turn1pwastaken
/ ios16_downgrading.txt
Created
June 20, 2023 12:31
— forked from Cryptiiiic/ios16_downgrading.txt
The unfortunate state of iOS downgrading
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Unfortunately I have some bad news for downgrading. | |
| Before I explain the bad news at the end of this post, I first need to introduce a background of iOS devices. | |
| In iOS 16, Apple introduced a new firmware component known as Cryptex1. Technically, this is a "virtual" co-processor. | |
| It's purpose is to allow Apple to push RSRs (Rapid Security Responses) which are separate from traditional iOS updates and can be installed much faster. | |
| Like other firmwares, it also has a signing ticket locked to a cryptographic nonce (number-used-once). | |
| We commonly refer to the Apple signing tickets as SHSH blobs. | |
| Meaning the firmware can't be installed without a valid signing ticket as well as a matching nonce. | |
| The "big two" components we deal with signing/nonces are AP and SEP. AP is basically the main device chip (Application Processor). | |
| SEP is the security chip (Secure Enclave Processor). | |
| With regards to APNonce, Apple conveniently gave us the com.apple.System.boot-nonce NVRAM property which we use to set the APNonce generator. |