Custom Restore via Limera1n (ipwndfu issue, 18 comments, closed)

axi0mX commented on June 17, 2024

Custom Restore via Limera1n

Comments (18)

axi0mX commented on June 17, 2024

Can you provide more info?

  1. What iTunes version?
  2. What is the filename of the original IPSW?
  3. Be more specific about the error you are getting, "none of them worked" will not help me diagnose the issue.


Merculous commented on June 17, 2024

I've tried using iTunes 11.0.X because, if I'm correct, iTunes 11.1 checks IPSW hashes, and that didn't work. I'm on 12.5.2 and it didn't work either. It always gives me "declined to authorize this image on this device for this user." The original IPSW is iOS 5.1.1 for both iPhone 4 GSM and CDMA, and I just ran it through PwnageTool. Sorry for the confusion.


axi0mX commented on June 17, 2024

Do you have SHSH blobs saved for your device for 5.1.1? Are they on Cydia?


Merculous commented on June 17, 2024

No. I got these phones this year and they all came with iOS 7.1.2 on them. I have only one phone with SHSH blobs, and that's my iPhone 7, which isn't really relevant.


axi0mX commented on June 17, 2024

There is no exploit which allows you to downgrade iPhone 4 to 5.1.1 untethered if you don't have SHSH blobs for your device. Are you trying to do one of the tethered downgrades?


Merculous commented on June 17, 2024

I'm trying to restore to a lower firmware to test some things, and the only way I've gotten to a lower firmware is with Sund0wn and booting tethered. You would use pwned DFU to restore with a custom IPSW. So mostly, yes, I'm doing a tethered downgrade and I'm having issues with doing so. I'm not exactly a genius. I just like to play around, and I've been wanting to develop things like your programs. I want to start on somewhat lower firmwares and try to make my own jailbreaks rather than using existing exploits.


axi0mX commented on June 17, 2024

That's great. You're on the right path then. Jailbreaking isn't about being a genius, it's about putting thousands of hours into learning the skills that you need and then using them to do research.

What is the error when you try to restore with iTunes 11.0.X?

Have you tried coolbooter? https://coolbooter.com/ You can use it to dual boot iOS 5/6/7 on your iPhone 4, untethered.


Merculous commented on June 17, 2024

I've used coolbooter. Not really into it that much. I don't want to wait for new releases. I might use it for studying purposes. I've been working on doing a triple boot and I'm retarded enough to keep messing it up. The only files that are working are files made by Sund0wn. Everything else is giving me the "declined this image" error.


axi0mX commented on June 17, 2024

What is the error when you try to restore with iTunes 11.0.X?


Merculous commented on June 17, 2024

Whatever error it is: "Declined to authorize this image on this device for this user." Maybe 3194, since it's probably checking with the servers whether the IPSW is signed?? Not sure which error it is. I went back to iTunes 11.0.X because I've used a tethered IPSW from Sund0wn and it worked, but I'm trying to use tihmstar's fork of idevicerestore where he's incorporated tethered booting; I haven't messed with it yet. Sund0wn is the only program that's worked for downgrading, but I have to keep tether booting, which is annoying.


axi0mX commented on June 17, 2024

> I have to keep tether booting which is annoying.

There is no way to downgrade untethered without SHSH blobs on iPhone 4.

> Sund0wn is the only program that's worked downgrading

Sund0wn supports tethered downgrades, which is what you want to do.

> I've pwned my iPhone 4 GSM & CDMA and no custom ipsw's from Pwnagetool or Sn0wbreeze work.

PwnageTool and sn0wbreeze don't support tethered downgrades, AFAIK. They'll create a jailbroken IPSW, but you need SHSH blobs for your device for that version.


Merculous commented on June 17, 2024

Last thing I want to ask and address. When you added support for limera1n, did you add the iBoot exploit? I've read that limera1n is both a bootrom exploit and an iBoot exploit. I'm guessing that was it, because for your 3GS new-bootrom exploit you used iBoot to run unsigned code, which allows for untethered downgrades, whereas you used the limera1n bootrom exploit to get into pwned DFU. So is that the reason you can't go untethered on iPhone 4, because you're mostly loading the second stage of the boot and not the very first? Sorry I'm keeping this issue open for a long time. If you reply to this, you can close it if you want.


axi0mX commented on June 17, 2024

No worries.

> When you added support for Limera1n, did you add the iBoot exploit because I've read that Limera1n is a bootrom exploit and iBoot?

No. It might work for exploiting some very old versions of iBoot (limera1n was fixed in iOS 3.1.3) over USB, but it wouldn't be that useful because all such devices already have a tethered USB bootrom exploit for pwned DFU Mode.

> I'm guessing that was it because for your 3GS New bootrom exploit, you used the iBoot to run unsigned code which allow for untethered downgrades because you used the Limera1n bootrom exploit to put into pwned dfu. So was that the reason you can't go untethered for iPhone 4 because you're mostly loading the 2nd load of the boot and not the very first?

Not sure what you are asking. There are 2 use cases when booting:

  1. DFU Mode/Recovery Mode, where boot process stops and you must control device over USB
  2. Untethered boot, where phone simply boots into iOS without any interaction

There is some overlap in the attack surface, but it is small. Exploits for one use case usually don't work for the other.

limera1n and SHAtter only apply to use case 1, they can never work for use case 2.
alloc8 only applies to use case 2. Though the vulnerability can be triggered in use case 1, it does not seem to be exploitable, and it would require a completely different exploit.


Merculous commented on June 17, 2024

If you've only added support to pwn iBoot 574.4 and that only, do you think you would add support for SHAtter? It's quite easy to find the file; in fact I have the bootrom exploit, but I'm not genius enough to incorporate it into anything at the moment. It was mainly supposed to be added to syringe along with the other bootrom exploits but was not. So if you use limera1n's iBoot exploit you can't downgrade untethered, but if you use SHAtter you possibly could?


axi0mX commented on June 17, 2024

> So if using limera1ns iBoot exploit you can't downgrade untethered but if using SHAttered you could possibly?

No. SHAtter only works over USB, it does not work for untethered downgrades. The only advantage of SHAtter is that it shouldn't have any issues running in a VM.

> do you think you would add support for SHAtter?

I might eventually add it, but it won't make a lot of difference. It will only help users who want to exploit S5L8930 devices with ipwndfu in a VM.


Merculous commented on June 17, 2024

I guess that sums up what I've been trying to ask but couldn't figure out earlier. So untethered downgrades already have all of the checks patched and would boot normally, and you would need SHSH blobs to boot untethered on A4, or just an older iDevice should do it. Booting tethered only works up to 6.0 for any supported device. I've had an idea, and it may be very close to impossible without using a bootrom exploit. Do you think there's a possibility that we could reverse engineer an SHSH blob and create one for an iOS we've never had or never had the chance to save them for? Like creating a valid nonce from luck, or maybe something else. Kind of complicated, but I've always had that idea. You can grab people's SHSH blobs from the tethered downgrade page on iPhoneWiki and reverse engineer them. Most go from iOS 4 to 7, so there might be a chance, idk lol. Instead of keeping this going on here, can you add me on Skype or something so you could maybe help me out?


axi0mX commented on June 17, 2024

> So untethered downgrades already have all of the checks patched and would boot normally and you would need shsh blobs to boot untethered for A4 or just an older idevice should do it.

No. For untethered downgrades with SHSH blobs you cannot patch the bootloaders.

> You think there's a possibility that we could reverse engineer a shsh blob and create one for a iOS we've never had or never had the chance to save them?

No. Because of signature check, not because of reverse engineering. Only Apple can create SHSH blobs with a valid signature, because only Apple is in possession of the private key.

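To make the two points in that reply concrete (a blob is bound to one device, and only the holder of the private key can produce one), here is a toy model written for this page. It is not ipwndfu code and not Apple's real APTicket/TSS format: the ticket layout (image hash, ECID, nonce), the ECID and nonce values, and the firmware bytes are all constructed assumptions, and the signature scheme is unpadded textbook RSA over known Mersenne primes, for illustration only. It shows why collecting other people's blobs from a wiki page gets you nothing: their ECID is baked into the signed data, and signing with a key you generated yourself is rejected by a verifier that only trusts the embedded public key.

```python
"""
Toy model of the check an SHSH blob / APTicket enforces (added example,
not ipwndfu's code and not Apple's real ticket format).

The signer (Apple's signing server in the real world) commits to the
firmware image hash, the device ECID and a nonce, and signs that tuple
with a private key the device never holds. The bootloader verifies with
the public key baked into it, so no amount of reverse engineering of
existing blobs yields a new valid one.

Textbook RSA over two known Mersenne primes, no padding: fine for the
demonstration, unusable as a real signature scheme.
"""
import hashlib

# Known Mersenne primes; a toy key, not a generated one.
P = (1 << 521) - 1
Q = (1 << 607) - 1
E = 65537


def keygen(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)) for textbook RSA."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def ticket_digest(image_hash: bytes, ecid: int, nonce: bytes) -> int:
    """Hash of what the (assumed) ticket layout commits to."""
    h = hashlib.sha256()
    h.update(b"TOY-APTICKET-v1")        # domain-separation tag, assumed
    h.update(image_hash)
    h.update(ecid.to_bytes(8, "big"))   # the blob is bound to this ECID
    h.update(nonce)                      # and to this nonce
    return int.from_bytes(h.digest(), "big")


def sign_ticket(priv, image_hash: bytes, ecid: int, nonce: bytes) -> int:
    n, d = priv
    return pow(ticket_digest(image_hash, ecid, nonce), d, n)


def verify_ticket(pub, sig: int, image_hash: bytes, ecid: int, nonce: bytes) -> bool:
    n, e = pub
    return pow(sig, e, n) == ticket_digest(image_hash, ecid, nonce)


def demo() -> dict:
    """Run the scenarios from the thread; every value should be True."""
    apple_pub, apple_priv = keygen()   # the device trusts apple_pub only
    image = hashlib.sha256(b"constructed stand-in for an iOS 5.1.1 image").digest()
    my_ecid = 0x000012345678ABCD       # constructed ECID
    nonce = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed

    # 1. A blob the signer issued for this device: what "saved SHSH" means.
    blob = sign_ticket(apple_priv, image, my_ecid, nonce)

    # 2. Someone else's blob from a wiki page: it carries their ECID.
    other_blob = sign_ticket(apple_priv, image, my_ecid + 1, nonce)

    # 3. "Reverse engineering" a blob without the private key: the best an
    #    attacker can do is sign with a key pair they generated themselves.
    att_pub, att_priv = keygen(p=(1 << 1279) - 1, q=Q)
    forged = sign_ticket(att_priv, image, my_ecid, nonce)

    return {
        "own_blob_verifies": verify_ticket(apple_pub, blob, image, my_ecid, nonce),
        "other_device_blob_fails": not verify_ticket(apple_pub, other_blob, image, my_ecid, nonce),
        "patched_image_fails": not verify_ticket(apple_pub, blob, image[:-1] + b"\x00", my_ecid, nonce),
        "replayed_with_other_nonce_fails": not verify_ticket(apple_pub, blob, image, my_ecid, b"\xff" * 16),
        "forged_blob_fails": not verify_ticket(apple_pub, forged, image, my_ecid, nonce),
        "forgery_passes_only_under_attacker_key": verify_ticket(att_pub, forged, image, my_ecid, nonce),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last entry is the point of the model: the forged ticket is a perfectly good signature under the attacker's key, and it is rejected only because the verifier's public key is fixed. That is exactly the separation axi0mX describes, and it is why a tethered bootrom exploit (which removes the check by patching the code that performs it) is a different thing from producing a valid blob.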

Merculous commented on June 17, 2024

Not an issue, but I see you added SHAtter XD. Nice job!

