From The iPhone Wiki
Revision as of 20:39, 26 October 2011 by Http (talk | contribs) (iOS 5+: nonce details?)

iDevices affected

Just to make sure (I don't have these devices): The iPhone 3G (even the newer MC model) and the iPod Touch 2nd generation (also newer models) don't have shsh checks. (I'm not talking about the new "soft" check.) Can someone confirm this? I always thought these mentioned newer devices also have this certificate check in the Bootrom built-in. But as someone removed my listed 3G (with a question mark), I assume no 3G has this check. What is actually the difference between the old and the new Bootrom then? Maybe someone can explain how this certificate check works exactly and which software part is doing it. Thanks. -- http 11:25, 20 July 2010 (UTC)

There's definitely no SHSH checking in the iPhone 3G bootrom. If I'm not mistaken, its bootrom can't even read IMG3 files.
I'm pretty sure the iPod touch 2G bootrom does check SHSHs, but only the one supplied in the IPSW; its restore process doesn't require getting a new SHSH from Apple's server. --Dialexio 20:08, 20 July 2010 (UTC)

Firmware 3.1(.1)

What's the difference between 3.1 and 3.1.1? Were both released at the same time? Or is 3.1 just a "short form" for 3.1.1? If yes, we should always write the full name. -- http 21:58, 20 July 2010 (UTC)

3.1 was released for iPhones, while 3.1.1 was released for iPod touches. Other than that (and the build numbers), they're basically the same thing. --Dialexio 23:25, 20 July 2010 (UTC)

Apple still signing 4.0.1 -- conspiracy?

It seems very un-apple for them to continue signing this firmware. Does anyone have any technical reasons/guesses as to why they are doing this?

I think it's sort of a truce -- in fear of yet another security problem being exploited and requiring a 4.0.3, and possibly de-incentivize the search for exploits. Possibly even more far-fetched is an experiment to see if there is a boost in sales of people trying to get jailbreakable devices. Anyone have ideas? Iemit737 17:50, 15 August 2010 (UTC)

My guess is that because many users upgrade without thinking or saving shsh try to jailbreak at some point in time. Because very many users did a jailbreak by this simple page, Apple would create lots of unsatisfied users. After Antennagate having more unsatisfied users, or those returning their device just to try again wouldn't be good for Apple. Also, I think 4.1 will be released soon (less than a month probably), so they can close signing then. -- http 18:56, 15 August 2010 (UTC)

Good point -- lots of first time jail breakers and possible device returns and otherwise angry people. It still seems very unorthodox for them, being the evil iEmpire and all. I can't wait to see what exploits will be uncovered in 4.1. Iemit737 20:43, 15 August 2010 (UTC)

It seems like Apple continues signing for the previously-issued firmware if the update is of a hotfix nature. (Remember that 3.0.1 was a hotfix for an SMS character vulnerability, and Apple continued signing for both 3.0 and 3.0.1 until 3.1 came along.) The only reason I can think of is they probably rushed the fix out of the door without testing thoroughly, so perhaps their attitude is "we tested this but not rigorously, so feel free to downgrade if it botches something up?" --Dialexio 21:13, 15 August 2010 (UTC)

4.1 - Apple signing now?

I believe they are signing the 4.1 GM seed and it does not have expirations or UDID restrictions, and works with Windows iTunes, no? Which means if the final ipsw is the same, they will have been signing it since September 1. Albeit the GM is still considered Apple confidential... But at the same time they are surely signing some kind of 4.1 for Foxconn to put on touch 4G's... Iemit737 19:39, 4 September 2010 (UTC)

Yes, they are probably signing 4.1 already, but we cannot confirm that, as we don't have any ipt4 yet and d/l of 4.1 is not possible for any other device yet. That's why I've put the product release date as start date. Regarding GM and final: even if the code is the same, it's probably a different ipsw and therefore a different shsh required. I don't know how beta signing works in detail. -- http 22:06, 4 September 2010 (UTC)
They're signing 4.1 GM. Just make sure to backup your SHSHs. --desertsn0w 22:48, 4 September 2010 (UTC)

Soft-SHSH checks

Since iTunes 9.2 (I think) SHSH are checked for iPhones 3G also, but only through iTunes, not by the phone's bootrom. iTunes 9.2 (I think) was the version that was introduced together with iOS 4.0. But I have a report that iOS 3.1.3 can be installed with iTunes 10. I don't know what his hosts file looks like, but he cannot have SHSH backup on Cydia, because those were issued only since iOS 4.0 (correct?). Does this mean that iTunes checks SHSH only if firmware is >= 4.0? If yes, this would mean that you could downgrade a 3G to any pre-4.0 firmware without using redsn0w. -- http 18:40, 19 October 2010 (UTC)

These were introduced at the same time as iOS 4.0. I believe the kernel checks they are present and valid. If I'm correct this may mean systems like PwnageTool can patch out the checks. --GreySyntax 19:13, 19 October 2010 (UTC)
So the new SHSH checks are done by the kernel since iOS 4.0! I always thought it was done by iTunes. Reading the blog of the iPhone Dev Team again seems to confirm that. Aha. -- http 19:44, 19 October 2010 (UTC)

iOS 4.2 SHSH for Apple TV

As I see iOS 4.2 for Apple TV is still signed. I could save the SHSH of my new Apple TV 2G and I can restore it without any SHSH blobs from Saurik or TinyUmbrella to iOS 4.2. --The preceding unsigned comment was added by Christoph (talk) 9:05, January 7, 2011.

Puzzling, maybe they are still signed, but Apple doesn't require them for restore... --Balloonhead66 23:18, 7 January 2011 (UTC)

3.1.x for iPod touch 2G

I need someone with an iPod touch 2G (old bootrom) to verify this... I believe Apple actually introduced soft SHSH checks with iOS 3.1.1 for the iPod touch 2G. Further evidence includes my inability to restore to iOS 3.1.1 and 3.1.2 (unless I use SHSHs that I apparently saved, or a custom IPSW), and iTunes says it will verify the restore with Apple. I know that Apple was still signing iOS 3.1.1 and 3.1.2 when they released iOS 3.1.3, though. Is anyone able to back up my info? Do not respond with "No, Apple introduced the SHSH check with 4.0" unless you have tested this yourself. --Dialexio 01:55, 14 February 2011 (UTC)

I had thought there was something weird going on with this. I was guessing that iTunes phoned home to Apple to see if the firmware was acceptable/current/safe before restoring it [provided the IPSW has the right tags to indicate it is a production firmware]. I think, but it is probably wrong, that when you point your hosts file to Saurik he mimics the response that the firmware is acceptable but does not actually give hashes for it. On the other hand I'm probably totally wrong because I remember tinyumbrella let you save hashes for 3.1.x. Iemit737 00:46, 15 February 2011 (UTC)

Error 3194 on iPod Touch 2G

I am unable to get hashes for my friend's MC iPod Touch 2G. iTunes simply will not issue them. I have tried restore and I keep getting error 3194, any suggestions? Revolution 03:27, 26 May 2011 (UTC)

I thought it is clearly mentioned in the article that the ipt2g does not use SHSH blobs. This means you can install any possible iOS version. Error 3194 usually indicates missing SHSH, but could also be something else. This wiki cannot support user problems. Anyway: I would suggest to check if hosts file is clean, iTunes is newest version and iOS version is supported on device. Contact me on Twitter or ask jailbreakqa site for help if this doesn't solve your problem. --http 06:41, 26 May 2011 (UTC)

iOS 5+

Does it make sense to continue this list beyond iOS 4.x? Since 5.0 nonces are used, so the replay attack doesn't work anymore anyway. So why list the signing periods? We already have the release dates. -- http 00:52, 25 October 2011 (MDT)

I think it's still good to show if 5.0 is still being signed or not; Apple might wind up taking a few days to stop signing it. --Dialexio 10:57, 25 October 2011 (MDT)
I think we should keep it. --Balloonhead66 13:59, 26 October 2011 (MDT)

Something totally different related to iOS 5+: Ok, nonces are used and we can't use the replay attack anymore. But why? If I understood that correctly, then the nonce is created in the bootrom. Then it goes all the way up into kernel, iTunes, Apple Server, signed SHSH and during the restore it will get compared again by the bootrom. If it doesn't match, no restore will be possible. If this is not in the bootrom, then we could simply patch it out by pwning the device. And as we have a bootrom exploit for all devices except the iPhone 4S and the iPad 2, we could even patch out this check - and even remove the requirement for valid SHSH at all. But why does this not work? Just not implemented yet? Or is the limera1n exploit at such a stage where it's too late for patching this check? But at least we could patch the SHSH comparison if it would be in the kernel/iBoot/any later stage (with the nonce) and restore old 5.x versions with saved SHSH + known nonce. Can any insider clarify that? -- http 14:39, 26 October 2011 (MDT)
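
Added example, not part of the discussion above and not Apple's code or blob format: a toy model of why binding a per-restore nonce into the signed blob stops a saved SHSH from being replayed, as this section describes for iOS 5+. Assumptions: an HMAC with a shared key stands in for Apple's signature, the names `Device`, `sign_ticket`, `device-0001` and `fw-A` are hypothetical, and the model says nothing about which boot stage performs the comparison.

```python
import hashlib
import hmac
import secrets

# Stand-in for the signing server's key (toy model: HMAC with a shared key
# instead of a public-key signature, so only the standard library is needed).
SERVER_KEY = secrets.token_bytes(32)


def sign_ticket(device_id: str, firmware: str, nonce: bytes = b"") -> bytes:
    """Signing server: authorise `firmware` for one device (and one nonce)."""
    msg = b"|".join([device_id.encode(), firmware.encode(), nonce.hex().encode()])
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


class Device:
    """Restore-side verifier. use_nonce=False models the pre-5.0 behaviour."""

    def __init__(self, device_id: str, use_nonce: bool):
        self.device_id = device_id
        self.use_nonce = use_nonce
        self.nonce = b""

    def begin_restore(self) -> bytes:
        # With nonces enabled, every restore attempt gets a fresh random value.
        self.nonce = secrets.token_bytes(20) if self.use_nonce else b""
        return self.nonce

    def accept(self, firmware: str, ticket: bytes) -> bool:
        # The ticket must cover this device, this firmware and the current nonce.
        expected = sign_ticket(self.device_id, firmware, self.nonce)
        return hmac.compare_digest(expected, ticket)


def replay_outcomes(use_nonce: bool) -> tuple:
    """Return (first restore accepted, later replay of the saved ticket accepted)."""
    dev = Device("device-0001", use_nonce)            # constructed sample device
    nonce = dev.begin_restore()
    saved = sign_ticket(dev.device_id, "fw-A", nonce)  # issued while fw-A is signed
    first = dev.accept("fw-A", saved)
    dev.begin_restore()                                # later attempt, signing closed
    replayed = dev.accept("fw-A", saved)               # saved ticket presented again
    return first, replayed
```

Without the nonce the saved ticket verifies on every later restore; with it, the ticket matches only the restore attempt it was issued for.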