Bad news for the jailbreakers amongst us. The Dev-Team put up a post on the group's blog tonight explaining that Apple's iOS 5 betas provide clues as to how the company intends to combat the saving of SHSH blobs moving forward.
It looks like Apple is about to aggressively combat the “replay attacks” that have until now allowed users to use iTunes to restore to previous firmware versions using saved SHSH blobs.
The jailbreaking supremos' post explains that Apple is now beginning to make more use of the 'APTicket', which, once iOS 5 or later is installed, will be checked on every boot of an iDevice.
The problem here is that the 'APTicket' will be uniquely generated each time an iPhone, iPad or iPod touch is restored, meaning that existing methods of saving SHSH blobs will no longer work: Apple is the only party that can produce a valid APTicket for a given restore.
Starting with the iOS5 beta, the role of the “APTicket” is changing — it’s being used much like the “BBTicket” has always been used. The LLB and iBoot stages of the boot sequence are being refined to depend on the authenticity of the APTicket, which is uniquely generated at each and every restore (in other words, it doesn’t depend merely on your ECID and firmware version…it changes every time you restore, based partly on a random number). This APTicket authentication will happen at every boot, not just at restore time. Because only Apple has the crypto keys to properly sign the per-restore APTicket, replayed APTickets are useless.
The Dev-Team does take pains to point out that, while this hints at a new approach from Apple, talking about or working on iOS 5 beta releases probably isn't the best way to approach things. Until Apple ships the final release of iOS 5 to the masses, we really are guessing at what it intends to do.
It is also worth remembering that geohot's limera1n exploit takes effect before any 'APTicket' checks are made, so, in theory at least, tethered jailbreaks should still be possible on the devices it applies to.
This will only affect restores starting at iOS 5 and onward, and Apple will be able to flip that switch off and on at will (by opening or closing the APTicket signing window for that firmware, like they do for the BBTicket). geohot’s limera1n exploit occurs before any of this new checking is done, so tethered jailbreaks will still always be possible for devices where limera1n applies. Also, restoring to pre-5.0 firmwares with saved blobs will still be possible (but you’ll soon start to need to use older iTunes versions for that). Note that iTunes ultimately is *not* the component that matters here… it’s the boot sequence on the device starting with the LLB.
Firmwares older than iOS 5 are unaffected.
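As an added illustration (not the Dev-Team's or Apple's code, and not Apple's real ticket format), the following Python model contrasts the two schemes described in the quoted post: a pre-iOS 5 ticket bound only to ECID and firmware version, which a saved copy satisfies again on a later restore, and the iOS 5 model in which the LLB/iBoot check also binds the ticket to a random per-restore nonce. The HMAC key and the ECID are constructed stand-ins for Apple's signing key and a real device.

```python
import hashlib
import hmac
import os

# Constructed stand-ins. The real ticket is an asymmetric signature verified
# with Apple's public key; an HMAC keeps this model self-contained.
SIGNING_KEY = b"constructed-signing-key"
ECID = 0x1234_5678_9ABC_DEF0  # constructed device ECID


def _ticket_message(ecid, fw_version, nonce):
    return f"{ecid:x}:{fw_version}:{nonce.hex() if nonce else '-'}".encode()


def sign_ticket(ecid, fw_version, nonce=None):
    """Model of Apple's signing server. Pre-iOS 5 the ticket covers only
    ECID + firmware version; the iOS 5 model also covers a per-restore nonce."""
    sig = hmac.new(SIGNING_KEY, _ticket_message(ecid, fw_version, nonce),
                   hashlib.sha256).digest()
    return {"ecid": ecid, "fw": fw_version, "nonce": nonce, "sig": sig}


def llb_verify(ticket, ecid, fw_version, boot_nonce=None):
    """Model of the LLB/iBoot check at every boot: signature must be valid for
    this ECID/firmware and (iOS 5 model) the nonce must match this restore."""
    expected = hmac.new(SIGNING_KEY,
                        _ticket_message(ecid, fw_version, ticket["nonce"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ticket["sig"]):
        return False
    if boot_nonce is None:              # pre-iOS 5: nothing per-restore to bind to
        return True
    return ticket["nonce"] == boot_nonce


def old_scheme_replay():
    """Pre-iOS 5: a blob saved while Apple was signing 4.3.3 still verifies on
    a later restore, because nothing in it changes between restores."""
    saved_blob = sign_ticket(ECID, "4.3.3")
    return llb_verify(saved_blob, ECID, "4.3.3")


def new_scheme_replay():
    """iOS 5 model: returns (verifies on its own restore, verifies when replayed
    on the next restore, verifies after the nonce field alone is edited)."""
    nonce_1 = os.urandom(20)
    ticket = sign_ticket(ECID, "5.0", nonce_1)       # Apple signs this restore
    ok_now = llb_verify(ticket, ECID, "5.0", nonce_1)
    nonce_2 = os.urandom(20)                         # next restore, fresh nonce
    replayed = llb_verify(ticket, ECID, "5.0", nonce_2)
    edited = dict(ticket, nonce=nonce_2)             # nonce swapped, signature stale
    return ok_now, replayed, llb_verify(edited, ECID, "5.0", nonce_2)
```

Running `old_scheme_replay()` returns True while `new_scheme_replay()` returns (True, False, False): the saved ticket is only good for the one restore whose nonce Apple signed.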