07-15-2010, 10:47 PM #1
Downgrade iPhone 3GS without SHSH on file, from 4.0 to 3.1.3 by modifying firmware
Downgrade iPhone 3GS iOS 4 to 3.1.3 - modified firmware?
I am one of thousands of iPhone 3GS users who are looking to downgrade from iOS 4 to 3.1.3, but no luck because the phone has no SHSH of older versions besides 4.0 stored in Cydia.
BUT I just figured out a silly idea (maybe that). If it is possible:
- When restoring a firmware, iTunes will send the iPhone ECID and restore file (.ipsw) information to the Apple server to check whether the file is the latest build.
=> SO, my idea is: can we modify the information of the 3.1.3 restore file (.ipsw) so that it can fool the Apple server into thinking it is the latest build, 4.0, to get permission to restore? As we already know, restoration works offline through iTunes, but permission is obtained from the Apple server.
In short: fake the firmware version information of the older restore file rather than having SHSH on file. Possible?
07-16-2010, 03:41 AM #2
If you ask Apple for a 4.0 SHSH, then that's what they give you (assuming they still sign that release). The SHSH hash they send you is keyed to an official 4.0 build. If you try to install any other modified image on the phone, the SHSH almost certainly won't match, and the install will be rejected.
So, unless you can come up with a mod for the 3.1.3 image that happens to hash to your 4.0 SHSH, then you are SOL.
So, short answer is no.
07-16-2010, 05:54 AM #3
07-16-2010, 07:38 AM #4
Yeah, these pwners/dev-team can't be too bright -- they just run around scaring people about upgrading instead of getting off their butts and writing a simple shsh generator. How hard can it be?
Well, you see, there's this thing called public key encryption. You generate a pair of keys, one key you keep private, the other key you can make public. The keys have a special property such that if a message is encrypted with one key, the message can be decrypted with the other key. However, even if you know the public key, it is very difficult to work out what the other (private) key is.
I don't know the specific implementation details of what Apple has done concerning SHSH hashes, but in principle it would work something like this:
Apple encrypts a message with its private key, saying something like: "I hereby authorise phone with ECID ABC to be allowed to install a release whose bytes add up to a checksum of ABC". This is your SHSH blob. The phone then takes the encrypted message, and decrypts it using the public key. If anything other than Apple's private key was used to construct the blob, then decrypting with Apple's public key will just result in garbage. However, if Apple's private key was used, then the decrypted message magically reads "I hereby authorise..." etc. The phone can then compare the checksum inside the message with the checksum of the image you provide. If they don't match, then the code in the phone's ROM tells you to bugger off. If they match, sweet, the phone's ROM lets you upgrade.
Now it won't happen precisely like that, but this is the basic sort of principle.
Now Dev-Team could analyse the bootroms and extract the public key the phone is using to decrypt the SHSH message. However, even if you know the public key, it is very difficult to work out what the private key is, which is what the Dev-Team would need in order to make an SHSH generator. This difficulty is the "trapdoor" nature of public key encryption.
So, hopefully this explains why Dev-Team is maybe not so dumb and lazy after all, and why they run around warning people off upgrading.
Last edited by mateo_au; 07-16-2010 at 11:58 AM.
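The scheme post #4 describes in principle, as an added example that is not part of the original thread and does not reproduce Apple's actual blob format: a signer binds an ECID to one exact image, and the device checks that binding with only the public key. The toy RSA key, the ticket layout, and the names `server_sign`, `device_verify` and `SIGNED_RELEASES` are all assumptions made for illustration.

```python
import hashlib

# Toy textbook RSA key (constructed; unpadded and far too small for real use).
P, Q = 2**127 - 1, 2**89 - 1           # two known Mersenne primes
N, E = P * Q, 65537                    # public key: the only key the device holds
D = pow(E, -1, (P - 1) * (Q - 1))      # private key: held only by the signer
SIGNED_RELEASES = {"4.0"}              # assumption: signer refuses older builds

def _as_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def _body(ecid: int, image_hash: str) -> bytes:
    return f"ecid={ecid:016x};image_sha256={image_hash}".encode()

def server_sign(ecid, version, image, d=D):
    """Signer: issue a ticket binding one ECID to one exact image."""
    if version not in SIGNED_RELEASES:
        return None
    image_hash = hashlib.sha256(image).hexdigest()
    sig = pow(_as_int(_body(ecid, image_hash)), d, N)
    return {"ecid": ecid, "image_sha256": image_hash, "sig": sig}

def device_verify(my_ecid, image, ticket):
    """Device: check signature, then ECID, then the image hash."""
    body = _body(ticket["ecid"], ticket["image_sha256"])
    if pow(ticket["sig"], E, N) != _as_int(body):
        return "reject: bad signature"
    if ticket["ecid"] != my_ecid:
        return "reject: ticket is for another device"
    if hashlib.sha256(image).hexdigest() != ticket["image_sha256"]:
        return "reject: image does not match ticket"
    return "accept"

# Constructed sample data (not real firmware or a real ECID).
ECID = 0x000001A2B3C4D5E6
FW_40, FW_313 = b"constructed 4.0 image", b"constructed 3.1.3 image"

if __name__ == "__main__":
    ticket = server_sign(ECID, "4.0", FW_40)
    print(device_verify(ECID, FW_40, ticket))
    print(device_verify(ECID, FW_313, ticket))            # old image, 4.0 ticket
    edited = dict(ticket, image_sha256=hashlib.sha256(FW_313).hexdigest())
    print(device_verify(ECID, FW_313, edited))            # ticket edited to fit
    print(server_sign(ECID, "3.1.3", FW_313))             # signer says no
```

Editing the ticket so that it names the older image invalidates the signature, and producing a fresh signature needs the private exponent, which never leaves the signer.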
07-16-2010, 02:41 PM #5
It is possible, I did it. When you put your phone in DFU mode, then put the official 3.1.3 onto it, it will go into a recovery loop; then use blackra1n to brute force it out of the loop and you will be on 3.1.3. It takes a while to do but it works. Message back your results.
07-16-2010, 04:48 PM #6
@neng212: Are you sure you did this on an iPhone 3GS, and not a 2G or 3G device?
07-17-2010, 01:24 PM #7
07-17-2010, 11:55 PM #8
I have done this and it does work, I just don't have a compatible SIM so can't jailbreak again. Why was I so dumb and updated?
07-18-2010, 05:05 AM #9
07-18-2010, 05:12 AM #10
@neng212 I am also looking to downgrade, please give me the results. Is it possible?
Or at least use my iPhone as an iPod touch. The thing is, I should get past the emergency screen; even if there is no Cydia that is also fine.
07-18-2010, 09:13 AM #11
I don't think neng212 is doing it with a 3GS.
I have done that with a 3G and it was working, with a successful downgrade that gives 1015 (success sign - just use iRecovery to kick it out of the loop, that's all).
But I hadn't checked whether the phone had SHSH for 3.1.3 or not, because at that time I was too happy to see it was back on 3.1.3 and gave it to my friend's co-worker.
Now we have to get SHSH blobs for 4.0.1; soon 4.1 is out and we have to get that again too.
But my question is: why haven't our Dev-Team or TheFirmwareUmbrella made a brute tool + TinyUmbrella to save our blobs ready? Like making ready-made SHSH blobs by sending ECIDs from 00000000000001 to 9999999999999, so people will never miss their SHSH blobs for the latest version that is about to go out of date at any time.
Or might Apple blacklist the IPs of people running the brute tool??
Last edited by tangbunna; 07-18-2010 at 09:13 AM. Reason: Automerged Doublepost
07-19-2010, 01:42 PM #12
07-19-2010, 02:11 PM #13
07-19-2010, 02:42 PM #14
07-19-2010, 03:52 PM #15
@neng212; I tried your method but with no success. I need a little bit of clarification. I am using a 3GS, iOS 4.0, BL 3.59.3.
In order to downgrade my firmware:
(1) Added to C:\Windows\System32\drivers\etc\hosts: 22.214.171.124 gs.apple.com. This was done in order to try to trick the verification process.
(2) I downloaded the FW 3.1.3
(3) Booted my iPhone into DFU
(4) In iTunes, did a shift-restore in order to specify FW 3.1.3
RESULT: "iphone could not be restored error 3194"
I repeated the whole process again but this time I removed 126.96.36.199 gs.apple.com from the hosts file. I received the same error 3194.
07-19-2010, 05:17 PM #16
Kingaddi, I'm with you on this one......
I did the exact same thing as you and got the same error 3194.
Can someone please clear this up for me?
07-20-2010, 06:44 PM #17
Guys, he has his SHSHs saved on the server! That recovery loop he is talking about always happened with me when I downgraded iPhones. You can use many tools to kick it out of recovery, blackra1n isn't the only one.
There really isn't a way to downgrade if you are on 4.0 and have the NEW bootrom. However, it is possible if you have the OLD bootrom. If you have the old bootrom, you can even have 4.0 jailbroken & unlocked! I've done this numerous times. I repair many iPhones in a week and by now I have become quite experienced at doing all this.
If you are really desperate for 3.1.3, you could try going to the Apple Store and telling them that you have a problem with your iPhone, and if they approve to swap yours then you might be in luck. The majority of the ones they swap are old bootroms and can easily be dealt with. Also, the ones they were swapping until last week (here in Canada) were 3.1.3. I don't know about now.
EVEN if they give you a 4.0 with a new bootrom, no problem, sell it on Kijiji or Craigslist. You should be able to sell for about 420 CDN for a 16GB 3GS. Then go buy an iPhone 3GS with 3.1.3 from Kijiji or Craigslist AND SAVE THE SHSHs.
Or just wait until someone releases a 4.0 or 4.0.1 jailbreak! That is, if it will ever come out.
07-20-2010, 10:17 PM #18
07-20-2010, 10:20 PM #19
Have you saved your SHSH blobs file?
You must downgrade first down to 3.1.2.
07-21-2010, 08:05 AM #20
@ssyed: if you go and buy a 3GS with 3.1.3 from Kijiji or Craigslist, you won't be able to save the SHSHs because Apple isn't issuing them anymore for 3.1.3 (remember, SHSH blobs don't exist anywhere on the phone, they are certificates supplied from the Apple server on request).
If neng212 has SHSH blobs on file, then he is an idiot: the original poster was asking specifically about the case of downgrading a 3GS from 4.0->3.1.3 WITHOUT SHSH BLOBS ON FILE!!
Last edited by mateo_au; 07-21-2010 at 08:05 AM. Reason: Automerged Doublepost