창고에서 썪어가던 iPad2 를 꺼내어 먼지를 털어내고 전원을 연결하여 켜봤다.
음 작동은 잘하는 군, 하지만 9버전으로 업데이트 후 사용 불가능할 정도로 느려진 iPad 였던 탓에 창고에 넣어뒀었지.
8.1.4 또는 6.1.3 으로 되돌려 빠른 속도로 사용하고 싶어져, 이것 저것 찾아보다 결국은 8.1.4 로 돌리는데 성공하였다.
웹서핑으로 찾은 내용 중 하기의 내용대로 라면 9.3.5 -> 8.1.4 로 돌아가는 단 하나의 방법이 남아 있다.
음. 리눅스를 이용한 훨씬 더 복잡한 과정을 거치면 되는건가?
32 bit OTA 다운 그레이드
32 bit iOS 기기를 iOS 8.4.1 또는 iOS 6.1.3으로 다운 그레이드 / 복원 (아래 지원되는 기기 참조)
지원되는 장치 (iOS 8.4.1) :
- iPhone5,3 및 5,4 (iPhone 5C)를 제외한 모든 A5, A5X, A6 및 A6X 장비가 지원됩니다
지원되는 장치 (iOS 6.1.3) :
- iPad2,4 (iPad 2 Rev A)를 제외한 iPhone 4S 및 iPad 2 장비 만 지원됩니다
- 참고로 나의 장비는 iPad2,4 였다. 모델명은 iPad 2 (Mid 2012)
전제 조건 :
- 모든 버전에서 지원되는 32 비트 iOS 기기 탈옥
- 기기의 iOS 8.4.1 또는 6.1.3 IPSW (스크립트를 통해 다운로드 할 수도 있음)
-> 스크립트를 실행하면 자동으로 다운로드 된다. - 64 비트 Linux 설치 / 라이브 USB (아래에서 테스트 한 배포판 참조) ( balenaEtcher 또는 Rufus 와 같은 도구를 사용하여 라이브 USB를 쉽게 만들 수 있음)
-> 가상머신에 우분투 설치로 가능함 - macOS (10.13 및 10.14에서만 테스트)도 작동하지만 스크립트가 중단되면 지원을 제공 할 수 없습니다
- iOS 7/8 Pangu 사용자 : 최신 Pangu 7.1.x Untether (deb) 또는 최신 Pangu 8.0-8.1.x Untether (deb) 설치
- iOS 9 이하 사용자 : OpenSSH 설치; SSH가 작동하려면 컴퓨터와 iOS 장치가 동일한 네트워크에 있어야합니다.
-> 나의 경우는 다운그레이드 전 상태인 9.3.5 탈옥에서 OpenSSH 만 설치했음 - iOS 10 사용자 : MTerminal 설치
다운그레이드 스크립트 사용시 주의점:
donz@ubuntu:~/Downloads/32bit-OTA-Downgrader-master$ ./restore.sh
******* 32bit-OTA-Downgrader *******
Downgrade script by LukeZGD
Main Menu
HardwareModel: K93aAP
ProductType: iPad2,4
ProductVersion: 9.3.5
UniqueChipID (ECID): 2953278254381
[Input] Select an option:
1) Downgrade device 4) (Re-)Install Dependencies
2) Save OTA blobs 5) Exit
3) Just put device in kDFU mode
#? 1
Select iOS version:
1) iOS 8.4.1
2) Other
3) Back
#? 1
iOS 8.4.1 Downgrade
[Log] Copying ota.json to tmp...
[Log] Saving 8.4.1 blobs with tsschecker...
Version: 7d267698cb16ab4699fa9cba20783ee041ac999e - 212
[TSSC] manually specified ecid to use, parsed "2953278254381" to dec:2953278254381 hex:2af9d19ed2d
[TSSC] opening resources/manifests/BuildManifest_iPad2,4_8.4.1.plist
[WARNING] [TSSC] could not get id0 for installType=Erase. Using fallback installType=Update since user did not specify installType manually
[WARNING] [TSSC] A BasebandGoldCertID is not required for iPad2,4
[TSSR] LOG: device iPad2,4 doesn't need a Baseband ticket, continuing without requesting a Baseband ticket
[TSSR] Request URL set to //gs.apple.com/TSS/controller?action=2
[TSSR] Sending TSS request attempt 1... success
Saved shsh blobs!
iOS 8.4.1 for device iPad2,4 IS being signed!
Archive: iPad2,4_8.4.1_12H321_Restore.ipsw
inflating: tmp/iBSS.k93a.RELEASE.dfu
[Log] Decrypting iBSS...
IV = 976aa656929ac699fff36715de96876d
Key = 5fe5c47b5620c2b40b1ca2bd1764a92d568901a24e1caf8faf0cf0f84ae11b4e
/home/tihm/odysseusOTA/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: ebd7f2088760381f2f9fb7e28de820d607026b4ab2b7ac4cbd122075572e514c940fb209a8eed03d95652ffb8de71d99
/home/tihm/odysseusOTA/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: ebd7f2088760381f2f9fb7e28de820d607026b4ab2b7ac4cbd122075572e514c940fb209a8eed03d95652ffb8de71d99
/home/tihm/odysseusOTA/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: ebd7f2088760381f2f9fb7e28de820d607026b4ab2b7ac4cbd122075572e514c940fb209a8eed03d95652ffb8de71d99
1218+1 records in
1218+1 records out
77980 bytes (78 kB, 76 KiB) copied, 0.00452379 s, 17.2 MB/s
[Log] Patching iBSS...
Make sure SSH is installed and working on the device!
Please enter Wi-Fi IP address of device for SSH connection
[Input] IP Address: 192.168.1.158
[Log] Will now connect to device using SSH, please enter root password when prompted (default is 'alpine')
[Input] Copying stuff to device...
's password:
kloader 100% 51KB 1.8MB/s 00:00
pwnediBSS 100% 76KB 1.5MB/s 00:00
[Log] Entering kDFU mode...
Press home/power button once when screen goes black on the device
<--"'s password: " 에서 명령 prompt 상태가 되는데, 이때 프롬프트에 암호를 넣고, iPad2 의 전원버튼과 홈버튼을 동시에 2초 정도 눌러 줘야 함[Log] Finding device in DFU mode...
's password:
[Log] Found device in DFU mode.
[Log] Extracting IPSW...
[Log] Preparing for futurerestore (starting local server)...
[Log] Will now proceed to futurerestore...
[Log] Device iPad2,4 has no baseband
[sudo] password for donz:
Version: b99eb8140d8e6c23f34e950102bb79e61c72384d - 152
Libipatcher Version: f32e41d850f51448bd6c588ead9c7d6455733f3c - 44
Odysseus Support: yes
[INFO] 32bit device detected
futurerestore init done
reading ticket 2953278254381_iPad2,4_8.4.1-12H321_bc9493665f3e9620ef2c4b027b653180ec1e4f48.shsh2 done
WARNING: user specified not to flash a baseband. This can make the restore fail if the device needs a baseband!
if you added this flag by mistake you can press CTRL-C now to cancel
continuing restore in 5 Serving HTTP on 0.0.0.0 port 80 (//0.0.0.0:80/) ...
4 3 2 1
Found device in DFU mode
requesting to get into pwnRecovery later
Found device in DFU mode
Identified device as k93aap, iPad2,4
Extracting BuildManifest from IPSW
Product Version: 8.4.1
Product Build: 12H321 Major: 12
Device supports Image4: false
checking APTicket to be valid for this restore...
Verified ECID in APTicket matches device ECID
[WARNING] skipping ramdisk hash check, since device is in pwnDFU according to user
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
127.0.0.1 - - [17/Mar/2020 20:02:06] "GET /firmware/iPad2,4/12H321 HTTP/1.1" 301 -
127.0.0.1 - - [17/Mar/2020 20:02:06] "GET /firmware/iPad2,4/12H321/ HTTP/1.0" 200 -
127.0.0.1 - - [17/Mar/2020 20:02:06] "GET /firmware/iPad2,4/12H321 HTTP/1.1" 301 -
127.0.0.1 - - [17/Mar/2020 20:02:06] "GET /firmware/iPad2,4/12H321/ HTTP/1.0" 200 -
Extracting iBSS.k93a.RELEASE.dfu...
iBoot32Patch: iBoot-2261 inputted.
patch_rsa_check: Entering...
find_bl_verify_shsh_generic: Entering...
find_bl_verify_shsh_generic: Found LDR instruction at 0x63c8
find_bl_verify_shsh_generic: Found BL verify_shsh at 0x676e
find_bl_verify_shsh_generic: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x676e...
patch_rsa_check: Leaving...
iBoot32Patch: Quitting...
Extracting iBEC.k93a.RELEASE.dfu...
iBoot32Patch: iBoot-2261 inputted.
patch_ticket_check: Entering...
patch_ticket_check: Found iBoot baseaddr 0x9ff00000
patch_ticket_check: Found iboot_vers_str at 0x280
patch_ticket_check: Found str_pointer at 0x308
patch_ticket_check: Found iboot_str_3_xref at 0x1de7c
patch_ticket_check: Found ldr_intruction at 0x1dde8
patch_ticket_check: Found last_good_bl at 0x1ddf0...
patch_ticket_check: Found next_pop at 0x1de6e...
patch_ticket_check: Found next_pop at 0x9ff1de6e...
patch_ticket_check: Found last_branch at 0x1de62...
patch_ticket_check: Patching in mov.w r0, #0 at 0x1ddf4...
patch_ticket_check: Patching in mov.w r1, #0 at 0x1ddf8...
patch_ticket_check: NOPing useless stuff at 0x1ddfc to 0x1de64 ...
patch_ticket_check: Leaving...
patch_rsa_check: Entering...
find_bl_verify_shsh_generic: Entering...
find_bl_verify_shsh_generic: Found LDR instruction at 0x197d8
find_bl_verify_shsh_generic: Found BL verify_shsh at 0x19e12
find_bl_verify_shsh_generic: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x19e12...
patch_rsa_check: Leaving...
iBoot32Patch: Quitting...
Sending iBSS (78044 bytes)...
[==================================================] 100.0%
Sending iBEC (282844 bytes)...
[==================================================] 100.0%
INFO: device serial number is DKVJJ0DRDKPH
Using cached filesystem from 'iPad2,4_8.4.1_12H321_Restore/058-23840-023.dmg'
Sending APTicket (2738 bytes)
Getting ApNonce in recovery mode... 8a 46 2e a9 86 b9 28 9b 26 c6 d2 4c fa 4e 39 c1 86 86 21 cf
[WARNING] Setting bgcolor to green! If you don't see a green screen, then your device didn't boot iBEC correctly
Sending APTicket (2738 bytes)
Recovery Mode Environment:
iBoot build-version=iBoot-2261.30.37
iBoot build-style=RELEASE
Sending RestoreLogo...
Extracting applelogo.s5l8942x.img3...
127.0.0.1 - - [17/Mar/2020 20:02:26] "GET /firmware/iPad2,4/12H321 HTTP/1.1" 301 -
127.0.0.1 - - [17/Mar/2020 20:02:26] "GET /firmware/iPad2,4/12H321/ HTTP/1.0" 200 -
Sending RestoreLogo (5224 bytes)...
ramdisk-size=0x4000000
Extracting 058-23992-023.dmg...
127.0.0.1 - - [17/Mar/2020 20:02:27] "GET /firmware/iPad2,4/12H321 HTTP/1.1" 301 -
127.0.0.1 - - [17/Mar/2020 20:02:27] "GET /firmware/iPad2,4/12H321/ HTTP/1.0" 200 -
Sending RestoreRamDisk (16621660 bytes)...
Extracting DeviceTree.k93aap.img3...
127.0.0.1 - - [17/Mar/2020 20:02:31] "GET /firmware/iPad2,4/12H321 HTTP/1.1" 301 -
127.0.0.1 - - [17/Mar/2020 20:02:31] "GET /firmware/iPad2,4/12H321/ HTTP/1.0" 200 -
Sending RestoreDeviceTree (74480 bytes)...
Extracting kernelcache.release.k93a...
127.0.0.1 - - [17/Mar/2020 20:02:32] "GET /firmware/iPad2,4/12H321 HTTP/1.1" 301 -
127.0.0.1 - - [17/Mar/2020 20:02:32] "GET /firmware/iPad2,4/12H321/ HTTP/1.0" 200 -
Sending RestoreKernelCache (9210940 bytes)...
About to restore device...
Waiting for device...
Device 78ee9479b7432ec0af47dcf6baf7b6c534176249 is now connected in restore mode...
Connecting now...
Connected to com.apple.mobile.restored, version 13
Device 78ee9479b7432ec0af47dcf6baf7b6c534176249 has successfully entered restore mode
Hardware Information:
BoardID: 6
ChipID: 35138
UniqueChipID: 2953278254381
ProductionMode: true
Starting FDR listener thread
ERROR: Unable to connect to FDR client (-2)
ERROR: Failed to start FDR Ctrl channel
About to send RootTicket...
Sending RootTicket now...
Done sending RootTicket
Waiting for NAND (28)
Unmounting filesystems (29)
Unmounting filesystems (29)
Creating partition map (11)
Creating filesystem (12)
Creating filesystem (12)
Mounting filesystems (16)
Mounting filesystems (16)
Resizing system partition (51)
Unmounting filesystems (29)
Unmounting filesystems (29)
About to send filesystem...
Connected to ASR
Validating the filesystem
Filesystem validated
Sending filesystem now...
[==================================================] 100.0%
Done sending filesystem
Verifying restore (14)
[==================================================] 100.0%
Mounting filesystems (16)
Mounting filesystems (16)
About to send KernelCache...
Extracting kernelcache.release.k93a...
Not personalizing component KernelCache...
Sending KernelCache now...
Done sending KernelCache
Installing kernelcache (27)
About to send NORData...
Found firmware path Firmware/all_flash/all_flash.k93aap.production
Getting firmware manifest from Firmware/all_flash/all_flash.k93aap.production/manifest
Extracting LLB.k93a.RELEASE.img3...
Personalizing IMG3 component LLB...
reconstructed size: 150042
Extracting DeviceTree.k93aap.img3...
Not personalizing component DeviceTree...
Extracting applelogo.s5l8942x.img3...
Not personalizing component AppleLogo...
Extracting batterycharging0.s5l8942x.img3...
Not personalizing component BatteryCharging0...
Extracting batterycharging1.s5l8942x.img3...
Not personalizing component BatteryCharging1...
Extracting batteryfull~ipad.s5l8942x.img3...
Not personalizing component BatteryFull...
Extracting batterylow0~ipad.s5l8942x.img3...
Not personalizing component BatteryLow0...
Extracting batterylow1~ipad.s5l8942x.img3...
Not personalizing component BatteryLow1...
Extracting glyphplugin~ipad-30pin.s5l8942x.img3...
Not personalizing component BatteryPlugin...
Extracting iBoot.k93a.RELEASE.img3...
Not personalizing component iBoot...
Extracting recoverymode~ipad-30pin.s5l8942x.img3...
Not personalizing component RecoveryMode...
Sending NORData now...
Done sending NORData
Flashing firmware (18)
[==================================================] 100.0%
Updating gas gauge software (46)
Updating gas gauge software (46)
Fixing up /var (17)
Creating system key bag (49)
Modifying persistent boot-args (25)
Resizing system partition (51)
Unmounting filesystems (29)
Unmounting filesystems (29)
Got status message
Status: Restore Finished
Cleaning up...
DONE
Done: restoring succeeded.
futurerestore done!
If futurerestore failed to download baseband or for some reason, you can choose to retry
[Input] Retry? (y/N) N
[Log] Stopping local server (PID 2191)...
[Log] Downgrade script done!
donz@ubuntu:~/Downloads/32bit-OTA-Downgrader-master$