|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "IDeviceReRestore"
(Created page) |
(The bug used is not in iOS 8, nor is it in iOS 10, even partially. 9.x only.) |
||
| Line 16: | Line 16: | ||
| website = [https://downgrade.party iDeviceReRestore] |
| website = [https://downgrade.party iDeviceReRestore] |
||
}} |
}} |
||
| − | '''iDeviceReRestore''' is a tool that can be used to downgrade 32-bit devices to any iOS 9 version, provided the user has [[SHSH]] |
+ | '''iDeviceReRestore''' is a tool that can be used to downgrade 32-bit devices to any iOS 9 version, provided the user has [[SHSH]] blobs for the version. The tool is based off [http://libimobiledevice.org/ iDeviceRestore by libimobiledevice]. |
| − | iDeviceReRestore uses a bug discovered in |
+ | iDeviceReRestore uses a bug discovered in 32 bit iOS 9.x iBoot's APTicket verification routines which allows valid cached tickets with a missing APNonce. The bug has been patched as of iOS 10, however due to the fact that when in [[DFU Mode]], the device is waiting to verify a signed firmware component, which is [[iBSS]]. When a signed iBSS is uploaded, we are not technically evading any security mechanism at this point, as all 32 bit iOS bootroms (other than watch) only verify based on SHSH and never care about APNonce, however, 9.x iBSS has the same bug as all other 9.x 32 bit iBoot, and so you can continue a restore straight from there, whereas on a firmware without the bug, iBSS will not accept your APTicket, and will not continue into the rest of the restore chain. |
| − | The bug is partially present in iOS 8 too, and up to iOS 10.2.1, but cannot be exploited. |
||
==Details== |
==Details== |
||
| Line 31: | Line 30: | ||
**They must have been saved without a nonce. |
**They must have been saved without a nonce. |
||
**If they begin with the string ''MIIKkj'', they are definitely fine. If they do not, they may also be fine, but will need checking to make sure. |
**If they begin with the string ''MIIKkj'', they are definitely fine. If they do not, they may also be fine, but will need checking to make sure. |
||
| + | **Most tickets saved by Cydia seem to be usable for this. |
||
*The technique requires a signed [[baseband]], like [[Prometheus]]. However, between the currently signed basebands for iOS 10 and the signed OTA basebands most, if not all, devices should be able to get a working baseband without issues. |
*The technique requires a signed [[baseband]], like [[Prometheus]]. However, between the currently signed basebands for iOS 10 and the signed OTA basebands most, if not all, devices should be able to get a working baseband without issues. |
||
*iOS 9 -> iOS 9 restores can be done from [[Recovery Mode]], iOS ≠9 -> iOS 9 restores must be done from [[DFU Mode]]. |
*iOS 9 -> iOS 9 restores can be done from [[Recovery Mode]], iOS ≠9 -> iOS 9 restores must be done from [[DFU Mode]]. |
||
Revision as of 04:58, 17 April 2017
| Original author(s) | alitek123, Trevor, Jonathan Seals |
|---|---|
| Developer(s) | alitek123, Trevor, Jonathan Seals |
| Initial release | 2 April 2017 |
| Stable release | 1.0.2 (macOS) / 1.0 (Linux) / 10 April 2017 |
| Development status | Active |
| Operating system | macOS / Linux |
| Available in | English |
| Type | Downgrading |
| License | Freeware |
| Website | iDeviceReRestore |
iDeviceReRestore is a tool that can be used to downgrade 32-bit devices to any iOS 9 version, provided the user has SHSH blobs for the version. The tool is based off iDeviceRestore by libimobiledevice.
iDeviceReRestore uses a bug discovered in 32 bit iOS 9.x iBoot's APTicket verification routines which allows valid cached tickets with a missing APNonce. The bug has been patched as of iOS 10, however due to the fact that when in DFU Mode, the device is waiting to verify a signed firmware component, which is iBSS. When a signed iBSS is uploaded, we are not technically evading any security mechanism at this point, as all 32 bit iOS bootroms (other than watch) only verify based on SHSH and never care about APNonce, however, 9.x iBSS has the same bug as all other 9.x 32 bit iBoot, and so you can continue a restore straight from there, whereas on a firmware without the bug, iBSS will not accept your APTicket, and will not continue into the rest of the restore chain.
Details
- iDeviceReRestore works for 32-bit devices only.
- The destination firmware must be iOS 9.x.
- The starting firmware does not matter.
- The starting firmware does not require a jailbreak.
- The process does not require keys, bundles, or nonces.
- The process requires SHSH blobs for the destination firmware.
- The SHSH blobs cannot be OTA blobs. They can be Erase or Update blobs, though not all of them will work.
- They must have been saved without a nonce.
- If they begin with the string MIIKkj, they are definitely fine. If they do not, they may also be fine, but will need checking to make sure.
- Most tickets saved by Cydia seem to be usable for this.
- The technique requires a signed baseband, like Prometheus. However, between the currently signed basebands for iOS 10 and the signed OTA basebands most, if not all, devices should be able to get a working baseband without issues.
- iOS 9 -> iOS 9 restores can be done from Recovery Mode, iOS ≠9 -> iOS 9 restores must be done from DFU Mode.
- The blobs must have a separate iBSS ticket to be used for DFU restores. If they don’t, they can only be used for iOS 9 -> iOS 9 restores.
