    Friday, March 12, 2021

    iOS Jailbreak [Tutorial] SHSH, Generator/Boot-nonce, APNonce, Nonce Entanglement: What are they? What limitations exist with saving and using them? An All-Inclusive Explanation (+APNonce does not match APTicket solutions)

    [Tutorial] SHSH, Generator/Boot-nonce, APNonce, Nonce Entanglement: What are they? What limitations exist with saving and using them? An All-Inclusive Explanation (+APNonce does not match APTicket solutions)

    Posted: 11 Mar 2021 06:13 PM PST

    Am I saving blobs correctly? What is the difference between boot-nonce and AP Nonce? What is nonce entangling? Does it affect me?

    Using FutureRestore and getting this error?

    Device APNonce does not match APTicket nonce 

    This post will include complex ideas and terminology, most of which will be explained. This is not a guide. This is not a simple manual on how to save and use blobs. This is an explanation of what exactly blobs + nonces + SHSH are, for those interested in understanding, not just doing without understanding.


    Table of Contents

    SHSH

    • What is SHSH?
    • How is SHSH used normally?
    • Saving SHSH blobs

    AP Nonce and Generator

    • What is an AP Nonce?
    • How is it used?
    • How is it derived?
    • Generator
      • What is hashing?
    • Generator → AP Nonce: ≤A11
    • ≤A11 Saving Blobs
      • Presets
    • Nonce Entangling
    • ≥A12 Saving Blobs
    • Generator → AP Nonce: ≥A11

    AP Nonce does not match AP Ticket

    • What does it mean?
    • Solutions

    Quick Refs

    • "Can" and "Can't" do's

    Sources + Disclaimer

    Disclaimer: I don't know C or Obj C or whatever language iOS uses, whatever language dimentio uses (hopefully my reading of its source code was correct) and my first ever FutureRestore was from 13.5 -> 14.3 on A12. I'm looking to simply share some knowledge I learned.

    Sources:
    - Dimentio by 0x7ff source code
    - Cryptic#6293, a database of iOS knowledge
    - iPhone Wiki
    - Most of all, my own interpretation of the data above. I could not find anything specifically on what I've written and had to draw a lot of conclusions myself. If something is wrong below, please point it out to me. I'm still learning.


    SHSH

    What is SHSH?

    When you update your iOS device normally, your device will make requests with Apple and provide the servers with information. The servers will also provide information back to the device, and the device will eventually accept Apple's firmware + signing, and the device will proceed to install the new firmware.

    SHSH is a signature attached to the firmware you're getting (normally from Apple) to ensure that your device is installing a firmware that Apple wants you to install. Apple's servers generate this signature for signed iOS versions only—your phone does not generate it. It is not possible to fake an SHSH signature since we do not know Apple's private signing key.

    How is SHSH used normally?

    You can request a SHSH signature from Apple by simply making a request to their servers. You will need the following information:

    • Board ID of the target device
      • An identifier shared between all the same types of devices. E.G. All iPhone XR's have the same board identifier, all iPod Touch 5's have the same board id. (For example, 12.5.1 is still being signed for the iPhone 6. This prevents you from using an iPhone 6's SHSH on a newer phone)
    • Chip ID of the target device
      • Chip IDs are shared between devices with the same chip. E.G. iPhone XR and iPhone XS both have the same A12 Bionic chip and thus, chip ID.
    • ECID of the target device
      • This is an identifier specific to your device which attempts to prevent you from being able to use signatures requested from another device. (So you can't use someone else's iPhone 11 blobs on your iPhone 11)
    • APNonce
      • Explained later. Attempts to ensure that your device is only being updated at the time of the request (that you're not saving these signing tickets to update to unsigned firmware at a later time).
    • UniqueBuildID
      • An identifier that tells Apple what version you are trying to upgrade/downgrade/restore to. Ensures that you don't use this signature to downgrade to an iOS version other than the one you are requesting SHSH for. Apple will refuse to give out signatures for old versions after a certain amount of time. This is what happens when someone says that a version is "unsigned."

    Saving SHSH blobs

    When you save a SHSH "blob", you are requesting a SHSH signature from Apple and storing it instead of using it. But how can we use this later? We learned that AP Nonce prevents you from doing this. Let's delve into what exactly an AP Nonce is, and how we can manipulate it.


    AP Nonce & Generator

    What is an AP Nonce?

    When your phone decides that it wants to update/restore/downgrade, it calculates its AP Nonce. This nonce is supposed to be random every time (mathematically, it's extremely unlikely but possible to get the same AP Nonce as one from before after retrying for billions of years). An example of an AP Nonce is 3cc4e7b5dce6ffaba306d37879292e4abc721121e833285f698125703e6a4bc3.

    How is it used?

    After the device generates its random AP Nonce, it sends it to Apple in its request for a SHSH signature. The signature is only valid for this AP Nonce, so if you reboot your device, you will need to generate a new AP Nonce. This means you cannot save a SHSH for later, as your AP Nonce will change.

    How is it derived?

    Your iOS device needs a way to keep its AP Nonce the same after a reboot, as it reboots a few times during the update and must keep its AP Nonce the same temporarily. How does it do this? Let's take a look at how this AP Nonce is derived.

    Generator

    In your phone's NVRAM, memory which stays persistent after reboot, a 'generator' is stored. This generator will eventually be turned into an AP Nonce. An example of a generator is 0x1111111111111111 or 0xb6d96a54d2a8fc37. This generator can only be read and set in jailbroken state. The reason for this generator's existence is due to a device's update/restore/downgrade needing to reboot a few times, and the device needs to temporarily keep the same AP Nonce for the duration of the update/restore/downgrade.

    What is hashing?

    When something is hashed, an input is put through a series of complex mathematical algorithms to receive an output. This output is intended to be impossible to turn back into the input. For example, say I had the number 3. I multiply this number by 5 (= 15), square it (= 225) then add 7 (= 232). The input is 3, and the output is 232. If we had another input, like 5, the output would be 632. Both inputs give separate unique outputs, but are almost impossible to determine the input from. Can you reverse that 232 into 3 without knowing the algorithms?

    Now imagine this, but with extremely complex math algorithms, and a huge amount of steps in between, some requiring using previous inputs (like 225 in our first example) later in the problem, so that it is extremely hard to the point of impossibility to work backwards.

    Generator → AP Nonce: ≤A11

    On A10-A11 devices, the process is as follows:

    • Hash the generator with the SHA-384 algorithm. This will turn 0xb6d96a54d2a8fc37 into 3cc4e7b5dce6ffaba306d37879292e4abc721121e833285f698125703e6a4bc3. Every single A10 and A11 device will get this exact AP Nonce from this specific generator.

    On A9 and lower devices, the process is as follows:

    • Hash the generator with the SHA-1 algorithm. This will turn 0xb6d96a54d2a8fc37 into 868bf1937c8d7a1dcedbfdb69843401abba63e39. Every single A9 and lower device (that uses AP Nonces) will get this exact AP Nonce from this generator.

    ≤A11 Saving Blobs

    To save blobs on A11 or lower, you do not need to be jailbroken. Why? Because our device specific info like the ECID can be read from a computer. We also know an AP Nonce for any generator by simply hashing it (you can do this with any website online). So when the time comes to set your generator in order to FutureRestore, you already have a blob saved with a nonce that you know the generator for.

    Presets

    For A10 and A11, you can use 0x1111111111111111 as your generator (that's 16 "1"s) with the AP Nonce being 27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae. You can save blobs with this pair as long as you know your ECID.

    For A9 and lower, you can use 0x1111111111111111 as your generator with the AP Nonce being 3a88b7c3802f2f0510abc432104a15ebd8bd7154. You can save blobs with this pair as long as you know your ECID.

    Nonce Entangling

    You've probably heard this term before, especially if you are on an A12 or higher device. What does it mean? If your nonce is entangled, it means that your generator is encrypted together with some device specific keys, and then hashed in order to get an AP Nonce. This means that your AP Nonce will be specific to that generator on your device only—nobody else's. You cannot read these device specific keys without being jailbroken, therefore you cannot just find an AP Nonce for a generator.

    ≥A12 Saving Blobs

    What does this mean for saving blobs? We cannot save blobs using a known AP Nonce because every device's nonce is different! It would be useless to you, as the device would reject someone else's nonce even if you have the same generator. You can read your current AP Nonce using your computer from an unjailbreakable firmware. We cannot use this nonce to save blobs, though, because we do not know the generator that created this nonce. It's random at the moment!

    Remember, the AP Nonce is a hash, and we cannot de-hash it to get the generator again. This is mathematically impossible. Therefore, any blobs you save with an unknown, randomized generator will be useless, as we will have to try random generators for billions of years in order to find the same AP Nonce.

    But when you are jailbroken, we can read the NVRAM to find our generator, and even better, set our generator. This means we can save blobs with any AP Nonce, and as long as we know the generator that created the AP Nonce, we can set our device's generator to that blob's generator and recreate the AP Nonce. We can also read our device's specific UID keys so that we can save blobs whenever we want, even when not jailbroken anymore. (Note: Since you cannot set generator when unjailbroken, you cannot use these blobs until you are able to set the generator again.)

    There are no preset pairs for A12 due to it being different for each device.

    Generator → AP Nonce: ≥A11

    On ≥A12 devices, the process is as follows:

    • Encrypt this hex 0x568241656551e0cdf56ff84cc11a79ef (a random constant Apple decided to pick) using your UID Key (you can only read this key while jailbroken).
      • This will give you AES Key 0x8A3, which is specific to your device.
    • Encrypt the Generator using the AES Key 0x8A3, with AES-128 encryption
      • This will give you your Entangled Generator
    • Hash the Entangled Generator, with SHA-384 hashing algorithm
      • This will give you your AP Nonce

    AP Nonce does not match AP Ticket

    If you get this error while FutureRestoring, it means that the AP Nonce in your blob does not match the AP Nonce currently set on your device. This means that the generator set when you saved blobs is not the same as the generator you have set currently.

    Solutions

    There are a few scenarios for this situation:

    • You haven't set the generator on your phone to the one in your blob. Happens most commonly after a reboot or attempted restore/update/downgrade. Unc0ver sometimes has issues setting your generator, so try dimentio from 1Conan's repo to set your generator and in turn, your AP Nonce.
      • After using dimentio, you can see your Entangled Nonce (AP Nonce) as the last line in the output. Ensure it matches the one that you used when saving your blob.
    • If your generator is set to the one shown in your blob, and you've tried setting your generator to 0x1111111111111111 and 0xbd34a880be0b53f3 (Electra/Chimera/Odyssey's default generator) and the AP Nonce still does not match, you may have saved blobs incorrectly with a randomized generator = randomized AP Nonce. You cannot convert the AP Nonce back into a generator due to hashing.
      • You can attempt to search for blobs that have been saved correctly. Try checking both https://shsh.host and https://tsssaver.1conan.com/v2/ for any blobs with a different AP Nonce than the non-working one. If you cannot find any different blobs, there is nothing you can do in this scenario.
    • (Unlikely) You saved blobs with a specific generator, such as 0x6969696969696969, but your blob saving tool didn't record it. This could happen with blobsaver, as it only saves your AP Nonce in the blob, not generator.
    • There was a period of time where Odyssey (1.2 and 1.2.1) would not allow tools that used dimentio to read generator (and thus, AP Nonce) correctly, leading to invalid blobs being saved.

    Quick Refs

    A quick summary of what we can and cannot do.

    • Cannot save ≥A12 blobs while unjailbroken: We can only save useless blobs at any time for any phone. We know the nonce but not the generator, so we cannot recreate our blob's state on our phone.
    • Can save working blobs at any time for ≤A11. As long as you know your phone's ECID (can read it without ever being jailbroken), you can save blobs at any time. Just use a known Nonce-Generator pair.
    • Cannot FutureRestore to 14.0-14.3 with A14 devices (excluding onboard blobs, which will only let you restore to your same version). It's impossible to save blobs on A12+ before a jailbreak as stated above, therefore there are no usable blobs for 14.0-14.3 on A14 devices.
    • Can FutureRestore from the latest version on ≤A11 or below. This has nothing to do with Nonce Entanglement, it is simply because checkra1n exists for those devices, hence you can set your generator.
    • Cannot FutureRestore any devices on unjailbreakable firmware. This is because you cannot set generator and thus cannot use your blob.

    Too long; didn't read: This is not a post that can have a summary, sorry. Feel free to continue scrolling.

    submitted by /u/CoocooFroggy
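An added example (not code from the post above or from dimentio/FutureRestore) that works through the ≤A11 generator → AP Nonce derivation the post describes, using the post's 0x1111111111111111 presets, and then reproduces the "APNonce does not match APTicket" check to tell whether a blob can be rescued by setting a known generator. Assumptions: the generator's 8 bytes are hashed in little-endian order (irrelevant for the all-0x11 presets) and the SHA-384 digest is truncated to the 32-byte nonce length; the ≥A12 entangled path is omitted because it needs the device's UID key.

```python
import hashlib

# Nonce algorithm per chip generation, as the post states:
#   A9 and lower -> SHA-1  (20-byte digest == 20-byte nonce)
#   A10 / A11    -> SHA-384, truncated to the 32-byte APNonce length (assumption)
NONCE_ALGO = {"a9_or_lower": ("sha1", 20), "a10_a11": ("sha384", 32)}

# Generators named in the post: blobsaver preset and Electra/Chimera/Odyssey default
KNOWN_GENERATORS = ("0x1111111111111111", "0xbd34a880be0b53f3")


def generator_to_bytes(generator: str) -> bytes:
    """Turn a 64-bit generator such as '0x1111111111111111' into the 8 raw bytes
    that get hashed. Byte order is an assumption (little-endian, as the device
    stores the 64-bit value); for the 0x11... presets the order is irrelevant."""
    value = int(generator, 16)
    if not 0 <= value <= 0xFFFFFFFFFFFFFFFF:
        raise ValueError("generator must be a 64-bit value")
    return value.to_bytes(8, "little")


def apnonce_from_generator(generator: str, chip: str) -> str:
    """Derive the AP Nonce (hex) a ≤A11 device computes from a generator."""
    algo, nonce_len = NONCE_ALGO[chip]
    digest = hashlib.new(algo, generator_to_bytes(generator)).digest()
    return digest[:nonce_len].hex()


def diagnose_mismatch(blob_apnonce: str, current_generator: str, chip: str) -> str:
    """Mirror FutureRestore's check: the blob's APNonce must equal the nonce the
    currently set generator produces. If it does not, see whether one of the
    well-known generators would produce it (then the fix is to set that
    generator); otherwise the blob was saved with a random generator and the
    nonce cannot be reversed into one."""
    blob_apnonce = blob_apnonce.lower()
    if apnonce_from_generator(current_generator, chip) == blob_apnonce:
        return "match"
    for gen in KNOWN_GENERATORS:
        if apnonce_from_generator(gen, chip) == blob_apnonce:
            return f"set generator to {gen}"
    return "unknown generator: blob unusable"


if __name__ == "__main__":
    # Constructed scenario: blob saved with the 0x11... preset on an A11 device,
    # but the device currently has a different generator set.
    blob_nonce = apnonce_from_generator("0x1111111111111111", "a10_a11")
    print("blob APNonce:", blob_nonce)
    print(diagnose_mismatch(blob_nonce, "0x6969696969696969", "a10_a11"))
```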

    [Free Release] Thy shy - Dim home screen icons or labels after inactivity iOS 14 (more info in comments)

    Posted: 11 Mar 2021 08:08 AM PST

    [News] My server is unable to connect due to domain issues. repo: cydia.ichitaso.com

    Posted: 11 Mar 2021 04:32 PM PST

    Please temporarily use repo here:

    https://ichitaso.tk/apt/

    About my paid tweaks (Packix)

    I'm sorry, my server domain has expired and I can't authenticate. It will not be usable for a while, so please uninstall it.

    https://twitter.com/ichitaso

    I will report it on Twitter when it recovers, so please check it if you like.

    https://booth.pm/ja/items/1493403

    RemoveAdsToggle is fine.

    We apologize for the inconvenience.

    submitted by /u/ichitaso

    [REQUEST] by tapping the green pill instead of going into full screen bring back de call bar

    Posted: 11 Mar 2021 06:55 PM PST

    [Free Release] Fufu, FREE battery theming, made with themers in mind!

    Posted: 11 Mar 2021 03:02 PM PST

    Hello r/jailbreak, we meet again. So it's been a while since my last post, about Starscape. Meanwhile, I have been making a huge tweak, and it's been in the works for over 30+ days. So I'm proud to present to you, Fufu.

    Themers, when making Fufu themes your tree should look exactly like this:

    YourTheme.fufu
    ├── batt
    │   ├── 10.png
    │   ├── 20.png
    │   ├── 30.png
    │   ├── 40.png
    │   ├── 50.png
    │   ├── 60.png
    │   ├── 70.png
    │   ├── 80.png
    │   ├── 90.png
    │   └── 100.png
    ├── cell
    │   └── cell.png (Cell Bars icon)
    ├── lte
    │   └── lte.png (LTE/Carrier Text)
    └── wifi
        ├── one.png (Empty Wifi Bars)
        ├── two.png (One Wifi Bar)
        ├── three.png (Two Wifi Bars)
        └── four.png (Full Wifi Bars)

    Themes must be placed in /Library/Application Support/Fufu/

    Themes must have .fufu at the end.

    Themes must be folders.

    Note that cell, WIFI, and LTE will come in a future update, and are not currently implemented.
    It is advised that your image be high quality, and not scaled down. This can be seen inside the example theme.

    Fufu has scaling options, your themes do not have to be square.

    You do not need to include Cell, Wifi, nor LTE. So let's say you just wanted to make a battery theme? Sure, Cell, LTE, and Wifi are not required. (Battery isn't either, but well, you'd have an empty theme.) If you wanted to, for example, just have a wifi theme? Sure.

    If you have any questions do not hesitate to contact me on my Discord, or my Twitter (@DevBedtime).

    Regular users:
    Go install battery themes from your favorite creators!
    (also report bugs to my discord!!)

    Known issues:
    Setting a theme erases all settings; this can be fixed by going into settings, moving one or two sliders around, and hitting respring.
    It is not apparent when a theme has been set; need to implement feedback.

    Add https://bed-time.github.io to your package manager to get it. (It's free!)

    submitted by /u/bedtime__

    [Free Release] Déverser Linux

    Posted: 11 Mar 2021 03:07 PM PST

    Since 1Conan's method of saving blobs is liable to slowdowns due to the sheer number of requests it gets, I wanted an alternative, but the only one I saw was a shell script written for MacOS users (You can find it here), which broke down if you didn't have img4tool already installed and you're a GNU/Linux user. So I forked it and edited his script so that it fully works with any GNU/Linux Distro. You can get it here. All thanks go to Matty (Matthew Pierson, moski_dev) for making the original shell script.

    Enjoy!

    submitted by /u/SimPilotAdamT

    [Tip] If you have the bug/glitch when you scroll slowly in all versions of u0 6.0.0-6.1.1, here is the solution.

    Posted: 11 Mar 2021 08:21 PM PST

    Finally I found a way to resolve it; follow my steps:

    1. Reboot and rejailbreak.
    2. When you come to the home screen, make a userspace reboot via PowerSelector.
    3. When you come to the home screen, disable the "bulletindistributord" daemon via Choicy.
    4. Do some resprings to see that the lag doesn't come back.
    5. Enjoy!

    submitted by /u/karlitoni

    [Question] how to get rid of the blur on the quick select?

    Posted: 11 Mar 2021 07:47 PM PST

    [Discussion] Altstore 1.4.4 is refusing to allow reinstallation of uncover 3.5.1 or 6.1.1. I have tried a number of alternatives but nothing seems to work.

    Posted: 11 Mar 2021 10:26 PM PST

    When I attempt to reinstall Uncover because it stopped working, I get the mismatch error message. Can anyone advise the way forward?

    I have uninstalled Altstore several times and tried to install uncover but the outcome is still the same.

    submitted by /u/Lower-Hunter-7353

    [update] CSources2 iOS 14.4 support.

    Posted: 11 Mar 2021 10:13 AM PST

    [Tutorial] How To Restore Current Firmware w/o FutureRestore/iTunes via Succession

    Posted: 11 Mar 2021 11:35 PM PST

    I have yet to see any posts in regards to using what I consider a priceless tool that's saved me many a jailbreak, given me a fresh start and allowed me to retain my current firmware.

    Keep in mind that I'm speaking from my own experiences; I can't guarantee this method will work flawlessly for anyone.

    That being said, I have personally used the tool, Succession by u/samg_is_a_Ninja, previously on 13.2.3 on my iPhone 11 on U0, and now have also restored 14.3RC1 on multiple occasions recently.

    For those that do not know what Succession is, it allows you to restore a clean IPSW of your current firmware, and deletes all data as if you did a restore to said firmware. If I've made any mistakes or anyone has suggestions for me to add to this, please chime in.

    I'll do my best to outline the process I used to achieve this goal.

    This guide assumes you are already jailbroken and are familiar with how to add a repo to your preferred package manager.

    I added his test repo, Succession Test Repo, which got the initial app for Succession on the device.

    Normally, from my understanding, it will download a clean IPSW directly from Succession itself; however, I could not get it to download the proper IPSW. In my specific case, it was 14.3RC1, Build ID 18C65 for iPhone 11.

    Luckily, you can supply Succession with the clean IPSW yourself. So I headed over to ipsw.dev, chose iPhone 11 as a device, found my currently installed firmware, then downloaded it to my PC.

    Then I used i-Funbox, which you can download here, browsed the filesystem for a folder called "Succession", and placed the IPSW file in the root of that folder, also naming it ipsw.ipsw.

    Note that you don't necessarily have to use a PC to download/supply the file to the app. I'm pretty certain you can just download it via Safari on device; however, I have not explored this method.

    The full directory is

    /var/mobile/Media/Succession

    Be sure to name it ipsw.ipsw, to make certain that Succession detects the supplied file.

    Now, when you open Succession at this point, it should detect the supplied file. Be sure to click "Use Provided IPSW" and not "Download clean filesystem".

    If you press Prepare for Restore it will do some extracting of files. After a few minutes it should allow you to press Begin Restore.

    I typically place the device on a charger or close by on a table. It may seem to freeze up a bit; just give it time.

    At the end the app should crash to the home screen, then if you wait a little longer, it will reboot to the Apple logo and default setup screen, unjailbroken on clean firmware!

    I would like to note that each and every experience I had with this app was flawless, but that doesn't mean it will definitely work the same for you. I thought I'd share my experience in the hope of helping others in my situation.

    I would also like to thank u/samg_is_a_Ninja. Without his effort to create this tool I would've lost my opportunity to jailbreak many moons ago.

    submitted by /u/Abskurity

    [request] tweak to disable this/these pop ups.

    Posted: 11 Mar 2021 09:05 AM PST

    [tip] Reprovision and other apps crashing? Try disabling bold text.

    Posted: 11 Mar 2021 08:17 PM PST

    I tried this and it worked for multiple apps (Reprovision and cr4shed).

    submitted by /u/bigNhardR

    [Request] A tweak for the Favourites section in the phone app to display contacts in grid format.

    Posted: 11 Mar 2021 11:48 PM PST

    Will it be possible to make a tweak to show all the favourite contacts in a grid view rather than a list view? By doing it we can add more favourites and see them all at once without the need to scroll.

    submitted by /u/Smahie

    [Discussion] The joys of jailbreaking -- putting app "Documents" folders into your desktop computer's "Places" section via SFTP!

    Posted: 11 Mar 2021 02:54 PM PST

    One of the great things about a jailbroken phone with OpenSSH is that you can basically mount any of its folders on your desktop PC (in this case, with Linux (KDE neon) on it), and treat it like any other folder. In this case, I've directly mounted the "Documents" folder of the music player app I use (MusicFolder 2) in Dolphin so I can just drag new music into it. Fun!

    https://preview.redd.it/t6l98k5hbhm61.png?width=777&format=png&auto=webp&s=763a829eb7667c86c48e4d3f6544bd674c8f795b

    submitted by /u/Smart_Bonus_1611

    [Discussion] Concept I made for customizable App Library folders

    Posted: 11 Mar 2021 05:31 AM PST

    [Request] A tweak to allow copying of YouTube community media/content such as photos

    Posted: 11 Mar 2021 03:01 PM PST

    [Request] Small ipad tweak that adds option to replace § with ESC

    Posted: 11 Mar 2021 07:13 AM PST

    [Request] Tweak to Export Beta App from TestFlight

    Posted: 11 Mar 2021 02:14 PM PST

    Hey is it possible to export an App from TestFlight so I can still use it after Beta?

    submitted by /u/No_Willow_5919

    [HELP] Grupi is blocking AutoUnlockX

    Posted: 11 Mar 2021 04:26 PM PST

    As the title suggests, AutoUnlockX doesn't work when Grupi is enabled.

    Tried turning off "Disable if notifications" but nothing happens.

    submitted by /u/itachi989

    [Question] Is anyone else experiencing Bluetooth looping on and off rapidly with unc0ver 6.1.1?

    Posted: 11 Mar 2021 05:08 PM PST

    This started a couple days ago but I haven't installed anything new in a week. LdRestart seems to fix it temporarily but eventually it comes back and the only option is to reboot. All suggestions welcome, thanks!

    submitted by /u/PantsAtAGlance

    [Request] can someone make a tweak that puts a small icon somewhere on the screen that lets me disconnect/reconnect my AirPods just by tapping? If that is too hard I wouldn’t mind it being a dedicated icon in CC, I would prefer it to be free but if you have to charge 1-3$ I understand

    Posted: 11 Mar 2021 04:50 PM PST

    [Request] Tweak to fix CVE-2021-1844 if possible.

    Posted: 11 Mar 2021 01:33 AM PST
