Difference between revisions of "IDeviceReRestore"

From The iPhone Wiki
(Created page)

Revision as of 08:41, 16 April 2017

iDeviceReRestore
Original author(s): alitek123, Trevor, Jonathan Seals
Developer(s): alitek123, Trevor, Jonathan Seals
Initial release: 2 April 2017; 7 years ago
Stable release: 1.0.2 (macOS) / 1.0 (Linux) / 10 April 2017; 7 years ago
Development status: Active
Operating system: macOS / Linux
Available in: English
Type: Downgrading
License: Freeware
Website: iDeviceReRestore

iDeviceReRestore is a tool that can be used to downgrade 32-bit devices to any iOS 9 version, provided the user has SHSH Restore blobs for that version. The tool is based on iDeviceRestore by libimobiledevice.

iDeviceReRestore uses a bug discovered in Apple's firmware component signing system. Apple cannot patch the bug, because a device in DFU Mode is waiting to verify exactly one signed firmware component, the iBSS. When a blob with an iBSS ticket is uploaded, we are not technically evading any security mechanism, but it allows us to upload a signed iBEC next, and that iBEC has the necessary no-nonce bug. From there we can initiate a restore of the device, defeating the remaining software protections and verification checks. The bug is partially present in iOS 8 too, and up to iOS 10.2.1, but cannot be exploited there.

Details

  • iDeviceReRestore works for 32-bit devices only.
  • The destination firmware must be iOS 9.x.
  • The starting firmware does not matter.
  • The starting firmware does not require a jailbreak.
  • The process does not require keys, bundles, or nonces.
  • The process requires SHSH blobs for the destination firmware.
    • The SHSH blobs cannot be OTA blobs. They can be Erase or Update blobs, though not all of them will work.
    • They must have been saved without a nonce.
    • If they begin with the string MIIKkj, they are definitely fine. If they do not, they may also be fine, but will need checking to make sure.
  • The technique requires a signed baseband, like Prometheus. However, between the currently signed basebands for iOS 10 and the signed OTA basebands most, if not all, devices should be able to get a working baseband without issues.
  • Restores from iOS 9 to iOS 9 can be done from Recovery Mode; restores from any other iOS version to iOS 9 must be done from DFU Mode.
  • The blobs must have a separate iBSS ticket to be used for DFU restores. If they don’t, they can only be used for iOS 9 -> iOS 9 restores.
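The "MIIKkj" test above is a check on the base64 text of the APTicket, and it is worth knowing what it actually encodes: "MIIKkj" is the base64 of the DER bytes 30 82 0A 92 3?, that is, an outer SEQUENCE whose declared length is exactly 0x0A92 = 2706 bytes and whose first inner element is itself a SEQUENCE or SET. The following Python script is an added example, not part of the wiki page or of the iDeviceReRestore project; it reads the DER header of a ticket, tells you whether the blob carries the known-good prefix, and otherwise reports that the blob "may also be fine, but will need checking", as the page puts it. It assumes (this is not stated on the page) that a saved SHSH plist stores the 32-bit ticket under the key APTicket; if your saving tool used another key, change TICKET_KEY. The sample tickets are constructed inline so the script runs offline.

```python
import base64
import plistlib

# Prefix the wiki page gives for blobs that are "definitely fine".
KNOWN_GOOD_PREFIX = "MIIKkj"

# Assumption, not from the page: plist key holding the raw 32-bit ticket.
TICKET_KEY = "APTicket"


def decode_der_header(data: bytes):
    """Return (tag, declared_length, header_length) of the first DER TLV in data.

    Handles the short form (length < 0x80) and the long form (0x81..0x84).
    """
    if len(data) < 2:
        raise ValueError("ticket too short to hold a DER header")
    tag, first = data[0], data[1]
    if first < 0x80:
        return tag, first, 2
    num_len_bytes = first & 0x7F
    if num_len_bytes == 0 or num_len_bytes > 4 or len(data) < 2 + num_len_bytes:
        raise ValueError("malformed or truncated DER length field")
    length = int.from_bytes(data[2:2 + num_len_bytes], "big")
    return tag, length, 2 + num_len_bytes


def inspect_ticket(raw: bytes) -> dict:
    """Classify a raw APTicket the way the wiki's blob rule does."""
    b64 = base64.b64encode(raw).decode("ascii")
    try:
        tag, length, header_len = decode_der_header(raw)
    except ValueError:
        tag, length, header_len = None, None, 0

    if b64.startswith(KNOWN_GOOD_PREFIX):
        verdict = "known-good prefix"
    elif tag == 0x30:
        verdict = "DER sequence, needs manual check"
    else:
        verdict = "not a DER ticket"

    return {
        "b64_prefix": b64[:6],
        "is_der_sequence": tag == 0x30,
        "declared_length": length,
        "header_hex": raw[:header_len].hex(),
        "verdict": verdict,
    }


def inspect_shsh_file(path: str) -> dict:
    """Load a saved SHSH plist and inspect the ticket stored under TICKET_KEY."""
    with open(path, "rb") as fh:
        blob = plistlib.load(fh)
    return inspect_ticket(blob[TICKET_KEY])


def constructed_ticket(outer_len: int = 0x0A92) -> bytes:
    """Constructed sample: SEQUENCE(outer_len) { SEQUENCE(outer_len - 4) { zeros } }.

    This is not a real ticket; it only reproduces the header bytes so the
    base64 prefix check can be exercised without any device data.
    """
    inner_len = outer_len - 4
    return (bytes([0x30, 0x82]) + outer_len.to_bytes(2, "big")
            + bytes([0x30, 0x82]) + inner_len.to_bytes(2, "big")
            + b"\x00" * inner_len)


if __name__ == "__main__":
    for sample in (constructed_ticket(), constructed_ticket(0x0B00), b"<?xml version"):
        print(inspect_ticket(sample))
```

Run it against a real file with inspect_shsh_file("path/to/blob.shsh"); a "known-good prefix" result corresponds to the page's "definitely fine", while "DER sequence, needs manual check" means the ticket is well-formed but its length differs from the known-good case, so the nonce and iBSS-ticket conditions still have to be verified by other means.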