 | This article is relevant only to legacy hardware or software, and is retained for its historical significance. Please ask at the community portal if you would like to update this article with current information. |
This will create an IPSW that only flashes your device's NOR. It will not touch the operating system or NAND.
- Create a custom IPSW
- Unpack it, remove rootfs DMG
- Decrypt the ramdisk (xpwntool) and mount it.
- Edit options.plist (/usr/local/share/restore/options.plist) on the restore ramdisk:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CreateFilesystemPartitions</key> <false/> <key>UpdateBaseband</key> <false/> <key>SystemImage</key> <false/> </dict> </plist>
- Unmount and reencrypt the restore ramdisk.
- Repack the IPSW.
NOTE: This technique only works on devices that have an untethered bootrom exploit (Pwnage or 0x24000 Segment Overflow).