Why would you downgrade your iOS version?
Ever since the first iPhone was invented, jailbreaking has shown it can do so much more than what Apple intended. Jailbreaking has been in a cat and mouse game with Apple since Apple usually has the higher ground. This means that the latest iOS versions are seldom jailbreakable, with older versions being the preferred ones for jailbreak enthusiasts because of an abundant amount of Kernel Exploits available.
What are iOS kernel exploits?
A software huge and as complex as the iOS kernel is, would often have bugs. With every new feature or change, Apple developers have the chance to also introduce new bugs in the kernel. Security researchers (hackers if you want) can find these vulnerabilities through lengthy reverse engineering sessions or even by looking at the open-sourced code (although not very frequent). Once such vulnerability is found, an exploit (a program that makes use of that vulnerability) can be written.
Of course, depending on how severe the bug is, it can affect serious security components of the iOS kernel and by using the exploit, a hacker can bypass or disable the sandbox, disable CodeSign which enforces trusted code signing identities, enable full ROOT access, etc. This is the recipe for a jailbreak, and without such kernel exploits, jailbreak as you know it would not exist.
Since the latest version of iOS often does not have publicly known vulnerabilities (unless you talk about a CheckM8-compatible device), the preferred version for jailbreakers is the one that has enough kernel vulnerabilities known in the wild to be able to get a jailbreak going, and that is often 2-3 maybe even 4 versions behind the latest. In such a case, one may wanna use FutureRestore, a tool that can aid in downgrading or upgrading in certain conditions even after Apple stopped signing the vulnerable firmware.
Why does it matter if Apple signs an iOS version?
Apple employs a TSS service (Tatsu Signing Service) that your device talks to every time it wants to install iOS (via Over The Air [OTA] or an IPSW through USB). The iOS device makes a request containing its serial number, IMEI, iOS version, device ID, FairPlay randomness, etc., and sends it to the Apple Signing Server. Once the server gets the request, if Apple still signs let’s say iOS 14.3, it will send back a signing ticket personalized for that particular device and the installation will begin.
If the iOS version you try to install is no longer signed, the server will return a stop code and no ticket. No signing ticket = no way to personalize the firmware for the device so the BOOTROM on the device will refuse the installation, thus denying your downgrade / upgrade to whatever version you wanted.
In such a case, saving SHSH2 blobs comes in handy.
What are SHSH or SHSH2 blobs on iOS?
Those are tiny files (a few KB in size) containing the response the Apple TSS Server would have sent to the device if the iOS version you try to restore was still signed. Those are saved by the user while a specific iOS version is still signed, to be used for later.
Imagine these as a permanent record of what the server would have responded back when let’s say iOS 14.3 was still signed. It’s the response the device awaits in order to begin the installation.
With such file at hand, and with a tool like FutureRestore which can make use of that file instead of talking to the Apple TSS Server, if certain conditions are met, you might just be able to fool the BOOTROM on the device to think the response was received right now and whichever iOS version you try to downgrade to, is still signed.
IMPORTANT: You cannot save SHSH2 blobs / tickets after the iOS version stopped being signed because the server would just return the error code and no ticket. Save those while the iOS version is signed, even if there’s no jailbreak available for it yet.
For example: iOS 14.7 is the latest version at the time I am writing this article, but there’s no jailbreak for it on A12+ devices. I will save my SHSH2 blobs NOW, because by the time a jailbreak is out, 14.7 will long be unsigned.
What do I need for a FutureRestore downgrade?
In order to be able to downgrade your iPhone, iPad, or iPod Touch with FutureRestore you need a few important files, your device, and a lot of patience and caution. One mistake and you screw up your chance to downgrade.
Here’s the materials list, so to speak:
- FutureRestore tool, available to download here for Linux, Windows, and macOS.
- Your SHSH2 blob file for the iOS version and device you wanna downgrade. SHSH2 blobs are NOT transferable from a device to another or from an iOS version to another.
- An IPSW file for the iOS version you wanna downgrade to. You can grab it from ipsw.me.
- The SEP and Baseband file for your device, from a currently signed iOS version. Make sure it is compatible though, not all are from a version to another.
- A USB-Lightning cable and your iOS device with the battery charged at least 60%.
- A Nonce Generator Setter tool for iOS. These usually need a kernel exploit to unlock the NVRAM.
Question: Can this be done without a computer?
Answer: No. You need at least a Windows or a Linux machine with an internet connection to be able to do this.
What are SEP and Baseband and why do they have to be compatible?
SEP stands for Secure Enclave Processor. It’s a core in the Apple A chips which handles security, cryptography, and data protection. It’s what handles Touch ID, Face ID, Apple Pay, Passcode, data encryption, etc. This is a vital component without which the device will fail to boot. Apple treats this component as a separate entity on the device, with its own memory separated from the general memory used by the Application Processor.
SEP has its own firmware which is part of the IPSW file. The operating system used by SEP is called SEPOS and it communicates with iOS via mailboxes. I will not enter in details, but SEP and iOS are pretty well separated from each other, with only the data that really has to be there passing through. As the name implies, SEP is very well secured, and as such a properly signed SEPOS is mandatory for an iOS restore.
The Baseband is what handles the Cellular connection. You know, calls, texts, 3G, 4G, 5G, and the general telephony stuff. You need this to be able to place any calls or have any carrier reception whatsoever. It also has its own firmware which has to be signed, but it’s not as stringent as SEP is.
As for the compatibility…
During the FutureRestore downgrade process, you will have to use the SEPOS and the Baseband firmware from a newer (usually latest) version that is signed. Unfortunately, they may not always be compatible. Various compatibility charts are kept online, we also keep a SEP and Baseband compatibility chart updated here, but it’s being updated as people carry out tests so do be careful.
If between the iOS version you try to downgrade to, and the signed version from which you grab the SEP and Baseband (BB) is a huge gap, they are almost surely not gonna be compatible and the restore will fail or the device will get soft-bricked requiring a restore to the latest version to work again.
You are running iOS 14.3 and wanna downgrade to iOS 13.7. You have saved SHSH2 blobs for iOS 13.7, and you try to use iOS 14.7’s SEP and Baseband because that’s the current signed version.
Well, iOS 14.7’s SEP and Baseband are not compatible with iOS 13.7. It’s just too much of a gap between them, and the downgrade will fail, forcing you to upgrade to iOS 14.7. This means in this case you will also lose your 14.3 jailbreak which sucks.
So SEP and Baseband compatibility should be well researched before proceeding!
What are a Nonce Generator and a Nonce Setter?
Each blob you save contains a unique string called a nonce generator. If you set that back to the device’s NVRAM using a Nonce Setter which usually uses Kernel exploits, your device will create a request that will match the pseudo-random data stored in your blob, so the device will believe that the SHSH2 blob is an actual legit response from the Apple TSS Server.
Otherwise, without one, the nonce will be randomized every time the device reboots, and the chances to match the one you have saved in your blob is close to zero.
How to downgrade / upgrade iOS using FutureRestore and saved SHSH2 blobs
In order to downgrade or upgrade your iOS device to an iOS version that is no longer signed, you need to configure your device first. Setting the nonce from the generator is the first step. To locate your nonce generator string inside the saved SHSH2 blobs, you need to open the file with any text editor.
Once you open it, there should be a field called “Generator” amongst the sea of random strings in there. If you used TSSSaver to save your SHSH2 blobs, it’s very likely your generator will be 0x1111111111111111, that is 16 “1”s. Do keep in mind that while very common, this may not be your generator, so do double-check inside the file.
This is how mine looks like opened in a text editor.
Using a tool like Unc0ver jailbreak’s nonce generator (in Unc0ver’s Settings), or any available Nonce Setter for your iOS version, set the nonce generator to the one you have inside the blob.
After you’ve successfully set the nonce generator, follow the steps below to downgrade with FutureRestore:
! WARNING: For convenience, I recommend you put all the needed files in one single folder, including the FutureRestore binary.
The command you need to use for FutureRestore has this format:
futurerestore.exe -t [shsh2-blob-file] -s [SEPOS] -b [baseband] -p [build_manifest] -m [build_manifest] [ipsw file]
On macOS and Linux:
./futurerestore -t [shsh2-blob-file] -s [SEPOS] -b [baseband] -p [build_manifest] -m [build_manifest] [ipsw file]
With this in mind, follow these steps:
- Open Terminal on macOS or Linux, or open Command Prompt on Windows (Windows Button + R and type CMD).
- Drag and drop the FutureRestore binary into the Terminal or CMD window to get its path and type “-t “.
- Drag the SEP file to the terminal and type “-b “
- Drag the SHSH2 blob file into the terminal then type “-s “
- Drag the baseband file to the terminal and type “-p ” or type “–no-baseband” if it’s an iPod or an iPad WiFi.
- Drag the BuildManifest.plist file in terminal and type “-m “,
- Drag the BuildManifest.plist file again, then drag the IPSW file you wanna downgrade to into the Terminal.
The final command should look something like this example:
./futurerestore -t blobFile.shsh2 -s sep-firmware.n96.RELEASE.im4p -b baseband.bbfw -p BuildManifest.plist -m BuildManifest.plist iOS_14.2_iPhone_RELEASE.ipsw
For iPods and iPad WiFi
If your device does not have Cellular capability (for example iPods or iPad WiFi), instead of specifying a baseband you should specify “–no-baseband”.
The final command would look like this:
./futurerestore -t blobFile.shsh2 -s sep-firmware.n96.RELEASE.im4p –no-baseband -p BuildManifest.plist -m BuildManifest.plist iOS_14.2_iPhone_RELEASE.ipsw
An easier way to get the SEP and Baseband
If you’re absolutely sure that the latest SEP and Baseband are compatible, you can use the “–latest-sep –latest-baseband” switches instead of actual SEP and baseband files. This will fetch the latest SEP and Baseband for you.
The command would end up looking like this:
For iPhone and iPad with Cellular:
./futurerestore -t blobFile.shsh2 –latest-sep –latest-baseband iOS_14.2_iPhone_RELEASE.ipsw
For iPad WiFi and iPod Touch:
./futurerestore -t blobFile.shsh2 –latest-sep –no-baseband iOS_14.2_iPhone_RELEASE.ipsw