Monday, June 22, 2009

ECID field, downgrades no DICE

Apple added a new piece of security to the iPhone 3GS. I was sending the applelogo to the phone and it kept giving me "Memory Image Not Valid". Puzzled, since I knew iTunes sent this no problem, I dumped the USB communication. Seen that new thing, "Verifying iPhone restore with Apple"? It adds another tag to the img3 file inside the sig checked area, called ECID, which contains a unique id for the phone. INSIDE THE SIG CHECKED AREA. Then the server re-signs and sends you a new signature. Basically it generates a custom Img3 which only works on your specific phone.

This is bad news... They almost surely won't authorize downgrades on new phones. They might not even authorize downgrades on older phones. Get a USB dump of a restore to 7A341 if you ever want to go back (which you may need in order to use exploits). Unless of course it's broken deeply at the hardware level. Then lol @ Apple.
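To make the mechanism concrete, here is a small Python model of the check the post describes. It is an added illustration, not code from this post or from Apple: the header and tag layout follow the public Img3 description only in outline (reversed four-character magics, a signed-area length in the header, a tag list with the signature tag after the signed area), HMAC-SHA1 under a made-up key stands in for Apple's RSA signature so it runs offline, and the ECIDs and image bytes are constructed. The point it shows is the one in the post: because the ECID tag sits inside the signed area, a personalised image verifies only on the phone it was signed for, and editing the ECID bytes to match another phone invalidates the signature.

```python
"""Model of ECID-personalised Img3 verification (added illustration, not Apple code)."""
import hashlib
import hmac
import struct

# Header: reversed magic ("Img3" stored as b"3gmI"), full size, size without
# header, signed-area length, reversed ident. Simplified from the public layout.
HEADER = struct.Struct("<4sIII4s")
# Tag: reversed magic, total length including this header, payload length.
TAG_HDR = struct.Struct("<4sII")

# Constructed key standing in for Apple's private RSA key (assumption for the demo).
SIGNING_KEY = b"example-signing-key-not-real"


def rev(name):
    """Img3 stores four-character names byte-reversed on disk ("ECID" -> b"DICE")."""
    return name.encode("ascii")[::-1]


def tag(name, payload):
    """Encode one tag, padding the payload to a 4-byte boundary."""
    pad = (-len(payload)) % 4
    total = TAG_HDR.size + len(payload) + pad
    return TAG_HDR.pack(rev(name), total, len(payload)) + payload + b"\0" * pad


def build_img3(ident, payload, ecid=None):
    """Build and sign an image; when given, the ECID tag goes INSIDE the signed area."""
    signed = tag("DATA", payload)
    if ecid is not None:
        signed += tag("ECID", struct.pack("<Q", ecid))
    sig = hmac.new(SIGNING_KEY, signed, hashlib.sha1).digest()  # stand-in for RSA
    body = signed + tag("SHSH", sig)  # signature tag follows the signed area
    header = HEADER.pack(rev("Img3"), HEADER.size + len(body), len(body),
                         len(signed), rev(ident))
    return header + body


def parse_tags(blob):
    """Return (signed_len, [(name, offset, payload), ...]) for a blob."""
    magic, full, _, signed_len, _ = HEADER.unpack_from(blob, 0)
    if magic != rev("Img3") or full != len(blob):
        raise ValueError("not a well-formed image")
    tags, off = [], HEADER.size
    while off < len(blob):
        m, total, dlen = TAG_HDR.unpack_from(blob, off)
        tags.append((m[::-1].decode("ascii"), off,
                     blob[off + TAG_HDR.size: off + TAG_HDR.size + dlen]))
        off += total
    return signed_len, tags


def verify(blob, device_ecid):
    """Check the signature first, then the ECID binding; returns (ok, reason)."""
    signed_len, tags = parse_tags(blob)
    by_name = {name: (off, data) for name, off, data in tags}
    if "SHSH" not in by_name:
        return False, "unsigned"
    signed = blob[HEADER.size: HEADER.size + signed_len]
    expected = hmac.new(SIGNING_KEY, signed, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, by_name["SHSH"][1]):
        return False, "bad signature"
    if "ECID" in by_name:
        off, data = by_name["ECID"]
        if off >= HEADER.size + signed_len:
            # An ECID tag outside the signed area would bind nothing at all.
            return False, "ECID outside signed area"
        if struct.unpack("<Q", data)[0] != device_ecid:
            return False, "ECID mismatch"
    return True, "ok"


def demo():
    """Run the four cases that matter for downgrades; values are constructed."""
    mine, other = 0x1122334455667788, 0x8877665544332211  # constructed ECIDs
    logo = b"applelogo-bytes"                               # constructed payload
    personalised = build_img3("logo", logo, ecid=mine)
    generic = build_img3("logo", logo)  # pre-3GS style image, no device binding
    results = {
        "generic on any device": verify(generic, other),
        "personalised on my device": verify(personalised, mine),
        "personalised replayed on other device": verify(personalised, other),
    }
    # Rewriting the ECID bytes for the other phone breaks the signature,
    # because the tag lies inside the signed area.
    ecid_off = {n: o for n, o, _ in parse_tags(personalised)[1]}["ECID"]
    patched = bytearray(personalised)
    patched[ecid_off + TAG_HDR.size: ecid_off + TAG_HDR.size + 8] = struct.pack("<Q", other)
    results["personalised with ECID rewritten"] = verify(bytes(patched), other)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The "generic" case is the situation on earlier phones: one signed image works everywhere, so a captured restore can be replayed later. The remaining cases show why a signature handed out for one ECID is useless on any other device, and why the server has to re-sign rather than the client just swapping the tag.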

12 comments:

will.chronicdev said...

Thanks for finding this. I put my 3g[s] in dfu and was wondering why the hell it would not execute the iBSS that I was trying to send it, now I know why. I wonder how iTunes gets the ecid, as it's in the chipid section of hw (exclusive chip id, if u didn't know). perhaps it somehow requests it via smth in only the 3g[s] iboot...

George Hotz said...

It's in the USB descriptor. And real DFU mode doesn't work either, I didn't check that, but I assumed that they wouldn't be that dumb :)

will.chronicdev said...

ah yeah I figured that out. interesting. I remember we were doing some iTunes reversing in earlier beta days and posix noticed some code that replaced the signature, but we never messed with it because it wasn't in use yet...that's probably related to this. does Apple send the exclusive chip id to their server and re-sign the image? or how is the re-signing working? I never looked too deeply into it :/ may be an annoying roadblock

i_max2k2 said...

Can't we fake the server sig, just as DVD Jon did it for activations?

purple2k said...

@i_max2k2:

And how would you know what to fake? The whole point is that the server gives iTunes a signed code specific to your device. Had we known the code, we wouldn't have a problem.

ta_mobile said...

So great to know this news. And I'm hoping hw level is still useful on 3GS ...

Ramiro said...

Probably a stupid question, but how would I get a USB dump of my 3GS?

7777 said...

This post has been removed by the author.

Gwen said...

Step 1: First of all you will need to obtain your ECID (this is so that jailbreaks are possible on your device). To do this, turn your iPhone OFF by holding down the power button and sliding the red slider. Make sure it is disconnected from your computer, then hold down the HOME button on the front of the device and, whilst holding down home, connect the iPhone 3GS to your computer. Keep holding down home until iTunes loads and tells you there is an iPhone in restore mode.

Step 2: Mac Users Only: load "System Profiler" (easiest way to find this is to Spotlight search for it by using the magnifying glass at the top right of your screen). Then click on USB in the Hardware list on the left, then in the USB Device Tree you should see "Apple Mobile Device (Recovery Mode)". Your ECID should be part of the serial number; copy and paste the number immediately to the right of ECID:, it should be 16 digits in length.

Step 2: Windows Users Only: Download and run usbview.exe and select "Config Descriptors" from the Options menu. Now select Refresh from the File Menu. Select the Apple Recovery (iBoot) device from the USB Device Tree in the left panel then Copy (highlight and press Control+c) your ECID from the Descriptor fields on the right.

Step 3: Now visit this website using Safari for Windows (it doesn't work in Internet Explorer). Purplera1n.com and paste the number into the text field that appears there, then press return. Now "Save" this file for when you need it next week.

Lil said...

I can only seem to get my iPhone 3GS into DFU mode. All the posts make reference to 'Recovery' mode. I use a Macbook 13" October 2008 model running 10.5.7. I can still see the ECID 16 digit number in the system profiler once I have entered DFU mode. Is this OK or do I need to get the phone into the recovery mode?

George said...

Got a question for you Geo... Couldn't the owner of PurpleRain use the hex keys already sent in to calculate a possible range for the 3GS? It seems then the PurpleRain server could just start downloading all the keys for every 3GS user out there to future-proof even the people who don't own one yet.

mina said...

Sorry, I'm not tech savvy :-)
I have an iPhone 8GB 2.2.1 version that I purchased in the USA but had it unlocked in Dubai and it worked... but then when it prompted me to upgrade my iTunes (June 2009) it locked my phone... they told me I have to wait for the new iPhone version???
Please advise!!!