This rather sad piece of news just caught our eye. It turns out Apple is very close to patching restores that use saved SHSH blobs. The confirmation comes from iPhone Dev Team member MuscleNerd, who has also been running tests on the latest iOS 5 beta and has previously reported the hidden changes Apple made in iOS 5 beta 2.
In a string of tweets posted just minutes earlier, MuscleNerd revealed the following details about Apple nearly ending the ability to restore to older iOS firmwares using saved SHSH blobs.
Uh oh...the days of restoring with saved SHSH blobs are nearing an end. Apple is getting much smarter with the APTicket
Everything is now in place for Apple to do on the AP side what it does on the BB side (nonces with signing windows)
They can't undo the access limera1n provides (tethered JB booting) but they're about to eliminate SHSH blob replay attacks
They'll be enforcing this starting in the LLB. Pre-5.0 restores w/saved blobs will remain OK (with older iTunes though)
For those who do not know what SHSH is: basically, an SHSH blob is a 1024-bit RSA signature used to verify the validity of a firmware. What this means is that if, for example, Apple has released iOS 4.3.3, you will only be able to restore your device to iOS 4.3.3 using iTunes, and not to iOS 4.3.2, even if you previously downloaded its IPSW and saved it. Apple stops signing previous firmwares when a new version is released, so you cannot restore your device to an older version once a newer one is available.
Here's how the firmware validation procedure works:
SHSH blobs are used in a challenge-response authentication of the firmware, where the challenge key is formed from a combination of a hash of the firmware and the Exclusive Chip ID (ECID) of the device. The response from Apple is the SHSH itself, the digital signature required to validate the firmware.
So how was it possible to downgrade iOS firmware to older versions using saved SHSH blobs?
Because the challenge key is static, a cached copy of the signature may be used in a replay attack to trick the signing software (iTunes) into validating an old firmware. Using this technique is necessary to restore to previous versions of iOS on the iPhone 3GS, iPhone 4, iPod Touch 2G, iPod Touch 3G, iPod Touch 4G, iPad, and iPad 2. Downgrading iOS in this manner may be used for jailbreaking, since older software may have known exploits.
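To make the two schemes concrete, here is an added simulation (not code from this post, from Apple, or from any of the tools mentioned) contrasting a static challenge (firmware hash + ECID) with the nonce-based signing window MuscleNerd describes. An HMAC keyed with a constructed secret stands in for Apple's RSA signature, and every key, ECID and firmware image below is a made-up value.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the signing authority's private key. The real scheme
# uses a 1024-bit RSA signature; HMAC-SHA256 keeps this example self-contained.
SIGNING_KEY = b"constructed-signing-key-not-real"


def challenge(firmware, ecid, nonce=None):
    """Value that gets signed: hash of the firmware image plus the device ECID.
    With nonce=None this is static per (firmware, device), so a signature over
    it can be cached and replayed later. A per-boot nonce makes it fresh."""
    h = hashlib.sha256()
    h.update(hashlib.sha256(firmware).digest())
    h.update(ecid.to_bytes(8, "big"))
    if nonce is not None:
        h.update(nonce)
    return h.digest()


class SigningServer:
    """Toy model of the signing server: signs only versions still in its window."""

    def __init__(self, signed_versions):
        self.signed_versions = set(signed_versions)

    def sign(self, version, firmware, ecid, nonce=None):
        if version not in self.signed_versions:
            return None  # signing for this version has stopped
        msg = challenge(firmware, ecid, nonce)
        return hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()


def device_accepts(firmware, ecid, blob, nonce=None):
    """Device-side check of a blob against the challenge it expects."""
    expected = hmac.new(SIGNING_KEY, challenge(firmware, ecid, nonce), hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob)


def replay_demo():
    """Returns (fresh_request_refused, static_replay_accepted, nonce_replay_accepted)."""
    ecid = 0x0000112233445566          # constructed device ECID
    fw_433 = b"constructed iOS 4.3.3 image bytes"
    server = SigningServer({"4.3.3"})  # day 1: 4.3.3 is still being signed
    saved_blob = server.sign("4.3.3", fw_433, ecid)  # the blob a user saves
    server.signed_versions = {"5.0"}   # later: only the newest version is signed
    fresh = server.sign("4.3.3", fw_433, ecid)  # a new request is refused
    static_ok = device_accepts(fw_433, ecid, saved_blob)  # cached blob still valid
    boot_nonce = os.urandom(16)        # nonce-enforcing device picks a fresh value
    nonce_ok = device_accepts(fw_433, ecid, saved_blob, nonce=boot_nonce)
    return fresh is None, static_ok, nonce_ok
```

The tuple comes back as (True, True, False): the server refuses a new signature, the static-challenge device still accepts the saved blob, and the nonce-enforcing device rejects it because the saved blob was never computed over that boot's nonce.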
What will change when Apple ends the ability to restore via saved SHSH blobs? Well, Apple has yet to actually enable this, and it is expected to be done in the GM release of iOS 5. When that happens, those who have upgraded to the iOS 5 GM build will no longer be able to downgrade back to iOS 4.x. However, if you are on an older firmware such as iOS 4.3.3 or 4.3.2, you will still be able to downgrade using saved SHSH blobs and an older version of iTunes.
What does this mean for iFaith, the new software which dumps the SHSH blobs of your iOS device, creates a signed IPSW, and also backs the blobs up on its remote server? Developer iH8sn0w tweeted the following just minutes earlier:
I wonder if iFaith's method of grabbing/restoring blobs is broken in iOS5b2 as well...
@GreggJTurner @MuscleNerd iFaith packs the dumped shsh. Will do testing later tonight. : )
@iWtopia The shsh replay via TinyUmbrella/Saurik's server but iFaith may live on. Result pending.
The final word on iFaith's life span will obviously come after iH8sn0w is done with testing, hopefully by tonight. We'll let you know the result as soon as it is out. Do you think it's a wise move by the company to stop iOS downgrades by ending the ability to restore using saved SHSH blobs? Drop a line in the comments below!