iOS hacker tihmstar has announced the upcoming release of his tool Prometheus. He claims it will be the first tool capable of upgrading and downgrading 64-bit iOS devices to unsigned firmwares.
If successful, this would be welcome news for the jailbreak community, allowing movement between firmwares for which you have saved your blobs, even after Apple’s signing windows have closed.
The first and most important thing to note if you think you may want to use this tool in future is to save your blobs now. The blobs must be saved in a new format called .shsh2, so previously saved blobs will not work. You must save your blobs again using tihmstar’s tool called tsschecker. After downloading tsschecker, save the blobs with it by following a guide. Be warned, whilst not very long and certainly not impossible, this process is not foolproof and requires careful attention.
The news of Prometheus is especially salient to people who are interested in a possible upcoming iOS 10.1.1 jailbreak but who don’t want to jump ship yet and lose their current jailbreak. If you save the .shsh2 blobs for iOS 10.1.1 now, before the signing window closes, you may be able to upgrade from 9.3.3 to 10.1.1 at a later date even if iOS 10.1.1 is no longer being signed. Of course, this is provisional and no foolproof guarantees have been made, but I would recommend saving the blobs anyway as you have little to lose and it doesn’t take long. You may decide later you want to give it a go.
Tihmstar has said that although 32-bit support is possible, Prometheus will initially be just for 64-bit devices. However, several downgrade tools for 32-bit devices already exist, such as tihmstar’s OdysseusOTA2, Dayt0n’s Odysseus, and geeksn0w’s Beehind, so you could try those instead.
As with all downgrade tools, many caveats apply. Some of Prometheus’ requirements are as follows:
- 64-bit only, at least initially.
- Needs a jailbreak on the firmware you are leaving in order to get to the one you are aiming for. (This may not be required on some iPhone 5s and iPad Air models, but don’t count on it.) To attempt to use Prometheus on these devices without a jailbreak, you must save .shsh2 blobs with a specific nonce, which complicates the process. Guides exist that show how to do it, so feel free to try it if you’re feeling optimistic.
- Your jailbreak must have “tfp0” functionality (the “host_get_special_port” workaround is also fine). This rules out some jailbreaks, so you’ll have to get lucky. Pangu for iOS 9.1 had it, and Luca’s JailbreakMe for 9.3.3 also enables it, but as the latter is semi-untethered it remains to be seen whether it will work, since rebooting the device is part of the downgrade process.
- You must have .shsh2 blobs for the firmware you want to go to, saved with tsschecker.
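Since old-style blobs will not work and nonce-specific blobs are a separate case, a practitioner will want to confirm that what they saved is actually a .shsh2 file before the signing window closes. The script below is an added example, not tihmstar’s or tsschecker’s code. It assumes what this post does not state: that a .shsh2 file is an Apple XML plist, that the APTicket is stored as DER bytes under the key ApImg4Ticket, and that a blob saved for a specific nonce records the nonce generator under the key generator as a 0x-prefixed 64-bit hex string. The sample blobs are constructed inside the script; it performs a structural sanity check only, not a cryptographic verification of the ticket.

```python
"""Structural sanity check for saved .shsh2 blob files.

Added example. Assumed (not stated in the post) layout of a .shsh2 file:
  - an Apple XML plist with a dict root;
  - the APTicket as DER bytes under "ApImg4Ticket";
  - for nonce-specific saves, a "generator" string such as 0x1111111111111111.
"""
import plistlib
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class BlobReport:
    path: str
    ok: bool                      # True when no structural problems were found
    has_generator: bool           # True when a well-formed nonce generator is recorded
    problems: List[str] = field(default_factory=list)


def _der_sequence_consistent(der: bytes) -> bool:
    """Return True if `der` is one DER SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        declared, header = first, 2
    else:                                  # long-form length: 0x8N followed by N bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        declared = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return len(der) == header + declared


def _generator_well_formed(gen: object) -> bool:
    """A generator is assumed to be '0x' plus 16 hex digits (a 64-bit value)."""
    return (isinstance(gen, str) and gen.startswith("0x") and len(gen) == 18
            and all(c in "0123456789abcdefABCDEF" for c in gen[2:]))


def check_blob(path: str, data: bytes) -> BlobReport:
    """Check one blob file's bytes and report what is missing or malformed."""
    problems: List[str] = []
    try:
        pl = plistlib.loads(data)
    except Exception as exc:  # plistlib raises different errors for binary vs XML input
        return BlobReport(path, False, False, [f"not a plist: {exc}"])
    if not isinstance(pl, dict):
        return BlobReport(path, False, False, ["plist root is not a dictionary"])

    ticket = pl.get("ApImg4Ticket")
    if ticket is None:
        problems.append("missing ApImg4Ticket (old-style .shsh rather than .shsh2?)")
    elif not isinstance(ticket, bytes) or not _der_sequence_consistent(ticket):
        problems.append("ApImg4Ticket is not a well-formed DER sequence")

    has_generator = False
    gen = pl.get("generator")
    if gen is not None:
        if _generator_well_formed(gen):
            has_generator = True
        else:
            problems.append("generator present but not a 0x-prefixed 16-hex-digit string")

    return BlobReport(path, not problems, has_generator, problems)


def check_all(files: Dict[str, bytes]) -> Dict[str, BlobReport]:
    """Check a mapping of file name -> file bytes and return a report per file."""
    return {name: check_blob(name, data) for name, data in files.items()}


# --- constructed sample inputs (not real Apple tickets) ---------------------
def _sample_ticket() -> bytes:
    body = b"\x02\x01\x01"                     # INTEGER 1 stands in for the IMG4 payload
    return b"\x30" + bytes([len(body)]) + body  # SEQUENCE wrapper with correct length

GOOD_BLOB = plistlib.dumps({"ApImg4Ticket": _sample_ticket(),
                            "generator": "0x1111111111111111"})
NO_GENERATOR_BLOB = plistlib.dumps({"ApImg4Ticket": _sample_ticket()})
OLD_STYLE_BLOB = plistlib.dumps({"SomeLegacyKey": b"\x00\x01"})
TRUNCATED_BLOB = plistlib.dumps({"ApImg4Ticket": b"\x30\x10\x02"})  # declares 16 bytes, has 1
BAD_GENERATOR_BLOB = plistlib.dumps({"ApImg4Ticket": _sample_ticket(), "generator": "1111"})

SAMPLES = {
    "good.shsh2": GOOD_BLOB,
    "nogen.shsh2": NO_GENERATOR_BLOB,
    "legacy.shsh": OLD_STYLE_BLOB,
    "truncated.shsh2": TRUNCATED_BLOB,
    "badgen.shsh2": BAD_GENERATOR_BLOB,
    "junk.shsh2": b"this is not a plist",
}

if __name__ == "__main__":
    for name, report in check_all(SAMPLES).items():
        status = "OK " if report.ok else "BAD"
        nonce = "nonce-specific" if report.has_generator else "any nonce"
        print(f"{status} {name:16s} {nonce:15s} {'; '.join(report.problems)}")
```

Run it over a directory by reading each file into the mapping passed to check_all. A blob that reports OK but not nonce-specific is the normal case for a jailbroken device; only the jailbreak-less path described above needs the generator to be present.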
Tihmstar has elaborated further on the workings of the tool, and also posted a teaser/explanation video which shows the first steps of using it, which you can watch below.
The tentative date for its release seems to be New Year’s Eve, so watch this space! However, for those interested in a possible upgrade to iOS 10.1.1 outside of its signing window, you’ll have to have saved your .shsh2 blobs within the signing window and well before NYE to have a chance of using his tool for iOS 10.1.1. Of course, you can always use it for later firmwares, once you’ve started saving your blobs in the correct format.
For some, the process of saving the .shsh2 blobs may be too much hassle or they may not get round to it in time, but even if not, the release of this tool signifies something exciting for the community. After years of devs and bloggers like me telling people to save their blobs just in case, it has been proven again that given enough time, a way can be found to leverage them in an unsigned downgrade/upgrade. Even if the current usages may be limited (as people may not have the correct .shsh2 saved in time, or may not have a jailbreak to move from), the fact that 64-bit devices can be manipulated in this way is news in and of itself. Who knows what other improvements can be made to the process in future?