

Thread: How does APTicket work and why can it not be bypassed in iOS 5

Forum: iPod Touch Jailbreak / Upgrade / Downgrade / Restore (iPod Touch section)
  1. #1 Green Apple (joined Jan 2011, 31 posts)

    How does APTicket work and why can it not be bypassed in iOS 5
    Why can't iOS 5 firmware be downgraded to other iOS versions (like 5.0.1 to 5.0)? I understand that a cryptographic nonce is generated that is to be signed before an iOS 5 firmware can be installed, but I can't see how this is a problem. There are no hardware-based measures in place that generate and verify a signed nonce, so if I theoretically had a bit-by-bit copy of all the mutable memory I have on my iPod touch running 5.0, upgraded to 5.0.1, and then restored the iPod's internal memory exactly to its previous state (running 5.0), it would never know that I had upgraded to 5.0.1.

  2. #2 Megaorange (iPhoneaholic, joined Nov 2010, 459 posts)

    Not only is it based on your unique device but now there is an added protection that generates a ticket on a random number on every restore and boot.

  3. #3 Green Apple (joined Jan 2011, 31 posts)

    I understand that, but the process must be explained in more detail and my theoretical situation must be addressed.

  4. #4 Green Apple (joined Jan 2011, 31 posts)

    If the pseudorandom number was generated on every boot, then I would have to restore my iPod every time I turn it off.

  5. #5 Orby (Super Galactic Moderator, joined Aug 2010, 5,665 posts)

    Quote Originally Posted by Melab:
    If the pseudorandom number was generated on every boot, then I would have to restore my iPod every time I turn it off.
    I don't think the number is generated every boot, but only as a "run once" command upon being initially written to NAND.

    Patching out the nonce generation in LLB and checks later on in the chain are likely trivial. Problem is, that breaks the cryptographic signature on LLB that is checked every boot by the bootrom. While writing unsigned code is possible via the limera1n exploit, the device will refuse to load LLB and thus not boot...
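A simplified model of the chain the thread is discussing, added here as an illustration and not code from any of the posters: the signing server issues a ticket over the device id, a random nonce and a hash of the boot component, and the immutable first stage refuses to run that component unless the ticket matches all three. Following Megaorange's description, the model assumes the nonce is freshly generated by the boot chain on each restore rather than read back from storage; HMAC-SHA256 with a constructed key stands in for the vendor's real RSA signature, and all ids and images are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in: in reality the vendor signs with an RSA private key and
# the bootrom holds the public key. A shared HMAC key models "signed by the
# vendor, verified by the chain" without needing a third-party crypto library.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign(data: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def issue_ticket(ecid: bytes, nonce: bytes, llb: bytes) -> bytes:
    """Model of the signing server: the ticket binds the device id, the fresh
    nonce and the exact boot component it authorizes."""
    return sign(ecid + nonce + hashlib.sha256(llb).digest())


def bootrom_boot(ecid: bytes, nonce: bytes, llb: bytes, ticket: bytes) -> bool:
    """Model of the immutable first stage: run LLB only if the ticket matches
    this device, the nonce generated for this boot and this LLB image."""
    return verify(ecid + nonce + hashlib.sha256(llb).digest(), ticket)


def scenarios() -> dict:
    """Run the cases raised in the thread and report whether each one boots."""
    ecid = b"constructed-ecid-0001"
    llb = b"constructed LLB image: checks nonce"
    nonce_a = os.urandom(16)                      # nonce of the original restore
    ticket_a = issue_ticket(ecid, nonce_a, llb)   # ticket obtained for that restore
    nonce_b = os.urandom(16)                      # nonce the chain generates next time
    patched_llb = llb.replace(b"checks nonce", b"skips  nonce")
    return {
        # the restore the ticket was issued for
        "fresh_restore": bootrom_boot(ecid, nonce_a, llb, ticket_a),
        # the "bit-by-bit copy" idea: saved ticket, but the chain has a new nonce
        "replay_old_ticket": bootrom_boot(ecid, nonce_b, llb, ticket_a),
        # patching the nonce check out of LLB changes its hash, so the ticket no longer covers it
        "patched_llb": bootrom_boot(ecid, nonce_a, patched_llb, ticket_a),
        # a ticket issued for one device presented by another
        "other_device": bootrom_boot(b"constructed-ecid-0002", nonce_a, llb, ticket_a),
    }
```

Only the first case boots; the other three fail the single check in bootrom_boot, which is the point Orby makes about the bootrom refusing a modified LLB.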
