Difference between revisions of "Bluefreeze"

From The iPhone Wiki
Jump to: navigation, search
m (Alternative: Cleanup)
m
 
(3 intermediate revisions by 3 users not shown)
Line 1: Line 1:
[[iFaith]] has a protection that you don't use it on the wrong firmware to protect you. '''Bluefreeze''', a tool written by a group called The Private Dev Team, modifies the firmware version (and firmware checksum) in the iFaith certificate file, so that this check gets disabled. By doing so, you can install any firmware version on your device, even without having saved the [[SHSH]] files. The problem by doing so is that you actually install a firmware without signatures, with all consequences.
+
[[iFaith]] has a protection that you don't use it on the wrong firmware to protect you. '''Bluefreeze''', a tool written by a group called The Private Dev Team, modifies the firmware version (and firmware checksum) in the iFaith certificate file, so that this check gets disabled. By doing so, you can install any firmware version on your device, even without having saved the [[SHSH]] files. The problem by doing so is that you actually install a firmware without signatures, with all consequences. This is what is known as a [[Tethered Downgrade]].
   
 
Bluefreeze asks you to build and browse to two ipsw's one signed properly and one not signed. Then Bluefreeze swaps the properly signed img3 files in the properly signed firmware file with the incorrectly signed img3 files in the unsigned ipsw thus resulting in an ipsw file with properly signed img3 files. This firmware file is used for the downgrade.
 
Bluefreeze asks you to build and browse to two ipsw's one signed properly and one not signed. Then Bluefreeze swaps the properly signed img3 files in the properly signed firmware file with the incorrectly signed img3 files in the unsigned ipsw thus resulting in an ipsw file with properly signed img3 files. This firmware file is used for the downgrade.
Line 5: Line 5:
 
Having an incorrectly signed firmware installed won't let you boot of course. But because the limera1n exploit ignores incorrect signatures we can use the limera1n exploit (DFU mode, then using redsn0w) to boot up your device. The problem is only that you have to repeat this every time (similar to a tethered jailbreak), so it's not a downgrade you would want. This should be your last resort, and only if you absolutely need a downgrade.
 
Having an incorrectly signed firmware installed won't let you boot of course. But because the limera1n exploit ignores incorrect signatures we can use the limera1n exploit (DFU mode, then using redsn0w) to boot up your device. The problem is only that you have to repeat this every time (similar to a tethered jailbreak), so it's not a downgrade you would want. This should be your last resort, and only if you absolutely need a downgrade.
 
 
This way a downgrade to [[iOS]] 4.3, 4.3.5, or 5.0 from 5.0.1 is possible. Supported devices are iPhone 3GS, iPod touch 3G, and all [[S5L8930|A4]] devices.
+
This way a downgrade to [[iOS]] 4.3, 4.3.5, or 5.0 from 5.0.1 is possible. Supported devices are iPhone 3GS, iPod touch (3rd generation), and all [[S5L8930|A4]] devices.
   
 
Installing a firmware version using this method (without valid SHSH blobs) is incompatible with an untethered jailbreak. Each time the device boots, the bootrom validates the SHSH blobs for LLB, LLB for iBoot, and so on. Therefore, the image validation function must be patched or bypassed with an appropriate bootrom exploit payload on every boot or the device will be forced into DFU mode.
 
Installing a firmware version using this method (without valid SHSH blobs) is incompatible with an untethered jailbreak. Each time the device boots, the bootrom validates the SHSH blobs for LLB, LLB for iBoot, and so on. Therefore, the image validation function must be patched or bypassed with an appropriate bootrom exploit payload on every boot or the device will be forced into DFU mode.
Line 12: Line 12:
 
With this method you can install a firmware for which you don't have [[SHSH]] saved for some tests, for example if you're a software developer and need to do some tests on a specific version.
 
With this method you can install a firmware for which you don't have [[SHSH]] saved for some tests, for example if you're a software developer and need to do some tests on a specific version.
   
== Alternative ==
+
== Related ==
  +
* [[Firmware downgrading]]
You have to patch a firmware file ([[IPSW]]) which is signed by Apple exactly when you want to perform the downgrade.
 
  +
* [[Tethered Downgrade]]
 
1. Patch out the signature check in [[iBSS]] and [[iBEC]] and apply another patch to iBEC (some lines of code before the patch the string "debug-enabled" is loaded into a register and some lines after the patch the string "development-cert" is loaded. Look at a patched iBEC from an [[iFaith]] IPSW for details).<br>
 
2. Patch the boot-args in [[iBEC]] to "rd=md0 amfi=0xff cs_enforcement_disable=1 pio-error=0" and do an iBEC patch that injects the boot-args.<br>
 
3. Patch asr to return "Image passed signature verification" where it would usually return "Image failed signature verification".<br>
 
4. Update the page hashes of asr with ldid.<br>
 
5. Grow the ramdisk to original size + size of asr (better some bytes larger).<br>
 
6. Rename the original asr and add the patched asr.<br>
 
7. chmod asr to 100755<br>
 
8. Replace the root file system dmg with the decrypted root file system dmg of the older firmware you want to downgrade to. (take care that the decrypted dmg has the format UDZO!)<br>
 
9. Enter pwned [[DFU Mode]].<br>
 
10. Use an old [[iTunes]] version that allows downgrades on your [[iOS]] device and restore to your patched IPSW.<br>
 
11. To start up your device you will have to boot tethered (depending on iOS version [[redsn0w]] or [[opensn0w]]).<br>
 
   
 
== Download ==
 
== Download ==

Latest revision as of 10:03, 26 March 2017

iFaith has a protection that you don't use it on the wrong firmware to protect you. Bluefreeze, a tool written by a group called The Private Dev Team, modifies the firmware version (and firmware checksum) in the iFaith certificate file, so that this check gets disabled. By doing so, you can install any firmware version on your device, even without having saved the SHSH files. The problem by doing so is that you actually install a firmware without signatures, with all consequences. This is what is known as a Tethered Downgrade.

Bluefreeze asks you to build and browse to two ipsw's one signed properly and one not signed. Then Bluefreeze swaps the properly signed img3 files in the properly signed firmware file with the incorrectly signed img3 files in the unsigned ipsw thus resulting in an ipsw file with properly signed img3 files. This firmware file is used for the downgrade.

Having an incorrectly signed firmware installed won't let you boot of course. But because the limera1n exploit ignores incorrect signatures we can use the limera1n exploit (DFU mode, then using redsn0w) to boot up your device. The problem is only that you have to repeat this every time (similar to a tethered jailbreak), so it's not a downgrade you would want. This should be your last resort, and only if you absolutely need a downgrade.

This way a downgrade to iOS 4.3, 4.3.5, or 5.0 from 5.0.1 is possible. Supported devices are iPhone 3GS, iPod touch (3rd generation), and all A4 devices.

Installing a firmware version using this method (without valid SHSH blobs) is incompatible with an untethered jailbreak. Each time the device boots, the bootrom validates the SHSH blobs for LLB, LLB for iBoot, and so on. Therefore, the image validation function must be patched or bypassed with an appropriate bootrom exploit payload on every boot or the device will be forced into DFU mode.

Purpose

With this method you can install a firmware for which you don't have SHSH saved for some tests, for example if you're a software developer and need to do some tests on a specific version.

Related

Download

External Links