iPad Mini iOS 6 Downgrade Without SHSH Blobs is NOT Currently Possible - Dual Boot Instead


Tuesday 19th September 2017

iOS 9 / iOS 6 Home Screen Comparison Slider

As of writing this post, it is not possible to natively downgrade an iPad Mini First Generation to iOS 6.1.3 without SHSH blobs. The only alternative at the moment is to dual-boot iOS 6 with your current OS.

The iPhone 5, iPad Mini 1st Generation, iPad 4th Generation and iPhone 5c are the only 32 bit devices that did not originally ship with iOS 5 or earlier. This is why the iOS 6.1.3 upgrade is not being signed by Apple for these devices, making it impossible to downgrade to it at the moment unless you have saved SHSH blobs.

The reason that Apple still signs 6.1.3 and 8.1.4 for some 32 bit devices is that it is not possible to upgrade from iOS 5 directly to the latest version. You have to hop to 6.1.3, then 8.1.4 before being able to upgrade to the latest supported version. Note that the iPhone 5c originally shipped with iOS 7, so it is probably impossible for it to ever run iOS 6 natively.

Security

The most recent version of iOS 6 is 6.1.3*, which was released on 19th March 2013. This means that there are currently over 4 years of unpatched security vulnerabilities and a lack of all new iOS security features. I highly recommend reading [PDF] Apple's iOS 10 Security White Paper for more information.

*There were 3 further releases of iOS 6 (6.1.4, 6.1.5 and 6.1.6), however these were not released for all devices. They were device-specific bug fix releases for the iPhone 5 and twice for the iPod Touch 4th Generation respectively. Read more here.

Many of the known security vulnerabilities can be mitigated by simply using the device in a highly defensive manner, such as by only visiting known trusted websites, only connecting to trusted Wi-Fi networks, only using disposable online accounts, not reading email, etc. However, there are also numerous remote code execution vulnerabilities that do not require any user interaction what so ever.

Having an iOS 6 device connected to your Wi-Fi access point is a potential risk to your network and is not recommended.

Known Vulnerabilities

Below is a list of all of the iOS update security advisories for versions between 6.1.3 and 10.3.3.

Vulnerabilities that allow for remote code execution (RCE) without user interaction, or vulnerabilities that can not be easily defended against are highlighted.

To clarify, vulnerabilities are highlighted if they still affect you even if you use the device in a highly defensive manner as described above.

This list does not include vulnerabilities that require user interaction or for the attacker to be present on your Wi-Fi network.

The iOS version that they are listed under indicates the version at which they were patched, not the version(s) that they affect.

Many of these vulnerabilities may have been introduced in versions after iOS 6.1.3, however it should still give you a general idea of the state of iOS 6 security.

iOS 7 ------ https://support.apple.com/kb/HT5934
iOS 7.0.2 -- https://support.apple.com/kb/HT5957
iOS 7.0.3 -- https://support.apple.com/kb/HT6010
iOS 7.0.4 -- https://support.apple.com/kb/HT6058
iOS 7.0.6 -- https://support.apple.com/kb/HT6147
iOS 7.1 ---- https://support.apple.com/kb/HT6162
iOS 7.1.1 -- https://support.apple.com/kb/HT6208
iOS 7.1.2 -- https://support.apple.com/kb/HT6297
iOS 8 ------ https://support.apple.com/kb/HT6441
┗━━ CVE-2014-4364 - Credential Theft - An attacker can potentially obtain Wi-Fi credentials by impersonating a trusted access point.
iOS 8.1 ---- https://support.apple.com/kb/HT6541
iOS 8.1.1 -- https://support.apple.com/kb/HT204418
iOS 8.1.2 -- https://support.apple.com/kb/HT204422
iOS 8.1.3 -- https://support.apple.com/kb/HT204245
iOS 8.2 ---- https://support.apple.com/kb/HT204423
┗━━ CVE-2015-1063 - Denial of Service - A malicious Class 0 (Flash) SMS message can cause the device to crash and restart.
iOS 8.3 ---- https://support.apple.com/kb/HT204661
iOS 8.4 ---- https://support.apple.com/kb/HT204941
┗━━ CVE-2015-3728 - Man in the Middle - Devices may auto-associate with an untrusted Wi-Fi access point that is advertising a known SSID, but with a downgraded security type.
iOS 8.4.1 -- https://support.apple.com/kb/HT205030
┗━━ CVE-2015-3778 - Sensitive Information Disclosure - Devices broadcast MAC addresses from previously accessed Wi-Fi networks.
iOS 9 ------ https://support.apple.com/kb/HT205212
iOS 9.0.2 -- https://support.apple.com/kb/HT205284
iOS 9.1 ---- https://support.apple.com/kb/HT205370
iOS 9.2 ---- https://support.apple.com/kb/HT205635
iOS 9.2.1 -- https://support.apple.com/kb/HT205732
iOS 9.3 ---- https://support.apple.com/kb/HT206166
iOS 9.3.1 -- https://support.apple.com/kb/HT206225
iOS 9.3.2 -- https://support.apple.com/kb/HT206568
iOS 9.3.3 -- https://support.apple.com/kb/HT206902
iOS 9.3.4 -- https://support.apple.com/kb/HT207026
iOS 9.3.5 -- https://support.apple.com/kb/HT207107
iOS 10 ----- https://support.apple.com/kb/HT207143
iOS 10.0.1 - https://support.apple.com/kb/HT207145
iOS 10.0.2 - https://support.apple.com/kb/HT207199
iOS 10.0.3 - https://support.apple.com/kb/HT207263
iOS 10.1 --- https://support.apple.com/kb/HT207271
iOS 10.1.1 - https://support.apple.com/kb/HT207287
iOS 10.2 --- https://support.apple.com/kb/HT207422
iOS 10.2.1 - https://support.apple.com/kb/HT207482
iOS 10.3 --- https://support.apple.com/kb/HT207617
┗━━ CVE-2017-2461 - Denial of Service - A malicious SMS message can cause denial of service (resource consumption).
iOS 10.3.1 - https://support.apple.com/kb/HT207688
┗━━ CVE-2017-6975 - Remote Code Execution - An attacker within range may be able to execute arbitrary code on the Broadcom Wi-Fi chip.
iOS 10.3.2 - https://support.apple.com/kb/HT207798
iOS 10.3.3 - https://support.apple.com/kb/HT207923
┣━━ CVE-2017-7063 - Denial of Service - A malicious message possibly delivered by SMS can cause denial of service (memory consumption and application crash).
┗━━ CVE-2017-9417 - Remote Code Execution - An attacker within range may be able to execute arbitrary on the Broadcom Wi-Fi chip (Broadpwn).

When reading through the Apple security advisories, I noticed that there were a lot of vulnerabilities related to UI spoofing/manipulation in Safari, for example CVE-2013-5152 and CVE-2015-5904. This reminds me of the Chrome Punycode URL spoofing bug from April 2017, however in the case of MobileSafari it requires you to visit a malicious website that will then spoof the URL, rather than a non-spoofed URL simply looking like the URL of a legitimate website.

I also wonder how the patch for Broadpwn works. It depends whether the patch actually patches the chip's firmware or is simply an iOS software patch. Perhaps if you upgraded to a version where Broadpwn was patched, but then downgraded back to a version where it is not patched, Broadpwn would still be patched because the change persists in the chip's firmware rather than in iOS itself. That's all just theory, but maybe it's an idea worth putting out there.

Conclusion

Overall, it was definitely an interesting project however due to the security issues with Wi-Fi and that fact that it is not possible to get iOS 6 running natively, I will probably just stick to using iOS 10.3.3 with the low performance. I only use the iPad Mini as a standalone VoIP client anyway, so the low performance in iOS 10 doesn't cause too much of an issue for me.

iOS 11 was released to the public today, and the new iOS 11 security advisory was made available just a few hours ago. I was surprised to see such a small number of patched vulnerabilities. Normally major releases have dozens and dozens of new security patches, whereas iOS 11 has only eight! This could be taken both ways, were fewer vulnerabilities found or are there fewer to find? I guess we'll have to wait and see.

Edit 1st Oct 2017 @ 8:53am: Around a day after the initial release of the new iOS 11 security advisory, Apple updated it with many new vulnerabilities. It still seems to have fewer than the average major release, but my statement about there being "only eight" is definitely not correct anymore.