
How to downgrade checkm8 devices from iOS 15/16

source link: https://gist.github.com/0xallie/aac55c97f7925cddcf5ec3167f85dfe8


Important: Please don't use the comment section to ask for help, I most likely won't respond there as I have it muted due to too many notifications. Join r/jailbreak (#genius-bar) or FDR Bureau (#futurerestore-support) instead.

How to downgrade checkm8 devices from iOS 15/16

This is a guide for downgrading (or upgrading) to unsigned versions with futurerestore on checkm8 devices (A11 and below). You must have blobs for the version you want to go to, and SEP/BB compatibility may limit how far you can go.

Current SEP compatibility

The latest SEP/BB as of right now is iOS 16.0, which is INCOMPATIBLE with anything below. On devices that got iOS 16, you must use 15.6 RC SEP/BB.

Compatibility for 15.x SEP:

  • iPhone X: Breaks Face ID when downgrading to 15.3.1 or below. Causes more breakage when downgrading to 14.8 or below, but issues apart from Face ID can be fixed by jailbreaking with unc0ver/checkra1n and then installing OTAEnabler.
  • iPhone 8: Fully compatible down to 14.3
  • A10 and below: Fully compatible down to 14.0 (NOTE: some issues have been reported below 14.3, so it may only work down to 14.3)

SEP/BB Compatibility Chart

Prerequisites

Notes

  • If the exploit fails even after multiple attempts or your device reboots out of DFU mode, you'll have to start over from the beginning and be quicker next time. (You don't have to redownload anything though.) You may have to force restart your device if it's stuck in DFU.
  • checkm8 is known to have issues on AMD CPUs and may not work if you have one.

Instructions

A11

Compatible versions: 14.3 and above

IMPORTANT: On the iPhone X, downgrading to iOS 14.x will break Face ID. The only way to fix it is by updating/restoring to iOS 15.

With iOS 15.4 or newer SEP, downgrading to 15.0-15.3.1 will also break Face ID, and you have to update to 15.4 or above to fix it.
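The compatibility rules above (the per-device minimum versions, the A10 caveat, the macOS requirement for A8(X)-A9, and the two iPhone X Face ID breakage ranges) are easy to misapply in the middle of a restore. The following pre-flight checker is an added example, not part of the gist; it assumes the 15.6 RC SEP/BB is being used and that the device-group keys (iphone_x, iphone_8, a10, a8_a9) are our own labels.

```python
"""Pre-flight check for a futurerestore target version, derived from the
SEP/BB compatibility notes in the guide (assumes 15.6 RC SEP/BB is used).
Added example; not part of the original gist."""
from typing import NamedTuple, Tuple


def parse_version(s: str) -> Tuple[int, int, int]:
    """'15.3.1' -> (15, 3, 1); missing fields are padded with zeros."""
    parts = [int(p) for p in s.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


# Minimum target version per device group, from the "Compatible versions" lines.
# The group keys are labels chosen for this example.
MIN_TARGET = {
    "iphone_x": "14.3",   # A11
    "iphone_8": "14.3",   # A11
    "a10": "14.0",        # A10(X)
    "a8_a9": "14.0",      # A8(X)-A9
}


class Verdict(NamedTuple):
    supported: bool
    warnings: Tuple[str, ...]


def check_target(device: str, target: str) -> Verdict:
    """Say whether `target` is reachable with 15.6 RC SEP/BB on `device`,
    and list the known breakages that apply to that restore."""
    if device not in MIN_TARGET:
        raise ValueError(f"unknown device group: {device}")
    t = parse_version(target)
    if t >= (16, 0, 0):
        # 16.0 SEP/BB is incompatible with anything below it, so the 15.6 RC
        # rules encoded here say nothing about 16.x targets.
        return Verdict(False, ("16.x targets are outside the 15.6 RC SEP/BB rules",))
    if t < parse_version(MIN_TARGET[device]):
        return Verdict(False, (f"{target} is below the minimum {MIN_TARGET[device]} for {device}",))
    warnings = []
    if device == "a10" and t < (14, 3, 0):
        warnings.append("issues reported below 14.3 on A10(X); may only work down to 14.3")
    if device == "a8_a9":
        warnings.append("A8(X)-A9 pwned DFU (Eclipsa) requires macOS")
    if device == "iphone_x":
        if t < (15, 0, 0):
            warnings.append("Face ID will break; Part 4/4 fixup needed; only restoring to iOS 15 fixes Face ID")
        elif t <= (15, 3, 1):
            warnings.append("Face ID will break; update to 15.4 or above to fix it")
    return Verdict(True, tuple(warnings))
```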

Part 1/4: Entering pwned DFU

  1. Put your device in DFU mode.
  2. Install Python 3.8 or newer.
  3. Run python3 -m pip install --user --force-reinstall https://github.com/hack-different/ipwndfu/archive/main.zip.
  4. Run (cd "$(python3 -m site --user-base)/bin"; ./ipwndfu -p; ./ipwndfu --patch-sigchecks; ./ipwndfu --repair-heap). (If you get a "device has no langid" error but then it's successful, then you can ignore the error.)

Part 2/4: Setting nonce

Note: If you want to use OTA blobs, don't tick "Set Nonce" and restore straight from pwned DFU mode. (Ignore this if you don't know what it is.)

  1. Download and open FutureRestore GUI.
  2. Click "Settings", enable "FutureRestore Beta", then click "Save".
  3. Click "Download FutureRestore".
  4. Download the desired version's IPSW from https://ipsw.me/ and select it along with your blobs.
  5. Click "Next", enable "Pwned Restore" and "Set Nonce". Enable "Custom Latest Beta" and set "Custom Latest Build ID" to 19G69.
  6. Click "Next", and then "Start FutureRestore".

Part 3/4: Restoring

  1. Your device should now be in recovery mode. If not, enter it manually.
  2. Go back to the previous tab in FutureRestore GUI and uncheck both "Pwned Restore" and "Set Nonce".
  3. Click "Next", and "Start FutureRestore" again.

Part 4/4: Fixup (iPhone X 14.x restores only)

If you have an iPhone 8, or are restoring to 15.0 or above, you can skip this section.

  1. Once the restore starts looping at "No data to read (timeout)", force restart your device.
  2. When you see the recovery mode screen, press "Exit Recovery".
  3. Go through with setup as usual.
  4. Jailbreak your device with checkra1n or unc0ver (not Odysseyra1n or Taurine). This will create an initial RootFS snapshot, as it doesn't get created when the restore is interrupted. If checkra1n complains about the missing snapshot, tap "Create".
  5. Install OTAEnabler 0.4.0 or newer from https://repo.cadoth.net/ to fix the broken preboot volume which causes issues with OTA updates and Taurine.
  6. (Optional) Uninstall OTAEnabler and install your preferred OTA blocker.
  7. If you want to jailbreak with Odysseyra1n or Taurine, restore RootFS and go ahead with installing your preferred jailbreak.

Note that this is not a complete fix, as Face ID will still be broken. That is most likely not possible to fix as it's due to a firmware incompatibility.

A10(X)

Compatible versions: 14.0 and above

Part 1/3: Entering pwned DFU

macOS

  1. Put your device in DFU mode.
  2. Download and extract Fugu.
  3. Open the extracted folder in a terminal.
  4. Run ./Fugu rmsigchks.

Linux

  1. Put your device in DFU mode.
  2. Download and extract patched ipwndfu for A10.
  3. Open the extracted folder in a terminal.
  4. Run python2 ipwndfu -p.
  5. Run python2 rmsigchks.py.

Part 2/3: Setting nonce

Note: If you want to use OTA blobs, don't tick "Set Nonce" and restore straight from pwned DFU mode. (Ignore this if you don't know what it is.)

  1. Download and open FutureRestore GUI.
  2. Click "Settings", enable "FutureRestore Beta", then click "Save".
  3. Click "Download FutureRestore".
  4. Download the desired version's IPSW from https://ipsw.me/ and select it along with your blobs.
  5. Click "Next", enable "Pwned Restore" and "Set Nonce". Enable "Custom Latest Beta" and set "Custom Latest Build ID" to 19G69.
  6. Click "Next", and then "Start FutureRestore".

Part 3/3: Restoring

  1. Your device should now be in recovery mode. If not, enter it manually.
  2. Go back to the previous tab in FutureRestore GUI and uncheck both "Pwned Restore" and "Set Nonce".
  3. Click "Next", and "Start FutureRestore" again.

Coming soon...

A8(X)-A9

Requires macOS.

Compatible versions: 14.0 and above

Part 1/3: Entering pwned DFU

  1. Put your device in DFU mode.
  2. Download Eclipsa.
  3. Open the folder in a terminal.
  4. Run killall -STOP AMPDevicesAgent AMPDeviceDiscoveryAgent MobileDeviceUpdater.
  5. Run make and wait for it to compile. (You need to have Xcode installed.) If you cannot compile Eclipsa for some reason, download and extract this zip instead (only compatible with Intel Macs).
  6. If compiled manually, run ./eclipsa. Otherwise, you will need to run the appropriate version for your SoC:
    • A8: ./eclipsa7000
    • A8X: ./eclipsa7001
    • A9: ./eclipsa8000 or ./eclipsa8003
  7. Run killall -CONT AMPDevicesAgent AMPDeviceDiscoveryAgent MobileDeviceUpdater.

Part 2/3: Setting nonce

Note: If you want to use OTA blobs, don't tick "Set Nonce" and restore straight from pwned DFU mode. (Ignore this if you don't know what it is.)

  1. Download and open FutureRestore GUI.
  2. Click "Settings", enable "FutureRestore Beta", then click "Save".
  3. Click "Download FutureRestore".
  4. Download the desired version's IPSW from https://ipsw.me/ and select it along with your blobs.
  5. Click "Next", enable "Pwned Restore" and "Set Nonce". Enable "Custom Latest Beta" and set "Custom Latest Build ID" to 19G69.
  6. Click "Next", and then "Start FutureRestore".

Part 3/3: Restoring

  1. Your device should now be in recovery mode. If not, enter it manually.
  2. Go back to the previous tab in FutureRestore GUI and uncheck both "Pwned Restore" and "Set Nonce".
  3. Click "Next", and "Start FutureRestore" again.
