APTicket

From The Apple Wiki

APTickets (short for Application Processor Ticket[1]) are the new type of SHSH blobs, used by iOS 5.0 and newer. The client (iBSS/LLB/iBoot/BootROM) generates a random string (nonce), then iTunes and the device sends the request for blob signing and the server returns the data, just like the original SHSH protocol.

Restoring

When iTunes or the on-device firmware upgrader sends a request to Apple's servers to confirm the APTicket, instead of returning the one already stored on the server, a new one is generated. Furthermore, devices with iOS 5 depend on the APTicket being legitimate to be able to boot; the device will enter Recovery Mode if it isn't.

Downgrading

Saurik's original replay attack method of allowing downgrades for any firmware that had been backed up on his server was partially halted for iOS 5 users due to this new system; now it will back up APTickets, but it can't send it directly from his servers; Redsn0w and iFaith can stitch a stock or custom firmware to enable downgrading with APTicket, but it only works for devices vulnerable to Limera1n Exploit.

Faking APTickets is not known to be possible because they are signed with a private key that only Apple knows and they are also partly generated from a random string (nonce).

iOS 4.3.5 and older can still be downgraded if SHSH blobs were saved.

iPad 2 users with iOS 4.3.x SHSH blobs can upload their 4.3.x iBSS via DFU and jump to iOS 5's iBEC. At this point, a signed IPSW can be used to restore to cached iOS 5 blobs. (This method is very effective on WiFi-only models. 3G models require the baseband to be installed/signed... Something like semaphore's TinyCFW can be implemented to get around this).

A vulnerability found independently by iH8sn0w and the iPhone Dev Team allowed downgrading all A5 devices running 5.x with their saved APTickets by restoring the latest firmware- verifying APTicket with the iBSS or iBoot then restoring the hacked firmware without APTicket- then when the restore ends, the requisite firmware is restored. This method theoretically works with BBTickets, but such a baseband downgrade was never out.

A bug existing in several 32-bit versions of iOS, though only exploitable in iOS 9.x, allows users to downgrade using cached iBSS/LLB blobs and APTicket, provided that the APTicket does not contain a nonce. A missing nonce is not treated as a mismatch, allowing the restore to continue and effectively defeating the improved downgrade prevention introduced by APTickets. The first public tool that exploited the bug was iDeviceReRestore (released on 2 April 2017), which, unlike Odysseus, does not require the device to be jailbroken. This brought a way to restore 32-bit devices to jailbreakable firmware, devices that had not seen a jailbreak for signed firmware since the release of Pangu9 for iOS 9.0.x more than 17 months earlier. The method was later incorporated into futurerestore.

APTicket structure

APTicket is a piece DER encoded data. The format of the data is different for 32-bit and 64-bit devices, but these formats have something in common. Each APTicket has a header, signed DER encoded SET, which contains hashes of all signed images and some additional data, PKCS#1 signature and two certificates. The first certificate is an Apple Secure Boot Certificate and the second one is specific for each TSS server and device CPU.

Old APTicket format

Old APTickets begin with a SEQUENCE which contains a signature type. This signature type shall match one in the first certificate. Next comes a SET with ECID, chip ID, board ID, SHA1 hashes of all signed images and some boolean values indicating true. Seems like tag of each element in the SET describes it's meaning. Old APTickets end with a signature and two certificates. The APTicket is structured as follows:

sequence [
	0: sequence [
		0: object signatureAlgorithm 	- Algorithm used for the signature
	]
	1: set [				- The body of the APTicket, containing many values
		0: [1]
		1: [2]
		2: [3]
		...
	]
	2: octetstring signature 		- The signature itself
	3: [1] (constructed) [ 			- Array of DER certificates
		0: sequence cert1 [ ... ]
		1: sequence cert2 [ ... ]
		...
	]
]

A table of what each tag in the body of the APTicket actually contains is shown below.

Tag Length Name Description
1 8 ApECID (ECID) Exclusive Chip Identifier
2 4 ApChipID (CHIP) CPU Type identifier
3 4 ApBoardID (BORD) Board type
4 4 ApProductionMode (PROD) Tag that denotes if the ticket is for a production or development device.
5 4 ApSecurityDomain (SDOM) Tag to denote the device that the firmware is supposed to be run on
6 18 LLB Build String -
7 20 iBoot Digest The SHA-1 hash of the iBoot image file
8 20 AppleLogo Digest The SHA-1 hash of the AppleLogo image file
9 20 DeviceTree Digest The SHA-1 hash of the Devicetree image file
10 20 KernelCache Digest The SHA-1 hash of the Kernelcache image file
11 ? Diags Digest The SHA-1 hash of the Diags image file (only on LLDiagFilesystem and NonUI builds)
12 20 BatteryCharging Digest The SHA-1 hash of the BatteryCharging image file
13 20 BatteryPlugin Digest The SHA-1 hash of the BatteryPlugin image file
14 20 BatteryLow0 Digest The SHA-1 hash of the BatteryLow0 image file
15 20 BatteryLow1 Digest The SHA-1 hash of the BatteryLow1 image file
16 20 RecoveryMode Digest The SHA-1 hash of the RecoveryMode image file
17 ? NeedService Digest The SHA-1 hash of the NeedService image file
18 20 ApNonce -
19 ? ApPriorTicketID -
20 18 iBSS Build String -
21 ? Host iBoot -
22 18 iBEC Build String -
23 20 RestoreLogo Digest The SHA-1 hash of the AppleLogo image file when used in restores
24 20 RestoreDeviceTree Digest The SHA-1 hash of the Devicetree image file when used in restores
25 20 RestoreKernelCache Digest The SHA-1 hash of the Kernelcache image file when used in restores
26 20 RestoreRamDisk Digest The SHA-1 hash of the ramdisk image file that is used in restores
27 ? OS Digest -
28 20 ApBindingDigest -
29 ? ApServerNonce -
30 ? LLB Partial Digest
31 ? iBoot Partial Digest The partial SHA-1 hash of the iBoot image file
32 ? AppleLogo Partial Digest The partial SHA-1 hash of the AppleLogo image file
33 ? DeviceTree Partial Digest The partial SHA-1 hash of the Devicetree image file
34 ? KernelCache Partial Digest The partial SHA-1 hash of the Kernelcache image file
35 ? Diags Partial Digest The partial SHA-1 hash of the Diags image file (only on LLDiagFilesystem and NonUI builds)
36 ? BatteryCharging Partial Digest The partial SHA-1 hash of the BatteryCharging image file
37 ? BatteryPlugin Partial Digest The partial SHA-1 hash of the BatteryPlugin image file
38 ? BatteryLow0 Partial Digest The partial SHA-1 hash of the BatteryLow0 image file
39 ? BatteryLow1 Partial Digest The partial SHA-1 hash of the BatteryLow1 image file
40 ? RecoveryMode Partial Digest The partial SHA-1 hash of the RecoveryMode image file
41 ? NeedService Partial Digest The partial SHA-1 hash of the NeedService image file
42 ? iBSS Partial Digest The partial SHA-1 hash of the iBSS image file
43 ? iBEC Partial Digest The partial SHA-1 hash of the iBEC image file
44 ? RestoreLogo Partial Digest The partial SHA-1 hash of the AppleLogo image file when used in restores
45 ? RestoreDeviceTree Partial Digest The partial SHA-1 hash of the Devicetree image file when used in restores
46 ? RestoreKernelCache Partial Digest The partial SHA-1 hash of the Kernelcache image file when used in restores
47 ? RestoreRamDisk Partial Digest The partial SHA-1 hash of the ramdisk image file that is used in restores
48 4 iBoot Trusted Flag -
49 4 AppleLogo Trusted Flag -
50 4 DeviceTree Trusted Flag -
51 4 KernelCache Trusted Flag -
52 ? Diags Trusted Flag -
53 4 BatteryCharging Trusted Flag -
54 4 BatteryPlugin Trusted Flag -
55 4 BatteryLow0 Trusted Flag -
56 4 BatteryLow1 Trusted Flag -
57 4 RecoveryMode Trusted Flag -
58 ? NeedService Trusted Flag -
59 4 RestoreLogo Trusted Flag -
60 4 RestoreDeviceTree Trusted Flag -
61 4 RestoreKernelCache Trusted Flag -
62 4 RestoreRamDisk Trusted Flag -
63 ? BbSNUM -
64 ? BbChipID -
65 ? BbProductionMode -
66 ? FlashPSI Build String -
67 ? ModemStack Digest -
68 ? BbNonce -
69 ? BbPriorTicketId -
70 ? RamPSI Build String -
71 ? HostFlashPSI -
72 ? EBL Digest -
73 ? StaticEEP Digest -
74 20 BbApBinding Digest -
75 20 BbServerNonce -
76 ? RamPSI Partial Digest -
77 ? FlashPSI Partial Digest -
78 20 BatteryCharging0 Digest -
79 20 BatteryCharging1 Digest -
80 20 BatteryFull Digest -
81 ? BatteryCharging0 Partial Digest -
82 ? BatteryCharging1 Partial Digest -
83 ? BatteryFull Partial Digest -
84 4 BatteryCharging0 Trusted Flag -
85 4 BatteryCharging1 Trusted Flag -
86 4 BatteryFull Trusted Flag -
87 ? UniqueBuildID -
88 4 BbGoldCertId -
89 20 BbSkeyId -
90 4 Baseband Firmware FlashPSI Version -
91 20 Baseband Firmware ModemStack Digest -
92 4 Baseband Firmware RamPSIVersion -
93 20 Baseband Firmware EBL Digest -
94 20 Baseband Firmware FlashPSISecPack Digest -
95 20 Baseband Firmware ModemStackSecPack Digest -
96 20 Baseband Firmware FlashPSI Digest -
97 ? Baseband Firmware RamPSI Partial Digest -
98 ? Baseband Firmware FlashPSI Partial Digest -
99 ? BbJtagEnable -
101 4 ? -
228 20 LLB Hash Old? LLB Hash
229 20 iBSS Hash Old? iBSS Hash
230 20 iBEC Hash Old? iBEC Hash
231 4 LLB Trusted Flag Old? LLB Trusted Flag
232 4 iBSS Trusted Flag Old? iBSS Trusted Flag
233 4 iBEC Trusted Flag Old? iBEC Trusted Flag

IM4M APTicket/ApImg4Ticket format

These begin with an IA5String "IM4M" and an INTEGER which is likely a version number. SET in these APTickets contains data structures of similar format. Each structure is of constructed type with PRIVATE class and contains a SEQUENCE with IA5String and a SET. The string describes the contents of the SET. Lets call these structures tags and their strings types. Root tag has type MANB and contains all other tags. The first of the MANB tags is MANP. It stores some tags describing the device and some tags which purpose is unknown. Other MANB tags describe each signed image.

References

See Also

Wikipedia has an article about SHSH blob