## Thread: iPhone 3GS with ra1ny cert, 3.0 iBSS and iBEC Signed with my ECID

1. Originally Posted by L00i3
So is there any way I could help out to see if what you have come up with will work for a restore? I don't have ANY of those files from the .tmp folder tho. But like I said earlier, I am willing to tinker with my phone a little bit since I know I can always get back to 3.0.

If there is any way I could try and generate an SHSH with what you have come up with, I would be willing to try.
Well, my tool won't run without the TMP folders, so I don't have a way for you to generate an SHSH directly.

Have you been successful with downgrading from 3.1 before? Did you have to drop into DFU mode?

Someone else had volunteered to test it but they were getting error "20", whatever that is. In DFU mode, it pinged the TinyTSS server, but TinyTSS crashes... so I don't know what's going on there.

Actually there is one thing maybe, are you familiar with any diff tools? (I use WinMerge)

Could I send you my generated 3.0 SHSH file? I'd be curious to see what the differences are between my generated 3.0 SHSH file and your 'genuine' 3.0 SHSH file. Hopefully it would only be the 'critical' 128 bytes in each certificate.

2. I have successfully downgraded using TinyTSS.

I see where the 00.shsh files differ (I ran it how you did, TinyTSS serving to umbrella)

<key>Need Service</key> is the last signature generated in the resulting shsh

it is missing everything after that...
<key>RecoveryMode</key>
<key>RestoreDeviceTree</key>
<key>RestoreKernelCache</key>
<key>RestoreLogo</key>
<key>RestoreRamDisk</key>
<key>iBEC</key>
<key>iBSS</key>
<key>iBoot</key>
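
The comparison discussed in posts 1 and 2, as an added example that is not part of the original thread or of SHSH_Tool: it lists the component keys missing from a generated SHSH file and, for shared keys, how many bytes differ and where. It assumes an uncompressed XML plist whose top-level keys are the component names with raw data values; the sample blobs are constructed placeholders.

```python
import plistlib

def byte_diff(a: bytes, b: bytes):
    """Return (first_offset, last_offset, count) of differing bytes, or None."""
    longest, shortest = max(len(a), len(b)), min(len(a), len(b))
    # A length mismatch counts every trailing byte as a difference.
    offsets = [i for i in range(longest) if i >= shortest or a[i] != b[i]]
    return (offsets[0], offsets[-1], len(offsets)) if offsets else None

def compare_shsh(reference: bytes, candidate: bytes) -> dict:
    """Compare two XML-plist SHSH files by top-level component key."""
    ref, cand = plistlib.loads(reference), plistlib.loads(candidate)
    differing = {}
    for key in sorted(ref.keys() & cand.keys()):
        if ref[key] == cand[key]:
            continue
        if isinstance(ref[key], bytes) and isinstance(cand[key], bytes):
            differing[key] = byte_diff(ref[key], cand[key])
        else:
            differing[key] = "non-binary values differ"
    return {
        "missing": sorted(ref.keys() - cand.keys()),  # in reference only
        "extra": sorted(cand.keys() - ref.keys()),    # in candidate only
        "differing": differing,
    }

# Constructed sample input: key names come from the thread, blob bytes are
# made-up placeholders (128 shared bytes followed by 128 "signature" bytes).
_COMMON = bytes(128)
GENUINE = plistlib.dumps({
    "LLB": _COMMON + b"\xaa" * 128,
    "NeedService": _COMMON + b"\x01" * 128,
    "RecoveryMode": _COMMON + b"\x02" * 128,
    "iBEC": _COMMON + b"\x03" * 128,
    "iBSS": _COMMON + b"\x04" * 128,
    "iBoot": _COMMON + b"\x05" * 128,
})
GENERATED = plistlib.dumps({
    "LLB": _COMMON + b"\xbb" * 128,          # differs only in the last 128 bytes
    "NeedService": _COMMON + b"\x01" * 128,  # identical to the reference
})

if __name__ == "__main__":
    report = compare_shsh(GENUINE, GENERATED)
    print("missing keys:", report["missing"])
    for key, span in report["differing"].items():
        print(f"{key}: first/last differing offset and count = {span}")
```
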

3. That is actually good news, because it means my SHSH files behave the same way. That is the same output I had.

There is someone from this thread testing my tool right now and he is on the second restore. I'll let him post up if it works, but I'm encouraged.

4. Question about that .tmp folder. I know you have to be running a restore to capture the files.

My question is do you actually have to run 20 restores in a row to catch all the files, or is there a point when they are all in there at once?

I read the tutorials for capturing iBEC & iBSS and they all said you had to run 2 restores, and capture one file per restore.

5. In reality it can be done with 1 restore, as long as you are in DFU mode.

In my case, I grabbed a tool off a forum somewhere called iBEC_iBSS_Grabber that automates the process.

It captured 9 folders. Most of this is redundant and duplicated. There are like 15 or 20 files total. The iBSS file only appears once, though, I think.

Here is what my code outputs, you can see how it has to search for each file, they are all over the place.

Code:
E:WorkDevsvniPhoneSHSH_ToolbinRelease>SHSH_Tool.exe -tmpfiles E:workdeviphoneiBEC_iBSS_Grabber -output E:workdevsvniphoneSHSH_Tooltest.SHSH
Found Manifest Files:
- Key: BatteryFull [Digest: QAAAAPggAQDlTu4etE9Hyqd53SfUabSUMQKveg==]
- Key: BatteryLow0 [Digest: QAAAAHjVAAB3neUXu+AZDukKBMXTWAe6Fp1xTA==]
- Key: BatteryLow1 [Digest: QAAAAPj2AAAAhdT0Dah967fFlitKxFuG1UXcvw==]
- Key: DeviceTree [Digest: QAAAAHinAAA7P+D5ybJAvPXdRtUobDSLgoIFxg==]
- Key: KernelCache [Digest: QAAAAHidRwAltMOQ6wzPJKxGr/Dt0WimnI4Jkg==]
- Key: LLB [Digest: QAAAAPgAAQDYvJMWj1lAnuV6KOWG2Pw3Gsc2EQ==]
- Key: NeedService [Digest: QAAAALhHAAAs6oR8k6a1FrNLnQ4RGT3ztMyRKw==]
- Key: RecoveryMode [Digest: QAAAALiyAAAVdGhCcgJizRvKkJLjXWbaaTx+Ig==]
- Key: RestoreDeviceTree [Digest: QAAAAHinAAA7P+D5ybJAvPXdRtUobDSLgoIFxg==]
- Key: RestoreKernelCache [Digest: QAAAAHidRwAltMOQ6wzPJKxGr/Dt0WimnI4Jkg==]
- Key: RestoreRamDisk [Digest: QAAAAPjwwgBIAM3nYNCnt2z33+HaQIMJMp9ePw==]
- Key: iBEC [Digest: QAAAAPiQAQC9Ty8vP15P2iU3qkF4b8wfSo18FA==]
- Key: iBSS [Digest: QAAAAPiQAQCcdhu1hCyHWHAez39TmafGGpj00g==]
- Key: iBoot [Digest: QAAAAPiwAgBzNM32ZeCYkQ+JfYMFXusQQo3TOQ==]
- Key: RestoreRamDisk [Digest: QAAAAPjQwgCnlxrq+5w91+90VitZeWIoPtJj0A==]
Processing TMP files...
- Entering directory: E:workdeviphoneiBEC_iBSS_GrabberPer1624.tmp
- Firmware/all_flash/all_flash.n88ap.production/applelogo.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/DeviceTree.n88ap.img3
- kernelcache.release.s5l8920x
- Firmware/all_flash/all_flash.n88ap.production/DeviceTree.n88ap.img3
- kernelcache.release.s5l8920x
- Firmware/all_flash/all_flash.n88ap.production/applelogo.s5l8920x.img3
- 018-5306-002.dmg
- Firmware/dfu/iBEC.n88ap.RELEASE.dfu
- Entering directory: E:workdeviphoneiBEC_iBSS_GrabberPer310B.tmp
- Firmware/all_flash/all_flash.n88ap.production/glyphcharging.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/batterycharging0.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/batterycharging1.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/batteryfull.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/batterylow0.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/batterylow1.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/glyphplugin.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/LLB.n88ap.RELEASE.img3
- Firmware/all_flash/all_flash.n88ap.production/needservice.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/recoverymode.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/iBoot.n88ap.RELEASE.img3
- Entering directory: E:workdeviphoneiBEC_iBSS_GrabberPer88E7.tmp
- Entering directory: E:workdeviphoneiBEC_iBSS_GrabberPer99D6.tmp
- Entering directory: E:workdeviphoneiBEC_iBSS_GrabberPerC7AC.tmp
- Firmware/dfu/iBSS.n88ap.RELEASE.dfu
- Entering directory: E:workdeviphoneiBEC_iBSS_GrabberPerC8F2.tmp
- Entering directory: E:workdeviphoneiBEC_iBSS_GrabberPerD780.tmp
- Entering directory: E:workdeviphoneiBEC_iBSS_GrabberPerE6E9.tmp
- Entering directory: E:workdeviphoneiBEC_iBSS_GrabberPerFA22.tmp
Verifying BLOB Data...
Creating custom SHSH file...
Success!  SHSH File stored at E:workdevsvniphoneSHSH_Tooltest.SHSH
Complete.

6. success

3.1 official -> 3.0 jailbroken using a 3.0 shsh blob which was generated by something other than Apple's official servers, using my ibec and ibss files

7. Originally Posted by MegaGoo
success

3.1 official -> 3.0 jailbroken using a 3.0 shsh blob which was generated by something other than Apple's official servers, using my ibec and ibss files
And Apple has officially been outsmarted by 2 guys on a forum. Maybe they will wise up to the fact and let us just do what we want with our property.

You might just have to let me get ahold of your tool (and that grabber program you mentioned) so I can try it out too

8. Originally Posted by L00i3
And Apple has officially been outsmarted by 2 guys on a forum. Maybe they will wise up to the fact and let us just do what we want with our property.

You might just have to let me get ahold of your tool (and that grabber program you mentioned) so I can try it out too
iBEC/iBSS Grabber:

difrnt Blog Archive ECID Grabber & iBEC and iBSS Grabber

I posted a new thread for my tool, incl source and binaries.

9. Werd yo.....

I am gonna downgrade to 3.0 so i can capture my files, upgrade to 3.1, generate a blob with your proggy, then downgrade to 3.0 again (hopefully) with that blob, then jailbreak and go back to 3.1...

Set....
Go!!

10. Awesome

Damn the man!

11. Originally Posted by L00i3
Werd yo.....

I am gonna downgrade to 3.0 so i can capture my files, upgrade to 3.1, generate a blob with your proggy, then downgrade to 3.0 again (hopefully) with that blob, then jailbreak and go back to 3.1...

Set....
Go!!

you're gonna downgrade to 3.0 to capture the ibss/ibec files?

just want to clarify

im on jb 3.0 now, should i upgrade to jb 3.1 and capture my ibss/ibec? i already have my 3.1 blob saved on my local machine AND with cydia. i almost want to grab my 3.1 ibss/ibec (those 2 files ARE firmware specific right??) just in case...... suggestions?

12. Originally Posted by MegaGoo
you're gonna downgrade to 3.0 to capture the ibss/ibec files?

just want to clarify

im on jb 3.0 now, should i upgrade to jb 3.1 and capture my ibss/ibec? i already have my 3.1 blob saved on my local machine AND with cydia. i almost want to grab my 3.1 ibss/ibec (those 2 files ARE firmware specific right??) just in case...... suggestions?
If you've got the blob saved already, I don't think you really need to get the ibss/ibec files. You only would need those if you didn't have the blob. (You can actually construct those files from the blob, i.e. do the reverse of what my tool does, but there's no need really)

13. Originally Posted by MegaGoo
you're gonna downgrade to 3.0 to capture the ibss/ibec files?

just want to clarify
Exactly. I never did that before. I just want to test this method of generating an SHSH blob.

Update 1: First restore done, 1015 error
Update 2: Second restore done, activation complete
Update 3: Upgrade to stock 3.1 done, activation complete (figure I'll test MMS on stock 3.1 real quick)
Update 4: Apparently that ibec/ibss grabber didn't work right. All I get is usage instructions when I try to use SHSH_Tool. Oh well, going back to 3.0 now with the blob I already had.

14. BTW, my tool will only work on 3.0 stuff right now. It should also work on 3.1, but I'd need to update the 'template' file to point to the right RestoreRamdisk file.

15. Originally Posted by L00i3
Exactly. I never did that before. I just want to test this method of generating an SHSH blob.

Update 1: First restore done, 1015 error :)
Update 2: Second restore done, activation complete
Update 3: Upgrade to stock 3.1 done, activation complete (figure I'll test MMS on stock 3.1 real quick)
Update 4: Apparently that ibec/ibss grabber didn't work right. All I get is usage instructions when I try to use SHSH_Tool :( Oh well, going back to 3.0 now with the blob I already had.
i kept getting usage instructions too but i realized my syntax was wrong. my command was:

i think i had forgotten to put 30.shsh there at the end. my .tmp directories(ibec/ibss) were located at c:\users\eddie\downloads\shsh_tool\

i would think that if your files didn't get saved right, shsh_tool would output a bunch of errors instead of just giving you a usage problem. my output was:

Code:
Reading IPSW Manifest File...
Found Manifest Files:
- Key: BatteryFull [Digest: QAAAAPggAQDlTu4etE9Hyqd53SfUabSUMQKveg==]
- Key: BatteryLow0 [Digest: QAAAAHjVAAB3neUXu+AZDukKBMXTWAe6Fp1xTA==]
- Key: BatteryLow1 [Digest: QAAAAPj2AAAAhdT0Dah967fFlitKxFuG1UXcvw==]
- Key: DeviceTree [Digest: QAAAAHinAAA7P+D5ybJAvPXdRtUobDSLgoIFxg==]
- Key: KernelCache [Digest: QAAAAHidRwAltMOQ6wzPJKxGr/Dt0WimnI4Jkg==]
- Key: LLB [Digest: QAAAAPgAAQDYvJMWj1lAnuV6KOWG2Pw3Gsc2EQ==]
- Key: NeedService [Digest: QAAAALhHAAAs6oR8k6a1FrNLnQ4RGT3ztMyRKw==]
- Key: RecoveryMode [Digest: QAAAALiyAAAVdGhCcgJizRvKkJLjXWbaaTx+Ig==]
- Key: RestoreDeviceTree [Digest: QAAAAHinAAA7P+D5ybJAvPXdRtUobDSLgoIFxg==]
- Key: RestoreKernelCache [Digest: QAAAAHidRwAltMOQ6wzPJKxGr/Dt0WimnI4Jkg==]
- Key: RestoreRamDisk [Digest: QAAAAPjwwgBIAM3nYNCnt2z33+HaQIMJMp9ePw==]
- Key: iBEC [Digest: QAAAAPiQAQC9Ty8vP15P2iU3qkF4b8wfSo18FA==]
- Key: iBSS [Digest: QAAAAPiQAQCcdhu1hCyHWHAez39TmafGGpj00g==]
- Key: iBoot [Digest: QAAAAPiwAgBzNM32ZeCYkQ+JfYMFXusQQo3TOQ==]
- Key: RestoreRamDisk [Digest: QAAAAPjQwgCnlxrq+5w91+90VitZeWIoPtJj0A==]
Processing TMP files...
- Firmware/all_flash/all_flash.n88ap.production/applelogo.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/glyphcharging.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/batterycharging0.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/batterycharging1.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/batteryfull.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/batterylow0.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/batterylow1.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/glyphplugin.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/DeviceTree.n88ap.img3
- kernelcache.release.s5l8920x
- Firmware/all_flash/all_flash.n88ap.production/LLB.n88ap.RELEASE.img3
- Firmware/all_flash/all_flash.n88ap.production/needservice.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/recoverymode.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/DeviceTree.n88ap.img3
- kernelcache.release.s5l8920x
- Firmware/all_flash/all_flash.n88ap.production/applelogo.s5l8920x.img3
- Firmware/all_flash/all_flash.n88ap.production/iBoot.n88ap.RELEASE.img3
- 018-5306-002.dmg
- Firmware/dfu/iBEC.n88ap.RELEASE.dfu
- Firmware/dfu/iBSS.n88ap.RELEASE.dfu
Verifying BLOB Data...
Creating custom SHSH file...
Complete.
(my backslashes in my file paths were removed within the code box for some reason)

16. Originally Posted by L00i3
Exactly. I never did that before. I just want to test this method of generating an SHSH blob.

Update 1: First restore done, 1015 error :)
Update 2: Second restore done, activation complete
Update 3: Upgrade to stock 3.1 done, activation complete (figure I'll test MMS on stock 3.1 real quick)
Update 4: Apparently that ibec/ibss grabber didn't work right. All I get is usage instructions when I try to use SHSH_Tool :( Oh well, going back to 3.0 now with the blob I already had.
If it is showing you usage instructions, you just have a typo.

If the grabber tool failed, you will get a specific message.

you want to do:

SHSH_Tool -tmpfiles X:\path\to\tmp\folders -output X:\path\to\00.SHSH

The tmp folder you give it should be like

x:\grabbed_files

and it should contain all your Per####.tmp folders.

17. now my biggest problem is just spending the time re-setting up my phone with all my settings, music, and apps. i want to do it from scratch because my battery life in 3.1 was seriously awful. i figure a clean fresh install with no restore from backup will help.

woo!

18. No typos. I copied and pasted the path to the folder that had the Per### folders (there were only 2). When I extracted the files required from the ipsw, I got errors saying something like signature not found (or something)

The grabber tool only got like 4 of the files or something like that. Unless I was supposed to hit the start monitoring button more than just the one time before I restored down to 3.0 I think it just malfunctioned. And I am going to bed soon, and I want my phone operational before then. I will try again maybe tomorrow night.

19. Originally Posted by L00i3

Update 4: Apparently that ibec/ibss grabber didn't work right. All I get is usage instructions when I try to use SHSH_Tool. Oh well, going back to 3.0 now with the blob I already had.
confused... in the other thread, TheHeadFL said that you can't grab 3.0 ibec/ibss files anymore for 3.0. you could only do it during the time period that apple was signing 3.0.

so if you're downgrading to 3.0 for the sole purpose of catching the ibss/ibec, won't that not work?

20. Maybe that was my problem. Thought since I had my shsh file, that would sign the temp files. It signs the restore, why wouldn't the temp files be signed?
