fbpx
Wikipedia

SHSH blob

August 22, 2023

In computing, a SHSH blob is a digital signature that Apple generates and uses to personalize IPSW firmware files for each iOS device. SHSH blobs are part of Apple's protocol designed to ensure that only trusted software is installed on the device,[1] generally only allowing the newest iOS version to be installable. Apple's public name for this process is System Software Authorization (before iOS 7, System Software Personalization).[2] The term “SHSH blob” is unofficial and based on abbreviations for signed hash and binary large object. An alternative term, ECID SHSH, refers to the device's ECID, a unique identification number embedded in its hardware[3])

This process is controlled by the TATSU ("TSS") Signing Server (gs.apple.com) where updates and restores can only be completed by iTunes if the version of iOS is being signed. Developers interested in iOS jailbreaking have made tools for working around this signature system in order to install jailbreakable older iOS versions that are no longer being signed by Apple.[4][5]

Technical details

SHSH blobs are created by a hashing formula that has multiple keys, including the device type, the iOS version being signed, and the device's ECID.[6][non-primary source needed] When Apple wishes to restrict users' ability to restore their devices to a particular iOS version, Apple can refuse to generate this hash during the restore attempt, and the restore will not be successful (or at least will require bypassing the intended function of the system).[7][8]

This protocol is part of iPhone 3GS and later devices.[9]

TATSU Signing Server

When iTunes restores or updates an iOS firmware, Apple has added many checkpoints before the iOS version is installed and on-device consolidation begins. At the first "Verifying iPhone software" iTunes communicates with "gs.apple.com" to verify that the IPSW file provided is still being signed. The TATSU server will give back a list of versions being signed. If the version is not being signed, then iBEC and iBoot will decline the image, giving an error of "error 3194" or "declined to authorize the image"

iTunes will communicate with iBoot throughout the process of an update or restore ensuring the firmware has not been modified to a Custom Firmware ("CFW"). iTunes will not update or restore a device when it suspects the file has been modified.

This is a chain process, before installing the firmware, the installed iBoot has to verify the to-be-installed iBoot, and so on. You cannot install unsigned iOS versions, unless 1) you possess SHSH2 blobs and have set nonces (requiring exploits) or 2) you exploit the chain process.

Exploits and countermeasures

The requirement of SHSH Blobs in order to install to unsigned iOS versions can be bypassed using a replay attack, by saving blobs while an iOS firmware is still signed and later using them when installing the firmware. Newer iOS versions require more elements, such as a valid nonce, when saving SHSH blobs. Saving blobs for devices using the A12 SoC or newer also requires getting a matching nonce for a generator from a device to save valid blobs that can be used later in a restore. Even with SHSH blobs saved correctly, it is still sometimes not possible to jump to certain iOS versions due to incompatibility of the SEP (Secure Enclave) between versions.

Tools to save SHSH blobs for newer iOS versions include the application blobsaver and the command line tool tsschecker.

To use SHSH blobs to install an unsigned iOS version on a device, tools like futurerestore (based on idevicerestore) or its GUIs can be used, which allows specification of iOS firmware files and SHSH blobs to be used in the restore.

Previous bypass methods

For iOS 3 and 4, SHSH blobs were made of static keys (such as the device type, iOS version, and ECID), which meant that the SHSH blobs for a specific iOS version and device would be the same upon every restore. To subvert that system using a man-in-the-middle attack, server requests the unique SHSH blobs from Apple for the jailbroken device and caches those SHSH blobs on servers, so that if a user changes the hosts file on a computer to redirect the SHSH blobs check to cache instead of Apple's servers, iTunes would be tricked into checking those cached SHSH blobs and allowing the device to be restored to that version.[9][10]

iOS 5 and later versions of iOS implement an addition to this system, a random number (a cryptographic nonce) in the "APTicket",[11] making that simple replay attack no longer effective.[12][13]

First released in 2009,[14][self-published source?][15][dubious discuss] TinyUmbrella is a tool for finding information about SHSH blobs saved on third party servers, saving SHSH blobs locally,[16] and running a local server to replay SHSH blobs to trick iTunes into restoring older devices to iOS 3 and 4.[17][unreliable source?][18] In June 2011, iH8sn0w released iFaith, a tool that can grab partial SHSH blobs from a device for its currently-installed iOS version (limited to iPhone 4 and older devices).[19][20] In late 2011, the iPhone Dev Team added features to redsn0w that include the ability to save SHSH blobs with APTickets and stitch them into custom firmware in order to restore a device to iOS 5 or later.[21]

Replaying SHSH blobs for newer devices (iPad 2 and later) is not always possible, because there are no boot ROM (hardware level) exploits available for these devices. As of October 2012, redsn0w includes features for restoring newer devices between different versions of iOS 5,[22] but it cannot downgrade newer devices from iOS 6 to iOS 5.[23][24]

See also

References

  1. ^ Asad, Taimur (April 30, 2011). "Save SHSH Blobs (ECID SHSH) of iPhone 3.1.3 and iPad 3.2". Redmond Pie. Retrieved December 30, 2012.
  2. ^ Apple Inc. (May 2012). (PDF). Apple Inc. Archived from the original (PDF) on 21 October 2012. Retrieved 3 December 2012.
  3. ^ Stern, Zack (July 5, 2010). "How to jailbreak your iPad and start multitasking immediately". ITBusiness.ca. Retrieved December 30, 2012.
  4. ^ Nat Futterman (May 25, 2010). "Jailbreaking the iPad: What You Need to Know". Geek Tech. PCWorld. Retrieved August 2, 2011.
  5. ^ Kumparak, Greg (June 27, 2011). "Apple Steps Up Their Game with iOS 5, Makes Jailbreaking More Difficult". TechCrunch. Retrieved December 30, 2012.
  6. ^ Stefan Esser (March 2012). "iOS 5: An Exploitation Nightmare?" (PDF). CanSecWest Vancouver. Retrieved 3 December 2012.
  7. ^ Adam Dachis (April 25, 2011). "Save Your iDevice's SHSH to Avoid Losing the Ability to Jailbreak". Lifehacker. Retrieved August 2, 2011.
  8. ^ Smith, Gina (September 27, 2012). "Apple iOS 6 woes: Save the blobs if you need to downgrade". Apple in the Enterprise. TechRepublic. Retrieved December 30, 2012.
  9. ^ a b Jay Freeman (saurik) (September 2009). "Caching Apple's Signature Server". Saurik.com. Retrieved December 3, 2012.
  10. ^ Hoog, Andrew; Strzempka, Katie (2011). iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices. Elsevier. pp. 47–50. ISBN 9781597496599. Retrieved December 3, 2012.
  11. ^ Cheng, Jacqui (June 27, 2011). "iOS 5 beta hobbles OS downgrades, untethered jailbreaks". Infinite Loop. Ars Technica. Retrieved December 30, 2012.
  12. ^ Oliver Haslam (June 27, 2011). "iOS 5 Will Halt SHSH Firmware Downgrades On iPhone, iPad, iPod touch". Redmond Pie. Retrieved November 12, 2011.
  13. ^ Levin, Jonathan (2012). Mac OS X and iOS Internals: To the Apple's Core. John Wiley & Sons. p. 214. ISBN 9781118222256. Retrieved December 29, 2012.
  14. ^ notcom (September 19, 2009). "TinyTSS -- All your iphone restores are belong to you". The Firmware Umbrella. Retrieved 3 December 2012.
  15. ^ notcom (May 20, 2010). "TinyUmbrella - Unified TinyTSS and The Firmware Umbrella in ONE!". The Firmware Umbrella. Retrieved 1 January 2013.
  16. ^ Brownlee, John (November 15, 2011). "TinyUmbrella Updated To Support Backing Up iPhone 4S And iOS 5.0.1 SHSH Blobs". Cult of Mac. Retrieved December 30, 2012.
  17. ^ Sayam Aggarwal (July 26, 2010). "Before Jailbreaking, Extract Your iPhone's SHSH Blobs with Umbrella". Cult of Mac. Retrieved 3 December 2012.
  18. ^ Landau, Ted (April 22, 2011). "TinyUmbrella and ITunes 1013 Error Strike Again". MacWorld. PCWorld. Retrieved December 30, 2012.
  19. ^ Goncalo Ribeiro (June 3, 2011). "How To Save SHSH Blobs Of Any Old Firmware Running On Your iPhone, iPad, iPod touch Using iFaith". Redmond Pie. Retrieved 3 December 2012.
  20. ^ Morris, Paul (December 24, 2011). "Cydia Is Now Saving SHSH Blobs For iOS 5.0.1 Firmware". Redmond Pie. Retrieved December 30, 2012.
  21. ^ Jeff Benjamin (September 27, 2011). "How to Stitch Your SHSH Blobs Using RedSn0w to Create Firmware That Can Always Be Downgraded". iDownloadBlog. Retrieved 3 December 2012.
  22. ^ iPhone Dev Team (October 2012). "Restoration reinvigoration". Dev Team Blog. Retrieved 3 December 2012.
  23. ^ iPhone Dev Team (September 2012). "Blob-o-riffic". Dev Team Blog. Retrieved 3 December 2012.
  24. ^ Morris, Paul (October 14, 2012). "How To Re-Restore iPhone 4S, iPad 3, iPad 2, iPod touch From iOS 5.x To iOS 5.x Using Redsn0w". Redmond Pie. Retrieved December 30, 2012.

August 22, 2023
shsh, blob, computing, digital, signature, that, apple, generates, uses, personalize, ipsw, firmware, files, each, device, part, apple, protocol, designed, ensure, that, only, trusted, software, installed, device, generally, only, allowing, newest, version, in. In computing a SHSH blob is a digital signature that Apple generates and uses to personalize IPSW firmware files for each iOS device SHSH blobs are part of Apple s protocol designed to ensure that only trusted software is installed on the device 1 generally only allowing the newest iOS version to be installable Apple s public name for this process is System Software Authorization before iOS 7 System Software Personalization 2 The term SHSH blob is unofficial and based on abbreviations for signed hash and binary large object An alternative term ECID SHSH refers to the device s ECID a unique identification number embedded in its hardware 3 This process is controlled by the TATSU TSS Signing Server gs apple com where updates and restores can only be completed by iTunes if the version of iOS is being signed Developers interested in iOS jailbreaking have made tools for working around this signature system in order to install jailbreakable older iOS versions that are no longer being signed by Apple 4 5 Contents 1 Technical details 2 TATSU Signing Server 3 Exploits and countermeasures 3 1 Previous bypass methods 4 See also 5 ReferencesTechnical details EditSHSH blobs are created by a hashing formula that has multiple keys including the device type the iOS version being signed and the device s ECID 6 non primary source needed When Apple wishes to restrict users ability to restore their devices to a particular iOS version Apple can refuse to generate this hash during the restore attempt and the restore will not be successful or at least will require bypassing the intended function of the system 7 8 This protocol is part of iPhone 3GS and later devices 9 TATSU Signing Server EditWhen iTunes restores or updates an iOS firmware Apple has added many checkpoints before the iOS version is installed and on device consolidation begins At the first Verifying iPhone software iTunes communicates with gs apple com to verify that the IPSW file provided is still being signed The TATSU server will give back a list of versions being signed If the version is not being signed then iBEC and iBoot will decline the image giving an error of error 3194 or declined to authorize the image iTunes will communicate with iBoot throughout the process of an update or restore ensuring the firmware has not been modified to a Custom Firmware CFW iTunes will not update or restore a device when it suspects the file has been modified This is a chain process before installing the firmware the installed iBoot has to verify the to be installed iBoot and so on You cannot install unsigned iOS versions unless 1 you possess SHSH2 blobs and have set nonces requiring exploits or 2 you exploit the chain process Exploits and countermeasures EditThe requirement of SHSH Blobs in order to install to unsigned iOS versions can be bypassed using a replay attack by saving blobs while an iOS firmware is still signed and later using them when installing the firmware Newer iOS versions require more elements such as a valid nonce when saving SHSH blobs Saving blobs for devices using the A12 SoC or newer also requires getting a matching nonce for a generator from a device to save valid blobs that can be used later in a restore Even with SHSH blobs saved correctly it is still sometimes not possible to jump to certain iOS versions due to incompatibility of the SEP Secure Enclave between versions Tools to save SHSH blobs for newer iOS versions include the application blobsaver and the command line tool tsschecker To use SHSH blobs to install an unsigned iOS version on a device tools like futurerestore based on idevicerestore or its GUIs can be used which allows specification of iOS firmware files and SHSH blobs to be used in the restore Previous bypass methods Edit For iOS 3 and 4 SHSH blobs were made of static keys such as the device type iOS version and ECID which meant that the SHSH blobs for a specific iOS version and device would be the same upon every restore To subvert that system using a man in the middle attack server requests the unique SHSH blobs from Apple for the jailbroken device and caches those SHSH blobs on servers so that if a user changes the hosts file on a computer to redirect the SHSH blobs check to cache instead of Apple s servers iTunes would be tricked into checking those cached SHSH blobs and allowing the device to be restored to that version 9 10 iOS 5 and later versions of iOS implement an addition to this system a random number a cryptographic nonce in the APTicket 11 making that simple replay attack no longer effective 12 13 First released in 2009 14 self published source 15 dubious discuss TinyUmbrella is a tool for finding information about SHSH blobs saved on third party servers saving SHSH blobs locally 16 and running a local server to replay SHSH blobs to trick iTunes into restoring older devices to iOS 3 and 4 17 unreliable source 18 In June 2011 iH8sn0w released iFaith a tool that can grab partial SHSH blobs from a device for its currently installed iOS version limited to iPhone 4 and older devices 19 20 In late 2011 the iPhone Dev Team added features to redsn0w that include the ability to save SHSH blobs with APTickets and stitch them into custom firmware in order to restore a device to iOS 5 or later 21 Replaying SHSH blobs for newer devices iPad 2 and later is not always possible because there are no boot ROM hardware level exploits available for these devices As of October 2012 redsn0w includes features for restoring newer devices between different versions of iOS 5 22 but it cannot downgrade newer devices from iOS 6 to iOS 5 23 24 See also EditDigital rights managementReferences Edit Asad Taimur April 30 2011 Save SHSH Blobs ECID SHSH of iPhone 3 1 3 and iPad 3 2 Redmond Pie Retrieved December 30 2012 Apple Inc May 2012 iOS Security PDF Apple Inc Archived from the original PDF on 21 October 2012 Retrieved 3 December 2012 Stern Zack July 5 2010 How to jailbreak your iPad and start multitasking immediately ITBusiness ca Retrieved December 30 2012 Nat Futterman May 25 2010 Jailbreaking the iPad What You Need to Know Geek Tech PCWorld Retrieved August 2 2011 Kumparak Greg June 27 2011 Apple Steps Up Their Game with iOS 5 Makes Jailbreaking More Difficult TechCrunch Retrieved December 30 2012 Stefan Esser March 2012 iOS 5 An Exploitation Nightmare PDF CanSecWest Vancouver Retrieved 3 December 2012 Adam Dachis April 25 2011 Save Your iDevice s SHSH to Avoid Losing the Ability to Jailbreak Lifehacker Retrieved August 2 2011 Smith Gina September 27 2012 Apple iOS 6 woes Save the blobs if you need to downgrade Apple in the Enterprise TechRepublic Retrieved December 30 2012 a b Jay Freeman saurik September 2009 Caching Apple s Signature Server Saurik com Retrieved December 3 2012 Hoog Andrew Strzempka Katie 2011 iPhone and iOS Forensics Investigation Analysis and Mobile Security for Apple iPhone iPad and iOS Devices Elsevier pp 47 50 ISBN 9781597496599 Retrieved December 3 2012 Cheng Jacqui June 27 2011 iOS 5 beta hobbles OS downgrades untethered jailbreaks Infinite Loop Ars Technica Retrieved December 30 2012 Oliver Haslam June 27 2011 iOS 5 Will Halt SHSH Firmware Downgrades On iPhone iPad iPod touch Redmond Pie Retrieved November 12 2011 Levin Jonathan 2012 Mac OS X and iOS Internals To the Apple s Core John Wiley amp Sons p 214 ISBN 9781118222256 Retrieved December 29 2012 notcom September 19 2009 TinyTSS All your iphone restores are belong to you The Firmware Umbrella Retrieved 3 December 2012 notcom May 20 2010 TinyUmbrella Unified TinyTSS and The Firmware Umbrella in ONE The Firmware Umbrella Retrieved 1 January 2013 Brownlee John November 15 2011 TinyUmbrella Updated To Support Backing Up iPhone 4S And iOS 5 0 1 SHSH Blobs Cult of Mac Retrieved December 30 2012 Sayam Aggarwal July 26 2010 Before Jailbreaking Extract Your iPhone s SHSH Blobs with Umbrella Cult of Mac Retrieved 3 December 2012 Landau Ted April 22 2011 TinyUmbrella and ITunes 1013 Error Strike Again MacWorld PCWorld Retrieved December 30 2012 Goncalo Ribeiro June 3 2011 How To Save SHSH Blobs Of Any Old Firmware Running On Your iPhone iPad iPod touch Using iFaith Redmond Pie Retrieved 3 December 2012 Morris Paul December 24 2011 Cydia Is Now Saving SHSH Blobs For iOS 5 0 1 Firmware Redmond Pie Retrieved December 30 2012 Jeff Benjamin September 27 2011 How to Stitch Your SHSH Blobs Using RedSn0w to Create Firmware That Can Always Be Downgraded iDownloadBlog Retrieved 3 December 2012 iPhone Dev Team October 2012 Restoration reinvigoration Dev Team Blog Retrieved 3 December 2012 iPhone Dev Team September 2012 Blob o riffic Dev Team Blog Retrieved 3 December 2012 Morris Paul October 14 2012 How To Re Restore iPhone 4S iPad 3 iPad 2 iPod touch From iOS 5 x To iOS 5 x Using Redsn0w Redmond Pie Retrieved December 30 2012 Retrieved from https en wikipedia org w index php title SHSH blob amp oldid 1171598655, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.