SHSH blob: Difference between revisions

Add links
From Wikipedia, the free encyclopedia
Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
Cantaloupe2 (talk | contribs)
5,132 edits
notability is not inherent, a concern mkdw mentioned through 3PO and I agree with the user and I highly endorse merging into something once appropriate target is identified
Cantaloupe2 (talk | contribs)
5,132 edits
→‎Technical details: pull disreputable site called idownloadblog
Line 3: Line 3:


== Technical details ==
== Technical details ==
The term "SHSH blobs" (also called "ECID SHSH"<ref>{{cite web |url= http://www.itbusiness.ca/it/client/en/home/News.asp?id=58209&PageMem=2 |title= How to jailbreak your iPad and start multitasking immediately |last1= Stern |first1= Zack |last2= |first2= |date= July 5, 2010 |work= |publisher= ITBusiness.ca |accessdate=December 30, 2012}}</ref><ref>{{cite web |url= http://www.idownloadblog.com/2010/04/02/how-to-save-iphone-ecid-shsh/ |title= How to Save Your iPhone ECID SHSH |last1= Page |first1= Sebastien |last2= |first2= |date= April 2, 2010 |work= |publisher= iDownloadBlog |accessdate=December 30, 2012}}</ref>) "SHSH blob" is a non-Apple official term referring to [[digital signature]]s that Apple generates and uses to personalize IPSW (iOS software) files for each device; they are part of Apple's protocol designed to ensure that trusted software is installed on the device.<ref name="saurik-shsh"/>{{dubious|date=December 2012}}<ref>{{cite web |url= http://www.redmondpie.com/save-shsh-blobs-ecid-shsh-iphone-3.1.3-ipad-3.2-9140709/ |title= Save SHSH Blobs (ECID SHSH) of iPhone 3.1.3 and iPad 3.2 |last1= Asad |first1= Taimur |last2= |first2= |date= April 30, 2010 |work= |publisher= Redmond Pie |accessdate=December 30, 2012}}</ref> Apple's public name for this process is System Software Personalization.<ref>{{cite web |url= http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf |title= iOS Security |author= Apple Inc. |date= May 2012 |work= |publisher= Apple Inc. |accessdate=3 December 2012}}</ref>
The term "SHSH blobs" (also called "ECID SHSH"<ref>{{cite web |url= http://www.itbusiness.ca/it/client/en/home/News.asp?id=58209&PageMem=2 |title= How to jailbreak your iPad and start multitasking immediately |last1= Stern |first1= Zack |last2= |first2= |date= July 5, 2010 |work= |publisher= ITBusiness.ca |accessdate=December 30, 2012}}</ref>) is a non-Apple official term referring to [[digital signature]]s that Apple generates and uses to personalize IPSW (iOS software) files for each device; they are part of Apple's protocol designed to ensure that trusted software is installed on the device.<ref name="saurik-shsh"/>{{dubious|date=December 2012}}<ref>{{cite web |url= http://www.redmondpie.com/save-shsh-blobs-ecid-shsh-iphone-3.1.3-ipad-3.2-9140709/ |title= Save SHSH Blobs (ECID SHSH) of iPhone 3.1.3 and iPad 3.2 |last1= Asad |first1= Taimur |last2= |first2= |date= April 30, 2010 |work= |publisher= Redmond Pie |accessdate=December 30, 2012}}</ref> Apple's public name for this process is System Software Personalization.<ref>{{cite web |url= http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf |title= iOS Security |author= Apple Inc. |date= May 2012 |work= |publisher= Apple Inc. |accessdate=3 December 2012}}</ref>


SHSH blobs are created by a [[cryptographic hash function|hashing formula]] that has multiple keys, including the device type, the iOS version being signed, and the device's ECID (a unique identification number embedded in its hardware).<ref name="stefanesser">{{cite web |url= http://antid0te.com/CSW2012_StefanEsser_iOS5_An_Exploitation_Nightmare_FINAL.pdf |title= iOS 5: An Exploitation Nightmare? |author= Stefan Esser |date= March 2012 |work= |publisher= CanSecWest Vancouver |accessdate=3 December 2012}}{{dubious|date=January 2013}}</ref> When Apple wishes to restrict users' ability to restore their devices to a particular iOS version, Apple can refuse to generate this hash during the restore attempt, and the restore will not be successful (or at least will require bypassing the intended function of the system).<ref>{{cite web |url= http://lifehacker.com/5795242/save-your-idevices-shsh-to-avoid-losing-the-ability-to-jailbreak-your-idevice |title= Save Your iDevice’s SHSH to Avoid Losing the Ability to Jailbreak |author= Adam Dachis |date= April 25, 2011 |work= |publisher= Lifehacker |accessdate=August 2, 2011}}</ref><ref>{{cite web |url= http://www.techrepublic.com/blog/mac/apple-ios-6-woes-save-the-blobs-if-you-need-to-downgrade/2340 |title= Apple iOS 6 woes: Save the blobs if you need to downgrade |last1= Smith |first1= Gina |last2= |first2= |date= September 27, 2012 |work= Apple in the Enterprise |publisher= TechRepublic |accessdate=December 30, 2012}}</ref>
SHSH blobs are created by a [[cryptographic hash function|hashing formula]] that has multiple keys, including the device type, the iOS version being signed, and the device's ECID (a unique identification number embedded in its hardware).<ref name="stefanesser">{{cite web |url= http://antid0te.com/CSW2012_StefanEsser_iOS5_An_Exploitation_Nightmare_FINAL.pdf |title= iOS 5: An Exploitation Nightmare? |author= Stefan Esser |date= March 2012 |work= |publisher= CanSecWest Vancouver |accessdate=3 December 2012}}{{dubious|date=January 2013}}</ref> When Apple wishes to restrict users' ability to restore their devices to a particular iOS version, Apple can refuse to generate this hash during the restore attempt, and the restore will not be successful (or at least will require bypassing the intended function of the system).<ref>{{cite web |url= http://lifehacker.com/5795242/save-your-idevices-shsh-to-avoid-losing-the-ability-to-jailbreak-your-idevice |title= Save Your iDevice’s SHSH to Avoid Losing the Ability to Jailbreak |author= Adam Dachis |date= April 25, 2011 |work= |publisher= Lifehacker |accessdate=August 2, 2011}}</ref><ref>{{cite web |url= http://www.techrepublic.com/blog/mac/apple-ios-6-woes-save-the-blobs-if-you-need-to-downgrade/2340 |title= Apple iOS 6 woes: Save the blobs if you need to downgrade |last1= Smith |first1= Gina |last2= |first2= |date= September 27, 2012 |work= Apple in the Enterprise |publisher= TechRepublic |accessdate=December 30, 2012}}</ref>

Revision as of 00:08, 10 January 2013

SHSH blob is a jargon term for a small piece of data that is part of Apple's digital signature protocol for iOS restores and updates, designed to control the iOS versions that users can install on their iOS devices (iPhones, iPads, iPod touches, and Apple TVs), generally only allowing the newest iOS version to be installable. Developers interested in iOS jailbreaking have made tools for working around this signature system in order to install jailbreakable older iOS versions that are no longer being signed by Apple.[1][2]

Technical details

The term "SHSH blobs" (also called "ECID SHSH"[3]) is a non-Apple official term referring to digital signatures that Apple generates and uses to personalize IPSW (iOS software) files for each device; they are part of Apple's protocol designed to ensure that trusted software is installed on the device.[4][dubious discuss][5] Apple's public name for this process is System Software Personalization.[6]

SHSH blobs are created by a hashing formula that has multiple keys, including the device type, the iOS version being signed, and the device's ECID (a unique identification number embedded in its hardware).[7] When Apple wishes to restrict users' ability to restore their devices to a particular iOS version, Apple can refuse to generate this hash during the restore attempt, and the restore will not be successful (or at least will require bypassing the intended function of the system).[8][9]

This protocol is part of iPhone 3GS and later devices.[4][10]

Exploits and countermeasures

For iOS 3 and 4, SHSH blobs were made of static keys (such as the device type, iOS version, and ECID), which meant that the SHSH blobs for a specific iOS version and device would be the same upon every restore. To subvert that system using a man-in-the-middle attack, server requests the unique SHSH blobs from Apple for the jailbroken device and caches those SHSH blobs on servers, so that if a user changes the hosts file on a computer to redirect the SHSH blobs check to cache instead of Apple's servers, iTunes would be tricked into checking those cached SHSH blobs and allowing the device to be restored to that version.[4][11]

iOS 5 and later versions of iOS implement an addition to this system, a random number (a cryptographic nonce) in the "APTicket",[12] making that simple replay attack no longer effective.[13][14] Versions of redsn0w after 0.9.9b9 include a way to bypass the nonce requirement, allowing the SHSH blobs and APTicket to both be replayed by "stitching" them into custom firmware.[15]

First released in 2009 (as TinyTSS and Umbrella),[16][17][dubious discuss] TinyUmbrella is a tool for finding out information about SHSH blobs saved on third party servers, saving SHSH blobs locally,[18] and running a local server to replay SHSH blobs to trick iTunes into restoring older devices to iOS 3 and 4.[10][19] In June 2011, iH8sn0w released iFaith, a tool that can grab partial SHSH blobs from a device for its currently-installed iOS version (limited to iPhone 4 and older devices).[20][21] In late 2011, the iPhone Dev Team added comprehensive SHSH blob management features to redsn0w, including the ability to save SHSH blobs with APTickets and stitch them into custom firmware in order to restore a device to iOS 5 or later.[22]

Replaying SHSH blobs for newer devices (iPad 2 and later) is not always possible, because there are no boot ROM (hardware level) exploits available for these devices. As of October 2012, redsn0w includes features for restoring newer devices between different versions of iOS 5,[23] but it cannot downgrade newer devices from iOS 6 to iOS 5.[24][25]

See also

References

  1. ^ Nat Futterman (May 25, 2010). "Jailbreaking the iPad: What You Need to Know". Geek Tech. PCWorld. Retrieved August 2, 2011.
  2. ^ Kumparak, Greg (June 27, 2011). "Apple Steps Up Their Game with iOS 5, Makes Jailbreaking More Difficult". TechCrunch. Retrieved December 30, 2012.
  3. ^ Stern, Zack (July 5, 2010). "How to jailbreak your iPad and start multitasking immediately". ITBusiness.ca. Retrieved December 30, 2012.
  4. ^ a b c Jay Freeman (saurik) (September 2009). "Caching Apple's Signature Server". Saurik.com. Retrieved December 3, 2012.
  5. ^ Asad, Taimur (April 30, 2010). "Save SHSH Blobs (ECID SHSH) of iPhone 3.1.3 and iPad 3.2". Redmond Pie. Retrieved December 30, 2012.
  6. ^ Apple Inc. (May 2012). "iOS Security" (PDF). Apple Inc. Retrieved 3 December 2012.
  7. ^ Stefan Esser (March 2012). "iOS 5: An Exploitation Nightmare?" (PDF). CanSecWest Vancouver. Retrieved 3 December 2012.[dubious discuss]
  8. ^ Adam Dachis (April 25, 2011). "Save Your iDevice's SHSH to Avoid Losing the Ability to Jailbreak". Lifehacker. Retrieved August 2, 2011.
  9. ^ Smith, Gina (September 27, 2012). "Apple iOS 6 woes: Save the blobs if you need to downgrade". Apple in the Enterprise. TechRepublic. Retrieved December 30, 2012.
  10. ^ a b Sayam Aggarwal (July 26, 2010). "Before Jailbreaking, Extract Your iPhone's SHSH Blobs with Umbrella". Cult of Mac. Retrieved 3 December 2012.
  11. ^ Hoog, Andrew; Strzempka, Katie (2011). iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices. Elsevier. pp. 47–50. ISBN 9781597496599. Retrieved December 3, 2012.
  12. ^ Cheng, Jacqui (June 27, 2011). "iOS 5 beta hobbles OS downgrades, untethered jailbreaks". Infinite Loop. Ars Technica. Retrieved December 30, 2012.
  13. ^ Oliver Haslam (June 27, 2011). "iOS 5 Will Halt SHSH Firmware Downgrades On iPhone, iPad, iPod touch". Redmond Pie. Retrieved November 12, 2011.
  14. ^ Levin, Jonathan (2012). Mac OS X and iOS Internals: To the Apple's Core. John Wiley & Sons. p. 214. ISBN 9781118222256. Retrieved December 29, 2012.
  15. ^ iPhone Dev Team (August 2011). "redsn0w iOS5beta". iPhone Dev Blog. Retrieved January 4, 2012.
  16. ^ notcom (September 19, 2009). "TinyTSS -- All your iphone restores are belong to you". The Firmware Umbrella. Retrieved 3 December 2012.[self-published source?]
  17. ^ notcom (May 20, 2010). "TinyUmbrella - Unified TinyTSS and The Firmware Umbrella in ONE!". The Firmware Umbrella. Retrieved 1 January 2013.
  18. ^ Brownlee, John (November 15, 2011). "TinyUmbrella Updated To Support Backing Up iPhone 4S And iOS 5.0.1 SHSH Blobs". Cult of Mac. Retrieved December 30, 2012.
  19. ^ Landau, Ted (April 22, 2011). "TinyUmbrella and ITunes 1013 Error Strike Again". MacWorld. PCWorld. Retrieved December 30, 2012.
  20. ^ Goncalo Ribeiro (June 3, 2011). "How To Save SHSH Blobs Of Any Old Firmware Running On Your iPhone, iPad, iPod touch Using iFaith". Redmond Pie. Retrieved 3 December 2012.
  21. ^ Morris, Paul (December 24, 2011). "Cydia Is Now Saving SHSH Blobs For iOS 5.0.1 Firmware". Redmond Pie. Retrieved December 30, 2012.
  22. ^ Jeff Benjamin (September 27, 2011). "How to Stitch Your SHSH Blobs Using RedSn0w to Create Firmware That Can Always Be Downgraded". iDownloadBlog. Retrieved 3 December 2012.
  23. ^ iPhone Dev Team (October 2012). "Restoration reinvigoration". Dev Team Blog. Retrieved 3 December 2012.
  24. ^ iPhone Dev Team (September 2012). "Blob-o-riffic". Dev Team Blog. Retrieved 3 December 2012.
  25. ^ Morris, Paul (October 14, 2012). "How To Re-Restore iPhone 4S, iPad 3, iPad 2, iPod touch From iOS 5.x To iOS 5.x Using Redsn0w". Redmond Pie. Retrieved December 30, 2012.
Retrieved from "https://en.wikipedia.org/w/index.php?title=SHSH_blob&oldid=532275741"