Downgrading and upgrading iOS to an unsigned version is quite a challenge nowadays when Apple tries to lock the system from all sides. Saving SHSH2 blobs while a version is signed by Apple can be the ticket to update or downgrade in the future, but it’s not all black and white.
Saving the SHSH2 blobs is only half the picture. SEP and Baseband compatibility is also a vital step because we cannot downgrade these components freely. Developers in the jailbreak community came up with an interesting trick to counter this – using the latest SEP and Baseband components that Apple currently signs.
This trick works, and it has allowed many people to downgrade or upgrade to the desired version, but it’s not always reliable. The more distance is between the iOS version you try to downgrade to and the latest SEP, the more chances that SEP won’t be compatible anymore and the downgrade will fail.
SEP compatibility issues are caused by the fact that from one version to another, Apple may update SEP too. New code, new APIs, old code scrapped or refactored. However, the old iOS you try to downgrade to many expect SEP to behave in a certain way which is now deprecated, so many calls to SEP could fail rendering the device broken. If you’re lucky and SEP hasn’t changed much between the latest version and your target iOS, your downgrade will go through.
What is FutureRestore GUI?
FutureRestore GUI is a graphical user interface for the FutureRestore command line utility. While the CLI version of FutureRestore works, many people find it hard to mess with the Terminal and all the FutureRestore switches and arguments.
You can actually cause more harm than good to your device if you attempt to restore with the wrong parameters. Unfortunately, that holds true with the GUI version too. For example, if your device has a Baseband (it can accept a SIM card) but you specify the “No Baseband” option in FutureRestore, the upgrade/downgrade will go through, but your device will be stuck in a bootloop because it expects a Basebanmd which you did not give.
FutureRestore GUI makes it easier to downgrade because it’s much easier to use. The layout is clean and easy to understand, and there are a lot of checks to ensure you selected the correct options. Instead of having to give FutureRestore the correct arguments, you just have to populate the GUI with the right files (SHSH2 blob, IPSW, etc). It will do the heavy lifting in the background.
There’s also the advantage that FutureRestore GUI will automatically fetch the proper / latest version of FutureRestore for you. There are dozens of forks of FutureRestore on GitHub, and unless you know a priori, it’s not easy to tell which version is the latest one you should use.
Many developers have picked the FutureRestore project from the original repo made by tihmstar, and as such, GitHub is full of outdated forks. FutureRestore GUI knows where to look for the latest updated and maintained version so you don’t have to worry about using an outdated or broken one.
What operating systems does FutureRestore GUI support?
FutureRestore GUI is extremely versatile. It is available for most major operating systems, so you can perform your downgrades and upgrade for iOS on any of the following OS’:
- Linux (Universal)
Precompiled binaries are available for all operating systems mentioned above, but you may also compile it from source code if you wish. However, if you chose to compile it yourself, you will need to have the prerequisites installed first.
How to Downgrade iOS using FutureRestore GUI and saved SHSH2 Blobs
To perform a downgrade or upgrade to an unsigned iOS version using FutureRestore GUI, first make sure you have all the necessary stuff available.
- A valid SHSH2 blob for the iOS version you try to restore to.
- An IPSW of the iOS version you try to restore to (you can find IPSW files for your device on our iOS Signing Status Page, click the blue build number next to the iOS version you want).
- FutureRestore GUI installed and the latest FutureRestore downloaded (by pressing Download FutureRestore inside the Files section of FutureRestore GUI).
- A USB to Lightning cable for your phone.
- Your phone, fully charged.
Once you have all these in place, you need to ensure you can do the downgrade, to begin with. The biggest challenge would be SEP and Baseband compatibility, so you need to check that ahead of time.
To check SEP and Baseband Compatibility, head over to our SEP and Baseband Compatibility chart. If your device is listed as being able to go from the latest version to whatever you want, then it’s safe to proceed. Otherwise, forget about downgrading.
If SEP and Baseband are not compatible, it’s game over, the restore will fail, forcing you to restore to the latest available version to fix the phone.
Once you confirmed SEP and Baseband are compatible and you have everything ready, there’s one more thing you need to do. You need to set the NONCE generator from your blob to your device. This can be done in two ways, but it may not be doable on your device depending on what version you’re currently running.
How to find the NONCE Generator inside the blob?
The SHSH2 blob file is nothing but a glorified text file containing lots of base64-encoded data. Amongst all the base64 stuff, you will find a section that looks like this:
To find it easier, you can CTRL+F / CMD + F and search for “generator”.
So my generator is
0x1111111111111111. Your blob may contain a different generator, so make sure you set yours correctly. If it’s the same as mine, that is 0x, and then sixteen “1”. Copy the value between the <string> tag. You will need to set that in the NVRAM of the device. This step is required, otherwise, your SHSH2 blob won’t work.
How to set the NONCE Generator in the NVRAM?
If you have a checkm8 device
CheckM8 devices (iPhone 5S all the way up to iPhone X) can take advantage of the checkm8 exploit to set the NONCE Generator at any time, regardless of what iOS version runs on the device.
Now inside FutureRestore GUI, navigate to Options and check the following boxes:
- Pwned Restore
- Set Device Nonce
And paste the value you copied from the BLOB’s generator section into the text field next to the “Set Device Nonce” option in FutureRestore.
Make sure you are using the Latest SEP option, and if your device has a SIM card slot, use the Latest Baseband option too. If your device is an iPod Touch or an iPad without a SIM slot, use the “No Baseband” option!
Now go back to the Files tab and select your BLOB and your IPSW file for the iOS version you try to downgrade to, then go to the Controls tab.
With everything ready, connect your device in DFU MODE, and press “Start FutureRestore“.
If entering PWNED DFU mode fails (the exploit is not 100% reliable), you may need to repeat the procedure until you get it right.
If everything is good, the device will get into restore mode and you can monitor the restore progress in the FutureRestore GUI window. DO NOT disconnect the device during the restore. You know you are in restore mode when you see the Apple logo with a progress bar underneath.
First successful iOS 15 downgrade done with Blizzard Jailbreak’s auxiliary tools (boot chain patcher + Generator Setter, etc). pic.twitter.com/cBSng8i01u
— GeoSn0w (@FCE365) September 11, 2022
If you have an A12+ device (iPhone XS / XR or newer)
If you have any of the newer devices (everything newer than iPhone X), you will not be able to use the PWNED DFU mode to set the NONCE Generator. In this case, make sure any options under Pwned Args remain disabled, otherwise, the restore won’t start.
Since you cannot use FutureRestore GUI to set the generator, you will need a NONCE Setter application. This kind of application requires a Kernel Exploit and may or may not be available for you depending on what iOS version you are currently running.
You will have to do some research and see if anything is available for your device. Google is your friend here, but if you’re running iOS 15.2 or newer, it’s safe to assume for now there is no NONCE Setter app for A12+ devices.
If such an application exists for your iOS version, install it using Sideloadly or AltStore, and set the generator from inside your blob (the same one mentioned above) inside the app. If the application confirms the generator was set, it’s safe to continue.
Once the generator is set, open FutureRestore GUI and populate the Files tab with the IPSW and Blob file for the iOS version you try to restore.
In the Options tab, make sure you are using the Latest SEP option, and if your device has a SIM card slot, use the Latest Baseband option too. If your device is an iPod Touch or an iPad without a SIM slot, use the “No Baseband” option! DO NOT enable the “AP Nonce Collision”.
Connect your device in unlocked, normal mode and press “Start FutureRestore“. You can monitor the restore in the FutureRestore GUI window. You know everything is good if the Apple logo with a progress bar appears on the screen. It means the restore has begun and the NONCE Generator was set correctly.
Now you have to wait until you see the following lines in the FutureRestore GUI log:
Got status message Status: Restore Finished Cleaning up... Done: restore succeeded! FutureRestore process ended.
If your FutureRestore GUI says anything other than “Done: restore succeeded!” at the end, something went wrong and the restore likely failed. There could be a million reasons why, so you’ll have to ask for help. You can contact me on Twitter (@FCE365).
Other guides from iDevice Central
- iOS SEP and Baseband Compatibility Chart
- Why CheckRa1n Jailbreak Doesn’t Work on iOS 15 and Will it Ever Work Again?
- How To Run Linux on iPhone / iPad & How They Achieved This
- How to actually extend your iPhone’s Battery Life (Tips and Tricks)
- Unpatchable Apple M1 Chip Vulnerability discovered by MIT
- How to create a bootable Windows 10 USB Flash Drive on Mac
- iOS Jailbreak Downloads – Download Jailbreak Tools for All iOS Versions