  1. #1
    My iPhone is a Part of Me thecrunked's Avatar
    Join Date
    Jun 2010
    Posts
    529
    Thanks
    12
    Thanked 49 Times in 43 Posts

    Default SHSH - A Thing of the Past?

    You guys see this thing about TinyUmbrella not needing SHSH files to restore anymore?

    Check it out, what do you think?

    iClarified - Apple News - TinyUmbrella Update Will Bypass SHSH Checks and Restore iDevice Without iTunes

  2. #2
    Super Moderator iYeow's Avatar
    Join Date
    Feb 2008
    Location
    Vancouver, Canada
    Posts
    13,014
    Thanks
    67
    Thanked 2,658 Times in 2,549 Posts

    Interesting, we will wait for his release. Thanks

  3. #3
    apatia z3r01's Avatar
    Join Date
    Jul 2007
    Location
    Brooklyn
    Posts
    5,589
    Thanks
    81
    Thanked 880 Times in 553 Posts

    Interesting...let's see how this plays out...

  4. #4
    Super Duper Moderator blkcadi's Avatar
    Join Date
    Aug 2008
    Location
     Valley of the Sun, Arizona
    Posts
    23,538
    Thanks
    2,822
    Thanked 7,443 Times in 4,768 Posts

    Pretty cool. This should be awesome if it does what it says it does.

  5. #5
    Super Otiose Mod Orby's Avatar
    Join Date
    Aug 2010
    Location
    Elsewhere.
    Posts
    3,740
    Thanks
    37
    Thanked 346 Times in 315 Posts

    So Semaphore possibly used my suggestion (there's no way I could have been the first one to suggest it, or if the suggestion actually works, et cetera) to fool the bootrom.

    Exciting stuff, y'all. Cue school-girl-level giddiness.

    EDIT: I shouldn't be such a tease, considering the underlying exploit is both publicly released and in hardware. How I believe (supposition, not known facts) this might work:

    I believe that the "SHSH" tag in the IMG3 firmware that is bootrom-checked is taken directly from the "PartialDigest" file in the SHSH blob, verified by the certificate attached.

    That field should be the same across all SHSH blobs for any one piece (e.g., iBoot or LLB) for all devices on a particular firmware. For example, examine the blobs for 4.1 for the two 3GS units, ECIDs 0x276DA09B54C and 0x3C7C60A9D2E, available on Cydia (and devices I have control over).

    They both have the same "partialdigest" for iBoot (in base64, QAAAAHihAgBax0aH0zfEwI2fcUAmdq9TrlLTXQ==). Further examination shows all 19 or so "partialdigest" values are shared across both devices.

    Because of the way I believe limera1n works, we should be able to artificially inject code into the IMG3 files.

    Therefore, I believe we can insert the correct ECID (known) and SHSH (since Cydia has a PartialDigest as part of the blob on file for at least one device since iOS 3.0, and since I hypothesize that these values are shared across all devices, they are therefore known for all firmwares) into the appropriate locations in an IMG3 file, and the bootrom will approve these correctly signed and digested values without an accompanying certificate/blob.

    Or that's at least how I think it'd work.

    MODERATORS: If you know this supposition to be factually incorrect, or believe this information needs to be suppressed to preserve exploits, please remove/redact at your discretion.
    Last edited by Orby; 12-11-2010 at 06:59 PM.
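    As an added example (not code from the thread, from TinyUmbrella or from Semaphore), this is the cross-device comparison Orby describes, run over two constructed SHSH-style plists carrying the two 3GS ECIDs and the iBoot PartialDigest quoted above. The plist layout (component name to a dict holding PartialDigest) and the 4/4/20-byte split of the digest are assumptions, not facts stated in the thread.

```python
import base64
import plistlib

# iBoot PartialDigest quoted in the thread; LLB_PD is constructed filler.
IBOOT_PD = "QAAAAHihAgBax0aH0zfEwI2fcUAmdq9TrlLTXQ=="
LLB_PD = base64.b64encode(bytes(28)).decode()

def make_blob(ecid: int, components: dict) -> bytes:
    """Build a minimal SHSH-style plist for one device from constructed data.
    Layout assumption: top-level ECID plus one dict per firmware component
    holding a PartialDigest (real blobs also carry a signed Blob per entry)."""
    entries = {name: {"PartialDigest": base64.b64decode(pd)}
               for name, pd in components.items()}
    return plistlib.dumps({"ECID": ecid, **entries})

def partial_digests(plist_bytes: bytes) -> dict:
    """Map component name -> PartialDigest bytes, skipping non-component keys."""
    data = plistlib.loads(plist_bytes)
    return {k: v["PartialDigest"] for k, v in data.items()
            if isinstance(v, dict) and "PartialDigest" in v}

def compare_blobs(blob_a: bytes, blob_b: bytes) -> tuple:
    """Return (shared, differing) component names across two devices' blobs.
    A digest that is byte-identical for two ECIDs carries no device binding
    on its own, so whatever ties the image to one device must come from the
    other signed material; that is where the check's strength actually lives."""
    a, b = partial_digests(blob_a), partial_digests(blob_b)
    common = a.keys() & b.keys()
    shared = sorted(k for k in common if a[k] == b[k])
    differing = sorted(k for k in common if a[k] != b[k])
    return shared, differing

def decode_partial_digest(b64: str) -> tuple:
    """Split a PartialDigest into (version, hashed_length, sha1_state_hex).
    Field layout is an assumption: 4-byte LE value, 4-byte LE count of
    firmware bytes already hashed, then a 20-byte SHA-1 intermediate state."""
    raw = base64.b64decode(b64)
    if len(raw) != 28:
        raise ValueError(f"unexpected PartialDigest length {len(raw)}")
    version = int.from_bytes(raw[0:4], "little")
    hashed_len = int.from_bytes(raw[4:8], "little")
    return version, hashed_len, raw[8:].hex()

if __name__ == "__main__":
    a = make_blob(0x276DA09B54C, {"iBoot": IBOOT_PD, "LLB": LLB_PD})
    b = make_blob(0x3C7C60A9D2E, {"iBoot": IBOOT_PD, "LLB": LLB_PD})
    print(compare_blobs(a, b))           # (['LLB', 'iBoot'], [])
    print(decode_partial_digest(IBOOT_PD))  # version 64, 172408 bytes hashed
```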

  6. #6
    Superbad Moderator Simon's Avatar
    Join Date
    Nov 2007
    Location
    Bermuda
    Posts
    38,289
    Thanks
    1,933
    Thanked 5,991 Times in 4,294 Posts

    Anybody else get that whooossh over their head? You are a smart guy orb

  7. #7
    Super Otiose Mod Orby's Avatar
    Join Date
    Aug 2010
    Location
    Elsewhere.
    Posts
    3,740
    Thanks
    37
    Thanked 346 Times in 315 Posts

    Quote Originally Posted by x98car
    Anybody else get that whooossh over their head? You are a smart guy orb
    I'm good at guessing implementations of exploits, but suck at finding tools that will JB iOS 4.0.2.

    Probably has something to do with the immediate detection of working versus navel-gazing.

  8. #8
    Superbad Moderator Simon's Avatar
    Join Date
    Nov 2007
    Location
    Bermuda
    Posts
    38,289
    Thanks
    1,933
    Thanked 5,991 Times in 4,294 Posts

    Well, you seem to have a very strong knowledge of the inner workings of the exploits and how they work. My knowledge doesn't go that deep for sure. I am more of an expert in what is needed for what and how to use them.

  9. #9
    Super Duper Moderator blkcadi's Avatar
    Join Date
    Aug 2008
    Location
     Valley of the Sun, Arizona
    Posts
    23,538
    Thanks
    2,822
    Thanked 7,443 Times in 4,768 Posts

    Quote Originally Posted by x98car
    Well, you seem to have a very strong knowledge of the inner workings of the exploits and how they work. My knowledge doesn't go that deep for sure. I am more of an expert in what is needed for what and how to use them.
    A kind of hands-on Mr. FixIt. lolz, you are good too Simon. Got some great members in this forum.

  10. #10
    Superbad Moderator Simon's Avatar
    Join Date
    Nov 2007
    Location
    Bermuda
    Posts
    38,289
    Thanks
    1,933
    Thanked 5,991 Times in 4,294 Posts

    We sure do


  12. #11
    Mes
    Livin the iPhone Life
    Join Date
    May 2008
    Posts
    8,026
    Thanks
    102
    Thanked 787 Times in 730 Posts

    It definitely makes sense that commonality exists. Building a unique hardware / software checker common to all devices that absolutely will not fail in the 100M+ unit field is a daunting task even for Apple. Unfortunately, they will continue to add to and refine this technique in future generations.

    The cat & mouse game continues. We must remain diligent.
