These are my notes for upgrading my iPhone 11 from 13.5 (jailbroken on unc0ver) to iOS 14.3RC, which has had a jailbreak released for it recently. I have previously saved blobs via blobsaver, using default settings (reading nonce from phone).

The Setup

I’m currently following a tutorial on Reddit for Windows. I assume my steps will be similar, except on macOS.

A side note

There seems to be some confusion regarding getting the ApNonce for a blob. According to this post, the generator is not set properly by default in the file generated by blobsaver, so you’ll need to set it manually at around line 512. The default generator for unc0ver is 0x1111111111111111, which is what I used. This is kind of arcane magic to me, but I’m doing it anyway.
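
An added example, not part of the original notes or of blobsaver: a small Python check that reads the generator recorded in a saved blob and writes a corrected copy, instead of hand-editing the file. It assumes the .shsh2 file is a property list with a top-level "generator" string and an "ApImg4Ticket" entry; the sample blob and the function names are constructed for illustration.

```python
import plistlib
import re

UNC0VER_GENERATOR = "0x1111111111111111"  # value quoted in the notes above
GENERATOR_RE = re.compile(r"^0x[0-9a-fA-F]{16}$")

# Constructed sample standing in for a saved blob. A real file carries the
# full signed ticket; here it is a few placeholder bytes.
SAMPLE_BLOB = plistlib.dumps({
    "ApImg4Ticket": b"\x30\x82placeholder-ticket",
    "generator": "0x0123456789abcdef",  # constructed "wrong" value
})


def read_generator(blob_bytes):
    """Return the generator string recorded in the blob, or None if absent."""
    blob = plistlib.loads(blob_bytes)
    value = blob.get("generator")
    return value if isinstance(value, str) else None


def set_generator(blob_bytes, generator=UNC0VER_GENERATOR):
    """Return a copy of the blob with only the generator field replaced."""
    if not GENERATOR_RE.match(generator):
        raise ValueError(f"generator must be 0x + 16 hex digits: {generator!r}")
    blob = plistlib.loads(blob_bytes)
    if "ApImg4Ticket" not in blob:
        raise ValueError("no ApImg4Ticket entry; this is not a usable blob")
    blob["generator"] = generator
    return plistlib.dumps(blob)  # serialised as an XML plist


def fix_blob_file(src_path, dst_path, generator=UNC0VER_GENERATOR):
    """Write a corrected copy to dst_path; the original file is left alone."""
    with open(src_path, "rb") as fh:
        fixed = set_generator(fh.read(), generator)
    with open(dst_path, "wb") as fh:
        fh.write(fixed)
    return read_generator(fixed)


if __name__ == "__main__":
    print("before:", read_generator(SAMPLE_BLOB))
    print("after: ", read_generator(set_generator(SAMPLE_BLOB)))
```

The edit changes only the recorded generator field; the signed ticket bytes are copied through untouched, so the value has to be the one the blob was actually saved against.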

Ingredients

I’ve got a fork of FutureRestore that is updated to support iOS 14. I’ve also got a 14.3RC ipsw that I’ve gotten from here. Be prepared to install ReiBoot in case things break and you get stuck in recovery mode.

Save a list of installed tweaks. This is where I don’t reinstall tweaks I don’t care about.

Activator
AVLock
Ermete
Filza File Manager
half
Legizmo
Mega UHB IPv4 ONLY
UHB
PerfectTwitter
PerfectYoutube
SwipeSelection
Zenith

Back up the phone. My computer is whirring away now.

The Work Begins

Next step: Restore RootFS. Unc0ver is nice enough to have an uninstallation tool built in. We toggle and run it, and we should be back to stock iOS.

picture of rootfs toggle
Simple enough...

Now that’s done, we can try to run FutureRestore. We have a nicely packaged binary installed (v194) that we can use. What does this do? Let’s check it out.

Tanx@tanx:~/Downloads$ ./futurerestore-v194
Version: 0ab9df3209ee599f581532d05d331e6abe0f53f3 - 194
img4tool version: 0.197-aca6cf005c94caf135023263cbb5c61a0081804f
libipatcher version: 0.82-0b2f79ff0917ef9b8a92475d93d9466b23fc2322
Odysseus for 32-bit support: yes
Odysseus for 64-bit support: yes
Usage: futurerestore [OPTIONS] iPSW
Allows restoring to non-matching firmware with custom SEP+baseband

General options:
  -t, --apticket PATH           Signing tickets used for restoring
  -u, --update                  Update instead of erase install (requires appropriate APTicket)
                                DO NOT use this parameter, if you update from jailbroken firmware!
  -w, --wait                    Keep rebooting until ApNonce matches APTicket (ApNonce collision, unreliable)
  -d, --debug                   Show all code, use to save a log for debug testing
  -e, --exit-recovery           Exit recovery mode and quit

Options for downgrading with Odysseus:
      --use-pwndfu              Restoring devices with Odysseus method. Device needs to be in pwned DFU mode already
      --just-boot="-v"          Tethered booting the device from pwned DFU mode. You can optionally set boot-args

Options for SEP:
      --latest-sep              Use latest signed SEP instead of manually specifying one (may cause bad restore)
  -s, --sep PATH                SEP to be flashed
  -m, --sep-manifest PATH       BuildManifest for requesting SEP ticket

Options for baseband:
      --latest-baseband         Use latest signed baseband instead of manually specifying one (may cause bad restore)
  -b, --baseband PATH           Baseband to be flashed
  -p, --baseband-manifest PATH  BuildManifest for requesting baseband ticket
      --no-baseband             Skip checks and don't flash baseband
                                Only use this for device without a baseband (eg. iPod touch or some Wi-Fi only iPads)

I’m going to pass in our blobs with the -t option, and use the default options for the SEP and baseband. Finally, we’ll pass in the ipsw at the end. Hopefully this goes well.

Tanx@tanx:~/Downloads$ ./futurerestore-v194 -t ~/Documents/Phone/Blobs/ios_14.3RC_iPhone11.shsh2 --latest-sep --latest-baseband iPhone11,8,iPhone12,1_14.3_18C65_Restore.ipsw

(I renamed the blob, yours will be named differently)

I pressed the button, and my phone entered recovery mode shortly after.

...
Finished downloading the latest firmware components!
Found device in Normal mode
Entering recovery mode...
ERROR: Failed to place device in recovery mode
futurerestore: failed with exception:
[exception]:
what=Unable to place device into recovery mode from Normal mode

code=9043985
line=138
file=futurerestore.cpp
commit count=194:
commit sha  =0ab9df3209ee599f581532d05d331e6abe0f53f3:

Hmm… Let’s try to rerun the command since it says it’s in recovery mode right now.

And it got past that this time!

[IMG4TOOL] checking hash for "rfts"                    IGN (no digest in BuildManifest)

failed verification with error:
[exception]:
what=verification failed!
code=84279308
line=1286
file=img4tool.cpp
commit count=197:
commit sha  =aca6cf005c94caf135023263cbb5c61a0081804f:

...

Checking for uncollected logs (44)
Checking for uncollected logs (44)
ERROR: Unable to receive message from FDR 0x7fd004c01f80 (-2). 0/2 bytes
ERROR: Unable to receive message from FDR 0x7fd00486da00 (-2). 0/2 bytes
ERROR: Unable to receive message from FDR 0x7fd00486da00 (-2). 0/2 bytes
ERROR: Unable to receive message from FDR 0x7fd00496cdb0 (-2). 0/2 bytes
ERROR: Unable to receive message from FDR 0x7fd00496cdb0 (-2). 0/2 bytes
Unmounting filesystems (29)

...

About to send filesystem...
Connected to ASR
Validating the filesystem
Filesystem validated
Sending filesystem now...
[========================================          ]  79.0%

Some exceptions happened in the logs, but it seems like they were non-blocking (so far). It takes a while to update, of course. This step took a couple of minutes.

...
TSS server returned: STATUS=94&MESSAGE=This device isn't eligible for the requested build.
ERROR: TSS request failed (status=94, message=This device isn't eligible for the requested build.)
Sending TSS request attempt 1... Warning: Unable to fetch Rose ticket using current build_identity, trying again using latest build manifest
Sending Rose TSS request...
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Received Rose ticket
Extracting ftab.bin...
NOTE: Build identity does not have a 'Rap,RestoreRTKitOS' component.
Sending FirmwareResponse data now...
Done sending FirmwareUpdater data
Updating SE Firmware (59)
Sending SE TSS request...
Request URL set to https://gs.apple.com/TSS/controller?action=2
TSS server returned: STATUS=94&MESSAGE=This device isn't eligible for the requested build.
ERROR: TSS request failed (status=94, message=This device isn't eligible for the requested build.)
Sending TSS request attempt 1... Warning: Unable to fetch SE ticket using current build_identity, trying again using latest build manifest
Sending SE TSS request...
Request URL set to https://gs.apple.com/TSS/controller?action=2
Sending TSS request attempt 1... response successfully received
Received SE ticket

I saw these errors in the logs afterwards but it seemed like they were caught successfully.

Got status message
Status: Restore Finished
Cleaning up...
Done: restoring succeeded!

Nice! My phone booted into the new phone state a minute after. Setup involved installing some unspecified software, otherwise my phone wouldn’t be recognized. Click the restore button after connecting to the phone, and it should be good to go.

iphone restore screen in iTunes
Not so hard.

And we’re done! Have fun waiting for all your apps to get redownloaded…

picture of new version
Perfect!

I won’t write anything about jailbreaking since there are tons of tutorials out there. TLDR, just get AltStore, get the unc0ver ipa, and install it like that.