I reported a few weeks back on an interesting new bug for 32-bit devices, which allowed you to restore them to any unsigned iOS 9.x firmware, provided you had blobs for the destination firmware.

At the time, it was thought that the bug would mainly be of use for people downgrading from iOS 9.3.5 to a lower firmware, to jailbreak with Home Depot or Pangu9. However, the bug turns out to be more powerful and wide-ranging than previously thought, with much wider utility.

At the time when I was given early tester access to the method, it was used for escaping the unjailbroken iOS 9.3.5 firmware. It worked perfectly to move my iPad 2 back to iOS 9.3.4, where it’s now happily jailbroken.

However, it turns out the bug in fact affects every firmware change in which iOS 9.x is the destination. This means that as long as you are going to iOS 9, you can use it to upgrade from iOS 6-8, or even to downgrade from iOS 10 without a jailbreak.

This is of course big news, and hopefully our readers have been taking our advice and saving their blobs. As long as you have correct blobs saved for any firmware from iOS 9.0-9.3.4, you should be able to downgrade/upgrade to that firmware, and use Pangu9 or Home Depot to jailbreak. Users stuck on iOS 10 can return to a jailbreak, and users on iOS 6-8 who want to upgrade but missed the window can move to iOS 9. iOS 9 users can move up or down as they please, and even use this as a way to restore to the same firmware for a fresh start.

After talking to a couple of the developers of the tool, who were really obliging, some further technical information and restrictions have come to light, which I’ll quickly sum up below.

Requirements

  • 32-bit devices only, do not ask about 64-bit.
  • Destination firmware must be iOS 9.x, do not ask about restoring to any other firmware.
  • Starting firmware can theoretically be any, though only iOS 6, 8, 9 and 10 have so far been tested.
  • Starting firmware does not require a jailbreak.
  • Process does not require keys, bundles, or nonces.
  • Process requires blobs for the destination firmware.
  • The blobs have specific requirements. They must be Erase blobs, not OTA, and they must begin with the string MIIKkj. This is not yet fully understood.

Further details

  • The technique requires a signed baseband, like Prometheus. However, between the currently signed basebands for iOS 10 and the signed OTA basebands, most, if not all, devices should be able to get a working baseband without issues.
  • iOS 9 -> iOS 9 restores can be done from Recovery mode; restores to iOS 9 from any other firmware must be done from DFU mode.

According to a discussion with Markus L, one of the developers working on the technique, release has been set back by the discovery that the bug works with iOS x -> iOS 9, not just iOS 9 -> iOS 9. More testing will now be required to ensure behaviour with the additional firmware combinations, and to take full advantage of this extra power. It will therefore not be released for at least a few weeks more.

A group consisting of @ee_csw, @alitek123, @Thmitt, @DjSn0wfall and @JonathanSeals is working on testing the bug more fully, as well as on a custom tool to allow these downgrades/restores to take place. In the interim, another tool may be released which will check your saved blobs for compatibility with the technique, as unfortunately not all blobs will work.

Advice

  • Save your blobs! Never delete any old blobs, and check to see if any of them are for iOS 9.
  • For 32-bit devices which did not receive iOS 10, iOS 9.3.5 is still signed, so save blobs for that too! A jailbreak for iOS 9.3.5 (by FriedAppleTeam) is much more likely at this point than a 32-bit iOS 10 jailbreak.
  • If on iOS 9.3.5, do not update to iOS 10 (if your device can).
  • Lastly, it is not impossible for Apple to release an iOS 9.3.6, whether to address this, or for another reason. Therefore, save iOS 9.3.5 blobs now, and do not update in the event of a point update being released.

In summation, it may soon be possible for 32-bit device owners to move back to the sweet jailbroken pastures of iOS 9 from any firmware on which they currently reside. This tool, in combination with iOS 9 blobs, could mean an indefinite jailbreak for all 32-bit devices, protected from accidental updates and restores.

Do you have iOS 9.x blobs saved? Do you have 32-bit devices on iOS 9.3.5/10 that you’d like to downgrade? Let me know in the comments section.

  • This is fantastic. After what happened with Luca Todesco, we NEEDED some good news.

  • Saul

    However, who was saving their blobs when everyone thought they were useless? Especially iOS 9.x blobs?

    Even Cydia stopped doing the automatic saving of blobs because they were thought to be useless.

    Does this mean that blobs saved under TinyUmbrella are still good, or would they have to be saved under the new .shsh2 format?

    • Rahimo

      I will add another question to your questions: if the TinyUmbrella blobs are not supported, then how to get .shsh2 blobs??

      • Joaquim Barbosa

        You don’t need .shsh2 for this, .shsh is fine. The blobs from most tools should be fine.

      • Rahimo

        thnx

    • Joaquim Barbosa

      Normal shsh blobs are fine for this, as saved with any of the main tools, including tiny umbrella. As for whether they should have been saved, it’s always been our advice and that of devs to save blobs, even when no tool was ready for release. Hopefully you can find some somewhere from way back!

  • Markus Le.

    TinyUmbrella, savethemblobs, tsschecker and dumped blobs may be usable with the bug; just open them and check the start of the APTicket to be sure.

    • Rahimo

      Can Tinyumbrella get the blobs for iOS 9.x ?

      • Markus Le.

        It could, yes, but the signing window is long closed now.

      • Rahimo

        The TinyUmbrella website is closed!! How can I get it???

  • Jan Souček

    Any update on the Fried Apple Team’s JB? For some reason I expected news today during their BlackHat talk… Was disappointed by the radio silence.

    • Joaquim Barbosa

      I haven’t heard anything unfortunately, only their talk slides seem to have been released. I kind of thought they’d release it immediately after the talk, but I guess they maybe haven’t even finished it. I’ll post if and when I hear anything. Thanks for reading!

  • Man… I wish I knew what blobs were back when iOS 9 was still in play.

    It’s awesome that this tool exists, and I’m super happy that 32-bit devices are getting some love. But… dammit.

    No way to get blobs from firmwares that are no longer being signed, even if you have all the necessary info for your device, is there? Keep hoping that there’s somewhere I can find other people’s saved blobs for my phone model and then use some other tool to modify them to fit my device, but I guess that doesn’t exist. #sadpanda

    • Joaquim Barbosa

      Nope, no way to get blobs outside of signing I’m afraid. And no, blobs from another device cannot be altered for yours, they are built in relation to the ECID etc. of your device. Just start saving blobs from now on I guess? Sorry that there’s no workaround…

      • All good. Should have been more on top of my game during iOS 9’s era, so I can’t blame anyone but myself for that one. Thanks to TSS Saver’s site, I’ve now got blobs for 10.21 and 10.3. I’ll just have to keep saving them from here on out.

        Thanks again for always responding to the comments on your articles!

  • Profound Conqueror

    I am on iOS 7, any ideas how to get iOS 9?

    • Joaquim Barbosa

      If you have blobs, you will be able to use the method that this article is describing when it’s released. What device do you have?

      • Profound Conqueror

        iPhone 5 16 gig

      • Profound Conqueror

        Where can I get the blob for iOS 9?

      • Joaquim Barbosa

        If you don’t already have them, you can’t. They must be saved while the firmware is still signed by Apple unfortunately.

  • abhorred

    I’ve an iPad 2 on 9.3.3 – so the Home Depot jailbreak should work.

    Any way to save my 9.3.3 blobs now (obviously the signing window has already closed)? In case the jailbreak fails and I am forced to 9.3.5.

    • Joaquim Barbosa

      There are, but it’s rather technical. Do you have any other 9.x blobs which you could just use instead in an emergency?

  • 5723alex .

    Downgrading to 9.x is just great, with huge benefits like those 500 security bugs that Apple has plugged since then up to iOS 10.3.2b1 (iOS 10.3 alone plugged 85 security bugs…).

    https://9to5mac.com/2017/03/28/ios-10-3-other-updates-over-300-security-fixes-why-you-should-care/

    • (JailbreakQA) King Shoot

      With iOS moving on, fewer hackers will care about the 200-ish devices that downgraded to iOS 9, and will focus on iOS 11.

      So the risk is actually smaller.

      Also, you get better performance, and a jailbreak, far more important than a few exploits that no one will exploit on an old iOS running on old devices.

  • Siri Tim Cook Holness

    But no one has 32-bit devices anymore, they’re obsolete.

    • Lazy Developers

      Don’t just say they’re obsolete, it includes
      iPod 1, 2, 3, 4, 5
      iPad 2, 3, 4, Mini
      iPhone 2G, 3G, 3GS, 4, 4S, 5, 5C
      And lots of people have iPod 5s and iPhone 4(S)s and 5(C)s. I have an iPod 5 and an iPhone 4. The 4 is on 6.1.3 jailbroken, i5 was stuck on iOS 9.3.5, this is useful for me. Hope it works to iOS 6.1.3 on iPod 5, I would be happy with the iPod for once lol.

  • Moshe Schlussel

    I cannot believe this wasn’t discovered before iOS 10 was released… I’m still sitting on an iOS 8.4 jailbreak, and I would really like to restore my device… damnit.

    • Joaquim Barbosa

      No blobs?

  • Joaquim Barbosa

    Yes, with the tool described in this article.

  • Mehul Patel

    BUT THERE MUST BE A WAY TO RETURN TO THE CURRENT FIRMWARE YOU ARE ON. SUPPOSE AN IPHONE 5 WITH IOS 8.1.3 CAN BE RESTORED WITH THE SAME FIRMWARE, 8.1.3, GETTING THE BLOBS FROM THE IPHONE.

    • Joaquim Barbosa

      There is. It’s just difficult and not the purpose of this article. Try the tools bundled with Odysseus to save onboard blobs.

  • Олег Петрович

    About “…they must begin with the string MIIKkj. This is not yet fully understood.”
    Starting with the string “MIIKkj” means that the base64 blob inside must contain a SEQUENCE with 4 elements.
    Check it with an ASN.1 online decoder.
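To turn the Requirements bullet above (“they must begin with the string MIIKkj”) and the ASN.1 observation in the last comment into a check you can run on your own saved blobs, here is an added Python example; it is not part of the article and not the developers’ forthcoming checking tool. The prefix is read the way base64 works: the six characters “MIIKkj” are the first 36 bits of the ticket, i.e. the bytes 30 82 0A 92 followed by a byte in the 0x30–0x3F range. That is a DER SEQUENCE (tag 0x30) with a two-byte length field of 0x0A92 = 2706 bytes, whose first child tag shares the SEQUENCE nibble, so the prefix constrains the ticket’s outer length, not just its format. The example parses only that outer header and does not count inner elements, since the page gives no further structure. Two assumptions are mine: that a 32-bit .shsh plist stores the ticket under the key APTicket (files from different saving tools may differ), and the sample tickets, which are constructed zero-filled stand-ins rather than real tickets.

```python
import base64
import plistlib

# Prefix named in the article's Requirements list.
REQUIRED_PREFIX = "MIIKkj"
# Plist key under which a 32-bit SHSH file stores the base64 APTicket.
# Assumption for this example; files from different saving tools may differ.
APTICKET_KEY = "APTicket"


def der_outer_header(raw: bytes):
    """Parse the first DER tag and length of raw.

    Returns (tag, content_length, header_size). Only the outer element is
    parsed; the inner element layout is not described on the page.
    """
    if len(raw) < 2:
        raise ValueError("blob too short for a DER header")
    tag, first = raw[0], raw[1]
    if first < 0x80:                      # short-form length (one byte)
        return tag, first, 2
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(raw) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return tag, int.from_bytes(raw[2:2 + n], "big"), 2 + n


def inspect_apticket(ticket: bytes) -> dict:
    """Check a raw ticket against the MIIKkj requirement and its DER header."""
    b64 = base64.b64encode(ticket).decode("ascii")
    tag, length, header = der_outer_header(ticket)
    return {
        "prefix": b64[:6],
        "prefix_ok": b64.startswith(REQUIRED_PREFIX),
        "is_sequence": tag == 0x30,       # 0x30 is the DER SEQUENCE tag
        "declared_len": length,           # "MIIKkj" implies 0x0A92 == 2706
        "complete": len(ticket) == header + length,
    }


def inspect_shsh_plist(plist_bytes: bytes) -> dict:
    """Same check for a saved .shsh plist (the key name is an assumption)."""
    data = plistlib.loads(plist_bytes)
    if APTICKET_KEY not in data:
        raise KeyError(f"no {APTICKET_KEY} entry in plist")
    return inspect_apticket(data[APTICKET_KEY])


def make_sample_ticket(outer_len: int, child_tag: int) -> bytes:
    """Constructed stand-in for a ticket: an outer SEQUENCE with a two-byte
    length wrapping one zero-filled child element. Not a real APTicket."""
    inner_len = outer_len - 4             # the child header is itself 4 bytes
    child = (bytes([child_tag, 0x82]) + inner_len.to_bytes(2, "big")
             + b"\x00" * inner_len)
    return bytes([0x30, 0x82]) + outer_len.to_bytes(2, "big") + child


# Constructed samples. The first encodes to "MIIKkjCC..." (outer length 0x0A92,
# first child a SEQUENCE); the second differs only in length and encodes to
# "MIIKYDCC...", so it fails the prefix check.
GOOD_TICKET = make_sample_ticket(0x0A92, 0x30)
OTHER_TICKET = make_sample_ticket(0x0A60, 0x30)
TRUNCATED_TICKET = GOOD_TICKET[:-10]      # prefix still matches, but incomplete
SAMPLE_PLIST = plistlib.dumps({APTICKET_KEY: GOOD_TICKET})

if __name__ == "__main__":
    for name, t in [("good", GOOD_TICKET), ("other", OTHER_TICKET),
                    ("truncated", TRUNCATED_TICKET)]:
        print(name, inspect_apticket(t))
    print("plist", inspect_shsh_plist(SAMPLE_PLIST))
```

To check a real file, read it with `plistlib.load` and pass the decoded ticket bytes to `inspect_apticket`; a result with `prefix_ok` true but `complete` false means the saved ticket is cut short and should not be relied on.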