
How can I install an unsigned iOS version on an iPhone?


I'm using several devices running older iOS versions to test my apps on actual hardware during development (some features that use the camera or certain Core Image APIs don't work on the simulator). My last app will drop support for iOS 11 soon, and so I'd like to upgrade an iPhone SE that runs iOS 11 to iOS 13.

The IPSW files can be downloaded from websites like ipsw.me, but apparently there is no official way to install such an upgrade, as Apple no longer signs these firmwares. Is there a way to bypass this limitation?


Solution

  • In practice, you can't.

    In theory, there are three ways:

    1. Become an Apple employee.
    2. Break RSA.
    3. Find a vulnerability in Apple's boot chain.

    Assuming numbers 1 and 2 are not feasible for you, let's look at the third option. All iPhones up to and including the iPhone 8 and X do actually have a known BootROM vulnerability - the one for A5-A11 chips is called checkm8. There are a couple of issues with that though:

    • The bug is in the DFU portion of the BootROM, so in order to use it, you have to put your device into DFU on each boot. You can't just "install" an OS and be done with it.
    • The bug only affects the Application Processor, not the Secure Enclave. So you'd have to patch the system to either update the code that is responsible for talking to the SEP so that it works with a currently signed firmware, or to not talk to the SEP at all.

    Now there is another vulnerability called blackbird - this time in SEPROM. It's limited to A8-A10 chips (which would include your iPhone SE), and allows two potential solutions:

    • Apple's firmware signatures tie a particular version to a particular device. If you had previously saved such a signature while Apple was handing them out, you could use these two bugs to downgrade to such a version, and then continue to use it without a jailbreak.
    • If you had not saved such a signature for your device, you could still load an unsigned SEPOS firmware via DFU, so you could at least boot old versions tethered.

    And now for a self-plug: I'm on the development team of the checkra1n jailbreak and we do plan to implement a reasonable interface for the aforementioned procedures - but we're still quite a way off, and not our top priority.

    So for the time being: you can't install unsigned versions.
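The device binding the answer describes, as an added toy model that is not from the question, the answer, or the checkra1n project's code. It models the general mechanism: a personalized ticket is an RSA signature over the device's ECID, a per-boot nonce and the hashes of every firmware component, and the boot chain refuses any ticket that was not issued for its own ECID and its own nonce. A toy RSA key built from two Mersenne primes, a made-up component manifest and the function names below are all assumptions for the example; Apple's real key sizes, padding, ticket format and the SEP side are not modeled. It goes a little beyond the answer in showing that a saved ticket is tied to the nonce as well as the ECID, which is why a checkm8-based restore must also set the device's nonce to the saved value before the saved blob is usable.

```python
"""Toy model of personalized firmware signing (an SHSH/APTicket analogue).

Added example, not Apple's scheme and not checkra1n's code. The 'TSS' side signs a
digest over (ECID, ApNonce, component hashes); the 'BootROM' side holds only the
public key and checks a ticket against its own ECID and this boot's nonce.
"""
import hashlib
import json
import os

# Toy RSA key pair standing in for Apple's signing key. Assumption: two Mersenne
# primes chosen so the example runs offline; nothing like Apple's real keys.
_P = 2**89 - 1
_Q = 2**107 - 1
N = _P * _Q
E = 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent, known only to the "TSS" side


def ticket_digest(ecid, ap_nonce, manifest):
    """Digest over everything the signature binds: the device identity (ECID), the
    per-boot nonce, and the hash of every component. The manifest is canonicalised
    so that signer and verifier hash identical bytes."""
    canon = json.dumps(
        {"ecid": ecid, "ap_nonce": ap_nonce.hex(), "manifest": manifest},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    # Reduced mod N so the value fits under the toy modulus (no padding; toy only).
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % N


def tss_sign(ecid, ap_nonce, manifest):
    """'Apple' side: issue a ticket personalised to one device and one nonce.
    Only possible while the signing server still hands out signatures for this build."""
    sig = pow(ticket_digest(ecid, ap_nonce, manifest), _D, N)
    return {"ecid": ecid, "ap_nonce": ap_nonce, "manifest": manifest, "sig": sig}


def bootrom_verify(ticket, device_ecid, boot_nonce):
    """Device side: accept only if (1) the signature matches the ticket's contents,
    (2) the ticket was issued for *this* ECID, and (3) it was issued for the nonce
    this boot generated. Returns a short reason string."""
    expected = ticket_digest(ticket["ecid"], ticket["ap_nonce"], ticket["manifest"])
    if pow(ticket["sig"], E, N) != expected:
        return "reject: bad signature"
    if ticket["ecid"] != device_ecid:
        return "reject: ticket is for another device"
    if ticket["ap_nonce"] != boot_nonce:
        return "reject: nonce mismatch"
    return "accept"


def run_scenarios():
    """Walk through the cases the answer describes; returns {scenario: outcome}."""
    # Constructed manifest: component names and stand-in hashes, not a real build.
    manifest = {name: hashlib.sha256(name.encode()).hexdigest()
                for name in ("iBSS", "iBEC", "LLB", "iBoot", "KernelCache")}
    ecid_a, ecid_b = 0x1122334455667788, 0x8877665544332211
    saved_nonce = os.urandom(32)  # the nonce the device showed when the blob was saved

    # Ticket saved while Apple was still signing this build for device A.
    saved = tss_sign(ecid_a, saved_nonce, manifest)

    # Signed by Apple, but for a component hash Apple never saw: signature fails.
    tampered = dict(saved, manifest=dict(manifest, iBoot=hashlib.sha256(b"patched").hexdigest()))

    return {
        # Device A booting with the nonce the ticket was issued for. This is both the
        # "use it right away" case and the case where a checkm8-based restore tool has
        # set the nonce generator so the device reproduces the saved nonce.
        "same_device_same_nonce": bootrom_verify(saved, ecid_a, saved_nonce),
        # Someone else's saved blob is useless on device B.
        "other_device": bootrom_verify(saved, ecid_b, saved_nonce),
        # Device A on a normal later boot draws a fresh nonce: saved blob is rejected.
        "same_device_fresh_nonce": bootrom_verify(saved, ecid_a, os.urandom(32)),
        # Modified firmware under a genuine ticket: signature no longer matches.
        "tampered_manifest": bootrom_verify(tampered, ecid_a, saved_nonce),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:24s} -> {outcome}")
```

The model makes the answer's "two bugs" split visible: checkm8 lets you run code in DFU and control the nonce, which gets a saved ticket past the ECID and nonce checks, but it gives you no way to produce a signature for a build Apple never signed for your ECID, so without a saved blob the only option is to patch the checks out on every boot (tethered).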