Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Amatell4685

macrumors newbie
Original poster
Feb 8, 2019
18
0
Online Apple claim that a system restore via iTunes “erases” the solid state disk on your phone and installs a “new” and current and up to date version of iOS on your iPhone.

My question is: when they say erase - does this mean “properly” erase (Overwrite the contents of each memory location to say 0s), before then reformatting, and then putting on a new (new to your device) iOS image (and not merely your existing iOS, just “reset”)?

Or does it simply “reformat in the sense of writing a new file system with old data still (technically) present, or some variation of the above?

It’s just, if I wanted to “erase” or “wipe” a hard disk, I would use software to write 1’s and 0’s to each memory location on the disk (to truly erase all contents), before then reformatting and reestablishing a fresh file system and installing a fresh os image (ie not leave the existing os image intact - just “reset to factory settings” and in fact remaining the same original software program).

Can I ask how Apple’s “restore” process relates to this?

Many thanks
 

NoBoMac

Moderator
Staff member
Jul 1, 2014
6,244
4,931
It's all in here:

https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf

Basically, once you turn on a passcode for the device, storage gets encrypted, encryption key is stored in Secure Enclave, encrypted to your passcode. Each file is encrypted with a unique encrypted encryption key. Reset a phone, Secure Enclave gets wiped of all old encryption keys and all new encryption keys are generated, and storage is re-encrypted with a new key once passcode is set.
 

Amatell4685

macrumors newbie
Original poster
Feb 8, 2019
18
0
It's all in here:

https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf

Basically, once you turn on a passcode for the device, storage gets encrypted, encryption key is stored in Secure Enclave, encrypted to your passcode. Each file is encrypted with a unique encrypted encryption key. Reset a phone, Secure Enclave gets wiped of all old encryption keys and all new encryption keys are generated, and storage is re-encrypted with a new key once passcode is set.
I see, so that basically means if I were hoping to wipe the device utterly and install a new copy of the iOS - the technique I described essentially doesn’t do this. Downloading a new iOS would not achieve this?
 

Puonti

macrumors 68000
Mar 14, 2011
1,567
1,187
My understanding is that a fresh iOS install used the same method, so no.
 

chabig

macrumors G4
Sep 6, 2002
11,432
9,291
I see, so that basically means if I were hoping to wipe the device utterly and install a new copy of the iOS - the technique I described essentially doesn’t do this. Downloading a new iOS would not achieve this?
There is no benefit to overwriting 1s and 0s to each storage location. So because it is unnecessary, it’s not done. Just install the new OS and you’re good to go.
[doublepost=1556399505][/doublepost]
It’s just, if I wanted to “erase” or “wipe” a hard disk, I would use software to write 1’s and 0’s to each memory location on the disk (to truly erase all contents)
You would not need to do that if the drive is encrypted. Once the key is gone, all that remains is random garbage data.
 

NoBoMac

Moderator
Staff member
Jul 1, 2014
6,244
4,931
^^^^This.

To quote the linked document:

The “Erase all content and settings” option in Settings obliterates all
of the keys in Effaceable Storage, rendering all user data on the device cryptographically inaccessible. Therefore, it’s an ideal way to be sure all personal information is removed from a device before giving it to somebody else or returning it for service.
 
  • Like
Reactions: chabig

Amatell4685

macrumors newbie
Original poster
Feb 8, 2019
18
0
^^^^This.

To quote the linked document:
I see, it’s just the problem I was hoping to overcome was not the removal of my own user data - but the elimination of a version of iOS which I suspect may have been bugged with some spyware. My fear was I may have a (disguised) jail broken iOS, or some other form of modified iOS, in which the spyware may either be:

-somehow a part of a modified os, and thus in an area untouched by a restore (and thus left in tact), if the restore were merely updating iOS 12.1 to 12.2. I assume the encrypted region would not cover the os image, or anything in kernel space?

- or in having kernel access, may be stored in a location untouched by the remodel of just user data,

- or, even more troublingly, in a location that iOS restore would not be able to erase - (I know it is possible for malware to remain in portions of a disk even after attempts to wipe the contents in some instances of sophisticated malware)

Thus essentially what I was hoping to achieve was the true erasure of the existing iOS, as well as the spyware - wherever it was located - as part of the os image or stored elsewhere on the disk.

Essentially I do not know whether going into the apple shop and asking them to wipe the iPhone and install the latest iOS (12.2 rather than 12.1), would have been of any help in this regard?
 

chabig

macrumors G4
Sep 6, 2002
11,432
9,291
I assume the encrypted region would not cover the os image, or anything in kernel space?
There is no encrypted region. Every single bit in storage is encrypted. Also, kernel space doesn’t refer to an area on an SSD or hard disk, it refers to RAM that belongs to the kernel and is not reachable by non kernel processes.
 

Amatell4685

macrumors newbie
Original poster
Feb 8, 2019
18
0
There is no encrypted region. Every single bit in storage is encrypted. Also, kernel space doesn’t refer to an area on an SSD or hard disk, it refers to RAM that belongs to the kernel and is not reachable by non kernel processes.
Many thanks.

Ah, I know it refers to an area of RAM, I just thought perhaps there might be some kind of secondary storage analogous scenario I wasn’t aware of, or some form of partitioning that may separate “os” areas from “user” areas that the restore process would distinguish between. I feared it may not be as complete and total an erasure because of something (like) that.

It’s just I woke up with a colossal headache so (very lazily) I slung the “kernel space” notion in there as a sort of stab in the direction I was hoping to prompt discussion about (in case something along those lines came up). My apologies for asking a question, yet being so sloppy as to assemble it like that. Not feeling 100% today.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.