HOW TO: Downgrade From iOS 4.0.2 To iOS 4.0.1 Without SHSH On File ( NOT Working )

A user named CodeBlue has discovered an unconfirmed method that may allow you to downgrade your 4.0.2 iPhone to 4.0.1, jailbreak, patch the safari exploit with Saurik’s patch and be jailbroken safely. This may be your only option if you have an out of the box iPhone with 4.0.2 on it and no other way to jailbreak.

NOTE: this only works due to the similarities in 4.0.2 to 4.0.1 and 4.0. This will not be a way to downgrade to 3.1.x and may not work in future firmware updates.

NOTE: none of us tried this method, because we have the SHSH blobs saved for every iOS device we own. This sounds good in theory and others are reporting some success. After all, you have nothing to lose if you are already stuck on 4.0.2 without an SHSH in Cydia.

NOTE: this only works due to the similarities in 4.0.2 to 4.0.1 and 4.0. This will not be a way to downgrade to 3.1.x and may not work in future firmware updates.

1. Download 4.0.1 ipsw

2. Extract it with winrar or winzip to a folder on the desktop. You may need to rename the firmware file from .ipsw to .zip to do this.

3. Open the buildmanifest.plist with the notepad. Search and replace all – 8A306 with 8A400. Save. Repeat the same with the file restore.plist

4. Download 4.0.2 ipsw and open this with winrar or winzip. Note: do not exact it. Just open it and leave it open. You must use this exact file and not create a new one. If you have to create a new one for reasons like you are on OSX, then use zip command line not explorer or finder to make the zip. I will assume you are using the original file opened in winrar for the rest of this guide.

5. Take all the files from the 4.0.1 and drag them over to the 4.0.2 zip archive that you have open.

6. Delete all the dmg files that have 002 at the end, leaving only the 001 files left.

7. Save the archive. And rename it back to .ipsw if you changed the name to get winrar/winzip to open it.

8. Optional: (this helps ensure you get an shsh file request for the future, but should not be necessary to just restore 4.0.1). Add the 74.208.10.249 gs.apple.com line to the host file.

9. Put the device into DFU, open iTunes and restore the firmware you changed.

[via BigBoss, via CodeBlue]

LATER EDIT:

Notcom, the creator of TinyUmbrella, just explained why this is not working. Sorry iPhone 4 4.0.2 OTB guys 🙁 . Read the notcom’s article below. ( Please don’t send us emails telling us that you updated to 4.0.2 ‘by mistake’. There is no such thing as ‘by mistake’ in this case… )

There is much discussion on many blogs about a potential means of downgrading iOS 4.0.2 to 4.0.1 by simply changing a couple values in the buildmanifest.plist and copying all of the images from 4.0.1 into 4.0.2 and then deleting the files ending with 002. Following all of this, perform a DFU restore and somehow you will be on 4.0.1.

There is a perfectly logical explanation for all of this and I will lay out exactly what is happening and explain why it is working for the folks that are the lucky ones.

Let me get this out first.

  1. This is not a miracle, at least not in the sense you all hope for
  2. SHSHs are STILL required for any iPhone 4, iPhone 3GS, iPad, iPod Touch 3G, and iPod Touch 2G (MC Model)
  3. There is NO way around this… unfortunately this method included.

Let me start by explaining something very important. The buildmanifest is used by iTunes to build much of the TSS request that is used to obtain your SHSH for any given firmware revision. Unfortunately, the BuildNumber has no part to play in the request for SHSH. All that you ended up doing in following these directions is request 4.0.1 SHSH blobs. THAT IS ALL. Since every single one of you that got this to work changed your hosts file to point to Cydia, Cydia responded to the TSS request with an SHSH blob that was ALREADY “on-file”. There was no magic. There was no miracle, apart from the lucky break that your device had been put on Cydia’s SHSH request list at some time in the distant past.

That’s it in a nutshell folks. There was no amazing technique for bypassing Apple’s TSS. There was no amazing exploit that exists in DFU mode allowing for 4.0.2 -> 4.0.1 downgrading. It’s simple; Cydia had your SHSH because at sometime in the past either:

  • Someone saved your SHSH with that device using TinyUmbrella and the default options
  • Someone restored that device with Cydia in the hosts pointing to gs.apple.com
  • Someone jailbroke the device and pressed ‘Make my life easier’

That’s it folks. Sorry to be a buzzkill but there was much confusion about this issue and many blog posts that simply didn’t give the full story of what exactly was going on.