Difference between revisions of "GeekGrade"

From The iPhone Wiki
Jump to: navigation, search
Line 16: Line 16:
 
== Exploitable Devices and Compatible Firmware ==
 
== Exploitable Devices and Compatible Firmware ==
 
iPhone 4 (GSM 3,1)
 
iPhone 4 (GSM 3,1)
- iOS 6.1.2 10B146
+
- iOS 6.1.2
- iOS 6.1 10B144
+
- iOS 6.1
- iOS 5.1.1 9B206
+
- iOS 5.1.1
- iOS 5.1 9B176
+
- iOS 5.1
- iOS 5.0.1 9A495
+
- iOS 5.0.1
- iOS 4.3.5 8L1
+
- iOS 4.3.5
- iOS 4.3.4 8K2
+
- iOS 4.3.4
- iOS 4.3.3 8J2
+
- iOS 4.3.3
- iOS 4.3.1 8G4
+
- iOS 4.3.1
- iOS 4.1 8B117
+
- iOS 4.1
- iOS 4.0.2 8A400
+
- iOS 4.0.2
   
 
iPhone 4 (GSM Rev A 3,2)
 
iPhone 4 (GSM Rev A 3,2)
Line 47: Line 47:
   
 
iPad 1 (iPad 1,1)
 
iPad 1 (iPad 1,1)
- iOS 3.2 7B367
+
- iOS 3.2
   
iphone 3GS- the old bootrom on the 3GS is exploitable with the [[0x24000 Segment Overflow]]. This can be used to load [[limera1n]] and bypass [[SHSH]] blob verification completley, meaning an untethered downgrade. The new bootrom is only exploitable to [[limera1n]] meaning like all other [[limera1n]] devices it must be loaded by redsnow each and every time to boot. As of 2016, no 3GS ispws have been created for geekgrade, although they could be.
+
iPhone 3GS- the old bootrom on the 3GS is exploitable with the [[0x24000 Segment Overflow]]. This can be used to load [[limera1n]] and bypass [[SHSH]] blob verification completley, meaning an untethered downgrade. The new bootrom is only exploitable to [[limera1n]] meaning like all other [[limera1n]] devices it must be loaded by redsnow each and every time to boot. As of 2016, no 3GS ispws have been created for geekgrade, although they could be.

Revision as of 17:23, 9 October 2016

Geekgrade Downgrade is currently the only way to downgrade idevices without SHSH blobs. It only works on devices with the S5L8930 and S5L8920 chips. It is a tethered downgrade.


Exploits used

Geekgrade Downgrade uses many exploits together to create a tethered downgrade without SHSH blobs.They happen in this order:

1.Limera1n- the bootrom exploit that allows pwned dfu mode. Pwned dfu mode puts the device in a state where custom firmware files can be falsely checked as legit when itunes restores to a custom firmware

2.Custom firmware- This only works because iTunes originally only asked the idevice if the firmware was legitimitley from apple. Apple firmware has specific img3 hashes, and itunes asks the idevice if it will accept them. Well, pwned dfu just tells it yes

3.iTunes 11.0-All itunes versions below 11.1 can be exploited with pwned dfu to restore to a custom firmware. This is because itunes previously only asked the idevice if the hashes were correct. All versions above 11.0.5 will recalculate the hash and check it again before restoring.

4.Limera1n-everytime the device is boot tethered, the exploit bypasses SHSH blobs verification, allowing it to boot.


Exploitable Devices and Compatible Firmware

iPhone 4 (GSM 3,1) - iOS 6.1.2 - iOS 6.1 - iOS 5.1.1 - iOS 5.1 - iOS 5.0.1 - iOS 4.3.5 - iOS 4.3.4 - iOS 4.3.3 - iOS 4.3.1 - iOS 4.1 - iOS 4.0.2

iPhone 4 (GSM Rev A 3,2) - iOS 6.1.3

iPhone 4 (CDMA 3,3) - iOS 6.1.3 - iOS 5.1.1

iPod Touch 4G (iPod4,1) - iOS 6.1.3 - iOS 6.1 1 - iOS 6.0 - iOS 5.1.1 - iOS 5.1 - iOS 5.0.1 - iOS 4.3.5 - iOS 4.3.3 - iOS 4.1

iPad 1 (iPad 1,1) - iOS 3.2

iPhone 3GS- the old bootrom on the 3GS is exploitable with the 0x24000 Segment Overflow. This can be used to load limera1n and bypass SHSH blob verification completley, meaning an untethered downgrade. The new bootrom is only exploitable to limera1n meaning like all other limera1n devices it must be loaded by redsnow each and every time to boot. As of 2016, no 3GS ispws have been created for geekgrade, although they could be.