iPhone: How does iOS verify the firmware when restoring?

Discussion in 'Jailbreaks and iOS Hacks' started by demonguy, May 4, 2016.

  1. demonguy, macrumors newbie (joined May 4, 2016) #1
    As far as I know, iOS restores firmware following these steps:

    1. Transfer the iOS IPSW firmware to the iPhone.
    2. The iPhone calculates the firmware hash and generates a random number.
    3. iTunes transfers this hash and random number to Apple's server.
    4. If this firmware is legal, the server returns a signature.
    5. The iPhone then verifies the signature and, if it is OK, flashes the firmware to the eMMC.

    But I have a question: how is the iPhone able to calculate the hash of the firmware? Since most iOS devices only have 1 GB of memory, and the firmware is bigger than 1 GB, I think it's impossible for the iPhone to calculate the hash of the whole firmware, right?

    And another question that may be off topic: the lowest-level restore method I know of is DFU, but DFU is still software that lives in the eMMC, right? What if the eMMC is erased and empty? Is there any method to flash iOS if the eMMC has nothing on it?
     
  2. bbrks, macrumors 65816 (joined Dec 17, 2013) #2
    You are obviously asking these questions because you have something in mind, right?
    So why don't you tell us something about it...
     
  3. demonguy (thread starter), macrumors newbie (joined May 4, 2016) #3
    I'm not sure what you mean....

    I'm just curious about how "SHSH blobs" work.
    If Apple's server can return an "SHSH blob" for a certain firmware, it means the "SHSH blob" will definitely contain some hash information for that firmware, and the iOS device should verify it. Since most iOS devices only have 1 GB of memory, how could it calculate the hash?
     
  4. bbrks, macrumors 65816 (joined Dec 17, 2013) #4
    Well, OK, then I didn't quite understand you.
    BTW, SHSH blobs don't work anymore since iOS 6.x.
     
  5. demonguy (thread starter), macrumors newbie (joined May 4, 2016) #5
    I know, I'm not talking about "backing up SHSH blobs." There are random numbers in the blob, so a replay attack doesn't work. I just want to know how iOS devices verify the firmware.
     
  6. Applejuiced, macrumors Westmere (joined Apr 16, 2008; location: At the iPhone hacks section.) #6
    It contacts Apple's servers and verifies that the iOS version you're trying to install is approved before it allows the restore/update to go through.
    If the iOS version is still signed by Apple's servers, the install/restore/update is allowed to go on; if not, you get the error message below.
     

    Attached Files:

  7. demonguy (thread starter), macrumors newbie (joined May 4, 2016) #7
    But if iOS doesn't verify the whole firmware, how does it know THIS is the version? I could just replace the contents of iOS 9.2 with those of iOS 9.1 but still use the signed iOS 9.2 version.
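Added example (editor's illustration, not any poster's code and not Apple's restore code): a Python model of the nonce-bound, per-component signing check sketched in the five steps of post #1, which also exercises the substitution scenario from post #7. Everything in it is an assumption made for the example: the two sample builds, the component names, the manifest layout, the ECID/nonce field names, the server's list of still-signed versions, and the HMAC that stands in for the vendor's private-key signature so the block runs on the standard library (a real ticket is an asymmetric signature the device checks with a public key it ships with). What it shows: each component is hashed chunk by chunk, so the device never needs the whole image in memory; the ticket covers the digest of every component plus the device ID and a fresh nonce; and swapping in components from another build, replaying an old ticket, or editing the ticket body each fails a different check.

```python
"""Model of a nonce-bound, per-component firmware signing check.

Constructed illustration only: the images, manifest layout, field names and
the HMAC "signature" are assumptions made for this example, not a vendor's
format or code.
"""
import hashlib
import hmac
import json
import os

CHUNK = 64 * 1024  # bytes hashed per step; memory use does not grow with image size


def fake_image(tag: str, size: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for a firmware component."""
    out, ctr = bytearray(), 0
    while len(out) < size:
        out += hashlib.sha256(f"{tag}:{ctr}".encode()).digest()
        ctr += 1
    return bytes(out[:size])


# Constructed sample builds: two versions, two components each (not real iOS files).
FIRMWARE = {
    "9.2": {"iBSS": fake_image("ibss-9.2", 65_536), "kernelcache": fake_image("kc-9.2", 300_000)},
    "9.1": {"iBSS": fake_image("ibss-9.1", 65_536), "kernelcache": fake_image("kc-9.1", 300_000)},
}


def stream_digest(blob: bytes) -> str:
    """Hash one component chunk by chunk: the whole image is never needed at once."""
    h = hashlib.sha256()
    for i in range(0, len(blob), CHUNK):
        h.update(blob[i:i + CHUNK])
    return h.hexdigest()


def build_manifest(components: dict) -> dict:
    """Per-component digests: the data the signing server is asked to sign."""
    return {name: stream_digest(blob) for name, blob in sorted(components.items())}


def canonical(body: dict) -> bytes:
    """Stable byte encoding of the ticket body, so signer and verifier hash the same thing."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


# ---- "server" side ----------------------------------------------------------
# Assumption: a shared HMAC key stands in for the vendor's private signing key so the
# example runs with the standard library. A real ticket is an asymmetric signature the
# device checks with a public key burned into it, so the device itself cannot forge one.
SERVER_KEY = b"constructed-server-secret-not-a-real-key"
CURRENTLY_SIGNED = {"9.2"}  # server-side policy: builds the vendor will still sign


def tss_server(version: str, manifest: dict, ecid: int, nonce: bytes):
    """Return a signed ticket, or None if the build is not (or no longer) signed."""
    if version not in CURRENTLY_SIGNED:
        return None
    if manifest != build_manifest(FIRMWARE[version]):
        return None  # digests must be the ones the vendor published for that build
    body = {"version": version, "ecid": ecid, "nonce": nonce.hex(), "manifest": manifest}
    return {"body": body, "sig": hmac.new(SERVER_KEY, canonical(body), "sha256").hexdigest()}


# ---- device side ------------------------------------------------------------
def device_verify(ticket, ecid: int, nonce: bytes, components: dict) -> str:
    """Accept only a ticket for this device, this restore's nonce, and these exact images."""
    if ticket is None:
        return "refused"
    expected_sig = hmac.new(SERVER_KEY, canonical(ticket["body"]), "sha256").hexdigest()
    if not hmac.compare_digest(ticket["sig"], expected_sig):
        return "bad-signature"
    body = ticket["body"]
    if body["ecid"] != ecid or body["nonce"] != nonce.hex():
        return "ticket-not-for-this-restore"  # replayed, or another device's ticket
    for name, blob in sorted(components.items()):
        # each component is hashed as it is loaded and compared with its signed digest
        if stream_digest(blob) != body["manifest"].get(name):
            return f"component-mismatch:{name}"
    return "ok"


def restore(version: str, images_to_flash: dict, ecid: int, nonce=None) -> str:
    """One restore: request a ticket for `version`, then try to flash `images_to_flash`."""
    nonce = os.urandom(20) if nonce is None else nonce
    shipped_manifest = build_manifest(FIRMWARE[version])  # manifest as shipped with the build
    ticket = tss_server(version, shipped_manifest, ecid, nonce)
    return device_verify(ticket, ecid, nonce, images_to_flash)


def replay_attempt(ecid: int) -> str:
    """A ticket saved from an earlier restore fails once the device has a fresh nonce."""
    old = tss_server("9.2", build_manifest(FIRMWARE["9.2"]), ecid, os.urandom(20))
    return device_verify(old, ecid, os.urandom(20), FIRMWARE["9.2"])


if __name__ == "__main__":
    ecid = 0x1234_5678_9ABC
    print(restore("9.2", FIRMWARE["9.2"], ecid))  # ok
    print(restore("9.1", FIRMWARE["9.1"], ecid))  # refused: 9.1 is no longer signed
    print(restore("9.2", FIRMWARE["9.1"], ecid))  # component-mismatch:iBSS (9.2 ticket, 9.1 images)
    print(replay_attempt(ecid))                   # ticket-not-for-this-restore
```

The third call is the post #7 scenario: the 9.2 ticket is genuine and its signature checks out, but the first component loaded from the 9.1 images hashes to a different digest than the one the ticket carries, so the restore stops there. The server never sees a "whole IPSW" hash at all, only the list of per-component digests, which is why a device with far less RAM than the firmware size can still verify it.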
     
  8. Applejuiced, macrumors Westmere (joined Apr 16, 2008; location: At the iPhone hacks section.) #8
    I'm not 100% sure of every detail, but obviously it's not as simple as replacing the contents of the .ipsw with something else.
    If it was that easy, it would have been done years ago.
     
  9. dembu19, macrumors member (joined Dec 14, 2013; location: Poland) #9
    Generally it calculates the checksum of the IPSW file and compares it with the checksum on the server.
     
  10. Carlanga, macrumors 604 (joined Nov 5, 2009) #10
    Checksums always cause trouble :p Believe me, if it was that easy to spoof a firmware, everybody would have done it already.
     
  11. PsyVamp, macrumors newbie (joined Jun 28, 2017) #11
    I need to know which .dll or .exe file does the checksum, and also the comparison of the sums.
    I once (with only a hex editor) hacked the key activation for a program. I figured out which .dll did the math on the key and made my modification.
    The end result was that I could put whatever I wanted for the key, even incorrect chars like !@#.?$%^&*()_+-=,
    and it would take it as correct!
     
  12. Applejuiced, macrumors Westmere (joined Apr 16, 2008; location: At the iPhone hacks section.) #12
    Good luck; you are not hacking Apple's activation and restore servers, though.
    Maybe you can bypass some cheap freeware program's restrictions, but you will not be able to sign and install unsupported iOS firmware versions.
     
  13. bbrks, macrumors 65816 (joined Dec 17, 2013) #13
    It amuses me every single time when I see how some people are trying to break the unbreakable. Such enthusiasm :)
     
  14. darricksailo, macrumors 601 (joined Dec 18, 2012) #14
    If you want to know the details about how the restore process goes, I would give this video a watch:

    Tihmstar describes quite a bit about the iPhone restore process.
     
