Caching Apple’s Signature Server

Πριν λίγα λεπτά ο saurik έκανε το παρακάτω post στο twitter… αυτό μας εξηγεί καλύτερα πως έχουν τα πράγματα με το iPhone 3GS και το jailbreak του!
Screenshot 2009-09-15 03h 30m 11s

Παρακάτω θα βρείτε αναλυτικά αυτά που γράφει και στο site του!


Please, for the love of all that is holy, do not e-mail me if you have problems. Instead, go to ModMyi.com, where there is a special forum called 3G[S] Downgrading, created for the purposes of this article.

Seriously: there is no way I could possibly hope to answer even the number of e-mails I’m currently receiving regarding this, and the article isn’t even out yet. There is this wonderful scene from Bruce Almighty where Bruce sees his e-mail inbox: that happens to me every day. 🙁

I have very little respect for Apple at this point: I make no secret of this fact. Apple, as a company, has turned into a corporate hypocracy, embodying the very ideals that it claims to be rebelling against. “Think Different”, as a slogan, has become a cold criticism of their own actions with regards to their product lines.

The Next Hope

Apple is not just a computer company: Apple is a movement. This concept was finally and truly cemented in the public mindset when Apple carved itself a lasting place in the history of marketing with its 1984 superbowl commercial for Macintosh.

Styled after the classic Orwellian distopia, 1984, this commercial was set in a future where all aspects of individuality had been stamped out by the overlords, constantly vigilant, watching from their television monitors.

This world, as well as everyone in it, was rendered in a blue and gray: some believe we are to see the overlords as IBM, well reknowned for their corporate beaurocracy, and soon to be hated for trying to control our very thoughts with their bland machinery.

Others, including the creative director of the commercial, Lee Clow, state that the commercial represents the abstract struggle of “the few against the many”: Apple’s Macintosh standing as a symbol of “empowerment”. [Wikipedia]

The True Enemy

However, as time grew on, Apple’s real stance on individual expression and “empowerment” in particular, became clear: they are staunchly against it. Apple’s insistence on controlling the experience of their products sounds very similar to the “garden of pure ideology” expoused by the Big Brother in their own commercial.

Today we celebrate the first glorious anniversary of the Information Purification Directives. We have created, for the first time in all history, a garden of pure ideology: where each worker may bloom, secure from the pests of any contradictory… thoughts.

Our Unification of Thoughts is more powerful a weapon than any fleet or army on Earth. We are one people: with one will, one resolve, one cause. Our enemies shall talk themselves to death and we will bury them with their own confusion. We shall prevail!

The Point of Jailbreaking

This is why many of us (upwards of 10% of all iPhone users, in fact) “jailbreak” our devices: we want choice. We believe that Apple has maintained its lead as the best mobile hardware platform provider, and we encourage that innovation by purchasing not only their devices but also numerous applications from their App Store; but, and this is important: we want more.

Sometimes, it is “only” marketing restrictions: there is no fundamental reason why only the 3G[S] can record video (although the quality of the camera on the iPhone 2G and 3G is not very high), or why the iPhone 2G is somehow unable to do MMS.

Applications like Google Latitude or Voice are likewise “rejected” (Apple likes to claim that they didn’t reject these applications, they simply “didn’t accept” them…) from the App Store because they might “confuse” the user by replacing functionality that exists with better equivalents.

Our need for “more”, however, goes deeper: jailbreaking isn’t just about applications that Apple “rejected”, but is also about taking provided tools and going in a new direction. The most popular packages available in Cydia aren’t even “applications”, but are “extensions”: seamless and pervasive modifications to existing software.

An Exploit a Day…

On desktop computers such markets are implicit: the computer is yours, and you can do whatever you want with it. You can purchase any kind of hardware, download any kind of software, and make any modifications you feel to be fit. However, Apple doesn’t want us treating our iPhones like computers, no matter how similar they seem.

This means that those of us who demand to have the freedom to use the device we rightfully own the way we want to use it are in a constant battle with Apple. Each time they release a new product, or even just a software upgrade for an old one, we have to go to work defeating any new protections.

This arms race is what defines the “homebrew” community on most devices: each upgrade to the PlayStation Portable, for example, brings not only new features but also new restrictions, requiring users to find a new “exploit” to defeat the new defense.

What makes the iPhone platform special, however, is PwnageTool from the iPhone Dev Team: the trust chain on these devices has been completely defeated, and only with new hardware can Apple fix the issues to keep us out.

The Signature Server

Of course, new hardware comes every year, and Apple decided to strike hard with the new iPhone 3G[S]. Rather than just throw in new local protections, Apple decided that every restore of the device would be verified as being valid and safe by Apple itself.

To do this, during the restore process, users see “Verifying restore with Apple…”, during which time a challenge/response protocol is used between the iPhone and Apple: a “partial digest” of the firmware files being used is sent to a server, which can then decide to sign off on the result… or not.

Not only does this allow Apple to keep custom firmwares from getting loaded onto the device, but it also allows them to recall existing firmwares by keeping people from restoring to them in the future. To do this they simply would refuse to ever sign, for example, iPhoneOS 3.0 again.

However, to make this model secure, one must verify that their system is not subject to a simple “replay attack”: where one just stores a copy of Apple’s sign off and then returns it at a later point. This is a “beginner’s attack”, and one that is easily mitigated by any of a number of strategies.

For a Purple Ra1ny Day

Apple’s 3G[S] security mechanism, however, fails this test. Rather than even using a simple random number, they use a hardcoded challenge per device. The specific number they have chosen is the device’s ECID, or “unique-chip-id”, a number that all devices have so far had, although we haven’t seen any previous use for it.

This means that, given an ECID, one can ask Apple’s signature server to sign any firmware that they currently consider “OK” (which returns a blob that includes the critical SHSH, which is the signature hash) and then store the result forever.

In practice, there is only one critical file that we need signed: the one with the bug. ;P This is the iBSS, which is one of the modes of iBoot. Given that ECID/iBSS signature, one can load the buggy code and then continue with the jailbreak.

This is, in fact, what purplera1n.com was doing: it returned to you a file that contained just the signature hash for the iBSS file, as that is “sufficient”. Eventually someone may write a tool to use this file.

Personalized Firmware

What iTunes does with these blobs is to “personalize” the firmware file, integrating the ECID, SHSH, and CERT blocks into it, so that the iPhone can verify the result. It does this in a temporary directory where users can actually just watch and grab the files.

So, many users have gone in and carefully gotten both the iBSS and iBEC files from this personalization mechanism. The iBSS file from this process actually contains no more information than the tiny purplera1nyday file.

However, and this is unfortunate: just because this information is “sufficient to jailbreak”, doesn’t mean it is convenient. Without someone writing a special jailbreak tool that uses these files as input you are pretty much stuck.

Your iPhone 3G[S] has an ECID SHSH on file.

Instead, what you really want, is to store the entire personalized firmware set required by iTunes to do a restore (or, more realistically: a full set of SHSH blobs). At this point you should be able to use iTunes to do a “normal” restore of the device.

This functionality was offered, very near to the end of the window, by Cydia: one needed only to agree to have the process done, and your ECID was used on Cydia’s server to generate and store a full set of SHSH blobs using Apple’s signature process.

In doing this, over 50,000 3G[S] devices got their ECID SHSHs “on file”, and are now prepared to continue to restore to iPhoneOS 3.0 indefinitely.

A Narrow Window

Unfortunately, due to the timing of the release (it took a while for me to figure out how to do this effectively), many users failed to get their ECID’s in by Apple’s cutoff. However, while this means these users will not be able to downgrade to (or even stay at) 3.0, an exploit has (supposedly) been found in 3.1.

This means that, at some point in the tangable but unknown future, users will be able to use iPhoneOS 3.1 on their 3G[S] to jailbreak their devices.

To faciliate this, the Cydia “on file” system is going to come back online tonight and start signing ECIDs using the 3.1 firmware, to prepare for the coming release from Apple when users will once again be locked out.

Hopefully, by then, we’ll have hundreds of thousands of users fully protected against Apple’s “Information Purification Directives”.

Bypassing the Overlord

To this end, I have constructed a server that duplicates the functionality exposed by Apple’s signature server, except using “on file” results rather than live requsests.

All we need, then, is to make iTunes use it. Luckily, most operating systems also have the ability to locally define bypasses on specific hostnames through a file called hosts. Using this, we can redirect requests to Apple’s signature server to Cydia.

So, open the file C:\Windows\System32\drivers\etc\hosts (Windows) or /etc/hosts (Mac OS X) and add the following entry to the bottom of the file.

74.208.105.171 gs.apple.com

Now, when iTunes thinks it is talking to Apple, it is talking to Cydia instead. Doing this will allow iTunes to access signatures already stored by Cydia’s “on file” feature.

This server will also act as a cache for any SHSH blobs it hasn’t seen, acting as an intermediary to Apple’s server. This effectively registers your device with the “on file” mechanism, which means you can now enjoy the protections of being able to downgrade your firmware in the future even if you aren’t jailbroken.

This point should be stressed: even if you don’t jailbreak, and even if you never intend to jailbreak, you should consider using the new “on file” service.

Let’s say that Apple releases an OS upgrade in the future, you take it, and they break something important. Maybe they break your e-mail account, or your todo list. Your business is now crippled.

If only you could downgrade, right? Alas, Apple won’t let you anymore. That’s where the new signature cache server comes in: by doing your restores through this server you secure your ability to not accept upgrades from Apple if the need is dire.

Performing the Restore

Now, one would have hoped that the process would be as easy as “restore using the 3.0 IPSW”. If only we were that lucky. The first problem is that a downgrade from 3.1 to 3.0 must be initiated in DFU mode.

So, we begin: hold down the lock and menu buttons (some call these the power and home buttons) for 10 seconds, letting go of the lock button but continuing to hold menu until iTunes recognizes the device with the message: “iTunes has detected an iPhone in recovery mode. You must restore this iPhone before it can be used with iTunes.”.

Note that, at this point, your iPhone’s screen should be entirely black. Many people confuse “DFU” with “recovery” (and in fact, iTunes itself glosses over this), but they are quite different. If you see anything on your screen, such as the iTunes logo and a sync cable, or a cartoon of Steve Jobs swearing in Cyrillic, you are in recovery mode and need to try again. One can find videos online that may help.

At this point, you should do a “normal” restore to the 3.0 software. When doing this, remember to hold down the option key (on Mac OS X) or the shift key (Windows) while clicking the Restore button in iTunes. Select the firmware (which is probably named iPhone2,1_3.0_7A341_Restore.ipsw), and things should be on their way.

If you encouter “unknown error (3002)”, you probably do not have your ECID SHSH’s for 3.0 “on file” with Cydia. Unfortunately, as Apple is no longer allowing users to sign the 3.0 firmware, it is no longer possible to register your device with Cydia.

Luckily, it has been reported that iPhoneOS 3.1 is vulnerable to another exploit. This means that, once a jailbreak is released for 3.1, users be able to prepare themselves for future jailbreaks even if they missed the first round of signature storage (which I unfortunately was only able to start very late in the 3.0 game).

Once you even attempt to use this service (or if you tell Cydia to “make your life easier”) you will be signed up for the signature tracker, and Cydia HQ will do its best to manage your ability to restore.

And again, if you have any issues with this process, please please please do not e-mail me. Instead, go to ModMyi.com, where there is a special forum called 3G[S] Downgrading, created for the purposes of this article.

NAND Format Invalid

If you were already using 3.0 then this process should “just work”. However, if you had already upgraded to 3.1 you will encounted a nasty error: “The iPhone “iPhone” could not be restored. An unknown error occured (1015).”. This is expected behavior

For people who are curious, what has happened is that a section of the NAND storage has been slightly reorganized in 3.1, and the 3.0 iBoot can no longer parse it. If we pulled out iRecovery and checked the iBoot logs over USB we’d see the following messages (the typos are Apple’s).

[WMR:ERR] NAND format invalid (mismatch, corrupt, read error or blank NAND device)

[WMR:ERR] boolSignatureFound false  boolProductionFormatVerified true nSig 0x0

******************************************************************************

******************************************************************************

AND: NAND initialisaton failed due to format mismatch or uninitialised NAND.

AND: Please reboot with reformatting enabled.

******************************************************************************

******************************************************************************

NAND FTL failed initialisation

The first time this happened to me I actually spent a while with MuscleNerd working out how to do what it asked: “reboot with reformatting enabled”. That was a severe waste of time: after you fix this, it still won’t boot, and you will need to go through a second restore to finish the process.

However, it turns out a second restore also formats the NAND correctly by itself. So, without bothering to do anything else to the device (leaving it in the recovery mode it is now in: DFU is no longer required), just start the restore over again in the same manner as before, once again selecting the 3.0 firmware.

Stuck in Restore

Unfortuntaely, this second restore is also going to fail (*sigh*), and irritatingly enough it is going to cause the exact same error message: “The iPhone “iPhone” could not be restored. An unknown error occured (1015).”. This is still expected behavior.

For those who are again curious, what has happened is that when the device turns on it has to decide what it is going to do: wait for instructions over USB, or continue into the boot process. This is determined by an NVRAM variable named auto-boot, which is currently set to “false”.

Normally this is set at the end of the restore process, but technically we were unable to finish the restore: it is my understanding that this is because upgrading to 3.1 installed the 3.1 baseband (which is currently not unlockable, btw), and the baseband upgrade in the 3.0 release then fails, stopping the restore.

However, that seems to be the last and least important part of the restore, so we technically won: we are never, though, going to be able to restore back to 3.0 without hitting this 1015 again, though.

Jailbreak with redsn0w or purplera1n

You have three options at this point. The first is to use iRecovery to manually do an fsboot, the second is to use iRecovery to set auto-boot to “true”, and the third is to just go ahead and jailbreak your device.

We will go ahead and do the last of these, as even just getting iRecovery working on your computer is something that I don’t look forward to trying to describe. ;P (In fact, it still isn’t working on my Windows computer.)

At this point, you can just run your jailbreak tool of choice, which should jailbreak the device and boot it into the normal operating system. Congratualations, you just overthrew your orwellian overlord, and have taken back control of your device.

At least today, we will prevail!

via saurik