Prometheus and TSSChecker: recent developments you should be aware of

By , Jan 3, 2017

Prometheus Downgrade Tool iOS 9.3.5 to iOS 9.3.2

It’s been a busy period for tihmstar’s suite of tools since the release of Prometheus during the 33c3 convention. Both TSSChecker and Prometheus have seen some problems, as well as updates in the intervening period, and this article will bring you up to date with their current statuses.

Prometheus

Soon after its release, various problems began to be reported with the “futurerestore” section of the Prometheus tool, which handles the actual upgrading/downgrading process.

Server errors

The most common of these were reports of server errors when attempting to use the tool. This led some to claim (incorrectly) that Apple had taken its TSS servers completely offline. Whilst it is not completely clear whether there was some concurrent server maintenance or whether it was something to do with the coding of tihmstar’s tool which caused the error to be thrown, this seems to have been fixed in the most recent builds.

Segfault errors

A second common occurrence was “segfault” errors, caused by macOS lacking the requisite OpenSSL support. This has also been fixed in the most recent builds of Prometheus, clearing up the majority of the failed usages of the tool which users had experienced. Reports are now being seen of successful usages of the “futurerestore” tool, however, with this broader testing has come the discovery of an even worse problem…

Touch ID on iOS 10.1.1

Because “futurerestore” does not downgrade the SEP + baseband as part of its restore (this isn’t possible without a SEP exploit), it instead replaces them with a currently signed version instead. At present, that means iOS 10.2 SEP + baseband are used when restoring to iOS 10.1.1. It was thought that the two versions were close enough that this wouldn’t cause problems, however it has become clear as more people have tried it out that while the downgrade/upgrade to iOS 10.1.1 does complete with “futurerestore”, it leaves the Touch ID services non-functional.

This will no doubt be a deal-breaker for most would-be users of the tool, as Touch ID (and possibly other related services too such as Apple Pay, not yet confirmed) are essential features for most.

Interestingly, Luca Todesco has commented that a workaround for this issue should be possible, but there is no further information beyond that. Whether it is truly possible, whether he has begun working on it, or whether he even intends to at all are unknown for the time being. For his part, tihmstar has said that he will not be working on the issue.

Overall, a bumpy start for Prometheus, but it can now be said that the tool does definitely work in principle, having had its fatal errors corrected. However, with the Touch ID situation as it is (not a bug but an inherent limitation of the downgrade method), it is unclear how many users will be willing to use it.

TSSChecker

Tihmstar’s other tool TSSChecker, used for saving APTickets into his proprietary .shsh2 format for use with Prometheus, has also had two serious hurdles come up in recent days.

Problem 1: iPhone 7 / Plus incompatibility

The discovery was made this week that the iPhone 7 and iPhone 7 Plus use a different method to other 64-bit devices when creating generators for its nonces. Whilst this problem does not affect any other devices, it does mean that all blobs saved with generators for these two devices are unfortunately invalid. Until tihmstar can figure out the different relationship Apple is using between its nonces and generators, TSSChecker will not be able to save blobs with generators on iP7(+).

Blobs saved with a specific nonce, and therefore with no generator, may not be affected, however since the iP7(+) is not susceptible to Prometheus’ nonce collision method anyway, it is doubtful what use this kind of blob will be in terms of downgrades. For now, iP7(+) blobs can be saved with TSSChecker by using a nonce composed of a random set of 32 bytes, so long as you use the newest version of the tool. It is unlikely that these blobs will be usable with Prometheus, though tihmstar has said that they may still come in handy with different methods at a later date.

Problem 2: BuildIdentities and invalid blobs

This issue is slightly more complicated to explain, and will not affect everyone equally. It turns out that a change to IPSW files in iOS 10 means that many devices use the same IPSW. This means that information pertaining to all the devices (BuildIdentities) is saved in the Build Manifest inside a single IPSW. As this never used to be the case, TSSChecker used to simply take the first BuildIdentity it found and request an APTicket for that. However, now that there are many BuildIdentities in the IPSW, the first entry may not in fact have been the correct one for your device. This means, sadly, that if the wrong BuildIdentity was selected, the APTicket which was generated by TSSChecker was invalid.

The most recent version of TSSChecker has fixed this error, and these changes are also incorporated into 1Conan’s online version of the tool, TSSSaver. However, what should you do about the .shsh2 files you already have saved? Are they valid?

If you have iOS 10.2 blobs, the best thing to do is just trash them and request new ones with the newest version of TSSChecker or TSSSaver, as 10.2 is still signed and you can get them easily. This will be faster and simpler than verifying the ones you already saved for that particular firmware.

With blobs for 10.1.1 and older, you obviously cannot request new .shsh2 files now as the firmwares are unsigned. In this case, your only option is to hope your blobs were some of the lucky ones which got the correct BuildIdentity first time round, and consequently a valid APTicket. This can be tested using tihmstar’s “img4tool”. The instructions for how to do so are on his blog, but I will put up a how-to soon as the process is fairly involved.

For now, I recommend that anyone who had previously saved .shsh2 blobs for iOS 10.2 re-save them with the newest TSSChecker/TSSSaver. For older blobs, do not delete them until you know for sure that they are bad. As a hopeful story, I checked mine and found that both my iPhone 6 and my iPhone SE blobs were correct, however my iPhone 5s blobs were invalid.

Good luck with your re-saving and verifying! If you do decide to verify your existing blobs with “img4tool”, please let me know which devices had good/bad blobs. It will be important to see if it is always specific devices, or whether it is more complicated than that. Make sure that in all cases you are downloading the most recent versions of tihmstar’s tools to ensure the same problems do not continue to occur.

  • Share:
  • Follow:

  • Mark S

    What a big charlie foxtrot this turned out to be. You know, forget all of this nonsense devs. Work on a straight forward 10.2 jailbreak, or whatever the next firmware is coming out in the next week, instead. What’s next? Upgrade, downgrade, how about a sideways restore? Make it easy on yourself and get your blobs here: tsssaver.1conan dot com

    • Carldini

      Hey Mark SmithDebbieDownerField…Zip it and go Instagram your food

    • leart

      nice useless comment

  • Samuel L. Jackson

    So if your upgrading to 10.1.1 from 9.3.3 do you still have the Touch Id issue?

    • Michael Hulet

      Yes

  • Michael Bemelmans

    Conclusion, stay away from this nonsense if you want to have a perfectly working device and hope for a jailbreak if you’re on 10.2 (for the 10.1.1 people they are lucky)?

  • Abhijeet Gupta

    Hey J, just wanted to know of the JB is stable now.

    • Diego Milano

      Can you elaborate, please? Thanks.

      • Abhijeet Gupta

        There are bugs in the jailbreak and it’s not deemed safe for mass consumption as it’s still in beta. Hearing a lot of people over twitter that it’s running flawlessly. That’s why I’m asking is it stable enough that everyone can use it.

      • Diego Milano

        Oh, you were actually ASKING, it didn’t seem like so, nevermind then. I would stay away from the jailbreak for the time being; if you are running on a jailbroken device on iOS 9, I do not recommend going through any of this. Besides, it is still quite unknown how many tweaks are compatible to iOS 10. So stay away, that’s my recommendation for everyone unless you have a device to spare to play around with.

      • Abhijeet Gupta

        My 7 plus came preninstalled with 10. So staying on 9.x is kinda irrelevant.

      • Diego Milano

        Clarifying this is trivial as well though.

      • Joaquim Barbosa

        Check out my new article Abhijeet, stability fixes for Yalu 10.1.x should be coming soon. I would wait for that if I were you. Hope this helps!

      • Abhijeet Gupta

        Yes sir

  • Diego Milano

    I will continue to say this: the more I read all this, the more I am thankful for realizing how fortunate I am for sitting on my jailbroken iPhone on iOS 9.3.3. I feel bad for those who aren’t as fortunate (for those who truly cling to the jailbreak, that is; others most likely can’t care less) and even for the developers who seem to be hitting a new potential dead-end with every step they make.
    Thank you for those who continuously work and put so much effort on this. Keep it up!

    • Ed Cuf

      I am on iphone 6s, still on 9.0.2 Working all perfectly and stable hehe

  • leart

    cmon its 2017 and still people update their iOS and regret later..
    updating to every single small iOS release ITS NOT OBLIGATORY… damn https://uploads.disquscdn.com/images/8ec823a28e38debbd343235099d5072bb03358b202fea919ff71fefe85682fac.png

  • Tomáš

    I have iPhone SE and iPad mini 2 and both devices have correct blobs.

    • Joaquim Barbosa

      That’s great news! Did you verify they were correct using img4tool? My SE was also fine. Perhaps it’s specific devices that are in trouble…

      • potato

        I would think so. If in the ipsw, it has a list, and it took the first one, then the first one should always be okay. it seems like the SE has been fine, according to the article and a few comments here and there. Perhaps whatever else was linked to that ipsw is not okay… I feel like it will be specific devices based on logic, unless the ipsw selects at random, which would be a somewhat effective method for apple to implement, at least before tsschecker/1conan’s site was updated.

  • Ed Cuf
  • shivam verma

    I tried saving blobs, saved 30 blobs and then tss server started rejecting requests on 31st attempt. Is it a matter of concern