Want to Downgrade Your iOS? Apple Says No

If you have an iPhone 4 or other iOS 4 compatible device, you’re probably running iOS 4.0.1. Great. But what if you want to downgrade back to iOS 4.0 or iOS 3.1.3? Too bad. You probably won’t be able to do it. At least not easily. There are several roadblocks that get in your way.

The source of these roadblocks is Apple. They have deliberately made it difficult to downgrade. Why have they done this? How have they done this? And how can you circumvent their obstacles?

You are about to learn the answers to all of these questions. To get started, let’s consider one further question: Why would a user ever want to downgrade their iOS device in the first place? 

Why downgrade the iOS?

There are at least 4 reasons that an iOS user might want to downgrade the iOS on their device:

• Incompatibility. After updating, you may discover that some app that is critical to your use of the iOS device no longer works — because the app is incompatible with the update. Eventually, an updated version of the app is likely to be released. While you’re waiting for that update, you may prefer to downgrade the iOS so you can continue using the app.

Similarly, there may be a bug in the iOS itself that did not exist in the prior version. If you update and decide that the bug is a deal-breaker for you, you might want to downgrade the iOS — until Apple releases a bug-fix iOS update. [Update: As noted in Observer Comments below, the iOS 4 slowdown on iPhone 3G models is a good example of this.]

A less common but still possible situation would be if the iOS update removed a desirable feature. For example, there was a hack that allowed you to enable Internet Tethering in iOS 3.0 — well before AT&T officially sanctioned it. Apple blocked this hack in a subsequent update. If you updated (perhaps before you realized what Apple had done), you might want to downgrade to the prior iOS version.

• Testing. As a developer, a tech journalist, or an inquisitive iPhone owner, you may wish to compare how certain iOS features work under different versions of the iOS. One solution is to have multiple devices, each running a different iOS version. This can get expensive. Even so, you may find yourself in a situation where you want to revert to an iOS version older than that on any of your devices. Or, for a troubleshooting article you’re writing (as happened to me), you may want to repeatedly test out the restore process itself.

In all of these cases, downgrading the iOS will likely be required.

• Restore without upgrading. Here’s a situation where you don’t exactly want to downgrade. Rather, you want to prevent an enforced upgrade.

Suppose, for whatever reason, you are running something other than the latest version of the iOS and wish to keep doing so. Unfortunately, some glitch occurs and you get the message in iTunes that says you need to restore your iPhone. At this point, you will not be given the option to restore the device to your presently installed iOS version. Instead, you are required to update to the latest version. 

• Jailbreaking. If you jailbreak your iPhone and upgrade to a new version of the iOS, your jailbreak changes are removed. If you did this just after the upgrade was released, it’s almost certain that you cannot yet jailbreak the new iOS version. This is because Apple explicitly revises each iOS upgrade so as to prevent current jailbreak tools from working —  and updated versions of the required jailbreak tools are typically not immediately available. If you update by mistake (perhaps due to a temporary memory lapse, as happened to me) or otherwise regret updating, you’ll want to downgrade so as to get back to an iOS version that can be jailbroken.

In a related scenario, suppose you buy a new iPhone 4 that ships with iOS 4.1 (I’m predicting the future here). Assuming the tools to jailbreak iOS 4.1 are not yet out, you might want to downgrade your new iPhone to iOS 4.0.x — which (hopefully by that time) can be jailbroken.

You mean you can’t just erase and restore an iOS device to a prior version?

Nope. That’s exactly the point. Yes, there are potential work-arounds. But they are increasingly difficult to carry out.

What’s the ultimate cause of the downgrade prohibition?

As I’ve already indicated, the answer can be summarized in one word: Apple.

There is no inherent reason that downgrades of the iOS should not work. Ignoring the complications of firmware modifications to the iPhone’s baseband, if you do a full restore of your iPhone (which is pretty much required as part of a downgrade), you completely replace the iOS software — so downgrading should be no problem. I’m assuming, of course, that your downgrade is to an iOS version that was initially compatible with the device; don’t expect an iPhone 4 to run iOS 3.0.

The major obstacles to downgrading are the prohibitions Apple has put in place. Apple does this primarily for the purpose of defeating attempts at jailbreaking. One other possible rationale is, if you’ve installed apps that only work in the latest OS version, and you downgrade, these apps will no longer work. However, as such apps typically do not reinstall after a downgrade and restore, it’s not a situation that should lead to incompatible apps on the iOS device. At worst, you lose access to a few apps.

How would downgrading work if there were no obstacles?

It would work very simply:

  1. With your iPhone connected to iTunes on your Mac, hold down the Option key and click the Restore button in the iPhone’s Summary screen.

  2. From the Open dialog that appears, locate the Software Update file for your desired downgrade. The default location for these files is: ~/Library/iTunes/iPhone Software Updates (for iPads and iPod touches, the last folder name would change accordingly). If the file you seek is not there, as is likely the case, get it from wherever it is on your drive (as I discuss next). As for the names of these files, they all follow a similar structure. As one example, the file for iPhone OS 4.0.1 on an iPhone 4 is: iPhone3,1_4.0.1_8A306_Restore.ipsw.

  3. Click Choose. After this, the procedure is identical to any other “normal” restore of your iPhone.

Unfortunately, there are two major obstacles that can prevent this procedure from working.

What’s the first obstacle?

In the early days of the iPhone, ipsw files accumulated in the Update folder cited above. That is, after six updates, you’d have six files there. At some point (over a year ago), Apple changed this.

Now, every time you download and install a new update, any older update files are moved to the Trash. Actually, as far as I can tell, it’s worse than that. The very next time you launch iTunes after an update has been released, iTunes will move any older ipsw files to the Trash — even if your iOS device is not connected to iTunes at the moment. In such a case, the relevant Software Update folder will remain empty until you update the device.

There are two solutions here.

The first is proactive: Maintain current backups (at some other location) of all the files in the Software Update folders. At the very least, whenever you are aware that a new iOS version has been released, make a copy of the now older update file before launching iTunes. Check the Trash if you’ve already launched iTunes and can’t otherwise find the file; if you haven’t emptied the Trash, it should still be there.

If all traces of the desired file have been deleted from your hard drive, the second solution is to locate the file online and download it. Apple does not provide access to these older files, but various third-party repositories do. A simple Google search should locate the file you want.

What’s the second obstacle?

There’s good news and bad news about the second obstacle. The good news is that for older iPhones and iPod touches, there is no second obstacle. If you have the needed .ipsw file, you should be good to go. The downgrade should work via the steps described above.

The bad news is that, starting with a revised, hardware-updated version of the iPhone 3G and continuing with the iPhone 3GS and 4, as well as the third-generation iPod touch and all iPads, the Option-Restore method will not work even if you have the needed .ipsw file. If you try, you will eventually get an error message and a failed restore. I believe the restriction also requires that you use iOS 3.1.3 or later, but I am not certain of this.

How exactly does this second obstacle work?

With the just noted iOS devices and iOS versions (together with the more recent versions of iTunes), Apple established a challenge/response verification method for determining if a given .ipsw file can be used for updating or restoring. The method works by exchanging data over the Internet between iTunes and a signature server set up by Apple. Glossing over various technical details (which I remain a bit fuzzy about, despite all that I have read, such as this article), here’s how the system works:

Whenever you attempt to restore (or update) an iOS device, a verification process is initiated. The verification process makes use of a trio of items from your iOS device. These include the iBSS and iBEC files, needed to “iBoot” each device. It also uses the ECID (chip ID) number — which is hard-coded into the firmware of recent iOS devices and is unique to each device.

When attempting an update or restore of your iOS device, parts of the relevant data are packaged together (and temporarily stored on your Mac) and sent via iTunes to Apple’s signature server. You can typically tell this is happening because a “Verifying restore with Apple…” message will appear on the screen. The “verifying” message may sometimes appear as soon as you connect your iOS device to iTunes, even if you are not yet attempting a restore or update.  

If Apple’s server confirms that the package it receives is valid, it will verify or “sign off” on the device, returning a confirming ECID signature hash blob (often shortened to SHSH blob or just blob) to iTunes. This acts as an OK message, permitting a restore (or update) to proceed.

Note that the exact content of the blobs will change with each software update. This means that the blobs that work to sign iOS 4.0, for example, will not work for iOS 4.0.1.

When a new version of the iOS is released, Apple’s server is said to “stop signing” the prior version. This means that, for the relevant hardware, any attempt to reinstall or downgrade to the prior version will no longer validate — and the restore or update will fail. This is why you can’t even reinstall the iOS version you presently have on your iOS device, unless it is already the latest version. Without an Internet connection, no verification is possible. In this case, you may not be able to do a restore at all — even to the latest iOS version and even if the .ipsw file is already on your drive.
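The verification flow described above can be modeled in a few lines. This is an added example, not Apple's code or protocol: the class and function names, the sample ECIDs, and the component bytes are all constructed, and an HMAC with a demo key stands in for the real signature scheme. It shows the three properties the text describes: a blob is tied to one ECID, it is tied to one iOS version's components, and the server stops signing the prior version once a new one is released.

```python
import hashlib
import hmac

# Assumption: HMAC with a shared demo key stands in for Apple's real
# public-key signature, so the model runs with the standard library only.
DEMO_KEY = b"constructed-demo-key"

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _sign(ecid: int, ibss_d: bytes, ibec_d: bytes) -> bytes:
    msg = ecid.to_bytes(8, "big") + ibss_d + ibec_d
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).digest()

class SigningServer:
    """Signs only the component digests of the release it currently allows."""
    def __init__(self):
        self.current = None  # (version, iBSS digest, iBEC digest)

    def release(self, version: str, ibss: bytes, ibec: bytes) -> None:
        # Publishing a new version replaces the old one: it is no longer signed.
        self.current = (version, digest(ibss), digest(ibec))

    def request_blob(self, ecid: int, ibss: bytes, ibec: bytes):
        # The client sends the ECID plus digests; the server answers with a
        # blob bound to that ECID, or None if the build is not being signed.
        if self.current is None or (digest(ibss), digest(ibec)) != self.current[1:]:
            return None
        return _sign(ecid, digest(ibss), digest(ibec))

def device_accepts(ecid: int, ibss: bytes, ibec: bytes, blob) -> bool:
    # The blob must cover this device's ECID and these exact components.
    return blob is not None and hmac.compare_digest(
        blob, _sign(ecid, digest(ibss), digest(ibec)))

def run_model() -> dict:
    v400 = (b"iBSS 4.0 (constructed)", b"iBEC 4.0 (constructed)")
    v401 = (b"iBSS 4.0.1 (constructed)", b"iBEC 4.0.1 (constructed)")
    ecid_a, ecid_b = 0x000001A2B3C4D5E6, 0x000001A2B3C4D5E7  # constructed ECIDs
    server = SigningServer()
    server.release("4.0", *v400)
    blob = server.request_blob(ecid_a, *v400)
    out = {"restore_while_signed": device_accepts(ecid_a, *v400, blob),
           "blob_on_other_device": device_accepts(ecid_b, *v400, blob)}
    server.release("4.0.1", *v401)
    new_blob = server.request_blob(ecid_a, *v401)
    out["downgrade_request_refused"] = server.request_blob(ecid_a, *v400) is None
    out["new_blob_on_old_build"] = device_accepts(ecid_a, *v400, new_blob)
    out["update_to_current"] = device_accepts(ecid_a, *v401, new_blob)
    return out
```

Calling run_model() returns one boolean per scenario; the downgrade request is refused by the server before the device-side check is ever reached.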

Apple attempts to make it difficult to retrieve the needed validation data, especially the ECID number. This, in turn, prevents hackers from using the data to fool iTunes into allowing a restore that would otherwise be blocked. At this task, the process largely (but not entirely) succeeds.

It gets worse. I have read that there are new checks built into iTunes 9.2.x as well as the firmware of the iPhone 4 (and presumably all future iOS devices) that will make circumventing these restrictions even harder than they already are.

A primary motivation behind all of this is to prevent jailbreaking. For example, at one time, it was possible to jailbreak an iPhone simply by doing a normal restore with a customized “jailbroken” .ipsw file. No more. The customized file will not validate.

Wow! Apple seems really serious about blocking jailbreaking. True?

Absolutely. Apple has put a great deal of effort into this procedure. If anyone tells you that Apple largely ignores jailbreaking, such people are so far off base as to be in a different stadium from reality.

Apple is in an intense, continual battle to find a way to completely eradicate jailbreaking. Every time a new iOS version or new iOS device is released, jailbreakers hold their breath to see whether or not Apple may have finally won. So far, they have not. The fact that jailbreaking is now “legal” has no bearing on this cat-and-mouse game. The new ruling simply says that jailbreaking does not violate DMCA restrictions; it does not force Apple to halt its attempts at blocking jailbreaking.

Is there any way to circumvent these signature-server-enforced restrictions?

Yes. What these ways are and how they work are the subject of the conclusion of this two-part series, to be posted next time.