diosra2’s blog

iOS jailbreak and downgrade

Untethered downgrade using iBoot on iOS 7

This article was translated by Google Translate.

With "De Rebus Antiquis", a device running the iOS 7 iBoot can be downgraded to any version.

This method appears to be fixed in iOS 8. Because iOS 7 SHSH blobs are required, you must have saved them yourself beforehand, except on iPhone 4.

The goal of this article is to modify @xerub's "De Rebus Antiquis" and perform an untethered downgrade.

This time I will downgrade to iOS 6.1.3 (10B329) using the iBoot of iOS 7.1.2 (11D257) on iPhone3,1.

Link: iloader

Thanks

@xerub: De Rebus Antiquis

@ShadowLee19: Ignore boot-partition nvram value iBoot patch

Boot process

1) The iOS 7 LLB and iBoot must be signed with SHSH (blob/APTicket).

2) If iBoot is run again after the exploit, it can execute unsigned images.

3) Next, jump to the iBoot of the iOS version you want to boot. For iOS 7 you can boot directly, but when booting another version such as iOS 6 it is recommended to use the iBoot that shipped with that iOS.

The patched iBoot allows an unsigned kernel, so you can boot an unsigned version.

Modification of exploit

iBoot (7) Patch

Rewrite the iBoot patch section at 0x800-0x900 of the ramdisk.

The goal of this part is to let iBoot jump from one iBoot to another by reusing the path in which iBoot loads "/boot/iBEC" for an OTA update (step 3 above).

Delete part of the original patch and add the new patches that are needed.

/* allow unsigned images */

This one already exists.

/* fsboot -> upgrade patch */

Change the fsboot action to the upgrade action.

This makes the upgrade process run once iBoot has booted.

Before:

5ff44000         dd         0x5ff354e3                                          ; "fsboot", DATA XREF=EntryPoint+140, dword_5ff0031c, sub_5ff00c3c+632, dword_5ff00fdc
5ff44004         dd         0x5ff00acd
5ff44008         dd         0x5ff354ea                                          ; "diags"
5ff4400c         dd         0x5ff00949
5ff44010         dd         0x5ff354f0                                          ; "upgrade"
5ff44014         dd         0x5ff01399

After:

5ff44000         dd         0x5ff354e3                                          ; "fsboot", DATA XREF=EntryPoint+140, dword_5ff0031c, sub_5ff00c3c+632, dword_5ff00fdc
5ff44004         dd         0x5ff01399
5ff44008         dd         0x5ff354ea                                          ; "diags"
5ff4400c         dd         0x5ff00949
5ff44010         dd         0x5ff354f0                                          ; "upgrade"
5ff44014         dd         0x5ff01399

/* mount upgrade partition=0 patch */

Normally the upgrade partition is set to 2 (/dev/disk0s1s3). Since the exploit is placed in that partition, change it to 0 (/dev/disk0s1s1).

Before:

5ff358ac         db  0x32 ; '2'                                                 ; DATA XREF=sub_5ff01398+12, dword_5ff01418
5ff358ad         db  0x00 ; '.'

After:

5ff358ac         db  0x30 ; '0'                                                 ; DATA XREF=sub_5ff01398+12, dword_5ff01418
5ff358ad         db  0x00 ; '.'

/* go command patch */

In the normal upgrade process the sequence is iBoot (display on) -> display off -> iBEC (display on).

By forcing the go command to run after "/boot/iBEC" is loaded, you can jump to "/boot/iBEC" without turning off the display.

Before:

5ff01404         bl         sub_5ff1f78c                                        ; sub_5ff1f78c, CODE XREF=sub_5ff01398+90
5ff01408         ldr        r1, [sp, #0x1c + var_8]                             ; argument #2 for method sub_5ff1e6fc
5ff0140a         movs       r0, #0x2                                            ; argument #1 for method sub_5ff1e6fc
5ff0140c         movs       r2, #0x0

After:

5ff01404         bl         sub_5ff011f0                                        ; sub_5ff1f78c, CODE XREF=sub_5ff01398+90
5ff01408         ldr        r1, [sp, #0x1c + var_8]                             ; argument #2 for method sub_5ff1e6fc
5ff0140a         movs       r0, #0x2                                            ; argument #1 for method sub_5ff1e6fc
5ff0140c         movs       r2, #0x0

This patch has already been applied in ramdiskH_beta4.dmg.

This part is now complete.

iBoot (6) Patch

Decrypt the iOS 6.1.3 iBoot with xpwntool and patch it with iBoot32Patcher.

./xpwntool iBoot.n90ap.RELEASE.img3 iBoot.dec -k [key] -iv [iv]
./iBoot32Patcher iBoot.dec PwnediBoot.dec -r -d -b "-v cs_enforcement_disable=1 amfi=0xff"

/* If not jailbreaking (valid only for verbose boot) */

./iBoot32Patcher iBoot.dec PwnediBoot.dec -r -d -b "-v"

/* Inject BootArgs */

Before:

5ff1aece         bl         sub_5ff1ca48                                        ; sub_5ff1ca48
5ff1aed2         ldr        r1, =aBootArgs                                      ; dword_5ff1b124,"-v cs_enforcement_disable=1 amfi=0xff"
5ff1aed4         cmp        r4, #0x0
5ff1aed6         ldr        r6, =0x5ff35979                                     ; dword_5ff1b128,0x5ff35979
5ff1aed8         it         ne
5ff1aeda         movne      r6, r1

Change cmp r4, #0x0 -> cmp r4, #0x1

After:

5ff1aece         bl         sub_5ff1ca48                                        ; sub_5ff1ca48
5ff1aed2         ldr        r1, =aBootArgs                                      ; dword_5ff1b124,"-v cs_enforcement_disable=1 amfi=0xff"
5ff1aed4         cmp        r4, #0x1
5ff1aed6         ldr        r6, =0x5ff35979                                     ; dword_5ff1b128,0x5ff35979
5ff1aed8         it         ne
5ff1aeda         movne      r6, r1

The normal iBoot patching is now done. However, with this method iBoot crashes, because the nvram value is set to "boot-partition=2".

Therefore, patch iBoot so that boot-partition uses the hardcoded value instead of the nvram value. (Thanks @ShadowLee19!!)

Find the boot-partition string in a disassembler.

5ff00a66         ldr        r0, =aBootpartition                                 ; argument #1 for method sub_5ff171e4, dword_5ff00ad8,"boot-partition"
5ff00a68         movs       r1, #0x0                                            ; argument #2 for method sub_5ff171e4
5ff00a6a         movs       r4, #0x0
5ff00a6c         bl         sub_5ff171e4                                        ; sub_5ff171e4
5ff00a70         add        r6, sp, #0x4

0x5ff171e4 is the function that loads the nvram value.

Patch the call to MOV R0, #0 (bytes 00 20 00 20).

5ff00a66         ldr        r0, =aBootpartition                                 ; argument #1, dword_5ff00ad8,"boot-partition"
5ff00a68         movs       r1, #0x0                                            ; argument #2
5ff00a6a         movs       r4, #0x0
5ff00a6c         movs       r0, #0x0
5ff00a6e         movs       r0, #0x0
5ff00a70         add        r6, sp, #0x4

This makes iBoot use the hardcoded value.

(If you set nvram boot-ramdisk, boot-ramdisk needs to be patched in the same way.)
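
The following is an added example of my own, not the author's or xerub's code: it reproduces the Thumb encodings behind the byte patches listed above (the 16-bit MOVS/CMP immediates, which is why "00 20" is movs r0, #0, and the Thumb-2 BL that the go-command patch rewrites), plus a small patcher that refuses to write unless the original bytes match. The 0x5ff00000 load base and the sample image are assumptions, not values taken from this page.

```python
import struct

LOAD_BASE = 0x5FF00000  # assumed iBoot load address for the listings above: file offset = vaddr - base

def movs_imm8(rd, imm8):
    """MOVS Rd, #imm8 (Thumb T1): 001 00 Rd imm8, returned as two little-endian bytes."""
    assert 0 <= rd < 8 and 0 <= imm8 < 256
    return struct.pack("<H", 0x2000 | (rd << 8) | imm8)

def cmp_imm8(rn, imm8):
    """CMP Rn, #imm8 (Thumb T1): 001 01 Rn imm8."""
    assert 0 <= rn < 8 and 0 <= imm8 < 256
    return struct.pack("<H", 0x2800 | (rn << 8) | imm8)

def bl(addr, target):
    """Thumb-2 BL (T1) at addr to target. PC is addr + 4; offset must be even and within +/-16 MB."""
    off = target - (addr + 4)
    assert off % 2 == 0 and -(1 << 24) <= off < (1 << 24)
    x = (off >> 1) & 0xFFFFFF          # 24-bit two's complement field S:I1:I2:imm10:imm11
    s, i1, i2 = (x >> 23) & 1, (x >> 22) & 1, (x >> 21) & 1
    imm10, imm11 = (x >> 11) & 0x3FF, x & 0x7FF
    j1, j2 = (i1 ^ 1) ^ s, (i2 ^ 1) ^ s  # I1 = NOT(J1 XOR S), I2 = NOT(J2 XOR S)
    hw1 = 0xF000 | (s << 10) | imm10
    hw2 = 0xD000 | (j1 << 13) | (j2 << 11) | imm11
    return struct.pack("<HH", hw1, hw2)

def bl_target(addr, code):
    """Decode a BL located at addr back to its branch target (round-trip check for bl())."""
    hw1, hw2 = struct.unpack("<HH", code)
    s, imm10 = (hw1 >> 10) & 1, hw1 & 0x3FF
    j1, j2, imm11 = (hw2 >> 13) & 1, (hw2 >> 11) & 1, hw2 & 0x7FF
    i1, i2 = 1 ^ (j1 ^ s), 1 ^ (j2 ^ s)
    val = (s << 24) | (i1 << 23) | (i2 << 22) | (imm10 << 12) | (imm11 << 1)
    if s:
        val -= 1 << 25                 # sign-extend the 25-bit offset
    return addr + 4 + val

def patch_at(image, vaddr, expect, new):
    """Patch a decrypted image in place, refusing unless the bytes at vaddr are the ones expected."""
    off = vaddr - LOAD_BASE
    if image[off:off + len(expect)] != expect:
        raise ValueError("unexpected bytes at 0x%x" % vaddr)
    image[off:off + len(new)] = new

def patched_boot_partition_call():
    """Constructed sample: a 'bl sub_5ff171e4' at 0x5ff00a6c is replaced by two 'movs r0, #0'."""
    img = bytearray(0xB00)             # constructed stand-in for the decrypted iBoot, not real data
    old = bl(0x5FF00A6C, 0x5FF171E4)
    img[0xA6C:0xA70] = old
    patch_at(img, 0x5FF00A6C, old, movs_imm8(0, 0) * 2)
    return bytes(img[0xA6C:0xA70])
```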

Repack it into img3 and rename it to iBEC (with the ibec type).

/* repack in img3 */

./xpwntool PwnediBoot_patched iBEC -t iBoot.n90ap.RELEASE.img3 -k [key] -iv [iv]

/* change tag */

Restore iOS

This time I am using an iPhone 4. Since the iPhone 4 has the limera1n exploit, it is easy to work with.

This method cannot be used on A5 - A6 devices.

There are some things to be careful about when restoring iOS.

For example, even when restoring to iOS 6, you must use the iOS 7 LLB and iBoot.

Also be careful with boot logos. A custom boot logo can be applied, but since the path from LLB to iBoot (1), before the first exploit, can only display signed images, the custom logo cannot be shown during the first 2-3 seconds.

Create a CFW for iOS 6.1.3 with Odysseus.

Next, unzip the 6.1.3 CFW and the 7.1.2 OFW ipsw, and bring the following files over to the 6.1.3 CFW.

Go into "Firmware/all_flash/all_flash.n90ap.production/".

Replace the following files of the 6.1.3 CFW with those from the 7.1.2 OFW. (!!The names must match!!)

applelogo@2x.s5l8930x.img3
batterycharging0@2x.s5l8930x.img3
batterycharging1@2x.s5l8930x.img3
batteryfull@2x.s5l8930x.img3
batterylow0@2x.s5l8930x.img3
batterylow1@2x.s5l8930x.img3
glyphcharging@2x.s5l8930x.img3
glyphplugin@2x.s5l8930x.img3
iBoot.n90ap.RELEASE.img3
LLB.n90ap.RELEASE.img3
recoverymode@2x~iphone.s5l8930x.img3

Finally, zip it.

Restore

Go into the "shsh/" directory of Odysseus.

Rename "[ECID]-iPhone3,1-7.1.2.shsh" to "[ECID]-iPhone3,1-6.1.3.shsh".

./ipwndfu -p
./idevicerestore -e -w iPhone3,1_6.1.3_10B329_Custom.ipsw

When the restore completes, the device stops in Recovery Mode.

Setting up the exploit

Boot an SSH ramdisk using the limera1n exploit. (Or just boot after jailbreaking with redsn0w.)

Create a 3rd partition and write the exploit there.

/* SSH Ramdisk (requires gptfdisk and hfs_resize) */

./ipwndfu -p
./ipwndfu -f PwnediBSS
./irecovery -f PwnediBEC
./irecovery -s

--- recovery shell ---
/send DeviceTree.img3
devicetree
/send SSH_Ramdisk.dmg
ramdisk
/send pwnkc.img3
bootx
---- recovery end ----

ssh root@127.0.0.1

---- iOS__Device -----
/** Create a 512 kB 3rd partition [gptfdisk] **/
/** Resize the 2nd partition (-512 kB) [hfs_resize] **/

mount_hfs /dev/disk0s1s1 /mnt1
------ iOS_end -------

scp iBEC root@127.0.0.1:/mnt1
scp ramdiskH_beta4.dmg root@127.0.0.1:/mnt1

---- iOS__Device -----
nvram boot-partition=2
dd of=/dev/rdisk0s1s3 if=/mnt1/ramdiskH_beta4.dmg bs=512k count=1
reboot
------- iOS_end -------

When the exploit works correctly, boot-up starts after the logo flashes twice.

Video

Untethered downgrade to iOS 7.1.2 using the iPhone5,2-11B554a iBoot.

Copyright (C) 2017-2018 Diosra2. All Rights Reserved.