Today hacker tihmstar released his tool Prometheus, which can be used (in some cases) to upgrade or downgrade iOS to firmwares Apple is no longer signing.
The tool is not foolproof, however, so in this article I'll briefly explain its limitations and how to follow tihmstar's guidance on using it.
First off, I strongly advise you read through my previous article on Prometheus, because it clarifies the main areas of confusion, the requirements to use the tool, and explains in more detail what the tool is.
Prometheus is not a single GUI tool, but a collection of tools including “nonceenabler”, “futurerestore” and “img4tool”. Together, they have the upgrade/downgrade functionality.
Prometheus can be used in two ways. The first uses "nonceenabler" and "futurerestore" together. It is more reliable and faster, but it requires a jailbreak and .shsh2 blobs that were saved with a generator. The second uses only "futurerestore" and does not require a jailbreak, but it relies on a probabilistic nonce collision that may take a long time to succeed, or never succeed at all. It still requires .shsh2 blobs, but ones saved for a specific nonce with no generator, and it only seems to work on certain devices.
Whichever method you use, the requirements are:
- A 64-bit device, excluding the iPhone 7(+). Do not bother trying with a 32-bit device or an iPhone 7(+).
- In most cases, a jailbreak on the firmware you are leaving. (Not required on some iPhone 5s and iPad Air models when using the nonce collision method.)
- If using Prometheus with a jailbreak, saved .shsh2 blobs for the firmware you want to restore to, with a generator. The generator is a field in the .shsh2 file; open the file in a text editor and look near the end for the "generator" key.
- If using Prometheus without a jailbreak, saved .shsh2 blobs for the firmware you want to restore to, saved for one (or more) of the 5 specific nonces tihmstar gave out, which are the ones devices have been found to generate most often and so give the probabilistic attack the best chance.
- If using Prometheus with a jailbreak, the jailbreak must provide "tfp0" (task_for_pid(0), i.e. access to the kernel task port); the "host_get_special_port" workaround is also fine. This rules out some jailbreaks.
There is some confusion over how to follow tihmstar's process, because it is spread across more than one video rather than presented in one place. Depending on your situation, you may have to follow more than one video to complete it. If your blobs are saved with a generator and you have a current jailbreak, follow Steps 1 and 2. If your blobs are saved with the 5 nonces tihmstar made public and you are attempting the process without a jailbreak, go straight to Step 2.
1) The video below shows you how to use your jailbreak to set a specific nonce on your device. The advantage of this is that once the specific nonce has been manually set (which will match the generator in the .shsh2 files you saved), the restore will be accepted immediately on the first try, as the nonce and .shsh2 generators match.
Therefore, using Prometheus this way is recommended if you have a jailbreak. Follow the above video and set your nonce with “nonceenabler”. Once the nonce is set and the device is in recovery mode (from 0:00 – 10:35 in the above video), you can move onto Step 2.
2) The video below shows how to restore an unsigned firmware onto your device, using the “futurerestore” component of Prometheus.
If you just came from Step 1 and have set your nonce, follow the instructions from the beginning of the video up to 5:53, but ignore any talk about the nonce collision method. At 5:53, pay close attention to what he says. Your device will already be in recovery mode and you must leave out the "-w" flag here: "-w" tells futurerestore to keep rebooting the device until its nonce happens to match the ticket, which is the collision method, and is pointless once the nonce is already set. Then continue with the instructions (you will not have to wait through the rebooting stage the video shows).
If you have no jailbreak and started at Step 2, follow the entirety of the video below to the letter, using blobs saved for one of the most commonly generated nonces. It may take a few minutes, or an unknown amount of time, because you will have to use the nonce collision method, which is probabilistic and relies on some luck and time. Without a jailbreak you cannot set the nonce yourself, so there is no way to force a match on the first try.
Together, these two videos cover the whole process of downgrading with Prometheus, using both the “nonceenabler jailbreak method” and the “nonce collision no-jailbreak method”.
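To make the blob requirements above and the two command lines in Steps 1 and 2 concrete, here is an added Python example (mine, not part of this article and not code from tihmstar's tools). It reads a .shsh2 file, reports whether it carries a generator, picks the method the article prescribes for that blob and device state, and assembles the futurerestore command with or without "-w". The two blobs are constructed placeholders whose ticket is a few dummy bytes; the function names are my own; and the flag names come from futurerestore's usage text as I know it, so confirm them against "futurerestore --help" on the build you have before relying on them.

```python
"""Inspect .shsh2 blobs and assemble the matching futurerestore command line."""
import plistlib
import re
import shlex

# Constructed sample blobs for illustration only. The ApImg4Ticket payload is a
# few placeholder bytes, not a real ticket. Real files are XML plists written by
# tsschecker with the same keys.
BLOB_WITH_GENERATOR = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ApImg4Ticket</key>
    <data>MEUCIQ==</data>
    <key>generator</key>
    <string>0x1111111111111111</string>
</dict>
</plist>
"""

BLOB_NONCE_ONLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ApImg4Ticket</key>
    <data>MEUCIQ==</data>
</dict>
</plist>
"""

# A generator is a 64-bit value written as 0x followed by 16 hex digits.
GENERATOR_RE = re.compile(r"0x[0-9a-fA-F]{16}")


def inspect_blob(shsh2_bytes):
    """Return the ticket size and the generator (None if the blob has none).

    Raises ValueError when the file is not a plist or lacks an ApImg4Ticket,
    i.e. is not something futurerestore could use at all.
    """
    try:
        plist = plistlib.loads(shsh2_bytes)
    except Exception as exc:  # plistlib raises more than one type on bad input
        raise ValueError("not a valid .shsh2 plist: %s" % exc)
    ticket = plist.get("ApImg4Ticket")
    if not isinstance(ticket, bytes) or not ticket:
        raise ValueError("no ApImg4Ticket in blob")
    generator = plist.get("generator")
    if generator is not None and (
            not isinstance(generator, str) or not GENERATOR_RE.fullmatch(generator)):
        raise ValueError("malformed generator value: %r" % generator)
    return {"ticket_len": len(ticket), "generator": generator}


def choose_method(blob_info, jailbroken):
    """Map the blob and device state onto the article's two methods."""
    if blob_info["generator"] is None:
        # No generator: the only option is rebooting until the device happens
        # to generate the nonce the ticket was signed for (Step 2 with -w).
        return "nonce-collision"
    if jailbroken:
        # Generator present and a jailbreak to set it: Step 1 (nonceenabler)
        # followed by Step 2 without -w.
        return "nonceenabler"
    # A generator is useless without a jailbreak to set the nonce, and the
    # article describes the collision method for nonce-only blobs.
    return "unsupported"


def futurerestore_command(method, ipsw, blob, sep, sep_manifest,
                          baseband, baseband_manifest):
    """Build the futurerestore argv for the chosen method.

    Flag names follow futurerestore's usage text as I know it (assumption):
    -t ticket, -s/-m SEP image and its BuildManifest, -b/-p baseband and its
    BuildManifest, -w wait for a nonce match. Check `futurerestore --help`.
    """
    if method not in ("nonceenabler", "nonce-collision"):
        raise ValueError("no restore command for method %r" % method)
    argv = ["futurerestore", "-t", blob,
            "-s", sep, "-m", sep_manifest,
            "-b", baseband, "-p", baseband_manifest]
    if method == "nonce-collision":
        # -w keeps rebooting the device until its nonce matches the ticket.
        # After nonceenabler the nonce already matches, so -w is left out.
        argv.append("-w")
    argv.append(ipsw)
    return argv


if __name__ == "__main__":
    cases = (("generator blob, jailbroken", BLOB_WITH_GENERATOR, True),
             ("nonce-only blob, stock", BLOB_NONCE_ONLY, False))
    for label, data, jailbroken in cases:
        info = inspect_blob(data)
        method = choose_method(info, jailbroken)
        print(label, "->", method)
        if method != "unsupported":
            argv = futurerestore_command(
                method, "10.1.1.ipsw", "blob.shsh2",
                "sep.im4p", "SEP_BuildManifest.plist",
                "baseband.bbfw", "BB_BuildManifest.plist")
            print("  " + " ".join(shlex.quote(a) for a in argv))
```

The SEP and baseband paths passed to the command still have to come from a currently signed firmware whose versions are compatible with your target, which the script does not and cannot check; see the next section.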
SEP and basebands
One last thing to note is what tihmstar says about the SEP and baseband, which are two parts of the iOS firmwares you will be working with. He covers this from 0:50 – 2:07 in the second video, and it applies whichever method you are using, the "nonceenabler jailbreak method" or the "nonce collision no-jailbreak method".
Basically, the SEP and baseband must be taken from a currently signed firmware, because Prometheus cannot fake the signatures on them. But SEP and baseband versions are not compatible across many iOS versions, so you must use a signed one that is close enough to your target to be compatible. For example, iOS 10.2 is currently signed, so you could use its SEP and baseband. However, you cannot use them to restore to iOS 9 because the gap is too big; they are not compatible. You can use the SEP and baseband from iOS 10.2 to restore to iOS 10.1.1, because those versions are close enough to be compatible.
In summary: to use Prometheus you must always take the SEP and baseband from a signed firmware, and they must also be compatible with the version you want to restore to. If the SEP and baseband are not compatible with your target firmware, you cannot restore even though they are signed, and if they are compatible but no longer signed, you cannot restore either. The version of iOS you are coming from is irrelevant; what matters is the version you want to restore to and the signed SEP/baseband version you have.
Here are some likely use-cases:
1) Upgrading from iOS 9.3.3 to 10.1.1. You can use the SEP and baseband from 10.2 to finish the restore. iOS 10.2 SEP and baseband are signed whilst 10.2 is signed. iOS 10.2 SEP and baseband are compatible with 10.1.1 because they are close to each other. The fact that you are on iOS 9.3.3 doesn’t matter, only the destination firmware matters. Possible.
2) Downgrading from iOS 10.2 to 10.1.1. You can use the SEP and baseband from 10.2 to finish the restore. iOS 10.2 SEP and baseband are signed whilst 10.2 is signed. iOS 10.2 SEP and baseband are compatible with 10.1.1 because they are close to each other. The fact that you are on iOS 10.2 doesn’t matter, only the destination firmware matters. (Because there is no jailbreak for 10.2, you can only try this with the nonce collision method). Possible, depending on device (nonce collision method).
3) Downgrading from iOS 10.2 to 9.3.3, you cannot use the SEP and baseband from 10.2 to finish the restore. iOS 10.2 SEP and baseband are signed whilst 10.2 is signed, but iOS 10.2 SEP and baseband are not compatible with 9.3.3 because they are not close enough versions to each other. The fact that you are on iOS 10.2 doesn’t matter, but the fact that your signed SEP version is far from your destination firmware does matter. Not possible.
I will put together a hands-on tutorial at a later date which will show the specific steps involved in these two methods. For now though this article should clarify the two methods of using Prometheus, which one applies to you, and whether you can use either one at all. Good luck!