iOS 5 is still not official, but you may want to hold off even when it launches.  It seems that there have been some major changes in iOS 5 that will make jailbreaking much harder.  Currently, when you jailbreak your phone, you are basically overriding the OS to allow access to certain API calls that are not officially supported.  As all jailbreakers know, once you update the OS, you have to jailbreak it again and reinstall everything, because the new OS does a complete overwrite.  That's all fine and good and we have gotten used to it.  However, word is going around that the new version of iOS 5 will check the authenticity of the OS on every boot, rather than just loading whatever version it's told to load.  It does not work exactly like this; I'm explaining it in simple terms.  Here is a more exact description of what is going on, straight from the Dev-Team blog:

Starting with the iOS5 beta, the role of the “APTicket” is changing — it’s being used much like the “BBTicket” has always been used.  The LLB and iBoot stages of the boot sequence are being refined to depend on the authenticity of the APTicket, which is uniquely generated at each and every restore (in other words, it doesn’t depend merely on your ECID and firmware version…it changes every time you restore, based partly on a random number).  This APTicket authentication will happen at every boot, not just at restore time.  Because only Apple has the crypto keys to properly sign the per-restore APTicket, replayed APTickets are useless.

So what does that mean to us now?  Basically, as long as you are on iOS 4, nothing.  So stay there until the crack masters figure out a way around this.  I'm guessing the logical approach is at the iBoot stage: let it 'think' it's loading the correct APTicket, whatever it is, and then redirect to the cracked blob. Time will tell.
Hopefully this is clear enough, but if you still do not feel like you understand, have a look at a comment made by aksansai. I think he clarified things quite nicely.  If you have already read this far and still feel confused, give this a read.

1) The new method of signing APTickets will prevent you from moving back and forth in the iOS 5.x branch of releases. Since the iOS 4.x firmware are based on ECID and firmware version, you’ll be able to use your saved SHSH blobs to revert back to iOS 4.x (assuming [a] you have an older iTunes handy [b] have your iOS 4.x SHSH blobs saved [c] have the ability to serve out [replay] the SHSH blobs to iTunes upon restore – via TU, for example). This means that all current devices, with the exception of iPad 2, will be able to move between iOS 4 and iOS 5 (most current ONLY) without issue.

2) The new method does not prevent jailbreaking. At the moment, a tethered jailbreak is still possible due to the ubiquitous limera1n hardware exploit used. If (and when) a usable exploit in the iOS 5.x releases is discovered, an untethered jailbreak can be fashioned.

What this boils down to is making the iOS release similar to the baseband release. If you “accidentally” upgrade from one release of iOS 5 to another, you’re stuck at the later release without the ability to downgrade. There’s a plethora of reasons to want to back-pedal to an earlier release of iOS. Downgrading from iOS 4.3 to iOS 4.2.1 in the early phases of the jailbreak was desired because many tweaks were incompatible with the newly introduced ASLR. Folks relying on ultrasn0w *were* limited to using an older release because of incompatibilities with iOS 4.3.

Now, if there is some desired behavior present in iOS 5.0 that is corrected in a later release, you’re fine until you upgrade. If you upgrade and want that desired behavior, you’re forced into a holding pattern until the behavior is made available again in the newer release. This is probably more to do with an untethered jailbreak more than anything else. As long as you’re using a device with the limera1n exploitable bootrom, you have a method of jailbreaking (tethered).

iPad 2/iPhone 5 consumers will no doubt be the biggest headache group due to this change because if they accidentally upgrade to a later version of iOS 5 without a userland exploit (assuming a hardware exploit is not found), they lose their ability to jailbreak altogether until yet another userland exploit is discovered. Considering the difficulties that the Chronic Dev Team and @comex have been facing with the iPad 2 (still without a reliable jailbreak), this is where the headaches will be.

OTA updates are no doubt a huge boon for Apple, allowing them to hot-patch devices without requiring the user to hook up, update firmware, and restore from a backup. Assuming that OTAs can be easily disabled, smooth sailing on the installed release of iOS 5 should be peachy. However, older releases of firmware tend to get left out in the cold the older they get via App Store apps. Taking advantage of new features will no doubt cause certain apps to require iOS 5 (much like many require iOS 4 today).

I’m glad that folks like the iPhone Dev Team are keeping watch with these types of changes. I know good and well that Apple’s very keen use of PKI in their architecture gives them a huge advantage, especially given their evolving methods. But, like all things human – nothing is perfect.
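To make the difference between the two signing models concrete (the Dev-Team quote above, and point 1 of aksansai's comment about ECID-plus-version SHSH blobs being replayable), here is a toy model written for this page. It is not Apple's, the Dev-Team's or any jailbreak tool's code. HMAC-SHA256 with a secret held only by the `Authority` object stands in for Apple's real signature; the device "verifies" by calling back into the authority, which models checking with a public key. The ECID and version strings are made-up sample values, and the model assumes the device draws the per-restore random value itself and keeps it for the boot-time comparison, which is a simplification rather than a description of the real boot chain.

```python
"""Toy model: an ECID+version blob that can be replayed (iOS 4.x SHSH model)
versus a per-restore ticket bound to a fresh nonce (iOS 5 APTicket model).
Constructed example; HMAC stands in for Apple's signature scheme."""
import hashlib
import hmac
import os

SAMPLE_ECID = 0x00000A1B2C3D4E5F  # constructed sample identifier, not a real ECID


class Authority:
    """Models the signer. `signing` is the set of versions it will still sign."""

    def __init__(self, signing):
        self._key = os.urandom(32)      # constructed secret; models the private key only Apple holds
        self.signing = set(signing)

    def _mac(self, msg: bytes) -> bytes:
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def verify(self, msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self._mac(msg), sig)

    def sign_blob(self, ecid: int, version: str):
        """Scheme 1: signature over ECID and version only."""
        if version not in self.signing:
            return None
        msg = f"{ecid}:{version}".encode()
        return {"ecid": ecid, "version": version, "sig": self._mac(msg)}

    def sign_ticket(self, ecid: int, version: str, nonce: bytes):
        """Scheme 2: signature additionally covers a per-restore nonce."""
        if version not in self.signing:
            return None
        msg = f"{ecid}:{version}:".encode() + nonce
        return {"ecid": ecid, "version": version, "nonce": nonce, "sig": self._mac(msg)}


def blob_boot_ok(auth: Authority, ecid: int, version: str, blob) -> bool:
    """Scheme 1 boot check: any valid blob for this ECID+version passes,
    however old it is, so a blob saved while Apple still signed that
    version keeps working after signing stops."""
    if blob is None or blob["ecid"] != ecid or blob["version"] != version:
        return False
    return auth.verify(f"{ecid}:{version}".encode(), blob["sig"])


class Device:
    """Scheme 2 device: keeps the nonce of its most recent restore (model assumption)."""

    def __init__(self, ecid: int, auth: Authority):
        self.ecid, self.auth = ecid, auth
        self.version = self.nonce = self.ticket = None

    def restore(self, version: str) -> bool:
        self.nonce = os.urandom(16)          # fresh random value at every restore
        self.version = version
        self.ticket = self.auth.sign_ticket(self.ecid, version, self.nonce)
        return self.ticket is not None       # False when the authority refuses to sign

    def install_ticket(self, ticket) -> None:
        """A ticket saved from an earlier restore is presented instead."""
        self.ticket = ticket

    def boot_ok(self) -> bool:
        """Checked at every boot, not only at restore time."""
        t = self.ticket
        if t is None or t["ecid"] != self.ecid or t["version"] != self.version:
            return False
        if not hmac.compare_digest(t["nonce"], self.nonce):
            return False                     # ticket was bound to a different restore
        msg = f"{self.ecid}:{self.version}:".encode() + t["nonce"]
        return self.auth.verify(msg, t["sig"])


def demo_blob_replay() -> dict:
    """Old model: save a blob while it is signed, replay it after signing stops."""
    auth = Authority({"4.3.3"})
    saved = auth.sign_blob(SAMPLE_ECID, "4.3.3")
    auth.signing = {"4.3.5"}                 # authority no longer signs 4.3.3
    fresh = auth.sign_blob(SAMPLE_ECID, "4.3.3")
    return {"fresh_refused": fresh is None,
            "replay_accepted": blob_boot_ok(auth, SAMPLE_ECID, "4.3.3", saved)}


def demo_ticket_replay() -> dict:
    """New model: the saved ticket's signature is still valid, but its nonce
    no longer matches the device's current restore, so the boot check fails."""
    auth = Authority({"5.0"})
    dev = Device(SAMPLE_ECID, auth)
    dev.restore("5.0")
    saved = dev.ticket
    first_boot = dev.boot_ok()
    auth.signing = {"5.0.1"}                 # 5.0 is no longer signed
    dev.restore("5.0.1")
    later_boot = dev.boot_ok()
    downgrade_signed = dev.restore("5.0")    # refused: no ticket for this restore
    dev.install_ticket(saved)                # replay the ticket saved earlier
    sig_valid = auth.verify(f"{SAMPLE_ECID}:5.0:".encode() + saved["nonce"], saved["sig"])
    return {"first_boot": first_boot, "later_boot": later_boot,
            "downgrade_signed": downgrade_signed,
            "saved_sig_valid": sig_valid, "replay_boots": dev.boot_ok()}


if __name__ == "__main__":
    print(demo_blob_replay())
    print(demo_ticket_replay())
```

Running the two demos shows the point of the quote: in the blob model the only thing that matters is whether a signature over this ECID and version ever existed, so saving one is enough; in the ticket model the signature covers a value that changes on every restore, so an old ticket remains cryptographically valid yet is rejected at boot because it was issued for a restore that no longer exists on the device.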
