[How to]Downgrade without ANY saved SHSH blobs

Status
Not open for further replies.

KingShoot007

macrumors member
Original poster
Jul 19, 2013
99
0
Starfleet Academy
A while back I posted a tutorial on how to downgrade iOS version using corrupt SHSH or SHSH from other devices. While this is useful, most people don't have corrupt SHSH and they can't find any SHSH from other devices.

That is why I have decided to write this tutorial, showing you how to downgrade without any SHSH, local or Cydia.

What you need:

1) A4 device or older.

2) iReb r7

3) Custom IPSWs for the firmware you want to downgrade to (links below)

4) iTunes 11.05 or earlier

5) redsn0w 0.9.15b3

6) Normal IPSW for the firmware you are downgrading to (for any iOS 6, you need the iOS 6.0 IPSW)

CUSTOM IPSW LINKS

iPhone 4 GSM (3,1) iOS 5.1.1 Mirror! (Google Drive):
https://docs.google.com/file/d/0ByxMOiAf78kIeXM2MkJJUndWUDA/edit

iPod Touch 4th gen (4,1) iOS 4.1 Mirror! (Google Drive):
https://docs.google.com/file/d/0ByxMOiAf78kIVERJanFOZC1GOVE/edit

iPod Touch 4th gen (4,1) iOS 5.1.1 Mirror! (Google Drive):
https://docs.google.com/file/d/0ByxMOiAf78kIQngwaHNDZDBaOGc/edit

iPod Touch 4th gen (4,1) iOS 4.3.3 Mirror! (Google Drive):
https://docs.google.com/file/d/0ByxMOiAf78kIRGh4WGZnZEtCUXM/edit

iPhone 4 GSM Rev A (3,2) iOS 6.1.3 Mirror! (Google Drive):
https://docs.google.com/file/d/0ByxMOiAf78kISEVXRFdPeFhoTGc/edit

More can be found here: GeekGrade


TUTORIAL

BEFORE DOING ANYTHING, MAKE SURE YOU HAVE A CLEAN RESTORE. NO JAILBREAK, NO APPS, NOTHING.

First of all, connect your device to your computer. Launch iReb r7 and select your device. Follow the steps to put your device into Pwned DFU mode.


Download whatever custom IPSW you want from the links below. Also make sure your iTunes version is 11.05 or earlier.

Open iTunes, and click on your device tab. iTunes will say your device is in Recovery mode. Ignore that.
Hold Shift and click the Restore button. Choose your custom IPSW and let iTunes do the rest.





After about 10 minutes, the process will finish and your device will reboot itself into Recovery Mode (iTunes + cable logo). Don't worry if you see the Recovery image of the old firmware, it's normal!
You have to do a tethered boot in order to load the operating system. You must do this every time you want to switch it on after a shutdown. So let's see how to do that!

Open redsn0w, go to Extras>Select IPSW and select the IPSW for the firmware you downgraded to. If you downgraded to iOS 6 versions, you will need the 6.0 IPSW. Go back, and click Just Boot.



That's it. You are now downgraded to whatever iOS version you chose. If you don't like it, you can always restore back to the latest by pressing Restore in iTunes, but you will need iTunes 11.1 before you do that.
 

Intell

macrumors P6
Jan 24, 2010
18,872
368
Inside
It won't work with another device's SHSH blobs because they are unique to each device. iTunes will error out and the iDevice will be stuck in a non-recoverable recovery mode or DFU mode.
 

KingShoot007

macrumors member
Original poster
Jul 19, 2013
99
0
Starfleet Academy
It won't work with another device's SHSH blobs because they are unique to each device. iTunes will error out and the iDevice will be stuck in a non-recoverable recovery mode or DFU mode.
iTunes is supposed to give an error. And the device is supposed to be stuck in DFU. Then we can use redsn0w to boot it up into iOS using limera1n. The problem is that if the device sleeps, it will detect that the keys in the SHSH used for downgrading don't match what the device needs, and it will forcefully put it into DFU again. Then you need to use redsn0w again.
 

Intell

macrumors P6
Jan 24, 2010
18,872
368
Inside
The custom firmware for another device won't even be restored to the device because of the ECID mismatch. The iDevice will be wiped by iTunes, then it'll fail out due to the mismatch. You can't kick it out of recovery mode, because there is no OS on the device for it to boot to.
 

KingShoot007

macrumors member
Original poster
Jul 19, 2013
99
0
Starfleet Academy
The custom firmware for another device won't even be restored to the device because of the ECID mismatch. The iDevice will be wiped by iTunes, then it'll fail out due to the mismatch. You can't kick it out of recovery mode, because there is no OS on the device for it to boot to.
Did you even try doing this? It works. I'll make a video if you don't believe me. Tether downgrading has been confirmed by major jailbreakers but they don't really talk about it because the devices will have a tethered jailbreak and horrible battery life.

Read my post here and you will see others have also done this.

Love your profile photo BTW ;)
 

Intell

macrumors P6
Jan 24, 2010
18,872
368
Inside
This isn't a tethered downgrade, this isn't even a downgrade. This is a way to force people to the latest signed version of iOS. I've tried this, back when you first posted it. Nothing happens but a wipe and DFU boot. Your linked page has people stating that it doesn't work, with many errors as a result.
 

KingShoot007

macrumors member
Original poster
Jul 19, 2013
99
0
Starfleet Academy
This isn't a tethered downgrade, this isn't even a downgrade. This is a way to force people to the latest signed version of iOS. I've tried this, back when you first posted it. Nothing happens but a wipe and DFU boot. Your linked page has people stating that it doesn't work, with many errors as a result.
You obviously didn't do something right. You need to select Jailbreak in redsn0w right after the DFU kicks in if you followed the first tutorial. There are a lot of steps to follow and doing just one wrong will force you to try again or go to the latest iOS version. That's why you should always dump blobs with iFaith before doing this.

I understand what is really going on: MacRumors won't accept this because it is easier to tell people they can't downgrade.
 

Intell

macrumors P6
Jan 24, 2010
18,872
368
Inside
I have tried that. Same results. Jailbreaking isn't the problem, getting past the initial iTunes restore is the problem. It fails and refuses to proceed with the restore after wiping the device.
 

KingShoot007

macrumors member
Original poster
Jul 19, 2013
99
0
Starfleet Academy
I have tried that. Same results. Jailbreaking isn't the problem, getting past the initial iTunes restore is the problem. It fails and refuses to proceed with the restore after wiping the device.
Oh, I get it, you got an iTunes error before iTunes even started the downgrade process. Did you put in PWNED DFU? And did you use iTunes 11.05 or earlier?
 

Intell

macrumors P6
Jan 24, 2010
18,872
368
Inside
Yes. The problem is the ramdisk isn't properly signed with the device's ECID, causing the iDevice to not be able to boot from it to start the restore process. No amount of pwning it will fix that.
 

KingShoot007

macrumors member
Original poster
Jul 19, 2013
99
0
Starfleet Academy
Yes. The problem is the ramdisk isn't properly signed with the device's ECID, causing the iDevice to not be able to boot from it to start the restore process. No amount of pwning it will fix that.
Hmm, I really don't know how some of us did it successfully then. You know what, I will just make a video and post it. Seems like the only way to show how to correctly do it.

In the meantime, here are some +1's for you for discussing this with me ;)
 

Intell

macrumors P6
Jan 24, 2010
18,872
368
Inside
The only possible way that it could have been done is if the SHSH blobs for the device were stored somewhere. Any other explanation isn't valid, as it cannot be done. The only device that could theoretically downgrade without SHSH blobs is the old bootrom 3GS. The new bootrom 3GS and A4 devices don't have an exploit early enough in the boot sequence to fully bypass the SHSH blob signature check.
 

Intell

macrumors P6
Jan 24, 2010
18,872
368
Inside
We know that this is a futile attempt to downgrade and will lead to nothing but broken hopes and more problems for others to fix.
 

KingShoot007

macrumors member
Original poster
Jul 19, 2013
99
0
Starfleet Academy
We know that this is a futile attempt to downgrade and will lead to nothing but broken hopes and more problems for others to fix.
Then explain to me: how did I downgrade, first to 5.1.1 and now to 4.3.3, and how am I using my device right now to type this? Simple: because tethered downgrading works. It is not my fault if MacRumors members have brain issues understanding the tutorial.
 

Intell

macrumors P6
Jan 24, 2010
18,872
368
Inside
Videos are easily faked and are of no proof. Explain then, how did you bypass the RSA Signature Hash checks in the LLB to permit the restore ramdisk to boot on the device whose SHSH blobs you are not using?
 
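The ECID binding and signing-window behaviour Intell describes above, as an added Python model that is not code from the thread or from Apple: the signing key, ECIDs and version strings are constructed, HMAC stands in for Apple's RSA signature, and the component list and message layout are simplifications of the real TSS/APTicket format.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the TSS server's private key. Apple signs with RSA;
# an HMAC is used here only so the model verifies offline.
APPLE_SIGNING_KEY = b"constructed-stand-in-for-apple-tss-key"

# Boot-chain components whose digests the (simplified) blob covers.
COMPONENTS = ("LLB", "iBoot", "restore-ramdisk")


def component_digest(name: str, version: str) -> str:
    """Stand-in for the digest of one firmware image; derived from the version string here."""
    return hashlib.sha1(f"{name}-{version}".encode()).hexdigest()


def _signed_message(ecid: int, version: str) -> bytes:
    # The signature covers the requesting device's ECID and the image digests,
    # which is what ties a blob to exactly one device and one build.
    digests = "|".join(component_digest(c, version) for c in COMPONENTS)
    return f"{ecid:016x}|{version}|{digests}".encode()


def request_blob(ecid: int, version: str, signing_window: set) -> Optional[dict]:
    """Model of a TSS request: an ECID-bound blob, or None when the build is no longer signed."""
    if version not in signing_window:
        return None  # the server refuses: blobs must be saved while the build is still signed
    sig = hmac.new(APPLE_SIGNING_KEY, _signed_message(ecid, version), hashlib.sha256).hexdigest()
    return {"ecid": ecid, "version": version, "signature": sig}


def device_verify(device_ecid: int, blob: dict, version: str) -> bool:
    """Model of the LLB/iBoot check: the signature must cover THIS device's ECID and these images."""
    expected = hmac.new(APPLE_SIGNING_KEY, _signed_message(device_ecid, version), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, blob["signature"])


def demo() -> dict:
    """Two constructed devices: B saved a 5.1.1 blob in time, A did not."""
    window_then = {"5.1.1"}   # when 5.1.1 was still being signed
    window_now = {"7.0"}      # today: only the latest build is signed
    blob_b = request_blob(0x2222, "5.1.1", window_then)
    return {
        "own_saved_blob_boots": device_verify(0x2222, blob_b, "5.1.1"),
        "other_devices_blob_boots": device_verify(0x1111, blob_b, "5.1.1"),
        "fresh_request_for_old_build": request_blob(0x1111, "5.1.1", window_now),
    }
```

The same blob passes on the device it was issued for and fails on any other ECID, and a fresh request for an unsigned build returns nothing, which is the combination the thread argues over.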

KingShoot007

macrumors member
Original poster
Jul 19, 2013
99
0
Starfleet Academy
Videos are easily faked and are of no proof. Explain then, how did you bypass the RSA Signature Hash checks in the LLB to permit the restore ramdisk to boot on the device whose SHSH blobs you are not using?
Here is the exact procedure I did:

To iOS 5

1) Got blobs from another iPod 4
2) Made a custom 5.1.1 firmware with it
3) Opened iReb r6
4) Put into Pwned DFU
5) Selected the custom 5.1.1 IPSW in iTunes 11.05
6) After error 37, opened redsn0w and selected Jailbreak
7) After jailbreak selected Just Boot
DONE
---------------------------

To iOS 4
1) Downloaded the 4.3.3 IPSW from the link above
2) Opened iReb r7 and put into Pwned DFU
3) Selected the custom 4.3.3 IPSW in iTunes 11.05
4) After the restore and after the iTunes logo showed up, I opened redsn0w, selected a normal 4.3.3 IPSW and clicked Just Boot
DONE

I have no idea how I didn't encounter the error messages you did, I just did this. Nothing else.
 

Intell

macrumors P6
Jan 24, 2010
18,872
368
Inside
You're still failing to explain how you bypassed the RSA Signature Hash checks in the LLB. limera1n can't do that, only the Pwnage and 24kpwn exploits can do that.
 
