Monday, August 30, 2010

The truth about shsh

I see many users in the forums saying "I have successfully downgraded from 4.0.2 to 4.0.1. You don't need a shsh backup, I don't even know what it is". Another one says "I downgraded my new out-of-the-box 3GS phone; you don't need shsh backups". Another person says "I downgrade more than 10 iPhone 3GS every day without a shsh backup." Somebody else says "This works only for the 3GS, but not for the iPhone 4." Others are asking "It didn't work for you? Where do you live? Maybe it only works in the U.S." There are hundreds of reports of people successfully downgrading their iPhones from 4.0.2 to 4.0.1 without knowing what shsh backups are. I want to explain this in detail in this blog post.

First of all, here is a tutorial for n00b users on how to downgrade. You can skip it if you know what to do and are only interested in the explanation of why it doesn't work without a shsh backup.

First method:
  1. Go to http://www.felixbruns.de/iPod/firmware/ and download firmware 4.0.1 for your iPhone. Make sure you select the correct phone: if you download the version for the iPhone 4 and you have an iPhone 3GS, it won't work, of course.
  2. Make sure the downloaded file has the file extension *.ipsw. Some browsers (Internet Explorer, Firefox) rename it when you download it. To rename the extension, you first have to make extensions visible: in Windows Explorer (not Internet Explorer), go to the Tools menu, Folder Options, then select the View tab and make sure the option "Hide extensions for known file types" is not checked. Look at the downloaded file, and if it ends with *.rar or *.zip, rename it to *.ipsw.
  3. Open Windows Explorer and go to the folder C:\Windows\System32\drivers\etc. There is a file called "hosts" there. This is for Windows users; Mac users have the same file, but probably in another folder. Open that file with Notepad. Usually you can just double-click it and select Notepad from the list.
  4. Edit this hosts file. Usually it contains lots of comment lines (starting with #) and two lines declaring localhost:
    127.0.0.1 localhost
    ::1 localhost
    Now add a new line at the end:
    74.208.105.171 gs.apple.com
  5. Save the file. If you cannot edit or save it, make sure it is not set to read-only.
  6. Now start iTunes and connect your iPhone. If iTunes doesn't recognize your phone, you have to put it into DFU mode first (not described here). Select your device in the DEVICES list on the left. On the right there are three areas (iPhone, Version, Option). Hold down the Shift key (Mac users: the Option key) and click the Restore button in the Version area.
  7. Now select the downloaded *.ipsw file to downgrade your iPhone.
Second method:
  1. Do steps 1 and 2 from the previous method.
  2. Download the latest version of TinyUmbrella: http://thefirmwareumbrella.blogspot.com/
  3. Donate something to semaphore for his great tool if you want.
  4. TinyUmbrella requires 32-bit Java to run; it doesn't work with 64-bit Java. Download and install Java from http://www.java.com/en/download/manual.jsp and make sure you don't install a toolbar you don't need.
  5. Start TinyUmbrella (Windows Vista and Windows 7 users have to right-click it and select "Run as administrator").
  6. Enable the "Advanced Options" checkbox.
  7. In "Request From" make sure "Cydia" is selected. In "Device/Version" make sure you select the version you want to downgrade to.
  8. Click on "Save My SHSH".
  9. If no error occurred, click the "Start TSS Server" button.
  10. Continue with step 6 of the first method above.
If you get an error in iTunes while trying to downgrade, like "Error 3194" or "This device isn't eligible for the requested build" or similar, or if for the second method you get an error message in TinyUmbrella, you cannot downgrade to that version. If you tried 4.0.1, you can still retry with version 4.0. Make sure you downloaded the matching firmware.
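Both methods rely on a hosts-file line that redirects gs.apple.com, and the usual mistake afterwards is forgetting to take it out again, so iTunes keeps sending its signing requests to the wrong place. The script below is an added example (not code from the post, TinyUmbrella or Cydia) that parses a hosts file, reports every line that overrides the signing host and whether it points at this PC or at an external server, and produces a cleaned copy with those lines removed. The sample hosts content is constructed; the IP 74.208.105.171 is the one given in the post.

```python
"""Inspect a hosts file for entries that redirect Apple's signing host.

Added example, not from the original post. SAMPLE_HOSTS is a constructed
Windows hosts file as it might look after following the steps above.
"""
import ipaddress

SIGNING_HOST = "gs.apple.com"

# Constructed sample: the two localhost lines plus two overrides of the
# signing host (an external one and a loopback one, as a TSS server would add).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1 localhost
::1 localhost
74.208.105.171 gs.apple.com
127.0.0.1 gs.apple.com   # points the signing host back at this PC
"""


def parse_hosts(text):
    """Return [(line_number, ip, [hostnames])] for every active mapping line.

    Comments (everything after '#') and blank lines are skipped; a line whose
    first field is not an IP address is ignored instead of raising.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        entries.append((lineno, ip, [h.lower() for h in fields[1:]]))
    return entries


def find_overrides(text, hostname=SIGNING_HOST):
    """Return [(line_number, ip)] for every line that maps hostname."""
    hostname = hostname.lower()
    return [(n, ip) for n, ip, names in parse_hosts(text) if hostname in names]


def describe_override(ip):
    """Say where a redirected request would end up."""
    if ipaddress.ip_address(ip).is_loopback:
        return "this PC (local TSS server)"
    return "external server"


def remove_overrides(text, hostname=SIGNING_HOST):
    """Return the hosts text with every mapping line for hostname dropped.

    This restores normal behaviour after the downgrade; with the override
    left in place, later iTunes restores and updates go to the wrong host.
    """
    bad = {n for n, _ in find_overrides(text, hostname)}
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, ip in find_overrides(SAMPLE_HOSTS):
        print(f"line {lineno}: {SIGNING_HOST} -> {ip} ({describe_override(ip)})")
    print(remove_overrides(SAMPLE_HOSTS))
```

To run it against a real file, read C:\Windows\System32\drivers\etc\hosts (or /etc/hosts on a Mac) into a string and pass that instead of SAMPLE_HOSTS; write the cleaned text back only after the downgrade has finished.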

Now, what is a shsh backup, why is all of that needed, what does the hosts file do, and why does it work for some users but not for others?

When iTunes tries to install a firmware on your phone, the first thing it does is read the ECID of your phone (something similar to a serial number) and the identity of the firmware (actually not the version number but hashes of its components, etc.; no details here), and send a request to Apple asking whether this phone may install this firmware build. Apple's server answers with a success/fail flag and, on success, a certificate: the shsh file we are talking about here. iTunes then sends the new firmware together with the shsh file to your phone, and your phone checks whether the certificate (the shsh) is valid. Because this check is done inside your phone, you cannot circumvent it. And the certificate cannot be generated anywhere else, because generating it requires the private key that only Apple has. If your phone says the certificate is ok, it installs the new (or old) firmware.

When a new firmware comes out, Apple can decide that you are no longer allowed to install any older version, simply by refusing to return a certificate for it. Because you cannot generate this certificate yourself, there is no way to downgrade. And you cannot take the certificate from your friend's phone, because the certificate is different for every ECID (the serial-like identifier of the phone).

Now what can be done to downgrade? A replay attack. This means we record the traffic once and replay it later. This is how the whole process works: during the time Apple signs a firmware (Apple signed firmware 4.0.1 until August 19, 2010) you can save the shsh certificate. Now that Apple no longer signs firmware 4.0.1, we still have that shsh certificate and can hand it to iTunes, which hands it to your phone. That way you can still install this old firmware, which Apple no longer allows you to install.

How does this work in detail? Saurik, the owner of Cydia, does it for you. He has set up a server that behaves exactly like Apple's certificate server: when you ask Saurik's server for permission to install a specific firmware, it returns the shsh certificate to you. The hosts file change is what routes you there. iTunes still "thinks" it is asking Apple's server gs.apple.com, but the IP address 74.208.105.171 actually belongs to telesphoreo.org, which is Saurik's (Cydia's) server. That way iTunes is fooled and gets the certificate not from Apple but from Cydia (first method). There is one problem, though: the Cydia server cannot "produce" these certificates the way Apple can. But it can save them in a big database while they are available. You just have to tell Cydia the ECID of your device, and from then on Cydia saves all your shsh certificates and can hand them back to iTunes later when you want to downgrade.

When you ask the Cydia server for a specific version of the shsh for your phone, it first looks in its database and, if the file is there, returns it to the requestor. If Cydia doesn't have the shsh, it asks Apple for it. If Apple still issues shsh files for that version, Cydia stores the file in its database from then on. When you run TinyUmbrella and select Cydia, the same thing happens. If you have ever jailbroken your device and run the Cydia tool, it probably asked you whether you want to "make your life easier" (if it didn't crash on the first run). If you selected yes, your ECID is stored in Cydia's database and Cydia will try to get the shsh certificates for all new firmware versions that come out.

Method 2 is a little different. TinyUmbrella has the "Save My SHSH" button. Clicking it does not save the shsh to Cydia; it asks Cydia whether it has the requested shsh, and if not, tries to get it from Apple and then stores it in Cydia. The main point, though, is that after clicking that button a copy of the shsh file is saved on your PC, in the folder C:\Users\[your name]\.shsh (for Windows users). You can click the "Display SHSHs" button to show the versions of the SHSH that are stored locally on your PC. When you run the TSS Server, the hosts file also gets changed, but this time it is changed to point at your PC itself. So when iTunes asks gs.apple.com, it is asking your PC, and your PC (the TSS Server) answers with the shsh file from the folder mentioned above. This is the same mechanism as before, only instead of asking the Cydia server, your PC answers. It avoids the dependency on the Cydia server, but is otherwise the same.
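The whole chain described in the last few paragraphs (a signing server that binds its answer to the ECID and the build, an on-device check, a cache that stores answers while they are available and replays them afterwards) is small enough to model end to end. The following is an added example, not code from the post, Apple, Cydia or TinyUmbrella. It assumes an HMAC key as a stand-in for the signer's private key (a real deployment uses an asymmetric signature, so the verifier never holds the signing key), constructed ECIDs and a constructed build hash, and a `Cache` class that plays the role of both the Cydia server and the local TSS server, since the post notes they behave the same way.

```python
"""Model of the shsh signing check: signer, device, and replaying cache.

Added example, not from the original post. HMAC stands in for the signer's
private key (labelled simplification); ECIDs and build hashes are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Signer:
    """The vendor's signing server. Only it holds the signing key."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    signed_builds: set = field(default_factory=set)  # builds inside the signing window

    @staticmethod
    def _message(ecid, build_hash):
        # The ECID is part of what gets signed: this is why one phone's blob
        # is useless on another phone.
        return f"{ecid:016x}|{build_hash}".encode()

    def request(self, ecid, build_hash):
        """Return (ok, blob). Refuses once a build has left the signing window."""
        if build_hash not in self.signed_builds:
            return False, None
        return True, hmac.new(self.key, self._message(ecid, build_hash), hashlib.sha256).digest()

    def stop_signing(self, build_hash):
        self.signed_builds.discard(build_hash)

    def verifier(self):
        """Verification routine handed to devices (stands in for a public key)."""
        key = self.key

        def verify(ecid, build_hash, blob):
            expected = hmac.new(key, Signer._message(ecid, build_hash), hashlib.sha256).digest()
            return hmac.compare_digest(expected, blob)
        return verify


class Device:
    """The phone: checks the blob itself, so the check cannot be skipped."""
    def __init__(self, ecid, verify):
        self.ecid = ecid
        self._verify = verify

    def accepts(self, build_hash, blob):
        return blob is not None and self._verify(self.ecid, build_hash, blob)


class Cache:
    """Cydia / TSS-server style store keyed on (ecid, build)."""
    def __init__(self, upstream):
        self.upstream = upstream
        self.store = {}

    def request(self, ecid, build_hash):
        key = (ecid, build_hash)
        if key in self.store:                              # replay a saved blob
            return True, self.store[key]
        ok, blob = self.upstream.request(ecid, build_hash)  # otherwise ask the signer
        if ok:
            self.store[key] = blob                         # keep it for later
        return ok, blob


def downgrade_scenario():
    """Walk through the post's story and return what each step observed."""
    build_401 = hashlib.sha256(b"constructed:iPhone3GS:4.0.1").hexdigest()
    apple = Signer(signed_builds={build_401})
    cydia = Cache(upstream=apple)
    my_ecid, friend_ecid = 0x000001A2B3C4D5E6, 0x000001F0E1D2C3B4  # constructed
    me = Device(my_ecid, apple.verifier())
    results = {}

    # While 4.0.1 is still signed, my request is answered and the cache keeps a copy.
    ok, blob = cydia.request(my_ecid, build_401)
    results["saved_while_signed"] = ok and me.accepts(build_401, blob)

    # The signing window closes. A phone that never asked before gets nothing.
    apple.stop_signing(build_401)
    ok, _ = cydia.request(friend_ecid, build_401)
    results["fresh_after_window"] = ok

    # My blob is still in the cache and still verifies on my phone: the replay.
    ok, blob = cydia.request(my_ecid, build_401)
    results["replay_after_window"] = ok and me.accepts(build_401, blob)

    # A friend's phone cannot use my blob, because its ECID was not signed.
    friend = Device(friend_ecid, apple.verifier())
    results["friends_phone_with_my_blob"] = friend.accepts(build_401, blob)

    # Without the key, a made-up blob fails the on-device check.
    forged = hmac.new(b"guessed-key", Signer._message(my_ecid, build_401), hashlib.sha256).digest()
    results["forged_blob"] = me.accepts(build_401, forged)
    return results


if __name__ == "__main__":
    for step, outcome in downgrade_scenario().items():
        print(f"{step}: {outcome}")
```

The replay succeeds because nothing in what the device checks changes between the first request and the later one: the saved answer is indistinguishable from a fresh one. That is also why "having a backup" only needs the cache to have seen one request for your ECID while the build was still signed.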

This is why you cannot downgrade without a backup of the shsh. And "having a backup" just means that Cydia has a copy of the shsh file in its database. Even users who have no idea how this works may have their shsh file backed up there.

Now what about users who buy a brand-new iPhone 3GS 8GB, unwrap the box, find iOS 4.0.2 installed and can downgrade to 4.0.1 using one of the two methods above? They also had the shsh backup for 4.0.1 on Cydia. But how did it get there?

Well, I don't know what happened to your iPhone, because I simply don't know the whole history of your device. A co-worker of mine has an iPhone 3GS. He always installed the newest firmware and has never jailbroken his device, according to his statements. When he came back from his vacation a few days ago, he still had firmware 4.0.1 installed. I showed him how easy jailbreaking is; he didn't even have to downgrade, because he was still on firmware 4.0.1. When he ran the Cydia tool, it showed that he had had shsh backed up since 3.1.3. This confirms that his ECID has been known to Cydia since then. Maybe someone made a test with his phone, or whatever. But it shows that users don't know everything that has happened to their device. And I'd just like to mention that he works in a high-skill IT job, so he's not just somebody who doesn't know what he does.

Now what about the freshly unwrapped 3GS? Thousands of users return their phone to Apple because the screen has a bright pixel or some other defect. I think Apple doesn't even produce the iPhone 3GS anymore. So if you buy a new 3GS now, you will actually get a refurbished one. This means you receive one that was repaired, with a new display for example. To make it look really new, it gets a new case, etc. But the electronics inside were already in use by someone else. And maybe that person jailbroke the device and thereby saved the ECID to Cydia. You just didn't know. You can look at the serial number of your device: digits 3, 4 and 5 tell you the year and week of production. I'm not sure what it reads for refurbished ones; maybe they also get a new serial number. But the ECID remains the same in any case.

So why do the above methods work for the 3GS and not for the iPhone 4? Because it is very rare that someone jailbroke your newly bought iPhone 4 before you received it. The chances for a 3GS are much, much higher.

If you tell me "I have downgraded and I am sure this phone has never been jailbroken before", I just don't believe you. Why? Because you simply don't know. You didn't see how your phone was produced. And probably at some point your friend had it in his hands and clicked jailbreakme or whatever else. You simply don't know.

The fact is that since August 19, 2010 Apple doesn't issue shsh certificates for firmware 4.0.1 anymore, and there has been no way to get them since then. Without this certificate you simply cannot downgrade. If you did downgrade, you probably did a jailbreak. Start Cydia, then. The top line says which versions of the shsh file are on the Cydia server. If it says 4.0.1 there, then voilà, you know that this was the reason. shsh certificates cannot be created by anybody other than Apple, and Apple stopped creating them after August 19, so it cannot have got there through your jailbreak or anything else you have done.

One word about older phones. The old iPhone 3G doesn't have this shsh certificate check built in, which means you can always downgrade an iPhone 3G to any version. But the new iTunes 9.2 (required for firmware 4.0 and higher) now also checks the shsh certificate. You can still install any version by using another tool like redsn0w.

A timeline of when which firmware version was signed by Apple, and some more technical details, can be found on the iPhone Wiki: http://theiphonewiki.com/wiki/index.php?title=SHSH

Thanks for reading. Let me know if this helped you understand how it works. If you have specific questions about downgrading your phone, please post a new thread at the GSM Forum (http://forum.gsmhosting.com/vbb/f456/). I will not answer specific questions here, only general discussions about how this works.

Edit:
There are some reports that by editing the plist file within the ipsw you could still downgrade without a shsh backup. This has been confirmed as not working; see the blog of semaphore, the author of TinyUmbrella.