
IOS5 SHSH Blobs on Cydia

tron

iPF Noob
Joined
Jun 17, 2011
Messages
47
Reaction score
0
Hi guys

For what it's worth, I have saved my iOS 5 SHSH blobs using iSH****.

Just noted that the iOS 5 SHSH do not appear on the Cydia home screen like the previous firmwares up to 4.3.5.

Any reason for this omission?

PS: I have noted this on Cydia on my 3GS iPhone, iPod touch 4G and iPad 2.

Sent from my iPad using iPF
 

graywolf

iPF Noob
Joined
Aug 22, 2010
Messages
3,648
Reaction score
35
Location
Raleigh, NC USA
iOS 5 no longer uses a SHSH system to do upgrades. So every time a new software version comes out, if you upgrade, you are stuck.
Unless the dev team can crack the new system and figure it out.

But I think you can have blobs for the initial iOS 5 software, just not the next versions. I think.
f4780y will come and correct me in just a bit.
 

f4780y

Super Moderator
Staff member
Joined
Sep 11, 2010
Messages
7,113
Reaction score
652
Location
Troon, Scotland
Almost, graywolf ;)

SHSH Blobs are still being used in iOS 5, it's just that Apple have improved their security by including a "nonce" component (Cryptographic nonce - Wikipedia, the free encyclopedia), which is the same mechanism they have been using for baseband signing for a while. It's the reason you can't downgrade the baseband on the iPhone or 3G iPads. In theory, this means you will never be able to downgrade to a previous version of 5.x once updates start to appear. Once you upgrade you can never downgrade (assuming the signing window for the previous version has been closed). This will make jailbreaking 5.x devices VERY INTERESTING, particularly the iPhone 4S and iPad 2. If you mess up your jailbreak with a bad app (or whatever), you will likely lose your jailbreak for a while because you will be forced to restore to the latest version (which should have all known jailbreak holes patched), and have to wait until a new userland exploit is found to allow it to be jailbroken. We have enjoyed years of being in control of our jailbroken devices, but this next phase will require diligence and patience on our part. If you aren't careful about what you are installing (or deleting with iFile!) you could be out in the cold for a very long time, as anyone who recently messed up their iPad 2 3G 4.3.3 jailbreak will understand...

So to get back on topic, whilst you can save your blobs for iOS 5, the nonce component renders them useless for replaying at a later date. So, there really is no point in saving them any more. It's not clear whether Saurik has stopped saving them on Cydia now, or whether he will carry on, but personally I just don't see the point. The security is unlikely ever to be cracked as it uses sufficiently strong encryption, so we would need to find another way.

Your 4.x and 3.x saved blobs can still be kept as they will continue to work, but of course the older and older they get, the less likely it is that you will want the ability to restore the old firmwares they relate to.
 
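The post above describes a signing check that, from iOS 5 on, binds each blob to a fresh per-restore nonce so that a blob saved earlier cannot be replayed, and also explains that a blob edited on the PC side fails the signature check. The following is an added Python model of that verification logic, written for this thread and not code from the forum, Cydia or Apple. Everything in it is constructed: the signing key, the ECIDs and the "signing window" set are sample values, and an HMAC stands in for the RSA signature Apple actually uses so the example runs on the standard library alone (in the real scheme only the server holds the private key and the device checks with the public key). It walks the cases discussed here: a pre-nonce device replaying a saved blob, a nonce-checking device rejecting the same replay, a fresh blob for the current nonce, a blob whose firmware field was edited, and a request for a version outside the signing window.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed stand-in for the secret key held only by Apple's signing server.
# The real scheme uses an RSA private key on the server and only the public key
# on the device; HMAC is used here so the example runs on the standard library.
SIGNING_KEY = b"constructed-demo-signing-key-not-real"

# Firmware versions the signing server is currently willing to sign
# (the "signing window" from the thread). Constructed sample state.
SIGNING_WINDOW = {"5.0"}


def _canonical(fields: dict) -> bytes:
    """Stable byte encoding of the signed fields so signer and verifier agree."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _mac(fields: dict) -> str:
    return hmac.new(SIGNING_KEY, _canonical(fields), hashlib.sha256).hexdigest()


def tss_sign(ecid: str, firmware: str, nonce: Optional[str]) -> Optional[dict]:
    """Model of the signing server: returns a blob bound to this device's ECID,
    the requested firmware and (iOS 5 style) the nonce the device presented.
    Returns None once the firmware is no longer in the signing window."""
    if firmware not in SIGNING_WINDOW:
        return None
    fields = {"ecid": ecid, "firmware": firmware}
    if nonce is not None:
        fields["nonce"] = nonce
    return {**fields, "signature": _mac(fields)}


class Device:
    """Model of the verifier on the device. With require_nonce=False it checks
    only the signature and ECID (the pre-iOS 5 behaviour, so a saved blob can
    be replayed); with require_nonce=True it also demands the nonce it
    generated for *this* restore attempt."""

    def __init__(self, ecid: str, require_nonce: bool):
        self.ecid = ecid
        self.require_nonce = require_nonce
        self.current_nonce: Optional[str] = None

    def begin_restore(self) -> Optional[str]:
        """Start a restore; a nonce-checking device mints a fresh random nonce."""
        if self.require_nonce:
            self.current_nonce = os.urandom(8).hex()
        return self.current_nonce

    def accept(self, blob: dict) -> tuple:
        """Decide whether to boot the firmware described by this blob."""
        fields = {k: v for k, v in blob.items() if k != "signature"}
        if not hmac.compare_digest(_mac(fields), blob["signature"]):
            return False, "bad signature"        # edited or forged blob
        if fields["ecid"] != self.ecid:
            return False, "ecid mismatch"        # blob belongs to another device
        if self.require_nonce and fields.get("nonce") != self.current_nonce:
            return False, "nonce mismatch"       # saved blob replayed later
        return True, "ok"


def run_scenarios() -> dict:
    """Walk through the cases discussed in the thread and return the outcomes."""
    results = {}

    # 1. Pre-nonce device: blob saved while 5.0 is signed, replayed later.
    old = Device(ecid="constructed-ecid-1", require_nonce=False)
    saved = tss_sign(old.ecid, "5.0", old.begin_restore())
    old.begin_restore()                      # later restore attempt
    results["no_nonce_replay"] = old.accept(saved)

    # 2. Nonce-checking device: blob saved during the window, replayed later.
    dev = Device(ecid="constructed-ecid-2", require_nonce=True)
    saved = tss_sign(dev.ecid, "5.0", dev.begin_restore())
    dev.begin_restore()                      # new restore => new nonce
    results["nonce_replay"] = dev.accept(saved)

    # 3. Nonce-checking device: fresh blob for the current nonce, window open.
    fresh = tss_sign(dev.ecid, "5.0", dev.begin_restore())
    results["nonce_fresh"] = dev.accept(fresh)

    # 4. Blob edited on the PC side (firmware field changed, key unknown).
    tampered = dict(fresh, firmware="4.3.3")
    results["tampered"] = dev.accept(tampered)

    # 5. Asking the server for a version outside the signing window.
    results["window_closed"] = tss_sign(dev.ecid, "4.3.3", dev.begin_restore())
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16} -> {outcome}")
```

Run it as a script to see each outcome. The design point is that the decision lives entirely in Device.accept, which holds the verification key and the nonce it just generated: nothing that happens on the PC side (saving a blob, editing it, or changing the tool that ferries it) gives it a valid signature over a nonce the device has not yet issued.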

tron

iPF Noob
Joined
Jun 17, 2011
Messages
47
Reaction score
0
f4780y said:
Yes, I dream of jailbreaking :)

Well, Leigh, as long as those dreams become reality... go ahead and dream on!

Sent from my iPad using iPF
 

graywolf

iPF Noob
Joined
Aug 22, 2010
Messages
3,648
Reaction score
35
Location
Raleigh, NC USA
So, beyond all the gawking at Leigh, :)
In theory, to downgrade to a previous version, a modification would have to be made to iTunes and you would still have to use some modified version of like iReb to trick the iPad into taking any version, like a custom FW.
But this would only apply to Limera1n devices if a bootrom hack can't be found.
 

f4780y

Super Moderator
Staff member
Joined
Sep 11, 2010
Messages
7,113
Reaction score
652
Location
Troon, Scotland
No. A custom firmware still relies on shsh blobs. There is no way round that. It's a much more complicated issue, and no iTunes or iReb mod would fix it. If it was a problem which could be solved in such a way then the issue of baseband downgrades would have been solved a long time ago...
 

graywolf

iPF Noob
Joined
Aug 22, 2010
Messages
3,648
Reaction score
35
Location
Raleigh, NC USA
So even if someone found a way to completely disable the shsh check of iTunes, you still couldn't load an earlier version?
 

f4780y

Super Moderator
Staff member
Joined
Sep 11, 2010
Messages
7,113
Reaction score
652
Location
Troon, Scotland
graywolf said:
So even if someone found a way to completely disable the shsh check of iTunes, you still couldn't load an earlier version?

iTunes is just the middle-man. The check is cooked into both the firmware and the device (at the hardware level).
 

graywolf

iPF Noob
Joined
Aug 22, 2010
Messages
3,648
Reaction score
35
Location
Raleigh, NC USA
So, could there be a modification to something like iReb that will leave the iPad unable to control what is loaded onto it?
That sounds possible...
 

f4780y

Super Moderator
Staff member
Joined
Sep 11, 2010
Messages
7,113
Reaction score
652
Location
Troon, Scotland
graywolf said:
So, could there be a modification to something like iReb that will leave the iPad unable to control what is loaded onto it?
That sounds possible...

I don't see how...
 

graywolf

iPF Noob
Joined
Aug 22, 2010
Messages
3,648
Reaction score
35
Location
Raleigh, NC USA
iReb leaves the iPad in a state where it can't tell the difference of a custom FW. So, in theory, a more powerful iReb could leave the iPad in a state of complete apathy, causing it to accept any FW version.

The hard part though, then, would be to get iTunes to activate it on versions where you don't have blobs...
 

f4780y

Super Moderator
Staff member
Joined
Sep 11, 2010
Messages
7,113
Reaction score
652
Location
Troon, Scotland
graywolf said:
iReb leaves the iPad in a state where it can't tell the difference of a custom FW. So, in theory, a more powerful iReb could leave the iPad in a state of complete apathy, causing it to accept any FW version.

The hard part though, then, would be to get iTunes to activate it on versions where you don't have blobs...

Nope. I still think you think that iTunes does a lot more than it does. It does almost nothing. It's a middle-man as I said before. If it was possible, after 4 years, we would have something that did this already. You have no idea how much motivation there is to be able to downgrade the baseband on an iPhone and we are not able to do that.

Think of the iPad like a nightclub. To get in, first you need to get through the outer door to get into the foyer. Then you need to get out of the foyer and through the main doors into the club. The outer doors are protected by a doorman. The inner doors are protected by an automated ticket scanner.

iReb is really good at distracting the doorman outside the club because he's fallible (he has a bug in his bootrom), but iReb can't do anything about the ticket scanner inside because the machine is inside the club and no matter how much iReb tries to distract it, it simply has no effect.

That's the reason SHSH Blob security can't be broken. It's really easy to load a custom firmware (fooling the doorman), but even a custom firmware needs valid SHSH Blobs (a ticket to get in). No matter how sophisticated you make iReb (or any piece of software on the PC) it CANNOT change the hardware inside which checks the ticket, and it's not like the bootrom which contains bugs, so there is no way to pwn it.

The only way we should ever get past the ticket scanner is if someone discovers Apple's private encryption key. This is pretty unlikely as it is never broadcast anywhere for us to see...

That's probably a totally over-simplified way to look at it, and there are probably more holes in that analogy than there are in iOS 5, but it gets my point across. Pwning the iBoot process is not enough to defeat the signature checking, no matter how sophisticated you make the program.

Another way to look at it is like saying you intend to defeat a server's SSL encryption by modifying your copy of Internet Explorer. Although Internet Explorer is involved in a secure server transaction, you can't just defeat it by changing it to your will... Security just doesn't work like that. If it did, we'd all be losing all our money every time we made an internet purchase...
 