Thursday, 15 September 2016

Prometheus FAQ

Hello everyone,

many people have asked me lots of questions about my upcoming tool called prometheus.
This post intends to answer common questions:

Q: When will prometheus be released?
A: The planned release date is 31.12.16

Q: Will that work on Windows/Linux?
A: I plan to release a compiled command-line tool for OSX and Linux. Windows is not planned at the moment. But I also plan to release all my source code so you can compile it yourself.

Q: Will you make a GUI?
A: I might make a GUI for OSX. Not sure about anything else. It depends a lot on how much time I have.

Q: Does prometheus work with my device?
A: Yes, prometheus technically works with every iOS device. Because this is the first downgrade tool for 64bit, I'm mostly focusing on that now. I haven't tested this with 32bit devices, but if there are any issues I will look into that once I'm done with 64bit.

Q: Does that work with iOS XYZ?
A: So far I believe it works with all iOS versions up to iOS 10.0. I have only tested on iOS 9 and iOS 10, but there is no reason why it wouldn't work on iOS 8, for example. In case Apple changes something now, I will let you know about that, but at the moment all iOS versions should be compatible.

Q: Can I use this to upgrade to an iOS version which is not signed anymore?
A: Yes. Prometheus can not only be used for downgrading, but also for upgrading your device similar to odysseus. This means you can go from iOS 7 to iOS 9 even if only iOS 10 is signed at the moment.

Q: Do i need SHSH blobs / APTicket?
A: Yes. Prometheus heavily depends on APTickets and, more importantly, on the ApNonce inside the APTicket. This means that even if you have a valid APTicket, there is a chance it cannot be used (yet?) for downgrading.

Q: I saved my APTicket with savethemblobs/TinyUmbrella/... Can I use those with prometheus?
A: It depends. Technically it doesn't matter what tool you use to save your APTicket, but what really matters in the case of prometheus is the ApNonce. This is what decides whether that APTicket can be used for downgrading with this method or not. I don't want to go into details right now, but once prometheus is released I'll explain in detail what conditions need to be met to downgrade, what is possible and what is not.

Q: My APTicket can't be used for prometheus. Does that mean I should delete it, throw my phone away, sell my house and leave my children?
A: NO! Don't ever delete your APTickets! Even if you can't use them with prometheus right now, you never know whether it'll be possible to use them in the future with prometheus or a different downgrade tool. Prometheus goes an unusual way, which allows you to do very cool stuff on the one hand, but on the other hand its use case is very limited. There is a good chance that there will be different tools in the future which can use your APTickets even if they can't be used right now.

Q: Do i need a jailbreak?
A: This is one of the things which excites me the most about prometheus. There are use cases where you can downgrade without the need of a jailbreak! I don't know all of these, but what I've seen so far hints that it's device specific whether you need a jailbreak or not. I've seen nonce collisions on iPhone5s and iPad Air. All devices which have nonce collisions are technically eligible for downgrading without jailbreak, but you need more! There are a few things you need to do to take advantage of these nonce collisions.
1. First you need to figure out which ApNonce is generated the most often. It doesn't hurt if you write down the top 5 nonces.
2. Second you need to request an APTicket for that nonce while Apple still signs the iOS version you want to downgrade to.
You can do that with "tsschecker -d DEVICE -l -e ECID -s --apnonce NONCE"
For example: "tsschecker -d iPhone6,2 -l -e 6537582623 -s --apnonce 603be133ff0bdfa0f83f21e74191cf6770ea43bb"
3. Then, once that version isn't signed anymore, you will be able to downgrade.

Q: Will I still be able to use prometheus when I upgrade to iOS 10?
A: With every update there is a chance that something changed which influences how nonces are generated. If your device does generate nonce collisions, you can do the following while the old version is still signed:
1. Update your device (only if you actually want this).
2. Use the noncestatistics tool to figure out which nonce is generated the most often.
3. Request an APTicket for that nonce for the older version (iOS 9.3.5 for example) while it's still signed.
4. Done
If your device does not generate any collisions, it doesn't matter what iOS version it's on, as you'll need a jailbreak for downgrading.
(Unless Apple updates stuff which makes prometheus not work on newer iOS, but we can't know about that until a jailbreak is released.)

Q: What can I do right now to be able to downgrade in the future?
A: This is a very good question! At the time of writing iOS 10.0.1 is the latest version, but iOS 9.3.5 is still being signed.
What you should do, whether you have collisions or not, is request APTickets for your device for iOS 9.3.5 (if you want to downgrade to 9.3.5 later) for the following ApNonces:
603be133ff0bdfa0f83f21e74191cf6770ea43bb
352dfad1713834f4f94c5ff3c3e5e99477347b95
42c88f5a7b75bc944c288a7215391dc9c73b6e9f
0dc448240696866b0cc1b2ac3eca4ce22af11cb3
9804d99e85bbafd4bb1135a1044773b4df9f1ba3
One of them should be enough, but it doesn't hurt to get APTickets for all of them. Better to have saved one ticket too many than to have no ticket you can work with.
If your device generates collisions, you should also save tickets for the nonce that is generated the most often.

Q: What are these nonces on your blog and why do i have to request APTicket for those?
A: I'll tell you more about that once prometheus is released, but right now it is enough to know that if you have APTickets for those nonces, you will be able to downgrade in the future by using a jailbreak.
(Unless Apple makes significant changes.)

Q: My device generates collisions, do i still need to save APTickets for those nonces?
A: Yes, I would recommend it. It doesn't hurt and you'll be grateful in the future when you decide to downgrade.



More questions?
Just send me a mail at tihmstar@gmail.com or ask on Twitter @tihmstar :)

greets
tihmstar

Friday, 9 September 2016

Noncestatistics

Hello everybody,
thank you very much to everyone who sent me nonces!

I wanted to research these collisions a bit and now I want to share what I have found out so far.
Here are all collisions inside the files i got: https://ghostbin.com/paste/6k62b

It is also interesting that there are collisions between different devices of the same model, with different iOS versions.
You can see those stats here: https://ghostbin.com/paste/p74ng

This means that we can use one iPhone5s to generate nonces and find out which nonces are generated the most often with a given iOS version. Then other people with an iPhone5s can request APTickets with that nonce and hope that they will eventually get that nonce.
You don't need to send me any more nonces.
But you should still take your device, run it for a few hours and check which nonce is generated the most often. In case you're lucky and there is a nonce which repeats every now and then, you should definitely grab tsschecker and request tickets for that specific ApNonce (you can do that with the --apnonce parameter), because that means you'll likely be able to downgrade without a jailbreak!
Warning: I noticed that nonces change when updating to iOS 10, which means there are different nonces which repeat on my device.
In order to downgrade you need to have the device generate the same nonce you got the APTicket for.

In case your device does not generate collisions you should request some tickets with these nonces:
603be133ff0bdfa0f83f21e74191cf6770ea43bb
352dfad1713834f4f94c5ff3c3e5e99477347b95
42c88f5a7b75bc944c288a7215391dc9c73b6e9f
0dc448240696866b0cc1b2ac3eca4ce22af11cb3
9804d99e85bbafd4bb1135a1044773b4df9f1ba3
This will allow you (unless Apple makes significant changes to their bootloaders) to downgrade with a jailbreak.
Make sure to request tickets with these nonces even if your device does generate collisions. It doesn't hurt ;)

Stay tuned for more updates
greets tihmstar

Thursday, 8 September 2016

prometheus downgrade and nonce collision

Hello everybody,
as some of you might have heard already, I've been working on something called prometheus.
Prometheus is, much like odysseus, a technique for downgrading.
With prometheus it is possible for the first time to downgrade 64bit devices!
A lot of people asked if this is 64bit only and if it's only for iPhone5s.
No, it's not, but as this is the first tool to downgrade 64bit devices I'm focusing on that first.
32bit devices are supported by this technique, as are all 64bit devices.
The second question people asked is whether a jailbreak is required for downgrading.
The answer is: for some devices a jailbreak is necessary, for some it's not.

The problem is I have no idea when a jailbreak is definitely required and when you can also downgrade without a jailbreak.
Downgrade with jailbreak is always more likely to be possible than without, that means if you can't downgrade without a jailbreak, there is a chance you still can with a jailbreak.
My iPhone5s does not need a jailbreak, but all my other devices do need one.
I tried an iPhone5s from a friend and his iPhone can't be downgraded without a jailbreak.

I have no idea what is causing this, this is why i need your help!
So the basic idea of this tool is to run a replay attack with your saved APTicket, much like in the good old days with iOS 4. Since iOS 5, when APTickets were introduced, there is a nonce stopping you from "simply replaying the APTicket".
So to be able to replay the APTicket we have to make the device regenerate the same nonce.
There are two ways (that I know of) to make the device regenerate the same nonce.
One requires a jailbreak and the other is simply bad randomness.

So for reasons I don't know, my iPhone5s generates a few nonces over and over again, so I can simply request a ticket for that nonce as long as it's signed and then keep rebooting it until I get the same nonce. Then I can just replay that APTicket and start the downgrade.
Of course there is more to downgrading than just replaying the APTicket with the nonce; for example there is still SEP and the Baseband. Just don't worry about that, I have a plan for this.
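To make the anti-replay role of the nonce concrete, here is an added toy model that is not part of the original post and not Apple's ticket format: a "signing server" binds device, build and the device's current nonce into a ticket (HMAC with a constructed key stands in for the real signature), and the device-side check accepts a saved ticket only when this boot's nonce equals the one in the ticket. With a strong nonce generator a saved ticket never verifies again; with a generator that only ever picks from a small pool (the "bad randomness" case described above) the same ticket is accepted after a few reboots. The device name, build label and key are placeholders.

```python
import hashlib
import hmac
import random
import secrets

# Constructed key standing in for the signing server's private key (toy model only).
SERVER_KEY = b"constructed-example-signing-key"
NONCE_LEN = 20  # an ApNonce is 20 bytes, shown as 40 hex characters in the posts


def _payload(device_id, build, nonce):
    # Everything the ticket vouches for is covered by the MAC, including the nonce.
    return f"{device_id}|{build}|{nonce.hex()}".encode()


def issue_ticket(device_id, build, nonce):
    """Signing-server side: the ticket is bound to the nonce the device sent with its request."""
    tag = hmac.new(SERVER_KEY, _payload(device_id, build, nonce), hashlib.sha256).digest()
    return {"device_id": device_id, "build": build, "nonce": nonce, "tag": tag}


def verify_ticket(ticket, device_id, boot_nonce):
    """Device side: accept only an untampered ticket for this device whose nonce equals THIS boot's nonce."""
    expected = hmac.new(
        SERVER_KEY, _payload(ticket["device_id"], ticket["build"], ticket["nonce"]), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return False  # signature check: the ticket was altered
    if ticket["device_id"] != device_id:
        return False  # ticket issued for another device
    return hmac.compare_digest(ticket["nonce"], boot_nonce)  # freshness check


def boots_until_accepted(ticket, device_id, nonce_source, max_boots):
    """Simulate reboots, drawing a new nonce each time; return the boot on which the
    saved ticket is accepted, or None if it is never accepted within max_boots."""
    for boot in range(1, max_boots + 1):
        if verify_ticket(ticket, device_id, nonce_source()):
            return boot
    return None


def strong_nonce_source():
    """A properly random 160-bit nonce per boot."""
    return lambda: secrets.token_bytes(NONCE_LEN)


def weak_nonce_source(pool, seed=0):
    """Models bad randomness: the device only ever picks from a small fixed pool of nonces."""
    rng = random.Random(seed)
    return lambda: rng.choice(pool)


if __name__ == "__main__":
    dev, build = "iPhone6,2", "BUILD-A"  # constructed labels
    # Strong generator: the ticket is bound to a nonce that will not come back.
    t = issue_ticket(dev, build, secrets.token_bytes(NONCE_LEN))
    print("strong RNG, accepted at boot:", boots_until_accepted(t, dev, strong_nonce_source(), 1000))
    # Weak generator: four repeating nonces; a ticket for one of them is accepted after a few reboots.
    pool = [secrets.token_bytes(NONCE_LEN) for _ in range(4)]
    t = issue_ticket(dev, build, pool[0])
    print("weak RNG, accepted at boot:", boots_until_accepted(t, dev, weak_nonce_source(pool), 1000))
```

The point of the model is the last line of verify_ticket: the signature alone does not stop replay, since a saved ticket is still validly signed; only the comparison against a fresh, unpredictable boot nonce does, and that protection is exactly as strong as the nonce generator.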

Let's focus on the ApNonce for now.
I need your help to figure out more about this bad randomness.
There is a tool I coded which is called "noncestatistics".
You can download it here: (OSX) https://github.com/tihmstar/noncestatistics/releases/tag/0.2
SHA1 (a1c0f78ad8b3c49bd10ea62006e551080cff5f81)
Sourcecode: https://github.com/tihmstar/noncestatistics

That tool will put your device in recovery mode, read out the ApNonce and write it to a file. Then it will reboot, read the nonce again and again write it to a file. This will continue until you stop it with Ctrl-C. Then it will reboot your device into normal mode and you can use it as if nothing happened. This is completely safe. You can use -h for help.
(In case something doesn't work, you can set the -a parameter to only set auto-boot to true.)
If you want to help me, get this tool, connect your device, let it generate 1000 or more nonces and email them to me (tihmstar@gmail.com). Make sure to write in the mail what device you're using and what iOS version is installed.
Maybe with this info we can figure out how we can use this for future downgrades.
Also you can run "noncestatistics -s FILE" to figure out which nonce is generated the most often (if there is any) and always request an APTicket for that nonce with tsschecker.
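The analysis that "noncestatistics -s FILE" performs, and steps 1 and 2 of the FAQ procedure (write down the top nonces, then request a ticket per nonce with tsschecker), as an added Python example that is not noncestatistics' own code: it reads a one-nonce-per-line file, keeps only well-formed 40-hex-character nonces, ranks them by frequency, compares the number of repeats against the birthday bound for a uniformly random 160-bit value, and builds the tsschecker command lines shown in the FAQ. The sample file is constructed for the example (three of its values are nonces quoted in the posts, the rest are made-up fillers), and the ECID is a placeholder.

```python
import re
from collections import Counter
from math import expm1

# Constructed sample in the one-nonce-per-line shape noncestatistics writes.
# One deliberately malformed line shows that junk is skipped rather than counted.
SAMPLE_NONCE_FILE = """\
603be133ff0bdfa0f83f21e74191cf6770ea43bb
7f0c2a9e1d4b8c3f6a5e2d1c0b9a8f7e6d5c4b3a
603be133ff0bdfa0f83f21e74191cf6770ea43bb
352dfad1713834f4f94c5ff3c3e5e99477347b95
not-a-nonce
603be133ff0bdfa0f83f21e74191cf6770ea43bb
1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d
352dfad1713834f4f94c5ff3c3e5e99477347b95
9804d99e85bbafd4bb1135a1044773b4df9f1ba3
603be133ff0bdfa0f83f21e74191cf6770ea43bb
"""

NONCE_RE = re.compile(r"^[0-9a-f]{40}$")  # a 20-byte ApNonce rendered as lowercase hex


def parse_nonces(text):
    """Return the well-formed nonces in file order (lower-cased); malformed lines are dropped."""
    nonces = []
    for line in text.splitlines():
        candidate = line.strip().lower()
        if NONCE_RE.match(candidate):
            nonces.append(candidate)
    return nonces


def top_nonces(nonces, n=5):
    """The n most frequent nonces with their counts (the 'top 5' the FAQ suggests writing down)."""
    return Counter(nonces).most_common(n)


def collision_report(nonces):
    """Observed repeats versus what a uniformly random 160-bit nonce would produce."""
    total = len(nonces)
    repeats = total - len(set(nonces))
    # Birthday bound: P(any repeat among `total` uniform 160-bit draws) = 1 - exp(-n(n-1)/2^161).
    # expm1 keeps precision for the astronomically small values this yields.
    p_random = -expm1(-total * (total - 1) / 2.0 ** 161)
    return {
        "total": total,
        "distinct": total - repeats,
        "repeated_draws": repeats,
        "p_any_repeat_if_random": p_random,
        # Even a single repeat in a few thousand draws is incompatible with a random 160-bit nonce.
        "bad_randomness": repeats > 0,
    }


def tsschecker_commands(device, ecid, nonces):
    """One tsschecker invocation per nonce, in the form the FAQ shows for step 2."""
    return [f"tsschecker -d {device} -l -e {ecid} -s --apnonce {nonce}" for nonce in nonces]


if __name__ == "__main__":
    nonces = parse_nonces(SAMPLE_NONCE_FILE)
    for nonce, count in top_nonces(nonces):
        print(f"{count:4d}  {nonce}")
    print(collision_report(nonces))
    repeating = [nonce for nonce, count in top_nonces(nonces) if count > 1]
    for cmd in tsschecker_commands("iPhone6,2", "<ECID placeholder>", repeating):
        print(cmd)
```

Run it against a real noncestatistics output file by replacing SAMPLE_NONCE_FILE with the file's contents; any nonce whose count is above one is a candidate for a ticket, and a report with bad_randomness set is the signal that the device's generator is not behaving like a random 160-bit source.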

That's about it for this post,
stay tuned for more information

greets
tihmstar