iDeviceReRestore utility for recovering 32-bit devices to any released version of iOS 9.x

You may remember the amazing news about a vulnerability found in iOS 9.x firmware that allows you to restore any 32-bit device.

If you have a saved digital signature, this utility allows you to restore any 32-bit device to any version of iOS 9.x firmware, regardless of the initially installed version, without any keys, additional software, or even a jailbreak.

As you can see from this description, this security gap has great potential and allows you to restore all 32-bit devices. In conjunction with the Home Depot jailbreak for iOS 9.1-9.3.4, all compatible devices will never be left without a jailbreak: they will always retain the ability to return to iOS 9 without fear of an update or recovery procedure.

The good news is that development of the iDeviceReRestore utility is complete and it is available to all users. The final version, built on the time-tested idevicerestore tool, was released thanks to the developers @alitek123, @Thmitt, and @JonathanSeals, who took advantage of the security flaw discovered by @alitek123. Beta testing was carried out by the developers @Mirko, @ee_csw and @DjSn0wfall.

To try the tool in action, it can be downloaded from the iDeviceReRestore website. The current version is 1.0.1, which fixed the dependency management problem present in the original release of the tool. Currently there are builds of the tool for Linux and macOS. There is no build for Windows, but I know of many examples of successful use of this tool inside a virtual machine.

Details about the operation of the tool:

  • Supports only 32-bit devices.
  • Recovery is only to firmware versions iOS 9.x.
  • The original firmware version may be any; tested versions range from iOS 6 to iOS 10.
  • A jailbreak of the original version is not necessary.
  • The process does not require keys, additional software or other special tools.
  • Saved digital signatures for the firmware version being installed are mandatory.
  • There are special requirements for the digital signatures. They cannot be of the kind received "over the air". You can use signatures from the "Erase" or "Update" category, although not all of them will be suitable for the process. The digital signatures must have been saved without the special one-time code (nonce). If the digital signature begins with the string "MIIKkj", then everything is fine and it can be used. If not, it may still work, but additional verification is required.
  • The method requires a signed "baseband", e.g. from Prometheus. However, most, if not all, devices should have a working baseband without problems, starting from the current iOS 10 version and the signed version received "over the air".
  • Restoring from iOS 9 to iOS 9 can be done in recovery mode; restoring from a non-iOS 9 version to iOS 9 must be done in DFU mode only.
  • For recovery in DFU mode, the digital signatures must contain separate iBSS tickets. Without them, these digital signatures can only be used to restore from an iOS 9 firmware version to an iOS 9 firmware version.

To check the compatibility of existing digital signatures with the iDeviceReRestore utility, you can use this nonce-checker service. Alternatively, open a digital signature in a text editor and check it for the presence of iBSS tickets and for the initial string mentioned above.
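The manual check described above (does the saved signature, i.e. the SHSH blob, start with "MIIKkj", and does it carry an iBSS ticket) can be scripted. The following is an added example, not code from the iDeviceReRestore project or the nonce-checker service. It assumes the blob is an XML plist in which the device ticket is stored under the key "APTicket" and each component ticket is a dictionary keyed "iBSS", "iBEC", etc. with a "Blob" data entry; the sample blob it builds is constructed, with synthetic ticket bytes, purely so the script runs offline.

```python
# Added example: a compatibility checker for saved digital signatures (SHSH blobs),
# applying the two tests from the article. Not the project's own code.
# Assumptions: XML plist layout, ticket under "APTicket", component tickets as
# dicts keyed "iBSS"/"iBEC"/... with a "Blob" data entry. Adjust keys if yours differ.
import base64
import plistlib

# A ticket whose base64 form starts with this is a DER SEQUENCE (bytes 30 82 0A 92 30 82 ...).
TICKET_PREFIX = "MIIKkj"


def make_sample_blob(include_ibss=True, good_ticket=True):
    """Build a constructed plist that mimics the layout of a saved blob.

    The ticket bytes are synthetic: a DER SEQUENCE header whose base64 form
    starts with "MIIKkj" (good_ticket=True), or arbitrary bytes (good_ticket=False).
    """
    ticket = bytes.fromhex("30820a9230820a7a") if good_ticket else b"\x01\x02\x03\x04"
    blob = {
        "APTicket": ticket,
        "iBEC": {"Blob": b"\x00" * 16, "Path": "Firmware/dfu/iBEC.CONSTRUCTED.RELEASE.dfu"},
    }
    if include_ibss:
        blob["iBSS"] = {"Blob": b"\x00" * 16, "Path": "Firmware/dfu/iBSS.CONSTRUCTED.RELEASE.dfu"}
    # XML plist: the base64 ticket is exactly what you would see in a text editor.
    return plistlib.dumps(blob)


def check_blob(blob_bytes):
    """Return the findings the article's manual text-editor check would produce."""
    plist = plistlib.loads(blob_bytes)
    ticket = plist.get("APTicket")
    ibss = plist.get("iBSS")

    ticket_prefix_ok = False
    if isinstance(ticket, bytes):
        encoded = base64.b64encode(ticket).decode("ascii")
        ticket_prefix_ok = encoded.startswith(TICKET_PREFIX)

    has_ibss = (
        isinstance(ibss, dict)
        and isinstance(ibss.get("Blob"), bytes)
        and len(ibss["Blob"]) > 0
    )

    return {
        "has_apticket": isinstance(ticket, bytes),
        "ticket_prefix_ok": ticket_prefix_ok,
        "has_ibss": has_ibss,
    }


def classify(findings):
    """Map findings onto the restore paths the article lists."""
    if not findings["has_apticket"]:
        return "unusable: no APTicket in blob"
    if not findings["ticket_prefix_ok"]:
        return "needs further verification: ticket does not start with MIIKkj"
    if findings["has_ibss"]:
        return "usable for DFU-mode restore (any original version -> iOS 9.x)"
    return "usable for recovery-mode restore only (iOS 9.x -> iOS 9.x)"


if __name__ == "__main__":
    for kwargs in ({}, {"include_ibss": False}, {"good_ticket": False}):
        findings = check_blob(make_sample_blob(**kwargs))
        print(kwargs or "full blob", "->", classify(findings))
```

To check real blobs, replace `make_sample_blob(...)` with the bytes read from each saved `.shsh` file; the "needs further verification" verdict mirrors the article's advice that a ticket not starting with "MIIKkj" may still work but must be checked by other means.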

According to developer @DjSn0wfall, Apple will not be able to close this vulnerability, for the following reasons. In DFU mode, the device waits to check the legitimacy of the signature component, which is the iBSS ticket. After loading a digital signature with an iBSS ticket we, strictly speaking, do not violate the security mechanism, and this allows us to load the signed iBEC component in the next step, which already contains the necessary gap: the absence of the special one-time code ("no-nonce"). After that, we initialize the device recovery process, ignoring any other security requirements and integrity checks. It should be noted that this flaw is also partially present from iOS 8 up to iOS 10.2.1, but in those versions it cannot be exploited.