[How to] Downgrade iOS without SHSH Blobs

Tutorials for Operating Systems, Applications etc can be posted here.
Post Reply
fryPh0ner
Posts: 15
Joined: Sat Apr 23, 2011 12:56 pm

[How to] Downgrade iOS without SHSH Blobs

Post by fryPh0ner »

How to downgrade iPhone 4/3Gs, iPad, iPod Touch 3rd./4th Gen. WITHOUT SHSH Blobs!!!

What you need:
-A jailbroken iPhone, iPad or iPod Touch
-The IPSW-File for the Firmware (iOS) you want to downgrade to(e. g. if you want to downgrade to iOS 4.0.1 get the IPSW for iOS 4.0.1)
-afc2add from Cydia(if not already installed)
-a Program to browse the iDevice's Root-Filesystem(e.g. iPhoneBrowser, DiskAid, iPhoneExplorer)
-7Zip (or other ArchiveManager)
-The Decryption Keys for the Firmware you want to downgrade to (e.g. from theiphonewiki.com)
-vfdecrypt
-TransMac(if on Windows)


(Maybe not necessary, but download it anyways)
-xpwntool(application)(for decrypting the kernel)
-tetheredboot(application)(for booting the old kernel)

Instructions:
1. Open the IPSW-File in 7zip and extract the largest .dmg file(the root filesystem)
2. use vfdecrypt to decrypt the .dmg-file
3. Now open the decrypted .dmg-File:
3.1. On Windows use TransMac(Shareware) to open .dmg-Files, from TransMac extract the Files to a Folder on your Desktop.
3.2. On Mac simpls double-click on the decrypted .dmg, it will be mounted

EDIT: CHECK THAT THERE ARE NO FILES WHICH ARE 0Bytes IN SIZE


MAKE A BACKUP BEFORE DOING ANYTHING!!! I TAKE NO RESPONSIBILITY IF SOMETHING GOES WRONG!!!

4. On your PC start iPhoneBrowser(or similar) now go into the Root-Directory("/")
5. On Windows open the Folder with the Root-Filesystem of the old Firmware, on Mac open the mounted DMG in Finder
6. Now you should begin replacing the Items on the iDevice in this order:

WARNING!!! WHILE REPLACING THE SYSTEM FILES ALL APPLICATIONS ON THE DEVICE WILL CRASH

(6.)1. Go into the "Applications" on the Device and replace all Apps with the ones from the old Firmware
(6.)2. Now replace these Folders in the root-directory("/") of the device: bin, boot, cores, Developer, Library, lib, sbin

(6.)3. Go into the folder "/private" replace the folder "etc"
(6.)4. Go to "/private/var" replace everything except "stash","root","mobile"
(6.)5. Go to "/usr" replace "etc","lib","games","local"
(6.)6. Replace the contents of "bin","sbin","libexec", " include", "share"
(6.)7. Go to "/System/Library" replace "AccessibilityBundles", "Audio","CarrierBundles", "DataClassMigrators","Fonts","Internet Plug-Ins","KeyboardDictionaries","KeyboardLayouts","LaunchDaemons","LinguisticData","PreferenceBundles","PublishingBundles","RegionFeatures","SearchBundles","ScreenReader","Spotlight","SpringBoardPlugIns","TextInput","VoiceServices"

(6.)8. Now very important Syetem Files:"CoreServices","extensions","Frameworks","PrivateFrameworks","Filesystems","SystemConfiguration"

7. Now reboot your Device!
8. If it doesn't boot properly: put the Device in DFU-Mode and use tetheredboot with the kernelcache of the old Firmware(and probably with the iBSS (and iBoot???))


AND TRY TO REPLACE THE FILES/FOLDERS AS FAST AS POSSIBLE, BECAUSE AFTER SOME TIME THE DEVICE REBOOTS/CRASHES!!! SO DISABLE THE BACKUP-FUNCTION OF "iPhoneBrowser"!!!!
Last edited by fryPh0ner on Mon Apr 25, 2011 10:37 am, edited 1 time in total.

asX
Posts: 84
Joined: Sat Apr 24, 2010 11:24 am
Location: Austria

Re: [How to] Downgrade iOS without SHSH Blobs

Post by asX »

Need to try this, but seems to be a very dangerous way :).

Saphiresurf
User avatar
Posts: 26
Joined: Wed Apr 13, 2011 2:03 am

Re: [How to] Downgrade iOS without SHSH Blobs

Post by Saphiresurf »

I would love to try this. Should probably tell people that in case of a endless circle of reboots to DFU restore.
Image

Me: I grew up on the street.
Friends: What!?
Me: Oh, you know, sesame street, I watched it all the time when I was a kid....
(begins drifting off into the memories of watching countless hours of sesame street)

TechDudeGeorge
User avatar
Donator
Posts: 790
Joined: Sun Apr 03, 2011 4:48 pm

Re: [How to] Downgrade iOS without SHSH Blobs

Post by TechDudeGeorge »

I really want to try this to downgrade to 4.1 :/ Does it fully work and act like a previous downgraded firmware? Will it show 4.1 and act like 4.1?
Current Windows 8 Leaks: 7850 / 7929 / 7955 / 7959 (x64) / 7989 (x64)
Current Windows 8 Releases: Windows Developer Preview - 8102 (M3) , Windows 8 Consumer Preview - 8250, Windows 8 Release Preview - 8400
Future Release: Windows 8

xeeynamo
User avatar
Posts: 87
Joined: Fri Mar 21, 2008 12:33 pm
Location: Italy
Contact:

Re: [How to] Downgrade iOS without SHSH Blobs

Post by xeeynamo »

Uhm... Are you already tried? I thought to downgrade in this way some time ago but I saw that some .plist files was 0 bytes when I mount .dmg with MacDrive and I preferred to not try.
Offtopic Comment
Recently I'm unable to boot my iPod Touch 4G (boot loop to Apple Logo), no SSH, no USB, only Recovery and DFU are accessible. Do you know if there is a way to explore/mount/SSHing the user partition in that state? I won't lose all my data =(

fryPh0ner
Posts: 15
Joined: Sat Apr 23, 2011 12:56 pm

Re: [How to] Downgrade iOS without SHSH Blobs

Post by fryPh0ner »

@TechDudeGeorge
If your Device boots after the "Downgrading"-Process, then it means that every thing is working like on the old Firmware...
But don't forget to make Backup...

@All
You should also install OpenSSH to set permissions

TechDudeGeorge
User avatar
Donator
Posts: 790
Joined: Sun Apr 03, 2011 4:48 pm

Re: [How to] Downgrade iOS without SHSH Blobs

Post by TechDudeGeorge »

So if it fails I can just DFU back to 4.2.1 right? I'm just scared of breaking something but want 4.1
Current Windows 8 Leaks: 7850 / 7929 / 7955 / 7959 (x64) / 7989 (x64)
Current Windows 8 Releases: Windows Developer Preview - 8102 (M3) , Windows 8 Consumer Preview - 8250, Windows 8 Release Preview - 8400
Future Release: Windows 8

fryPh0ner
Posts: 15
Joined: Sat Apr 23, 2011 12:56 pm

Re: [How to] Downgrade iOS without SHSH Blobs

Post by fryPh0ner »

Yes, if it fails you can go into DFU or Recovery Mode to go to iOS 4.2.1(if you have SHSH Blobs) or 4.3.2 without SHSH Blobs, but both iOS can now be jailbroken untethered...

Coentje44
Posts: 20
Joined: Sun Apr 17, 2011 4:06 pm

Re: [How to] Downgrade iOS without SHSH Blobs

Post by Coentje44 »

Thanks man! was looking for this for months!

earle97
User avatar
Donator
Posts: 72
Joined: Tue Apr 12, 2011 5:24 pm
Location: Belfast, Northern Ireland
Contact:

Re: [How to] Downgrade iOS without SHSH Blobs

Post by earle97 »

This is great, works a dream thanks. Anyone have any tips on making a cydia theme?
Proud owner of a 2010 MacBook.

Spacemonkey
Posts: 2
Joined: Tue Apr 26, 2011 5:04 am

Re: [How to] Downgrade iOS without SHSH Blobs

Post by Spacemonkey »

Does this mean I can actually restore my 3G MC model iPod Touch from iOS 4.0 to 3.1.3 without SHSH blobs and having it untethered? If yes, you just made my YEAR. I have been having shitty battery life and spent more than $600 on an iPod Touch (had to sell one on craigslist for $230-3rd gen 64GB) the few days before the 4th gen came out. I am extremely frustrated with Apple and their shitty fixes. In retrospect, I could have/should have bought a laptop instead.

fryPh0ner
Posts: 15
Joined: Sat Apr 23, 2011 12:56 pm

Re: [How to] Downgrade iOS without SHSH Blobs

Post by fryPh0ner »

I´m not sure, if it´s tethered or untethered, you need to find a way to write the kernelcache to the device...

SA7039
Posts: 15
Joined: Tue Apr 26, 2011 7:20 am

Re: [How to] Downgrade iOS without SHSH Blobs

Post by SA7039 »

hmm it seems extremely complicated i'd stick to the traditional way unless its absolutely essential for you to downgrade. Say out of curiousity would you be able to downgrade an iPhone 4 to firmware 3.1.x?

fryPh0ner
Posts: 15
Joined: Sat Apr 23, 2011 12:56 pm

Re: [How to] Downgrade iOS without SHSH Blobs

Post by fryPh0ner »

@SA7039
Yes, I could try To downgrade an iPhone 4 To iOS 3.1.x... And if it Works i'll post some Screenshots Here... And a New "How-To" I start experimenting today or tomorrow... But we'll have To use a iOS 4.x Kernel, but I think it will work anyways...


EDIT: The old Apps from 3.1.3(3Gs) won't launch... Tomorrow i'll TRY some other Methods...

atomicgamer
User avatar
Posts: 23
Joined: Sat Jan 24, 2009 2:34 am
Location: South Carolina

Re: [How to] Downgrade iOS without SHSH Blobs

Post by atomicgamer »

I might be doing something wrong. I have tried following those directions, yet for some reason after I decrypt the Root Filesystem (018-7062-093.dmg) or (018-9391-001.dmg), I always get 0kb files mounted in TransMac as a result. I have even tried to copy the entire dmg mounted form TransMac to a local folder but to no avail. I am using an iPod Touch 4G which has SHSH blobs saved up all the way from 4.2.1 and beyond.

I am trying to downgrade to 4.1 and according to theiphonewiki there are two 4.1 builds: the launch build (Baker 8B117) and (Baker 8B118). There does not seem to be much difference between the two, so I do not really care which one. I have tried to replace these files once before, but obviously it failed due to the majority of the files being 0kb. I just do not know what I am doing wrong. It decrypts fine as if it did not I would not be able to browse the dmg using TransMac.

It will be interesting if the makers of tinyumbrella come up with a way to extract the SHSH blobs from the currently installed iOS, then maybe it would be possible to forcibly downgrade to an iOS using this method and then get the SHSH to be able to do this legitly. I've also heard rumors of them trying to find a way to do restores which bypass iTunes and Apple Authorizations completely. But for now I just wish I knew what was going wrong for me to be getting these 0kb files after decryption.

fryPh0ner
Posts: 15
Joined: Sat Apr 23, 2011 12:56 pm

Re: [How to] Downgrade iOS without SHSH Blobs

Post by fryPh0ner »

Try To use 7-Zip To Open the .dmg and then Extract 5.hfsx(i think its called so) and Open it in 7-zip Extract the Folder **Baker**(is the only One there) Tonyou harddisk. Now check again if there any Files which are 0bytes...

Spacemonkey
Posts: 2
Joined: Tue Apr 26, 2011 5:04 am

Re: [How to] Downgrade iOS without SHSH Blobs

Post by Spacemonkey »

fryPh0ner wrote:@SA7039
Yes, I could try To downgrade an iPhone 4 To iOS 3.1.x... And if it Works i'll post some Screenshots Here... And a New "How-To" I start experimenting today or tomorrow... But we'll have To use a iOS 4.x Kernel, but I think it will work anyways...


EDIT: The old Apps from 3.1.3(3Gs) won't launch... Tomorrow i'll TRY some other Methods...
So, have you been successful in downgrading it? I haven't tried yet, seems kind of risky, but I do still want to try. You know, if this works, the internet will explode, because no one will need SHSH blobs anymore. I don't wanna get my hopes up, but if this works, you just made my month.

Post Reply