SHSH blob: Difference between revisions

i win

'''SHSH blobs''' is a Hash signature system ('''S'''ignature '''H'''a'''SH''' blobs) made by [[Apple inc.]] to prevent software downgrades on [[iPhone|iPhones]], [[iPad|iPads]] and [[iPod touch|iPod touches]] meant for [[iOS jailbreaking|Jailbreaking]]. An SHSH is created by an SHSH formula ([[CLI]] Application) with 3 or 4 TSS keys- The device (e.g. iPhone 4 CDMA), the firmware signed (e.g. 4.2.8) and the device's [[ECID]]- a unique chip ID given with every device. The SHSH is given as [[Property list|Plist]] in a SHSH format, built with blobs, each blob is intended for a different part of the software (like [[Kernel (computing)|kernel]] and Apple logo). They are ted to manage which firmware is restorable and which isn't, and when a firmware is not signed any more it is not restorable, that way users can't downgrade and jailbreak.

== Pre-SHSH signing and the LLB ==

From the beginning, [[iOS]] devices with a [[baseband]] were always signed with a random number, (With addition of baseband TSS key) from iOS 1.0 on. When [[iOS jailbreaking|Jailbreak]] started to be developed, Apple has changed the [[LLB]] (Low Level Bootloader) to check the signatures on the kernel. As a combat, jailbreakers used both user-land, iBoot and [[Boot-ROM]] exploits to patch the [[LLB]] to cancel the signature checks. All devices released after [[iPhone 3G]] check if a patched LLB is submitted and will enter hardware [[DFU]], a DFU mode that a device can't quit unless it is restored. only an untethered Boot-ROM exploit can allow a patched LLB submission. But Without SHSH, users can downgrade and jailbreak older versions, or even jailbreak with software upgrade from an old [[firmware]] to a newer one if an exploit is found in restore mode. On devices with an ECID, the LLB executes the boot-ROM checks for SHSH blobs.

== ECID==

The ECID (Unique device ID) is a unique 13-numeral number attached to the hardware of every device, and is not in use for devices that don't require SHSH blobs. Each device has its own ECID and it is not changeable. The ECID is the third TSS key when the SHSH is created and SHSH files for different ECID from the restored device will not be accepted by the device. From iOS 4.0 on, also devices which do not have they're ECID coded for SHSH blobs, that support iOS 4 and on, get SHSH blobs, But are never required for a restore.

==Combat==

Between iOS 3.0-4.3.5, SHSHs for the main firmwares were made of 3 TSS keys- Device, Firmware version and ECID which means the SHSH file for a certain firmware and device would be the same with every restore.As a combat from the jailbreak side, [[Cydia]] would save SHSH files on it servers, cached from Apple, so when the Hosts files on the computers are set on Cydia's servers, [[iTunes]] would take the cached SHSH and restore it. Another method was to save the SHSH locally on the computer. At the beginning [[George Hotz]] saved just the iBSS/iBEC specific SHSH, then [[The Firmware Umbrella]] was released to save the SHSH in a better way and TInyTSS to send the SHSH to the iTunes restore, finally [[TinyUmbrella]] to do both and to fix iTunes errors or manage recovery mode, then iFaith to take the Signed SHSH blobs from device and finally an update to [[Redsn0w]] to verify SHSH, query blobs from Cydia, Fetch SHSH blobs from the device, Submit blobs to [[Cydia]] and stitch SHSH blobs to a firmware. Because of this Behavior from the side of hackers, Apple has randomized the SHSH for each restore to be different. this is referred to as a '''Ticket'''. This random number is saved on Apple's servers, so if [[iTunes]] checks if the blobs are okay with Apple, it will know that the blobs have been requested before, and the restore wouldn't work. As of October 27, 2011, The static SHSH blobs which are given are for 4.1 for iPhone 3G,iPhone 3GS,iPod touch 2G and iPod touch 3G and 4.2.1 for iPhone 3G and iPod touch 2G. The random SHSH blobs which are given currently are for 5.0 for [[iPhone 3GS]], [[iPhone 4]], [[iPhone 4S]], [[iPad (original)|iPad]], [[iPad 2]], [[iPod touch]] from 3rd generation and higher.

==Structure==

SHSH blobs are built from 19 blobs, each one for another place on the firmware (like AppleLogo,RestoreRamdisk, Device tree etc.). The blobs are encrypted and are organized in a [[PLIST]] under the key "blob".

[[Category:Apple Inc. software]]