1. z3r01's Avatar
    I agree... he's just trying to push us in the wrong direction.


    I think we need to figure out, from someone who has a 3.1.2 SHSH file, what's in there that Apple allows for the downgrade to happen... then maybe tweak around the 3.1.3 SHSH file.... Nothing's impossible, we just need a genius to figure it out.
    I think that these seven pages are all "I think" and no "I did"... it's great to come up with a trillion ideas, but who is trying them? Organize a team first, then you can organize your ideas... till then it's just all ideas, no action...
    2010-04-24 02:16 PM
  2. gurktomat's Avatar
    I don't know how I can help you, but I'd like to.
    I grabbed the SHSH from my iPod 3G with Umbrella.

    http://n9ghtw.bay.livefilestore.com/...3.1.2.shsh.txt
    http://public.bay.livefilestore.com/...3.1.3.shsh.txt
    Last edited by gurktomat; 2010-04-24 at 04:52 PM.
    2010-04-24 04:44 PM
  3. katmeef's Avatar
    > Katmeef...
    >
    > Come on... it's actually called EEPROM, "Electronically Erasable Programmable Read-Only Memory"... If you don't know that, you should do some research on how ROMs work.
    >
    > Secondly, this BOOT ROM gets updated. If you were to read a little, you would find out that when they updated to 3.1.3 they modified the bootrom to stop the jailbreak bug that everyone was using.
    >
    > Thirdly, I would appreciate your help, since I do not have a Mac machine to test with us and try and productively figure out a different way of setting everyone free (that is why they call it JAILBREAK) from the evil claws of Apple. Putting everyone down with your comments doesn't really help, and if everyone took the attitude of "oh look, they are fools", we would all still be on 2.0 with no jailbreak and Apple happily in charge of everything.
    I haven't read of anyone proving conclusively that the bootrom can be flashed via software at all.

    Secondly, the bootrom does not get updated during the upgrade process to 3.1.3 (who needs to read more here?). The OS and the baseband get updated. From the iPhone wiki: "iBoot-359.3.2 is the S5L8920 bootrom revision for the iPhone 3GS sold starting September 2009." If what you said were true, everyone who had a pre-September 3GS and upgraded to 3.1.3 and then down to 3.1.2 again (because they were able to cache the blobs when Apple was still signing them) would have been upgraded to the new bootrom (and would no longer be able to use custom firmwares)... Also, think about the number of bricked iPhones Apple would be replacing if they tried to upgrade the bootrom on OS upgrades.

    Thirdly, jailbreak tools can be written for Windows. And there's a thing called VMware if you really want to play with OS X. Come up with something plausible and I will dedicate my efforts. At this point, you are just grasping at straws and not suggesting anything that hasn't been investigated already.
    Last edited by katmeef; 2010-04-24 at 09:53 PM.
    2010-04-24 09:38 PM
  4. iYeow's Avatar
    Instead of trying to figure out how to edit the SHSH file to trick iTunes into thinking it is the right file, why don't we concentrate on how to bypass the use of the SHSH file for the verification process, so all of us can downgrade whenever we want?
    2010-04-24 09:49 PM
  5. katmeef's Avatar
    > I don't know how I can help you, but I'd like to.
    > I grabbed the SHSH from my iPod 3G with Umbrella.
    >
    > http://n9ghtw.bay.livefilestore.com/...3.1.2.shsh.txt
    > http://public.bay.livefilestore.com/...3.1.3.shsh.txt
    I see 41 changes using opendiff; everything appears encrypted, however.
    Last edited by katmeef; 2010-04-24 at 10:10 PM.
    2010-04-24 10:08 PM
  6. Cid6.7's Avatar
    > I see 41 changes using opendiff; everything appears encrypted, however.
    I noticed the same. I wonder if you could take the iBoot blob from 3.1.2 and stick it in the 3.1.3.
    2010-04-24 10:17 PM
  7. katmeef's Avatar
    I think the blobs incorporate (in an encrypted form) not only the hashes of the files to be flashed, but the ECID of the specific device as well.

    If we could decrypt the information, we could at least learn how the data is structured within the blobs and possibly figure out a way to spoof a response. But I think we're missing a few things to be able to do this. Namely, the key to decrypt (and then the key to re-encrypt the blobs so the phone would accept them).

    The 'grasping at straws' :P alternative would be to get many more examples of 3.1.2 and 3.1.3 blobs to try to isolate the encrypted changes, but I don't think this would work without the encryption keys, as the ECID is incorporated.

    > Feel free to rip me, katmeef
    lol, no, you're not being pompous. It's comments like "I'm a veteran programmer" that get me going.
    Last edited by katmeef; 2010-04-24 at 10:52 PM. Reason: Automerged Doublepost
    2010-04-24 10:50 PM
  8. eastonl33t's Avatar
    > I think the blobs incorporate (in an encrypted form) not only the hashes of the files to be flashed, but the ECID of the specific device as well.
    >
    > If we could decrypt the information, we could at least learn how the data is structured within the blobs and possibly figure out a way to spoof a response. But I think we're missing a few things to be able to do this. Namely, the key to decrypt (and then the key to re-encrypt the blobs so the phone would accept them).
    >
    > The 'grasping at straws' :P alternative would be to get many more examples of 3.1.2 and 3.1.3 blobs to try to isolate the encrypted changes, but I don't think this would work without the encryption keys, as the ECID is incorporated.
    >
    > lol, no, you're not being pompous. It's comments like "I'm a veteran programmer" that get me going.

    You are wise.
    2010-04-25 12:37 AM
  9. jjh4ck3rs's Avatar
    Okay, here is my idea. I was reading the thread and I saw someone say how about freezing iTunes with Cheat Engine? I was thinking, if we used a normal 3.1.3 firmware file from Apple, with the shift-restore, and let iTunes extract the IPSW and do the checking-with-Apple thing, and then when it gets to the "preparing iPhone" stage you freeze it. And then switch out the 3.1.3 file that you got from Apple with a 3.1.2 file that is from Apple, but name it the same as the 3.1.3 file was named and put it in the same spot. And then unfreeze iTunes and see if it will let you continue with the install. I don't know if this will work at all, I don't know if it is worth a try or what? Or do this kind of method except a little different. So yeah... PM me or something if you have any comments or email me [email protected]. Thanks (:
    2010-04-25 12:55 AM
  10. mr2sweet's Avatar
    I've tried swapping the 3.1.3 files with custom ones after Apple verifies the stock 3.1.3 and says it's OK. It starts to restore fine, but if you notice, halfway through the restore it verifies the firmware. If you leave it, it will error out after this step with a code 14. I've also tried to swap a stock firmware back in right after so it will verify, and then swap a custom one back in after to finish the process, but it errors out before I can get the stock one back in. If you place the custom one in after it starts to restore and then verifies, it will finish the restore fine, but the phone won't be jailbroken with the custom firmware. I know someone said that it's all a lot of thoughts and no doing, but I've tried almost every idea I've read or can come up with. I've tried changing a bunch of files in the iPhone backup and haven't gotten it to show 3.1.2 at all. I'm willing to try pretty much anything if I have the ability to.
    2010-04-25 01:12 AM
  11. katmeef's Avatar
    ^^ That's because verification takes place within the phone itself. Even if you can get iTunes to send it over, the phone requires the correct SHSH response.

    > A very interesting thread you guys have here. Let me see if I can help you guys out a bit. To read the SHSH file properly on a Mac, open it with a text editor and delete the first line up to the characters <?. Save the file and open it with PlistEdit Pro. This will show you which files are signed by Apple: the blob for each individual file and the partial digest for each file. The blob is 1024 bytes and the partial digest is 28 bytes. If you copy the blob bytes to a hex edit app, you will see your ECID in the first line. The ECID is byte reversed. The next few lines have the hash signature. The signature is 128 bytes, I think. I am sorry for the sketchy details, as I am using my iPhone to post and giving details from memory. If more details are required, I will be happy to post.
    By byte reversed, do you mean reverse them like wildcard mask vs subnet mask? Trying now..
    Last edited by katmeef; 2010-04-25 at 03:38 AM. Reason: Automerged Doublepost
    2010-04-25 03:38 AM
  12. lapaki's Avatar
    There is big endian and little endian, as the Intel way goes. Any background in assembler language? That's a great field of study; search for +fravia or +orc, those guys were the ones who ruled in the time. Wish +fravia was still around; he would have helped in these matters, not by giving you the JB, but by putting you on the way of learning.
    Sigh, I miss the guy.
    2010-04-25 03:52 AM
  13. katmeef's Avatar
    yazz2020, were you able to get this to work?
    Does anyone have a 3.1.2 SHSH blob from a 32 GB 3GS to look at?

    / I can get iTunes fooled; it will go as far as 'preparing iPhone for restore' when choosing the stock 3.1.2 firmware... but the phone itself is another story, it just sticks in recovery mode, and eventually the process times out. (I am working from another user's 16 GB 3.1.2 blobs, my phone is 32 GB.)
    Last edited by katmeef; 2010-04-25 at 07:14 AM.
    2010-04-25 06:48 AM
  14. pheroah's Avatar
    > lol, no, you're not being pompous. It's comments like "I'm a veteran programmer" that get me going.
    Thanks Katmeef, I was not being arrogant, I have over 15 years of hardcore C++ experience. I am just new to the mobile arena, so instead of challenging me, let us work together to try and do this.
    2010-04-25 10:47 AM
  15. yazz2020's Avatar
    To get a 3.1.2 SHSH for a 3GS, just google ECID; a lot of folks out there have put their ECID on the net. Once you have it, open Umbrella, direct it to Saurik's server and download.
    2010-04-25 11:40 AM
  16. confucious's Avatar
    Why not just use your own ECID? The fact that they are unique means using someone else's will be as much use as a chocolate fire-guard.
    He who asks a question looks foolish for 5 minutes. He who doesn't ask a question remains foolish forever.
    2010-04-25 11:50 AM
  17. pheroah's Avatar
    @Confucious, because we do not have an SHSH for an ECID that is jailbroken. Thus we are trying to use an ECID from a jailbroken phone that we know has the SHSH files for 3.1.2 uploaded to Cydia, so we can try and crack the files.
    2010-04-25 12:51 PM
  18. katmeef's Avatar
    Jailbroken or not, I just want to see someone's SHSH blobs who had cached them for 3.1.2 on a 32 GB 3GS.

    As the ECID is not in plaintext (and I'm still not sure what yazz2020 meant by bit reversed - I tried converting my ECID to binary, swapping 1's to 0's and vice versa, back to hex - and I don't see it), I am instead trying to isolate the characters in the blob which change to identify the ECID, and whether other changes occur based on the specific model of the iPhone.

    The first line, as yazz (?) said, gets past iTunes and it seems to start the process, but something else still isn't right and it seems not to be accepted by my iPhone, which sticks in restore mode instead of accepting the upgrade.

    /////

    > Thanks Katmeef, I was not being arrogant, I have over 15 years of hardcore C++ experience. I am just new to the mobile arena, so instead of challenging me, let us work together to try and do this.
    Apologies if I misinterpreted your earlier statement.


    /////

    So I don't think that we will be able to figure this out. The first line in the blob response seems to be nothing more than the ECID, as can be seen by comparing a specific user's 3.1.2 vs their 3.1.3 blobs.

    However, the next 4 lines seem to change based on a combination of the ECID and something else - maybe the partial digest, maybe some information in a database on Apple's side is pulled, who knows. But when comparing random 3.1.3 blobs for different ECIDs, I see all 5 lines changed.

    So the first line in the blob will let iTunes try to flash to the phone, but unless the next 4 lines can be deciphered somehow, I don't think we will get anywhere with this.

    <data>
    RElDRUAAAAAIAAAAzCMcGp8CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAEhTSFOMAAAAgAAAAG/1ZVx3iIJOJo53JeDG
    h1PAKXCAhJcHDpISr+PPeNpnDhLM5wkpBkxeyyPuRlq7WUqeKJJV4cgR9bhV
    5swoErnBhgGbxBk3ZraGhSz21C5niQvjAuFXoGBZqi6bH3KgXd89QoqdycA8
    EN0IzHGgC13Yu6ia6Xr2nLsz24hC4eZFVFJFQ4EHAAB1BwAAMIID+DCCAuCg

    Also, all the lines below these first 5 in any of the blobs I've looked at seem to be the same based upon which OS version the blob is intended for. These first 5 lines seem to be key.
    Last edited by katmeef; 2010-04-25 at 02:10 PM. Reason: Automerged multipost
    2010-04-25 02:09 PM
  19. pheroah's Avatar
    Katmeef, a stupid question, but just to make sure: did you decode these base64 strings, or are you just comparing them as text?

    If you haven't done so, decode them first into hex and use a hex editor. That will show the ECID plus some Apple root certificate; I am trying to figure out the rest.
    2010-04-25 02:23 PM
  20. yazz2020's Avatar
    > Jailbroken or not, I just want to see someone's SHSH blobs who had cached them for 3.1.2 on a 32 GB 3GS.
    >
    > As the ECID is not in plaintext (and I'm still not sure what yazz2020 meant by bit reversed - I tried converting my ECID to binary, swapping 1's to 0's and vice versa, back to hex - and I don't see it), I am instead trying to isolate the characters in the blob which change to identify the ECID, and whether other changes occur based on the specific model of the iPhone.
    >
    > The first line, as yazz (?) said, gets past iTunes and it seems to start the process, but something else still isn't right and it seems not to be accepted by my iPhone, which sticks in restore mode instead of accepting the upgrade.
    >
    > /////
    >
    > Apologies if I misinterpreted your earlier statement.
    >
    > /////
    >
    > So I don't think that we will be able to figure this out. The first line in the blob response seems to be nothing more than the ECID, as can be seen by comparing a specific user's 3.1.2 vs their 3.1.3 blobs.
    >
    > However, the next 4 lines seem to change based on a combination of the ECID and something else - maybe the partial digest, maybe some information in a database on Apple's side is pulled, who knows. But when comparing random 3.1.3 blobs for different ECIDs, I see all 5 lines changed.
    >
    > So the first line in the blob will let iTunes try to flash to the phone, but unless the next 4 lines can be deciphered somehow, I don't think we will get anywhere with this.
    >
    > <data>
    > RElDRUAAAAAIAAAAzCMcGp8CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    > AAAAAAAAAAAAAAAAAAAAAAAAAEhTSFOMAAAAgAAAAG/1ZVx3iIJOJo53JeDG
    > h1PAKXCAhJcHDpISr+PPeNpnDhLM5wkpBkxeyyPuRlq7WUqeKJJV4cgR9bhV
    > 5swoErnBhgGbxBk3ZraGhSz21C5niQvjAuFXoGBZqi6bH3KgXd89QoqdycA8
    > EN0IzHGgC13Yu6ia6Xr2nLsz24hC4eZFVFJFQ4EHAAB1BwAAMIID+DCCAuCg
    >
    > Also, all the lines below these first 5 in any of the blobs I've looked at seem to be the same based upon which OS version the blob is intended for. These first 5 lines seem to be key.
    If your ECID is, for example, 0000011a2b3c4d5e, in a hex edit app the ECID will be byte reversed, meaning 5e4d3c2b1a010000. Hope this explains it.

    The partial digest seems to be the public key, as this remains constant across a particular firmware revision.

    Use a base64 decoder to get a better idea.
    2010-04-25 02:26 PM
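The blob layout that posts 11, 18, 19 and 20 above are picking apart by hand, as an added worked example that is not part of the thread and is not code from Umbrella, PlistEdit Pro or any other tool mentioned in it. It base64-decodes the five lines posted in post 18 (with the spaces the forum software inserted stripped out), walks the tagged container inside them, and reads the ECID back as a number. That makes the "byte reversed" point in post 20 concrete: the eight bytes after the first tag header are a little-endian 64-bit integer, so the hex seen in an editor is the ECID's bytes in reverse order. The plist keys "Blob" and "PartialDigest", the component name "iBSS", the junk first line, and the tag layout (4-byte magic stored reversed, then little-endian total length and data length) are assumptions for the example and are not confirmed anywhere in the thread; the sample plist is constructed around the posted fragment.

```python
"""Added example, not code from the thread or from any tool it mentions.

Reads an SHSH-style plist the way post 11 describes (drop the junk before
<?xml), then walks the tagged container inside each component's blob so the
ECID discussed in posts 18 and 20 is read as a number rather than eyeballed.
Assumed, not confirmed by the page: the plist keys "Blob"/"PartialDigest",
the component name "iBSS", the junk header line, and the tag layout
(4-byte magic stored byte-reversed, then little-endian total/data lengths).
"""
import base64
import plistlib
import re
import struct

# The five base64 lines as they appear in post 18 (forum-inserted spaces
# included); they are only the start of a blob, so the last tag is cut off.
BLOB_FRAGMENT_B64 = """
RElDRUAAAAAIAAAAzCMcGp8CAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAEhTSFOMAAAAgAAAAG/1ZVx3iIJOJo53JeDG
h1PAKXCAhJcHDpISr+PPeNpnDhLM5wkpBkxeyyPuRlq7WUqeKJ JV4cgR9bhV
5swoErnBhgGbxBk3ZraGhSz21C5niQvjAuFXoGBZqi6bH3KgXd 89QoqdycA8
EN0IzHGgC13Yu6ia6Xr2nLsz24hC4eZFVFJFQ4EHAAB1BwAAMI ID+DCCAuCg
"""


def decode_b64(text):
    """Base64-decode ignoring whitespace; drop a trailing incomplete quartet."""
    clean = re.sub(r"\s+", "", text)
    clean = clean[: len(clean) - len(clean) % 4]
    return base64.b64decode(clean)


def parse_tags(blob):
    """Walk the tag chain.  Each tag: 4-byte magic (stored reversed, so
    b"DICE" is ECID), little-endian total length, little-endian data length,
    then data.  A tag whose data runs past the buffer is reported as truncated
    instead of raising, so a partial blob like the thread's can be inspected."""
    tags, off = [], 0
    while off + 12 <= len(blob):
        raw_magic, total, dlen = struct.unpack_from("<4sII", blob, off)
        if total < 12:            # malformed header: stop rather than loop forever
            break
        data = blob[off + 12: off + 12 + dlen]
        tags.append({"magic": raw_magic[::-1].decode("ascii"),
                     "total_len": total, "data_len": dlen,
                     "data": data, "truncated": len(data) < dlen})
        off += total
    return tags


def ecid_from_blob(blob):
    """The ECID tag carries the 64-bit ECID little-endian; return it as an int."""
    for tag in parse_tags(blob):
        if tag["magic"] == "ECID" and len(tag["data"]) == 8:
            return struct.unpack("<Q", tag["data"])[0]
    return None


def ecid_hex(ecid):
    """ECID as the usual 16-digit hex string."""
    return f"{ecid:016X}"


def editor_view(ecid):
    """The same ECID as its raw bytes appear in a hex editor ('byte reversed')."""
    return ecid.to_bytes(8, "little").hex().upper()


def build_sample_shsh_file():
    """Constructed sample: a one-component plist behind a junk first line."""
    plist = {"iBSS": {"Blob": decode_b64(BLOB_FRAGMENT_B64),
                      "PartialDigest": bytes(28)}}   # 28 zero bytes as stand-in
    return b"saved by a hypothetical tool\n" + plistlib.dumps(plist)


def load_shsh(raw):
    """Strip everything before the XML prologue, then parse the plist."""
    start = raw.find(b"<?xml")
    if start < 0:
        raise ValueError("no XML plist found in file")
    return plistlib.loads(raw[start:])


def summarize(raw):
    """Per component: the ECID and (magic, total, data_len, truncated) per tag."""
    out = {}
    for name, entry in load_shsh(raw).items():
        blob = entry["Blob"]
        out[name] = {"ecid": ecid_from_blob(blob),
                     "tags": [(t["magic"], t["total_len"], t["data_len"],
                               t["truncated"]) for t in parse_tags(blob)]}
    return out


if __name__ == "__main__":
    for name, info in summarize(build_sample_shsh_file()).items():
        print(name, "ECID", ecid_hex(info["ecid"]),
              "seen in a hex editor as", editor_view(info["ecid"]))
        for magic, total, dlen, cut in info["tags"]:
            print(f"  {magic}: total={total} data={dlen}" + (" (truncated)" if cut else ""))
```

Run as a script it lists, for the posted fragment, an ECID tag (64 bytes total, 8 of data), an SHSH tag (140 total, 128 of data, the size post 11 gives for the signature) and a CERT tag whose declared length runs far past the 225 bytes that were posted, which is why comparing the visible five lines by eye cannot say much about the rest. The parser stops on a header whose total length is below 12 so a corrupt blob cannot make it loop forever, and it never raises on a truncated tag, only flags it.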