[Boot chain diagram labels: Bootrom, DFU Ramdisk, iBSS, iBEC, SEPOS, Kernel]
iOS History
iPhone 2G / iPhone 3G
[Boot chain diagram labels: DFU Ramdisk, iBSS, iBEC, SHSH, Kernel; SHSH blobs]
iOS 5 - 7: APTicket
iPhone 4/3Gs (<iOS 5)
[Boot chain diagram labels: Bootrom, SHSH, DFU Ramdisk, iBSS, iBEC, Kernel]
iOS 3 - 4 downgrade
Contains:
Nonce
[Boot chain diagram labels: Bootrom, SHSH, DFU Ramdisk, iBSS, iBEC, Kernel; APTicket + nonce]
APTicket (IMG3) contains: ECID, device values, nonce, signature
Downgrade with limera1n
5. Boot
[Boot chain diagram labels: Bootrom, iLLB (new), iBoot (new), Kernel (new); SHSH, APTicket]
Baseband problem
Baseband security improved too!
The other way around works too (if the gap isn't too big)
Idea: use fresh OTA ticket and Baseband ticket for restore
No known exploits
IMG4 file format
ASN.1 container, DER encoded
Recovery
Downgrade plan (64-bit)
Same nonce for DFU->iBSS->iBEC
IONVRAM.h on opensource.apple.com
Predict ApNonce
Generator is saved in nvram (once requested from lockdownd)
Consumed after one reboot
com.apple.System.boot-nonce=0x0ede59d61b53b8f0
Generates this nonce (on my iPhone6)
04c12ca2bfeb9b6af3e8db318349261190123861
SHA-1 of the little-endian generator:
nonce = SHA1(bytestr(f0b8531bd659de0e))
Permissions = kOFVariablePermKernelOnly
Requires a kernel patch for reading/writing
Writing to nvram
ApNonce collisions?
Nonce is 20 bytes
Generator is 8 bytes
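As an added example (not code from the talk or from the tools it names), the ApNonce derivation from the "Predict ApNonce" slides written out in Python, using the generator value shown above; the nonce printed on the page is kept only as a comparison value, and the 8-byte generator / 20-byte nonce sizes from the collision slide are checked as well.

```python
import hashlib
import struct

# Generator value as it appears in the nvram dump on the page (com.apple.System.boot-nonce)
PAGE_GENERATOR = "0x0ede59d61b53b8f0"
# ApNonce the page reports for that generator; used only for comparison, not recomputed by hand
PAGE_APNONCE = "04c12ca2bfeb9b6af3e8db318349261190123861"

GENERATOR_LEN = 8   # the boot-nonce generator is a 64-bit value (page: "Generator is 8 bytes")
APNONCE_LEN = 20    # SHA-1 digest length (page: "Nonce is 20 bytes")


def generator_to_le_bytes(generator: str) -> bytes:
    """Parse the nvram generator string (hex, optional 0x prefix) into its 8 little-endian bytes."""
    value = int(generator, 16)
    if value < 0 or value >= 1 << 64:
        raise ValueError("generator must fit in 64 bits")
    le = struct.pack("<Q", value)   # '<Q' = little-endian unsigned 64-bit
    assert len(le) == GENERATOR_LEN
    return le


def apnonce_from_generator(generator: str) -> str:
    """ApNonce = SHA-1 over the little-endian generator bytes, as the slides describe."""
    digest = hashlib.sha1(generator_to_le_bytes(generator)).digest()
    assert len(digest) == APNONCE_LEN
    return digest.hex()


def matches_page_value(generator: str = PAGE_GENERATOR) -> bool:
    """True if the derivation reproduces the nonce printed on the page for that generator."""
    return apnonce_from_generator(generator) == PAGE_APNONCE


if __name__ == "__main__":
    le = generator_to_le_bytes(PAGE_GENERATOR)
    print("generator (LE bytes):", le.hex())          # f0b8531bd659de0e
    print("ApNonce:", apnonce_from_generator(PAGE_GENERATOR))
    print("matches page value:", matches_page_value())
```

Because the nonce is a SHA-1 output, two different 8-byte generators collide only if their little-endian byte strings collide under SHA-1, which is why the generator size (2^64 values) and not the 20-byte nonce size bounds the usable space.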
img4tool
futurerestore