Odysseus

Jun 08, 2015

Should've saved your blobs...

Disclaimer

This method currently works on just certain 32bit devices. By certain I mean only for bundles that xerub can create with keys he has. Also, if your SHSH blobs and APTickets are invalid in any way, this restore will fail and you will be forced to upgrade to the latest signed firmware, which may not currently be jailbreakable. Xerub or myself are absolutely not responsible for any damage you do to your device or current firmware. There may also be problems with the baseband if you attempt to downgrade to a firmware with a different baseband than you are currently on. Make sure you check the baseband. I cannot stress this enough. If you only know how to click a “jailbreak” button and do not know much about the underlying components of iOS, please do not try this as you will probably mess up your device. I only recommend experienced developer use this tool.

What is this?

Odysseus is a program written by xerub that will downgrade your 32bit A5+ devices. This method also works on A4, but why use this on A4 when you have limera1n? Anyway, this method uses a tool incuded within winocm’s ios-kexec-utils. The tool, kloader, is a CLI that you can run on an iOS device that loads an (decrypted) image. It requires a jailbreak currently to run kloader on the device. Odyssseus is fairly simple for the experienced user. It is a tool that allows you to bootstrap a pwned iBSS and then initiate a restore using iDeviceRestore with a custom iPSW that will effectively downgrade/upgrade/restore to any firmware you have valid blobs and an APTicket for. Note: this does not change your baseband, so if you go too far up or down then the core OS will not understand the new software and YMMV.

Requirements

  • A jailbroken with the latest untether that has tfp0 enabled. tfp0 enabled untethers include evasi0n, TaiG, and the latest Pangu. For example, early versions of Pangu did not have tfp0 enabled.

  • OpenSSH installed on target device

  • Valid SHSH blobs with valid APTickets. Odysseus comes with a native SHSH blob validator called validate.

Other Options

If for some reason, you would like to go back to the firmware that is currently installed on your device, well, Odysseus has you covered there as well with a method to grab on-device blobs from any 32bit device! After you have completed Step 4: Building the Custom iPSW in the main instructions, continue with these directions:

Extract iBEC

User$ mv `unzip -j custom.ipsw 'Firmware/dfu/iBEC*' | awk '/inflating/{print $2}'` pwnediBEC

Boot PWNed

User$ ./sshtool -k ../kloader -b pwnediBSS -p 22 deviceIP

Wait for the device to enter DFU Mode. Then upload the iBEC you extracted previously:

User$ ./irecovery -f pwnediBEC

Wait for the device to enter what seems like recovery mode (should have a blank, lit screen)

Grab those Blobs!

Now, you have to execute a few commands with iRecovery:

User$ ./irecovery -s
iRecovery> /send ../payload
iRecovery> go blobs
iRecovery> /exit
User$ ./irecovery -g myblob.dump
User$ ./irecovery -s
iRecovery> reboot

Unpack/Validate Blobs

You must download an iPSW file of the firmware you are currently on now.

User$ ./ticket myblob.dump myblob.plist matching.ipsw -z
User$ ./validate myblob.plist matching.ipsw -z

If everything checks out and is valid, that means: Yay! It worked! Now you have a fallback to a still jailbreakable version of iOS in case you do not like your downgrade.

Instructions

1. Download the iPSW file you want to downgrade to here.

2. Validate the Blob(s)

  • Convert the .shsh file you have to the xml format and validate:
User$ zcat myblob.shsh > myblob.plist
User$ plutil -convert xml1 myblob.plist
User$ ./validate myblob.plist downloaded.ipsw -z
  • If you get a bunch of “ERROR”s then, the blob/ticket is not valid, and you should stop now and do not try to downgrade. “WARNING”s are fine.

3. Save your Baseband

  • Enter your SSH password. The default password is alpine:
User$ ./sshtool -s baseband.tar -p 22 deviceIP
  • If baseband.tar is 0 bytes, that is fine; it probably means your device does not have the baseband on the main filesystem. Any other error, however is bad.

4. Build the custom iPSW

  • This may take a while.. Use the -memory parameter only if your computer has greater than or equal to four gigabytes of RAM. Also make sure you have the correct bundle in FirmwareBundles/. If the bundle you want is not there, ask for it.
User$ ./ipsw downloaded.ipsw custom.ipsw -memory baseband.tar

*You can also specify a size for the rootfs if the default size is not big enough. A reason for this would be if you wanted to add large .tar files, and there wasn’t enough room for them. Add however much you need to the original size and round it off a bit. Just use the -s parameter and then the size in megabytes.

  • Extract the iBSS from the custom iPSW you just built.
User$ ./xpwntool `unzip -j custom.ipsw 'Firmware/dfu/iBSS*' | awk '/inflating/{print $2}'` pwnediBSS

5. SSH into the device and execute kloader as follows:

User$ ./sshtool -k ../kloader -b pwnediBSS -p 22 deviceIP
  • Wait for the device to enter DFU mode. If iTunes doesn’t recognize it within a 2 minutes, unplug and plug back in, but DO NOT press any buttons. Once iTunes recognizes it, kill iTunes. If iTunes doesn’t recognize it after roughly 5 minutes, do a hard reset by holding the home + power button until the Apple Logo appears.

6. Make sure the desired VALID SHSH blob is in shsh/ECID-iDeviceModel-Version.shsh. Then restore to the custom iPSW using idevicerestore.

  • Note: You may need to be root to access USB.
User$ killall iTunesHelper
User$ ./idevicerestore -d -w custom.ipsw

8. Enjoy your downgraded device! If you followed all the instructions to a T, you will be alright, if not, you may be forced to restore to the currently signed, possibly non-jailbreakable firmware.

Download Odysseus v0.999

SHA1 = 23717f90a6b5bf847b996648be4c06046bc590b

MD5 = ba38fcd9b9eabccd213f2c2d38a813f4

Credits

-dayt0n