Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

[UPDATED] Reconstruct 00.SHSH from iBEC/iBSS files?

T

TheHeadFL

macrumors member
Original poster
Jul 9, 2009
79
0
Updated See last post, it is tested and working!

So, I've posted this on modmyi.com forums, but I am also posting it here. Mostly I am bored, but since by profession I am a coder, I'm also the curious type when it comes to this stuff... anyway, here is what I posted:

Theres got to be a way to make use of the iBEC/iBSS files somehow...

When I open my 00.shsh file and look through it, it is essentially a list of every file that I have stored in the folders I saved from the iBEC/iBSS grabber:

Per88E7.tmp\Firmware\all_flash\all_flash.n88ap.pro duction

applelogo, batterycharging0, etc.

The file seems to store something it calls 'Blob' which is evidently a Base64-encoded binary blob of the suffix of the respective file. (In other words, if I open my applelogo.###.img3 file, and I seek to the string 'DICE@' and copy from there to EOF, it almost exactly matches the blob which is Base64'd inside the SHSH file [Note: I am comparing my 3.1 SHSH file to my 3.0 files so I expect there to be a small difference, the files should differ])

There is another very small Base64-encoded item which it terms a 'Partial Digest', which suggests it is a hash of the above blob. It is 28 bytes (224 bits) in length. I haven't been able to work out the hashing algorithm being used (maybe SHA-224?) or if it requires some kind of salt or something.

Does anyone have any insight as to any other details about these files? At first glance it seems like it should be possible to construct a SHSH file from these files and some kind of hashing algorithm.

(Note: I am only attempting this because the Dev-Team previously stated that the iBEC/iBSS files in question are already signed with your ECID, and so I am *crosses fingers* hoping that the steps to reconstruct a SHSH file from these is trivial, at least in terms of cryptography. [In other words, there is no missing information, it just needs to be transformed from one form to another])
 
Ok, so I poked around the code for Umbrella a little bit. (That is the tool that creates a local SHSH file from Apple's and/or Saurik's server)

It seems like the 'Partial Digest' is not unique to each phone. I am guessing the meaning of that would be that it is a hash of everything in the file *except* the signed suffix portion.

Does anybody have a 3.0 SHSH file I can look at? It seems like you could easily use those Partial Digests (in a hard coded fashion) and combine that with the blobs, which seem trivial to generate from a signed iBEC/iBSS, etc.

For reference, this is how I came to this conclusion:

Code: 
(TinyTSS.java) - This is the code that verifies the Partial Digests:
private void verifyCache() {
        log.info("Verifying ecid shsh blobs...");
        try {
            XPath path = XPath.newInstance("key[.='PartialDigest']/following-sibling::data[1]");
            Element ele = (Element)path.selectSingleNode(xmlCache.get("iBSS")[1]);
            String partialDigest = ele.getValue().trim();
            PartialDigest digest = PartialDigest.valueFor(partialDigest);
            //@TODO - Actually validate EACH blob's partial digest
            switch(digest) {
                case THREE_OH:
                    log.info("Detected 3.0 shsh blobs!");
                    if(xmlCache.size() != 20)
                        throw new RuntimeException("Your 3.0 blobs are invalid!");
                    break;
                case THREE_OH_ONE:
                    log.info("Detected 3.0.1 shsh blobs!");
                    if(xmlCache.size() != 20)
                        throw new RuntimeException("Your 3.0.1 blobs are invalid!");
                    break;
                case THREE_ONE:
                    log.info("Detected 3.1 shsh blobs!");
                    if(xmlCache.size() != 20)
                        throw new RuntimeException("Your 3.1 blobs are invalid!");
                    break;
                case INVALID:
                    throw new RuntimeException("Your blobs are invalid!");
            }
            return;
        } catch(Exception e) {
        }
        throw new RuntimeException("Your shsh blobs are malformed... don't delete them they just need to be fixed.");
    }

(PartialDigest.java):
public enum PartialDigest {
    THREE_ONE("QAAAADiBAQBA/9WBGHGeYZeaZuohP+LAiPF8YA=="),
    THREE_OH_ONE("QAAAAHjAAQAcaHpuOT5v3qZFEPSEEMY5xDKQ3w=="),
    THREE_OH("QAAAAPiQAQCcdhu1hCyHWHAez39TmafGGpj00g=="),
    INVALID("-1");

    private String dig;
    PartialDigest(String dig) {
        this.dig = dig;
    }

    public String getDigest() {
        return dig;
    }

    public static PartialDigest valueFor(String str) {
        for(PartialDigest value : values()) {
            if(value.getDigest().equals(str))
                return value;
        }
        return INVALID;
    }
}

In particular it seems to only check the iBSS file partial digest, but that is enough because what is in my file matches what is in that hard-coded enumeration.
 
Yet another update:

Still unable to replicate the partial digest, so I assume it is probably signed by Apple with a private key.

Looking at the partial digests, they are most likely an 8-byte prefix which is not part of the hash (it isn't variable enough to plausibly be the output of a crypto function), followed by a 160-bit hash. (SHA-1 then?)

Either way, if these partial digests are NOT specific to each phone, it should be fairly simple to construct a SHSH file from the signed iBEC/iBSS (and all the other files under the Per####.tmp folders). Grabbing the signed portion (certificate of some sort?) off of the end seems fairly simple.
 
If someone is willing to provide me their 00.SHSH file for 3.0 so I can get the Partial Digests, I will write some code which grabs the signed suffixes and generates a SHSH file with them.

There is no guarantee that this will work, but I figure it is worth a shot...

Note that in order to use this method (assuming it even works!), you would have had to save *all* of the files in the Per####.tmp folders, not just the iBEC and iBSS ones. As far as I can tell, these files are all signed with the ECID.
 
So I was poking around in my purplera1nyday file...

It seems that it contains the first 204 bytes from the signed portion of the iBSS file.

Not particularly helpful, but interesting nonetheless.

The first 204 bytes seem to be the only part that changes from file to file. In particular, bytes 76-204 (128 bytes) are the only bytes that change. This seems to be the signature portion.
 
Thanks to an extremely helpful tip on the other forum, I've gotten the partial digests for 3.0.

(Extract the BuildManifest.plist from the IPSW file and they are contained there)
 
OK, I have most of the code written and I think this is going to work.

I've gotten all the Partial Digests from the Build Manifest, I've processed all that stuff and grabbed the certificate portion of each file specified by the manifest and Base64'd it.

The only piece I am missing now is some confusion as to which file I want for the "RestoreRamDisk" key.... The SHSH files only contain one of them, but there are actually 2 referred to in the Build Manifest. I'm not sure how to tell which one to grab...

I can tell for 3.1 because I have a 3.1 SHSH file, but I can't tell for 3.0 because I don't have a 3.0 SHSH.

Therefore, Can someone please look at their 3.0 SHSH and tell me which file is referred to under the "RestoreRamDisk" key?

For example, in 3.1, there is both:

018-5349-086.dmg
018-5352-086.dmg

However, the SHSH file only contains:

018-5352-086.dmg

It could be something as stupid/simple as taking the higher numbered one or something, but I have no way to know and I just want confirmation...
 
Someone gave me the answer on the other forum for the previous question.

Anyway, major progress update reposted from the other thread:

Alright, I finished writing the tool. It seems to generate a valid 00.SHSH file from my TMP folders...

Since my 3GS is running fine, I'm not going to test a restore yet. (I dont want to screw it up)

The file works with TinyTSS (although it really just does minimal checks) and I'm going to do a little bit more fooling around with it.

If you want to try this, it is up to you, but I make *no guarantees* that this is going to work for you. I would only try this if you are on 3.1 already and want to go back to 3.0 and are not on-file with Cydia. (Because at that point it doesn't hurt to try)

A few notes:

- All this does is generate '00.SHSH'. This isn't going to magically fix any other problems.

- This still relies on you using TinyTSS. Use TinyTSS with the file just as if you had gotten it from Umbrella.

- If you are downgrading from 3.1, it is still going to throw the errors that it always does. (Please see the thread on downgrading, it is a pretty involved process)

- Most importantly, you need to have ALL of the files in the Per####.tmp folders. If you don't have all of them, this won't work for you.

If you want to try this, PM me and I will send you the source and/or a cmdline executable you can use.


EDIT: Updated, see below.

Alright, take back what I just said.

I'm still having some problems with TinyTSS.

I am trying to make Umbrella fetch an 00.SHSH from TinyTSS and its throwing me an error no matter what...

Not just with files I generate, but also with 3.1 SHSH files I obtained from Apple and/or Saurik. Umbrella only generates 39KB when reading from TinyTSS, but the normal 64KB is fetched reading from Apple and/or Saurik.

The error is this:

Code: 
Oct 4, 2009 7:00:49 PM com.semaphore.TinyTSS run
INFO: ***Request***
java.lang.NullPointerException
        at com.semaphore.TinyTSS.parseRequest(TinyTSS.java:336)
        at com.semaphore.TinyTSS.run(TinyTSS.java:315)
Oct 4, 2009 7:00:49 PM com.semaphore.TinyTSS run
INFO: Successfully wrote blob response

Anyone have any ideas? I'm not a Java guy so I'm not exactly sure what is going on here... all I can come up with is that the TinyTSS server is very very very dependent on the order in which iTunes asks for the various items, and Umbrella does not ask for them in that order...
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back