The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "GeekGrade"
(Created page with "Geekgrade Downgrade is currently the only way to downgrade idevices without SHSH blobs. It only works on devices with the S5L8930 and S5L8920 chip. It is a tet...") |
m |
||
(10 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
+ | '''GeekGrade''' is a [[Tethered Downgrade|tethered downgrade]] for the [[S5L8930]] and [[S5L8920]] chips that does not require [[SHSH]] blobs. It was developed by [https://twitter.com/blackgeektuto BlackGeekTutorial], and was found at [http://geeksn0w.it/GeekGrade/ geeksn0w.it]. |
||
− | Geekgrade Downgrade is currently the only way to downgrade [[idevices]] without [[SHSH]] blobs. It only works on devices with the [[S5L8930]] and [[S5L8920]] chip. It is a tethered downgrade. |
||
− | |||
== Exploits used == |
== Exploits used == |
||
− | + | GeekGrade uses many exploits together to create a tethered downgrade without [[SHSH]] blobs. They happen in this order: |
|
+ | |||
+ | 1.[[limera1n]] - the bootrom exploit that allows pwned [[DFU Mode]]. Pwned DFU mode puts the device in a state where custom firmware files can be falsely checked as legitimate when [[iTunes]] restores to a custom firmware |
||
+ | |||
+ | 2.Custom firmware - This only works because iTunes originally only asked the device if the firmware was legitimately from Apple. Apple firmware has specific img3 hashes, and iTunes asks the device if it will accept them. Pwned DFU mode allows the device to 'say yes'. The custom firmware uses [[SHSH]] blobs "donated for the project" and although they don't match the device, [[limera1n]] bypasses iOS' verification for correct blobs. |
||
+ | |||
+ | 3.[[iTunes]] 11.0 - All iTunes versions below 11.1 can be exploited with pwned DFU mode to restore to a custom firmware. This is because iTunes previously only asked the device if the hashes were correct. All versions above 11.0.5 will recalculate the hash and check it again before restoring. |
||
+ | |||
+ | 4.[[limera1n]] - everytime the device is booted tethered, the exploit bypasses [[SHSH]] blobs verification, allowing it to boot. |
||
+ | |||
+ | |||
+ | == Exploitable Devices and Compatible Firmware == |
||
+ | iPhone 4 (iPhone3,1) |
||
+ | - iOS 6.1.2 |
||
+ | - iOS 6.1 |
||
+ | - iOS 5.1.1 |
||
+ | - iOS 5.1 |
||
+ | - iOS 5.0.1 |
||
+ | - iOS 4.3.5 |
||
+ | - iOS 4.3.4 |
||
+ | - iOS 4.3.3 |
||
+ | - iOS 4.3.1 |
||
+ | - iOS 4.1 |
||
+ | - iOS 4.0.2 |
||
+ | |||
+ | iPhone 4 (iPhone3,2) |
||
+ | - iOS 6.1.3 |
||
+ | iPhone 4 (iPhone3,3) |
||
− | 1.[[Limera1n]]- the bootrom exploit that allows pwned dfu mode. Pwned dfu mode puts the device in a state where custom firmware files can be falsely checked as legit when itunes restores to a custom firmware |
||
+ | - iOS 6.1.3 |
||
+ | - iOS 5.1.1 |
||
+ | iPod touch (4th generation) (iPod4,1) |
||
− | 2.Custom firmware- This only works because iTunes originally only asked the [[idevice]] if the firmware was legitimitley from apple. Apple firmware has specific img3 hashes, and itunes asks the [[idevice]] if it will accept them. Well, pwned dfu just tells it yes |
||
+ | - iOS 6.1.3 |
||
+ | - iOS 6.1 1 |
||
+ | - iOS 6.0 |
||
+ | - iOS 5.1.1 |
||
+ | - iOS 5.1 |
||
+ | - iOS 5.0.1 |
||
+ | - iOS 4.3.5 |
||
+ | - iOS 4.3.3 |
||
+ | - iOS 4.1 |
||
+ | iPad (iPad1,1) |
||
− | 3.iTunes 11.0-All itunes versions below 11.1 can be exploited with pwned dfu to restore to a custom firmware. This is because itunes previously only asked the [[idevice]] if the hashes were correct. All versions above 11.0.5 will recalculate the hash and check it again before restoring. |
||
+ | - iOS 3.2 |
||
+ | [[Category:Downgrading]] |
||
− | 4.[[Limera1n]]-everytime the device is boot tethered, the exploit bypasses [[SHSH]] blobs verification, allowing it to boot. |
Latest revision as of 10:59, 12 April 2017
GeekGrade is a tethered downgrade for the S5L8930 and S5L8920 chips that does not require SHSH blobs. It was developed by BlackGeekTutorial, and was found at geeksn0w.it.
Exploits used
GeekGrade uses many exploits together to create a tethered downgrade without SHSH blobs. They happen in this order:
1.limera1n - the bootrom exploit that allows pwned DFU Mode. Pwned DFU mode puts the device in a state where custom firmware files can be falsely checked as legitimate when iTunes restores to a custom firmware
2.Custom firmware - This only works because iTunes originally only asked the device if the firmware was legitimately from Apple. Apple firmware has specific img3 hashes, and iTunes asks the device if it will accept them. Pwned DFU mode allows the device to 'say yes'. The custom firmware uses SHSH blobs "donated for the project" and although they don't match the device, limera1n bypasses iOS' verification for correct blobs.
3.iTunes 11.0 - All iTunes versions below 11.1 can be exploited with pwned DFU mode to restore to a custom firmware. This is because iTunes previously only asked the device if the hashes were correct. All versions above 11.0.5 will recalculate the hash and check it again before restoring.
4.limera1n - everytime the device is booted tethered, the exploit bypasses SHSH blobs verification, allowing it to boot.
Exploitable Devices and Compatible Firmware
iPhone 4 (iPhone3,1) - iOS 6.1.2 - iOS 6.1 - iOS 5.1.1 - iOS 5.1 - iOS 5.0.1 - iOS 4.3.5 - iOS 4.3.4 - iOS 4.3.3 - iOS 4.3.1 - iOS 4.1 - iOS 4.0.2
iPhone 4 (iPhone3,2) - iOS 6.1.3
iPhone 4 (iPhone3,3) - iOS 6.1.3 - iOS 5.1.1
iPod touch (4th generation) (iPod4,1) - iOS 6.1.3 - iOS 6.1 1 - iOS 6.0 - iOS 5.1.1 - iOS 5.1 - iOS 5.0.1 - iOS 4.3.5 - iOS 4.3.3 - iOS 4.1
iPad (iPad1,1) - iOS 3.2