upgrade – Can I install any iOS version I want by picking and choosing which firmware to restore?


Note: There’s a new method of downgrading/upgrading that does not require Apple to be currently signing, and it works on newer devices that are not present in the first list of my answer below. The tool for it is called futurerestore (codenamed Prometheus). The biggest caveat to this tool is that you must be jailbroken in most cases before initiating the restore (and you only have one shot, so a failed restore will force you to install a signed firmware) (if that signed firmware is also jailbreakable, then technically you get second chances, but it’s rare for that to be the case unless there is a bootrom exploit for your device). Right now, the best tutorial for Prometheus is by @iPodHacks142 and is endorsed by the author of Prometheus, @tihmstar. I will be updating this answer later to explain more about it, but I wanted to get this information posted here sooner rather than later.

Other Note: I’m missing information about the original Odysseus, which allows a few 32-bit iOS devices to downgrade within the iOS 6 and 7 range.

Other Other Note: There’s an even newer method of downgrading/upgrading that will allow almost all 32-bit devices (does not include the 32-bit devices that can install iOS 10) to go from iOS 9.3.5 firmware to any other iOS 9.X firmware.

Other Other Other Note: There’s a new bootrom exploit for A5 to A11 devices called checkm8. It may allow you to install any IPSW as long as valid SHSH blobs are provided (it’s unclear if you need a valid APTicket as well, as it has been demonstrated that it is not necessary in some cases).

When I find some time, I’ll add these to the answer below. My answer is still up-to-date (apart from anything having to do with these notes).


In short, unless you have one of the following devices (devices with A4 processors or earlier, hereafter called “pre-A5 devices”), you cannot install anything other than the iOS versions that Apple currently signs:

  • iPhone (1st generation)
  • iPhone 3G
  • iPhone 3GS
  • iPhone 4
  • iPod touch (1st generation)
  • iPod touch (2nd generation)
  • iPod touch (3rd generation)
  • iPod touch (4th generation)
  • iPad (1st generation)
  • Apple TV (2nd generation)

The following subset of devices do not utilize SHSH blobs, and can therefore install any version of iOS at will:

  • iPhone (1st generation)
  • iPod touch (1st generation)

It is important to note that while all devices listed in the first section do have working bootrom exploits, there are different types of bootrom exploits, and each allows for different levels of boot manipulation.

The following devices can utilize a special bootrom exploit that allows for installing any version of iOS without SHSH blobs:

  • iPhone 3G
  • iPhone 3GS (old bootrom)
  • iPod touch (2nd generation)
  • iPod touch (3rd generation)

The following devices have a different bootrom exploit known as limera1n, which allows installation of any version of iOS as long as valid SHSH blobs are provided:

  • iPhone 3GS (new bootrom)
  • iPhone 4
  • iPod touch (4th generation)
  • iPad (1st generation)
  • Apple TV (2nd generation)

Additional Information

Installing iOS on any device using a bootrom exploit requires you to put your device into a state known as Pwned DFU, which allows you to install custom firmware. You will also need:

If you do happen to fall into the small group of users that have all of these pieces, consider yourself lucky, as you can use iFaith by iH8sn0w to stitch your SHSH blobs into the firmware to create a custom IPSW that you can use with iTunes after you put your device into Pwned DFU using iREB within iFaith.

Further Research

Not all instances of the iPhone 3GS are the same. Models manufactured in early 2010 or earlier (old bootrom) have a bootrom exploit that allows for downgrading without SHSH blobs, whereas newer models (new bootrom) have a separate exploit that allows for downgrading with SHSH blobs.

It is in fact possible to install iOS versions that Apple is not signing anymore on devices newer than pre-A5 devices in very specific circumstances. The two devices that qualify are the iPhone 4S and the iPad (2nd generation). Using redsn0w, the iPad (2nd generation) can be downgraded to iOS 5 from any newer version, and the iPhone 4S can move from any version of iOS 5.x to any other version of iOS 5.x. Both of these operations require multiple specific sets of valid SHSH blobs and APTickets.

For all devices which contain an SEP chip (Secure Enclave Processor) (i.e. iPhone 5s and beyond), an exploit is also necessary against the chip itself in addition to a bootrom exploit, or else the SEP chip will reject the firmware. You can, however, construct an .ipsw that contains an older version of the SEP firmware as long as that older version is being signed or you have an exploit that allows you to replay the old signature. If the older version is not supported on the version of iOS that you’re installing, Touch ID and other SEP-dependent features will be disabled.

You can save SHSH blobs during the signing window and manage them yourself, or you can use iFaith to have them saved and managed for you with Saurik’s Cydia server.

For pre-A5 devices, it is usually possible to extract valid SHSH blobs and APTickets for the current firmware regardless of that firmware’s signing status. iFaith was developed to perform this operation. A situation in which this would not be possible would be if you arrived on your current firmware via an OTA (over the air) update.

iH8sn0w has some unreleased downgrade exploits for devices that do not contain an SEP chip.

@unimp0rtanttech (known more commonly as n00neimp0rtant in the jailbreak community) has hinted that he also has some downgrade exploits in the works.

Some iOS OTA (over-the-air) firmware images (for certain versions of iOS for certain devices) are still being signed by Apple. Installation of these images is possible, and there is a tool called OdysseusOTA (a derivation of Odysseus) to do just that. You must be jailbroken to use the tool, because you need to have tfp0 enabled (to bootstrap a custom firmware image in RAM, which requires modification of the kernel’s VM region). The tool bootstraps a custom iBSS that manually installs an OTA firmware image fully signed by Apple.

This answer will be kept up-to-date as much as possible.
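The answer's point that SHSH blobs only fit one specific firmware build on one specific device follows from what an IPSW's BuildManifest.plist contains. As an added illustration (not code from the answer or from any of the tools it names), the following parses a constructed, minimal manifest the way restore tools select a build identity for a device and collect the component digests that a signing request covers; the product type, build number and digests are placeholders.

```python
import plistlib
from typing import Optional

# Constructed, minimal BuildManifest.plist (placeholder values, not a real
# firmware): one build identity for a hypothetical iPhone5,1 on iOS 9.3.5.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ProductVersion</key><string>9.3.5</string>
  <key>ProductBuildVersion</key><string>13G36</string>
  <key>BuildIdentities</key><array><dict>
    <key>ApChipID</key><string>0x8950</string>
    <key>ApBoardID</key><string>0x00</string>
    <key>Info</key><dict><key>RestoreBehavior</key><string>Erase</string></dict>
    <key>Manifest</key><dict>
      <key>iBSS</key><dict><key>Digest</key><data>AAECAw==</data></dict>
      <key>KernelCache</key><dict><key>Digest</key><data>BAUGBw==</data></dict>
    </dict>
  </dict></array>
</dict></plist>"""


def load_manifest(raw: bytes) -> dict:
    """Parse BuildManifest.plist bytes (XML or binary plist)."""
    return plistlib.loads(raw)


def find_identity(manifest: dict, chip_id: int, board_id: int,
                  behavior: str = "Erase") -> Optional[dict]:
    """Pick the build identity for one device type; a manifest can carry
    several (erase vs. update restores, multiple board revisions)."""
    for ident in manifest["BuildIdentities"]:
        if (int(ident["ApChipID"], 16) == chip_id
                and int(ident["ApBoardID"], 16) == board_id
                and ident["Info"]["RestoreBehavior"] == behavior):
            return ident
    return None


def component_digests(identity: dict) -> dict:
    """Component name -> hex digest. Apple's signing server signs these
    digests together with the device's ECID, so a saved blob only fits the
    exact build it was requested for: blobs are per-build and per-device."""
    return {name: entry["Digest"].hex()
            for name, entry in identity["Manifest"].items() if "Digest" in entry}


def has_sep_component(identity: dict) -> bool:
    """True when the identity ships a SEP firmware, i.e. a restore on that
    device also needs the SEP image to be signed (the answer's SEP caveat)."""
    return "SEP" in identity["Manifest"]
```

Point `load_manifest` at the BuildManifest.plist extracted from a real IPSW to see the full component list for each build identity.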
