Download older versions of any iOS app with Brook

https://www.txthinking.com/talks/
Updated at: 2023-03-16
cloud@txthinking.com

Generated by Text to Image

中文

Purpose

Download the old version YouTube v17.15.1

Required software

• Brook.exe and already has CA installed
• iTunes64Setup.exe v12.6.5.3, download from apple.com (Tip: It is a good habit to download only from the official website related to the software)

😉 In theory, it is also possible on macOS, but I did not find the download address of the corresponding version of iTunes

Signin iTunes and Download Never Require Password

1. Disconnect Brook
2. iTunes Menu -> Account -> Sign In
3. iTunes Menu -> Edit -> Preferences -> Store -> Purchases: Never Require. Free Downloads: Never Require

😡 Because Apple's authentication server will block many commercial IPs, we log in and set up in advance to avoid future authentication requests.

We need to find two things

• appid: App ID
• versionid: History version ID

Find App ID and history version ID list

1. Brook: Turn on Fake DNS; turn off Bypass; turn on Programmable; turn on TUN; fill in Script:

   https://raw.githubusercontent.com/txthinking/bypass/master/ipa/history.tengo

   text := import("text")
   f := func(){
       if in_address {
           if in_address.domainaddress && text.has_suffix(in_address.domainaddress, "-buy.itunes.apple.com:443") {
               return {
                    mitm:true,
                    mitmprotocol: "https",
                    mitmwithbody: true,
                    mitmautohandlecompress: true
               }
           }
           return
       }
       if in_httprequest && !in_httpresponse {
           return in_httprequest
       }
       if in_httprequest && in_httpresponse {
           return in_httpresponse
       }
   }
   out := f()
   

2. Connect Brook. Then download the YouTube iPhone App from iTunes.

3. In the MITM log, you should see POST https://p52-buy.itunes.apple.com/WebObjects/MZBuy.woa/wa/buyProduct

   😉 The domain name does not have to be exactly the same as above

4. appid: the songId in the body. Here is 544007664

5. versionid: softwareVersionExternalldentifiers in the body

   😉 This is a list, you can save it first

Find the specified version ID from the history version ID list

The history version ID is like 848374799, how do you know which version ID corresponds to v17.15.1?

The list of history version ID is arranged sequentially. Jump and download it yourself to have a look. I believe that with your ingenuity, you can find the version you want in a while. The video shows how I found it.

Download old App

1. Brook: Turn on Fake DNS, turn off Bypass, turn on Programmable, turn on TUN, and fill in the Script:

   😡 Please fork and modify the appid and versionid variables in the script

   https://raw.githubusercontent.com/txthinking/bypass/master/ipa/downgrade.tengo

   appid := "544007664" // YouTube
   versionid := "848374799" // v17.15.1
   
   text := import("text")
   f := func(){
       if in_address {
           if in_address.domainaddress && text.has_suffix(in_address.domainaddress, "-buy.itunes.apple.com:443") {
               return {
                    mitm:true,
                    mitmprotocol: "https",
                    mitmwithbody: true,
                    mitmautohandlecompress: true
               }
           }
           return
       }
       if in_httprequest && !in_httpresponse {
           if in_httprequest["Method"] == "POST" && text.contains(in_httprequest["URL"], "/WebObjects/MZBuy.woa/wa/buyProduct") {
               s := string(in_httprequest["Body"])
               if text.contains(s, "<string>"+appid+"</string>") {
                   in_httprequest["Body"] = bytes(text.re_replace(`<key>appExtVrsId</key>\s*<string>\d+</string>`, s, "<key>appExtVrsId</key>\n<string>"+versionid+"</string>"))
               }
           }
           return in_httprequest
       }
       if in_httprequest && in_httpresponse {
           return in_httpresponse
       }
   }
   out := f()
   

2. Disconnect Brook and reconnect.

3. Right-click and delete the YouTube App you just downloaded from the iTunes library. Re-download the YouTube iPhone App. From the library, you can see the old version of YouTube that has been downloaded. Right-click to view the ipa location.

Install the ipa file to the phone

ideviceinstaller is used here, and macOS has brew that can be installed directly. If you don't want to compile for windows, here has compiled it, use this here.

😡 Must be the same Apple ID

1. Uninstall YouTube on iPhone first
2. Connect iPhone USB to Windows

3. I use GitBash

   git clone https://github.com/iFred09/libimobiledevice-windows.git
   cd libimobiledevice-windows
   ./ideviceinstaller.exe --install ~/Music/iTunes/iTunes\ Media/Mobile\ Applications/YouTube\ 17.15.1.ipa
   

Tips:

• ideviceinstaller prompts Could not connect to lockdownd. Exiting., I re-plugged the USB several times and it was resolved

Video

https://www.youtube.com/watch?v=8b1ZF0--KGk

You can also do without the server

Read from here