Prometheus: upcoming tool may allow unsigned iOS upgrades and downgrades

Dec 18, 2016


iOS hacker tihmstar has announced the upcoming release of his tool Prometheus. And no, it doesn’t steal fire from the gods for you to foster the burgeoning potential of your race. Instead, he claims it will be the first tool capable of upgrading and downgrading 64-bit iOS devices to unsigned firmwares.
If successful, this would be welcome news for the jailbreak community, allowing movement between firmwares for which you have saved your blobs, even after Apple’s signing windows have closed.

The first and most important thing to note if you think you may want to use this tool in future is to save your blobs now. The blobs must be saved in a new format called .shsh2, so previously saved blobs will not work. You must save your blobs again using tihmstar’s tool called tsschecker. After downloading tsschecker, save the blobs with it by following a guide. Be warned, whilst not very long and certainly not impossible, this process is not foolproof and requires careful attention.

The news of Prometheus is especially salient to people who are interested in a possible upcoming iOS 10.1.1 jailbreak but who don’t want to jump ship yet and lose their current jailbreak. If you save the .shsh2 blobs for iOS 10.1.1 now, before the signing window closes, you may be able to upgrade from 9.3.3 to 10.1.1 at a later date even if iOS 10.1.1 is no longer being signed. Of course, this is provisional and no foolproof guarantees have been made, but I would recommend saving the blobs anyway as you have little to lose and it doesn’t take long. You may decide later you want to give it a go.

Tihmstar has said that although 32-bit support is possible, Prometheus will initially be just for 64-bit devices. However, as I mentioned briefly in a previous post, several downgrade tools for 32-bit devices already exist, such as tihmstar’s OdysseusOTA2, Dayt0n’s Odysseus, and geeksn0w’s Beehind, so you could try those instead.

As with all downgrade tools, many caveats apply. Some of Prometheus’ requirements are as follows:

  • 64-bit only, at least initially.
  • Needs a jailbreak on the firmware you are leaving, to get to the one you are aiming for. (This may not be required on some iPhone 5s and iPad Air, but don’t count on it.) To attempt to use Prometheus on these devices without a jailbreak, you must save .shsh2 blobs with a specific nonce, which complicates the process. Some guides can be found which show how to do it, however, so feel free to try it if you’re feeling optimistic.
  • Your jailbreak must have “tfp0” functionality (“host_get_special_port” workaround is also fine). This rules out some jailbreaks, so you’ll have to get lucky. Pangu for iOS 9.1 had it, and Luca’s JailbreakMe for 9.3.3 also enables it, but as the latter is semi-untethered it remains to be seen whether it will work as rebooting the device is part of the downgrade process.
  • You must have .shsh2 blobs for the firmware you want to go to saved with tsschecker.

Tihmstar has elaborated further on the workings of the tool, and also posted a teaser/explanation video which shows the first steps of using it, which you can watch below.

The tentative date for its release seems to be New Year’s Eve, so watch this space! However, for those interested in a possible upgrade to iOS 10.1.1 outside of its signing window, you’ll have to have saved your .shsh2 blobs within the signing window and well before NYE to have a chance of using his tool for iOS 10.1.1. Of course, you can always use it for later firmwares, once you’ve started saving your blobs in the correct format.

For some, the process of saving the .shsh2 blobs may be too much hassle or they may not get round to it in time, but even if not, the release of this tool signifies something exciting for the community. After years of devs and bloggers like me telling people to save their blobs just in case, it has been proven again that given enough time, a way can be found to leverage them in an unsigned downgrade/upgrade. Even if the current usages may be limited (as people may not have the correct .shsh2 saved in time, or may not have a jailbreak to move from), the fact that 64-bit devices can be manipulated in this way is news in and of itself. Who knows what other improvements can be made to the process in future?

Have you saved your .shsh2 blobs yet? Are you excited at the prospect of unsigned downgrades on all devices, not just dinosaurs like the iPhone 4? Let me know.

 


  • Jay

    This is great, I’ll be able to download my old 6 to jailbreak again on a better OS than 10.

    • 7000rpm

      If blobs are saved in this new format then it’s possible?

      • Joaquim Barbosa

        Hi guys. Unfortunately, I’m not sure it will. I don’t think you can save any .shsh2 blobs for iOS 9 now that they are all unsigned firmwares, and Prometheus needs them to work. You will only be able to move between iOS that you have .shsh2 blobs for. Currently signed are 10.1, 10.1.1, 10.1.1_2, and 10.2. Check out my newest article on how to do this. Thanks for reading!

  • Ash

    tsschecker save blobs guide for windows is removed :/

    • :D

      There’s a new, easier script to run

  • Ben$

    Both links have been removed from Reddit. Where can I get it?

    • I updated the post with a new link to a guide. We might come up with our own guide too.

      • Fabi

        yes please a tut for saving shsh

      • Sohaib Siddique

        im using 9.3.3 any method for windows ?

      • 7000rpm

        I’ll wait for that

      • Joaquim Barbosa

        New guide is up, get saving!

  • Elienay Freitas

    I would love to get iOS9 back

    • Diego Milano

      What device are you running right now?

    • Joaquim Barbosa

      At present, I don’t think that will be possible I’m afraid. Prometheus only moves between iOS versions you have shsh2 blobs saved for, which is probably only iOS 10 versions. Check out my newest article for how to do this. Who knows what may be possible in the future though!

      • Rolf Bause

        But don’t forget: there are also iPhone 5S and iPad Air… if you have one of these, you probably can switch.

  • Mark S

    I’m on 9.0.2. on a 6+ looks like I’m out.

    • Julio Hernandez

      You can still get the SHSH blobs of 10.1.1 on your device even if you’re on 9.0.2. I say it’s worth it to give it a try in the case that you ever do lose your iOS 9 jailbreak somehow as like a backup plan.

      • Joaquim Barbosa

        As Julio says, better safe than sorry!

  • Diego Milano

    One thing and one thing only: OMFG!

  • Sohaib Siddique

    can i save ios 9.3.3 blobs, i want to update ios 10.1.1 so if ios 10 jb will not out can i back to my ios 9.3.3 ?

    • Diego Milano

      That’s actually a good idea. I may be wrong, but apparently that’s what the article explains, so in theory you could.

      • Sohaib Siddique

        i just saw youtube video which is available here the guy said in that 9.1 jb has task 0 functionality or something like that im not sure about, ios 9.3.3 doesn’t have

      • Diego Milano

        Yeah, apparently iOS 9.3.3 doesn’t have this, however there may be a patch for this floating around, else someone will most likely introduce it.
        Joaquim may know better about this but I still recommend you to try to save your SHSH2 blobs as soon as you can while iOS 10.1.1 is still being signed, which may not be possible starting this coming week, so… rush and save yours now. 🙂

      • Joaquim Barbosa

        Luca’s JailbreakMe tool has tfp0 functionality, as I mentioned in my article, so in theory it should work for this process.

      • Sohaib Siddique

        cant understand with following statement can you please guide me can i save blobs on 9.3.3 or not 🙂

        “Your jailbreak must have “tfp0” functionality (“host_get_special_port” workaround is also fine). This rules out some jailbreaks, so you’ll have to get lucky. Pangu for iOS 9.1 had it, and Luca’s JailbreakMe for 9.3.3 also enables it, but as the latter is semi-untethered it remains to be seen whether it will work as rebooting the device is part of the downgrade process.”

      • Diego Milano

        If you watch the video -which is what I just finished doing right now- then the guy will explain this is actually needed to run a specific step in the process of downgrading or upgrading to a specific firmware outside the signing window. This process allows you to run kernel patching and from what I understand, without this you won’t be able to downgrade or upgrade to a firmware that is no longer being signed.
        You could still save your SHSH2 blobs though just in case a workaround or fix comes in the future, which is what I’m going to do today.

      • Sohaib Siddique

        unfortunately im a windows user, is there any method for it ?

      • Diego Milano

        I’m a Windows user myself as well but saving the SHSH2 blobs should be possible via Windows.

      • Joaquim Barbosa

        You can’t save 9.3.3 blobs as it’s not signed. However, 9.3.3 does have tfp0 if you use Luca’s tool, so you can use Prometheus on 9.3.3 to go to iOS 10.1.1, if you save blobs for 10.1.1 now. Cheers.

    • Raymond Lanser

      No, “Needs a jailbreak on the firmware you are leaving, to get to the one you are aiming for.” So many people aren’t reading that part. So if you upgrade to 10.1.1 and a jailbreak isn’t released, you can’t downgrade. Same thing for those, like me, who were thinking of downgrading, saving blobs, and upgrading again in the hopes of downgrading later if a JB was released a ways down the road.

      • Sohaib Siddique

        it sounds like if we want to come back we must be on jb, right?

      • Raymond Lanser

        So it would seem based on that bullet, and in the video he uses OpenSSH to do it, which is a jailbreak tweak.

      • Raymond Lanser

        Based on Julio Hernandez’s comment, you might be able to save 10.1.1 blobs without being on that version and upgrade after the signing window is closed though. I guess that’s the real purpose.

      • Diego Milano

        The thing is you cannot get SHSH blobs for a firmware that’s no longer being signed. I just tried to get blobs for iOS 9.3.3 and it failed, so I don’t think it’s possible to downgrade, or either I’m doing something wrong or this use case still needs to be clarified as to whether it is possible or not.
        My recommendation is for everyone to save SHSH blobs for ALL iOS versions currently being signed by Apple in the event we can upgrade to any of those in the future (eg., iOS 10.1.1).

      • Diego Milano

        Yes, I’m running iOS 9.3.3 and I could grab iOS 10.x blobs. Also, you don’t need to connect your device to get these blobs using the command tool, but ideally you should get your ECID in which case you do need your device plugged and in recovery mode to get it.

      • Joaquim Barbosa

        Yup, only signed versions, so no iOS 9.x blobs anymore. Device doesn’t need to be connected, or have the firmware on it that you want, just has to be signed.

      • Rolf Bause

        But you can grab your APTicket for 9.3.3, which is basically the same as the blobs – under some circumstances (iPad Air, 5S) you should be able to downgrade with it… and maybe someone else comes along with a fix for other devices too, who knows…

      • Diego Milano

        Interesting, I’d need to try that. Thanks for the suggestion!

      • Joaquim Barbosa

        Hi Raymond, that’s correct. Unless you have some specific iPhone 5s or iPad Air models, but do *not* count on that. Although I believe there will be a 10.1.1 jailbreak soon, the tool will be more useful for 9.3.3 > 10.1.1 than it will be for 10.1.1>9.3.3. Also, you don’t need to downgrade to save blobs for an iOS version, it just has to be currently signed, even if it’s not on your device. Thanks for reading!

      • David Regan

        Finally someone on here realizes how useless this truly will be.

    • Diego Milano

      Actually, I just tried tsschecker and I cannot get iOS 9.3.3 blobs anymore since that firmware is no longer being signed.

    • Joaquim Barbosa

      Hi Sohaib. You can’t save iOS 9.3.3 blobs anymore I’m afraid as it’s no longer signed. You can still save the blobs for iOS 10.1.1 if you’re quick. If you do that, you can probably stay on iOS 9.3.3 and see if a jb comes out, and then use them to go from 9.3.3 to 10.1.1, even if it’s no longer signed. You can’t go from 10.1.1 to 9.3.3 however as you don’t have blobs for iOS 9.3.3. However, if a 10.1.1 jb is more important to you than your current 9.3.3 jailbreak, the best thing to do is still to upgrade to 10.1.1 now, so you don’t have to worry with this process going wrong for any reason. It’s up to you whether you stay on 9.3.3 with your jailbreak and trust to Prometheus, or just jump now and trust to 10.1.1 jailbreak coming out. Thanks for reading!

  • Raymond Lanser

    “Needs a jailbreak on the firmware you are leaving, to get to the one you are aiming for.” So many people aren’t reading that part. So if you upgrade to 10.1.1 and a jailbreak isn’t released, you can’t downgrade. Same thing for those, like me, who were thinking of downgrading, saving blobs, and upgrading again in the hopes of downgrading later if a JB was released a ways down the road.

    Makes it kind of worthless for anyone besides the people who hate future iOS versions after trying them and would want to downgrade. If you’re already jailbroken, why would you downgrade?

  • 7000rpm

    I want to be safe and save this 10.1.1 blob. I doubt I have any other blobs especially in a new format laying around.

    • leart

      try beehind tool, so far for me it’s the best and easy to use tool.. saves even baseband tickets plus shsh

      • Joaquim Barbosa

        Sorry leart, but although this is normally good advice, it *isn’t* here. beehind can’t downgrade 64-bit devices, and doesn’t save the correct blobs for Prometheus. You must use tsschecker to save shsh2 blobs for Prometheus, not shsh. beehind shshs will *not* work to downgrade using Prometheus. Cheers!

      • 7000rpm

        Good thing I caught this reply!

    • Joaquim Barbosa

      Go for it! Check out my latest article for how to use tsschecker to save blobs in the new format for iOS 10.1.1. And remember, time is running out!

      • 7000rpm

        Even if I’m on iOS 10.1.1 jailbreak ready time is still an issue for me?

      • Joaquim Barbosa

        Not so much, but it might still be good to have the blobs for it, you never know if they’ll be useful. I would save them anyway before they’re unsigned.

      • 7000rpm

        When you say Replace “USERNAME” with your computer username, for example “joebloggs” do you mean replace with the name of the booted hard drive or the username of the account? Sometimes terminal shows both when commanding. I just want to be sure that’s why I’m asking.

      • Joaquim Barbosa

        Username of account. Cheers!

  • Mark S

    Hmm TSS Assistant just sits there when you click launch. Trying another method…

  • David Regan

    “Needs a jailbreak on the firmware you are leaving, to get to the one you are aiming for.”

    Then WTF is the point? If I have a jailbreak on an existing firmware then I would never want to downgrade to another version of iOS for a jailbreak, I would already have one.

    USELESS

    • Mark S

      NOT USELESS.

      HELLO? You are trying to get to a newer firmware that’s the point.

      • David Regan

        No I’m not trying to get to a newer firmware because I buy the newest device, unlike broke people.

        The iPhone 7/+ shipped higher than iOS 9. Give me one example of an iPhone 7 user that makes this worthwhile?

  • Chris Ryan

    what about if you are jailbroken with pangu 9.3.3…did it enable “tfp0” functionality? it is also a semi-tethered jailbreak, does this mean it’s not certain if Prometheus will work on it?

  • meir cohen

    Samsung Galaxy s7 Edge !
    No all the apple BS.

    • Docservlet

      Your phone is junk. Thanks for sharing.

  • Rowan09

    While this is great news for the JB community, anyone thinking of putting IOS 9 on a 7/7+ won’t work. 6S/6S+ would be fine since they were released on IOS 9.

  • jarmster

    iPhone 5s, ios 9.1 jailbroke, 10.1.1 shsh2 blob saved…bring it on

  • Does the 9.0.2 Pangu Jailbreak include tfp0 functionality?

  • Ron Westerduin

    No 32 Bit? useless…..