{"id":1354,"date":"2012-02-14T16:53:02","date_gmt":"2012-02-14T16:53:02","guid":{"rendered":"http:\/\/blog.xctechs.com\/vlogs\/?p=1354"},"modified":"2012-02-14T16:53:02","modified_gmt":"2012-02-14T16:53:02","slug":"shsh-blob-meaning-in-details","status":"publish","type":"post","link":"https:\/\/xctechs.info\/?p=1354","title":{"rendered":"SHSH Blob Meaning in Detail"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1355\" title=\"Shsh-Blobs\" src=\"http:\/\/blog.xctechs.com\/vlogs\/wp-content\/uploads\/2012\/11\/Shsh-Blobs.png\" alt=\"\" width=\"626\" height=\"135\" srcset=\"https:\/\/xctechs.info\/wp-content\/uploads\/2012\/11\/Shsh-Blobs.png 626w, https:\/\/xctechs.info\/wp-content\/uploads\/2012\/11\/Shsh-Blobs-300x64.png 300w\" sizes=\"auto, (max-width: 626px) 100vw, 626px\" \/><\/p>\n<p><strong>SHSH blobs<\/strong>\u00a0are a hash signature system (<strong>S<\/strong>ignature\u00a0<strong>H<\/strong>a<strong>SH<\/strong>\u00a0blobs) made by\u00a0Apple Inc.\u00a0to control manual software downgrades on\u00a0iPhones,\u00a0iPads, and\u00a0iPod touches\u00a0(a typical prelude to\u00a0jailbreaking). An SHSH is created by an SHSH formula (CLI\u00a0application) with 3 or 4 TSS keys: 1) the device (e.g. iPhone 4 CDMA), 2) the firmware version being signed (e.g. 4.2.8) and 3) the device&#8217;s\u00a0ECID, a unique ID contained within every device. The SHSH is a\u00a0Plist built from blobs, with each blob intended for a different part of the software (like the\u00a0kernel\u00a0and the Apple logo). These blobs control which firmware is restorable and which is not. 
When Apple wishes to restrict users&#8217; ability to &#8220;downgrade&#8221; their devices to a prior firmware version, Apple can simply refuse to generate this hash during the downgrade attempt, and the downgrade will not be successful (or at the very least, will require significant technical intervention).<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<\/p>\n<div id=\"mw-content-text\" lang=\"en\" dir=\"ltr\">\n<h2>Pre-SHSH signing and the LLB<\/h2>\n<p>From the beginning,\u00a0iOS\u00a0devices with a\u00a0baseband processor\u00a0were always signed with a random number (with the addition of a baseband TSS key), from iOS 1.0 on. When\u00a0jailbreaks\u00a0started to be developed, Apple changed the\u00a0LLB\u00a0(Low Level Bootloader) to check the signature on iBoot before jumping to it; iBoot in turn checks the signature of the kernel. In response, hackers used Boot-ROM exploits (Pwnage and 24kpwn) to patch the\u00a0LLB\u00a0so that it skips the signature checks, achieving an untethered jailbreak. All devices released after the\u00a0iPhone 3G\u00a0check whether a patched LLB is submitted and, if so, enter hardware\u00a0DFU, a DFU mode that the device can&#8217;t leave unless it is restored. Patched LLBs can only be submitted on pre-A4 processor devices and the old-bootrom iPhone 3GS. But with SHSH, users can downgrade and jailbreak older versions, or even jailbreak through a software upgrade from an old\u00a0firmware\u00a0to a newer one if an exploit is found in restore mode.<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<\/p>\n<h2>ECID<\/h2>\n<p>The\u00a0ECID (Unique device ID)\u00a0is a unique 13-digit number attached to the hardware of every device, and is not in use for devices that don&#8217;t require SHSH blobs. Each device has its own ECID and it is not changeable. 
The ECID is the third TSS key when the SHSH is created, and SHSH files for an ECID different from that of the device being restored will not be accepted by the device. From iOS 4.0 on, devices that support iOS 4 and later but do not have their ECID coded for SHSH blobs also get SHSH blobs, but the blobs are never required for a restore.<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<\/p>\n<h2>Combat<\/h2>\n<p>Between iOS 3.0 and 4.3.5, SHSHs for the main firmwares were made from 3 TSS keys (device, firmware version, and ECID), which means the SHSH file for a given firmware and device would be the same on every restore. As a countermeasure from the jailbreak side,\u00a0Cydia\u00a0would save SHSH files, cached from Apple, on its servers, so when the hosts file on the computer is pointed at Cydia&#8217;s servers,\u00a0iTunes\u00a0would take the cached SHSH and restore with it. Another method was to save the SHSH locally on the computer. At the beginning,\u00a0George Hotz\u00a0saved just the iBSS\/iBEC-specific SHSH; then\u00a0The Firmware Umbrella\u00a0was released to save the SHSH in a better way, and TinyTSS to send the SHSH to the iTunes restore; then\u00a0TinyUmbrella\u00a0to do both and to fix iTunes errors or manage recovery mode; then iFaith to take the signed SHSH blobs from the device; and finally an update to\u00a0Redsn0w\u00a0to verify SHSH, query blobs from Cydia, fetch SHSH blobs from the device, submit blobs to\u00a0Cydia, and stitch SHSH blobs to a firmware. Because of this behavior on the hackers&#8217; side, Apple randomized the SHSH so that it is different for each restore. This is referred to as a <strong>Ticket<\/strong>. This random number is saved on Apple&#8217;s servers, so if\u00a0iTunes\u00a0checks whether the blobs are okay with Apple, it will know that the blobs have been requested before, and the restore won&#8217;t work. 
As of October 27, 2011, the static SHSH blobs being given are for 4.1 (iPhone 3G, iPhone 3GS, iPod touch 2G, and iPod touch 3G) and 4.2.1 (iPhone 3G and iPod touch 2G). The random SHSH blobs currently being given are for 5.0, for\u00a0iPhone 3GS,\u00a0iPhone 4,\u00a0iPhone 4S,\u00a0iPad,\u00a0iPad 2, and\u00a0iPod touch\u00a0from the 4th generation and higher.<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<\/p>\n<h2>Structure<\/h2>\n<p>SHSH blobs are built from 19 blobs, each one for a different part of the firmware (like AppleLogo, RestoreRamdisk, Device tree, etc.). The blobs are encrypted and are organized in a\u00a0Plist\u00a0under the key &#8220;blob&#8221;.<\/p>\n<\/div>\n<div id=\"mw-articlefeedback\"><\/div>\n","protected":false},"excerpt":{"rendered":"<p>SHSH blobs\u00a0are a hash signature system (Signature\u00a0HaSH\u00a0blobs) made by\u00a0Apple Inc.\u00a0to control manual software downgrades on\u00a0iPhones,\u00a0iPads, and\u00a0iPod touches\u00a0(a typical prelude to\u00a0jailbreaking). An SHSH is created by an SHSH formula (CLI\u00a0application) with 3 or 4 TSS keys: 1) the device (e.g. iPhone 4 CDMA), 2) the firmware version being signed (e.g. 
4.2.8) and 3) the device&#8217;s\u00a0ECID, a &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[121,125,128,26,177,763,211,222,236,254,290,292,320,390,391,405,444,445,472,478,480,14],"class_list":["post-1354","post","type-post","status-publish","format-standard","","tag-3gs","tag-4-1","tag-4g","tag-apple","tag-blobs","tag-blog","tag-devices","tag-ecid","tag-firmware","tag-hash-tag","tag-iphone","tag-ipod","tag-llb","tag-pre","tag-pre-shsh","tag-random","tag-shsh","tag-signing","tag-ticket","tag-touch","tag-tss","tag-tutorials"],"_links":{"self":[{"href":"https:\/\/xctechs.info\/index.php?rest_route=\/wp\/v2\/posts\/1354","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xctechs.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xctechs.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xctechs.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/xctechs.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1354"}],"version-history":[{"count":0,"href":"https:\/\/xctechs.info\/index.php?rest_route=\/wp\/v2\/posts\/1354\/revisions"}],"wp:attachment":[{"href":"https:\/\/xctechs.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1354"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xctechs.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1354"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xctechs.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1354"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}