From The iPhone Wiki

Restore / downgrade iPad 2 GSM without baseband

Does anybody know details on how semaphore does a TSS downgrade of an iPad 2 (GSM) firmware, without modifying the baseband and without running into a recovery loop? (see this screenshot) The latest TinyUmbrella release supports such downgrades and there is no bootrom exploit that would allow a kick out of recovery. I thought such a downgrade is possible by getting the SHSH from the local backup and the baseband SHSH from Apple (because of the nonce problem). As long as Apple signs the same baseband, even a baseband downgrade from an iOS5 beta baseband would be possible. Or, in the more common case, a complete restore from iOS 4.3.4 to 4.3.3 (including baseband). But TinyUmbrella doesn't even try to change the baseband, so his method must be totally different. He also tweeted me "it is WAY more complicated". Does anybody know more? --http 06:13, 20 July 2011 (MDT)


Where is the source of TinyUmbrella? --XiiiX 16:46, 14 August 2011 (MDT)

Take the Mac (.PKG) file and look at the contents. I am on Windows, so I extracted it to a SUB-dir and navigated to a file called Payload and extracted that to get Payload~. Extracted that to get the app and then the .class files are just Java files that can be decompiled with any free Java decompiler. PS, I used 7-Zip for extraction... --5urd 20:10, 14 August 2011 (MDT)


Does anybody know how TU puts the device into recovery mode? And how to go from recovery to DFU? --Dylan Laws 01:18, 22 January 2012 (MST)

The iTunes MobileDevice Library has a function to put the device into Recovery Mode. --rud0lf77 08:36, 22 January 2012 (MST)
Do you know the command? --Dylan Laws 12:32, 22 January 2012 (MST)
Learn Java, decompile the Java scripts, examine. Done :) --5urd 13:47, 22 January 2012 (MST)
In the Headers of MobileDevice Library you can find: AMDeviceEnterRecovery, have fun with it. --rud0lf77 14:12, 22 January 2012 (MST)
So, no execution with the DLL through CMD? --Dylan Laws 14:41, 22 January 2012 (MST)
You can't execute DLLs; you have to get the MobileDevice Header, include it in your Application and then link against the DLL. --rud0lf77 15:55, 22 January 2012 (MST)