11-12-2011, 10:49 PM #1
How does APTicket work and why can it not be bypassed in iOS 5
Why can't iOS 5 firmware be downgraded to other iOS versions (like 5.0.1 to 5.0)? I understand that a cryptographic nonce is generated that is to be signed before an iOS 5 firmware can be installed, but I can't see how this is a problem. There are no hardware-based measures in place that generate and verify a signed nonce, so if I theoretically had a bit-by-bit copy of all the mutable memory I have on my iPod touch running 5.0, upgraded to 5.0.1, and then restored the iPod's internal memory exactly to its previous state (running 5.0), it would never know that I had upgraded to 5.0.1.
11-12-2011, 11:11 PM #2
Not only is it based on your unique device, but now there is an added protection that generates a ticket on a random number on every restore and boot.
11-13-2011, 07:37 AM #3
I understand that, but the process must be explained in more detail and my theoretical situation must be addressed.
11-13-2011, 10:29 PM #4
If the pseudorandom number was generated on every boot, then I would have to restore my iPod every time I turn it off.
11-14-2011, 01:25 AM #5
Patching out the nonce generation in LLB and checks later on in the chain are likely trivial. Problem is, that breaks the cryptographic signature on LLB that is checked every boot by the bootrom. While writing unsigned code is possible via the limera1n exploit, the device will refuse to load LLB and thus not boot...
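A small simulation of the nonce-bound ticket check the thread describes, added here as an example; it is not code from the thread or from Apple's implementation. It plays through the thought experiment in post #1: a ticket obtained during one restore is bound to the nonce the device generated then, so replaying it after the device has picked a fresh nonce fails, and editing the nonce field breaks the signature. The HMAC key stands in for the signing server's key (the real ticket uses an asymmetric signature), and the ECID, field names and nonce sizes are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the signing server's key. A real ticket is signed
# asymmetrically, so the device would only hold the public half.
SIGNING_KEY = b"constructed-signing-server-key"


def canonical(fields: dict) -> bytes:
    """Serialise the ticket fields deterministically so that signing and
    verification hash exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_ticket(ecid: str, nonce: bytes, version: str) -> dict:
    """Signing server: issue a ticket bound to this device's ECID and to the
    nonce the device generated for this particular restore or boot."""
    fields = {"ecid": ecid, "nonce": nonce.hex(), "version": version}
    sig = hmac.new(SIGNING_KEY, canonical(fields), hashlib.sha256).hexdigest()
    return {"fields": fields, "sig": sig}


def device_verify(ticket: dict, ecid: str, current_nonce: bytes) -> bool:
    """Device side of the check: the signature must cover the fields as
    presented AND the ticket's nonce must match the nonce of this boot."""
    expected = hmac.new(SIGNING_KEY, canonical(ticket["fields"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["sig"]):
        return False  # any edited field (ECID, nonce, version) fails here
    fields = ticket["fields"]
    return fields["ecid"] == ecid and fields["nonce"] == current_nonce.hex()


def replay_scenario() -> dict:
    """Replay the thread's experiment: keep the ticket from a 5.0 restore and
    try to reuse it once the device has generated a fresh nonce."""
    ecid = "000000DEADBEEF01"  # constructed device identifier
    nonce_restore = secrets.token_bytes(20)
    saved = sign_ticket(ecid, nonce_restore, "5.0")
    results = {"original_boot": device_verify(saved, ecid, nonce_restore)}
    nonce_later = secrets.token_bytes(20)  # fresh nonce on the next restore/boot
    results["replayed_ticket"] = device_verify(saved, ecid, nonce_later)
    # Rewriting the nonce field to match the new nonce invalidates the signature.
    edited = {"fields": dict(saved["fields"], nonce=nonce_later.hex()),
              "sig": saved["sig"]}
    results["edited_nonce"] = device_verify(edited, ecid, nonce_later)
    return results
```

Only `original_boot` comes back true; both the replayed and the edited ticket are rejected, which is the point posts #2 and #5 make about why a saved memory image does not help.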