[Tutorial] [SHSH2 upgrade | downgrade to iOS 10.2 etc.] Install firmware that Apple is no longer signing on any jailbroken device

The process is fairly involved. Really, I'm not kidding.


If you are not comfortable with the terminal and don't want to tinker, don't try this!


Quite a few people have succeeded, but success cannot be guaranteed.
Requirements for upgrading or downgrading to an arbitrary version:

1. The device is jailbroken and on iOS 9.1 or later.
2. A Mac or Linux machine. So far this has only been tested on a Mac, with an iPhone 6 Plus going from 9.3.3 to 10.2.
3. SHSH2 blobs saved for the target version, and they must contain a generator entry.
4. Some basic familiarity with the terminal.
5. Because of an openssl problem, you may need to disable the Mac's rootless kernel protection (System Integrity Protection; details below).

Preparation:
1. Download the latest IPSW (for example iPhone_XXX_10.2.1_XXXXX_Restore.ipsw), rename it to .zip, unzip it, and take the following files out of it:
        [1] Directly from the unzipped root: BuildManifest.plist;
        [2] From the Firmware directory: an XXXXXXXXX.Release.bbfw file. There will be several; which one to take is given by the number after the iOS version in the table below (use the version you want to install):
        MDM9615 (iPhone 5s, iPad Air, iPad mini 2, iPad mini 3):
            iOS 10.0.1 / 10.0.2 / 10.1(.1): 7.01.00
            iOS 10.2: 7.21.00
        MDM9625 (iPhone 6, iPhone 6 Plus, iPhone SE, iPad Air 2, iPad Pro 12.9", iPad mini 4):
            iOS 10.0.1 / 10.0.2: 5.24.00
            iOS 10.1(.1): 5.26.00
            iOS 10.2: 5.32.00
        MDM9635 (iPhone 6s, iPhone 6s Plus, iPad Pro 9.7"):
            iOS 10.0.1 / 10.0.2: 2.30.00
            iOS 10.1(.1): 2.36.00
            iOS 10.2: 2.41.00
        MDM9645 (iPhone 7):
            iOS 10.0(.1): 1.00.02
            iOS 10.0.2: 1.00.03
            iOS 10.0.3: 1.00.05
            iOS 10.1: 1.02.13
            iOS 10.1.1: 1.02.15
            iOS 10.2: 1.02.15
        MDM9645 (iPhone 7 Plus):
            iOS 10.0: 1.00.02
            iOS 10.0.1: 1.00.03
            iOS 10.0.2: 1.00.04
            iOS 10.0.3: 1.00.05
            iOS 10.1(.1): 1.25.00
            iOS 10.2: 1.33.00
        [3] The file Firmware/all_flash/all_flash.XXXXX.production/sep-firmware.XXXXX.RELEASE.im4p. The XXXXX part depends on your device's board configuration; look it up at https://www.theiphonewiki.com/wiki/Category:Devices.
2. Download the IPSW of the version you have SHSH blobs saved for and want to restore to (for example iPhone_XXX_10.2_14C92_Restore.ipsw).
3. Prepare your SHSH file: make a copy, rename the copy to .plist, open it, and copy the value of its generator entry (a string of digits and letters).
4. futurerestore-latest.zip: download it from http://api.tihmstar.net/builds/f ... erestore-latest.zip and unzip it to get the binary.
5. nonceEnabler: download it from https://www.dropbox.com/s/ghv44y0h4uoko8w/nonceEnabler.zip (a Dropbox link; it is also attached to this post) and unzip it to get the binary.
6. Install OpenSSH from Cydia. (A terminal app on the phone should also let you do the device-side steps locally; I followed the foreign tutorials and worked over OpenSSH.)
Note: I tested this on an iPhone 6 Plus. Make a backup before you start, use a good cable, and preferably have the phone and the computer on the same router.
Finally, create a folder named futurerestore on the desktop. It should contain:

  • buildmanifest.plist
  • the .bbfw file
  • the .im4p file
  • nonceEnabler
  • the .ipsw file (the version you want to install)
  • futurerestore_macos (or the Linux build)
  • the SHSH file, and the value of its generator entry
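Picking the right files out of the IPSW by hand is where the baseband table above gets misread. As an added example (not part of the original post, and not futurerestore's own code), the following Python script applies the naming rules from preparation step 1: it treats the IPSW as the zip it is, finds BuildManifest.plist, the one .bbfw whose version matches the table entry, and the SEP image under the all_flash directory for the given board configuration, and refuses to continue if any of them is missing or ambiguous. The sample IPSW it builds for itself is constructed with stub contents; only the directory layout mirrors a real one.

```python
"""Locate and extract the three IPSW components futurerestore needs.

Added example; file layout follows the tutorial's description, the sample
archive built below is constructed and holds stub contents only.
"""
import io
import re
import zipfile
from pathlib import Path


def find_components(ipsw, baseband_version, board_config):
    """Return the archive member names for BuildManifest.plist, the baseband
    image for `baseband_version` (e.g. "5.32.00" from the table) and the SEP
    image for `board_config` (e.g. "n56ap").

    `ipsw` may be a path or a file-like object. Raises ValueError when a
    component is missing or more than one candidate matches, because picking
    the wrong baseband is exactly the mistake the tutorial's table prevents.
    """
    bbfw_re = re.compile(r"Firmware/[^/]+-" + re.escape(baseband_version) + r"\.Release\.bbfw")
    sep_re = re.compile(r"Firmware/all_flash/all_flash\." + re.escape(board_config)
                        + r"\.production/sep-firmware\.[A-Za-z0-9]+\.RELEASE\.im4p")
    with zipfile.ZipFile(ipsw) as z:
        names = z.namelist()
    found = {
        "manifest": [n for n in names if n == "BuildManifest.plist"],
        "bbfw": [n for n in names if bbfw_re.fullmatch(n)],
        "sep": [n for n in names if sep_re.fullmatch(n)],
    }
    for kind, matches in found.items():
        if len(matches) != 1:
            raise ValueError(f"{kind}: expected exactly one match, got {matches}")
    return {kind: matches[0] for kind, matches in found.items()}


def extract_components(ipsw, baseband_version, board_config, dest):
    """Copy the three components flat into `dest` (the tutorial's futurerestore
    folder) and return the written paths keyed like find_components()."""
    members = find_components(ipsw, baseband_version, board_config)
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    written = {}
    with zipfile.ZipFile(ipsw) as z:
        for kind, member in members.items():
            target = dest / Path(member).name  # keep the original file name
            target.write_bytes(z.read(member))
            written[kind] = target
    return written


def build_sample_ipsw():
    """Constructed stand-in for a real IPSW: same layout, stub contents, and a
    second baseband plus a second board so the filters have something to reject."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("BuildManifest.plist", b"<plist/>")
        z.writestr("Firmware/Mav10-5.32.00.Release.bbfw", b"bbfw-10.2")
        z.writestr("Firmware/Mav13-2.41.00.Release.bbfw", b"bbfw-other-modem")
        z.writestr("Firmware/all_flash/all_flash.n56ap.production/sep-firmware.n56.RELEASE.im4p", b"sep-n56")
        z.writestr("Firmware/all_flash/all_flash.n61ap.production/sep-firmware.n61.RELEASE.im4p", b"sep-n61")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import tempfile

    sample = build_sample_ipsw()
    print(find_components(sample, "5.32.00", "n56ap"))
    with tempfile.TemporaryDirectory() as folder:
        print(extract_components(sample, "5.32.00", "n56ap", folder))
```

To use it on a real download, pass the IPSW path instead of the sample, the baseband number from the table, and the board configuration from theiphonewiki; the extracted files land in the folder with their original names, which is what the futurerestore command in step 6 expects.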


Step 1: If you are on a Pangu jailbreak of iOS 9.2–9.3.3 (skip this step otherwise):

  • Reboot so the device is in its un-jailbroken state, then open jbme.qwertyoruiop.com to re-jailbreak (otherwise a later step may fail with: [!] failed to get the kernel base address).
  • Concretely: open the link above in Safari -> tap GO -> dismiss the pop-up -> lock the screen and wait for the device to reboot back into the jailbroken state.
  • If it fails, keep trying.



Step 2: If you are on iOS 10.2 jailbroken with yalu102:

  • Try to carry on normally.
  • If that fails with the error [!] failed to get the kernel base address, try deleting the yalu102 app, installing another build such as b6 or b3, re-jailbreaking, and then continuing.
  • If the error persists, try jailbreaking with b7, put the device into recovery mode, and start from step 6:
  • Quoted from another user: People getting failed kernelbase on nonceEnabler with yalu102: you can just skip this and directly write generator to nvram


Step 3: Connect to the iPhone over OpenSSH. Specific steps:

Step 4: Upload nonceEnabler. Specific steps (you can also copy the file over the cable, fix its permissions and run it locally; that requires a terminal app on the phone):

  • On the Mac, open a second terminal and run cd desktop/futurerestore
  • Run scp nonceEnabler root@<iPhone IP>: (substitute the iPhone's IP address; note the trailing colon!)
  • Enter the password; the upload completes.

Step 5: Run nonceEnabler and put the device into recovery mode

  • In the first terminal run ./nonceEnabler and make sure it finishes without warnings or errors (see step 1).
  • Run nvram com.apple.System.boot-nonce=GENERATOR (GENERATOR is the value of the generator entry taken from the SHSH).
  • Run nvram auto-boot=false
  • Once you are sure everything is right, run reboot; the device will come up in recovery mode.
  • Connect the device to the computer; iTunes will pop up, close it.

Step 6: Install iOS with futurerestore_macos

  • In the first terminal, run chmod +x futurerestore_macos and then execute futurerestore_macos. It depends on quite a few supporting libraries; see https://www.reddit.com/r/jailbreak/comments/5lhby9/tutorial_how_to_upgrade_on_jailbroken_ios_933/ for how to resolve them.
  • If you see Library not loaded: /usr/local/lib/****.dylib, a library is missing: install Homebrew first (search for instructions), then brew install **** for the missing package.
  • If you see Library not loaded: /opt/local/lib/libcrypto.1.0.0.dylib, first brew install openssl, disable rootless kernel protection (search for instructions), then run in order:
  • cd /usr/local/Cellar/openssl/1.0.2k/lib (1.0.2k is the openssl version; use the version you actually have!)
  • sudo cp libssl.1.0.0.dylib libcrypto.1.0.0.dylib /usr/lib/
  • sudo rm libssl.dylib libcrypto.dylib
  • sudo ln -s libssl.1.0.0.dylib libssl.dylib
  • sudo ln -s libcrypto.1.0.0.dylib libcrypto.dylib
  • Run ./futurerestore_macos -t blob.shsh2 -b baseband.bbfw -p BuildManifest.plist -s SEP.im4p -m BuildManifest.plist -w targeted.ipsw, where:
  • blob.shsh2 is replaced by the name of your SHSH2 file
  • baseband.bbfw is replaced by the name of the bbfw file
  • BuildManifest.plist should be the same in both places; leave it as is
  • SEP.im4p is replaced by the name of the im4p file
  • targeted.ipsw is replaced by the name of the ipsw file to install
  • Check everything, press Enter to start the install, and wait patiently.
  • If you get a green screen, congratulations, it worked!
  • When my run succeeded the terminal showed the following (for reference only):
macbook-pro-2:futurerestore-latest UserName***$ ssh root@192.168.5.6
root@192.168.5.6's password:
ReveEver-iPhone:~ root# ./nonceEnabler
separt=com.apple.System.sep.art
kbase=0xffff************
kbase=0xffff************
found bytes at 0x               0
kmem=-----com.apple.System.sep.art-----
nextstr=-----com.apple.System.boot-nonce-----
found com.apple.System.sep.art at 0xffff************
found com.apple.System.boot-nonce at 0xffff************
kbase=0xffff************
found bytes at 0x               0
kmem=-----??k ????-----
patching bytes at=0xffff************
done patching
ReveEver-iPhone:~ root# nvram com.apple.System.boot-nonce=0x7936************
ReveEver-iPhone:~ root# nvram auto-boot=false
ReveEver-iPhone:~ root# nvram -p
boot-args        
com.apple.System.boot-nonce        0x7936************
auto-boot        false
backlight-level        1566
ReveEver-iPhone:~ root# reboot
Connection to 192.168.5.6 closed by remote host.
Connection to 192.168.5.6 closed.
macbook-pro-2:futurerestore-latest UserName***$ ./futurerestore_macos -t 379142615*******_iPhone7,1_10.2-14C92.shsh2 -b Mav10-5.32.00.Release.bbfw -p BuildManifest.plist -s sep-firmware.n56.RELEASE.im4p -m BuildManifest.plist -w iPhone_5.5_10.2_14C92_Restore.ipsw
Version: 6aa188cd06789de1573263aa301a************ - 89
futurerestore init done
reading ticket 379142615*******_iPhone7,1_10.2-14C92.shsh2 done
[TSSC] opening BuildManifest.plist
WARNING: Unable to find BbSkeyId node
[TSSR] User specified not to request a Baseband ticket.
Sending TSS request attempt 1... response successfully received
Did set sep+baseband path and firmware
[WARNING] failed to read BasebandGoldCertID from device! Is it already in recovery?
[WARNING] using tsschecker's fallback to get BasebandGoldCertID. This might result in invalid baseband signing status information
[TSSC] opening BuildManifest.plist
WARNING: Unable to find BbSkeyId node
[TSSR] User specified to request only a Baseband ticket.
ERROR: Unable to get BasebandFirmware node
ERROR: Unable to find required BbGoldCertId in parameters
Sending TSS request attempt 1... response successfully received
Found device in Recovery mode
Device already in Recovery mode
INFO: device serial number is FK2NN4*******
waiting for nonce: 9a 75 c2 7b 20 f4 81 b1 0f 87 eb 7d ed 6b 00 5d f2 f8 b1 08
Got ApNonce from device: 9a 75 c2 7b 20 f4 81 b1 0f 87 eb 7d ed 6b 00 5d f2 f8 b1 08
Device has requested ApNonce now
Found device in Recovery mode
Identified device as n56ap, iPhone7,1
Extracting BuildManifest from IPSW
Product Version: 10.2
Product Build: 14C92 Major: 14
Device supports Image4: true
checking APTicket to be valid for this restore...
[Warning] findAnyBuildidentityForFilehash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] getBuildIdentityForIM4M: skipping element=ftap
[Warning] getBuildIdentityForIM4M: skipping element=ftsp
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=ftap
[Warning] hasBuildidentityElementWithHash: skipping element=ftsp
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=ftap
[Warning] hasBuildidentityElementWithHash: skipping element=ftsp
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=ftap
[Warning] hasBuildidentityElementWithHash: skipping element=ftsp
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] getBuildIdentityForIM4M: skipping element=rfta
[Warning] getBuildIdentityForIM4M: skipping element=rfts
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
[Warning] hasBuildidentityElementWithHash: skipping element=BasebandFirmware
Verified APTicket to be valid for this restore
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
Extracting filesystem from IPSW
[==================================================] 100.0%
Extracting iBEC.n56.RELEASE.im4p...
Personalizing IMG4 component iBEC...
Sending iBEC (632436 bytes)...
Getting SepNonce in recovery mode... 49 5f 23 92 10 1a 5f ad 29 2a 91 c3 a3 90 0b 2d 18 36 94 5c
Getting ApNonce in recovery mode... 9a 75 c2 7b 20 f4 81 b1 0f 87 eb 7d ed 6b 00 5d f2 f8 b1 08
Recovery Mode Environment:
iBoot build-version=iBoot-3406.30.8
iBoot build-style=RELEASE
Sending RestoreLogo...
Extracting applelogo@2x~iphone.t7000.im4p...
Personalizing IMG4 component RestoreLogo...
Sending RestoreLogo (18834 bytes)...
ramdisk-size=0x10000000
Extracting 058-54560-094.dmg...
Personalizing IMG4 component RestoreRamDisk...
Sending RestoreRamDisk (40330739 bytes)...
Extracting DeviceTree.n56ap.im4p...
Personalizing IMG4 component RestoreDeviceTree...
Sending RestoreDeviceTree (124133 bytes)...
Extracting kernelcache.release.n56...
Personalizing IMG4 component RestoreKernelCache...
Sending RestoreKernelCache (12368816 bytes)...
Trying to fetch new SHSH blob
WARNING: Unable to find BbSkeyId node
Sending TSS request attempt 1... response successfully received
Received SHSH blobs
About to restore device...
Waiting for device...
Device e178068837194a705853d34de975************ is now connected in restore mode...
Connecting now...
Connected to com.apple.mobile.restored, version 14
Device e178068837194a705853d34de975************ has successfully entered restore mode
Hardware Information:
BoardID: 4
ChipID: 28672
UniqueChipID: 379142615*******
ProductionMode: true
Starting FDR listener thread
About to send NORData...
Found firmware path Firmware/all_flash/all_flash.n56ap.production
Getting firmware manifest Firmware/all_flash/all_flash.n56ap.production/manifest
Extracting LLB.n56.RELEASE.im4p...
Personalizing IMG4 component LLB...
Extracting iBoot.n56.RELEASE.im4p...
Personalizing IMG4 component iBoot...
Extracting DeviceTree.n56ap.im4p...
Personalizing IMG4 component DeviceTree...
Extracting applelogo@2x~iphone.t7000.im4p...
Personalizing IMG4 component AppleLogo...
Extracting recoverymode@2x~iphone-lightning.t7000.im4p...
Personalizing IMG4 component RecoveryMode...
Extracting batterylow0@2x~iphone.t7000.im4p...
Personalizing IMG4 component BatteryLow0...
Extracting batterylow1@2x~iphone.t7000.im4p...
Personalizing IMG4 component BatteryLow1...
Extracting batterycharging0@2x~iphone.t7000.im4p...
Personalizing IMG4 component BatteryCharging0...
Extracting batterycharging1@2x~iphone.t7000.im4p...
Personalizing IMG4 component BatteryCharging1...
Extracting glyphplugin@2x~iphone-lightning.t7000.im4p...
Personalizing IMG4 component BatteryPlugin...
Extracting batteryfull@2x~iphone.t7000.im4p...
Personalizing IMG4 component BatteryFull...
Personalizing IMG4 component RestoreSEP...
Personalizing IMG4 component SEP...
Sending NORData now...
Done sending NORData
About to send RootTicket...
Sending RootTicket now...
Done sending RootTicket
Waiting for NAND (28)
Checking filesystems (15)
About to send FDR Trust data...
Sending FDR Trust data now...
Done sending FDR Trust Data
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Creating partition map (11)
Creating filesystem (12)
Creating filesystem (12)
Creating filesystem (12)
About to send filesystem...
Connected to ASR
Validating the filesystem
Filesystem validated
Sending filesystem now...
[==================================================] 100.0%
Done sending filesystem
Verifying restore (14)
[==================================================] 100.0%
Mounting filesystems (16)
Mounting filesystems (16)
Mounting filesystems (16)
About to send KernelCache...
Extracting kernelcache.release.n56...
Personalizing IMG4 component KernelCache...
Sending KernelCache now...
Done sending KernelCache
Installing kernelcache (27)
Flashing firmware (18)
[==================================================] 100.0%
Updating gas gauge software (47)
Updating gas gauge software (47)
Updating baseband (19)
About to send BasebandData...
sending request without baseband nonce
WARNING: Unable to find BbSkeyId node
Sending Baseband TSS request...
Sending TSS request attempt 1... response successfully received
Received Baseband SHSH blobs
Sending BasebandData now...
Done sending BasebandData
Updating Baseband in progress...
About to send BasebandData...
WARNING: Unable to find BbSkeyId node
Sending Baseband TSS request...
Sending TSS request attempt 1... response successfully received
Received Baseband SHSH blobs
Sending BasebandData now...
Done sending BasebandData
Updating Baseband completed.
Updating Stockholm (55)
Updating SE Firmware (59)
About to send FUD data...
Sending FUD data now...
Done sending FUD data
About to send FUD data...
Sending FUD data now...
Done sending FUD data
Fixing up /var (17)
Creating system key bag (50)
Modifying persistent boot-args (25)
Resizing system partition (52)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Got status message
Status: Restore Finished
Cleaning up...
DONE
Done: restoring succeeded.
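Steps 5 and 6 both hinge on values that are easy to mistype: the generator from the SHSH2 that goes into nvram, and the six file names in the futurerestore command line. As an added example (not part of the original post, and not futurerestore's or nonceEnabler's code), the Python script below reads the generator straight out of the .shsh2 with plistlib instead of the copy-rename-open routine, checks it has the expected shape (0x followed by 16 hex digits, as in the masked value in the log above), picks each file out of the futurerestore folder by its extension, and prints the nvram lines for step 5 and the futurerestore command for step 6. It assumes one file of each kind in the folder, as the folder listing above requires, and the sample folder it builds for itself is constructed with stub files and a placeholder ECID.

```python
"""Pre-flight for steps 5 and 6: generator check plus command assembly.

Added example; assumes the futurerestore folder holds exactly one .shsh2,
.bbfw, .im4p and .ipsw plus BuildManifest.plist. Sample data is constructed.
"""
import plistlib
import re
import shlex
from pathlib import Path

# A generator is "0x" followed by 16 hex digits (the log above shows one, masked).
GENERATOR_RE = re.compile(r"0x[0-9a-fA-F]{16}")
# One file of each kind is expected, as in the tutorial's folder listing.
SUFFIXES = {"shsh2": ".shsh2", "bbfw": ".bbfw", "sep": ".im4p", "ipsw": ".ipsw"}


def read_generator(shsh2_path):
    """Return the generator string from an .shsh2 (an XML or binary plist).
    Raises ValueError if it is absent or malformed: without it the boot-nonce
    cannot be set, so the ticket would never match the device's nonce."""
    with open(shsh2_path, "rb") as f:
        blob = plistlib.load(f)
    gen = blob.get("generator")
    if not isinstance(gen, str) or not GENERATOR_RE.fullmatch(gen):
        raise ValueError(f"no usable generator entry in {Path(shsh2_path).name}: {gen!r}")
    return gen


def pick_files(folder):
    """Map each required kind to the single matching file in `folder`."""
    folder = Path(folder)
    picked = {}
    for kind, suffix in SUFFIXES.items():
        matches = sorted(p for p in folder.iterdir() if p.is_file() and p.suffix.lower() == suffix)
        if len(matches) != 1:
            raise ValueError(f"expected exactly one {suffix} file in {folder}, found {[p.name for p in matches]}")
        picked[kind] = matches[0]
    manifest = folder / "BuildManifest.plist"  # exact name; a renamed .shsh2 copy must not be mistaken for it
    if not manifest.is_file():
        raise ValueError("BuildManifest.plist is missing from the folder")
    picked["manifest"] = manifest
    return picked


def nvram_commands(generator):
    """The two nvram lines typed on the device in step 5."""
    return [f"nvram com.apple.System.boot-nonce={generator}", "nvram auto-boot=false"]


def futurerestore_argv(files, binary="./futurerestore_macos"):
    """argv for step 6, with the flags in the order the tutorial gives them."""
    return [binary,
            "-t", files["shsh2"].name,
            "-b", files["bbfw"].name,
            "-p", files["manifest"].name,
            "-s", files["sep"].name,
            "-m", files["manifest"].name,
            "-w", files["ipsw"].name]


def preflight(folder):
    """Validate the folder and return the generator and both command forms."""
    files = pick_files(folder)
    generator = read_generator(files["shsh2"])
    argv = futurerestore_argv(files)
    return {"generator": generator, "nvram": nvram_commands(generator),
            "futurerestore_argv": argv, "futurerestore": shlex.join(argv)}


def make_sample_folder(folder, generator="0x1111222233334444"):
    """Constructed folder mirroring the tutorial's listing; contents are stubs."""
    folder = Path(folder)
    folder.mkdir(parents=True, exist_ok=True)
    with open(folder / "ECIDPLACEHOLDER_iPhone7,1_10.2-14C92.shsh2", "wb") as f:
        plistlib.dump({"generator": generator, "ApImg4Ticket": b"\x00"}, f)
    for name in ("Mav10-5.32.00.Release.bbfw", "sep-firmware.n56.RELEASE.im4p",
                 "iPhone_5.5_10.2_14C92_Restore.ipsw", "BuildManifest.plist",
                 "nonceEnabler", "futurerestore_macos"):
        (folder / name).write_bytes(b"")
    return folder


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        result = preflight(make_sample_folder(d))
        print("\n".join(result["nvram"]))
        print(result["futurerestore"])
```

Run preflight() against your real desktop/futurerestore folder before touching nvram: if it raises, the folder is not in the state the tutorial expects, and the error names which file is missing or duplicated.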
That concludes the tutorial. The whole process is fairly complex and needs some background knowledge; please search for solutions to basic problems yourself.

References:
[1] https://www.reddit.com/r/jailbre ... e_to_ios_102_using/
[2] https://www.reddit.com/r/jailbre ... jailbroken_ios_933/
[3] https://www.youtube.com/watch?v=BIMx2Y13Ukc

Attachment: nonceEnabler.zip

Original post: click the attachment to open it.
