iOS hacker tihmstar has just released the Prometheus downgrade tool, which can be used (in some cases) to downgrade or upgrade your iPhone to a firmware that is no longer being signed.

We highly recommend reading our previous post about the Prometheus downgrade tool, where we already covered it in detail.

Background

Prometheus is not a single GUI tool but a collection of tools, including “nonceenabler”, “futurerestore” and “img4tool”. Together, they provide the upgrade/downgrade functionality.

Prometheus can be used in two ways. The first uses “nonceenabler” and “futurerestore” together. It is more reliable and faster, but requires a jailbreak and .shsh2 blobs saved with a generator. The second uses only “futurerestore” and does not require a jailbreak, but relies on a probabilistic nonce collision that may take a long time to succeed (or never succeed at all). This second way still requires .shsh2 blobs, but saved with a specific nonce and no generator. It only seems to work for certain devices, and may take forever.

Requirements

  • A 64-bit device, excluding the iPhone 7(+). Do not bother trying with a 32-bit device or an iPhone 7(+).
  • In most cases, a jailbreak on the firmware you are leaving.
    (Not required on some iPhone 5s and iPad Air models when using the nonce collision method.)
  • If using Prometheus with a jailbreak, saved .shsh2 blobs for the firmware you want to restore to, with a generator. The generator is a field within the .shsh2 file, which can be seen by opening it and looking near the end of the document.
  • If using Prometheus with no jailbreak, saved .shsh2 blobs for the firmware you want to restore to, created using one (or more) of the 5 specific nonces given out by tihmstar, which have been found to work most often in a probabilistic attack.
  • If using Prometheus with a jailbreak, the jailbreak must have “tfp0” functionality (the “host_get_special_port” workaround is also fine). This rules out some jailbreaks.
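Before picking a method it is worth confirming whether your saved blobs actually carry a generator, since that decides between the nonceenabler route and the nonce collision route. The script below is an added example for this post, not part of tihmstar's tools; it reads the “generator” key from a .shsh2 plist and, as an assumption not stated in the post, derives the ApNonce for the A7–A9 devices covered here as the SHA-1 of the little-endian 64-bit generator. The sample blobs are constructed inline with a dummy ApImg4Ticket.

```python
import hashlib
import plistlib
import re
import struct

# A generator is a 64-bit value written as "0x" plus 16 hex digits.
GENERATOR_RE = re.compile(r"^0x[0-9a-fA-F]{16}$")


def extract_generator(shsh2_bytes: bytes):
    """Return the 'generator' string from a .shsh2 plist, or None if absent."""
    blob = plistlib.loads(shsh2_bytes)
    gen = blob.get("generator")
    if gen is None:
        return None
    if not GENERATOR_RE.match(gen):
        raise ValueError(f"malformed generator field: {gen!r}")
    return gen.lower()


def generator_le_bytes(generator: str) -> bytes:
    """Pack the generator as the 8 little-endian bytes the device hashes."""
    return struct.pack("<Q", int(generator, 16))


def generator_to_apnonce(generator: str) -> str:
    """ApNonce for A7-A9 devices: SHA-1 over the little-endian generator
    (assumption: this derivation is not stated in the post)."""
    return hashlib.sha1(generator_le_bytes(generator)).hexdigest()


def choose_method(shsh2_bytes: bytes) -> str:
    """Blobs with a generator suit nonceenabler; without one, only collision."""
    return "nonceenabler" if extract_generator(shsh2_bytes) else "nonce-collision"


# Constructed sample blobs; the ApImg4Ticket payload is dummy bytes, not a real ticket.
_DUMMY_TICKET = b"\x30\x82\x00\x00placeholder-ticket"
SAMPLE_WITH_GENERATOR = plistlib.dumps(
    {"ApImg4Ticket": _DUMMY_TICKET, "generator": "0x0102030405060708"})
SAMPLE_WITHOUT_GENERATOR = plistlib.dumps({"ApImg4Ticket": _DUMMY_TICKET})
SAMPLE_MALFORMED = plistlib.dumps({"ApImg4Ticket": _DUMMY_TICKET, "generator": "0x12"})

if __name__ == "__main__":
    for name, data in (("with", SAMPLE_WITH_GENERATOR), ("without", SAMPLE_WITHOUT_GENERATOR)):
        gen = extract_generator(data)
        nonce = generator_to_apnonce(gen) if gen else "(none; needs nonce collision)"
        print(f"{name} generator -> method={choose_method(data)} generator={gen} apnonce={nonce}")
```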

Process

There is some confusion over how to follow tihmstar’s process, as it is not unified. Depending on your situation, you may have to follow more than one video to complete the process. If you have your blobs saved with a generator and have a current jailbreak, follow Steps 1 and 2. If you have your blobs saved with the 5 nonces tihmstar made public, and are attempting the process without a jailbreak, go straight to Step 2.

1) The video below shows you how to use your jailbreak to set a specific nonce on your device. The advantage of this is that once the specific nonce has been manually set (which will match the generator in the .shsh2 files you saved), the restore will be accepted immediately on the first try, as the nonce and .shsh2 generators match.

Therefore, using Prometheus this way is recommended if you have a jailbreak. Follow the above video and set your nonce with “nonceenabler”. Once the nonce is set and the device is in recovery mode (from 0:00 – 10:35 in the above video), you can move onto Step 2.

2) The video below shows how to restore an unsigned firmware onto your device, using the “futurerestore” component of Prometheus. If you just came from Step 1 and have set your nonce, follow the instructions from the beginning of the video up to 5:53, but ignore any talk about the nonce collision method. At 5:53, pay close attention to what he says. Your device will already be in recovery mode and you must leave out the “-w” flag here. Then continue with the instructions (you will not have to wait through the rebooting stage which the video shows).


If you have no jailbreak and started at Step 2, follow the video below to the letter, using one of the most commonly generated nonces. It may take a few minutes, or an unknown amount of time, because you will have to use the nonce collision method. This is probabilistic and relies on some luck and time; without a jailbreak you cannot set the right nonce on the device yourself.

Together, these two videos cover the whole process of downgrading with Prometheus, using both the “nonceenabler jailbreak method” and the “nonce collision no-jailbreak method”.
