Arisian

Is there a way to extract SHSH info from the phone backups I have saved in iTunes?

Could be barking up the wrong tree, just a thought.
 
OK - here's what I'm working at.

I actually DID get a backup of my 3gs 3.1.3 exported (see screen shot)

Does anyone know how to extract the SHSH info from these locations? Is that even possible?

FURTHERMORE, even if I do find the SHSH blobs in this dump, does anyone know what to do then?!

I'd like to downgrade to 3.1.3 and then upgrade to 4.0. If I can find my SHSH/ECID somewhere in here, then I'm golden!

Brian
 

Attachment: Screen shot 2010-07-13 at 2.28.37 PM.png

Those backups are your personal data, nothing to do with the SHSH file(s) for authorizing a restore.
 
ok - I assumed I'm actually looking just for the ECID...

I also figured it would be somewhere in all the logs, which are included in this export as well as tons of just info about the phone - which is also there.

I guess the thing that I'm having a difficult time understanding is what the SHSH blobs actually ARE... not what they do, I know what they do :)

I was just a bit hopeful that if I could find the ECID when the phone was at 3.1.3 then I could go backwards again.

Does that make sense?! Theoretically if you can find your ECID, you can create the SHSH blob(s) and upload them to saurik's server, thus retaining the ability to downgrade. https://forums.macrumors.com/threads/886278/
 
Arisian: your ECID is easy to find. It does not change with the OS version, it's hard-encoded into your chip. The easiest way to find it is probably just to plug your phone in and run TinyUmbrella, which will tell you your ECID. You can also put your phone in DFU and check it out in a device profiler.

But finding your ECID will not help you. It is not possible to generate your own SHSH just by knowing the ECID. SHSHs can only be obtained from Apple's server, because they have to be signed using Apple's private key. This is why your SHSH for a firmware version can only be obtained while Apple is still signing that version. SHSH stands for signature hash, and is just a technical term for an encrypted signature attached to a message (in this case, the message authorizing installation of a version of the iPhone firmware).

The SHSH is not saved anywhere on your device or in a backup. It is used only briefly to authorize an installation, and is requested anew for each installation. It is different for each version of the firmware. TinyUmbrella can save your SHSH as it is returned by Apple, but only if you request it while Apple is still signing. Same for Cydia. They take advantage of the fact that Apple failed to include a time check in their authorization scheme, so the same SHSH is returned each time you request the same version. This was really poor security design on Apple's part, since it makes it possible to spoof Apple's server as long as you cache your SHSH for each version while Apple is still signing.
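
The missing freshness check described in the post above, as an added example that is not part of the original thread and is not Apple's or TinyUmbrella's code: a toy signing server and device verifier showing why a ticket over only (ECID, version) stays valid after signing stops, while one that also covers a per-restore device nonce does not. The names, the key, the sample ECID, the HMAC stand-in for the real asymmetric signature, and the nonce itself (used here as the freshness value instead of the "time check" the post mentions) are all assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in key. The real scheme uses an asymmetric signature
# (devices hold only a public key); HMAC keeps this sketch stdlib-only.
SIGNING_KEY = b"constructed-demo-key"


def sign_ticket(ecid, version, nonce=b""):
    """Server side: sign device ID and firmware version, plus a nonce if given."""
    msg = b"|".join([str(ecid).encode(), version.encode(), nonce])
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()


class SigningServer:
    """Hypothetical server that issues tickets only for versions it still signs."""

    def __init__(self, signed_versions):
        self.signed_versions = set(signed_versions)

    def request(self, ecid, version, nonce=b""):
        if version not in self.signed_versions:
            return None  # signing window closed
        return sign_ticket(ecid, version, nonce)


def device_accepts(ecid, version, ticket, nonce=b""):
    """Device side: recompute the expected ticket, compare in constant time."""
    if ticket is None:
        return False
    return hmac.compare_digest(ticket, sign_ticket(ecid, version, nonce))


def run_demo():
    ecid, old = 0x1234ABCD, "3.1.3"  # constructed sample values
    server = SigningServer({"3.1.3", "4.0"})
    # Design described in the post: nothing fresh in the signed message.
    cached_static = server.request(ecid, old)
    # Variant with freshness: the device supplies a random nonce per restore.
    cached_fresh = server.request(ecid, old, os.urandom(16))
    server.signed_versions.discard(old)  # vendor stops signing 3.1.3
    return {
        "server_still_signs": server.request(ecid, old) is not None,
        "static_replay_accepted": device_accepts(ecid, old, cached_static),
        # A later restore picks a new nonce, so the cached ticket no longer fits.
        "nonce_replay_accepted": device_accepts(ecid, old, cached_fresh, os.urandom(16)),
        "other_device_accepted": device_accepts(ecid + 1, old, cached_static),
    }
```

The last check shows the property the ECID does provide in both designs: a ticket is bound to one device, so the gap is freshness, not device binding.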
 
Well done, as usual!
 
Beautiful - thanks so much for the excellent explanation. I was getting a bit confused by the custom features on TinyUmbrella where I believed (obviously incorrectly!) that you could create new SHSH hashes for any firmware if you had the ECID... Thought I could then upload the 3.1.3 hashes to saurik's server and be golden.

Again, thanks a ton... I'd buy you a coffee...