The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "IDeviceReRestore"
m |
(Rearranged and rephrased stuff.) |
||
Line 3: | Line 3: | ||
| name = iDeviceReRestore |
| name = iDeviceReRestore |
||
| title = iDeviceReRestore |
| title = iDeviceReRestore |
||
− | | author = [https://twitter.com/alitek123 alitek123], [https://twitter.com/Thmitt Trevor], [ |
+ | | author = [https://twitter.com/alitek123 alitek123], [https://twitter.com/Thmitt Trevor], [[User:JonathanSeals|Jonathan Seals]] |
− | | developer = [https://twitter.com/alitek123 alitek123], [https://twitter.com/Thmitt Trevor], [ |
+ | | developer = [https://twitter.com/alitek123 alitek123], [https://twitter.com/Thmitt Trevor], [[User:JonathanSeals|Jonathan Seals]] |
| discontinued = |
| discontinued = |
||
| released = {{start date and age|2017|04|02}} |
| released = {{start date and age|2017|04|02}} |
||
Line 13: | Line 13: | ||
| status = Active |
| status = Active |
||
| genre = Downgrading |
| genre = Downgrading |
||
− | | license = [[wikipedia: |
+ | | license = [[wikipedia:GNU Lesser General Public License|GNU LGPL 2.1]] |
| website = [https://downgrade.party iDeviceReRestore] |
| website = [https://downgrade.party iDeviceReRestore] |
||
}} |
}} |
||
− | '''iDeviceReRestore''' is a tool that can be used to downgrade 32-bit devices to any iOS 9 version, provided the user has [[SHSH]] blobs for the version. |
+ | '''iDeviceReRestore''' is a tool based off of [https://cgit.sukimashita.com/idevicerestore.git/ idevicerestore] that can be used to downgrade 32-bit devices to any iOS 9 version, provided the user has [[SHSH]] blobs for the version. It uses a bug discovered in 32-bit versions of iOS 9.x [[iBoot (Bootloader)|iBoot]]'s APTicket verification routines which allows valid cached tickets with a missing APNonce, regardless of the current nonce. The bug was patched in iOS 10. |
− | + | Due to the fact that when in [[DFU Mode]], the device is waiting to verify a signed firmware component, which is [[iBSS]]. When a signed iBSS is uploaded, we are not technically evading any security mechanism at this point, as all 32 bit iOS bootroms (other than [[Apple Watch]]) only verify based on SHSH and never care about APNonce. Furthermore, 9.x iBSS has the same bug as all other 9.x 32 bit iBoot, and so you can continue a restore straight from there, whereas on a firmware without the bug, iBSS will not accept your APTicket, and will not continue into the rest of the restore chain. |
|
− | == |
+ | == Notes == |
− | *iDeviceReRestore works for 32-bit devices only ( |
+ | * iDeviceReRestore works for 32-bit iOS devices only. (Apple Watch is not included.) |
− | *The |
+ | * The initial firmware does not matter. |
− | *The |
+ | * The initial firmware does not require a [[jailbreak]]. |
− | *The |
+ | * The destination firmware must be iOS 9.x. [[SHSH]] blobs for the destination firmware are required. |
− | *The process does not require [[Firmware Keys|keys]], bundles, or nonces. |
+ | * The process does not require [[Firmware Keys|keys]], bundles, or nonces. |
+ | ** The SHSH blobs cannot be OTA blobs. They can be Erase or Update blobs, though not all of them will work. |
||
− | *The process requires [[SHSH]] blobs for the destination firmware. |
||
+ | ** They must have been saved without a nonce. |
||
− | **The SHSH blobs cannot be OTA blobs. They can be Erase or Update blobs, though not all of them will work. |
||
+ | ** If they begin with the string ''MIIKkj'', they are definitely fine. If they do not, they may also be fine, but will need checking to make sure. |
||
− | **They must have been saved without a nonce. |
||
− | ** |
+ | ** The blobs must have a separate [[iBSS]] ticket to be used for DFU restores. If they don’t, they can only be used for iOS 9 -> iOS 9 restores. |
− | **Most tickets saved by [[Cydia]] seem to be usable for this. |
+ | ** Most tickets saved by [[Cydia]] seem to be usable for this. |
− | *The technique requires a signed [[baseband]], like [[Prometheus]]. However, between the currently signed basebands for iOS 10 and the signed OTA basebands most |
+ | * The technique requires a signed [[baseband]], like [[Prometheus]]. However, between the currently signed basebands for iOS 10 and the signed OTA basebands, most devices (if not all) should be able to get a working baseband without issues. The tool automatically downloads the latest baseband available per device. |
− | *iOS 9 -> iOS 9 restores can be done from [[Recovery Mode]] |
+ | * iOS 9 -> iOS 9 restores can be done from [[Recovery Mode]]. Devices on other firmwares must be restored from [[DFU Mode]]. |
− | *The blobs must have a separate [[iBSS]] ticket to be used for DFU restores. If they don’t, they can only be used for iOS 9 -> iOS 9 restores. |
||
[[Category:Hacking Software]] |
[[Category:Hacking Software]] |
Revision as of 17:47, 17 April 2017
Original author(s) | alitek123, Trevor, Jonathan Seals |
---|---|
Developer(s) | alitek123, Trevor, Jonathan Seals |
Initial release | 2 April 2017 |
Stable release | 1.0.2 (macOS) / 1.0 (Linux) / 10 April 2017 |
Development status | Active |
Operating system | macOS / Linux |
Available in | English |
Type | Downgrading |
License | GNU LGPL 2.1 |
Website | iDeviceReRestore |
iDeviceReRestore is a tool based off of idevicerestore that can be used to downgrade 32-bit devices to any iOS 9 version, provided the user has SHSH blobs for the version. It uses a bug discovered in 32-bit versions of iOS 9.x iBoot's APTicket verification routines which allows valid cached tickets with a missing APNonce, regardless of the current nonce. The bug was patched in iOS 10.
Due to the fact that when in DFU Mode, the device is waiting to verify a signed firmware component, which is iBSS. When a signed iBSS is uploaded, we are not technically evading any security mechanism at this point, as all 32 bit iOS bootroms (other than Apple Watch) only verify based on SHSH and never care about APNonce. Furthermore, 9.x iBSS has the same bug as all other 9.x 32 bit iBoot, and so you can continue a restore straight from there, whereas on a firmware without the bug, iBSS will not accept your APTicket, and will not continue into the rest of the restore chain.
Notes
- iDeviceReRestore works for 32-bit iOS devices only. (Apple Watch is not included.)
- The initial firmware does not matter.
- The initial firmware does not require a jailbreak.
- The destination firmware must be iOS 9.x. SHSH blobs for the destination firmware are required.
- The process does not require keys, bundles, or nonces.
- The SHSH blobs cannot be OTA blobs. They can be Erase or Update blobs, though not all of them will work.
- They must have been saved without a nonce.
- If they begin with the string MIIKkj, they are definitely fine. If they do not, they may also be fine, but will need checking to make sure.
- The blobs must have a separate iBSS ticket to be used for DFU restores. If they don’t, they can only be used for iOS 9 -> iOS 9 restores.
- Most tickets saved by Cydia seem to be usable for this.
- The technique requires a signed baseband, like Prometheus. However, between the currently signed basebands for iOS 10 and the signed OTA basebands, most devices (if not all) should be able to get a working baseband without issues. The tool automatically downloads the latest baseband available per device.
- iOS 9 -> iOS 9 restores can be done from Recovery Mode. Devices on other firmwares must be restored from DFU Mode.