Dev Team: Apple Makes It Difficult To Downgrade To Previous iOS Firmware Versions Using SHSH Blobs In iOS 5

iOS 5 SHSH blobs

iPhone Dev team has just revealed in a blog post titled “Blob Monster”, that Apple is making it difficult to downgrade to an older firmware using SHSH blobs in iOS 5.

As you may know, whenever Apple releases a new iOS software update, Dev Team advices iOS device users to save SHSH blobs using tools like TinyUmbrella or via Cydia

This allows users to restore their iOS device with the iOS firmware for which the SHSH blobs has been saved, which is normally not possible as Apple stops signing older iOS firmware files after it releases a new iOS software update (usually used to downgrade to an older version of iOS).

According to iPhone Dev Team, Apple is making this difficult in iOS 5 that will be released later this fall. They explain:

Starting with the iOS5 beta, the role of the “APTicket” is changing – it’s being used much like the “BBTicket” has always been used. The LLB and iBoot stages of the boot sequence are being refined to depend on the authenticity of the APTicket, which is uniquely generated at each and every restore (in other words, it doesn’t depend merely on your ECID and firmware version…it changes every time you restore, based partly on a random number). This APTicket authentication will happen at every boot, not just at restore time. Because only Apple has the crypto keys to properly sign the per-restore APTicket, replayed APTickets are useless.

This will only affect restores starting at iOS5 and onward, and Apple will be able to flip that switch off and on at will (by opening or closing the APTicket signing window for that firmware, like they do for the BBTicket). geohot’s limera1n exploit occurs before any of this new checking is done, so tethered jailbreaks will still always be possible. Also, restoring to pre-5.0 firmwares with saved blobs will still be possible (but you’ll soon start to need to use older iTunes versions for that). Note that iTunes ultimately is *not* the component that matters’s the boot sequence on the device starting with the LLB.

Although it’s always been just “a matter of time” before Apple started doing this (they’ve always done this with the BBTicket), it’s still a significant move on Apple’s part (and it also dovetails with certain technical requirements of their upcoming OTA “delta” updates).

Note: although there may still be ways to combat this, a beta period is really not the time or place to discuss them. We’re just letting you know what Apple has already done in their exisiting beta releases – they’ve stepped up their game!

This means that you have to be even more careful when Apple releases a new iOS software update post iOS 5, until Dev team comes with a solution as there is no way to revert back if you end up accidentally upgrading to it.

Apple continues to up the ante in the cat and mouse game with iPhone jailbreakers and unlockers.  As we reported yesterday, Apple has also blocked the iPhone 4 hardware unlocking solution using Gevey SIM in iOS 5 beta 2.

Please share your views on Apple’s latest move in the comments section below.

[via Dev Team’s blog]