When Luca Todesco released the beta of his Yalu iOS 10 – iOS 10.1.1 jailbreak a few days ago, we covered the “event”. A day after that we found that a lot of non-developers were trying the jailbreak on their iOS 10.x devices and getting things wrong. We then published another article showing a step-by-step method for the jailbreak. The articles are linked here for your convenience:

Todesco’s Yalu iOS 10 / 10.1.1 Jailbreak Beta 3 is Here! Download Now, Tutorial Links Included

Yalu Jailbreak iOS 10 to iOS 10.1.1 – What You Must Know Before You Proceed

Please read these two articles before you read on.

Today, we cover how to validate your SHSH2/SHSH blobs for iOS 10.x so you know in advance whether or not you can jailbreak. This is for all 64-bit devices that aren’t yet on iOS 10.x but where the device owner does have saved blobs for those versions.

About a week ago we showed you how to save your iOS 10.1.1 shsh2 blobs using a tool called TSS Saver from Reddit user 1Conan. Unfortunately, Apple stopped signing that version the same day so, unless you have the blobs saved already, you will not be able to use this particular tool.

The TSS Saver tool essentially has tsschecker running in the background, and that’s a precursor to a tool called Prometheus being developed by iOS hacker tihmstar. What it does is allow you to upgrade and downgrade to unsigned versions of iOS. But you need to have saved your SHSH2/SHSH blobs while the iOS version in question was still being signed. That’s very important. For example, if you try to save the shsh2 blobs for anything lower than iOS 10.2 now, those files won’t be valid and won’t allow Prometheus to downgrade you.

To check whether your blobs are valid for use in Prometheus, read this explanation from tihmstar on his blog. This is for iOS 9 and lower. To see validation for iOS 10.x blobs, skip this section.

“Prometheus needs to make your phone somehow regenerate the nonce inside the apticket (shsh file) to be able to accept it. There are two ways of doing this:

1. write the generator for that nonce to nvram using a jailbreak+nonceEnabler.

2. reboot your phone until it regenerates that nonce. Only works if you picked one of the nonces which are generated really really often and requested a ticket for that purposely. If you don’t know what that means you probably didn’t do it and can’t use this method. Also tsschecker is the only tool I know of where you can manually specify an APNonce you want a ticket for.

For the first method you need to know the generator for the nonce. It is not possible to calculate a generator from a nonce, you can only calculate a nonce based on a generator. What tsschecker does is choose a random generator, derive a nonce from that and request a ticket. Then both are saved inside the shsh2 file. This is also the reason why generator is not saved when you manually specify an APNonce to get a ticket for.”

APTicket Validation for iOS 10.x

Tihmstar goes on to explain that for iOS 10.x, Apple has added an OS tag that’s included in the APTicket:


Now, if you do not include the OS tag in the tss request, you’ll still get an APTicket but without the tag. That might look fine, but it isn’t. What will happen now is that when you try and restore with that APTicket, the device can’t validate the filesystem hash that it expects to find in the APTicket – which it won’t, obviously. The problem is, by now the disk is wiped and formatted so if the restore fails – which it will – then the only choice you have left is to do a clean restore, which means you’ll be forced to get on iOS 10.2, which is the latest signed version.

Fortunately, you can easily verify if the OS tag is included in your APTicket using this other tool from tihmstar: http://api.tihmstar.net/builds/img4tool/img4tool-latest.zip – (you’ll need to use -a to see all entries of the manifest in your tickets with the img4tool)

The img4tool basically lets you check if the ‘rosi’ tag is present in the ticket, and it should look something like this if it does:


That’s basically it, in a nutshell. If you can see the rosi tag inside your tickets, that means your SHSH2 files are valid. If not, your restore probably won’t work for that iOS version.
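
The same check can be scripted. The Python below is an added example, not code from this article or from tihmstar's tools: it walks the DER structure of the ticket stored in an shsh2 file and reports whether a 'rosi' entry is present and whether a generator was saved with it. It assumes the shsh2 file is a property list with "ApImg4Ticket" and "generator" keys, as tsschecker writes it, and that manifest entries are named by 4-character IA5String values; the sample tickets and the generator value are constructed for the demonstration.

```python
import plistlib

def read_tlv(buf, pos):  # decode one DER header -> (first_byte, value_start, value_end)
    first, pos = buf[pos], pos + 1
    if first & 0x1F == 0x1F:          # high-tag-number form (IMG4 four-character tags)
        while buf[pos] & 0x80:
            pos += 1
        pos += 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                 # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return first, pos, pos + length

def manifest_tags(der):  # every 4-character IA5String name anywhere in the DER tree
    names, stack = set(), [(0, len(der))]
    while stack:
        pos, end = stack.pop()
        while pos < end:
            first, start, stop = read_tlv(der, pos)
            if first & 0x20:          # constructed element: queue its children
                stack.append((start, stop))
            elif first == 0x16 and stop - start == 4:
                names.add(der[start:stop].decode("ascii", "replace"))
            pos = stop
    return names

def check_shsh2(plist_bytes):  # is 'rosi' in the ticket, and was a generator saved?
    blob = plistlib.loads(plist_bytes)
    try:
        has_rosi = "rosi" in manifest_tags(blob.get("ApImg4Ticket", b""))
    except (ValueError, IndexError):  # unparseable ticket: do not trust it
        has_rosi = False
    return {"has_rosi": has_rosi, "generator": blob.get("generator")}

def tlv(tag, body):  # helpers from here on build constructed sample data, not real tickets
    return tag + bytes([len(body)]) + body  # short-form DER length is enough for the sample
def entry(name, children=b""):  # [private 4CC] SEQUENCE { IA5String name, SET {...} }
    n = int.from_bytes(name, "big")
    tag = b"\xff" + bytes(((n >> s) & 0x7F) | (0x80 if s else 0) for s in (28, 21, 14, 7, 0))
    return tlv(tag, tlv(b"\x30", tlv(b"\x16", name) + tlv(b"\x31", children)))
def sample_shsh2(with_rosi, generator=None):
    props = entry(b"MANP") + (entry(b"rosi") if with_rosi else b"")
    body = tlv(b"\x16", b"IM4M") + b"\x02\x01\x00" + tlv(b"\x31", entry(b"MANB", props))
    extra = {"generator": generator} if generator else {}
    return plistlib.dumps({"ApImg4Ticket": tlv(b"\x30", body), **extra})

print(check_shsh2(sample_shsh2(True, "0x1111111111111111")), check_shsh2(sample_shsh2(False)))
```

A missing generator is expected when the ticket was requested for a manually specified APNonce, as the quote above explains. A ticket that fails to parse is reported the same way as one without the tag.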

That said, tihmstar does advise that you wait before using Prometheus (tsschecker) to upgrade/downgrade to iOS 10.x. You’ll need it for Todesco’s Yalu iOS 10 – iOS 10.1.1 jailbreak to work, of course, but he recommends that you let the pros test out Prometheus properly and let all the bugs be ironed out before proceeding – unless you’re confident of being a beta tester for the software.

Once you have a valid APTicket, you should be able to restore your device to iOS 10.x and then proceed to do the Yalu jailbreak. Note that the Yalu iOS 10 – iOS 10.1.1 jailbreak is also a beta so if you feel more comfortable waiting for a more stable version to come out (not sure when), then do that.


Source: tihmstar’s blog