Odysseus

08 Jun 2015

Disclaimer

This method currently works on only certain 32-bit devices. By certain I mean only for bundles that xerub can create with keys he has. Also, if your SHSH blobs and APTickets are invalid in any way, this restore will fail and you will be forced to upgrade to the latest signed firmware, which may not currently be jailbreakable. Neither xerub nor I am in any way responsible for any damage you do to your device or current firmware. There may also be problems with the baseband if you attempt to downgrade to a firmware with a different baseband than you are currently on. Make sure you check the baseband. I cannot stress this enough. If you only know how to click a “jailbreak” button and do not know much about the underlying components of iOS, please do not try this, as you will probably mess up your device. I only recommend that experienced developers use this tool.

What is this?

Odysseus is a program written by xerub that will downgrade your 32-bit A5+ devices. This method also works on A4, but why use this on A4 when you have limera1n? Anyway, this method uses a tool included within winocm’s ios-kexec-utils. That tool, kloader, is a CLI that you run on an iOS device to load a (decrypted) image; running kloader on the device currently requires a jailbreak. Odysseus is fairly simple for the experienced user. It is a tool that allows you to bootstrap a pwned iBSS and then initiate a restore using idevicerestore with a custom iPSW that will effectively downgrade/upgrade/restore to any firmware you have valid blobs and an APTicket for. Note: this does not change your baseband, so if you go too far up or down then the core OS will not understand the new software and YMMV.

Requirements

Other Options

If, for some reason, you would like to be able to go back to the firmware currently installed on your device, Odysseus has you covered there as well, with a method to grab on-device blobs from any 32-bit device! After you have completed Step 4 (Build the custom iPSW) in the main instructions, continue with these directions:

Extract iBEC

User$ mv `unzip -j custom.ipsw 'Firmware/dfu/iBEC*' | awk '/inflating/{print $2}'` pwnediBEC

Boot PWNed

User$ ./sshtool -k ../kloader -b pwnediBSS -p 22 deviceIP

Wait for the device to enter DFU Mode. Then upload the iBEC you extracted previously:

User$ ./irecovery -f pwnediBEC

Wait for the device to enter what looks like recovery mode (it should show a blank, lit screen).

Grab those Blobs!

Now, you have to execute a few commands with iRecovery:

User$ ./irecovery -s
iRecovery> /send ../payload
iRecovery> go blobs
iRecovery> /exit
User$ ./irecovery -g myblob.dump
User$ ./irecovery -s
iRecovery> reboot

Unpack/Validate Blobs

You must download the iPSW of the firmware you are currently on.

User$ ./ticket myblob.dump myblob.plist matching.ipsw -z
User$ ./validate myblob.plist matching.ipsw -z

If everything checks out as valid: Yay! It worked! You now have a fallback to a still-jailbreakable version of iOS in case you do not like your downgrade.

Instructions

1. Download the iPSW file you want to downgrade to here.

2. Validate the Blob(s)

User$ zcat myblob.shsh > myblob.plist
User$ plutil -convert xml1 myblob.plist
User$ ./validate myblob.plist downloaded.ipsw -z

3. Save your Baseband

User$ ./sshtool -s baseband.tar -p 22 deviceIP

4. Build the custom iPSW

User$ ./ipsw downloaded.ipsw custom.ipsw -memory baseband.tar

*You can also specify a size for the rootfs if the default size is not big enough, for example if you want to add large .tar files and there is not enough room for them. Add however much you need to the original size and round it off a bit. Use the -s parameter followed by the size in megabytes.

User$ ./xpwntool `unzip -j custom.ipsw 'Firmware/dfu/iBSS*' | awk '/inflating/{print $2}'` pwnediBSS

5. SSH into the device and execute kloader as follows:

User$ ./sshtool -k ../kloader -b pwnediBSS -p 22 deviceIP

6. Make sure the desired VALID SHSH blob is in shsh/ECID-iDeviceModel-Version.shsh. Then restore to the custom iPSW using idevicerestore.

User$ killall iTunesHelper
User$ ./idevicerestore -d -w custom.ipsw

8. Enjoy your downgraded device! If you followed all the instructions to a T, you will be alright; if not, you may be forced to restore to the currently signed, possibly non-jailbreakable firmware.
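The steps above stop with an unrecoverable device if the blob, the IPSW or the file name under shsh/ is wrong, so it is worth checking all three offline before running idevicerestore. The script below is an added example and is not part of Odysseus or any of xerub's or winocm's tools. It assumes only what the instructions already rely on: that a 32-bit .shsh file is a (gzip-compressed) plist carrying an integer ECID key, that an IPSW is a zip containing BuildManifest.plist plus Firmware/dfu/iBSS* and Firmware/dfu/iBEC* images, and that Odysseus expects the blob as shsh/ECID-iDeviceModel-Version.shsh. The function names, the placeholder build id and the sample device identity (ECID, iPhone4,1, n94ap, version 8.4) are constructed for the demo. The digest helper is the same check you should run on the Odysseus archive against the SHA1 and MD5 published below.

```python
"""Offline pre-flight checks for the Odysseus steps (added example, not project code)."""
import gzip
import hashlib
import plistlib
import tempfile
import zipfile
from pathlib import Path


def load_shsh(path):
    """Same as `zcat myblob.shsh > myblob.plist` + `plutil -convert xml1`, in one step."""
    raw = Path(path).read_bytes()
    if raw[:2] == b"\x1f\x8b":          # gzip magic number: compressed blob
        raw = gzip.decompress(raw)
    return plistlib.loads(raw)          # auto-detects XML or binary plist


def expected_blob_name(ecid, model, version):
    """Name Odysseus looks for under shsh/: ECID-iDeviceModel-Version.shsh."""
    return f"{ecid}-{model}-{version}.shsh"


def inspect_ipsw(path):
    """Return (ProductVersion, device classes, DFU image names) of an IPSW zip."""
    with zipfile.ZipFile(path) as z:
        manifest = plistlib.loads(z.read("BuildManifest.plist"))
        dfu = sorted(n.rsplit("/", 1)[-1] for n in z.namelist()
                     if n.startswith("Firmware/dfu/"))
    classes = sorted({b["Info"]["DeviceClass"] for b in manifest["BuildIdentities"]})
    return manifest["ProductVersion"], classes, dfu


def verify_digest(path, sha1=None, md5=None):
    """Compare a downloaded file (Odysseus archive, IPSW) with published hex digests."""
    h1, h5 = hashlib.sha1(), hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h1.update(chunk)
            h5.update(chunk)
    ok = True
    if sha1 is not None:
        ok = ok and h1.hexdigest() == sha1.lower()
    if md5 is not None:
        ok = ok and h5.hexdigest() == md5.lower()
    return ok


def preflight(ipsw_path, shsh_path, ecid, model):
    """List every reason to stop before `idevicerestore -d -w`; empty list = go ahead."""
    problems = []
    blob = load_shsh(shsh_path)
    if blob.get("ECID") != ecid:        # assumption: blob plist carries an integer ECID
        problems.append(f"blob ECID {blob.get('ECID')} does not match device ECID {ecid}")
    version, _classes, dfu = inspect_ipsw(ipsw_path)
    for image in ("iBSS", "iBEC"):      # the images xpwntool / irecovery need
        if not any(name.startswith(image) for name in dfu):
            problems.append(f"IPSW carries no Firmware/dfu/{image}* image")
    wanted = expected_blob_name(ecid, model, version)
    if Path(shsh_path).name != wanted:
        problems.append(f"blob must be saved as shsh/{wanted}, found {Path(shsh_path).name}")
    return problems


def build_sample(workdir, ecid, model, version, device_class):
    """Constructed fake IPSW and blob (placeholder contents) so the checks run offline."""
    workdir = Path(workdir)
    manifest = {
        "ProductVersion": version,
        "ProductBuildVersion": "00A000",            # placeholder build id, not a real one
        "SupportedProductTypes": [model],
        "BuildIdentities": [{"Info": {"DeviceClass": device_class}}],
    }
    ipsw = workdir / "downloaded.ipsw"
    with zipfile.ZipFile(ipsw, "w") as z:
        z.writestr("BuildManifest.plist", plistlib.dumps(manifest))
        for image in ("iBSS", "iBEC"):
            z.writestr(f"Firmware/dfu/{image}.{device_class}.RELEASE.dfu", b"\0" * 16)
    (workdir / "shsh").mkdir(exist_ok=True)
    shsh = workdir / "shsh" / expected_blob_name(ecid, model, version)
    shsh.write_bytes(gzip.compress(plistlib.dumps({"ECID": ecid})))
    return ipsw, shsh


def run_demo():
    """Run the checks on the constructed sample; returns (good, bad, digest_ok)."""
    ecid, model = 1234567890123, "iPhone4,1"       # constructed device identity
    with tempfile.TemporaryDirectory() as tmp:
        ipsw, shsh = build_sample(tmp, ecid, model, "8.4", "n94ap")
        good = preflight(ipsw, shsh, ecid, model)          # matching blob -> []
        bad = preflight(ipsw, shsh, ecid + 1, model)       # wrong ECID -> two problems
        empty = Path(tmp) / "empty.bin"                    # digest check on known input
        empty.write_bytes(b"")
        digest_ok = verify_digest(empty,
                                  sha1="da39a3ee5e6b4b0d3255bfef95601890afd80709",
                                  md5="d41d8cd98f00b204e9800998ecf8427e")
    return good, bad, digest_ok


if __name__ == "__main__":
    for line in run_demo()[1]:
        print("STOP:", line)
```

On a real device, replace the constructed values with your ECID (from ideviceinfo or the blob itself), your product type, the downloaded.ipsw from step 1 and the blob from step 2; an empty list from preflight means the file naming and image layout are consistent, while validate (which checks the signatures themselves) still has the final say.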

Download Odysseus v0.999

SHA1 = 23717f90a6b5bf847b996648be4c06046bc590b

MD5 = ba38fcd9b9eabccd213f2c2d38a813f4

Credits

-dayt0n