The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "SHSH"
(→iOS: 11.0.3 is not signed.) |
(→iOS: So 11.0.1 is signed for some devices.) |
||
Line 51: | Line 51: | ||
|- |
|- |
||
| 11.0.3 |
| 11.0.3 |
||
− | | rowspan=" |
+ | | rowspan="2" | [[iPad Air]], [[iPad Air 2]], [[iPad Pro (12.9-inch)]], [[iPad Pro (9.7-inch)]], [[iPad (5th generation)]], [[iPad Pro (12.9-inch, 2nd generation)]], [[iPad Pro (10.5-inch)]], [[iPad mini 2]], [[iPad mini 3]], [[iPad mini 4]], [[iPhone 5s]], [[N61AP|iPhone 6]], [[N56AP|iPhone 6 Plus]], [[iPhone 6s]], [[iPhone 6s Plus]], [[iPhone SE]], [[iPhone 7]], [[iPhone 7 Plus]], [[iPhone 8]], [[iPhone 8 Plus]], [[N102AP|iPod touch (6th generation)]] |
| {{date|2017|10|11}} |
| {{date|2017|10|11}} |
||
| {{date|2017|11|28}} |
| {{date|2017|11|28}} |
||
Line 61: | Line 61: | ||
| {{no|Closed}} |
| {{no|Closed}} |
||
|- |
|- |
||
− | | 11.0.1 |
+ | | rowspan="2" | 11.0.1 |
+ | | [[iPhone 8]], [[iPhone 8 Plus]] |
||
− | | {{date|2017|09|26}} |
||
+ | | rowspan="2" | {{date|2017|09|26}} |
||
+ | | - |
||
+ | | {{yes|Open}} |
||
+ | |- |
||
+ | | rowspan="2" | [[iPad Air]], [[iPad Air 2]], [[iPad Pro (12.9-inch)]], [[iPad Pro (9.7-inch)]], [[iPad (5th generation)]], [[iPad Pro (12.9-inch, 2nd generation)]], [[iPad Pro (10.5-inch)]], [[iPad mini 2]], [[iPad mini 3]], [[iPad mini 4]], [[iPhone 5s]], [[N61AP|iPhone 6]], [[N56AP|iPhone 6 Plus]], [[iPhone 6s]], [[iPhone 6s Plus]], [[iPhone SE]], [[iPhone 7]], [[iPhone 7 Plus]], [[N102AP|iPod touch (6th generation)]] |
||
| {{date|2017|11|16}} |
| {{date|2017|11|16}} |
||
| {{no|Closed}} |
| {{no|Closed}} |
Revision as of 22:38, 28 November 2017
As the SHSH blob article on Wikipedia summarizes it: "SHSH blob is a jargon term for a small piece of data that is part of Apple's digital signature protocol for iOS restores and updates, designed to control the iOS versions that users can install on their iOS devices (iPhones, iPads, iPod touches, and Apple TVs), generally only allowing the newest iOS version to be installable. "
Technically, the SHSH of a firmware image is a 1024-bit (0x80
bytes) RSA signature. This often also refers to backup files with the signature ("SHSH blobs"). This signature is needed to restore a specific iOS version; it is generated by Apple based on hardware keys of the device and the hash of the firmware. Apple only issues signatures for the currently-available iOS version, which disallows installing older iOS versions. But if you have saved signatures for an older iOS version, you may be able to use a replay attack to restore that version. Therefore it is recommended to save the signature for your device as long as Apple issues it.
With the tools mentioned below it is possible to backup the signature. It is not necessary that the device is jailbroken to do the backup. Usually the SHSH signature file is stored on Saurik's server. If it is stored there, then you can see in the top of Cydia (on jailbroken devices) for which version a backup exists. This moved to TSS Center which can be located on the main page and then they are shown at the top of that.
Users often misunderstand this system and think that the SHSH firmware version they back up depends on the firmware version they have installed on their device. This is the case for iFaith, but not for TinyUmbrella. iFaith dumps the SHSHs from your device's storage (whatever's installed on your device, e.g. 4.3.3), while TinyUmbrella gets SHSHs from Apple's servers (whatever firmwares Apple is currently signing).
Using SHSH
Older devices (iPhone and iPod touch) do not use SHSH signatures, so installation of any firmware on these devices is possible.
iPhone OS 1.x and 2.x do not use SHSH signatures, and can therefore be downgraded to at any time, even on devices that do use SHSH signatures, such as iPhone 3G.
Versions above iPhone OS 3.0 require the iBEC, iBSS, and LLB to be fully signed with an SHSH for the ECID of that device.
However, some devices are vulnerable to untethered bootrom exploits, such as 0x24000 Segment Overflow or alloc8. These devices can be restored to a custom IPSW in Pwned DFU Mode for any version that is available to that particular device. Notable devices vulnerable to untethered bootrom exploits are the iPhone 3GS and iPod touch (2nd generation). The limera1n Exploit is able to provide a tethered downgrade for vulnerable devices.
Since various exploits, such as the limera1n Exploit, are fixed in the bootrom since version Bootrom 838.3 and because iOS versions 5.0 and above includes a nonce in their SHSH hashes, downgrading newer devices is not as simple. Blobs must be stitched into a custom firmware, and restored to in Pwned DFU Mode.
Blobs can be saved with tools such as iFaith and TinyUmbrella. Firmwares can be stitched using iFaith, redsn0w or sn0wbreeze.
Newer methods such as Odysseus, Prometheus or iDeviceReRestore are used now because other tools have become outdated and newer versions of iTunes prevents restores to custom versions.
Timeline
As noted above, the original iPhone and iPod touch didn't use SHSH blobs. iPhone OS 1.x and 2.x didn't use SHSH blobs either.
iOS
Apple TV
Marketing Version | OS Version | For Device(s) | From | Until | Status |
---|---|---|---|---|---|
N/A | 11.1 | Apple TV (4th generation), Apple TV 4K | 31 October 2017 | - | Open |
11.0 | 19 September 2017 | - | |||
10.2.2 | Apple TV (4th generation) | 19 July 2017 | - | Open | |
10.2.1 | 15 May 2017 | 9 August 2017 | Closed | ||
10.2 | 27 March 2017 | 27 June 2017 | Closed | ||
10.1.1 | 23 January 2017 | 10 April 2017 | Closed | ||
10.1 | 12 December 2016 | 30 January 2017 | Closed | ||
10.0.1 | 24 October 2016 | 30 January 2017 | Closed | ||
10.0 | 13 September 2016 | 31 October 2016 | Closed | ||
9.2.2 | 18 July 2016 | 18 October 2016 | Closed | ||
9.2.1 | 16 May 2016 | 23 September 2016 | Closed | ||
9.2 | 21 March 2016 | 10 June 2016 | Closed | ||
9.1.1 | 25 January 2016 | 5 April 2016 | Closed | ||
9.1 | 8 December 2015 | 4 February 2016 | Closed | ||
9.0.1 | 9 November 2015 | 21 December 2015 | Closed | ||
9.0 | 29 October 2015 | 14 December 2015 | Closed | ||
7.2.2 | 8.4.2 | Apple TV (3rd generation) | 12 December 2016 | - | Open |
7.2.1 | 8.4.1 | 25 February 2016 | 20 December 2016 | Closed | |
7.2 | 8.3 | 8 April 2015 | 7 April 2016 | Closed | |
7.1 | 8.2 | 9 March 2015 | 4 May 2015 | Closed | |
7.0.3 | 8.1.3 | 27 January 2015 | 23 March 2015 | Closed | |
7.0.2 | 8.1.1 | 17 November 2014 | 1 April 2015 | Closed | |
7.0.1 | 8.1 | 20 October 2014 | 1 December 2014 | Closed | |
7.0 | 8.0 | 17 September 2014 | 22 October 2014 | Closed | |
6.2.1 | 7.1.2 | Apple TV (2nd generation) | 13 February 2017 | - | Open |
17 September 2014 | 13 February 2017 | Closed | |||
6.2 | Apple TV (2nd generation), Apple TV (3rd generation) | 30 June 2014 | 26 September 2014 | Closed | |
6.1.1 | 7.1.1 | 22 April 2014 | 11 July 2014 | Closed | |
6.1 | 7.1 | 10 March 2014 | 30 April 2014 | Closed | |
6.0.2 | 7.0.6 | 21 February 2014 | 10 March 2014 | Closed | |
7.0.4 | 14 November 2013 | 21 February 2014 | Closed | ||
6.0.1 | 7.0.3 | 24 October 2013 | 14 November 2013 | Closed | |
6.0 | 7.0.2 | 24 September 2013 | 29 October 2013 | Closed | |
7.0.1 | 20 September 2013 | 24 September 2013 | Closed | ||
5.3 | 6.1.4 | Apple TV (3rd generation) (AppleTV3,2) | 19 June 2013 | 21 September 2013 | Closed |
Apple TV (2nd generation), Apple TV (3rd generation) (AppleTV3,1) | 13 February 2017 | - | Open | ||
19 June 2013 | 13 February 2017 | Closed | |||
5.2.1 | 6.1.3 | Apple TV (2nd generation), Apple TV (3rd generation) | 19 March 2013 | 20 June 2013 | Closed |
5.2 | 6.1 | 28 January 2013 | 20 March 2013 | Closed | |
5.1.1 | 6.0.1 | Apple TV (2nd generation), Apple TV (3rd generation) (AppleTV3,1) | 26 November 2012 | 20 March 2013 | Closed |
5.1 | 6.0 | 24 September 2012 | 20 March 2013 | Closed | |
5.0.2 | 5.1.1 | 5 June 2012 | 20 March 2013 | Closed | |
5.0.1 | 10 May 2012 | July 2012 (day unknown) | Closed | ||
5.0 | 5.1 | 7 March 2012 | 14 May 2012 | Closed | |
4.4.4 | 5.0.1 | Apple TV (2nd generation) | 15 December 2011 | 8 March 2012 | Closed |
4.4.3 | 17 November 2011 | 11 January 2012(?) | Closed | ||
4.4.2 | 5.0 | 24 October 2011 | 11 January 2012(?) | Closed | |
4.4.1 | 17 October 2011 | ? | Closed | ||
4.4 | 4 October 2011 | ? | Closed | ||
4.3 | 9 March 2011 | ? | Closed | ||
4.2.2 | 4.3 | 11 May 2011 | 18 October 2011 (?) | Closed | |
4.2.1 | 22 March 2011 | 28 May 2011 (?) | Closed | ||
4.2 | 9 March 2011 | 22 March 2011 (?) | Closed | ||
4.1.1 | 4.2.1 | 14 December 2010 | 28 May 2011 (?) | Closed | |
4.1 | 4.2 | 22 November 2010 | 14 December 2010 | Closed | |
4.0 | 4.1 | 29 September 2010 | 2 December 2010 (?) | Closed |
Protocol
To request a SHSH blob from Apple, a simple HTTP request can be made. For a full description, see the separate articles SHSH Protocol and Baseband SHSH Protocol.