I said yesterday, even if I don't believe it, I will download a lot of firmware and wait for the "masters" to be downgraded. I also sacrificed 500g on my hard drive for this. Now I'm really going to be more angry!
Some brothers have also raised the issue of downgrade verification. What's going on here?
Why do we have the mobile phone, but the right to downgrade is in Apple's hands? What I'm going to bring today is Apple's downgrade mechanism-
First, the era of offline upgrade
A long time ago, in the era of allowing offline upgrades, Apple actually could not control the user's system version.
In this way, users can lift the system version at will. (But at that time, users were eager for more functions, and probably only wanted to upgrade rather than downgrade).
There is no information about verification firmware and signature firmware in iPhone 3GS and earlier machines produced before the 49th week of 2009, that is, you can download the firmware directly and brush the machine, just like the current Android system. Therefore, the equipment before this can be brushed at will, and any version can be brushed.
Second, the initial stage of the online upgrade era.
At the initial stage after canceling the offline upgrade, the iOS device will connect to the server, send the device information, and pass the version verification.
Then you can upgrade after you get permission. At this time, the method of cracking is to save the "license" of the server in advance and then replay it. (i.e. save SHSH)
For the machines produced after 49 weeks in 2009 and the iPhone 4 after that, Apple added a verification mechanism through the processor, and the brush machine must sign the firmware.
Obtain the authorization file to sign the firmware. This authorization document is what we call SHSH. By fixing the processor vulnerability, Apple prohibits verifying locally signed firmware in iPhone 4s and later devices, so iPhone 4s and later models cannot bypass verification through local signatures.
When 4S was first introduced, it was iOS5. However, due to the different authentication mechanisms between iOS6 and iOS7, users before iOS6 must upgrade to iOS6 before upgrading to iOS7 and later. Time has passed. At that time, iOS5 could not be directly upgraded to the latest system, while iOS6 supported OTA upgrade to the latest system.
In order to ensure that users of iOS5 can upgrade to the latest version of iOS, Apple has opened up verification, allowing these users to upgrade to iOS 6. 1.3 first, and then upgrade to iOS 9 through iOS 6. 1.3.
The principle of the 4s downgrade tutorial on the network is to change the version number of iOS to iOS 5, then trick Apple into getting the upgrade license of iOS 6, and then install iOS 6 completely. That's why this demotion requires jailbreaking.
At present, Apple's improved online verification method is that when iOS devices are upgraded, in addition to sending device information, a nonce will be generated to participate in the verification. So bootloader can't be fooled by recording and replaying.
The verification logic is realized by bootloader, and the code is protected by the main chip, which is not easy to be tampered with.
The unique key of the chip is hidden in OTP, which can only be used and cannot be read, so it is difficult to forge the client request;
Coupled with the use of asymmetric algorithm, the signature on the server side is also difficult to forge;
Therefore, two-way verification is mandatory+verification logic is protected+verification key is protected, so at present, it is in the skyrocketing stage.
Some brothers may think of forgery, which is ok, but the verification server can forge, but the verification result can't be forged, so we can only intercept the real server result and replay it, which is the power of digital signature.
Third, the brush machine is downgraded.
My old buddy doesn't know if he noticed this when he was brushing the machine:
Contact the iPhone software update server.
Verify the updated iPhone software.
Verify the updated iPhone firmware.
If it is a system version without a verification channel, even if it is successfully swiped in, it will not pass the activation. For example, there was an activation error when the developer didn't have permission to brush the beta before.
Speaking of iphone, you must use iTunes, and you must be connected to the Internet to swipe your card.
Before iTunes starts brushing, it will check whether the current iphone model allows brushing the currently selected firmware. In other words, Apple allows you to brush whatever you want. As for why the server can't be forged, I guess it is verified by SSL certificate. Apple's SSL certificate cannot be forged, so it is impossible to forge the server.
So, if you really want to forge, unless you meet the following two conditions.
1, crack the version of iTunes killing code verification system;
2. Find out the communication protocol between iTunes and Apple authentication server, and make a fake server, so that you can brush in any version of firmware.
Fourth, the brushing process
I'm here to describe the process of brushing, and analyze the reasons why I can't brush at will:
1, you download a firmware in ipsw format from the Internet, open iTunes, connect your mobile phone, and the firmware can be swiped in;
2. In fact, in the process of brushing, the data flows like this: "ipsw file->; iTunes-& gt; Cpu of iOS device->; Flash memory /eMMC for iOS devices "
3. One of the key points is that only CPU can write firmware into Flash/eMMC, so whether you can brush the computer successfully depends on whether CPU agrees or not. If the CPU doesn't agree, you can't brush it in.
4. Since the iOS device is completely encrypted, writing to the flash memory /eMMC should be encrypted first. This encryption key is written inside the CPU, and only the CPU knows it. And the key of each device is different.
5. Therefore, if you don't have the key, you can't write the correct data into Flash/eMMC, even if you remove Flash/eMMC and brush it in.
The CPU's decision needs to verify the firmware signature from the Apple server. If the firmware signature is correct, it can be brushed into the firmware. So iTunes must ask the Apple server for the signature of this firmware and provide it to the CPU. Apple server decides whether to provide signature or not according to the authenticity and version number of this firmware. So the Apple server has the right to decide whether you can brush the firmware.
You can imagine the following scenario:
ITunes: I want to brush in this firmware.
CPU: Then you have to provide the signature of this firmware.
ITunes asks Apple's verification server for the signature of this firmware.
ITunes: This is the signature of this firmware.
CPU: This signature is true! This bag can be brushed in.
If the firmware is out of date, the following will happen:
ITunes: I want to brush in this firmware.
CPU: Then you have to provide the signature of this firmware.
ITunes asks Apple's verification server for the signature of this firmware.
Apple Authentication Server: This firmware has expired, so I can't provide you with a signature. Digital signature uses asymmetric encryption technology, which is unforgeable. So you can't forge your own signature)
Although a digital signature cannot be forged, it can be saved and replayed. A few years ago, you can use SHSH to brush in old firmware, which is the principle. You can imagine the following scenario:
ITunes: I want to brush in this firmware.
CPU: Then you have to provide the signature of this firmware.
ITunes took out an old signature that had been collected for many years.
ITunes: This is the signature of this firmware.
CPU: This signature is true! This bag can be brushed in.
(In fact, a fake verification server will be built to provide iTunes with old signatures collected for many years. )
This replay attack is easy to avoid, so now SHSH is useless. You can imagine the following scenario:
ITunes: I want to brush in this firmware.
CPU: Then you have to provide the signature of this firmware, which contains the random number fasdjhpgia;;
In the old signature in the collection, the random number is not fasdjhpgia, but another one, so it cannot be used.
Finally, an easy-to-understand question:
For example, the iPhone is a submarine that can launch nuclear bombs. At the earliest time, it only needed a command from the captain to launch a nuclear bomb directly (offline upgrade and downgrade era).
Later, the high-level officials thought it was impossible, so they asked to talk to the president before launching the nuclear bomb, confirm it, and launch it after receiving the confirmation instruction (online verification).
But terrorists (hackers) found a way to crack the telephone line in the president's office and connect it to their own homes.
When a nuclear submarine calls for launching a nuclear bomb, terrorists will imitate the tone and voice of the president and make the submarine think it is true.
The top still thinks it's no good. First of all, they overhaul all the telephone lines, which greatly improves the security (there is no way after A5).
Then add a string of passwords generated in time when verifying, and the two sides can only pass after matching, so there is no other way except the equipment leaks.
So if SHSH is saved, it can be downgraded, and some machines with boot holes can be directly downgraded.
But in this case, it cannot be activated, and it can only be pseudo-activated.
Space is limited, so be it. Does the old buddy know Apple's verification mechanism?