Tethered Downgrade Guide By Mineek
discord: Mineek#6323
This tutorial was made in half an hour, so it's really bad, but it should get you started on your tethered downgrade adventure!
HUGE THANKS TO galaxy#6181. Without him, I wouldn't have known all this to write a guide!
You will need:
- irecovery
- futurerestore
- pyimg4 (pip3 install pyimg4) (MAKE SURE YOU HAVE UPDATED PYTHON AND ARE NOT USING THE BUNDLED ONE!)
- Kernel64patcher (https://github.com/iSuns9/Kernel64Patcher)
- ldid (https://github.com/ProcursusTeam/ldid)
- restored_external64_patcher (https://github.com/iSuns9/restored_external64patcher)
- asr64_patcher (https://github.com/iSuns9/asr64_patcher)
- libimg4_patcher (https://github.com/iSuns9/libimg4_patcher)
Make sure to use the forks listed above.
-
Grab the iOS 15.1 IPSW for your device.
-
Extract it and grab the kernelcache and the restore ramdisk (tip: it's the smallest .dmg in the IPSW!).
-
Put the kernelcache and the restore ramdisk .dmg in a new folder.
-
Extract the restore ramdisk with:
pyimg4 im4p extract -i restore_ramdisk_name.dmg -o ramdisk.dmg
-
Mount the restore ramdisk:
hdiutil attach ramdisk.dmg -mountpoint ramdisk
-
Patch ASR:
asr64_patcher ramdisk/usr/sbin/asr patched_asr
-
Patch restored_external:
restored_external64_patcher ramdisk/usr/local/bin/restored_external restored_external_patched
-
Patch libimg4:
libimg4_patcher ramdisk/usr/lib/libimg4.dylib libimg4.patched
-
Extract the original entitlements from the original binaries (use > rather than >>, so a re-run overwrites the plist instead of appending a second copy to it):
ldid -e ramdisk/usr/local/bin/restored_external > restored_ents.plist
ldid -e ramdisk/usr/sbin/asr > asr_ents.plist
-
Remove the old ones:
rm -f ramdisk/usr/sbin/asr && rm -f ramdisk/usr/local/bin/restored_external && rm -f ramdisk/usr/lib/libimg4.dylib
-
Resign the binaries:
ldid -Srestored_ents.plist restored_external_patched
ldid -Sasr_ents.plist patched_asr
ldid -S libimg4.patched
-
chmod the binaries:
chmod 777 restored_external_patched
chmod 777 patched_asr
chmod 777 libimg4.patched
-
Replace the original binaries with the patched ones:
cp -a restored_external_patched ramdisk/usr/local/bin/restored_external
cp -a patched_asr ramdisk/usr/sbin/asr
cp -a libimg4.patched ramdisk/usr/lib/libimg4.dylib
-
Unmount the ramdisk:
hdiutil detach ramdisk
-
Repack the ramdisk:
pyimg4 im4p create -i ramdisk.dmg -o ramdisk.im4p -f rdsk
-
Extract the kernel:
pyimg4 im4p extract -i kernelcache.release.* -o kernelcache.raw --extra kpp.bin
(If your device does not have KPP, which is the case for A10 devices and up, do not include --extra kpp.bin.)
-
Patch it:
Kernel64Patcher kernelcache.raw kernelcache.patched -a
-
Repack the kernel (if your device does not have KPP, which is the case for A10 devices and up, do not include --extra kpp.bin):
pyimg4 im4p create -i kernelcache.patched -o kernelcache.im4p --extra kpp.bin -f rkrn --lzss
-
Restore the device with futurerestore:
(MAKE SURE YOU ARE IN PWNDFU WITH SIGCHECKS REMOVED!)
futurerestore -t blob.shsh2 --use-pwndfu --skip-blob --rdsk ramdisk.im4p --rkrn kernelcache.im4p --custom-latest-beta --custom-latest-buildid 19H12 --latest-sep --latest-baseband original-ipsw.ipsw
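The ramdisk and kernel steps above as one stop-on-first-error script, added here as an example and not part of Mineek's guide; it handles the KPP conditional in one place and unmounts the ramdisk if a patch step fails. It assumes the tools listed at the top are on PATH and that the restore ramdisk .dmg and the kernelcache from the IPSW are in the current folder; the script name tether.sh, the DRY_RUN variable and the run/kpp_args helpers are this example's own.

```bash
#!/bin/sh
# Added example, not the guide author's script: ramdisk + kernel steps in order.
# Assumes pyimg4, hdiutil, ldid and the iSuns9 patchers are on PATH.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # 1 prints each command instead of running it

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# --extra kpp.bin is only for devices that have KPP; A10 and up get nothing
kpp_args() { if [ "$1" = 1 ]; then echo "--extra kpp.bin"; fi; }

# $1 = restore ramdisk .dmg from the IPSW (the smallest one)
patch_ramdisk() {
  run pyimg4 im4p extract -i "$1" -o ramdisk.dmg
  run hdiutil attach ramdisk.dmg -mountpoint ramdisk
  # detach even if a later step fails, so the image is not left mounted
  [ "$DRY_RUN" = 1 ] || trap 'hdiutil detach ramdisk >/dev/null 2>&1 || true' EXIT
  run asr64_patcher ramdisk/usr/sbin/asr patched_asr
  run restored_external64_patcher ramdisk/usr/local/bin/restored_external restored_external_patched
  run libimg4_patcher ramdisk/usr/lib/libimg4.dylib libimg4.patched
  # '>' rather than '>>': a re-run must overwrite, not append a second plist
  run sh -c 'ldid -e ramdisk/usr/local/bin/restored_external > restored_ents.plist'
  run sh -c 'ldid -e ramdisk/usr/sbin/asr > asr_ents.plist'
  run rm -f ramdisk/usr/sbin/asr ramdisk/usr/local/bin/restored_external ramdisk/usr/lib/libimg4.dylib
  run ldid -Srestored_ents.plist restored_external_patched
  run ldid -Sasr_ents.plist patched_asr
  run ldid -S libimg4.patched
  run chmod 777 restored_external_patched patched_asr libimg4.patched
  run cp -a restored_external_patched ramdisk/usr/local/bin/restored_external
  run cp -a patched_asr ramdisk/usr/sbin/asr
  run cp -a libimg4.patched ramdisk/usr/lib/libimg4.dylib
  run hdiutil detach ramdisk
  run pyimg4 im4p create -i ramdisk.dmg -o ramdisk.im4p -f rdsk
}

# $1 = kernelcache.release.* from the IPSW, $2 = 1 if the device has KPP, else 0
patch_kernel() {
  run pyimg4 im4p extract -i "$1" -o kernelcache.raw $(kpp_args "$2")
  run Kernel64Patcher kernelcache.raw kernelcache.patched -a
  run pyimg4 im4p create -i kernelcache.patched -o kernelcache.im4p $(kpp_args "$2") -f rkrn --lzss
}

# usage: sh tether.sh ramdisk <restore_ramdisk.dmg>  |  sh tether.sh kernel <kernelcache> <1|0>
case "${1:-}" in
  ramdisk) patch_ramdisk "$2" ;;
  kernel)  patch_kernel "$2" "$3" ;;
esac
```

Run it with DRY_RUN=1 first to see the exact command list for your device before anything touches the ramdisk.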