Offsets iPhone 4,1 iOS 9.2.1

[BiteTheApple]

I've tried to insert the iOS 9.2.1 offsets for iPhone 4S into the project. The app installs, but once pressing YOLO the display shows strange colors (see the attached picture) and the device reboots.
The offsets I've inserted are these:

find_OSSSerializer_serialize(): 0x3107fc
find_OSSymbol_getMetaClass(): 0x312f18
find_calend_gettime(): 0x1de60
find_bufattr_cpx(): 0xd8750
find_clock_ops(): 0x3fc3dc
find_copyin(): 0xc6754
find_bx_lr(): 0xd8752
find_write_gadget(): 0xc6488
find_vm_kernel_addrperm(): 0x44e840
find_kernel_pmap(): 0x3ef444
find_flush_dcache(): 0xbb760
find_invalidate_tlb(): 0xc64e0
find_task_for_pid(): 0x2f56c4
find_setreuid(): 0x2a3bc4

[hazytint]

Same problem, the addresses are correct.

[hazytint]

Same problem, the addresses are correct.

[ganoninc]

I'm trying to find the offsets too for this iPhone on iOS 9.2.1

I have created a branch for that but I'm missing the last one (find_setreuid) so maybe it's the wrong one in your list

https://github.com/ganoninc/Trident/blob/ganoninc-iPhone41_iOS921/Trident/offsetfinder.c

I have used Hopper and it can't find the string "f0b503af2de9000d87b0044602910394d1f800b04d68dff7", even shortened. How did you find this adress ?

[ganoninc]

I'm trying to find the offsets too for this iPhone on iOS 9.2.1

I have created a branch for that but I'm missing the last one (find_setreuid) so maybe it's the wrong one in your list

https://github.com/ganoninc/Trident/blob/ganoninc-iPhone41_iOS921/Trident/offsetfinder.c

I have used Hopper and it can't find the string "f0b503af2de9000d87b0044602910394d1f800b04d68dff7", even shortened. How did you find this adress ?

[BiteTheApple]

I found a tweet of angelXwind which said to try with this string -> f0b503af2de9000d85b004460d4601

[BiteTheApple]

I found a tweet of angelXwind which said to try with this string -> f0b503af2de9000d85b004460d4601

[Napsters]

Found all offset using Hopper for iPhone 4s iOS 9.2.1. iPhone4,1_9.2.1_13D15_Restore.ipsw from ipsw.me. Please test.

find_OSSSerializer_serialize(): 0x3107fc {803117fc}
find_OSSymbol_getMetaClass(): 0x312f18 {80313f18}
find_calend_gettime(): 0x1de60 {8001ee60}
find_bufattr_cpx(): 0xd8750 {800d9750}
find_clock_ops(): 0x3fc3dc {0x803fd3d8 + 4 = 803fd3dc}
find_copyin(): 0xc6754 {800c7754}
find_bx_lr(): 0xd8752 {800d9752}
find_write_gadget(): 0xc6488 {800c7488}
find_vm_kernel_addrperm(): 0x44e840 {0x8044f844 - 0x4 = 8044f840}
find_kernel_pmap(): 0x3ef444 {803f0444}
find_flush_dcache(): 0xbb760 {800bc760}
find_invalidate_tlb(): 0xc64e0 {800c74e0}
find_task_for_pid(): 0x2f56c4 {802f66c4}
find_setreuid(): 0x2a3bc4 {802a4bc4}

*Updated

[Napsters]

Found all offset using Hopper for iPhone 4s iOS 9.2.1. iPhone4,1_9.2.1_13D15_Restore.ipsw from ipsw.me. Please test.

find_OSSSerializer_serialize(): 0x3107fc {803117fc}
find_OSSymbol_getMetaClass(): 0x312f18 {80313f18}
find_calend_gettime(): 0x1de60 {8001ee60}
find_bufattr_cpx(): 0xd8750 {800d9750}
find_clock_ops(): 0x3fc3dc {0x803fd3d8 + 4 = 803fd3dc}
find_copyin(): 0xc6754 {800c7754}
find_bx_lr(): 0xd8752 {800d9752}
find_write_gadget(): 0xc6488 {800c7488}
find_vm_kernel_addrperm(): 0x44e840 {0x8044f844 - 0x4 = 8044f840}
find_kernel_pmap(): 0x3ef444 {803f0444}
find_flush_dcache(): 0xbb760 {800bc760}
find_invalidate_tlb(): 0xc64e0 {800c74e0}
find_task_for_pid(): 0x2f56c4 {802f66c4}
find_setreuid(): 0x2a3bc4 {802a4bc4}

*Updated

[ganoninc]

It looks like you've forgotten to subtract 0x80001000 so we should try this:

find_OSSSerializer_serialize(): 0x3107fc
find_OSSymbol_getMetaClass(): 0x312f18
find_calend_gettime(): 0x1de60
find_bufattr_cpx(): 0xd8750
find_clock_ops(): 0x3fc3dc
find_copyin(): 0xc6754
find_bx_lr(): 0xd8752
find_write_gadget(): 0xc6488
find_vm_kernel_addrperm(): 0x44e840
find_kernel_pmap(): 0x3ef444
find_flush_dcache(): 0xbb760
find_invalidate_tlb(): 0xc64e0
find_task_for_pid(): 0x2f56c4
find_setreuid(): 0xcc5018

@BiteTheApple can you try?

[ganoninc]

It looks like you've forgotten to subtract 0x80001000 so we should try this:

find_OSSSerializer_serialize(): 0x3107fc
find_OSSymbol_getMetaClass(): 0x312f18
find_calend_gettime(): 0x1de60
find_bufattr_cpx(): 0xd8750
find_clock_ops(): 0x3fc3dc
find_copyin(): 0xc6754
find_bx_lr(): 0xd8752
find_write_gadget(): 0xc6488
find_vm_kernel_addrperm(): 0x44e840
find_kernel_pmap(): 0x3ef444
find_flush_dcache(): 0xbb760
find_invalidate_tlb(): 0xc64e0
find_task_for_pid(): 0x2f56c4
find_setreuid(): 0xcc5018

@BiteTheApple can you try?

[BiteTheApple]

Just tried, still reboot. :(
My fork is here: https://github.com/BiteTheApple/trident921

[BiteTheApple]

Just tried, still reboot. :(
My fork is here: https://github.com/BiteTheApple/trident921

[hazytint]

The kernel crash at io_service_get_matching_services_bin, probably the UAF failed.

[hazytint]

The kernel crash at io_service_get_matching_services_bin, probably the UAF failed.

[benjamin-42]

If it's failing at UAF exploit take a look at Lookout paper about Pegasus exploits, page 29 they show a different payload for iOS 9.0 through 9.3.1.

[benjamin-42]

If it's failing at UAF exploit take a look at Lookout paper about Pegasus exploits, page 29 they show a different payload for iOS 9.0 through 9.3.1.

[hazytint]

Thanks, I tried another payload, but not work, still reboot. It seems that both payloads can fill the object vtable, but the data is wrong.

[hazytint]

Thanks, I tried another payload, but not work, still reboot. It seems that both payloads can fill the object vtable, but the data is wrong.

[Napsters]

After using 32Stage2 payload which is exist in iOS versions from 9.0 to 9.3, there is problem with assert(read_primitive(kernel_base) == 0xfeedface);

The app not crash but it is stuck at Xcode debugging shows is Assertion failed: (read_primitive(kernel_base) == 0xfeedface). It seems kernel base is not == magic value!

[Napsters]

After using 32Stage2 payload which is exist in iOS versions from 9.0 to 9.3, there is problem with assert(read_primitive(kernel_base) == 0xfeedface);

The app not crash but it is stuck at Xcode debugging shows is Assertion failed: (read_primitive(kernel_base) == 0xfeedface). It seems kernel base is not == magic value!

[hazytint]

The payload failed. Attention that the payload buffer size is 0x1c, not 0x10. 2017年1月7日(土) 17:37 Napsters <notifications@github.com>:

…

After using 32Stage2 payload which is exist in iOS versions from 9.0 to 9.3, there is problem with assert(read_primitive(kernel_base) == 0xfeedface); The app not crash but it is stuck at Xcode debugging shows is Assertion failed: (read_primitive(kernel_base) == 0xfeedface). It seems kernel base is not == magic value! [image: screen shot 2017-01-07 at 5 35 57 pm] <https://cloud.githubusercontent.com/assets/16322897/21740806/d4570bb6-d4ff-11e6-9124-e4f0d3b68b48.png> — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#26 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABe7Eksw_wS9FNDjhit0QEJjkOykB9h-ks5rP1zGgaJpZM4LbD4g> .

[hazytint]

The payload failed. Attention that the payload buffer size is 0x1c, not 0x10. 2017年1月7日(土) 17:37 Napsters <notifications@github.com>:

…

After using 32Stage2 payload which is exist in iOS versions from 9.0 to 9.3, there is problem with assert(read_primitive(kernel_base) == 0xfeedface); The app not crash but it is stuck at Xcode debugging shows is Assertion failed: (read_primitive(kernel_base) == 0xfeedface). It seems kernel base is not == magic value! [image: screen shot 2017-01-07 at 5 35 57 pm] <https://cloud.githubusercontent.com/assets/16322897/21740806/d4570bb6-d4ff-11e6-9124-e4f0d3b68b48.png> — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#26 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABe7Eksw_wS9FNDjhit0QEJjkOykB9h-ks5rP1zGgaJpZM4LbD4g> .

[Napsters]

Confirmed, rebooting and kernel panic using another payload stage2. Same as previous payload result.

[Napsters]

Confirmed, rebooting and kernel panic using another payload stage2. Same as previous payload result.

[ro4fever]

For me there is no doubt that the offsets (even for setreuid), presented by BiteTheApple, are correct. I am not a programmer or developer and I am interested in downgrading my iPhone 4S, iOS 9.2.1.
A guy from Chinese forum (http://bbs.feng.com/read-htm-tid-10984095-page-72.html) wrote about ios 9.1 trident support. He posted some lines from exploit.c file:

void patch_setreuid(uint32_t kernel_base, mach_port_name_t kernel_task) {
uint32_t setreuid_base = find_setreuid() + kernel_base;
uint32_t branch_addr = 0x3e + setreuid_base;
// ushort new_branch = 0xe031; // b loc_802aaa2c iPhone4,1 IOS 9.3.4
ushort new_branch = 0xe040; // RVA:0x802ab35a 40E0 b loc_802ab3de //iPhone4,1 IOS 9.1
vm_write(kernel_task, branch_addr, (vm_address_t)&new_branch, 2);
}

Are numbers 0xe040 and 0x40E0 somewhat related with iOS 9.1 support? In case of positive answer, how to determine these (RVA?) numbers for iOS 9.2.1, b loc_802A4C6C ?

[ro4fever]

For me there is no doubt that the offsets (even for setreuid), presented by BiteTheApple, are correct. I am not a programmer or developer and I am interested in downgrading my iPhone 4S, iOS 9.2.1.
A guy from Chinese forum (http://bbs.feng.com/read-htm-tid-10984095-page-72.html) wrote about ios 9.1 trident support. He posted some lines from exploit.c file:

void patch_setreuid(uint32_t kernel_base, mach_port_name_t kernel_task) {
uint32_t setreuid_base = find_setreuid() + kernel_base;
uint32_t branch_addr = 0x3e + setreuid_base;
// ushort new_branch = 0xe031; // b loc_802aaa2c iPhone4,1 IOS 9.3.4
ushort new_branch = 0xe040; // RVA:0x802ab35a 40E0 b loc_802ab3de //iPhone4,1 IOS 9.1
vm_write(kernel_task, branch_addr, (vm_address_t)&new_branch, 2);
}

Are numbers 0xe040 and 0x40E0 somewhat related with iOS 9.1 support? In case of positive answer, how to determine these (RVA?) numbers for iOS 9.2.1, b loc_802A4C6C ?

[sumories]

Hello,everyone.The guy who creat Trident-Kloader.ipa post something on his weibo,maybe helpful.
http://weibo.com/u/5363037484

1.iOS 9.2.X的利用方式有些不一样，所以用一样的东西会出现问题
2.9.2.X的问题和A6处理器设备的问题不是同一个

I try to translate it:

1. The way that use (exploit) iOS 9.2.X has a littel different (with 9.1&9.3.X),so there will be some mistake if you use the same way (or something else).
   And,he said this is why torachiyo dosen't have success in his source codes on 9.2-9.2.1.
2. The matter of 9.2.X and A6 processor is not the same one.

That is all I can found on his weibo may be helpful.

So,I am a i4s on 9.2 user,still waiting downgrade my device.If those infomation has any help with you guys,then I will be glad.

I hope you guys can finish this work.Have a nice day!

All right,I remember that I have seen something that maybe we can find the different between 9.2.X&9.3.X with Trident on http://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
But I forgot which pages,sorry.

[sumories]

Hello,everyone.The guy who creat Trident-Kloader.ipa post something on his weibo,maybe helpful.
http://weibo.com/u/5363037484

1.iOS 9.2.X的利用方式有些不一样，所以用一样的东西会出现问题
2.9.2.X的问题和A6处理器设备的问题不是同一个

I try to translate it:

1. The way that use (exploit) iOS 9.2.X has a littel different (with 9.1&9.3.X),so there will be some mistake if you use the same way (or something else).
   And,he said this is why torachiyo dosen't have success in his source codes on 9.2-9.2.1.
2. The matter of 9.2.X and A6 processor is not the same one.

That is all I can found on his weibo may be helpful.

So,I am a i4s on 9.2 user,still waiting downgrade my device.If those infomation has any help with you guys,then I will be glad.

I hope you guys can finish this work.Have a nice day!

All right,I remember that I have seen something that maybe we can find the different between 9.2.X&9.3.X with Trident on http://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
But I forgot which pages,sorry.

[hazytint]

It works now, see hazytint/Trident@664d1b7.

[hazytint]

It works now, see hazytint/Trident@664d1b7.

[Napsters]

So 4s panic because of memory kernel leak at *return no bracket open and close ( )! Good JOB! @hazytint

[Napsters]

So 4s panic because of memory kernel leak at *return no bracket open and close ( )! Good JOB! @hazytint

[batareya16]

Can you send ipa file with 4s 9.2.1 support please?:)

[batareya16]

Can you send ipa file with 4s 9.2.1 support please?:)

[BiteTheApple]

@hazytint great job! I can't thank you enough :D

[BiteTheApple]

@hazytint great job! I can't thank you enough :D

[sumories]

9.2.1 ipa file.
http://pan.baidu.com/s/1mhAJ6VQ

Source code.Run it with XCODE.
http://pan.baidu.com/s/1gfHV9jt

[sumories]

9.2.1 ipa file.
http://pan.baidu.com/s/1mhAJ6VQ

Source code.Run it with XCODE.
http://pan.baidu.com/s/1gfHV9jt

[sumories]

Anyone can fix 9.2 offset please!

[sumories]

Anyone can fix 9.2 offset please!

[pbijilu]

@sumories no ipa, source code only

[pbijilu]

@sumories no ipa, source code only

[sumories]

@pbijilu sorry ,I update it.

[sumories]

@pbijilu sorry ,I update it.

[pbijilu]

@sumories thank you

[pbijilu]

@sumories thank you

[crysis99]

@sumories Have you tested the ipa yourself? It seems to get stuck and can't seem to get "w00t root" using this.

[crysis99]

@sumories Have you tested the ipa yourself? It seems to get stuck and can't seem to get "w00t root" using this.

[sumories]

@crysis99 No,my 4s is 9.2,but someone has success on his 9.2.1 device.

[sumories]

@crysis99 No,my 4s is 9.2,but someone has success on his 9.2.1 device.

[Napsters]

Success downgrade, nothing is impossible...add kloader into latest trident exploit xcode fix by @hazytint for iphone 4s iOS 9.2.1, install some brew, add idevicediagnostics into usr/local/bin. Cd into latest OdysseusOTA, add firmware.ipsw -bbupdate. Install trident into devices. Run trident kloader exploit, wait until Wait Exec Sleep Mode. Run idevicediagnostics sleep, push home button several time until hear the sound, phone will enter into dfu mode. Run idevicerestore -e firmware.ipsw. Wait until terminal restore finished. Fix in-case have problem, install redSnow to kick from recovery mode or enter manually into dfu mode.

*TL;DR Successful downgrade from iOS 9.2.1 to iOS 6.1.3 using this fix trident.

[Napsters]

Success downgrade, nothing is impossible...add kloader into latest trident exploit xcode fix by @hazytint for iphone 4s iOS 9.2.1, install some brew, add idevicediagnostics into usr/local/bin. Cd into latest OdysseusOTA, add firmware.ipsw -bbupdate. Install trident into devices. Run trident kloader exploit, wait until Wait Exec Sleep Mode. Run idevicediagnostics sleep, push home button several time until hear the sound, phone will enter into dfu mode. Run idevicerestore -e firmware.ipsw. Wait until terminal restore finished. Fix in-case have problem, install redSnow to kick from recovery mode or enter manually into dfu mode.

*TL;DR Successful downgrade from iOS 9.2.1 to iOS 6.1.3 using this fix trident.

[pbijilu]

@sumories @crysis99 can't get w00t root on this ipa either, seems like the app is stuck

[pbijilu]

@sumories @crysis99 can't get w00t root on this ipa either, seems like the app is stuck

[sumories]

WE DID IT!9.2&9.2.1 ALL SUCCESS!

[sumories]

WE DID IT!9.2&9.2.1 ALL SUCCESS!

[pbijilu]

@sumories used you ipa from this link http://pan.baidu.com/s/1gfysN0B, it worked, ty

[pbijilu]

@sumories used you ipa from this link http://pan.baidu.com/s/1gfysN0B, it worked, ty

[VeryKnave]

Good work! Now the problem with A6 processors should be fixed :)

[VeryKnave]

Good work! Now the problem with A6 processors should be fixed :)

[ro4fever]

Worked on iOS 9.2.1 iPhone 4S for downgrading to iOS 6.1.3. Thanks to all who worked on this. Thank you sumories for ipa file http://pan.baidu.com/s/1mhAJ6VQ!

[ro4fever]

Worked on iOS 9.2.1 iPhone 4S for downgrading to iOS 6.1.3. Thanks to all who worked on this. Thank you sumories for ipa file http://pan.baidu.com/s/1mhAJ6VQ!

[UnnamedCode]

Trident worked on ios 9.2.1 it went through the apple logo phase and now whenever I open it , its says start i press it and it crashes does that im rooted

[UnnamedCode]

Trident worked on ios 9.2.1 it went through the apple logo phase and now whenever I open it , its says start i press it and it crashes does that im rooted

[UnnamedCode]

Everytime I click start it crashes ive already went through the apple logo phase am I jailbroken? comments plz and thank you

[UnnamedCode]

Everytime I click start it crashes ive already went through the apple logo phase am I jailbroken? comments plz and thank you

[VeryKnave]

@UnnamedCode This is not a jailbreak tool, it's for root access only. If the device rebooted, that means it failed. What device and what iOS version do you have?

[VeryKnave]

@UnnamedCode This is not a jailbreak tool, it's for root access only. If the device rebooted, that means it failed. What device and what iOS version do you have?

[UnnamedCode]

iOS 9.2.1 the IPA in which it said it would work for

…

On Sun, Jan 15, 2017 at 8:31 PM VeryKnave ***@***.***> wrote: @UnnamedCode <https://github.com/UnnamedCode> This is not a jailbreak tool, it's for root access only. If the device rebooted, that means it failed. What device and what iOS version do you have? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#26 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AXnO7m9ima7m7MIVa5B8uzPj1qvkZpyHks5rSshxgaJpZM4LbD4g> .

[UnnamedCode]

iOS 9.2.1 the IPA in which it said it would work for

…

On Sun, Jan 15, 2017 at 8:31 PM VeryKnave ***@***.***> wrote: @UnnamedCode <https://github.com/UnnamedCode> This is not a jailbreak tool, it's for root access only. If the device rebooted, that means it failed. What device and what iOS version do you have? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#26 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AXnO7m9ima7m7MIVa5B8uzPj1qvkZpyHks5rSshxgaJpZM4LbD4g> .

[UnnamedCode]

I've been trying for 6 months to downgrade this iPhone to iOS 6 and I have no mac

…

On Sun, Jan 15, 2017 at 8:32 PM The cRacker ***@***.***> wrote: iOS 9.2.1 the IPA in which it said it would work for On Sun, Jan 15, 2017 at 8:31 PM VeryKnave ***@***.***> wrote: > @UnnamedCode <https://github.com/UnnamedCode> This is not a jailbreak > tool, it's for root access only. If the device rebooted, that means it > failed. What device and what iOS version do you have? > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub > <#26 (comment)>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/AXnO7m9ima7m7MIVa5B8uzPj1qvkZpyHks5rSshxgaJpZM4LbD4g> > . >

[UnnamedCode]

I've been trying for 6 months to downgrade this iPhone to iOS 6 and I have no mac

…

On Sun, Jan 15, 2017 at 8:32 PM The cRacker ***@***.***> wrote: iOS 9.2.1 the IPA in which it said it would work for On Sun, Jan 15, 2017 at 8:31 PM VeryKnave ***@***.***> wrote: > @UnnamedCode <https://github.com/UnnamedCode> This is not a jailbreak > tool, it's for root access only. If the device rebooted, that means it > failed. What device and what iOS version do you have? > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub > <#26 (comment)>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/AXnO7m9ima7m7MIVa5B8uzPj1qvkZpyHks5rSshxgaJpZM4LbD4g> > . >

[UnnamedCode]

Link to IPA http://pan.baidu.com/s/1gfysN0B

[UnnamedCode]

Link to IPA http://pan.baidu.com/s/1gfysN0B

[ihad91]

i want to downgrade my iphone 4s on ios 9.2 to ios 6.1.3 pleas help me and send me trident.ipa for iphone 4.1 ios 9.2

[ihad91]

i want to downgrade my iphone 4s on ios 9.2 to ios 6.1.3 pleas help me and send me trident.ipa for iphone 4.1 ios 9.2

[ihad91]

C:\Users\Hadii\Desktop\downgrade\libimobiledevice>idevicerestore.exe -e custom.i
psw
NOTE: using cached version data
Found device in DFU mode
Identified device as n94ap, iPhone4,1
Extracting BuildManifest from IPSW
Product Version: 6.1.3
Product Build: 10B329 Major: 10
Device supports Image4: false
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
Found ECID 4341407892269
Getting ApNonce in dfu mode... d0 3a ab 0e 7c 15 bb b1 97 58 01 24 63 d8 18 1f 3
4 f0 75 3c
Trying to fetch new SHSH blob
Getting SepNonce in dfu mode...
WARNING: Unable to find BbSkeyId node
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Received SHSH blobs
Extracting filesystem from IPSW
Extracting iBSS.n94ap.RELEASE.dfu...
Personalizing IMG3 component iBSS...
reconstructed size: 76110
Sending iBSS (76110 bytes)...
Nonce: d0 3a ab 0e 7c 15 bb b1 97 58 01 24 63 d8 18 1f 34 f0 75 3c
Extracting iBEC.n94ap.RELEASE.dfu...
Not personalizing component iBEC...
Sending iBEC (279576 bytes)...
ERROR: Unable to connect to device in recovery mode
ERROR: Unable to connect to recovery device
ERROR: Unable to place device into recovery mode from DFU mode

i have this error please help meeee :(

[ihad91]

C:\Users\Hadii\Desktop\downgrade\libimobiledevice>idevicerestore.exe -e custom.i
psw
NOTE: using cached version data
Found device in DFU mode
Identified device as n94ap, iPhone4,1
Extracting BuildManifest from IPSW
Product Version: 6.1.3
Product Build: 10B329 Major: 10
Device supports Image4: false
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
Found ECID 4341407892269
Getting ApNonce in dfu mode... d0 3a ab 0e 7c 15 bb b1 97 58 01 24 63 d8 18 1f 3
4 f0 75 3c
Trying to fetch new SHSH blob
Getting SepNonce in dfu mode...
WARNING: Unable to find BbSkeyId node
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Received SHSH blobs
Extracting filesystem from IPSW
Extracting iBSS.n94ap.RELEASE.dfu...
Personalizing IMG3 component iBSS...
reconstructed size: 76110
Sending iBSS (76110 bytes)...
Nonce: d0 3a ab 0e 7c 15 bb b1 97 58 01 24 63 d8 18 1f 34 f0 75 3c
Extracting iBEC.n94ap.RELEASE.dfu...
Not personalizing component iBEC...
Sending iBEC (279576 bytes)...
ERROR: Unable to connect to device in recovery mode
ERROR: Unable to connect to recovery device
ERROR: Unable to place device into recovery mode from DFU mode

i have this error please help meeee :(

[UnnamedCode]

Rename downgrade.ipsw to downgrade and then type in downgrade.ipsw in the command line also use behind downgrade to create your ipsw

…

On Thu, Jan 19, 2017 at 12:32 PM ihad91 ***@***.***> wrote: C:\Users\Hadii\Desktop\downgrade\libimobiledevice>idevicerestore.exe -e custom.i psw NOTE: using cached version data Found device in DFU mode Identified device as n94ap, iPhone4,1 Extracting BuildManifest from IPSW Product Version: 6.1.3 Product Build: 10B329 Major: 10 Device supports Image4: false Variant: Customer Erase Install (IPSW) This restore will erase your device data. Found ECID 4341407892269 Getting ApNonce in dfu mode... d0 3a ab 0e 7c 15 bb b1 97 58 01 24 63 d8 18 1f 3 4 f0 75 3c Trying to fetch new SHSH blob Getting SepNonce in dfu mode... WARNING: Unable to find BbSkeyId node Request URL set to https://gs.apple.com/TSS/controller?action=2 Sending TSS request attempt 1... response successfully received Received SHSH blobs Extracting filesystem from IPSW Extracting iBSS.n94ap.RELEASE.dfu... Personalizing IMG3 component iBSS... reconstructed size: 76110 Sending iBSS (76110 bytes)... Nonce: d0 3a ab 0e 7c 15 bb b1 97 58 01 24 63 d8 18 1f 34 f0 75 3c Extracting iBEC.n94ap.RELEASE.dfu... Not personalizing component iBEC... Sending iBEC (279576 bytes)... ERROR: Unable to connect to device in recovery mode ERROR: Unable to connect to recovery device ERROR: Unable to place device into recovery mode from DFU mode i have this error please help meeee :( — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#26 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AXnO7lMMJVLIhXZ15p5at37JZBeCtXlNks5rT542gaJpZM4LbD4g> .

[UnnamedCode]

Rename downgrade.ipsw to downgrade and then type in downgrade.ipsw in the command line also use behind downgrade to create your ipsw

…

On Thu, Jan 19, 2017 at 12:32 PM ihad91 ***@***.***> wrote: C:\Users\Hadii\Desktop\downgrade\libimobiledevice>idevicerestore.exe -e custom.i psw NOTE: using cached version data Found device in DFU mode Identified device as n94ap, iPhone4,1 Extracting BuildManifest from IPSW Product Version: 6.1.3 Product Build: 10B329 Major: 10 Device supports Image4: false Variant: Customer Erase Install (IPSW) This restore will erase your device data. Found ECID 4341407892269 Getting ApNonce in dfu mode... d0 3a ab 0e 7c 15 bb b1 97 58 01 24 63 d8 18 1f 3 4 f0 75 3c Trying to fetch new SHSH blob Getting SepNonce in dfu mode... WARNING: Unable to find BbSkeyId node Request URL set to https://gs.apple.com/TSS/controller?action=2 Sending TSS request attempt 1... response successfully received Received SHSH blobs Extracting filesystem from IPSW Extracting iBSS.n94ap.RELEASE.dfu... Personalizing IMG3 component iBSS... reconstructed size: 76110 Sending iBSS (76110 bytes)... Nonce: d0 3a ab 0e 7c 15 bb b1 97 58 01 24 63 d8 18 1f 34 f0 75 3c Extracting iBEC.n94ap.RELEASE.dfu... Not personalizing component iBEC... Sending iBEC (279576 bytes)... ERROR: Unable to connect to device in recovery mode ERROR: Unable to connect to recovery device ERROR: Unable to place device into recovery mode from DFU mode i have this error please help meeee :( — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#26 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AXnO7lMMJVLIhXZ15p5at37JZBeCtXlNks5rT542gaJpZM4LbD4g> .

[UnnamedCode]

https://www.youtube.com/watch?v=ibK8P3welVY

…

On Thu, Jan 19, 2017 at 2:37 PM The cRacker ***@***.***> wrote: Rename downgrade.ipsw to downgrade and then type in downgrade.ipsw in the command line also use behind downgrade to create your ipsw On Thu, Jan 19, 2017 at 12:32 PM ihad91 ***@***.***> wrote: C:\Users\Hadii\Desktop\downgrade\libimobiledevice>idevicerestore.exe -e custom.i psw NOTE: using cached version data Found device in DFU mode Identified device as n94ap, iPhone4,1 Extracting BuildManifest from IPSW Product Version: 6.1.3 Product Build: 10B329 Major: 10 Device supports Image4: false Variant: Customer Erase Install (IPSW) This restore will erase your device data. Found ECID 4341407892269 Getting ApNonce in dfu mode... d0 3a ab 0e 7c 15 bb b1 97 58 01 24 63 d8 18 1f 3 4 f0 75 3c Trying to fetch new SHSH blob Getting SepNonce in dfu mode... WARNING: Unable to find BbSkeyId node Request URL set to https://gs.apple.com/TSS/controller?action=2 Sending TSS request attempt 1... response successfully received Received SHSH blobs Extracting filesystem from IPSW Extracting iBSS.n94ap.RELEASE.dfu... Personalizing IMG3 component iBSS... reconstructed size: 76110 Sending iBSS (76110 bytes)... Nonce: d0 3a ab 0e 7c 15 bb b1 97 58 01 24 63 d8 18 1f 34 f0 75 3c Extracting iBEC.n94ap.RELEASE.dfu... Not personalizing component iBEC... Sending iBEC (279576 bytes)... ERROR: Unable to connect to device in recovery mode ERROR: Unable to connect to recovery device ERROR: Unable to place device into recovery mode from DFU mode i have this error please help meeee :( — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#26 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AXnO7lMMJVLIhXZ15p5at37JZBeCtXlNks5rT542gaJpZM4LbD4g> .

[UnnamedCode]

https://www.youtube.com/watch?v=ibK8P3welVY

…

On Thu, Jan 19, 2017 at 2:37 PM The cRacker ***@***.***> wrote: Rename downgrade.ipsw to downgrade and then type in downgrade.ipsw in the command line also use behind downgrade to create your ipsw On Thu, Jan 19, 2017 at 12:32 PM ihad91 ***@***.***> wrote: C:\Users\Hadii\Desktop\downgrade\libimobiledevice>idevicerestore.exe -e custom.i psw NOTE: using cached version data Found device in DFU mode Identified device as n94ap, iPhone4,1 Extracting BuildManifest from IPSW Product Version: 6.1.3 Product Build: 10B329 Major: 10 Device supports Image4: false Variant: Customer Erase Install (IPSW) This restore will erase your device data. Found ECID 4341407892269 Getting ApNonce in dfu mode... d0 3a ab 0e 7c 15 bb b1 97 58 01 24 63 d8 18 1f 3 4 f0 75 3c Trying to fetch new SHSH blob Getting SepNonce in dfu mode... WARNING: Unable to find BbSkeyId node Request URL set to https://gs.apple.com/TSS/controller?action=2 Sending TSS request attempt 1... response successfully received Received SHSH blobs Extracting filesystem from IPSW Extracting iBSS.n94ap.RELEASE.dfu... Personalizing IMG3 component iBSS... reconstructed size: 76110 Sending iBSS (76110 bytes)... Nonce: d0 3a ab 0e 7c 15 bb b1 97 58 01 24 63 d8 18 1f 34 f0 75 3c Extracting iBEC.n94ap.RELEASE.dfu... Not personalizing component iBEC... Sending iBEC (279576 bytes)... ERROR: Unable to connect to device in recovery mode ERROR: Unable to connect to recovery device ERROR: Unable to place device into recovery mode from DFU mode i have this error please help meeee :( — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#26 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AXnO7lMMJVLIhXZ15p5at37JZBeCtXlNks5rT542gaJpZM4LbD4g> .