The iPhone Wiki - User contributions [en]

Talk:SHSH

2010-10-19T19:45:50Z

Mbradley672:

== iDevices affected ==

Just to make sure (I don't have these devices): The [[N82ap|iPhone 3G]] (even the newer MC model) and the [[N72ap|iPod Touch 2nd generation]] (also newer models) don't have shsh checks. (I'm not talking about the new "soft" check.) Can someone confirm this? I always thought these mentioned newer devices also have this certificate check in the [[Bootrom]] built-in. But as someone removed my listed 3G (with a question mark), I assume no [[N82ap|3G]] has this check. What is actually the difference between the old and the new [[Bootrom]] then? Maybe someone can explain how this certificate check works exactly and which software part is doing it. Thanks. -- [[User:Http|http]] 11:25, 20 July 2010 (UTC)
:There's definitely no SHSH checking in the [[N82ap|iPhone 3G]] bootrom. If I'm not mistaken, its bootrom can't even read IMG3 files.

:I'm pretty sure the iPod touch 2G bootrom ''does'' check SHSHs, but only the one supplied in the IPSW; its restore process doesn't require getting a new SHSH from Apple's server. --[[User:Dialexio|Dialexio]] 20:08, 20 July 2010 (UTC)

== Firmware 3.1(.1) ==

What's the difference between 3.1 and 3.1.1? Were both released at the same time? Or is 3.1 just a "short form" for 3.1.1? If yes, we should always write the full name. -- [[User:Http|http]] 21:58, 20 July 2010 (UTC)
:3.1 was released for iPhones, while 3.1.1 was released for iPod touches. Other than that (and the build numbers), they're basically the same thing. --[[User:Dialexio|Dialexio]] 23:25, 20 July 2010 (UTC)

== Apple still signing 4.0.1 -- conspiracy? ==

It seems very un-apple for them to continue signing this firmware. Does anyone have any technical reasons/guesses as to why they are doing this?

I think it's sort of a truce -- in fear of yet another security problem being exploited and requiring a 4.0.3, and possibly de-incentivize the search for exploits. Possibly even more far fetched is an experiment to see if there is a boost in sales of people trying to get jailbreakable devices. Anyone have ideas? [[User:Iemit737|Iemit737]] 17:50, 15 August 2010 (UTC)

:My guess is that because many users upgrade without thinking or saving shsh try to jailbreak at some point in time. Because very many users did a jailbreak by this simple page, Apple would create lots of unsatisfied users. After Antennagate having more unsatisfied users, or those returning their device just to try again wouldn't be good for Apple. Also, I think 4.1 will be released soon (less than a month probably), so they can close signing then. -- [[User:Http|http]] 18:56, 15 August 2010 (UTC)

Good point -- lots of first time jail breakers and possible device returns and otherwise angry people. It still seems very unorthodox for them, being the evil iEmpire and all. I can't wait to see what exploits will be uncovered in 4.1. [[User:Iemit737|Iemit737]] 20:43, 15 August 2010 (UTC)

:It seems like Apple continues signing for the previously-issued firmware if the update is of a hotfix nature. (Remember that 3.0.1 was a hotfix for an SMS character vulnerability, and Apple continued signing for both 3.0 and 3.0.1 until 3.1 came along.) The only reason I can think of is they probably rushed the fix out of the door without testing thoroughly, so perhaps their attitude is "we tested this but not rigorously, so feel free to downgrade if it botches something up?" --[[User:Dialexio|Dialexio]] 21:13, 15 August 2010 (UTC)

==4.1 - Apple signing now?==
I believe they are signing the 4.1 GM seed and it does not have expirations or UDID restrictions, and works with windows iTunes, no? Which means if the final ipsw is the same, they will have been signing it since September 1. Albeit the GM is still considered apple confidential... But at the same time they are surely signing some kind of 4.1 for foxconn to put on touch 4G's... [[User:Iemit737|Iemit737]] 19:39, 4 September 2010 (UTC)

:Yes, they are probably signing 4.1 already, but we cannot confirm that, as we don't have any ipt4 yet and d/l of 4.1 is not possible for any other device yet. That's why I've put the product release date as start date. Regarding GM and final: even if the code is the same, it's probably a different ipsw and therefore a different shsh required. I don't know how beta signing works in detail. -- [[User:Http|http]] 22:06, 4 September 2010 (UTC)

::They're signing 4.1 GM. Just make sure to backup your SHSHs. --[[User:desertsn0w|desertsn0w]] 22:48, 4 September 2010 (UTC)

== Soft-SHSH checks ==

Since iTunes 9.2 (I think) SHSH are checked for iPhones 3G also, but only through iTunes, not by the phone's [[bootrom]]. iTunes 9.2 (I think) was the version that was introduced together with iOS 4.0. But I have a report that iOS 3.1.3 can be installed with iTunes 10. I don't know what his hosts file looks like, but he cannot have SHSH backup on Cydia, because those were issued only since iOS 4.0 (correct?). Does this mean that iTunes checks SHSH only if firmware is >= 4.0? If yes, this would mean that you could downgrade a 3G to any pre-4.0 firmware without using redsn0w. -- [[User:Http|http]] 18:40, 19 October 2010 (UTC)
:These were introduced at the same time as [[iOS] 4.0. I believe they kernel checks they are present and valid. If i'm correct this may mean system's like [[PwnageTool]] can patch out the checks. --[[User:GreySyntax|GreySyntax]] 19:13, 19 October 2010 (UTC)
::So the new SHSH checks are done by the kernel since iOS 4.0! I always thought it was done by iTunes. Reading the blog of the [[iPhone Dev Team]] again seems to confirm that. Aha. -- [[User:Http|http]] 19:44, 19 October 2010 (UTC)

Limera1n

2010-10-10T04:04:03Z

Mbradley672:

On the 9th of October 2010 limera1n was released, delaying the release of [[greenpois0n]]. limera1n is now in Beta 3. It only supports Windows at the moment and a large number of devices have issues.

== Background Information ==
Limera1n is a jailbreak by [[User:Geohot|geohot]]. It is untethered on all supported devices, which include the following:
* [[N88ap|iPhone 3GS]] (New [[bootrom]] is now working with Beta 3)
* [[N90ap|iPhone 4]]
* [[N18ap|iPod touch 3G]]
* [[N81ap|iPod touch 4G]]
* [[K48ap|iPad 1G]]

It has been demonstrated multiple times by geohot, using blog posts on his now private blog. Geohot showed off a high-res picture of Cydia on an iPhone 4. [http://1.bp.blogspot.com/_NJ4JFBfr1tY/TDgkAsTQEmI/AAAAAAAAAcw/ZNHDxMNNL4Y/s1600/iphone4.png Image] He displayed an [[untethered jailbreak]] that met MuscleNerd's requirements for a good video on the iPod touch 3G: [http://www.youtube.com/watch?v=__TR86PLiHw YouTube Video] In addition, he demonstrated Cydia, blackra1n, and a verbose boot on an iPad (before Spirit was released): [http://4.bp.blogspot.com/_NJ4JFBfr1tY/S7_OvGMqJMI/AAAAAAAAAcE/R5WLrCizGw0/s1600/ipad_jb.jpg Image]

== Technical Information ==
=== Basics ===
* This does not use [[SHAtter]].
* This uses a [[bootrom]] exploit (different than the [[greenpois0n]] one) to achieve the tethered jailbreak and unsigned code execution
* This uses a userland exploit to make the jailbreak [[Untethered jailbreak|untethered]], which [[User:Geohot|geohot]] obtained under questionable circumstances from [[User:Comex|comex]].
* [[Chronic Dev (team)|Chronic Dev]] knows about this exploit and has confirmed its legitimacy

=== Exploits ===
limera1n uses an undisclosed [[bootrom]] exploit.

=== Process ===
The jailbreak appears to execute something like the following (in no particular order):
* In recovery1,
"setenv debug-uarts 1
setenv auto-boot false
saveenv"
* In DFU, it uploads a payload.
* In recovery2, it uploads another payload and its ramdisk.

== Controversy ==
The release of this jailbreak is specifically designed to pressure the Chronic Dev team into implementing the exploits in limera1n into greenpois0n. Now that geohot has released limera1n, [[SHAtter]] can't be released without major negative backlash from other hackers, as this would burn a bootrom exploit.

== External Links ==
* [http://loadingchanges.com/wp-content/uploads/2010/10/limetime.jpg Picture of limera1n in action]
* [http://limera1n.com/ Actual Site]
* [http://theiphonewiki.com/limera1n Mirror Site]
* [http://www.twitlonger.com/show/6d31jr Info from cdevwill]
* [http://www.mediafire.com/?5sovoo41rbcdspw Limera1n RC Beta2 Dump]

http://theiphonewiki.com/limera1n <nowiki>is possibly the real site and geohot used </nowiki> If this is true, then switch the actual site and mirror site text...

Limera1n

2010-10-10T04:03:20Z

Mbradley672:

On the 9th of October 2010 limera1n was released, delaying the release of [[greenpois0n]]. limera1n is now in Beta 3. It only supports Windows at the moment and a large number of devices have issues.

== Background Information ==
Limera1n is a jailbreak by [[User:Geohot|geohot]]. It is untethered on all supported devices, which include the following:
* [[N88ap|iPhone 3GS]] (new bootrom is now working with Beta 3)
* [[N90ap|iPhone 4]]
* [[N18ap|iPod touch 3G]]
* [[N81ap|iPod touch 4G]]
* [[K48ap|iPad 1G]]

It has been demonstrated multiple times by geohot, using blog posts on his now private blog. Geohot showed off a high-res picture of Cydia on an iPhone 4. [http://1.bp.blogspot.com/_NJ4JFBfr1tY/TDgkAsTQEmI/AAAAAAAAAcw/ZNHDxMNNL4Y/s1600/iphone4.png Image] He displayed an [[untethered jailbreak]] that met MuscleNerd's requirements for a good video on the iPod touch 3G: [http://www.youtube.com/watch?v=__TR86PLiHw YouTube Video] In addition, he demonstrated Cydia, blackra1n, and a verbose boot on an iPad (before Spirit was released): [http://4.bp.blogspot.com/_NJ4JFBfr1tY/S7_OvGMqJMI/AAAAAAAAAcE/R5WLrCizGw0/s1600/ipad_jb.jpg Image]

== Technical Information ==
=== Basics ===
* This does not use [[SHAtter]].
* This uses a [[bootrom]] exploit (different than the [[greenpois0n]] one) to achieve the tethered jailbreak and unsigned code execution
* This uses a userland exploit to make the jailbreak [[Untethered jailbreak|untethered]], which [[User:Geohot|geohot]] obtained under questionable circumstances from [[User:Comex|comex]].
* [[Chronic Dev (team)|Chronic Dev]] knows about this exploit and has confirmed its legitimacy

=== Exploits ===
limera1n uses an undisclosed [[bootrom]] exploit.

=== Process ===
The jailbreak appears to execute something like the following (in no particular order):
* In recovery1,
"setenv debug-uarts 1
setenv auto-boot false
saveenv"
* In DFU, it uploads a payload.
* In recovery2, it uploads another payload and its ramdisk.

== Controversy ==
The release of this jailbreak is specifically designed to pressure the Chronic Dev team into implementing the exploits in limera1n into greenpois0n. Now that geohot has released limera1n, [[SHAtter]] can't be released without major negative backlash from other hackers, as this would burn a bootrom exploit.

== External Links ==
* [http://loadingchanges.com/wp-content/uploads/2010/10/limetime.jpg Picture of limera1n in action]
* [http://limera1n.com/ Actual Site]
* [http://theiphonewiki.com/limera1n Mirror Site]
* [http://www.twitlonger.com/show/6d31jr Info from cdevwill]
* [http://www.mediafire.com/?5sovoo41rbcdspw Limera1n RC Beta2 Dump]

http://theiphonewiki.com/limera1n <nowiki>is possibly the real site and geohot used </nowiki> If this is true, then switch the actual site and mirror site text...