How to downgrade checkm8 devices from iOS 15/16

Important: Please don't use the comment section to ask for help, I most likely won't respond there as I have it muted due to too many notifications. Join r/jailbreak (#genius-bar) or FDR Bureau (#futurerestore-support) instead.

This is a guide for downgrading (or upgrading) to unsigned versions with futurerestore on checkm8 devices (A11 and below). You must have blobs for the version you want to go to, and SEP/BB compatibility may limit how far you can go.

Current SEP compatibility

The latest SEP/BB as of right now is iOS 16.0, which is INCOMPATIBLE with anything below. On devices that got iOS 16, you must use 15.6 RC SEP/BB.

Compatibility for 15.x SEP:

  • iPhone X: Breaks Face ID when downgrading to 15.3.1 or below. Causes more breakage when downgrading to 14.8 or below, but issues apart from Face ID can be fixed by jailbreaking with unc0ver/checkra1n and then installing OTAEnabler.
  • iPhone 8: Fully compatible down to 14.3
  • A10 and below: Fully compatible down to 14.0 (NOTE: Some issues have been reported, may only work down to 14.3)

SEP/BB Compatibility Chart

Prerequisites

Notes

  • If the exploit fails even after multiple attempts or your device reboots out of DFU mode, you'll have to start over from the beginning and be quicker next time. (You don't have to redownload anything though.) You may have to force restart your device if it's stuck in DFU.
  • checkm8 is known to have issues on AMD CPUs and may not work if you have one.

Instructions

Table of Contents
A11
A10(X)
A9X
A8(X)

A11

Compatible versions: 14.3 and above

IMPORTANT: On the iPhone X, downgrading to iOS 14.x will break Face ID. The only way to fix it is by updating/restoring to iOS 15.

With iOS 15.4 or newer SEP, downgrading to 15.0-15.3.1 will also break Face ID, and you have to update to 15.4 or above to fix it.

Part 1/4: Entering pwned DFU

  1. Put your device in DFU mode.
  2. Install Python 3.8 or newer.
  3. Run `python3 -m pip install --user --force-reinstall https://github.com/hack-different/ipwndfu/archive/main.zip`.
  4. Run `(cd "$(python3 -m site --user-base)/bin"; ./ipwndfu -p; ./ipwndfu --patch-sigchecks; ./ipwndfu --repair-heap)`. (If you get a "device has no langid" error but the command then succeeds, you can ignore the error.)

Part 2/4: Setting nonce

Note: If you want to use OTA blobs, don't tick "Set Nonce" and restore straight from pwned DFU mode. (Ignore this if you don't know what it is.)

  1. Download and open FutureRestore GUI.
  2. Click "Settings", enable "FutureRestore Beta", then click "Save".
  3. Click "Download FutureRestore".
  4. Download the desired version's IPSW from https://ipsw.me/ and select it along with your blobs.
  5. Click "Next", enable "Pwned Restore" and "Set Nonce". Enable "Custom Latest Beta" and set "Custom Latest Build ID" to 19G69.
  6. Click "Next", and then "Start FutureRestore".
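
A pre-flight check for the blob selected in step 4, as an added example that is not part of the original guide or of FutureRestore: it confirms the `.shsh2` file carries a generator (needed for "Set Nonce") and that its ticket is bound to your device's ECID. It assumes the plist keys `generator` and `ApImg4Ticket` written by common blob-saving tools and locates the `ECID` and `BNCH` properties with a heuristic byte scan of the Image4 manifest; the function names and the sample blob are constructed for illustration.

```python
import plistlib
import re

GENERATOR_RE = re.compile(r"0x[0-9a-fA-F]{16}")


def img4_property(ticket: bytes, name: bytes, value_tag: int):
    """Value of an Image4 property: IA5String <name>, then a short-form DER value."""
    marker = b"\x16\x04" + name + bytes([value_tag])
    pos = ticket.find(marker)
    if pos < 0:
        return None
    len_at = pos + len(marker)
    if len_at >= len(ticket) or ticket[len_at] >= 0x80:
        return None  # truncated, or long-form length (not handled here)
    value = ticket[len_at + 1 : len_at + 1 + ticket[len_at]]
    return value if len(value) == ticket[len_at] else None


def inspect_shsh2(raw: bytes, device_ecid: int) -> dict:
    """Report what a saved blob is bound to, plus reasons it cannot be used."""
    report = {"generator": None, "ecid": None, "apnonce": None, "problems": []}
    try:
        blob = plistlib.loads(raw)
    except Exception as exc:
        report["problems"].append(f"not a readable plist: {exc}")
        return report
    if not isinstance(blob, dict):
        report["problems"].append("top-level plist object is not a dictionary")
        return report
    ticket = blob.get("ApImg4Ticket")
    if not isinstance(ticket, bytes) or b"\x16\x04IM4M" not in ticket[:16]:
        report["problems"].append("ApImg4Ticket missing or not an IM4M manifest")
        return report
    generator = blob.get("generator")
    if isinstance(generator, str) and GENERATOR_RE.fullmatch(generator):
        report["generator"] = generator.lower()
    else:
        report["problems"].append("no usable generator in blob")
    ecid = img4_property(ticket, b"ECID", 0x02)
    if ecid is None:
        report["problems"].append("no ECID found in ticket")
    else:
        report["ecid"] = int.from_bytes(ecid, "big")
        if report["ecid"] != device_ecid:
            report["problems"].append("ticket was issued for a different ECID")
    nonce = img4_property(ticket, b"BNCH", 0x04)  # ApNonce the ticket was signed for
    report["apnonce"] = nonce.hex() if nonce else None
    return report


def constructed_blob(ecid: int, nonce: bytes, generator=None) -> bytes:
    """Constructed sample: a toy IM4M fragment, not a real signed ticket."""
    e = ecid.to_bytes(8, "big")
    ticket = (b"\x30\x82\x00\x00\x16\x04IM4M"
              + b"\x16\x04ECID\x02" + bytes([len(e)]) + e
              + b"\x16\x04BNCH\x04" + bytes([len(nonce)]) + nonce)
    blob = {"ApImg4Ticket": ticket}
    if generator is not None:
        blob["generator"] = generator
    return plistlib.dumps(blob)


if __name__ == "__main__":
    sample = constructed_blob(0x1A2B3C4D5E6F, bytes(range(32)), "0x1111111111111111")
    print(inspect_shsh2(sample, device_ecid=0x1A2B3C4D5E6F))
    print(inspect_shsh2(constructed_blob(0x1A2B3C4D5E6F, bytes(range(32))), 0x99))
```

For a real file, pass `open(path, "rb").read()` and the ECID your device reports; an empty `problems` list means the structural checks passed, not that the ticket's signature is valid.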

Part 3/4: Restoring

  1. Your device should now be in recovery mode. If not, enter it manually.
  2. Go back to the previous tab in FutureRestore GUI and uncheck both "Pwned Restore" and "Set Nonce".
  3. Click "Next", and "Start FutureRestore" again.

Part 4/4: Fixup (iPhone X 14.x restores only)

If you have an iPhone 8, or are restoring to 15.0 or above, you can skip this section.

  1. Once the restore starts looping at "No data to read (timeout)", force restart your device.
  2. When you see the recovery mode screen, press "Exit Recovery".
  3. Go through with setup as usual.
  4. Jailbreak your device with checkra1n or unc0ver (not Odysseyra1n or Taurine). This will create an initial RootFS snapshot, as it doesn't get created when the restore is interrupted. If checkra1n complains about the missing snapshot, tap "Create".
  5. Install OTAEnabler 0.4.0 or newer from https://repo.cadoth.net/ to fix the broken preboot volume which causes issues with OTA updates and Taurine.
  6. (Optional) Uninstall OTAEnabler and install your preferred OTA blocker.
  7. If you want to jailbreak with Odysseyra1n or Taurine, restore RootFS and go ahead with installing your preferred jailbreak.

Note that this is not a complete fix, as Face ID will still be broken. That is most likely not possible to fix as it's due to a firmware incompatibility.

A10(X)

Compatible versions: 14.0 and above

Part 1/3: Entering pwned DFU

macOS
  1. Put your device in DFU mode.
  2. Download and extract Fugu.
  3. Open the extracted folder in a terminal.
  4. Run `./Fugu rmsigchks`.
Linux
  1. Put your device in DFU mode.
  2. Download and extract patched ipwndfu for A10.
  3. Open the extracted folder in a terminal.
  4. Run `python2 ipwndfu -p`.
  5. Run `python2 rmsigchks.py`.

Part 2/3: Setting nonce

Note: If you want to use OTA blobs, don't tick "Set Nonce" and restore straight from pwned DFU mode. (Ignore this if you don't know what it is.)

  1. Download and open FutureRestore GUI.
  2. Click "Settings", enable "FutureRestore Beta", then click "Save".
  3. Click "Download FutureRestore".
  4. Download the desired version's IPSW from https://ipsw.me/ and select it along with your blobs.
  5. Click "Next", enable "Pwned Restore" and "Set Nonce". Enable "Custom Latest Beta" and set "Custom Latest Build ID" to 19G69.
  6. Click "Next", and then "Start FutureRestore".

Part 3/3: Restoring

  1. Your device should now be in recovery mode. If not, enter it manually.
  2. Go back to the previous tab in FutureRestore GUI and uncheck both "Pwned Restore" and "Set Nonce".
  3. Click "Next", and "Start FutureRestore" again.

A9X

Coming soon...

A8(X)-A9

Requires macOS.

Compatible versions: 14.0 and above

Part 1/3: Entering pwned DFU

  1. Put your device in DFU mode.
  2. Download Eclipsa.
  3. Open the folder in a terminal.
  4. Run `killall -STOP AMPDevicesAgent AMPDeviceDiscoveryAgent MobileDeviceUpdater`.
  5. Run `make` and wait for it to compile. (You need to have Xcode installed.) If you cannot compile Eclipsa for some reason, download and extract this zip instead (only compatible with Intel Macs).
  6. If compiled manually, run `./eclipsa`. Otherwise, you will need to run the appropriate version for your SoC:
    • A8: `./eclipsa7000`
    • A8X: `./eclipsa7001`
    • A9: `./eclipsa8000` or `./eclipsa8003`
  7. Run `killall -CONT AMPDevicesAgent AMPDeviceDiscoveryAgent MobileDeviceUpdater`.

Part 2/3: Setting nonce

Note: If you want to use OTA blobs, don't tick "Set Nonce" and restore straight from pwned DFU mode. (Ignore this if you don't know what it is.)

  1. Download and open FutureRestore GUI.
  2. Click "Settings", enable "FutureRestore Beta", then click "Save".
  3. Click "Download FutureRestore".
  4. Download the desired version's IPSW from https://ipsw.me/ and select it along with your blobs.
  5. Click "Next", enable "Pwned Restore" and "Set Nonce". Enable "Custom Latest Beta" and set "Custom Latest Build ID" to 19G69.
  6. Click "Next", and then "Start FutureRestore".

Part 3/3: Restoring

  1. Your device should now be in recovery mode. If not, enter it manually.
  2. Go back to the previous tab in FutureRestore GUI and uncheck both "Pwned Restore" and "Set Nonce".
  3. Click "Next", and "Start FutureRestore" again.

pubglovee commented May 24, 2022

or can we do it with linux for a9 device?

xrotorhead commented May 24, 2022

Hey guys! Im currently on ios 15.0 using an iphone x, do you guys think i should wait for the jailbreak, or do i just downgrade? and also, if i did downgrade and then a ios 15.0 jailbreak released, can i upgrade to specifically ios 15.0? if so, how? thank you

As of this writing, you can downgrade as low as 14.3 on iPhone X (but will break faceID) provided you have your blobs saved for the specific iOS version you are trying to downgrade to. And when you wanna upgrade to a higher version, that will also be possible provided (again) that you have your saved blobs for the version you are trying to futurerestore to AND the SEP/BB files that Apple is currently signing are compatible with the iOS version you are trying to futurerestore to.

xrotorhead commented May 24, 2022

hello everyone, i've an 6s plus its A9 device i guess, im on ios 15.2 version. i want to downgrade ios 15.1 i have blobs saved, but i dont have an macOs device, is it possible to make macos usb stick then downgrade will it work?

My only experience is in macOS. I’ve heard of ways on other OS’s, but can’t say for sure if it will work. Mac won’t boot to the full OS from a usb stick like Linux can. I have come across several guides to futurerestore using Linux in the past. Every time I’ve done a futurerestore downgrade, I’ve lost all data, but I believe the FutureRestore GUI has some options to try to preserve data (untested by me of course).

pubglovee commented May 25, 2022

hello everyone, i've an 6s plus its A9 device i guess, im on ios 15.2 version. i want to downgrade ios 15.1 i have blobs saved, but i dont have an macOs device, is it possible to make macos usb stick then downgrade will it work?

The only experience is in macOS. I’ve heard of ways on other OS’s, but can’t say for sure if it will work. I don’t think Mac will work from a usb stick like Linux can. Theres lots of guides using Linux. And every time I’ve done a futurerestore downgrade, I’ve lost all data, but I believe the FutureRestore GUI has some options to try to preserve data (untested by me of course).

So unless i've a macOS device i can't downgrade right now, unless there is a working version on Linux, thank you i am out of luck sadly.

lex77794 commented Jun 13, 2022

iPhone 8+ When rolling back from 15.5 to 14.8, the process is interrupted. What could be the matter, blobs workers, before everything worked with them

xrotorhead commented Jun 13, 2022

Using the futurerestore script vs the GUI works for me. Here’s a summary of that:

https://gist.github.com/nyuszika7h/aac55c97f7925cddcf5ec3167f85dfe8?permalink_comment_id=4144634#gistcomment-4144634

NikitaChuprin228 commented Jul 11, 2022

Hi all. Phone iPhone 7 IOS 15.3. Faced such a problem that when rolling back from 15.3 to 14.7, the ipwndfu patch does not see the connected phone in dfu mode, although the system sees it, changed wires, connectors, python versions, but all in vain, the Linux mint cinnamon system is the latest version, if anyone has come across, please tell me, I will be very grateful. Error: ERROR: No Apple device in DFU Mode 0x1227 detected after 5.00 second timeout. I'm attaching a screenshot of the error.

fund2022 commented Jul 12, 2022

hello i have iphone 8 and ios 15.5 haw i can downgrade ios 14.7? please help

deargosep commented Jul 13, 2022

I can't pwn dfu on iPad 6th gen iOS 15.5, macOS big sur

xrotorhead commented Jul 13, 2022

The first question is: were blobs saved for the iOS version you are trying to downgrade to? If not, I’m afraid you’re out of luck until a JB is released compatible with the iOS version you are currently on.

deargosep commented Jul 13, 2022

I have blobs saved

xrotorhead commented Jul 13, 2022

I can't pwn dfu on iPad 6th gen iOS 15.5, macOS big sur

Getting the device into pwn/ dfu mode is one of the most challenging parts. I’d look up the procedures for your exact device on YouTube. This one worked for some of the devices I was using: https://youtu.be/IMaD_vz5O3Q

xrotorhead commented Jul 13, 2022

I have blobs saved

This post (below) summarized step-by-step what worked for me. Hope it helps in your case...

https://gist.github.com/nyuszika7h/aac55c97f7925cddcf5ec3167f85dfe8?permalink_comment_id=4144634#gistcomment-4144634

deargosep commented Jul 13, 2022

I have blobs saved

This post (below) summarized step-by-step what worked for me. Hope it helps in your case...

https://gist.github.com/nyuszika7h/aac55c97f7925cddcf5ec3167f85dfe8?permalink_comment_id=4144634#gistcomment-4144634

when I'm using noncergulator from your post, it says that libirecovery is not installed. first three times macOS thrown me an error message saying libirecovery is corrupted and should be deleted. after that it asks me for shsh2 file path, I paste it and then there is this error:

Continuing with given SHSH
File verified as SHSH2 file, continuing
Getting generator from SHSH
Your generator is: 0x1111111111111111
 
Either unsupported device or no device found.
Exiting..

xrotorhead commented Jul 13, 2022

I have blobs saved

This post (below) summarized step-by-step what worked for me. Hope it helps in your case...
https://gist.github.com/nyuszika7h/aac55c97f7925cddcf5ec3167f85dfe8?permalink_comment_id=4144634#gistcomment-4144634

when I'm using noncergulator from your post, it says that libirecovery is not installed. first three times macOS thrown me an error message saying libirecovery is corrupted and should be deleted. after that it asks me for shsh2 file path, I paste it and then there is this error:

Continuing with given SHSH
File verified as SHSH2 file, continuing
Getting generator from SHSH
Your generator is: 0x1111111111111111
 
Either unsupported device or no device found.
Exiting..

In my case, I needed both ldid and libirecovery installed via homebrew for it to work in macOS Monterey.

deargosep commented Jul 14, 2022

I have blobs saved

This post (below) summarized step-by-step what worked for me. Hope it helps in your case...
https://gist.github.com/nyuszika7h/aac55c97f7925cddcf5ec3167f85dfe8?permalink_comment_id=4144634#gistcomment-4144634

when I'm using noncergulator from your post, it says that libirecovery is not installed. first three times macOS thrown me an error message saying libirecovery is corrupted and should be deleted. after that it asks me for shsh2 file path, I paste it and then there is this error:

Continuing with given SHSH
File verified as SHSH2 file, continuing
Getting generator from SHSH
Your generator is: 0x1111111111111111
 
Either unsupported device or no device found.
Exiting..

In my case, I needed both ldid and libirecovery installed via homebrew for it to work in macOS Monterey.

I installed both via homebrew. Also I have Big Sur, could it be a problem? On homebrew page it says it is supported on Big Sur. Also i have M1 chip on my mac

xrotorhead commented Jul 15, 2022

I have blobs saved

This post (below) summarized step-by-step what worked for me. Hope it helps in your case...
https://gist.github.com/nyuszika7h/aac55c97f7925cddcf5ec3167f85dfe8?permalink_comment_id=4144634#gistcomment-4144634

when I'm using noncergulator from your post, it says that libirecovery is not installed. first three times macOS thrown me an error message saying libirecovery is corrupted and should be deleted. after that it asks me for shsh2 file path, I paste it and then there is this error:

Continuing with given SHSH
File verified as SHSH2 file, continuing
Getting generator from SHSH
Your generator is: 0x1111111111111111
 
Either unsupported device or no device found.
Exiting..

In my case, I needed both ldid and libirecovery installed via homebrew for it to work in macOS Monterey.

I installed both via homebrew. Also I have Big Sur, could it be a problem? On homebrew page it says it is supported on Big Sur. Also i have M1 chip on my mac

You can try some basics like make sure the Mac sees and “trusts” the phone. Also, I remember once having major issues with a usb-c to lightning cable for JB purposes; and using a usb-a to lightning cable fixed communications between the Mac and the phone. Not sure what kind of ports you have on an M1, but you may need an intermediary usb-c to usb-a (female) adapter to test this.

deargosep commented Jul 15, 2022

I have blobs saved

This post (below) summarized step-by-step what worked for me. Hope it helps in your case...
https://gist.github.com/nyuszika7h/aac55c97f7925cddcf5ec3167f85dfe8?permalink_comment_id=4144634#gistcomment-4144634

when I'm using noncergulator from your post, it says that libirecovery is not installed. first three times macOS thrown me an error message saying libirecovery is corrupted and should be deleted. after that it asks me for shsh2 file path, I paste it and then there is this error:

Continuing with given SHSH
File verified as SHSH2 file, continuing
Getting generator from SHSH
Your generator is: 0x1111111111111111
 
Either unsupported device or no device found.
Exiting..

In my case, I needed both ldid and libirecovery installed via homebrew for it to work in macOS Monterey.

I installed both via homebrew. Also I have Big Sur, could it be a problem? On homebrew page it says it is supported on Big Sur. Also i have M1 chip on my mac

You can try some basics like make sure the Mac sees and “trusts” the phone. Also, I remember once having major issues with a usb-c to lightning cable for JB purposes; and using a usb-a to lightning cable fixed communications between the Mac and the phone. Not sure what kind of ports you have on an M1, but you may need an intermediary usb-c to usb-a (female) adapter to test this.

Thank you, gonna try with USB a

deargosep commented Jul 15, 2022

I have blobs saved

This post (below) summarized step-by-step what worked for me. Hope it helps in your case...
https://gist.github.com/nyuszika7h/aac55c97f7925cddcf5ec3167f85dfe8?permalink_comment_id=4144634#gistcomment-4144634

when I'm using noncergulator from your post, it says that libirecovery is not installed. first three times macOS thrown me an error message saying libirecovery is corrupted and should be deleted. after that it asks me for shsh2 file path, I paste it and then there is this error:

Continuing with given SHSH
File verified as SHSH2 file, continuing
Getting generator from SHSH
Your generator is: 0x1111111111111111
 
Either unsupported device or no device found.
Exiting..

In my case, I needed both ldid and libirecovery installed via homebrew for it to work in macOS Monterey.

I installed both via homebrew. Also I have Big Sur, could it be a problem? On homebrew page it says it is supported on Big Sur. Also i have M1 chip on my mac

You can try some basics like make sure the Mac sees and “trusts” the phone. Also, I remember once having major issues with a usb-c to lightning cable for JB purposes; and using a usb-a to lightning cable fixed communications between the Mac and the phone. Not sure what kind of ports you have on an M1, but you may need an intermediary usb-c to usb-a (female) adapter to test this.

I tried with usb a adapter, Mac is trusted on iPad, even reinstalled ldid and libirecovery via rosetta 2, still doesn't work

showmak commented Jul 15, 2022

hello i have iphone 8 and ios 15.5 haw i can downgrade ios 14.7? please help
Do you have blobs for 14.7?

xrotorhead commented Jul 15, 2022

hello i have iphone 8 and ios 15.5 haw i can downgrade ios 14.7? please help
Do you have blobs for 14.7?

I’m afraid you’re stuck until a JB is released for your iOS version. Blobs are device-specific. Perhaps somebody (before you) has saved the blobs for your individual handset - you can go here to investigate; otherwise somebody else’s blobs will not work on your device.

ceson-l commented Jul 29, 2022

hi all. iphone7 ios15.2 can I downgrade the system to any version? like 10.x.x or something. please help

iyedess commented Jul 31, 2022

NO SOLUTION FOR A9X IPAD PRO 9.7

joshuah345 commented Aug 11, 2022

NO SOLUTION FOR A9X IPAD PRO 9.7

there's gaster now, so a9x is fine
https://github.com/joshuah345/gaster/tree/imagefix

robi62 commented Sep 23, 2022

hi its has been a while last time there was not a gui all in terminal I keep getting error
Device did not reconnect Possibly invadid iBEC
What is this error about???

I rebooted laptop and started again and seems to be working it did so happy thanks for your hard work guys

kirpeace121 commented Oct 5, 2022

i tried to upgrade from 14.3 to 14.8. I am getting error signing ticket does not contain generator. But a generator is required for 64 bit pwndfu in iphone 7

SlimShadys commented Nov 3, 2022

Confirmed working on iPhone X (A11) from 15.7 to 14.6 using 19H12 (15.7) SEP/BB.

Make sure to enable also the --no-rsep option, as it could complain about FDR.

Also, it might show unsuccessful restoring and will pop you back up into recovery mode. As the guide says, click "Exit Recovery" and it will start up the normal boot process.

lyujie-xm commented Nov 12, 2022

getting keys failed with error: 14745615 (failed to get FirmwareJson from Server). Are keys publicly available?

A9X

zillusion commented Nov 13, 2022

Yesterday upgraded to 15.7.1 and downgraded to 13.3.1 on IPhone SE 2016 - A9 successfully first trying this guide and failing, it's outdated...
19H12(15.7.0) is no longer being signed, so you'll immediately get an error if you set Build ID to this val.
15.6 RC1 (19G69) is still signed, setting val to this gets you further, but then at the restore step this error stops the process:
getting keys failed with error: 14745615 (failed to get FirmwareJson from Server).

So after some reading I found out that only setting the nonce is needed, not firmware flash. On A9 where 15.7.1 is the final IOS version
So the option to check in step 2 is no rsep - no restore, and as mentioned pwned restore and set nonce.
This sets up our blobs nonce, gets SEP/BB from 15.7.1, and you can just flash original firmware - steps from step 3.
Newer models should use 19G69 and hopefully keys for them will be on the server.

rilodroid commented Dec 1, 2022

ERROR: Command errored out with exit status 1:
command: /Applications/Xcode.app/Contents/Developer/usr/bin/python3 /Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/site-packages/pip/_vendor/pep517/_in_process.py get_requires_for_build_wheel /var/folders/_w/tcjktqts2ms6ll49jtx63tbm0000gn/T/tmp9od05enm
cwd: /private/var/folders/_w/tcjktqts2ms6ll49jtx63tbm0000gn/T/pip-install-33t7ko64/cryptography