
Downgrading iOS:

From past to present


By: tihmstar
Topics:
iOS boot chain + changes

SHSH Blobs & APTickets

Past downgrade tools/methods

IMG3/IMG4 file format

Baseband and SEPOS problem

New 64bit downgrade method


iOS boot chain

Normal boot: Bootrom -> iLLB -> iBoot -> Kernel, SEPOS
DFU: Bootrom -> iBSS -> iBEC -> Ramdisk, Kernel, SEPOS
(SEPOS: 64 bit only)

iOS History
iPhone 2G

iPhone OS 1 - 3: pre-signed, downgrade possible

iPhone 3G

iPhone OS 2 - 3: pre-signed, downgrade possible

iOS 4: software SHSH check

downgrade possible with hacks


iPhone 3G iOS4

[Diagram: Normal boot: Bootrom -> iLLB -> iBoot -> Kernel. DFU: Bootrom -> iBSS -> iBEC -> Ramdisk, Kernel. The Bootrom is labelled "no check!"; the later stages are labelled SHSH.]

SHSH blobs

Introduced to control what iOS versions can be installed

Need to be requested from Apple while restoring

SHSH = Signed hash of firmware+ECID

Unique for every device


SHSH/IMG3
iBSS (IMG3)
iOS History

iPhone 3Gs / iPhone 4

iOS 3 - 4: SHSH check (hardware enforced)

iOS 5 - 7: APTicket
iPhone 4/3Gs (<iOS5)

[Diagram: Normal boot: Bootrom -> iLLB -> iBoot -> Kernel. DFU: Bootrom -> iBSS -> iBEC -> Ramdisk, Kernel. Every stage, including the Bootrom, is labelled SHSH.]

iOS 3 - 4 downgrade

SHSH blobs = sig(SHA1(iBoot))

replay attack possible!

save SHSH with TinyUmbrella/Cydia/iFaith

replay even if Apple doesn't sign anymore


APTicket (IMG3)
ASN1 formatted container

Contains:

ECID, BoardID, ChipID

Hashes of all boot files

Nonce

Packed in IMG3 and flashed with boot files


32 bit devices (iOS5+)

[Diagram: Normal boot: Bootrom -> iLLB -> iBoot -> Kernel. DFU: Bootrom -> iBSS -> iBEC -> Ramdisk, Kernel. Labels: SHSH at the Bootrom stage; APTicket on the normal boot stages; APTicket +nonce on the DFU stages.]

APTicket (IMG3)

[Figure: APTicket (IMG3) with its fields marked: ECID, device vals, nonce, signature]

Downgrade with limera1n

Patch APTicket checks in iBSS/iBEC

Boot iBSS/iBEC/ramdisk/kernel without APTicket

Restore with previously saved APTicket

Nonce isn't checked on normal boot


limera1n (up to iPhone4)

[Diagram: Normal boot: Bootrom -> iLLB -> iBoot -> Kernel, labelled SHSH, APTicket, APTicket. DFU: Bootrom -> (limera1n) -> iBSS (patch) -> iBEC (patch) -> Ramdisk, Kernel.]

What about newer devices?
Background info

Firmware files are encrypted

Decryption not possible after kernel booted

Disabled by hardware since iPhone4s

iBoot/Bootrom exploit required to get keys


New possibilities
Private iBoot exploits + hardware hacking give us firmware keys

Publicly available for some devices/iOS

kloader by @winocm can bootstrap image from kernelmode

Allows jumping back to bootloader (eg. iBSS)
odysseus (by @xerub)
Uses jailbreak, tfp0 and kloader to bootstrap iBSS

I call this kDFU (kernelDFU) mode (similar to pwnDFU with limera1n)

Firmware decryption not possible in kDFU

Solution: build custom firmware!

iBSS, iBEC, ramdisk, kernel and filesystem are decrypted
odysseus
1. Normal boot: Bootrom -> iLLB (old) -> iBoot (old) -> Kernel (old); labels: SHSH, APTicket, APTicket
2. Jailbreak
3. kloader: kDFU -> iBSS (dec, patch) -> iBEC (dec, patch) -> Ramdisk, Kernel
4. Restore
5. Boot: Bootrom -> iLLB (new) -> iBoot (new) -> Kernel (new); labels: SHSH, APTicket, APTicket

Baseband problem
Baseband security improved too!

Downgrade not really possible

Fewer people care about Baseband since carriers started to sell unlocked phones

Common practice: not updating Baseband

Many non-default iOS/Baseband combinations working

Some are not!


Baseband problem
We know new iOS + old Baseband works

Other way around works too (if gap isn't too big)

odysseus uses this fact

Keeps Baseband (with its signature/ticket) when downgrading

Since iPhone4s Baseband is stored on filesystem

Patching firmware is required to keep Baseband from being updated


odysseusOTA
Apple signs iOS 6.1.3 OTA for iPhone4s and iPad2

Same applies for 8.4.1 OTA for some devices

Idea: use fresh OTA ticket and Baseband ticket for restore

Baseband downgrade possible

Discovered by @xerub and me around the same time

Normal and OTA tickets differ only by ramdisk hash

Doesn't matter because of kloader


odysseus limitations

odysseus works only for 32bit devices

Firmware keys are required

Custom bundles are required (for patches)

Not available for all devices / iOS combinations


What about 64bit devices?
64bit devices
IMG4 file format for boot files

Secure Enclave Processor is new to 64bit devices

Used for TouchID, Encryption and more (required for booting)

Has its own nonce which needs to be in APTicket

No known exploits
IMG4 file format
ASN1 formatted container, DER encoded

Signed IMG4 = IM4P (payload) + IM4M (manifest)

IM4M is taken from the APTicket

Every IMG4 has a copy of IM4M

No need for a ticket-only file

Required for SEP?
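
An added example, not taken from the slides or from img4tool: a minimal DER walker that pulls the payload type and the embedded IM4M out of an IMG4 container, so the manifest copies carried by two boot files can be compared. The field layout (IA5String magics, IM4M wrapped in a [0] tag) is the commonly documented one and is an assumption here; the sample containers are constructed placeholders.

```python
import hashlib

def tlv(tag, value):                      # DER builder for the constructed sample
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(b)]) + b + value

def read_tlv(buf, off=0):                 # one single-byte-tag TLV -> (tag, value, next)
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[off:off + length], off + length

def children(value):                      # all TLVs inside a constructed value
    off, out = 0, []
    while off < len(value):
        tag, val, off = read_tlv(value, off)
        out.append((tag, val))
    return out

def inspect_img4(blob):                   # -> (payload type, SHA-256 of IM4M or None)
    tag, body, end = read_tlv(blob)
    items = children(body) if tag == 0x30 and end == len(blob) else []
    if not items or items[0] != (0x16, b"IMG4"):
        raise ValueError("not an IMG4 container")
    ptype = digest = None
    for tag, val in items[1:]:
        inner = children(val)
        if tag == 0x30 and len(inner) > 1 and inner[0] == (0x16, b"IM4P"):
            ptype = inner[1][1].decode("ascii")
        elif tag == 0xA0 and inner and children(inner[0][1])[:1] == [(0x16, b"IM4M")]:
            digest = hashlib.sha256(val).hexdigest()
    return ptype, digest

# Constructed sample: placeholder payload bytes and an empty, unsigned manifest.
IM4M = tlv(0x30, tlv(0x16, b"IM4M") + tlv(0x02, b"\x00") + tlv(0x31, b"") + tlv(0x04, b"sig"))
def make_img4(ptype, data, im4m=IM4M):
    im4p = tlv(0x30, tlv(0x16, b"IM4P") + tlv(0x16, ptype) + tlv(0x16, b"demo") + tlv(0x04, data))
    return tlv(0x30, tlv(0x16, b"IMG4") + im4p + tlv(0xA0, im4m))
```

Calling `inspect_img4` on two containers and comparing the returned digests shows whether they carry the same manifest copy. The walker reads only the top-level fields and does not descend into the manifest body.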


IMG4 file format
64bit devices

[Diagram: Normal boot: Bootrom -> iLLB -> iBoot -> Kernel, SEPOS; each stage after the Bootrom is labelled APTicket. DFU: Bootrom -> iBSS -> iBEC -> Ramdisk, Kernel, SEPOS; each stage after the Bootrom is labelled APTicket +apnonce +sepnonce.]

Can we still downgrade?
YES!
Downgrade plan 64bit

Baseband/iOS mismatch possible

Does that work for SEP too?

Every IMG4 file contains APTicket (IM4M)

Do they need to be the same?


Downgrade plan 64bit

[Diagram: DFU -> iBSS -> Recovery: nonces don't change!]

Downgrade plan 64bit
Same nonce for DFU->iBSS->iBEC

Also applies for iBoot->iBEC

SEP nonce is ignored in iBSS, iBEC

Only matters when booting SEP

What if you could predict/re-generate ApNonce?


prometheus (by @tihmstar)
Let's assume we can predict ApNonce

Replay attack -> ramdisk boot possible!

SEP needs to be booted

Just use (possibly newer) signed SEPOS!

Restore signed SEPOS

Restore (possibly newer) signed Baseband


prometheus
1. Recovery boot: Bootrom -> iLLB (old) -> iBoot (old) -> iBEC; labels: APTicket, APTicket, APTicket (rpl) +apnonce
2. Restore: Ramdisk, Kernel with APTicket (rpl) +apnonce; SEPOS (signed) with APTicket2 (sig) +sepnonce
3. Boot: Bootrom -> iLLB (new) -> iBoot (new) -> Kernel (new), SEPOS (signed); labels: APTicket, APTicket, APTicket, APTicket2



How to predict ApNonce?
OTA update procedure
Stores ramdisk in memory, sets bootarg and reboots

Ramdisk not encrypted, boot files are

Can't request APTicket while in recovery

APTicket needs to be requested before recovery

Something is stored -> updater can predict nonce once
Nvram

IONVRAM.h on opensource.apple.com
Predict ApNonce
Generator is saved in nvram (once requested from lockdownd)
Is consumed after one reboot
com.apple.System.boot-nonce=0x0ede59d61b53b8f0
Generates this nonce (on my iPhone6):
04c12ca2bfeb9b6af3e8db318349261190123861
Nonce is the SHA1 of the little-endian generator:
nonce=SHA1(bytestr(f0b8531bd659de0e))
Permissions=kOFVariablePermKernelOnly
Requires a kernel patch for reading/writing
Writing to nvram
ApNonce collisions?
Nonce is 20 bytes

2^160 = 1.4615016 *10^48 possibilities (too many!)

Generator is 8 bytes

2^64 = 1.8446744 *10^19

Still too many (unless you're NSA)

Just for fun I still tried on my iPhone5s


ApNonce collisions?

5 Nonces make ~ 20%!

We can work with that!


Community test results
multiple iPhone5s iOS 9.3.2 - 9.3.5 generated same nonce

multiple iPad Airs (on close iOS versions) generated same nonces

Seems like collisions are possible for some device/iOS combinations

This can be used to downgrade without jailbreak!

Do your own tests + get APTickets!


Downgrade scenario (no JB)
Update to new iOS

Figure out what nonces are generated most often

Request APTicket for old iOS (while signed) with that ApNonce

Downgrade when signing window closes

Chaining up iOS versions is possible


eg. iOS 10 -> 9.3.5 -> 9.3.2
prometheus limitations
Relies on Baseband/SEP/iOS versions not tied together

Checks can be added

SEP + Baseband are latest signed version

Might not work with old iOS versions

ApNonce must be predictable

iBoot might change how Nonce is generated


eg. Nonce=gen(generator + salt)
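
An added example, not from the slides or from tihmstar's tools: the nonce derivation stated on the "Predict ApNonce" slide, a model of the freshness check that nonce feeds, and the salted variant mentioned above as a possible change. The function names, the salt, the second generator and the sample observations are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct
from collections import Counter

def generator_bytes(generator: int) -> bytes:
    """The 8-byte generator in little-endian order, as fed to the hash."""
    return struct.pack("<Q", generator)

def apnonce(generator: int) -> bytes:
    """Slide's rule: nonce = SHA1(little-endian generator), 20 bytes."""
    return hashlib.sha1(generator_bytes(generator)).digest()

def salted_apnonce(generator: int, salt: bytes) -> bytes:
    """Hypothetical 'gen(generator + salt)' variant from the limitations slide."""
    return hashlib.sha1(generator_bytes(generator) + salt).digest()

def ticket_is_fresh(ticket_nonce: bytes, boot_nonce: bytes) -> bool:
    """Freshness check only: the ticket must carry this boot's nonce."""
    return hmac.compare_digest(ticket_nonce, boot_nonce)

def replay_outcomes(saved_gen: int, boot_gen: int, salt: bytes) -> dict:
    """Would a ticket saved for saved_gen pass the freshness check later?"""
    old = apnonce(saved_gen)
    return {
        "generator_repeats": ticket_is_fresh(old, apnonce(saved_gen)),
        "generator_changes": ticket_is_fresh(old, apnonce(boot_gen)),
        "repeats_but_salted": ticket_is_fresh(old, salted_apnonce(saved_gen, salt)),
    }

def repeat_share(observed: list, top: int = 5) -> float:
    """Fraction of observed nonces covered by the `top` most common values.
    With no repeats this is top/len(observed); anything higher means reuse."""
    counts = Counter(observed)
    return sum(n for _, n in counts.most_common(top)) / len(observed)

if __name__ == "__main__":
    GEN = 0x0ede59d61b53b8f0                  # generator quoted on the slide
    print(generator_bytes(GEN).hex())         # byte string fed to SHA1
    print(apnonce(GEN).hex())                 # compare with the nonce on the slide
    print(replay_outcomes(GEN, 0x1122334455667788, b"constructed-salt"))
    sample = [apnonce(g) for g in (1, 2, 1, 3, 1, 2, 4, 5)]   # constructed observations
    print(repeat_share(sample, top=2))
```

The check only holds as a freshness guarantee when the generator changes unpredictably on every boot or the derivation mixes in a value an old ticket could not have anticipated.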
Future downgrades

Saving APTicket is always a good idea!

Even if you can't downgrade now

Maybe new bugs in future

Maybe new techniques in future


Tools used
tsschecker

For requesting APTicket from Apple with lots of customization possibilities

img4tool

For manipulating IMG4, IM4P, IM4M files, eg. viewing, stitching IMG4, checking IM4M

futurerestore

Allows restoring using prometheus downgrade method

All of these are (or will be) open source!


Q&A
