Apple To Stop Firmware Downgrade By Eliminating Ability To Restore From Saved SHSH Blobs In iOS 5

Whilst the recently released iOS 5 beta 2 brings a host of new improvements for supported devices, many of us are unaware of the changes that Apple has made under the hood. One such change, which is going to have a big impact, is that Apple is now going to combat firmware downgrades by eliminating the ability to restore iOS firmware using saved or cached SHSH blobs.

This news was broken by none other than MuscleNerd himself, a member of the iPhone Dev Team. He tweeted:

Uh oh… the days of restoring with saved SHSH blobs are nearing an end. Apple is getting much smarter with the APTicket

Everything is now in place for Apple to do on the AP side what it does on the BB side (nonces with signing windows)

They can’t undo the access limera1n provides (tethered JB booting) but they’re about to eliminate SHSH blob replay attacks

They’ll be enforcing this starting in the LLB. Pre-5.0 restores w/saved blobs will remain OK (with older iTunes though)

These four tweets from MuscleNerd pretty much explain the whole deal. It should be evident by now that Apple is indeed working to stop iOS firmware downgrades by eliminating the SHSH blob replay attacks that TinyUmbrella or Cydia's server usually initiate to validate an older firmware version which Apple has stopped officially signing.

However, this is not enabled in iOS 5 beta 2. This means that if you have saved SHSH blobs for a previous firmware, you should downgrade now, because once the iOS 5 GM build is released it will be impossible to downgrade from it. At least, it is being said that SHSH blob replay attacks will be eliminated in the iOS 5 GM release.

The Dev Team further explains this on their blog:

This will only affect restores starting at iOS5 and onward, and Apple will be able to flip that switch off and on at will (by opening or closing the APTicket signing window for that firmware, like they do for the BBTicket). geohot’s limera1n exploit occurs before any of this new checking is done, so tethered jailbreaks will still always be possible for devices where limera1n applies. Also, restoring to pre-5.0 firmwares with saved blobs will still be possible (but you’ll soon start to need to use older iTunes versions for that). Note that iTunes ultimately is *not* the component that matters here… it’s the boot sequence on the device starting with the LLB.

So does this mean that once iOS 5 is publicly released this fall, there will be no way of downgrading from it? Yes, it does mean that, until and unless the devs come up with an entirely new solution for downgrading iOS firmwares to older versions.
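To make the mechanism in the tweets and the Dev Team post concrete, here is an added simulation (not code from the Dev Team, Apple or this article) of why a nonce-bound APTicket with a signing window defeats blob replay while the old ECID-only SHSH check does not. It assumes an HMAC with a constructed key as a stand-in for Apple's RSA signature, and constructed ECID, firmware and nonce values.

```python
import hmac
import hashlib
import os

# Constructed stand-in for Apple's private signing key. The real scheme uses
# RSA signatures checked against a baked-in public key; HMAC keeps the demo short.
SIGNING_KEY = b"constructed-demo-signing-key"

def sign(message: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).digest()

class SigningServer:
    """Apple's signing server: signs only firmware whose window is currently open."""
    def __init__(self, open_window):
        self.open_window = set(open_window)

    def sign_request(self, firmware, ecid, nonce=b""):
        if firmware not in self.open_window:
            return None  # window closed: no fresh ticket for this firmware
        body = firmware + ecid + nonce
        return {"body": body, "sig": sign(body)}

def llb_check_shsh(ticket, firmware, ecid):
    """Pre-5.0 check: ticket bound to firmware + ECID only, so a cached copy replays."""
    return (ticket is not None and ticket["body"] == firmware + ecid
            and hmac.compare_digest(ticket["sig"], sign(ticket["body"])))

def llb_check_apticket(ticket, firmware, ecid, boot_nonce):
    """iOS 5 style check: ticket must also carry the nonce generated for this boot."""
    return (ticket is not None and ticket["body"] == firmware + ecid + boot_nonce
            and hmac.compare_digest(ticket["sig"], sign(ticket["body"])))

def replay_demo():
    ecid, old_fw, new_fw = b"ECID-demo", b"ios-4.3.3", b"ios-5.0"
    # While 4.3.3 was still signed, a TinyUmbrella-style tool cached a blob.
    server = SigningServer(open_window={old_fw, new_fw})
    cached_shsh = server.sign_request(old_fw, ecid)
    cached_apticket = server.sign_request(new_fw, ecid, os.urandom(20))
    # Later Apple closes the 4.3.3 window, and the device boots with a new nonce.
    server.open_window.discard(old_fw)
    boot_nonce = os.urandom(20)
    fresh = server.sign_request(new_fw, ecid, boot_nonce)
    return {
        "shsh_replay_accepted": llb_check_shsh(cached_shsh, old_fw, ecid),
        "apticket_replay_accepted": llb_check_apticket(cached_apticket, new_fw, ecid, boot_nonce),
        "fresh_ticket_for_closed_fw": server.sign_request(old_fw, ecid, boot_nonce),
        "fresh_ticket_accepted": llb_check_apticket(fresh, new_fw, ecid, boot_nonce),
    }
```

The cached SHSH still passes the old check, but the cached APTicket fails under the nonce check and the server refuses to issue a fresh one for the closed firmware, which is exactly the downgrade block the article describes.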
