SHSH blob

Last updated

In computing, a SHSH blob is a digital signature that Apple generates and uses to personalize IPSW firmware files for each iOS device. SHSH blobs are part of Apple's protocol designed to ensure that only trusted software is installed on the device, [1] generally only allowing the newest iOS version to be installable. Apple's public name for this process is System Software Authorization (before iOS 7, System Software Personalization). [2] The term “SHSH blob” is unofficial and based on abbreviations for signed hash and binary large object. An alternative term, ECID SHSH, refers to the device's ECID, a unique identification number embedded in its hardware [3] )

Contents

This process is controlled by the TATSU ("TSS") Signing Server (gs.apple.com) where updates and restores can only be completed by iTunes if the version of iOS is being signed. Developers interested in iOS jailbreaking have made tools for working around this signature system in order to install jailbreakable older iOS versions that are no longer being signed by Apple. [4] [5]

Technical details

SHSH blobs are created by a hashing formula that has multiple keys, including the device type, the iOS version being signed, and the device's ECID. [6] [ non-primary source needed ] When Apple wishes to restrict users' ability to restore their devices to a particular iOS version, Apple can refuse to generate this hash during the restore attempt, and the restore will not be successful (or at least will require bypassing the intended function of the system). [7] [8]

This protocol is part of iPhone 3GS and later devices. [9]

TATSU Signing Server

When iTunes restores or updates an iOS firmware, Apple has added many checkpoints before the iOS version is installed and on-device consolidation begins. At the first "Verifying iPhone software" iTunes communicates with "gs.apple.com" to verify that the IPSW file provided is still being signed. The TATSU server will give back a list of versions being signed. If the version is not being signed, then iBEC and iBoot will decline the image, giving an error of "error 3194" or "declined to authorize the image"

iTunes will communicate with iBoot throughout the process of an update or restore ensuring the firmware has not been modified to a Custom Firmware ("CFW"). iTunes will not update or restore a device when it suspects the file has been modified.

This is a chain process, before installing the firmware, the installed iBoot has to verify the to-be-installed iBoot, and so on. You cannot install unsigned iOS versions, unless 1) you possess SHSH2 blobs and have set nonces (requiring exploits) or 2) you exploit the chain process.

Exploits and countermeasures

The requirement of SHSH Blobs in order to install to unsigned iOS versions can be bypassed using a replay attack, by saving blobs while an iOS firmware is still signed and later using them when installing the firmware. Newer iOS versions require more elements, such as a valid nonce, when saving SHSH blobs. Saving blobs for devices using the A12 SoC or newer also requires getting a matching nonce for a generator from a device to save valid blobs that can be used later in a restore. Even with SHSH blobs saved correctly, it is still sometimes not possible to jump to certain iOS versions due to incompatibility of the SEP (Secure Enclave) between versions.

Tools to save SHSH blobs for newer iOS versions include the application blobsaver and the command line tool tsschecker.

To use SHSH blobs to install an unsigned iOS version on a device, tools like futurerestore (based on idevicerestore) or its GUIs can be used, which allows specification of iOS firmware files and SHSH blobs to be used in the restore.

Previous bypass methods

For iOS 3 and 4, SHSH blobs were made of static keys (such as the device type, iOS version, and ECID), which meant that the SHSH blobs for a specific iOS version and device would be the same upon every restore. To subvert that system using a man-in-the-middle attack, server requests the unique SHSH blobs from Apple for the jailbroken device and caches those SHSH blobs on servers, so that if a user changes the hosts file on a computer to redirect the SHSH blobs check to cache instead of Apple's servers, iTunes would be tricked into checking those cached SHSH blobs and allowing the device to be restored to that version. [9] [10]

iOS 5 and later versions of iOS implement an addition to this system, a random number (a cryptographic nonce) in the "APTicket", [11] making that simple replay attack no longer effective. [12] [13]

First released in 2009, [14] [ self-published source? ] [15] [ dubious discuss ] TinyUmbrella is a tool for finding information about SHSH blobs saved on third party servers, saving SHSH blobs locally, [16] and running a local server to replay SHSH blobs to trick iTunes into restoring older devices to iOS 3 and 4. [17] [ unreliable source? ] [18] In June 2011, iH8sn0w released iFaith, a tool that can grab partial SHSH blobs from a device for its currently-installed iOS version (limited to iPhone 4 and older devices). [19] [20] In late 2011, the iPhone Dev Team added features to redsn0w that include the ability to save SHSH blobs with APTickets and stitch them into custom firmware in order to restore a device to iOS 5 or later. [21]

Replaying SHSH blobs for newer devices (Apple A12 and later) is not always possible, because there are no boot ROM (hardware level) exploits available for these devices. As of October 2012, redsn0w includes features for restoring newer devices between different versions of iOS 5, [22] but it cannot downgrade newer devices from iOS 6 to iOS 5. [23] [24]

See also

Related Research Articles

<span class="mw-page-title-main">Privilege escalation</span> Gaining control of computer privileges beyond what is normally granted

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

iPod Touch Series of mobile devices by Apple (2007–2022)

The iPod Touch is a discontinued line of iOS-based mobile devices designed and marketed by Apple Inc. with a touchscreen-controlled user interface. As with other iPod models, the iPod Touch can be used as a portable media player and a handheld gaming device, but can also be used as a digital camera, a web browser, for email and messaging. It is nearly identical in design to the iPhone, and can run most iPhone third-party apps from the App Store, but it connects to the Internet only through Wi-Fi and uses no cellular network data, as it lacks a cellular modem.

iOS Mobile operating system by Apple

iOS is a mobile operating system developed by Apple Inc. exclusively for its smartphones. It was unveiled in January 2007 for the first-generation iPhone, launched in June 2007.

SpringBoard is the standard application that manages the iPhone's home screen. Other tasks include starting WindowServer, launching and bootstrapping applications and setting some of the device's settings on startup.

On Apple devices running iOS and iOS-based operating systems, jailbreaking is the use of a privilege escalation exploit to remove software restrictions imposed by the manufacturer. Typically it is done through a series of kernel patches. A jailbroken device permits root access within the operating system and provides the right to install software unavailable through the App Store. Different devices and versions are exploited with a variety of tools. Apple views jailbreaking as a violation of the end-user license agreement and strongly cautions device owners not to try to achieve root access through the exploitation of vulnerabilities.

<span class="mw-page-title-main">Cydia</span> iOS package manager

Cydia is a graphical user interface of APT for iOS. It enables a user to find and install software not authorized by Apple on jailbroken iPhones, iPads and iPod Touch devices. It also refers to the digital distribution platform for software on iOS accessed through Cydia software. Most of the software packages available through Cydia are free of charge, although some require purchasing.

blackra1n is a program that jailbreaks versions 3.1, 3.1.1 and 3.1.2 of Apple's operating system for the iPhone and the iPod Touch, known as iOS.

iPad Line of tablet computers by Apple

The iPad is a brand of iOS and iPadOS-based tablet computers that are developed by Apple Inc., first introduced on January 27, 2010. The iPad range consists of the original iPad lineup and the flagship products iPad Mini, iPad Air, and iPad Pro.

Rooting is the process by which users of Android devices can attain privileged control over various subsystems of the device, usually smartphones. Because Android is based on a modified version of the Linux kernel, rooting an Android device gives similar access to administrative (superuser) permissions as on Linux or any other Unix-like operating system such as FreeBSD or macOS.

<span class="mw-page-title-main">JailbreakMe</span> Series of iOS jailbreaks

JailbreakMe is a series of jailbreaks for Apple's iOS mobile operating system that took advantage of flaws in the Safari browser on the device, providing an immediate one-step jailbreak, unlike more common jailbreaks, such as Blackra1n and redsn0w, that require plugging the device into a computer and running the jailbreaking software from the desktop. JailbreakMe included Cydia, a package management interface that serves as an alternative to the App Store. Although it does not support modern devices, it can still be used and the site is up.

greenpois0n is a name shared by a series of iOS jailbreaking tools developed by Chronic Dev Team that use exploits to remove software restrictions on iPhones, iPads, iPod Touches, and Apple TVs. Greenpois0n's initial release in October 2010 jailbroke iOS 4.1, and its second version in February 2011 jailbroke iOS 4.2.1 as well as iOS 4.2.6 on CDMA iPhones. The second generation of the tool, greenpois0n Absinthe, was developed with iPhone Dev Team members and jailbroke iOS 5.0.1 in January 2012, and a second version jailbroke iOS 5.1.1 in May 2012.

iCloud Cloud storage and cloud computing service by Apple

iCloud is a cloud service developed by Apple Inc. Launched on October 12, 2011, iCloud enables users to store and sync data across devices, including Apple Mail, Apple Calendar, Apple Photos, Apple Notes, contacts, settings, backups, and files, to collaborate with other users, and track assets through Find My. It is built into iOS, iPadOS, watchOS, tvOS, macOS, and visionOS. iCloud may additionally be accessed through a limited web interface and Windows application.

iMessage Instant messaging service by Apple

iMessage is an instant messaging service developed by Apple Inc. and launched in 2011. iMessage functions exclusively on Apple platforms – including macOS, iOS, iPadOS, and watchOS – as part of Apple's broader strategic approach to inter device integration, sometimes referred to as the Apple Eco-System.

iPad (3rd generation) Tablet computer made by Apple (2012)

The iPad is a tablet computer, developed and marketed by Apple Inc. It is the third device in the iPad line of tablets. It added a Retina Display, the new Apple A5X chip with a quad-core graphics processor, a 5-megapixel camera, HD 1080p video recording, voice dictation, and support for LTE networks in North America. It shipped with iOS 5, which provides a platform for audio-visual media, including electronic books, periodicals, films, music, computer games, presentations and web browsing.

The Pangu Team, is a Chinese programming team in the iOS community that developed the Pangu jailbreaking tools. These are tools that assist users in bypassing device restrictions and enabling root access to the iOS operating system. This permits the user to install applications and customizations typically unavailable through the official iOS App Store.

PP Jailbreak, also commonly known as PP, PP25 App or PP25 Jailbreak, is a term describing a free Chinese app containing tools capable of jailbreaking iOS 8 devices, except for Apple TV. Eligible products include: iPod Touch, iPhone and iPad. This app was developed by a Chinese iOS hacking community known as PP Assistant. It was first released on January 19, 2015

IPSW, iPhone Software, is a file format used to install iOS, iPadOS, tvOS, HomePod, and most recently, macOS firmware for devices equipped with Apple silicon. All Apple devices share the same IPSW file format for iOS firmware and their derivatives, allowing users to flash their devices through Finder or iTunes on macOS or Windows, respectively. Users can flash Apple silicon Macs through Apple Configurator 2.

UDID is an acronym for Unique Device Identifier. The UDID is a feature of Apple's devices running iOS, tvOS, watchOS, and macOS. It is a unique identifier that is calculated from different hardware values, such as the ECID. It is sent to Apple servers when a user tries to activate the device during Setup. This ID is also used to detect the phone or to communicate with it while restoring the IPSW firmware.

The iOS mobile operating system developed by Apple has had a wide range of bugs and security issues discovered throughout its lifespan, including security exploits discovered in most versions of the operating system related to the practice of jailbreaking, bypassing the user's lock screen, issues relating to battery drain, crash bugs encountered when sending photos or certain Unicode characters via text messages sent through the Messages application, and general bugs and security issues later fixed in newer versions of the operating system.

References

  1. Asad, Taimur (April 30, 2011). "Save SHSH Blobs (ECID SHSH) of iPhone 3.1.3 and iPad 3.2". Redmond Pie. Retrieved December 30, 2012.
  2. Apple Inc. (May 2012). "iOS Security" (PDF). Apple Inc. Archived from the original (PDF) on 21 October 2012. Retrieved 3 December 2012.
  3. Stern, Zack (July 5, 2010). "How to jailbreak your iPad and start multitasking immediately". ITBusiness.ca. Retrieved December 30, 2012.
  4. Nat Futterman (May 25, 2010). "Jailbreaking the iPad: What You Need to Know". Geek Tech. PCWorld. Archived from the original on September 5, 2012. Retrieved August 2, 2011.
  5. Kumparak, Greg (June 27, 2011). "Apple Steps Up Their Game with iOS 5, Makes Jailbreaking More Difficult". TechCrunch. Retrieved December 30, 2012.
  6. Stefan Esser (March 2012). "iOS 5: An Exploitation Nightmare?" (PDF). CanSecWest Vancouver. Retrieved 3 December 2012.
  7. Adam Dachis (April 25, 2011). "Save Your iDevice's SHSH to Avoid Losing the Ability to Jailbreak". Lifehacker. Retrieved August 2, 2011.
  8. Smith, Gina (September 27, 2012). "Apple iOS 6 woes: Save the blobs if you need to downgrade". Apple in the Enterprise. TechRepublic . Retrieved December 30, 2012.
  9. 1 2 Jay Freeman (saurik) (September 2009). "Caching Apple's Signature Server". Saurik.com. Retrieved December 3, 2012.
  10. Hoog, Andrew; Strzempka, Katie (2011). iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices. Elsevier. pp. 47–50. ISBN   9781597496599 . Retrieved December 3, 2012.
  11. Cheng, Jacqui (June 27, 2011). "iOS 5 beta hobbles OS downgrades, untethered jailbreaks". Infinite Loop. Ars Technica. Retrieved December 30, 2012.
  12. Oliver Haslam (June 27, 2011). "iOS 5 Will Halt SHSH Firmware Downgrades On iPhone, iPad, iPod touch". Redmond Pie. Retrieved November 12, 2011.
  13. Levin, Jonathan (2012). Mac OS X and iOS Internals: To the Apple's Core. John Wiley & Sons. p. 214. ISBN   9781118222256 . Retrieved December 29, 2012.
  14. notcom (September 19, 2009). "TinyTSS -- All your iphone restores are belong to you". The Firmware Umbrella. Retrieved 3 December 2012.
  15. notcom (May 20, 2010). "TinyUmbrella - Unified TinyTSS and The Firmware Umbrella in ONE!". The Firmware Umbrella. Retrieved 1 January 2013.
  16. Brownlee, John (November 15, 2011). "TinyUmbrella Updated To Support Backing Up iPhone 4S And iOS 5.0.1 SHSH Blobs". Cult of Mac. Retrieved December 30, 2012.
  17. Sayam Aggarwal (July 26, 2010). "Before Jailbreaking, Extract Your iPhone's SHSH Blobs with Umbrella". Cult of Mac. Retrieved 3 December 2012.
  18. Landau, Ted (April 22, 2011). "TinyUmbrella and ITunes 1013 Error Strike Again". MacWorld. PCWorld. Retrieved December 30, 2012.
  19. Goncalo Ribeiro (June 3, 2011). "How To Save SHSH Blobs Of Any Old Firmware Running On Your iPhone, iPad, iPod touch Using iFaith". Redmond Pie. Retrieved 3 December 2012.
  20. Morris, Paul (December 24, 2011). "Cydia Is Now Saving SHSH Blobs For iOS 5.0.1 Firmware". Redmond Pie. Retrieved December 30, 2012.
  21. Jeff Benjamin (September 27, 2011). "How to Stitch Your SHSH Blobs Using RedSn0w to Create Firmware That Can Always Be Downgraded". iDownloadBlog. Retrieved 3 December 2012.
  22. iPhone Dev Team (October 2012). "Restoration reinvigoration". Dev Team Blog. Retrieved 3 December 2012.
  23. iPhone Dev Team (September 2012). "Blob-o-riffic". Dev Team Blog. Retrieved 3 December 2012.
  24. Morris, Paul (October 14, 2012). "How To Re-Restore iPhone 4S, iPad 3, iPad 2, iPod touch From iOS 5.x To iOS 5.x Using Redsn0w". Redmond Pie. Retrieved December 30, 2012.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.