@ichitaso
Forked from dhinakg/tutorial-alternate.md
Created January 10, 2022 09:50
tutorial-alternate.md

Note: This writeup is for advanced users and developers. For a guide that will actually walk you through this, ios.cfw.guide is updated. guides.stkc.win should be soon™️.

So, I got bored and decided to do more research into alternates. Turns out you can still abuse it to update to 14.8 on iOS versions that don't support alternates. You're welcome.

This requires a jailbreak. Of course, you can do the backup editing stuff if you're not JBed but:

a. It's a wack method imo

b. I didn't try it so I'm not gonna explain it

Also, don't do this if you're already on 14.5-14.7.1, there's no point. Just get the alternate profile directly and follow the normal steps.

Steps:

  1. Go through the guide steps until you get up to the "installing the profile" steps (get supervised, etc).
  2. Install an iOS beta profile. It doesn't matter which, as long as it installs.
  3. Get the 14.8 profile marked "Alternate" from my site
    • Option A: I know how to terminal
      1. Install plutil (default repo)
      2. `plutil -key MobileAssetAssetAudience -string c724cb61-e974-42d3-a911-ffd4dce11eda "/Library/Managed Preferences/mobile/com.apple.MobileAsset.plist"`
    • Option B: I don't know how to terminal
      1. Get Filza
      2. Open `/Library/Managed Preferences/mobile/com.apple.MobileAsset.plist` in Filza
      3. Set `MobileAssetAssetAudience` to `c724cb61-e974-42d3-a911-ffd4dce11eda`
  4. Reboot or `launchctl reboot userspace`
  5. Continue with normal delay OTA procedure (restore rootFS, install update)
  6. Remove the beta profile to remove the channel override.

This expires whenever the alternate expires.

Why this works:

An audience is a channel. A channel is one of: iOS release, iOS 15 dev beta, iOS 14 dev beta, iOS 14 public beta, iOS 14 security updates, etc.

The way alternate works is that your device checks the release channel, sees that there's an iOS 15 update, but also sees that the server said there's an alternate update and checks the alternate channel that the server replied with.

Now, if you're on <14.5, the code to check the alternate channel isn't there. However, you can abuse the fact that beta profiles set the channel by editing the plist where the channel is stored to change the channel to the iOS 14 security updates one. From your device's perspective, all it knows about is the alternate channel.
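To check which channel the plist currently points at (for example, to confirm after step 6 that the override is gone), here is an added example that is not part of the original gist. It uses the path, key and audience ID from the steps above; the status names and sample plists are constructed for illustration.

```python
import plistlib
import uuid

# Path, key and audience ID as given in the steps above.
PLIST_PATH = "/Library/Managed Preferences/mobile/com.apple.MobileAsset.plist"
AUDIENCE_KEY = "MobileAssetAssetAudience"
# The only audience ID this writeup names; IDs of other channels are not listed here.
KNOWN_AUDIENCES = {"c724cb61-e974-42d3-a911-ffd4dce11eda": "iOS 14 security updates"}


def classify_audience(plist_bytes):
    """Return (status, detail) for the raw bytes of a MobileAsset plist."""
    try:
        data = plistlib.loads(plist_bytes)  # handles both XML and binary plists
    except Exception as exc:  # plistlib raises several error types on bad input
        return ("unreadable", str(exc))
    if not isinstance(data, dict) or AUDIENCE_KEY not in data:
        return ("no-override", None)
    value = data[AUDIENCE_KEY]
    try:
        audience = str(uuid.UUID(value))  # validates and lower-cases the ID
    except (ValueError, AttributeError, TypeError):
        return ("malformed", repr(value))
    if audience in KNOWN_AUDIENCES:
        return ("known-override", KNOWN_AUDIENCES[audience])
    return ("unknown-override", audience)


# Constructed sample inputs (not captured from a real device).
SAMPLE_OVERRIDE = plistlib.dumps(
    {AUDIENCE_KEY: "C724CB61-E974-42D3-A911-FFD4DCE11EDA"}, fmt=plistlib.FMT_BINARY)
SAMPLE_CLEAN = plistlib.dumps({})  # XML plist with no audience key
SAMPLE_OTHER = plistlib.dumps(
    {AUDIENCE_KEY: "00000000-0000-0000-0000-000000000000"})  # placeholder ID
SAMPLE_BAD_VALUE = plistlib.dumps({AUDIENCE_KEY: "beta"})

if __name__ == "__main__":
    try:
        with open(PLIST_PATH, "rb") as fh:
            print(classify_audience(fh.read()))
    except FileNotFoundError:
        print(("no-override", "plist not present"))
```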
