diosra2’s blog

iOS Jailbreak and Downgrade

How to exploit iOS 7.1.2 iBoot and downgrade to iOS 4.3.3 or lower on iPhone 4.


 

 
This article was translated by Google Translate.

 

First, downgrading with the iOS 7 iBoot vulnerability works as follows.

1) When the device powers on, it loads the signed LLB. If the LLB verifies correctly, it then loads the signed iBoot.

2) The exploit is triggered. It applies its patches and restarts iBoot.

3) The restarted iBoot enters upgrade mode, finds the "new iBoot", and jumps to it with the go command.

4) The new iBoot boots the desired iOS. This completes the untethered boot.

However, the "new iBoot" crashes during step (3) when it is the iBoot of iOS 4.3.3 or lower.

This does not happen with iOS 4.3.5, so we can find the cause by comparing the iOS 4.3.3 and 4.3.5 iBoots.

Fortunately, there are only three differences between the iOS 4.3.3 and 4.3.5 iBoots.

 

iBoot-1072.61~2 VS iBoot-1072.61~6

The only difference in this part of iBoot is at this point.

As a result, iBoot-1072.61~2 (iOS 4.3.3) crashes after being jumped to with the go command, while iBoot-1072.61~6 (iOS 4.3.5) is jumped to normally.

One would expect iBoot-1072.61~6 (iOS 4.3.5) to be able to boot iOS 4.3.3, but it cannot boot iOS 4.3.3 or lower properly.

So, what should we do?

 

Patching iBoot

There are two things we now know.

1) iBoot-1072.61~6 (iOS 4.3.5) can be jumped to with the go command.

2) There are only three differences between iBoot-1072.61~2 (iOS 4.3.3) and iBoot-1072.61~6 (iOS 4.3.5).

 

For now, we use iBoot-1072.61~6 (iOS 4.3.5) as the "new iBoot". We can then jump to it with the go command without crashing.

However, it cannot boot iOS 4.3.3.

 

So I decided to change the contents of iBoot before it executes fsboot.

 

Find the iBoot start point.

Insert the patch code in the area surrounded by the red line.

In this case it is 0x5ff00b91 - 0x1 = 0x5ff00b90.

 

We can add arbitrary code to free space in iBoot like this.

 

When this function is executed, iBoot's memory is rewritten with the two pieces of data that differ between iBoot-1072.61~2 (iOS 4.3.3) and iBoot-1072.61~6 (iOS 4.3.5).
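The approach above rests on two steps: finding the byte runs that differ between two iBoot builds, and rewriting exactly those runs in a copy of the other build. The following is an added example, not the blog's tool or Apple's code, that shows both steps on constructed 64-byte sample images (they are not real iBoot data; the offsets and values are made up). It groups differing bytes into contiguous runs, so the "three differences" the post counts would come out as three patches, and it refuses to apply a patch whose expected original bytes are not present, which catches a patch built from one build being applied to another.

```python
"""Byte-level diff of two firmware images and a verified patch round-trip.

Added example; not the blog's own tool. The two images below are
constructed sample data, not real iBoot builds.
"""
from typing import List, Tuple

# (offset, original byte run, replacement byte run)
Patch = Tuple[int, bytes, bytes]


def diff_images(old: bytes, new: bytes) -> List[Patch]:
    """Return the contiguous byte runs where `old` and `new` differ.

    Each run becomes one patch. A size mismatch is itself a difference
    worth reporting, so it raises instead of silently truncating.
    """
    if len(old) != len(new):
        raise ValueError(f"image sizes differ: {len(old)} vs {len(new)}")
    patches: List[Patch] = []
    i, n = 0, len(old)
    while i < n:
        if old[i] == new[i]:
            i += 1
            continue
        start = i
        while i < n and old[i] != new[i]:
            i += 1
        patches.append((start, old[start:i], new[start:i]))
    return patches


def apply_patches(image: bytes, patches: List[Patch]) -> bytes:
    """Apply patches to `image`, checking the original bytes at each offset.

    Refusing to write when the bytes are not what the patch expects means a
    patch derived from one build cannot be blindly applied to a different one.
    """
    buf = bytearray(image)
    for offset, old_run, new_run in patches:
        if bytes(buf[offset:offset + len(old_run)]) != old_run:
            raise ValueError(f"unexpected bytes at {offset:#x}; wrong image?")
        buf[offset:offset + len(new_run)] = new_run
    return bytes(buf)


# Constructed sample "images": 64 bytes each, differing in three places.
OLD_IMAGE = bytes(range(64))
_new = bytearray(OLD_IMAGE)
_new[0x08:0x0a] = b"\xaa\xbb"                # run 1: two bytes
_new[0x20] = 0xff                            # run 2: one byte
_new[0x30:0x34] = b"\x01\x02\x03\x04"        # run 3: four bytes
NEW_IMAGE = bytes(_new)


def demo() -> List[Patch]:
    """Diff the sample images and confirm the patches round-trip both ways."""
    patches = diff_images(OLD_IMAGE, NEW_IMAGE)
    assert apply_patches(OLD_IMAGE, patches) == NEW_IMAGE
    # Reverse direction: swapping old/new runs turns the new build back into the old one.
    reverse = [(off, new, old) for off, old, new in patches]
    assert apply_patches(NEW_IMAGE, reverse) == OLD_IMAGE
    return patches


if __name__ == "__main__":
    for off, old, new in demo():
        print(f"{off:#06x}: {old.hex()} -> {new.hex()}")
```

Run on real images, `diff_images` would take the two decrypted iBoot builds as equal-length byte strings; the reverse-patch list is what turns the build you can jump to into the build you actually want to run, which is the idea behind step 3.5 in the boot sequence below.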

 

Let's actually boot it

1) When the device powers on, it loads the signed LLB. If the LLB verifies correctly, it then loads the signed iBoot.

2) The exploit is triggered. It applies its patches and restarts iBoot.

3) The restarted iBoot enters upgrade mode, finds "iBoot-1072.61~6", and jumps to it with the go command.

3.5) When "iBoot-1072.61~6" runs, it rewrites its own contents to those of "iBoot-1072.61~2".

4) The "rewritten" iBoot-1072.61~2 boots the desired iOS 4.3.3. This completes the untethered boot.

 

You can try iOS 4.3.3 on the iPhone 4 with this tool. No SHSH blobs are needed.

 


Copyright (C) 2017-2018 Diosra2. All Rights Reserved.