iOS 5 to Block SHSH Firmware Downgrades on iPhone, iPad, iPod Touch?

The iPhone Dev-Team, in a blog post, explains the clues it found in the iOS 5 beta that point to Apple's intent to block SHSH firmware downgrades on the iPhone, iPad and iPod Touch.

It looks like Apple is about to aggressively combat the “replay attacks” that have until now allowed users to use iTunes to restore to previous firmware versions using saved SHSH blobs.

For those unfamiliar: Apple only lets you restore to firmwares it is currently 'signing', and the signing window for a given firmware lasts only a limited time. Once Apple stops signing a firmware, a fresh restore to it is refused; the only way back is to replay SHSH blobs you saved while the window was still open. That is the whole point of saving SHSH blobs: they let you downgrade your iPhone, iPad or iPod Touch to an older firmware that still has a jailbreak. If you want to go back to iOS 4.x, you need the blobs for that firmware saved either on Cydia's server or on your computer via TinyUmbrella.

MuscleNerd's reading of the beta is that, starting with iOS 5, Apple will check the 'APTicket' on every boot of an iDevice, not just at restore time. Unlike an SHSH blob, which depends only on your ECID and the firmware version (and can therefore be saved and replayed), an APTicket is generated fresh for every restore and incorporates a random number from that restore. Because only Apple can sign it, a replayed APTicket will not match the current restore and is useless. In MuscleNerd's words:

Starting with the iOS 5 beta, the role of the “APTicket” is changing — it’s being used much like the “BBTicket” has always been used. The LLB and iBoot stages of the boot sequence are being refined to depend on the authenticity of the APTicket, which is uniquely generated at each and every restore (in other words, it doesn’t depend merely on your ECID and firmware version…it changes every time you restore, based partly on a random number). This APTicket authentication will happen at every boot, not just at restore time. Because only Apple has the crypto keys to properly sign the per-restore APTicket, replayed APTickets are useless.
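To make the difference between the two schemes concrete, here is a toy model of the replay attack and of why a per-restore nonce defeats it. This is an added illustration, not code from the Dev-Team post or from Apple: the "TSS" server, the device, the ECID value and the use of HMAC in place of Apple's RSA signature are all assumptions made for the example (a real device holds only Apple's public key, so it can verify a ticket but never mint one).

```python
import hashlib
import hmac
import secrets

# Assumption: only the signing service holds this key. HMAC stands in for
# Apple's public-key signature; the replay logic is the same either way.
APPLE_KEY = b"toy-apple-signing-key"


def apple_sign(message: bytes, key: bytes = APPLE_KEY) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(message: bytes, sig: bytes, key: bytes = APPLE_KEY) -> bool:
    return hmac.compare_digest(apple_sign(message, key), sig)


def shsh_message(ecid: int, firmware: str) -> bytes:
    # Old scheme: the signed data is fixed for a given device + firmware,
    # so a ticket obtained once is valid forever.
    return f"SHSH|{ecid}|{firmware}".encode()


def apticket_message(ecid: int, firmware: str, nonce: bytes) -> bytes:
    # New scheme: the device's random per-restore nonce is part of the
    # signed data, so a ticket is bound to one specific restore.
    return f"APTICKET|{ecid}|{firmware}|{nonce.hex()}".encode()


class SigningServer:
    """Stands in for Apple's signing server; it only signs firmwares in its window."""

    def __init__(self, signing_window):
        self.signing_window = set(signing_window)

    def request_shsh(self, ecid, firmware):
        if firmware not in self.signing_window:
            return None
        msg = shsh_message(ecid, firmware)
        return msg, apple_sign(msg)

    def request_apticket(self, ecid, firmware, nonce):
        if firmware not in self.signing_window:
            return None
        msg = apticket_message(ecid, firmware, nonce)
        return msg, apple_sign(msg)


class Device:
    def __init__(self, ecid):
        self.ecid = ecid
        self.current_nonce = None

    def start_restore(self):
        # Fresh randomness on every restore: this is what makes a saved ticket stale.
        self.current_nonce = secrets.token_bytes(20)
        return self.current_nonce

    def llb_accepts_shsh(self, firmware, ticket):
        msg, sig = ticket
        return msg == shsh_message(self.ecid, firmware) and verify(msg, sig)

    def llb_accepts_apticket(self, firmware, ticket):
        msg, sig = ticket
        expected = apticket_message(self.ecid, firmware, self.current_nonce)
        return msg == expected and verify(msg, sig)


def replay_demo(ecid=0x000001A2B3C4D5E6):
    """Returns (shsh_replay_works, apticket_replay_works). ECID is a made-up value."""
    old, new = "4.3.3", "5.0"
    # Day 1: Apple still signs 4.3.3. Legitimate restore; the user saves both tickets.
    tss = SigningServer(signing_window={old})
    dev = Device(ecid)
    nonce = dev.start_restore()
    saved_shsh = tss.request_shsh(ecid, old)
    saved_apticket = tss.request_apticket(ecid, old, nonce)
    assert dev.llb_accepts_shsh(old, saved_shsh)
    assert dev.llb_accepts_apticket(old, saved_apticket)

    # Later: the window has moved on. A fresh request for 4.3.3 is refused,
    # so the user replays the saved tickets into a new restore.
    tss = SigningServer(signing_window={new})
    assert tss.request_shsh(ecid, old) is None
    dev.start_restore()  # new restore => new nonce the old APTicket cannot know
    shsh_replay_works = dev.llb_accepts_shsh(old, saved_shsh)
    apticket_replay_works = dev.llb_accepts_apticket(old, saved_apticket)
    return shsh_replay_works, apticket_replay_works


if __name__ == "__main__":
    print(replay_demo())
```

The replayed SHSH blob still verifies because nothing in it ties it to a particular restore; the replayed APTicket fails because the LLB recomputes the expected message with the nonce of the restore that is actually happening, and Apple is the only party that could sign a ticket containing that nonce.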

Since all these findings are based on an iOS 5 beta, we will have to be patient and wait until the final iOS 5 release reaches the masses to see the final shape of Apple's approach to SHSH downgrades.

MuscleNerd also addresses what this means for limera1n and for restores to pre-5.0 firmwares; again from the Dev-Team post:

This will only affect restores starting at iOS5 and onward, and Apple will be able to flip that switch off and on at will (by opening or closing the APTicket signing window for that firmware, like they do for the BBTicket). geohot’s limera1n exploit occurs before any of this new checking is done, so tethered jailbreaks will still always be possible for devices where limera1n applies. Also, restoring to pre-5.0 firmwares with saved blobs will still be possible (but you’ll soon start to need to use older iTunes versions for that). Note that iTunes ultimately is *not* the component that matters here..it’s the boot sequence on the device starting with the LLB.

You can save SHSH blobs for whatever firmware Apple is currently signing using Cydia or TinyUmbrella. iFaith can additionally dump the SHSH blobs of an older firmware that is currently installed on the device. Both guides are linked below:

How to: Save SHSH blobs with TinyUmbrella
How to: Save SHSH blobs of an Old Firmware with iFaith


dave June 30, 2011, 12:18 am

Sounds like they are wanting to take all the fun out of owning an iPhone.
