How to save SHSH on A12 devices from the command line
#1
Brick 
Hello everyone, in this tutorial I will describe how I save my SHSH blobs for my A12 device.

My device is an iPhone XS and it runs 12.1.2 with unc0ver.

I assume that you are on a jailbreakable version and you have already jailbroken your device, 
so we will start from an already jailbroken one.

The first thing to do is to ensure that unc0ver has the "right" generator set; 
as its default generator unc0ver uses "1111111111111111", let's check it out.

In unc0ver 3.x:
  • Open unc0ver and go to Settings
  • Ensure that "Overwrite Boot Nonce" is set to 0x1111111111111111
  • Close the app.

Now we will change to macOS, I run Mojave 10.14.6.

The easiest way to install libimobiledevice and other useful tools is adding the tap maintained by stek29.

If you don't already have Brew installed you can simply install it by executing this command:
Quote:/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebr...er/install)"

After that we will update && upgrade brew before adding the stek29 tap; on the command line execute:
Quote:brew update
brew upgrade

and then add the stek29 tap:
Quote:brew tap stek29/idevice

You can find a brief list of the packages here: https://github.com/stek29/homebrew-idevice

Now we can add some useful packages:
Quote:brew install libimobiledevice --HEAD
brew install libirecovery
brew install tsschecker-s0uthwest

Now we can check the APnonce used by our A12 device for requesting SHSH blobs.

Let's use our fresh tools.

Connect your device to your Mac and pair it if not already done.

Let's grab our UniqueDeviceID:
Quote:ideviceinfo | grep UniqueDeviceID

Put the phone in recovery mode:
Quote:ideviceenterrecovery UDID

Let's grab our nonce:
Quote:irecovery -q | grep NONC

and then reboot our phone:
Quote:irecovery -n 

Now that we have all the pieces that we need we can save our A12 blobs from the command line:
Quote:tsschecker -d iPhone11,2 --boardconfig d321ap -e Q022001100333E00 -i 12.4 -s --generator 0x1111111111111111 --apnonce 0000001010101010100101010101010101010101010010101010010101010101

-e "we will specify our device ECID"
--apnonce "we will specify our apnonce"

That's all folks.

I will appreciate it if anyone would point out errors and omissions, thanks!
Reply
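
Added example (not part of the original post): a small shell helper that ties the steps above together. It pulls the nonce out of the recovery-mode query output, checks that it and the generator are well formed, and prints the tsschecker command using only the flags shown in the post. It assumes `irecovery -q` prints `KEY: value` lines and that an A12 nonce is 32 bytes (64 hex digits); `field`, `is_hex` and `build_cmd` are made-up names and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes `irecovery -q` prints
# "KEY: value" lines (e.g. "NONC: <hex>"); adjust field() if yours differs.

# field KEY: read query output on stdin, print the value of the first KEY line.
field() {
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1 | tr -d '[:space:]'
}

# is_hex VALUE LENGTH: succeed only if VALUE is exactly LENGTH hex digits.
is_hex() {
    [ "${#1}" -eq "$2" ] || return 1
    case $1 in *[!0-9A-Fa-f]*) return 1 ;; esac
    return 0
}

# build_cmd MODEL BOARD ECID IOS GENERATOR  (query output on stdin)
# Refuses to build a command from a truncated nonce or a malformed generator,
# since a blob saved with the wrong nonce is useless later.
build_cmd() {
    nonce=$(field NONC)
    gen=${5#0x}
    is_hex "$nonce" 64 || { echo "bad or missing NONC" >&2; return 1; }
    is_hex "$gen" 16 || { echo "generator must be 0x + 16 hex digits" >&2; return 1; }
    printf 'tsschecker -d %s --boardconfig %s -e %s -i %s -s --generator 0x%s --apnonce %s\n' \
        "$1" "$2" "$3" "$4" "$gen" "$nonce"
}

# Constructed sample (not captured from a real device): 64 'a' characters
# stand in for the nonce, ECID_PLACEHOLDER for your own ECID.
sample_nonce=$(printf '%064d' 0 | tr 0 a)
printf 'CPID: 0x8020\nNONC: %s\n' "$sample_nonce" |
    build_cmd iPhone11,2 d321ap ECID_PLACEHOLDER 12.4 0x1111111111111111

# Live use, with the phone in recovery mode:
#   irecovery -q | build_cmd iPhone11,2 d321ap "$ECID" 12.4 0x1111111111111111
```
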
#2
But don’t you need signed firmware to save blobs even if you are jailbroken? Just wondering.
Reply
#3
(09-10-2019, 10:41 PM)Jassy_123 Wrote: But don’t you need signed firmware to save blobs even if you are jailbroken? Just wondering.

Yes, you need the firmware to be signed for saving SHSH blobs. Saving SHSH on A12 is different because SHSH blobs are invalidated if they are not saved with the nonces that the device enforces; with 12.1.2 we can force the generator and also the nonce does not change at every reboot - you can test it yourself.

With 12.4 you can freeze the nonce but I didn't go deep with the topic because mine is on 12.1.2.
Reply
#4
Right, it does make sense to me, but just wondering: if I am on 12.1.2 and upgrade to 12.4, will the nonce be the same? And don’t we have to set the nonce anymore once we set it like 0X1111111111111111, they will be static unless we don’t change them.
Please clarify this if you could.
Thanks in advance
Reply
#5
(09-11-2019, 08:25 PM)Jassy_123 Wrote: Right, it does make sense to me, but just wondering: if I am on 12.1.2 and upgrade to 12.4, will the nonce be the same? And don’t we have to set the nonce anymore once we set it like 0X1111111111111111, they will be static unless we don’t change them.
Please clarify this if you could.
Thanks in advance

The main difference for A12 devices, as of today, 13 September, is that on 12.1.2 we have a PAC bypass and so we can set nonce and generator; for 12.4 there is no public PAC bypass but the unc0ver devs are working on a PACless bypass. Let’s see.

For now, if you have an A12, the best option is to stay on 12.1.2.

The nonces on 12.1.2 are kept across reboots; if you upgrade or reinstall I think they would certainly change, so if you upgrade you have to set the generator and freeze the nonce.
Reply
#6
If anybody is interested, I automated this process and you can download it from my github: https://github.com/laithayoub71/SDIE
It’s open source and it works for iOS 9-12.4.1 (even on all iOS 13 Betas). It currently only works on Windows and it supports A12-A12X devices. Have a look and test it out if you’re interested!
Reply
#7
Thank you for taking the time to write this!
Reply
#8
Great tutorial, there is the TSS Saver tweak that does everything for you with a simple click; you can get it from https://repo.1conan.com/
Reply

