Apple Combating Ability to Downgrade iOS Versions With SHSH Blobs

The iPhone Dev Team has written that Apple ‘has stepped up their game’ to prevent users from restoring to previous iOS versions via saved SHSH blobs. Until now, by using a tool like TinyUmbrella (or Cydia), users have been able to save their SHSH blobs to third-party servers, allowing them to downgrade to any firmware. Apple will be preventing this in an aggressive manner with iOS 5, as documented by the iPhone Dev Team:

Starting with the iOS5 beta, the role of the “APTicket” is changing — it’s being used much like the “BBTicket” has always been used. The LLB and iBoot stages of the boot sequence are being refined to depend on the authenticity of the APTicket, which is uniquely generated at each and every restore (in other words, it doesn’t depend merely on your ECID and firmware version…it changes every time you restore, based partly on a random number). This APTicket authentication will happen at every boot, not just at restore time. Because only Apple has the crypto keys to properly sign the per-restore APTicket, replayed APTickets are useless.

This will only affect restores starting at iOS5 and onward, and Apple will be able to flip that switch off and on at will (by opening or closing the APTicket signing window for that firmware, like they do for the BBTicket). geohot’s limera1n exploit occurs before any of this new checking is done, so tethered jailbreaks will still always be possible for devices where limera1n applies. Also, restoring to pre-5.0 firmwares with saved blobs will still be possible (but you’ll soon start to need to use older iTunes versions for that). Note that iTunes ultimately is *not* the component that matters here… it’s the boot sequence on the device starting with the LLB.

Although it’s always been just “a matter of time” before Apple started doing this (they’ve always done this with the BBTicket), it’s still a significant move on Apple’s part (and it also dovetails with certain technical requirements of their upcoming OTA “delta” updates).

Note: although there may still be ways to combat this, a beta period is really not the time or place to discuss them. We’re just letting you know what Apple has already done in their existing beta releases — they’ve stepped up their game!

To summarize, starting with iOS 5 Beta 2, Apple controls the keys that sign APTickets, and each APTicket is uniquely generated during every restore. If your device doesn’t have a properly signed APTicket, it can’t restore. Apple will also be able to open and close the signing window for a given firmware at will, switching it “ON/OFF” whenever they choose.
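To make the difference concrete, here is an added Python model (not code from the Dev Team or from this post) of the two schemes described above: a pre-iOS 5 blob bound only to ECID and firmware version replays fine after the signing window closes, while a per-restore, nonce-bound APTicket does not. The signing key, ECID and message layout are constructed stand-ins, and a keyed MAC replaces Apple’s RSA signature so the model runs offline; in the real scheme the device would verify with Apple’s public key rather than sharing the signing secret.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the key only Apple holds. Real tickets carry an RSA
# signature; a keyed MAC is used here purely so the example runs with stdlib only
# (which means the verifier below also knows the key, unlike a real LLB).
APPLE_KEY = b"constructed-demo-key-not-apple's"


def apple_sign(message: bytes) -> bytes:
    """Apple's signing server (simulated)."""
    return hmac.new(APPLE_KEY, message, hashlib.sha256).digest()


def blob_message(ecid: int, firmware: str, nonce) -> bytes:
    """Pre-iOS 5 SHSH: bound to ECID + firmware. APTicket: also bound to a nonce."""
    msg = f"{ecid:016x}|{firmware}".encode()
    return msg if nonce is None else msg + b"|" + nonce.hex().encode()


def llb_boot_check(device: dict, firmware: str, ticket: bytes) -> bool:
    """LLB/iBoot at every boot: rebuild the message using the nonce *this* device
    generated for its own restore and check the ticket matches it."""
    expected = apple_sign(blob_message(device["ecid"], firmware, device["nonce"]))
    return hmac.compare_digest(expected, ticket)


def restore(device: dict, firmware: str, window_open: bool, saved=None, nonce_bound=True):
    """One restore attempt. Returns (booted, ticket) so the ticket can be saved
    and replayed later, as TinyUmbrella-style tools do with SHSH blobs."""
    # The device rolls a fresh random nonce for every restore and remembers it.
    device["nonce"] = os.urandom(20) if nonce_bound else None
    if saved is not None:
        ticket = saved                       # replay a previously saved blob
    elif window_open:
        ticket = apple_sign(blob_message(device["ecid"], firmware, device["nonce"]))
    else:
        return False, None                   # window closed, nothing to sign with
    return llb_boot_check(device, firmware, ticket), ticket


def replay_scenario(nonce_bound: bool):
    """Save a ticket while Apple is signing the firmware, then replay it after
    the window closes. Returns (first_restore_ok, replay_ok)."""
    device = {"ecid": 0x00001234ABCD5678, "nonce": None}   # constructed ECID
    ok_live, ticket = restore(device, "5.0", True, nonce_bound=nonce_bound)
    ok_replay, _ = restore(device, "5.0", False, saved=ticket, nonce_bound=nonce_bound)
    return ok_live, ok_replay
```

Running `replay_scenario(False)` gives `(True, True)` for the old blob scheme, while `replay_scenario(True)` gives `(True, False)`: the saved ticket was signed over the previous restore’s nonce and fails the boot-time check.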

It’s interesting to note that Geohot’s limera1n exploit will still work, which means tethered jailbreaks will still be available for the devices where it applies. All hope isn’t lost, as there will be ways to combat this once the beta period is over.

What’s Going to Happen with the Future of Jailbreaking?

Is this the end of jailbreaking as we know it? Currently, iOS 5 Beta 2 has a tethered jailbreak via redsn0w. If Apple continues to step up their game in combating jailbreakers, what’s going to happen as we move forward? I think the ‘cat and mouse’ game will continue. Apple’s engineers haven’t been able to outsmart the geniuses from the iPhone Dev Team. This ain’t over yet, folks.

[iPhone Dev Team]