Important: Please don't use the comment section to ask for help; I most likely won't respond there, as I have it muted due to too many notifications. Join r/jailbreak (#genius-bar) or FDR Bureau (#futurerestore-support) instead.

Guide to downgrade checkm8 devices from any version

This is a guide for downgrading (or upgrading) to unsigned versions with futurerestore on checkm8 devices (A11 and below) without needing an actual jailbreak, as the checkm8 exploit itself works in DFU mode regardless. You must have blobs for the version you want to go to, and SEP/BB compatibility may limit how far you can go.

Current SEP compatibility

The currently signed SEP/BB versions are:

  • 15.6 RC (compatible with 14.3+ on A11, 14.0+ on other devices)
  • 16.2 (compatible with 16.0+)
  • 16.3 (compatible with 16.0+)

Compatibility for 15.x SEP:

  • iPhone X: Breaks Face ID when downgrading to 15.3.1 or below. Causes more breakage when downgrading to 14.8 or below, but issues apart from Face ID can be fixed by jailbreaking with unc0ver/checkra1n and then installing OTAEnabler.
  • iPhone 8: Fully compatible down to 14.3
  • A10 and below: Fully compatible down to 14.0 (NOTE: Some issues have been reported, may only work down to 14.3)

SEP/BB Compatibility Chart

Prerequisites

Notes

  • If the exploit fails even after multiple attempts or your device reboots out of DFU mode, you'll have to start over from the beginning and be quicker next time. (You don't have to redownload anything though.) You may have to force restart your device if it's stuck in DFU.
  • checkm8 is known to have issues on AMD CPUs and may not work if you have one.

Instructions

Table of Contents
A11
A8(X)/A9(X)/A10(X)

A11

Compatible versions: 14.3 and above

IMPORTANT: On the iPhone X, downgrading to iOS 14.x will break Face ID. The only way to fix it is by updating/restoring to iOS 15.

With iOS 15.4 or newer SEP, downgrading to 15.0-15.3.1 will also break Face ID, and you have to update to 15.4 or above to fix it.

Part 1/4: Entering pwned DFU

macOS
  1. Put your device in DFU mode.
  2. Run wget https://static.palera.in/deps/gaster-Darwin.zip && unzip gaster-Darwin.zip.
  3. If you're on an Apple Silicon (M1/M2) Mac and haven't already installed Rosetta, do softwareupdate --install-rosetta. This only needs to be done once.
  4. Run ./gaster pwn.
  5. Run ./gaster reset.
Linux
  1. Put your device in DFU mode.
  2. Run wget https://static.palera.in/deps/gaster-Linux.zip && unzip gaster-Linux.zip.
  3. Run sudo ./gaster pwn.
  4. Run sudo ./gaster reset.

Part 2/4: Setting nonce

Note: If you want to use OTA blobs, don't tick "Set Nonce" and restore straight from pwned DFU mode. (Ignore this if you don't know what it is.)

  1. Download and open FutureRestore GUI.
  2. Click "Settings", enable "FutureRestore Beta", then click "Save".
  3. Click "Download FutureRestore".
  4. Download the desired version's IPSW from https://ipsw.me/ and select it along with your blobs.
  5. Click "Next", enable "Pwned Restore" and "Set Nonce". Enable "Custom Latest Beta" and set "Custom Latest Build ID" to 19G69.
  6. Click "Next", and then "Start FutureRestore".

Part 3/4: Restoring

  1. Your device should now be in recovery mode. If not, enter it manually.
  2. Go back to the previous tab in FutureRestore GUI and uncheck both "Pwned Restore" and "Set Nonce".
  3. Click "Next", and "Start FutureRestore" again.

Part 4/4: Fixup (iPhone X 14.x restores only)

If you have an iPhone 8, or are restoring to 15.0 or above, you can skip this section.

  1. Once the restore starts looping at "No data to read (timeout)", force restart your device.
  2. When you see the recovery mode screen, press "Exit Recovery".
  3. Go through with setup as usual.
  4. Jailbreak your device with checkra1n or unc0ver (not Odysseyra1n or Taurine). This will create an initial RootFS snapshot, as it doesn't get created when the restore is interrupted. If checkra1n complains about the missing snapshot, tap "Create".
  5. Install OTAEnabler 0.4.0 or newer from https://repo.alexia.lol/ to fix the broken preboot volume which causes issues with OTA updates and Taurine.
  6. (Optional but recommended) Uninstall OTAEnabler and install https://alexia.lol/noota16.mobileconfig or another OTA blocker.
  7. If you want to jailbreak with Odysseyra1n or Taurine, restore RootFS and go ahead with installing your preferred jailbreak.

Note that this is not a complete fix, as Face ID will still be broken. That is most likely not possible to fix as it's due to a firmware incompatibility.

A8(X)/A9(X)/A10(X)

Compatible versions: 14.0 and above

Part 1/3: Entering pwned DFU

macOS
  1. Put your device in DFU mode.
  2. Run wget https://static.palera.in/deps/gaster-Darwin.zip && unzip gaster-Darwin.zip.
  3. If you're on an Apple Silicon (M1/M2) Mac and haven't already installed Rosetta, do softwareupdate --install-rosetta. This only needs to be done once.
  4. Run ./gaster pwn.
  5. Run ./gaster reset.
Linux
  1. Put your device in DFU mode.
  2. Run wget https://static.palera.in/deps/gaster-Linux.zip && unzip gaster-Linux.zip.
  3. Run sudo ./gaster pwn.
  4. Run sudo ./gaster reset.

Part 2/3: Setting nonce

Note: If you want to use OTA blobs, don't tick "Set Nonce" and restore straight from pwned DFU mode. (Ignore this if you don't know what it is.)

  1. Download and open FutureRestore GUI.
  2. Click "Settings", enable "FutureRestore Beta", then click "Save".
  3. Click "Download FutureRestore".
  4. Download the desired version's IPSW from https://ipsw.me/ and select it along with your blobs.
  5. Click "Next", enable "Pwned Restore" and "Set Nonce". Enable "Custom Latest Beta" and set "Custom Latest Build ID" to 19G69.
  6. Click "Next", and then "Start FutureRestore".
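
A pre-flight check for the blob selected in step 4 of "Setting nonce" (both device sections), as an added example rather than code from this guide or from futurerestore. The error quoted in the comments ("signing ticket does not contain generator. But a generator is required for 64 bit pwndfu") is the failure it catches before any device is touched. It assumes the common .shsh2 layout (a plist with a `generator` string and an `ApImg4Ticket` data entry); the sample blob is constructed, and `check_blob` and `build_sample` are hypothetical names.

```python
#!/usr/bin/env python3
"""Pre-flight check of an .shsh2 blob before using "Set Nonce" (added example)."""
import plistlib
import re
import sys

# Assumption: a generator is written as 0x followed by 16 hex digits,
# like the 0x1111111111111111 shown in the comments on this page.
GENERATOR_RE = re.compile(r"0x[0-9a-fA-F]{16}")


def build_sample(generator="0x1111111111111111"):
    """Constructed sample blob; the ticket is a dummy DER SEQUENCE, not a real one."""
    blob = {"ApImg4Ticket": b"\x30\x03\x02\x01\x00"}
    if generator is not None:
        blob["generator"] = generator
    return plistlib.dumps(blob)


def check_blob(data):
    """Return {'ok', 'generator', 'problems'} for the raw bytes of a blob file."""
    try:
        blob = plistlib.loads(data)
    except Exception as exc:  # malformed XML, unknown format, truncated file
        return {"ok": False, "generator": None,
                "problems": [f"not a readable plist: {exc}"]}
    if not isinstance(blob, dict):
        return {"ok": False, "generator": None,
                "problems": ["plist top level is not a dictionary"]}

    problems = []
    ticket = blob.get("ApImg4Ticket")
    if not isinstance(ticket, bytes) or not ticket:
        problems.append("no ApImg4Ticket data in blob")
    elif ticket[0] != 0x30:
        problems.append("ApImg4Ticket does not start with a DER SEQUENCE tag")

    generator = blob.get("generator")
    if generator is None:
        problems.append("no generator in blob; the nonce cannot be set from it")
    elif not isinstance(generator, str) or not GENERATOR_RE.fullmatch(generator):
        problems.append(f"malformed generator: {generator!r}")
        generator = None
    return {"ok": not problems, "generator": generator, "problems": problems}


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the constructed sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    result = check_blob(raw)
    print("generator:", result["generator"])
    for problem in result["problems"]:
        print("problem:", problem)
    sys.exit(0 if result["ok"] else 1)
```

Run it with the path to the blob as the only argument; a non-zero exit status means the blob should not be used with "Set Nonce".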

Part 3/3: Restoring

  1. Your device should now be in recovery mode. If not, enter it manually.
  2. Go back to the previous tab in FutureRestore GUI and uncheck both "Pwned Restore" and "Set Nonce".
  3. Click "Next", and "Start FutureRestore" again.
@pubglovee

Hello everyone, I have a 6s Plus; it's an A9 device, I guess. I'm on iOS 15.2. I want to downgrade to iOS 15.1 and I have blobs saved, but I don't have a macOS device. Is it possible to make a macOS USB stick and then downgrade? Will it work?

The only experience is in macOS. I’ve heard of ways on other OSes, but can’t say for sure if it will work. I don’t think Mac will work from a USB stick like Linux can. There's lots of guides using Linux. And every time I’ve done a futurerestore downgrade, I’ve lost all data, but I believe the FutureRestore GUI has some options to try to preserve data (untested by me of course).

So unless I have a macOS device I can't downgrade right now, unless there is a working version on Linux. Thank you, I am out of luck sadly.

@lex77794

lex77794 commented Jun 13, 2022

iPhone 8+. When rolling back from 15.5 to 14.8, the process is interrupted. What could be the matter? The blobs are working; before, everything worked with them.

@xrotorhead

Using the futurerestore script vs the GUI works for me. Here’s a summary of that:

https://gist.github.com/nyuszika7h/aac55c97f7925cddcf5ec3167f85dfe8?permalink_comment_id=4144634#gistcomment-4144634

@NikitaChuprin228

Hi all. Phone: iPhone 7, iOS 15.3. I ran into a problem: when rolling back from 15.3 to 14.7, the ipwndfu patch does not see the connected phone in DFU mode, although the system sees it. I changed wires, connectors and Python versions, but all in vain. The system is the latest version of Linux Mint Cinnamon. If anyone has come across this, please tell me, I will be very grateful. Error: ERROR: No Apple device in DFU Mode 0x1227 detected after 5.00 second timeout. I'm attaching a screenshot of the error.

@fund2022

Hello, I have an iPhone 8 on iOS 15.5. How can I downgrade to iOS 14.7? Please help.

@deargosep

I can't pwn dfu on iPad 6th gen iOS 15.5, macOS big sur

@xrotorhead

The first question is: were blobs saved for the iOS version you are trying to downgrade to? If not, I’m afraid you’re out of luck until a JB is released compatible with the iOS version you are currently on.

@deargosep

I have blobs saved

@xrotorhead

> I can't pwn dfu on iPad 6th gen iOS 15.5, macOS big sur

Getting the device into pwn/ dfu mode is one of the most challenging parts. I’d look up the procedures for your exact device on YouTube. This one worked for some of the devices I was using: https://youtu.be/IMaD_vz5O3Q

@xrotorhead

> I have blobs saved

This post (below) summarized step-by-step what worked for me. Hope it helps in your case...

https://gist.github.com/nyuszika7h/aac55c97f7925cddcf5ec3167f85dfe8?permalink_comment_id=4144634#gistcomment-4144634

@deargosep

When I'm using noncergulator from your post, it says that libirecovery is not installed. The first three times, macOS threw me an error message saying libirecovery is corrupted and should be deleted. After that it asks me for the shsh2 file path, I paste it, and then there is this error:

Continuing with given SHSH
File verified as SHSH2 file, continuing
Getting generator from SHSH
Your generator is: 0x1111111111111111
 
Either unsupported device or no device found.
Exiting..

@xrotorhead

In my case, I needed both ldid and libirecovery installed via homebrew for it to work in macOS Monterey.

@deargosep

I installed both via homebrew. Also I have Big Sur, could it be a problem? On the homebrew page it says it is supported on Big Sur. Also I have an M1 chip on my Mac.

@xrotorhead

You can try some basics like make sure the Mac sees and “trusts” the phone. Also, I remember once having major issues with a usb-c to lightning cable for JB purposes; and using a usb-a to lightning cable fixed communications between the Mac and the phone. Not sure what kind of ports you have on an M1, but you may need an intermediary usb-c to usb-a (female) adapter to test this.

@deargosep

Thank you, gonna try with USB a

@deargosep

I tried with usb a adapter, Mac is trusted on iPad, even reinstalled ldid and libirecovery via rosetta 2, still doesn't work

@showmak

showmak commented Jul 15, 2022

> Hello, I have an iPhone 8 on iOS 15.5. How can I downgrade to iOS 14.7? Please help.

Do you have blobs for 14.7?

@xrotorhead

xrotorhead commented Jul 15, 2022

> > Hello, I have an iPhone 8 on iOS 15.5. How can I downgrade to iOS 14.7? Please help.
>
> Do you have blobs for 14.7?

I’m afraid you’re stuck until a JB is released for your iOS version. Blobs are device-specific. Perhaps somebody (before you) has saved the blobs for your individual handset - you can go here to investigate; otherwise somebody else’s blobs will not work on your device.

@ceson-l

ceson-l commented Jul 29, 2022

Hi all. iPhone 7, iOS 15.2. Can I downgrade the system to any version? Like 10.x.x or something. Please help.

@iyedess

iyedess commented Jul 31, 2022

NO SOLUTION FOR A9X IPAD PRO 9.7

@joshuah345

joshuah345 commented Aug 11, 2022

> NO SOLUTION FOR A9X IPAD PRO 9.7

there's gaster now, so a9x is fine
https://github.com/joshuah345/gaster/tree/imagefix

@robi62

robi62 commented Sep 23, 2022

Hi, it has been a while; last time there was no GUI, it was all in the terminal. I keep getting the error
Device did not reconnect Possibly invalid iBEC
What is this error about???

I rebooted the laptop and started again and it seems to be working. It did, so happy. Thanks for your hard work, guys.

@kirpeace121

I tried to upgrade from 14.3 to 14.8. I am getting the error "signing ticket does not contain generator. But a generator is required for 64 bit pwndfu" on an iPhone 7.

@SlimShadys

Confirmed working on iPhone X (A11) from 15.7 to 14.6 using 19H12 (15.7) SEP/BB.

Make sure to enable also the --no-rsep option, as it could complain about FDR.

Also, it might show unsuccessful restoring and will pop you back up into recovery mode. As the guide says, click "Exit Recovery" and it will start up the normal boot process.

@lyujie-xm

getting keys failed with error: 14745615 (failed to get FirmwareJson from Server). Are keys publicly available?

A9X

@zillusion

zillusion commented Nov 13, 2022

Yesterday upgraded to 15.7.1 and downgraded to 13.3.1 on iPhone SE 2016 - A9 successfully, first trying this guide and failing, it's outdated...
19H12 (15.7.0) is no longer being signed, so you'll immediately get an error if you set Build ID to this val.
15.6 RC1 (19G69) is still signed, setting val to this gets you further, but then at the restore step this error stops the process:
getting keys failed with error: 14745615 (failed to get FirmwareJson from Server).

So after some reading I found out that only setting the nonce is needed, not firmware flash. On A9 where 15.7.1 is the final iOS version
So the option to check in step 2 is no rsep - no restore, and as mentioned pwned restore and set nonce.
This sets up our blobs nonce, gets SEP/BB from 15.7.1, and you can just flash original firmware - steps from step 3.
Newer models should use 19G69 and hopefully keys for them will be on the server.

@rilodroid

ERROR: Command errored out with exit status 1:
command: /Applications/Xcode.app/Contents/Developer/usr/bin/python3 /Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/site-packages/pip/_vendor/pep517/_in_process.py get_requires_for_build_wheel /var/folders/_w/tcjktqts2ms6ll49jtx63tbm0000gn/T/tmp9od05enm
cwd: /private/var/folders/_w/tcjktqts2ms6ll49jtx63tbm0000gn/T/pip-install-33t7ko64/cryptography

@cuucondiep

You fixed it?

@ziadplayz1

PLEASE help me, I'm getting this error "what=getting keys failed with error: 14745615 (failed to get FirmwareJson from Server). Are keys publicly available?"

Downgrading from 16 to 14.6 on iPad 6th gen, no baseband.

@laatif

laatif commented Dec 19, 2022

I keep getting: what=Failed to get apnonce from device! any help ?
Thank you
