iOS 7 Tethered Downgrade

Patching boot files

Keys for decrypting the firmware components, and the proper component names, can be found at The Apple Wiki.

iBSS and iBEC

Decryption

img4 -i iBSS.boardconfig.RELEASE.im4p -o iBSS.dec -k ivkey

img4 -i iBEC.boardconfig.RELEASE.im4p -o iBEC.dec -k ivkey

Patch signature checks using iPatcher

ipatcher iBSS.dec iBSS.patched

ipatcher iBEC.dec iBEC.patched -b "-v rd=disk0s1s1 amfi=0xff cs_enforcement_disable=1 keepsyms=1 debug=0x2014e wdt=-1"

Pack into img4

img4 -i iBSS.patched -o iBSS.img4 -M IM4M -A -T ibss

img4 -i iBEC.patched -o iBEC.img4 -M IM4M -A -T ibec

Kernelcache

Decryption

img4 -i kernelcache.release.boardconfig -o kcache.raw -k ivkey

img4 -i kernelcache.release.boardconfig -o kernelcache.im4p -k ivkey -D

Patch SEP functionality using seprmvr64lite

seprmvr64lite kcache.raw kcache.patched

kerneldiff kcache.raw kcache.patched kc.bpatch

Pack into img4

img4 -i kernelcache.im4p -o kernelcache.img4 -M IM4M -T rkrn -P kc.bpatch

DeviceTree

Decryption

img4 -i devicetree.boardconfig.im4p -o dtree.raw -k ivkey

Pack into img4

img4 -i dtree.raw -o devicetree.img4 -A -M IM4M -T rdtr
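Before booting, it is worth confirming that each packed file carries the type tag that was set with -T in the steps above. The Python check below is an added example, not part of the original guide or of the img4 tool. It assumes the standard IMG4 layout (a DER SEQUENCE holding the string IMG4 followed by an IM4P SEQUENCE whose second element is the type tag); the names im4p_type, sample_img4 and EXPECTED are illustrative, and the sample container is constructed.

```python
import sys

# Type tags the page passes to `img4 -T` for each packed file.
EXPECTED = {"iBSS.img4": "ibss", "iBEC.img4": "ibec",
            "kernelcache.img4": "rkrn", "devicetree.img4": "rdtr"}

def read_tlv(buf, pos):  # one DER element -> (tag, value_start, value_end)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def ia5(buf, pos):  # IA5String at pos -> (text, offset just past it)
    tag, start, end = read_tlv(buf, pos)
    if tag != 0x16:
        raise ValueError("expected IA5String")
    return buf[start:end].decode("ascii"), end

def im4p_type(data):  # type tag of an IMG4 (or bare IM4P) blob
    tag, pos, _ = read_tlv(data, 0)
    magic, pos = ia5(data, pos) if tag == 0x30 else ("", pos)
    if magic == "IMG4":  # step into the nested IM4P SEQUENCE
        tag, pos, _ = read_tlv(data, pos)
        magic, pos = ia5(data, pos) if tag == 0x30 else ("", pos)
    if magic != "IM4P":
        raise ValueError("not an IMG4/IM4P container")
    return ia5(data, pos)[0]

def der(tag, body):  # DER encoder, used only to build the constructed sample
    size = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
    prefix = b"" if len(body) < 0x80 else bytes([0x80 | len(size)])
    return bytes([tag]) + prefix + size + body

def sample_img4(fourcc):  # constructed container with a dummy payload, not firmware
    im4p = der(0x16, b"IM4P") + der(0x16, fourcc.encode()) + der(0x16, b"sample") + der(0x04, bytes(200))
    return der(0x30, der(0x16, b"IMG4") + der(0x30, im4p))

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. iBSS.img4 iBEC.img4 kernelcache.img4 devicetree.img4
        got = im4p_type(open(path, "rb").read())
        print(path, got, "OK" if EXPECTED.get(path) == got else "UNEXPECTED")
```

Run it from the directory holding the four .img4 files and pass their names as arguments; a file reported as UNEXPECTED was packed with a different -T value than the one listed for it above.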

Done! Now we are ready for the tether boot.
Next part → Tether boot
