iDevice Central Website

iDevice Central

iOS Jailbreak News, Tutorials and Tools!

iOS Downgrades: Blobs, SEP And Baseband Explained (FutureRestore)

Author:

GeoSn0w

Published:

iOS Downgrades: Blobs, SEP And Baseband Explained (FutureRestore)

If you are planning to downgrade or upgrade to an unsigned iOS version, you will face a few terms that may not be self-explanatory right from the start. Although I have covered them on my channel in hundreds of videos, I will do my best to also explain what each of them represents here.

iOS Downgrades / Upgrades to unsigned iOS are usually done for jailbreak purposes. Rarely do we have jailbreaks available for the latest signed versions of iOS, so the consensus is that you should stay on a lower version and avoid updating until eventually a jailbreak gets released for your version.

The reason jailbreaks are often released for older iOS versions is that security researchers release their vulnerabilities or exploits publicly only after a certain time has passed since the vulnerability was patched in a release firmware. That time frame tends to be 90 days, but not always. As such, older versions tend to have more publicly available vulnerabilities that can be exploited to make a jailbreak possible.




Things get more nuanced when you try to either update from an old unsigned version to another unsigned, but newer version (for example from iOS 14.0 to iOS 15.1.1), or when you straight downgrade from the latest signed version to an older one.

You will likely face these 3 terms:

  • SEP (Secure Enclave Processor)
  • Baseband
  • SHSH2 Blobs

Additionally, you may hear about NONCE, NONCE Setter, TSS, and so on. We will cover those too.

IMPORTANT: Every component on iOS Firmware is signed and the Boot Chain is trusted, which means that every component loaded at boot time will check the signature of the next before loading it. This is what prevents downgrades on iOS by default.

What is SEP (Secure Enclave Processor)?

Technically speaking, SEP is a core on the SoC in your phone and it handles Passcode, Touch ID, FaceID, ApplePay, Encryption / Decryption of user data amongst many other things. But as far as you are concerned for downgrade purposes, SEP is a file inside the IPSW (the iOS installation file) that gets installed alongside the rest when the iPhone is restored.

SEP has to be compatible with the rest of the components inside the IPSW (the firmware), otherwise, everything that relies on SEP will fail and the phone would not be able to boot up.

SEP compatibility is weird. From one firmware to another, SEP may receive changes like any other component of the firmware, but some changes may not be sufficient to break compatibility. For example, on iPhone 7 Plus, the SEP is compatible with any version between iOS 14.0 to 15.4. This means that you could use the SEP component of iOS 15.4 IPSW to restore iOS 14.0 because the changes between the SEPs are either nonexistent (unlikely) or not major enough to break compatibility.

If those changes are major enough though, weird complications may result. For example, on iPhone X, the SEP of iOS 15.4 was almost compatible with the older versions, but enough changes were added that if you used it for upgrade/downgrade, it would have broken FaceID. FaceID is just one of the many things SEP handles so the changes were not that major, just major enough to not work properly.




In the case of iPhone 11 for example, the changes between the SEP of iOS 15.4 and the older ones were so great, that the whole SEP was 100% incompatible. Restoring with it would straight up fail, not only break FaceID.

When you plan to downgrade/upgrade, you need to use the SEP component of the latest signed firmware (or at least A signed firmware). You need to check if that SEP is compatible with the version you want to downgrade to. For that, we keep a compatibility chart available on our website.

What is the Baseband?

The baseband is another component of iOS that handles radio stuff. This includes the standard carrier signal/calls / SMS, and everything related to your SIM card. If something happens to this chip or its firmware, the issues can range from the phone straight up not booting, calls dropping/loss of signal, to even no service at all.

The baseband is also a file inside the IPSW firmware, and just like SEP it may or may not be compatible from a newer version to an older version because of the code changes that take place between one version and another.

IMPORTANT: Not all devices have a baseband chip. WiFi-only models, such as iPad WiFi models, do not have such components so you don’t need to worry about Baseband compatibility on those devices. Generally, everything that has a SIM card, has a Baseband too.

Just like SEP, the baseband you use when you perform a downgrade/upgrade to unsigned iOS is the one from a signed firmware (usually the latest). That may or may not be compatible, so just like with SEP, you need to check the compatibility ahead of time. You can use our compatibility chart to see if Baseband issues are present.

Important takeaway: Both SEP and Baseband components from one of the currently signed iOS versions must be compatible with the version you try to restore to for the restore to succeed. For example, if iOS 15.4.1 is currently the only signed version, and I want to update from iOS 14.0 to iOS 15.1.1 which is no longer signed, I would need to use iOS 15.4.1’s SEP and Baseband for this operation. For my restore to succeed, iOS 15.4.1’s SEP + BB must be fully compatible with iOS 15.1.1.

What are the SHSH2 Blobs?

Every time you try to update / downgrade / restore to a certain iOS firmware (either via IPSW or OTA), the device will send a request to TSS (Tatsu Signing Service), one of Apple’s servers that handle firmware signing. The server will check the request received from the device, will validate if the device is real (Serial Number, Unique IDs, etc.) and then it will check if the iOS version you try to restore to is signed currently.

  • If the version is signed by Apple, TSS will return a personalized response to the device. This response allows the device to install the firmware so the process begins.
  • If the version is no longer signed by Apple, TSS will instead return an error code and no personalized ticket. No personalized ticket means no restore.

Saving blobs or saving SHSH2 blobs (usually with BlobSaver), means sending a request to the server with our device’s unique data, and obtaining the personalized response while the iOS version is still signed. But instead of using this response right away, we store it in a file.




This way, in the future, when Apple no longer signs that version, we won’t need to ask TSS again for a response because we already have the old one from back when it was still signed. So during the restore, FutureRestore will fake the TSS response to the device by using the saved SHSH2 file from earlier.

There is a catch though. The device generates a random alphanumeric string called Generator / NONCE and sends it along to TSS. When the response comes, it is also personalized for that generator. Now the generator resets itself every time you reboot the phone. This is so that you cannot use saved SHSH2 blobs.

Still, what the community did was to create NONCE Setters.

What is a Nonce Setter?

Nonce Setters are iOS applications that utilize a kernel exploit in order to change the NONCE / Generator set inside the device’s NVRAM. This way, the user can set the generator value to the one contained inside their saved SHSH2 Blobs file.

By doing this, the previously saved TSS Response (the SHSH2 blob) becomes valid for the device and the restore can be done.

The catch here is that you need to have a kernel vulnerability powerful enough to unlock and write to the NVRAM to be able to use saved SHSH2 blobs. This is not a problem if you’re updating from an older but jailbroken firmware. For example, if you update from iOS 13 because of App compatibility, you’re jailbroken so there are Nonce Setters available for you.

If you try to downgrade from the latest firmware using SHSH2 blobs, this is where Apple stomps you and why most people believe SHSH2 blobs are useless. You won’t have a Nonce Setter for the latest version because it is likely no kernel exploit available for it, so your SHSH2 blobs won’t work.




People tend to misunderstand SHSH2 blobs and that’s why they get frustrated and believe they are useless. To make things clear, SHSH2 blobs are NOT intended for you to go from the latest version to an older one. If you already made the mistake to update to the latest version, unless there is a signed lower version, you’re kinda screwed for the next few months.

SHSH2 blobs are for updating from an old jailbreak to a newer one (for example from iOS 14 to 15, or from iOS 12 to 14, etc.) for Application Support. They allow you to jump to a newer jailbeakable iOS version with ease but are not a catch-all solution.

For a guide on how to use FutureRestore to perform downgrades or upgrades on iOS, check out our full FutureRestore guide.

About the author

GeoSn0w

An iOS and Jailbreak enthusiast who has been around for quite some time in the community. I’ve developed my own jailbreaks before and I am currently maintaining iSecureOS, one of the first iOS Anti-Malware tools for jailbroken devices. I also run iDevice Central on YouTube with over 146.000 Subscribers! Thank you for being part of this awesome community.

2 responses to “iOS Downgrades: Blobs, SEP And Baseband Explained (FutureRestore)”

  1. NoobSez Avatar
    NoobSez

    Hi geo

  2. Kust Avatar
    Kust

    Very interesting article! Writing this comment from the iPad 3rd generation LTE with iOS 9.3.5, but also there’s another wifi-only same model iPad with iOS 7.1.1 and untethered JB, so if I understand right, I could update that iPad to any iOS version between 7.1.1 and 9.3.6, for example to 9.3.4 where is jailbreakMe untethered JB available, right? However it’s needed to have saved blobs for each of these versions, or otherwise it will be tethered downgrade? In theory, if we can use the BootROM exploit, then blobs are not necessarily need?

Leave a Reply

Latest posts