@ensingerphilipp
Forked from dhinakg/tutorial-alternate.md
Last active November 21, 2022 01:23
tutorial-alternate-updated.md

Note: I took this guide from https://gist.github.com/dhinakg/5dc595e39440e6d68a24d38e6fea926d and added a way to find your AssetAudience.

Note: This writeup is for advanced users and developers. For a guide that will actually walk you through this, ios.cfw.guide is updated. guides.stkc.win should be soon™️.

13.x appears to have issues. 13.5 is confirmed to fail to check updates once you change the audience. If any other versions do this, please let me know.

So, I got bored and decided to do more research into alternates. Turns out you can still abuse it to update to a currently signed Version (15.4.1 as of writing) on iOS versions that don't support alternates. You're welcome.

This requires a jailbreak. Of course, you can do the backup editing stuff if you're not JBed but:

a. It's a wack method imo

b. I didn't try it so I'm not gonna explain it

Also, don't do this if you're already on 14.5-14.7.1, there's no point. Just get the alternate profile directly and follow the normal steps.

Steps:

  1. Go through the guide steps until you get up to the "installing the profile" steps (get supervised, etc).
  2. Install an iOS beta profile. (https://betaprofiles.com/) Some do not work; you just have to try (I used 15.6 Beta at time of writing).
  3. Get the current (15.4.1 as of writing) profile marked "Alternate" from dhinakg's site.
  4. Know the correct AssetAudience string of the currently signed firmware you want to update to (15.4.1, iPhone 12 --> 01c1d682-6e8f-4908-b724-5501fe3f5e5c)
    • If you don't know the AssetAudience:
      1. Get the pallas.sh Script here
      2. Edit the script and set the debug=false Variable to debug=true
      3. Search for your iPhone model inside the script (iPhone 12 = iPhone13,2)
      4. Run with a filter for your version / iPhone combination, e.g. ./pallas.sh -n ios 15.4.1 iPhone13,2 for iOS 15.4.1 on an iPhone 12
      5. You will get output like dl com.apple.MobileAsset.SoftwareUpdate 01c1d682-6e8f-4908-b724-5501fe3f5e5c iPhone13,2 D53gAP 0 0 (1/14) and also some failed requests like Failed to fetch: com.apple.MobileAsset.SoftwareUpdate 84da8706-e267-4554-8207-865ae0c3a120 iPhone13,2 D53gAP 0 0 Beta.
      6. Compare the strings of the failed requests against the request commands that were initiated; the requests with no matching failure are the ones that succeeded
      7. Choose an AssetAudience from the succeeded requests: dl com.apple.MobileAsset.SoftwareUpdate 01c1d682-6e8f-4908-b724-5501fe3f5e5c iPhone13,2 D53gAP 0 0 (1/14) --> 01c1d682-6e8f-4908-b724-5501fe3f5e5c
    • Option A: I know how to terminal
      1. install plutil (default repo)
      2. plutil -key MobileAssetAssetAudience -string 01c1d682-6e8f-4908-b724-5501fe3f5e5c "/Library/Managed Preferences/mobile/com.apple.MobileAsset.plist"
    • Option B: I don't know how to terminal
      1. Get Filza
      2. Open /Library/Managed Preferences/mobile/com.apple.MobileAsset.plist in Filza
      3. Set MobileAssetAssetAudience to 01c1d682-6e8f-4908-b724-5501fe3f5e5c
  5. Reboot or launchctl reboot userspace
  6. Continue with normal delay OTA procedure (restore rootFS, install update)
  7. Remove the beta profile to remove the channel override.

This expires whenever the alternate expires.
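
Sub-steps 5 to 7 of the AssetAudience lookup (comparing initiated requests against failed ones) can be scripted. The following is an added example, not part of the original gist or of pallas.sh; it assumes the debug output uses the `dl ...` and `Failed to fetch: ...` line shapes quoted in the steps, and the function names and the second `dl` line of the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist or pallas.sh). Assumes debug output lines
# shaped like the two quoted in the steps: "dl <asset type> <audience> ..."
# for a request that was started, "Failed to fetch: <asset type> <audience> ..."
# for one that failed.

# Print every audience that was requested and never reported as failed.
succeeded_audiences() {
    awk '
    # True if s has the 8-4-4-4-12 hex layout of an AssetAudience UUID.
    function is_uuid(s,   p) {
        return (s ~ /^[0-9a-fA-F-]+$/) && split(s, p, "-") == 5 &&
               length(p[1]) == 8 && length(p[2]) == 4 && length(p[3]) == 4 &&
               length(p[4]) == 4 && length(p[5]) == 12
    }
    # Return the audience that follows the asset type on this line, or "".
    function audience(   i) {
        for (i = 1; i < NF; i++)
            if ($i == "com.apple.MobileAsset.SoftwareUpdate" && is_uuid($(i + 1)))
                return tolower($(i + 1))
        return ""
    }
    /^Failed to fetch:/ { a = audience(); if (a != "") failed[a] = 1; next }
    /^dl / {
        a = audience()
        if (a != "" && !(a in seen)) { seen[a] = 1; order[++n] = a }
    }
    # Filter at the end so a failure logged before or after its "dl" line counts.
    END { for (i = 1; i <= n; i++) if (!(order[i] in failed)) print order[i] }
    '
}

# Constructed sample log: lines 1 and 3 are the ones quoted in the steps,
# line 2 is a made-up "dl" line for the audience that later fails.
sample_log() {
    cat <<'EOF'
dl com.apple.MobileAsset.SoftwareUpdate 01c1d682-6e8f-4908-b724-5501fe3f5e5c iPhone13,2 D53gAP 0 0 (1/14)
dl com.apple.MobileAsset.SoftwareUpdate 84da8706-e267-4554-8207-865ae0c3a120 iPhone13,2 D53gAP 0 0 Beta (2/14)
Failed to fetch: com.apple.MobileAsset.SoftwareUpdate 84da8706-e267-4554-8207-865ae0c3a120 iPhone13,2 D53gAP 0 0 Beta
EOF
}

sample_log | succeeded_audiences
```

On a real run, pipe the saved debug output of pallas.sh into `succeeded_audiences` instead of `sample_log`.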

Why this works:

Audience = channel. Channel = iOS release, iOS 15 dev beta, iOS 14 dev beta, iOS 14 public beta, iOS 14 security updates, etc.

The way alternate works is that your device checks the release channel, sees that there's an iOS 15 update, but also sees that the server said there's an alternate update and checks the alternate channel that the server replied with.

Now, if you're on <14.5, the code to check the alternate channel isn't there. However, you can abuse the fact that beta profiles set the channel by editing the plist where the channel is stored to change the channel to the iOS 14 security updates one. From your device's perspective, all it knows about is the alternate channel.


deweydb commented Aug 4, 2022

thanks this was very helpful. fwiw it worked with the latest 16 beta for me to go from 13.5 -> 15.4.1 on an iPhone 8.
