-
10-06-2009, 03:33 PM #61
TheHeadFL, what, in short, does your software do? i.e. it removes a string from each file and puts them together to create a blob?
Abras
-
10-06-2009, 03:44 PM #62
This is the basic explanation:
The contents of a SHSH file is basically just 17 unique 'blobs'. These blobs are Base64-encoded binary 'certificates'. These certificates are what are generated by Apple (and can only be generated by Apple) during a restore process.
When iTunes tries to restore your phone, it contacts Apple's servers and delivers your ECID and a manifest (list of files and their hashes) which serves as your signing request.
Apple's servers respond with certificates for each file, signed by Apple's private keys and your ECID. This means each certificate is not only specific to the exact file being signed, it is also specific to the exact phone it will be used on. In short, these files cannot be counterfeited.
Once the certificates are received by iTunes, it extracts the 17 unique files (note that the files are not the same as the blobs. The files themselves are not signed yet) and saves them to your Per####.tmp directories with the certificate appended to the end. These files are now signed by your ECID and can only be used on your phone.
During a restore operation, these files are loaded onto the phone. The bootrom in the phone verifies these files match your phone. If the files don't match, the phone will reject them and you are unable to restore.
All my tool does is take the last 2125 bytes of each file, which, as I just explained, is really just the certificate returned by Apple, and Base64 encodes them (as the 'blobs') and saves them in the format that is expected by TinyTSS. TinyTSS then reads the 'blobs' and repeats them verbatim when iTunes asks for them.
Because the blobs are signed by your phone, your phone accepts them and everything works.
If you try to use any files not signed by your ECID, your phone will not boot. Period. There is no workaround for this.
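A toy model of the personalization scheme described in the post above, added here as an illustration; it is not TheHeadFL's tool, Apple's certificate format or the IMG3 layout. Textbook RSA with constructed Mersenne primes stands in for Apple's key, SHA-256 over ECID plus file digest stands in for the manifest entry, and the signature is simply appended to the file. It shows why two phones' personalized copies of the same file differ only in the trailing signature, and why a file signed for one ECID is rejected for another.

```python
import hashlib

# Constructed toy key (NOT Apple's): two Mersenne primes, n is about 2^92.
# Only the holder of TOY_D can sign; in the model that holder is Apple.
TOY_P, TOY_Q = (1 << 31) - 1, (1 << 61) - 1
TOY_N = TOY_P * TOY_Q
TOY_E = 65537
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))
SIG_LEN = 12  # bytes; holds any value below TOY_N (< 2^92)

def signed_message(ecid: int, file_digest: bytes) -> int:
    """Binds the device (ECID) to the exact file, like the ECID + manifest
    digest iTunes sends as the signing request. Reduced mod n for toy RSA."""
    m = hashlib.sha256(ecid.to_bytes(8, "big") + file_digest).digest()
    return int.from_bytes(m, "big") % TOY_N

def apple_sign(ecid: int, file_digest: bytes) -> int:
    # Needs the private exponent; nobody outside Apple has the real one.
    return pow(signed_message(ecid, file_digest), TOY_D, TOY_N)

def bootrom_verify(ecid: int, file_digest: bytes, sig: int) -> bool:
    # The phone needs only the public exponent to check that the blob was
    # issued for *this* ECID and *this* file.
    return pow(sig, TOY_E, TOY_N) == signed_message(ecid, file_digest)

def personalize(ecid: int, unsigned_file: bytes) -> bytes:
    """file || signature: the unsigned file with the certificate appended,
    the shape the thread describes for the Per####.tmp files (toy layout)."""
    sig = apple_sign(ecid, hashlib.sha256(unsigned_file).digest())
    return unsigned_file + sig.to_bytes(SIG_LEN, "big")

def check_personalized(ecid: int, blob: bytes) -> bool:
    """What the bootrom does in the model: split off the trailing signature
    and verify it against this phone's ECID and the file body's digest."""
    body, sig = blob[:-SIG_LEN], int.from_bytes(blob[-SIG_LEN:], "big")
    return bootrom_verify(ecid, hashlib.sha256(body).digest(), sig)

# Constructed sample: one iBSS image, two phones with different ECIDs.
IBSS_IMAGE = b"constructed iBSS image bytes, not a real firmware file"
ECID_MINE, ECID_FRIEND = 0x000A1B2C3D4E5F60, 0x000F0E1D2C3B4A59

def demo() -> dict:
    mine = personalize(ECID_MINE, IBSS_IMAGE)
    friend = personalize(ECID_FRIEND, IBSS_IMAGE)
    return {
        "bodies_identical": mine[:-SIG_LEN] == friend[:-SIG_LEN],
        "only_signature_differs": mine[-SIG_LEN:] != friend[-SIG_LEN:],
        "own_blob_accepted": check_personalized(ECID_MINE, mine),
        "friends_blob_rejected": not check_personalized(ECID_MINE, friend),
        "modified_file_rejected": not check_personalized(ECID_MINE, b"x" + mine),
    }
```

`demo()` returns True for every entry: the two personalized files are byte-identical except for the appended signature, and the bootrom model rejects both another phone's blob and a modified file body.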
-
10-06-2009, 04:34 PM #63
Thanks a lot,
The restoring part I already got; I just wanted to understand your code so I can mod it to make a working blob from only iBSS and iBEC, if possible.
Abras
Edit:
Also, with your tool, can I generate the blobs for iBSS and iBEC? I know it won't work, but as I don't have here a 3.0 SHSH blob, only 3.1, I'd like to have at least those two "pre-blobs", so I could compare and study the differences between 3.0 and 3.1. I got the string from each file from 3.1, and they are basically the same, except for a small part.
Edit2:
Also, something very strange I noticed here. I have here with me my 3.1 SHSH blob. I have 20 blobs inside, instead of 17. I was checking, and it looks like I have some of them twice, e.g. Firmware/all_flash/all_flash.n88ap.production/applelogo.s5l8920x.img3.
Last edited by AbrasBR; 10-06-2009 at 05:06 PM.
-
10-06-2009, 05:54 PM #64
Yes, there are 3 duplicates.
There is nothing to really see with the blobs, but, if you really want to see your blobs, copy the last 2125 bytes from your iBEC and iBSS files into a Base64 converter. The output = your blob. (You can google for base64 converters)
-
10-06-2009, 06:21 PM #65
Yes, but what I saw while I was checking my blobs was that each string inside the file's data is almost the same, except for one small part.
If possible, could you send me your 3.0 and 3.1 SHSH blobs? Thanks
Abras
Last edited by AbrasBR; 10-06-2009 at 06:40 PM.
-
10-06-2009, 06:42 PM #66
That is correct. They are the same except for a 128 byte signature.
128 bytes may not sound like much, but cryptographically it's unbreakable.
UPDATE:
Tool has been updated for 3.0.1 thanks to Controllator's diffs.
Added more error checking for people who are trying to do crazy things like use their friends files. It now makes sure all the ECIDs from every file are the same. (In other words don't do this.)
Tool also now looks for files regardless of directory structure.
Last edited by TheHeadFL; 10-06-2009 at 06:42 PM. Reason: Automerged Doublepost
-
10-06-2009, 10:38 PM #67
Oh, so this small part is actually the individual signature for each file?
Isn't it possible to generate those strings with the ones from the iBSS and iBEC files?
Abras
-
10-06-2009, 11:07 PM #68
I was thinking the same thing.
-
10-07-2009, 01:08 AM #69
I tried this with the new software but it keeps saying "error file not found"; all the files are there. Any help? Please.
Last edited by chinaa108; 10-07-2009 at 03:55 AM.
-
10-07-2009, 06:12 AM #70
No.
Please believe me when I keep telling you it is not possible.
Only Apple possesses the encryption keys required to create these hashes, and they aren't going to give them out any more. Therefore, it is not possible to generate these hashes any other way.
Read up on public key cryptography and signing.
-
10-07-2009, 06:28 AM #71
I tried this with the new software but it keeps saying "error file not found"; all the files are there. Any help? Please.
-
10-07-2009, 06:52 AM #72
Hey there!
So i finally messed it up!
I only stored the iBEC & iBSS files of my phone, and the one created through the purplera1n homepage as well. If I got you right, NONE of these files will be useful to downgrade a 3GS to 3.0 now AND in the future. Did I get it right? (Please tell me I didn't.)
Regards, Rehner
Last edited by Rehner; 10-07-2009 at 06:54 AM.
-
10-07-2009, 08:27 AM #73
If you want help, you need to give more information. Try posting the output of the tool.
They may be useful to *jailbreak* in the future, but probably not to downgrade to 3.0.
Don't delete them, I'm just saying you can't use them with my tool or any other tool like it.
Last edited by TheHeadFL; 10-07-2009 at 08:27 AM. Reason: Automerged Doublepost
-
10-07-2009, 08:42 AM #74
Dude, I believe you. I know some stuff about this, I have some knowledge in cryptography, so I know what we are dealing with here. I know that 128b is a lot and is unbreakable. But I never said that we would generate new hashes, or create one ourselves; I said we could fool iTunes with the only 2 hashes we have. Saurik already said that with only both files it is possible to downgrade; that's why I'm being this annoying, to figure out how we can do it. Cause it is possible, we only don't know how.
Abras
-
10-07-2009, 08:47 AM #75
What Saurik said is that it may be possible to use those files to jailbreak in the future.
That means creating a custom IPSW with your signed 3.0 iBSS file. This would only allow you to jailbreak, however, not to downgrade. You can't forge the signature on the 3.0 files, so no matter what you do, your only real hope is getting to a jailbroken 3.1 or newer. You won't be able to go back to 3.0.
Others have already tested all the methods available with the iBSS hashes we have, and it isn't a simple matter to accomplish even this. If a tool is ever going to be created to use the iBSS file, it is going to have to come from the Dev Team, and it will not be for 3.0.
-
10-07-2009, 11:04 AM #76
Hi, a quick question: I read somewhere that within one of these files you can find your ECID number. Where is it and how can I get it?
The errors I get are:
C:\Users\iphone\Desktop\SHSH_Tool.Build3>shsh_tool.exe -tmpfiles c:/users/chintan/desktop/shsh.tmp/perbpf4.tmp -output c:/users/iphone/desktop/01.shsh
Operating in 3.0 Mode
Reading IPSW Manifest File...
Found Manifest Files:
- Key: AppleLogo [Digest: QAAAADgdAACl9/Hr04uQMR6Jr7pX8UInUnEoKA==]
- Key: BatteryCharging [Digest: QAAAADhHAACqYV/La3TahgUWPEoriCD0ihj8cQ==]
- Key: BatteryCharging0 [Digest: QAAAALhEAAD0jN9cTCXlGeLIHl9zoSujK6IReA==]
- Key: BatteryCharging1 [Digest: QAAAAPhYAAADzc0E4UGku60PLueuWJuAavaj3Q==]
- Key: BatteryFull [Digest: QAAAAPggAQDlTu4etE9Hyqd53SfUabSUMQKveg==]
- Key: BatteryLow0 [Digest: QAAAAHjVAAB3neUXu+AZDukKBMXTWAe6Fp1xTA==]
- Key: BatteryLow1 [Digest: QAAAAPj2AAAAhdT0Dah967fFlitKxFuG1UXcvw==]
- Key: BatteryPlugin [Digest: QAAAADhDAAAjiTnnqWZwxykMPlXw4tnObaJ1CQ==]
- Key: DeviceTree [Digest: QAAAAHinAAA7P+D5ybJAvPXdRtUobDSLgoIFxg==]
- Key: KernelCache [Digest: QAAAAHidRwAltMOQ6wzPJKxGr/Dt0WimnI4Jkg==]
- Key: LLB [Digest: QAAAAPgAAQDYvJMWj1lAnuV6KOWG2Pw3Gsc2EQ==]
- Key: NeedService [Digest: QAAAALhHAAAs6oR8k6a1FrNLnQ4RGT3ztMyRKw==]
- Key: RecoveryMode [Digest: QAAAALiyAAAVdGhCcgJizRvKkJLjXWbaaTx+Ig==]
- Key: RestoreDeviceTree [Digest: QAAAAHinAAA7P+D5ybJAvPXdRtUobDSLgoIFxg==]
- Key: RestoreKernelCache [Digest: QAAAAHidRwAltMOQ6wzPJKxGr/Dt0WimnI4Jkg==]
- Key: RestoreLogo [Digest: QAAAADgdAACl9/Hr04uQMR6Jr7pX8UInUnEoKA==]
- Key: RestoreRamDisk [Digest: QAAAAPjwwgBIAM3nYNCnt2z33+HaQIMJMp9ePw==]
- Key: iBEC [Digest: QAAAAPiQAQC9Ty8vP15P2iU3qkF4b8wfSo18FA==]
- Key: iBSS [Digest: QAAAAPiQAQCcdhu1hCyHWHAez39TmafGGpj00g==]
- Key: iBoot [Digest: QAAAAPiwAgBzNM32ZeCYkQ+JfYMFXusQQo3TOQ==]
- Key: RestoreRamDisk [Digest: QAAAAPjQwgCnlxrq+5w91+90VitZeWIoPtJj0A==]
Processing TMP files...
- Firmware/all_flash/all_flash.n88ap.production/applelogo.s5l8920x.img3
- ERROR: Magic string not found! (DICE@)
Verifying BLOB Data...
- ERROR: Invalid signed data for Firmware/all_flash/all_flash.n88ap.production/applelogo.s5l8920x.img3
- ERROR: File not found for Firmware/all_flash/all_flash.n88ap.production/glyphcharging.s5l8920x.img3
- ERROR: File not found for Firmware/all_flash/all_flash.n88ap.production/batterycharging0.s5l8920x.img3
- ERROR: File not found for Firmware/all_flash/all_flash.n88ap.production/batterycharging1.s5l8920x.img3
- ERROR: File not found for Firmware/all_flash/all_flash.n88ap.production/batteryfull.s5l8920x.img3
- ERROR: File not found for Firmware/all_flash/all_flash.n88ap.production/batterylow0.s5l8920x.img3
- ERROR: File not found for Firmware/all_flash/all_flash.n88ap.production/batterylow1.s5l8920x.img3
- ERROR: File not found for Firmware/all_flash/all_flash.n88ap.production/glyphplugin.s5l8920x.img3
- ERROR: File not found for Firmware/all_flash/all_flash.n88ap.production/DeviceTree.n88ap.img3
- ERROR: File not found for kernelcache.release.s5l8920x
- ERROR: File not found for Firmware/all_flash/all_flash.n88ap.production/LLB.n88ap.RELEASE.img3
- ERROR: File not found for Firmware/all_flash/all_flash.n88ap.production/needservice.s5l8920x.img3
- ERROR: File not found for Firmware/all_flash/all_flash.n88ap.production/recoverymode.s5l8920x.img3
- ERROR: File not found for Firmware/all_flash/all_flash.n88ap.production/DeviceTree.n88ap.img3
- ERROR: File not found for kernelcache.release.s5l8920x
- ERROR: File not found for Firmware/all_flash/all_flash.n88ap.production/applelogo.s5l8920x.img3
- ERROR: File not found for 018-5306-002.dmg
- ERROR: File not found for Firmware/dfu/iBEC.n88ap.RELEASE.dfu
- ERROR: File not found for Firmware/dfu/iBSS.n88ap.RELEASE.dfu
- ERROR: File not found for Firmware/all_flash/all_flash.n88ap.production/iBoot.n88ap.RELEASE.img3
There were errors while trying to create SHSH file.
Complete.
C:\Users\iphone\Desktop\SHSH_Tool.Build3>
Last edited by chinaa108; 10-07-2009 at 11:04 AM. Reason: Automerged Doublepost
-
10-07-2009, 11:14 AM #77
That means that file you have there isn't signed. Where did you get it from?
-
10-07-2009, 11:49 AM #78
TheHeadFL, this is my file from my external hard drive. Which one is wrong, cause I have four different manifest files? Thanks for all your help! :-)
Hi, a quick question: I read somewhere that within one of these files you can find your ECID number. Where is it and how can I get it?
Last edited by chinaa108; 10-07-2009 at 12:13 PM.
-
10-07-2009, 11:53 AM #79
What he said is that it may be possible to generate the signature for 3.0 with iBSS and iBEC, required to restore your 3GS. Restore, downgrade, update, they are all the same. If you can restore to 3.0 being on 3.0, then you can downgrade to 3.0 being on 3.1. You only need the signature required, the SHSH blobs, that you manage to generate from all those files.
Abras
-
10-07-2009, 11:58 AM #80
Read again
...In practice, there is only one critical file that we need signed: the one with the bug. ;P This is the iBSS, which is one of the modes of iBoot. Given that ECID/iBSS signature, one can load the buggy code and then continue with the jailbreak....
Personalized Firmware
What iTunes does with these blobs is to "personalize" the firmware file, integrating the ECID, SHSH, and CERT blocks into it, so that the iPhone can verify the result. It does this in a temporary directory where users can actually just watch and grab the files.
So, many users have gone in and carefully gotten both the iBSS and iBEC files from this personalization mechanism. The iBSS file from this process actually contains no more information than the tiny purplera1nyday file.
However, and this is unfortunate: just because this information is "sufficient to jailbreak", doesn't mean it is convenient. Without someone writing a special jailbreak tool that uses these files as input you are pretty much stuck.