Miraculous restore of iOS 3.1.2 without SHSH blob! How?! (iPhone 3GS forum, Hackint0sh.org)
  1. #1
    Newbie (anontemp123)
    Miraculous restore of iOS 3.1.2 without SHSH blob! How?!

    Here is how I restored an iPhone 3GS old-bootrom that was stuck at the Apple logo for hours after an "Erase All Content and Settings":

    1) Installed iTunes 9.

    2) Ran iREB-r4 and clicked iPhone 3G[S]. iREB put the phone into pwned DFU mode.

    3) Ran iTunes 9 and shift-restored custom firmware iPhone2,1_3.1.2_7D11_Custom_Restore_Activated.ipsw.

    I didn't use any SHSH blob server or TinyTSS or anything like that. My hosts file is clean. I don't understand how this worked without a valid SHSH blob. Any idea?

    Here's some background that might help...

    The person who sold the iPhone to me said they had bought it from someone else and didn't seem too knowledgeable. They claimed the phone wasn't unlocked or jailbroken. They were quite paranoid about privacy and wouldn't let me use the phone aside from viewing the Settings->General->About screen. I saw that the iOS "Version" was 3.1.2 and the "Carrier" was "Not available". I wasn't able to check if Cydia was installed. (The price was excellent so I went along with it.) Before giving me the phone, the seller did "Erase All Content and Settings" and drove away. The phone was stuck at the Apple logo for hours. I read that this happens to jailbroken phones, but since this one wasn't supposed to be jailbroken, I was concerned. I decided to attempt a restore.

    On a shift-restore of the official 3.1.2 firmware iTunes would tell me the iPhone "cannot be updated at this time because the iPhone software update server could not be contacted or is temporarily unavailable."

    On a shift-restore of iPhone2,1_3.1.2_7D11_Custom_Restore_Activated.ipsw, I would get an Error 1600. That led me to this page which introduced me to iREB: How to Restore Custom IPSW Made with PwnageTool or Sn0wbreeze? | Jaxov

    To my amazement, after iREB pwned DFUed the iPhone, I was able to shift-restore the custom firmware and iOS booted fine. It's been 5 hours and the phone seems to be working okay.

    How could this work without an SHSH blob or without contacting an SHSH service? Maybe the phone was jailbroken and/or unlocked before, but I would still need an SHSH blob, correct? Could it be an old bootrom vs new bootrom thing? Everything I've read indicates that the old bootrom still requires SHSH validation.

    This is a long shot, but is it possible the correct SHSH blob was already stored on the device and never overwritten?



  2. #2
    Olethros (Super Moderator)

    A properly made custom IPSW that includes the 24kpwn exploit in LLB (written via geohot's limera1n bootrom exploit or an iBoot exploit) can be used to bypass SHSH blobs on the old bootrom 3GS.
    This is old news.

    So basically, an already jailbroken 3GS running iOS 3.x can restore a properly made custom 3.x IPSW.

    Newer devices aren't susceptible to the same 24kpwn exploit and SHSH cannot be bypassed. This has caused a shift away from this type of custom IPSW (where the entire bootchain is patched) as that technique only works on the old bootrom 3GS (and older iOS devices that don't check SHSH in hardware).

    So, those of you lucky enough to have an old bootrom 3GS have more of a chance of getting an untethered iOS 5 jailbreak.

  3. #3
    Newbie (anontemp123)

    So does that mean the old-bootrom 3GS running 3.1.2 can be restored with, say, a properly made custom 4.3.3 IPSW without an SHSH blob? Or would I already have to be running a Jailbroken 4.3.3 to restore an old-bootrom 3GS with a properly made custom 4.3.3 IPSW w/o an SHSH blob?

    I'm not doubting you, but could you provide a source so I could read further? I haven't been able to find any evidence of this. Everything I read indicated you would still need an SHSH blob even on the old bootrom. I've read that old bootroms only affect tethering, although even this advantage no longer exists with the latest 4.x.x releases.

  4. #4
    Olethros (Super Moderator)

    Quote Originally Posted by anontemp123:
    So does that mean the old-bootrom 3GS running 3.1.2 can be restored with, say, a properly made custom 4.3.3 IPSW without an SHSH blob? Or would I already have to be running a Jailbroken 4.3.3 to restore an old-bootrom 3GS with a properly made custom 4.3.3 IPSW w/o an SHSH blob?
    Okay some history to help explain this.

    The way it used to work was that your currently installed OS needed to be pwned and patched to ignore invalid SHSH blobs, then you could restore a custom IPSW that was also patched to ignore invalid SHSH blobs (the custom IPSW didn't have to be the same version).

    This was a chicken and egg type problem, where a higher level initial exploit was required to initially write the 24kpwned LLB, either via recovery mode (iBoot exploit, for example blackra1n or purplera1n) or from userland (spirit2pwn). These are easily patched in software by a minor iOS update.

    Because of this, once you restored with a stock IPSW for an iOS that wasn't vulnerable to the higher level exploit (eg 3.1.3 which blocked blackra1n) you were stuck as you had no way to write the 24kpwn exploit to the device and jailbreak. Unless you had a saved SHSH blob that allowed you to downgrade to a "vulnerable" iOS version.

    Finally geohot revealed his limera1n bootrom (DFU level) exploit that can bypass the checking of SHSH during restore of an IPSW (but it can't bypass the SHSH checking during boot).

    However for practical reasons, since limera1n was made public, we have seen a trend of limera1n used in combination with a kernel level exploit. This leaves the pre-kernel boot chain unpatched (so the same technique can give an untethered jailbreak on 3GS old and new bootrom, iPhone 4, iPod Touch 3G, 4G and iPad 1st generation).

    This means one set of jailbreak patches that are the same across all supported devices, easier to maintain and less confusion for inexperienced jailbreakers.

    Quote Originally Posted by anontemp123:
    I'm not doubting you, but could you provide a source so I could read further? I haven't been able to find any evidence of this. Everything I read indicated you would still need an SHSH blob even on the old bootrom. I've read that old bootroms only affect tethering, although even this advantage no longer exists with the latest 4.x.x releases.
    I cannot see any reason why the 24kpwn + limera1n cannot be used indefinitely to jailbreak, untethered, the old bootrom 3GS on future iOS releases (until Apple stops supporting 3GS in new iOS releases). Apple can't block it permanently, but they can make it harder for jailbreak authors to update their existing 24kpwn based patches to work on a new iOS version.
    Last edited by Olethros; 08-20-2011 at 06:01 PM.
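A toy model of the two checks the reply above distinguishes (SHSH verification at restore time versus at each boot, and why that separates a tethered from an untethered result), added here as an example and not code from the thread or from any jailbreak tool. It assumes a simplified LLB, iBoot, kernel chain, an HMAC with a constructed key standing in for Apple's RSA signature, and plain flags standing in for 24kpwn and limera1n rather than any real exploit mechanics; only the limera1n restore-time bypass is modelled, not the older pwned-OS route.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for Apple's signing key: HMAC replaces the real RSA signature.
APPLE_KEY = b"constructed-apple-tss-key"
STAGES = ("LLB", "iBoot", "kernel")   # simplified boot chain after the bootrom

def shsh_sign(image: bytes, ecid: int) -> bytes:
    """SHSH blob: signature over the image hash, personalized with the device ECID."""
    msg = hashlib.sha256(image).digest() + ecid.to_bytes(8, "big")
    return hmac.new(APPLE_KEY, msg, "sha256").digest()

@dataclass
class Image:
    data: bytes
    shsh: bytes = b""            # empty for an unsigned (custom) image
    skips_shsh: bool = False     # patched to ignore the SHSH of the next stage
    pwned_24k: bool = False      # 24kpwn-style LLB that the old bootrom fails to reject

def shsh_ok(img: Image, ecid: int) -> bool:
    return bool(img.shsh) and hmac.compare_digest(shsh_sign(img.data, ecid), img.shsh)

def restore(ipsw: dict, ecid: int, limera1n: bool) -> bool:
    """Restore-time check: valid SHSH on every image, unless the DFU exploit bypasses it."""
    return limera1n or all(shsh_ok(ipsw[s], ecid) for s in STAGES)

def boot(ipsw: dict, ecid: int, old_bootrom: bool) -> str:
    """Boot-time check: each stage verifies the next unless it is patched to skip it."""
    llb = ipsw["LLB"]
    if not shsh_ok(llb, ecid) and not (old_bootrom and llb.pwned_24k):
        return "bootrom rejects LLB (tethered: needs the DFU exploit every boot)"
    for prev, nxt in zip(STAGES, STAGES[1:]):
        if not ipsw[prev].skips_shsh and not shsh_ok(ipsw[nxt], ecid):
            return f"{prev} rejects {nxt}"
    return "booted"

def stock_ipsw(ecid: int) -> dict:
    """Stock firmware whose SHSH blobs are personalized for this ECID only."""
    return {s: Image(s.encode(), shsh_sign(s.encode(), ecid)) for s in STAGES}

def custom_ipsw() -> dict:
    """Old-style custom IPSW: unsigned, whole boot chain patched, 24kpwn-style LLB."""
    return {s: Image(s.encode() + b"-patched", b"", True, s == "LLB") for s in STAGES}

def try_restore(ipsw: dict, ecid: int, old_bootrom: bool, limera1n: bool) -> str:
    """Outcome of an iTunes restore followed by the first boot."""
    if not restore(ipsw, ecid, limera1n):
        return "restore refused (no valid SHSH for this ECID)"
    return boot(ipsw, ecid, old_bootrom)
```

Running the custom IPSW through try_restore with old_bootrom=True boots untethered, with old_bootrom=False it restores but the bootrom rejects the LLB on the next boot, and a stock IPSW signed for one ECID is refused on another.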