Hi everyone. Many people have asked me about flashing custom iOS firmware with a patched Setup.app, so I decided to run an experiment and verify it. In theory you can flash a modified firmware and unlock the device with it, and if you read the instructions for modifying firmware it sounds like it should work.
I obtained the decryption keys and modified the firmware myself, but I always got error 14 when trying to flash it to an iPhone 5. My first thought was that it had been re-encrypted incorrectly, or that it used a different file structure. So I designed a simple experiment to find out whether it is even possible to flash a custom firmware at all, one that is not really modified.
I appended 1 byte to the end of the iOS firmware dmg file and verified that the filesystem was still easy to decrypt and unpack, so the modification had not damaged it. I was therefore sure that the iOS device would unpack it without errors and that it was a 100% valid firmware. Finally I tried to flash it, but I always got error 14 via iTunes, and I also tried Pangu and other ways to flash the firmware.
This makes it clear that flashing firmware works like this:
1. iTunes, or any other app, just uploads the unpacked firmware files to the iOS device.
2. iTunes sends the device a "start flash" command.
3. The iOS device verifies the files itself and validates their checksums.
4. If the checksums are correct the firmware is flashed; if not, the flash fails.
In fact there is no difference between any of the tools that flash iOS firmware. They all do the same thing: upload the files to the device and send the "start flash" command. So modifying iTunes, or any other application that flashes firmware, will never help.
It is really hard to debug and find out how iOS computes and verifies the hash, because that needs access to device memory, but the hash should be protected by an RSA key, so it is not possible to generate your own valid hash.
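The flashing model above (host uploads and sends "start flash"; the device recomputes a hash and checks it against a signature it alone can verify), as an added illustration that is not code from this post or from Apple: a toy textbook-RSA model in which only the signer holds the private exponent and the device holds the public key. The primes, the sample image and the error string are constructed for this example and do not reflect Apple's real scheme.

```python
import hashlib

# Toy parameters, constructed for this example: two Mersenne primes give a
# modulus N of about 234 bits, larger than a SHA-224 digest, so textbook RSA
# (no padding) can sign the digest directly. Not Apple's real key or scheme.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: known only to the signer


def image_digest(image: bytes) -> int:
    """Hash of the firmware image as an integer below N."""
    return int.from_bytes(hashlib.sha224(image).digest(), "big")


def sign_image(image: bytes) -> int:
    """Signer side: produce the signature the device will check."""
    return pow(image_digest(image), D, N)


def device_flash(image: bytes, signature: int) -> str:
    """Device side: recompute the hash and compare it with the signed value.
    Only N and E are needed here; the host tool takes no part in the decision."""
    if pow(signature, E, N) == image_digest(image):
        return "flashed"
    return "error: hash does not match signature"


def host_flash(image: bytes, signature: int) -> str:
    """Host side (iTunes or any other tool): upload, then send 'start flash'."""
    uploaded = bytes(image)  # the device receives exactly what was sent
    return device_flash(uploaded, signature)


# Constructed sample: a signed image, and the same image with one byte appended,
# mirroring the experiment in the post.
ORIGINAL_IMAGE = b"constructed firmware image payload"
ORIGINAL_SIGNATURE = sign_image(ORIGINAL_IMAGE)
MODIFIED_IMAGE = ORIGINAL_IMAGE + b"\x00"


def run_experiment() -> dict:
    """Flash the untouched image and the one-byte-modified image."""
    return {
        "original": host_flash(ORIGINAL_IMAGE, ORIGINAL_SIGNATURE),
        "modified": host_flash(MODIFIED_IMAGE, ORIGINAL_SIGNATURE),
    }
```

Because the check runs on the device and the expected hash is bound to a signature the host cannot produce, changing the host tool or the image alone cannot make the modified case pass.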
Result: flashing custom firmware using only the filesystem decryption keys is not possible. So don't spend time trying to flash custom firmware.