I'm using live ubuntu 20.04 usb and attempting to downgrade iphone 5s
My logs:
******* iOS-OTA-Downgrader *******
Downgrader script by LukeZGD

[Input] Enter ProductType (eg. iPad2,1): iPhone6,1
[Log] Updating firmware...
Already up to date.
[Log] Updating ipwndfu...
Already up to date.

• Platform: linux
• HardwareModel: n51ap
• ProductType: iPhone6,1
• ProductVersion: Unknown
• UniqueChipID (ECID): 0x000006b4086b3fd0

*** Main Menu ***
[Input] Select an option:

1. Downgrade device 3) (Any other key to exit)
2. (Re-)Install Dependencies
   #? 1
   [Log] Option: Downgrade

[Log] Device in DFU mode detected.
[Log] Entering pwnDFU mode with ipwndfu...
*** checkm8 exploit by axi0mX ***
*** modified version by Linus Henze and synackuk ***
*** s5l8965x support by Matthew Pierson ***
Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:00 ECID:000006B4086B3FD0 IBFL:1C SRTG:[iBoot-1704.10] PWND:[checkm8]
Device is already in pwned DFU Mode. Not executing exploit.
[Log] Device in pwnDFU mode detected.
[Log] Running rmsigchks.py...
*** SecureROM Signature check remover by Linus Henze ***
Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:00 ECID:000006B4086B3FD0 IBFL:1C SRTG:[iBoot-1704.10] PWND:[checkm8]
Applying patches...
Successfully applied patches
Resetting device state
Device is now ready to accept unsigned images
[Log] Downgrading device iPhone6,1 in pwnDFU mode...
[Log] Option: Downgrade
[Log] Extracting IPSW...
[Log] Entering pwnREC mode...
[==================================================] 100.0%
[==================================================] 100.0%
[Log] Found device in pwnREC mode.
[Log] Saving 10.3.3 blobs with tsschecker...

• APNonce: 8f760412c8653de657e8ea2352f706de2e9ca85c
  resources/tools/tsschecker_linux: error while loading shared libraries: libplist-2.0.so.3: cannot open shared object file: No such file or directory
  ls: cannot access '_iPhone6,1_n51ap_10.3.3-.shsh': No such file or directory

[Error] Saving 10.3.3 blobs failed. Please run the script again

• It is also possible that 10.3.3 for iPhone6,1 is no longer signed

hi, dude, could you tell me which password it is, both alpine or my mac password are failed;
`[Log] Found device in DFU mode.

[Log] Extracting IPSW...
[Log] Preparing for futurerestore (starting local server)...
[Log] Will now proceed to futurerestore...

Password:
Sorry, try again.
Password:

Sorry, try again.
Password:
sudo: 3 incorrect password attempts
`

Line 340 of restore.sh should be IPSWSHA1L=$(shasum $IPSW.ipsw | awk '{print $1}') as sha1sum doesn't exist, at least on macOS.

Almost same issue as #14 , just with iPod5,1.
https://pastebin.com/RHTDBhvM

[Input] Enter ProductType (eg. iPad2,1): iPhone4,1
[Log] Updating firmware...
Already up to date.
[Log] Updating ipwndfu...
Already up to date.
[Log] 32-bit device in DFU mode detected.

• Advanced options menu - use at your own risk
• Warning: A6 devices won't have activation error workaround yet when using this method
  [Input] This device is in:

1. kDFU mode 3) pwnDFU mode (checkm8 A5)
2. DFU mode (ipwndfu A6) 4) (Any other key to exit)
   #? 3
   [Log] Downloading iBSS...
   cat: resources/firmware/iPhone4,1//url: No such file or directory
   usage: resources/tools/partialzip_macos [numBytes]
   mv: rename .dfu to saved/iPhone4,1/.dfu: No such file or directory

[Error] Failed to save iBSS. Please run the script again

Marneilxs-iMac:iOS-OTA-Downgrader-master marneilx$

It doesn't work a few days ago.

iOS 8.4.1 Downgrade
[Log] Saving 8.4.1 blobs with tsschecker...
Version: 7d267698cb16ab4699fa9cba20783ee041ac999e - 212
[TSSC] manually specified ecid to use, parsed "919124589996" to dec:919124589996 hex:d600183dac
[TSSC] opening resources/manifests/BuildManifest_iPad2,2_8.4.1.plist
[WARNING] [TSSC] could not get id0 for installType=Erase. Using fallback installType=Update since user did not specify installType manually
[TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
[TSSR] Sending TSS request attempt 1... failure
​
iOS 8.4.1 for device iPad2,2 IS NOT being signed!
ls: '_iPad2,2_8.4.1-.shsh2'에 접근할 수 없습니다: 그런 파일이나 디렉터리가 없습니다
[Error] Saving 8.4.1 blobs failed. Please run the script again
It is also possible that 8.4.1 for iPad2,2 is no longer signed
​​

Can I downgrade my device ipad mini 2,5 ?
If It can , which version have support ?

I've got an iPhone 5S (6,1) that I'm unable to downgrade to iOS 10.3.3 using iOS-OTA_Downloader. I was able to downgrade it with futurerestore and Vieux so I figured I would test out this tool as well, but was unable to downgrade.

I've also got an iPhone 5 (5,1) that I was able to downgrade to iOS 8.4.1 using this tool, but that obviously uses a different process than the 64-bit devices.

In any case, below is the log of the failed downgrade. It shows the device is in pwned DFU mode, but then is unable to detect a device in pwnDFU mode. As I said before, I've already gotten this device to downgrade using futurerestore and Vieux so this isn't an issue for me, I just figured I would share my findings and am happy to test anything out to help further development of the script.

******* iOS-OTA-Downgrader ******* 
   Downgrader script by LukeZGD    

[Log] Downloading firmware... 
Cloning into 'firmware'...
remote: Enumerating objects: 586, done.
remote: Counting objects: 100% (586/586), done.
remote: Compressing objects: 100% (287/287), done.
remote: Total 586 (delta 103), reused 581 (delta 101), pack-reused 0
Receiving objects: 100% (586/586), 134.22 KiB | 898.00 KiB/s, done.
Resolving deltas: 100% (103/103), done.
[Log] Downloading ipwndfu... 
Cloning into 'ipwndfu'...
remote: Enumerating objects: 510, done.
remote: Total 510 (delta 0), reused 0 (delta 0), pack-reused 510
Receiving objects: 100% (510/510), 1.89 MiB | 2.71 MiB/s, done.
Resolving deltas: 100% (268/268), done.
* Platform: macos 
* HardwareModel: n51ap 
* ProductType: iPhone6,1 
* ProductVersion: 10.3.3 
* UniqueChipID (ECID): 1234567890123 

*** Main Menu *** 
[Input] Select an option: 
1) Downgrade device	      3) (Any other key to exit)
2) (Re-)Install Dependencies
#? 1
[Log] Option: Downgrade 
[Log] Entering recovery mode... 
[Log] Device in recovery mode detected. Get ready to enter DFU mode 
[Input] Select Y to continue, N to exit recovery (Y/n)  y
* Hold POWER and HOME button for 10 seconds. 
10 9 8 7 6 5 4 3 2 1 
* Release POWER and hold HOME button for 10 seconds. 
10 9 8 7 6 5 4 
[Log] Device in DFU mode detected. 
[Log] Entering pwnDFU mode with ipwndfu... 
*** checkm8 exploit by axi0mX ***
*** modified version by Linus Henze and synackuk ***
*** s5l8965x support by Matthew Pierson ***
Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:00 ECID:0000011F71FB04CB IBFL:1C SRTG:[iBoot-1704.10]
Device is now in pwned DFU Mode.
(12.91 seconds)

[Error] Failed to detect device in pwnDFU mode. Please run the script again 
* ./restore.sh Downgrade 

I'm getting this error:

Detected device has no baseband
Version: XXXX - 152
Libipatcher Version: XXXX - 44
Odysseus Support: yes
[INFO] 32bit device detected
futurerestore init done
reading ticket 4394859152137_iPad2,5_8.4.1-12H321_XXXX.shsh2 done

WARNING: user specified not to flash a baseband. This can make the restore fail if the device needs a baseband!
if you added this flag by mistake you can press CTRL-C now to cancel
continuing restore in 5 4 3 2 1
Found device in DFU mode
requesting to get into pwnRecovery later
Found device in DFU mode
Identified device as p105ap, iPad2,5
Extracting BuildManifest from IPSW
Product Version: 8.4.1
Product Build: 12H321 Major: 12
Device supports Image4: false
checking APTicket to be valid for this restore...
Verified ECID in APTicket matches device ECID
[WARNING] skipping ramdisk hash check, since device is in pwnDFU according to user
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
Extracting iBSS.p105.RELEASE.dfu...
terminate called after throwing an instance of 'libipatcher::exception'
what(): std::exception
./restore.sh: line 145: 6233 Aborted (core dumped) sudo env "LD_PRELOAD=libcurl.so.3" tools/futurerestore_$platform -t $SHSH --no-baseband --use-pwndfu ${IPSW}.ipsw

futurerestore done!
If futurerestore failed to download baseband or for some reason, you can choose to retry
Retry? (y/n)
y

the following code comes to me when I have downloaded the ipsw, so what does it mean? Thank you~

`iOS 6.1.3 for device iPhone4,1 IS being signed!

cp: iPhone4,1_6.1.3_10B329_Restore/Firmware/dfu/iBSS.n94ap.RELEASE.dfu: No such file or directory
[Error] pzb not found! Depends on partialZipBrowser: https://github.com/tihmstar/partialZipBrowser
tian@MacBook-Pro 32bit-OTA-Downgrader-master %
`

Here are the logs

* HardwareModel: p101ap
* ProductType: iPad3,4
* ProductVersion: 10.3.3
* UniqueChipID (ECID): 1832542806961

*** Main Menu ***
[Input] Select an option:
1) Downgrade device		 4) (Re-)Install Dependencies
2) Save OTA blobs		 5) (Any other key to exit)
3) Just put device in kDFU mode
#? 1
[Input] Select iOS version:
1) iOS 8.4.1
2) Other
#? 1
[Log] Option: Downgrade
[Log] Saving 8.4.1 blobs with tsschecker...
Version: b9d193aa6e6d24421094873c830692d02d8b32f5 - 304
libfragmentzip version: 0.59-542a470d7be248681dba71d0f04e7dc8c2718b73
[TSSC] manually specified ECID to use, parsed "1832542806961" to dec:1832542806961 hex:1aaac1023b1
[TSSC] opening resources/manifests/BuildManifest_iPad3,4_8.4.1.plist
[WARNING] [TSSC] could not get id0 for installType=Erase. Using fallback installType=Update since user did not specify installType manually
[TSSR] LOG: device iPad3,4 doesn't need a baseband ticket, continuing without requesting a Baseband ticket
[TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
[TSSR] Sending TSS request attempt 1... success
[Error] [TSSR] Error: could not get id0 for installType=Erase
Saved shsh blobs!

iOS 8.4.1 for device iPad3,4 IS being signed!
[Log] Successfully saved 8.4.1 blobs.
[Log] Verifying IPSW...
[Log] Extracting iBSS from IPSW...
Archive:  iPad3,4_8.4.1_12H321_Restore.ipsw
  inflating: saved/iPad3,4/iBSS.p101.RELEASE.dfu  
[Log] Decrypting iBSS...
[Log] IV = a5892a58c90b6d3fb0e0b20db95070d7
[Log] Key = 75612774968009e3f85545ac0088d0d0bb9cb4e2c2970e8f88489be0b9dfe103
/Users/tihmstar/clones/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: ee39c972097dcf9e0263e04bec1931e1caeee152497b00c460c58aa58d35a519d9358834aca7135f5c0910681239c904
[Log] Patching iBSS...
[Log] Mounting device with ifuse...
mkdir: mount: File exists
Failed to start AFC service 'com.apple.afc' on the device.
[Log] Copying stuff to device...
[Log] Unmounting device... (Enter root password of your PC/Mac when prompted)
umount: mount: not currently mounted

* Open MTerminal and run these commands:

$ su
(Enter root password of your iOS device, default is 'alpine')
# cd Media
# chmod +x pwn.sh
# ./pwn.sh

* Press home/power button once when screen goes black on the device
[Log] Finding device in DFU mode...
2020-07-26 19:34:48.066 system_profiler[96594:943381] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:34:48.066 system_profiler[96594:943381] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:34:52.676 system_profiler[98845:946765] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:34:52.676 system_profiler[98845:946765] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:34:57.292 system_profiler[1516:950129] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:34:57.292 system_profiler[1516:950129] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:01.897 system_profiler[3775:953473] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:01.897 system_profiler[3775:953473] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:06.485 system_profiler[6026:956824] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:06.485 system_profiler[6026:956824] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:11.074 system_profiler[8277:960163] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:11.074 system_profiler[8277:960163] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:15.680 system_profiler[10527:963562] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:15.680 system_profiler[10527:963562] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:20.191 system_profiler[12679:966778] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:20.192 system_profiler[12679:966778] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:24.683 system_profiler[14831:969986] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:24.684 system_profiler[14831:969986] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
[Log] Found device in DFU mode.
[Log] Extracting IPSW...
[Log] Preparing for futurerestore... (Enter root password of your PC/Mac when prompted)
[Log] Device iPad3,4 has no baseband
[Log] Proceeding to futurerestore...
Version: 81b98e0425e17250cc83d5badaf9a8cc6399f481 - 245
Libipatcher version: 3159a387584e352f690cca859e013c3a4683f3e8 - 69
Odysseus support: yes
[INFO] 32-bit device detected
futurerestore init done
reading signing ticket 1832542806961_iPad3,4_8.4.1-12H321_7c1b45f5c7e1abeb5fff03aef82d58b98c21a975.shsh2 is done
Found device iPad3,4 p101ap

WARNING: user specified not to flash a baseband. This can make the restore fail if the device needs a baseband!
if you added this flag by mistake you can press CTRL-C now to cancel
continuing restore in 10 Traceback (most recent call last):
  File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/http/server.py", line 1294, in <module>
    test(
  File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/http/server.py", line 1249, in test
    with ServerClass(addr, HandlerClass) as httpd:
  File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/socketserver.py", line 452, in __init__
    self.server_bind()
  File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/http/server.py", line 1292, in server_bind
    return super().server_bind()
  File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/http/server.py", line 138, in server_bind
    socketserver.TCPServer.server_bind(self)
  File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/socketserver.py", line 466, in server_bind
    self.socket.bind(self.server_address)
OSError: [Errno 48] Address already in use
9 8 7 6 5 4 3 2 1 
Found device in DFU mode
requesting to get into pwned DFU later
Found device in DFU mode
Identified device as p101ap, iPad3,4
Extracting BuildManifest from iPSW
Product version: 8.4.1
Product build: 12H321 Major: 12
Device supports IMG4: false
checking APTicket to be valid for this restore...
Verified ECID in APTicket matches device ECID
[WARNING] skipping ramdisk hash check, since device is in pwned DFU according to user
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
::1 - - [26/Jul/2020 19:35:49] "GET /firmware/iPad3,4/12H321 HTTP/1.1" 301 -
::1 - - [26/Jul/2020 19:35:49] "GET /firmware/iPad3,4/12H321/ HTTP/1.0" 200 -
::1 - - [26/Jul/2020 19:35:49] "GET /firmware/iPad3,4/12H321 HTTP/1.1" 301 -
::1 - - [26/Jul/2020 19:35:49] "GET /firmware/iPad3,4/12H321/ HTTP/1.0" 200 -
Extracting iBSS.p101.RELEASE.dfu...
iBoot32Patch: iBoot-2261 inputted.
patch_rsa_check: Entering...
find_bl_verify_shsh_generic: Entering...
find_bl_verify_shsh_generic: Found LDR instruction at 0x663c
find_bl_verify_shsh_generic: Found BL verify_shsh at 0x69e2
find_bl_verify_shsh_generic: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x69e2...
patch_rsa_check: Leaving...
iBoot32Patch: Quitting...
Extracting iBEC.p101.RELEASE.dfu...
iBoot32Patch: iBoot-2261 inputted.
patch_ticket_check: Entering...
patch_ticket_check: Found iBoot baseaddr 0xbff00000
patch_ticket_check: Found iboot_vers_str at 0x280
patch_ticket_check: Found str_pointer at 0x308
patch_ticket_check: Found iboot_str_3_xref at 0x2029c
patch_ticket_check: Found ldr_intruction at 0x20208
patch_ticket_check: Found last_good_bl at 0x20210...
patch_ticket_check: Found next_pop at 0x2028e...
patch_ticket_check: Found next_pop at 0xbff2028e...
patch_ticket_check: Found last_branch at 0x20282...
patch_ticket_check: Patching in mov.w r0, #0 at 0x20214...
patch_ticket_check: Patching in mov.w r1, #0 at 0x20218...
patch_ticket_check: NOPing useless stuff at 0x2021c to 0x20284 ...
patch_ticket_check: Leaving...
patch_rsa_check: Entering...
find_bl_verify_shsh_generic: Entering...
find_bl_verify_shsh_generic: Found LDR instruction at 0x1bbf4
find_bl_verify_shsh_generic: Found BL verify_shsh at 0x1c22e
find_bl_verify_shsh_generic: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x1c22e...
patch_rsa_check: Leaving...
iBoot32Patch: Quitting...
Sending iBSS (78044 bytes)...
[==================================================] 100.0%
Sending iBEC (295132 bytes)...
[==================================================] 100.0%
[Error] ERROR: Unable to connect to recovery device
Done: restoring failed.
Failed with errorcode=-94

[Log] futurerestore done!
[Log] Stopping local server... (Enter root password of your PC/Mac when prompted)
[Log] Downgrade script done!

Here are the logs

* ProductType: iPad3,4
* ProductVersion: 10.3.3
* UniqueChipID (ECID): 1832542806961

*** Main Menu ***
[Input] Select an option:
1) Downgrade device		 4) (Re-)Install Dependencies
2) Save OTA blobs		 5) (Any other key to exit)
3) Just put device in kDFU mode
#? 1
[Input] Select iOS version:
1) iOS 8.4.1
2) Other
#? 1
[Log] Option: Downgrade
[Log] Saving 8.4.1 blobs with tsschecker...
Version: b9d193aa6e6d24421094873c830692d02d8b32f5 - 304
libfragmentzip version: 0.59-542a470d7be248681dba71d0f04e7dc8c2718b73
[TSSC] manually specified ECID to use, parsed "1832542806961" to dec:1832542806961 hex:1aaac1023b1
[TSSC] opening resources/manifests/BuildManifest_iPad3,4_8.4.1.plist
[WARNING] [TSSC] could not get id0 for installType=Erase. Using fallback installType=Update since user did not specify installType manually
[TSSR] LOG: device iPad3,4 doesn't need a baseband ticket, continuing without requesting a Baseband ticket
[TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
[TSSR] Sending TSS request attempt 1... success
[Error] [TSSR] Error: could not get id0 for installType=Erase
Saved shsh blobs!

iOS 8.4.1 for device iPad3,4 IS being signed!
[Log] Successfully saved 8.4.1 blobs.
[Log] Verifying IPSW...
[Log] Extracting iBSS from IPSW...
Archive:  iPad3,4_8.4.1_12H321_Restore.ipsw
  inflating: saved/iPad3,4/iBSS.p101.RELEASE.dfu  
[Log] Decrypting iBSS...
[Log] IV = a5892a58c90b6d3fb0e0b20db95070d7
[Log] Key = 75612774968009e3f85545ac0088d0d0bb9cb4e2c2970e8f88489be0b9dfe103
/Users/tihmstar/clones/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: ee39c972097dcf9e0263e04bec1931e1caeee152497b00c460c58aa58d35a519d9358834aca7135f5c0910681239c904
[Log] Patching iBSS...
[Log] Mounting device with ifuse...
mkdir: mount: File exists
Failed to connect to lockdownd service on the device.
Try again. If it still fails try rebooting your device.
[Log] Copying stuff to device...
[Log] Unmounting device... (Enter root password of your PC/Mac when prompted)
Password:
umount: mount: not currently mounted

* Open MTerminal and run these commands:

$ su
(Enter root password of your iOS device, default is 'alpine')
# cd Media
# chmod +x pwn.sh
# ./pwn.sh

* Press home/power button once when screen goes black on the device
[Log] Finding device in DFU mode...
2020-07-26 19:17:35.526 system_profiler[1280:499225] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:17:35.526 system_profiler[1280:499225] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:17:40.097 system_profiler[3539:502593] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:17:40.098 system_profiler[3539:502593] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:17:44.743 system_profiler[5790:505964] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:17:44.744 system_profiler[5790:505964] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:17:49.328 system_profiler[8041:509304] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:17:49.329 system_profiler[8041:509304] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be

I'm getting this error. I've tried reinstalling the dependencies. It's not a SSH problem, because I can connect using "ssh root@[insert IP Address]" My distro is Lubuntu 16.04

`******* 32bit-OTA-Downgrader *******
Downgrade script by LukeZGD

Main Menu

HardwareModel: n94ap
ProductType: iPhone4,1
ProductVersion: 9.3.6
UniqueChipID (ECID):

[Input] Select an option:

1. Downgrade device 4) (Re-)Install Dependencies
2. Save OTA blobs 5) (Any other key to exit)
3. Just put device in kDFU mode
   #? 1
   [Input] Select iOS version:
4. iOS 8.4.1
5. iOS 6.1.3
6. Other
7. Back
   #? 2
   [Log] iOS 6.1.3 Downgrade
   [Log] Saving 6.1.3 blobs with tsschecker...
   Version: 7d267698cb16ab4699fa9cba20783ee041ac999e - 212
   [TSSC] manually specified ecid to use, parsed "" to dec:9 hex:
   [TSSC] opening resources/manifests/BuildManifest_iPhone4,1_6.1.3.plist
   [WARNING] [TSSC] could not get id0 for installType=Erase. Using fallback installType=Update since user did not specify installType manually
   [TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
   [TSSR] Sending TSS request attempt 1... success
   Saved shsh blobs!

iOS 6.1.3 for device iPhone4,1 IS being signed!
[Log] Successfully saved 6.1.3 blobs.
[Log] Verifying IPSW...
[Log] Extracting iBSS from IPSW...
Archive: iPhone4,1_6.1.3_10B329_Restore.ipsw
caution: filename not matched: Firmware/dfu/iBSS.n94.RELEASE.dfu
[Log] Downloading iBSS...
resources/tools/pzb_linux: /usr/lib/x86_64-linux-gnu/libcurl.so.4: version CURL_OPENSSL_4' not found (required by resources/tools/pzb_linux) mv: cannot stat 'iBSS.n94.RELEASE.dfu': No such file or directory [Log] Decrypting iBSS... [Log] IV = 147cdef921ed14a5c10631c5e6e02d1e [Log] Key = 6ea1eb62a9f403ee212c1f6b3039df093963b46739c6093407190fe3d750c69c error: cannot open template dd: failed to open 'tmp/iBSS.dec': No such file or directory [Log] Patching iBSS... bspatch: tmp/iBSS.dec2: No such file or directory Make sure SSH is installed and working on the device! Please enter Wi-Fi IP address of device for SSH connection [Input] IP Address: 192.168.2.129 [Log] Connecting to device via SSH... (Enter root password of your iOS device, default is 'alpine') [Log] Copying stuff to device... [email protected]'s password: kloader 100% 51KB 50.8KB/s 00:00 tmp/pwnediBSS: No such file or directory [Error] Cannot connect to device via SSH. Please check your ~/.ssh/known_hosts file and try again

The tool isnt working for me, its just wanting to install the dependencies.

I'm trying to downgrade an iPhone 4S to 6.1.3 on macOS 10.14.6 and the process gets stuck there.
One thing I did is when it said "Press home/power button once when screen goes black on the device" it didn't work, so I held both buttons, and after a while released the power button, and then it detected it. I hope that's not the problem. If needed I can provide the terminal output.

******* iOS-OTA-Downgrader *******
Downgrader script by LukeZGD

[Log] Updating firmware...
Already up to date.
[Log] Updating ipwndfu...
Already up to date.

• Platform: linux
• HardwareModel: j71ap
• ProductType: iPad4,1
• ProductVersion: Unknown
• UniqueChipID (ECID): 0x000002370fb04b64

[Log] Option: install
[Log] A7 device in recovery mode detected. Get ready to enter DFU mode
[Input] Select Y to continue, N to exit recovery (Y/n) y

• Hold POWER and HOME button for 10 seconds.
  10 09 08 07 06 05 04 03 02 01
• Release POWER and hold HOME button for 10 seconds.
  10
  [Log] Device in DFU mode detected.
  [Log] Entering pwnDFU mode with ipwndfu...
  *** checkm8 exploit by axi0mX ***
  *** modified version by Linus Henze and synackuk ***
  *** s5l8965x support by Matthew Pierson ***
  Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:10 ECID:000002370FB04B64 IBFL:1C SRTG:[iBoot-1704.10]
  Device is now in pwned DFU Mode.
  (34.30 seconds)
  [Log] Device in pwnDFU mode detected.
  [Log] Running rmsigchks.py...
  *** SecureROM Signature check remover by Linus Henze ***
  Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:10 ECID:000002370FB04B64 IBFL:1C SRTG:[iBoot-1704.10] PWND:[checkm8]
  Applying patches...
  Successfully applied patches
  Resetting device state
  Device is now ready to accept unsigned images
  [Log] Downgrading device iPad4,1 in pwnDFU mode...
  [Log] Option: Downgrade
  [Log] Extracting IPSW...
  [Log] Entering pwnREC mode...
  [==================================================] 100.0%
  [==================================================] 100.0%
  [Log] Found device in pwnREC mode.
  [Log] Saving 10.3.3 blobs with tsschecker...
• APNonce: 0f3b31015974dcc5ceb91c6883d6402621e5f1bb
  Version: 62d2b32f782e2735c859ab4f51976461b555e505 - 360
  [TSSC] manually specified ECID to use, parsed "0x000002370fb04b64" to dec:2435509668708 hex:2370fb04b64
  [TSSC] manually specified ApNonce to use, parsed "0f3b31015974dcc5ceb91c6883d6402621e5f1bb" to hex:0f3b31015974dcc5ceb91c6883d6402621e5f1bb
  [TSSC] opening resources/manifests/BuildManifest_iPad4,1_10.3.3.plist
  [TSSR] LOG: device iPad4,1 doesn't need a baseband ticket, continuing without requesting a Baseband ticket
  [TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
  [TSSR] Sending TSS request attempt 1... success
  also requesting APTicket for update installing
  [Error] [TSSR] Error: could not get id0 for installType=Update
  [WARNING] [TSSR] faild to build tssrequest for alternative installType
  [TSSR] User specified not to request a baseband ticket.
  [TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
  [TSSR] Sending TSS request attempt 1... failure
  [Error] ERROR: TSS request failed (status=128, message=An internal error occurred.)
  Saved signing tickets!

iOS 10.3.3 for device iPad4,1 IS being signed!
ls: cannot access '*_iPad4,1_j71ap_10.3.3-0f3b31015974dcc5ceb91c6883d6402621e5f1bb.shsh': No such file or directory

[Error] Saving 10.3.3 blobs failed. Please run the script again

• It is also possible that 10.3.3 for iPad4,1 is no longer signed

I did reinstall, delete old shsh file, but every time has this error.

This will be done later this month

This will be applied when device is detected in recovery/DFU mode, or if no device is detected

Hi, I'm trying to launch your script on macOS 10.13.6, every time I start restore.sh it's returning

******* 32bit-OTA-Downgrader *******
Downgrade script by LukeZGD

Install Dependencies
[Log] Installing dependencies for macOS with Homebrew...
Uninstalling /usr/local/Cellar/libusbmuxd/HEAD-5cbf763... (14 files, 165.0KB)
Uninstalling /usr/local/Cellar/libimobiledevice/HEAD-dc20b07_6... (70 files, 1.1MB)
Updating Homebrew...
==> Cloning https://github.com/libimobiledevice/libusbmuxd.git
Updating /Users/michal/Library/Caches/Homebrew/libusbmuxd--git
==> Checking out branch master
Already on 'master'
Your branch is up to date with 'origin/master'.
HEAD is now at 5cbf763 configure.ac: Drop AC_FUNC_MALLOC/REALLOC and use AC_CHECK_FUNCS instead to allow cross compiliation
==> ./autogen.sh
==> ./configure --prefix=/usr/local/Cellar/libusbmuxd/HEAD-5cbf763
==> make install
🍺 /usr/local/Cellar/libusbmuxd/HEAD-5cbf763: 14 files, 165.0KB, built in 54 seconds
Updating Homebrew...
==> Cloning https://git.libimobiledevice.org/libimobiledevice.git
Updating /Users/michal/Library/Caches/Homebrew/libimobiledevice--git
==> Checking out branch master
Already on 'master'
Your branch is up to date with 'origin/master'.
HEAD is now at dc20b07 idevicesyslog: Add command line switch to exit when device disconnects
==> ./autogen.sh
==> ./configure --prefix=/usr/local/Cellar/libimobiledevice/HEAD-dc20b07_6 --without-cython --enable-debug-code
==> make install
🍺 /usr/local/Cellar/libimobiledevice/HEAD-dc20b07_6: 70 files, 1.1MB, built in 1 minute 14 seconds
Updating Homebrew...
Warning: libzip 1.6.1 is already installed and up-to-date
To reinstall 1.6.1, run brew reinstall libzip
Warning: lsusb 1.0 is already installed and up-to-date
To reinstall 1.0, run brew reinstall lsusb
Updating Homebrew...
Warning: Cask 'osxfuse' is already installed.

To re-install osxfuse, run:
brew cask reinstall osxfuse
Updating Homebrew...
Warning: ifuse 1.1.3 is already installed and up-to-date
To reinstall 1.1.3, run brew reinstall ifuse
[Log] Install script done! Please run the script again to proceed

next script run gives the same.

BTW. Downgrading to 6.1.3 with latest baseband will give GPS work again on iPhone4S with 6.1.3?

I'm attempting a downgrade to iOS 6.1.3 from 9.3.5 on my iPad 2,1. Everything goes swimmingly until the script starts to send iBEC, where it freezes at 62.4%. I left it for about two hours before throwing in the towel. I tried a number of different things- different USB port, letting the script download the ipsw instead of supplying it- all with the same result. This was all done using a full install of Lubuntu 18.04, and a clean, jailbroken install of 9.3.5. Any guidance on this issue?

cant connect via ssh

noticed it doesn't ask me for an ip
ip is 127.0.0.1 port 2222

have deleted known hosts

Running ubuntu 20.04 liveusb

[Error] Cannot connect to device via SSH.

• Please check your ~/.ssh/known_hosts file and try again

I stumbled upon some small problems in your script.

• The dependency install for Fedora doesn't include git, which is not included in the LiveCD environment of Fedora 32, so git clone fails. I manually installed git, and added --depth 1 because accessing GitHub from China is slow and commit history isn't necessary for this anyway.
• Determining the distro by checking the package manager isn't reliable, as package managers could be installed on different distros than their "home" distros. On the Fedora installation on my hard drive, I have pacman installed for 3DS homebrew development, so I had to comment out the Arch Linux if branch.
• Maybe add some code so that if the hashsum of the openssl rpm matches the previously downloaded one, the script would not download it again when re-installing dependencies? My ISP is shitty and downloading that file took me 5 minutes lol

I tested it on iPad 3 and it worked great in iOS 8.4.1 but the problem is the battery often un charge to power (showing "not charging)

Everything goes well until getting stuck at Waiting for device...
I do get the green screen and I get the restore loading bar, but nothing happens.
I'm running the script on:
Ubuntu 19.10, Kernel 5.3.0-51
I'm trying to downgrade:
Ipad 2,4 to IOS 8.4.1 from IOS 9.3.5 on Pheonix Jailbreak

******* iOS-OTA-Downgrader *******
Downgrader script by LukeZGD

cat: resources/firmware/iPhone6,2/14G60/url: No such file or directory
[Log] Downloading firmware...
[Log] Downloading ipwndfu...

• HardwareModel: n53ap
• ProductType: iPhone6,2
• ProductVersion: Unknown
• UniqueChipID (ECID): 0x000005b7f333c850

*** Main Menu ***
[Input] Select an option:

1. Downgrade device 3) (Any other key to exit)
2. (Re-)Install Dependencies
   #? 1
   [Log] Option: Downgrade
   [Log] A7 device in recovery mode detected. Get ready to enter DFU mode
   [Input] Select Y to continue, N to exit recovery (Y/n)

• Hold POWER and HOME button for 10 seconds.
  10 09 08 07 06 05 04 03 02 01
• Release POWER and hold HOME button for 10 seconds.
  10 09 08 07 06 05 04 03
  [Log] Device in DFU mode detected.
  [Log] Entering pwnDFU mode with ipwndfu...
  *** checkm8 exploit by axi0mX ***
  *** modified version by Linus Henze ***
  *** s5l8965x support by Matthew Pierson ***
  Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:02 ECID:000005B7F333C850 IBFL:1C SRTG:[iBoot-1704.10]
  Device is now in pwned DFU Mode.
  (11.55 seconds)
  [Log] Detected device in pwnDFU mode. Running rmsigchks.py...
  *** SecureROM Signature check remover by Linus Henze ***
  Found: CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:02 ECID:000005B7F333C850 IBFL:1C SRTG:[iBoot-1704.10] PWND:[checkm8]
  Applying patches...
  Successfully applied patches
  Resetting device state
  Device is now ready to accept unsigned images
  [Log] Downgrading device iPhone6,2 in pwnDFU mode...
  [Log] Option: Downgrade
  [Log] Verifying IPSW...
  [Log] Extracting IPSW...
  [Log] Preparing custom IPSW...
  adding: 058-74917-062.dmg (stored 0%)
  adding: 058-74940-063.dmg (stored 0%)
  adding: 058-75381-062.dmg (stored 0%)
  adding: BuildManifest.plist (stored 0%)
  adding: Firmware/ (stored 0%)
  adding: Firmware/Mav10-5.62.00.Release.plist (stored 0%)
  adding: Firmware/all_flash/ (stored 0%)
  adding: Firmware/all_flash/recoverymode@1136iphone-lightning.s8003.im4p (stored 0%)
  adding: Firmware/all_flash/glyphplugin@1136iphone-lightning.s5l8960x.im4p (stored 0%)
  adding: Firmware/all_flash/batterylow0@2xiphone.s8003.im4p (stored 0%)
  adding: Firmware/all_flash/batterylow0@2xiphone.s5l8960x.im4p (stored 0%)
  adding: Firmware/all_flash/recoverymode@1136iphone-lightning.s5l8960x.im4p (stored 0%)
  adding: Firmware/all_flash/batterycharging0@2xiphone.s5l8960x.im4p (stored 0%)
  adding: Firmware/all_flash/batterylow0@2xiphone.s8000.im4p.plist (stored 0%)
  adding: Firmware/all_flash/sep-firmware.n69u.RELEASE.im4p (stored 0%)
  adding: Firmware/all_flash/batterylow1@2xiphone.s8000.im4p.plist (stored 0%)
  adding: Firmware/all_flash/batteryfull@2xiphone.s8000.im4p (stored 0%)
  adding: Firmware/all_flash/batterylow0@2xiphone.s8000.im4p (stored 0%)
  adding: Firmware/all_flash/iBoot.n69.RELEASE.im4p (stored 0%)
  adding: Firmware/all_flash/recoverymode@1136iphone-lightning.s5l8960x.im4p.plist (stored 0%)
  adding: Firmware/all_flash/glyphplugin@1136iphone-lightning.s8003.im4p (stored 0%)
  adding: Firmware/all_flash/batterycharging0@2xiphone.s5l8960x.im4p.plist (stored 0%)
  adding: Firmware/all_flash/sep-firmware.n51.RELEASE.im4p (stored 0%)
  adding: Firmware/all_flash/applelogo@2xiphone.s8000.im4p (stored 0%)
  adding: Firmware/all_flash/sep-firmware.n53.RELEASE.im4p.plist (stored 0%)
  adding: Firmware/all_flash/batterylow0@2xiphone.s8003.im4p.plist (stored 0%)
  adding: Firmware/all_flash/DeviceTree.n53ap.im4p (stored 0%)
  adding: Firmware/all_flash/sep-firmware.n51.RELEASE.im4p.plist (stored 0%)
  adding: Firmware/all_flash/batteryfull@2xiphone.s8000.im4p.plist (stored 0%)
  adding: Firmware/all_flash/recoverymode@1136iphone-lightning.s8003.im4p.plist (stored 0%)
  adding: Firmware/all_flash/LLB.iphone6.RELEASE.im4p (stored 0%)
  adding: Firmware/all_flash/applelogo@2xiphone.s8003.im4p.plist (stored 0%)
  adding: Firmware/all_flash/sep-firmware.n69u.RELEASE.im4p.plist (stored 0%)
  adding: Firmware/all_flash/batterylow1@2xiphone.s5l8960x.im4p (stored 0%)
  adding: Firmware/all_flash/recoverymode@1136iphone-lightning.s8000.im4p.plist (stored 0%)
  adding: Firmware/all_flash/batterycharging0@2xiphone.s8003.im4p.plist (stored 0%)
  adding: Firmware/all_flash/applelogo@2xiphone.s5l8960x.im4p.plist (stored 0%)
  adding: Firmware/all_flash/iBoot.n69u.RELEASE.im4p (stored 0%)
  adding: Firmware/all_flash/iBoot.n69u.RELEASE.im4p.plist (stored 0%)
  adding: Firmware/all_flash/batterylow1@2xiphone.s5l8960x.im4p.plist (stored 0%)
  adding: Firmware/all_flash/batterycharging1@2xiphone.s5l8960x.im4p.plist (stored 0%)
  adding: Firmware/all_flash/iBoot.iphone6.RELEASE.im4p.plist (stored 0%)
  adding: Firmware/all_flash/iBoot.iphone6.RELEASE.im4p (stored 0%)
  adding: Firmware/all_flash/LLB.n69u.RELEASE.im4p (stored 0%)
  adding: Firmware/all_flash/batterycharging0@2xiphone.s8000.im4p (stored 0%)
  adding: Firmware/all_flash/glyphplugin@1136iphone-lightning.s8003.im4p.plist (stored 0%)
  adding: Firmware/all_flash/batteryfull@2xiphone.s8003.im4p (stored 0%)
  adding: Firmware/all_flash/batteryfull@2xiphone.s8003.im4p.plist (stored 0%)
  adding: Firmware/all_flash/LLB.iphone6.RELEASE.im4p.plist (stored 0%)
  adding: Firmware/all_flash/DeviceTree.n53ap.im4p.plist (stored 0%)
  adding: Firmware/all_flash/glyphplugin@1136iphone-lightning.s5l8960x.im4p.plist (stored 0%)
  adding: Firmware/all_flash/DeviceTree.n51ap.im4p (stored 0%)
  adding: Firmware/all_flash/LLB.n69.RELEASE.im4p (stored 0%)
  adding: Firmware/all_flash/applelogo@2xiphone.s5l8960x.im4p (stored 0%)
  adding: Firmware/all_flash/DeviceTree.n69ap.im4p.plist (stored 0%)
  adding: Firmware/all_flash/DeviceTree.n69uap.im4p.plist (stored 0%)
  adding: Firmware/all_flash/LLB.n69.RELEASE.im4p.plist (stored 0%)
  adding: Firmware/all_flash/batterycharging1@2xiphone.s5l8960x.im4p (stored 0%)
  adding: Firmware/all_flash/batterycharging1@2xiphone.s8000.im4p.plist (stored 0%)
  adding: Firmware/all_flash/batterycharging0@2xiphone.s8003.im4p (stored 0%)
  adding: Firmware/all_flash/batterylow0@2xiphone.s5l8960x.im4p.plist (stored 0%)
  adding: Firmware/all_flash/batteryfull@2xiphone.s5l8960x.im4p.plist (stored 0%)
  adding: Firmware/all_flash/sep-firmware.n69.RELEASE.im4p (stored 0%)
  adding: Firmware/all_flash/batterylow1@2xiphone.s8003.im4p.plist (stored 0%)
  adding: Firmware/all_flash/applelogo@2xiphone.s8000.im4p.plist (stored 0%)
  adding: Firmware/all_flash/batterylow1@2xiphone.s8000.im4p (stored 0%)
  adding: Firmware/all_flash/batterycharging0@2xiphone.s8000.im4p.plist (stored 0%)
  adding: Firmware/all_flash/DeviceTree.n51ap.im4p.plist (stored 0%)
  adding: Firmware/all_flash/batterylow1@2xiphone.s8003.im4p (stored 0%)
  adding: Firmware/all_flash/glyphplugin@1136iphone-lightning.s8000.im4p.plist (stored 0%)
  adding: Firmware/all_flash/sep-firmware.n53.RELEASE.im4p (stored 0%)
  adding: Firmware/all_flash/batterycharging1@2xiphone.s8003.im4p.plist (stored 0%)
  adding: Firmware/all_flash/DeviceTree.n69ap.im4p (stored 0%)
  adding: Firmware/all_flash/applelogo@2xiphone.s8003.im4p (stored 0%)
  adding: Firmware/all_flash/batteryfull@2xiphone.s5l8960x.im4p (stored 0%)
  adding: Firmware/all_flash/batterycharging1@2xiphone.s8000.im4p (stored 0%)
  adding: Firmware/all_flash/LLB.n69u.RELEASE.im4p.plist (stored 0%)
  adding: Firmware/all_flash/sep-firmware.n69.RELEASE.im4p.plist (stored 0%)
  adding: Firmware/all_flash/iBoot.n69.RELEASE.im4p.plist (stored 0%)
  adding: Firmware/all_flash/recoverymode@1136iphone-lightning.s8000.im4p (stored 0%)
  adding: Firmware/all_flash/glyphplugin@1136iphone-lightning.s8000.im4p (stored 0%)
  adding: Firmware/all_flash/batterycharging1@2xiphone.s8003.im4p (stored 0%)
  adding: Firmware/all_flash/DeviceTree.n69uap.im4p (stored 0%)
  adding: Firmware/Mav10-5.62.00.Release.bbfw (stored 0%)
  adding: Firmware/usr/ (stored 0%)
  adding: Firmware/usr/local/ (stored 0%)
  adding: Firmware/usr/local/standalone/ (stored 0%)
  adding: Firmware/aopfw.im4p (stored 0%)
  adding: Firmware/Mav7Mav8-7.60.00.Release.bbfw (stored 0%)
  adding: Firmware/Mav7Mav8-7.60.00.Release.plist (stored 0%)
  adding: Firmware/dfu/ (stored 0%)
  adding: Firmware/dfu/iBSS.iphone6.RELEASE.im4p.plist (stored 0%)
  adding: Firmware/dfu/iBEC.n69u.RELEASE.im4p (stored 0%)
  adding: Firmware/dfu/iBEC.iphone6.RELEASE.im4p.plist (stored 0%)
  adding: Firmware/dfu/iBSS.n69.RELEASE.im4p.plist (stored 0%)
  adding: Firmware/dfu/iBEC.n69.RELEASE.im4p (stored 0%)
  adding: Firmware/dfu/iBSS.iphone6.RELEASE.im4p (stored 0%)
  adding: Firmware/dfu/iBSS.n69.RELEASE.im4p (stored 0%)
  adding: Firmware/dfu/iBEC.n69.RELEASE.im4p.plist (stored 0%)
  adding: Firmware/dfu/iBEC.iphone6.RELEASE.im4p (stored 0%)
  adding: Firmware/dfu/iBEC.n69u.RELEASE.im4p.plist (stored 0%)
  adding: Firmware/dfu/iBSS.n69u.RELEASE.im4p.plist (stored 0%)
  adding: Firmware/dfu/iBSS.n69u.RELEASE.im4p (stored 0%)
  adding: kernelcache.release.iphone6 (stored 0%)
  adding: kernelcache.release.iphone8b (stored 0%)
  adding: Restore.plist (stored 0%)
  [Log] Entering PWNREC mode...
  [==================================================] 100.0%
  [==================================================] 100.0%
  [Log] Saving 10.3.3 blobs with tsschecker...
• APNonce: b05a70468054cfe94251b34b58f28450054f1aa9
  resources/tools/tsschecker_linux: /lib64/libcurl.so.4: no version information available (required by resources/tools/tsschecker_linux)
  resources/tools/tsschecker_linux: /lib64/libcurl.so.4: no version information available (required by /usr/local/lib/libfragmentzip.so.0)
  Version: 62d2b32f782e2735c859ab4f51976461b555e505 - 360
  [TSSC] manually specified ECID to use, parsed "0x000005b7f333c850" to dec:6287617411152 hex:5b7f333c850
  [TSSC] manually specified ApNonce to use, parsed "b05a70468054cfe94251b34b58f28450054f1aa9" to hex:b05a70468054cfe94251b34b58f28450054f1aa9
  [TSSC] opening resources/manifests/BuildManifest_iPhone6,2_10.3.3.plist
  [TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
  [TSSR] Sending TSS request attempt 1... success
  also requesting APTicket for update installing
  [Error] [TSSR] Error: could not get id0 for installType=Update
  [WARNING] [TSSR] faild to build tssrequest for alternative installType
  [TSSR] User specified not to request a baseband ticket.
  [TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
  [TSSR] Sending TSS request attempt 1... failure
  [Error] ERROR: TSS request failed (status=128, message=An internal error occurred.)
  Saved signing tickets!

iOS 10.3.3 for device iPhone6,2 IS being signed!
[Log] Successfully saved 10.3.3 blobs.
[Log] Preparing for futurerestore... (Enter root password of your PC/Mac when prompted)
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
[Log] Proceeding to futurerestore...
resources/tools/futurerestore249_linux: /lib64/libcurl.so.4: no version information available (required by resources/tools/futurerestore249_linux)
resources/tools/futurerestore249_linux: /lib64/libcurl.so.4: no version information available (required by /usr/local/lib/libfragmentzip.so.0)
Version: 6885f765aa2bd6c047663a39f94a886e881a1bb1 - 249
Odysseus support: no
INFO: device serial number is F2*******
[INFO] 64-bit device detected
futurerestore init done
reading signing ticket 6287617411152_iPhone6,2_n53ap_10.3.3-14G60_b05a70468054cfe94251b34b58f28450054f1aa9.shsh is done
Found device iPhone6,2 n53ap
[TSSC] opening resources/manifests/BuildManifest_iPhone6,2_10.3.3.plist
[TSSR] User specified doesn't to request a baseband ticket.
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Did set SEP+baseband path and firmware
[WARNING] Failed to read BasebandGoldCertID from device! Is it already in recovery?
[WARNING] Using tsschecker's fallback BasebandGoldCertID. This might result in invalid baseband signing status information
[WARNING] Failed to read BasebandSerialNumber from device! Is it already in recovery?
[WARNING] Using tsschecker's fallback BasebandSerialNumber size. This might result in invalid baseband signing status information
[TSSC] opening resources/manifests/BuildManifest_iPhone6,2_10.3.3.plist
[TSSR] User specified to request only a Baseband ticket.
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Found device in Recovery mode
Device already in Recovery mode
Found device in Recovery mode
Identified device as n53ap, iPhone6,2
Extracting BuildManifest from iPSW
Product version: 10.3.3
Product build: 14G60 Major: 14
Device supports IMG4: true
Got ApNonce from device: b0 5a 70 46 80 54 cf e9 42 51 b3 4b 58 f2 84 50 05 4f 1a a9
checking APTicket to be valid for this restore...
Verified ECID in APTicket matches device ECID
checking APTicket to be valid for this restore...
Verified ECID in APTicket matches device ECID
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
Using cached filesystem from 'iPhone6,2_10.3.3_14G60_Custom/058-74917-062.dmg'
Extracting iBEC.iphone6.RELEASE.im4p...
Personalizing IMG4 component iBEC...
Sending iBEC (653333 bytes)...
waiting for device to reconnect...
Getting SepNonce in recovery mode... d3 af f3 3b 44 9f d7 6d d0 f2 f9 61 7e 27 02 5c ea 55 13 e0
Getting ApNonce in recovery mode... b0 5a 70 46 80 54 cf e9 42 51 b3 4b 58 f2 84 50 05 4f 1a a9
[WARNING] Setting bgcolor to green! If you don't see a green screen, then your device didn't boot iBEC correctly
Recovery Mode Environment:
iBoot build-version=iBoot-3406.60.10
iBoot build-style=RELEASE
Sending RestoreLogo...
Extracting applelogo@2x~iphone.s5l8960x.im4p...
Personalizing IMG4 component RestoreLogo...
Sending RestoreLogo (11640 bytes)...
ramdisk-size=0x10000000
Extracting 058-74940-063.dmg...
Personalizing IMG4 component RestoreRamDisk...
Sending RestoreRamDisk (41583638 bytes)...
Extracting DeviceTree.n53ap.im4p...
Personalizing IMG4 component RestoreDeviceTree...
Sending RestoreDeviceTree (107919 bytes)...
Extracting kernelcache.release.iphone6...
Personalizing IMG4 component RestoreKernelCache...
Sending RestoreKernelCache (12178427 bytes)...
Trying to fetch new signing tickets
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Received signing tickets
About to restore device...
Waiting for device...
ERROR: Unable to connect to device in restore mode
ERROR: Unable to open device in restore mode
[Error] ERROR: Unable to restore device
Done: restoring failed.
Failed with errorcode=-11

[Log] futurerestore done!
[Log] Stopping local server... (Enter root password of your PC/Mac when prompted)
[Log] Downgrade script done!
[liveuser@localhost-live iOS-OTA-Downgrader]$

/usr/lib/amd64-linux-gnu doesn't exist for me in my 18.04 install, so I get an error. The folder that actually exists is x86_64-linux-gnu.

Tried to downgrade iPad mini (ipad 2,7)
It is always failed on this part after entering in dfu mode.
Using mac os x 10.13/6
Process also stucks when iTunes autoruns when detects that device in dfu mode

find_bl_verify_shsh_generic: Entering...
find_bl_verify_shsh_generic: Found LDR instruction at 0x199e0
find_bl_verify_shsh_generic: Found BL verify_shsh at 0x1a01a
find_bl_verify_shsh_generic: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x1a01a...
patch_rsa_check: Leaving...
iBoot32Patch: Quitting...
Sending iBSS (78044 bytes)...
[==================================================] 100.0%
Sending iBEC (282844 bytes)...
[==================================================] 100.0%
[Error] ERROR: Unable to connect to recovery device
Done: restoring failed.
Failed with errorcode=-94

[Log] futurerestore done!
[Log] Stopping local server...
[Log] Downgrade script done!

I am attempting to downgrade my iPhone 5s from iOS 12.1.4 to iOS 10.3.3
Here are my logs:

******* iOS-OTA-Downgrader *******
Downgrader script by LukeZGD

[Input] Enter ProductType (eg. iPad2,1): iPhone6,1
[Log] Updating firmware...
Already up to date.
[Log] Updating ipwndfu...
Already up to date.

• Platform: macos
• HardwareModel: n51ap
• ProductType: iPhone6,1
• ProductVersion: Unknown
• UniqueChipID (ECID): 0x0000030f8ebd85ec

[Log] Option: Downgrade
[Log] A7 device in recovery mode detected. Get ready to enter DFU mode
[Input] Select Y to continue, N to exit recovery (Y/n) Y

• Hold POWER and HOME button for 10 seconds.
  10 9 8 7 6 5 4 3 2 1
• Release POWER and hold HOME button for 10 seconds.
  10 9 8 7 6
  [Log] Device in DFU mode detected.
  [Log] Entering pwnDFU mode with ipwndfu...
  sudo: python2: command not found

[Error] Failed to detect device in pwnDFU mode. Please run the script again

• ./restore.sh Downgrade

This is probably a very stupid error on my part but I am curious as to how to fix this

Thanks!

Hi,
First of all thank you for coming up with this toolkit... much appreciated! I'm running Lubuntu 18.04 live USB. Ipad is JB via Phoenix. Ipad has plenty of free space as it has been wiped and set up a new device prior to JB. Everything goes fine with Downgrader until it gets to the part right after I hit the home button and the IPSW is trying to extract. I get the write error below. This repeats for several other files if I choose continue and ultimately fails later on in the process. This appears to be the point at where the failure starts though. Is the write error potentially due to Linux on my liveinstall not having enough RAM or is it referring to writing to the Ipad? Not sure what to do next.
Thanks!

[Log] Found device in DFU mode.
[Log] Extracting IPSW...
iPad3,2_8.4.1_12H321_Restore/058-24297-023.dmg: write error (disk full?). Continue? (y/n/^C)

******* 32bit-OTA-Downgrader *******
Downgrade script by LukeZGD

Main Menu

HardwareModel: J2AP
ProductType: iPad3,2
ProductVersion: 9.3.6
UniqueChipID (ECID): 2487659774762

[Input] Select an option:

1. Downgrade device 4) (Re-)Install Dependencies
2. Save OTA blobs 5) Exit
3. Just put device in kDFU mode
   #? 1
   [Input] Select iOS version:
4. iOS 8.4.1
5. Other
6. Back
   #? 1
   iOS 8.4.1 Downgrade
   [Log] Downloading firmware keys...
   % Total % Received % Xferd Average Speed Time Time Time Current
   Dload Upload Total Spent Left Speed
   100 135 100 135 0 0 401 0 --:--:-- --:--:-- --:--:-- 400
   100 76459 0 76459 0 0 109k 0 --:--:-- --:--:-- --:--:-- 109k
   [Log] Saving 8.4.1 blobs with tsschecker...
   Version: 7d267698cb16ab4699fa9cba20783ee041ac999e - 212
   [TSSC] manually specified ecid to use, parsed "2487659774762" to dec:2487659774762 hex:2433413c32a
   [TSSC] opening resources/manifests/BuildManifest_iPad3,2_8.4.1.plist
   [WARNING] [TSSC] could not get id0 for installType=Erase. Using fallback installType=Update since user did not specify installType manually
   [TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
   [TSSR] Sending TSS request attempt 1... success
   Saved shsh blobs!

iOS 8.4.1 for device iPad3,2 IS being signed!
[Log] Verifying IPSW...
[Log] Extracting iBSS from IPSW...
Archive: iPad3,2_8.4.1_12H321_Restore.ipsw
inflating: tmp/iBSS.j2.RELEASE.dfu
[Log] Decrypting iBSS...
IV = 32fcd912cb9a472ef2a6db72596ae01c
Key = 076720d5a07e8011bdda6f6eafaf4845b40a441615cd1d7c1a9cca438ce7db17
/home/tihm/odysseusOTA/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: a40b3d8f62945a12480a15b533acbe1a7b14e51fe34e03e06aabf337aa7cfc1bd89630f75f314d2060af8669e9c18a99
/home/tihm/odysseusOTA/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: a40b3d8f62945a12480a15b533acbe1a7b14e51fe34e03e06aabf337aa7cfc1bd89630f75f314d2060af8669e9c18a99
/home/tihm/odysseusOTA/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: a40b3d8f62945a12480a15b533acbe1a7b14e51fe34e03e06aabf337aa7cfc1bd89630f75f314d2060af8669e9c18a99
1218+1 records in
1218+1 records out
77980 bytes (78 kB, 76 KiB) copied, 0.00482322 s, 16.2 MB/s
[Log] Patching iBSS...
Make sure SSH is installed and working on the device!
Please enter Wi-Fi IP address of device for SSH connection
[Input] IP Address: 192.168.1.131
[Log] Coonecting to device via SSH... Please enter root password when prompted (default is 'alpine')
[Log] Copying stuff to device...
[email protected]'s password:
kloader 100% 51KB 1.3MB/s 00:00
pwnediBSS 100% 76KB 1.8MB/s 00:00
[Log] Entering kDFU mode...

Press home/power button once when screen goes black on the device
[Log] Finding device in DFU mode...
[email protected]'s password:
[Log] Found device in DFU mode.
[Log] Extracting IPSW...
iPad3,2_8.4.1_12H321_Restore/058-24297-023.dmg: write error (disk full?). Continue? (y/n/^C) ^C[Log] Preparing for futurerestore (starting local server)...
[Log] Proceeding to futurerestore...
Version: b99eb8140d8e6c23f34e950102bb79e61c72384d - 152
Libipatcher Version: f32e41d850f51448bd6c588ead9c7d6455733f3c - 44
Odysseus Support: yes
[INFO] 32bit device detected
futurerestore init done
[Error] failed to load apticket at 2487659774762_iPad3,2_8.4.1-12H321_770d60607ff3b40ab72ffbc6bf8bfeddd5a46d44.shsh2
[Error] Fail code=-9
Failed with errorcode=-9

[Log] futurerestore done!
You can choose to retry if futurerestore failed on downloading baseband or for some other reason
[Input] Retry? (y/N) Traceback (most recent call last):
File "/usr/lib/python3.6/runpy.py", line 193, in _run_module_as_main
"main", mod_spec)
File "/usr/lib/python3.6/runpy.py", line 85, in _run_code
exec(code, run_globals)
File "/usr/lib/python3.6/http/server.py", line 1211, in
test(HandlerClass=handler_class, port=args.port, bind=args.bind)
File "/usr/lib/python3.6/http/server.py", line 1185, in test
with ServerClass(server_address, HandlerClass) as httpd:
File "/usr/lib/python3.6/socketserver.py", line 456, in init
self.server_bind()
File "/usr/lib/python3.6/http/server.py", line 136, in server_bind
socketserver.TCPServer.server_bind(self)
File "/usr/lib/python3.6/socketserver.py", line 470, in server_bind
self.socket.bind(self.server_address)
OSError: [Errno 98] Address already in use

https://pastebin.com/b2JBjwZe

successfully applied patches
Resetting device state
Device is now ready to accept unsigned images
[Log] Downgrading device iPhone6,2 in pwnDFU mode...
[Log] Option: Downgrade
[Log] Extracting IPSW...
[Log] Entering PWNREC mode...
[==================================================] 100.0%
[==================================================] 100.0%

[Error] Failed to detect device in PWNREC mode. Please try again

Blobs are no longer saving properly.
I have been able to manually save it and it work fine, but they're being saved in a different file name than what's being searched for. It seems as if apple is trying to prevent bots.
Correction:
It looks like you're trying to call based on the hex value, but it's being saved using the decimal of the ECID

It stuck on DFU mode, I tried many times

Will be added as another method of entering pwnDFU mode

Whenever I attempt to run the script I get "[Error] Please put the device in normal mode and jailbroken before proceeding" before I am given any options. Since it's an A7 device I know it should be in DFU mode, so I thought this error was strange.

I was able to run through most of the script (for iPod 5,1 9.3.5 -> 8.4.1) without any problems, but at the very end as I had the Apple logo and progress bar, I received these errors.

ERROR: Unable to send data to ASR. Sent 0 of 1450 bytes.
ERROR: Unable to send filesystem payload
ERROR: Unable to send payload to ASR
ERROR: Unable to send filesystem
ERROR: Unable to successfully restore device
[Error] ERROR: Unable to restore device
Done: restoring failed.
Failed with errorcode=-11

A few weeks ago, when this was 32 bit OTA Downgrader, I was able to downgrade my iPhone 4S with no problems, but this error pushed my iPod into such an unreachable state that I had to pay $30 for Reiboot Pro to recover it. Any help would be appreciated.

this is the code

******* 32bit-OTA-Downgrader *******
    Downgrade script by LukeZGD     

Main Menu

HardwareModel: n94ap
ProductType: iPhone4,1
ProductVersion: 9.3.5
UniqueChipID (ECID): 748767470536

[Input] Select an option:
1) Downgrade device		 4) (Re-)Install Dependencies
2) Save OTA blobs		 5) (Any other key to exit)
3) Just put device in kDFU mode
#? 1
[Input] Select iOS version:
1) iOS 8.4.1
2) iOS 6.1.3
3) Other
4) Back
#? 2
iOS 6.1.3 Downgrade
[Log] Saving 6.1.3 blobs with tsschecker...
Version: 7d267698cb16ab4699fa9cba20783ee041ac999e - 212
[TSSC] manually specified ecid to use, parsed "748767470536" to dec:748767470536 hex:ae5604e3c8
[TSSC] opening resources/manifests/BuildManifest_iPhone4,1_6.1.3.plist
[WARNING] [TSSC] could not get id0 for installType=Erase. Using fallback installType=Update since user did not specify installType manually
[TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
[TSSR] Sending TSS request attempt 1... success
Saved shsh blobs!

iOS 6.1.3 for device iPhone4,1 IS being signed!
[Log] Successfully saved 6.1.3 blobs.
[Log] Verifying IPSW...
[Log] Extracting iBSS from IPSW...
Archive:  iPhone4,1_6.1.3_10B329_Restore.ipsw
caution: filename not matched:  Firmware/dfu/iBSS.n94.RELEASE.dfu
[Log] Downloading iBSS...
resources/tools/pzb_linux: /usr/lib/x86_64-linux-gnu/libcurl.so.4: version `CURL_OPENSSL_4' not found (required by resources/tools/pzb_linux)
mv: cannot stat 'iBSS.n94.RELEASE.dfu': No such file or directory
[Log] Decrypting iBSS...
[Log] IV = 147cdef921ed14a5c10631c5e6e02d1e
[Log] Key = 6ea1eb62a9f403ee212c1f6b3039df093963b46739c6093407190fe3d750c69c
error: cannot open template
dd: failed to open 'tmp/iBSS.dec': No such file or directory
[Log] Patching iBSS...
bspatch: tmp/iBSS.dec2: No such file or directory
Make sure SSH is installed and working on the device!
Please enter Wi-Fi IP address of device for SSH connection
[Input] IP Address: 192.168.43.53
[Log] Coonecting to device via SSH... Please enter root password when prompted (default is 'alpine')
[Log] Copying stuff to device...
[email protected]'s password: 
kloader                                                                                                                                                                                                    100%   51KB  50.8KB/s   00:00    
tmp/pwnediBSS: No such file or directory
[Error] Cannot connect to device via SSH.
Please check your ~/.ssh/known_hosts file and try again

[Log] Verifying IPSW...
[Log] Extracting IPSW...
[Log] Preparing custom IPSW...
[Log] Entering PWNREC mode...
[========================================= ] 80.9%
[Error] Failed to detect device in PWNREC mode. Please try again

I hope it's just me doing something wrong :'(. Trying to downgrade an iPad 2,2 here so that it runs so much nicer under iOS 6 (rather than iOS 9) and am getting (on Ubuntu 18.04 LTS)

$ ./restore.sh

******* 32bit-OTA-Downgrader *******
Downgrade script by LukeZGD

Main Menu

HardwareModel: K94AP
ProductType: iPad2,2
ProductVersion: 9.3.5
UniqueChipID (ECID): 2427730887500

[Input] Select an option:

1. Downgrade device 4) (Re-)Install Dependencies
2. Save OTA blobs 5) Exit
3. Just put device in kDFU mode
   #? 2
   [Input] Select iOS version:
4. iOS 8.4.1
5. iOS 6.1.3
6. Back
   #? 2
   iOS 6.1.3 SaveOTABlobs
   [Log] Saving 6.1.3 blobs with tsschecker...
   Version: 7d267698cb16ab4699fa9cba20783ee041ac999e - 212
   [TSSC] manually specified ecid to use, parsed "2427730887500" to dec:2427730887500 hex:2354009834c
   [TSSC] opening resources/manifests/BuildManifest_iPad2,2_6.1.3.plist
   [WARNING] [TSSC] could not get id0 for installType=Erase. Using fallback installType=Update since user did not specify installType manually
   [TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
   [TSSR] Sending TSS request attempt 1... failure

iOS 6.1.3 for device iPad2,2 IS NOT being signed!
ls: cannot access '2427730887500_iPad2,2_6.1.3-*.shsh2': No such file or directory
[Error] Saving 6.1.3 blobs failed. Please run the script again

I am running Lubuntu 18.04 in virtualbox.

I have an ipad 3 jailbroken on 9.3.5. I'm trying to downgrade to 8.4.1.

I get to this point in the process.

Do I type in the password and press enter and then press the power/home button together one time? Or do I hold them down? Or do I do nothing?

Just wanted to make a suggestion to add "Homebrew" and "libzip" to the list of "Prerequisites" in the README. On a clean install of Mojave 10.14.6 doing a "Downgrade device > Other" resulted in the error listed below. After installing Homebrew and libzip, it works fine.

dyld: Library not loaded: /usr/local/opt/libzip/lib/libzip.5.dylib
  Referenced from: /Users/SwiftMove/Desktop/iOS-OTA-Downgrader/resources/tools/pzb_macos
  Reason: image not found
./restore.sh: line 213:  5967 Abort trap: 6           $pzb -g Firmware/dfu/$iBSS.dfu -o $iBSS.dfu $(cat $Firmware/$iBSSBuildVer/url)
mv: rename iBSS.n41.RELEASE.dfu to saved/iPhone5,1/iBSS.n41.RELEASE.dfu: No such file or directory

[Error] Failed to save iBSS. Please run the script again```

Hello,

I am running this script on Ubuntu 20.04. It works fine until after getting into DFU. After that, it just stalls at:

Sending iBEC (276760 bytes)... 65.1%

The iPhone 4s is running iOS 9.3.6 jailbroken with Phoenix.

Good day! Could you help me with this kind of error? Iphone5s, Linux mint20. Log is here. As far as i understood, script is trying to get access to python libraries, isn't it? Script running with sudo. Thanks in advance

After entering recovery mode, a green screen appears on the iPad and the following error does not proceed.

lubuntu 18.04 on vm, liveusb have same problem

Thank you!

Here is the full log
`******* 32bit-OTA-Downgrader *******
Downgrade script by LukeZGD

Main Menu

HardwareModel: P103AP
ProductType: iPad3,6
ProductVersion: 10.3.4
UniqueChipID (ECID): 4003647939537

[Input] Select an option:

1. Downgrade device 4) (Re-)Install Dependencies
2. Save OTA blobs 5) Exit
3. Just put device in kDFU mode
   #? 1
   Select iOS version:
4. iOS 8.4.1
5. Other
6. Back
   #? 1
   iOS 8.4.1 Downgrade
   [Log] Firmware keys missing, downloading firmware keys...
   % Total % Received % Xferd Average Speed Time Time Time Current
   Dload Upload Total Spent Left Speed
   100 135 100 135 0 0 227 0 --:--:-- --:--:-- --:--:-- 227
   100 70542 0 70542 0 0 64304 0 --:--:-- 0:00:01 --:--:-- 407k
   [Log] Downloading ota.json...
   % Total % Received % Xferd Average Speed Time Time Time Current
   Dload Upload Total Spent Left Speed
   100 34.8M 0 34.8M 0 0 1913k 0 --:--:-- 0:00:18 --:--:-- 665k
   [Log] Copying ota.json to tmp...
   [Log] Saving 8.4.1 blobs with tsschecker...
   Version: 7d267698cb16ab4699fa9cba20783ee041ac999e - 212
   [TSSC] manually specified ecid to use, parsed "4003647939537" to dec:4003647939537 hex:3a42c0363d1
   [TSSC] opening resources/manifests/BuildManifest_iPad3,6_8.4.1.plist
   [WARNING] [TSSC] could not get id0 for installType=Erase. Using fallback installType=Update since user did not specify installType manually
   [TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
   [TSSR] Sending TSS request attempt 1... success
   Saved shsh blobs!

iOS 8.4.1 for device iPad3,6 IS being signed!
[Log] Verifying IPSW...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 40 0 40 0 0 32 0 --:--:-- 0:00:01 --:--:-- 32
[Log] Extracting iBSS from IPSW...
Archive: iPad3,6_8.4.1_12H321_Restore.ipsw
inflating: tmp/iBSS.p103.RELEASE.dfu
[Log] Decrypting iBSS...
IV = 1d99e780d96c32a25ca7e4b1c7fe14c0
Key = 4e2c14927693d61e1da375e340061521c9376007163f6ab55afbe1a03b901fd3
/home/tihm/odysseusOTA/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: c70b425a6aa48d0235d3e54397f5a5e6233eb28270e6e4f0189d05256e52b48c3af93353b32abb5deada325a84176d63
/home/tihm/odysseusOTA/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: c70b425a6aa48d0235d3e54397f5a5e6233eb28270e6e4f0189d05256e52b48c3af93353b32abb5deada325a84176d63
/home/tihm/odysseusOTA/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: c70b425a6aa48d0235d3e54397f5a5e6233eb28270e6e4f0189d05256e52b48c3af93353b32abb5deada325a84176d63
1218+1 records in
1218+1 records out
77980 bytes (78 kB, 76 KiB) copied, 0.00440757 s, 17.7 MB/s
[Log] Patching iBSS...
[Log] Mounting device with ifuse...
[Log] Copying stuff to device...
[Log] Unmounting device...

[Log] Open MTerminal and run these commands:

$ su
(enter root password, default is 'alpine')

cd Media

chmod +x pwn.sh

./pwn.sh

Press home/power button once when screen goes black on the device
[Log] Finding device in DFU mode...
[Log] Found device in DFU mode.
[Log] Extracting IPSW...
[Log] Preparing for futurerestore (starting local server)...
[Log] Proceeding to futurerestore...
Version: b99eb8140d8e6c23f34e950102bb79e61c72384d - 152
Libipatcher Version: f32e41d850f51448bd6c588ead9c7d6455733f3c - 44
Odysseus Support: yes
[INFO] 32bit device detected
futurerestore init done
reading ticket 4003647939537_iPad3,6_8.4.1-12H321_c65de6350551ab4934cd986df22a30843dd43948.shsh2 done
user specified to use latest signed baseband (WARNING, THIS CAN CAUSE A NON-WORKING RESTORE)
[TSSC] opening firmware.json
[DOWN] downloading file https://api.ipsw.me/v2.1/firmwares.json/condensed
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
[TSSC] selecting latest iOS: 10.3.4
[TSSC] got firmwareurl for iOS 10.3.4 build 14G61
100 [===================================================================================================>]
downloading Baseband
100 [===================================================================================================>]
[WARNING] failed to read BasebandGoldCertID from device! Is it already in recovery?
[WARNING] using tsschecker's fallback to get BasebandGoldCertID. This might result in invalid baseband signing status information
[TSSC] opening /tmp/futurerestore/basebandManifest.plist
WARNING: Unable to find BbSkeyId node
[TSSR] User specified to request only a Baseband ticket.
ERROR: Unable to get BasebandFirmware node
ERROR: Unable to find required BbGoldCertId in parameters
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Found device in DFU mode
requesting to get into pwnRecovery later
Found device in DFU mode
Identified device as p103ap, iPad3,6
Extracting BuildManifest from IPSW
Product Version: 8.4.1
Product Build: 12H321 Major: 12
Device supports Image4: false
checking APTicket to be valid for this restore...
Verified ECID in APTicket matches device ECID
[WARNING] skipping ramdisk hash check, since device is in pwnDFU according to user
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
127.0.0.1 - - [21/Mar/2020 18:29:27] "GET /firmware/iPad3,6/12H321 HTTP/1.1" 301 -
127.0.0.1 - - [21/Mar/2020 18:29:27] "GET /firmware/iPad3,6/12H321/ HTTP/1.0" 200 -
127.0.0.1 - - [21/Mar/2020 18:29:27] "GET /firmware/iPad3,6/12H321 HTTP/1.1" 301 -
127.0.0.1 - - [21/Mar/2020 18:29:27] "GET /firmware/iPad3,6/12H321/ HTTP/1.0" 200 -
Extracting iBSS.p103.RELEASE.dfu...
iBoot32Patch: iBoot-2261 inputted.
patch_rsa_check: Entering...
find_bl_verify_shsh_generic: Entering...
find_bl_verify_shsh_generic: Found LDR instruction at 0x663c
find_bl_verify_shsh_generic: Found BL verify_shsh at 0x69e2
find_bl_verify_shsh_generic: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x69e2...
patch_rsa_check: Leaving...
iBoot32Patch: Quitting...
Extracting iBEC.p103.RELEASE.dfu...
iBoot32Patch: iBoot-2261 inputted.
patch_ticket_check: Entering...
patch_ticket_check: Found iBoot baseaddr 0xbff00000
patch_ticket_check: Found iboot_vers_str at 0x280
patch_ticket_check: Found str_pointer at 0x308
patch_ticket_check: Found iboot_str_3_xref at 0x2029c
patch_ticket_check: Found ldr_intruction at 0x20208
patch_ticket_check: Found last_good_bl at 0x20210...
patch_ticket_check: Found next_pop at 0x2028e...
patch_ticket_check: Found next_pop at 0xbff2028e...
patch_ticket_check: Found last_branch at 0x20282...
patch_ticket_check: Patching in mov.w r0, #0 at 0x20214...
patch_ticket_check: Patching in mov.w r1, #0 at 0x20218...
patch_ticket_check: NOPing useless stuff at 0x2021c to 0x20284 ...
patch_ticket_check: Leaving...
patch_rsa_check: Entering...
find_bl_verify_shsh_generic: Entering...
find_bl_verify_shsh_generic: Found LDR instruction at 0x1bbf4
find_bl_verify_shsh_generic: Found BL verify_shsh at 0x1c22e
find_bl_verify_shsh_generic: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x1c22e...
patch_rsa_check: Leaving...
iBoot32Patch: Quitting...
Sending iBSS (78044 bytes)...
[==================================================] 100.0%
Sending iBEC (295132 bytes)...
[==================================================] 100.0%
INFO: device serial number is DMPJTDSNF18W
Using cached filesystem from 'iPad3,6_8.4.1_12H321_Restore/058-24407-023.dmg'
Sending APTicket (2742 bytes)

Getting ApNonce in recovery mode... 45 44 78 a5 27 45 56 14 53 60 13 2b 9b 78 46 b1 d1 d0 e2 97
[WARNING] Setting bgcolor to green! If you don't see a green screen, then your device didn't boot iBEC correctly
Sending APTicket (2742 bytes)
Recovery Mode Environment:
iBoot build-version=iBoot-2261.30.37
iBoot build-style=RELEASE
Sending RestoreLogo...
Extracting applelogo@2x~ipad.s5l8955x.img3...
127.0.0.1 - - [21/Mar/2020 18:29:53] "GET /firmware/iPad3,6/12H321 HTTP/1.1" 301 -
127.0.0.1 - - [21/Mar/2020 18:29:53] "GET /firmware/iPad3,6/12H321/ HTTP/1.0" 200 -
[Error] ERROR: libipatcher failed with reason IV has bad length. Expected=16 actual=0. Got IV=
Done: restoring failed.
Failed with errorcode=377

[Log] futurerestore done!
You can choose to retry if futurerestore failed on downloading baseband or for some other reason
[Input] Retry? (y/N)
`

Trying to downgrade iphone 5s from 12.4.8 to 10.3.3 (with OTA Blobs) [Possible]

but i can't seem to get past the dfu mode as the device refuses to enter ipwndfu

Error detail:

[Error] Failed to detect device in pwnDFU mode. Please run the script again

• ./restore.sh Downgrade

I'm running from Linux Ubuntu 20.04

i think its a common issue with no real fix, so many people talk about it yet no one seems to share something actually helpful

i understand you have to try it 40+ times and i did (100+ times) still not booting to ipwndfu