iPhone How does ios verify the firmware when restoring?

[demonguy]

As far as i know, ios restore firmware following these steps

1. transfer ios ipsw firmware into iphone.
2. iphone calculate firmware hash, and generate a random number
3. itunes transfer this hash and random number to apple server
4. if this firmware is legal, then return signature.
5. iphone then verify the signature, if OK, flash it into emmc.

But i have an question, how does iphone be able to calculate the hash of firmware? since most ios devices only have 1GB memory, and firmware is bigger then 1GB, i think it's impossible for iphone to calculate the whole hash of firmware, right?

And another question may be off topic, The lowest level restore method i know is DFU, but DFU is still a software which is in emmc right? what if emmc is erased and empty? Is there any method to flash ios if emmc have nothing?

 

[bbrks]

You are obviously asking these questions, because you have something in mind, right?
So, why don't you tell us something about it.....

 

[demonguy]

You are obviously asking these questions, because you have something in mind, right?
So, why don't you tell us something about it.....

I'm not sure what you mean....

I'm just curious about how does "SHSH BLOB" work.
If apple server can return a "SHSH blob" for a certain firmware, it means "SHSH BLOB" will definitely have some hash information of the certain firmware, and ios device should verify it. Since most of IOS devices only have 1GB memory. how could it calculate the hash?

 

[bbrks]

Well, OK, than I didn't quite understand you.
BTW, SHSH blobs don't work anymore, since IOS 6.X

 

[demonguy]

Well, OK, than I didn't quite understand you.
BTW, SHSH blobs don't work anymore, since IOS 6.X

I know, i'm not talking about "back up SHSH blobs." There are random numbers in blob, so replaying attack doesn't work. I just want to know how does ios devices verify the firmware

 

[Applejuiced]

I know, i'm not talking about "back up SHSH blobs." There are random numbers in blob, so replaying attack doesn't work. I just want to know how does ios devices verify the firmware

It contacts and verifies if the ios version you're trying to install is approved by apple's servers before it allows the restore/update to go thru.
If the ios version is still signed by Apple's servers the install/restore/update is allowed to go on, if not you get the error message below.

 

[demonguy]

But if ios doesn't verify the whole firmware, how does it know THIS is the version? I can just replace the contents of the IOS 9.2 by IOS9.1, but still use IOS 9.2 signed version

 

[Applejuiced]

I'm not 100% of every detail but obviously its not as simple as replacing the contents of the .ipsw to something else.
If it was that easy it would have been done years ago.

 

[dembu19]

But if ios doesn't verify the whole firmware, how does it know THIS is the version? I can just replace the contents of the IOS 9.2 by IOS9.1, but still use IOS 9.2 signed version

Generally It calculates the checksum of the ipsw file and compare with the checksum on the server.

 

[Carlanga]

But if ios doesn't verify the whole firmware, how does it know THIS is the version? I can just replace the contents of the IOS 9.2 by IOS9.1, but still use IOS 9.2 signed version

checksum always causing trouble Believe me if it was that easy to spoof a fw then everybody would have done it already.

 

[PsyVamp]

Generally It calculates the checksum of the ipsw file and compare with the checksum on the server.

I need to know what .dll or .exe file does the checksum, and also for the comparison of the sums.
I once (with only a hex-editor) hacked the key activation for a program. I figured out which .dll did the math on the key, Did my modification.
And the end result was, i could put what ever i wanted for the key, even incorrect chars like !@#.?$%^&*()_+-=,
and it would take it as correct!

 

[Applejuiced]

I need to know what .dll or .exe file does the checksum, and also for the comparison of the sums.
I once (with only a hex-editor) hacked the key activation for a program. I figured out which .dll did the math on the key, Did my modification.
And the end result was, i could put what ever i wanted for the key, even incorrect chars like !@#.?$%^&*()_+-=,
and it would take it as correct!

Good luck, you are not hacking apple's activation and restore servers though.
Maybe you can bypass some cheap freeware programs restrictions but you will no able to sign and install unsupported ios firmware versions.

 

[bbrks]

It amuses me every single time when I see, how some people are trying to break unbreakable. Such an enthusiasm

 

[darricksailo]

As far as i know, ios restore firmware following these steps

1. transfer ios ipsw firmware into iphone.
2. iphone calculate firmware hash, and generate a random number
3. itunes transfer this hash and random number to apple server
4. if this firmware is legal, then return signature.
5. iphone then verify the signature, if OK, flash it into emmc.

But i have an question, how does iphone be able to calculate the hash of firmware? since most ios devices only have 1GB memory, and firmware is bigger then 1GB, i think it's impossible for iphone to calculate the whole hash of firmware, right?

And another question may be off topic, The lowest level restore method i know is DFU, but DFU is still a software which is in emmc right? what if emmc is erased and empty? Is there any method to flash ios if emmc have nothing?

If you want to know the details about how the restore process goes, I would give this video a watch:

Tihmstar describes quite a bit about the iPhone restore process