Firmware downgrades are something that jailbreakers have used over the years to thwart Apple’s attempts to stop jailbreaking. Even when Apple stopped signing firmware, jailbreakers found a way around that by saving .shsh blobs and using them to restore to unsigned firmware. But more recently, changes made on Apple’s end appear to have made even this process less than usable.
FutureRestore contributor @Cryptiiiic shared some important insight into the state of firmware downgrades in a blog post published to their GitHub page on Tuesday, and it underscores the dire situation that downgraders are up against in the face of new security mechanisms introduced in iOS & iPadOS 16, especially with respect to newer handsets.
While downgrades were once an easy process requiring just a saved .shsh blob, also known as an Apple signing ticket, the introduction of the Secure Enclave Processor (SEP) made things a bit more complicated, requiring users to also check SEP compatibility between firmware downgrades before they could reliably proceed. Sometimes the SEP of a newer firmware worked with older firmware, but not always.
Up to and including iOS & iPadOS 15 devices, A11 chip-equipped handset users could use an APNonce Generator to move forward with downgrades. The FutureRestore team noticed changes in how nonce seeds were encrypted on A12 chip and newer-equipped handsets, but managed to pull off some trickery to make things work, assuming the user’s SEP worked with the desired firmware downgrade.
Unfortunately, iOS & iPadOS 16 changed things once again, and now there is no longer a way to persist nonce seeds. This effectively breaks the “trickery” we mentioned in the above paragraph, and means that A12 chip and newer-equipped devices will no longer be able to downgrade unless some other workaround can be found.
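To make the nonce-generator step above concrete, here is an added Python example (not code from the page, from FutureRestore, or from @Cryptiiiic) that derives the APNonce a device would produce from a given generator and checks whether a saved blob was issued for that generator. The derivation it uses, SHA-1 over the 8-byte little-endian generator for A11 and earlier and SHA-384 truncated to 32 bytes for A12 and newer, is the one documented by community tooling rather than by this page, so treat the hash choice and byte order as assumptions. The blob layout (a plist with a top-level `generator` string) and the sample values are constructed for the example.

```python
import hashlib
import plistlib

# Constructed sample values (not from the page). Generators are 64-bit values
# written as 0x-prefixed hex, as nonce-setting tools accept them.
SAMPLE_GENERATOR = "0x1111111111111111"

# Constructed minimal blob plist: real saved blobs carry more keys (e.g. the
# IMG4 ticket), but only the generator string is needed for this check.
SAMPLE_BLOB_PLIST = plistlib.dumps({
    "generator": SAMPLE_GENERATOR,
    "@Version": "libtsschecker-constructed-sample",
})


def generator_bytes(generator: str) -> bytes:
    """Parse a 0x-prefixed 64-bit generator into 8 little-endian bytes.

    Assumption (community-documented, not stated on the page): the device
    hashes the generator as its 8-byte little-endian representation.
    """
    value = int(generator, 16)
    if not 0 <= value < (1 << 64):
        raise ValueError("generator must fit in 64 bits")
    return value.to_bytes(8, "little")


def apnonce_for(generator: str, a12_or_newer: bool) -> str:
    """Return the APNonce (lowercase hex) expected for a generator.

    Assumption: A11 and older produce a 20-byte SHA-1 nonce; A12 and newer
    produce the first 32 bytes of SHA-384 over the same input.
    """
    data = generator_bytes(generator)
    if a12_or_newer:
        return hashlib.sha384(data).digest()[:32].hex()
    return hashlib.sha1(data).hexdigest()


def blob_matches_generator(blob_apnonce_hex: str, generator: str,
                           a12_or_newer: bool) -> bool:
    """True if a blob's ApNonce is the one this generator would yield on this chip class."""
    return blob_apnonce_hex.lower() == apnonce_for(generator, a12_or_newer)


def expected_nonce_from_blob(plist_bytes: bytes, a12_or_newer: bool) -> str:
    """Read the generator a blob was saved with and derive its ApNonce.

    Raises KeyError if the blob has no generator, which is exactly the case
    where a nonce-based restore cannot be lined up with the saved ticket.
    """
    blob = plistlib.loads(plist_bytes)
    return apnonce_for(blob["generator"], a12_or_newer)


if __name__ == "__main__":
    # Same generator, two chip classes: the nonces differ in both value and length.
    for newer in (False, True):
        label = "A12+" if newer else "A11-"
        print(label, apnonce_for(SAMPLE_GENERATOR, newer))
    print("blob nonce (A12+):", expected_nonce_from_blob(SAMPLE_BLOB_PLIST, True))
```

The check only establishes that a blob and a generator belong together. On A12 and newer devices running iOS or iPadOS 16, where the page notes the nonce seed can no longer be persisted, a matching blob does not by itself make a restore viable, because the device will not boot with the generator the blob expects.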
What would happen if you tried anyway? It’s probably a good idea that you don’t try…
According to @Cryptiiiic, using the iOS or iPadOS 16.3.1 Cryptex1 when downgrading to iOS or iPadOS 16.0-16.1.2 can cause failure to boot on the affected handset. Attempting a downgrade to iOS or iPadOS 16.2 may look more promising; however, upon getting to the country selection screen, you would quickly find that the device would freeze and you wouldn’t be able to get any further.
This all sums up to one thing: firmware downgrades are likely to be impossible on A12 chip and newer-equipped handsets running iOS or iPadOS 16 for the foreseeable future, and there’s no telling if that will ever change. The only silver lining here is that A11 chip and older-equipped handsets, i.e. checkm8 bootrom exploit-compatible devices, can continue to downgrade to various versions of iOS & iPadOS 16 as usual.
Since @Cryptiiiic is the real expert on everything going on under the hood here, we highly recommend reading their full blog post to better understand all the gears and cogs that make FutureRestore work and how things have changed over the years, up to and including iOS & iPadOS 16. There, you might be able to learn more about why things have gotten to the point they are.
So for now, it looks like firmware downgrades on iOS & iPadOS 16 are dead for A12 chip-equipped devices and anything newer. But if you have an A11 chip-equipped device or older, then you should be good to go… for now.
What are your thoughts on the state of firmware downgrades after reading @Cryptiiiic’s blog post? Be sure to let us know in the comments section down below.