Bluefreeze

From The iPhone Wiki
Revision as of 19:39, 22 March 2012 by Cykey (talk | contribs) (fix typo)
Jump to: navigation, search

iFaith has a protection that you don't use it on the wrong firmware to protect you. Bluefreeze, a tool written by a group called The Private Dev Team, modifies the firmware version (and firmware checksum) in the iFaith certificate file, so that this check gets disabled. By doing so, you can install any firmware version on your device, even without having saved the SHSH files. The problem by doing so is that you actually install a firmware without signatures, with all consequences.

Bluefreeze asks you to build and browse to two ipsw's one signed properly and one not signed. Then Bluefreeze swaps the properly signed img3 files in the properly signed firmware file with the incorrectly signed img3 files in the unsigned ipsw thus resulting in an ipsw file with properly signed img3 files. This firmware file is used for the downgrade.

Having an incorrectly signed firmware installed won't let you boot of course. But because the limera1n exploit ignores incorrect signatures we can use the limera1n exploit (DFU mode, then using redsn0w) to boot up your device. The problem is only that you have to repeat this every time (similar to a tethered jailbreak), so it's not a downgrade you would want. This should be your last resort, and only if you absolutely need a downgrade.

This way a downgrade to iOS 4.3, 4.3.5, or 5.0 from 5.0.1 is possible. Supported devices are iPhone 3GS, iPod touch 3G, and all A4 devices.

One common misconception about this downgrade solution is that it may conflict with an untethered jailbreak. This is completely false. If proper exploits are used (anything but a userland one ex: Jailbreakme 3.0) and properly jailbroken this tethered downgrade would become an untethered downgrade.

Another common misconception about this is that you can downgrade and use TinyUmbrella or iFaith to get a valid SHSH blob and use that to restore to that and be untethered. This is false also.

Purpose

With this method you can install a firmware for which you don't have SHSH saved for some tests, for example if you're a software developer and need to do some tests on a specific version.

Alternative

A much easier way to do a "tethered downgrade" (unsure if this still works):

  • 1. Patch ASR on the Ramdisk (you can just create a custom IPSW and use that.)
  • 2. Replace the Rootfs-DMG of the currently signed Firmware with the decrypted Rootfs-DMG of the older Firmware
  • 3. After the Filesystem of the old Firmware is installed, use iRecovery and upload a pwned iBSS, iBEC and Kernel from the old Firmware
  • 4. Send the device the "bootx"-Command using iRecovery.
  • 5. Done! Remember your device will always need to boot tethered.

Download

External Links