You’ve decided that you want to downgrade the iOS software on your iPhone or other iOS device. Depending upon the particular device you own and iOS version you are running, your ability to do a downgrade can vary from slightly tricky to virtually impossible. This is because Apple has done its best to prevent downgrading.
In my previous column, I described the numerous reasons why you might want to downgrade as well as the rationale behind Apple’s effort’s to prevent you from doing so. In addition, I went into the details behind Apple’s main downgrade roadblock: On newer iOS devices (starting with the iPhone 3GS), before you can install any iOS Software Update, there is a required online exchange of data, mediated via iTunes, between your iOS device and an Apple server. If Apple’s server does not send iTunes the “correct” “SHSH blobs” for the version of the iOS you want to install, the install is blocked. Apple has set this system up so that only the most recent compatible version of the iOS for a particular device is accepted. This is why you cannot downgrade an iOS in any simple manner.
In today’s column, concluding this two-part series, I explain how you can none-the-less work-around Apple’s obstacles and achieve downgrade success!
The General Idea
The primary method for circumventing Apple’s roadblock is to fool iTunes into thinking that Apple has approved the (downgrade) iOS version your are attempting to install.
Suppose, for example, you want to downgrade your iPad from iOS 3.2.1 (currently the most recent version) to iOS 3.2. Using a variation of the basic Option-Restore method (as explained below in “Downgrade and Restore”), you select the iOS 3.2 Software Update file. Without any advance preparation, this would still fail. Apple’s server would block the downgrade, as it permits only iOS 3.2.1 to be installed.
To work-around this obstacle, you need the data (SHSH blobs) that Apple’s server would ordinarily send back to iTunes to greenlight the iOS 3.2 install. More generally, as the specific SHSH blobs vary with each iOS version and each iOS device, you should ideally save a separate set of blobs for each combination of iOS device and iOS version that you might ever want to use for downgrading.
A critical point is that the window to save blobs for a given iOS version is open only during the time when the iOS is the current version — that is, when the iOS is the one that Apple’s server is currently signing as okay. This is because obtaining the blobs depends upon getting information generated from Apple’s server. When an iOS version stops being signed, you can no longer obtain this information.
Thus, to downgrade back to iOS 3.2, you needed to save the blobs for iOS 3.2 when iOS 3.2 was the current iOS for the iPad. Now that iOS 3.2.1 is the current iOS, you can no longer save the 3.2 blobs. If you haven’t already saved the needed blobs, you are out-of-luck. That’s why you should save the blobs for each iOS version as soon as possible. If you wait until after Apple releases a new version of the iOS, it will be too late.
To pull off the entire downgrade magic trick, three goals must be achieved:
- There needs to be an alternate server where the relevant SHSH blobs are maintained.
- You need to save the relevant SHSH blobs (for your device and iOS version) to that server.
- iTunes needs to be fooled into contacting the alternate server, instead of Apple’s server, when you attempt the downgrade. The alternate server will send iTunes the saved blobs required for your downgrade. iTunes will then give its approval and the download can successfully proceed.
Fortunately, there are relatively easy ways to accomplish all of these goals. Exactly how you do so depends upon whether or not you are starting with a jailbroken device.
How to Save Blobs from a Jailbroken iOS device
Let’s use a time machine to travel back to when iOS 3.2 was the most recent version of the iOS for the iPad. You are, of necessity, running iOS 3.2. At this point, let’s assume you jailbroke your iPad via a utility called Spirit. This jailbreak does not require the iOS blobs or anything else that we’ve been talking about. You just run Spirit with your iPad connected and in a few seconds, you’re done. The iOS device restarts and you are ready to go. No need to restore your device or do anything else.
As part of the jailbreak, Spirit installs an app on your iPad called Cydia. This app is a jailbreak-equivalent of Apple’s App Store. It’s what you use to download jailbreak-dependent apps to your iOS device. Cydia can also perform another function, critical to our downgrading task: saving your blobs. Here’s how it works:
- After jailbreaking your device, launch Cydia.
- From the home screen, tap the button (probably called “Make My Life Easier”) to store the current SHSH blobs for your device (e.g., iOS 3.2 for the iPad) on a server maintained by Jay Freeman (saurik, the author of Cydia).
- You should now see text at the top of the home screen that says: “This device has SHSHs on file for iPhone OS/iOS 3.2”. You have now accomplished the first and second of the three goals cited above.
Figure 1: The Cydia screen showing that iOS 3.2 (as well as 3.2.1 in this case) SHSH blobs have been stored to the Cydia server.
Let’s fast-forward back to the present. The current iOS for the iPad is 3.2.1. For whatever reason (perhaps because of a momentary memory lapse), you upgrade to iOS 3.2.1. Oops. Your jailbreak is gone (as I explained in my previous column). You return to the Spirit website only to find (at least as of August 5) big bold text stating: “DO NOT UPDATE TO 3.2.1” because it “breaks Spirit.” In other words, you cannot jailbreak iOS 3.2.1 with Spirit.
Downgrade and Restore
What can you do at this point — with Spirit no longer an option?
One possibility is to stick with the un-jailbroken iOS 3.2.1 for the moment, waiting for an updated version of Spirit (or other entirely new) jailbreak utility to be released.
Note: With the just-released JailbreakMe 2.0, you can directly jailbreak an iPad running iOS 3.2.1 (as well as any devices running iOS 4.0 and 4.0.1, including the iPhone 4). It works directly from Safari on your iOS device (at least until Apple plugs the security leak that the jailbreak exploits, which Apple is expected to do soon). For the sake of this discussion, let’s assume that JailbreakMe (or any other updated) jailbreak tool is not yet available.
The alternative, needed if you want your jailbreak back ASAP, is to downgrade back to iOS 3.2 (giving up on whatever fixes and new features may have been in the 3.2.1 update), so you can re-jailbreak your iPad with Spirit.
To do the downgrade, you’ll use the blobs you stored on the Cydia server:
- Modify the
hostsfile on your Mac so that iTunes uses the Cydia server, instead of Apple’s server, when it seeks to verify the downgrade iOS request. To do this:
A. Use the Go To Folder command in the Finder and go to/etc.
B. Locate the file namedhosts. Ideally, save a backup of the file — in case you make unintended modifications to the original.
C. Open the hosts file, using a utility that permits admin users to edit files owned by root. I use TextWrangler.
D. At the end of the text, add the following line:74.208.10.249 gs.apple.com. This is what will direct iTunes to the Cydia server.
E. Save the modified file, following TextWrangler’s prompts to modify a root-owned file.
Note: If, on some later occasion, you find that iTunes will not connect to Apple’s server to sign an Apple-approved update, remove this added line.
- Restore your iPad to iOS 3.2. It would be convenient, at this point, if you could just connect your iPad to iTunes, use Option-Restore to select the desired iPad 3.2 Software Update file (which you had previously saved, as described in my previous column) and click to proceed. Unfortunately, this is not likely to work.
Instead, you first need to put your iPad into DFU mode (which is slightly but importantly different from recovery mode, as described here). When the “recovery mode” message appears in iTunes, click OK. You can now use Option-Restore to select the iOS 3.2 Update file.
Via Cydia’s server and the blobs you stored there, the downgrade attempt will succeed. You have accomplished the third and last of the three prior-cited goals.
While more technophobic users may be hesitant to give this procedure a try, I have done it several times without any hassles. It is not difficult and I suspect most people reading this column will have no trouble with it. If you want more details on how to do all of this, there are numerous tutorials on the Web— such as this one from Cult of Mac.
How to Save Blobs from a Non-Jailbroken iOS device
Here’s a different scenario: Imagine you just purchased an iPad with iOS 3.2.1 pre-installed. Or maybe you have an iPhone with iOS 4.0.1 pre-installed. You’d like to immediately save the blobs for the current iOS version — in anticipation of the day you might need them. One problem (or at least let’s again assume it’s still a problem at the time you purchase your device): there isn’t yet any way to jailbreak the current iOS on your device. This means you have no access to Cydia, which means you can’t use Cydia to store your blobs. You expect a jailbreak to be released eventually, but you don’t want to wait for this. Or maybe you’d just like to be able to downgrade at some point without ever doing a jailbreak.
Can you save the current blobs — even without jailbreaking your device? Yes. Here’s how:
- Download The Firmware Umbrella (also known as TinyUmbrella), version 4.01.01 or later for the Mac. Connect your iOS device to your Mac and launch the Umbrella program.
- After Umbrella detects that your iOS device is connected, click the “Save My SHSH” button (leaving the Advanced options alone).
When the process is complete, a message will appear in the Log stating that “SHSH successfully saved”. At this point, your SHSH blob data have been simultaneously stored locally on your hard drive (in an invisible .shsh folder located in your Home directory) as well as with Cydia’s server. Mission accomplished.
Figure 2: The Firmware Umbrella window, after having successfully saved the blobs of my iPhone 4, running iPhone OS 4.0.1
Reminder: This procedure stores the blobs for the latest version of the iOS for your device, not necessarily the iOS version currently on your device (which may be an older version). There is no way to store blobs for any version other than the latest version. However, once stored, a version’s blobs remain available even after a newer version of the iOS is released.
Downgrade and Restore via The Firmware Umbrella
After saving your blobs with the The Firmware Umbrella, you can downgrade the iOS and restore your device, via the Cydia server, using the exact same procedure as described in the “Downgrade and Restore” section above.
Alternatively (although I have not tested this out to confirm it), you should be able to downgrade and restore your device via a local server on your drive, set up by clicking the “Start TSS Server” button in The Firmware Umbrella.
When using the local server, the line you need to add to the hosts file is 127.0.0.1 gs.apple.com, rather than 74.208.10.249 gs.apple.com. Otherwise, the procedure is, yet again, the same as described in the section above.
Downgrade without Blobs?
With iOS devices older than the iPhone 3GS, none of these blob-related tasks are needed. These devices should generally downgrade successfully with just a basic Option-Restore, as I described in my previous column. For example, using this method, I downgraded a second generation iPod touch from iOS 4.0 to iOS 3.1.3. The only hitch was that I could not restore my saved backup data to the iPod touch. A message informed me that the downgraded OS was “too old” for the backup. Thus, I had to set up the iPod touch as a new machine.
What about the newer devices that do require the blobs for signing the restore? Is there any way to downgrade these devices without having saved the blobs in advance? In a word (as I have already said), no.
One iOS device does not appear to exactly fit in either category: the iPhone 3G. It appears to be a “transitional” device. At least some iPhone 3G units cannot be downgraded via a simple Option-Restore — yet can be downgraded without the need for saved blobs. [I remain uncertain as to exactly why the 3G is an exception here; if you know the specifics, please email me the details.]
This is especially good news for those users who upgraded their iPhone 3G to iOS 4.x and discovered that it runs unacceptably slow. Downgrading back to 3.1.3 gets their 3G moving again.
There are at least two variations for doing a 3G downgrade. One, as detailed at the MacLife.com and FunkeySpaceMonkey.com websites, uses a Terminal-mediated iRecovery tool. The other, as detailed at the LifeHacker website, requires a slightly more user-friendly utility called RecBoot.
Note: Prior to the official release of iOS 4, you could apparently use either of these two procedures to downgrade an iPhone 3GS running a beta version of iOS 4. After the final release of iOS 4, at which point Apple stopped signing the iOS 3.1.3 version, the procedures no longer worked for the 3GS.
If you attempt any of these downgrades and it fails to work, you may wind up with an iOS device that does not successfully start up. Not to worry. You can still put the device in recovery mode and reinstall the latest version of the iOS. You lose the downgrade, but your iOS device is back in action again. This has never failed to work for me.
Bottom Line
If you feel a bit overwhelmed after reading all of this, I understand. There is no doubt that downgrading most iOS devices is more complicated than it need be or ought to be. While Apple may have valid reasons for restricting the procedure in some cases, the end result is that it prevents all iPhone users from easily accomplishing a task that they have legitimate reasons to do. Don’t expect this logic to sway Apple. If anything, downgrading is likely to become even more difficult with the release of iPhone 4.1 later this year.