* HardwareModel: p101ap
* ProductType: iPad3,4
* ProductVersion: 10.3.3
* UniqueChipID (ECID): 1832542806961
*** Main Menu ***
[Input] Select an option:
1) Downgrade device 4) (Re-)Install Dependencies
2) Save OTA blobs 5) (Any other key to exit)
3) Just put device in kDFU mode
#? 1
[Input] Select iOS version:
1) iOS 8.4.1
2) Other
#? 1
[Log] Option: Downgrade
[Log] Saving 8.4.1 blobs with tsschecker...
Version: b9d193aa6e6d24421094873c830692d02d8b32f5 - 304
libfragmentzip version: 0.59-542a470d7be248681dba71d0f04e7dc8c2718b73
[TSSC] manually specified ECID to use, parsed "1832542806961" to dec:1832542806961 hex:1aaac1023b1
[TSSC] opening resources/manifests/BuildManifest_iPad3,4_8.4.1.plist
[WARNING] [TSSC] could not get id0 for installType=Erase. Using fallback installType=Update since user did not specify installType manually
[TSSR] LOG: device iPad3,4 doesn't need a baseband ticket, continuing without requesting a Baseband ticket
[TSSR] Request URL set to https://gs.apple.com/TSS/controller?action=2
[TSSR] Sending TSS request attempt 1... success
[Error] [TSSR] Error: could not get id0 for installType=Erase
Saved shsh blobs!
iOS 8.4.1 for device iPad3,4 IS being signed!
[Log] Successfully saved 8.4.1 blobs.
[Log] Verifying IPSW...
[Log] Extracting iBSS from IPSW...
Archive: iPad3,4_8.4.1_12H321_Restore.ipsw
inflating: saved/iPad3,4/iBSS.p101.RELEASE.dfu
[Log] Decrypting iBSS...
[Log] IV = a5892a58c90b6d3fb0e0b20db95070d7
[Log] Key = 75612774968009e3f85545ac0088d0d0bb9cb4e2c2970e8f88489be0b9dfe103
/Users/tihmstar/clones/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: ee39c972097dcf9e0263e04bec1931e1caeee152497b00c460c58aa58d35a519d9358834aca7135f5c0910681239c904
[Log] Patching iBSS...
[Log] Mounting device with ifuse...
mkdir: mount: File exists
Failed to start AFC service 'com.apple.afc' on the device.
[Log] Copying stuff to device...
[Log] Unmounting device... (Enter root password of your PC/Mac when prompted)
umount: mount: not currently mounted
* Open MTerminal and run these commands:
$ su
(Enter root password of your iOS device, default is 'alpine')
# cd Media
# chmod +x pwn.sh
# ./pwn.sh
* Press home/power button once when screen goes black on the device
[Log] Finding device in DFU mode...
2020-07-26 19:34:48.066 system_profiler[96594:943381] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:34:48.066 system_profiler[96594:943381] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:34:52.676 system_profiler[98845:946765] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:34:52.676 system_profiler[98845:946765] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:34:57.292 system_profiler[1516:950129] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:34:57.292 system_profiler[1516:950129] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:01.897 system_profiler[3775:953473] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:01.897 system_profiler[3775:953473] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:06.485 system_profiler[6026:956824] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:06.485 system_profiler[6026:956824] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:11.074 system_profiler[8277:960163] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:11.074 system_profiler[8277:960163] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:15.680 system_profiler[10527:963562] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:15.680 system_profiler[10527:963562] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:20.191 system_profiler[12679:966778] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:20.192 system_profiler[12679:966778] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:24.683 system_profiler[14831:969986] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
2020-07-26 19:35:24.684 system_profiler[14831:969986] SPUSBDevice: IOCreatePlugInInterfaceForService failed 0xe00002be
[Log] Found device in DFU mode.
[Log] Extracting IPSW...
[Log] Preparing for futurerestore... (Enter root password of your PC/Mac when prompted)
[Log] Device iPad3,4 has no baseband
[Log] Proceeding to futurerestore...
Version: 81b98e0425e17250cc83d5badaf9a8cc6399f481 - 245
Libipatcher version: 3159a387584e352f690cca859e013c3a4683f3e8 - 69
Odysseus support: yes
[INFO] 32-bit device detected
futurerestore init done
reading signing ticket 1832542806961_iPad3,4_8.4.1-12H321_7c1b45f5c7e1abeb5fff03aef82d58b98c21a975.shsh2 is done
Found device iPad3,4 p101ap
WARNING: user specified not to flash a baseband. This can make the restore fail if the device needs a baseband!
if you added this flag by mistake you can press CTRL-C now to cancel
continuing restore in 10 Traceback (most recent call last):
File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/runpy.py", line 194, in _run_module_as_main
return _run_code(code, main_globals, None,
File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/runpy.py", line 87, in _run_code
exec(code, run_globals)
File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/http/server.py", line 1294, in <module>
test(
File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/http/server.py", line 1249, in test
with ServerClass(addr, HandlerClass) as httpd:
File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/socketserver.py", line 452, in __init__
self.server_bind()
File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/http/server.py", line 1292, in server_bind
return super().server_bind()
File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/http/server.py", line 138, in server_bind
socketserver.TCPServer.server_bind(self)
File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/socketserver.py", line 466, in server_bind
self.socket.bind(self.server_address)
OSError: [Errno 48] Address already in use
9 8 7 6 5 4 3 2 1
Found device in DFU mode
requesting to get into pwned DFU later
Found device in DFU mode
Identified device as p101ap, iPad3,4
Extracting BuildManifest from iPSW
Product version: 8.4.1
Product build: 12H321 Major: 12
Device supports IMG4: false
checking APTicket to be valid for this restore...
Verified ECID in APTicket matches device ECID
[WARNING] skipping ramdisk hash check, since device is in pwned DFU according to user
Variant: Customer Erase Install (IPSW)
This restore will erase your device data.
::1 - - [26/Jul/2020 19:35:49] "GET /firmware/iPad3,4/12H321 HTTP/1.1" 301 -
::1 - - [26/Jul/2020 19:35:49] "GET /firmware/iPad3,4/12H321/ HTTP/1.0" 200 -
::1 - - [26/Jul/2020 19:35:49] "GET /firmware/iPad3,4/12H321 HTTP/1.1" 301 -
::1 - - [26/Jul/2020 19:35:49] "GET /firmware/iPad3,4/12H321/ HTTP/1.0" 200 -
Extracting iBSS.p101.RELEASE.dfu...
iBoot32Patch: iBoot-2261 inputted.
patch_rsa_check: Entering...
find_bl_verify_shsh_generic: Entering...
find_bl_verify_shsh_generic: Found LDR instruction at 0x663c
find_bl_verify_shsh_generic: Found BL verify_shsh at 0x69e2
find_bl_verify_shsh_generic: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x69e2...
patch_rsa_check: Leaving...
iBoot32Patch: Quitting...
Extracting iBEC.p101.RELEASE.dfu...
iBoot32Patch: iBoot-2261 inputted.
patch_ticket_check: Entering...
patch_ticket_check: Found iBoot baseaddr 0xbff00000
patch_ticket_check: Found iboot_vers_str at 0x280
patch_ticket_check: Found str_pointer at 0x308
patch_ticket_check: Found iboot_str_3_xref at 0x2029c
patch_ticket_check: Found ldr_intruction at 0x20208
patch_ticket_check: Found last_good_bl at 0x20210...
patch_ticket_check: Found next_pop at 0x2028e...
patch_ticket_check: Found next_pop at 0xbff2028e...
patch_ticket_check: Found last_branch at 0x20282...
patch_ticket_check: Patching in mov.w r0, #0 at 0x20214...
patch_ticket_check: Patching in mov.w r1, #0 at 0x20218...
patch_ticket_check: NOPing useless stuff at 0x2021c to 0x20284 ...
patch_ticket_check: Leaving...
patch_rsa_check: Entering...
find_bl_verify_shsh_generic: Entering...
find_bl_verify_shsh_generic: Found LDR instruction at 0x1bbf4
find_bl_verify_shsh_generic: Found BL verify_shsh at 0x1c22e
find_bl_verify_shsh_generic: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x1c22e...
patch_rsa_check: Leaving...
iBoot32Patch: Quitting...
Sending iBSS (78044 bytes)...
[==================================================] 100.0%
Sending iBEC (295132 bytes)...
[==================================================] 100.0%
[Error] ERROR: Unable to connect to recovery device
Done: restoring failed.
Failed with errorcode=-94
[Log] futurerestore done!
[Log] Stopping local server... (Enter root password of your PC/Mac when prompted)
[Log] Downgrade script done!