PRO MAX

restoring to iOS 14 on iPhone SE n69uAP breaks functions

Siri & Raise to Wake dont work on iOS 14.2/3; also 14.3 break the flashlight & camera as well

please add support for android

android sunst0rm checkm8 pwn tether ios 2022 no human verification wen eta ok

Traceback (most recent call last):

Hi, I'm trying to use sunst0rm to get my iPad Mini 2 128GB Cellular to iOS 11.4.1, I have completed the restore and ran the command below, and it gives me this error. I am following the sunst0rm guide linked on the readme.md file and it is not working. I tried the command below with -legacy at the end and it still gave same error.
I'm using macOS Catalina 10.15.7 on a hackintosh laptop. Also, all dependencies are installed and seem to be working.
Finally, blob.shsh2 and ios11.ipsw are in the same folder as sunst0rm.

jaydenridley4@Sony-ETH sunst0rm % python3 sunstorm.py -i ios11.ipsw -t blob.shsh2 -b -d j86ap -kpp -id iPad4,5
sunst0rm
Made by mineek | Some code by m1n1exploit

[] Creating working directory
[] Unzipping IPSW
[*] Getting ProductBuildVersion
Traceback (most recent call last):
File "/Users/jaydenridley4/ss/sunst0rm/sunstorm.py", line 395, in
main()
File "/Users/jaydenridley4/ss/sunst0rm/sunstorm.py", line 385, in main
prep_boot(args.ipsw, args.blob, args.boardconfig,
File "/Users/jaydenridley4/ss/sunst0rm/sunstorm.py", line 237, in prep_boot
ibss_iv, ibss_key, ibec_iv, ibec_key = api.get_keys(
NameError: name 'api' is not defined
jaydenridley4@Sony-ETH sunst0rm %

Cannot activate after restore

iPad mini 2 downgraded to 11.4.1 using this command

python3 sunstorm.py -i /Users/bogo/sunst0rm/11.ipsw -t /Users/bogo/sunst0rm/2699597210068_iPad4\,4_j73ap_12.5.5-16H62_3a88b7c3802f2f0510abc432104a15ebd8bd7154.shsh2 -r -d j85ap --kpp --skip-baseband --legacy

Everything goes well. I cannot get the normal boot script to work so I used Ramiel which worked but now I cannot activate. It says "Your iPad could not be activated because the activation server cannot be reached. Try connecting your iPad to iTunes to activate it, or try again in a couple of minutes." A couple minutes later (and a day later) still doesn't work. connecting to iTunes just gives "unexpected response from device".

Anybody got any idea?

Fugu_V0 for A10 instead of Gaster

I think that Fugu pwn and rmsigchks for A10 devices is much better than gaster. Often with gaster I get the “IBSS didn’t upload properly”

Audio not working in iOS 14.3 thether downgrade

Audio not working on iPhone 7 (9,3; d101ap)

Ramdisk is r/o when copying back to ramdisk

When its unpacked and files are patched it can't copy files back to it due to it mounting read only

iPhone X (iPhone10,6) (d221ap)(Downgrading iOS 15.5 to 14.3) Restore fail

code=42729540
line=652
file=/Users/runner/work/futurerestore/futurerestore/src/futurerestore.cpp
commit count=290:
commit sha =7f732140187bbcecfed3c34ac38185a4096d06d7:
Done: restoring failed!

taurine not work in ios 14.2 thether downgrade

taurine said that is already jailbroken then I think is because of the path amfi in the kernel, that we use to boot. I tried to modify the app in order to that passed the function isjailbroken and every time returned false so that worked however that stuck in waiting for amfidebilitate. I want to modify the app in order to pass amfi exploitation however i don't know how to do that. any idea makes me happier xd :)

Sunst0rm issues: iPhone 6s

Downgraded to iOS 14.3 on a 6s but no camera output at all. Was working perfectly before. I then went back and upgraded to iOS 15 and camera was fine. Downgraded to 14.3 again, no camera. Downgraded with blobs to 14.4, camera works. Clearly a sunst0rm issue.

Iphone X a11 restored (even thaugh it said failed) !!! How can i jailbreak ?

So it worked !!! But the tool said failed to restore. I proceded to boot the device, and i am now on ios 14.8. Thank you for this tool !!! But since its tethered downgrade. How can i jailbreak the device with checkra1n ?

ERROR: Unable to receive message from FDR 0x600002ef7380 (-2). 0/2 bytes

MacOS 12.5
iOS 15.6 RC on iPhone X (d221ap) iPhone10,6
Downgrading to iOS 14.8.1

Error while downgrading, unable to restore [ Unable to send iBSS component: Unable to upload data to device ]

Attempted a few times, Is it possible to find the exact issue?
(I removed the SEP / Baseband downloading progress in the code)

Last login: Mon Sep 19 00:43:58 on ttys000
(base) zyan910@Zyans-MBP ~ % cd /Users/zyan910/Downloads/sunst0rm-main
(base) zyan910@Zyans-MBP sunst0rm-main % python3 sunstorm.py -i /Users/zyan910/Downloads/sunst0rm-main/iPhone_4.7_P3_14.8_18H17_Restore.ipsw -t /Users/zyan910/Downloads/sunst0rm-main/2331690638442542_iPhone10,4_d201ap_15.5-19F77_27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae.shsh2 -r -d D201AP
sunst0rm
Made by mineek
Some code by m1n1exploit
[] Extracting IPSW
[] Extracting RamDisk
rdsk
[] Mounting RamDisk
/dev/disk4 /Users/zyan910/Downloads/sunst0rm-main/work/ramdisk
[] Patching ASR in the RamDisk
getting get_asr_patch()
[] Image failed signature verification 0x14804c5e1
[] Image passed signature verification 0x14804c5bd
[] Assembling arm64 branch
[] Writing out patched file to work/patched_asr
[] Extracting ASR Ents
[] Resigning ASR
[] Chmoding ASR
[] Copying Patched ASR back to the RamDisk
[] Patching Restored External
file size: 1049440
getting get_skip_sealing_patch()
[] Skipping sealing system volume string at 0xb22fa
[] Skipping sealing system volume xref at 0x3129c
[] Skipping sealing system volume branch to xref at 0x3123c
[] Assembling arm64 branch
[] Writing out patched file to work/restored_external_patched
[] Extracting Restored External Ents
[] Resigning Restored External
[] Chmoding Restored External
[] Copying Patched Restored External back to the RamDisk
[] Detaching RamDisk
"disk4" ejected.
[] Creating RamDisk
Reading work/ramdisk.dmg...
IM4P outputted to: work/ramdisk.im4p
[] Extracting Kernel
Reading work/kernelcache.release.iphone10...
[NOTE] Image4 payload data is LZFSE compressed, decompressing...
Extracted Image4 payload data to: work/kcache.raw
[] Patching Kernel
main: Starting...
Kernel: Adding AppleFirmwareUpdate img4 signature check patch...
get_AppleFirmwareUpdate_img4_signature_check: Entering ...
get_AppleFirmwareUpdate_img4_signature_check: Found "%s::%s() Performing img4 validation outside of workloop" str loc at 0x41522a
get_AppleFirmwareUpdate_img4_signature_check: Found "%s::%s() Performing img4 validation outside of workloop" xref at 0x12173e0
get_AppleFirmwareUpdate_img4_signature_check: Patching "%s::%s() Performing img4 validation outside of workloop" at 0x12173ec

Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-7195 inputted
get_amfi_out_of_my_way_patch: Found entitlements too small str loc at 0x40a18e
get_amfi_out_of_my_way_patch: Found entitlements too small str ref at 0x11b0270
get_amfi_out_of_my_way_patch: Patching AMFI at 0x11ac6e8
main: Writing out patched file to work/krnl.patched...
main: Quitting...
[] Rebuilding Kernel
Reading work/krnl.patched...
Compressing payload using LZSS...
IM4P outputted to: work/krnl.im4p
[] Done!
[?] Do you want to restore the device? (y/n)
y
[?] Are you in pwndfu with sigchecks removed? (y/n)
y
[*] Restoring Device
Version: v2.0.0-test(19e30c014b2736ed9a5af08d95669a2dc8044bd3-291)
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f-RELEASE
libipatcher version: 0.88-1e855d70c84419014e363bdbcaead7b145fe3e1f-RELEASE
Odysseus for 32-bit support: yes
Odysseus for 64-bit support: yes
[INFO] 64-bit device detected
futurerestore init done
reading signing ticket /Users/zyan910/Downloads/sunst0rm-main/2331690638442542_iPhone10,4_d201ap_15.5-19F77_27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae.shsh2 is done
User specified to use latest signed SEP
Cached /tmp/futurerestore/sep.im4p not found, downloading a new one.
Downloading SEP
Checking if SEP is being signed...
Sending TSS request attempt 1... response successfully received
SEP is being signed!
User specified to use latest signed baseband
Downloading Baseband
Checking if Baseband is being signed...
[TSSR] User specified to request only a Baseband ticket.
Sending TSS request attempt 1... response successfully received
Baseband is being signed!
Downloading the latest firmware components...
Downloading SE firmware
Finished downloading the latest firmware components!
Found device in DFU mode
requesting to get into pwnRecovery later
Found device in DFU mode
Identified device as d201ap, iPhone10,4
Extracting BuildManifest from iPSW
Product version: 14.8
Product build: 18H17 Major: 18
Device supports Image4: true
checking if the APTicket is valid for this restore...
Verified ECID in APTicket matches the device's ECID
checking if the APTicket is valid for this restore...
Verified ECID in APTicket matches the device's ECID
[IMG4TOOL] checking buildidentity 0:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 1:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 2:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking buildidentity has all required hashes:
[IMG4TOOL] checking hash for "AOP" OK (untrusted)
[IMG4TOOL] checking hash for "Ap,SystemVolumeCanonicalMetadata"BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AppleLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AudioCodecFirmware" OK (untrusted)
[IMG4TOOL] checking hash for "BasebandFirmware" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "BatteryCharging0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryFull" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryPlugin" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "DeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ISP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "KernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "LLB" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Liquid" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Multitouch" OK (untrusted)
[IMG4TOOL] checking hash for "OS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RecoveryMode" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreDeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreKernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreRamDisk" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreSEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SE,UpdatePayload" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "StaticTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SystemVolume" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "ftsp" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "iBEC" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBoot" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "rfta" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "rfts" IGN (no digest in BuildManifest)

failed verification with error:
[exception]:
what=verification failed!
code=84279308
line=1286
file=img4tool.cpp
commit count=197:
commit sha =aca6cf005c94caf135023263cbb5c61a0081804f:
[IMG4TOOL] checking buildidentity 3:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 4:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 5:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 6:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking buildidentity has all required hashes:
[IMG4TOOL] checking hash for "AOP" OK (untrusted)
[IMG4TOOL] checking hash for "Ap,SystemVolumeCanonicalMetadata"BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AppleLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AudioCodecFirmware" OK (untrusted)
[IMG4TOOL] checking hash for "BasebandFirmware" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "BatteryCharging0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryFull" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryPlugin" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "DeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ISP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "KernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "LLB" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Liquid" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Multitouch" OK (untrusted)
[IMG4TOOL] checking hash for "OS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RecoveryMode" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreDeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreKernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreRamDisk" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreSEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SE,UpdatePayload" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "StaticTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SystemVolume" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "ftsp" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "iBEC" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBoot" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "rfta" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "rfts" IGN (no digest in BuildManifest)

BuildIdentity selected for restore:
BuildNumber : 18H17
BuildTrain : AzulSecuritySky
DeviceClass : d201ap
FDRSupport : YES
MobileDeviceMinVersion : 1253.100.1
RestoreBehavior : Erase
Variant : Customer Erase Install (IPSW)

BuildIdentity is valid for the APTicket:
IM4M is not valid for any restore within the Buildmanifest
This APTicket can't be used for restoring this firmware
[WARNING] NOT VALIDATING SHSH BLOBS!
Variant: Customer Erase Install (IPSW)
This restore will erase all device data.
Device found in DFU Mode.
Getting firmware keys for: d201ap
Patching iBSS
Extracting iBSS.d20.RELEASE.im4p (Firmware/dfu/iBSS.d20.RELEASE.im4p)...
payload decrypted
Compression detected, uncompressing (bvx2): ok
iBoot64Patch: Staring iBoot64Patch!
iOS 14 iBoot detected!
iBoot64Patch: Inited ibootpatchfinder64!
iBoot64Patch: Added sigpatches!
iBoot64Patch: Added unlock nvram patch!
iBoot64Patch: Added freshnonce patch!
iBoot64Patch: has_kernel_load is false!
iBoot64Patch: Applying patch=0x180032878 : 000080d2
iBoot64Patch: Applying patch=0x1800328cc : 000080d2
iBoot64Patch: Applying patch=0x18001f8a8 : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x18001f8f8 : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x18006a36c : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x180038c64 : 1f2003d5
iBoot64Patch: Patches applied!
[WARNING] BUG WORKAROUND recompressing images with bvx2 makes them not boot for some reason. Skipping compression
Patching iBEC
Extracting iBEC.d20.RELEASE.im4p (Firmware/dfu/iBEC.d20.RELEASE.im4p)...
payload decrypted
Compression detected, uncompressing (bvx2): ok
iBoot64Patch: Staring iBoot64Patch!
iOS 14 iBoot detected!
iBoot64Patch: Inited ibootpatchfinder64!
iBoot64Patch: Added sigpatches!
iBoot64Patch: Added unlock nvram patch!
iBoot64Patch: Added freshnonce patch!
iBoot64Patch: has_kernel_load is true!
iBoot64Patch: Added debugenabled patch!
iBoot64Patch: Added bootarg patch!
iBoot64Patch: Applying patch=0x180032878 : 000080d2
iBoot64Patch: Applying patch=0x1800328cc : 000080d2
iBoot64Patch: Applying patch=0x18001f8a8 : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x18001f8f8 : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x18006a36c : 000080d2c0035fd6
iBoot64Patch: Applying patch=0x180038c64 : 1f2003d5
iBoot64Patch: Applying patch=0x180034248 : 200080d2
iBoot64Patch: Applying patch=0x180035854 : b8df3810
iBoot64Patch: Applying patch=0x1800a7448 : 72643d6d6430206e616e642d656e61626c652d7265666f726d61743d307831202d76202d726573746f72652064656275673d30783230313465206b65657073796d733d30783120616d66693d3078666620616d66695f616c6c6f775f616e795f7369676e61747572653d30783120616d66695f6765745f6f75745f6f665f6d795f7761793d3078312063735f656e666f7263656d656e745f64697361626c653d30783100
iBoot64Patch: Patches applied!
[WARNING] BUG WORKAROUND recompressing images with bvx2 makes them not boot for some reason. Skipping compression
Repacking patched iBSS as IMG4
Repacking patched iBEC as IMG4
Sending iBSS (1456228 bytes)...
Cleaning up...
[exception]:
what=ERROR: Unable to send iBSS component: Unable to upload data to device

code=43122756
line=658
file=/Users/runner/work/futurerestore/futurerestore/src/futurerestore.cpp
commit count=291:
commit sha =19e30c014b2736ed9a5af08d95669a2dc8044bd3:
Done: restoring failed!

Add support for T2 Macs please

Add support for T2 Macs please
hoping to downgrade the mac bridgeOS
from the ipsw file, since T2 macs use very similar files in the ipsw like ibss ibec ramdisk
& im able to patch these files & gain ssh through ramdisk on T2.
first step to add firmware.jason for T2 macs
then the patching process can be just like the iphone ipsw process.
thank you

Update docs to indicate the need for firmware keys. Drop support for a9x.

After struggling to get things to work for A9x, I was stuck because there are no publicly available firmware keys for the iPad pro first gen.
Is there any way or a guide on how to work on extracting the firmware keys? checkm8 should've made it possible AFAIK.

I also suggest adding a note about that in the readme or the guide. iPhone Wiki - Firmware Keys

Device found in DFU Mode.
Getting firmware keys for: j99aap
Cleaning up...
[exception]:
what=getting keys failed with error: 14745615 (failed to get FirmwareJson from Server). Are keys publicly available?
code=41549892

what=ERROR: Unable to place device into restore mode

I've followed the steps up to the point where my ipad mini 4 (wifi only, used "--kpp--skip-baseband") is displaying all the different lights. But then this error comes up and doesn't let me go to the next step. I would love if I could get helped :)

mineek / sunst0rm Goto Github PK

sunst0rm's Introduction

sunst0rm

please, please, please, DO NOT ask for help in any other discord. Developers not affiliated with sunst0rm are sick of getting issue after issue due to sunst0rm and I just don't want to irritate them, instead join the discord server linked below.

Also: please DO NOT open issues at futurerestore when using sunst0rm, they're almost always NOT the fault of futurerestore.

See this guide for help

You can also watch this youtube video for a video tutorial

If you still have problems, join the Discord server for help

Linux version by MCApollo: here ( only tested on arch )

If you want, please checkout the dev branch where my bash rewrite lives and give feedback / report issues, it would be really useful!

Notes