03-03-2010, 03:47 AM #1: Apple ECID Formatting and Methods?
I am by no means a computer expert and it is usually uncommon for me to post topics on forums, but this new issue with Apple signing ECIDs for firmware upgrades has forced me to "come out of my shell," after spending 4-5+ hours researching ways to downgrade my new 3GS, which I just got as a replacement due to a factory defect.
The iPhone arrived with 3.1.3 OTB and also contained the new boot ROM, which really isn't that surprising. From what I've read, the only remote possibility of jailbreaking/downgrading this flavor of iPhone is the technique where you downgrade your iTunes to 8.2 (or whichever low version) and trick it into proceeding with the firmware restore until, of course, it tries to write to the new boot ROM and stalls out, leaving you in a restore-mode cycle which forces you to run iRecovery and reset the auto_boot variable, leaving you with a makeshift restored iPhone. BUT, this method no longer works for some reason which I cannot understand.
If the majority of this method is done offline and the same method worked for the same firmware weeks ago, there shouldn't be any variable that could have changed to cause it not to work. Of course it's going to be confusing when a majority of the posts here are hard to understand and have questionable legitimacy.
So what I've concluded is that Apple has definitely adopted this new signing method and has gotten comfortable with it, so it doesn't seem like it's going to be going anywhere soon. There have been other posts suggesting that the 128-bit HASH be cracked (I'm not going to even act like I understand anything about encryption), but they all are shot down saying that it would take too many resources and is impractical, but not impossible.
One might wonder what these ways are that seem impossible just because they are almost ridiculous, but if one had unlimited resources, particularly storage and processing speed, what new methods would be unlocked?
The iPhone-Dev team constantly warns us to back up our SHSH "blobs" for each firmware, both locally and on Saurik's server. I was diligent in keeping up with firmware releases and jailbreaking news and stayed on top of my SHSH backups, but because I was forced to trade in my phone, now all of my work is completely useless. "If only I had known what the ECID of my new phone would be, I would have backed it up."
An ECID is formatted like so: 00000E2CBA43BF2. (Of course I randomized the significant numbers.) But from what I can tell, the ECID uses hex digits, which are composed of the numbers 0-9 and the letters A-F, which means it is a 16-digit-long string of characters with a possibility of 16 different characters per digit, meaning there are exactly 18,446,744,100,000,000,000 different combinations to form the ECID.
This is where it would be considered ridiculous at first glance to even consider retrieving that many "blobs," but if you look closer at the number you can see that Apple only populates the last 11 digits, which decreases the number to 17,592,186,000,000, which is very significantly less than the former. Secondly, after attempting to follow this pattern for the first 20, I noticed that only a fraction of about 12/20 of the ECIDs would register with Apple's server, which cuts this number almost in half.
Assuming that the network is consistent and that it would take around 3 seconds to obtain and back up the "blob," if you were to process each request one after another it would take 610,839,792 days to process every possible ECID hash for that particular firmware version of iPhone. This is not including the fact that a high-end server can theoretically run hundreds of threads to connect to Apple's server and retrieve data without using any significant amount of CPU load. So with a cluster of 50 servers all running processes one at a time, where each request would take 3 seconds, it would take 12,216,795 days. If the servers were to run 5 requests simultaneously it would take 2,443,359 days, and so on.
After calculating different methods of running this formula, I have concluded that in order to have a completed ECID table of a firmware in less than 20 days, it would be necessary for close to 900,000 clients to be constantly running requests at no less than 10 requests per second. The amount of connections alone would crash Apple's server, which makes this unrealistic, as it would take too long to compute all the ECIDs and a new firmware would be released by the time it finished. Unless someone discovers a formula for discovering which ECIDs will be used by a device and which are unused, the sheer amount of time and data is just too overwhelming.
If Apple signed all of the last 11 digits of the ECID, it would take over 105,553 Terabytes of COMPRESSED data just to store one firmware version for one device. But if we knew exactly which ECIDs were used, then it would be significantly easier to create the table. Using the fact that there are around 6.4 million iPhone users in the US, we can project the amount of work it would take to compute the SHSH blobs.
(17,592,186,000,000 total ECIDs compared to 6,400,000 iPhone users in the US.)
To compute the ECID SHSH blobs for every iPhone in the US, it would take 50 servers running 5 requests per second 7.104 hours to complete the entire table, requiring only 38.4 Gigabytes of storage.
I am by no means expecting any of this to happen, but only suggesting a potential idea that would undoubtedly solve countless numbers of people's problems. If you had recently bought a new device and were disappointed to find that it came out of the box installed with a firmware that was jailbreak-proof, you would simply need to read the ECID and send it to a server storing all of the blobs, which would run a quick query and return you the result. Having a database set up for each device and each firmware version would solve the problem of ever having to worry about not being able to upgrade/downgrade to the version of your choice. I don't think any of us could imagine it being so easy.
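The feasibility arithmetic in the post above, carried through with exact values, as an added example that is not part of the original post. It assumes the ECID is a 64-bit identifier shown as up to 16 hex digits, and the 6 KB per blob figure is an assumption derived from the post's 38.4 GB for 6.4 million blobs.

```python
# Added example, not from the original post: exact keyspace, time and storage
# figures for the ECID-space enumeration the post estimates. It contacts
# nothing; it only shows why a 16**11 identifier space is out of reach at
# network request rates while a list of known ECIDs is not.
HEX_DIGITS = 16            # an ECID is a 64-bit value, shown as <= 16 hex digits
SECONDS_PER_DAY = 86_400


def parse_ecid(text: str) -> int:
    """Validate an ECID string (hex, at most 16 digits) and return it as an int."""
    cleaned = text.strip().upper()
    if not 1 <= len(cleaned) <= HEX_DIGITS:
        raise ValueError(f"ECID must be 1-{HEX_DIGITS} hex digits: {text!r}")
    if any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError(f"ECID contains non-hex characters: {text!r}")
    return int(cleaned, 16)


def populated_digits(ecid: int) -> int:
    """Hex digits actually used once the leading zeros are dropped."""
    return 0 if ecid == 0 else len(f"{ecid:X}")


def keyspace(digits: int) -> int:
    """Exact number of distinct values for `digits` hex digits (16 ** digits)."""
    return 16 ** digits


def enumeration_days(requests: int, seconds_per_request: float,
                     servers: int = 1, concurrency: int = 1) -> float:
    """Wall-clock days to issue `requests` serial lookups across servers x concurrency slots."""
    per_second = servers * concurrency / seconds_per_request
    return requests / per_second / SECONDS_PER_DAY


def storage_bytes(count: int, bytes_per_blob: int) -> int:
    """Bytes needed to keep one blob for each of `count` identifiers."""
    return count * bytes_per_blob


if __name__ == "__main__":
    sample = "00000E2CBA43BF2"          # constructed ECID, same shape as in the post
    ecid = parse_ecid(sample)
    space = keyspace(11)                 # the post's "last 11 digits" space
    print(f"{sample}: {populated_digits(ecid)} populated digits")
    print(f"full 16-digit space: {keyspace(16):,}; 11-digit space: {space:,}")
    print(f"one client, 3 s/request: {enumeration_days(space, 3):,.0f} days")
    print(f"50 servers x 5 concurrent: {enumeration_days(space, 3, 50, 5):,.0f} days")
    print(f"6.4M known ECIDs at 250 req/s: {enumeration_days(6_400_000, 1, 50, 5) * 24:.2f} h")
    print(f"storage at 6 KB/blob (assumed): {storage_bytes(6_400_000, 6_000) / 1e9:.1f} GB")
```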
10-15-2012, 08:17 PM #2: ECID cracking
I'm no expert on the matter of encryption either, but you'd think that with all the stored SHSH blobs of the millions of devices and ECIDs, you could start to find the common denominators, get a better grasp of the algorithms, and start looking into a program that could generate SHSH blobs just by simply entering one's ECID string. I know it's not nearly as complex, but they used to crack wifi encryption by capturing packets and running a program that would do the very same thing, and eventually it would generate the WEP key of the network and you'd gain access. As I said, I'm no expert, but I have been thinking of ways of doing this. I'm reasonably sure someone else has already thought of this, but it's food for thought anyhow. Maybe someone has come up with a way to do it but simply hasn't gotten the chance to try it? Maybe we should take donations and bribe an Apple employee for the algorithms and our problem would be solved xD j/k.