|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Tethered Downgrade"
m (No.) |
m (Fix link) |
||
| (6 intermediate revisions by 6 users not shown) | |||
| Line 1: | Line 1: | ||
| − | '''Tethered Downgrades''' are downgrades which |
+ | '''Tethered Downgrades''' are downgrades which flash unsigned iOS versions in a way that meets certain [[iTunes]] requirements to complete a restore. It is possible to perform a tethered downgrade on any device that is vulnerable to the [[limera1n Exploit]]. |
| − | Installing a firmware version using this method (without valid SHSH blobs) |
+ | Installing a firmware version using this method (without valid SHSH blobs) will result in a '''permanently tethered''' jailbreak. Each time the device boots, the bootrom validates the SHSH blobs for LLB, LLB for [[iBoot]], and so on. Therefore, the image validation function must be patched or bypassed with an appropriate bootrom exploit payload on every boot or the device will be forced into DFU mode or recovery mode depending on the method. |
== Dead LCD Bug == |
== Dead LCD Bug == |
||
| + | Locking a device with an unsigned [[bootchain]] (specifically the [[LLB]]) while on battery power causes iOS to disable the LCD. A restore to the latest iOS is needed to fix this. |
||
| − | |||
| − | Locking a device with an unsigned [[bootchain]] (speficially the [[LLB]]) while on battery power causes iOS to disable the LCD. A restore to the latest iOS is needed to fix this. |
||
== LCD Incompatibility == |
== LCD Incompatibility == |
||
| + | Some [[iOS]] versions (such as iOS 5) cannot boot when the device has a counterfeit display. A workaround is available [http://www.reddit.com/r/LegacyJailbreak/comments/2ohrw5/how_to_boot_ios_5_and_below_on_the_iphone_4_with/ here]. |
||
| − | |||
| − | Some [[iOS]] versions (such as iOS 5) cannot boot when the device has a counterfeit display. A workaround for this has been [http://www.reddit.com/r/LegacyJailbreak/comments/2ohrw5/how_to_boot_ios_5_and_below_on_the_iphone_4_with/ found]. |
||
== Method == |
== Method == |
||
{| class="wikitable" |
{| class="wikitable" |
||
! Name |
! Name |
||
| − | ! LCD Fix |
||
! Description |
! Description |
||
|- |
|- |
||
| − | ! [[ |
+ | ! [[GeekGrade]] |
| − | | Yes? |
||
| − | | |
||
| − | * [[Bluefreeze]], a tool written by a group called The Private Dev Team, modifies the firmware version (and firmware checksum) in the iFaith certificate file, so that this check gets disabled. By doing so, you can install any firmware version on your device, even without having saved the SHSH files. The problem by doing so is that you actually install a firmware without signatures, with all consequences. |
||
| − | |- |
||
| − | ! [http://www.reddit.com/r/jailbreak/comments/23vu98/psahowto_successfully_tether_downgrade_iphone_4/ GeekGrade Beta 1] |
||
| − | | Partial |
||
| − | | |
||
| − | * IPSWs made via Sn0wbreeze, ramdisk modified to have BlackGeek's logo, and preinstalled with mobile substrate and a deep sleep disabler. Once the device is running, the device will not go into deep sleep, causing severe battery draining. This workaround avoids the display failure issue but locking via safe mode will cause the display to fail. |
||
| − | |- |
||
| − | ! REALLY BAD METHOD™ |
||
| − | | NO |
||
| − | | |
||
| − | * Grab someone's blobs and make an IPSW with iFaith. Then restore with it when in PWNED DFU. basically what Bluefreeze does. |
||
| − | |- |
||
| − | ! [http://geeksn0w.it/GeekGrade/ GeekGrade 1.0] |
||
| − | | Yes |
||
| |
| |
||
| − | * Instead of making the IPSW via sn0wbreeze, it's made via iFaith. The ramdisk is modified to remove iH8sn0w's iFaith logo and to replace it with BlackGeek's logo. It also sets FlashNOR to false in option.plist. This last modification allows the bootchain to stay signed (if it was signed prior to restore). This method fixes the display failure bug |
+ | * Instead of making the IPSW via sn0wbreeze, it's made via iFaith. The ramdisk is modified to remove iH8sn0w's iFaith logo and to replace it with BlackGeek's logo. It also sets FlashNOR to false in option.plist. This last modification allows the bootchain to stay signed (if it was signed prior to restore). This method fixes the display failure bug. The device is then sent to recovery mode (instead of DFU) because the bootchain is signed but fails to load iOS. |
|- |
|- |
||
|- |
|- |
||
| + | ! [[iFaith]] |
||
| − | ! iFaith + Custom Ramdisk |
||
| − | | Yes |
||
| |
| |
||
| − | * Make an IPSW in iFaith with [https://drive.google.com/open?id=0ByxMOiAf78kITnB2MEVkU3J4aGs&authuser=0 someone else's valid blobs] for your |
+ | * Make an IPSW in iFaith with [https://drive.google.com/open?id=0ByxMOiAf78kITnB2MEVkU3J4aGs&authuser=0 someone else's valid blobs] for your specific device and swap that IPSW's ramdisk with the one in GeekGrade's IPSWs or make the modified ramdisk yourself. |
|- |
|- |
||
! [[Sund0wn]] |
! [[Sund0wn]] |
||
| − | | Yes |
||
| |
| |
||
| + | * Downgrade utility for Windows written by iSuns9 that allows tether and untether downgrades for all models of the iPhone 3GS, iPhone 4, and iPod touch (4th generation). |
||
| − | * Sund0wn is a downgrade utility which allows tether and untether downgroades for iOS 6.0-7.1.2 for the iPhone 4. It is for the Windows family of operating systems written by iSuns9. It works on all iPhone 4 models. This is useful if you want to use older iOS versions. Even if Apple doesn't sign that firmware anymore, sund0wn creates a restoreable IPSW so that you can install the firmware and tether boot after. |
||
|} |
|} |
||
== Purpose == |
== Purpose == |
||
| − | With this method you can install a firmware for which you don't have [[SHSH]] saved for |
+ | With this method you can install a firmware for which you don't have [[SHSH]] saved for. This is handy in the case that you're a software developer and need to do some tests on a specific version or if you prefer older iOS versions. |
== Alternative == |
== Alternative == |
||
| Line 62: | Line 41: | ||
# Rename the original asr and add the patched asr. |
# Rename the original asr and add the patched asr. |
||
# chmod asr to 100755 |
# chmod asr to 100755 |
||
| − | # Replace the root file system dmg with the decrypted root file system dmg of the older firmware you want to downgrade to. |
+ | # Replace the root file system dmg with the decrypted root file system dmg of the older firmware you want to downgrade to. |
# Enter pwned [[DFU Mode]]. |
# Enter pwned [[DFU Mode]]. |
||
# Use an old [[iTunes]] version that allows downgrades on your [[iOS]] device and restore to your patched IPSW. |
# Use an old [[iTunes]] version that allows downgrades on your [[iOS]] device and restore to your patched IPSW. |
||
# To start up your device you will have to boot tethered (depending on iOS version [[redsn0w]] or [[opensn0w]]). |
# To start up your device you will have to boot tethered (depending on iOS version [[redsn0w]] or [[opensn0w]]). |
||
| − | [[Category: |
+ | [[Category:Downgrading]] |
Revision as of 10:58, 12 April 2017
Tethered Downgrades are downgrades which flash unsigned iOS versions in a way that meets certain iTunes requirements to complete a restore. It is possible to perform a tethered downgrade on any device that is vulnerable to the limera1n Exploit.
Installing a firmware version using this method (without valid SHSH blobs) will result in a permanently tethered jailbreak. Each time the device boots, the bootrom validates the SHSH blobs for LLB, LLB for iBoot, and so on. Therefore, the image validation function must be patched or bypassed with an appropriate bootrom exploit payload on every boot or the device will be forced into DFU mode or recovery mode depending on the method.
Dead LCD Bug
Locking a device with an unsigned bootchain (specifically the LLB) while on battery power causes iOS to disable the LCD. A restore to the latest iOS is needed to fix this.
LCD Incompatibility
Some iOS versions (such as iOS 5) cannot boot when the device has a counterfeit display. A workaround is available here.
Method
| Name | Description |
|---|---|
| GeekGrade |
|
| iFaith |
|
| Sund0wn |
|
Purpose
With this method you can install a firmware for which you don't have SHSH saved for. This is handy in the case that you're a software developer and need to do some tests on a specific version or if you prefer older iOS versions.
Alternative
You have to patch a firmware file (IPSW) which is signed by Apple exactly when you want to perform the downgrade.
- Patch out the signature check in iBSS and iBEC and apply another patch to iBEC (some lines of code before the patch the string "debug-enabled" is loaded into a register and some lines after the patch the string "development-cert" is loaded. Look at a patched iBEC from an iFaith IPSW for details).
- Patch the boot-args in iBEC to "rd=md0 amfi=0xff cs_enforcement_disable=1 pio-error=0" and do an iBEC patch that injects the boot-args.
- Patch asr to return "Image passed signature verification" where it would usually return "Image failed signature verification".
- Update the page hashes of asr with ldid.
- Grow the ramdisk to original size + size of asr (better some bytes larger).
- Rename the original asr and add the patched asr.
- chmod asr to 100755
- Replace the root file system dmg with the decrypted root file system dmg of the older firmware you want to downgrade to.
- Enter pwned DFU Mode.
- Use an old iTunes version that allows downgrades on your iOS device and restore to your patched IPSW.
- To start up your device you will have to boot tethered (depending on iOS version redsn0w or opensn0w).
