Running Unsupported iOS on Obsolete Devices

In early 2023, I demonstrated iOS 6 running on an iPod touch 3—the device never officially received this update, with iOS 5.1.1 being its latest. Later, I published a script that generates an iOS 6 restore image compatible with this model. This article explains the technical process behind these experiments, assuming some familiarity with iOS internals.

Understanding iOS Components

iOS comprises several core parts:
– iBoot: the bootloader, with four variants—iBSS, iBEC, LLB, and iBoot—handling startup procedures.
– Kernel cache: a combined image of the operating system kernel and drivers.
– DeviceTree: a structured list of hardware specifics and configuration parameters, heavily modified by iBoot before the kernel takes over.
– Userspace filesystem and restore ramdisk: used during OS installation and for the current root filesystem.
– Firmware for coprocessors like Wi-Fi, Bluetooth, baseband, and multitouch sensors.

Testing on iPhone 3GS

The iPhone 3GS, released alongside the iPod touch 3 in 2009, shares similar hardware (S5L8920X vs. S5L8922X). Notably, it officially supported iOS 6. I first attempted to boot iOS 6.0 on the iPhone using the iOS 5.1.1 iBoot and DeviceTree to observe what would break.

DeviceTree Challenges

iOS 6 introduced many new nodes and properties in the DeviceTree, causing compatibility issues. To address this, I developed a Python script that compares and computes differences between two DeviceTrees, which can then be applied to modify existing DeviceTrees. This tool is available in the SundanceInH2A repository.

Populating the DeviceTree

Much of the DeviceTree is configured dynamically by iBoot at runtime, including the ‘nvram-proxy-data’ property, which must contain a raw NVRAM dump. Omitting this causes the kernel to halt early. When customizing for the iPod touch 3, I filtered out iPhone-specific elements from the DeviceTree diff before applying it.
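As an added illustration of the DeviceTree diffing described above (this is not the SundanceInH2A script, which is not reproduced on this page), here is a minimal parser for the flattened DeviceTree layout (32-byte property names, 32-bit lengths, values padded to 4 bytes) with a diff over two constructed trees. The change-record format, the helper names and every sample value are assumptions made for this example.

```python
import struct
def parse_node(buf, off=0):
    """Parse one node -> (node, next_offset); length's top bit is assumed a flag."""
    n_props, n_children = struct.unpack_from("<II", buf, off)
    off, props, children = off + 8, {}, []
    for _ in range(n_props):
        name = buf[off:off + 32].split(b"\0", 1)[0].decode("ascii")
        length = struct.unpack_from("<I", buf, off + 32)[0] & 0x7FFFFFFF
        off += 36
        if off + length > len(buf):
            raise ValueError(f"property {name!r} overruns the image")
        props[name] = buf[off:off + length]
        off += (length + 3) & ~3  # values are padded to 4 bytes
    for _ in range(n_children):
        child, off = parse_node(buf, off)
        children.append(child)
    return {"props": props, "children": children}, off

def node_name(node):
    return node["props"].get("name", b"?").rstrip(b"\0").decode("ascii")

def diff(old, new, path=""):
    """Yield (op, path, property, value) records that turn old into new."""
    path = f"{path}/{node_name(new)}"
    for key, val in new["props"].items():
        if old["props"].get(key) != val:
            yield ("set-prop" if key in old["props"] else "add-prop", path, key, val)
    for key in sorted(old["props"].keys() - new["props"].keys()):
        yield ("del-prop", path, key, None)
    old_kids = {node_name(c): c for c in old["children"]}
    for child in new["children"]:
        if node_name(child) in old_kids:
            yield from diff(old_kids[node_name(child)], child, path)
        else:
            yield ("add-node", f"{path}/{node_name(child)}", None, None)

def build(props, children=()):  # serialises the constructed sample trees
    out = struct.pack("<II", len(props), len(children))
    for key, val in props.items():
        out += key.encode().ljust(32, b"\0") + struct.pack("<I", len(val))
        out += val.ljust((len(val) + 3) & ~3, b"\0")
    return out + b"".join(children)

# Constructed sample trees; node names and values are made up for the demo.
OLD = build({"name": b"device-tree\0"}, [build(
    {"name": b"chosen\0", "sample-prop": b"\0\0\0\0", "old-only": b"\1\0\0\0"})])
NEW = build({"name": b"device-tree\0"}, [build({"name": b"added-node\0"}), build(
    {"name": b"chosen\0", "sample-prop": b"\1\0\0\0", "nvram-proxy-data": b"raw"})])
CHANGES = list(diff(parse_node(OLD)[0], parse_node(NEW)[0]))
```

Filtering the diff for another device, as described above, then amounts to dropping records by path or property name before applying them.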

Modifying iBoot

iBoot didn’t require major changes for this process. The main modifications involved signature checks, boot argument injection, and enabling debug mode so the kernel respects AppleMobileFileIntegrity (AMFI) boot arguments. Dynamic population of ‘nvram-proxy-data’ during normal boots is essential; I achieved this by replacing the ‘UpdateDeviceTree()’ call with a custom function that injects the actual NVRAM data and a seed value, preventing overwriting issues during synchronization.

Boot Arguments

Adding the ‘amfi=0xff’ parameter disables code signing, a common step in jailbreak procedures. Different iBoot+kernel versions may require additional modifications, so examining the DeviceTree and boot argument structures is important when troubleshooting.

The Kernel Cache

The most complex component is the kernel cache. While the iPod touch 3 didn’t officially support iOS 6, internal build data suggests Apple intended to assign it that version. Many internal pre-release iOS 6 builds contain separate kernel and kernel extension (kext) files tailored for the device. The challenge lies in loading these components simultaneously, similar to how older Mac OS X versions dynamically load extensions during startup.

By understanding and adjusting these components, it’s possible to run unsupported iOS versions on deprecated devices, extending their usable lifespan and exploring the potential of obsolete hardware.

FAQs

Q: Can I run unsupported iOS versions on any old device?
A: Not all devices are compatible, but with enough technical knowledge and adjustments, some unsupported versions can be made to run on deprecated hardware.

Q: What skills are needed to attempt this?
A: Familiarity with iOS internals, firmware modification, and scripting, especially Python, is recommended.

Q: Are there risks involved?
A: Yes, modifying firmware can brick devices or cause instability. Proceed with caution and back up data where possible.

Q: Why would someone want to run unsupported iOS?
A: For experimentation, development, or to revive older devices for basic use when official support has ended.
