Jun 27, 2011 12:05 GMT

A post signed by the iPhone Dev Team reveals that Apple is "aggressively" combating the "replay attacks" that have let users restore to older firmware versions by answering the device's signing request with saved SHSH blobs instead of a fresh signature from Apple.

According to the crew of hackers, “That’s all about to change.”

According to the Team, a component named 'APTicket' is now being used to authenticate the device's boot chain, rather than being checked only when firmware is restored.

“Starting with the iOS5 beta, the role of the ‘APTicket’ is changing — it’s being used much like the ‘BBTicket’ has always been used,” they explain.

“The LLB and iBoot stages of the boot sequence are being refined to depend on the authenticity of the APTicket, which is uniquely generated at each and every restore.”

According to the iOS tinkerers, APTicket authentication will happen not just at restore time but at every boot.

“Because only Apple has the crypto keys to properly sign the per-restore APTicket, replayed APTickets are useless,” they reveal.
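Why a saved ticket stops working once it is bound to a single restore, as an added and deliberately simplified model (this is not the Dev Team's or Apple's code, and the names `Device`, `sign_ticket`, `verify_ticket` and `replay_saved_ticket` are hypothetical). Two assumptions are made that the post does not spell out: an HMAC under a key held only by the "signing server" stands in for Apple's real signature, and a random value the device draws at each restore stands in for whatever makes the real ticket "uniquely generated at each and every restore". With `per_restore_binding=False` the ticket depends only on the ECID and the firmware digests, so a copy saved from an earlier restore verifies again; with `per_restore_binding=True` the same replay fails at boot while a freshly signed ticket still passes.

```python
import hashlib
import hmac
import json
import os

# Assumption: a symmetric key stands in for Apple's private signing key. Only the
# signing server holds it in reality; the device would check a public-key signature.
APPLE_SIGNING_KEY = b"example-only-stand-in-for-apple-signing-key"


def _canonical(ecid, digests, nonce):
    """Deterministic byte string that the signature covers."""
    body = {"ecid": ecid, "digests": digests}
    if nonce is not None:
        body["nonce"] = nonce.hex()
    return json.dumps(body, sort_keys=True).encode()


def sign_ticket(request):
    """Signing server side: sign exactly what the device asked for."""
    nonce = request.get("nonce")
    msg = _canonical(request["ecid"], request["digests"], nonce)
    return {
        "ecid": request["ecid"],
        "digests": dict(request["digests"]),
        "nonce": nonce.hex() if nonce is not None else None,
        "sig": hmac.new(APPLE_SIGNING_KEY, msg, hashlib.sha256).hexdigest(),
    }


def verify_ticket(ticket, ecid, digests, expected_nonce):
    """Boot-time check (stand-in for the LLB/iBoot verification the post describes):
    the ticket must be signed over this device, this firmware and, when the device
    binds tickets to a restore, the value generated at the current restore."""
    nonce = bytes.fromhex(ticket["nonce"]) if ticket["nonce"] else None
    if expected_nonce is not None and nonce != expected_nonce:
        return False  # ticket was issued for an earlier restore: replay
    msg = _canonical(ecid, digests, nonce)
    good = hmac.new(APPLE_SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(good, ticket["sig"])


class Device:
    def __init__(self, ecid, per_restore_binding):
        self.ecid = ecid
        self.per_restore_binding = per_restore_binding  # True models the iOS 5 change
        self.restore_nonce = None
        self.firmware = None
        self.ticket = None

    def signing_request(self, firmware_digests):
        req = {"ecid": self.ecid, "digests": firmware_digests}
        if self.per_restore_binding:
            # Fresh per-restore value (assumed mechanism), so a ticket from an
            # earlier restore can never satisfy this one.
            self.restore_nonce = os.urandom(20)
            req["nonce"] = self.restore_nonce
        return req

    def restore(self, firmware_digests, ticket):
        self.firmware = firmware_digests
        self.ticket = ticket
        return self.boot()

    def boot(self):
        if self.ticket is None:
            return False
        expected = self.restore_nonce if self.per_restore_binding else None
        return verify_ticket(self.ticket, self.ecid, self.firmware, expected)


# Constructed firmware digests; real tickets cover the actual image hashes.
FIRMWARE = {
    "LLB": hashlib.sha1(b"LLB image (constructed)").hexdigest(),
    "iBoot": hashlib.sha1(b"iBoot image (constructed)").hexdigest(),
}


def replay_saved_ticket(per_restore_binding):
    """Restore once with a freshly signed ticket, keep it ('saved blobs'), then
    restore again answering the device with the saved ticket instead of asking
    the signing server. Returns True if the replayed ticket boots."""
    dev = Device(ecid=0x000AB1234, per_restore_binding=per_restore_binding)
    saved = sign_ticket(dev.signing_request(FIRMWARE))
    if not dev.restore(FIRMWARE, saved):
        raise RuntimeError("a freshly signed ticket must verify")
    dev.signing_request(FIRMWARE)      # second restore begins; server not consulted
    return dev.restore(FIRMWARE, saved)  # replay the saved ticket


def fresh_ticket_boots(per_restore_binding):
    """Control case: a ticket signed for the current restore always verifies."""
    dev = Device(ecid=0x000AB1234, per_restore_binding=per_restore_binding)
    return dev.restore(FIRMWARE, sign_ticket(dev.signing_request(FIRMWARE)))


if __name__ == "__main__":
    print("replay without per-restore binding boots:", replay_saved_ticket(False))
    print("replay with per-restore binding boots:   ", replay_saved_ticket(True))
    print("fresh ticket with binding boots:         ", fresh_ticket_boots(True))
```

The signature alone never stopped replay: a ticket that depends only on values constant across restores (ECID, firmware digests) is as good the tenth time as the first. What changes the picture is that the signed message now includes something the device will not produce twice, which is why the post stresses both that the ticket is unique per restore and that only Apple can sign it.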

The good news is that this only affects restores to iOS 5 and later.

Those who rely on Geohot’s limera1n exploit can continue to use it as “[it] occurs before any of this new checking is done, so tethered jailbreaks will still always be possible for devices where limera1n applies,” the Team explains.

Moreover, restoring to pre-5.0 firmware versions is still possible, so long as the user has saved the matching SHSH blobs. There is a catch, though: an older version of iTunes must be used.

“Although it’s always been just ‘a matter of time’ before Apple started doing this (they’ve always done this with the BBTicket), it’s still a significant move on Apple’s part (and it also dovetails with certain technical requirements of their upcoming OTA “delta” updates),” the Team writes.

They conclude by assuring users that they plan to combat this, but not during the iOS 5 beta period.

The purpose of their blog update is solely to keep people informed and to spread the word that Apple has "stepped up their game."