194:
First released in 2009, TinyUmbrella is a tool for finding information about SHSH blobs saved on third party servers, saving SHSH blobs locally, and running a local server to replay SHSH blobs to trick iTunes into restoring older devices to iOS 3 and 4. In June 2011, iH8sn0w released iFaith, a tool
107:
When iTunes restores or updates an iOS firmware, Apple has added many checkpoints before the iOS version is installed and on-device consolidation begins. At the first "Verifying iPhone software" iTunes communicates with "gs.apple.com" to verify that the IPSW file provided is still being signed. The
136:
or newer also requires getting a matching nonce for a generator from a device to save valid blobs that can be used later in a restore. Even with SHSH blobs saved correctly, it is still sometimes not possible to jump to certain iOS versions due to incompatibility of the SEP (Secure
Enclave) between
95:
that has multiple keys, including the device type, the iOS version being signed, and the device's ECID. When Apple wishes to restrict users' ability to restore their devices to a particular iOS version, Apple can refuse to generate this hash during the restore attempt, and the restore will not be
111:
iTunes will communicate with iBoot throughout the process of an update or restore ensuring the firmware has not been modified to a Custom
Firmware ("CFW"). iTunes will not update or restore a device when it suspects the file has been modified.
167:
For iOS 3 and 4, SHSH blobs were made of static keys (such as the device type, iOS version, and ECID), which meant that the SHSH blobs for a specific iOS version and device would be the same upon every restore. To subvert that system using a
132:, by saving blobs while an iOS firmware is still signed and later using them when installing the firmware. Newer iOS versions require more elements, such as a valid nonce, when saving SHSH blobs. Saving blobs for devices using the
210:(hardware level) exploits available for these devices. As of October 2012, redsn0w includes features for restoring newer devices between different versions of iOS 5, but it cannot downgrade newer devices from iOS 6 to iOS 5.
115:
This is a chain process, before installing the firmware, the installed iBoot has to verify the to-be-installed iBoot, and so on. You cannot install unsigned iOS versions, unless 1) you possess SHSH2 blobs and have set
108:
TATSU server will give back a list of versions being signed. If the version is not being signed, then iBEC and iBoot will decline the image, giving an error of "error 3194" or "declined to authorize the image"
46:
generates and uses to control the iOS versions that users can install on their iOS devices generally only allowing the newest iOS version to be installable. Apple's public name for this process is
195:
that can grab partial SHSH blobs from a device for its currently-installed iOS version (limited to iPhone 4 and older devices). In late 2011, the iPhone Dev Team added features to
691:
295:
806:
83:
have made tools for working around this signature system in order to install jailbreakable older iOS versions that are no longer being signed by Apple.
172:, server requests the unique SHSH blobs from Apple for the jailbroken device and caches those SHSH blobs on servers, so that if a user changes the
618:
199:
that include the ability to save SHSH blobs with APTickets and stitch them into custom firmware in order to restore a device to iOS 5 or later.
375:
239:
488:
326:
641:
398:
548:
464:
75:
This process is controlled by the TATSU ("TSS") Signing Server (gs.apple.com) where updates and restores can only be completed by
515:
843:
572:
595:
303:
833:
737:
92:
714:
349:
838:
219:
180:
would be tricked into checking those cached SHSH blobs and allowing the device to be restored to that version.
169:
272:
456:
iPhone and iOS Forensics: Investigation, Analysis and Mobile
Security for Apple iPhone, iPad and iOS Devices
760:
159:
can be used, which allows specification of iOS firmware files and SHSH blobs to be used in the restore.
246:
184:
128:
The requirement of SHSH Blobs in order to install to unsigned iOS versions can be bypassed using a
117:
63:
692:"How To Save SHSH Blobs Of Any Old Firmware Running On Your iPhone, iPad, iPod touch Using iFaith"
807:"How To Re-Restore iPhone 4S, iPad 3, iPad 2, iPod touch From iOS 5.x To iOS 5.x Using Redsn0w"
738:"How to Stitch Your SHSH Blobs Using RedSn0w to Create Firmware That Can Always Be Downgraded"
544:
538:
460:
59:
39:
783:
80:
183:
iOS 5 and later versions of iOS implement an addition to this system, a random number (a
72:, refers to the device's ECID, a unique identification number embedded in its hardware)
827:
664:
188:
129:
96:
successful (or at least will require bypassing the intended function of the system).
176:
on a computer to redirect the SHSH blobs check to cache instead of Apple's servers,
156:
406:
173:
454:
152:
17:
619:"TinyUmbrella Updated To Support Backing Up iPhone 4S And iOS 5.0.1 SHSH Blobs"
43:
151:
To use SHSH blobs to install an unsigned iOS version on a device, tools like
203:
133:
31:
141:
327:"Apple Steps Up Their Game with iOS 5, Makes Jailbreaking More Difficult"
207:
145:
140:
Tools to save SHSH blobs for newer iOS versions include the application
27:
Unofficial term referring to digital signatures Apple generates and uses
196:
516:"iOS 5 Will Halt SHSH Firmware Downgrades On iPhone, iPad, iPod touch"
642:"Before Jailbreaking, Extract Your iPhone's SHSH Blobs with Umbrella"
177:
76:
58:). The term “SHSH blob” is unofficial and based on abbreviations for
376:"Save Your iDevice's SHSH to Avoid Losing the Ability to Jailbreak"
596:"TinyUmbrella - Unified TinyTSS and The Firmware Umbrella in ONE!"
51:
79:
if the version of iOS is being signed. Developers interested in
273:"How to jailbreak your iPad and start multitasking immediately"
431:
399:"Apple iOS 6 woes: Save the blobs if you need to downgrade"
120:(requiring exploits) or 2) you exploit the chain process.
489:"iOS 5 beta hobbles OS downgrades, untethered jailbreaks"
206:
and later) is not always possible, because there are no
715:"Cydia Is Now Saving SHSH Blobs For iOS 5.0.1 Firmware"
573:"TinyTSS -- All your iphone restores are belong to you"
99:
This protocol is part of iPhone 3GS and later devices.
665:"TinyUmbrella and ITunes 1013 Error Strike Again"
540:Mac OS X and iOS Internals: To the Apple's Core
296:"Jailbreaking the iPad: What You Need to Know"
425:
423:
8:
202:Replaying SHSH blobs for newer devices (
187:) in the "APTicket", making that simple
453:Hoog, Andrew; Strzempka, Katie (2011).
430:Jay Freeman (saurik) (September 2009).
230:
543:. John Wiley & Sons. p. 214.
7:
736:Jeff Benjamin (September 27, 2011).
617:Brownlee, John (November 15, 2011).
350:"iOS 5: An Exploitation Nightmare?"
782:iPhone Dev Team (September 2012).
713:Morris, Paul (December 24, 2011).
432:"Caching Apple's Signature Server"
397:Smith, Gina (September 27, 2012).
25:
805:Morris, Paul (October 14, 2012).
155:(based on idevicerestore) or its
759:iPhone Dev Team (October 2012).
690:Goncalo Ribeiro (June 3, 2011).
640:Sayam Aggarwal (July 26, 2010).
325:Kumparak, Greg (June 27, 2011).
514:Oliver Haslam (June 27, 2011).
487:Cheng, Jacqui (June 27, 2011).
56:System Software Personalization
663:Landau, Ted (April 22, 2011).
374:Adam Dachis (April 25, 2011).
294:Nat Futterman (May 25, 2010).
1:
571:notcom (September 19, 2009).
48:System Software Authorization
761:"Restoration reinvigoration"
459:. Elsevier. pp. 47–50.
271:Stern, Zack (July 5, 2010).
124:Exploits and countermeasures
91:SHSH blobs are created by a
348:Stefan Esser (March 2012).
245:. Apple Inc. Archived from
860:
144:and the command line tool
302:. PCWorld. Archived from
220:Digital rights management
537:Levin, Jonathan (2012).
170:man-in-the-middle attack
598:. The Firmware Umbrella
594:notcom (May 20, 2010).
575:. The Firmware Umbrella
403:Apple in the Enterprise
238:Apple Inc. (May 2012).
163:Previous bypass methods
66:. An alternative term,
355:. CanSecWest Vancouver
844:Hardware restrictions
191:no longer effective.
306:on September 5, 2012
103:TATSU Signing Server
834:Apple Inc. software
185:cryptographic nonce
64:binary large object
252:on 21 October 2012
87:Technical details
40:digital signature
18:Exclusive Chip ID
16:(Redirected from
851:
839:IOS jailbreaking
819:
818:
816:
814:
802:
796:
795:
793:
791:
779:
773:
772:
770:
768:
756:
750:
749:
747:
745:
733:
727:
726:
724:
722:
710:
704:
703:
701:
699:
687:
681:
680:
678:
676:
660:
654:
653:
651:
649:
637:
631:
630:
628:
626:
614:
608:
607:
605:
603:
591:
585:
584:
582:
580:
568:
562:
561:
559:
557:
534:
528:
527:
525:
523:
511:
505:
504:
502:
500:
484:
478:
477:
475:
473:
450:
444:
443:
441:
439:
427:
418:
417:
415:
413:
394:
388:
387:
385:
383:
371:
365:
364:
362:
360:
354:
345:
339:
338:
336:
334:
322:
316:
315:
313:
311:
291:
285:
284:
282:
280:
268:
262:
261:
259:
257:
251:
244:
235:
81:iOS jailbreaking
21:
859:
858:
854:
853:
852:
850:
849:
848:
824:
823:
822:
812:
810:
804:
803:
799:
789:
787:
786:. Dev Team Blog
784:"Blob-o-riffic"
781:
780:
776:
766:
764:
763:. Dev Team Blog
758:
757:
753:
743:
741:
740:. iDownloadBlog
735:
734:
730:
720:
718:
712:
711:
707:
697:
695:
689:
688:
684:
674:
672:
662:
661:
657:
647:
645:
639:
638:
634:
624:
622:
616:
615:
611:
601:
599:
593:
592:
588:
578:
576:
570:
569:
565:
555:
553:
551:
536:
535:
531:
521:
519:
513:
512:
508:
498:
496:
486:
485:
481:
471:
469:
467:
452:
451:
447:
437:
435:
429:
428:
421:
411:
409:
396:
395:
391:
381:
379:
373:
372:
368:
358:
356:
352:
347:
346:
342:
332:
330:
324:
323:
319:
309:
307:
293:
292:
288:
278:
276:
275:. ITBusiness.ca
270:
269:
265:
255:
253:
249:
242:
237:
236:
232:
228:
216:
165:
126:
105:
93:hashing formula
89:
28:
23:
22:
15:
12:
11:
5:
857:
855:
847:
846:
841:
836:
826:
825:
821:
820:
797:
774:
751:
728:
705:
682:
655:
632:
609:
586:
563:
549:
529:
506:
495:. Ars Technica
479:
465:
445:
419:
389:
366:
340:
317:
286:
263:
240:"iOS Security"
229:
227:
224:
223:
222:
215:
212:
164:
161:
125:
122:
104:
101:
88:
85:
26:
24:
14:
13:
10:
9:
6:
4:
3:
2:
856:
845:
842:
840:
837:
835:
832:
831:
829:
809:. Redmond Pie
808:
801:
798:
785:
778:
775:
762:
755:
752:
739:
732:
729:
717:. Redmond Pie
716:
709:
706:
694:. Redmond Pie
693:
686:
683:
670:
666:
659:
656:
644:. Cult of Mac
643:
636:
633:
621:. Cult of Mac
620:
613:
610:
597:
590:
587:
574:
567:
564:
552:
550:9781118222256
546:
542:
541:
533:
530:
518:. Redmond Pie
517:
510:
507:
494:
493:Infinite Loop
490:
483:
480:
468:
466:9781597496599
462:
458:
457:
449:
446:
433:
426:
424:
420:
408:
404:
400:
393:
390:
377:
370:
367:
351:
344:
341:
328:
321:
318:
305:
301:
297:
290:
287:
274:
267:
264:
248:
241:
234:
231:
225:
221:
218:
217:
213:
211:
209:
205:
200:
198:
192:
190:
189:replay attack
186:
181:
179:
175:
171:
162:
160:
158:
154:
153:futurerestore
149:
147:
143:
138:
135:
131:
130:replay attack
123:
121:
119:
113:
109:
102:
100:
97:
94:
86:
84:
82:
78:
73:
71:
70:
65:
61:
57:
53:
49:
45:
41:
37:
33:
19:
813:December 30,
811:. Retrieved
800:
788:. Retrieved
777:
765:. Retrieved
754:
742:. Retrieved
731:
721:December 30,
719:. Retrieved
708:
696:. Retrieved
685:
675:December 30,
673:. Retrieved
668:
658:
646:. Retrieved
635:
625:December 30,
623:. Retrieved
612:
600:. Retrieved
589:
577:. Retrieved
566:
556:December 29,
554:. Retrieved
539:
532:
522:November 12,
520:. Retrieved
509:
499:December 30,
497:. Retrieved
492:
482:
470:. Retrieved
455:
448:
436:. Retrieved
434:. Saurik.com
412:December 30,
410:. Retrieved
407:TechRepublic
402:
392:
380:. Retrieved
378:. Lifehacker
369:
357:. Retrieved
343:
333:December 30,
331:. Retrieved
329:. TechCrunch
320:
308:. Retrieved
304:the original
299:
289:
279:December 30,
277:. Retrieved
266:
254:. Retrieved
247:the original
233:
201:
193:
182:
166:
150:
139:
127:
114:
110:
106:
98:
90:
74:
68:
67:
55:
47:
35:
29:
472:December 3,
438:December 3,
60:signed hash
828:Categories
790:3 December
767:3 December
744:3 December
698:3 December
648:3 December
579:3 December
359:3 December
256:3 December
226:References
174:hosts file
146:tsschecker
137:versions.
671:. PCWorld
602:1 January
382:August 2,
310:August 2,
300:Geek Tech
204:Apple A12
142:blobsaver
69:ECID SHSH
36:SHSH blob
32:computing
669:MacWorld
214:See also
208:boot ROM
50:(before
197:redsn0w
134:A12 SoC
547:
463:
178:iTunes
118:nonces
77:iTunes
353:(PDF)
250:(PDF)
243:(PDF)
52:iOS 7
44:Apple
42:that
38:is a
815:2012
792:2012
769:2012
746:2012
723:2012
700:2012
677:2012
650:2012
627:2012
604:2013
581:2012
558:2012
545:ISBN
524:2011
501:2012
474:2012
461:ISBN
440:2012
414:2012
384:2011
361:2012
335:2012
312:2011
281:2012
258:2012
157:GUIs
62:and
34:, a
30:In
830::
667:.
491:.
422:^
405:.
401:.
298:.
148:.
54:,
817:.
794:.
771:.
748:.
725:.
702:.
679:.
652:.
629:.
606:.
583:.
560:.
526:.
503:.
476:.
442:.
416:.
386:.
363:.
337:.
314:.
283:.
260:.
20:)
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.