[Howto] Create a 00.SHSH from your signed iBEC/iBSS files/folders

[faremoney]

ok theheadfl... thanks anyway
i'm stucked with 3.1 official.... thanks for your work! i give up.

[MegaGoo]

it sucks that it wasnt more clearly explained that users should be grabbing the entire directory. i happened to copy my tmp files just "to be on the safe side", but if i recall, it seems dev team and/or geohot was only saying you would only need: your ecid, ibss, and ibec files. is this just flat out not enough? there is no way to create those other files some kind of way based off the ibec/ibss?

[TheHeadFL]

it sucks that it wasnt more clearly explained that users should be grabbing the entire directory. i happened to copy my tmp files just "to be on the safe side", but if i recall, it seems dev team and/or geohot was only saying you would only need: your ecid, ibss, and ibec files. is this just flat out not enough? there is no way to create those other files some kind of way based off the ibec/ibss?

In theory there is a way to make it work with just the iBSS... that is all that those guys were grabbing.

As I understand it, the issue is getting a vulnerable iBoot on there which will then allow you to load whatever you want.

I'm unsure of what behavior would occur if you had a valid iBSS SHSH and the rest of the hashes were invalid. I think iTunes would probably let the restore occur, but then would you be able to boot... I don't know.

Maybe someone wants to try? I can hack the tool to allow this...

[buangsampah2003]

Hi HeadFL,
I have multiples of 3GS Ibec and Ibss (I managed to jailbreak several 3GS phones for mine and my buddies) that I captured on and before August 21, 2009.
But when I used your tools, it said as follows:
DIPHONE\SHSH_Tool>shsh_tool -tmpfiles diphone\shsh_tool\to\tmp\grabber -outpu
Reading IPSW Manifest File...
Found Manifest Files:
- Key: AppleLogo [Digest: QAAAADgdAACl9/Hr04uQMR6Jr7pX8UInUnEoKA==]
- Key: BatteryCharging [Digest: QAAAADhHAACqYV/La3TahgUWPEoriCD0ihj8cQ==]
- Key: BatteryCharging0 [Digest: QAAAALhEAAD0jN9cTCXlGeLIHl9zoSujK6IReA==]
- Key: BatteryCharging1 [Digest: QAAAAPhYAAADzc0E4UGku60PLueuWJuAavaj3Q==]
- Key: BatteryFull [Digest: QAAAAPggAQDlTu4etE9Hyqd53SfUabSUMQKveg==]
- Key: BatteryLow0 [Digest: QAAAAHjVAAB3neUXu+AZDukKBMXTWAe6Fp1xTA==]
- Key: BatteryLow1 [Digest: QAAAAPj2AAAAhdT0Dah967fFlitKxFuG1UXcvw==]
- Key: BatteryPlugin [Digest: QAAAADhDAAAjiTnnqWZwxykMPlXw4tnObaJ1CQ==]
- Key: DeviceTree [Digest: QAAAAHinAAA7P+D5ybJAvPXdRtUobDSLgoIFxg==]
- Key: KernelCache [Digest: QAAAAHidRwAltMOQ6wzPJKxGr/Dt0WimnI4Jkg==]
- Key: LLB [Digest: QAAAAPgAAQDYvJMWj1lAnuV6KOWG2Pw3Gsc2EQ==]
- Key: NeedService [Digest: QAAAALhHAAAs6oR8k6a1FrNLnQ4RGT3ztMyRKw==]
- Key: RecoveryMode [Digest: QAAAALiyAAAVdGhCcgJizRvKkJLjXWbaaTx+Ig==]
- Key: RestoreDeviceTree [Digest: QAAAAHinAAA7P+D5ybJAvPXdRtUobDSLgoIFxg==]
- Key: RestoreKernelCache [Digest: QAAAAHidRwAltMOQ6wzPJKxGr/Dt0WimnI4Jkg==]
- Key: RestoreLogo [Digest: QAAAADgdAACl9/Hr04uQMR6Jr7pX8UInUnEoKA==]
- Key: RestoreRamDisk [Digest: QAAAAPjwwgBIAM3nYNCnt2z33+HaQIMJMp9ePw==]
- Key: iBEC [Digest: QAAAAPiQAQC9Ty8vP15P2iU3qkF4b8wfSo18FA==]
- Key: iBSS [Digest: QAAAAPiQAQCcdhu1hCyHWHAez39TmafGGpj00g==]
- Key: iBoot [Digest: QAAAAPiwAgBzNM32ZeCYkQ+JfYMFXusQQo3TOQ==]
- Key: RestoreRamDisk [Digest: QAAAAPjQwgCnlxrq+5w91+90VitZeWIoPtJj0A==]
Processing TMP files...
- Entering directory: diphone\shsh_tool\to\tmp\grabber\Per14.tmp
- Firmware/all_flash/all_flash.n88ap.production/applelogo.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/DeviceTree.n88ap.img3
- kernelcache.release.s5l8920x
- Firmware/all_flash/all_flash.n88ap.production/DeviceTree.n88ap.img3
- kernelcache.release.s5l8920x
- Firmware/all_flash/all_flash.n88ap.production/applelogo.s5l8920x.img3
- 018-5306-002.dmg
- Firmware/dfu/iBEC.n88ap.RELEASE.dfu
- Entering directory: diphone\shsh_tool\to\tmp\grabber\Per15.tmp
- Entering directory: diphone\shsh_tool\to\tmp\grabber\Per16.tmp
- Firmware/all_flash/all_flash.n88ap.production/glyphcharging.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/batterycharging0.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/batterycharging1.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/batteryfull.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/batterylow0.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/batterylow1.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/glyphplugin.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/LLB.n88ap.RELEASE.img3
- Firmware/all_flash/all_flash.n88ap.production/needservice.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/recoverymode.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/iBoot.n88ap.RELEASE.img3
- Entering directory: diphone\shsh_tool\to\tmp\grabber\Per18.tmp
- Entering directory: diphone\shsh_tool\to\tmp\grabber\Per19.tmp
Verifying BLOB Data...
- ERROR: Could not read signed BLOB data for Firmware/dfu/iBSS.n88ap.RELEASE.dfu
There were errors while trying to create SHSH file.
Complete.

(The funny part, my own ECID has been registered to cydia and I manage to downgrade and restore to 3.0 iphone 3G)

What could be wrong here? and why the tools gave me this message:
- ERROR: Could not read signed BLOB data for Firmware/dfu/iBSS.n88ap.RELEASE.dfu
If this is due to it has not been signed by apple, then it is funny, caused I have it registered with cydia and can perform the restore to 3.0?

[TheHeadFL]

(The funny part, my own ECID has been registered to cydia and I manage to downgrade and restore to 3.0 iphone 3G)

What could be wrong here? and why the tools gave me this message:
- ERROR: Could not read signed BLOB data for Firmware/dfu/iBSS.n88ap.RELEASE.dfu
If this is due to it has not been signed by apple, then it is funny, caused I have it registered with cydia and can perform the restore to 3.0?

Unfortunately, when you saved those files you were unable to capture the iBSS file, which is the most 'elusive' one.

You can only get that file during a DFU restore.

The fact that you are on file with Cydia doesn't have anything to do with whether your iBSS file was generated. If you were on file with Cydia, however, it is possible to reconstruct your iBSS file from the SHSH file. It would be pointless for you, though, since you already have an SHSH.

[tonev]

In theory there is a way to make it work with just the iBSS... that is all that those guys were grabbing.

As I understand it, the issue is getting a vulnerable iBoot on there which will then allow you to load whatever you want.

I'm unsure of what behavior would occur if you had a valid iBSS SHSH and the rest of the hashes were invalid. I think iTunes would probably let the restore occur, but then would you be able to boot... I don't know.

Maybe someone wants to try? I can hack the tool to allow this...

I would be willing to try this

If this fails does that mean i will be stuck on stock 3.1? or does it mean my iphone could be bricked?

[faremoney]

I would be willing to try this

If this fails does that mean i will be stuck on stock 3.1? or does it mean my iphone could be bricked?

me too... but i second the question....

[TheHeadFL]

I would be willing to try this

If this fails does that mean i will be stuck on stock 3.1? or does it mean my iphone could be bricked?

Short answer is that I don't really know what is going to occur...

I dont think its truly possible to really brick it. Worst case I think you have to do a DFU restore to 3.1 official.

The obvious upshot of all this is that this is unknown to me and so I can't promise you what will or will not happen.

[sw10]

In theory there is a way to make it work with just the iBSS... that is all that those guys were grabbing.

As I understand it, the issue is getting a vulnerable iBoot on there which will then allow you to load whatever you want.
...

Bad luck..... I only keep one temp folder for iBEC/iBSS and one temp folder for iBEC. Not enough, right?

By the way, is it possible to find a way to skip the verification process of firmware version in iTunes and directly jump to the next step for copying the firmware into iPhone?

[faremoney]

Short answer is that I don't really know what is going to occur...

I dont think its truly possible to really brick it. Worst case I think you have to do a DFU restore to 3.1 official.

The obvious upshot of all this is that this is unknown to me and so I can't promise you what will or will not happen.

thehead i'm ready to test. just tell me what to do, i'll take the responsability .

[MegaGoo]

Bad luck..... I only keep one temp folder for iBEC/iBSS and one temp folder for iBEC. Not enough, right?

By the way, is it possible to find a way to skip the verification process of firmware version in iTunes and directly jump to the next step for copying the firmware into iPhone?

cant skip verification. need a blob of 3.0 to restore to 3.0

[TheHeadFL]

Bad luck..... I only keep one temp folder for iBEC/iBSS and one temp folder for iBEC. Not enough, right?

By the way, is it possible to find a way to skip the verification process of firmware version in iTunes and directly jump to the next step for copying the firmware into iPhone?

No it isn't possible to skip it.

I am working on an experiment whereby I *might* be able to just use the iBSS file. Don't get your hopes up yet though.

thehead i'm ready to test. just tell me what to do, i'll take the responsability .

I will try to code up a tool tonight which does that. I'll post back when I have it ready.

Remember, best case this gets you to 3.1 JB. This won't help you get back to 3.0 JB, at least not as far as I know.

[faremoney]

No it isn't possible to skip it.

I am working on an experiment whereby I *might* be able to just use the iBSS file. Don't get your hopes up yet though.

we are with you

No it isn't possible to skip it.

I am working on an experiment whereby I *might* be able to just use the iBSS file. Don't get your hopes up yet though.



I will try to code up a tool tonight which does that. I'll post back when I have it ready.

Remember, best case this gets you to 3.1 JB. This won't help you get back to 3.0 JB, at least not as far as I know.

it would be wonderful.... good work mate!

[sw1tch]

we are with you




it would be wonderful.... good work mate!

I'm also awaiting this iBSS-only method. Currently i'm stuck with official 3.1 and all i have is iBSS and iBEC from 3.0. All i need is JB 3.1, dont care for 3.0 so i guess this might save me

Did Dev Team actually say capture entire folder and not only iBEC iBSS back then?

[CyrusTheVirus81]

I'm also awaiting this iBSS-only method. Currently i'm stuck with official 3.1 and all i have is iBSS and iBEC from 3.0. All i need is JB 3.1, dont care for 3.0 so i guess this might save me

Did Dev Team actually say capture entire folder and not only iBEC iBSS back then?

I only remember them saying to get the iBEC/iBSS so even though I used ibec grabber I only saved the 2 files and deleted the rest. Whish I woulda saved the whole folder now.

[sw1tch]

Yeah, me too.. something told me save the whole damn thing but i went thinking what the heck Dev Team did it so many times, they cant be wrong..

Well anyway im waiting for some luck going from official 3.1 to JB 3.1 using 3.0/3.0.1 iBSS only soon

Edit: By the way i have a working 00.shsh for 3.1 for my device that allows me to restore to official 3.1 and local server method. However when trying to restore the jailbroken 3.1 ipsw it says preparing iphone for ages and then fails with error 1600. Anything i can do here other than wait for the above please? I.e. it never even does the "Verifying software update with Apple"-thing. iPhone never restarts even

I should mention that i created the 3.1 ipsw which im trying to restore to running my old JB 3.0.1 firmware. Cant see why it shouldnt work?

Sorry if im hijacking the thread but it doesnt feel right to make a new one for my specific problem. Or should i?

[TheHeadFL]

I'm also awaiting this iBSS-only method. Currently i'm stuck with official 3.1 and all i have is iBSS and iBEC from 3.0. All i need is JB 3.1, dont care for 3.0 so i guess this might save me

Did Dev Team actually say capture entire folder and not only iBEC iBSS back then?

No, they didn't, unfortunately. It is a shame because that is the ticket here.

[VonSwanko]

I'm in for any testing also. I have my iBEC and IBSS and ECID and rainyday files. Worst case is brick and get a new phone right? Then just a wait for Greenpois0n.

[TheHeadFL]

Ok, here is a package that is for TESTING PURPOSES ONLY.

For those that want to test and understand the risk, I've created a new package:

-Link Removed- The experiment failed, you guys are out of luck, sorry

This contains a mode that you enable with the "-override" command line switch.

This will do a 'best attempt' at generating a SHSH file from whatever files you happen to have. For the files you don't have, it will substitute some 'fake' data that looks like a valid hash.

* What might happen?

Best case scenario: You are able to restore through iTunes in DFU mode and see a bunch of errors. You may need to do this twice as in the downgrading tutorial. After this, (maybe?) you try to jailbreak using either purplera1n or redsn0w. I don't know which (if any) of these will work. After this your phone probably still will not boot. It might, however, and this is the optimistic bit, allow you to restore to a custom 3.1 JB you obtained from PwnageTool. Maybe. We hope.

Why might this work? What is going on here? Well, since supposedly the iBSS is the only file you *really* need, this will (possibly) fool iTunes into loading your phone with (mostly) gibberish, but also an actual valid iBSS file. It is hoped that this is enough of a 'foot in the door' to allow the iBoot to be compromised and thus allow the loading of a jailbroken (custom) 3.1 IPSW file.

Likely Scenario: You are unable to restore using this SHSH. Either iTunes rejects it or something else fails along the way. You can't proceed and you have to restore to 3.1 Official.

Worst Case Scenario: Your phone won't boot at all and you have to do a DFU restore.

Even Worse Case Scenario: You brick your phone. (I am not sure if this is even possible, but I want you to know the risks fully)

Good luck, and remember, if you attempt this, you are accepting the risk. I am not a member of any Dev Team, this is just my best guess at how things *might* work.

i think it is because we just have iBEC*.dfu and iBSS*.dfu

I think there is a folder structure that these files need to be in. ie: P*.tmp or something.

Can someone confirm this?

Sorry I missed that before, yes, that is correct.

The tool expects to find the files under folders named P*.tmp, and beneath that folder it expects to follow the directory structure that it prints out in the error messages.

[CyrusTheVirus81]

Well no luck so far. It gets stuck on preparing iphone for restore (1604 error). It seems to pass the shsh check but gets stuck and upon reboot goes into recovery mode.