iOS 7 Tethered Downgrade

Making custom ramdisk

Unfortunately no automated tool exists to make iOS 8 SSH ramdisks and we can't use an iOS 9-12 ramdisk because we need to also downgrade ASP

Keys for decryption of firmware components and proper component names can be found at The Apple Wiki

Creating ramdisk

NOTE: Make sure to use the Restore Ramdisk and not the Update Ramdisk

Download SSH binpack

curl -O

Unpack ramdisk to raw

img4 -i -o ramdisk.dmg -k ivkey

Resize and mount ramdisk

hdiutil resize -size 50M ramdisk.dmg

hdiutil attach ramdisk.dmg

Extract SSH binpack onto ramdisk

gtar -xvf iram.tar -C /Volumes/ramdisk

hdiutil detach /Volumes/ramdisk

Pack ramdisk into img4

img4tool -c ramdisk.im4p -t rdsk ramdisk.dmg

img4tool -c ramdisk.img4 -p ramdisk.im4p -m IM4M

Patch iBSS and iBEC


img4 -i iBSS.boardconfig.RELEASE.im4p -o iBSS.dec -k ivkey

img4 -i iBEC.boardconfig.RELEASE.im4p -o iBEC.dec -k ivkey

Patch signature checks using iPatcher

ipatcher iBSS.dec iBSS.patched

ipatcher iBEC.dec iBEC.patched -b "amfi=0xff cs_enforcement_disable=1 -v rd=md0 nand-enable-reformat=1 -progress"

Pack boot files into img4

img4 -i iBSS.patched -o iBSS.img4 -M IM4M -A -T ibss

img4 -i iBEC.patched -o iBEC.img4 -M IM4M -A -T ibec

Pack Kernelcache and DeviceTree into img4


img4 -i kernelcache.release.boardconfig -o kernelcache.im4p -k ivkey -D

img4 -i kernelcache.im4p -o kernelcache.img4 -M IM4M -T rkrn


img4 -i devicetree.boardconfig.im4p -o dtree.raw -k ivkey

img4 -i dtree.raw -o devicetree.img4 -A -M IM4M -T rdtr

Now we can boot the ramdisk!

Next part → Ramdisk Boot

Dual Booting 64 Bit