Downgrading iOS 5 Impossible As Apple Is Close To Patching Restores With Saved SHSH Blobs

This rather sad piece of news just caught our eye. It turns out that Apple is very close to patching the ability to restore with saved SHSH blobs. The confirmation comes from iPhone Dev Team member MuscleNerd, who has been running tests on the latest iOS 5 beta and has already reported what hidden changes Apple made in iOS 5 beta 2.

In a string of tweets posted just minutes earlier, MuscleNerd revealed the following details about Apple nearly ending the ability to restore to older iOS firmwares using saved SHSH blobs.

Uh oh...the days of restoring with saved SHSH blobs are nearing an end. Apple is getting much smarter with the APTicket

Everything is now in place for Apple to do on the AP side what it does on the BB side (nonces with signing windows)

They can't undo the access limera1n provides (tethered JB booting) but they're about to eliminate SHSH blob replay attacks

They'll be enforcing this starting in the LLB. Pre-5.0 restores w/saved blobs will remain OK (with older iTunes though)

For those who do not know what SHSH is: an SHSH blob is a 1024-bit RSA signature used to verify the validity of firmware. In practice this means that once Apple has released iOS 4.3.3, you can only restore your device to iOS 4.3.3 through iTunes, and not to iOS 4.3.2, even if you previously downloaded and saved its IPSW. Because Apple stops signing previous firmwares when a new version is released, you cannot restore your device to an older version once a newer one is available.

Here's how the firmware validation procedure works:

SHSH blobs are used in a challenge-response authentication of the firmware, where the challenge is formed from a hash of the firmware combined with the Exclusive Chip ID (ECID) of the device. The response from Apple is the SHSH itself, the digital signature required to validate the firmware.

So how was it possible to downgrade iOS firmware to older versions using saved SHSH blobs?

Because the challenge is static, a cached copy of the signature can be used in a replay attack to trick the signing software (iTunes) into validating an old firmware. This technique is what makes it possible to restore to previous versions of iOS on the iPhone 3GS, iPhone 4, iPod Touch 2G, iPod Touch 3G, iPod Touch 4G, iPad and iPad 2. Downgrading iOS in this manner is useful for jailbreaking, since older software may have known exploits.
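To make the mechanism described in the two paragraphs above concrete, here is an added Python simulation; it is not code from the original post, nor from any Apple, iPhone Dev Team or iFaith tool. It models a signing server with a signing window, the static hash-plus-ECID challenge, and the nonce-bearing challenge MuscleNerd refers to, and shows why a saved blob verifies against the first scheme but not the second. All values (firmware bytes, ECID, signing key) are constructed, and HMAC-SHA256 stands in for Apple's RSA signature so the script runs with only the standard library; that substitution is an assumption for the demo, not how the real APTicket is signed.

```python
import hashlib
import hmac
import secrets

# --- Constructed sample data (not real Apple values) ---------------------
FIRMWARE_433 = b"constructed stand-in for an iOS 4.3.3 IPSW"
FIRMWARE_500 = b"constructed stand-in for an iOS 5.0 IPSW"
DEVICE_ECID = 0x000012345678ABCD          # constructed ECID
APPLE_KEY = secrets.token_bytes(32)       # stands in for Apple's RSA private key


def firmware_hash(firmware: bytes) -> bytes:
    """Hash of the firmware image that goes into the challenge."""
    return hashlib.sha256(firmware).digest()


def static_challenge(firmware: bytes, ecid: int) -> bytes:
    """Pre-iOS 5 style challenge: hash(firmware) || ECID.

    Nothing in it changes between restores, so one blob verifies forever.
    """
    return firmware_hash(firmware) + ecid.to_bytes(8, "big")


def nonce_challenge(firmware: bytes, ecid: int, nonce: bytes) -> bytes:
    """APTicket-style challenge: the device mixes in a fresh random nonce."""
    return static_challenge(firmware, ecid) + nonce


class SigningServer:
    """Stand-in for Apple's signing server.

    HMAC-SHA256 replaces the RSA signature (assumption, so the demo needs only
    the standard library). The protocol logic is unchanged: only the key
    holder can mint a response, and it only signs firmware that is currently
    inside its signing window.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._signing = set()

    def start_signing(self, firmware: bytes) -> None:
        self._signing.add(firmware_hash(firmware))

    def stop_signing(self, firmware: bytes) -> None:
        self._signing.discard(firmware_hash(firmware))

    def sign(self, firmware: bytes, challenge: bytes):
        """Return an SHSH-like blob, or None once the firmware is no longer signed."""
        if firmware_hash(firmware) not in self._signing:
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def device_verifies(key: bytes, challenge: bytes, blob) -> bool:
    """LLB-side check: does the blob match the challenge the device just built?

    A real device holds only Apple's public key; with HMAC the verifier needs
    the same secret, which is a simplification of the demo.
    """
    if blob is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob)


def replay_against_static_challenge() -> bool:
    """Save a 4.3.3 blob while it is signed, then reuse it after Apple moves on."""
    apple = SigningServer(APPLE_KEY)
    apple.start_signing(FIRMWARE_433)
    challenge = static_challenge(FIRMWARE_433, DEVICE_ECID)
    saved_blob = apple.sign(FIRMWARE_433, challenge)      # the "saved SHSH"

    apple.stop_signing(FIRMWARE_433)                      # iOS 5.0 ships
    apple.start_signing(FIRMWARE_500)

    assert apple.sign(FIRMWARE_433, challenge) is None    # live request refused
    # The device recomputes the identical challenge, so the cached blob still
    # verifies: the static scheme offers no freshness to check.
    return device_verifies(APPLE_KEY, static_challenge(FIRMWARE_433, DEVICE_ECID), saved_blob)


def replay_against_nonce_challenge() -> bool:
    """Same save-and-reuse, but every restore carries a fresh device nonce."""
    apple = SigningServer(APPLE_KEY)
    apple.start_signing(FIRMWARE_433)
    first = nonce_challenge(FIRMWARE_433, DEVICE_ECID, secrets.token_bytes(20))
    saved_blob = apple.sign(FIRMWARE_433, first)

    apple.stop_signing(FIRMWARE_433)
    apple.start_signing(FIRMWARE_500)

    # Later restore: a new nonce gives a challenge the saved blob was never bound to.
    later = nonce_challenge(FIRMWARE_433, DEVICE_ECID, secrets.token_bytes(20))
    assert apple.sign(FIRMWARE_433, later) is None        # no live signature either
    return device_verifies(APPLE_KEY, later, saved_blob)  # False: replay rejected


def legitimate_nonce_restore() -> bool:
    """Sanity check: the nonce scheme still works while the firmware is signed."""
    apple = SigningServer(APPLE_KEY)
    apple.start_signing(FIRMWARE_500)
    challenge = nonce_challenge(FIRMWARE_500, DEVICE_ECID, secrets.token_bytes(20))
    return device_verifies(APPLE_KEY, challenge, apple.sign(FIRMWARE_500, challenge))


if __name__ == "__main__":
    print("static challenge, saved blob accepted:", replay_against_static_challenge())
    print("nonce challenge, saved blob accepted: ", replay_against_nonce_challenge())
    print("nonce challenge, live signing works:  ", legitimate_nonce_restore())
```

The only difference between the two schemes is the nonce the device contributes to the challenge; because the server's response is bound to that nonce, a blob saved during one restore is useless in the next, which is exactly the "nonces with signing windows" behaviour the tweets describe moving from the baseband side to the application processor.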

What will change when Apple ends the ability to restore via saved SHSH blobs? Apple has yet to actually enable this, and it is expected to be done in the GM release of iOS 5. When that happens, those who have upgraded to the iOS 5 GM build will no longer be able to downgrade back to iOS 4.x. However, if you are on an older firmware such as iOS 4.3.3 or 4.3.2, you will still be able to downgrade using saved SHSH blobs and an older version of iTunes.

What does this mean for iFaith, the new tool which dumps the SHSH blobs of your iOS device, creates a signed IPSW and also backs the blobs up on its remote server? Developer iH8sn0w tweeted the following just minutes earlier:

I wonder if iFaith's method of grabbing/restoring blobs is broken in iOS5b2 as well...

@GreggJTurner @MuscleNerd iFaith packs the dumped shsh. Will do testing later tonight. : )

@iWtopia The shsh replay via TinyUmbrella/Saurik's server but iFaith may live on. Result pending.

The final word on iFaith's life span will obviously come after iH8sn0w is done with testing, hopefully by tonight. We'll let you know the result as soon as it is out. Do you think it's a wise move by the company to stop iOS downgrades by ending the ability to restore using saved SHSH blobs? Drop a line in the comments below!

  • Ord2365

    I have iOS 5 beta 2 on my iPad 2 WiFi, will I be able to downgrade to iOS 4.3.3 now?
    When the iPad 2 jailbreak is out?
    Thanks.

    • http://www.iphoneism.com Lota Man

      Yes.
      Sent from my BlackBerry® Smartphone provided by Ufone

      • http://www.facebook.com/profile.php?id=100000717873752 Mason Schmitt

        Irony, you have a BlackBerry haha

    • Dzkilnd

      How were you able to downgrade? I still cannot … stumped!

      • technologiq

        Download iOS 4.3.3 for your device, and do a restore. I just did it and it works fine.

  • http://twitter.com/makbook Sean Heffernan

    Um… you could always just put your device in DFU mode and restore in iTunes. It will always restore to the most recent PUBLICLY AVAILABLE (NOT iOS 5 beta x) version of iOS.

    • http://www.iphoneism.com Lota Man

      So for example, when iOS 5.1 comes out, will it be possible to downgrade to iOS 5? NO. Because restoring with saved SHSH would be blocked and because it won’t be the, to quote you, the most recent publicly available version of iOS. That’s why SHSH replay attacks were used in the first place.
      Sent from my BlackBerry® Smartphone provided by Ufone

      • http://twitter.com/makbook Sean Heffernan

        Exactly. The most recent publicly available version (a.k.a. tested by Apple, confirmed to be 99% bug free, confirmed to work with 99% of iOS apps). Why would anyone want to go back to 5.0? And if they did, for some reason, they could just find the firmware on the web, and option (or alt) click restore in iTunes after putting their device in DFU mode to go back to the firmware they desire.

        • http://www.iphoneism.com Lota Man

          Unless and until there’s an SHSH replay attack, you can NOT restore your device to a previous firmware as Apple stops signing it. Meaning that iTunes will not, by default, proceed with the restore if you’re on iOS 5.1 and are restoring to iOS 5. DFU won’t even help.
          Sent from my BlackBerry® Smartphone provided by Ufone

      • http://twitter.com/makbook Sean Heffernan

        (This is a reply to your most recent reply (3:03 PST))
        How do you know this? And if that’s the case, then download an older version of iTunes.

        • http://www.iphoneism.com Lota Man

          Because I’ve personally done all of this.
          Sent from my BlackBerry® Smartphone provided by Ufone

        • http://twitter.com/makbook Sean Heffernan

          That’s impossible. Apple hasn’t released 5.0 or 5.1.

          • http://www.iphoneism.com Lota Man

            I said “For example” in the very first reply. I was giving an example of what will happen to downgrading using saved SHSH blobs when iOS 5 releases. Kindly read all of the comments again.
            Sent from my BlackBerry® Smartphone provided by Ufone

  • collin

    So I can downgrade my iPad 2 beta 2 to iOS 4.3.3 using DFU mode restore?

    • http://www.iphoneism.com Lota Man

      Yes you can.

  • http://www.facebook.com/paulieman20 Paul M Baker

    I have tried downgrading from iOS 5.0 beta 2 for a couple of hours now... without any luck... Tried DFU mode, simply just trying a restore... just says I am not eligible? Weird.

    • http://www.iphoneism.com Lota Man

      Remove iTunes 10.5 beta 2. Install the latest PUBLIC beta of iTunes. Then download the iOS 4.3.3 IPSW and do a shift+restore on your iPad 2.

  • Ifdanntsaid3

    I'm at 4.3.5, how do I downgrade my iPad 2 (wireless) to 4.3.3 without an SHSH file?

    • http://www.iphoneism.com Lota Man

      Not possible.

      Sent from my iPad

  • Guest

    As an iOS developer I can only say that it sucks. For me it is close to impossible to truly support older versions as I can’t just downgrade/upgrade firmware for testing as needed.

    I have a relatively low volume app, but from the stats I see that every single iOS version is used by my customers. People just run old versions because they don’t hook up their iPad/iPhone to a PC or Mac at all.

    Today I had someone reporting an issue running iOS 3.2 on iPad. There is currently no way for me to revert back to that version, so all I could ask is to upgrade. I would rather have just fixed the issue and let him use whatever iOS version he has/likes/needs/wants.