How to save SHSH on A12 devices from the command line
#1
Brick 
Hello everyone, in this tutorial I will describe how I save my SHSH blobs for my A12 device.

My device is an iPhone XS and it runs 12.1.2 with unc0ver.

I assume that you are on a jailbreakable version and you have already jailbroken your device,
so we will start from an already jailbroken one.

The first thing to do is to ensure that unc0ver has the "right" generator set;
as default generator unc0ver uses "1111111111111111", let's check it out.

In unc0ver 3.x:
  • Open unc0ver, go to Settings
  • Ensure that "Overwrite Boot Nonce" is set to 0x1111111111111111
  • Close the app.

Now we will change to macOS; I run Mojave 10.14.6.

The easiest way to install libimobiledevice and other useful tools is adding the tap maintained by stek29.

If you haven't already installed Brew, you can simply install it by executing this command:
Quote:/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebr...er/install)"

After that we will update && upgrade brew before adding the stek29 tap; on the command line execute:
Quote:brew update
brew upgrade

and then add the stek29 tap:
Quote:brew tap stek29/idevice

You can find a brief list of the packages here: https://github.com/stek29/homebrew-idevice

Now we can add some useful packages:
Quote:brew install libimobiledevice --HEAD
brew install libirecovery
brew install tsschecker-s0uthwest

Now we can check the APnonce used by our A12 device for requesting SHSH blobs.

Let's use our fresh tools.

Connect your device to your Mac and pair it if not already done.

Let's grab our UniqueDeviceID:
Quote:ideviceinfo | grep UniqueDeviceID

Put the phone in recovery mode:
Quote:ideviceenterrecovery UDID

Let's grab our nonce:
Quote:irecovery -q | grep NONC

and then reboot our phone:
Quote:irecovery -n 

Now that we have all the pieces that we need, we can save our A12 blobs from the command line:
Quote:tsschecker -d iPhone11,2 --boardconfig d321ap -e Q022001100333E00 -i 12.4 -s --generator 0x1111111111111111 --apnonce 0000001010101010100101010101010101010101010010101010010101010101

-e: here we specify our device ECID
--apnonce: here we specify our apnonce

That's all folks.

I would appreciate it if anyone would point out errors and omissions, thanks!
 
Reply
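The steps of the post above, collected into one script with the input checks a practitioner would want before burning a TSS request. This is an added example, not code from the original post or from the tsschecker / libimobiledevice projects. It assumes the tools installed above (ideviceinfo, ideviceenterrecovery, irecovery, tsschecker from the s0uthwest fork) are on the PATH, that `irecovery -q` prints the nonce on a line starting with `NONC:`, and that an A12 AP nonce is 32 bytes (64 hex characters) while A11 and earlier use 20 bytes (40 hex characters). The device model, board config and ECID are placeholders you must replace with your own; the sample `irecovery -q` output used for checking is constructed.

```shell
#!/bin/sh
# Added example: wraps the manual steps from the post into one script with
# sanity checks on the generator and AP nonce before calling tsschecker.
# Assumptions: libimobiledevice, libirecovery and tsschecker-s0uthwest are
# installed; `irecovery -q` prints a "NONC: <hex>" line in recovery mode.
set -eu

# Pull the NONC field out of `irecovery -q` output read from stdin.
# Reading from stdin (rather than calling irecovery here) lets the parsing be
# checked without a device attached.
parse_nonce() {
    sed -n 's/^NONC: *\([0-9a-fA-F]*\).*/\1/p' | head -n 1 | tr 'A-F' 'a-f'
}

# A12 and later use a 32-byte AP nonce (64 hex chars); A11 and earlier use
# 20 bytes (40 hex chars). A blob saved with a nonce of the wrong size is
# useless, so refuse anything else. Usage: check_apnonce NONCE [EXPECTED_LEN]
check_apnonce() {
    nonce="$1"
    expected_len="${2:-64}"
    printf '%s' "$nonce" | grep -Eq "^[0-9a-f]{$expected_len}\$"
}

# The generator is 8 bytes written as 0x followed by 16 hex chars; this is
# the value unc0ver's "Overwrite Boot Nonce" setting must show.
check_generator() {
    printf '%s' "$1" | grep -Eq '^0x[0-9a-fA-F]{16}$'
}

# Build (but do not run) the tsschecker command line used in the post.
# Usage: build_tsschecker_cmd DEVICE BOARD ECID VERSION GENERATOR APNONCE
build_tsschecker_cmd() {
    check_generator "$5" || { echo "bad generator: $5" >&2; return 1; }
    check_apnonce "$6" 64 || { echo "bad A12 apnonce: $6" >&2; return 1; }
    printf 'tsschecker -d %s --boardconfig %s -e %s -i %s -s --generator %s --apnonce %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Full procedure against a connected, paired, jailbroken device.
# Placeholders: iPhone11,2 / d321ap are the iPhone XS values from the post;
# ECID must be exported in the environment (the post's value is redacted).
main() {
    udid=$(ideviceinfo | sed -n 's/^UniqueDeviceID: *//p')
    ideviceenterrecovery "$udid"
    sleep 10                      # give the device time to reach recovery
    nonce=$(irecovery -q | parse_nonce)
    irecovery -n                  # reboot back to iOS
    cmd=$(build_tsschecker_cmd iPhone11,2 d321ap \
        "${ECID:?export ECID with your device ECID first}" 12.4 \
        0x1111111111111111 "$nonce")
    echo "running: $cmd"
    eval "$cmd"
}

# Only talk to a device when explicitly asked: RUN_SHSH=1 ECID=... ./save.sh
if [ "${RUN_SHSH:-0}" = 1 ]; then main; fi
```

The size check is the part worth keeping even if you run the commands by hand: on A12 the value from `irecovery -q` must be 64 hex characters, and a copy-paste that drops a character will still produce a "saved" blob that can never be used.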
#2
But don't you need signed firmware to save blobs even if you are jailbroken? Just wondering.
 
Reply
#3
(09-10-2019, 10:41 PM)Jassy_123 Wrote: But don't you need signed firmware to save blobs even if you are jailbroken? Just wondering.

Yes, you need the firmware to be signed for saving SHSH blobs. Saving SHSH on A12 is different because the SHSH are invalidated if they are not saved with the nonces that the device enforces; with 12.1.2 we can force the generator and also the nonce does not change at every reboot - you can test it by yourself.

With 12.4 you can freeze the nonce, but I didn't go deep into the topic because mine is on 12.1.2.
 
Reply
#4
Right, it does make sense to me, but just wondering: if I am on 12.1.2 and upgrade to 12.4, will the nonce be the same? And don't we have to set the nonce anymore once we set it like 0x1111111111111111? Will they be static unless we change them?
Please, if you could clarify on this.
Thanks in advance
 
Reply
#5
(09-11-2019, 08:25 PM)Jassy_123 Wrote: Right, it does make sense to me, but just wondering: if I am on 12.1.2 and upgrade to 12.4, will the nonce be the same? And don't we have to set the nonce anymore once we set it like 0x1111111111111111? Will they be static unless we change them?
Please, if you could clarify on this.
Thanks in advance

The main difference, as of today, 13 September, for A12 devices is that on 12.1.2 we have a PAC bypass and so we can set the nonce and generator; for 12.4 there is no public PAC bypass, but the unc0ver devs are working on a PACless bypass. Let's see.

For now, if you have an A12 the best option is to stay on 12.1.2.

The nonces on 12.1.2 are kept across reboots; if you upgrade or reinstall I think they would certainly change, so if you upgrade you have to set the generator and freeze the nonce.
 
Reply