From The Apple Wiki

A Nonce ("Number-used-ONCE") is a randomly-generated number that is used to randomize the signed hash blobs (SHSH blobs) that Apple uses to sign firmwares.
it is used with the APTicket (firmware signing ticket), the BBTicket (baseband signing ticket), and the SEPTicket (SEP signing ticket).

Method[edit source]

The device's bootloaders (firmware, baseband and SEP) generate a random value using a nonce seed (generator) which is then hashed to create the boot nonce hash (BNCH).

During a Restore or Update, the generated numbers are sent to Apple's TSS Server along with the device's ECID and the hashes of the firmware components to be signed.

If apple is signing the requested firmwares, the TSS Server sends the APTicket/BBTicket/SEPTicket with the certificates matched to the generated nonces for each firmware, and then the blobs are stitched into the firmware files. It is important that the nonces inside the blobs are matched to the nonces generated by the device, if the nonces inside the blobs don't match the device's bootloaders will reject the certificates and the restore will not be successful.

With the T8020 and all newer chipsets, the BNCH is also encrypted with the devices's UID key, which further randomizes the boot nonce, this is known as "Nonce Entangling".

Usage[edit source]

BBTicket[edit source]

APTicket[edit source]

  • Devices with the S5L8900 get SHSH blobs without APTicket on 4.0 - 4.2.1, even though they are not required and can be avoided with Pwnage+Pwnage 2.0.
  • Devices with the S5L8720 get SHSH blobs without APTicket from 3.1.1 and on, even though Bootrom 240.4 doesn't require them and they can be avoided with the 0x24000 Segment Overflow
  • Devices with the S5L8920, S5L8922, S5L8930 and S5L8940 got SHSH blobs without APTicket between 3.0 - 4.3.5, and they can not be avoided (except for the Bootrom 359.3 with the 0x24000 Segment Overflow)
  • Devices with the S5L8920, S5L8922, S5L8930, S5L8940, S5L8942, S5L8945, S5L8950, and S5L8955 get APTicket SHSH blobs on 5.0+. The SHSH requirement can not be avoided (except for the Bootrom 359.3 with 0x24000 Segment Overflow), and the APTicket requirement can only be avoided on devices vulnerable to the limera1n Exploit, or if the device is on iOS 5.1.1 or lower.
  • Devices with the S5L8960 and newer CPU's get APTickets exclusively (with SepNonce, which also needs to match) and they cannot be avoided, but can be utilized with the prometheus method.

Jailbreak difficulties[edit source]

With nonce signatures, signatures can't be cached, because signatures will not match if they have been reused. In other words, the widely used replay attack is no longer possible unless the nonce(s) (SepNonce + ApNonce on 64 bit, ApNonce only on 32 bit) the device generates matches the one on the APTicket.

Nonce Entangling[edit source]

Nonce Entangling on T8020 and all newer CPU's makes saving a reusable APTicket with the proper BNCH more difficult, as the boot nonce generated is also encrypted with the device's UID key. Getting around this requires finding-out what nonce is actually generated with the nonce seed you are using, which usually requires a Jailbreak with a nonce-setter or you can use airsquared's blobsaver to read the nonce/generator from the device.

Another possible attack is to put your device into Recovery Mode, get the generated boot nonce with irecovery or igetnonce, then update or restore your device to a signed firmware while still in recovery mode and then do not update/restore your device until you can jailbreak and dump iBoot to get the IM4R (nonce generator).

See also[edit source]