HITS

Tuesday, 18 July 2017

iPhone Custom Firmware | iPhone iCloud Bypass

Hi everyone. Many people have been asking me about flashing custom iOS firmware with a patched Setup.app, so I decided to run an experiment and verify it. In theory, you can flash modified firmware and unlock the device using the patched firmware. If you read the instructions for modifying firmware, it sounds like it should work.

I got the decryption keys and modified it myself, and always got error 14 while trying to flash it to an iPhone 5. My first idea about the problem was that it was encrypted incorrectly or maybe used a different file structure. I decided to run a simple experiment that would make it clear whether it is even possible to flash a custom firmware at all, even one that is not really modified.

I added 1 byte to the end of the iOS firmware dmg file and verified that the file system structure was still easy to decrypt and unpack, so it was not damaged by the modification. So I was sure that the iOS device would unpack it without errors and that it was 100% valid firmware. Finally, I tried to flash it, but always got error 14 via iTunes; I also tried Pangu and other ways to flash the firmware.

This shows that flashing firmware works this way:

  • iTunes or any other app just uploads the unpacked firmware files to the iOS device.
  • iTunes sends the device a “start flash” command.
  • The iOS device verifies the files itself and validates the checksums.
  • If the checksum is correct, the firmware is flashed; if not, flashing fails.

In fact, there is no difference between the various programs that flash iOS firmware. They all do the same thing: upload it to the device and send the “start flash” command. This shows that modifying iTunes or any other application that flashes firmware will never help.

It is really hard to debug and find out how iOS makes and verifies the hash sum, because that needs access to device memory, but it should be protected by an RSA key, so it is not possible to generate your own valid hash.
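As an added illustration (not part of the original post, and not Apple's actual scheme), here is a toy model of the check the post infers: the device hashes the image and checks an RSA signature over that hash made with the vendor's private key, so the 1-byte append from the experiment fails verification, and a signature made without the real private key fails too. The key, image bytes and function names are constructed for this example.

```python
import hashlib

# Toy RSA key built from two Mersenne primes (publicly known and trivially
# factorable): for demonstration only, never use such a key for real signing.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # the "vendor's" private exponent


def digest_int(data: bytes) -> int:
    """SHA-256 of the image as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_image(image: bytes, d: int = D) -> int:
    """Vendor side: textbook RSA signature over the image digest (no padding)."""
    return pow(digest_int(image), d, N)


def verify_image(image: bytes, signature: int) -> bool:
    """Device side: recover the signed digest and compare with a fresh hash."""
    return pow(signature, E, N) == digest_int(image)


# Constructed sample bytes standing in for a firmware component.
ORIGINAL = b"constructed-firmware-image-v1" * 8
SIGNATURE = sign_image(ORIGINAL)          # shipped alongside the image


def demo() -> dict:
    tampered = ORIGINAL + b"\x00"          # the post's 1-byte append
    forged = sign_image(tampered, d=12345) # "signing" without the real key
    return {
        "original_ok": verify_image(ORIGINAL, SIGNATURE),
        "tampered_reused_sig": verify_image(tampered, SIGNATURE),
        "tampered_wrong_key": verify_image(tampered, forged),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the untouched image with its original signature is accepted; changing a single byte, or re-signing with any key other than the vendor's, is rejected, which is the behaviour the error 14 result suggests.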

Result: flashing custom firmware using only the filesystem decryption keys is not possible. So don’t spend any time trying to flash custom firmware.