Difference between revisions of "Nonce"

From The iPhone Wiki

A '''Nonce''' (''"Number-used-ONCE"'') is a randomly generated number used to randomize the signed hash blobs ([[SHSH]] blobs) with which Apple signs firmware. It is used with the APTicket (firmware signing ticket), the BBTicket ([[baseband]] signing ticket), and the SEPTicket ([[Secure Enclave|SEP]] signing ticket).

==Method==

The device's bootloaders (firmware, baseband and SEP) generate a random value from a nonce seed (generator), which is then hashed to create the boot nonce hash (BNCH).

During a Restore or Update, the generated nonces are sent to Apple's [[Tatsu Signing Server|TSS Server]] along with the device's [[ECID]] and the hashes of the firmware components to be signed.

If Apple is signing the requested firmware, the TSS Server returns the APTicket/BBTicket/SEPTicket with the certificates matched to the generated nonces for each firmware, and the blobs are then stitched into the firmware files. The nonces inside the blobs must match the nonces generated by the device: if they don't, the device's bootloaders reject the certificates and the restore fails.

With the [[T8020]] and all newer chipsets, the BNCH is also encrypted with the device's [[UID key]], which further randomizes the boot nonce; this is known as "[[Nonce#Nonce_Entangling|Nonce Entangling]]".
   
 
==Usage==

===BBTicket===

*No iPod touch (or iPad Wi-Fi) has been signed with the BBTicket, since by definition it has no baseband.
*[[M68AP|iPhone]] (bootloaders can be neutered to cancel these signature checks). [[N82AP|iPhone 3G]], [[N88AP|iPhone 3GS]] and [[K48AP|iPad Wi-Fi+3G]]: only if the baseband is higher or equal (or just higher on bootloader 3.9 on the [[M68AP|iPhone]]). Some bootloaders allow downgrading the baseband if it is still signed.
*[[N90AP|iPhone 4 (iPhone3,1)]], [[N92AP|iPhone 4 (iPhone3,3)]], [[N94AP|iPhone 4S]], [[K94AP|iPad 2 (iPad2,2)]] and [[K95AP|iPad 2 (iPad2,3)]]: [[AT+XNONCE]] restores the baseband only if Apple is still signing it. On bootloaders 2.8, 2.13, Trek and Phoenix, both the [[AT+XNONCE]] and the "higher or equal" checks happen.

===APTicket===

*Devices with the [[S5L8900]] get [[SHSH]] blobs without APTicket on 4.0 - 4.2.1, even though they are not required and can be avoided with [[Pwnage]]+[[Pwnage 2.0]].
*Devices with the [[S5L8720]] get [[SHSH]] blobs without APTicket from 3.1.1 on, even though [[Bootrom 240.4]] doesn't require them and they can be avoided with the [[0x24000 Segment Overflow]].
*Devices with the [[S5L8920]], [[S5L8922]], [[S5L8930]] and [[S5L8940]] got [[SHSH]] blobs without APTicket between 3.0 - 4.3.5, and they cannot be avoided (except for [[Bootrom 359.3]] with the 0x24000 Segment Overflow).
*Devices with the [[S5L8920]], [[S5L8922]], [[S5L8930]], [[S5L8940]], [[S5L8942]], [[S5L8945]], [[S5L8950]], and [[S5L8955]] get APTicket SHSH blobs on 5.0+. The SHSH requirement cannot be avoided (except for [[Bootrom 359.3]] with the 0x24000 Segment Overflow), and the APTicket requirement can only be avoided on devices vulnerable to the [[limera1n Exploit]], or if the device is on iOS 5.1.1 or lower.
*Devices with the [[S5L8960]] and newer [[Application processor|CPU]]s get APTickets exclusively (with a SepNonce, which also needs to match); they cannot be avoided, but can be utilized with the prometheus method.

==Jailbreak difficulties==

With nonce signatures, signatures can't be cached, because a reused signature will not match. In other words, the widely used replay attack is no longer possible unless the nonce(s) the device generates (SepNonce + ApNonce on 64-bit, ApNonce only on 32-bit) match the one(s) in the APTicket.

===Nonce Entangling===

Nonce Entangling on the [[T8020]] and all newer CPUs makes saving a reusable APTicket with the proper BNCH more difficult, as the generated boot nonce is also encrypted with the device's UID key. Getting around this requires finding out which nonce is actually generated from the nonce seed you are using, which usually requires a [[Jailbreak]] with a nonce-setter; alternatively, airsquared's [https://github.com/airsquared/blobsaver blobsaver] can read the nonce/generator from the device.

Another possible attack is to put the device into [[Recovery Mode]], read the generated boot nonce with [https://github.com/libimobiledevice/libirecovery irecovery] or [https://github.com/tihmstar/igetnonce igetnonce], then update or restore the device to a signed firmware while still in recovery mode, and then not update/restore it again until you can jailbreak and dump [[iBoot]] to get the IM4R (nonce generator).
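The ticket exchange from the Method section and the two points of this section (a saved ticket fails on a later boot unless the device generates the same nonce again, and entangling makes the same generator give a different BNCH per device), as an added example that is not code from the wiki or from Apple. SHA-256 and HMAC stand in for Apple's real hash, UID-key and signature constructions; the function names, the ECID and the component images are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-ins: SHA-256/HMAC replace Apple's real hash, AES-UID and
# RSA constructions; only the nonce-binding logic of the page is modelled.

def derive_bnch(generator: bytes, uid_key: bytes = b"") -> bytes:
    """Nonce = H(generator), BNCH = H(nonce). A non-empty uid_key models T8020+
    nonce entangling: the generator is first bound to the per-device key."""
    seed = hmac.new(uid_key, generator, hashlib.sha256).digest() if uid_key else generator
    return hashlib.sha256(hashlib.sha256(seed).digest()).digest()

def ticket_body(ecid: int, bnch: bytes, components: dict) -> bytes:
    # What the signature covers: ECID, BNCH and the component hashes, in fixed order.
    return ecid.to_bytes(8, "big") + bnch + b"".join(components[n] for n in sorted(components))

def tss_sign(server_key: bytes, ecid: int, bnch: bytes, components: dict) -> dict:
    # TSS side: issue a ticket bound to this ECID and this boot's BNCH.
    sig = hmac.new(server_key, ticket_body(ecid, bnch, components), hashlib.sha256).digest()
    return {"ecid": ecid, "bnch": bnch, "components": dict(components), "sig": sig}

def bootloader_accepts(server_key: bytes, ticket: dict, ecid: int, current_bnch: bytes) -> bool:
    # Device side: signature valid, ticket is for this ECID, and BNCH equals this boot's BNCH.
    body = ticket_body(ticket["ecid"], ticket["bnch"], ticket["components"])
    expected = hmac.new(server_key, body, hashlib.sha256).digest()
    return (hmac.compare_digest(expected, ticket["sig"])
            and ticket["ecid"] == ecid
            and hmac.compare_digest(ticket["bnch"], current_bnch))

def restore_scenarios() -> tuple:
    """(fresh restore, replay on a later boot, replay with the generator set back)."""
    server_key = os.urandom(32)   # constructed stand-in for Apple's signing key
    ecid = 0x000012345678ABCD     # constructed ECID
    comps = {"iBoot": hashlib.sha256(b"iboot-image").digest(),
             "KernelCache": hashlib.sha256(b"kernelcache").digest()}
    saved_gen = os.urandom(8)     # generator of the boot the ticket was issued for
    ticket = tss_sign(server_key, ecid, derive_bnch(saved_gen), comps)
    fresh = bootloader_accepts(server_key, ticket, ecid, derive_bnch(saved_gen))
    # A later boot draws a fresh generator, so the saved ticket's BNCH no longer matches.
    replay = bootloader_accepts(server_key, ticket, ecid, derive_bnch(os.urandom(8)))
    # With the generator set back to the saved value the BNCH matches again.
    reuse = bootloader_accepts(server_key, ticket, ecid, derive_bnch(saved_gen))
    return fresh, replay, reuse

def entangling_changes_bnch(generator: bytes) -> bool:
    # Same generator on two devices with different UID keys gives different BNCHs.
    return derive_bnch(generator, os.urandom(32)) != derive_bnch(generator, os.urandom(32))
```

`restore_scenarios()` returns `(True, False, True)`: the ticket is accepted on the boot it was issued for, rejected on a boot with a new generator, and accepted again only when the device reproduces the saved generator.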
   
 
==See also==

*[[AT+XNONCE]]
*[https://opensource.apple.com/source/xnu/xnu-7195.81.3/EXTERNAL_HEADERS/img4/nonce.h.auto.html nonce.h (Apple Open Source)]

Latest revision as of 07:15, 6 December 2021
