Archive for the ‘iPhone’ Category

Why you should save SHSH blobs for 3GS/iPhone 4

August 18, 2010

Avid iPhone hackers know that to be safe they need to store the SHSH blobs for their jailbroken phone, so that if something goes wrong they can restore it. However, even if you do not plan to jailbreak your phone, you should still save your SHSH blobs. Here is why:

When Apple releases a new firmware for the iPhone and iPod touch, it encourages everyone to update to the latest and greatest release. Old firmwares have vulnerabilities that jailbreakers use to customize the device and install non-approved applications on it; eventually Apple comes up with a fix and plugs the holes. When you restore or upgrade through iTunes, the firmware has to pass signature verification. This is a digital-signature scheme rather than a key exchange: iTunes sends Apple's signing server (the TSS server at gs.apple.com) a request containing the ECID of your device (more on this later) together with hashes of the firmware components being installed. The server answers with the SHSH blob, which is Apple's signature over those hashes bound to your ECID, and the device's boot chain accepts the new firmware only if the blob checks out against Apple's public key. (Firmware from iOS 4.0 onward also ships with blobs of its own, which matters for devices without an ECID; see the iPhone 3G notes at the end.) Only then does iTunes finish installing the new firmware. The catch is that each firmware has a signing window: within a few days of a new version being released, Apple's server stops signing the previous one. Once that window has closed you can no longer 'restore' your device to the old firmware, because no fresh blob for it will ever be issued again. You are stuck and cannot go back.
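The exchange described above, modelled in Python as an added example that is not part of the original post. The key pair, ECIDs, build names and component hashes are all constructed for illustration; the RSA is textbook (no padding), and the real TSS request and blob formats carry more than this. It demonstrates the three properties that matter: Apple can stop signing a build at any time, a blob saved while the build was still signed keeps verifying afterwards, and that blob is useless for any other ECID or any other firmware image.

```python
import hashlib
from typing import Dict, Optional, Set

# Toy RSA key pair standing in for Apple's signing key (constructed for this
# example). Two Mersenne primes keep the arithmetic exact with plain Python
# ints; textbook RSA with no padding, enough to show the trust relationship.
P = (1 << 127) - 1
Q = (1 << 61) - 1
N = P * Q                                   # ~188-bit modulus
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent: server side only


def _signed_message(ecid: int, build: str, component: str, digest: bytes) -> int:
    """What one blob covers: this ECID, this build, this component image."""
    h = hashlib.sha1()
    h.update(ecid.to_bytes(8, "big"))       # ECIDs are 64-bit values
    h.update(build.encode())
    h.update(component.encode())
    h.update(digest)
    return int.from_bytes(h.digest(), "big")   # 160 bits, always < N


class TssServer:
    """Stand-in for gs.apple.com: signs only builds still in the signing window."""

    def __init__(self, signing: Set[str]) -> None:
        self.signing = set(signing)

    def stop_signing(self, build: str) -> None:
        """Apple closes the window for an old build a few days after a new one ships."""
        self.signing.discard(build)

    def request(self, ecid: int, build: str,
                digests: Dict[str, bytes]) -> Optional[Dict[str, int]]:
        """The TSS exchange: the client sends ECID + per-component hashes and
        gets one signature (blob) per component back, or a refusal."""
        if build not in self.signing:
            return None
        return {name: pow(_signed_message(ecid, build, name, d), D, N)
                for name, d in digests.items()}


def device_accepts(ecid: int, build: str, component: str,
                   digest: bytes, blob: int) -> bool:
    """The boot chain's check, using only the public key: the blob must be a
    valid signature over exactly this ECID, this build and this image."""
    return pow(blob, E, N) == _signed_message(ecid, build, component, digest)


def walkthrough() -> Dict[str, bool]:
    """Replays the situation in the post with constructed inputs."""
    my_ecid, other_ecid = 0x000000012345ABCD, 0x000000056789FEDC   # made up
    # Constructed component hashes for two firmwares (iTunes takes the real
    # ones from the IPSW's BuildManifest). "NEWER_BUILD" is a placeholder name.
    fw_8a306 = {c: hashlib.sha1(f"{c} 8A306".encode()).digest()
                for c in ("LLB", "iBoot", "KernelCache")}
    fw_newer = {c: hashlib.sha1(f"{c} NEWER_BUILD".encode()).digest()
                for c in fw_8a306}

    apple = TssServer({"8A306"})
    saved = apple.request(my_ecid, "8A306", fw_8a306)    # what tiny-umbrella stores
    apple.signing.add("NEWER_BUILD")
    apple.stop_signing("8A306")                           # the window closes

    return {
        "saved_while_signed": saved is not None,
        "apple_still_signs_old_build":
            apple.request(my_ecid, "8A306", fw_8a306) is not None,
        "saved_blob_restores_same_device":
            all(device_accepts(my_ecid, "8A306", c, fw_8a306[c], saved[c]) for c in saved),
        "saved_blob_works_on_other_device":
            device_accepts(other_ecid, "8A306", "LLB", fw_8a306["LLB"], saved["LLB"]),
        "saved_blob_works_on_other_firmware":
            device_accepts(my_ecid, "8A306", "LLB", fw_newer["LLB"], saved["LLB"]),
        "tampered_blob_accepted":
            device_accepts(my_ecid, "8A306", "LLB", fw_8a306["LLB"], saved["LLB"] ^ 1),
    }


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name}: {outcome}")
```

The server never needs the device present to produce a blob, which is why Cydia can cache them on your behalf, and the device never needs Apple present to verify one, which is why a local TSS server replaying saved blobs is enough to restore later.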

You might ask why anyone would want to go back. One complaint I have seen discussed often is how an old iPhone 3G became irritatingly slow once iOS 4 was installed on it. This will always be an issue with old hardware: operating systems are written with the capabilities of newer hardware in mind, so installing the same OS on old hardware makes it crawl. We all had the same experience in the PC world; recall what happened when you installed Windows XP on a PC that once had plenty of horsepower for Windows 95. In such situations it is often best to go back to an older (possibly unsupported) operating system on the old hardware or, if you have the money, upgrade to newer hardware. The same holds in the mobile world. So however much Apple would love you to install its shiny new release, it may be a better idea to downgrade, and once the signing window has closed you have no way to do that. Jailbreakers have the same problem: when they want to go back to an old firmware with a known vulnerability they can exploit, they cannot, unless they stored a copy of the SHSH blob for that old firmware (the one they want to downgrade to).

So how can you save the SHSH blob for your device? Simple. There is a small utility known as tiny-umbrella (http://thefirmwareumbrella.blogspot.com/), available for Mac, Windows and Linux. Download and run it (you might have to provide an administrator's username and password). Now connect your iPhone or iPod touch to the computer, having first made sure iTunes is installed. tiny-umbrella detects the device and correctly reads its firmware version, build and ECID:

8/18/2010 20:08:45.187 Device Detected -
Device: iPhone3GS 4.0.1 (8A306)
Model: XXXX
Name: Ani’s iPhone
UUID: XXXX
Baseband: 05.13.04XXX

Select 'cydia' as the server. If Cydia does not already hold your SHSH blobs, it requests them from Apple's server on your behalf, caches the reply and sends it back to you. Click 'Save SHSH'. tiny-umbrella now contacts Cydia and reports the following:

08/18/2010 20:14:53.221 Processing SHSH Request...

08/18/2010 20:14:53.241 Asking CYDIA for SHSH blobs for iPhone3GS 4.0.1(8A306)...

08/18/2010 20:14:57.965 SHSH SUCCESSFULLY saved! [Click Here to Open]

08/18/2010 20:14:58.004 You have saved your SHSH locally and the request was sent to CYDIA. This means that CYDIA DOES have your SHSH. Do NOT bug semaphore about the Cydia home page showing this version.

08/18/2010 20:14:58.029 Caching shsh files...

08/18/2010 20:14:58.070 Found [1] shsh files to cache...

08/18/2010 20:14:58.140 Cached [1] shsh files

08/18/2010 20:15:32.709 TSS Server has cached the following files:

08/18/2010 20:15:32.729 iPhone3GS 4.0.1 (8A306)-

08/18/2010 20:15:32.739 Devices with ECIDs matching the above AND restoring to the exact firmware version listed above will succeed!

08/18/2010 20:15:32.752 *Please note that iPad and iPad3G share the exact same SHSH. If you see iPad above and you have an iPad3G THEY WILL WORK JUST FINE. There is just no way for me to tell the difference between iPad and iPad3G from the SHSH alone.

Now click the 'Click Here to Open' link. It opens the saved file in Finder (or Explorer); the file has a .shsh extension and is just an XML plist holding the blobs for the firmware components. Keep a copy of it somewhere other than the phone itself, since it is the only thing that will let you downgrade later.

Now the downgrading part. Once the blobs are saved locally, the same tiny-umbrella tool can start a local TSS server: a server on your own machine that answers the signature requests iTunes would normally send to Apple. Edit /etc/hosts (on Windows, C:\Windows\System32\drivers\etc\hosts) so that gs.apple.com points to localhost (127.0.0.1). When iTunes connects to gs.apple.com it now reaches tiny-umbrella instead, which answers the signature request from your cached blobs, and the restore goes through. You can therefore downgrade safely at a later time, as long as you saved blobs for the firmware you want. Remove the hosts entry when you are done: while it is in place iTunes can never reach Apple's real server, so ordinary restores to current firmware fail.
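The hosts-file step, as an added example in Python (not part of the original post, and not tiny-umbrella's own code). The functions operate on the file's text so the logic can be checked offline; the marker comment and the `--undo` flag are this example's own conventions. It refuses to add a redirect while an unmarked gs.apple.com line is already present, because the resolver takes the first matching line and a stale entry from an earlier attempt would silently win over the new one.

```python
from typing import List, Optional

GS_HOST = "gs.apple.com"
MARKER = "# tss-redirect"   # tag on the line we add, so we only ever remove our own


def _entries_for(lines: List[str], host: str) -> List[str]:
    """Hosts lines whose name list includes `host` (comments stripped)."""
    hits = []
    for line in lines:
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and host in fields[1:]:
            hits.append(line)
    return hits


def tss_target(hosts_text: str) -> Optional[str]:
    """Where gs.apple.com resolves per this file (first match wins), or None."""
    hits = _entries_for(hosts_text.splitlines(), GS_HOST)
    return hits[0].split()[0] if hits else None


def redirect_tss(hosts_text: str, target: str = "127.0.0.1") -> str:
    """Send gs.apple.com to the local TSS server. Idempotent; raises if some
    other, unmarked gs.apple.com line exists, since that line would win."""
    lines = [l for l in hosts_text.splitlines() if not l.rstrip().endswith(MARKER)]
    foreign = _entries_for(lines, GS_HOST)
    if foreign:
        raise ValueError(f"remove existing {GS_HOST} entries first: {foreign}")
    lines.append(f"{target} {GS_HOST} {MARKER}")
    return "\n".join(lines) + "\n"


def restore_tss(hosts_text: str) -> str:
    """Remove our redirect so iTunes can reach Apple's server again."""
    lines = [l for l in hosts_text.splitlines() if not l.rstrip().endswith(MARKER)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    # Mac/Linux path; on Windows use C:\Windows\System32\drivers\etc\hosts.
    HOSTS = "/etc/hosts"
    with open(HOSTS) as fh:
        current = fh.read()
    updated = restore_tss(current) if "--undo" in sys.argv[1:] else redirect_tss(current)
    with open(HOSTS, "w") as fh:        # needs administrator rights (sudo)
        fh.write(updated)
    print(f"{GS_HOST} now resolves to {tss_target(updated) or 'Apple (no override)'}")
```

Run it once before starting the local TSS server and again with `--undo` after the restore has finished; `tss_target` is the quick check to run when a later restore fails unexpectedly.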

Alternative way to find your ECID:

Put your device into DFU mode and connect it to your Mac. Open Apple menu -> About This Mac -> More Info, then choose Hardware -> USB in the left-hand column. Find the entry for your device; it should read something like this:

Product ID: 0x1227
Vendor ID: 0x05ac (Apple Inc.)
Version: 0.00
Serial Number: CPID:8920 CPRV:15 CPFM:03 SCEP:03 BDID:00 ECID:000000XXXXXXXXXX SRTG:[iBoot-359.3.2]
Speed: Up to 480 Mb/sec
Manufacturer: Apple Inc.
Location ID: 0xABCD
Current Available (mA): 500
Current Required (mA): 100

As you can see, the ECID is in the Serial Number string after ECID:, as a hex value (obfuscated here for privacy). The Product ID 0x1227 is what the device reports while in DFU mode, so it also confirms you really are in DFU rather than recovery mode.
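Parsing that serial string, as an added example in Python (not from the original post). The sample ECID is made up, and the USB product IDs (0x1227 for DFU, 0x1281 for recovery mode) and the CPID-to-chip names are from the editor's own knowledge of these devices, not from the post. The parser converts the hex ECID to the integer form that TSS requests carry, which is also how it is usually shown by the tools.

```python
import re
from typing import Dict, Optional

# USB product IDs Apple devices report in their pre-boot states (editor's knowledge).
USB_MODES = {0x1227: "DFU", 0x1281: "Recovery (iBoot)"}

# Application-processor chip IDs seen in the CPID field (editor's knowledge).
CHIP_NAMES = {
    0x8900: "S5L8900 (iPhone, iPhone 3G, iPod touch 1G)",
    0x8920: "S5L8920 (iPhone 3GS)",
    0x8922: "S5L8922 (iPod touch 3G)",
    0x8930: "S5L8930 / A4 (iPhone 4, iPad, iPod touch 4G)",
}

# "KEY:value" pairs; the SRTG value is bracketed, everything else is a bare token.
_FIELD = re.compile(r"\b([A-Z]+):(\[[^\]]*\]|\S+)")

# Constructed sample in the same shape as the System Profiler output above.
SAMPLE_SERIAL = ("CPID:8920 CPRV:15 CPFM:03 SCEP:03 BDID:00 "
                 "ECID:000000012345ABCD SRTG:[iBoot-359.3.2]")


def parse_dfu_serial(serial: str) -> Dict[str, str]:
    """Split the DFU/recovery serial string into its fields, or refuse a
    normal-mode serial number, which has none of them."""
    fields = dict(_FIELD.findall(serial))
    missing = [k for k in ("CPID", "BDID", "ECID") if k not in fields]
    if missing:
        raise ValueError(f"not a DFU/recovery serial string; missing {missing}")
    return fields


def describe_device(serial: str, product_id: Optional[int] = None) -> Dict[str, object]:
    """Human-readable summary plus the ECID in both forms you will need."""
    f = parse_dfu_serial(serial)
    cpid = int(f["CPID"], 16)
    return {
        "mode": USB_MODES.get(product_id, "unknown") if product_id is not None else "unknown",
        "chip": CHIP_NAMES.get(cpid, f"unknown CPID 0x{cpid:04x}"),
        "board_id": int(f["BDID"], 16),
        "ecid_hex": f["ECID"],                 # as shown by System Profiler
        "ecid_dec": int(f["ECID"], 16),        # as carried in TSS requests
        "iboot": f["SRTG"].strip("[]") if "SRTG" in f else None,
    }


if __name__ == "__main__":
    for key, value in describe_device(SAMPLE_SERIAL, 0x1227).items():
        print(f"{key}: {value}")
```

If you copy the string from a real machine, paste the whole Serial Number line; the parser ignores anything that is not a KEY:value pair, so surrounding text does no harm.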

Note: you can read more about SHSH blobs on Wikipedia: http://en.wikipedia.org/wiki/SHSH_blob

More info about iPhone 3G:

According to what I have read, you can always downgrade an iPhone 3G (not 3GS) from firmware 4.x to 3.x.x without needing to save SHSH blobs. I do not have a 3G phone, so I can't test it myself. In other words:

iPhone 3G and older: downgrade from iOS 4.x.x to 3.x.x => SHSH blobs not required (there are no embedded SHSH blobs in the 3.x firmware and the device has no ECID).

iPhone 3G and older: downgrade from iOS 4.x.x to 4.0.0 => SHSH blobs required (from iOS 4.0 onward, Apple has included soft SHSH blobs in the firmware itself).

iPhone 3GS and above: downgrade from 4.x to anything => SHSH blobs required (the 3GS and iPhone 4 have an ECID that is bound into the RSA signature check).

Categories: iPhone