I built this system as a service and wrote an article about how the process worked and how it could be used. I say signed “again”, as the original files distributed by Apple are already signed, but they do not contain this device-specific information and are entirely generic. I thereby encourage users of devices capable of being exploited by limera1n (the iPhone 3G[S], iPhone 4, or 4th generation iPod touch) to download this tool right now and use it to upload complete TSS information. I thereby reached out to MuscleNerd while building TSS home, who provided to me a sketch of an algorithm that could be used to validate blobs as they were uploaded in the same way that an iPhone would verify them during boot. The personalization process thereby involves taking the build manifest, building a TSS request, sending it to Apple, getting the result, and then modifying each of the files that were listed by replacing the signature section with the blobs returned by TSS.



To subvert that system using a man-in-the-middle attack, a server requests the unique SHSH blobs from Apple for the jailbroken device and caches those SHSH blobs on servers, so that if a user changes the hosts file on a computer to redirect the SHSH blobs check to the cache instead of Apple’s servers, iTunes would be tricked into checking those cached SHSH blobs and allowing the device to be restored to that version.

When Apple started doing this, we figured out how it worked, and the course of action was clear: Another opportunity allows you to sidestep the APTicket process by way of iOS 4, which predates the introduction of that feature.

apdump – Dump onboard SHSH Blobs without Jailbreak

The set of devices that are able to run iOS 6 and that are also old enough to be subject to this exploit is actually fairly small: When iTunes or the on-device firmware upgrader sends a request to Apple’s servers to confirm the APTicket, instead of using the one already stored on the server, a new one is generated.


It therefore happened that developers such as MuscleNerd and others do not personally test their tools against data saved for users by Cydia’s TSS client.

Developers interested in iOS jailbreaking have made tools for working around this signature system in order to install jailbreakable older iOS versions that are no longer being signed by Apple. Taking advantage of these mistakes has allowed for a few interesting tricks, such as allowing people to switch from one version of iOS 5 to another, or allowing the iPad 2 to be downgraded to iOS 5 from iOS 6 if you have TSS information saved for iOS 4, to use as an intermediary.

The resulting modified files are sent to the device, which verifies the ECID inside of them, and also validates the signature hash. Second, this is a complex verification system, involving a lot of little steps; as an example, at some point you have to reset the nonce: Additionally, it means that if you have a device you haven’t used in a very long time, and many software revisions have been released between then and now, you could choose to upgrade to any of those versions, not just the latest.

Where did my iOS 6 TSS data go? – Jay Freeman (saurik)

I thereby encourage users of devices capable of being exploited by limera1n (the iPhone 3G[S], iPhone 4, or 4th generation iPod touch) to download this tool right now and use it to upload complete TSS information. As I described earlier, offering such a service, where data is uploaded by random devices, has a serious problem: Sadly, that is not why I have been working on this article: As the ECID of a device never changes, if you can then save the SHSH of a personalized file, you can always use it later to install that file, even if Apple is no longer willing to sign it: Of course, that assumption is unrealistic for a system as complex as the iPhone: The word “useless” is important, as it is not accurate to use the word “corrupt”: However, SHSH blobs that were downloaded or otherwise obtained by tools such as redsn0w, iFaith, or TinyUmbrella will work fine.


Thankfully, this situation is actually fairly easily solved: If the version is not being signed, the iBEC and iBoot will decline the image, giving an error of “error ” or “declined to authorize the image”. Alternatively, they accidentally break their iOS installation so badly that they need to restore. No real changes were made to the system to make these APTickets happen: This can be done with a tool that can dump this information using the limera1n bootrom exploit, such as redsn0w or iFaith, and upload the replacement to Cydia.

This protocol is part of iPhone 3GS and later devices. For those who don’t care about the long explanation below: This means that there is an efficient way to “continue hashing a file from where you left off” when using SHA. Apple uses this trick to generate its personalized signatures: One would expect at this point that when Apple introduced APTickets, all of the work attempting to store and process this data for later use would have stopped.