futurerestore
futurerestore is a tool that allows for restoring 64-bit iOS devices with provided SHSH blobs. Originally made by tihmstar, it has since been forked and is being maintained in futurerestore nightly.
Legacy iOS Kit has features that let it serve as a futurerestore helper of sorts, making the tool much easier to use. It also serves as an easier and more up-to-date alternative to FutureRestore GUI.
Before using futurerestore, you will need SHSH blobs for your device, and the target iOS version must be compatible with the latest SEP/Baseband/Cryptex.
However, SEP/BB compatibility mostly does not matter anymore for A9(X)/A10(X) devices thanks to turdus merula. Use that instead for iOS versions that are not compatible with the latest SEP; it also supports tethered downgrades for those without blobs.
- A7/A8/A9/A10/A11 device (checkm8 arm64 devices)
- SHSH blobs for target iOS version
- IPSW file for target iOS version
- Plug in your device and start the script by running `restore.sh`
- When the main menu shows up, select Restore/Downgrade.
- Select "Other (Use SHSH Blobs)"
  - See notes below about the "Set Nonce Only" option
- Select the target IPSW file and SHSH blobs, then select Start Restore.
- When prompted, select your options and follow the given instructions to put the device in recovery/pwnDFU mode.
  - See notes below about the "Pwned Restore Option"
- After the restore process, your device will be successfully downgraded/restored to your selected target version.
  - See Notes section in the Restore/Downgrade page regarding version compatibility
- One option that will be prompted after selecting Start Restore is the "Pwned Restore Option" (`--use-pwndfu`). This option is recommended to be enabled at all times, especially for OTA/onboard/factory blobs, where it is required.
  - For A7 devices, this option is disabled by default, mainly because of difficulties pwning A7 devices (especially on Linux). If this is the case for you, it is recommended to set the nonce manually for these devices instead.
  - For A7 devices downgrading to iOS 10.3.3 (OTA Downgrade), pwning is done even with the Pwned Restore Option disabled since it is required. In this case, just select the default option.
- There may be instances where blob validation needs to be skipped. This can be enabled by going to Misc Utilities -> Enable Flags -> Enable skip-blob flag, or by running Legacy iOS Kit `restore.sh` with `--skip-blob`
- There is also an option to "Set Nonce Only", meaning the device's nonce generator will be set to the selected SHSH blob generator, making the device ready for restoring even without the "Pwned Restore Option" enabled.
- In Legacy iOS Kit, the builds of futurerestore currently come from my fork with minimal changes such as disabled update check (fixing the Segmentation Fault that can be encountered when it checks for updates), and 10.11 El Capitan support.
- The build of futurerestore used also depends on the target iOS version. For iOS 15 and lower, the main branch is used. The dev branch is only used when restoring to an iOS 16 or newer version.
- There is also the option to set the nonce generator of your device manually. You will need to do this if you want to restore with the "Pwned Restore Option" disabled.
- Using "Set Nonce Only" is also an option as already mentioned in notes above
- This section below can be especially useful for A8(X) devices since those have issues with setting the generator using futurerestore.
- To find the generator for your blob, open the shsh2 file in a text editor and find "generator". You will find something like `0x1111111111111111`; take note of it, as that is your generator.
  - If you cannot find any generator in the blob, that blob cannot be used for restoring.
- Install MTerminal or NewTerm 2 from https://repo.chariz.com
- In MTerminal or NewTerm 2, run the following commands:
  - `su`
  - `alpine` (or your root password if you changed it)
  - `nvram com.apple.System.boot-nonce=[generator]`
  - For example, if your generator is `0x1111111111111111`, the command will be `nvram com.apple.System.boot-nonce=0x1111111111111111`
- Run `nvram -p` to verify
- Add https://repo.1conan.com/ to your sources.
- Add https://repo.chariz.com/ to your sources.
- Download and install dimentio
- Download and install NewTerm 2
- Open NewTerm 2 on your device and type the following command:
  - `su root -c 'dimentio [generator]'`
  - For example, if your generator is `0x1111111111111111`, the command will be `su root -c 'dimentio 0x1111111111111111'`
  - Type your root password when prompted (default is `alpine`)
- Run `nvram -p` to verify
- Add https://lukezgd.github.io/x8a4/ to your sources.
- Add https://repo.chariz.com/ to your sources.
- Download the following from the x8A4 repo: `libkrw0` 1.1.2, `libkrw0-tfp0` 1.1.2, `libx8a4-1`, `x8A4`
- Download and install NewTerm 2 or NewTerm 3 Beta
- Open NewTerm on your device and type the following command:
  - `sudo x8A4 -s [generator]`
  - For example, if your generator is `0x1111111111111111`, the command will be `sudo x8A4 -s 0x1111111111111111`
  - Type your mobile password when prompted (for iOS 14, default is `alpine`; for iOS 15 and newer, whatever you set during Dopamine/palera1n setup)
- x8A4 should say successfully set apnonce
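
The generator lookup and the three manual set-nonce commands described above can be scripted instead of done by hand in a text editor. This is an added example, not code from Legacy iOS Kit or futurerestore; it assumes the shsh2 file is a property list with a top-level `generator` string of `0x` plus 16 hex digits, and the function names and the sample blob are constructed for illustration.

```python
import plistlib
import re
from xml.parsers.expat import ExpatError

# Assumption: a generator is "0x" followed by exactly 16 hex digits.
GENERATOR_RE = re.compile(r"0x[0-9a-fA-F]{16}")

# Constructed sample; a real .shsh2 file carries a much larger ApImg4Ticket.
SAMPLE_BLOB = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>ApImg4Ticket</key>
    <data>AAAA</data>
    <key>generator</key>
    <string>0x1111111111111111</string>
</dict>
</plist>
"""


def read_generator(blob_bytes):
    """Return the blob's generator, or None if the blob cannot be used."""
    try:
        blob = plistlib.loads(blob_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return None
    generator = blob.get("generator") if isinstance(blob, dict) else None
    if not isinstance(generator, str):
        return None
    generator = generator.strip()
    # Strict match: the value is later pasted into a command run as root.
    return generator if GENERATOR_RE.fullmatch(generator) else None


def manual_commands(generator):
    """Build the three set-nonce commands from this page for a valid generator."""
    if not GENERATOR_RE.fullmatch(generator):
        raise ValueError("not a valid generator: %r" % generator)
    return {
        "nvram": "nvram com.apple.System.boot-nonce=" + generator,
        "dimentio": "su root -c 'dimentio " + generator + "'",
        "x8A4": "sudo x8A4 -s " + generator,
    }


if __name__ == "__main__":
    found = read_generator(SAMPLE_BLOB)
    print(manual_commands(found) if found else "no generator: blob unusable")
```

The strict pattern check matters because the value ends up in a command typed as root on the device; anything that is not a plain generator is rejected rather than passed through.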