1. BLiNK
    Dev-Team Blog - Blob monster


    Blob monster
    It looks like Apple is about to aggressively combat the replay attacks that have until now allowed users to use iTunes to restore to previous firmware versions using saved SHSH blobs.

    Those of you who have been jailbreaking for a while have probably heard us periodically warn you to save your blobs for each firmware using either Cydia or TinyUmbrella (or even the copy-from-/tmp-during-restore method for advanced users). Saving your blobs for a given firmware on your specific device allows you to restore *that* device to *that* firmware even after Apple has stopped signing it. That's all about to change.

    Starting with the iOS5 beta, the role of the APTicket is changing: it's being used much like the BBTicket has always been used. The LLB and iBoot stages of the boot sequence are being refined to depend on the authenticity of the APTicket, which is uniquely generated at each and every restore (in other words, it doesn't depend merely on your ECID and firmware version; it changes every time you restore, based partly on a random number). This APTicket authentication will happen at every boot, not just at restore time. Because only Apple has the crypto keys to properly sign the per-restore APTicket, replayed APTickets are useless.

    This will only affect restores starting at iOS5 and onward, and Apple will be able to flip that switch off and on at will (by opening or closing the APTicket signing window for that firmware, like they do for the BBTicket). geohot's limera1n exploit occurs before any of this new checking is done, so tethered jailbreaks will still always be possible. Also, restoring to pre-5.0 firmwares with saved blobs will still be possible (but you'll soon start to need to use older iTunes versions for that). Note that iTunes ultimately is *not* the component that matters here: it's the boot sequence on the device, starting with the LLB.

    Although it's always been just a matter of time before Apple started doing this (they've always done this with the BBTicket), it's still a significant move on Apple's part (and it also dovetails with certain technical requirements of their upcoming OTA delta updates).

    Note: although there may still be ways to combat this, a beta period is really not the time or place to discuss them. We're just letting you know what Apple has already done in their existing beta releases; they've stepped up their game!
    06-26-2011 07:39 PM
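The post above explains why a saved SHSH blob can be replayed but a nonce-bound APTicket cannot, and why closing the signing window is what actually blocks a restore. The following Python model is an added example, not code from the Dev-Team post or from any Apple or jailbreak tool. Everything in it is an assumption made for illustration: the `TicketAuthority` and `Device` classes stand in for Apple's signing server and the LLB/iBoot check, the ECID and nonce length are constructed values, and an HMAC over a secret only the authority is supposed to hold stands in for Apple's real public-key signature (so the device side "verifying" with the same secret is a simplification; the replay argument does not depend on it).

```python
"""Model of a replayable SHSH blob versus a nonce-bound APTicket.

Added example (hypothetical names and values); not the Dev-Team's or Apple's code.
"""
import hashlib
import hmac
import os

# Assumption: stands in for Apple's private signing key. A keyed MAC is used
# instead of RSA so the example has no third-party dependencies.
SIGNING_KEY = b"constructed-signing-key-for-this-example"


def _sign(message: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).digest()


class TicketAuthority:
    """Hypothetical stand-in for Apple's ticket-signing server."""

    def __init__(self):
        self.signing_window = set()  # firmware versions currently being signed

    def open_window(self, version):
        self.signing_window.add(version)

    def close_window(self, version):
        self.signing_window.discard(version)

    def sign_shsh(self, ecid, version):
        """Legacy blob: bound only to ECID and firmware version, so it replays."""
        if version not in self.signing_window:
            return None
        sig = _sign(b"SHSH|%d|%s" % (ecid, version.encode()))
        return {"ecid": ecid, "version": version, "sig": sig}

    def sign_apticket(self, ecid, version, nonce):
        """APTicket: additionally bound to a nonce the device chose for this restore."""
        if version not in self.signing_window:
            return None
        sig = _sign(b"AP|%d|%s|%s" % (ecid, version.encode(), nonce))
        return {"ecid": ecid, "version": version, "nonce": nonce, "sig": sig}


class Device:
    """Hypothetical model of the LLB/iBoot check on one device with a fixed ECID."""

    def __init__(self, ecid):
        self.ecid = ecid
        self.nonce = None

    def fresh_nonce(self):
        # Regenerated at every restore and every boot; a saved ticket cannot predict it.
        self.nonce = os.urandom(20)
        return self.nonce

    def verify_shsh(self, blob, version):
        if blob is None or blob["ecid"] != self.ecid or blob["version"] != version:
            return False
        expected = _sign(b"SHSH|%d|%s" % (self.ecid, version.encode()))
        return hmac.compare_digest(blob["sig"], expected)

    def verify_apticket(self, ticket, version):
        if ticket is None or ticket["ecid"] != self.ecid or ticket["version"] != version:
            return False
        if ticket["nonce"] != self.nonce:  # a replayed ticket carries a stale nonce
            return False
        expected = _sign(b"AP|%d|%s|%s" % (self.ecid, version.encode(), ticket["nonce"]))
        return hmac.compare_digest(ticket["sig"], expected)


def replay_scenario():
    """Walk through both worlds and return what each check decided."""
    apple = TicketAuthority()
    device = Device(ecid=0x1A2B3C4D5E)  # constructed ECID

    # Pre-5.0 world: save a blob while 4.3.3 is signed, restore after the window closes.
    apple.open_window("4.3.3")
    saved_blob = apple.sign_shsh(device.ecid, "4.3.3")
    apple.close_window("4.3.3")
    shsh_replay_ok = device.verify_shsh(saved_blob, "4.3.3")

    # iOS 5 world: the ticket is issued against the nonce of *that* restore.
    apple.open_window("5.0")
    device.fresh_nonce()
    saved_ticket = apple.sign_apticket(device.ecid, "5.0", device.nonce)
    live_ok = device.verify_apticket(saved_ticket, "5.0")
    apple.close_window("5.0")

    # Next restore or boot: new nonce, window closed. The saved ticket is useless
    # and no fresh one can be obtained.
    device.fresh_nonce()
    ticket_replay_ok = device.verify_apticket(saved_ticket, "5.0")
    fresh_ticket = apple.sign_apticket(device.ecid, "5.0", device.nonce)

    return {
        "shsh_replay_ok": shsh_replay_ok,
        "apticket_live_ok": live_ok,
        "apticket_replay_ok": ticket_replay_ok,
        "fresh_ticket_after_close": fresh_ticket,
    }


if __name__ == "__main__":
    for name, value in replay_scenario().items():
        print(f"{name}: {value}")
```

The model also shows the point about iTunes: nothing in it consults the restore tool, the decision is taken entirely in `Device.verify_apticket`, which is the role the post assigns to the LLB and iBoot.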
  2. iRandom
    Note: although there may still be ways to combat this, a beta period is really not the time or place to discuss them.
    There will always be hope
    06-27-2011 08:02 PM
  3. Ipheuria
    Meh, they tried to do it with the baseband check, look how well that worked out. It will just mean more people should be more careful about upgrading like in the old days.
    06-28-2011 09:22 AM
  4. entronp
    this doesn't affect custom firmwares made by sn0wbreeze because it doesn't rely on blobs at all....really an amazing program.
    06-30-2011 01:32 AM