Comments (2)

zyan910 commented on May 30, 2024

Another attempt with a different outcome

Last login: Mon Sep 19 00:44:03 on ttys000
(base) zyan910@Zyans-MBP ~ % cd /Users/zyan910/Downloads/sunst0rm-main
(base) zyan910@Zyans-MBP sunst0rm-main % python3 sunstorm.py -i /Users/zyan910/Downloads/sunst0rm-main/iPhone_4.7_P3_14.8_18H17_Restore.ipsw -t /Users/zyan910/Downloads/sunst0rm-main/2331690638442542_iPhone10,4_d201ap_15.5-19F77_27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae.shsh2 -r -d D201AP
sunst0rm
Made by mineek
Some code by m1n1exploit
[] Extracting IPSW
[] Extracting RamDisk
rdsk
[] Mounting RamDisk
/dev/disk4 /Users/zyan910/Downloads/sunst0rm-main/work/ramdisk
[] Patching ASR in the RamDisk
getting get_asr_patch()
[] Image failed signature verification 0x14804c5e1
[] Image passed signature verification 0x14804c5bd
[] Assembling arm64 branch
[] Writing out patched file to work/patched_asr
[] Extracting ASR Ents
[] Resigning ASR
[] Chmoding ASR
[] Copying Patched ASR back to the RamDisk
[] Patching Restored External
file size: 1049440
getting get_skip_sealing_patch()
[] Skipping sealing system volume string at 0xb22fa
[] Skipping sealing system volume xref at 0x3129c
[] Skipping sealing system volume branch to xref at 0x3123c
[] Assembling arm64 branch
[] Writing out patched file to work/restored_external_patched
[] Extracting Restored External Ents
[] Resigning Restored External
[] Chmoding Restored External
[] Copying Patched Restored External back to the RamDisk
[] Detaching RamDisk
"disk4" ejected.
[] Creating RamDisk
Reading work/ramdisk.dmg...
IM4P outputted to: work/ramdisk.im4p
[] Extracting Kernel
Reading work/kernelcache.release.iphone10...
[NOTE] Image4 payload data is LZFSE compressed, decompressing...
Extracted Image4 payload data to: work/kcache.raw
[] Patching Kernel
main: Starting...
Kernel: Adding AppleFirmwareUpdate img4 signature check patch...
get_AppleFirmwareUpdate_img4_signature_check: Entering ...
get_AppleFirmwareUpdate_img4_signature_check: Found "%s::%s() Performing img4 validation outside of workloop" str loc at 0x41522a
get_AppleFirmwareUpdate_img4_signature_check: Found "%s::%s() Performing img4 validation outside of workloop" xref at 0x12173e0
get_AppleFirmwareUpdate_img4_signature_check: Patching "%s::%s() Performing img4 validation outside of workloop" at 0x12173ec

Kernel: Adding AMFI_get_out_of_my_way patch...
get_amfi_out_of_my_way_patch: Entering ...
get_amfi_out_of_my_way_patch: Kernel-7195 inputted
get_amfi_out_of_my_way_patch: Found entitlements too small str loc at 0x40a18e
get_amfi_out_of_my_way_patch: Found entitlements too small str ref at 0x11b0270
get_amfi_out_of_my_way_patch: Patching AMFI at 0x11ac6e8
main: Writing out patched file to work/krnl.patched...
main: Quitting...
[] Rebuilding Kernel
Reading work/krnl.patched...
Compressing payload using LZSS...
IM4P outputted to: work/krnl.im4p
[] Done!
[?] Do you want to restore the device? (y/n)
y
[?] Are you in pwndfu with sigchecks removed? (y/n)
y
[*] Restoring Device
Version: v2.0.0-test(19e30c014b2736ed9a5af08d95669a2dc8044bd3-291)
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f-RELEASE
libipatcher version: 0.88-1e855d70c84419014e363bdbcaead7b145fe3e1f-RELEASE
Odysseus for 32-bit support: yes
Odysseus for 64-bit support: yes
[INFO] 64-bit device detected
futurerestore init done
reading signing ticket /Users/zyan910/Downloads/sunst0rm-main/2331690638442542_iPhone10,4_d201ap_15.5-19F77_27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae.shsh2 is done
User specified to use latest signed SEP
Using cached SEP.
Checking if SEP is being signed...
Sending TSS request attempt 1... response successfully received
SEP is being signed!
User specified to use latest signed baseband
Downloading Baseband
Checking if Baseband is being signed...
[TSSR] User specified to request only a Baseband ticket.
Sending TSS request attempt 1... response successfully received
Baseband is being signed!
Downloading the latest firmware components...
Downloading SE firmware
Finished downloading the latest firmware components!
Found device in DFU mode
requesting to get into pwnRecovery later
Found device in DFU mode
Identified device as d201ap, iPhone10,4
Extracting BuildManifest from iPSW
Product version: 14.8
Product build: 18H17 Major: 18
Device supports Image4: true
checking if the APTicket is valid for this restore...
Verified ECID in APTicket matches the device's ECID
checking if the APTicket is valid for this restore...
Verified ECID in APTicket matches the device's ECID
[IMG4TOOL] checking buildidentity 0:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 1:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 2:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking buildidentity has all required hashes:
[IMG4TOOL] checking hash for "AOP" OK (untrusted)
[IMG4TOOL] checking hash for "Ap,SystemVolumeCanonicalMetadata"BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AppleLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AudioCodecFirmware" OK (untrusted)
[IMG4TOOL] checking hash for "BasebandFirmware" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "BatteryCharging0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryFull" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryPlugin" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "DeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ISP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "KernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "LLB" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Liquid" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Multitouch" OK (untrusted)
[IMG4TOOL] checking hash for "OS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RecoveryMode" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreDeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreKernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreRamDisk" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreSEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SE,UpdatePayload" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "StaticTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SystemVolume" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "ftsp" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "iBEC" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBoot" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "rfta" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "rfts" IGN (no digest in BuildManifest)

failed verification with error:
[exception]:
what=verification failed!
code=84279308
line=1286
file=img4tool.cpp
commit count=197:
commit sha =aca6cf005c94caf135023263cbb5c61a0081804f:
[IMG4TOOL] checking buildidentity 3:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 4:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 5:
[IMG4TOOL] checking buildidentity matches board ... NO
[IMG4TOOL] checking buildidentity 6:
[IMG4TOOL] checking buildidentity matches board ... YES
[IMG4TOOL] checking buildidentity has all required hashes:
[IMG4TOOL] checking hash for "AOP" OK (untrusted)
[IMG4TOOL] checking hash for "Ap,SystemVolumeCanonicalMetadata"BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AppleLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "AudioCodecFirmware" OK (untrusted)
[IMG4TOOL] checking hash for "BasebandFirmware" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "BatteryCharging0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryCharging1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryFull" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow0" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryLow1" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "BatteryPlugin" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "DeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ISP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "KernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "LLB" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Liquid" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "Multitouch" OK (untrusted)
[IMG4TOOL] checking hash for "OS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RecoveryMode" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreDeviceTree" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreKernelCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreLogo" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreRamDisk" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreSEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "RestoreTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SE,UpdatePayload" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "SEP" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "StaticTrustCache" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "SystemVolume" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "ftap" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "ftsp" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "iBEC" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBSS" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "iBoot" BAD! (hash not found in im4m)
[IMG4TOOL] checking hash for "rfta" IGN (no digest in BuildManifest)
[IMG4TOOL] checking hash for "rfts" IGN (no digest in BuildManifest)

failed verification with error:
[exception]:
what=verification failed!
code=84279308
line=1286
file=img4tool.cpp
commit count=197:
commit sha =aca6cf005c94caf135023263cbb5c61a0081804f:
[IMG4TOOL] checking buildidentity 7:
[IMG4TOOL] checking buildidentity matches board ... NO
[WARNING] NOT VALIDATING SHSH BLOBS IM4M!
[Error] BuildIdentity selected for restore does not match APTicket

BuildIdentity selected for restore:
BuildNumber : 18H17
BuildTrain : AzulSecuritySky
DeviceClass : d201ap
FDRSupport : YES
MobileDeviceMinVersion : 1253.100.1
RestoreBehavior : Erase
Variant : Customer Erase Install (IPSW)

BuildIdentity is valid for the APTicket:
IM4M is not valid for any restore within the Buildmanifest
This APTicket can't be used for restoring this firmware
[WARNING] NOT VALIDATING SHSH BLOBS!
Variant: Customer Erase Install (IPSW)
This restore will erase all device data.
Device found in DFU Mode.
Sending iBSS (1456228 bytes)...
[==================================================] 100.0%
Booting iBSS, waiting for device to disconnect...
Booting iBSS, waiting for device to reconnect...
ApNonce pre-hax:
INFO: device serial number is C8QVNJWSJC67
Getting ApNonce in recovery mode... cb 61 1e 84 15 f9 08 62 bf 60 0b 89 78 98 8e 34 99 ce 54 ce e0 b6 86 11 65 26 da d2 80 20 f8 91
ApNonce from device doesn't match IM4M nonce, applying hax...
Writing generator=0x1111111111111111 to nvram!
Sending iBEC (1456228 bytes)...
[==================================================] 100.0%
Booting iBEC, waiting for device to disconnect...
Booting iBEC, waiting for device to reconnect...
APnonce post-hax:
Getting ApNonce in recovery mode... 27 32 5c 82 58 be 46 e6 9d 9e e5 7f a9 a8 fb c2 8b 87 3d f4 34 e5 e7 02 a8 b2 79 99 55 11 38 ae
Successfully set nonce generator: 0x1111111111111111
futurerestore(1217,0x305faf000) malloc: Heap corruption detected, free list is damaged at 0x600001e91b60
*** Incorrect guard value: 16629806333025528536
futurerestore(1217,0x305faf000) malloc: *** set a breakpoint in malloc_error_break to debug
[] Done!
[] Cleaning
[*] Done!
(base) zyan910@Zyans-MBP sunst0rm-main %

from sunst0rm.

maxkofler commented on May 30, 2024

You need superuser permissions
