Apple will block iOS downgrades starting with iOS 5

Two years ago, Apple launched iOS 3 together with the iPhone 3GS and introduced a new system that prevents users from restoring old versions of iOS. The Dev Team then devised a way around this limitation, which finally gave us the ability to save SHSHs that could be used to restore any old version of iOS for which we had that SHSH saved. For two years we have struggled with these SHSHs, but Apple apparently wants to save us from this pain: in iOS 5 it will block iOS downgrades altogether. This means that once you have installed iOS 5.1 you cannot go back to iOS 5.0 at all.

Last night the Dev Team explained what the limitation imposed by Apple entails, comparing the new system with the one that already exists for the baseband. At the moment it is impossible to downgrade the baseband, except on an iPhone 4, where installing a beta version of iOS lets you take the baseband back to a lower version. Apple will do the same with iOS: it will implement a system that generates a unique restore code for each device, a code that is checked every time the device is turned on and which is currently impossible to crack or "falsify". That unique code is randomly generated at each restore and, unlike the SHSH, does not depend on the ECID, so without Apple's cryptographic keys it is very hard to "guess" the code and very hard to fake the device's authentication at every boot.

Apple will implement this new system starting with iOS 5, and the interesting part is that Apple can always grant the possibility of returning to an old firmware, by signing restore codes (similar to SHSHs) for old devices. In general, after the release of a new version of iOS, Apple still signs SHSHs for the old one for a few days, so something similar will happen in iOS 5.

The good part for those who have any device compatible with iOS 5, except the iPad 2, is that limera1n will always allow a tethered jailbreak on iOS 5, and we will be able to downgrade to iOS 4 if we have SHSHs, but to do so we may have to use old versions of iTunes. The Dev Team says Apple will release new versions of iTunes that contain methods to block restores to old versions of iOS, so it would be wise to save iTunes 10.3 on your computer from now on, because you may need it.

Finally, the Dev Team says that the new system will block restores to old versions of iOS starting with iOS 5 GM, which will be released in a few months. I think many expected Apple to implement such a system, and it was somewhat to be expected considering that for two years we have been struggling with SHSHs. Just as SHSH appeared two years ago, other restore methods will appear, and the Dev Team has already said that it has several methods to combat these limitations.

In conclusion, starting with iOS 5 we will have to use new methods to restore iOS.

It looks like Apple is about to aggressively combat the "replay attacks" that have until now allowed users to use iTunes to restore to previous firmware versions using saved SHSH blobs.

Those of you who have been jailbreaking for a while have probably heard us periodically warn you to "save your blobs" for each firmware using either Cydia or TinyUmbrella (or even the "copy from /tmp during restore" method for advanced users). Saving your blobs for a given firmware on your specific device allows you to restore *that* device to *that* firmware even after Apple has stopped signing it. That's all about to change.

Starting with the iOS5 beta, the role of the "APTicket" is changing — it's being used much like the "BBTicket" has always been used. The LLB and iBoot stages of the boot sequence are being refined to depend on the authenticity of the APTicket, which is uniquely generated at each and every restore (in other words, it doesn't depend merely on your ECID and firmware version...it changes every time you restore, based partly on a random number). This APTicket authentication will happen at every boot, not just at restore time. Because only Apple has the crypto keys to properly sign the per-restore APTicket, replayed APTickets are useless.

This will only affect restores starting at iOS5 and onward, and Apple will be able to flip that switch off and on at will (by opening or closing the APTicket signing window for that firmware, like they do for the BBTicket). geohot's limera1n exploit occurs before any of this new checking is done, so tethered jailbreaks will still always be possible for devices where limera1n applies. Also, restoring to pre-5.0 firmwares with saved blobs will still be possible (but you'll soon start to need to use older iTunes versions for that). Note that iTunes ultimately is *not* the component that matters here...it's the boot sequence on the device starting with the LLB.

Although it's always been just "a matter of time" before Apple started doing this (they've always done this with the BBTicket), it's still a significant move on Apple's part (and it also dovetails with certain technical requirements of their upcoming "OTA delta" updates).

Notes: although there may still be ways to combat this, a beta period is really not the time or place to discuss them. We're just letting you know what Apple has already done in their existing beta releases — they've stepped up their game!
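The mechanism described in both halves of this page (the article's "unique restore code" that "does not depend on the ECID", and the Dev Team's per-restore APTicket checked by LLB/iBoot at every boot) comes down to one design choice: bind the signed ticket to a random value the device itself generates at restore time. The following is an added illustration, not code from the article, from the Dev Team, or from Apple. It models both schemes in Python so the replay behaviour can be compared directly. The HMAC stands in for Apple's asymmetric signature (in the real design only Apple holds the signing key and the device verifies with a public key), and the key, ECID and firmware strings are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed signing key: a stand-in for the signer's private key. In the real
# design the device holds only a public key and cannot mint tickets itself.
SIGNER_KEY = b"constructed-demo-signing-key"

ECID = 0x00001122334455AA  # constructed device identifier, not a real ECID


def sign(message: bytes) -> bytes:
    """Signer side: produce a tag over the message (HMAC as a stand-in signature)."""
    return hmac.new(SIGNER_KEY, message, hashlib.sha256).digest()


def verify(message: bytes, tag: bytes) -> bool:
    """Device side: constant-time comparison of the expected and presented tag."""
    return hmac.compare_digest(sign(message), tag)


# --- Old scheme: blob bound to (ECID, firmware version) only ------------------

def shsh_message(ecid: int, firmware: str) -> bytes:
    return ecid.to_bytes(8, "big") + firmware.encode()


def issue_shsh(ecid: int, firmware: str) -> bytes:
    return sign(shsh_message(ecid, firmware))


def device_accepts_shsh(ecid: int, firmware: str, blob: bytes) -> bool:
    # Nothing in the signed message changes between restores, so a blob saved
    # while the signing window was open verifies forever: the check is replayable.
    return verify(shsh_message(ecid, firmware), blob)


# --- New scheme: ticket bound to a nonce the device draws per restore ----------

def device_fresh_nonce() -> bytes:
    """The device draws a new random nonce at every restore and records it."""
    return secrets.token_bytes(20)


def apticket_message(ecid: int, firmware: str, nonce: bytes) -> bytes:
    return ecid.to_bytes(8, "big") + firmware.encode() + nonce


def issue_apticket(ecid: int, firmware: str, nonce: bytes) -> bytes:
    """The signer receives the device's nonce and signs it into the ticket."""
    return sign(apticket_message(ecid, firmware, nonce))


def device_accepts_apticket(ecid: int, firmware: str,
                            stored_nonce: bytes, ticket: bytes) -> bool:
    # Run at every boot against the nonce recorded at restore time.
    return verify(apticket_message(ecid, firmware, stored_nonce), ticket)


def simulate() -> dict:
    """Walk through both schemes and report which checks the device accepts."""
    results = {}

    # Signing window open: the device obtains and keeps both kinds of credential.
    saved_blob = issue_shsh(ECID, "4.3.3")
    restore1_nonce = device_fresh_nonce()
    saved_ticket = issue_apticket(ECID, "5.0", restore1_nonce)

    # A ticket verifies on the device whose nonce it was signed over.
    results["apticket_fresh"] = device_accepts_apticket(
        ECID, "5.0", restore1_nonce, saved_ticket)

    # Signing window closed: only the saved material is available from here on.
    results["shsh_replay"] = device_accepts_shsh(ECID, "4.3.3", saved_blob)

    # A later restore draws a new nonce; the saved ticket covers the old one.
    restore2_nonce = device_fresh_nonce()
    results["apticket_replay"] = device_accepts_apticket(
        ECID, "5.0", restore2_nonce, saved_ticket)

    # The ticket is also bound to the firmware version it was issued for.
    results["apticket_other_fw"] = device_accepts_apticket(
        ECID, "5.0.1", restore1_nonce, saved_ticket)
    return results


if __name__ == "__main__":
    for check, accepted in simulate().items():
        print(f"{check:18s} -> {'accepted' if accepted else 'rejected'}")
```

The two `*_replay` results show the difference the page describes: the ECID-bound blob is accepted on every later restore, while the nonce-bound ticket is rejected as soon as the device has drawn a fresh nonce, even though the signature on it is perfectly valid. Swapping the HMAC for a public-key signature changes nothing about that property; it only removes the verifier's ability to produce tickets, which is why the Dev Team stresses that only Apple's keys can sign a ticket for a given restore.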