(已更新)(已经更新工具)实战ios10.2J。b后平刷系统!!!

发表于: 2017-01-31 14:52:54
来自 威锋网页版
24.1w
433
只看楼主
本帖最后由 大天朝扫黄打非 于 2018-1-7 21:33 编辑

2018年1月7日21:29:28更新:
Futurerestore工具用于ios11的降级平刷!!!
使用方法依旧跟10系统的一样
支持11-11.1.2的设备(不支持最新的)
链接:
2017年12月4日16:13:15更新:




2017年10月29日19:59:46更新坏消息
iOS10验证已经全部关闭(除了6s设备)
iOS11固件无法用于iOS10的平刷降级
好消息
时隔八个月10。2.1J。b终于发布!


2017年9月10日10:48:54更新
坏消息:11系统变动较大不知道以后能不能用其固件平刷手机。还有我的手机因升级内存被迫入狱


好消息:暂无


更新futurerestore-latest


2017年6月24日 09:28:00更新

大家平刷一半时可能会出现各种问题
那么在平刷之前先来验证一下你的
shsh2是否有效
验证shsh2文件方法:
首先按照教程进恢复模式
然后在终端输入./futurerestore_macos -t 7203xxxx68816_iPhone6,1_10.2-14C92.shsh2 -w

image


如果显示出图上的代码的话 那么恭喜你的shsh2有效
否则你就洗洗睡吧!
2017年6月13日 10:46:33更新
重新排一下版
几个月过去了 我一直在iOS10.2
期间白苹果了几次 一一被我解决
(直接平刷10.2)
现在基本稳定了smile不能安装虚拟机mac的童鞋
可以用liunx降级
传送门:
教程:
@
在这里还是要感谢J。b大神@qwertyoruiop 以及降级工具作者@tihmstar 没有他们的工具就没有降级
10.2J,b在luca大神添加tfp0以及nonceEnabler后,降级/平刷变为可能。备份了10.2 的shsh2且J。b的锋友们有福了。目前Cydia Eraser未更新,使用futurerestore平刷是最好切最纯净的方法。
需要的东西:
1· 一台安装OS X且可以连接互联网的的电脑(黑苹果白苹果虚拟机均可)
2· futurerestore、已备份且含有NoApnonce的shsh2。
3·一台已经用yalu最新版本J,b(旧版本未添加tfp0和nonceEnabler)的iPhone且iPhone上装有MobileTerminal(这一步可以用电脑连接ssh代替)4·需要降级/平刷的系统版本固件,最新系统的固件(正式版测试版均可)
首先我们在Mac用文本编辑打开NoApnonce下的shsh2文件,我们会发现其内含有一行Generator的代码,这是我们进入恢复模式后需要用到的,我们将它记下来https://images.weiphone.net/data/attachment/forum/201701/31/182512zkaq6czd25cdollk.png

在iPhone中打开MobileTerminal(或用ssh连接设备)
1·键入su后输入密码(默认密码alpine)
2·键入nvram com.apple.System.boot-nonce=xxx (xxx的数值为shsh2文件下的Generator下的代码,我们将它输入后点击键盘的return~~)不想平刷的也应该先做这一步,防止日后白苹果后不能写入。
3·键入nvram -p 查看是否已写入nvram中,如图下便成功写入(出现general error的锋友的请用最新J,b工具重新j。b)
https://images.weiphone.net/data/attachment/forum/201701/31/182732vzmxqt0rh9u1t1x1.png

到了这一步后我们可以打开Mac中的futurerestore,按照方法进行降级~附上最新版本的futurerestore-v89
loading...
futurerestore-latest.zip (787.92 KB, 下载次数: 22)
其实教程早已有的,可以在百度上找到,但是既然都写了前面,就把后面的降级教程也写完吧~smile
---------------------------------------------分割线-----------------------------------------------------
如果遇到futurerestore缺少运行库的请转到二楼
1·在电脑桌面建立一个downgrade文件夹,拖入固件,shsh2文件,futurerestore(举个例子:楼主是平刷,故放入10.2和10.3b1的固件,10.2的shsh2文件。)
2·将最新的版本固件文件尾缀ipsw改为zip格式,并解压。需要降级/平刷的版本固件无需进行修改。
3·打开解压以后的文件夹,复制BuildManifest.plist 进入Firmware文件夹,复制MavxMavy-xx.xx.xx.Release.bbfw(基带版本由手机型号决定)到downgrade文件夹,进入all_flash文件夹,再打开all_flash.nxxap.production(由手机型号决定,不知道的可以下载个安兔兔查看),复制目录下的sep-firmware.nxx.RELEASE.im4p到downgrade文件夹。
4·打开终端 输入cd ~/Desktop/downgrade后回车
5·键入 chmod +x futurerestore_macos
6·接下来开始运行futurerestore。键入./futurerestore_macos查看是否能够运行,顺利运行的如图下
https://images.weiphone.net/data/attachment/forum/201701/31/185338ngwgdv9w98ess8hf.png


7·键入./futurerestore_macos -t shsh2文件.shsh2 -b 基带文件.nnfw -p BuildManifest.plist -s sep-firmware.nxx.RELEASE.im4p -m BuildManifest.plist -w 需要降级的固件.ipsw
(例子:./futurerestore_macos -t 7203xxxx68816_iPhone6,1_10.2-14C92.shsh2 -b Mav7Mav8-7.50.01.Release.bbfw -p BuildManifest.plist -s sep-firmware.n51.RELEASE.im4p -m BuildManifest.plist -w iPhone_4.0_64bit_10.2_14C92_Restore.ipsw
8·如运行顺利iOS设备将进入恢复模式并开始刷机。

https://images.weiphone.net/data/attachment/forum/201701/31/185926lt9w9tda2lw9qlk9.png



如果进入恢复模式无法退出请使用此工具
loading...
RecBoot Version 1.0.1.zip (206.4 KB, 下载次数: 7)
附楼主平刷成功图 5s使用10.3b1的基带和sep,(5s 10.2的基带版本为7.21.00)
https://images.weiphone.net/data/attachment/forum/201701/31/181804jor7vvb5bt7jmyyo.jpg
2017年2月17日22:26:07更新
出现卡waiting for device的是
shsh2备份错误

国外降级视频链接:密码:39to
loading...


2017年2月9日07:33:44更新
mac环境搭建
image


出现这个的可以直接刷机
(需要安装依赖)
image


降级&平刷&升级需要文件
写在最前面 一定要有shsh2文件 反面教材@
因选基带错误而入狱1021
地址
https://bbs.feng.com/read-htm-tid-11059360.html
成功教材
image




image


平刷过程:
macbook-pro-2:futurerestore-latest UserName***$ ssh root@192.168.5.6
root@192.168.5.6's password:
ReveEver-iPhone:~ root# ./nonceEnabler
separt=com.apple.System.sep.art
kbase=0xffff************
kbase=0xffff************
found bytes at 0x 0
kmem=-----com.apple.System.sep.art-----
nextstr=-----com.apple.System.boot-nonce-----
found com.apple.System.sep.art at 0xffff************
found com.apple.System.boot-nonce at 0xffff************
kbase=0xffff************
found bytes at 0x 0
kmem=-----??k ????-----
patching bytes at=0xffff************
done patching
ReveEver-iPhone:~ root# nvram com.apple.System.boot-nonce=0x7936************
ReveEver-iPhone:~ root# nvram auto-boot=false
ReveEver-iPhone:~ root# nvram -p
boot-args
com.apple.System.boot-nonce 0x7936************
auto-boot false
backlight-level 1566
ReveEver-iPhone:~ root# reboot
Connection to 192.168.5.6 closed by remote host.
Connection to 192.168.5.6 closed.
macbook-pro-2:futurerestore-latest UserName***$ ./futurerestore_macos -t 379142615*******_iPhone7,1_10.2-14C92.shsh2 -b Mav10-5.32.00.Release.bbfw -p BuildManifest.plist -s sep-firmware.n56.RELEASE.im4p -m BuildManifest.plist -w iPhone_5.5_10.2_14C92_Restore.ipsw
Version: 6aa188cd06789de1573263aa301a************ - 89
futurerestore init done
reading ticket 379142615*******_iPhone7,1_10.2-14C92.shsh2 done
opening BuildManifest.plist
WARNING: Unable to find BbSkeyId node
User specified not to request a Baseband ticket.
Sending TSS request attempt 1... response successfully received
Did set sep+baseband path and firmware
failed to read BasebandGoldCertID from device! Is it already in recovery?
using tsschecker's fallback to get BasebandGoldCertID. This might result in invalid baseband signing status information
opening BuildManifest.plist
WARNING: Unable to find BbSkeyId node
User specified to request only a Baseband ticket.
ERROR: Unable to get BasebandFirmware node
ERROR: Unable to find required BbGoldCertId in parameters
Sending TSS request attempt 1... response successfully received
Found device in Recovery mode
Device already in Recovery mode
INFO: device serial number is FK2NN4*******
waiting for nonce: 9a 75 c2 7b 20 f4 81 b1 0f 87 eb 7d ed 6b 00 5d f2 f8 b1 08
Got ApNonce from device: 9a 75 c2 7b 20 f4 81 b1 0f 87 eb 7d ed 6b 00 5d f2 f8 b1 08
Device has requested ApNonce now
Found device in Recovery mode
Identified device as n56ap, iPhone7,1
Extracting BuildManifest from IPSW
Product Version: 10.2
Product Build: 14C92 Major: 14
Device supports Image4: true
checking APTicket to be valid for this restore...
findAnyBuildidentityForFilehash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
getBuildIdentityForIM4M: skipping element=ftap
getBuildIdentityForIM4M: skipping element=ftsp
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=ftap
hasBuildidentityElementWithHash: skipping element=ftsp
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=ftap
hasBuildidentityElementWithHash: skipping element=ftsp
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=ftap
hasBuildidentityElementWithHash: skipping element=ftsp
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
getBuildIdentityForIM4M: skipping element=rfta
getBuildIdentityForIM4M: skipping element=rfts
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
hasBuildidentityElementWithHash: skipping element=BasebandFirmware
Verified APTicket to be valid for this restore
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
Extracting filesystem from IPSW
100.0%
Extracting iBEC.n56.RELEASE.im4p...
Personalizing IMG4 component iBEC...
Sending iBEC (632436 bytes)...
Getting SepNonce in recovery mode... 49 5f 23 92 10 1a 5f ad 29 2a 91 c3 a3 90 0b 2d 18 36 94 5c
Getting ApNonce in recovery mode... 9a 75 c2 7b 20 f4 81 b1 0f 87 eb 7d ed 6b 00 5d f2 f8 b1 08
Recovery Mode Environment:
iBoot build-version=iBoot-3406.30.8
iBoot build-style=RELEASE
Sending RestoreLogo...
Extracting applelogo@3x~iphone.t7000.im4p...
Personalizing IMG4 component RestoreLogo...
Sending RestoreLogo (18834 bytes)...
ramdisk-size=0x10000000
Extracting 058-54560-094.dmg...
Personalizing IMG4 component RestoreRamDisk...
Sending RestoreRamDisk (40330739 bytes)...
Extracting DeviceTree.n56ap.im4p...
Personalizing IMG4 component RestoreDeviceTree...
Sending RestoreDeviceTree (124133 bytes)...
Extracting kernelcache.release.n56...
Personalizing IMG4 component RestoreKernelCache...
Sending RestoreKernelCache (12368816 bytes)...
Trying to fetch new SHSH blob
WARNING: Unable to find BbSkeyId node
Sending TSS request attempt 1... response successfully received
Received SHSH blobs
About to restore device...
Waiting for device...
Device e178068837194a705853d34de975************ is now connected in restore mode...
Connecting now...
Connected to com.apple.mobile.restored, version 14
Device e178068837194a705853d34de975************ has successfully entered restore mode
Hardware Information:
BoardID: 4
ChipID: 28672
UniqueChipID: 379142615*******
ProductionMode: true
Starting FDR listener thread
About to send NORData...
Found firmware path Firmware/all_flash/all_flash.n56ap.production
Getting firmware manifest Firmware/all_flash/all_flash.n56ap.production/manifest
Extracting LLB.n56.RELEASE.im4p...
Personalizing IMG4 component LLB...
Extracting iBoot.n56.RELEASE.im4p...
Personalizing IMG4 component iBoot...
Extracting DeviceTree.n56ap.im4p...
Personalizing IMG4 component DeviceTree...
Extracting applelogo@3x~iphone.t7000.im4p...
Personalizing IMG4 component AppleLogo...
Extracting recoverymode@1920~iphone-lightning.t7000.im4p...
Personalizing IMG4 component RecoveryMode...
Extracting batterylow0@3x~iphone.t7000.im4p...
Personalizing IMG4 component BatteryLow0...
Extracting batterylow1@3x~iphone.t7000.im4p...
Personalizing IMG4 component BatteryLow1...
Extracting batterycharging0@3x~iphone.t7000.im4p...
Personalizing IMG4 component BatteryCharging0...
Extracting batterycharging1@3x~iphone.t7000.im4p...
Personalizing IMG4 component BatteryCharging1...
Extracting glyphplugin@1920~iphone-lightning.t7000.im4p...
Personalizing IMG4 component BatteryPlugin...
Extracting batteryfull@3x~iphone.t7000.im4p...
Personalizing IMG4 component BatteryFull...
Personalizing IMG4 component RestoreSEP...
Personalizing IMG4 component SEP...
Sending NORData now...
Done sending NORData
About to send RootTicket...
Sending RootTicket now...
Done sending RootTicket
Waiting for NAND (28)
Checking filesystems (15)
About to send FDR Trust data...
Sending FDR Trust data now...
Done sending FDR Trust Data
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Creating partition map (11)
Creating filesystem (12)
Creating filesystem (12)
Creating filesystem (12)
About to send filesystem...
Connected to ASR
Validating the filesystem
Filesystem validated
Sending filesystem now...
100.0%
Done sending filesystem
Verifying restore (14)
100.0%
Mounting filesystems (16)
Mounting filesystems (16)
Mounting filesystems (16)
About to send KernelCache...
Extracting kernelcache.release.n56...
Personalizing IMG4 component KernelCache...
Sending KernelCache now...
Done sending KernelCache
Installing kernelcache (27)
Flashing firmware (18)
100.0%
Updating gas gauge software (47)
Updating gas gauge software (47)
Updating baseband (19)
About to send BasebandData...
sending request without baseband nonce
WARNING: Unable to find BbSkeyId node
Sending Baseband TSS request...
Sending TSS request attempt 1... response successfully received
Received Baseband SHSH blobs
Sending BasebandData now...
Done sending BasebandData
Updating Baseband in progress...
About to send BasebandData...
WARNING: Unable to find BbSkeyId node
Sending Baseband TSS request...
Sending TSS request attempt 1... response successfully received
Received Baseband SHSH blobs
Sending BasebandData now...
Done sending BasebandData
Updating Baseband completed.
Updating Stockholm (55)
Updating SE Firmware (59)
About to send FUD data...
Sending FUD data now...
Done sending FUD data
About to send FUD data...
Sending FUD data now...
Done sending FUD data
Fixing up /var (17)
Creating system key bag (50)
Modifying persistent boot-args (25)
Resizing system partition (52)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Got status message
Status: Restore Finished
Cleaning up...
DONE
Done: restoring succeeded.

至此,平刷结束。整个过程较为复杂,需要一定知识基础,基本问题请自行搜索解决。



------------------------分割线------------------------
人家的成功案例:


image




image


传送门:刷机的教程很简单 建议先看这个视频







image
image
image

DeviceUtilz.zip

futurerestore-latest.zip

全部回复(433)
只看楼主
正序查看 倒序查看
liuminhhh
沙发
对大天朝扫黄打非于2017-01-31 14:52:54在楼主发表的人气:+10;
各位看官多多给我加分啊文件都准备好了 等下更新先吊屌你们的胃口
加分在说。
2017-01-31 14:55
来自 iPhone 6S
叫春的猫
板凳
对大天朝扫黄打非于2017-01-31 14:52:54在楼主发表的内容评分:人气:+5;
各位看官多多给我加分啊

文件都准备好了


等下更新先吊屌你们的胃口
13145202
那就满上再说
2017-01-31 14:58
来自 威锋网页版
光头小二
地板
前排就坐
2017-01-31 14:59
来自 iPhone 6S
198602210
4 楼
不要你吊屌
2017-01-31 15:00
来自 威锋网页版
lyg993
5 楼
坐等
2017-01-31 15:02
来自 威锋网页版
岳家子弟
6 楼
已屏蔽
2017-01-31 15:02
来自 威锋网页版
q287941130
7 楼
坐等 成功
2017-01-31 15:03
来自 威锋网页版
我去年卖了个表
8 楼
没有SHSH也可以吗?
2017-01-31 15:05
来自 威锋网页版
itily
9 楼
静坐看戏
2017-01-31 15:05
来自 iPhone 6
12311952
10 楼
对大天朝扫黄打非于2017-01-31 14:52:54在楼主发表的内容评分:人气:+1;
各位看官多多给我加分啊

文件都准备好了


等下更新先吊屌你们的胃口
13145202
威锋有你更精彩:)
2017-01-31 15:05
来自 威锋网页版
首页 123456789 尾页 / 43 页