|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "SHSH"
(4.3 signing appears to be closed...) |
(added iPad 2 and removed comment that ATV2G is "later 2010 model") |
||
| Line 5: | Line 5: | ||
To downgrade the firmware, simply change your hosts file to map any request to an Apple server to point to [[Saurik]]'s server instead, if your certificate is there. If you have the file yourself, run [[TinyUmbrella]] on your local machine. |
To downgrade the firmware, simply change your hosts file to map any request to an Apple server to point to [[Saurik]]'s server instead, if your certificate is there. If you have the file yourself, run [[TinyUmbrella]] on your local machine. |
||
| − | Not all devices have this check built in. Older devices allow installation of any correctly signed firmware, so no backup of the certificate is necessary. Devices that need Apple signatures are: [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[K48ap|iPad]], [[n81ap|iPod touch 4G]], [[K66ap|Apple TV 2G]] |
+ | Not all devices have this check built in. Older devices allow installation of any correctly signed firmware, so no backup of the certificate is necessary. Devices that need Apple signatures are: [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[K48ap|iPad]], [[iPad 2]], [[n81ap|iPod touch 4G]], [[K66ap|Apple TV 2G]] and all newer devices. (Note that no versions of the [[iPod touch 2G]] requires SHSH blobs: even the 'MC' models). To restore to arbitrary versions of iOS 4.0, the SHSH is also needed for the [[N72ap|iPod touch 2G]] and [[N82ap|iPhone 3G]]. Not only does [[DFU Mode]] require the [[iBSS]]/[[iBEC]] files to be signed with an SHSH that includes the device's [[ECID]], but the normal boot-chain requires the [[LLB]] to be fully signed with an [[ECID]]+SHSH, so a downgrade [[IPSW File Format|IPSW]] is not possible without a bootrom exploit of normal boot-chain (e.g. [[0x24000 Segment Overflow]]). See also the [http://blog.iphone-dev.org/post/833937433 Dev Team Blog post] about this. |
| − | With the tools mentioned below it is possible to backup the signature. It is not necessary that the device is jailbroken to do the backup. Usually the shsh signature file is stored on [[ |
+ | With the tools mentioned below it is possible to backup the signature. It is not necessary that the device is jailbroken to do the backup. Usually the shsh signature file is stored on [[Saurik]]'s server. If it is stored there, then you can see in [[Cydia]] (on jailbroken devices) for which version a backup exists. |
Users usually make the mistake that (even if they understand all this) they think the shsh firmware version they backup depends on the firmware version they have installed on their device. It does NOT depend on the device which signature you can save - it only depends on which version Apple signs. And that depends on the date. For example in April 2010 you could only backup the certificate for firmware 3.1.3, even if you have still 3.1.2 installed on you phone. Here's a timeline: |
Users usually make the mistake that (even if they understand all this) they think the shsh firmware version they backup depends on the firmware version they have installed on their device. It does NOT depend on the device which signature you can save - it only depends on which version Apple signs. And that depends on the date. For example in April 2010 you could only backup the certificate for firmware 3.1.3, even if you have still 3.1.2 installed on you phone. Here's a timeline: |
||
| Line 14: | Line 14: | ||
{| class="wikitable" style="text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1" |
{| class="wikitable" style="text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1" |
||
|- |
|- |
||
| − | ! |
+ | !width="50"| iOS |
| − | ! |
+ | !width="480"| for Device(s) |
| − | ! |
+ | !width="130"| From |
| − | ! |
+ | !width="130"| Until |
| − | ! width="130" | Status |
||
| − | |- |
||
| − | | <= 3.1.3 |
||
| − | | [[M68ap|iPhone 2G]], [[N82ap|3G]], [[N45ap|iPod touch 1G]], [[N72ap|iPod touch 2G]] |
||
| − | | Unused |
||
| − | | Unused |
||
| − | | {{partial|Unused}} |
||
|- |
|- |
||
| 3.0 |
| 3.0 |
||
| Line 30: | Line 23: | ||
| 19 June 2009 |
| 19 June 2009 |
||
| 9 September 2009 |
| 9 September 2009 |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 3.0.1 |
| 3.0.1 |
||
| Line 36: | Line 28: | ||
| 31 July 2009 |
| 31 July 2009 |
||
| 9 September 2009 |
| 9 September 2009 |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 3.1 |
| 3.1 |
||
| Line 42: | Line 33: | ||
| 9 September 2009 |
| 9 September 2009 |
||
| 8 October 2009 |
| 8 October 2009 |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 3.1.1 |
| 3.1.1 |
||
| Line 48: | Line 38: | ||
| 9 September 2009 |
| 9 September 2009 |
||
| 8 October 2009 |
| 8 October 2009 |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 3.1.2 |
| 3.1.2 |
||
| Line 54: | Line 43: | ||
| 8 October 2009 |
| 8 October 2009 |
||
| 2 February 2010 |
| 2 February 2010 |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 3.1.3 |
| 3.1.3 |
||
| Line 60: | Line 48: | ||
| 2 February 2010 |
| 2 February 2010 |
||
| 21 June 2010 |
| 21 June 2010 |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 3.2 |
| 3.2 |
||
| Line 66: | Line 53: | ||
| 3 April 2010 |
| 3 April 2010 |
||
| 15 July 2010 |
| 15 July 2010 |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 3.2.1 |
| 3.2.1 |
||
| Line 72: | Line 58: | ||
| 15 July 2010 |
| 15 July 2010 |
||
| 19 August 2010 |
| 19 August 2010 |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 3.2.2 |
| 3.2.2 |
||
| [[K48ap|iPad]] |
| [[K48ap|iPad]] |
||
| 11 August 2010 |
| 11 August 2010 |
||
| + | | {{yes|open}} |
||
| − | | 2 December 2010 (?) |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 4.0 |
| 4.0 |
||
| Line 84: | Line 68: | ||
| 21 June 2010 |
| 21 June 2010 |
||
| 9 September 2010 |
| 9 September 2010 |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 4.0 |
| 4.0 |
||
| Line 90: | Line 73: | ||
| 21 June 2010 |
| 21 June 2010 |
||
| 19 August 2010 |
| 19 August 2010 |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 4.0 |
| 4.0 |
||
| Line 96: | Line 78: | ||
| 21 June 2010 |
| 21 June 2010 |
||
| 15 July 2010 |
| 15 July 2010 |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 4.0 |
| 4.0 |
||
| Line 102: | Line 83: | ||
| 24 June 2010 |
| 24 June 2010 |
||
| 15 July 2010 |
| 15 July 2010 |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 4.0.1 |
| 4.0.1 |
||
| Line 108: | Line 88: | ||
| 15 July 2010 |
| 15 July 2010 |
||
| 9 September 2010 |
| 9 September 2010 |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 4.0.1 |
| 4.0.1 |
||
| Line 114: | Line 93: | ||
| 15 July 2010 |
| 15 July 2010 |
||
| 19 August 2010 |
| 19 August 2010 |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 4.0.2 |
| 4.0.2 |
||
| Line 120: | Line 98: | ||
| 11 August 2010 |
| 11 August 2010 |
||
| 18 September 2010<!--Apple may have ceased signing earlier.--> |
| 18 September 2010<!--Apple may have ceased signing earlier.--> |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 4.0.2 |
| 4.0.2 |
||
| Line 126: | Line 103: | ||
| 11 August 2010 |
| 11 August 2010 |
||
| 9 September 2010 |
| 9 September 2010 |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 4.1 |
| 4.1 |
||
| − | | [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G]] |
+ | | [[N82ap|iPhone 3G]], [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N72ap|iPod touch 2G]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]] |
| 8 September 2010 |
| 8 September 2010 |
||
| + | | {{yes|open}} |
||
| − | | - |
||
| − | | {{yes|Open}} |
||
| − | |- |
||
| − | | 4.1 |
||
| − | | [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]] |
||
| − | | 8 September 2010 |
||
| − | | 2 December 2010 (?) |
||
| − | | {{no|Closed}} |
||
|- |
|- |
||
| 4.1 |
| 4.1 |
||
| [[K66ap|Apple TV 2G]] |
| [[K66ap|Apple TV 2G]] |
||
| 29 September 2010 |
| 29 September 2010 |
||
| + | | {{yes|open}} |
||
| − | | 2 December 2010 (?) |
||
| − | | {{no|Closed}} |
||
| − | |- |
||
| − | | 4.2 |
||
| − | | [[K66ap|Apple TV 2G]] |
||
| − | | 22 November 2010 |
||
| − | | 14 December 2010 |
||
| − | | {{no|Closed}} |
||
| − | |- |
||
| − | | 4.2.1 |
||
| − | | [[K48ap|iPad]], [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]] |
||
| − | | 22 November 2010 |
||
| − | | 11 March 2011 |
||
| − | | {{No|Closed}} |
||
| − | |- |
||
| − | | 4.2.1 |
||
| − | | [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G]] |
||
| − | | 22 November 2010 |
||
| − | | - |
||
| − | | {{yes|Open}} |
||
| − | |- |
||
| − | | 4.2.1 |
||
| − | | [[K66ap|Apple TV 2G]] |
||
| − | | 14 December 2010 |
||
| − | | 11 March 2011 |
||
| − | | {{No|Closed}} |
||
| − | |- |
||
| − | | 4.2.5 |
||
| − | | [[N92ap|iPhone 4 CDMA]] |
||
| − | | 11 January 2011 |
||
| − | | closed before product release |
||
| − | | {{No|Closed}} |
||
| − | |- |
||
| − | | 4.2.6 |
||
| − | | [[N92ap|iPhone 4 CDMA]] |
||
| − | | 1 February 2011 |
||
| − | | - |
||
| − | | {{yes|Open}} |
||
| − | |- |
||
| − | | 4.3 |
||
| − | | [[K48ap|iPad]], [[iPad 2]], [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]] |
||
| − | | 9 March 2011 |
||
| − | | 27 March 2011 (?) |
||
| − | | {{No|Closed}} |
||
| − | |- |
||
| − | | 4.3.1 |
||
| − | | [[K48ap|iPad]], [[iPad 2]], [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]] |
||
| − | | 25 March 2011 |
||
| − | | - |
||
| − | | {{yes|Open}} |
||
|} |
|} |
||
| Line 199: | Line 119: | ||
==Links and Tools== |
==Links and Tools== |
||
| − | * [[TinyUmbrella]] |
+ | * [[TinyUmbrella]] requires Java installed |
* [http://www.saurik.com/id/12 Detailed background info from Saurik] |
* [http://www.saurik.com/id/12 Detailed background info from Saurik] |
||
[[Category:Firmware Tags]] |
[[Category:Firmware Tags]] |
||
| + | [[Category:Firmware Parsing]] |
||
Revision as of 23:04, 1 April 2011
0x80 byte RSA signature of a firmware image.
This often also refers to the backup file with the signature. This signature is needed to restore a specific firmware version. The signature is being created by Apple and is being generated based on some hardware keys of the device and the hash of the firmware. Using a replay attack, with the saved signature old firmware can be restored, although Apple doesn't issue the signatures anymore and therefore disallows installing older firmware. Therefore it is recommended to save the signature for your device as long as Apple issues it.
To downgrade the firmware, simply change your hosts file to map any request to an Apple server to point to Saurik's server instead, if your certificate is there. If you have the file yourself, run TinyUmbrella on your local machine.
Not all devices have this check built in. Older devices allow installation of any correctly signed firmware, so no backup of the certificate is necessary. Devices that need Apple signatures are: iPhone 3GS, iPhone 4, iPod touch 3G, iPad, iPad 2, iPod touch 4G, Apple TV 2G and all newer devices. (Note that no versions of the iPod touch 2G requires SHSH blobs: even the 'MC' models). To restore to arbitrary versions of iOS 4.0, the SHSH is also needed for the iPod touch 2G and iPhone 3G. Not only does DFU Mode require the iBSS/iBEC files to be signed with an SHSH that includes the device's ECID, but the normal boot-chain requires the LLB to be fully signed with an ECID+SHSH, so a downgrade IPSW is not possible without a bootrom exploit of normal boot-chain (e.g. 0x24000 Segment Overflow). See also the Dev Team Blog post about this.
With the tools mentioned below it is possible to backup the signature. It is not necessary that the device is jailbroken to do the backup. Usually the shsh signature file is stored on Saurik's server. If it is stored there, then you can see in Cydia (on jailbroken devices) for which version a backup exists.
Users usually make the mistake that (even if they understand all this) they think the shsh firmware version they backup depends on the firmware version they have installed on their device. It does NOT depend on the device which signature you can save - it only depends on which version Apple signs. And that depends on the date. For example in April 2010 you could only backup the certificate for firmware 3.1.3, even if you have still 3.1.2 installed on you phone. Here's a timeline:
Timeline
| iOS | for Device(s) | From | Until |
|---|---|---|---|
| 3.0 | iPhone 3GS | 19 June 2009 | 9 September 2009 |
| 3.0.1 | iPhone 3GS | 31 July 2009 | 9 September 2009 |
| 3.1 | iPhone 3GS | 9 September 2009 | 8 October 2009 |
| 3.1.1 | iPod touch 3G | 9 September 2009 | 8 October 2009 |
| 3.1.2 | iPhone 3GS, iPod touch 3G | 8 October 2009 | 2 February 2010 |
| 3.1.3 | iPhone 3GS, iPod touch 3G | 2 February 2010 | 21 June 2010 |
| 3.2 | iPad | 3 April 2010 | 15 July 2010 |
| 3.2.1 | iPad | 15 July 2010 | 19 August 2010 |
| 3.2.2 | iPad | 11 August 2010 | open |
| 4.0 | iPod touch 2G | 21 June 2010 | 9 September 2010 |
| 4.0 | iPod touch 3G | 21 June 2010 | 19 August 2010 |
| 4.0 | iPhone 3G, iPhone 3GS | 21 June 2010 | 15 July 2010 |
| 4.0 | iPhone 4 | 24 June 2010 | 15 July 2010 |
| 4.0.1 | iPhone 3G | 15 July 2010 | 9 September 2010 |
| 4.0.1 | iPhone 3GS, iPhone 4 | 15 July 2010 | 19 August 2010 |
| 4.0.2 | iPhone 3G, iPod touch 2G | 11 August 2010 | 18 September 2010 |
| 4.0.2 | iPhone 3GS, iPhone 4, iPod touch 3G | 11 August 2010 | 9 September 2010 |
| 4.1 | iPhone 3G, iPhone 3GS, iPhone 4, iPod touch 2G, iPod touch 3G, iPod touch 4G | 8 September 2010 | open |
| 4.1 | Apple TV 2G | 29 September 2010 | open |
Protocol
To request a SHSH blob from Apple, a simple HTTP request can be made. For a full description, please see the separate article SHSH Protocol.
Links and Tools
- TinyUmbrella requires Java installed
- Detailed background info from Saurik
