Thread: Downgrade iOS 4.0.2 to 4.0.1 / 4.0 Without SHSH Blobs

  1. #61
    Livin the iPhone Life
    Join Date
    Oct 2009
    Location
    Europe
    Posts
    2,830
    Thanks
    76
    Thanked 382 Times in 368 Posts

    Quote Originally Posted by reeko View Post
    Where have you got 4.0 from? Cydia still says 'pending request' last time I checked.

    If it said 4.0 was available then I would know the SHSH has been backed up before.

    I got the phone at 3.X and it went straight to 4.0.2, it's never been at 4.0.

    And hello dhamien, nice to see you're trying to disprove this over 2 separate forums now. I'm just trying to help people and let them know it does work!
    Ah, I thought you said on the other site that you were able to get 4.0 with TU, my bad. By the way, you can have the 4.0 SHSH without ever having been there.

    Just so you know, I'm not following you around, I just recognized your name. Notice my post count: I didn't just run to this site to go after you.

    Anywho ... not sure how to say this without saying "I told you so", but yeah, you've read the update on BigBoss' site now. I'm actually glad about the update myself. I've been reading so much about people downgrading with new devices that I didn't know what was going on. From what I gather, from BigBoss' 2nd update, Saurik has started storing SHSHs, somewhere around firmware 4.0, even for devices that haven't asked for it. At least that's how I understand it.

    Quote Originally Posted by Captinsmooth View Post
    That's my plan, to check it first. It should not have any backups of blobs because it was bought brand new from at&t; it's an 8gb 3gs mc model. He knows nothing about jailbreaking it so I know he didn't save them.

    I have a few theories on this whole thing. Even though I am very doubtful that it is truly working and not just oversights of people that did not realize they had blobs saved.

    #1
    4.0, 4.0.1 and 4.0.2 all use the same shsh blobs because they were all just hasty patches that were needed for quick damage control. So that allows this downgrading. Not likely but it's a thought.

    #2
    Apple is issuing these 3gs 8gb phones now for 99$ so maybe they are refurbs they are selling as new. So maybe the previous owners had saved the blobs from them. Wouldn't surprise me if apple pulled some crap like that...

    #3
    People just do not realize that once they save their shsh blobs for one firmware that it always saves them from that point on.
    From semaphore's twitter, it'd seem that your point #2 is correct.

    Here is someone's twitter post: Twitter / Johnny Wang: @notcom Purchased a new 8G ...
    And here is semaphore's reply: Twitter / semaphore: @Pluto1231 it was a refurb

    So, apparently, Apple is using refurbs to make the new 8GB 3GS.
    Last edited by dhamien; 2010-09-01 at 01:04 AM. Reason: Automerged Doublepost
    We're all just toymakers in the game of life.

  2. #62
    Livin the iPhone Life reeko's Avatar
    Join Date
    Dec 2007
    Location
    England
    Posts
    1,562
    Thanks
    48
    Thanked 164 Times in 135 Posts

    I hate to say it but there is more to it than this.

    Last week I tried everything I could to get this phone back to 4.0.1 as I needed it unlocked. Nothing would work, nothing at all.

    Putting the imei into Apple's website I can see it was bought in November last year. My money would be on the phone running the same firmware as it was in November when I got it. It wasn't running properly so I was forced to restore it to 4.0.2.

    This post drops and I follow the instructions - the answer is my blobs are already backed up on saurik's server - which was not the case a week ago.

    If my shsh have made their way onto saurik's server in the last week without me doing anything then what has happened?

    How has saurik got my blobs since last week?

  3. #63
    Superbad Modder-ator Simon's Avatar
    Join Date
    Nov 2007
    Location
    Bermuda
    Posts
    48,875
    Thanks
    8,108
    Thanked 17,645 Times in 8,025 Posts

    In reference to the post/update from Big Boss about the "make my life easier" not coming up on an iPhone that has stored SHSH, I have just updated a 3GS that was on 3.1.3 to 4.0.1. I checked Tiny Umbrella first, SHSH were there so I was able to restore to 4.0.1 no problem. After jailbreaking I opened Cydia and lo and behold the make my life easier message came up, so Big Boss' statement is not correct (at least not fully correct as I am unaware if SHSH were on file because of pressing it before or the person using one of the other two methods for obtaining SHSH). It should be noted this phone was not jailbroken when it came to me; however, I have no history on it so don't know if it was in the past.

  4. #64
    i just saw that on spiritjb.org lol. well i saw it a little late..

  5. #65
    Superbad Modder-ator Simon's Avatar
    Join Date
    Nov 2007
    Location
    Bermuda
    Posts
    48,875
    Thanks
    8,108
    Thanked 17,645 Times in 8,025 Posts

    Hmm... I wonder if Saurik has found a way to sign SHSH for 3GS that don't previously have SHSH but is keeping it under wraps so Apple doesn't know that they have to fix it? Sounds too good to be true...

  6. #66
    I am curious if there is a way to show the time or date of the shsh files; then it would be able to show what users have or haven't had them on file

  7. #67
    Livin the iPhone Life jkmonkey's Avatar
    Join Date
    Mar 2010
    Location
    Upstate NY
    Posts
    1,433
    Thanks
    67
    Thanked 254 Times in 245 Posts

    I just ran ten sequential ECID's through TU. Cydia returned shsh's for each one.
    Attached Thumbnails: -shsh.png, -shsh2.png
    Last edited by jkmonkey; 2010-09-01 at 05:28 AM.

  8. #68
    Retired Moderator Orby's Avatar
    Join Date
    Aug 2010
    Location
    Omicron Persei Eight
    Posts
    5,851
    Thanks
    42
    Thanked 699 Times in 594 Posts

    Quote Originally Posted by jkmonkey View Post
    I just ran ten sequential ECID's through TU. Cydia returned shsh's for each one.
    There's a 1/10,000,000,000 (ten billion) chance that all ten owners of those devices consciously backed up their blobs (assuming 10% chance of any one iPhone having them). No way that's coincidental.

    Quote Originally Posted by BCollins521 View Post
    I am curious if there is a way to show the time or date of the shsh files; then it would be able to show what users have or haven't had them on file
    All 3GS, iPT3G, i4 4.0.x and iPad 3.2.2 SHSH blobs (that I've seen) have an entry at the end of the SHSH blob (right below the iBoot digest) marked "@Timestamp." I have no clue what that number correlates to, but it's there, and probably meaningful to the correct eyes.

    Quote Originally Posted by x98car View Post
    Hmm... I wonder if Saurik has found a way to sign SHSH for 3GS that don't previously have SHSH but is keeping it under wraps so Apple doesn't know that they have to fix it? Sounds too good to be true...
    Assuming somebody has a way to sign perfect forgeries (meaning they can create identical-to-Apple blobs for any random device on demand), they probably have (or can very quickly isolate) Apple's private RSA signing key.

    This would be on par (if not superior to) a bootrom exploit, because that key's pair (the paired public verifying key and corresponding certificate) I believe is (but am not 100% sure) hard-coded into bootrom on every 8920/8930 processor. It likely CANNOT be changed. Apple must keep signing all SHSH blobs for current 3GS/4/iPT3G/iPad/possibly the iPT4G with the compromised key.

    If Apple also uses this key as its root code-signing key (not likely but not unlikely either) we can now sign compromised LLB/iBSS/iBEC/iBoot/baseband bootloader/baseband firmware on demand as valid (and can make SHSH blobs to match).

    I still think it's more likely that either somebody scripted Cydia to save all/a lot of ECID blobs with 4.0, or Cydia can still retrieve legitimate blobs from Apple through a back door. One can hope however.

    EDIT:

    The five iPT3G I tried obtaining 4.0 blobs for:

    0x2B894911AE
    0x3FCD112856
    0x5AEE3122DD1
    0xA122270965
    0x1EB4421290A

    all had them. However, the five iPads I tried obtaining 3.2.1 blobs for:

    0x4EA11213A8C
    0x66CBFA9043
    0x21EE4F0AADF
    0x5883A219DC
    0x900BE3122A

    none had blobs on file (those five ECIDs now have 3.2.2 blobs backed up for them, however). I couldn't test the iPhone 4, as the baseband's serial number (bbSNUM) is a required value in every SHSH, and Apple doesn't sign the blob with that information. However, because of this limitation (Apple not inserting the value into the blobs and the serial numbers having no correlation to the ECID), I believe it's not feasible for any serious amount of blobs to be magically there for iPhones 4.

    Huh, the devices with 8920 processors (3GS, iPT3G) all seem to be there, but the 8930 (all products with the chip codenamed "A4", i4, iPad, and probably more soon to be announced) seem to be not magically there.

    I'm now seriously leaning toward a compromised 8920 private signing key (and the 8930 using a different, un-compromised key). If it were a script, I think the person who wrote it would be smart enough to include iPad 3.2.1 in the batch of backed up blobs--it can be remotely signed like the 3GS and iPT3G. Their apparent absence is why I don't think a script to mass-back up 4.0/3.2.1 blobs was used.

    However, the SHSH signing key is a 4096-bit RSA key--that's no joke to crack. The computational effort would have to have been massive (and I mean massive, we're talking millennia of constant processing). I just find the cracked-key route most MOST unlikely (unless Geohot's been working on a 25-exaFLOpS quantum processor in his spare time).
    Last edited by Orby; 2010-09-01 at 06:56 AM. Reason: Added results.
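
Added example, not part of any post in this thread and not Apple's or Cydia's actual blob format: a simplified Python model of the reasoning in Orby's post above, showing that a signature bound to an ECID and the component digests verifies again when replayed for that same device and firmware but fails for any other ECID or firmware, so blobs for arbitrary ECIDs would have to come from whoever holds the private key. The toy RSA key, field layout, component names and ECID values are all assumptions made up for the illustration.

```python
import hashlib

# Toy textbook RSA (no padding) built from two known Mersenne primes.
# Constructed for this example: far too small for real use, not a real key.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537                    # public half: what the device trusts
D = pow(E, -1, (P - 1) * (Q - 1))      # private half: held by the signer only

COMPONENTS = ("kernelcache", "restore-kernelcache", "restore-ramdisk")


def firmware(version):
    """Constructed stand-ins for the per-component digests of one firmware."""
    return {c: hashlib.sha256(f"{c}-{version}".encode()).digest()
            for c in COMPONENTS}


def ticket_digest(ecid, components):
    """Hash the device ID together with every component digest."""
    h = hashlib.sha256(ecid.to_bytes(8, "big"))
    for name in sorted(components):
        h.update(name.encode() + b"\x00" + components[name])
    return int.from_bytes(h.digest(), "big") % N


def server_sign(ecid, components):
    """Signing side: needs the private exponent D."""
    return pow(ticket_digest(ecid, components), D, N)


def device_accepts(ecid, components, signature):
    """Device side: needs only the public values N and E."""
    return pow(signature, E, N) == ticket_digest(ecid, components)


def demo():
    ecid_a, ecid_b = 0x1111, 0x2222            # constructed ECIDs
    old_fw, new_fw = firmware("old"), firmware("new")
    # Blob saved while the signer was still willing to sign old_fw.
    cached = server_sign(ecid_a, old_fw)
    return {
        # No freshness value in this model, so a saved blob stays valid.
        "replay_same_device": device_accepts(ecid_a, old_fw, cached),
        # The ECID is inside the signed digest: useless on another device.
        "other_device": device_accepts(ecid_b, old_fw, cached),
        # The component digests are signed too: useless for other firmware.
        "other_firmware": device_accepts(ecid_a, new_fw, cached),
    }


if __name__ == "__main__":
    print(demo())
```
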

  9. #69
    Livin the iPhone Life reeko's Avatar
    Join Date
    Dec 2007
    Location
    England
    Posts
    1,562
    Thanks
    48
    Thanked 164 Times in 135 Posts

    So the chance of someone adding the shsh to saurik's server is pretty slim then.

    The fact stands that 1 week ago - saurik's server was not signing off my downgrade.

    Now, regardless of whether this method works or not - it appears to have signed it off perfectly fine.

    Whatever has happened, has happened in the last week.

  10. #70
    Retired Moderator Orby's Avatar
    Join Date
    Aug 2010
    Location
    Omicron Persei Eight
    Posts
    5,851
    Thanks
    42
    Thanked 699 Times in 594 Posts

    Quote Originally Posted by reeko View Post
    So the chance of someone adding the shsh to saurik's server is pretty slim then.

    The fact stands that 1 week ago - saurik's server was not signing off my downgrade.

    Now, regardless of whether this method works or not - it appears to have signed it off perfectly fine.

    Whatever has happened, has happened in the last week.
    If that's the case, it's either an Apple back-door or somebody figured out how to forge the blobs, or at least the three that have changed (the only parts that have changed from 4.0 to 4.0.1 to 4.0.2 are the kernel cache, the restore kernel cache, and the restore ramdisk).

    Somebody did something. Something epic. I really want to know what exactly happened as to why it's now raining SHSH blobs for everybody with an S5L8920-based device.

  11. #71
    Ya it seems odd that this is happening to people but I for one am extremely grateful to whoever did this or how it's done cause I would have had a 3GS that wasn't unlockable so it would have been a very pretty iPod touch lol

    Quote Originally Posted by orbyorb View Post

    All 3GS, iPT3G, i4 4.0.x and iPad 3.2.2 SHSH blobs (that I've seen) have an entry at the end of the SHSH blob (right below the iBoot digest) marked "@Timestamp." I have no clue what that number correlates to, but it's there, and probably meaningful to the correct eyes.
    Now we have to find someone that knows the timestamp and then we can figure out if some of the devices actually had the blobs backed up at a point or not
    Last edited by BCollins521; 2010-09-01 at 03:35 PM. Reason: Automerged Doublepost

  12. #72
    My iPhone is a Part of Me Trooper Sam's Avatar
    Join Date
    Jul 2010
    Location
    Somewhere in California
    Posts
    503
    Thanks
    51
    Thanked 78 Times in 62 Posts

    This is getting really weird...like Scooby Doo weird. ZOINKS!

    This does feel like we might be on the edge of something big. I just hope we don't harm it by exposing it.

  13. #73
    Livin the iPhone Life
    Join Date
    Oct 2009
    Location
    Europe
    Posts
    2,830
    Thanks
    76
    Thanked 382 Times in 368 Posts

    Quote Originally Posted by orbyorb View Post
    If that's the case, it's either an Apple back-door or somebody figured out how to forge the blobs, or at least the three that have changed (the only parts that have changed from 4.0 to 4.0.1 to 4.0.2 are the kernel cache, the restore kernel cache, and the restore ramdisk).

    Somebody did something. Something epic. I really want to know what exactly happened as to why it's now raining SHSH blobs for everybody with an S5L8920-based device.
    I think you're on to something. Earlier today I tested random ECIDs for 3GS and they all had the 4.0.1 SHSH on Cydia. I also took the lowest possible ECID and the highest, both were there. Even if Saurik had made a script to ask for SHSHs, he couldn't have gotten all of them. There were something like 9 billion billion unique ECIDs. The chance of him having gotten them from Apple individually is roughly non-existent.

    So, as I see it, Saurik can either generate keys at will, for any version, or he can make 4.0.2 keys work as 4.x

    Just to add, I opened a brand new iPhone 4 today and it couldn't downgrade through Cydia's server. So whatever Saurik can do, it's only for the 3GS and ipt3g.
    We're all just toymakers in the game of life.

  14. #74
    Superbad Modder-ator Simon's Avatar
    Join Date
    Nov 2007
    Location
    Bermuda
    Posts
    48,875
    Thanks
    8,108
    Thanked 17,645 Times in 8,025 Posts

    Sounds like we are finally getting somewhere, so this method and the method in Dough Boy's threads are not what is allowing these phones to be downgraded, it seems it is the simple fact that both methods said to point hosts to cydia which is why it worked. Whatever is going on behind the scenes that is allowing all these 3GS's to have SHSH is definitely welcome, even if it can't be explained.

  15. #75
    My iPhone is a Part of Me Trooper Sam's Avatar
    Join Date
    Jul 2010
    Location
    Somewhere in California
    Posts
    503
    Thanks
    51
    Thanked 78 Times in 62 Posts

    We might owe a few apologies.

  16. #76
    Superbad Modder-ator Simon's Avatar
    Join Date
    Nov 2007
    Location
    Bermuda
    Posts
    48,875
    Thanks
    8,108
    Thanked 17,645 Times in 8,025 Posts

    I definitely apologize for the "it's multiple people playing a game" thing. But we were still right in that SHSH were needed for the downgrade so their inherent claim was wrong; however, the fact that they were able to downgrade was right, at least on iPhone 3GS. I don't know about you but this is one of those times where I am glad I was wrong

    Although somebody did "hack" my account and created a duplicate account with the same member name as me and left me a cocky little visitor message on my real page. Very appreciative to the mods that dealt with that but it goes to show somebody is still playing games around these parts.
    Last edited by Simon; 2010-09-01 at 08:38 PM.

  17. #77
    My iPhone is a Part of Me Trooper Sam's Avatar
    Join Date
    Jul 2010
    Location
    Somewhere in California
    Posts
    503
    Thanks
    51
    Thanked 78 Times in 62 Posts

    Oh, yeah, me too! Being wrong on this one might very well end up being great news for owners of 3GS's.

    I still think Saurik should timestamp SHSHs so we'd know when they'd been saved.

  18. #78
    Superbad Modder-ator Simon's Avatar
    Join Date
    Nov 2007
    Location
    Bermuda
    Posts
    48,875
    Thanks
    8,108
    Thanked 17,645 Times in 8,025 Posts

    I asked semaphore/notcom on twitter if there was a way to decrypt the timestamp at the end of an SHSH but have not received a response back. That would be a very informative thing to be able to see.

  19. #79
    My iPhone is a Part of Me Trooper Sam's Avatar
    Join Date
    Jul 2010
    Location
    Somewhere in California
    Posts
    503
    Thanks
    51
    Thanked 78 Times in 62 Posts

    I just meant for Saurik to put in a date and time that it was saved to Cydia, that shouldn't require any actual looking in the SHSH itself.

  20. #80
    Superbad Modder-ator Simon's Avatar
    Join Date
    Nov 2007
    Location
    Bermuda
    Posts
    48,875
    Thanks
    8,108
    Thanked 17,645 Times in 8,025 Posts

    Quote Originally Posted by Trooper Sam View Post
    I just meant for Saurik to put in a date and time that it was saved to Cydia, that shouldn't require any actual looking in the SHSH itself.
    Ya that would be better
