Futurerestore iOS 14 to 13

Why would you downgrade your iOS version?

Ever since the first iPhone was invented, jailbreaking has shown it can do so much more than what Apple intended. Jailbreaking has been in a cat and mouse game with Apple since Apple usually has the higher ground. This means that the latest iOS versions are seldom jailbreakable, with older versions being the preferred ones for jailbreak enthusiasts because of an abundant amount of Kernel Exploits available.

What are iOS kernel exploits?

A software huge and as complex as the iOS kernel is, would often have bugs. With every new feature or change, Apple developers have the chance to also introduce new bugs in the kernel. Security researchers (hackers if you want) can find these vulnerabilities through lengthy reverse engineering sessions or even by looking at the open-sourced code (although not very frequent). Once such vulnerability is found, an exploit (a program that makes use of that vulnerability) can be written.




Of course, depending on how severe the bug is, it can affect serious security components of the iOS kernel and by using the exploit, a hacker can bypass or disable the sandbox, disable CodeSign which enforces trusted code signing identities, enable full ROOT access, etc. This is the recipe for a jailbreak, and without such kernel exploits, jailbreak as you know it would not exist.

Since the latest version of iOS often does not have publicly known vulnerabilities (unless you talk about a CheckM8-compatible device), the preferred version for jailbreakers is the one that has enough kernel vulnerabilities known in the wild to be able to get a jailbreak going, and that is often 2-3 maybe even 4 versions behind the latest. In such a case, one may wanna use FutureRestore, a tool that can aid in downgrading or upgrading in certain conditions even after Apple stopped signing the vulnerable firmware.

Why does it matter if Apple signs an iOS version?

Apple employs a TSS service (Tatsu Signing Service) that your device talks to every time it wants to install iOS (via Over The Air [OTA] or an IPSW through USB). The iOS device makes a request containing its serial number, IMEI, iOS version, device ID, FairPlay randomness, etc., and sends it to the Apple Signing Server. Once the server gets the request, if Apple still signs lets say iOS 14.3, it will send back a signing ticket personalized for that particular device and the installation will begin.

If the iOS version you try to install is no longer signed, the server will return a stop code and no ticket. No signing ticket = no way to personalize the firmware for the device so the BOOTROM on the device will refuse the installation, thus denying your downgrade / upgrade to whatever version you wanted.

In such a case, saving SHSH2 blobs comes in handy.

What are SHSH or SHSH2 blobs on iOS?

Those are tiny files (a few KB in size) containing the response the Apple TSS Server would have sent to the device if the iOS version you try to restore was still signed. Those are saved by the user while a specific iOS version is still signed, to be used for later.

Imagine these as a permanent record of what the server would have responded back when lets say iOS 14.3 was still signed. Its the response the device awaits in order to begin the installation.

With such file at hand, and with a tool like FutureRestore which can make use of that file instead of talking to the Apple TSS Server, if certain conditions are met, you might just be able to fool the BOOTROM on the device to think the response was received right now and whichever iOS version you try to downgrade to, is still signed.

IMPORTANT: You cannot save SHSH2 blobs / tickets after the iOS version stopped being signed because the server would just return the error code and no ticket. Save those while the iOS version is signed, even if theres no jailbreak available for it yet.
For example: iOS 14.7 is the latest version at the time I am writing this article, but theres no jailbreak for it on A12+ devices. I will save my SHSH2 blobs NOW, because by the time a jailbreak is out, 14.7 will long be unsigned.

What do I need for a FutureRestore downgrade?

In order to be able to downgrade your iPhone, iPad, or iPod Touch with FutureRestore you need a few important files, your device, and a lot of patience and caution. One mistake and you screw up your chance to downgrade.




Heres the materials list, so to speak:

1. FutureRestore tool, available to download here for Linux, Windows, and macOS.
2. Your SHSH2 blob file for the iOS version and device you wanna downgrade. SHSH2 blobs are NOT transferable from a device to another or from an iOS version to another.
3. An IPSW file for the iOS version you wanna downgrade to. You can grab it from ipsw.me.
4. The SEP and Baseband file for your device, from a currently signed iOS version. Make sure it is compatible though, not all are from a version to another.
5. A USB-Lightning cable and your iOS device with the battery charged at least 60%.
6. A Nonce Generator Setter tool for iOS. These usually need a kernel exploit to unlock the NVRAM.

• DOWNLOAD FutureRestore

Question: Can this be done without a computer?

Answer: No. You need at least a Windows or a Linux machine with an internet connection to be able to do this.

What are SEP and Baseband and why do they have to be compatible?

SEP stands for Secure Enclave Processor. Its a core in the Apple A chips which handles security, cryptography, and data protection. Its what handles Touch ID, Face ID, Apple Pay, Passcode, data encryption, etc. This is a vital component without which the device will fail to boot. Apple treats this component as a separate entity on the device, with its own memory separated from the general memory used by the Application Processor.

SEP has its own firmware which is part of the IPSW file. The operating system used by SEP is called SEPOS and it communicates with iOS via mailboxes. I will not enter in details, but SEP and iOS are pretty well separated from each other, with only the data that really has to be there passing through. As the name implies, SEP is very well secured, and as such a properly signed SEPOS is mandatory for an iOS restore.

The Baseband is what handles the Cellular connection. You know, calls, texts, 3G, 4G, 5G, and the general telephony stuff. You need this to be able to place any calls or have any carrier reception whatsoever. It also has its own firmware which has to be signed, but its not as stringent as SEP is.

As for the compatibility

During the FutureRestore downgrade process, you will have to use the SEPOS and the Baseband firmware from a newer (usually latest) version that is signed. Unfortunately, they may not always be compatible. Various compatibility charts are kept online, we also keep a SEP and Baseband compatibility chart updated here, but its being updated as people carry out tests so do be careful.

If between the iOS version you try to downgrade to, and the signed version from which you grab the SEP and Baseband (BB) is a huge gap, they are almost surely not gonna be compatible and the restore will fail or the device will get soft-bricked requiring a restore to the latest version to work again.

Example:

You are running iOS 14.3 and wanna downgrade to iOS 13.7. You have saved SHSH2 blobs for iOS 13.7, and you try to use iOS 14.7s SEP and Baseband because thats the current signed version.

Well, iOS 14.7s SEP and Baseband are not compatible with iOS 13.7. Its just too much of a gap between them, and the downgrade will fail, forcing you to upgrade to iOS 14.7. This means in this case you will also lose your 14.3 jailbreak which sucks.

So SEP and Baseband compatibility should be well researched before proceeding!

What are a Nonce Generator and a Nonce Setter?

Each blob you save contains a unique string called a nonce generator. If you set that back to the devices NVRAM using a Nonce Setter which usually uses Kernel exploits, your device will create a request that will match the pseudo-random data stored in your blob, so the device will believe that the SHSH2 blob is an actual legit response from the Apple TSS Server.

Otherwise, without one, the nonce will be randomized every time the device reboots, and the chances to match the one you have saved in your blob is close to zero.

How to downgrade / upgrade iOS using FutureRestore and saved SHSH2 blobs

In order to downgrade or upgrade your iOS device to an iOS version that is no longer signed, you need to configure your device first. Setting the nonce from the generator is the first step. To locate your nonce generator string inside the saved SHSH2 blobs, you need to open the file with any text editor.

Once you open it, there should be a field called Generator amongst the sea of random strings in there. If you used TSSSaver to save your SHSH2 blobs, its very likely your generator will be 0x1111111111111111, that is 16 1s. Do keep in mind that while very common, this may not be your generator, so do double-check inside the file.

This is how mine looks like opened in a text editor.

The Nonce Generator inside a saved SHSH2 blob

Using a tool like Unc0ver jailbreaks nonce generator (in Unc0vers Settings), or any available Nonce Setter for your iOS version, set the nonce generator to the one you have inside the blob.

After youve successfully set the nonce generator, follow the steps below to downgrade with FutureRestore:

! WARNING: For convenience, I recommend you put all the needed files in one single folder, including the FutureRestore binary.

The command you need to use for FutureRestore has this format:

Commands

On Windows:

futurerestore.exe -t [shsh2-blob-file] -s [SEPOS] -b [baseband] -p [build_manifest] -m [build_manifest] [ipsw file]

On macOS and Linux:

./futurerestore -t [shsh2-blob-file] -s [SEPOS] -b [baseband] -p [build_manifest] -m [build_manifest] [ipsw file]

With this in mind, follow these steps:

1. Open Terminal on macOS or Linux, or open Command Prompt on Windows (Windows Button + R and type CMD).
2. Drag and drop the FutureRestore binary into the Terminal or CMD window to get its path and type -t .
3. Drag the SEP file to the terminal and type -b
4. Drag the SHSH2 blob file into the terminal then type -s
5. Drag the baseband file to the terminal and type -p or type no-baseband if its an iPod or an iPad WiFi.
6. Drag the BuildManifest.plist file in terminal and type -m ,
7. Drag the BuildManifest.plist file again, then drag the IPSW file you wanna downgrade to into the Terminal.

FutureRestore Downgrade Tutorial iOS

The final command should look something like this example:

Example:

./futurerestore -t blobFile.shsh2 -s sep-firmware.n96.RELEASE.im4p -b baseband.bbfw -p BuildManifest.plist -m BuildManifest.plist iOS_14.2_iPhone_RELEASE.ipsw

For iPods and iPad WiFi

If your device does not have Cellular capability (for example iPods or iPad WiFi), instead of specifying a baseband you should specify no-baseband.

The final command would look like this:

./futurerestore -t blobFile.shsh2 -s sep-firmware.n96.RELEASE.im4p no-baseband -p BuildManifest.plist -m BuildManifest.plist iOS_14.2_iPhone_RELEASE.ipsw

An easier way to get the SEP and Baseband

If youre absolutely sure that the latest SEP and Baseband are compatible, you can use the latest-sep latest-baseband switches instead of actual SEP and baseband files. This will fetch the latest SEP and Baseband for you.

The command would end up looking like this:

For iPhone and iPad with Cellular:

./futurerestore -t blobFile.shsh2 latest-sep latest-baseband iOS_14.2_iPhone_RELEASE.ipsw

For iPad WiFi and iPod Touch:

./futurerestore -t blobFile.shsh2 latest-sep no-baseband iOS_14.2_iPhone_RELEASE.ipsw

A video tutorial on how to use FutureRestore to downgrade to unsigned iOS with saved SHSH2 blobs

Troubleshooting FutureRestore Downgrade

• The device is stuck in Recovery Mode. To fix this, drag and drop futurerestore and type exit-recovery then press Enter.
• FutureRestore is not detecting my device. Make sure you have the latest iTunes installed to have the drivers up to date and check the USB cable.
• My device boots for 10 seconds then it bootloops. This is the dreaded fortnight (not Fortnite) bug. It occurs if you downgrade below iOS 12.2 with FutureRestore. The restore technically succeeds, but SEP is in a broken state. The bug only occurs if you have a passcode set up. Its called a fortnight bug because the issues start appearing 2 weeks or 14 days after the FutureRestore downgrade was carried. There are workarounds through backups, but none are easy. The best way would be to NOT set a passcode if you go below iOS 12.2.
• I get ERROR: unable to receive a message from FDR. Could indicate SEPOS or Baseband incompatibility.
• I am stuck in the Update Completed screen. Use iMazing (the free edition) to bypass that.
• I get Device APNonce does not match APTicket nonce (also known as Error -20 in older builds) right when the process begins. This is because your Nonce is wrong. You either forgot to set the one from the blob, or you made a typo.
• I get iBEC error (error code 3, 8, or 10) on Windows. To fix this issue, you need to uninstall all iTunes / Apple drivers from Device Manager. After youre 100% everything related to Apple drivers are uninstalled, download and install iTunes from this link. Do not install the Windows Store version, it will not work. After installation, plug the device in Recovery Mode and wait for iBoot (Recovery Mode) device to show in Device Manager and uninstall it from there. Its under USB. When uninstalling, make sure you uninstall the software too (checkbox). After this, run FutureRestore, unplug the device and plug it back again, then re-open FutureRestore and use it normally. Thanks to @Crypiiic for the tip.

Disclaimer

This is a tedious process that involves downgrading your device, using various unmaintained tools, and relying on compatibility data from the internet. If youre not confident you can do it, or if youre unsure about the compatibility, dont do it. I am not responsible for any data loss or malfunctions to your device that can occur from following this guide. Always backup your data before doing anything like this.

Post navigation