Downgrading iOS 5 Firmware Using SHSH Blobs Currently Blocked!

by Jawwad in iPad, iPhone, Mobile, News | 5 comments


Many of us have been reminded regularly in the past to save the SHSH blobs of the iOS version currently installed on the device, using TinyUmbrella for example. The main purpose was to let the user downgrade to that version later, after upgrading, if they wished. In other words, if the SHSH blobs are not saved for the iOS version in question, you can't downgrade to it later from an upgraded iOS version!

Now, coming to the main story: it turns out that Apple has blocked the SHSH blobs saving feature for iOS for now. Currently this applies only to iOS 5 and later versions. This means that if a new version of iOS 5 arrives in the future, say iOS 5.1, you might not be able to downgrade to iOS 5 if you want to, since you will not have saved SHSH blobs for that version. This issue has already been confirmed by the iPhone Dev Team member Musclenerd. Here is a post from the iPhone Dev-Team blog:

It looks like Apple is about to aggressively combat the “replay attacks” that have until now allowed users to use iTunes to restore to previous firmware versions using saved SHSH blobs.

Those of you who have been jailbreaking for a while have probably heard us periodically warn you to “save your blobs” for each firmware using either Cydia or TinyUmbrella (or even the “copy from /tmp during restore” method for advanced users).  Saving your blobs for a given firmware on your specific device allows you to restore *that* device to *that* firmware even after Apple has stopped signing it.  That’s all about to change.

Starting with the iOS5 beta, the role of the “APTicket” is changing — it’s being used much like the “BBTicket” has always been used.  The LLB and iBoot stages of the boot sequence are being refined to depend on the authenticity of the APTicket, which is uniquely generated at each and every restore (in other words, it doesn’t depend merely on your ECID and firmware version…it changes every time you restore, based partly on a random number).  This APTicket authentication will happen at every boot, not just at restore time.  Because only Apple has the crypto keys to properly sign the per-restore APTicket, replayed APTickets are useless.

This will only affect restores starting at iOS5 and onward, and Apple will be able to flip that switch off and on at will (by opening or closing the APTicket signing window for that firmware, like they do for the BBTicket).  geohot’s limera1n exploit occurs before any of this new checking is done, so tethered jailbreaks will still always be possible for devices where limera1n applies.  Also, restoring to pre-5.0 firmwares with saved blobs will still be possible (but you’ll soon start to need to use older iTunes versions for that). Note that iTunes ultimately is *not* the component that matters here...it’s the boot sequence on the device starting with the LLB.

You can read the whole post here. Of course, this issue has already been identified by the jailbreak community, and according to the post quoted above there may be other ways to combat this issue, but for now users will not be able to save SHSH blobs until there is some workaround. Please note that if you have SHSH blobs saved for an earlier iOS 4.x version, you can still downgrade to that. This issue applies only to iOS 5 and later versions.
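The replay protection described in the quoted post can be modelled in a few lines. This is an added sketch, not code from the original post or from the Dev-Team: it compares a ticket signed over ECID and firmware version only with one that also covers a per-restore random value. The class names, the key, the ECID and the firmware label are constructed, and HMAC stands in for the vendor's asymmetric signature.

```python
import hashlib
import hmac
import os

# Constructed key. Assumption: HMAC stands in for the vendor's asymmetric
# signature so this runs on the standard library alone; a real device
# would hold only a public verification key.
SIGNING_KEY = b"constructed-demo-key"

def sign(*fields):
    # Length-prefix every field so field boundaries cannot be shifted.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()

class SigningServer:
    def __init__(self):
        self.open_windows = set()  # firmware versions currently being signed
    def request(self, ecid, version, nonce):
        if version not in self.open_windows:
            return None  # signing window closed: no new tickets
        return sign(ecid, version, nonce)

class Device:
    def __init__(self, ecid, per_restore_nonce):
        self.ecid, self.per_restore_nonce, self.nonce = ecid, per_restore_nonce, b""
    def begin_restore(self):
        # New scheme: a fresh random value for each restore. Old scheme: none.
        self.nonce = os.urandom(20) if self.per_restore_nonce else b""
        return self.nonce
    def accepts(self, version, ticket):
        expected = sign(self.ecid, version, self.nonce)
        return ticket is not None and hmac.compare_digest(ticket, expected)

def replay_after_window_closes(per_restore_nonce):
    server = SigningServer()
    dev = Device(bytes.fromhex("000001234567890a"), per_restore_nonce)  # constructed ECID
    fw = b"firmware-A"  # constructed version label
    server.open_windows.add(fw)
    saved = server.request(dev.ecid, fw, dev.begin_restore())  # "save your blobs"
    first = dev.accepts(fw, saved)
    server.open_windows.discard(fw)  # vendor stops signing this firmware
    nonce = dev.begin_restore()      # later restore attempt
    return {"first_restore": first,
            "replayed_saved_ticket": dev.accepts(fw, saved),
            "fresh_request": dev.accepts(fw, server.request(dev.ecid, fw, nonce))}

if __name__ == "__main__":
    print("ECID + version only:", replay_after_window_closes(False))
    print("with per-restore nonce:", replay_after_window_closes(True))
```

How the device keeps the ticket for the boot-time check mentioned in the quoted post is not modelled here; only the restore-time acceptance decision is.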

This post was written for Inspired Geek.


  • Sam

    Interesting. But I am not even able to restore to an earlier firmware from 5.0.

    Editing hosts has not worked. Have the required shsh files in cydia but still no luck. Want to go back to 4.3.3.

    Has anything else changed or could it be a cydia problem?

  • Tushar

    Try restoring it on a different computer. I was on 5.0 on my iPhone 4. Downgraded successfully to 4.3.3 since I had my SHSH blobs saved. Try using tinyumbrella and restoring with custom firmware using sn0wbreeze.

    • Sam

      Yeah eventually got it to work with tiny umbrella. Got back to 4.3.3 stock then jailbroke using redsnow. Redsnow is needed to bypass error 1. Jailbreak will freeze so get into recovery and exit recovery using tiny umbrella. But have to make sure to use redsnow version for 4.3.3.

  • tenzin

    What if one doesn’t have the shsh blob saved??? I currently have iOS 5 on my iPhone 4, but want to downgrade it to 4.3.3. Does anybody have an idea whether it can be done??? Comments appreciated.

    tenzin

    • Sam

      If you don’t have shsh saved then you can’t downgrade. However from 4.3.3 I think cydia automatically saved them. So open up cydia and at the top it will show you what shsh you have saved.
