#futurerestore-help
now that is genius-like
dw i’ll give the credit to the owners by adding @ Geniuses to the end of every message
Dead chat
At least you're alive
I have the perfect amount of blobs that just fit on one page
what website is that?
r/jb telegram bot?
gm hotties
oh yeah aren’t that + shsh.host + sysinfo all connected
Yeah arx8x Incorporated
@lilac wren wake up mf
Ok
At least you're alive
I appreciate you ❤️
I found v194 on m1sta github
cant find 204
sharing the log
this iphone 5 is a gsm model
for sure
????
Sorry but a dumb question
How do we find the model number of a iPhone
Settings about tapping the model number doesn’t do anything
possible downgrade ios 14.5.1 to 12.1 with shshblob? iphone 6S?
ok bro thanks
@rustic blaze what log
doubt it
14.2 sep allowed me to go to 13.7
even on a11
but since 14.3 we have the sep panic
yes
X
baseband was incompatible and I think I used the wrong savagefw accidentally
@zinc moon savage is the faceid firmware
no because I used the wrong savage @zinc moon
@rustic blaze 32bit is still broken idk how to fix that but Ill try
I meant like in phonetics... ō = long o, any vowel with a line on top = long sound
gm
But u said u will fix it
I'm about to go to bed lol it's midnight
5am lol
With valid blobs
Can’t you use iOS OTA downgrader
Why is apple signing those random firmwares ota lol
its wildly known
Let me try iOS ota downgrade
Lol fr?
I thought it was because the jump was too big
I remember my aunt's ipad I upgraded from ios 7 to 10 like 3 years ago and it had to OTA to 8 first
Something like that
Maybe it was 8 -> 9 first before 10
yeah everyone has to
iTunes showed the correct one though
wot
I'm hopefully getting 8 hours if I go to bed right right now so gn everyone!!
gn
Good night Cryptic we love you
This came up in my feed and I think this is fitting
not really
for A14 maybe
Delayed OTA: Am I a joke to you?
Delayed ipsw eta when :(
😭
oddly specific
technically the device doesn’t boot when it’s at 0% so is that a bootloop
literally no energy is required for the low battery screen to be displayed
but phones do shut down with a tiny bit of charge left at least
After there’s no more charge to turn on it won’t
well unless you’re on a blackberry
shared cellular network
No sim card can call 911 so long as it's cellular capable right
What's 911 in the uk
999
My sister works there
Ooh that's cool but a bit scary
Did i brick my iphone? It bootlooped and I tried to futurerestore (no success), tried dfu restoring through itunes (no success) also checked for all windows updates, tried using a macbook to restore (10.15.7). the phone always reboots itself to recovery during first seconds of restore. The last thing i did it with my phone was restoring rootfs with taurine
tf
With --erase and --latest
joes mother
still awake?
me?
yes
I guess thats how they thought the sun works
apparently the sun also changes up on you
lol ikr
i tried to restore but its giving me an unable to place device in restore mode and crashes
after "restorekernelcache"
now the device wont boot anymore and default goes into recovery mode
this is on a mac
what version of futurerestore
180
why so old
dunno
use the updated one
its the one at the root of github repo
who hasnt
im on this one
old
ah ok
You boutta bootloop everyone
How is clicking on “Update iPhone” gonna restore the phone?
downgrading sometimes bootloops especially if it’s from 14.5+ down to 14.5-
never know when apple bricks their /var compatibility
the point is the fact that it happened means it could happen again
this tutorial isn’t only for now
If you’re gonna make them do a backup
Just tell them to restore
no tell them to click restore instead of update
Also
It isn’t Alt + Click
You have a mac and you still don’t know
It’s Option + Click
yes
Ys
Yes
You’ll get an error in about 5 seconds
Just run futurerestore again
@zinc moon ys
that button is option
Idk
the phone is stuck on an empty screen now
is it supposed to be like that
Whats the futurerestore output
what device is this
DM me your blob if you can
the 8
Up to date libimobiledevice builds:
Windows: https://github.com/libimobiledevice-win32/imobiledevice-net/releases
macOS: brew install --HEAD libimobiledevice libirecovery
Linux: https://cadoth.net/~nyuszika7h/libimobiledevice-static-linux.tar.gz
I’m assuming digest
btw Siguza said that nvram/dimentio working on checkra1n as mobile is probably a bug
Inb4 policy update
you slept for
lol
Congrats
By luke
Nice to know that still works
Yep
pog
Can we do OTA downgrader manually
By just getting OTA blobs with a tss request
And then using pwndfu in FR
Oh but SEP and BB
Does pwndfu use the SEP from blob or how does that work
Sure
no, it just uses latest SEP/BB like normal
How does OTA downgrader work then
you could save the OTA blobs if you want to reuse them with pwndfu, but at that point why not just use tsssaver or tsschecker to get them
creates unsigned firmware bundle, then used pwndfu to patch all the checks
10.3.3 is fully OTA signed including SEP/BB
Oh ok
I think that might be it, or maybe it's just compatible
signs it using blob then loads onto device
to make it untethered
Yeah that makes sense
well, actually yeah since it's still being signed, it can just request fresh SEP/BB ticket with whatever nonce
So you probably couldn't use FR then
but I think it may work even without that because people were saying to save 10.3.3 OTA blobs
Do you think 15 will support A9?
Is that 6s
probably not but idk
some of the legacy devices/iOS versions didn't even have regular OTA downgrade prevention, but I think 10.3.3 already needs a specialized tool... not 100% familiar with legacy stuff
iPhone 6s had ios 9? Lol wow
you used to be able to quite literally spoof systemversion and downgrade with OTA
I think iOS 10 or 11 blocked that, and maybe the introduction of SEP also had a part in breaking that
not sure but I've seen multiple threads on reddit
saying OTA downgrade (from settings) doesn't work anymore, from years ago
and people mentioned iOS updates and SEP breaking it
Something doesnt match up then
Rip
Yes
when that 14.5.1 jb comes out can i just futurerestore with my blobs or do i have to downgrade normally
if you're on A12 or above you have to downgrade now while it's signed
okay. i’m on a10 so i’ll just wait for it to come out and maybe i’ll futurerestore.
Hi! Can i ask how to get jb on iphone 11 ios 14.5.1?
There is none
And don’t ask here
Hey can someone help me please? I'm on iPhone XS on Chimera. I have 14.3 blobs saved from a while ago and I've finally decided to upgrade/Futurerestore from iOS 12.0 to 14.3 before jailbreaking again.
I followed this guide: https://www.reddit.com/r/jailbreak/comments/m0r24m/free_release_futurerestore_gui_a_userfriendly/ but got "Device ApNonce does not match APTicket nonce" error once I started the Futurerestore.
I then followed this guide: https://ios.cfw.guide/futurerestore#getting-started and got to step 3 "Once the command executes, a lot of text should appear" which didn't happen.
try login as root
run su
the password should be alpine
then just run dimentio 0x111111111111111 or whatever it is
probably have the wrong or outdated dimentio
yup have tried that
do you guys know the best dimentio repo?
the one mentioned on that guide seems to have been taken down
so i installed a random one on reddit
it hasnt
yep have done so. let me try refresh sileo app
Do you want a link to the deb
i refreshed, removed source, re-added, searched, everything haha. its very strange
thanks!
do i download/open that on phone?
lol
mf's post an issue on github then leave never to return
which is why discord is better
reaching back to ppl on discord is easier imo
hey can you fix my stereo? then they leave and never pick up the fixed stereo
free stereo 
@zealous bridge fixing it was murder because the brand doesn't let the manufacturer hand out schematics or parts so it ended up costing double the original msrp to begin with
#righttorepair
I can't believe I just got mad at a hypothetical situation
lmao
Since when did Apple sell stereos 
if you feel bad about it maybe apologising will make you feel better, then again there isn’t much to apologise about, your point was valid, just delivered a bit passive aggressively lol
ive downloaded it to my filza, how do i import to sileo?
Edit > Select File > More > Open with > Sileo
Im saying I can't believe I went on a rant complaining about something that never happened
It wasnt really a rant
Just a mildly aggressive speech
2006
rip
Ew where’s the ublock origin
Yeah whatever money you spent towards that you might as well just throw away
true
An actually good adblocker
i dont get it whats wrong with macos safari
always updated
these are the addons yall should get
Instead of the garbage Adblock [plus]
also open source
bro how do you not know ublock origin
I like Safari
firefox better imo
i made all my teachers dl that straight away lol
@soft turtle do u have these yet
bitwarden > lastpass
imagine using the internet
Wow too many extensions lol, I only use ublock out of those
ah, but tbh bitwarden does the same thing and free
and its open source
@green onyx but lastpass does what I need it too
on the internet
oh, its manifest v3
chrome is dogshit
true
switched to firefox when manifest v3 came out
I still use LastPass without paying also
@soft turtle you will get buttfucked soon
I just never updated the LastPass app on my phone so I don’t have to deal with the device restrictions
lastpass will eventually kick in the trial end
which is why u use bitwarden if u cant pay
I’ve been using LastPass for years
it will let you transfer between mobile and desktop a maximum of 5 times
when the end trial kicks in
then you are stuck on that platform until u pay
Yeah it doesn’t know that I’m transferring because I haven’t updated the app
see that's why you use bitwarden, it's free and unlimited
only paid thing in it is the option to store 2FA codes in bitwarden too, for $10/year
It probably is better but im too lazy to switch
also cloud storage
no it doesn't
BitWarden has migration from LastPass lol
<@&557588738881093648>
I’m pretty sure I’ve seen it
Oh didn’t even know
That would make it much easier
probably some script from github can do it
https://bitwarden.com/help/article/import-from-lastpass/ even better, it’s native
yeah bc that's pingable
damn
lol
I used to use an online password manager called Mibbit, then another one called Passpack, then I went to LastPass, 1Password and now Bitwarden
well and KeePass too at some point (local)
I wish there was a native app for bitwarden, don’t want to add yet another electron app
bitwarden has a native app
???
It’s electron
damn fr?
they use Xamarin for iOS, for desktop I just use the Chrome addon
better than UWP
chrome
I think the english language did
^
Xamarin also supports desktop too, surprised they don’t port it
Count your lucky stars JTV hasn’t seen this yet
Yeah unfortunately
I think it’s been used before in security research before iOS jailbreaking was a thing
damn rip
I’d rather Electron than UWP on Windows
And you need to download it from the Microsoft Store
swiftui > uwp
yup
wait actually we can get a native bitwarden app
since the xamarin mobile app is open source, we can compile it for desktop or catalyst i think
@green onyx have you ever tried gaining permissions of a file in a UWP app
shits a nightmare
probably, u probably need some changes tho
you have to takeown the entire WindowsApps folder
seems legit
Even elevated users cant del files inside uwp apps
I had to go to Linux and mount it that way
ProgramFiles lol
@soft turtle https://github.com/skyelights/valawarden theres a native app for elementary
for minecraft it's C:\Program Files\WindowsApps\Microsoft.MinecraftUWP_1.16.10004.0_x64__8wekyb3d8bbwe\data, gl tryna get into that tho
also one for macos https://github.com/jnsdrtlf/bitwarden-menubar
oh wow had no idea
wonder how hard it would be to port that to macos then
. kinda native imo
i think it still uses the browser extension with so not fully native but at least better than electron
i got all of the dimentio/newterm terminal to work as expected (ran scripts etc). im running futurerestore again but still get this error. im using chimera so i used "0xbd34a880be0b53f3". any ideas? 😩
upload ur blob to https://verify.shsh.host and screenshot it here
hide ecid
okay cool, do i select my current ios version or my blob ios version
no, select the ios version that u saved the blob for
yeah uh im guessing you saved with blobsaver v2.X or the tss saver website without a generator?
@keen bay try doing 0x1111111111111111
iphone xs
i used this guide a while ago: https://www.reddit.com/r/jailbreak/comments/g38zic/tutorial_easiest_way_to_save_blobs_for_a12a13/ it seemed like the easiest thing at the time. im not tech-savvy in this field unfortunately
ios 12.0
cool ill try that
Yeah that isn’t the best
If 0x1111… gives you the same error you’re probably screwed
chimera
haha damn. as long as i dont lose my current jailbreak, then its cool
you can use this to do it faster
chimera might not have set nonce properly during jb
it’ll prompt you to choose a generator then it’ll check if it matches
just make sure you have openssh
@soft turtle what is this -_-
(optional) Use a jailbreak tool or nonce setter on your device to set the generator; this will allow you to use the blobs even if your device's nonce changes.
if neither of the defaults work you’re probably screwed
You don’t know how many people got screwed cause of that
I hated blobsaver before lol
same
I almost did blobsaver lol bc I was too lazy to get a generator nonce pair
Before I realized what it was
when 14.3 jb first came out
at least 50 people got their nonces fucked up (in this channel)
okay cool thanks! ill look into it, im a noob at this 😫 already sounds like headache
what are u using to set generator
the chimera app?
yep
yeah probably not the best idea
if you use the shortcut i gave you it’ll do it properly
yikes ok, on reddit when i posted about it for most people who messaged me at least, the apnonce didn't change across reboots
is it too late to do it now? or can i still do it and then futurerestore to 14.3?
Probably bc they set generator
u can try
they were all unjailbroken
lol that makes no sense, nonce means to use only once, apnonce was designed to change every reboot
I'm so lucky I used tss saver and got valid 14.3, getting ap nonce generator pair was a nightmare back then
do it now
not too late
okay thanks guys. have to head out for a bit but ill try again later
Idk why but it did work 🤷♂️
For some people at least
yeah if we did a controlled experiment right now i would back what i said to win lol
probably circumstantial
They might not be unsigning it because it’s Memorial Day
also maybe most of them were using checkra1n and had generator set in nvram, persists even when unjb
I mean getting nonce in normal mode sets a random generator which causes it to freeze until one of the following:
- device is rebooted AND another apnonce request is made in normal mode (iTunes/OTA update check, or manual igetnonce/etc.)
- device is restored or updated
blobsaver used nonce from recovery
generator persists when unjailbroken regardless of the jailbreak, just might reset in the above cases
which doesn’t cause a freeze
that alone doesn't if they used v2.x, but if it was already frozen before for some reason then...
This was blobsaver 2.0 though
it's possible that even just downloading an OTA update freezes your nonce 🤔
Yeah I never did a large amount of testing on it so idk
idk if there's anything in place to clear it if the user doesn't actually end up updating, or maybe it's only set when you press install
It worked fine for my friends who had a12 and a lot of other people who messaged
they would’ve been one time use blobs anyway
So I posted that hoping there would be a chance it would be usable
Yes
so that’s probably why
Better than no blobs at least is what I was thinking when I posted
well still a very different impression you gave out tho
Well yeah ofc not ideal but at least having blobs that you can use once is still better than having no blobs
I agree though I should have been clearer about what exactly it was, that was a mistake
Already on homebrew
it’s not “one use blobs” as in you can use it once whenever, you can use it once on that particular reboot lol
Thats how nonces work
In multiple tests on my friends’ devices and other people who messaged it worked across reboots
yeah that’s probably because they had a generator set somehow, i can’t think of any other way lol
You seem to have a knack for thinking everyone’s arguing when they’re just talking normally lol
I’m just explaining how nonces work and why that method of saving blobs was kinda wack
They never jailbroke before so idk how they had a generator set but idk
mb
idk
i felt like everyone was attacking airsquared
mb
all good lol
Ty for the concern tho lol
Someone could probably test it with a fresh restore with iTunes
Nah the specification is either GSM or Global
just use read from device
Here is the map
don't some of them have multiple boardconfigs
Yeah if it’s not in the boardconfigs file it will ask for a boardconfig
inside joke
the joke isn't related to the downgrade at all
Lmfaooo
you know, why not just do
lockdownd_get_value("HardwareModel")
❯ ideviceinfo -k HardwareModel
D221AP
wen Advanced Comedian role
TSSchecker doesn’t need the board config unless it’s for devices with multiple ones
Just the device ID does it
lol
yeah Apple TV 3rd gen wasn't tvOS yet
officially iOS 8.x for Apple TV is called "Apple TV Software 7.x"
Another webkit exploit for 14.6
tf
A few weeks ago, we found an exploitable bug in WebKit which was fixed before we could report to Apple. Interestingly, the latest iOS versions are still vulnerable. Since other exploits for this bug are public, we share our root cause analysis and exploit. https://t.co/qJf8ZxL9QH
136
316
14.6 is vulnerable
don’t know about 14.7 beta
probably might
ios 14 is ripe for webkit based jailbreaks
there’s a couple that can be used for 8.00 to 8.03 jbs iirc
dk about the latest version
still needs a kernel exploit
that's the same vuln
just different exploit method
weird enough that webkits dont work on ios 14.5- but work 14.5+
Lol apple trying to add new features but using shitty code to do so
oh
that's because the feature that introduced the bug was added in Safari 14.1 (iOS 14.5)
iOS 14.6 has 14.1.1 but still vulnerable
safari blobs eta wen
Good news. This exploit can make pwnMy compatible with iOS 14.6. I‘ll include it to give support to both iOS 14.5 and 14.6. these are very good news for the safari jailbreak project. Keep in mind that while these are good news, a kernel exploit is still needed. https://t.co/49XpZXc82m
yo what
Already does that, what I meant was that it’ll show the text box that can be filled in with the read from device button
oh nice
was too lazy to check the code and my iPX doesn't have multiple boardconfigs for the same device code so
Oh lol
Yeah I just like to include it in the tsschecker arguments anyway because when new devices are added I don’t have to update tsschecker every time
I only then have to update the properties file
dead chat
At least you're alive
Lmao my dog licked my phone and she hit the home button which switch apps because swipe right
Lol my dog paws the keyboard on my laptop and either writes junk or presses enter, sending a half written email or something lol
i want a dog that can code for me
At that point you just hire someone lol
how can i put a iphone 8 into dfu mode from off state
!t dfu
How to enter DFU mode or enter Recovery Mode on each device
the device isnt on
if it doesn’t turn on then it’s hardware damage lol
Take it to an Apple store
nnono like
when i try to normally turn it on it gets stuck in a bootloop
shows apple logo for a few seconds
goes black
turns off
repeat
Then go to dfu
yea thats what im asking lol
Lol then do it
the instructions said to do it and i saw a video for it but the demo was when the phone was on
and when i try that when its off it doesnt work
just gets into the same loop
Dfu always works
You just need to get the timing right
Try it when the phone is in the bootloop instead if you want
your bootloop describes a problem I had with my 8 plus about a year ago, for me restoring in iTunes fixed it
sure, I lost the data that was on it at the time, but at least I had a working phone again after that
you don't have to restore if you don't want, but restoring is what fixed it for me
That’s why you have auto backup
the boot is completely broken on it lol
im getting a 3504 error on itunes
and the error codes list says nothing about it
I didn't sadly at the time
because I actually had experienced this situation before and a restore through iTunes for Mac fixed it.
hello
I am getting this error
ERROR: tss_send_request: Unhandled status code 162
I honestly don't know what to do for that, maybe try reinstalling iTunes and/or just restoring the iPhone altogether if you haven't tried that
Never use iTunes after a restore fail
idevicerestore ofc
Use idevicerestore
also never use idevicerestore on windows
I am getting this error when it is downloading baseband ERROR: tss_send_request: Unhandled status code 162
That way if it does end up failing you can see what happened/where it failed which could be of some help, instead of a random error code
TSS server returned: STATUS=162&MESSAGE=An internal error occurred.
im trying but i cant seem to get openssl installed properly
did brew install openssl and it worked
but autogen still says missing
is there a place to download a compiled version
i have blobs saved for 14.4, how would i go from 13.3 to 14.4? would i need to update normally to 14.6 and then go to 14.4 with blobs?
really?
i am on a12
i am waiting for the webkit jailbreak
and i have no other blobs
i already saved blobs for 14.5.1
is there a way to update with blobs without restoring
yeah ok then
Hey man I am upgrading to 14.4 from 14.2 using future restore but it’s giving me this error TSS server returned: STATUS=162&MESSAGE=An internal error occurred.
Check your network connection
Also what futurerestore version
I’m on v194 and network is good
Lol googling futurerestore first result is tihm
Yes I’m on iPhone 12
@celest basalt A14 doesn’t work rn
Ah fuck well thanks
I know jailbreaking just isn’t really for me and I want to be able to play nvidia gforce now
But I did wanna be able to try that WebKit jb so yeah
@celest basalt Mac or Windows?
Mac
Try the futurerestore in pins
Wdym?
what generator do you set when there's no generator?
actually.. yes. Given the apnonce is saved and the device is set on that nonce
unless you restored/updated
then in that case.. my point above is still valid
could’ve at least explained the apnonce error but eh
theres a difference between keeping it simple and omitting important info
there's also a difference between getting to the point and elaborating on every "what do you mean.."
wdym
noapnonce blobs have an apnonce lol
they’re just stupidly named
because noapnonce is almost always 0x1111….
The generator list for the apnonce blobs is in the pins
meh, i just do onboard
True
@zealous bridge question nonce stayed the same after restore from recovery mode even in iTunes right
yes if it was in nvram before
Have you tried dfu
No
.
Wait why can’t FutureRestore work from DFU
DFU nonce is different to normal nonce
(The normal nonce is what we save APTickets for)
Ok
Recovery won’t
DFU not tested but i’m sure it won’t
Wen eta DFU nonce setter
That’d be something for Cryptic to reverse engineer
Don’t believe anyone’s looked at it before
At least not on modern devices
"DFU nonce setters" just kick you into recovery so yeah
Yeah it’s not really the “DFU nonce”
actually I think checkm8-nonce-setter doesn't even modify the normal apnonce, it just boots up a patched iBEC/iBSS with changed nonce
because IIRC if I reboot after checkm8-nonce-setter the nonce resets
it loads a ibss without the generator blacklist in nvram
so we can just setenv
pwndfu exists
Hopefully someone updates pwndfu with checkra1n’s implementation of checkm8 so it becomes much more reliable
they are very different
axi0mx’s implementation is so old and finicky
checkra1n team improved it a lot but it’s closed source lol
It’s a blacklist??
yeah theres like 4 nvram variables blacklisted from recovery mode
boot-nonce being one of them
On VMWare I had to set sip nvram variable, but misspelled by 1 letter and then edit it in some weird mode to make it right
Oh it’s a whitelist
Lmfao
yeah how would only 4 variables be blacklisted
👏
lol wot
Breadcrumbs or something as well right
iboot wouldn’t tell me
and probably backlight
Printenv doesn’t work
breadcrumbs, backlight, auto-boot and boot-nonce
info about what’s happening in the bootloader
normally thats what it means
Boot nonce isn’t whitelisted tho
well, the thing is
I 100% remember updating my XR via an IPSW to the same version and it definitely cleared my generator
but that generator was set by requesting apnonce in normal mode
idk if that makes any difference
lol we need nvram unlocked to know for sure
Yeah tb said it only happened in recovery
the way I know it cleared my generator is I ran noncestatistics in recovery before and after - before it was generating a constant nonce, after it was random on every reboot
we need someone to test dimentio then recovery mode restore
It makes sense for the apnonce requested in normal mode to be cleared after a restore, the way apple implemented it however shit it is it’s meant to be cleared after a restore
@green onyx do you have an A12+ device on latest you can just restore to latest to test something
or an A12+ you can FutureRestore with
A12+?
nope
yay
Yeah, if you have 14.3 blobs (and this works) you can go back
Who said anything about latest
I just said recovery mode restore
okie so restores from recovery on A11- don't reset your nonce, even iTunes restores, so we wanna test that with A12+
wot
we could use getnonce to set generator nvm this will work
nyu did from normal mode they said
you just said it didnt work from normal mode lol
sets generator on latest
no it doesnt, it freezes nonce by requesting one from normal mode
literally all itunes restores use getnonce, but without grabbing the generator
no lol, it doesn’t set anything
yeah the phone sets it randomly
ok so how does getnonce set it
all it does is idevicediagnostics mobilegestalt ApNonce from normal mode
which requests a random apnonce
which is exactly what happens in every restore from normal mode
and sets a random generator at the same time
guys is this not how it works
@celest basalt
please lol
I'm like 90% sure that it sets a random generator
otherwise how would nonce stay the same after reboots
what
getnonce sets a random generator right
froggy’s having a moment understanding getnonce lol
yes, if you request an apnonce in normal mode, it sets a random generator in nvram
if you request it again in normal mode without rebooting, it won't change the apnonce/generator, but if you do it again after a reboot it will
thats what i said
but
how would getnonce get a generator if there was no generator 
nvram is never directly touched lol
you said it "freezes" nonce... I said it sets a random generator
dimentio does
it sets a random generator in nvram
it does freeze nonce
bro what are you even defending lol
well yeah, of course the OS handles the "set random generator" part and you can't control what the value will be but...
it does have an effect of freezing the nonce but that's because of the generator
^^
like I said, there's no "freezing" nonce just setting a generator
Lol
oh lol
Thanks nyu
guys you're being like JTV, confidently incorrect lol
lol ok, explain why on A11- directly setting the nonce in nvram keeps the same nonce after restore works, but requesting one from normal mode resets it
lmao
there’s a difference which is proven
that’s my point lol
requesting one from normal mode isn't the issue, restoring from normal mode is
and that's besides the point lol
restoring from normal mode = requesting apnonce from normal mode
lol
says the guy saying 'froggy see a doctor' lol
you can request a nonce from normal mode and still restore from recovery...
requesting one from normal mode resets it
that's because the normal mode request overwrites the existing generator
guys I gotta do my theology final let's talk later
after the restore
I think he meant resets it after the restore
like the weird apple oversight thing in iOS 14
yeah
another interesting thing I just found: requesting apnonce in normal mode overwrites dimentio generator but not the generator that was set by requesting apnonce during the same boot
no i meant when you’re restoring from normal mode it requests an apnonce from normal mode
which means its the same as getnonce
requesting an apnonce from normal mode
forget generator for now
sudo dimentio 0x1111111111111111 -> 27325C8258BE46E69D9EE57FA9A8FBC28B873DF434E5E702A8B27999551138AE
ideviceinfo -k ApNonce -> 47b4ecb8a1a7b2a413ac6e8c9a257256687b6d13f71024acb3f136f39a8d733f
ideviceinfo -k ApNonce -> 47b4ecb8a1a7b2a413ac6e8c9a257256687b6d13f71024acb3f136f39a8d733f
- reboot
ideviceinfo -k ApNonce -> f8b983c53bbb1a748f6efe536c06934b857394fff9bc69a1f054d651f125123d
ideviceinfo -k ApNonce -> f8b983c53bbb1a748f6efe536c06934b857394fff9bc69a1f054d651f125123d
lol
well it’s probably because iTunes requests it multiple times during the same boot
so it can’t change
otherwise restore is invalid
yeah but it doesn't seem to actually set it to that random ap nonce if you run dimentio again with no args
it's weird
wait
I fucked it up
there
it probably checks "was apnonce already requested" rather than "is generator set" before overwriting
lol this whole time i was trying to say that maybe dimentio isn’t the same as requesting apnonce from normal mode
if you do dimentio 0x1111 again it will let you request apnonce again
but again it doesn't seem like it's actually doing anything if you run dimentio no args
it was already set to 0x111 supposedly
yeah reading out what’s in nvram probably isn’t gonna affect anything
let me rephrase lol
but again, it doesn't seem like it's actually doing; this can be proven by running dimentio no args, the output stays the same
you can use nvram -p instead of dimentio if you don't trust it
on checkra1n at least
not on u0/Taurine iOS 14
ah at the time of testing I couldn't bc A12
not on A12+ 
makes no difference though
dimentio probably uses nvram directly
then where is that random ap nonce coming from though
ok now this is funny
looks like requesting apnonce in normal mode won't touch the actual generator at all if it was already set during the current boot
yeah that's what I said
ideviceinfo and dimentio now disagree on what the nonce is
nvram is probably right
^
❯ ideviceinfo -k ApNonce | base64 -d | xxd -p -c256
6368d701c4cc189430ea6804ef916293cd8c4186996e3b0eb4477236c743bbb9
iPhone-X:~ mobile% dimentio
nvram_entry: 0x1307
Current nonce is 0x1111111111111111
nonce_d: 27325C8258BE46E69D9EE57FA9A8FBC28B873DF434E5E702A8B27999551138AE
iPhone-X:~ mobile% nvram -p
boot-args
auto-boot true
com.apple.System.boot-nonce 0x1111111111111111
[...]
I think lockdownd just caches the apnonce value after the first request on each boot
what triggers with dimentio when you do 0x1111 again that allows apnonce key to be triggered again
I requested apnonce first and got 6368..., then dimentio, then requested apnonce again and got the same 6368...
yeah it’s not like there’s any “generator_set” variable
so it doesn't really trigger anything again
it just doesn't check the nvram after the first request
doesn’t that mean that apple know when the generator is set
and uses the cached value
meaning getnonce was on purpose
are you sure? when I tested, I could do request apnonce, dimentio 0x1111, request apnonce and it would be different every time
i was planning on spamming that thousands of times to see if collision exists lol
you can't spam it in normal mode to collide
Collision only worked because the device tended to generate different apnonces more than others
I did though
i mean not to collide
spam apnonce
well, what you're saying doesn't work for me
normally the only way to collide is to clear generator and keep rebooting in recovery
lemme try that