Futurerestore iOS 14 to 13
Why would you downgrade your iOS version?
Ever since the first iPhone was invented, jailbreaking has shown it can do so much more than what Apple intended. Jailbreaking has been a cat-and-mouse game with Apple, in which Apple usually has the higher ground. This means that the latest iOS versions are seldom jailbreakable, with older versions being the preferred ones for jailbreak enthusiasts because of the abundance of kernel exploits available.
What are iOS kernel exploits?
Software as huge and complex as the iOS kernel will often have bugs. With every new feature or change, Apple developers may also introduce new bugs in the kernel. Security researchers (hackers if you want) can find these vulnerabilities through lengthy reverse engineering sessions or even by looking at the open-sourced code (although this is less frequent). Once such a vulnerability is found, an exploit (a program that makes use of that vulnerability) can be written. Since the latest version of iOS often does not have publicly known vulnerabilities (unless you talk about a CheckM8-compatible device), the preferred version for jailbreakers is the one that has enough kernel vulnerabilities known in the wild to be able to get a jailbreak going, and that is often 2-3 maybe even 4 versions behind the latest. In such a case, one may wanna use FutureRestore, a tool that can aid in downgrading or upgrading in certain conditions even after Apple stopped signing the vulnerable firmware.
Why does it matter if Apple signs an iOS version?
Apple employs a TSS service (Tatsu Signing Service) that your device talks to every time it wants to install iOS (via Over The Air [OTA] or an IPSW through USB). The iOS device makes a request containing its serial number, IMEI, iOS version, device ID, FairPlay randomness, etc., and sends it to the Apple Signing Server. Once the server gets the request, if Apple still signs, let's say, iOS 14.3, it will send back a signing ticket personalized for that particular device and the installation will begin. If the iOS version you try to install is no longer signed, the server will return a stop code and no ticket. No signing ticket = no way to personalize the firmware for the device, so the BOOTROM on the device will refuse the installation, thus denying your downgrade / upgrade to whatever version you wanted. In such a case, saving SHSH2 blobs comes in handy.
What are SHSH or SHSH2 blobs on iOS?
Those are tiny files (a few KB in size) containing the response the Apple TSS Server would have sent to the device if the iOS version you try to restore was still signed. They are saved by the user while a specific iOS version is still signed, to be used later. Imagine these as a permanent record of what the server would have responded back when, let's say, iOS 14.3 was still signed. It's the response the device awaits in order to begin the installation. With such a file at hand, and with a tool like FutureRestore which can make use of that file instead of talking to the Apple TSS Server, if certain conditions are met, you might just be able to fool the BOOTROM on the device into thinking the response was received right now and that whichever iOS version you try to downgrade to is still signed.
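The signing and replay behaviour described above can be followed in a small model. This is an added example, not code from the article or from Apple or FutureRestore: the field names, the HMAC stand-in for the server's signature, and the hash used to turn a generator into a nonce are all assumptions of the model. It shows why a saved ticket is rejected on a normal boot and only accepted when the device reproduces the same nonce (the nonce generator covered further down), on the same device and for the same build.

```python
import hashlib
import hmac
import os

# Toy model: HMAC with a shared key stands in for the server's asymmetric signature.
SERVER_KEY = b"constructed-demo-key"

def nonce_from_generator(generator: int) -> bytes:
    # Model assumption: the device derives its nonce by hashing a 64-bit generator.
    return hashlib.sha384(generator.to_bytes(8, "little")).digest()[:32]

def _sign(device_id: str, nonce: bytes, fw_digest: bytes) -> bytes:
    return hmac.new(SERVER_KEY, device_id.encode() + nonce + fw_digest, hashlib.sha256).digest()

def issue_ticket(device_id, nonce, fw_digest, signed_builds):
    """Server: personalize a ticket only while the build is still in the signed set."""
    if fw_digest not in signed_builds:
        return None  # the "stop code, no ticket" case
    return {"device_id": device_id, "nonce": nonce, "fw": fw_digest,
            "sig": _sign(device_id, nonce, fw_digest)}

def device_accepts(ticket, device_id, boot_generator, fw_digest) -> bool:
    """Device: signature must verify and every bound field must match this boot."""
    expected = _sign(ticket["device_id"], ticket["nonce"], ticket["fw"])
    return (hmac.compare_digest(ticket["sig"], expected)
            and ticket["device_id"] == device_id
            and ticket["fw"] == fw_digest
            and hmac.compare_digest(ticket["nonce"], nonce_from_generator(boot_generator)))

def demo() -> dict:
    fw = hashlib.sha256(b"constructed older build").digest()
    other_fw = hashlib.sha256(b"constructed other build").digest()
    saved_gen = 0x1111111111111111
    nonce = nonce_from_generator(saved_gen)
    saved = issue_ticket("DEVICE-A", nonce, fw, {fw})    # saved while still signed
    fresh_gen = int.from_bytes(os.urandom(8), "little")   # normal boot: new random value
    return {
        "server_after_signing_stops": issue_ticket("DEVICE-A", nonce, fw, set()),
        "saved_ticket_fresh_nonce": device_accepts(saved, "DEVICE-A", fresh_gen, fw),
        "saved_ticket_same_generator": device_accepts(saved, "DEVICE-A", saved_gen, fw),
        "saved_ticket_other_device": device_accepts(saved, "DEVICE-B", saved_gen, fw),
        "saved_ticket_other_build": device_accepts(saved, "DEVICE-A", saved_gen, other_fw),
    }

if __name__ == "__main__":
    print(demo())
```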
What do I need for a FutureRestore downgrade?
In order to be able to downgrade your iPhone, iPad, or iPod Touch with FutureRestore, you need a few important files, your device, and a lot of patience and caution. One mistake and you screw up your chance to downgrade.
Question: Can this be done without a computer?
Answer: No. You need at least a Windows or a Linux machine with an internet connection to be able to do this.
What are SEP and Baseband and why do they have to be compatible?
SEP stands for Secure Enclave Processor. It's a core in the Apple A chips which handles security, cryptography, and data protection. It's what handles Touch ID, Face ID, Apple Pay, Passcode, data encryption, etc. This is a vital component without which the device will fail to boot. Apple treats this component as a separate entity on the device, with its own memory separated from the general memory used by the Application Processor. SEP has its own firmware which is part of the IPSW file. The operating system used by SEP is called SEPOS and it communicates with iOS via mailboxes. I will not go into details, but SEP and iOS are pretty well separated from each other, with only the data that really has to be there passing through. As the name implies, SEP is very well secured, and as such a properly signed SEPOS is mandatory for an iOS restore.
The Baseband is what handles the Cellular connection. You know, calls, texts, 3G, 4G, 5G, and the general telephony stuff. You need this to be able to place any calls or have any carrier reception whatsoever. It also has its own firmware which has to be signed, but it's not as stringent as SEP is.
As for the compatibility: during the FutureRestore downgrade process, you will have to use the SEPOS and the Baseband firmware from a newer (usually latest) version that is signed. Unfortunately, they may not always be compatible. Various compatibility charts are kept online; we also keep a SEP and Baseband compatibility chart updated here, but it's being updated as people carry out tests, so do be careful.
If there is a huge gap between the iOS version you try to downgrade to and the signed version from which you grab the SEP and Baseband (BB), they are almost surely not gonna be compatible and the restore will fail, or the device will get soft-bricked, requiring a restore to the latest version to work again.
Example: You are running iOS 14.3 and wanna downgrade to iOS 13.7. You have saved SHSH2 blobs for iOS 13.7, and you try to use iOS 14.7's SEP and Baseband because that's the current signed version. Well, iOS 14.7's SEP and Baseband are not compatible with iOS 13.7. It's just too much of a gap between them, and the downgrade will fail, forcing you to upgrade to iOS 14.7. This means in this case you will also lose your 14.3 jailbreak, which sucks. So SEP and Baseband compatibility should be well researched before proceeding!
What are a Nonce Generator and a Nonce Setter?
Each blob you save contains a unique string called a nonce generator. If you set that back to the device's NVRAM using a Nonce Setter, which usually uses kernel exploits, your device will create a request that will match the pseudo-random data stored in your blob, so the device will believe that the SHSH2 blob is an actual legit response from the Apple TSS Server. Otherwise, without one, the nonce will be randomized every time the device reboots, and the chance of matching the one you have saved in your blob is close to zero.
How to downgrade / upgrade iOS using FutureRestore and saved SHSH2 blobs
In order to downgrade or upgrade your iOS device to an iOS version that is no longer signed, you need to configure your device first. Setting the nonce from the generator is the first step. To locate your nonce generator string inside the saved SHSH2 blobs, you need to open the file with any text editor. Once you open it, there should be a field called Generator amongst the sea of random strings in there.
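Reading the generator by eye works, but a short check catches files that hold no generator or no ticket at all before a restore is attempted. This is an added example, not part of the article or of FutureRestore; it assumes the blob is a property list whose keys are named "generator" and "ApImg4Ticket", and the sample inputs are constructed placeholders rather than real blobs.

```python
import plistlib
import re

GENERATOR_RE = re.compile(r"0x[0-9a-fA-F]{16}")
COMMON_DEFAULT = "0x1111111111111111"  # the value the article says is very common

def inspect_blob(data: bytes) -> dict:
    """Pre-flight check of one saved blob file; returns findings, never raises."""
    result = {"generator": None, "common_default": False, "ticket_bytes": 0, "problems": []}
    try:
        blob = plistlib.loads(data)
    except Exception as exc:  # e.g. an HTML error page saved under a .shsh2 name
        result["problems"].append(f"not a property list: {exc.__class__.__name__}")
        return result
    if not isinstance(blob, dict):
        result["problems"].append("top-level object is not a dictionary")
        return result
    # Assumed key names: "generator" (matched case-insensitively) and "ApImg4Ticket".
    gen = next((v for k, v in blob.items() if k.lower() == "generator"), None)
    if gen is None:
        result["problems"].append("no generator field; the nonce to set is unknown")
    elif not (isinstance(gen, str) and GENERATOR_RE.fullmatch(gen)):
        result["problems"].append(f"generator {gen!r} is not 0x followed by 16 hex digits")
    else:
        result["generator"] = gen.lower()
        result["common_default"] = gen.lower() == COMMON_DEFAULT
    ticket = blob.get("ApImg4Ticket")
    if isinstance(ticket, bytes) and ticket:
        result["ticket_bytes"] = len(ticket)
    else:
        result["problems"].append("no ApImg4Ticket data; the file holds no signing ticket")
    return result

# Constructed samples (not real blobs): 64 zero bytes stand in for the ticket.
GOOD = plistlib.dumps({"ApImg4Ticket": bytes(64), "generator": "0x1111111111111111"})
NO_GENERATOR = plistlib.dumps({"ApImg4Ticket": bytes(64)})
NOT_A_BLOB = b"<html><body>Service unavailable</body></html>"

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("no generator", NO_GENERATOR), ("html", NOT_A_BLOB)]:
        print(name, inspect_blob(sample))
```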
If you used TSSSaver to save your SHSH2 blobs, it's very likely your generator will be 0x1111111111111111, that is, 16 1s. Do keep in mind that while very common, this may not be your generator, so do double-check inside the file. This is what mine looks like opened in a text editor.
The Nonce Generator inside a saved SHSH2 blob
Using a tool like the Unc0ver jailbreak's nonce generator (in Unc0ver's Settings), or any available Nonce Setter for your iOS version, set the nonce generator to the one you have inside the blob. After you've successfully set the nonce generator, follow the steps below to downgrade with FutureRestore:
! WARNING: For convenience, I recommend you put all the needed files in one single folder, including the FutureRestore binary.
The command you need to use for FutureRestore has this format:
With this in mind, follow these steps:
The final command should look something like this example:
For iPods and iPad WiFi
If your device does not have Cellular capability (for example iPods or iPad WiFi), instead of specifying a baseband you should specify no-baseband. The final command would look like this:
An easier way to get the SEP and Baseband
If you're absolutely sure that the latest SEP and Baseband are compatible, you can use the latest-sep latest-baseband switches instead of actual SEP and baseband files. This will fetch the latest SEP and Baseband for you. The command would end up looking like this:
For iPhone and iPad with Cellular:
For iPad WiFi and iPod Touch:
A video tutorial on how to use FutureRestore to downgrade to unsigned iOS with saved SHSH2 blobs
Troubleshooting FutureRestore Downgrade
Disclaimer
This is a tedious process that involves downgrading your device, using various unmaintained tools, and relying on compatibility data from the internet. If you're not confident you can do it, or if you're unsure about the compatibility, don't do it. I am not responsible for any data loss or malfunctions to your device that can occur from following this guide. Always back up your data before doing anything like this.