diosra2’s blog

iOS jailbreaking and downgrading

Downgrade iOS without SHSH.

*My English may be broken.

(:3 [This page is based on Google translation]

What is SHSH?

"SHSH" is a firmware signing system introduced with the iPhone 3GS.

As a result, firmware for the iPhone 3GS or later, or iOS 4 or later, cannot be restored or booted without Apple's signature.

Up to iOS 4, you could save the SHSH blob while Apple was still signing the firmware, then impersonate Apple's Tatsu Signing server with Cydia's server, TinyUmbrella, etc. and restore using the pre-saved SHSH blob.

Since iOS 5 introduced the APTicket, it is no longer easy to downgrade to an arbitrary version as described above. On iOS 5 or later, you need to use a BootRom exploit or similar to put the device into Pwned DFU Mode and restore with custom firmware (CFW).

From A7 devices onward, the signing method differs from A6 and earlier devices.

On devices without SHSH, namely the original iPhone, iPod touch, iPhone 3G (iOS < 4.0) and iPod touch 2G (iOS < 4.0), you can simply restore by selecting the firmware file in iTunes.

 

Downgrade to firmware without SHSH

Downgrading an iOS device without SHSH requires an untethered BootRom exploit. For example, on older devices such as the iPhone 3GS, CFW can be booted without SHSH by using vulnerabilities such as the 0x24000 Segment Overflow and the alloc8 exploit.

 

Available devices and vulnerabilities to use (iPhone 3GS / iPod touch 2G)

0x24000 Segment Overflow

by iPhone Dev Team 

0x24000 Segment Overflow - The iPhone Wiki

Device: iPod Touch 2nd Generation (Old BootRom), iPhone 3GS (Old BootRom)

An untethered BootRom exploit that can execute an unsigned LLB on devices with Bootrom 240.4 or Bootrom 359.3.

Restore using the limera1n exploit, then boot without SHSH via 24kpwn.

 

alloc8 exploit

by axi0mX

Device: iPhone 3GS

An untethered BootRom exploit that can be used on the iPhone 3GS.

Restore using the limera1n exploit, then boot without SHSH via the alloc8 exploit.

*On an Old BootRom device it is better to use 24kpwn.

 

Tethered Downgrade

No untethered BootRom exploit has been found for A4 or later devices.

However, on A4 devices a tethered downgrade is possible using the limera1n exploit.

Sund0wn is one example of such a tool.

Available devices and vulnerabilities to use

Limera1n Exploit

by geohot

Device: iPhone 3GS, iPhone 4, iPad, iPod Touch 3rd Generation, iPod Touch 4th Generation

A tethered BootRom exploit that allows unsigned code to be executed via the USB connection.

Although a downgrade without SHSH is possible, these devices cannot boot without SHSH, so the limera1n exploit must be used at every boot (Just Boot).

Method

To restore with CFW, patch iBSS/iBEC to disable the signature check during the restore. Next, patch asr so that the restore ramdisk accepts the CFW.

This does not rewrite the bootchain during the restore, so the pre-restore bootchain is kept. After the restore, the retained bootchain cannot boot the newly written iOS, so the device stops booting and enters recovery mode.

To boot it, you need to use the limera1n exploit to put the device into Pwned DFU Mode and Just Boot it with redsn0w or similar. This is required every time the device restarts.

This method is incomplete and cannot be recommended.
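As an added illustration of the signing model from the SHSH section and of the boot failure described in this Method section (example code written for this page, not the author's or any real tool's): a toy chain of trust in which each boot stage checks the next against a saved ticket. The ticket layout and the HMAC-based signer are stand-ins for Apple's RSA-signed blobs, and the firmware images are constructed byte strings.

```python
import hashlib
import hmac
import os

# Toy model constructed for this page (not Apple's real formats): a "ticket"
# stands in for an SHSH blob. It records the digest of every boot-chain
# component of one firmware version plus the signer's signature over that
# record. Real tickets are RSA-signed by Apple; an HMAC with a key held only
# by the signer is used here so the example runs on the standard library.
SIGNER_KEY = os.urandom(32)
BOOT_ORDER = ("LLB", "iBoot", "kernel")  # each stage verifies the next one

def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def ticket_body(manifest: dict) -> bytes:
    return "|".join(f"{k}={v}" for k, v in sorted(manifest.items())).encode()

def sign_firmware(components: dict) -> dict:
    """Signer side: issue a ticket covering exactly these component images."""
    manifest = {name: digest(blob) for name, blob in components.items()}
    sig = hmac.new(SIGNER_KEY, ticket_body(manifest), "sha256").hexdigest()
    return {"manifest": manifest, "sig": sig}

def verify_boot_chain(installed: dict, ticket: dict) -> str:
    """Device side: 'booted' if every stage verifies, else the last stage that ran
    before a check failed (the device then drops to recovery/DFU instead)."""
    expected = hmac.new(SIGNER_KEY, ticket_body(ticket["manifest"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, ticket["sig"]):
        return "bad_ticket"  # edited or forged ticket: nothing is loaded
    reached = "bootrom"
    for stage in BOOT_ORDER:
        blob = installed.get(stage)
        if blob is None or digest(blob) != ticket["manifest"].get(stage):
            return reached
        reached = stage
    return "booted"

# Constructed sample images for two firmware versions; the ticket was "saved"
# while the old firmware was still being signed.
FW_OLD = {"LLB": b"LLB (old fw)", "iBoot": b"iBoot (old fw)", "kernel": b"kernel (old fw)"}
FW_NEW = {"LLB": b"LLB (new fw)", "iBoot": b"iBoot (new fw)", "kernel": b"kernel (new fw)"}
TICKET_OLD = sign_firmware(FW_OLD)
# State after the tethered restore described above: old boot chain kept, new kernel written.
MIXED_STATE = {**FW_OLD, "kernel": FW_NEW["kernel"]}

def demo() -> dict:
    return {"saved_blob_restore": verify_boot_chain(FW_OLD, TICKET_OLD),     # booted
            "old_chain_new_os": verify_boot_chain(MIXED_STATE, TICKET_OLD),  # iBoot rejects kernel
            "blob_for_other_fw": verify_boot_chain(FW_NEW, TICKET_OLD)}      # bootrom rejects LLB
```

The saved ticket only ever lets the exact firmware it was issued for boot, which is why pre-saved blobs work for that version alone and why the retained old bootchain halts at iBoot once a newer kernel has been written.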

 

Dual Boot

There is also a method called Dual Boot, which uses kloader to boot an arbitrary iOS version.

To dual boot, repartition the device's storage and install the root filesystem of the desired iOS in the newly created partition.

There are two boot methods (untethered).

One is NOR based: before restoring, a custom image for booting the dual-booted iOS is written, and that iOS is booted by loading the custom image from a patched LLB using kloader. This requires restoring iOS in advance.

The other is based on the OTA update mechanism: patched iBSS/iBEC are loaded using multi_kloader. This method does not require restoring iOS. CoolBooter uses this method.

Both methods require a jailbreak, and only work on 32-bit devices.

Available devices and tools to use

kloader/multi_kloader

by winocm

Device: an already jailbroken 32-bit device (tfp0/hgsp4 must be available).

Load the custom image into RAM with kloader and boot the newly installed iOS.

Pseudo downgrade using dual boot

When dual booting, there are cases where you only use the dual-booted iOS, never use the normal iOS, or are dual booting only because you have no SHSH, and so on.

By building the kloader execution step, the key part of the dual boot method, into the boot process, you can also implement a pseudo downgrade without SHSH.

Use CoolBooter Untetherer.

・Boot sequence

Color coding: normal iOS, dual-booted iOS

Power on -> normal iOS boots (signed) -- jailbreak (untether runs) --> SpringBoard starts (jailbroken) -> kloader is launched via MobileSubstrate --- LLB (unsigned) loaded -> iBoot (unsigned) -> kernel (unsigned) -> iOS boots


By having Mobile Substrate run kloader automatically at the point SpringBoard starts after a reboot (the bold underlined part in the sequence above), the steps from power on to booting the dual-booted iOS are automated.

(In short, the dual-booted iOS starts just by powering on.)

Since you can also boot normally by starting in safe mode, which prevents the MS dylib from loading, I think this can be done safely.

As a condition, the normally booting iOS must have a full (untethered) jailbreak.

The drawback is that it takes about twice as long as a normal boot. Since A4 and later devices cannot boot unsigned firmware, booting the custom image that starts the target iOS costs the time the normal iOS takes to boot. Solving this would require a powerful low-level exploit such as a BootRom exploit like 24kpwn.

Also, be careful, as problems can occur when dual booting a higher iOS version.

As a key point, use axi0mX's kloader.

GitHub - axi0mX/ios-kexec-utils: boot LLB/iBoot/iBSS/iBEC image from a jailbroken iOS kernel

Because this kloader boots the device automatically about 2 seconds after it runs, it is needed when automating the whole process. (With the normal kloader you have to press the home button or similar after running it.)

 

64-bit device

For 64-bit devices there is no way to downgrade iOS without SHSH.


Copyright (C) 2017-2018 Diosra2. All Rights Reserved.