This is Part 1 of a two-part guide on how to use Prometheus.

Before attempting this guide, everyone should read the introductory article, Prometheus Guide: Introduction. This will explain whether the guides apply to you, and if they do, which ones you should follow, as well as making sure that you fulfil the requirements for it to work.

If you currently have a jailbreak and you want to move to a different firmware with Prometheus’ nonceEnabler method, you must follow Parts 1 & 2 of the guide.

If you currently have no jailbreak, and you want to move to a different firmware with Prometheus’ nonce collision method, skip Part 1 and do only Part 2 of the guide.

Before you begin following the instructions, read the entire guide (Parts 1 & 2) through once, and watch tihmstar’s two videos which outline the process visually. This will save time and prevent errors in the long run. Make sure you have all the required files ready before you begin. These are listed in the introductory article. Be prepared to continue directly from Part 1 to Part 2 of the guide. Have both open, and leave enough time to follow them one after the other.

This guide uses an upgrade from iOS 9.3.3 to iOS 10.2 as an example, but it can be used to move between any firmwares in principle, if and only if you meet the requirements. If you are using this guide to move between different firmwares, simply replace any mention of iOS 10.2 with the destination firmware you want, and mentions of iOS 10.2.1 with a currently signed firmware. Some examples of other possible Prometheus restores would be iOS 10.2 > iOS 10.2, iOS 10.3 b1 > iOS 10.2, and iOS 9.1 > iOS 10.2.

Instructions

0) Ensure your device has a jailbreak with tfp0, and that it is active. If on iOS 9.3.3, that means re-jailbreaking with Luca’s JailbreakMe website. Users on older firmwares must check that their jailbreak has tfp0, and possibly install a patch themselves if it does not.

1) Create a folder on your Desktop and name it nonceenabler.

2) Download the nonceEnabler tool, and place it into the folder on your desktop.

3) Copy the .shsh2 blob for the firmware you want to move to, and paste it into the folder on your desktop too.

4) Note down the generator from your .shsh2 blob.

a) If your blob was saved without a specific nonce, the generator can be found inside your blob file:

To get it, rename your blob from .shsh2 to .plist. Then open your .plist file in a text/plist editor of your choice (I use TextEdit or TextWrangler). Scroll to the very bottom of the file and find the generator field. Copy the generator value, and paste it somewhere safe for later. Afterwards, rename your .plist file back to .shsh2.

If your blob has no generator field in it, you may have saved it with a specific nonce, so try Step 4) b).

b) If your blob was saved with one of the five specific nonces which tihmstar provided on his blog:

In this case, tihmstar has provided the generators in the description section of his video guide, where you can find them.

5) Open the Terminal application from /Applications/Utilities, or via Spotlight.

6) Connect your device to your computer.

7) SSH into your device by typing:

ssh root@YOUR_DEVICE_IP_ADDRESS_HERE

Replace YOUR_DEVICE_IP_ADDRESS_HERE with your iOS device’s IP address.

If you do not know how to SSH into your device, or do not know its IP address, follow my full guide on how to connect to your device using SSH.

8) Enter your device’s root password if prompted. By default, the password is alpine, but if you followed my SSH guide linked above you should have changed it, and so should enter your new password instead.

9) Once your device is connected via SSH, leave the Terminal window with SSH open and running, and minimise it.

10) Open a second Terminal window.

11) At the Terminal prompt, type cd, then drag the nonceenabler folder from your desktop onto the Terminal window, and hit Enter.

12) Now type:

scp nonceEnabler root@YOUR_DEVICE_IP_ADDRESS_HERE:

Replace YOUR_DEVICE_IP_ADDRESS_HERE with the IP address of your device, which you used to connect to it in Step 6. Please remember the colon at the end of your device’s IP address.

13) Terminal should show the nonceEnabler file being transferred to the device.

14) Enter your device’s root password if prompted. By default, the password is alpine, but if you followed the guide linked in Step 6 you should have changed it, and so should enter your new password instead.

15) Now return to your open SSH Terminal window, which you minimised in Step 8. The command prompt should read root#.

16) At the prompt enter the following command, to run nonceEnabler:

./nonceEnabler

17) You should now see output as nonceEnabler attempts to patch the kernel. If it does not complete quickly, with only one line of “patching bytes at…”, then it likely has not worked. If many lines of patching appear, try rebooting your device and following Steps 4-15 again until it works. (Remember to re-jailbreak after rebooting if you are on a semi-untethered jailbreak, and use a method with tfp0 enabled.)

18) Once the output of Step 16 reads “done patching” without having printed too many lines of bytes, and without crashing, proceed to Step 19.

19) At the prompt, type:

nvram com.apple.System.boot-nonce=YOUR_GENERATOR

Replace YOUR_GENERATOR with the generator from your own .shsh2 file, which you noted down in Step 4.

20) This should set the generator in nvram so that, when we reboot, the device generates the corresponding nonce. We can then use our saved blob, because the nonce saved in it will match the nonce on the device. To check that the generator is saved correctly in nvram, type the following command at the Terminal prompt:

nvram -p

Terminal will print out all the NVRAM variables set on your device. Make sure that you can see com.apple.System.boot-nonce in the list, and that it has your generator value set.

21) Now type the following command in Terminal:

nvram auto-boot=false

You can check this value is set correctly the same way we did in the previous step, with nvram -p. Look for the auto-boot flag to be listed, with the value false.

Do NOT close the Terminal windows, restart your iOS device, or disconnect your iOS device after Step 21!

Continue straight on to Part 2 of the guide and use futurerestore!

If you don’t want to use futurerestore right now, do NOT stop here! Follow the section below to properly cancel the procedure.

If you are not about to use futurerestore now, do this!

1) At the Terminal prompt, type:

nvram auto-boot=true

2) Type:

nvram -p

Make sure the auto-boot flag is set back to true; otherwise your device will not reboot back to iOS and will keep booting back to recovery.

3) Type:

reboot

This will reboot your device back to iOS as normal. You will have to go through this guide again in future if you wish to use futurerestore with nonceEnabler.
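The checks in Steps 4a, 20 and 21, and the auto-boot check in the cancel section above, can be scripted instead of read off by eye. The following is an added example, not part of the original guide or of tihmstar’s tools: the function names blob_generator, nvram_value and check_nvram are hypothetical, the blob and nvram dump are constructed samples, and it assumes an XML .shsh2 file and tab-separated nvram -p output.

```shell
#!/bin/sh
# Added example, not from the guide. Assumes an XML .shsh2 blob and that
# `nvram -p` prints one "name<TAB>value" pair per line.

# Step 4a: print the generator stored in a blob, wherever the field sits in
# the file. Exit status 1 means no generator field (the Step 4b case).
blob_generator() {
    awk '/<key>generator<\/key>/ { want = 1; sub(/.*<key>generator<\/key>/, "") }
         want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, "")
                              print; found = 1; exit }
         END { exit !found }' "$1"
}

# Print the value of variable $1 from `nvram -p` output on stdin; status 1 if absent.
nvram_value() {
    awk -F '\t' -v k="$1" '$1 == k { print $2; found = 1; exit }
                           END { exit !found }'
}

# check_nvram DUMP GENERATOR AUTO_BOOT: compare saved `nvram -p` output with
# the generator from the blob and the auto-boot value expected at this point
# ("false" after Step 21, "true" after cancelling).
check_nvram() {
    nonce=$(nvram_value com.apple.System.boot-nonce < "$1") ||
        { echo "boot-nonce is not set" >&2; return 1; }
    [ "$nonce" = "$2" ] ||
        { echo "boot-nonce is $nonce, blob needs $2" >&2; return 1; }
    auto=$(nvram_value auto-boot < "$1") ||
        { echo "auto-boot is not set" >&2; return 1; }
    [ "$auto" = "$3" ] ||
        { echo "auto-boot is $auto, expected $3" >&2; return 1; }
}

# Constructed sample data (a minimal blob and nvram dump, not real device output).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '<plist version="1.0"><dict>' '<key>ApImg4Ticket</key>' \
        '<data>AAAA</data>' '<key>generator</key>' \
        '<string>0x0123456789abcdef</string>' '</dict></plist>' > "$dir/sample.shsh2"
    printf 'auto-boot\tfalse\ncom.apple.System.boot-nonce\t0x0123456789abcdef\n' \
        > "$dir/nvram.txt"
    gen=$(blob_generator "$dir/sample.shsh2") &&
        check_nvram "$dir/nvram.txt" "$gen" false && echo "ready for Part 2: $gen"
    status=$?
    rm -rf "$dir"
    return "$status"
}
demo
```

To check a real device, save its output from the second Terminal window with ssh root@YOUR_DEVICE_IP_ADDRESS_HERE nvram -p > nvram.txt, then pass that file and your own blob to the functions in place of the constructed samples.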

If you’re currently not jailbroken and you want to move to a different firmware with Prometheus’ nonce collision method, skip Part 1 and go directly to Part 2 of the guide.

  • Joaquim Barbosa

    I don’t believe it is a typo. Do you mean in “System”? That is how it is in tihmstar’s guide, and Terminal itself prints out lines listing that variable with a large S, you can see them in the screenshots. It might work either way, but large S works well for me. Thanks for reading!

  • Joaquim Barbosa

    What device and iOS version are you on? Most likely the connection was lost for some reason, just follow the ssh steps again to reconnect.

  • Joaquim Barbosa

    What iOS version are you on? You must give details. It sounds like you are not jailbroken or do not have tfp0 enabled. You must be in a jailbroken state, and have tfp0 for it to work.

    • timominous

      Sorry. I am jailbroken on iOS 10.1.1 with yalu beta 7. Afaik beta 7 has tfp0.

      • Joaquim Barbosa

        How strange, did you fix it yet? What device do you have and are you on Mac? You’re right, b7 should have tfp0 equivalent. Is that the entire error from Terminal?

      • timominous

        Yeah. It’s from the phone’s terminal through ssh and also when I try to run the command on the phone directly. I am running macOS 10.12.3 and my device is an iPhone 6.

      • Joaquim Barbosa

        I haven’t seen that before I’m afraid. I know it’s not very specific advice, but I would try hard resetting your phone, re-sideloading the beta, re-jailbreaking, and then sending nonceenabler again and running it.

        Let me know if that gets you any further or changes the error…

      • Joaquim Barbosa

        Hi @timominous, did you see yOr3z’s comment below?

        Try reading through that and using the nvrampatcher linked there instead of nonceenabler, I’ve seen various success stories with it.

        Let me know if it works!

  • Joaquim Barbosa

    Well done! Glad you stuck with it and worked it out, and I hope you found my guide helpful!

  • Peter Peterchen

    Setting the nonce fails often because of my iPad rebooting after Step 16 (./nonceEnabler). Just got it to work twice.

    • Joaquim Barbosa

      I would repeat the steps each time, though I’m not sure if they’re necessary. Copying nonceenabler might not be but patching each time probably is and setting nonce definitely is, so I’d do them all to be safe. Which iPad and iOS version are you on? Let me know how it goes!

  • yusslayer

    Hi all.
    I got error waiting for device.. cannot connect a device in restore mode. Please someone save me.. I want to update my iPhone 5s 9.3.1 to 10.2.. I read carefully and done everything.. I think I use VMware Mac on Windows. Please save me friend.

    • Joaquim Barbosa

      You do not give enough information with your problems. Please write clearly, in short sentences.

      What Step Number do you get this problem? Step 1), Step 2), etc.?

      Did everything work before that Step Number?

  • Joaquim Barbosa

    Haha, well done for cracking it!

    Nice to see some initiative, I had seen that nvrampatcher floating around but wasn’t sure if it would be helpful for you.

    Thanks for the kind words, and enjoy your updated phone!

  • linkincyde

    I’m on step 0. If I go to Luca’s jailbreak website, after I close the popup window, an error in the webpage ALWAYS displays. Pls help.

    • Joaquim Barbosa

      Are you on iOS 9.3.3 or not?

  • linkincyde

    Please help, I forgot to type this command: nvram auto-boot=true, now my iPhone is in recovery mode. Is there any way I can access it through Terminal? I’m trying to connect to my IP but it displays: “connection timed out”. Pls help.

  • ghost.bhoot2k

    Can we downgrade from official 10.3 to 10.2? I am on jailbroken ip6+ iOS 10.2. Kindly advise. Thanks.

    • Joaquim Barbosa

      Nope, sorry.

  • Daniel Cordero

    Attempting this on a Win10 PC. I downloaded PuTTY and was able to ssh to the iPhone but I am stuck on the part about opening a second terminal. Have tried to open another instance of PuTTY but I don’t know if I am again supposed to ssh to the phone. Also tried downloading terminal emulators but typing cd does nothing and navigating to the nonceenabler folder and typing the command given returns an error.

  • Daniel Cordero

    I am stuck on the part about opening a second terminal. Trying this on a Win10 PC with PuTTY and terminal emulators. I can SSH to the phone but trying the second terminal window and typing what is instructed does not work.

    • Ash

      same

  • parazyt

    Hi all,
    I’ve used this guide to upgrade my iPad mini 2 from 9.3.3 to 10.2 with success.
    Now I would like to know:
    Can I restore my iPad from 10.2 (jailbroken) to 10.2 with this method (10.2.1 is no longer signed)?
    Can I downgrade 10.3 to 10.2?

    Thanks for your help

    • Joaquim Barbosa

      You can restore iOS 10.2 jailbroken to iOS 10.2 with this method, if you have iOS 10.2 .shsh2 blobs. You can’t downgrade from iOS 10.3 to iOS 10.2 with this method as it needs a jailbreak.

      • Ash

        Must I have a Mac??

  • Scot Birmingham

    I’m jailbroken on 9.3.3. Missed the window to save blobs for 10.2 so I can’t upgrade/downgrade to that. I’m prepping for the possibly pending JB on 10.3.1 and already have my blobs saved now. My question is, the generator in my blob is listed about halfway down as opposed to at the bottom of the file as it is in yours. Just curious if that’s an issue. Seems like if I used the file viewer that tihmstar uses I wouldn’t know it wasn’t at the bottom cause it pulls out and formats all the fields. Just trying to make sure I have everything in order. Thanks for your guide. Lots of steps but it looks very manageable.

    • Joaquim Barbosa

      Hi, the position of the generator in the text file doesn’t matter at all, so you should be fine.

  • Andrew

    Dear Joaquim,
    As I was going through the process, I ended up by getting error 45
    ((
    checking APTicket to be valid for this restore…
    [Error] ECID inside APTicket does not match device ECID
    APTicket is valid for 1024810322426 (dec) but device is 283983509333030 (dec)
    [Error] APTicket can’t be used for restoring this device
    Done: restoring failed.
    Failed with errorcode=-45
    ))

    Anyway, I was able to get out of the recovery mode. However, as I was trying to repeat the process starting in guide 1 again, I am getting stuck at step 19 where after running 17 where there is a big list before getting “done patching” and then I cannot continue after that.
    I tried to reboot multiple times but I am getting the same issue.
    What do you think is the solution for that? (I have an iPhone 6 on iOS 9.3.3 trying to get to 10.2, using Prometheus on a Mac.)
    Please let me know. Thank you