The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "APTicket"
Line 12: | Line 12: | ||
iPad 2 users with iOS 4.3.x SHSH blobs can upload their 4.3.x iBSS via DFU and jump to iOS 5's iBEC. At this point, a signed IPSW can be used to restore to cached iOS 5 blobs. (This method is very effective on WiFi-only models. 3G models require the baseband to be installed/signed... Something like semaphore's TinyCFW can be implemented to get around this). |
iPad 2 users with iOS 4.3.x SHSH blobs can upload their 4.3.x iBSS via DFU and jump to iOS 5's iBEC. At this point, a signed IPSW can be used to restore to cached iOS 5 blobs. (This method is very effective on WiFi-only models. 3G models require the baseband to be installed/signed... Something like semaphore's TinyCFW can be implemented to get around this). |
||
+ | |||
+ | A vulnerability found independently by [[iH8sn0w]] and the [[iPhone dev team]] allowed downgrading all A5 devices running 5.x with their saved APTickets by restoring the latest firmware- verifying APTicket with the [[iBSS]] or [[iBoot]] then restoring the hacked firmware without APTicket- then when the restore ends, the requisite firmware is restored. This method is theoretically works with BBTickets, but such a [[baseband]] downgrade was never out. |
||
==References== |
==References== |
||
− | *[http://blog.iphone-dev.org/post/6952986620/blob-monster Dev-Team Blog] |
+ | *[http://blog.iphone-dev.org/post/6952986620/blob-monster Dev-Team Blog- explanation on APTicket's restrictions] |
+ | *[http://blog.iphone-dev.org/post/22834622159/5x-redux Release post for the A5 downgrade] |
||
+ | |||
==See Also== |
==See Also== |
Revision as of 10:21, 10 July 2012
APTickets are the new type of SHSH blobs, used by iOS 5.0 and newer. The client (iBSS/LLB/iBoot) generates a random string (nonce), then iTunes and the device sends the request for blob signing and the server returns the data, just like the original SHSH protocol.
Contents
Restoring
When iTunes or the on-device firmware upgrader sends a request to Apple's servers to confirm the APTicket, instead of returning the one already stored on the server, a new one is generated. Furthermore, devices with iOS 5 depend on the APTicket being legitimate to be able to boot; the device will enter Recovery Mode if it isn't.
Downgrading
Saurik's original replay attack method of allowing downgrades for any firmware that had been backed up on his server was partially halted for iOS 5 users due to this new system; now it will back up APTickets, but it can't send it directly from his servers; Redsn0w and iFaith can stitch a stock or custom firmware to enable downgrading with APTicket, but it only works for devices vulnerable to Limera1n Exploit.
Faking APTickets is complicated because they are signed with a private key that only Apple knows and they are also partly generated from a random string (nonce).
iOS 4.3.5 and older can still be downgraded if SHSH blobs were saved.
iPad 2 users with iOS 4.3.x SHSH blobs can upload their 4.3.x iBSS via DFU and jump to iOS 5's iBEC. At this point, a signed IPSW can be used to restore to cached iOS 5 blobs. (This method is very effective on WiFi-only models. 3G models require the baseband to be installed/signed... Something like semaphore's TinyCFW can be implemented to get around this).
A vulnerability found independently by iH8sn0w and the iPhone dev team allowed downgrading all A5 devices running 5.x with their saved APTickets by restoring the latest firmware- verifying APTicket with the iBSS or iBoot then restoring the hacked firmware without APTicket- then when the restore ends, the requisite firmware is restored. This method is theoretically works with BBTickets, but such a baseband downgrade was never out.
References
See Also
- Cydia article on Wikipedia
- redsn0w, which has functionality to backup APTickets on devices exploitable with limera1n
- Details from saurik about the replay attack