iOS Downgrading - Without Apple's Signing

Discussion in 'iOS 8' started by exist3nce, Apr 14, 2015.

  1. exist3nce macrumors newbie

    Joined:
    Apr 14, 2015
    #1
I was thinking about jailbreaking today and came to the idea of downgrading to iOS versions that are not currently signed by Apple. Is it possible that in an IPSW file, there is an indicator that iTunes reads and recognizes the IPSW as a previous iOS version and does not allow a downgrade? What if these specific identifications were changed to those of, let's say, iOS 8.3, which is still currently being signed? Would iTunes allow the downgrade of this unsigned IPSW, thinking it was the iOS 8.3 firmware file?
     
  2. richwoodrocket macrumors 68020

    richwoodrocket

    Joined:
    Apr 7, 2014
    Location:
    Hamburg, NY
    #2
This has to be in the top 10 questions asked about iOS on MacRumors. A simple Google search would show you that you cannot downgrade to previous versions of iOS.
     
  3. exist3nce thread starter macrumors newbie

    Joined:
    Apr 14, 2015
    #3
    Yes, but I am not talking about just downloading the firmware and having iTunes update using that firmware. I am talking about unzipping the ipsw, changing the code, and grouping it back up into an ipsw again.
     
  4. richwoodrocket macrumors 68020

    richwoodrocket

    Joined:
    Apr 7, 2014
    Location:
    Hamburg, NY
    #4

    How do you plan on changing the code/what will you change?
     
  5. exist3nce thread starter macrumors newbie

    Joined:
    Apr 14, 2015
    #5
When the ipsw is unzipped, there is a file named restore.plist. Inside this file, there are lines of code that say things such as <key>ProductBuildVersion</key> and a value for the product build in the next line. If simple code like this is what iTunes reads in order to validate signing, could all these indicators of an unsigned ipsw be changed into those of a signed ipsw, and could iTunes be tricked into installing a firmware it believes is still being signed?
     

  6. richwoodrocket macrumors 68020

    richwoodrocket

    Joined:
    Apr 7, 2014
    Location:
    Hamburg, NY
    #6

    It's probably not that simple, but I guess it doesn't hurt to try....
     
  7. gordon1234 macrumors 6502a

    Joined:
    Jun 23, 2010
    #7
    I would assume that signing is done by comparing the checksum (probably SHA1) with what Apple knows it to be for a particular OS release. The checksum will be different if so much as a single bit in the OS image changes, so you're not going to be able to fool it by tweaking any values.
     
  8. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #8
    It's not as much as what iTunes reads as it is what Apple servers validate. Since we can't change things on Apple's servers we can't really do anything about it or to get around it.
     
  9. Nermal Moderator

    Nermal

    Staff Member

    Joined:
    Dec 7, 2002
    Location:
    New Zealand
    #9
As noted, changing a single byte in the file will cause the checksum to change. You need to create a "fake" server that returns the signature that the iPhone wants (very hard) and then need to make iTunes connect to that server instead (very easy).
     
  10. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #10
    It's not that simple. As everyone else has mentioned, Apple has the signatures for the OS. If you change what's in the ipsw, the signature won't match and it won't install. If this were possible it would be a very significant security risk and Apple would surely patch it almost immediately.
     
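The point made in posts #7, #9 and #10 (the check is over the contents of the firmware image, not over the labels in Restore.plist) as an added, constructed model, not Apple's actual signing protocol and not code from this thread. The archive layout, the build names `NEWBUILD`/`OLDBUILD` and the server-side check are all assumptions for illustration; the model only assumes, as the posts do, that the server stores a digest of each component for every build it still signs.

```python
import hashlib
import io
import plistlib
import zipfile

# Constructed: a minimal IPSW-style zip holding a Restore.plist and one firmware component.
# Build identifiers are placeholders, not real Apple build numbers.
def build_ipsw(build_version: str, image_bytes: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Restore.plist", plistlib.dumps({"ProductBuildVersion": build_version}))
        zf.writestr("Firmware/kernelcache.release", image_bytes)
    return buf.getvalue()

def claimed_build(ipsw_bytes: bytes) -> str:
    """The label iTunes could read from the plist; trivially editable."""
    with zipfile.ZipFile(io.BytesIO(ipsw_bytes)) as zf:
        return plistlib.loads(zf.read("Restore.plist"))["ProductBuildVersion"]

def component_digests(ipsw_bytes: bytes) -> dict:
    """What a digest-based check actually covers: SHA-1 of every component's bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(ipsw_bytes)) as zf:
        for name in zf.namelist():
            if name != "Restore.plist":
                digests[name] = hashlib.sha1(zf.read(name)).hexdigest()
    return digests

def signing_server_allows(ipsw_bytes: bytes, signed_builds: dict) -> bool:
    """Assumed server-side rule: the claimed build must still be signed AND every
    component digest must equal the digest recorded for that build."""
    expected = signed_builds.get(claimed_build(ipsw_bytes))
    return expected is not None and component_digests(ipsw_bytes) == expected

# Constructed sample images and the server's table of builds it still signs.
SIGNED_IMAGE = b"kernelcache for build NEWBUILD (constructed)"
OLD_IMAGE = b"kernelcache for build OLDBUILD (constructed)"
SIGNED_BUILDS = {"NEWBUILD": component_digests(build_ipsw("NEWBUILD", SIGNED_IMAGE))}

GENUINE = build_ipsw("NEWBUILD", SIGNED_IMAGE)      # current, signed firmware
OLD = build_ipsw("OLDBUILD", OLD_IMAGE)             # unsigned older firmware
RELABELLED = build_ipsw("NEWBUILD", OLD_IMAGE)      # the thread's idea: only the plist edited

if __name__ == "__main__":
    for label, ipsw in [("genuine", GENUINE), ("old", OLD), ("relabelled", RELABELLED)]:
        print(label, claimed_build(ipsw), signing_server_allows(ipsw, SIGNED_BUILDS))
```

Relabelling makes the plist claim the signed build, but the component digests are still those of the old image, so the check fails; flipping one bit in the genuine image fails it just as surely.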
  11. sanke1 macrumors 65816

    sanke1

    Joined:
    Nov 9, 2010
    #11
    The only solution would be to emulate a fake activation server which signs the firmware. But how will you obtain those signatures?

    Changing hosts file is easy to point to such server.
     
  12. PsyVamp macrumors newbie

    PsyVamp

    Joined:
    Jun 28, 2017
    #12
    http://boards.4chan.org/g/thread/61131952
    --- Post Merged, Jun 28, 2017 ---
NOT very hard: use a hex editor, or an assembly decompiler, find all IPs / DNS names etc., write them all down on a piece of paper, then take localhost IPs that are not in use, like 127.0.0.3, and just replace them all while writing down each one and its replacement as a "pair" (Original : Modified). Then you write your own app that listens on the new localhost IPs, and when connection/input/output happens you do the same on the paired IP; it's a perfect man-in-the-middle if you wanted to filter / modify any of the packets on the fly. I just don't have the time to learn the Apple protocol.
But years ago I did this once for Yahoo Messenger when boots were popular. I would only get hit the once per exploit, and I would hard-code a filter and never again get booted; also I could turn it around on the sender.
So yes, it's (Very Easy)
     
  13. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #13
    And despite all of that there aren't really any viable solutions to downgrading that have been out after all these years.
     