Difference between revisions of "SHSH"

From The iPhone Wiki
(ATV2 4.3 (4.3) is closed)
m (added info about aptickets)
Line 3: Line 3:
 
This often also refers to the backup file with the signature. This signature is needed to restore a specific firmware version. The signature is being created by Apple and is being generated based on some hardware keys of the device and the hash of the firmware. Using a [[wikipedia:replay attack|replay attack]], with the saved signature old firmware can be restored, although Apple doesn't issue the signatures anymore and therefore disallows installing older firmware. Therefore it is recommended to save the signature for your device as long as Apple issues it.
 
This often also refers to the backup file with the signature. This signature is needed to restore a specific firmware version. The signature is being created by Apple and is being generated based on some hardware keys of the device and the hash of the firmware. Using a [[wikipedia:replay attack|replay attack]], with the saved signature old firmware can be restored, although Apple doesn't issue the signatures anymore and therefore disallows installing older firmware. Therefore it is recommended to save the signature for your device as long as Apple issues it.
   
To downgrade the firmware, simply change your hosts file to map any request to an Apple server to point to [[Saurik]]'s server instead, if your certificate is there. If you have the file yourself, run [[TinyUmbrella]] on your local machine.
+
To downgrade the firmware, simply change your hosts file to map any request to an Apple server to point to [[Saurik]]'s server instead, if your certificate is there. If you have the file yourself, run [[TinyUmbrella]]'s TSS Server on your local machine. Note, though, that downgrades to iOS 5 or newer are currently not available.
   
 
Not all devices have this check built in. Older devices allow installation of any correctly signed firmware, so no backup of the certificate is necessary. Devices that need Apple signatures are: [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[K48ap|iPad]], [[iPad 2]], [[n81ap|iPod touch 4G]], [[K66ap|Apple TV 2G]] and all newer devices. The [[N88ap|iPhone 3G]] and [[N72ap|iPod touch 2G]] bootroms do not require these SHSHs; however, newer versions of iOS require them (unless the chain of trust is broken and custom firmwares are installed). To restore to arbitrary versions of iOS 4.0, the SHSH is also needed for the [[N72ap|iPod touch 2G]] and [[N82ap|iPhone 3G]]. Not only does [[DFU Mode]] require the [[iBSS]]/[[iBEC]] files to be signed with an SHSH that includes the device's [[ECID]], but the normal boot-chain requires the [[LLB]] to be fully signed with an [[ECID]]+SHSH, so a downgrade [[IPSW File Format|IPSW]] is not possible without a bootrom exploit of normal boot-chain (e.g. [[0x24000 Segment Overflow]]). See also the [http://blog.iphone-dev.org/post/833937433 Dev Team Blog post] about this.
 
Not all devices have this check built in. Older devices allow installation of any correctly signed firmware, so no backup of the certificate is necessary. Devices that need Apple signatures are: [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[K48ap|iPad]], [[iPad 2]], [[n81ap|iPod touch 4G]], [[K66ap|Apple TV 2G]] and all newer devices. The [[N88ap|iPhone 3G]] and [[N72ap|iPod touch 2G]] bootroms do not require these SHSHs; however, newer versions of iOS require them (unless the chain of trust is broken and custom firmwares are installed). To restore to arbitrary versions of iOS 4.0, the SHSH is also needed for the [[N72ap|iPod touch 2G]] and [[N82ap|iPhone 3G]]. Not only does [[DFU Mode]] require the [[iBSS]]/[[iBEC]] files to be signed with an SHSH that includes the device's [[ECID]], but the normal boot-chain requires the [[LLB]] to be fully signed with an [[ECID]]+SHSH, so a downgrade [[IPSW File Format|IPSW]] is not possible without a bootrom exploit of normal boot-chain (e.g. [[0x24000 Segment Overflow]]). See also the [http://blog.iphone-dev.org/post/833937433 Dev Team Blog post] about this.
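Review bot: the sentence added in the downgrade paragraph, "Note, though, that downgrades to iOS 5 or newer are currently not available", gives the limit but not the reason, although the edit summary says the change adds info about APTickets. Name the APTicket in that sentence, and link to an article on it if the wiki has one, so readers understand why a saved SHSH alone is not enough for iOS 5. "Currently" will also go stale, so tie the statement to a date or firmware version.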

Revision as of 09:52, 10 February 2012

0x80 byte RSA signature of a firmware image.

The term often also refers to the backup file containing the signature. The signature is needed to restore a specific firmware version. Apple creates it based on some hardware keys of the device and the hash of the firmware. With a saved signature, old firmware can be restored through a replay attack even though Apple no longer issues signatures for it, which is how Apple disallows installing older firmware. It is therefore recommended to save the signature for your device while Apple still issues it.

To downgrade the firmware, change your hosts file so that any request to an Apple server goes to Saurik's server instead, provided your certificate is stored there. If you have the file yourself, run TinyUmbrella's TSS Server on your local machine. Note, though, that downgrades to iOS 5 or newer are currently not available.

Not all devices have this check built in. Older devices allow installation of any correctly signed firmware, so no backup of the certificate is necessary. Devices that need Apple signatures are: iPhone 3GS, iPhone 4, iPod touch 3G, iPad, iPad 2, iPod touch 4G, Apple TV 2G and all newer devices. The iPhone 3G and iPod touch 2G bootroms do not require these SHSHs; however, newer versions of iOS require them (unless the chain of trust is broken and custom firmwares are installed). To restore to arbitrary versions of iOS 4.0, the SHSH is also needed for the iPod touch 2G and iPhone 3G. DFU Mode requires the iBSS/iBEC files to be signed with an SHSH that includes the device's ECID, and the normal boot chain additionally requires the LLB to be fully signed with an ECID+SHSH, so a downgrade IPSW is not possible without a bootrom exploit of the normal boot chain (e.g. 0x24000 Segment Overflow). See also the Dev Team Blog post about this.
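The device binding and the replay described above, as an added sketch that is not code from this wiki or from Apple: a toy RSA key stands in for the signing key, and the ECIDs and firmware hashes are constructed. The second half goes beyond this page and shows the general countermeasure to replay, a fresh per-restore nonce inside the signed data, which is an assumption here and not a description of any real blob format.

```python
import hashlib
import os

# Toy RSA key standing in for the vendor signing key (tiny and insecure, demo only).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537          # two Mersenne primes
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))              # private exponent, server side only

def _digest(*fields: bytes) -> int:
    """Hash length-prefixed fields so field boundaries cannot be shifted."""
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return int.from_bytes(h.digest(), "big") % N

def server_sign(ecid: bytes, fw_hash: bytes, nonce: bytes = b"") -> int:
    """Signing server: bind the signature to one device and one firmware image."""
    return pow(_digest(ecid, fw_hash, nonce), D, N)

def device_accepts(ecid: bytes, fw_hash: bytes, sig: int, nonce: bytes = b"") -> bool:
    """Device side: verify with the public key (E, N) only."""
    return pow(sig, E, N) == _digest(ecid, fw_hash, nonce)

def run_demo() -> dict:
    # Constructed sample values, not real device identifiers or firmware hashes.
    ecid = bytes.fromhex("000001a2b3c4d5e6")
    other_ecid = bytes.fromhex("000001a2b3c4d5e7")
    old_fw = hashlib.sha1(b"constructed old firmware image").digest()
    new_fw = hashlib.sha1(b"constructed new firmware image").digest()

    # Static scheme: the signature covers only ECID + firmware hash.
    saved = server_sign(ecid, old_fw)          # saved while the signing window was open
    out = {
        "static_replay_later": device_accepts(ecid, old_fw, saved),
        "static_other_device": device_accepts(other_ecid, old_fw, saved),
        "static_other_firmware": device_accepts(ecid, new_fw, saved),
    }

    # Nonce scheme (assumption): the device generates a fresh value per restore.
    n1, n2 = os.urandom(20), os.urandom(20)
    blob = server_sign(ecid, old_fw, n1)
    out["nonce_same_session"] = device_accepts(ecid, old_fw, blob, n1)
    out["nonce_replay_later"] = device_accepts(ecid, old_fw, blob, n2)
    return out

if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:24} accepted={accepted}")
```

The static signature stays valid for that one device and firmware forever, which is why saving it is enough; once a fresh nonce is part of the signed data, a saved blob no longer verifies in a later session.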

With the tools mentioned below it is possible to back up the signature. The device does not need to be jailbroken to do the backup. Usually the SHSH signature file is stored on Saurik's server. If it is stored there, the top of Cydia (on jailbroken devices) shows for which versions a backup exists.

A common mistake, even among users who understand all this, is to assume that the firmware version of the SHSH they back up depends on the firmware version installed on their device. This is the case for iFaith, but not for TinyUmbrella. iFaith dumps the SHSHs from your device's storage (whatever is installed on your device, e.g. 4.3.3), while TinyUmbrella gets SHSHs from Apple's servers (whatever firmwares Apple is currently signing).

Timeline

| iOS | for Device(s) | From | Until | Status |
|---|---|---|---|---|
| <= 3.0 | iPod touch 2G | Unused | Unused | Unused |
| <= 3.1.3 | iPhone 2G, iPhone 3G, iPod touch 1G | Unused | Unused | Unused |
| 3.0 | iPhone 3GS | 19 June 2009 | 9 September 2009 | Closed |
| 3.0.1 | iPhone 3GS | 31 July 2009 | 9 September 2009 | Closed |
| 3.1 | iPhone 3GS | 9 September 2009 | 8 October 2009 | Closed |
| 3.1.1 | iPod touch 2G | 9 September 2009 | 21 June 2010 | Closed |
| 3.1.1 | iPod touch 3G | 9 September 2009 | 8 October 2009 | Closed |
| 3.1.2 | iPod touch 2G | 8 October 2009 | 21 June 2010 | Closed |
| 3.1.2 | iPhone 3GS, iPod touch 3G | 8 October 2009 | 2 February 2010 | Closed |
| 3.1.3 | iPod touch 2G | 2 February 2010 | 21 June 2010 | Closed |
| 3.1.3 | iPhone 3GS, iPod touch 3G | 2 February 2010 | 21 June 2010 | Closed |
| 3.2 | iPad | 3 April 2010 | 15 July 2010 | Closed |
| 3.2.1 | iPad | 15 July 2010 | 19 August 2010 | Closed |
| 3.2.2 | iPad | 11 August 2010 | 2 December 2010 (?) | Closed |
| 4.0 | iPod touch 2G | 21 June 2010 | 9 September 2010 | Closed |
| 4.0 | iPod touch 3G | 21 June 2010 | 19 August 2010 | Closed |
| 4.0 | iPhone 3G, iPhone 3GS | 21 June 2010 | 15 July 2010 | Closed |
| 4.0 | iPhone 4 GSM | 24 June 2010 | 15 July 2010 | Closed |
| 4.0.1 | iPhone 3G | 15 July 2010 | 9 September 2010 | Closed |
| 4.0.1 | iPhone 3GS, iPhone 4 GSM | 15 July 2010 | 19 August 2010 | Closed |
| 4.0.2 | iPhone 3G, iPod touch 2G | 11 August 2010 | 18 September 2010 | Closed |
| 4.0.2 | iPhone 3GS, iPhone 4 GSM, iPod touch 3G | 11 August 2010 | 9 September 2010 | Closed |
| 4.1 | iPhone 3G, iPhone 3GS, iPod touch 2G, iPod touch 3G | 8 September 2010 | - | Open |
| 4.1 | iPhone 4 GSM, iPod touch 4G | 8 September 2010 | 2 December 2010 (?) | Closed |
| Template:Nowrap | Apple TV 2G | 29 September 2010 | 2 December 2010 (?) | Closed |
| Template:Nowrap | Apple TV 2G | 22 November 2010 | 14 December 2010 | Closed |
| 4.2.1 | iPad, iPhone 3GS, iPhone 4 GSM, iPod touch 3G, iPod touch 4G | 22 November 2010 | 11 March 2011 | Closed |
| 4.2.1 | iPhone 3G, iPod touch 2G | 22 November 2010 | - | Open |
| Template:Nowrap | Apple TV 2G | 14 December 2010 | 28 May 2011 (?) | Closed |
| 4.2.5 | iPhone 4 CDMA | 11 January 2011 | closed before product release | Closed |
| 4.2.6 | iPhone 4 CDMA | 1 February 2011 | 19 April 2011 (?) | Closed |
| 4.2.7 | iPhone 4 CDMA | 14 April 2011 | 6 May 2011 | Closed |
| 4.2.8 | iPhone 4 CDMA | 4 May 2011 | 18 July 2011 | Closed |
| 4.2.9 | iPhone 4 CDMA | 15 July 2011 | 27 July 2011 | Closed |
| 4.2.10 | iPhone 4 CDMA | 25 July 2011 | 18 October 2011 | Closed |
| 4.3 | iPad, iPad 2, iPhone 3GS, iPhone 4 GSM, iPod touch 3G, iPod touch 4G | 9 March 2011 | 27 March 2011 (?) | Closed |
| Template:Nowrap | Apple TV 2G | 9 March 2011 | 22 March 2011 (?) | Closed |
| Template:Nowrap | Apple TV 2G | 22 March 2011 | 28 May 2011 (?) | Closed |
| Template:Nowrap | Apple TV 2G | 11 May 2011 | 18 October 2011 (?) | Closed |
| Template:Nowrap | Apple TV 2G | 1 August 2011 | ? | Closed |
| 4.3.1 | iPad, iPad 2, iPhone 3GS, iPhone 4 GSM, iPod touch 3G, iPod touch 4G | 25 March 2011 | 19 April 2011 (?) | Closed |
| 4.3.2 | iPad, iPad 2, iPhone 3GS, iPhone 4 GSM, iPod touch 3G, iPod touch 4G | 14 April 2011 | 6 May 2011 | Closed |
| 4.3.3 | iPad, iPad 2, iPhone 3GS, iPhone 4 GSM, iPod touch 3G, iPod touch 4G | 4 May 2011 | 18 July 2011 | Closed |
| 4.3.4 | iPad, iPad 2, iPhone 3GS, iPhone 4 GSM, iPod touch 3G, iPod touch 4G | 15 July 2011 | 27 July 2011 | Closed |
| 4.3.5 | iPad, iPad 2, iPhone 3GS, iPhone 4 GSM, iPod touch 3G, iPod touch 4G | 25 July 2011 | 18 October 2011 | Closed |
| 4.4 | Apple TV 2G | 4 October 2011 | ? | Closed |
| 4.4.1 | Apple TV 2G | 17 October 2011 | ? | Closed |
| 4.4.2 | Apple TV 2G | 24 October 2011 | 11 January 2012 (?) | Closed |
| 4.4.3 | Apple TV 2G | 17 November 2011 | 11 January 2012 (?) | Closed |
| 4.4.4 | Apple TV 2G | 15 December 2011 | - | Open |
| 5.0 | iPad, iPad 2, iPhone 3GS, iPhone 4, iPod touch 3G, iPod touch 4G | 4 October 2011 | 10 November 2011 (?) | Closed |
| 5.0 | iPhone 4S | 14 October 2011 | 10 November 2011 (?) | Closed |
| 5.0.1 | iPad, iPad 2, iPhone 3GS, iPhone 4, iPhone 4S, iPod touch 3G, iPod touch 4G | 9 November 2011 | - | Open |

Protocol

An SHSH blob can be requested from Apple with a simple HTTP request. For a full description, see the separate articles SHSH Protocol and Baseband SHSH Protocol.

Links and Tools