Prometheus: upcoming tool may allow unsigned iOS upgrades and downgrades


iOS hacker tihmstar has announced the upcoming release of his tool Prometheus. And no, it doesn’t steal fire from the gods for you to foster the burgeoning potential of your race. Instead, he claims it will be the first tool capable of upgrading and downgrading 64-bit iOS devices to unsigned firmwares.
If successful, this would be welcome news for the jailbreak community, allowing movement between firmwares for which you have saved your blobs, even after Apple’s signing windows have closed.

The first and most important thing to note if you think you may want to use this tool in future is to save your blobs now. The blobs must be saved in a new format called .shsh2, so previously saved blobs will not work. You must save your blobs again using tihmstar’s tool called tsschecker. After downloading tsschecker, save the blobs with it by following a guide. Be warned, whilst not very long and certainly not impossible, this process is not foolproof and requires careful attention.

The news of Prometheus is especially salient to people who are interested in a possible upcoming iOS 10.1.1 jailbreak but who don’t want to jump ship yet and lose their current jailbreak. If you save the .shsh2 blobs for iOS 10.1.1 now, before the signing window closes, you may be able to upgrade from 9.3.3 to 10.1.1 at a later date even if iOS 10.1.1 is no longer being signed. Of course, this is provisional and no foolproof guarantees have been made, but I would recommend saving the blobs anyway as you have little to lose and it doesn’t take long. You may decide later you want to give it a go.

Tihmstar has said that although 32-bit support is possible, Prometheus will initially be just for 64-bit devices. However, as I mentioned briefly in a previous post, several downgrade tools for 32-bit devices already exist, such as tihmstar’s OdysseusOTA2, Dayt0n’s Odysseus, and geeksn0w’s Beehind, so you could try those instead.

As with all downgrade tools, many caveats apply. Some of Prometheus’ requirements are as follows:

  • 64-bit only, at least initially.
  • Needs a jailbreak on the firmware you are leaving, to get to the one you are aiming for. (This may not be required on some iPhone 5s and iPad Air, but don’t count on it.) To attempt to use Prometheus on these devices without a jailbreak, you must save .shsh2 blobs with a specific nonce, which complicates the process. Some guides showing how to do it can be found, however, so feel free to try it if you’re feeling optimistic.
  • Your jailbreak must have “tfp0” functionality (“host_get_special_port” workaround is also fine). This rules out some jailbreaks, so you’ll have to get lucky. Pangu for iOS 9.1 had it, and Luca’s JailbreakMe for 9.3.3 also enables it, but as the latter is semi-untethered it remains to be seen whether it will work as rebooting the device is part of the downgrade process.
  • You must have .shsh2 blobs for the firmware you want to go to saved with tsschecker.

Tihmstar has elaborated further on the workings of the tool, and also posted a teaser/explanation video which shows the first steps of using it.

The tentative date for its release seems to be New Year’s Eve, so watch this space! However, for those interested in a possible upgrade to iOS 10.1.1 outside of its signing window, you’ll have to have saved your .shsh2 blobs within the signing window and well before NYE to have a chance of using his tool for iOS 10.1.1. Of course, you can always use it for later firmwares, once you’ve started saving your blobs in the correct format.

For some, the process of saving the .shsh2 blobs may be too much hassle, or they may not get round to it in time, but even so, the release of this tool signifies something exciting for the community. After years of devs and bloggers like me telling people to save their blobs just in case, it has been proven again that given enough time, a way can be found to leverage them in an unsigned downgrade/upgrade. Even if the current usages may be limited (as people may not have the correct .shsh2 saved in time, or may not have a jailbreak to move from), the fact that 64-bit devices can be manipulated in this way is news in and of itself. Who knows what other improvements can be made to the process in future?

Have you saved your .shsh2 blobs yet? Are you excited at the prospect of unsigned downgrades on all devices, not just dinosaurs like the iPhone 4? Let me know.