OdysseusOTA

Developer(s): @tihmstar
Initial release: 28 Jun 2015
Stable release: 2.4 / 9 Jul 2016
Written in: C
Operating system: Linux, OS X
Available in: English
Type: Downgrading
Website: YouTube tutorial with download links

OdysseusOTA is a downgrading utility that allows the 2011 models of the iPad 2 and the iPhone 4S to be downgraded to iOS 6.1.3. It is based on Odysseus and therefore only works with jailbroken devices. All compatible devices can be updated to iOS 9.3.5 and jailbroken with Phœnix. OdysseusOTA v2.4 is the latest version; it is not to be confused with OdysseusOTA2, a similar but separate tool for downgrading to iOS 8.4.1.

How it works

The 2011 devices, iPad 2 and iPhone 4S, cannot be OTA updated directly from iOS 5 to versions above iOS 6.1.3. Instead of forcing users to update through iTunes, Apple never stopped signing iOS 6.1.3 for OTA updates. OdysseusOTA exploits this in three steps:

  1. A custom IPSW is created. All files are decrypted, iBEC, iBSS and ASR are patched, and the build manifest is modified by replacing the UPDATE/ERASE hashes with the corresponding OTA hashes.
  2. SHSH blobs and an APTicket are requested. The request is accepted because Tatsu cannot tell that it does not come from a device that is actually being OTA updated.
  3. The device is booted into kDFU mode using kloader and the restore process is initiated. Since all integrity checks have been patched out of the boot loaders and ASR, the process succeeds even though the nonce, the root filesystem signature and some hashes would have failed validation. These are never validated again once the restore is finished anyway.

The baseband is also flashed in the process. The process will fail if the device has a baseband and the user forgets to pass the -bbupdate parameter when creating the custom IPSW.
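The check that steps 1 and 3 above revolve around is the comparison of each firmware component against the digest recorded in the build manifest. The following script is an added example, not OdysseusOTA's code or part of the wiki page: it reads a BuildManifest.plist, selects the Erase or Update BuildIdentity, compares each component's digest with the manifest entry, and lists components whose digests differ between the two identities. The manifest layout uses the real BuildIdentities / Info.RestoreBehavior / Manifest.<component>.Digest keys, but the manifest contents, file paths and component bytes are constructed here, and the use of SHA-1 digests is an assumption.

```python
"""Check firmware components against the digests recorded in a BuildManifest.

Added example, not code from OdysseusOTA or The iPhone Wiki.  A restore compares
the digest of every component it is about to flash with the Digest stored under
the chosen BuildIdentity in BuildManifest.plist; this script performs that
comparison and also lists components whose digests differ between two identities
(for example Erase vs. Update).  The manifest and component bytes are constructed;
SHA-1 digests are assumed.
"""
import hashlib
import plistlib


def build_sample_manifest(erase: dict, update: dict) -> bytes:
    """Construct a minimal BuildManifest.plist with one Erase and one Update identity.

    Only the keys needed for the digest check are present (real manifests carry
    many more).  Each identity's Digest values are computed from the bytes given.
    """
    def identity(behavior: str, components: dict) -> dict:
        return {
            "Info": {"RestoreBehavior": behavior},
            "Manifest": {
                name: {"Digest": hashlib.sha1(data).digest(),
                       "Info": {"Path": f"Firmware/{name}.img3"}}  # constructed path
                for name, data in components.items()
            },
        }

    return plistlib.dumps({
        "ProductVersion": "6.1.3",
        "SupportedProductTypes": ["iPhone4,1"],
        "BuildIdentities": [identity("Erase", erase), identity("Update", update)],
    })


def select_identity(manifest: dict, behavior: str) -> dict:
    """Return the BuildIdentity whose Info.RestoreBehavior equals `behavior`."""
    for identity in manifest["BuildIdentities"]:
        if identity["Info"].get("RestoreBehavior") == behavior:
            return identity
    raise KeyError(f"no BuildIdentity with RestoreBehavior={behavior!r}")


def verify_components(manifest_bytes: bytes, behavior: str, components: dict) -> dict:
    """Map each manifest component to "ok", "digest mismatch" or "missing".

    A restore that performs this check refuses to flash anything but "ok";
    the page describes boot loaders and ASR with this class of check removed.
    """
    identity = select_identity(plistlib.loads(manifest_bytes), behavior)
    results = {}
    for name, entry in identity["Manifest"].items():
        data = components.get(name)
        if data is None:
            results[name] = "missing"
        elif hashlib.sha1(data).digest() != entry["Digest"]:
            results[name] = "digest mismatch"
        else:
            results[name] = "ok"
    return results


def digest_differences(manifest_bytes: bytes, behavior_a: str, behavior_b: str) -> list:
    """List components whose Digest differs between two identities of one manifest.

    Useful when auditing a manifest: entries that were swapped for other hashes
    show up as differences against an identity that was left untouched.
    """
    manifest = plistlib.loads(manifest_bytes)
    a = select_identity(manifest, behavior_a)["Manifest"]
    b = select_identity(manifest, behavior_b)["Manifest"]
    return sorted(name for name in a.keys() & b.keys()
                  if a[name]["Digest"] != b[name]["Digest"])


def demo() -> tuple:
    """Build a manifest from constructed bytes, then alter one component."""
    erase = {"iBSS": b"constructed iBSS bytes", "iBEC": b"constructed iBEC bytes",
             "RestoreRamDisk": b"constructed erase ramdisk"}
    update = dict(erase, RestoreRamDisk=b"constructed update ramdisk")
    manifest = build_sample_manifest(erase, update)
    altered = dict(erase, iBEC=erase["iBEC"] + b" modified")
    return (verify_components(manifest, "Erase", altered),
            digest_differences(manifest, "Erase", "Update"))


if __name__ == "__main__":
    statuses, differing = demo()
    for name, status in statuses.items():
        print(f"{name}: {status}")
    print("digests differing between Erase and Update:", differing)
```

Running the script reports the altered iBEC as a digest mismatch and RestoreRamDisk as the only component whose digest differs between the Erase and Update identities, which is exactly the kind of discrepancy a manifest with substituted hashes would show against an unmodified one.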

Compatibility

Four devices are eligible for OTA downgrading:

  • iPad2,1 (iPad 2 WiFi)
  • iPad2,2 (iPad 2 GSM)
  • iPad2,3 (iPad 2 CDMA)
  • iPhone4,1 (iPhone 4S)

The 2012 iPad 2 is not eligible, and neither are the 3rd or 4th generation iPad, the iPhone 5 or the 5th generation iPod touch. Compatibility with these devices cannot and will not be implemented.

Version history

Version | Date        | Changes
1.0     | 28 Jun 2015 | Initial release
1.0.1   | 28 Jun 2015 | Changes to the Mac versions of ipsw and xpwntool
1.0.2   | 29 Jun 2015 | Fixes missing libraries for idevicerestore through static linking on Mac
2.0     | 5 Jul 2015  | iPad2,1 bundle is added
2.2     | 5 Jul 2015  | iPad2,2 bundle is added
2.3     | 5 Jul 2015  | iPad2,3 bundle is added
2.4     | 9 Jul 2016  | Fixes compatibility with OS X El Capitan

FAQ

Below is a collection of questions answered by tihmstar.

Do I need SHSH blobs for a downgrade with odysseusOTA?
No, during the process OTA blobs are fetched automatically, so you don’t need to have them saved.

Can I downgrade my iPhone 4S 8GB to 6.1.3? I always get "could not retrieve device serial number".
It seems like that model is not compatible. I haven’t heard of anyone who successfully downgraded that device.

Can you make a bundle for device X for iOS Y? Thank you.
No, please stop asking. I’m personally only interested in OTA downgrades, that is, downgrades for which saved SHSH blobs aren’t required and where the baseband can be downgraded. I made some bundles for the iPad 2 on 6.1.3 and I will make 8.4.1 bundles for the devices which are compatible with odysseusOTA2 and for which I have keys. Besides those, I’m not planning to make any bundles.

Can I use odysseusOTA to bypass iCloud lock?
No, you need to be jailbroken to put your device in kDFU mode, and after the downgrade you need to activate your device. That means you do need to know the Apple ID and password in case the device is iCloud locked. Neither odysseusOTA nor odysseus will ever support bypassing iCloud lock.

Does odysseusOTA work with the iOS X.X.X jailbreak?
To put the device in kDFU mode, the tfp0 patch is required. The only jailbreak I know of which did not have tfp0 enabled was Pangu on iOS 7.1.2, though even that jailbreak has the patch enabled if the latest untether is installed. Besides that, (I think) all currently available jailbreaks have tfp0 enabled, which means they are all compatible with odysseus and odysseusOTA downgrades.

What is the difference between odysseus and odysseusOTA?
Odysseus is a tool/method which was developed by @xerub to downgrade devices using @winocm’s kloader. It works by booting decrypted and patched bootloader files and a ramdisk to put the device in restore mode. After the device is in restore mode, the restore process is the same as in iTunes. Odysseus was initially designed to preserve your current baseband, but it was observed that some baseband/iOS combinations work fine and some don’t. In case the baseband does not work, you will have no service on your phone. An option to create custom IPSWs in conjunction with OTA BuildManifests was added to odysseus at a later time. This can, essentially, handle OTA/baseband downgrades, but the process is quite convoluted. In OdysseusOTA I added a feature that allows creating a custom IPSW which fetches OTA blobs instead of normal blobs. Those can be used for downgrading, but still require the kDFU procedure, because normal OTA blobs sign a different ramdisk. With OTA blobs it is possible to downgrade the baseband, which is otherwise not possible. Technically odysseusOTA can do everything odysseus can, but I only support OTA downgrades, so if you want to downgrade with saved SHSH blobs to versions where no OTA blobs are signed, please use odysseus.

Does that mean odysseus can’t do OTA downgrades?
No, @xerub and I added the OTA downgrade feature at the same time independently. To use @xerub’s OTA downgrade method you need to use the -bbupdate and -ota parameters and pass an otabuildmanifest.plist (which you can get from TinyUmbrella) when creating the custom.ipsw with the "ipsw" tool. Even though our methods differ slightly (he uses TU’s buildmanifest.plist, I include the patches in the bundle), after a successful downgrade there is no difference for the user.

Can you make a downgrade for device X to iOS Y?
No, I’m only interested in OTA downgrades, because IMO they are *easy* for the user.

Will it be possible to downgrade device XY in the future?
Right now odysseus’ downgrades are limited to kloader (which only works on 32-bit devices) and decryption keys (which we/I don’t have for many devices). If we get keys for e.g. the iPhone 6 in the future, and if we have something like kloader for 64-bit devices, then odysseus will technically be able to support those devices. Right now the method is limited to 32-bit devices which we have keys for.

Where can I check what OTA blobs Apple is signing?
I made a tool for that, which can be found here: https://github.com/tihmstar/otachecker

Will the baseband work if I downgrade from X to Y?
If you downgrade with odysseusOTA (and don’t forget -bbupdate) you won’t have any problems with your baseband. For every other iOS version: I don’t know.

When will you make a Windows tool?
I personally don’t like developing on Windows. I tried compiling the tools on Windows for a long time and I failed (maybe because I suck). So I gave up and focused my time on other stuff. All tools can be found on my GitHub, so if anyone wants to compile them for Windows, please do. Technically it is possible. If you’re on Windows you can use a live Linux to downgrade your device; I’ve seen a bunch of tutorials on how to do that, so Google is your friend :P

Can you show us how to make bundles?
No. Making bundles involves advanced reverse engineering, patching low-level bootloaders (iBSS and iBEC) and the kernel, and dealing with code signing. This is not as easy as changing some values in a plist. Besides that, I didn’t bother figuring out how to find these patches. What I do is *copying* patches from one device to another, which is also not as easy as it sounds.

Can you make an easy downgrade tool?
Really? I made a video tutorial where you just need to copy and paste stuff. I think this is easy! Making a one-button GUI has really low priority for me, as there is a bunch of other stuff which I’d love to work on instead. Maybe one day I might want to make a GUI. But definitely not soon.

What devices/iOS versions are supported by odysseusOTA(2)?
OdysseusOTA supports iOS 6.1.3 for iPhone4,1/iPad2,1/iPad2,2/iPad2,3. OdysseusOTA2 technically can support iOS 8.4.1 for: iPad2,1, iPad2,2, iPad2,3, iPad2,4, iPad2,5, iPad2,6, iPad2,7, iPad3,1, iPad3,2, iPad3,3, iPad3,4, iPad3,5, iPad3,6, iPhone4,1, iPhone5,1, iPhone5,2, iPod5,1. At the time of writing, bundles for iPhone5,1/iPhone5,2 are ready. To check what devices are supported, you should check the description of the video tutorial: https://youtu.be/fh0tB6fp0Sc, where you can find the latest download link for odysseusOTA2 along with a list of devices which have a bundle ready.

Can I use Ubuntu 32-bit?
I compiled the tools on a 64-bit Ubuntu machine, so if you want to use my compiled binaries you need 64-bit. But all the tools are on my GitHub (xpwn and idevicerestore) and you can compile them for 32-bit.

Will Apple stop signing OTA blobs?
Probably not, but only Apple knows for sure.

Does your tool work in Italy?
Yes it does.
I don’t know how to use your tool and I don’t want to buy a Mac.
Use the Linux version.

Can I make a tool for odysseusOTA?
Please don’t. I don’t mind if someone makes a really nice GUI with some images and buttons and stuff like that, but I’m afraid that people will start making broken scripts which simply execute the commands or something like that. The problem with this is that when something with those scripts goes wrong it might fuck up people’s devices so they have to restore to the latest (maybe not jailbreakable) firmware. Besides that, I will get a bunch of emails saying "XY went wrong, please help" and I will have to spend a bunch of time looking for the problem just to realize it’s not even related to my tool.

Links