Firmware downgrading

From The iPhone Wiki
Revision as of 19:15, 14 March 2015 by IAdam1n (You forgot the A5 exception.)

Downgrading is the process of restoring a device to an older firmware version. Apple's signing server only authorizes a restore to a firmware version that is currently being signed, so a downgrade is not normally possible. It is possible on A4 and older devices that have a bootrom exploit such as Limera1n, because the exploit lets the device run a bootchain whose signature would otherwise be rejected. The A5 devices are a partial exception: an iPhone 4s can be restored from one 5.x version to another 5.x version as long as valid SHSH blobs are saved for both the version the device is currently on and the target version, and an iPad 2 can be downgraded to 5.x with both 4.x and 5.x SHSH blobs, or to 4.x with only 4.x blobs. (SHSH blobs are tied to the device's ECID, so for the A5 method they must have been saved from that same device while Apple was still signing the version.) iPhone 4s and iPad 2 downgrades require redsn0w.

Reason for downgrading

Some users downgrade because iOS 7 runs poorly on older devices such as the iPhone 4.

Issues

If the restore ramdisk was not modified, the restore writes the older firmware's LLB and the rest of its bootchain to the device. Whenever iOS reboots or wakes from deep sleep, that LLB is verified again; because it is part of the bootchain it does not get overwritten, and the failed check leaves iOS with a disabled LCD (the "dead LCD" problem). To work around this, disable the power management daemon so the device never enters deep sleep.

Tethered downgrades

Create an IPSW that the restore process accepts as if the firmware were still being signed, or build one with SHSH blobs for the same device model and iOS version you want to go to (redsn0w can do this). Because the bootrom exploit bypasses the signature check on these devices, the blobs do not have to come from your own device; another person's SHSH blobs will do. For example, GeekGrade distributed iFaith-built IPSWs with the Prevent Sleep tweak preinstalled or with a modified ramdisk. (Keep in mind this was done with iH8sn0w's work and also violates Apple's copyright by redistributing their iOS.) To avoid the dead LCD and the DFU loop altogether, you can use xpwntool to decrypt the restore ramdisk and disable the flashing of a new iOS bootchain, so the device keeps the LLB and iBoot it already has.
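As an added example (not from this page, nor from xpwntool's or redsn0w's authors), here is a small Python script that makes the ramdisk edit described above once the ramdisk has been decrypted with xpwntool and mounted: it flips the FlashNOR option in the restore ramdisk's options.plist so the restore leaves the existing bootchain alone, and provides a check you can run afterwards to confirm the edit took. The path /usr/local/share/restore/options.plist and the meaning of the FlashNOR key are assumptions about the restore ramdisk layout; the sample plist is constructed for the example and not taken from any real IPSW.

```python
"""Disable bootchain (NOR) flashing in a restore ramdisk's options.plist.

Assumptions (not from the original article): the decrypted, mounted ramdisk
contains /usr/local/share/restore/options.plist, and its boolean "FlashNOR"
key controls whether the restore writes a new LLB/iBoot to NOR.
"""
import plistlib
import sys

# Constructed sample of an iOS 5-era restore options.plist (not from a real
# IPSW), used when the script is exercised without a ramdisk at hand.
SAMPLE_OPTIONS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CreateFilesystemPartitions</key>
    <true/>
    <key>FlashNOR</key>
    <true/>
    <key>RestoreBundlePath</key>
    <string>/usr/local/standalone/firmware</string>
    <key>SystemPartitionSize</key>
    <integer>1024</integer>
    <key>UpdateBaseband</key>
    <true/>
</dict>
</plist>
"""


def load_options(plist_bytes):
    """Parse an options.plist (XML or binary) into a dict."""
    return plistlib.loads(plist_bytes)


def is_options_plist(plist_bytes):
    """Sanity check: a restore options.plist carries a boolean FlashNOR key."""
    try:
        opts = load_options(plist_bytes)
    except Exception:
        return False
    return isinstance(opts, dict) and isinstance(opts.get("FlashNOR"), bool)


def patch_restore_options(plist_bytes, flash_nor=False):
    """Return a new options.plist with FlashNOR set (disabled by default).

    With FlashNOR false the restore keeps the LLB/iBoot already on the device
    instead of writing the older firmware's unsigned bootchain, which is what
    causes the DFU loop and dead LCD after an unmodified tethered downgrade.
    Every other key is carried over untouched.
    """
    if not is_options_plist(plist_bytes):
        raise ValueError("no FlashNOR key: is this really restore/options.plist?")
    opts = load_options(plist_bytes)
    opts["FlashNOR"] = flash_nor
    return plistlib.dumps(opts)


def bootchain_preserved(plist_bytes):
    """True only if the plist explicitly turns NOR flashing off."""
    return load_options(plist_bytes).get("FlashNOR") is False


def main(argv):
    """Usage: patch_options.py <mounted-ramdisk>/usr/local/share/restore/options.plist"""
    if len(argv) != 2:
        print(main.__doc__)
        return 2
    with open(argv[1], "rb") as f:
        original = f.read()
    patched = patch_restore_options(original)
    with open(argv[1], "wb") as f:
        f.write(patched)
    print("FlashNOR disabled:", bootchain_preserved(patched))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the options.plist inside the mounted ramdisk, then unmount and re-encrypt the ramdisk with xpwntool before rebuilding the IPSW. The script refuses to touch a plist that has no FlashNOR key, which guards against pointing it at the wrong file (the ramdisk contains several plists), and it rewrites only that one key so the partition layout and bundle path the restore depends on are preserved.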

Restoring to custom firmwares

Downgrade iTunes to 11.0, put the device into pwned DFU mode and restore the custom IPSW. If the ramdisk was not modified, expect the restore to end with Error 37 and the device to drop into DFU Mode; this is normal for this method, and the device is then tether-booted as described below. If the ramdisk was modified, the restore finishes the way any normal restore does and the device goes into Recovery Mode.

Booting

Limera1n is a bootrom exploit, so it lets us skip SHSH blob (signature) verification of the bootchain at boot time. A downgraded device with invalid SHSH blobs can therefore boot into iOS without issues, as long as it is tether-booted. For a device restored with a blob-signed IPSW but an unmodified ramdisk, select that IPSW in redsn0w, choose "Recovery fix", and then use the tethered boot option. For a device restored with a modified ramdisk, select the stock IPSW for that iOS version and tether boot directly. Either way the device boots into iOS. For an iOS 7 tethered downgrade, opensn0w is required to boot the device.