Ads 468x60px

Sunday, June 26, 2011

Dev-Team: Apple Made Changes to iOS 5 to Prevent Firmware Downgrade via Saved SHSH [EXPLANATION]

Blob monster 

It looks like Apple is about to aggressively combat the "replay attacks" that have until now allowed users to use iTunes to restore to previous firmware versions using saved SHSH blobs.

Those of you who have been jailbreaking for a while have probably heard us periodically warn you to "save your blobs" for each firmware using either Cydia or TinyUmbrella (or even the "copy from /tmp during restore" method for advanced users).  Saving your blobs for a given firmware on your specific device allows you to restore *that* device to *that* firmware even after Apple has stopped signing it.  That's all about to change.

Starting with the iOS5 beta, the role of the "APTicket" is changing — it's being used much like the "BBTicket" has always been used.  The LLB and iBoot stages of the boot sequence are being refined to depend on the authenticity of the APTicket, which is uniquely generated at each and every restore (in other words, it doesn't depend merely on your ECID and firmware version…it changes every time you restore, based partly on a random number).  This APTicket authentication will happen at every boot, not just at restore time.  Because only Apple has the crypto keys to properly sign the per-restore APTicket, replayed APTickets are useless.

This will only affect restores starting at iOS5 and onward, and Apple will be able to flip that switch off and on at will (by opening or closing the APTicket signing window for that firmware, like they do for the BBTicket).  geohot's limera1n exploit occurs before any of this new checking is done, so tethered jailbreaks will still always be possible for devices where limera1n applies.  Also, restoring to pre-5.0 firmwares with saved blobs will still be possible (but you'll soon start to need to use older iTunes versions for that). Note that iTunes ultimately is *not* the component that matters's the boot sequence on the device starting with the LLB.

Although it's always been just "a matter of time" before Apple started doing this (they've always done this with the BBTicket), it's still a significant move on Apple's part (and it also dovetails with certain technical requirements of their upcoming OTA "delta" updates).

Note: although there may still be ways to combat this, a beta period is really not the time or place to discuss them.  We're just letting you know what Apple has already done in their exisiting beta releases — they've stepped up their game!

Let's clarify this a bit - 

1) The new method of signing APTickets will prevent you from moving back and forth in the iOS 5.x branch of releases. Since the iOS 4.x firmware are based on ECID and firmware version, you'll be able to use your saved SHSH blobs to revert back to iOS 4.x (assuming [a] you have an older iTunes handy [b] have your iOS 4.x SHSH blobs saved [c] have the ability to serve out [replay] the SHSH blobs to iTunes upon restore - via TU, for example). This means that all current devices, with the exception of iPad 2, will be able to move between iOS 4 and iOS 5 (most current ONLY) without issue. 

2) The new method does not prevent jailbreaking. At the moment, a tethered jailbreak is still possible due to the ubiquitous limera1n hardware exploit used. If (and when) a usable exploit in the iOS 5.x releases is discovered, an untethered jailbreak can be fashioned. 

What this boils down is making the iOS release similar to the baseband release. If you "accidentally" upgrade from one release of iOS 5 to another, you're stuck at the later release without the ability to downgrade. There's a plethora of reasons to want to back-peddle to an earlier release of iOS. Downgrading from iOS 4.3 to iOS 4.2.1 in the early phases of the jailbreak was desired because many tweaks were incompatible with the newly introduced ASLR. Folks relying on ultrasn0w *were* limited to using an older release because of incompatibilities with iOS 4.3. 

Now, if there is some desired behavior present in iOS 5.0 that is corrected in a later release, you're fine until you upgrade. If you upgrade and want that desired behavior, you're forced into a holding pattern until the behavior is made available again in the newer release. This is probably more to do with an untethered jailbreak more than anything else. As long as you're using a device with the limera1n exploitable bootrom, you have a method of jailbreaking (tethered). 

iPad 2/iPhone 5 consumers will no doubt be the biggest headache group due to this change because if they accidentally upgrade to a later version of iOS 5 without a userland exploit (assuming a hardware exploit is not found), they lose their ability to jailbreak altogether until yet another userland exploit is discovered. Considering the difficulties that the Chronic Dev Team and @comex have been facing with the iPad 2 (still without a reliable jailbreak), this is where the headaches will be. 

OTA updates for Apple is no doubt a huge boon for them allowing them to hot-patch devices without requiring the user to hook-up, update firmware, and restore from a backup. Assuming that OTAs can be easily disabled, smooth sailing on the installed release of iOS 5 should be peachy. However, older releases of firmware tend to get left out in the cold the older they get via App Store apps. Taking advantage of new features will no doubt cause certain apps to require iOS 5 (much like many require iOS 4 today). 

I'm glad that folks like the iPhone Dev Team are keeping watch with these types of changes. I know good and well that Apple's very keen use of PKI in their architecture gives them a huge advantage, especially given their evolving methods. But, like all things human - nothing is perfect.

"Although it's always been just "a matter of time" before Apple started doing this (they've always done this with the BBTicket), it's still a significant move on Apple's part (and it also dovetails with certain technical requirements of their upcoming OTA "delta" updates). " 
wow, at last the iOS devs met the BB firmware devs :) , yeah, that was really expected at sometime since they work at the same place :P 
still i find it very very arrogant and unacceptable to prevent a user from using an older version on his own device, specially when they aren't very clever in keeping things always running good with updates - for me i find 4.2.1 much stable than 4.3.3 in some ways - , the same arrogance that prevent apple from unlocking the no contract at&t locked phones (thu the full price has been paid) despite they ve started selling the phone unlocked just because they don't want to go thru the headaches of it!! (i can't think of any other reason) 
The fact i always thought of is that apple will keep playing arrogant and user controlling as long as the rage of the users is always directed to those trying to help (via intensively working on jailbreaks or unlocks) instead of the mastermind of the problem which is apple itself!! , the same exact situation we have gone thru when the last unlock exploits didn't work out, i can assure you that we have received an amount of insults and rage that apple hasn't faced since its uprise in the 80s :( 
well :) , just a free flow of thoughts, forgive me 
anyway, as always keep your latest working jailbreaks and unlocks (i have to say including the sim hack ones), and avoid any updates till it is declared safe over here 
have a nice day all 
n.b remember, keep it clean here, this isn't twitter, any insults about this unlock thing will be happily received over twitter account :)))
Post from my iPad 2


Post a Comment