The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "IDeviceReRestore"
(Created page) |
(No difference)
|
Revision as of 08:41, 16 April 2017
Original author(s) | alitek123, Trevor, Jonathan Seals |
---|---|
Developer(s) | alitek123, Trevor, Jonathan Seals |
Initial release | 2 April 2017 |
Stable release | 1.0.2 (macOS) / 1.0 (Linux) / 10 April 2017 |
Development status | Active |
Operating system | macOS / Linux |
Available in | English |
Type | Downgrading |
License | Freeware |
Website | iDeviceReRestore |
iDeviceReRestore is a tool that can be used to downgrade 32-bit devices to any iOS 9 version, provided the user has SHSH Restore blobs for the version. The tool is based off iDeviceRestore by libimobiledevice.
iDeviceReRestore uses a bug discovered in Apple's firmware component signing system. The bug cannot be patched by Apple, due to the fact that when in DFU Mode, the device is waiting to verify a signed firmware component, which is iBSS. When a blob with an iBSS ticket is uploaded, we are not technically evading any security mechanism, but it allows us to upload a signed iBEC next, and this has the necessary no-nonce bug. From there we can initiate a restore of the device, defeating any other software protections and verification checks. The bug is partially present in iOS 8 too, and up to iOS 10.2.1, but cannot be exploited.
Details
- iDeviceReRestore works for 32-bit devices only.
- The destination firmware must be iOS 9.x.
- The starting firmware does not matter.
- The starting firmware does not require a jailbreak.
- The process does not require keys, bundles, or nonces.
- The process requires SHSH blobs for the destination firmware.
- The SHSH blobs cannot be OTA blobs. They can be Erase or Update blobs, though not all of them will work.
- They must have been saved without a nonce.
- If they begin with the string MIIKkj, they are definitely fine. If they do not, they may also be fine, but will need checking to make sure.
- The technique requires a signed baseband, like Prometheus. However, between the currently signed basebands for iOS 10 and the signed OTA basebands most, if not all, devices should be able to get a working baseband without issues.
- iOS 9 -> iOS 9 restores can be done from Recovery Mode, iOS ≠9 -> iOS 9 restores must be done from DFU Mode.
- The blobs must have a separate iBSS ticket to be used for DFU restores. If they don’t, they can only be used for iOS 9 -> iOS 9 restores.