@verygenericname
Forked from 0xallie/checkm8_downgrade.md
Last active March 26, 2024 01:34
How to downgrade from iOS 15 to iOS 14

Important: Please don't use the comment section to ask for help. Join r/jailbreak (#futurerestore-help) or FDR Bureau (#support) instead.

The latest SEP/BB as of right now is iOS 15.3.1, and is partially or fully compatible with iOS 14 depending on your device. See the appropriate section for exact compatibility info.

Prerequisites

Notes

  • If the exploit fails even after multiple attempts or your device reboots out of DFU mode, you'll have to start over from the beginning and be quicker next time. (You don't have to redownload anything though.) You may have to force restart your device if it's stuck in DFU.
  • checkm8 is known to have issues on AMD CPUs and may not work if you have one.

Instructions

Table of Contents
A12 and newer
A11
A10(X)
A9X
A8(X)-A9

A12 and newer

Nope, you can't. At least not until a jailbreak for iOS 15 comes out, but SEP/BB will probably be fully incompatible by then.

A11

IMPORTANT: On the iPhone X, downgrading to iOS 15.3.1 or below with 15.4 SEP will break Face ID. The only way to fix it is by updating/restoring to iOS 15.

This very likely also affects A12 and above, but you can't downgrade those devices from iOS 15 currently anyway. It does also apply to upgrading from an earlier version with FutureRestore, though.

There are no issues with iPhone 8(+); Touch ID will work fine.

Compatible versions: 14.3-14.8

Part 1/4: Entering pwned DFU

  1. Put your device in DFU mode.
  2. Install Python 3.8 or newer.
  3. Run python3 -m pip install --user --force-reinstall https://github.com/hack-different/ipwndfu/archive/main.zip.
  4. Run ipwndfu -p && ipwndfu --patch-sigchecks && ipwndfu --repair-heap.

Part 2/4: Setting nonce

  1. Download and open FutureRestore GUI.
  2. Click "Settings", enable "FutureRestore Beta", then click "Save".
  3. Click "Download FutureRestore".
  4. Download the desired version's IPSW from https://ipsw.me/ and select it along with your blobs.
  5. Click "Next", enable "Pwned Restore" and "Set Nonce", and leave SEP and Baseband on latest. (If you see a "64 Bit Checkm8" option, update FRGUI. You should not use that option.)
  6. Click "Next", and then "Start FutureRestore".

Part 3/4: Restoring

  1. Put your device in recovery mode.
  2. Go back to the previous tab in FutureRestore GUI and uncheck both "Pwned Restore" and "Set Nonce".
  3. Click "Next", and "Start FutureRestore" again.

Part 4/4: Fixup (iPhone X only)

  1. Once the restore starts looping at "No data to read (timeout)", force restart your device.
  2. When you see the recovery mode screen, press "Exit Recovery".
  3. Go through with setup as usual.
  4. Jailbreak your device with checkra1n or unc0ver (not Odysseyra1n or Taurine). This will create an initial RootFS snapshot, as it doesn't get created when the restore is interrupted. If checkra1n complains about the missing snapshot, tap "Create".
  5. Install OTAEnabler 0.4.0 or newer from https://repo.cadoth.net/ to fix the broken preboot volume which causes issues with OTA updates and Taurine.
  6. (Optional) Uninstall OTAEnabler and install your preferred OTA blocker.
  7. If you want to jailbreak with Odysseyra1n or Taurine, restore RootFS and go ahead with installing your preferred jailbreak.

Note that this is not a complete fix, as Face ID will still be broken. That is most likely not possible to fix as it's due to a firmware incompatibility.

A10(X)

Compatible versions: 14.0-14.8

Part 1/3: Entering pwned DFU

macOS
  1. Put your device in DFU mode.
  2. Download and extract Fugu.
  3. Open the extracted folder in a terminal.
  4. Run ./Fugu rmsigchks.
Linux
  1. Put your device in DFU mode.
  2. Download and extract patched ipwndfu for A10.
  3. Open the extracted folder in a terminal.
  4. Run python2 ipwndfu -p.
  5. Run python2 rmsigchks.py.

Part 2/3: Setting nonce

  1. Download and open FutureRestore GUI.
  2. Click "Settings", enable "FutureRestore Beta", then click "Save".
  3. Click "Download FutureRestore".
  4. Download the desired version's IPSW from https://ipsw.me/ and select it along with your blobs.
  5. Click "Next", enable "Pwned Restore" and "Set Nonce", and leave SEP and Baseband on latest. (If you see a "64 Bit Checkm8" option, update FRGUI. You should not use that option.)
  6. Click "Next", and then "Start FutureRestore".

Part 3/3: Restoring

  1. Put your device in recovery mode.
  2. Go back to the previous tab in FutureRestore GUI and uncheck both "Pwned Restore" and "Set Nonce".
  3. Click "Next", and "Start FutureRestore" again.

A9X

Coming soon...

A8(X)-A9

Requires macOS.

Compatible versions: 14.0-14.8

Part 1/3: Entering pwned DFU

  1. Put your device in DFU mode.
  2. Download Eclipsa.
  3. Open the folder in a terminal.
  4. Run killall -STOP AMPDevicesAgent AMPDeviceDiscoveryAgent MobileDeviceUpdater.
  5. Run make and wait for it to compile. (You need to have Xcode installed.) If you cannot compile Eclipsa for some reason, download and extract this zip instead (only compatible with Intel Macs).
  6. If compiled manually, run ./eclipsa. Otherwise, you will need to run the appropriate version for your SoC:
    • A8: ./eclipsa7000
    • A8X: ./eclipsa7001
    • A9: ./eclipsa8000 or ./eclipsa8003
  7. Run killall -CONT AMPDevicesAgent AMPDeviceDiscoveryAgent MobileDeviceUpdater.
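
Steps 4 to 7 above as one wrapper, added here as an example (it is not part of the original guide or of Eclipsa): it suspends the three daemons, runs the command you pass it, and resumes them even when that command fails or is interrupted, so a failed attempt does not leave them stopped. The function names run_paused and resume_agents and the KILLALL override variable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: pause/resume wrapper around steps 4-7 of the A8(X)-A9 section.

# Daemon names exactly as given in the guide.
AGENTS="AMPDevicesAgent AMPDeviceDiscoveryAgent MobileDeviceUpdater"
# Assumption of this sketch: KILLALL can be overridden to test the logic off-device.
KILLALL="${KILLALL:-killall}"

resume_agents() {
    # killall exits non-zero when a named process is not running; not an error here.
    $KILLALL -CONT $AGENTS 2>/dev/null || true
}

run_paused() {
    # Usage: run_paused <command> [args...]   e.g. run_paused ./eclipsa
    if [ "$#" -eq 0 ]; then
        echo "usage: run_paused <command> [args...]" >&2
        return 2
    fi

    $KILLALL -STOP $AGENTS 2>/dev/null || true

    # Resume the daemons if the run is interrupted (Ctrl-C) or terminated.
    trap 'resume_agents; trap - INT TERM; exit 130' INT TERM

    # Run the command and keep its exit status, whether it succeeds or fails.
    status=0
    "$@" || status=$?

    trap - INT TERM
    resume_agents
    return "$status"
}

# When called with arguments, wrap them; with none, only define the functions.
if [ "$#" -gt 0 ]; then
    run_paused "$@"
fi
```

Saved as, say, run_paused.sh (a hypothetical file name), it would be called as sh run_paused.sh ./eclipsa from the Eclipsa folder; the exit status is that of the wrapped command.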

Part 2/3: Setting nonce

  1. Download and open FutureRestore GUI.
  2. Click "Settings", enable "FutureRestore Beta", then click "Save".
  3. Click "Download FutureRestore".
  4. Download the desired version's IPSW from https://ipsw.me/ and select it along with your blobs.
  5. Click "Next", enable "Pwned Restore" and "Set Nonce", and leave SEP and Baseband on latest. (If you see a "64 Bit Checkm8" option, update FRGUI. You should not use that option.)
  6. Click "Next", and then "Start FutureRestore".

Part 3/3: Restoring

  1. Put your device in recovery mode.
  2. Go back to the previous tab in FutureRestore GUI and uncheck both "Pwned Restore" and "Set Nonce".
  3. Click "Next", and "Start FutureRestore" again.