Difference between revisions of "APTicket"
(→Restoring: grammar fix) |
(no longer a stub, although can be largely extended, OAuth is not a style, client nonce is more important for secureboot) |
||
Line 1: | Line 1: | ||
− | APTickets are the new type of [[SHSH|SHSH blobs]], used by iOS 5.0 and newer. |
+ | APTickets are the new type of [[SHSH|SHSH blobs]], used by iOS 5.0 and newer. The client generates a random string (nonce), then iTunes and the device sends the request for blob signing and the server returns the data, just like the original [[SHSH Protocol|SHSH protocol]]. |
==Restoring== |
==Restoring== |
||
− | When iTunes or the on-device firmware upgrader sends a request to Apple's servers to confirm the APTicket, instead of returning the one already stored on the server, a new one is generated. Furthermore, devices with iOS 5 depend on the APTicket being legitimate to be able to boot; the device will enter [[Recovery Mode]] if it isn't. |
+ | When iTunes or the on-device firmware upgrader sends a request to Apple's servers to confirm the APTicket, instead of returning the one already stored on the server, a new one is generated. Furthermore, devices with iOS 5 depend on the APTicket being legitimate to be able to boot; the device will enter [[Recovery Mode]] if it isn't. |
+ | |||
==Downgrading== |
==Downgrading== |
||
− | Saurik's original replay attack method of allowing downgrades for any firmware that had been backed up on his server was partially halted for iOS 5 users due to this new system; now it will back up APTickets but can't allow restoring yet. |
+ | Saurik's original replay attack method of allowing downgrades for any firmware that had been backed up on his server was partially halted for iOS 5 users due to this new system; now it will back up APTickets but can't allow restoring yet. |
+ | |||
− | Faking APTickets is complicated because they are signed with a private key that only Apple knows, and they are also partly generated from a random string. |
||
+ | Faking APTickets is complicated because they are signed with a private key that only Apple knows and they are also partly generated from a random string (nonce). |
||
+ | |||
iOS 4.3.5 and older can still be downgraded if SHSH blobs were saved. |
iOS 4.3.5 and older can still be downgraded if SHSH blobs were saved. |
||
+ | |||
==References== |
==References== |
||
*[http://blog.iphone-dev.org/post/6952986620/blob-monster Dev-Team Blog] |
*[http://blog.iphone-dev.org/post/6952986620/blob-monster Dev-Team Blog] |
||
+ | |||
==See Also== |
==See Also== |
||
*[[wikipedia:Cydia#iOS_.22signature.22_feature|Cydia article on Wikipedia]] |
*[[wikipedia:Cydia#iOS_.22signature.22_feature|Cydia article on Wikipedia]] |
||
*[[redsn0w]], which has functionality to backup APTickets on devices exploitable with [[limera1n Exploit|limera1n]] |
*[[redsn0w]], which has functionality to backup APTickets on devices exploitable with [[limera1n Exploit|limera1n]] |
||
*[http://www.saurik.com/id/12 Details from saurik about the replay attack] |
*[http://www.saurik.com/id/12 Details from saurik about the replay attack] |
||
− | |||
− | {{stub}} |
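Review bot: the sentence added to the intro reads "iTunes and the device sends the request", which pairs a plural subject with a singular verb and leaves unclear whether iTunes, the device, or both send the signing request; suggest "send" and naming the sender explicitly. The edit summary says the client nonce matters for secure boot, but the added text only says that a nonce is generated and, in the Downgrading paragraph, that tickets are "partly generated from a random string (nonce)"; a sentence stating where the nonce is checked would support the summary's claim.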
Revision as of 13:23, 10 February 2012
APTickets are the new type of SHSH blobs, used by iOS 5.0 and newer. The client generates a random string (nonce), then iTunes and the device send the blob-signing request and the server returns the data, just like the original SHSH protocol.
Restoring
When iTunes or the on-device firmware upgrader sends a request to Apple's servers to confirm the APTicket, the servers generate a new one instead of returning the one already stored on the server. Furthermore, devices with iOS 5 depend on the APTicket being legitimate to be able to boot; the device will enter Recovery Mode if it isn't.
Downgrading
Saurik's original replay attack method, which allowed downgrades to any firmware that had been backed up on his server, was partially halted for iOS 5 users by this new system; his server now backs up APTickets but can't allow restoring yet.
Faking APTickets is complicated because they are signed with a private key that only Apple knows and they are also partly generated from a random string (nonce).
iOS 4.3.5 and older can still be downgraded if SHSH blobs were saved.
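The following sketch is an added example, not code from the wiki or from Apple, showing why binding a signed ticket to a client nonce stops a saved ticket from being reused. It assumes an HMAC as a stand-in for Apple's private-key signature, and the field names `device_id` and `build` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: stand-in for the signing key only Apple holds. A real scheme uses
# an asymmetric signature (the device would hold only the public half); HMAC
# keeps this sketch standard-library only.
SERVER_KEY = secrets.token_bytes(32)


def _payload(device_id: str, build: str, nonce: bytes) -> bytes:
    # Length-prefix each field so field boundaries cannot be shifted.
    parts = [device_id.encode(), build.encode(), nonce]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def server_sign(device_id: str, build: str, nonce: bytes) -> dict:
    """Signing server: issue a new ticket bound to the client's nonce."""
    sig = hmac.new(SERVER_KEY, _payload(device_id, build, nonce), hashlib.sha256).digest()
    return {"device_id": device_id, "build": build, "nonce": nonce, "sig": sig}


def device_accepts(ticket: dict, device_id: str, expected_nonce: bytes,
                   check_nonce: bool = True) -> bool:
    """Device-side check: valid signature, right device, and a fresh nonce."""
    expected_sig = hmac.new(
        SERVER_KEY, _payload(ticket["device_id"], ticket["build"], ticket["nonce"]),
        hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, ticket["sig"]):
        return False  # forged or modified ticket
    if ticket["device_id"] != device_id:
        return False  # ticket issued for another device
    if check_nonce and not hmac.compare_digest(ticket["nonce"], expected_nonce):
        return False  # saved ticket from an earlier restore: stale nonce
    return True


def demo() -> dict:
    device = "device-A"                      # constructed sample identifier
    n1 = secrets.token_bytes(20)             # nonce for the first restore
    saved = server_sign(device, "5.0", n1)   # ticket issued, then saved
    n2 = secrets.token_bytes(20)             # a later restore uses a new nonce
    tampered = dict(saved, build="5.0.1")    # edited without the signing key
    return {
        "fresh": device_accepts(saved, device, n1),
        "replayed": device_accepts(saved, device, n2),
        "replayed_without_nonce_check": device_accepts(saved, device, n2, check_nonce=False),
        "tampered": device_accepts(tampered, device, n1),
    }
```

The `replayed_without_nonce_check` case is included only for contrast: the same saved ticket passes once the freshness check is dropped, which is the property a replay of saved blobs relies on.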
See Also
- Cydia article on Wikipedia
- redsn0w, which has functionality to back up APTickets on devices exploitable with limera1n
- Details from saurik about the replay attack