diosra2’s blog


Downgrade iOS without SHSH.

*My English may be broken.

(:3) [This page is based on Google Translate.]

What is SHSH?

"SHSH" is a firmware signing system introduced with the iPhone 3GS.

As a result, firmware for the iPhone 3GS and later, or iOS 4 and later, cannot be restored or booted without Apple's signature.

Up to iOS 4 you could save the SHSH blobs while Apple was still signing that firmware, then impersonate Apple's TSS (Tatsu Signing Server) with Cydia's server, TinyUmbrella, etc. and restore using the previously saved blobs.

Since iOS 5, with the introduction of the APTicket, downgrading to an arbitrary version is no longer that easy: the ticket is bound to a nonce the device generates for each boot or restore, so a saved ticket cannot simply be replayed. On iOS 5 and later you have to use a BootROM exploit or similar to put the device into Pwned DFU mode and restore with a custom firmware (CFW).
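As an added illustration (not part of the original post, and not Apple's real blob or ticket format), here is a toy model of the difference between an iOS 4-era SHSH blob and an iOS 5-era APTicket. An HMAC stands in for Apple's RSA signature, the key `_TSS_KEY` is an assumed stand-in for the private key that only the TSS holds, and the ECID, component hashes and nonces are constructed sample values. The model goes one step beyond the text above: it shows that the APTicket is additionally bound to a per-boot nonce chosen by the device, which is exactly why a saved ticket does not replay the way a saved SHSH blob does.

```python
"""Toy model of SHSH replay vs. APTicket nonce binding.

Added illustration only: Apple signs IMG3/IMG4 manifests with RSA and the
real blob/ticket formats are not reproduced here. An HMAC over a canonical
encoding stands in for the signature, and the HMAC key stands in for the
private key that only Apple's TSS (Tatsu Signing Server) holds.
"""
import hashlib
import hmac

# Assumed stand-in for Apple's signing key. In reality the device only holds
# the public half and can verify blobs but never produce them.
_TSS_KEY = b"stand-in-for-apple-private-key"


def _canonical(parts):
    """Length-prefix every field so that no two field lists collide."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def _signed_data(ecid, version, manifest, nonce=None):
    """ECID + version + every component hash (sorted), plus the nonce if any."""
    parts = [ecid, version.encode()] + [manifest[k] for k in sorted(manifest)]
    if nonce is not None:
        parts.append(nonce)
    return _canonical(parts)


def _sign(data):
    return hmac.new(_TSS_KEY, data, hashlib.sha256).digest()


class TSS:
    """Apple's signing server: it only signs versions in its signing window."""

    def __init__(self, signing_window):
        self.signing_window = set(signing_window)

    def sign_shsh(self, ecid, version, manifest):
        """iOS 3/4 era blob: bound to ECID and firmware, but to nothing per-boot."""
        if version not in self.signing_window:
            return None
        return _sign(_signed_data(ecid, version, manifest))

    def sign_apticket(self, ecid, version, manifest, nonce):
        """iOS 5+ ticket: additionally bound to the nonce the device generated."""
        if version not in self.signing_window:
            return None
        return _sign(_signed_data(ecid, version, manifest, nonce))


def device_accepts_shsh(ecid, version, manifest, blob):
    """What the iOS 4 boot chain checks: signature over ECID + component hashes."""
    if blob is None:
        return False
    return hmac.compare_digest(_sign(_signed_data(ecid, version, manifest)), blob)


def device_accepts_apticket(ecid, version, manifest, nonce, ticket):
    """iOS 5+: same check, but over the nonce the device chose for this boot/restore."""
    if ticket is None:
        return False
    return hmac.compare_digest(_sign(_signed_data(ecid, version, manifest, nonce)), ticket)


def replay_demo():
    """Save blobs while Apple signs, then replay them after the window closes."""
    ecid = bytes.fromhex("000c2a1b4d5e6f70")            # constructed sample ECID
    fw433 = {n: hashlib.sha256(b"4.3.3:" + n.encode()).digest()
             for n in ("LLB", "iBoot", "kernelcache")}  # constructed component hashes
    fw50 = {n: hashlib.sha256(b"5.0:" + n.encode()).digest()
            for n in ("LLB", "iBoot", "kernelcache")}
    nonce_then = bytes(range(20))                       # nonce the device used on save day

    tss = TSS({"4.3.3", "5.0"})                         # day 0: Apple signs both versions
    saved_shsh = tss.sign_shsh(ecid, "4.3.3", fw433)    # TinyUmbrella / Cydia saves this
    saved_ticket = tss.sign_apticket(ecid, "5.0", fw50, nonce_then)

    tss.signing_window = {"5.1"}                        # later: Apple only signs 5.1
    nonce_now = bytes(range(1, 21))                     # device picks a fresh nonce

    return {
        # The real TSS refuses, so a live restore of 4.3.3 is impossible ...
        "tss_signs_433_now": tss.sign_shsh(ecid, "4.3.3", fw433) is not None,
        # ... but a fake TSS replaying the saved blob satisfies the iOS 4 boot chain.
        "shsh_replay_accepted": device_accepts_shsh(ecid, "4.3.3", fw433, saved_shsh),
        # A blob for another ECID, or for other firmware, is still rejected.
        "shsh_other_ecid_accepted": device_accepts_shsh(bytes(8), "4.3.3", fw433, saved_shsh),
        "shsh_other_fw_accepted": device_accepts_shsh(ecid, "5.0", fw50, saved_shsh),
        # iOS 5: the saved ticket was signed over nonce_then; the device now has nonce_now.
        "apticket_replay_accepted": device_accepts_apticket(ecid, "5.0", fw50, nonce_now, saved_ticket),
        # Only if the device were using the original nonce would the old ticket pass.
        "apticket_same_nonce_accepted": device_accepts_apticket(ecid, "5.0", fw50, nonce_then, saved_ticket),
    }


if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print(f"{name}: {ok}")
```

The first result is what makes the SHSH-saving tools of that era work: the signature is over values that never change for a given device and firmware, so a blob obtained once is valid forever and a local fake TSS can hand it back. The APTicket result shows the change in iOS 5: the device contributes a fresh nonce and the ticket is only good for that one value, which is why the post says the saved-blob approach stops being "easy" and a BootROM exploit is needed instead.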

On A7 and later devices the signing method also differs from that of A6 and earlier devices.


The original iPhone, the first-generation iPod touch, the iPhone 3G (iOS < 4.0) and the iPod touch 2nd generation (iOS < 4.0), which predate SHSH, can simply be restored by selecting the firmware in iTunes.


Downgrade to firmware without SHSH

To downgrade an iOS device without SHSH, an untethered BootROM exploit is required. For example, on older devices such as the iPhone 3GS, a CFW can be booted without SHSH by using vulnerabilities such as the 0x24000 Segment Overflow and the alloc8 exploit.


Available devices and vulnerabilities to use (iPhone 3GS / iPod touch 2nd generation)

0x24000 Segment Overflow

by iPhone Dev Team

0x24000 Segment Overflow - The iPhone Wiki

Device: iPod touch 2nd generation (old BootROM), iPhone 3GS (old BootROM)

Untethered BootROM exploit that can execute an unsigned LLB on devices with BootROM 240.4 or 359.3.

Restore using the limera1n exploit, then boot without SHSH via 24kpwn.


alloc8 exploit

by axi0mX

Device: iPhone 3GS

Untethered BootROM exploit that can be used on the iPhone 3GS.

Restore using the limera1n exploit, then boot without SHSH via the alloc8 exploit.

*On an old-BootROM device it is better to use 24kpwn.


Tethered Downgrade

No untethered BootROM exploit has been found for A4 and later devices.

However, on A4 devices a tethered downgrade is possible using the limera1n exploit.

Sund0wn is one example of such a tool.

Available devices and vulnerabilities to use

limera1n exploit

by geohot

Device: iPhone 3GS, iPhone 4, iPad, iPod touch 3rd generation, iPod touch 4th generation

A tethered BootROM exploit that allows unsigned code to be executed via the USB connection.

Although a downgrade without SHSH is possible, these devices cannot boot without SHSH, so they have to be booted with the limera1n exploit on every startup ("Just Boot").


To restore with a CFW, patch iBSS/iBEC to disable the signature checks during the restore. Next, patch asr so that the restore ramdisk will write the CFW's root filesystem.

This does not restore the boot chain, so the boot chain from before the restore is kept. Since that retained boot chain cannot boot the newly written iOS, after the restore the device stops booting and drops into recovery mode.

To boot it, you have to use the limera1n exploit to put the device into Pwned DFU mode and "Just Boot" it with redsn0w or similar. This is required every time the device restarts.

This method is incomplete and cannot be recommended.


Dual Boot

There is also a method called dual boot, which uses kloader to boot an arbitrary iOS.

To dual boot an arbitrary iOS, partition the device's storage and install the root filesystem of that iOS in the newly created area.

There are two boot methods (both untethered).

One is NOR-based: a custom image for booting the dual-booted iOS is restored beforehand, and that iOS is started by booting the custom image from an LLB patched and loaded with kloader. This requires restoring iOS in advance.

The other is based on the OTA update mechanism: patched iBSS/iBEC are loaded with multi_kloader. This method does not require restoring iOS. CoolBooter uses this method.

Both methods require a jailbreak, and only 32-bit devices are supported.

Available devices and tools to use


kloader

by winocm

Device: already jailbroken 32-bit devices (tfp0 / hgsp4 must be available).

Load the custom image into RAM with kloader and boot the newly installed iOS.

Pseudo downgrade using dual boot



Use CoolBooter Untetherer.


[Figure legend] Color coding: regular iOS, dual-booted iOS




After a reboot, kloader is executed automatically via Mobile Substrate at the moment SpringBoard starts (the bold, underlined step in the figure above); this automates the whole sequence from power-on to booting the dual-booted iOS.




The drawback is that booting takes about twice as long as a normal boot. Since A4 and later devices cannot boot unsigned firmware, starting the custom image that boots the target iOS costs the time of a full normal iOS boot. Fixing this would need a powerful low-level exploit, such as a BootROM exploit like 24kpwn.




GitHub - axi0mX/ios-kexec-utils: boot LLB/iBoot/iBSS/iBEC image from a jailbroken iOS kernel



64-bit devices

For 64-bit devices there is no way to downgrade iOS without SHSH.



Copyright (C) 2017-2018 Diosra2. All Rights Reserved.