iOS jailbreak related knowledge reference
iOS is iPhone OS. The iPhone is a smartphone, and the iPhone OS operating system is deployed on its hardware. This operating system is like Windows CE or Windows Mobile. A simple comparison: iPhone OS (the operating system) is to the iPhone (the hardware platform) what Windows XP is to our x86 and x64 home PCs, or what WinCE is to embedded hardware.
Second, what is the difference between the locked version and the unlocked version?
There are two kinds of iPhone, the locked version and the unlocked version. A locked version has a network lock, which means it is bound to a carrier, such as AT&T for the US version or O2 for the UK version. This kind of phone works only with the SIM card of the corresponding carrier; insert any other card and it cannot be used. People usually call this machine "Xiaobai". Usually this kind of iPhone is bought by signing a 1-2 year contract with the carrier, committing to a monthly spend on the phone account, and getting the phone at a discount or for free. In this way the price of the iPhone is converted into phone bills paid to that carrier. If you want to use another card, the iPhone needs to be jailbroken and unlocked; only through these two processes can a locked iPhone use another carrier's card. Unlocking is further divided into hardware unlocking and software unlocking, which will be discussed later.
The unlocked version is also called the official unlocked version, for example the Hong Kong or United Arab Emirates unlocked versions (Hong Kong also has Hutchison Whampoa's "3" customized iPhone). Generally the price of this kind of phone is higher, but the advantage is that any carrier's SIM card can activate the iPhone and it can be used normally. These phones only need to be jailbroken, not unlocked.
(For how to unlock, search Baidu.)
The iPhone 2G (first generation) is locked in all cases.
Third, what is jailbreaking? Why jailbreak?
Jailbreaking refers to taking advantage of certain loopholes in the iOS system to obtain root rights on iOS through instructions, and then changing some programs to strengthen the iPhone's functions and break through its closed environment. The iPhone is closed when first bought. As ordinary users we cannot get root rights on iPhone OS and cannot install arbitrary software onto the phone. We can only buy software through the iTunes Store in iTunes (there is also free software) and then copy the legally obtained software to the phone by Apple-approved methods (iTunes connects to the iPhone and synchronizes). But in this way we users are firmly bound to Apple's jurisdiction. Some useful software that is not necessarily in Apple's interest will never enter the iTunes store. For example, we cannot install SSH on iOS, copy files within iOS, or install input methods that suit us better. All this software needs a higher level of permissions, which Apple does not allow.
To use our iPhone better, we jailbreak it. Jailbreaking is not necessary, but after jailbreaking the phone is more refreshing, convenient and fun to use. After jailbreaking you can use a lot of software for free, which further improves the usability of the phone.
Fourth, what is unlocking? Why unlock?
Because locked iPhones exist, if you want to use another carrier's SIM card you must unlock. If you don't need to change carriers, you certainly don't need to unlock. But a US version imported into mainland China, for example, cannot use AT&T there, so it can only be unlocked.
There are two ways to unlock: hardware unlocking or software unlocking. Before software unlocks were released it was all hardware unlocking, and the most common hardware unlock was using unlock cards. If cards don't work, there is an ultimate unlocking method, but only Apple officials can do it, because we don't know the key. Just as you cannot enter a room without the key, you cannot completely unlock without the key. After we gradually understand the iPhone baseband, NOR, firmware and so on, we will discuss the problem of perfect unlocking in more depth.
Cracking is usually understood as "unlocking + jailbreaking". For many iPhone users (especially users of US iPhones in mainland China), both are necessary (jailbreaking is of course not strictly necessary, just more fun), so many cracking guides put the unlocking and jailbreaking methods together.
5. What is firmware? How to update the firmware?
Firmware is the carrier of the iPhone's basic iOS storage and communication module software; it is equivalent to the computer's operating system (such as Windows XP) or, at a higher level, the BIOS. Without firmware the iPhone is just hardware without a brain, like buying a computer without an operating system. Firmware can be thought of as the operating system.
Looking deeper, the iPhone's firmware is divided into an application part and a baseband part. The application part mainly refers to the iPhone OS operating system, i.e. iOS, and the baseband is mainly the iPhone's communication system. These two parts are combined into one xxxx.ipsw file, which contains the iPhone's firmware.
Updating the firmware is equivalent to reinstalling the operating system, and is done with "restore iPhone firmware" in iTunes. For the first and second generation iPhones before the 3GS, due to the lack of security measures, we can directly download Apple's firmware file (xxx.ipsw) and restore it. On the 3GS and later it cannot be restored this way, because for a firmware file downloaded from the network we could directly modify its contents and jailbreak, and Apple certainly won't allow that. If we want to restore (or update) the firmware of a 3GS, which has an added encryption mechanism, we must first go to Apple's activation server to check whether the firmware file (xxx.ipsw) we are about to restore really comes from Apple. The server checks the signature of this firmware; if it is not official, then sorry, the user cannot restore it. This leads to the next topic: SHSH and a self-built Apple firmware recovery authentication server.
6. What is ECID? What is SHSH? How to back up SHSH? How to revert to the original iOS version?
The fundamental reason for introducing this topic is that Apple forbids you to use old firmware versions. Once "upgraded", it cannot be "downgraded". When you choose to restore old firmware, they usually have iTunes receive a command refusing to perform the restore, thus preventing you. You see, current firmware is signed, and it is signed against a globally unique identifier (the ECID) specific to your device. Apple uses a unique method to generate a hash value covering the corresponding firmware version and your ECID. iTunes receives this hash value and sends it to your device. When your device receives it, it immediately checks and verifies the signature (to make sure this firmware really comes from Apple; the encryption algorithm is very complicated and cannot be cracked for now). If the signatures match, the firmware restore continues; if not, the device reports an error and the restore is aborted.
However, thanks to Jay Freeman, we now know how to "fool" iTunes. Apple only provides signatures for the "active" firmware version, so once a new firmware version is released it stops signing the old one. That is why you can no longer get a signature for version 3.1.2. Now Apple only signs version 3.1.3 (3.2 for iPad) until the next firmware version is released. Soon the signature for 3.1.3 (and 3.2) will become history, because Apple will only sign the new version. The current version is what matters: if your device (ECID) does not have a valid signature for a given firmware version, it cannot be restored to that version. This problem recurs regularly, after each firmware update.
So, if there were a mechanism to save this signature, we could bypass Apple and restore any firmware version at will. If your device is jailbroken, use Cydia, and your SHSH file can be saved. On the other hand, if your device is not jailbroken, or not currently jailbroken, that is a great misfortune, because Cydia can only be used after jailbreaking.
ECID, the exclusive chip ID, is the ID number of an iPhone 3GS/iPhone 4; each one has its own unique ECID. With the ECID you can uniquely identify an iPhone. Moreover, the ECID is different from the serial number we get by dialing *#06# on the phone, although both uniquely identify a phone: the ECID is the unique number of the iPhone, while the latter is only the unique number of the iPhone's communication module.
SHSH is actually a signature code for a specific ECID + iOS version combination. For an iPhone 3GS or iPhone 4, if you want to upgrade to a certain version, you need to download from Apple's activation server a file that determines whether this version is legitimate for this phone. This file is xxxx.shsh.
This file is very important for jailbreaking. We must back up the SHSH file for each iOS version, so that when one day Apple no longer lets us restore that version, we can set up our own authentication server and restore the old, vulnerable version for jailbreaking.
To be more verbose: the concepts of ECID and SHSH only apply to the 3GS and above; the first and second generation iPhones need not be considered.
At present there are two main ways to back up SHSH. One is on a jailbroken phone: with Cydia, you can see the SHSH backup information (in English) on Cydia's home page. The other is through the software TinyUmbrella. This software is now very well done: when the iPhone is connected to the computer it can automatically read the ECID and then fetch a specific version's SHSH from Cydia or Apple. For restoring firmware, i.e. downgrading iOS, we still use TinyUmbrella. After importing the corresponding SHSH, Apple's authentication server can be simulated on the local computer and the firmware forbidden by Apple can be restored.
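Added example (not from the original article) modelling the ECID-bound signature check this section describes, with hypothetical names and an HMAC standing in for the real asymmetric signature: a ticket saved while the version was still signed verifies after the signing window closes, but only for the ECID and firmware image it was issued for.

```python
import hashlib
import hmac
import secrets
from typing import Optional
# Constructed model, not Apple's real format: the ticket binds a firmware digest to one
# ECID. The real check is an asymmetric signature against a public key in the boot
# chain; an HMAC stands in only so this runs with the standard library. All names
# (issue_shsh, device_accepts, the ECIDs and images) are hypothetical.
SIGNING_KEY = secrets.token_bytes(32)   # stands in for the signer's private key

def firmware_digest(ipsw_bytes: bytes) -> str:
    return hashlib.sha256(ipsw_bytes).hexdigest()

def ticket_mac(ecid: int, build: str, digest: str) -> str:
    msg = f"{ecid:016x}|{build}|{digest}".encode()
    return hmac.new(SIGNING_KEY, msg, "sha256").hexdigest()

def issue_shsh(ecid: int, build: str, ipsw: bytes, signing_window: set) -> Optional[dict]:
    """Signing server: hands out a ticket only while `build` is still being signed."""
    if build not in signing_window:
        return None                       # old version: no signature any more
    digest = firmware_digest(ipsw)
    return {"ecid": ecid, "build": build, "digest": digest, "sig": ticket_mac(ecid, build, digest)}

def device_accepts(device_ecid: int, ipsw: bytes, ticket: Optional[dict]) -> bool:
    """Device side: the ticket must name this ECID and this exact image, with a valid signature."""
    if ticket is None or ticket["ecid"] != device_ecid:
        return False
    if ticket["digest"] != firmware_digest(ipsw):
        return False
    expected = ticket_mac(ticket["ecid"], ticket["build"], ticket["digest"])
    return hmac.compare_digest(expected, ticket["sig"])

# Constructed sample data: two fake firmware images and two fake ECIDs.
IPSW_312 = b"constructed firmware image for build 3.1.2"
IPSW_313 = b"constructed firmware image for build 3.1.3"
MY_ECID = 0x000012345678ABCD
OTHER_ECID = 0x0000FEDCBA987654

def walkthrough() -> dict:
    """Back up a ticket while 3.1.2 is signed, then see what still works once the window closes."""
    saved = issue_shsh(MY_ECID, "3.1.2", IPSW_312, {"3.1.2"})   # backup made in time
    window_now = {"3.1.3"}                                       # new release: 3.1.2 no longer signed
    return {
        "server_still_signs_old": issue_shsh(MY_ECID, "3.1.2", IPSW_312, window_now) is not None,
        "saved_blob_restores_old": device_accepts(MY_ECID, IPSW_312, saved),
        "blob_on_other_device": device_accepts(OTHER_ECID, IPSW_312, saved),
        "blob_with_other_firmware": device_accepts(MY_ECID, IPSW_313, saved),
        "edited_ecid_rejected": device_accepts(OTHER_ECID, IPSW_312, {**saved, "ecid": OTHER_ECID}),
    }
```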
7. What is baseband? What is NOR? What is Seczone? What is NCK?
Baseband is the iPhone's communication system, which controls mobile communication, telephony, WiFi and Bluetooth. The iPhone has the related communication hardware and needs the baseband communication system as its driver. With a working baseband you can make phone calls, send and receive text messages and use 3G functions.
(Except WiFi, of course.) The baseband version can be viewed on the iPhone itself; look for the version number of the modem firmware used by the device. iOS and the baseband are relatively independent and work together. After a baseband upgrade many software unlocks become invalid and a locked iPhone becomes useless, and worst of all, the baseband can hardly be downgraded. Therefore, on a locked phone, baseband upgrades must be done cautiously and only after a crack is available. Of course, the unlocked version should also be cautious about baseband upgrades.
NOR is a flash memory chip, different from NAND flash, but both are memory chips. This kind of flash is used in the iPhone's baseband; NOR is the medium that stores the baseband.
Seczone is the internal authentication module of the baseband and belongs to the communication system. This authentication module is very strong: unless the content is code produced with Apple's specific private key, everything else is blocked. This makes the baseband hard to crack, and it cannot be cracked by brute force.
NCK is an unlock counter. It holds a count value; once it reaches a certain value, it permanently locks the iPhone to AT&T or the contract carrier of the relevant country (note: it depends on the country you bought the phone in).
With these concepts, we can discuss perfect unlocking.
Further discussion on perfect unlocking:
Eighth, how can we achieve perfect unlocking?
The baseband information in the iPhone is stored in NOR. Yes, the current state of the baseband is stored in NOR, including the iPhone's current lock state. When the iPhone left the factory it was locked to AT&T's network. Here someone asks: wouldn't it be perfect if we changed this state to unlocked? Yes, but the problems are:
1. NOR can only be read and written through the baseband firmware, that is, the baseband operating system. Moreover, the control of the seczone in NOR is very strict, so it is impossible to directly send write instructions.
2. The baseband firmware is digitally signed by Apple, which means the baseband will only run Apple's own firmware, signed with its 1024-bit private key.
3. Most importantly, we don't know what to write into the NOR seczone to unlock it, because the data in the NOR seczone is encrypted; it is not as simple as 0 meaning locked and 1 meaning unlocked. The NOR of each iPhone may be the same before encryption, but differs after encryption, and this encryption mechanism can only be undone with Apple's private key.
So, what do you need to do to achieve perfect unlocking?
In fact, you can send commands to the iPhone's baseband through minicom on the iPhone, and one of them is used to unlock. We know exactly what this command is: AT+CLCK="PN",0,"xxxxxxxx".
Notice the last eight X's? Those X's are your unlock code, technically called the NCK, the network control key. This key is different for every iPhone. I believe Apple generates these unlock codes through some random mechanism, then links them with the IMEI or serial number and stores them in its own database. When Apple officially provides unlocking in the future, they will tell you the unlock code based on your IMEI or serial number, achieving a perfect unlock.
But when you send the command, how does your iPhone know whether the unlock code is right or wrong? If the iPhone can tell right from wrong, that means the iPhone knows the unlock code, so can't we find this code somewhere on the iPhone and unlock perfectly? No!
In fact, what is saved on the iPhone is not the code itself but the hash value hash(code), generated through a special algorithm, and this algorithm is irreversible (just like MD5).
In layman's terms: Apple taught the iPhone a secret code book, telling it 1 = duck, 2 = chicken, 3 = goose, then encoded the unlock code 123 as "duck, chicken, goose" and stored that in the phone's NOR. At this point the iPhone does not know that the unlock code is 123; it only knows that if someone tells it 123, it computes the result according to Apple's code book, and if it equals "duck, chicken, goose", then the code the person spoke is correct. Of course, in reality the process is not that simple, otherwise you could crack the code by guessing. With current computing power it is almost impossible to calculate the unlock code back from the hash value.
So are we out of luck? Isn't it just an eight-digit number? Try everything from 00000000 to 99999999; one of them must be right, surely? This method is feasible in theory but not in practice, for two reasons:
1. By a rough calculation, it takes 35 days just to send the 100 million commands to the iPhone, never mind how long the iPhone needs to compute each one.
2. Crucially, there is an NCK counter in the baseband NOR seczone of the iPhone. Once you fail 3 to 10 attempts, your baseband will be permanently locked to AT&T.
So at present the iPhone has not been perfectly unlocked. I believe that unless Apple makes a big mistake there won't be one, unless Apple officially launches unlocking, which would be the perfect unlock.
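Added example (not from the original article) of the verification design this section describes: the baseband stores only a hash of the NCK and a failure counter, so a candidate can be checked but the code cannot be read back, and an exhaustive search is stopped by the counter long before the space is covered. SecZone and the other names are hypothetical, and SHA-256 stands in for the undisclosed algorithm.

```python
import hashlib
import hmac
import os

# Constructed model of the check described above, not the real baseband code: the
# seczone keeps only a salted hash of the 8-digit NCK plus a failure counter, and a
# few wrong answers lock the device for good. SHA-256 and the names SecZone,
# try_unlock and brute_force_outcome are hypothetical stand-ins.
MAX_FAILURES = 3   # the text gives 3 to 10 attempts; the lower bound is modelled here

def nck_hash(salt: bytes, nck: str) -> bytes:
    return hashlib.sha256(salt + nck.encode()).digest()

class SecZone:
    """State the baseband keeps: hash of the NCK (never the NCK itself) and a counter."""
    def __init__(self, nck: str):
        self.salt = os.urandom(16)
        self.stored = nck_hash(self.salt, nck)
        self.failures = 0
        self.unlocked = False
        self.permanently_locked = False

    def try_unlock(self, candidate: str) -> str:
        """Models the AT+CLCK unlock command's code being checked by the baseband."""
        if self.permanently_locked:
            return "permanently_locked"
        if hmac.compare_digest(nck_hash(self.salt, candidate), self.stored):
            self.unlocked = True
            return "unlocked"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.permanently_locked = True        # counter hit: locked to the carrier for good
            return "permanently_locked"
        return "wrong_code"

def brute_force_outcome(zone: SecZone) -> dict:
    """Walk the 8-digit space in order and report where the counter stops the search."""
    attempts = 0
    for n in range(10**8):
        attempts += 1
        if zone.try_unlock(f"{n:08d}") != "wrong_code":
            break
    return {"attempts": attempts, "unlocked": zone.unlocked, "locked": zone.permanently_locked}
```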