Chosen Solution
Okay. I am sick of this whole “touch id is paired to the logic board and blah blah blah only the magical demigods at apple can replace it…” This is ridiculous. I’m asking: You know how the a7 chip only accepts a touch id module that has one (secret) serial number? Well, First of all, which part of the a7 chip has this serial number and does the checking to see if your home button matches it, and second, could we find a way to not try to read this secret key from this part of the chip (apple probably has security guards against this, so this probably wont work), but actually WIPE this area of the chip completely clean? It may be impossible to read from it, but it shouldn’t be impossible to wipe it. Then of course, we have the issue of trying to code another “expected” serial number back in, but we’ll cross that bridge when we come to it.
People are smarter than you, what you can think of, people have already been trying a long time. Wishful thinking gets you nowhere. Back to the topic. It would be reasonable to believe the keys in secure enclave are implemented using e-fuses, which are physically one-time programmable. Once you program the key and set the lock bit, the bootrom reads the lock bit and enters secure boot mode, disables all external debug/test interfaces to protect the secrecy and integrity of keys. You cannot access the secure module because all unauthenticated operations are simply rejected. It may be possible to hack into the button sensors and find a way to program blank buttons straight out of factory, which I believe is Apple’s method to repair Touch ID. They have the software to sign secure commands to enable secure enclave to invoke factory pairing again, which reads the key from the e-fuses and write to blank Touch ID buttons.
OK go ahead and do it.
