Oğuzhan Varsak

Developer

How Apple Completely Prevented Users from Downgrading iOS

Part 1

A long time ago, Apple allowed firmware updates to be performed offline, which made it impossible for them to control which firmware version ran on these devices.

After that feature was removed (early on), an iOS device connects to an Apple server, sends its device information, and, through “signed” firmware, receives a digital signature that authorizes the upgrade.

The way to bypass this check was to save the digital signature and replay it later (known as “saving SHSH”).

Apple fixed this by having the device send a random value called a “nonce” during the upgrade, so a saved signature can no longer be used to trick the bootloader.

We come to the first conclusion:

  • The verification logic runs in the bootloader, whose code is protected by the main chip's “secure boot” chain, so it is hard to alter that code (i.e., to change it as a “man in the middle”).
  • The only key is hidden in OTP memory: you can USE the key but you can't READ it, so it is theoretically impossible to fake a client request.
  • It uses asymmetric cryptography, which makes it very hard to counterfeit the server's digital signature.

So: forced data-exchange verification + protected verification logic + protected verification key. This is currently impossible to crack.

Part 2

Part 1 gave the detail of how the code is securely processed by the system; here I will explain why you can't flash the device to whatever version you like, using an easier mental model of how the flashing process works.

A normal procedure for flashing an iOS device works like this:

  • you download a firmware file with the .ipsw extension;
  • you open iTunes and connect your phone;
  • the firmware is then flashed onto your device.

In fact, during the flashing process the data travels like this:

  • .ipsw —> iTunes —> iOS’s CPU —> iOS’s Flash/eMMC

The key to this whole thing is that ONLY the CPU can write the firmware into Flash/eMMC, so everything depends on whether the CPU agrees to let you flash the device; if the CPU calls your firmware fake news, your success rate for flashing it onto the device is 0.00069%.

(Now people ask, “why don't you just bypass the CPU and write directly to Flash/eMMC?” This is because an iDevice is COMPLETELY ENCRYPTED (yes, the whole thing), meaning that all data going to Flash/eMMC HAS to be encrypted. The encryption key is burned INSIDE the CPU, only the CPU knows it, and every device has a different key.)

(So without the key you can't write correct data to Flash/eMMC; even desoldering the chips themselves (the Flash/eMMC) from the motherboard won't work.)

So how does the CPU decide whether it should flash the device? You need the firmware verification from the Apple server. If the firmware signature is correct, then the firmware can be flashed. So iTunes has to request the firmware signature from the Apple server and provide it to the CPU. The Apple server checks the firmware's authenticity and version to decide whether it should provide the digital signature. So ONLY the Apple server has the power to allow a firmware flash.

You can think of it this way (role-play):

iTunes: I wanna flash a device using this firmware

CPU: you need to provide a verified signature that matches this firmware

(iTunes asks the Apple server for the signature)

iTunes: here’s the signature

CPU: this signature is real! This firmware can be used to flash this device.

If Apple stops signing this firmware, it’ll look like this :

iTunes: I wanna flash a device using this firmware

CPU: you need to provide a verified signature that matches this firmware

(iTunes asks the Apple server for the signature)

Apple Server: this firmware is unsigned, I can't provide you a signature.

(A digital signature uses asymmetric cryptography, meaning a signature cannot be counterfeited without the private key.)

But even though a digital signature can't be counterfeited, you can keep one and use it when you need it.

A few years ago, flashing firmware with a saved SHSH relied on exactly this principle.

Think of it this way :

iTunes: I wanna flash a device using this firmware

CPU: you need to provide a verified signature that matches this firmware

(iTunes takes out the Digital Signature it collected a long time ago from your computer)

iTunes: here’s the signature

CPU: this signature is real! This firmware can be used to flash this device.

(In reality, the tools you use for blobs/SHSH need to present a fake server to iTunes.)

This replay attack is really easy to prevent, and SHSH no longer works.

Think of it this way :

iTunes: I wanna flash a device using this firmware

CPU: you need to provide a verified signature, and that signature needs to include some randomly generated digits/number, as follows: “GuvfNppbhagJnfOnaarqSbeZrzrf,……(lbhgh.or/5-I-HvrRhMV)”; this old digital signature doesn't include these random digits “GuvfNppbhagJnfOnaarqSbeZrzrf,……(lbhgh.or/5-I-HvrRhMV)”, so it is invalid.

You can counterfeit the verification server, but you can't counterfeit the result of the verification; you can only intercept the real server's digital signature and replay it to the CPU, and that is what makes the digital signature so powerful.

It wasn't completely blocked in the good old days: the first iPhone and iPod Touch could be flashed at any time, the iPod Touch 2nd generation can be downgraded to 2.x, and the iPhone 3GS and iPod Touch 3rd generation can be downgraded directly to iOS 4.1.

As for how they restrict custom flashing, it is simply that the bootloader no longer has the exploits (they're patched) that allowed counterfeiting the firmware; on top of that come server-verified flashing, disk-partition hashing and the digital signature, and the A5 chip and later added the nonce to stop tools like TinyUmbrella.
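As an added illustration (not code from the original post), here is a toy model of the flow described above: the server signs a ticket over the firmware hash, the device's ECID and, in the nonce era, a fresh per-restore nonce, while the bootloader holds only the public key and checks both the signature and the nonce. The key pair, ECID and firmware hashes are constructed toy values (assumptions), and the tiny RSA modulus is for illustration only.

```python
import hashlib
import os

# Constructed toy RSA key pair (assumption: tiny primes, illustration only, nothing
# like Apple's real key). Only the "server" holds D; devices hold just E and N.
_P, _Q = 1000003, 1000033
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def _payload(fw_hash, ecid, nonce):
    # What a ticket covers: firmware identity, the device's ECID and, in the nonce era, the challenge.
    return fw_hash + ecid.to_bytes(8, "big") + (nonce or b"")

class AppleServer:
    """Issues a ticket only for firmware still on its signing list."""
    def __init__(self, signed_firmware):
        self.signed = set(signed_firmware)

    def request_ticket(self, fw_hash, ecid, nonce=None):
        if fw_hash not in self.signed:
            return None  # "this firmware is unsigned, I can't provide a signature"
        return {"nonce": nonce, "sig": pow(_digest(_payload(fw_hash, ecid, nonce)), D, N)}

class Bootloader:
    """Holds only the public key; nonce_enforced=False models the pre-A5 era."""
    def __init__(self, ecid, nonce_enforced=True):
        self.ecid, self.nonce_enforced, self.nonce = ecid, nonce_enforced, None

    def begin_restore(self):
        self.nonce = os.urandom(20)  # fresh per restore, so an old ticket can't match
        return self.nonce

    def accept(self, fw_hash, ticket):
        if ticket is None or (self.nonce_enforced and ticket["nonce"] != self.nonce):
            return False  # no ticket, or a replayed ticket signed over a different nonce
        return pow(ticket["sig"], E, N) == _digest(_payload(fw_hash, self.ecid, ticket["nonce"]))

def demo():
    old_fw, new_fw, ecid = hashlib.sha256(b"old-ios").digest(), hashlib.sha256(b"new-ios").digest(), 0x1234
    server, dev = AppleServer([old_fw, new_fw]), Bootloader(ecid)
    fresh = dev.accept(new_fw, server.request_ticket(new_fw, ecid, dev.begin_restore()))
    saved = server.request_ticket(old_fw, ecid, dev.begin_restore())  # "saving SHSH" while signed
    legacy_saved = server.request_ticket(old_fw, ecid)  # pre-nonce ticket: no challenge inside
    server.signed.discard(old_fw)  # Apple stops signing the old version
    unsigned = dev.accept(old_fw, server.request_ticket(old_fw, ecid, dev.begin_restore()))
    replay = dev.accept(old_fw, saved)  # old nonce no longer matches -> rejected
    legacy_replay = Bootloader(ecid, nonce_enforced=False).accept(old_fw, legacy_saved)
    return {"fresh": fresh, "unsigned": unsigned, "replay": replay, "legacy_replay": legacy_replay}
```

Running `demo()` shows the saved ticket still working on a pre-nonce bootloader but being rejected once the nonce is enforced, while overwriting the nonce field on a saved ticket breaks its signature instead.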
