Are my shsh2/shsh files valid?

Note: i'm only refering to 64bit devices/shsh2/shsh files in this post.

Hello everyone,
last week we had a lot of news about jailbreaking.
The main things where the iOS 10.1.1 exploits by Ian Beer, the upcoming iOS 10.1.1 jailbreak by @qwertyoruiop and of course a bunch of updates about prometheus.
Prometheus not only allows downgrading, but also upgrading your device to a version which is not signed by apple anymore.
Since many people were jailbroken on iOS 9 already and didn't want to upgrade to iOS 10.1.1 and not be jailbroken for an unknown time, they were looking into using prometheus for updating to 10.1.1 once jailbreak is stable.
To prepare for the upgrade using prometheus shsh2 files needed to be saved while 10.1.1 was still signed. (Right now 10.1.1 is not signed anymore)
A lot of tools and wrappers around tsschecker where released which where meant to make saving shsh2 files easy for everyone. I'm totally fine with that, i don't mind if anyone makes a fancy gui around tsschecker, which makes saving shsh2 files for non-tech people easy. Though you should keep in mind that if a dev messes up anything there is a chance you can't use these shsh2 files. I can't and won't give support for anything but tsschecker, please don't ask me what error X means in tool Y and whether it worked or not.
That being said, let me try to answer most common questions:

Q: I get this error in tsschecker, does that mean saving blobs failed?

[Error] [TSSC] ERROR: device "iPhone8,2" is not in bbgcid.json, which means it's BasebandGoldCertID isn't documented yet.
If you own such a device please consider contacting @tihmstar (tihmstar@gmail.com) to get instructions how to contribute to this project.
[TSSR] WARNING: there was an error getting BasebandGoldCertID, continuing without requesting Baseband ticket
A: No everything is fine. This error tells you that your BasebandGoldCertID is not documented. This means tsschecker can't save a baseband ticket. When i started tsschecker i wanted to make a tool to actually check signing status, as well as sending customizable requests to the tss server, to see what it responds. Later in time i figured that saving the ticket is a handy feature so i implemented that too. A baseband ticket can not be used for anything useful at the moment. It is not needed for prometheus, so if you care about using these blobs for prometheus, you can savely ignore this.

Q: I saved a bunch of shsh2 files using some scripts which gave me a bunch of folders, do i need all of them or can i delete all but one?
A: You should never delete blobs you got! I didn't look at all those script and i don't know what exactly they are saving, but better you saved some blobs more than you need, than regreting having deleted the only blob you really need.




Q: I saved shsh files with savethemblobs, or some other tool. Are they valid? Can i still use them for prometheus?
A: I'll explain in a sec how to check if shsh are valid.
Can they be used with prometheus?
Short: No
Long:  Well it depends. Prometheus needs to make your phone somehow regenerate the nonce inside the apticket (shsh file) to be able to accept it. There are two ways of doing this:
1. write the generator for that nonce to nvram using a jailbreak+nonceEnabler
2. reboot your phone until it regenerates that nonce. Only works if you picked one of the nonces which are generated really really often and requested a ticket for that purposely. If you don't know what that means you probably didn't do it and can't use this method. Also tsschecker is the only tool i know of where you can manually specify a APNonce you want a ticket for.
For the first method you need to know the generator for the nonce. It is not possible to calculate a generator from a nonce, you can only calculate a nonce based on a generator. What tsschecker does is choose a random generator, derive a nonce from that and request a ticket. Then both is saved inside the shsh2 file. This is also the reason why generator is not saved when you manually specify an APNonce to get a ticket for.


Q: What's the difference between shsh2 and shsh files?
A: As seen in the answer of the previous question, shsh2 additionally saves generator (if possible), whereas shsh does not. Beside of that, the files are identical.



Are my shsh files valid? Can they be used for prometheus?
The first answer i gave to this question was "yes". I was thinking that the only thing someone could mess up is either something with the ECID or APNONCE. In case the user entered the wrong ecid the device would simply not accept the ticket. In that case you could still exit recovery and boot up normal (and wouldn't loose jailbreak in case you're jailbroken). If the user messed up something with the generator or the APNonce, the device also would reject the ticket. Again you'd still be able to exit recovery and wouldn't loose jailbreak.


Now this all does apply to iOS 9 and below, but iOS 10 is a bit different.
With iOS 10 Apple being a dick, changed stuff in APTickets. A new element called "OS" was introduced and included inside the tssrequest.




It's the hash of the filesystem being restored (or something like this), which is now also included in the APTicket.
The problem here is that even if the tss request does not include the "OS" tag, the server would return a APTicket without including the OS hash.
You get an APTicket response and think you're fine right? Nope!
When trying to restore with that APTicket the device tries to validate the filesystem hash inside the APTicket, but fails because it can't find any. Unfortunately this happens after the disk has been wiped and formatted, so if the restore fails at that point you end up with no filesystem. This means there is nothing to boot except recovery, which means you need to perform a clean restore (updating to the latest signed version).

I remember tsschecker had a bug where it would get you a ticket without OS tag, but that has been fixed long time ago with tsschecker 1.0.4. You can take a look at the changes here https://github.com/tihmstar/tsschecker/releases
Also 1.0.5 fixed a bug where generator wasn't saved so you're fine if you used tsschecker 1.0.5 or later.
If you recently saved your shsh2 files with tsschecker you're pobably fine, if you look closely tsschecker 1.0.5 was released on 29 Sep. That's the story with tsschecker, but i don't know if the other tools were also updated to include OS in their requets.


But how do i know if the OS tag was included in my APTicket or not?
Well, img4tool comes to the rescue!
http://api.tihmstar.net/builds/img4tool/img4tool-latest.zip
But until i fully implemented the --verify option (nonexisting at the time of writing), to check everything i want to be checked, you need to verify manually.

Let's take a look at an iOS 10.2 ticket with "img4tool -a -s my_10.2_ticket.shsh2"
(Note: use -a to see all entries of the manifest inside the ticket)


When using -a you get a bunch of these lines. I checked my tickets and those which were requested with OS to have the "rosi" tag whereas those which were requested without OS don't have that tag.


So do i simply check for that tag to be inside my shsh2 file?
I guess yes.
If you can't find that tag inside your shsh2 file, your files are invalid and a restore will probably fail.
If you see that tag inside your shsh2 file then your files are probably fine.
I can't gurantee that your restore won't fail, but this is the best i can come up with.


I would recommend to everyone who is planning to use prometheus:
Don't rush the restore and wait for someone to verify it's working. I know there are a lot of people who can't wait and want to be beta tester, but if you're not one of those people you should wait a few days and see how the beta tester are going. It is not likely that the restore will fail if your APTicket is valid, it worked for me several times, but it's also not impossible that there is some bug.
In case there are any bugs in prometheus i can try to fix them and if you don't rush restoring all at once then it's more likely that possible bugs are found before you attempt to restore.





I hope this post cleared up a bit more confusion, than it caused
if you have questions, send me a tweet or ask in /r/jailbreak


greets
tihmstar

Prometheus FAQ

Hello everyone,

many people have asked me lots of questions about my upcoming tool called prometheus.
This post intends to answer common questions:

Q: When prometheus will be released?
A: Planned releasedate is 31.12.16

Q: Will that work on Windows/Linux?
A: I plan to release a compiled commandline tool for OSX and linux. Windows is not planned at the moment. But i also plan to release all my sourcode so you could compile yourself.

Q: Will you make a GUI?
A: I might make a GUI for OSX. Not sure about anything else. It depends a lot on how much time i have.

Q: Does prometheus work with my device?
A: Yes, prometheus technically works with every iOS device. Because this is the first downgrade tool for 64bit i'm mostly focusing on that now. I haven't tested this with 32bit devices, but if there will be any issues i will look into that once i'm done with 64bit.

Q: Does that work with iOS XYZ?
A: So far i belive it works with all iOS versions up to iOS 10.0. I have only tested on iOS 9 and iOS 10, but there is no reason why it wouldn't work on iOS 8 for example. In case Apple changes something now, i will let you know about that, but at the moment all iOS versions should be compatible.

Q: Can i use this to upgrade to an iOS version which is not signed anymore?
A: Yes. Prometheus can not only be used for downgrading, but also for upgrading your device similar to odysseus. This means you can go from iOS 7 to iOS 9 even if only iOS 10 is signed at the moment.

Q: Do i need SHSH blobs / APTicket?
A: Yes. Prometheus heavily depends on APTickets and more important on the ApNonce inside the APTicket. This means that even if you have a valid APTicket, there is a chance this cannot be used (yet?) for downgrading.

Q: I savend my APTicket with savethemblobs/TinyUmbrella/ .... can i use those with prometheus?
A: It depends. Technically it doesn't matter what tool you use to save your APTicket, but what really matters in case of prometheus is the ApNonce. This is what decides if that APTicket can be used or not for downgrading with this method. I don't want to go into details right now, but once prometheus is released i'll explain in detail what conditions need to be met to downgrade, what is possible and what is not.

Q: My APTicket can't be used for prometheus. Does that mean i should delete it, throw my phone away, sell my house and leave my children?
A: NO! Don't ever delete you APTickets! Even if you can't use them with prometheus right now, you never know whether it'll be possible to use them in future with prometheus or a different downgrade tool. Prometheus goes an unusual way, which allows you to do very cool stuff on the one hand, but on the other hand it's usecase is very limited. There is a good chance that there will be different tools in future which can use your APTickets even if they can't be used right now.

Q: Do i need a jailbreak?
A: This is one of the things which excite me the most about prometheus. There are usecases where you can downgrade without the need of a jailbreak! I don't know all of these, but what i've seen so far hints that it's device specific whether you need a jailbreak or not. I've seen noncecollisions on iPhone5s and iPad Air. All devices which have noncecollisions are technically eligable for downgrading without jailbreak, but you need more! There are a few things you need to do to take advantage of these nonce collisions.
1. First you need to figure out what ApNonce is generated the most often. It doesn hurt if you write down the Top 5 nonces.
2. Second you need to request an APTicket for that nonce while apple still signs the iOS version you want to downgrade to.
You can do that with "tsschecker -d DEVICE -l -e ECID -s --apnonce NONCE"
For example: "tsschecker -d iPhone6,2 -l -e 6537582623 -s --apnonce 603be133ff0bdfa0f83f21e74191cf6770ea43bb"
3. Then when that version isn't signed anymore you will be able to downgrade.

Q: Will i still be able to use prometheus when i upgrade to iOS 10?
A: With every update introduced there is a chance that something changed which has influence on how nonces are generated. If your device does generate noncecollisions, you can do the following while the old version is still signed:
1. Update your device (only if you actually want this).
2. Use noncestatistics tool to figure out what nonce is generated the most often.
3. Request an APTicket for that nonce for the older version (iOS 9.3.5 for example) while it's still signed.
4. Done
If your device does not generate any collisions it doesn't matter what iOS version it's on as you'll need a jailbreak for downgrading.
(Unless apple updates stuff which makes prometheus not work on newer iOS, but we can't know about that until a jailbreak is released)

Q: What can i do right now to be able to donwgrade in future?
A: This is a very good question! At the time of writing iOS 10.0.1 is the latest version, but iOS 9.3.5 is still being signed.
What you should do no matter if you have collisions or not is to request APTickets for your device for iOS 9.3.5 (if you want to downgrade to 9.3.5 later) for the following ApNonces:
603be133ff0bdfa0f83f21e74191cf6770ea43bb
352dfad1713834f4f94c5ff3c3e5e99477347b95
42c88f5a7b75bc944c288a7215391dc9c73b6e9f
0dc448240696866b0cc1b2ac3eca4ce22af11cb3
9804d99e85bbafd4bb1135a1044773b4df9f1ba3
One of them should be enough, but it doesn't hurt to get APTickets for all of them. Better have saved a ticket too much than having you ticket you can work with.
If your device generates collisions, you should also save tickets for the nonce generated the most often.

Q: What are these nonces on your blog and why do i have to request APTicket for those?
A: I'll tell you more about that once prometheus is released, but right now it is enough to know that if you have APTickets for those nonces, you will be able to downgrade in futre by using a jailbreak.
(Unless apple does significant changes)

Q: My device generates collisions, do i still need to save APTickets for those nonces?
A: Yes, i would recommend so. It doesn't hurt and you'll be grateful in future when you decide to downgrade.



More questions?
Just send me a mail to tihmstar@gmail.com or ask on twitter @tihmstar :)

greets
tihmstar

Noncestatistics

Hello everybody,
thank you very much for everyone who sent me nonces!

I wanted to research these collisions a bit and now i want to share what i found out so far.
Here are all collisions inside the files i got: https://ghostbin.com/paste/6k62b

It is also interesting that there are collisions between different devices of the same model, with different iOS versions.
You can see thoses stats here: https://ghostbin.com/paste/p74ng

This means that we can use an iPhone5s to generate nonces and find out which nonces are generated the most often with given iOS version. Then other people with iPhone5s can request APTickets with that nonce and hope that they will eventually get that nonce.
You don't need to send me any more nonces.
But you should still take your device, run it for a few hours and check what nonce is generated the most often. In case you're lucky and there is a nonce which repeats every now and then, you should definetly grab tsschecker and grab tickets for that specific apnonce (you can do that with --apnonce parameter), because that means you'll likely be able to downgrade without jailbreak!
Warning: i noticed that nonces change when updating to iOS 10, which means there are different nonces which repeat on my device.
In order to downgrade you need to have the device generate the same nonce you got the APTicket for.

In case your device does not generate collisions you should request some tickets with these nonces:
603be133ff0bdfa0f83f21e74191cf6770ea43bb
352dfad1713834f4f94c5ff3c3e5e99477347b95
42c88f5a7b75bc944c288a7215391dc9c73b6e9f
0dc448240696866b0cc1b2ac3eca4ce22af11cb3
9804d99e85bbafd4bb1135a1044773b4df9f1ba3
this will allow you (unless apple does significant changes to their bootloaders) to downgrade with a jailbreak.
Make sure to request tickets with these nonces even if your device does generate collisions. It doesn't hurt ;)

Stay tuned for more updates
greets tihmstar

prometheus downgrade and nonce collision

Hello everybody,
as some of you might have heared already i've been working on something called prometheus.
Prometheus is much like odysseus a technique for downgrading.
With prometheus it is possible for the first time to downgrade 64bit devices!
A lot of people asked if this is 64bit only and if it's only for iPhone5s.
No it's not, but as this is the first tool to downgrade 64bit devices i'm focusing on that first.
32bit devices are supported by this technique and also are all 64bit devices.
The second question people asked is whether a jailbreak is required for downgrading.
The answer is: for some devices a jailbreak is neccessary, for some it's not.

The problem is i have no idea when a jailbreak is definetly required and when you can also downgrade without jailbreak.
Downgrade with jailbreak is always more likely to be possible than without, that means if you can't downgrade without a jailbreak, there is a chance you still can with a jailbreak.
My iPhone5s does not need a jailbreak, but all my other devices do need one.
I tried an iPhone5s from a friend and his iPhone can't be downgraded without a jailbreak.

I have no idea what is causing this, this is why i need your help!
So the basic idea of this tool is to run a replay attack of your saved APTicket much like in the good old days with iOS 4. Since iOS5 when APTicket were introduced there is a nonce stopping you from "simply replaying the APTicket".
So to be able to replay the APTicket we have to make the device to regenerate the same nonce.
There are two ways (i know of) to make the device regenearet the same nonce.
One requires a jailbreak and one if simply bad randomness.

So for reasons i don't know, my iPhone5s generates a few nonces over and over again so i can simply request a ticket for that nonce as long as it's signed and then keep rebooting it until i get the same nonce. Then i can just replay that APTicket and start the downgrade.
Of course there is more to downgrading than just replaying the APTicket with the nonce, for example there is still SEP and the Baseband. Just don't worry about that i got a plan for this.

Let's focus on the ApNonce for a now.
I need you help to figure out more about this bad randomness.
There is a tool i coded which is called "noncestatistics".
You can download it here: (OSX) https://github.com/tihmstar/noncestatistics/releases/tag/0.2
SHA1 (a1c0f78ad8b3c49bd10ea62006e551080cff5f81)
Sourcecode: https://github.com/tihmstar/noncestatistics

That tool will put your device in recovery mode, read out the ApNonce and write it to a file. Then it will reboot, read the nonce again and again write it to a file. This will continue until you stop it with Ctrl-C. Then it will reboot your device into normal mode and you can use it as if nothing happened. This is completely save. You can use -h for help.
 (in case something doesn't work you can set -a parameter to only set auto-boot to true)
If you want to help me, get this tool, connect your devices let it generate like 1000 or more nonces and email them to me (tihmstar@gmail.com). Make sure to write in the mail what device you're using and what iOS version is installed.
Maybe with this info we can figure out how we can use this for future downgrades.
Also you can do "noncestatistics -s FILE" to figure out what nonce is the one generated the most often (if there is any) and always request and APTicket for that nonce with tsschecker.

That's about it for this post,
stay tuned for more information

greets
tihmstar

ApTicketDumper64

UPDATE:
After i wrote this blogpost and asked for people's opinion on twitter, i've been told, that the file i was trying to extract using an overcomplicated method also does exist on the filesystem at
/System/Library/Caches/apticket.der
Thanks to @eriksmets for pointing that out.
So knowing that file exists, makes releasing the tool completly pointless, as basically all it does is parsing some img4 payloads, extracting exactly this file and putting it into a nice plist. Well, now all of this is completely unnneccessary as you can simply backup this file (via ssh or ifile or sth) if you want to save apticket of your currently installed iOS.
Even though @xerub has pointed out that SEP will be bigger of a problem than i though at first, i still think 64bit downgrades will be possible one day.
At least something like odysseusOTA should work one day.
Meanwhile i need to wait for the latest iOS to be jailbroken, because i will have to restore when running my tests. Also i need to get a 64bit device to play with at first place.
I'll let you know, as soon as there is something interesting ;)

//original post

It's been a while since last time i blogged. I've been busy with studying and bunch of other stuff. I even stopped making videos for my YouTube channel. But hey, i'm still alive, still doing research on things, still coding and spending most of my free time on twitter.
Right now i've been working on some shsh / apticket stuff. I know many of you are interested in downgrade and so i've been making tools for bunch of stuff related to downgrades.
ota.tihmstar.net is a js script which fetches the plist which tells iOS devices to what firmware they can OTA upgrade. It's not exactly an "ota signing status website", because it doesn't give you any information whether some firmware is signed or not. But if ios devices are told they can update OTA to some firmware we can safely assume it's signed.
Those who want to experiment a bit and check real signing status of some device / firmware / ota / baseband combination, should checkout "tsschecker". That's a tool, which requests an apticket from apple and if it get's one, a restore is technically possible. With that tool it is possible to send requests specifying the device, ios, whether to use normal restore or ota update, whether to ask for baseband ticket or not, or even manually specifying a BuildManifest of a beta or sth.
Right now it's almost 3am an i should probably go to sleep, but instead i've been coding on a tool called "ApTicketDumper64". It's late and my ideas for namig tools or making GUIs become pretty bad, i know.
This tool is based on something i found lately. I don't want to go too much into detail right now, because i don't know yet whether i'm going to release the tool yet. That's kinda something i'd like to ask you. But first let me give you some information. I assume this is something which works only on 64bit devices for reasons only apple knows. As i don't have a 64bit testdevice i can only assume stuff and not really test everything i'd like to test. Basically what this tool allows you to do is to dump SHSH blobs / Apticket from a jailbroken device. I really belive that one day it will be possible to downgrade 64bit devices so saving blobs is always a good idea. But what if one missed the signing window and couldn't save blobs? For example i have iOS 9.1 installed on my iPhone 6 but right now the latest signed iOS is 9.3.1. I could use tools to save 9.3.1 blobs (savethemblobs or tinyumbrella etc.) but with ApTicketDumper64 I could save my 9.1 blobs right from device like it was possible with iFaith in the good old limera1n days.
I guess now is a good time for a *DISCLAIMER*: i *belive* that method is able to save blobs. What i'm getting does look like an apticket and imo should work. But i can't tell 100%, because i did not have a chance to test anything.
One could say that having something that's gonna most likely work is still better than having no blobs at all, but the thing is i don't know if apple cares about this. Releasing this tool *might* point them to something they *might* fix. I don't really care about not being able to dump blobs from device, but it might be possible to somehow use this for downgrading. I can't really test this right now, because i don't have a 64bit testdevice and also there is no jailbreak available for latest iOS. Messing around with blobs and stuff means i have to restore after most of my tests. The problem is, having to restore a 64bit device means i have to upgrade to latest ios, which means no jailbreak, which means no more test.
Lot's of people on twitter want to help me testing stuff. Imo there is no point for that, because i might get some information if tests done correctly, but still the person would have to restore, which i don't want.

So the question now is, do i release that tool offering a possibility to save blobs for people who forgot to save, but still have a jailbroken iOS?
On the one hand this would be a safe way of people helping me to get information like: does dumping blobs work for everyone or just a few, does it work across all ios versions etc.
On the other hand it would be a risk that apple might change things in future ios versions and i don't know how it will affect downgrades.
Apple might mess around and make stuff much complicated, but to be honest i don't think that current iOS devices can be blocken from certain downgrade methods once they are figured out.
Please tell me what you think about this, either in the comments section below or on twitter.