09-14-2009, 09:57 PM #1
Questions and concerns (for the JB community)
First, lest this sound like a whiny complaint-fest on my part, I would like to start off by publicly thanking everybody who has worked so hard these past couple years to ensure the freedom of iPhone users everywhere. That includes the iPhone Dev Team and all its members and associates (especially MuscleNerd and Saurik who have both taken time to respond to me personally in other contexts in times past), Chronic Dev, Geohot, and so on. You all rock.
Also, Saurik, your blog post on your SHSH database and iTunes restore proxy service was incredibly well-written and informative. Thank you for taking the time to not only explain the issues, but also to do something active about it for the community.
That said, I still have questions. :-)
Although, before that, I first thought of a potential problem with the SHSH proxy server solution that I thought I would raise, although I don't think it is a problem without a solution itself. It occurred to me that Apple, when processing warranty claims, could run the ECID of a phone being returned to them through this publicly-accessible database, and see if there is an ECID SHSH bundle on file with it for versions of the OS other than the most current public release. It's easy to test: try to restore to an earlier version using Saurik's server (or even write an application that simulates a restore to an earlier version for a given ECID, asking Saurik's server for the bundles of a few known-vulnerable-to-jailbreaking past OS releases for that ECID). If they get a hit, they could just as easily deny warranty service to that phone as they could to a phone that arrived still-jailbroken. It would almost be as good as if they got a confession out of you. So I wonder if maybe future versions of the SHSH proxy could have a mechanism introduced to them which would allow you to tell the proxy server to answer requests for your ECID in the negative until you authenticate yourself to it through some other mechanism (a web site where you used a registered username and password?), which would then give you a small (30-minute, say?) window of time to conduct a restore from the same IP address that you authenticated yourself from.
Just a thought!
Anyway, so I am not numbered among those who managed to "accidentally" upgrade their 3GS from 3.0.1 to 3.1, and am not in a state of panic as a result. My phone still works, is still running unlockable baseband firmware, is still happily jailbroken, and I have no desire to upgrade to 3.1 and no pressing need to perform a firmware restore on my phone to solve one software issue or another.
In the interest of being able to preserve this happy state, lest -- Jupiter forbid -- an accident should occur, either by my own stupidity or some unforeseen event outside of my control, I also diligently read about and took all of the precautionary, defensive steps that all of the players involved in the iPhone hacking scene publicly recommended that we as users do, with the reassurance given to us at the time that such actions would be sufficient to protect our freedoms with respect to our phones. This includes, first, grabbing my ra1nyday file from Geohot, and second, grabbing copies of my personally-signed-by-Apple iBSS and iBEC files.
Imagine my surprise, frustration, and confusion when I discovered through Saurik's recent Tweets as well as the aforementioned blog post that this turns out not to be the case. That despite what we were told, somehow having an Apple-signed copy of your own vulnerable iBSS is apparently not enough. That instead, it is complete, signed SHSH "blobs" (whatever they are, and previously unmentioned by anybody else anywhere, as far as I can tell) that are actually the key. That there was only a short weekend of opportunity to grab that key for yourself; that those who didn't happen to think to check Cydia over the weekend preceding Apple's "It's Only Rock and Roll" event are apparently now completely screwed if they ever happen to need or want to conduct a 3.0 restore on their phone. That it sounds like none of the precautions we were assured would be sufficient turned out to be so.
I totally missed Saurik's announcement about the new Cydia version's ability to collect your ECID and then run out and grab 3.0 SHSH's for your phone on your behalf from Apple when it was announced last weekend, otherwise you bet I would have said "okay!" Alas, that small window of time was only open for 3-4 short days, and is now gone.
I'm not blaming anyone. I just want to understand the state of things right now, and what our options are, either now or down the road. Information is seemingly sparse, and the few people who have the knowledge are so busy and swamped that it's hard to get these questions answered (and, trust me, I know what that feels like, and I don't want to burden them further). Saurik's blog post, as well-written as it is, still leaves a few questions unanswered, and perhaps it is this uncertain state of "not knowing" that gnaws at me.
First and foremost, what is an "SHSH blob"? It has yet to be explained what function it serves and why it is needed. I understand what the iBSS is ("iBoot Lite" for DFU, essentially) and how it comes into play for jailbreaking on the 3GS (iBSS has the vulnerability, DFU itself doesn't, or something like that), but neither Saurik's writings nor letmegooglethatforyou.com can shine any light on "SHSH." It's not like I've been slacking off here.
And is there absolutely no way to have your personal SHSH bundle generated based on the signatures that we who were diligent to do so were able to collect? This SHSH collection can truly only come from Apple (who, of course, is not signing for 3.0.x anymore)?
How is it that we all only know about it now? Is there any way that I could have collected my own SHSH bundle when the opportunity was still ripe?
Saurik mentions only collecting 3.0.1 signatures for a very small subset of the 50K ECIDs total that he managed to collect signatures for. In my experience, however, collecting my own iBSS, I found that my signed-by-Apple 3.0 iBSS file was bit-for-bit identical to my 3.0.1 iBSS file, suggesting there was no difference between the signature for 3.0 and that for 3.0.1. So I am confused on this point: is it only the case that the iBSS is the only signature in common between 3.0 and 3.0.1, and that the other components in the complete SHSH "blob" are not the same between 3.0 and 3.0.1? (I guess that would make sense if iBSS code itself did not change between 3.0 and 3.0.1, which it probably didn't, and all components within the "blob," of which iBSS is but a subset, are being signed with something that is based off of your ECID, so that particular file could remain the same while the rest of it might differ.)
Okay, so while writing that last paragraph a light-bulb went on that probably answers some of the questions. If the SHSH collection is a collection of different files needed during the restore process, and iBSS is just one of those files included in the collection, then, yeah, you wouldn't be able to generate signed versions of the other files just with the signed iBSS file. And so Apple would be the only entity who could in fact generate the SHSH bundle. I'm still confused why nobody spoke of this earlier!
For those of us, such as myself, who like 3.0 and are planning on passing on 3.1 entirely even if someone manages to find a way to jailbreak it on the 3GS, are we out of luck if we ever need to do a firmware restore because we missed the opportunity to grab all of the files that Apple's server signed instead of just the iBSS? What options exist if I need to restore my phone?
Thanks for taking the time to read my insane ramblings. I know that I'm really a nobody when it comes down to it, and that there is no reason why my questions should be taken any more seriously than anybody else's, or that they are of a higher priority than anyone else's. I truly have no sense of entitlement to these answers, and I hope that the way in which I have phrased them did not come across otherwise.
But as Saurik himself said in the introduction to his blog post, "I find it much less powerful to say 'do this' than 'do this, here is how it works, and this is why', because the former just causes more confusion and more problems down the road." I totally agree with this, and it is in this same spirit that I present these questions, in the hope that their answers will illuminate the situation we find ourselves in and reduce the chances for confusion and future problems down the road.
Last edited by NathanA; 09-14-2009 at 10:15 PM.
09-14-2009, 10:16 PM #2
purplera1n.com stores an ECID and an SHSH for iBSS (the CERT is always the same, so you don't need to store it).
Capturing the iBSS from the personalized firmware happens to give you all three sections for that file, as they are what personalized it.
Cydia's "on file" stores blobs for /all/ files in the firmware, including the iBSS. This includes the ramdisk and other filesystems.
09-15-2009, 04:12 AM #3
Saurik, you are truly a gentleman. Thank you very much for taking the time to respond.
[QUOTE=saurik]Technically all you need is the iBSS. However, someone needs to write a tool that uses this as input. Currently there is no motivation to, as it is my understanding that 3.1 has an exploit in it, so people are concentrating right now on a more normal jailbreak tool. [...] The question is going to be whether or not PwnageTool allows you to do a downgrade from a jailbroken 3.1 to a jailbroken 3.0. (Pwnagetool generates custom firmwares that can be installed on any jailbroken version of the firmware, and will be able to help people upgrade from a jailbroken 3.0 to 3.1, and in the future probably 3.1 to anything else.)[/QUOTE]
[QUOTE=saurik]The "blob" contains the ECID, SHSH, and CERT. The iBSS is one of the firmware files that contains critical startup code. It is in the form of an IMG3 file. The IMG3 file is modified using the blob from Apple's server to include the ECID, SHSH, and CERT sections and is then considered "personalized". [...snip...] Cydia's "on file" stores blobs for /all/ files in the firmware, including the iBSS. This includes the ramdisk and other filesystems.[/QUOTE]
...okay, now I see on iphonewiki that an ECID tag has been added to IMG3 and that SHSH is also actually an IMG3 tag. I think this helps me understand a little better, but I'm still confused because...
[QUOTE=saurik]...due to the wonders of encryption technology, you either need a super computer or a thief in order to generate these files...[/QUOTE]
What could have copied the /entire/ personalized firmware directories (getting all of the files in them), not just the iBSS and iBEC files.
[QUOTE=saurik]While the window on 3.0 is closed, it doesn't really matter: 3.1 is the last great stand.[/QUOTE]
This situation really pisses me off, but as always you guys sound like you are trying to make the best of it. And usually, you manage to succeed. Thanks again for all your hard work.
Last edited by NathanA; 09-15-2009 at 04:16 AM.
09-15-2009, 11:21 AM #4
[QUOTE=NathanA;4951619]...it is unclear to me whether the SHSH tag is static across all personalized IMG3s that Apple generates for you (since you say the master "blob" contains the SHSH...) and the issue is encrypting the IMG3 contents to match, or whether the issue is computing and then encrypting/signing the SHSH correctly for each IMG3.[/QUOTE]
There is no "master blob": there is one "blob" per img3 file.
[QUOTE=NathanA;4951619]Not sure if you are asking a question here, or making a statement...I'm assuming that if you can write something that is able to do so on your server, then someone could have also written something that would allow someone to capture the necessary files on their own computer. But then again, I'm ***-uming, so... :)[/QUOTE]
That is correct. This is the first notice you have gotten from me about what is useful. Previous notices came from other people with other agendas (and other abilities: I, for example, would have to learn quite a bit to write a tool that uses those purplera1ny files or just an iBSS, so I had to find something simpler).
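As an added example (not code from this thread, from Cydia or from Apple), a minimal IMG3 tag walker written from the publicly documented IMG3 layout. It shows concretely what "personalized" means in the posts above and why there is one blob per IMG3 file: the ECID, SHSH and CERT tags that the signing server's blob adds are appended to the image, and a file without them is not signed for any device. The sample images and their tag values are constructed placeholders, not real signatures or certificates.

```python
import struct

# IMG3 header: magic, fullSize, sizeNoPack, sigCheckArea, ident; tag: magic, totalLength,
# dataLength. Four-char magics are little-endian uint32s, so they are byte-reversed on disk.
HEADER = struct.Struct("<4sIII4s")
TAG_HDR = struct.Struct("<4sII")
PERSONALIZATION_TAGS = {"ECID", "SHSH", "CERT"}  # what the per-file signing blob adds

def build_img3(ident, tags):
    """Assemble an IMG3 from (name, data) pairs (used here to construct sample input).
    sigCheckArea spans the tags before SHSH: the region the signature covers, ECID included."""
    body, sig_area, signed_region = b"", 0, True
    for name, data in tags:
        pad = (-len(data)) % 4
        total = TAG_HDR.size + len(data) + pad
        if name == "SHSH":
            signed_region = False
        if signed_region:
            sig_area += total
        body += TAG_HDR.pack(name.encode()[::-1], total, len(data)) + data + b"\0" * pad
    full = HEADER.size + len(body)
    return HEADER.pack(b"3gmI", full, full - HEADER.size, sig_area, ident.encode()[::-1]) + body

def parse_img3(blob):
    """Return (ident, {tag name: data}); raise ValueError on a malformed image."""
    magic, full, _, _, ident = HEADER.unpack_from(blob, 0)
    if magic != b"3gmI" or full != len(blob):
        raise ValueError("not a complete IMG3 image")
    tags, off = {}, HEADER.size
    while off < full:
        name, total, dlen = TAG_HDR.unpack_from(blob, off)
        if total < TAG_HDR.size + dlen or off + total > full:
            raise ValueError("tag overruns image")  # refuse truncated or oversized tags
        tags[name[::-1].decode()] = blob[off + TAG_HDR.size:off + TAG_HDR.size + dlen]
        off += total
    return ident[::-1].decode(), tags

def personalized_for(blob):
    """ECID the image is signed for, or None if it carries no personalization tags."""
    _, tags = parse_img3(blob)
    if PERSONALIZATION_TAGS <= set(tags):
        return struct.unpack("<Q", tags["ECID"])[0]
    return None

# Constructed sample: a stock "ibss" image, and the same image once personalized
# (placeholder ECID, signature and certificate bytes, not real values).
BASE_TAGS = [("TYPE", b"ssbi"), ("DATA", b"\xaa" * 64)]
STOCK = build_img3("ibss", BASE_TAGS)
SIGNED = build_img3("ibss", BASE_TAGS + [("ECID", struct.pack("<Q", 0x1122334455667788)),
                                         ("SHSH", b"\x5a" * 128), ("CERT", b"\x30\x82" + bytes(30))])
```

Running `personalized_for` over the files in a personalized restore directory is the check the thread's question comes down to: a copied iBSS with these three tags is usable only for the ECID stored in it, and every other IMG3 in the bundle needs its own signed tags.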
09-15-2009, 12:09 PM #5
Very interesting read...
My concern is similar to, but slightly broader than, NathanA's.
The idea of tracking my ECID SHSH on a 3rd party server is somewhat discomforting. My imagination runs rampant with the various ways in which this information might be used against me in the future. Be it in the form of legal claims, denial of phone and/or warranty services, or malicious use of the data.
Granted, the above scenarios are unlikely given the context of usage. But then again, I am sure there's an army of [pick a word] figuring out ways to combat the freedoms we seek. In terms of malicious use of the data, in no way do I think the great contributors to the iPhone freedom movement would have such nefarious objectives. Unfortunately, the less honorable among us might have different ideas in mind. It seems plausible to me that somehow this information could be detrimental. If not now, perhaps in future releases.
That said, unless I have missed this, I would love to see the "caching service" made available in some form to enable for local capture of the ECID SHSH. 127.0.0.1 go.apple.com....
On the horizon perhaps?
Last edited by Atreides; 09-15-2009 at 12:10 PM. Reason: Automerged Doublepost