Last updated: 06/04/2026 at 2:15 PM EST
If you're restoring an A8 device to iOS 10.3.x with blobs, it may be better to use the surrealra1n development branch instead of this guide. It is way easier to use than following this guide.
Here's how to restore to 10.3.x with blobs on an A8 device (e.g. iPad mini 4, iPod touch 6, iPhone 6).
THIS WILL NOT WORK ON IPAD AIR 2, DO NOT ASK
Guide is not fully complete (can be rough in some parts), and may not be fully user-friendly
This has been tested with iPhone 6, iOS 10.3.2
Remember that anything in brackets [] is a placeholder and should be replaced with the actual path to the item listed.
The baseband will be updated to the latest signed baseband as part of this, but the latest baseband for A8 devices should be compatible with iOS 10.
Devices with biometric hardware (e.g. iPhone 6 and 6 Plus, iPad mini 4) will not have working Touch ID after the restore.
Terminal knowledge. You should not proceed with this guide if you don't know how to use a terminal on Linux/macOS
Required tools (there will also be a command you can use to fetch such tools)
The IPSW for the version you have blobs for (example: 10.3.2)
Valid SHSH blobs for 10.2 (maybe 10.1.x)-10.3.3. 10.0.2 and lower won't work with this guide due to tvOS 10.2.2 SEP being incompatible below 10.1.x
Custom hax buildmanifest (you can get it here). Download the manifest for your specific device. Also check README.md there for which manifest to download.
On Linux, open a terminal, make a working directory and cd into it:
mkdir hax
cd hax
Now, fetch the following binaries:
curl -L -o img4 https://github.com/LukeZGD/Semaphorin/raw/refs/heads/main/Linux/img4 && curl -L -o pzb https://github.com/LukeZGD/Semaphorin/raw/refs/heads/main/Linux/pzb && curl -L -o kerneldiff https://github.com/LukeZGD/Semaphorin/raw/refs/heads/main/Linux/kerneldiff && curl -L -o Kernel64Patcher https://github.com/LukeZGD/Semaphorin/raw/refs/heads/main/Linux/Kernel64Patcher && curl -L -o gaster https://github.com/LukeZGD/Legacy-iOS-Kit/raw/refs/heads/main/bin/linux/x86_64/gaster && curl -L -o futurerestore.zip https://github.com/LukeeGD/futurerestore/releases/download/latest/futurerestore-Linux-x86_64-RELEASE-main.zip && unzip -o futurerestore.zip && tar -xf futurerestore-Linux-x86_64-v2.0.0-Build_329-RELEASE.tar.xz && cp futurerestore-Linux-x86_64-v2.0.0-Build_329-RELEASE/* .
And set permissions:
chmod +x *
Now, unzip the IPSW for the version you have blobs for
unzip [IPSW] -d firmware
Then, extract the kernelcache for the device from the IPSW with img4.
For iPhone 6 and 6 Plus, run this:
./img4 -i firmware/kernelcache.release.iphone7 -o kernel.raw
For iPad mini 4, run this:
./img4 -i firmware/kernelcache.release.ipad5 -o kernel.raw
After extracting the kernelcache into kernel.raw, patch it with Kernel64Patcher. We must patch rkrn (the restore kernelcache) so the device will actually restore properly:
./Kernel64Patcher kernel.raw kernel.patch -u 11 --skip-sks --skip-acm --skip-amfi
Now, create a diff file:
./kerneldiff kernel.raw kernel.patch kernel.diff
Now, apply patches to kernelcache that we will use for restore (iPhone 6 and 6 Plus):
./img4 -i firmware/kernelcache.release.iphone7 -o kernel.im4p -T rkrn -P kernel.diff -J
Use this command instead for iPad mini 4 when applying the patches (this is not required for iPod touch 6):
./img4 -i firmware/kernelcache.release.ipad5 -o kernel.im4p -T rkrn -P kernel.diff -J
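The repacked image can be sanity-checked before it is handed to futurerestore. The following is an added example, not part of the original guide or of any tool it uses: it reads the start of kernel.im4p and reports the four-character type, so you can confirm it is rkrn. It assumes the usual IM4P layout (a DER SEQUENCE holding the IA5String "IM4P" followed by the type tag); im4p_type and sample_im4p are names made up for this example.

```python
import sys

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        return tag, pos, pos + first
    n = first & 0x7F                      # long form: next n bytes hold length
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    length = int.from_bytes(buf[pos:pos + n], "big")
    return tag, pos + n, pos + n + length

def im4p_type(buf):
    """Return the four-character type tag of an IM4P container header."""
    tag, start, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, s, e = _read_tlv(buf, start)
    if tag != 0x16 or buf[s:e] != b"IM4P":
        raise ValueError("missing IM4P magic")
    tag, s, e = _read_tlv(buf, e)
    fourcc = buf[s:e]
    if tag != 0x16 or e - s != 4 or len(fourcc) != 4:
        raise ValueError("missing four-character type tag")
    return fourcc.decode("ascii")

def sample_im4p(type_tag):
    """Constructed sample: a tiny IM4P-shaped blob, not real firmware."""
    def tlv(tag, val):
        return bytes([tag, len(val)]) + val      # short-form lengths only
    body = (tlv(0x16, b"IM4P") + tlv(0x16, type_tag)
            + tlv(0x16, b"constructed") + tlv(0x04, b"\x00" * 8))
    return tlv(0x30, body)

if __name__ == "__main__":
    if len(sys.argv) > 1:                 # e.g. kernel.im4p from the step above
        with open(sys.argv[1], "rb") as f:
            data = f.read(64)             # the header fields sit at the very start
    else:
        data = sample_im4p(b"rkrn")       # no file given: use the constructed sample
    found = im4p_type(data)
    print("IM4P type:", found)
    sys.exit(0 if found == "rkrn" else 1)
```

Saved under any name (for instance check_im4p.py) and run as python3 check_im4p.py kernel.im4p, it exits non-zero when the type is anything other than rkrn.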
Restore kernelcache is ready! Put the device into DFU mode, then pwn with gaster
./gaster pwn && ./gaster reset
Now, download tvOS 10.2.2 SEP firmware:
sudo ./pzb -g Firmware/all_flash/sep-firmware.j42d.RELEASE.im4p https://secure-appldnld.apple.com/tvos10.2.2/091-23452-20170720-5D53229C-6A56-11E7-8577-8B2C4A4DD6D5/AppleTV5,3_10.2.2_14W756_Restore.ipsw
Afterwards, start restoring the device!
If you have an iPhone 6 or 6 Plus, or iPad mini 4 cellular model, run this:
sudo FUTURERESTORE_I_SOLEMNLY_SWEAR_THAT_I_AM_UP_TO_NO_GOOD=1 ./futurerestore -t [SHSH blob] --use-pwndfu --sep sep-firmware.j42d.RELEASE.im4p --sep-manifest [the custom buildmanifest for your device from the cursed sep resources repo] --latest-baseband --rkrn kernel.im4p --no-rsep [IPSW]
If you have an iPad mini 4 Wi-Fi only model, run this:
sudo FUTURERESTORE_I_SOLEMNLY_SWEAR_THAT_I_AM_UP_TO_NO_GOOD=1 ./futurerestore -t [SHSH blob] --use-pwndfu --sep sep-firmware.j42d.RELEASE.im4p --sep-manifest [the custom buildmanifest for your device from the cursed sep resources repo] --no-baseband --rkrn kernel.im4p --no-rsep [IPSW]
If you have an iPod touch 6, run this:
sudo FUTURERESTORE_I_SOLEMNLY_SWEAR_THAT_I_AM_UP_TO_NO_GOOD=1 ./futurerestore -t [SHSH blob] --use-pwndfu --sep sep-firmware.j42d.RELEASE.im4p --sep-manifest [the custom buildmanifest for your device from the cursed sep resources repo] --no-baseband --no-rsep [IPSW]
If the restore succeeds, wait for the device to reach the Setup screen, then set up the device as normal.
The device can take up to 3-5 minutes to boot; this is not a hardware issue. It happens because the kernel tries to initialize the biometric hardware, then fails to initialize it.
The device can freeze at certain points during Setup, usually after activation: when it goes to Touch ID setup, it will hang for about 30 seconds or so before finally saying "Failed to set up Touch ID".
It can also hang at other parts of Setup past that point. Wait for it to get past the hang, or if the hang lasts more than 5-10 minutes, reboot the device (it can take 3-5 minutes to fully boot again), then retry device Setup (hangs at certain points may still happen).
Once you complete Setup, the hangs shouldn't happen as much.
On macOS, open a terminal, make a working directory and cd into it:
mkdir hax
cd hax
On Apple Silicon Macs, install Rosetta 2 before continuing to fetch binaries:
softwareupdate --install-rosetta
Now, fetch the following binaries:
curl -L -o img4 https://github.com/LukeZGD/Semaphorin/raw/refs/heads/main/Darwin/img4 && curl -L -o pzb https://github.com/LukeZGD/Semaphorin/raw/refs/heads/main/Darwin/pzb && curl -L -o kerneldiff https://github.com/LukeZGD/Semaphorin/raw/refs/heads/main/Darwin/kerneldiff && curl -L -o Kernel64Patcher https://github.com/LukeZGD/Semaphorin/raw/refs/heads/main/Darwin/Kernel64Patcher && curl -L -o gaster https://github.com/LukeZGD/Legacy-iOS-Kit/raw/refs/heads/main/bin/macos/gaster && curl -L -o futurerestore.zip https://github.com/LukeeGD/futurerestore/releases/download/latest/futurerestore-macOS-RELEASE-main.zip && unzip -o futurerestore.zip && tar -xf futurerestore-macOS-v2.0.0-Build_329-RELEASE.tar.xz && cp futurerestore-macOS-v2.0.0-Build_329-RELEASE/* .
And set permissions:
chmod +x * && xattr -cr *
Now, unzip the IPSW for the version you have blobs for
unzip [IPSW] -d firmware
Then, extract the kernelcache for the device from the IPSW with img4.
For iPhone 6 and 6 Plus, run this:
./img4 -i firmware/kernelcache.release.iphone7 -o kernel.raw
For iPad mini 4, run this:
./img4 -i firmware/kernelcache.release.ipad5 -o kernel.raw
After extracting the kernelcache into kernel.raw, patch it with Kernel64Patcher. We must patch rkrn (the restore kernelcache) so the device will actually restore properly:
./Kernel64Patcher kernel.raw kernel.patch -u 11 --skip-sks --skip-acm --skip-amfi
Now, create a diff file:
./kerneldiff kernel.raw kernel.patch kernel.diff
Now, apply patches to kernelcache that we will use for restore (iPhone 6 and 6 Plus):
./img4 -i firmware/kernelcache.release.iphone7 -o kernel.im4p -T rkrn -P kernel.diff -J
Use this command instead for iPad mini 4 when applying the patches (this is not required for iPod touch 6):
./img4 -i firmware/kernelcache.release.ipad5 -o kernel.im4p -T rkrn -P kernel.diff -J
Restore kernelcache is ready! Put the device into DFU mode, then pwn with gaster
./gaster pwn && ./gaster reset
Now, download tvOS 10.2.2 SEP firmware:
sudo ./pzb -g Firmware/all_flash/sep-firmware.j42d.RELEASE.im4p https://secure-appldnld.apple.com/tvos10.2.2/091-23452-20170720-5D53229C-6A56-11E7-8577-8B2C4A4DD6D5/AppleTV5,3_10.2.2_14W756_Restore.ipsw
Afterwards, start restoring the device!
If you have an iPhone 6 or 6 Plus, or iPad mini 4 cellular model, run this:
sudo FUTURERESTORE_I_SOLEMNLY_SWEAR_THAT_I_AM_UP_TO_NO_GOOD=1 ./futurerestore -t [SHSH blob] --use-pwndfu --sep sep-firmware.j42d.RELEASE.im4p --sep-manifest [the custom buildmanifest for your device from the cursed sep resources repo] --latest-baseband --rkrn kernel.im4p --no-rsep [IPSW]
If you have an iPad mini 4 Wi-Fi only model, run this:
sudo FUTURERESTORE_I_SOLEMNLY_SWEAR_THAT_I_AM_UP_TO_NO_GOOD=1 ./futurerestore -t [SHSH blob] --use-pwndfu --sep sep-firmware.j42d.RELEASE.im4p --sep-manifest [the custom buildmanifest for your device from the cursed sep resources repo] --no-baseband --rkrn kernel.im4p --no-rsep [IPSW]
If you have an iPod touch 6, run this:
sudo FUTURERESTORE_I_SOLEMNLY_SWEAR_THAT_I_AM_UP_TO_NO_GOOD=1 ./futurerestore -t [SHSH blob] --use-pwndfu --sep sep-firmware.j42d.RELEASE.im4p --sep-manifest [the custom buildmanifest for your device from the cursed sep resources repo] --no-baseband --no-rsep [IPSW]
If the restore succeeds, wait for the device to reach the Setup screen, then set up the device as normal.
The device can take up to 3-5 minutes to boot; this is not a hardware issue. It happens because the kernel tries to initialize the biometric hardware, then fails to initialize it.
The device can freeze at certain points during Setup, usually after activation: when it goes to Touch ID setup, it will hang for about 30 seconds or so before finally saying "Failed to set up Touch ID".
It can also hang at other parts of Setup past that point. Wait for it to get past the hang, or if the hang lasts more than 5-10 minutes, reboot the device (it can take 3-5 minutes to fully boot again), then retry device Setup (hangs at certain points may still happen).
Once you complete Setup, the hangs shouldn't happen as much.