APTickets (short for Application Processor Ticket[1]) are the new type of SHSH blobs, used by iOS 5.0 and newer. The client (iBSS/LLB/iBoot/BootROM) generates a random string (nonce), then iTunes and the device sends the request for blob signing and the server returns the data, just like the original SHSH protocol.
Restoring
When iTunes or the on-device firmware upgrader sends a request to Apple's servers to confirm the APTicket, instead of returning the one already stored on the server, a new one is generated. Furthermore, devices with iOS 5 depend on the APTicket being legitimate to be able to boot; the device will enter Recovery Mode if it isn't.
Downgrading
Saurik's original replay attack method of allowing downgrades for any firmware that had been backed up on his server was partially halted for iOS 5 users due to this new system; now it will back up APTickets, but it can't send it directly from his servers; Redsn0w and iFaith can stitch a stock or custom firmware to enable downgrading with APTicket, but it only works for devices vulnerable to Limera1n Exploit.
Faking APTickets is not known to be possible because they are signed with a private key that only Apple knows and they are also partly generated from a random string (nonce).
iOS 4.3.5 and older can still be downgraded if SHSH blobs were saved.
iPad 2 users with iOS 4.3.x SHSH blobs can upload their 4.3.x iBSS via DFU and jump to iOS 5's iBEC. At this point, a signed IPSW can be used to restore to cached iOS 5 blobs. (This method is very effective on WiFi-only models. 3G models require the baseband to be installed/signed... Something like semaphore's TinyCFW can be implemented to get around this).
A vulnerability found independently by iH8sn0w and the iPhone Dev Team allowed downgrading all A5 devices running 5.x with their saved APTickets by restoring the latest firmware- verifying APTicket with the iBSS or iBoot then restoring the hacked firmware without APTicket- then when the restore ends, the requisite firmware is restored. This method theoretically works with BBTickets, but such a baseband downgrade was never out.
A bug existing in several 32-bit versions of iOS, though only exploitable in iOS 9.x, allows users to downgrade using cached iBSS/LLB blobs and APTicket, provided that the APTicket does not contain a nonce. A missing nonce is not treated as a mismatch, allowing the restore to continue and effectively defeating the improved downgrade prevention introduced by APTickets. The first public tool that exploited the bug was iDeviceReRestore (released on 2 April 2017), which, unlike Odysseus, does not require the device to be jailbroken. This brought a way to restore 32-bit devices to jailbreakable firmware, devices that had not seen a jailbreak for signed firmware since the release of Pangu9 for iOS 9.0.x more than 17 months earlier. The method was later incorporated into futurerestore.
APTicket structure
APTicket is a piece DER encoded data. The format of the data is different for 32-bit and 64-bit devices, but these formats have something in common. Each APTicket has a header, signed DER encoded SET, which contains hashes of all signed images and some additional data, PKCS#1 signature and two certificates. The first certificate is an Apple Secure Boot Certificate and the second one is specific for each TSS server and device CPU.
Old APTicket format
Old APTickets begin with a SEQUENCE which contains a signature type. This signature type shall match one in the first certificate. Next comes a SET with ECID, chip ID, board ID, SHA1 hashes of all signed images and some boolean values indicating true. Seems like tag of each element in the SET describes it's meaning. Old APTickets end with a signature and two certificates. The APTicket is structured as follows:
sequence [ 0: sequence [ 0: object signatureAlgorithm - Algorithm used for the signature ] 1: set [ - The body of the APTicket, containing many values 0: [1] 1: [2] 2: [3] ... ] 2: octetstring signature - The signature itself 3: [1] (constructed) [ - Array of DER certificates 0: sequence cert1 [ ... ] 1: sequence cert2 [ ... ] ... ] ]
A table of what each tag in the body of the APTicket actually contains is shown below.
| Tag | Length | Name | Description |
|---|---|---|---|
| 1 | 8 | ApECID (ECID) | Exclusive Chip Identifier |
| 2 | 4 | ApChipID (CHIP) | CPU Type identifier |
| 3 | 4 | ApBoardID (BORD) | Board type |
| 4 | 4 | ApProductionMode (PROD) | Tag that denotes if the ticket is for a production or development device. |
| 5 | 4 | ApSecurityDomain (SDOM) | Tag to denote the device that the firmware is supposed to be run on |
| 6 | 18 | LLB Build String | - |
| 7 | 20 | iBoot Digest | The SHA-1 hash of the iBoot image file |
| 8 | 20 | AppleLogo Digest | The SHA-1 hash of the AppleLogo image file |
| 9 | 20 | DeviceTree Digest | The SHA-1 hash of the Devicetree image file |
| 10 | 20 | KernelCache Digest | The SHA-1 hash of the Kernelcache image file |
| 11 | ? | Diags Digest | The SHA-1 hash of the Diags image file (only on LLDiagFilesystem and NonUI builds) |
| 12 | 20 | BatteryCharging Digest | The SHA-1 hash of the BatteryCharging image file |
| 13 | 20 | BatteryPlugin Digest | The SHA-1 hash of the BatteryPlugin image file |
| 14 | 20 | BatteryLow0 Digest | The SHA-1 hash of the BatteryLow0 image file |
| 15 | 20 | BatteryLow1 Digest | The SHA-1 hash of the BatteryLow1 image file |
| 16 | 20 | RecoveryMode Digest | The SHA-1 hash of the RecoveryMode image file |
| 17 | ? | NeedService Digest | The SHA-1 hash of the NeedService image file |
| 18 | 20 | ApNonce | - |
| 19 | ? | ApPriorTicketID | - |
| 20 | 18 | iBSS Build String | - |
| 21 | ? | Host iBoot | - |
| 22 | 18 | iBEC Build String | - |
| 23 | 20 | RestoreLogo Digest | The SHA-1 hash of the AppleLogo image file when used in restores |
| 24 | 20 | RestoreDeviceTree Digest | The SHA-1 hash of the Devicetree image file when used in restores |
| 25 | 20 | RestoreKernelCache Digest | The SHA-1 hash of the Kernelcache image file when used in restores |
| 26 | 20 | RestoreRamDisk Digest | The SHA-1 hash of the ramdisk image file that is used in restores |
| 27 | ? | OS Digest | - |
| 28 | 20 | ApBindingDigest | - |
| 29 | ? | ApServerNonce | - |
| 30 | ? | LLB Partial Digest | |
| 31 | ? | iBoot Partial Digest | The partial SHA-1 hash of the iBoot image file |
| 32 | ? | AppleLogo Partial Digest | The partial SHA-1 hash of the AppleLogo image file |
| 33 | ? | DeviceTree Partial Digest | The partial SHA-1 hash of the Devicetree image file |
| 34 | ? | KernelCache Partial Digest | The partial SHA-1 hash of the Kernelcache image file |
| 35 | ? | Diags Partial Digest | The partial SHA-1 hash of the Diags image file (only on LLDiagFilesystem and NonUI builds) |
| 36 | ? | BatteryCharging Partial Digest | The partial SHA-1 hash of the BatteryCharging image file |
| 37 | ? | BatteryPlugin Partial Digest | The partial SHA-1 hash of the BatteryPlugin image file |
| 38 | ? | BatteryLow0 Partial Digest | The partial SHA-1 hash of the BatteryLow0 image file |
| 39 | ? | BatteryLow1 Partial Digest | The partial SHA-1 hash of the BatteryLow1 image file |
| 40 | ? | RecoveryMode Partial Digest | The partial SHA-1 hash of the RecoveryMode image file |
| 41 | ? | NeedService Partial Digest | The partial SHA-1 hash of the NeedService image file |
| 42 | ? | iBSS Partial Digest | The partial SHA-1 hash of the iBSS image file |
| 43 | ? | iBEC Partial Digest | The partial SHA-1 hash of the iBEC image file |
| 44 | ? | RestoreLogo Partial Digest | The partial SHA-1 hash of the AppleLogo image file when used in restores |
| 45 | ? | RestoreDeviceTree Partial Digest | The partial SHA-1 hash of the Devicetree image file when used in restores |
| 46 | ? | RestoreKernelCache Partial Digest | The partial SHA-1 hash of the Kernelcache image file when used in restores |
| 47 | ? | RestoreRamDisk Partial Digest | The partial SHA-1 hash of the ramdisk image file that is used in restores |
| 48 | 4 | iBoot Trusted Flag | - |
| 49 | 4 | AppleLogo Trusted Flag | - |
| 50 | 4 | DeviceTree Trusted Flag | - |
| 51 | 4 | KernelCache Trusted Flag | - |
| 52 | ? | Diags Trusted Flag | - |
| 53 | 4 | BatteryCharging Trusted Flag | - |
| 54 | 4 | BatteryPlugin Trusted Flag | - |
| 55 | 4 | BatteryLow0 Trusted Flag | - |
| 56 | 4 | BatteryLow1 Trusted Flag | - |
| 57 | 4 | RecoveryMode Trusted Flag | - |
| 58 | ? | NeedService Trusted Flag | - |
| 59 | 4 | RestoreLogo Trusted Flag | - |
| 60 | 4 | RestoreDeviceTree Trusted Flag | - |
| 61 | 4 | RestoreKernelCache Trusted Flag | - |
| 62 | 4 | RestoreRamDisk Trusted Flag | - |
| 63 | ? | BbSNUM | - |
| 64 | ? | BbChipID | - |
| 65 | ? | BbProductionMode | - |
| 66 | ? | FlashPSI Build String | - |
| 67 | ? | ModemStack Digest | - |
| 68 | ? | BbNonce | - |
| 69 | ? | BbPriorTicketId | - |
| 70 | ? | RamPSI Build String | - |
| 71 | ? | HostFlashPSI | - |
| 72 | ? | EBL Digest | - |
| 73 | ? | StaticEEP Digest | - |
| 74 | 20 | BbApBinding Digest | - |
| 75 | 20 | BbServerNonce | - |
| 76 | ? | RamPSI Partial Digest | - |
| 77 | ? | FlashPSI Partial Digest | - |
| 78 | 20 | BatteryCharging0 Digest | - |
| 79 | 20 | BatteryCharging1 Digest | - |
| 80 | 20 | BatteryFull Digest | - |
| 81 | ? | BatteryCharging0 Partial Digest | - |
| 82 | ? | BatteryCharging1 Partial Digest | - |
| 83 | ? | BatteryFull Partial Digest | - |
| 84 | 4 | BatteryCharging0 Trusted Flag | - |
| 85 | 4 | BatteryCharging1 Trusted Flag | - |
| 86 | 4 | BatteryFull Trusted Flag | - |
| 87 | ? | UniqueBuildID | - |
| 88 | 4 | BbGoldCertId | - |
| 89 | 20 | BbSkeyId | - |
| 90 | 4 | Baseband Firmware FlashPSI Version | - |
| 91 | 20 | Baseband Firmware ModemStack Digest | - |
| 92 | 4 | Baseband Firmware RamPSIVersion | - |
| 93 | 20 | Baseband Firmware EBL Digest | - |
| 94 | 20 | Baseband Firmware FlashPSISecPack Digest | - |
| 95 | 20 | Baseband Firmware ModemStackSecPack Digest | - |
| 96 | 20 | Baseband Firmware FlashPSI Digest | - |
| 97 | ? | Baseband Firmware RamPSI Partial Digest | - |
| 98 | ? | Baseband Firmware FlashPSI Partial Digest | - |
| 99 | ? | BbJtagEnable | - |
| 101 | 4 | ? | - |
| 228 | 20 | LLB Hash | Old? LLB Hash |
| 229 | 20 | iBSS Hash | Old? iBSS Hash |
| 230 | 20 | iBEC Hash | Old? iBEC Hash |
| 231 | 4 | LLB Trusted Flag | Old? LLB Trusted Flag |
| 232 | 4 | iBSS Trusted Flag | Old? iBSS Trusted Flag |
| 233 | 4 | iBEC Trusted Flag | Old? iBEC Trusted Flag |
IM4M APTicket/ApImg4Ticket format
These begin with an IA5String "IM4M" and an INTEGER which is likely a version number. SET in these APTickets contains data structures of similar format. Each structure is of constructed type with PRIVATE class and contains a SEQUENCE with IA5String and a SET. The string describes the contents of the SET. Lets call these structures tags and their strings types. Root tag has type MANB and contains all other tags. The first of the MANB tags is MANP. It stores some tags describing the device and some tags which purpose is unknown. Other MANB tags describe each signed image.
References
See Also
 SHSH blob |
- SHSH blob on Wikipedia
- redsn0w, which has functionality to backup APTickets on devices exploitable with limera1n
- Details from saurik about the replay attack