Presented at 33C3 (2016)
Dec. 28, 2016, 8:30 p.m.
This talk is about the iOS secure boot chain and how it changed throughout different iOS versions, while focusing on downgrading despite countermesures.
It will explain basics like what SHSH blobs and APTickets are and how IMG3 and IMG4 file format works.
Also a new technique called "prometheus" will be introduced which allows for the first time downgrading 64bit devices.
This talk shows how Apple's secure boot chain works and what changes where made with new software and hardware updates.
It explains how the boot/restore process works, what SHSH blobs and APTickets are and how they are structured.
Each time a new feature is introduced to improve the secure boot chain, a technique is shown how it can be bypassed in order to downgrade.
This talk recaps how it was possible to downgrade with TinyUmbrella and limera1n back in the old days and presents a new approach by showing how a technique called odysseus is able to downgrade newer 32bit devices.
It is pointed out why Basebands are such a pain when trying to downgrade, as well as why odysseusOTA is able to downgrade Basebands anyways.
Components new to 64bit devices like IMG4 file format and SEPOS are introduced and embedded into the context of downgrading.
At the end a new technique called "prometheus" is presented, which is the first one to be able to downgrade 64bit device and also the first method since the introduction of APTickets which *can* work without a Jailbreak or Bootrom/iBoot exploits.
I'm a 19-year-old student, living in germany.
I love exploiting and reverse engeneering and i'm especially attracted by apple iOS devices and their security.
I like looking at problems from different angles, to find the best solution.