iOS Downgrading - Without Apple's Signing

exist3nce

macrumors newbie
Original poster
Apr 14, 2015
3
0
I was thinking about jailbreaking today and came to the idea of downgrading to iOS versions that are not currently signed by Apple. Is it possible that in an IPSW file, there is an indicator that iTunes reads and recognizes the IPSW as a previous iOS version and does not allow a downgrade? What if these specific identifications were changed to those of, let's say, iOS 8.3, which is still currently being signed? Would iTunes allow the downgrade of this unsigned IPSW, thinking it was the iOS 8.3 firmware file?
 

richwoodrocket

macrumors 68020
Apr 7, 2014
2,132
111
Buffalo, NY
This has to be in the top 10 questions asked about iOS on macrumors. A simple google search would show you that you cannot downgrade to previous versions of iOS.
 

exist3nce

macrumors newbie
Original poster
Apr 14, 2015
3
0
Yes, but I am not talking about just downloading the firmware and having iTunes update using that firmware. I am talking about unzipping the ipsw, changing the code, and grouping it back up into an ipsw again.
 

exist3nce

macrumors newbie
Original poster
Apr 14, 2015
3
0
How do you plan on changing the code/what will you change?
When the ipsw is unzipped, there is a file named restore.plist. Inside this file, there are lines of code that say things such as <key>ProductBuildVersion</key> and a value for the product build in the next line. If simple code like this is what iTunes reads in order to validate signing, could all these indicators of an unsigned ipsw be changed into those of a signed ipsw, and iTunes be tricked into installing a firmware it believes is still being signed?
 

richwoodrocket

macrumors 68020
Apr 7, 2014
2,132
111
Buffalo, NY
When the ipsw is unzipped, there is a file named restore.plist. Inside this file, there are lines of code that say things such as <key>ProductBuildVersion</key> and a value for the product build in the next line. If simple code like this is what iTunes reads in order to validate signing, could all these indicators of an unsigned ipsw be changed into those of a signed ipsw, and iTunes be tricked into installing a firmware it believes is still being signed?

It's probably not that simple, but I guess it doesn't hurt to try....
 

gordon1234

macrumors 6502a
Jun 23, 2010
571
162
I would assume that signing is done by comparing the checksum (probably SHA1) with what Apple knows it to be for a particular OS release. The checksum will be different if so much as a single bit in the OS image changes, so you're not going to be able to fool it by tweaking any values.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
48,133
16,411
It's not as much as what iTunes reads as it is what Apple servers validate. Since we can't change things on Apple's servers we can't really do anything about it or to get around it.
 

Nermal

Moderator
Staff member
Dec 7, 2002
18,733
1,205
New Zealand
As noted, changing a single byte in the file will cause the checksum to change. You need to create a "fake" server that returns the signature that the iPhone wants (very hard) and then need to make iTunes connect to that server instead (very easy).
 

chrfr

macrumors G3
Jul 11, 2009
8,589
2,769
Would iTunes allow the downgrade of this unsigned IPSW, thinking it was the iOS 8.3 firmware file?
It's not that simple. As everyone else has mentioned, Apple has the signatures for the OS. If you change what's in the ipsw, the signature won't match and it won't install. If this were possible it would be a very significant security risk and Apple would surely patch it almost immediately.
 

sanke1

macrumors 65816
Nov 9, 2010
1,067
430
The only solution would be to emulate a fake activation server which signs the firmware. But how will you obtain those signatures?

Changing the hosts file to point to such a server is easy.
 

PsyVamp

macrumors newbie
Jun 28, 2017
2
0
I was thinking about jailbreaking today and came to the idea of downgrading to iOS versions that are not currently signed by Apple. Is it possible that in an IPSW file, there is an indicator that iTunes reads and recognizes the IPSW as a previous iOS version and does not allow a downgrade? What if these specific identifications were changed to those of, let's say, iOS 8.3, which is still currently being signed? Would iTunes allow the downgrade of this unsigned IPSW, thinking it was the iOS 8.3 firmware file?
http://boards.4chan.org/g/thread/61131952
As noted, changing a single byte in the file will cause the checksum to change. You need to create a "fake" server that returns the signature that the iPhone wants (very hard) and then need to make iTunes connect to that server instead (very easy).
NOT very hard: use a hex editor or an assembly decompiler, find all the IPs / DNS names etc., write them all down on a piece of paper, then take localhost IPs that are not in use, like 127.0.0.3, and just replace them all while writing down each one and its replacement as a "pair" (Original : Modified). Then you write your own app that listens on the new localhost IPs, and when connection/input/output happens you do the same on the paired IP. It's a perfect man-in-the-middle if you wanted to filter / modify any of the packets on the fly. I just don't have the time to learn the Apple protocol.
But years ago I did this once for Yahoo Messenger when boots were popular. I would only get hit the once per exploit, and I would hard-code a filter and never again get booted; also I could turn it around on the sender.
So yes, it's (very easy).
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
48,133
16,411
NOT very hard: use a hex editor or an assembly decompiler, find all the IPs / DNS names etc., write them all down on a piece of paper, then take localhost IPs that are not in use, like 127.0.0.3, and just replace them all while writing down each one and its replacement as a "pair" (Original : Modified). Then you write your own app that listens on the new localhost IPs, and when connection/input/output happens you do the same on the paired IP. It's a perfect man-in-the-middle if you wanted to filter / modify any of the packets on the fly. I just don't have the time to learn the Apple protocol.
But years ago I did this once for Yahoo Messenger when boots were popular. I would only get hit the once per exploit, and I would hard-code a filter and never again get booted; also I could turn it around on the sender.
So yes, it's (very easy).
And despite all of that there aren't really any viable solutions to downgrading that have been out after all these years.
 

clayfigley

macrumors newbie
Dec 13, 2017
1
0
I was thinking about jailbreaking today and came to the idea of downgrading to iOS versions that are not currently signed by Apple. Is it possible that in an IPSW file, there is an indicator that iTunes reads and recognizes the IPSW as a previous iOS version and does not allow a downgrade? What if these specific identifications were changed to those of, let's say, iOS 8.3, which is still currently being signed? Would iTunes allow the downgrade of this unsigned IPSW, thinking it was the iOS 8.3 firmware file?
The way it works is:
1.) Apple releases an IPSW firmware
2.) Apple stores multiple hash values for those files
3.) You modify one bit on that IPSW and the hash becomes different
4.) Even if you successfully modified the firmware to "tell" Apple's signing servers it's up to date, the hash value isn't going to match the original hash it gets checked against on their servers

You can't modify a software package like that anymore. It's been decades or longer since that was fixed.
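A small model of the check that gordon1234 and clayfigley describe, added here as an example and not code from any poster: the plist contents, the build strings and the signing table are constructed stand-ins, and Apple's real check is a per-device signature issued by its server rather than a local lookup table, but the failure mode for an edited restore.plist is the same.

```python
import hashlib
import hmac
import plistlib

# Constructed stand-ins for the Restore.plist of two firmwares (not real Apple
# files; the build strings are placeholders, only the version numbers echo the thread).
OLD_PLIST = plistlib.dumps({"ProductVersion": "8.1.2", "ProductBuildVersion": "OLD-BUILD"})
NEW_PLIST = plistlib.dumps({"ProductVersion": "8.3", "ProductBuildVersion": "NEW-BUILD"})


def sha1_hex(data: bytes) -> str:
    """Digest of the bytes as presented (the thread guesses SHA1; any hash behaves the same)."""
    return hashlib.sha1(data).hexdigest()


# Model of the signing server's table: only the currently signed build is listed,
# and what is recorded is the digest of the original bytes, not the build string.
SIGNING_TABLE = {"NEW-BUILD": sha1_hex(NEW_PLIST)}


def retag_build(plist_bytes: bytes, claimed_build: str) -> bytes:
    """The edit the thread proposes: rewrite ProductBuildVersion and re-serialise."""
    d = plistlib.loads(plist_bytes)
    d["ProductBuildVersion"] = claimed_build
    return plistlib.dumps(d)


def server_decision(plist_bytes: bytes) -> str:
    """Look up the build the file claims to be, then compare the digest of the
    bytes actually presented against the digest recorded for that build."""
    claimed = plistlib.loads(plist_bytes)["ProductBuildVersion"]
    recorded = SIGNING_TABLE.get(claimed)
    if recorded is None:
        return "rejected: build not signed"
    if not hmac.compare_digest(recorded, sha1_hex(plist_bytes)):
        return "rejected: digest mismatch"
    return "accepted"


if __name__ == "__main__":
    print(server_decision(NEW_PLIST))                            # accepted
    print(server_decision(OLD_PLIST))                            # rejected: build not signed
    print(server_decision(retag_build(OLD_PLIST, "NEW-BUILD")))  # rejected: digest mismatch
```

Retagging the old file gets it past the "is this build signed?" lookup, only to fail the next line because the recorded digest belongs to different bytes.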