SUMMARY: TSS | 21C52 | 21D5025f | 21C39 | X86_64 | T8101 | SRD0009 | SRD0037 | iPhone 11 | iPhone 12 || Workaround Posted | Work in Progress #6

Closed
xsscx opened this issue Jan 7, 2022 · 3 comments

xsscx commented Jan 7, 2022

21C52 | 21D5025f | 21C39 | X86_64 | T8101 | TSS | SRD0009 | SRD0037 | iPhone 11 | iPhone 12

Main Tracker for https://github.com/apple/security-research-device/issues/9

@xsscx xsscx pinned this issue Jan 7, 2022

xsscx commented Jan 7, 2022

CoB on 7 JAN 2022

IPSW Population for iPhone 11

The Inventory for IPSW needs to be fully populated with Images for the iPhone 11, aka 12,1.

IPSW iPhone13,2,iPhone13,3_15.2_19C56_Restore.ipsw for iPhone 12, aka 13,3, SRD0037

For the iPhone 12, aka 13,1, the SRD2021 Model, SRD0037, TSS is not Signing any Downgrades from Beta to Retail as of 7 JAN 2022 at 1250 EST via T8101 or X86_64.

[15:25:52.1598] amai: AMAuthInstallRequestSendSync: failed tss request:>>>>>>>>>>
[15:25:52.1599] amai: _AMAuthInstallApCreatePersonalizedResponseInternal: server request error: Declined to authorize this image on this device for this user.

iPhone 11, aka 12,1, SRD0009

TSS is Signing some IPSW for iPhone 11, aka 12,1 via Finder on X86_64 and T8101.

TSS Signed all 15.x, and Signed 14.7.1 + 14.4 IPSW when using Finder from X86_64.
TSS Signed all 15.x, and Signed 14.7.1 IPSW when using Finder from T8101.

T8010 testing in process.

IPSW 14.4 for iPhone 11, aka 12,1 via Finder on X86_64

TSS Signed a Downgrade Request for 14.4.

2022-01-07 13:09:03.000 AMPDevicesAgent[8304:103]: restore library built Nov 30 2021 at 21:49:04
2022-01-07 13:09:03.000 AMPDevicesAgent[8304:103]: AMPDevicesAgent: 1.2.1.40
2022-01-07 13:09:03.000 AMPDevicesAgent[8304:103]: AMPDevicesAgent: Current software version: 18G82
2022-01-07 13:09:03.000 AMPDevicesAgent[8304:103]: AMPDevicesAgent: Apple Mobile Device version: 1368.60.4
2022-01-07 13:09:03.000 AMPDevicesAgent[8304:103]: AMPDevicesAgent: Software payload version: 18D52 (option key)
2022-01-07 13:09:03.000 AMPDevicesAgent[8304:103]: AMPDevicesAgent: Using MobileRestore state machine

Success for TSS 14.4 IPSW on iPhone 11, aka 12,1 via Finder on X86_64

Successfully restored 

IPSW 14.7.1 for iPhone 11, aka 12,1 via Finder on X86_64

2022-01-07 12:29:01.000 AMPDevicesAgent[8304:103]: restore library built Nov 30 2021 at 21:49:04
2022-01-07 12:29:01.000 AMPDevicesAgent[8304:103]: AMPDevicesAgent: 1.2.1.40
2022-01-07 12:29:01.000 AMPDevicesAgent[8304:103]: AMPDevicesAgent: Current software version: 18G82
2022-01-07 12:29:01.000 AMPDevicesAgent[8304:103]: AMPDevicesAgent: Apple Mobile Device version: 1368.60.4
2022-01-07 12:29:01.000 AMPDevicesAgent[8304:103]: AMPDevicesAgent: Software payload version: 18D52 (option key)
2022-01-07 12:29:01.000 AMPDevicesAgent[8304:103]: AMPDevicesAgent: Using MobileRestore state machine

Success for TSS 14.7.1 IPSW on iPhone 11, aka 12,1 via Finder on X86_64

Successfully restored 

IPSW 14.3 for iPhone 11, aka 12,1 via Finder on X86_64

There was an error performing a Restore for 14.3 from X86_64 when using Finder on X86_64, error below:

[14:02:44.1563] ramrod_display_set_granular_progress_forced: 28.000000
[14:02:44.1563] ASR RESTORE PROGRESS: 92%
[14:02:44.1563] ramrod_display_set_granular_progress_forced: 28.000000
[14:02:44.1563] ASR RESTORE PROGRESS: 94%
[14:02:44.1563] ramrod_display_set_granular_progress_forced: 29.000000
[14:02:44.1563] ASR RESTORE PROGRESS: 96%
[14:02:44.1563] ramrod_display_set_granular_progress_forced: 29.000000
[14:02:44.1563] ASR RESTORE PROGRESS: 98%
[14:02:44.1563] ramrod_display_set_granular_progress_forced: 30.000000
[14:02:44.1563] ASR RESTORE PROGRESS: 100%
[14:02:44.1563] ramrod_display_set_granular_progress_forced: 30.000000
[14:02:44.1563] ASR: Copied 7706308608 bytes in 130.88 seconds, 57498.94 KiB/s
[14:02:44.1563] ASR STATUS: verify
[14:02:44.1563] ASR: asr: Image failed signature verification
[14:02:44.1563] ASR: asr: Failed to read the stream: Authentication error
[14:02:44.1563] ASR: Could not restore - Authentication error
[14:02:44.1563] ASR STATUS: fail
[14:02:44.1563] restore_apfs_image : failed to restore an APFS image, error = 14
[14:02:44.1563] [19:02:42.0915-GMT]{4>7} CHECKPOINT FAILURE:(FAILURE:14) (null):[0x065B] asr_and_invert_image [0]D(failed to restore APFS image)
[14:02:44.1563] restore-step-results = {0x1107065B:{0:14}}
[14:02:44.1563] restore-step-codes = {0x1107065B:{0:14}}
[14:02:44.1563] restore-step-domains = {0x1107065B:{0:"AMRestoreErrorDomain"}}
[14:02:44.1563] restore-step-error = {0x1107065B:"[0]D(failed to restore APFS image)"}
[14:02:44.1563] restore-step-uptime = 167
[14:02:44.1563] restore-step-user-progress = 30
[14:02:44.1563] [19:02:42.0915-GMT]{4>7} CHECKPOINT NOTICE: (NVRAM set) restore-step-user-progress=30 [sync=true] (first failure)
[14:02:44.1563] [19:02:42.0915-GMT]{4>7} CHECKPOINT FAILURE:(FAILURE:14) RESTORED:[0x0677] perform_main_os_prepare [0]D(failed to restore APFS image)
[14:02:44.1563] restore-step-results = {0x11070677:{0:14};0x1107065B:{0:14}}
[14:02:44.1563] restore-step-codes = {0x11070677:{0:14};0x1107065B:{0:14}}
[14:02:44.1563] restore-step-domains = {0x11070677:{0:"AMRestoreErrorDomain"};0x1107065B:{0:"AMRestoreErrorDomain"}}
[14:02:44.1563] restore-step-error = {0x11070677:"[0]D(failed to restore APFS image)"}
[14:02:44.1563] restore-step-uptime = 167
[14:02:44.1563] restore-step-user-progress = 30
[14:02:44.1563] [19:02:42.0915-GMT]{4>7} CHECKPOINT BEGIN: RESTORED:[0x067C] cleanup_boot_command
[14:02:44.1563] restore-step-ids = {0x11030677:45;0x1103065B:53;0x1103067C:54}
[14:02:44.1563] restore-step-names = {0x11030677:perform_main_os_prepare;0x1103065B:asr_and_invert_image;0x1103067C:cleanup_boot_command}
[14:02:44.1563] restore-step-uptime = 167
[14:02:44.1563] restore-step-user-progress = 30
[14:02:44.1563] entering reset_boot_command_if_value
[14:02:44.1563] executing /usr/sbin/nvram -d recovery-boot-mode
[14:02:44.1563] Successfully deleted recovery-boot-moderecovery-boot-mode
[14:02:44.1563] executing /usr/sbin/nvram -d iboot-failure-reason
[14:02:44.1563] Successfully deleted iboot-failure-reasoniboot-failure-reason
[14:02:44.1563] [19:02:42.0932-GMT]{4>7} CHECKPOINT END: RESTORED:[0x067C] cleanup_boot_command
[14:02:44.1563] restore-step-ids = {0x11030677:45;0x1103065B:53}
[14:02:44.1563] restore-step-names = {0x11030677:perform_main_os_prepare;0x1103065B:asr_and_invert_image}
[14:02:44.1563] restore-step-uptime = 167
[14:02:44.1563] restore-step-user-progress = 30
[14:02:44.1563] [19:02:42.0932-GMT]{4>7} CHECKPOINT BEGIN: RESTORED:[0x1613] cleanup_recovery_os_volume
[14:02:44.1563] restore-step-ids = {0x11030677:45;0x1103065B:53;0x11031613:55}
[14:02:44.1563] restore-step-names = {0x11030677:perform_main_os_prepare;0x1103065B:asr_and_invert_image;0x11031613:cleanup_recovery_os_volume}
[14:02:44.1563] restore-step-uptime = 167
[14:02:44.1563] restore-step-user-progress = 30
[14:02:44.1563] [19:02:42.0932-GMT]{4>7} CHECKPOINT END: RESTORED:[0x1613] cleanup_recovery_os_volume
[14:02:44.1563] restore-step-ids = {0x11030677:45;0x1103065B:53}
[14:02:44.1563] restore-step-names = {0x11030677:perform_main_os_prepare;0x1103065B:asr_and_invert_image}
[14:02:44.1563] restore-step-uptime = 167
[14:02:44.1563] restore-step-user-progress = 30
[14:02:44.1563] [19:02:42.0932-GMT]{4>7} CHECKPOINT BEGIN: RESTORED:[0x0647] cleanup_check_result
[14:02:44.1563] restore-step-ids = {0x11030677:45;0x1103065B:53;0x11030647:56}
[14:02:44.1563] restore-step-names = {0x11030677:perform_main_os_prepare;0x1103065B:asr_and_invert_image;0x11030647:cleanup_check_result}
[14:02:44.1563] restore-step-uptime = 167
[14:02:44.1563] restore-step-user-progress = 30
[14:02:44.1563] [19:02:42.0932-GMT]{4>7} CHECKPOINT END: RESTORED:[0x0647] cleanup_check_result
[14:02:44.1563] restore-step-ids = {0x11030677:45;0x1103065B:53}
[14:02:44.1563] restore-step-names = {0x11030677:perform_main_os_prepare;0x1103065B:asr_and_invert_image}
[14:02:44.1563] restore-step-uptime = 167
[14:02:44.1563] restore-step-user-progress = 30
[14:02:44.1563] [19:02:42.0932-GMT]{4>7} CHECKPOINT BEGIN: RESTORED:[0x0648] cleanup_send_final_status
[14:02:44.1563] restore-step-ids = {0x11030677:45;0x1103065B:53;0x11030648:57}
[14:02:44.1563] restore-step-names = {0x11030677:perform_main_os_prepare;0x1103065B:asr_and_invert_image;0x11030648:cleanup_send_final_status}
[14:02:44.1563] restore-step-uptime = 167
[14:02:44.1563] restore-step-user-progress = 30
[14:02:44.1563] :57}
[14:02:44.1563] restore-step-names = {0x11030677:perform_main_os_prepare;0x1103065B:asr_and_invert_image;0x11030648:cleanup_send_final_status}
[14:02:44.1563] restore-step-uptime = 167
[14:02:44.1563] restore-step-user-progress = 30
[14:02:44.1563] 
[14:02:44.1563] ==== end of device restore output ====
[14:02:44.1572] AMRAuthInstallDeletePersonalizedBundle
[14:02:44.1672] <Restore Device 0x7f7d06825790>: Restore failed (result = 14)
[14:02:44.1673] Can't send dump_console command since device is not in recovery mode
[14:02:44.1673] AMRestorePerformRestoreModeRestoreWithError failed with error: 14
[14:02:44.1674] Finished RestoreOS Restore Phase: Failed
[14:02:44.1674] State Machine Dump, status:ERROR - [state:BootedOS remaining-cycles:0] -> [state:Recovery remaining-cycles:0] -> [state:RestoreOS remaining-cycles:0 (current state)]
[14:02:44.1686] Changing state from 'Restoring' to 'Error'
[14:02:44.1686] State is now set to error: AMRestorePerformRestoreModeRestoreWithError failed with error: 14
[14:02:44.1690] Restore completed, status:14
[14:02:44.1690] Restore Checkpoint Fingerprint: 065B.000E
[14:02:44.1690] Failure Description:
[14:02:44.1690] Depth:0 Code:-1 Error:AMRestorePerformRestoreModeRestoreWithError failed with error: 14
[14:02:44.1690] Depth:1 Code:14 Error:Failed to handle message type StatusMsg (ASR error)
[14:02:44.1690] Depth:2 Code:14 Error:failed to restore APFS image

srdutil

Successfully downgraded thru 15.x Mainline [Retail + Beta] via srdutil when using X86_64 with macOS 12.1 (21C52) and have successfully downgraded with srdutil on X86_64 and macOS 12.1 (21C52) to iOS 14.7.1 on SRD0009, the iPhone 11, aka 12,1. Working thru debugging the 14.5, 14.4, and 14.3 IPSW Restores via srdutil.

iOS 14.3 Restore via srdutil on X86_64

2022-01-07 16:39:13.872582-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - DeviceRequest failed: 0xe000404f (IOKit return code)
2022-01-07 16:39:13.872660-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - DeviceRequest was index: 0, direction: 0, requestType: 2, recipient: 0, request: 0, value: 0, length: 16, noDataTO: 60000, completionTO: 60000
2022-01-07 16:39:13.872730-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - Data was : getenv ota-uuid
2022-01-07 16:39:13.872790-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - command device request for 'getenv ota-uuid' failed: 2008
2022-01-07 16:39:13.872838-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - Failed to copy env variable, error:21
2022-01-07 16:39:13.872928-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - DeviceRequest failed: 0xe00002cd (IOKit return code)
2022-01-07 16:39:13.873071-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - DeviceRequest was index: 1, direction: 0, requestType: 0, recipient: 1, request: 11, value: 0, length: 0, noDataTO: 5000, completionTO: 0
2022-01-07 16:39:13.873134-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - unhandled error 0xe00002cd returned as 2009
2022-01-07 16:39:13.873179-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - error setting interface's alternate setting: 2009 (expected, not fatal).
2022-01-07 16:39:13.880007-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - unable to open device_map.txt: No such file or directory
2022-01-07 16:39:13.880165-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - _AMRestoreCopyDeviceMapPlistEntryForHardware: firmwareDirectory not in options
2022-01-07 16:39:13.882860-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - unable to open device_map.txt: No such file or directory
2022-01-07 16:39:13.882994-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - _AMRestoreCopyDeviceMapPlistEntryForHardware: firmwareDirectory not in options
2022-01-07 16:39:13.885045-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - DeviceRequest failed: 0xe000404f (IOKit return code)
2022-01-07 16:39:13.885120-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - DeviceRequest was index: 0, direction: 0, requestType: 2, recipient: 0, request: 0, value: 0, length: 19, noDataTO: 60000, completionTO: 60000
2022-01-07 16:39:13.885184-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - Data was : getenv radio-error
2022-01-07 16:39:13.885233-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - command device request for 'getenv radio-error' failed: 2008
2022-01-07 16:39:13.885473-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - unable to open device_map.txt: No such file or directory
2022-01-07 16:39:13.885688-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - <Recovery Mode Device 0x600002bf9e10>: production fused device
2022-01-07 16:39:13.885774-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - unable to open device_map.txt: No such file or directory
2022-01-07 16:39:13.885936-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - _AMRestoreCopyDeviceMapPlistEntryForHardware: firmwareDirectory not in options
2022-01-07 16:39:13.890035-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - unable to open device_map.txt: No such file or directory
2022-01-07 16:39:13.890268-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - _AMRestoreCopyDeviceMapPlistEntryForHardware: firmwareDirectory not in options
2022-01-07 16:39:13.896853-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - DeviceRequest failed: 0xe000404f (IOKit return code)
2022-01-07 16:39:13.896946-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - DeviceRequest was index: 0, direction: 0, requestType: 2, recipient: 0, request: 0, value: 0, length: 18, noDataTO: 60000, completionTO: 60000
2022-01-07 16:39:13.896989-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - Data was : getenv boot-stage
2022-01-07 16:39:13.897037-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - command device request for 'getenv boot-stage' failed: 2008
2022-01-07 16:39:15.003162-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - No additional boot images found
2022-01-07 16:39:15.003295-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - unable to open device_map.txt: No such file or directory
2022-01-07 16:39:15.003517-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - _AMRestoreCopyDeviceMapPlistEntryForHardware: firmwareDirectory not in options
2022-01-07 16:39:15.008551-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - unable to open device_map.txt: No such file or directory
2022-01-07 16:39:15.008707-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - _AMRestoreCopyDeviceMapPlistEntryForHardware: firmwareDirectory not in options
2022-01-07 16:39:18.554496-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - unable to open device_map.txt: No such file or directory
2022-01-07 16:39:18.554664-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - _AMRestoreCopyDeviceMapPlistEntryForHardware: firmwareDirectory not in options
2022-01-07 16:39:18.556712-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - DeviceRequest failed: 0xe000404f (IOKit return code)
2022-01-07 16:39:18.556801-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - DeviceRequest was index: 0, direction: 0, requestType: 2, recipient: 0, request: 0, value: 0, length: 21, noDataTO: 60000, completionTO: 60000
2022-01-07 16:39:18.556895-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - Data was : getenv ramdisk-delay
2022-01-07 16:39:18.556976-0500 0x73b21    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6007 - command device request for 'getenv ramdisk-delay' failed: 2008
2022-01-07 16:39:23.925835-0500 0x73b1b    Default     0x0                  10073  0    srdutil: (MobileDevice) Entered:_AMRecoveryDeviceDisconnected, libusbrestore-device:0x2BF9E10
2022-01-07 16:39:23.926036-0500 0x73bc1    Default     0x0                  10073  0    srdutil: (MobileDevice) Entered:__thr_AMRecoveryDeviceDisconnected, libusbrestore-device:0x2BF9E10
2022-01-07 16:39:23.926168-0500 0x73bc1    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:8d03 - Recovery mode device disconnected
2022-01-07 16:39:33.633051-0500 0x73b1b    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxHandleDictionary:1437 Adding event 0x6000010b3780 to changelist.
2022-01-07 16:39:33.633175-0500 0x73b1b    Default     0x0                  10073  0    srdutil: (MobileDevice) Entered:_AMMuxedVersion2DeviceConnected, mux-device:39
2022-01-07 16:39:33.636700-0500 0x73c44    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:39:33.637870-0500 0x73c44    Default     0x0                  10073  0    srdutil: (MobileDevice) AMDeviceConnect (thread 0x7000045ba000): Device @0x14500000 is not a device this instance is tracking (is actually com.apple.mobile.restored). Move along, move along.
2022-01-07 16:39:33.638195-0500 0x73c44    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:39:33.639196-0500 0x73c44    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:39:33.640364-0500 0x73c44    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:39:33.641419-0500 0x73c44    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:39:33.643030-0500 0x73c44    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:8d07 - RestoreOS mode device connected
2022-01-07 16:39:35.647349-0500 0x73c44    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:39:35.650072-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:39:35.657040-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - amai: AMAuthInstallBundleCopyBuildIdentityForVariant: AMAuthInstallBundleCopyBuildIdentityForVariant: Found variant: Research Customer Erase Install (IPSW)
2022-01-07 16:39:35.657906-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - no override trust object found
2022-01-07 16:39:35.658180-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - no override trust object found
2022-01-07 16:39:35.673078-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - overwrite InstallDiags to false
2022-01-07 16:39:35.673436-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:39:35.676181-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - previous restore failed with exit status 0x100
2022-01-07 16:39:35.678240-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:39:35.681482-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - unable to open device_map.txt: No such file or directory
2022-01-07 16:39:35.681910-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:39:35.683849-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - no value returned for BootArgs
2022-01-07 16:39:35.683952-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - _copyDeviceProperty() failed for restore bootargs
2022-01-07 16:39:35.684065-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:39:35.686105-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - no value returned for MarketingPartNumber
2022-01-07 16:39:35.686228-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - _copyDeviceProperty() failed for mpn
2022-01-07 16:39:35.689302-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:39:35.692367-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - Can't return padding information since it's not in the Restore.plist, looking in BuildManifest.plist
2022-01-07 16:39:35.700282-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - Established proxy for device ID 39
2022-01-07 16:39:35.700427-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 14852 (04, 3a)
2022-01-07 16:39:44.806191-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - no override trust object found
2022-01-07 16:39:44.806280-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - no override trust object found
2022-01-07 16:39:47.041488-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 14640 (30, 39)
2022-01-07 16:39:47.042354-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:659 response indicated error: 61 -
2022-01-07 16:39:47.042402-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:671 failed: 61
2022-01-07 16:39:57.042874-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 14640 (30, 39)
2022-01-07 16:42:10.016793-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - dumping CFError returned by restored:
2022-01-07 16:42:10.016878-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - CFError domain:AMRestoreErrorDomain code:14 description:failed to restore APFS image
2022-01-07 16:42:10.851483-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - 
==== device restore output ====
[21:39:26.0073-GMT]{4>8} CHECKPOINT NOTICE: Image4 device: AP nonce clearable
entering ramrod_clear_ap_nonce
[21:39:26.0085-GMT]{4>8} CHECKPOINT NOTICE: AP nonce consumed
[21:39:26.0085-GMT]{4>8} CHECKPOINT NOTICE: Pre-existing NVRAM variable: auto-boot=false
[21:39:26.0085-GMT]{4>8} CHECKPOINT NOTICE: Pre-existing NVRAM variable: restore-outcome=initial_monitor_no_return
[21:39:26.0085-GMT]{4>8} CHECKPOINT PROGRESS: START (unknown) -> (initial_engine_no_return)
[21:39:26.0085-GMT]{4>8} CHECKPOINT NOTICE: NVRAM access available on initial check
restore-outcome = initial_engine_no_return
executing /usr/sbin/nvram restore-outcome=initial_engine_no_return
[21:39:26.0097-GMT]{4>8} CHECKPOINT BEGIN: MAIN:[0x0400] umask
restore-step-ids = {0x11030400:1}
restore-step-names = {0x11030400:umask}
restore-step-uptime = 1
restore-step-user-progress = -1
[21:39:26.0097-GMT]{4>8} CHECKPOINT END: MAIN:[0x0400] umask
restore-step-ids = {}
restore-step-names = {}
restor<…>
2022-01-07 16:42:10.859698-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - <Restore Device 0x6000025e8540>: Restore failed (result = 14)
2022-01-07 16:42:10.859778-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - Can't send dump_console command since device is not in recovery mode
2022-01-07 16:42:10.859829-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - AMRestorePerformRestoreModeRestoreWithError failed with error: 14
2022-01-07 16:42:10.859899-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - State Machine Dump, status:ERROR - [state:Recovery remaining-cycles:0] -> [state:RestoreOS remaining-cycles:0 (current state)]
2022-01-07 16:42:10.860003-0500 0x73d1c    Default     0x0                  10073  0    srdutil: (MobileDevice) tid:6407 - State is now set to error: AMRestorePerformRestoreModeRestoreWithError failed with error: 14
2022-01-07 16:42:10.860838-0500 0x742cc    Error       0x0                  10073  0    srdutil: [com.apple.srdtools.srdutil:restore] Failed to restore
2022-01-07 16:42:10.860873-0500 0x742cc    Default     0x0                  10073  0    srdutil: (CoreAnalytics) [com.apple.CoreAnalytics:client] Entering exit handler.
2022-01-07 16:42:10.860907-0500 0x742cc    Default     0x0                  10073  0    srdutil: (CoreAnalytics) [com.apple.CoreAnalytics:client] Exiting exit handler.

iOS 14.4 Restore via srdutil on X86_64

Result: Failed to Restore, Error below:

2022-01-07 16:34:01.024197-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - RestoreOS mode device connected
2022-01-07 16:34:03.025102-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:34:03.027788-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:34:03.034554-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - amai: AMAuthInstallBundleCopyBuildIdentityForVariant: AMAuthInstallBundleCopyBuildIdentityForVariant: Found variant: Research Customer Erase Install (IPSW)
2022-01-07 16:34:03.035153-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - no override trust object found
2022-01-07 16:34:03.035306-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - amai: _AMAuthInstallBasebandCheckForParameterChange: bbParameters is now non-NULL
2022-01-07 16:34:03.035489-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - no override trust object found
2022-01-07 16:34:03.040895-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - amai: AMAuthInstallBasebandCreateMeasurements: Using set ChipID 0x00000068 to measure
2022-01-07 16:34:03.604164-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - overwrite InstallDiags to false
2022-01-07 16:34:03.604525-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:34:03.608218-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:34:03.610277-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - unable to open device_map.txt: No such file or directory
2022-01-07 16:34:03.610458-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:34:03.611964-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - no value returned for BootArgs
2022-01-07 16:34:03.612024-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - _copyDeviceProperty() failed for restore bootargs
2022-01-07 16:34:03.612112-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:34:03.613720-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - no value returned for MarketingPartNumber
2022-01-07 16:34:03.613780-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - _copyDeviceProperty() failed for mpn
2022-01-07 16:34:03.615280-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 32498 (f2, 7e)
2022-01-07 16:34:03.616795-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - Can't return padding information since it's not in the Restore.plist, looking in BuildManifest.plist
2022-01-07 16:34:03.621801-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - Established proxy for device ID 38
2022-01-07 16:34:03.621860-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 14852 (04, 3a)
2022-01-07 16:34:13.488644-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - no override trust object found
2022-01-07 16:34:13.488759-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - no override trust object found
2022-01-07 16:34:15.497127-0500 0x730f9    Default     0x0                  10054  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 14528 (c0, 38)
2022-01-07 16:34:15.499338-0500 0x730c8    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:7f17 - [PurpleReverseProxy]: Jan 07 16:34:15 srdutil[10054] <Error>: RPSocket.cpp:218(signal): No client callback, missing event 8 for socket 0x7fb07cf04cf0
2022-01-07 16:34:17.908639-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 14640 (30, 39)
2022-01-07 16:34:17.909471-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:659 response indicated error: 61 -
2022-01-07 16:34:17.909520-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:671 failed: 61
2022-01-07 16:34:27.913356-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:584 Connecting to port 14640 (30, 39)
2022-01-07 16:36:35.453011-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - dumping CFError returned by restored:
2022-01-07 16:36:35.453096-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - CFError domain:AMRestoreErrorDomain code:14 description:failed to restore APFS image
2022-01-07 16:36:45.367026-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - 
==== device restore output ====
2022-01-07 16:36:45.376572-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - <Restore Device 0x600000ad03c0>: Restore failed (result = 14)
2022-01-07 16:36:45.376642-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - Can't send dump_console command since device is not in recovery mode
2022-01-07 16:36:45.376729-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) AMRestorePerformRestoreModeRestoreWithError failed with error: 14
2022-01-07 16:36:45.376840-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - State Machine Dump, status:ERROR - [state:BootedOS remaining-cycles:0] -> [state:Recovery remaining-cycles:0] -> [state:RestoreOS remaining-cycles:0 (current state)]
2022-01-07 16:36:45.379121-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - State is now set to error: AMRestorePerformRestoreModeRestoreWithError failed with error: 14
2022-01-07 16:36:45.380585-0500 0x7359a    Error       0x0                  10054  0    srdutil: [com.apple.srdtools.srdutil:restore] Failed to restore
2022-01-07 16:36:45.380619-0500 0x7359a    Default     0x0                  10054  0    srdutil: (CoreAnalytics) [com.apple.CoreAnalytics:client] Entering exit handler.
2022-01-07 16:36:45.380656-0500 0x7359a    Default     0x0                  10054  0    srdutil: (CoreAnalytics) [com.apple.CoreAnalytics:client] Exiting exit handler.

Summary

Verified that an IPSW Downgrade can be performed from iOS 15.3 Beta to 15.2 Retail from X86_64 for iPhone 11, aka 12,1, the 2020 SRD, SRD0009 when using Finder. srdutil testing showed a smaller IPSW Restoration window. Will continue testing next business day. Downgrades further along the 14 Retail IPSW Chain were Verified down to iOS 14.4 when using Finder on X86_64 and macOS 12.1 (21C52) with srdutil showing errors as indicated.

Restoration of iOS 14.3 on the iPhone 11, aka 12,1, the SRD 2020 Model, Results in the SRD0009 Device becoming Hung when using X86_64 and macOS 12.1 (21C52).

It was also found that for Downgrading the iPhone 11, aka 12,1, via Finder the IPSW Version needs to be apparently 14.7.1, then a downgrade can be further completed to 14.4. So far unable to install 14.4 straightaway to the iPhone 11, aka 12,1, the SRD 2020 Model on SRD0009. Further testing is being performed to Validate the T8101 Restore Process using Finder and srdutil.

For the iPhone 12, aka 13,1, the SRD2021 Model, SRD0037, TSS is not Signing any Downgrades from Beta to Retail as of 7 JAN 2022 at 1250 EST when using X86_64 and macOS 12.1 (21C52).

Will upload sysdiag.tgz next business day.
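
Added example (not part of the original comment, and not Apple's or the project's tooling): a small Python triage pass over srdutil unified-log lines of the shape shown in the log in this comment, pulling out the CFError, the usbmux connect failures, and the state the restore state machine stopped in. The function name `triage`, the report keys, and the ASR bytes in the sample are assumptions made for illustration; the other sample lines are taken from the log.

```python
import re

# Constructed sample: four lines from the srdutil log, plus a continuation
# header and a placeholder ASR dump line that carry no log prefix.
SAMPLE_LOG = """\
2022-01-07 16:34:17.909520-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) [com.apple.usbmux:library] USBMuxConnectByPort:671 failed: 61
2022-01-07 16:36:35.453096-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - CFError domain:AMRestoreErrorDomain code:14 description:failed to restore APFS image
==== device restore output ====
ASR: 00000000: 0000 0000 0000 0000 0000 0000 0000 0000   | ................ |
2022-01-07 16:36:45.376840-0500 0x73083    Default     0x0                  10054  0    srdutil: (MobileDevice) tid:5b13 - State Machine Dump, status:ERROR - [state:BootedOS remaining-cycles:0] -> [state:Recovery remaining-cycles:0] -> [state:RestoreOS remaining-cycles:0 (current state)]
2022-01-07 16:36:45.380585-0500 0x7359a    Error       0x0                  10054  0    srdutil: [com.apple.srdtools.srdutil:restore] Failed to restore
"""

# Column layout seen in the log: timestamp, thread, type, activity, pid, ttl, process.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+[-+]\d{4})\s+0x[0-9a-f]+\s+"
    r"(?P<level>\w+)\s+0x[0-9a-f]+\s+\d+\s+\d+\s+\w+: (?P<msg>.*)$")
CFERROR = re.compile(r"CFError domain:(\S+) code:(\d+) description:(.*)")
USBMUX = re.compile(r"USBMuxConnectByPort:\d+ failed: (\d+)")
STATE = re.compile(r"\[state:(\w+) remaining-cycles:\d+( \(current state\))?\]")


def triage(log_text):
    """Collect restore-failure indicators from srdutil log text."""
    report = {"cferrors": [], "usbmux_failures": [], "states": [],
              "failed_in": None, "error_level": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines (restore output header, ASR dump)
        ts, msg = m["ts"], m["msg"]
        if (e := CFERROR.search(msg)):
            report["cferrors"].append((ts, e[1], int(e[2]), e[3]))
        if (u := USBMUX.search(msg)):
            report["usbmux_failures"].append((ts, int(u[1])))
        if "State Machine Dump" in msg:
            for name, current in STATE.findall(msg):
                report["states"].append(name)
                if current:  # the state the restore was in when it errored
                    report["failed_in"] = name
        if m["level"] == "Error":
            report["error_level"].append(msg)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "=", value)
```

Run against a saved log, the `failed_in` and `cferrors` fields give the restore stage and error code to compare between the Finder and srdutil attempts.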

@xsscx xsscx changed the title 21C52 | 21D5025f | 21C39 | X86_64 | T8101 | TSS 21C52 | 21D5025f | 21C39 | X86_64 | T8101 | TSS | SRD0009 | SRD0037 | iPhone 11 | iPhone 12 Jan 10, 2022
@xsscx xsscx unpinned this issue Jan 10, 2022
xsscx commented Jan 12, 2022

Workaround for iPhone 12 IPSW Downgrade from iOS 15.3 Beta 19D5026g to iOS 15.2 19C56

Workaround for Downgrade of IPSW for iPhone 12 using Finder and srdutil.

It has been found that when using srdutil and then Finder a successful Downgrade for the iPhone 12 can be performed as shown below:

[08:14:59.6816] Successfully applied power assertion
[08:14:59.6817] requested variant: Research Customer Erase Install (IPSW)
[08:14:59.6818] amai: AMAuthInstallBundleCopyBuildIdentityForVariant: searching for variant Research Customer Erase Install (IPSW) (0 recovery)
[08:14:59.6886] amai: AMAuthInstallBundleCopyBuildIdentityForVariant: No baseband chipid reported. Will match Build Identity based on ap chipid, boardid, and secdomain only.
[08:14:59.6886] amai: AMAuthInstallBundleCopyBuildIdentityForVariant: AMAuthInstallBundleCopyBuildIdentityForVariant: Found variant: Research Customer Erase Install (IPSW)
[08:14:59.6913] Automatically set FormatForAPFS => True and FormatForLwVM => False.
...
[08:14:59.7060] requested variant: Research Customer Erase Install (IPSW)
[08:14:59.7060] amai: AMAuthInstallBundleFDRSupported: FDR is supported for this device
[08:14:59.7061] personalizing: <AMAuthInstall 0x7fd44ff94d70>{ap=(personalize=YES d53gap ecid=0x1418da3cc0013a, chipid=0x8101, boardid=0xc, secDom=1, isProduction=YES, EPRO=YES, isSecure=YES, ESEC=YES, img4=YES, demotionPolicy=, managedBaaCert=NO, slowRollBaaCert=NO, nonce=0xa0ed6adc9e3bbf214ffc0c8a23f075bb085e49149ad1462e87e80f09b77119b1, sepNonce=0x30fb9e956bdc2b6cbb20ac11ad3442923b94457d), bp=(personalize=YES), UserAuth=NO, iTunes=NO, server="http://gs.apple.com:80", locale=en_US, version="libauthinstall-850.0.2", platform=mac/21C52/Macmini8,1}
[08:14:59.7079] amai: _AMAuthInstallBundleShouldPersonalizeOS: Personalize OS = Yes
[08:14:59.7095] amai: _AMAuthInstallBundleShouldPersonalizeOS: Personalize OS = Yes

Reproduction | Workaround

Via Terminal, execute:

defaults write com.apple.AMPDevicesAgent ipsw-variant -string 'Research Customer Erase Install (IPSW)'
killall Finder

Step 1. Start the Downgrade process using srdutil to Downgrade from iOS 15.3 Beta to iOS 15.2 Retail, allow the process to fail as shown below:

srdutil restore -vvv -s -D -e 0x1418da3cc0013a -i ~/Downloads/13-19C56.ipsw
[+] Patching PRKit with variant: "Research Developer Erase Install (IPSW)"
[+] Patching PRKit with IPSW: "/Users/xss/Downloads/13-19C56.ipsw"
[+] Dumping restore options
{
    AuthInstallVariant = "Research Developer Erase Install (IPSW)";
    AutoBootDelay = 0;
    CreateFilesystemPartitions = 1;
    FlashNOR = 1;
    NORImageType = production;
    RestoreBootArgs = "rd=md0 nand-enable-reformat=1 -progress";
    RestoreBundlePath = "file:///Users/xss/Downloads/13-19C56.ipsw";
    UpdateBaseband = 1;
}
[x] Waiting for device with ECID: 0x1418da3cc0013a to connect...
[x] Scanning for restorable devices...
[+] ECID: 0x1418da3cc0013a - connected
[+] ECID: 0x1418da3cc0013a - Sending device to recovery
[-] ECID: 0x1418da3cc0013a - disconnected
[+] ECID: 0x1418da3cc0013a - connected
[!] ECID: 0x1418da3cc0013a - target acquired - beginning restore
[ 100% ] Unrecognized operation (0)

[-!!-] Failed to restore!

Step 2. On your Screen, you should see the Finder pop up the Alert indicating your iPhone needs to be Restored, click Cancel declining to Restore.

Step 3. Using Finder, select the SRD iPhone, Press Option Key + Restore and select the IPSW for iPhone 12 Version 19C56, iOS 15.2 Retail, completing the typical Restore process.

Step 3. Upon Reboot, use Finder to Verify the IPSW Version as iOS 15.2 19C56

Step 4. Configure the SRD iPhone 12 and obtain IP Address for SSH

Step 5. Install and Verify a cryptex personalization

[example-cryptex] - Creating cryptex /Users/xss/security-research-device/example-cryptex/com.example.cryptex.cxbd - 1.3.3.7 from the disk image com.example.cryptex.dmg
[example-cryptex] - Installing /Users/xss/security-research-device/example-cryptex/com.example.cryptex.cxbd onto device: 00008101-001418DA3CC0013A
cryptexctl: cryptex not installed on device: com.example.cryptex
com.example.cryptex
  version = 1.3.3.7
  device = /dev/disk2s1
  mount point = /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.oFLnkx

Step 6. Confirm SSH access and uname -a confirming the IPSW Restore with cryptex installation is completed.

date
Wed Jan 12 08:31:22 EST 2022
uname -a
Darwin iPhone 21.2.0 Darwin Kernel Version 21.2.0: Sun Nov 28 20:43:38 PST 2021; root:xnu-8019.62.2~1/RELEASE_ARM64_T8101 iPhone13,2 Toybox

Summary

Use srdutil to set the SRD to Restore. Use Finder to complete the process.

nvram setting for Restore via cryptex needs further Testing & Validation.

@xsscx xsscx closed this as completed Jan 12, 2022
@xsscx xsscx changed the title 21C52 | 21D5025f | 21C39 | X86_64 | T8101 | TSS | SRD0009 | SRD0037 | iPhone 11 | iPhone 12 21C52 | 21D5025f | 21C39 | X86_64 | T8101 | TSS | SRD0009 | SRD0037 | iPhone 11 | iPhone 12 || Workaround Posted | Work in Progress Jan 12, 2022
@xsscx xsscx changed the title 21C52 | 21D5025f | 21C39 | X86_64 | T8101 | TSS | SRD0009 | SRD0037 | iPhone 11 | iPhone 12 || Workaround Posted | Work in Progress SUMMARY: 21C52 | 21D5025f | 21C39 | X86_64 | T8101 | TSS | SRD0009 | SRD0037 | iPhone 11 | iPhone 12 || Workaround Posted | Work in Progress Jan 17, 2022
@xsscx xsscx changed the title SUMMARY: 21C52 | 21D5025f | 21C39 | X86_64 | T8101 | TSS | SRD0009 | SRD0037 | iPhone 11 | iPhone 12 || Workaround Posted | Work in Progress SUMMARY: TSS | 21C52 | 21D5025f | 21C39 | X86_64 | T8101 | SRD0009 | SRD0037 | iPhone 11 | iPhone 12 || Workaround Posted | Work in Progress Feb 1, 2022