Wednesday, April 13, 2016

ApTicketDumper64

UPDATE:
After I wrote this blog post and asked for people's opinions on Twitter, I was told that the file I was trying to extract using an overcomplicated method also exists on the filesystem at
/System/Library/Caches/apticket.der
Thanks to @eriksmets for pointing that out.
Knowing that this file exists makes releasing the tool completely pointless, as basically all it does is parse some img4 payloads, extract exactly this file and put it into a nice plist. All of this is now completely unnecessary, as you can simply back up this file (via ssh, iFile or something similar) if you want to save the apticket of your currently installed iOS.
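Since the update boils down to "copy apticket.der off the device and wrap it in a plist", here is an added example of that wrapping step (my own code written for this page, not ApTicketDumper64 or anything the author published). It checks that the copied file at least has the outer framing of an Image4 manifest (a DER SEQUENCE whose first element is the IA5String "IM4M") before storing it under an ApImg4Ticket key, and it round-trips the result through plistlib. The ApImg4Ticket key name, the minimal framing check, and the constructed stand-in manifest are assumptions made for the example; the stand-in is not a real ticket, and nothing here verifies Apple's signature.

```python
import plistlib

# Universal DER tags used below.
DER_INTEGER = 0x02
DER_OCTET_STRING = 0x04
DER_IA5STRING = 0x16
DER_SEQUENCE = 0x30


def _der(tag, content):
    """Encode one DER TLV (definite length). Used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_tlv(buf, pos):
    """Decode the DER TLV starting at buf[pos]; return (tag, value, end_offset).
    Raises IndexError or ValueError on truncated or non-DER input."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:        # indefinite or absurd length: not DER
            raise ValueError("unsupported DER length encoding")
        if pos + nbytes > len(buf):
            raise IndexError("truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:end], end


def looks_like_im4m(blob):
    """True if blob is exactly one DER SEQUENCE whose first element is IA5String "IM4M".
    This is a plausibility check on the container framing only, not signature validation."""
    try:
        tag, body, end = _read_tlv(blob, 0)
        inner_tag, magic, _ = _read_tlv(body, 0)
    except (IndexError, ValueError):
        return False
    return (tag == DER_SEQUENCE and end == len(blob)
            and inner_tag == DER_IA5STRING and magic == b"IM4M")


def wrap_ticket(blob):
    """Wrap the raw manifest in the dict that becomes the saved plist.
    The key name ApImg4Ticket is an assumption of this example."""
    if not looks_like_im4m(blob):
        raise ValueError("input does not look like an IM4M apticket")
    return {"ApImg4Ticket": bytes(blob)}


def to_plist_bytes(blob):
    return plistlib.dumps(wrap_ticket(blob))


def ticket_from_plist_bytes(data):
    return plistlib.loads(data)["ApImg4Ticket"]


def build_sample_manifest(padding=0):
    """Constructed stand-in sharing only the outer framing of a manifest:
    SEQUENCE { IA5String "IM4M", INTEGER 0 [, OCTET STRING padding] }.
    padding > 127 exercises the long-form length path. Not a real ticket."""
    body = _der(DER_IA5STRING, b"IM4M") + _der(DER_INTEGER, b"\x00")
    if padding:
        body += _der(DER_OCTET_STRING, b"\x00" * padding)
    return _der(DER_SEQUENCE, body)


if __name__ == "__main__":
    # Usage after copying the file off a jailbroken device, e.g.
    #   scp root@<device>:/System/Library/Caches/apticket.der .
    #   python3 wrap_apticket.py apticket.der apticket-9.1.plist
    # With no arguments the constructed sample is round-tripped instead.
    import sys
    if len(sys.argv) >= 3:
        with open(sys.argv[1], "rb") as f:
            raw = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(to_plist_bytes(raw))
        print("saved %d-byte ticket to %s" % (len(raw), sys.argv[2]))
    else:
        sample = build_sample_manifest(padding=200)
        print("round trip ok:", ticket_from_plist_bytes(to_plist_bytes(sample)) == sample)
```

The check deliberately rejects trailing bytes and truncated files, since a partial copy over a flaky ssh session is exactly the failure mode you want to catch before relying on the backup.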
Even though @xerub has pointed out that SEP will be a bigger problem than I thought at first, I still think 64-bit downgrades will be possible one day.
At least something like odysseusOTA should work one day.
Meanwhile I need to wait for the latest iOS to be jailbroken, because I will have to restore when running my tests. Also, I need to get a 64-bit device to play with in the first place.
I'll let you know as soon as there is something interesting ;)

//original post

It's been a while since I last blogged. I've been busy studying and with a bunch of other stuff. I even stopped making videos for my YouTube channel. But hey, I'm still alive, still doing research, still coding and spending most of my free time on Twitter.
Right now I've been working on some SHSH / apticket stuff. I know many of you are interested in downgrades, so I've been making tools for a bunch of downgrade-related things.
ota.tihmstar.net is a JS script which fetches the plist that tells iOS devices which firmware they can OTA upgrade to. It's not exactly an "OTA signing status website", because it doesn't tell you whether some firmware is signed or not. But if iOS devices are told they can OTA update to some firmware, we can safely assume it's signed.
Those who want to experiment a bit and check the real signing status of some device / firmware / OTA / baseband combination should check out "tsschecker". That's a tool which requests an apticket from Apple, and if it gets one, a restore is technically possible. With that tool it is possible to send requests specifying the device, the iOS version, whether to use a normal restore or an OTA update, whether to ask for a baseband ticket or not, or even manually specifying a BuildManifest of a beta or something.
Right now it's almost 3am and I should probably go to sleep, but instead I've been coding a tool called "ApTicketDumper64". It's late and my ideas for naming tools or making GUIs get pretty bad, I know.
This tool is based on something I found lately. I don't want to go into too much detail right now, because I don't know yet whether I'm going to release the tool. That's kind of what I'd like to ask you. But first let me give you some information. I assume this is something which works only on 64-bit devices, for reasons only Apple knows. As I don't have a 64-bit test device I can only assume stuff and not really test everything I'd like to test. Basically what this tool allows you to do is dump SHSH blobs / the apticket from a jailbroken device. I really believe that one day it will be possible to downgrade 64-bit devices, so saving blobs is always a good idea. But what if one missed the signing window and couldn't save blobs? For example, I have iOS 9.1 installed on my iPhone 6, but right now the latest signed iOS is 9.3.1. I could use tools to save 9.3.1 blobs (savethemblobs, TinyUmbrella etc.), but with ApTicketDumper64 I could save my 9.1 blobs right from the device, like it was possible with iFaith in the good old limera1n days.
I guess now is a good time for a *DISCLAIMER*: I *believe* that this method is able to save blobs. What I'm getting does look like an apticket and imo should work. But I can't tell 100%, because I did not have a chance to test anything.
One could say that having something that's most likely going to work is still better than having no blobs at all, but the thing is, I don't know if Apple cares about this. Releasing this tool *might* point them to something they *might* fix. I don't really care about not being able to dump blobs from the device, but it might be possible to somehow use this for downgrading. I can't really test this right now, because I don't have a 64-bit test device and also there is no jailbreak available for the latest iOS. Messing around with blobs and stuff means I have to restore after most of my tests. The problem is, having to restore a 64-bit device means I have to upgrade to the latest iOS, which means no jailbreak, which means no more tests.
Lots of people on Twitter want to help me test stuff. Imo there is no point in that, because I might get some information if the tests are done correctly, but the person would still have to restore, which I don't want.

So the question now is: do I release this tool, offering a possibility to save blobs for people who forgot to save them but still have a jailbroken iOS?
On the one hand, this would be a safe way for people to help me get information like: does dumping blobs work for everyone or just a few, does it work across all iOS versions, etc.
On the other hand, there is a risk that Apple might change things in future iOS versions, and I don't know how that would affect downgrades.
Apple might mess around and make things much more complicated, but to be honest I don't think that current iOS devices can be blocked from certain downgrade methods once they are figured out.
Please tell me what you think about this, either in the comments section below or on Twitter.