Older iOS 6 SHSH Blobs Saved in Cydia Have Become Unusable
If you have saved your SHSH blobs for iOS 6.0-iOS 6.1.2 in Cydia for later downgrading, Saurik has bad news for you: the TSS data Cydia saved for iOS 6.0-6.1.2 is unusable.
This isn’t the best news we are reporting from the jailbreak world today. From now on, if you have a jailbroken device running iOS 6.0 through 6.1.2, you can no longer use those saved blobs to downgrade or even to perform a simple restore, Saurik reports on his website (via iDevice). All SHSH certificates for the latest versions of iOS stored on Cydia have become useless.
In a lengthy blog post Saurik gives some background on how TSS (Tatsu Signing Server) and SHSH work and how the SHSH is computed. You can read through it, but it is a technical text explaining how the whole process works and is likely not useful for most people.
When Apple started doing this, we figured out how it worked, and the course of action was clear: to set up a man-in-the-middle attack on this server that would simply store every single SHSH that was returned for every file of every firmware version for every device owned by all of the people who cared about being able to downgrade (both jailbreakers, and App Store developers who need to test their apps on earlier firmware versions).
I built this system as a service and wrote an article about how the process worked and how it could be used. Initially, the system acted only “in the middle”, but it was immediately enhanced to save all of the ECIDs of all of the users in a massive database, so it could go on its own every time Apple released a new firmware version in order to request everyone’s SHSH information “en masse”.
What is important, though, for every jailbreaker: if you have a recent device, iOS 6 APTickets (a new verification scheme introduced by Apple with iOS 5) are entirely useless. Users cannot use them to downgrade or upgrade. In fact, users can’t even use them to restore the version of iOS they are currently running.
As Saurik points out, about 25.8% of jailbreakers are affected; the remaining 74.2% of Cydia users (iPad, iPhone 4S and iPhone 5 owners) are not affected.
To find out whether you have been burned by this issue, open Cydia and look on the main page for the new TSS Center section, which lists the blobs that are still saved for your device.
The set of devices that are able to run iOS 6 and that are also old enough to be subject to this exploit is actually fairly small: only the iPhone 3G[S], iPhone 4, and the 4th generation iPod touch meet these requirements. In particular, no iPad, nor any recent iPhone (not even the iPhone 4S) has any known way to use cached iOS 6 TSS information. This means that 74.2% of Cydia users are not affected at all.
Secondly, for the remaining 25.8% of Cydia users for which cached iOS 6 APTickets could be useful, by far the primary purpose is to restore or otherwise recover the version of iOS you are currently running untethered. As an example, a user is currently running 6.1.2 and accidentally upgrades to 6.1.3. Alternatively, they accidentally break their iOS installation so badly that they need to restore.
In either of these two use cases, the alternative to an APTicket exploit is to upgrade to iOS 6.1.3; as this scenario is only applicable to people running older devices (those subject to limera1n), iOS 6.1.3 is still jailbreakable (as should all future versions of iOS on these devices), but the result will not be an untethered jailbreak: many users (including myself) really hate using tethered jailbreaks.
Thankfully, this situation is actually fairly easily solved: redsn0w has the ability to dump the full TSS information from a device (also using that same limera1n exploit). I thereby encourage users of devices capable of being exploited by limera1n (the iPhone 3G[S], iPhone 4, or 4th generation iPod touch) to download this tool right now and use it to upload complete TSS information.
The current version of Redsn0w copies the active TSS data from the jailbroken iDevice and stores it locally on the user’s computer; uploading this information to Cydia will only become possible at a later time. iFaith, however, can be used for immediate upload, but it is limited to Windows users. Mac OS X users will need to wait until the next version of Redsn0w becomes available.