Patching iBEC/iBSS

This guide should work for iPhone 5s, didn't check any other device. It follows process of downgrading to any subversion of iOS 10 without previously saved blobs.

Big disclaimer here: I haven't got opportunity of testing this guide myself cause all my workspace is stuck in different city for quarantine time, ughh. It worked back then but now on my second mac I struggle with weird SEP error, other people confirmed me that this guide worked for them though. Be careful, I do not take any responsibility for any device bricked, bootlooped, burned. It's rather safe, but you know, just in case...

First thing you need to do in order to boot unsigned firmware without previously saved blobs is obviously patch iOS bootchain. For more in-depth information how all process works I recommend you watching Tihmstar's talk from 33c3: Downgrading iOS from past to present In short, what we are interested in is: Bootrom -> iBSS -> iBEC -> Kernel

First goes iBSS and iBEC:

  • Decrypting iBSS: img4tool -e --iv "paste iv here, you can find correct online" --key "paste key here" -o iBSS.raw copiediBSS.im4p
  • Decrypting iBSS: img4tool -e --iv "paste iv here" --key "paste key here" -o iBEC copiediBEC.im4p

In next step we patch it using Tihmstar's iBoot64Patcher:

  • Patch iBSS: iBoot64Patcher iBSS.raw iBSS.prepatched
  • Patch iBEC: iBoot64Patcher iBEC.raw iBEC.prepatched If your interested in how those patches work, reading source code of iBoot64patcher and liboffsetfinder64 is definetly worth your time

Now and later you will need SHSH ticket, let's save it:

  • Saving SHSH ticket : ./tsschecker -d iPhone6,2 -e youreicd -m BuildManifest_iPhone6,2_1033_OTA.plist -s mv *.shsh ./ticket.shsh

Now we will have to repack it back to img4: If you want to know more about those formats, again go watch Tihmstar's talk, or if you don't have 50 minutes, just read article on theiphonewiki

  • Creating iBSS im4p with type ibss: img4tool -c iBSS.im4p -t ibss iBSS.prepatched
  • Creating iBEC im4p with type ibec: img4tool -c iBEC.im4p -t ibec iBEC.prepatched
  • Creating iBSS img4 and using ticket as IM4M: img4tool -c iBSS.img4 -p iBSS.im4p -s "ticket.shsh"
  • Creating iBEC img4 and using ticket as IM4M:img4tool -c iBEC.img4 -p iBEC.im4p -s "ticket.shsh"

Replace original iBSS and iBEC indide unpacked IPSW folder:

  • Replacing iBSS: cp -v iBSS.img4 ../iPhone_4.0_64bit_10.1.1_14B100_Restore/Firmware/dfu/iBSS.n53.RELEASE.im4p
  • Replacing iBEC: cp -v iBEC.img4 ../iPhone_4.0_64bit_10.1.1_14B100_Restore/Firmware/dfu/iBEC.n53.RELEASE.im4p

Huge thank's to:

  • @exploit3dguy for helping me figure out issues whenever I was stuck, without you writing this wouldn't be possible.
  • @benfxmth and @rA9_baris for your hints
  • @axi0mx for checkm8 exploit
  • @LinusHenze for ipwndfu fork
  • @nyan_satan for original 32 bit guide and fixkeybag
  • @tihmstar for iBoot64Patcher, liboffsetfinder64, futurerestore and ra1nsn0w
  • @xerub for img4lib
  • @Ralph0045 and @mcg29_ for their dualboot guide
  • @mosk_i for his fork of futurerestore and ra1nsn0w