IOS5 SHSH Blobs on Cydia

tron

Hi guys

For what it's worth, I have saved my iOS 5 SHSH blobs using iSH****.

Just noted that the iOS 5 SHSH blobs do not appear on the Cydia home screen like the previous firmwares up to 4.3.5 do.

Any reason for this omission?

PS: I have noted this in Cydia on my iPhone 3GS, iPod touch 4G and iPad 2.

 
iOS 5 no longer uses an SHSH system to do upgrades. So every time a new software version comes out, if you upgrade, you are stuck,
unless the dev team can crack the new system and figure it out.

But I think you can have blobs for the initial iOS 5 software, just not the next versions. I think.
F4780y will come and correct me in just a bit.
 
Almost, graywolf ;)

SHSH blobs are still being used in iOS 5; it's just that Apple have improved their security by including a "nonce" component (Cryptographic nonce - Wikipedia, the free encyclopedia), which is the same mechanism they have been using for baseband signing for a while. It's the reason you can't downgrade the baseband on the iPhone or 3G iPads. In theory, this means you will never be able to downgrade to a previous version of 5.x once updates start to appear. Once you upgrade you can never downgrade (assuming the signing window for the previous version has been closed).

This will make jailbreaking 5.x devices VERY INTERESTING, particularly the iPhone 4S and iPad 2. If you mess up your jailbreak with a bad app (or whatever), you will likely lose your jailbreak for a while, because you will be forced to restore to the latest version (which should have all known jailbreak holes patched) and have to wait until a new userland exploit is found to allow it to be jailbroken. We have enjoyed years of being in control of our jailbroken devices, but this next phase will require diligence and patience on our part. If you aren't careful about what you are installing (or deleting with iFile!) you could be out in the cold for a very long time, as anyone who recently messed up their iPad 2 3G 4.3.3 jailbreak will understand...

So to get back on topic: whilst you can save your blobs for iOS 5, the nonce component renders them useless for replaying at a later date. So there really is no point in saving them any more. It's not clear whether Saurik has stopped saving them on Cydia now or whether he will carry on, but personally I just don't see the point. The security is unlikely ever to be cracked as it uses sufficiently strong encryption, so we would need to find another way.

Your 4.x and 3.x saved blobs can still be kept as they will continue to work, but of course the older and older they get, the less likely it is that you will want the ability to restore the old firmwares they relate to.
 
So, beyond all the gawking at Leigh, :)
In theory, to downgrade to a previous version, a modification would have to be made to iTunes, and you would still have to use something like a modified version of iReb to trick the iPad into taking any version, like a custom FW.
But this would only apply to limera1n devices if a bootrom hack can't be found.
 
No. A custom firmware still relies on SHSH blobs. There is no way round that. It's a much more complicated issue, and no iTunes or iReb mod would fix it. If it was a problem which could be solved in such a way, then the issue of baseband downgrades would have been solved a long time ago...
 
So even if someone found a way to completely disable the SHSH check of iTunes, you still couldn't load an earlier version?
 
graywolf said:
So even if someone found a way to completely disable the SHSH check of iTunes, you still couldn't load an earlier version?

iTunes is just the middle-man. The check is cooked into both the firmware and the device (at the hardware level).
 
So, could there be a modification to something like iReb that will leave the iPad unable to control what is loaded onto it?
That sounds possible...
 
graywolf said:
So, could there be a modification to something like iReb that will leave the iPad unable to control what is loaded onto it?
That sounds possible...

I don't see how...
 
iReb leaves the iPad in a state where it can't tell the difference of a custom FW. So, in theory, a more powerful iReb could leave the iPad in a state of complete apathy, causing it to accept any FW version.

The hard part though, then, would be to get iTunes to activate it on versions where you don't have blobs...
 
graywolf said:
iReb leaves the iPad in a state where it can't tell the difference of a custom FW. So, in theory, a more powerful iReb could leave the iPad in a state of complete apathy, causing it to accept any FW version.

The hard part though, then, would be to get iTunes to activate it on versions where you don't have blobs...

Nope. I still think you think that iTunes does a lot more than it does. It does almost nothing. It's a middle-man, as I said before. If it was possible, after 4 years we would have something that did this already. You have no idea how much motivation there is to be able to downgrade the baseband on an iPhone, and we are not able to do that.

Think of the iPad like a nightclub. To get in, first you need to get through the outer door to get into the foyer. Then you need to get out of the foyer and through the main doors into the club. The outer doors are protected by a doorman. The inner doors are protected by an automated ticket scanner.

iReb is really good at distracting the doorman outside the club because he's fallible (he has a bug in his bootrom), but iReb can't do anything about the ticket scanner inside, because the machine is inside the club and no matter how much iReb tries to distract it, it simply has no effect.

That's the reason SHSH blob security can't be broken. It's really easy to load a custom firmware (fooling the doorman), but even a custom firmware needs valid SHSH blobs (a ticket to get in). No matter how sophisticated you make iReb (or any piece of software on the PC), it CANNOT change the hardware inside which checks the ticket, and it's not like the bootrom which contains bugs, so there is no way to pwn it.

The only way we should ever get past the ticket scanner is if someone discovers Apple's private encryption key. This is pretty unlikely as it is never broadcast anywhere for us to see...

That's probably a totally over-simplified way to look at it, and there are probably more holes in that analogy than there are in iOS 5, but it gets my point across. Pwning the iBoot process is not enough to defeat the signature checking, no matter how sophisticated you make the program.

Another way to look at it is like saying you intend to defeat a server's SSL encryption by modifying your copy of Internet Explorer. Although Internet Explorer is involved in a secure server transaction, you can't just defeat it by changing it to your will... Security just doesn't work like that. If it did, we'd all be losing all our money every time we made an internet purchase...
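The two points made in this thread, the nonce explanation in the earlier SHSH post and the "ticket scanner" analogy above, can both be shown in a small model. The following is an added example written for this page, not code from the thread or from Apple: textbook RSA with fixed small primes stands in for Apple's signing key (insecure, for illustration only), the ticket layout (ECID, build string, nonce, signature) and the build strings in the signing window are constructed, and `Device`, `tss_sign` and the scenario functions are invented names. It shows that a 4.x-style blob saved during the signing window still verifies after the window closes, that a 5.x-style ticket is bound to the nonce the device generated for that one restore and fails when replayed, and that editing the ticket on the PC side (patching the nonce field or inventing a signature) is rejected by the device because it holds only the public key.

```python
# Toy model of SHSH/APTicket-style personalisation, with and without a nonce.
# Added example: textbook RSA with fixed small primes stands in for Apple's
# signing key; the ticket layout is invented for illustration, not Apple's.
import hashlib
import os


def toy_rsa_keypair():
    """Deterministic textbook RSA key (insecure, illustration only).
    The device ships with only the public half; the private half never leaves 'Apple'."""
    p = (1 << 127) - 1          # two Mersenne primes, so the key is reproducible
    q = (1 << 89) - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, needs Python 3.8+
    return (n, e), (n, d)


APPLE_PUBLIC, APPLE_PRIVATE = toy_rsa_keypair()


def ticket_digest(n, ecid, build, nonce):
    """Hash of what the signature covers: device ECID, firmware build and,
    on iOS 5 style devices, the nonce the device handed out for this restore."""
    h = hashlib.sha256()
    h.update(ecid.to_bytes(8, "big"))
    h.update(build.encode())
    h.update(nonce or b"")      # pre-iOS-5 tickets carry no nonce
    return int.from_bytes(h.digest(), "big") % n


def tss_sign(private_key, signing_window, ecid, build, nonce=None):
    """Apple's signing server: returns a signed ticket only while `build` is in the window."""
    if build not in signing_window:
        return None             # window closed: Apple will not sign this build any more
    n, d = private_key
    m = ticket_digest(n, ecid, build, nonce)
    return {"ecid": ecid, "build": build, "nonce": nonce, "sig": pow(m, d, n)}


class Device:
    """The part that actually checks the ticket; iTunes only relays bytes to it."""

    def __init__(self, ecid, public_key, uses_nonce):
        self.ecid, self.public_key, self.uses_nonce = ecid, public_key, uses_nonce
        self.current_nonce = None

    def enter_restore(self):
        """Each restore attempt on a nonce-aware device picks a fresh random nonce."""
        self.current_nonce = os.urandom(20) if self.uses_nonce else None
        return self.current_nonce

    def accept_ticket(self, ticket):
        n, e = self.public_key
        if ticket["ecid"] != self.ecid:
            return False
        if self.uses_nonce and ticket["nonce"] != self.current_nonce:
            return False        # replayed ticket: nonce is from an earlier restore
        m = ticket_digest(n, ticket["ecid"], ticket["build"], ticket["nonce"])
        return pow(ticket["sig"], e, n) == m   # must verify under Apple's public key


ECID = 0x00DEADBEEF1234      # constructed device identifier


def replay_without_nonce():
    """4.x style: a blob saved while 4.3.3 was signed still verifies after the window closes."""
    dev = Device(ECID, APPLE_PUBLIC, uses_nonce=False)
    saved = tss_sign(APPLE_PRIVATE, {"4.3.3"}, ECID, "4.3.3")
    dev.enter_restore()                                          # months later
    fresh = tss_sign(APPLE_PRIVATE, {"5.0.1"}, ECID, "4.3.3")   # Apple now refuses
    return fresh is None and dev.accept_ticket(saved)


def replay_with_nonce():
    """5.x style: the saved ticket is valid only for the nonce it was issued against."""
    dev = Device(ECID, APPLE_PUBLIC, uses_nonce=True)
    nonce_then = dev.enter_restore()
    saved = tss_sign(APPLE_PRIVATE, {"5.0"}, ECID, "5.0", nonce_then)
    accepted_then = dev.accept_ticket(saved)
    dev.enter_restore()                         # later restore: new nonce
    accepted_later = dev.accept_ticket(saved)
    return accepted_then, accepted_later


def forge_on_pc_side():
    """All a modified iTunes/iReb can do is hand the device bytes; it cannot sign them."""
    dev = Device(ECID, APPLE_PUBLIC, uses_nonce=True)
    nonce_then = dev.enter_restore()
    saved = tss_sign(APPLE_PRIVATE, {"5.0"}, ECID, "5.0", nonce_then)
    dev.enter_restore()
    patched = dict(saved, nonce=dev.current_nonce)   # edit the nonce field to match
    invented = dict(saved, sig=0x1337)                # or invent a signature outright
    return dev.accept_ticket(patched), dev.accept_ticket(invented)


if __name__ == "__main__":
    print("4.x saved blob replays after window closed:", replay_without_nonce())
    print("5.x saved ticket (at issue, replayed later):", replay_with_nonce())
    print("PC-side patched nonce / invented sig accepted:", forge_on_pc_side())
```

The model deliberately keeps the trust boundary where the thread puts it: `tss_sign` is the only place the private half of the key is used, and `Device.accept_ticket` is the only place a decision is made. Nothing in between (the PC, iTunes, a patched iReb) holds anything that lets it produce a value passing the `pow(sig, e, n) == m` check for a nonce it did not get signed, which is why patching the nonce field turns a once-valid ticket into an invalid one.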
 