A Nonce ("Number-used-ONCE") is a randomly-generated number that is used to randomize the signed hash blobs (SHSH blobs) that Apple uses to sign firmwares.
it is used with the APTicket (firmware signing ticket), the BBTicket (baseband signing ticket), and the SEPTicket (SEP signing ticket).
The device's bootloaders (firmware, baseband and SEP) generate a random value using a nonce seed (generator) which is then hashed to create the boot nonce hash (BNCH).
If apple is signing the requested firmwares, the TSS Server sends the APTicket/BBTicket/SEPTicket with the certificates matched to the generated nonces for each firmware, and then the blobs are stitched into the firmware files. It is important that the nonces inside the blobs are matched to the nonces generated by the device, if the nonces inside the blobs don't match the device's bootloaders will reject the certificates and the restore will not be successful.
- No iPod touch (or iPad Wi-Fi) has been signed with the BBTicket, since by definition it has no baseband.
- iPhone (bootloaders can be neutered to cancel this signchecks). iPhone 3G, iPhone 3GS and iPad Wi-Fi+3G - if the baseband is higher or equal (or just higher on bootloader 3.9 on iPhone). Some bootloaders allow downgrade of the baseband if it is still signed.
- iPhone 4 (iPhone3,1), iPhone 4 (iPhone3,3), iPhone 4S, and iPad 2 (iPad2,2) and iPad 2 (iPad2,3) - AT+XNONCE - restores the baseband only if Apple is still signing it. On bootloaders 2.8, 2.13, Trek and Phoenix, both the AT+XNONCE and the "higher or equal" checks happen.
- Devices with the S5L8900 get SHSH blobs without APTicket on 4.0 - 4.2.1, even though they are not required and can be avoided with Pwnage+Pwnage 2.0.
- Devices with the S5L8720 get SHSH blobs without APTicket from 3.1.1 and on, even though Bootrom 240.4 doesn't require them and they can be avoided with the 0x24000 Segment Overflow
- Devices with the S5L8920, S5L8922, S5L8930 and S5L8940 got SHSH blobs without APTicket between 3.0 - 4.3.5, and they can not be avoided (except for the Bootrom 359.3 with the 0x24000 Segment Overflow)
- Devices with the S5L8920, S5L8922, S5L8930, S5L8940, S5L8942, S5L8945, S5L8950, and S5L8955 get APTicket SHSH blobs on 5.0+. The SHSH requirement can not be avoided (except for the Bootrom 359.3 with 0x24000 Segment Overflow), and the APTicket requirement can only be avoided on devices vulnerable to the limera1n Exploit, or if the device is on iOS 5.1.1 or lower.
- Devices with the S5L8960 and newer CPU's get APTickets exclusively (with SepNonce, which also needs to match) and they cannot be avoided, but can be utilized with the prometheus method.
With nonce signatures, signatures can't be cached, because signatures will not match if they have been reused. In other words, the widely used replay attack is no longer possible unless the nonce(s) (SepNonce + ApNonce on 64 bit, ApNonce only on 32 bit) the device generates matches the one on the APTicket.
Nonce Entangling on T8020 and all newer CPU's makes saving a reusable APTicket with the proper BNCH more difficult, as the boot nonce generated is also encrypted with the device's UID key. Getting around this requires finding-out what nonce is actually generated with the nonce seed you are using, which usually requires a Jailbreak with a nonce-setter or you can use airsquared's blobsaver to read the nonce/generator from the device.
Another possible attack is to put your device into Recovery Mode, get the generated boot nonce with irecovery or igetnonce, then update or restore your device to a signed firmware while still in recovery mode and then do not update/restore your device until you can jailbreak and dump iBoot to get the IM4R (nonce generator).