Commit

0.336.0 Release
Merge all changes from the development branch.
DanTheMann15 authored Apr 24, 2022
1 parent 69e4511 commit ea4d7b1
Showing 7 changed files with 300 additions and 129 deletions.
86 changes: 48 additions & 38 deletions README.md
@@ -1,5 +1,5 @@
# tsschecker
tsschecker is a powerful tool to check TSS signing status on combinations of various apple devices and firmware versions.
A Powerful tool to check TSS signing status on combinations of various apple devices and firmware versions.

## Features
* Supports: Apple TV, Apple Watch, HomePod, iPad, iPhone, iPod touch, M1 Macs and the T2 Coprocessor.
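Review bot: the description line reading `A Powerful tool to check TSS signing status ...` capitalises "Powerful" mid-sentence and leaves "apple devices" lowercase, while the Features line just below writes "Apple TV, Apple Watch". Suggest `A powerful tool to check TSS signing status on combinations of various Apple devices and firmware versions.`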
Expand All @@ -10,17 +10,25 @@ tsschecker is a powerful tool to check TSS signing status on combinations of var
tsschecker is not only meant to be used to check firmware signing status, but also to explore Apple's TSS servers.<br/>
By using all of its customization possibilities, you might discover a combination of devices and firmware versions that is getting signed but wasn't getting signed before.

# About nonces:
## recommended generators for saving tickets:
* `0xbd34a880be0b53f3` // default on the Electra, Chimera and Odyssey jailbreak apps.
* `0x1111111111111111` // default on the unc0ver jailbreak app.
# About Nonces:
A [Nonce](https://wikipedia.org/wiki/Cryptographic_nonce) ("Number-used-ONCE") is a randomly generated value that is used to randomize apple's signed hash blobs.

## Nonce Entangling (Apple A12/S4 and newer)
Newer devices, such as the iPhone XR or the Apple Watch Series 4 (and any device newer) have nonce-entangling.
it is created by the device with a nonce seed (generator) and then hashes that seed to create the nonce.<br/>On arm64e devices the nonce is also encrypted with the device's UID Key, see "Nonce Entangling" for more details.

this means any boot nonce generated by your device is now also UID derived, and consequently device-specific.<br/>to save usable tickets for a newer device, you need to get the boot nonce that your device actually generates from your generator.
## Recommended nonce-seeds (Generators) for saving tickets:
* `0xbd34a880be0b53f3` // default on the [Electra](https://coolstar.org/electra/), [Chimera](https://chimera.coolstar.org/) and [Odyssey](https://theodyssey.dev/) jailbreak apps.
* `0x1111111111111111` // default on the [unc0ver](https://unc0ver.dev) jailbreak app.

for information on how to get your actual boot nonce, [see this post on r/jailbreak](https://www.reddit.com/r/jailbreak/comments/cssh8f/tutorial_easiest_way_to_save_blobs_on_a12/).
## Nonce Entangling (arm64e devices)
arm64e devices such as the iPhone XR, Apple Watch Series 4 and all newer devices have nonce-entangling.

Nonce Entangling works by further randomizing the boot nonce by encrypting it with the device's [unique ID key](https://www.theiphonewiki.com/wiki/UID_key),<br/>
making the nonce created from the generator specific to that device only.

To save tickets for an arm64e device, you must get the boot nonce that the device creates from your generator,<br/>
the simpliest way to get a nonce/generator pair is to use airsquared's [blobsaver](https://github.com/airsquared/blobsaver) tool and read them from the device.

if you need more information, [see this post on r/jailbreak](https://www.reddit.com/r/jailbreak/comments/cssh8f/tutorial_easiest_way_to_save_blobs_on_a12/).

## Nonce Collisions:

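Review bot: the "About Nonces" definition calls a nonce "a randomly generated value", but the next sentence says the device derives it by hashing the nonce seed (generator), and the section then recommends fixed generators such as `0x1111111111111111`. The two statements read as contradictory; suggest wording along the lines of "the boot nonce is derived from a seed (the generator); with a fixed generator the nonce is reproducible, which is what makes a saved ticket usable later". The sentence "it is created by the device with a nonce seed (generator) and then hashes that seed" also changes subject halfway and needs a rewrite, "simpliest" should be "simplest", and "apple's" should be capitalised.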
Expand Down Expand Up @@ -66,37 +74,39 @@ To compile, run:
```bash
./autogen.sh
make
sudo make install
make install
```

# Help
Usage: `tsschecker [OPTIONS]`

Example: `tsschecker -d iPhone10,1 -B D20AP -e [ECID] -i 13.4.1 --generator 0x1111111111111111 -s`

| option (short) | option (long) | description |
|----------------|---------------------------|-----------------------------------------------------------------------------------|
| `-h` | `--help` | prints usage information |
| `-d` | `--device MODEL` | specify device by its model (eg. `iPhone8,1`) |
| `-i` | `--ios VERSION` | specify firmware version (eg. `13.4.1`) |
| `-Z` | `--buildid BUILD ` | specific buildid instead of firmware version (eg. `17E255`) |
| `-B` | `--boardconfig BOARD ` | specific boardconfig instead of device model (eg. `n71ap`) |
| `-o` | `--ota` | check OTA signing status, instead of normal restore |
| `-b` | `--no-baseband` | don't check baseband signing status. Request tickets without baseband |
| `-m` | `--build-manifest` | manually specify a BuildManifest (can be used with `-d`) |
| `-s` | `--save` | save fetched shsh blobs (mostly makes sense with -e) |
| `-u` | `--update-install `| request update tickets instead of erase |
| `-l` | `--latest` | use the latest public firmware version instead of manually specifying one<br/>especially useful with `-s` and `-e` for saving signing tickets |
| `-e` | `--ecid ECID` | manually specify ECID to be used for fetching blobs, instead of using random ones.<br/>ECID must be either DEC or HEX eg. `5482657301265` or `ab46efcbf71` |
| `-g` | `--generator GEN` | manually specify generator in format 0x%%16llx |
| | `--apnonce NONCE` | manually specify ApNonce instead of using random ones<br/>(required for saving blobs for A12/S4 and newer devices with generator) |
| | `--sepnonce NONCE` | manually specify SepNonce instead of using random ones (not required for saving signing tickets) |
| | `--bbsnum SNUM` | manually specify BbSNUM in HEX to save valid BBTickets (not required for saving blobs) |
| | `--save-path PATH` | specify path for saving shsh blobs |
| |`--beta` | request ticket for a beta instead of normal release (use with `-o`) |
| |`--list-devices` | list all known devices |
| |`--list-ios` | list all known firmware versions |
| |`--nocache` | ignore caches and re-download required files |
| |`--print-tss-request` | print the TSS request that will be sent to Apple |
| |`--print-tss-response` | print the TSS response that comes from Apple |
| |`--raw` | send raw file to Apple's TSS server (useful for debugging) |
Example: `tsschecker -d iPhone10,3 -B D22AP -e 5482657301265 -i 15.4.1 --generator 0x1111111111111111 -s`

| option (short) | option (long) | description |
| ------------------ | ------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-h` | `--help` | prints usage information |
| `-d` | `--device MODEL` | specify device by its model (eg. iPhone10,3) |
| `-i` | `--ios VERSION` | specify firmware version (eg. 15.4.1) |
| `-Z` | `--buildid BUILD ` | specify buildid instead of firmware version (eg. 19E258) |
| `-B` | `--boardconfig BOARD ` | specify boardconfig instead of device model (eg. d22ap) |
| `-o` | `--ota` | check OTA signing status, instead of normal restore |
| `-b` | `--no-baseband` | don't check baseband signing status. Request tickets without baseband |
| `-m` | `--build-manifest` | manually specify a BuildManifest (can be used with -d) |
| `-s` | `--save` | save fetched shsh blobs (mostly makes sense with -e) |
| `-u` | `--update-install` | request update tickets instead of erase |
| `-l` | `--latest` | use the latest public firmware version instead of manually specifying one<br/>especially useful with -s and -e for saving shsh blobs |
| `-e` | `--ecid ECID` | manually specify ECID to be used for fetching blobs, instead of using random ones<br/>ECID must be either DEC or HEX eg. 5482657301265 or 0xab46efcbf71 |
| `-g` | `--generator GEN` | manually specify generator in HEX format 16 in length (eg. 0x1111111111111111) |
| | `--apnonce NONCE` | manually specify ApNonce instead of using random ones<br/>(required when saving blobs for arm64e devices with matching generator) |
| | `--sepnonce NONCE` | manually specify SEP Nonce instead of using random ones (not required for saving blobs) |
| | `--bbsnum SNUM` | manually specify BbSNUM in HEX to save valid BBTickets (not required for saving blobs) |
| | `--save-path PATH` | specify output path for saving shsh blobs |
| | `--server-url URL` | manually specify TSS server URL |
| | `--bplist` | save fetched blobs in a binary plist (.bshsh2 format) |
| | `--beta` | request tickets for a beta instead of normal release (use with -o) |
| | `--list-devices` | list known devices from firmwares.json |
| | `--list-versions` | list all known firmware versions for the specified device |
| | `--nocache` | ignore caches and re-download required files |
| | `--print-tss-request` | print the TSS request that will be sent to Apple |
| | `--print-tss-response` | print the TSS response that comes from Apple |
| | `--raw` | send raw file to Apple's TSS server (useful for debugging) |
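Review bot: the `--raw` row in the options table shows no argument, but the longopts table in main.c declares it as `{ "raw", required_argument, NULL, 10 }`, so the README should show its argument placeholder, as the `--save-path PATH` and `--server-url URL` rows already do. In the build instructions the install step appears both as `sudo make install` and `make install`; if the `sudo` form is the one being dropped, add a sentence that installing to the default prefix needs elevated privileges or a user-writable `--prefix`, otherwise the documented steps fail for a normal user. The example at the top now embeds a concrete ECID (`5482657301265`) where the other form used the `[ECID]` placeholder; the placeholder makes it clearer that the reader must substitute their own value.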
4 changes: 0 additions & 4 deletions tsschecker/Makefile.am
Expand Up @@ -18,8 +18,4 @@ tsschecker_LDADD = $(AM_LDFLAGS) libjssy.a
tsschecker_SOURCES = tsschecker.c tss.c download.c main.c
endif

if WINDOWS
tsschecker_LDFLAGS = -lpthread -Wl,--allow-multiple-definition $(AM_LDFLAGS)
else
tsschecker_LDFLAGS = $(AM_LDFLAGS)
endif
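Review bot: with the `if WINDOWS` block gone, nothing in this file adds `-lpthread` for Windows builds any more, so please confirm that the MinGW link still succeeds and that the pthread dependency is now supplied elsewhere (for example through configure and `LIBS`), since that is not visible in this hunk. Dropping `-Wl,--allow-multiple-definition` is welcome because that flag hides duplicate symbol definitions, but it also means any duplicate that it was masking will now fail the link, which is worth a note in the commit message. The non-Windows case is unaffected, since automake falls back to `$(AM_LDFLAGS)` when no per-target `tsschecker_LDFLAGS` is set.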
30 changes: 18 additions & 12 deletions tsschecker/main.c
Expand Up @@ -25,7 +25,7 @@
#include "tsschecker.h"
#include "all.h"

#define FLAG_LIST_IOS (1 << 0)
#define FLAG_LIST_VERSIONS (1 << 0)
#define FLAG_LIST_DEVICES (1 << 1)
#define FLAG_BUILDMANIFEST (1 << 2)
#define FLAG_LATEST_IOS (1 << 3)
Expand All @@ -48,7 +48,7 @@ static struct option longopts[] = {
{ "buildid", required_argument, NULL, 'Z' },
{ "debug", no_argument, NULL, 0 },
{ "list-devices", no_argument, NULL, 1 },
{ "list-ios", no_argument, NULL, 2 },
{ "list-versions", no_argument, NULL, 2 },
{ "save-path", required_argument, NULL, 3 },
{ "print-tss-request", no_argument, NULL, 4 },
{ "print-tss-response", no_argument, NULL, 5 },
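Review bot: renaming the long option from `"list-ios"` to `"list-versions"` in `longopts` is a breaking CLI change. An existing script that passes `--list-ios` will now hit the `default:` branch of the option switch, which prints the help text and returns -1. Suggest keeping a second entry `{ "list-ios", no_argument, NULL, 2 }` as a deprecated alias mapped to the same value, or calling the rename out in the release notes.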
Expand All @@ -59,6 +59,7 @@ static struct option longopts[] = {
{ "raw", required_argument, NULL, 10 },
{ "bbsnum", required_argument, NULL, 11 },
{ "server-url", required_argument, NULL, 12 },
{ "bplist", no_argument, NULL, 13 },
{ "generator", required_argument, NULL, 'g' },
{ NULL, 0, NULL, 0 }
};
Expand All @@ -68,8 +69,8 @@ void cmd_help(){
printf("Usage: tsschecker [OPTIONS]\n\n");
printf(" -h, --help\t\t\tprints usage information\n");
printf(" -d, --device MODEL\t\tspecify device by its model (eg. iPhone10,3)\n");
printf(" -i, --ios VERSION\t\tspecify firmware version (eg. 14.7.1)\n");
printf(" -Z --buildid BUILD\t\tspecify buildid instead of firmware version (eg. 18G82)\n");
printf(" -i, --ios VERSION\t\tspecify firmware version (eg. 15.4.1)\n");
printf(" -Z --buildid BUILD\t\tspecify buildid instead of firmware version (eg. 19E258)\n");
printf(" -B, --boardconfig BOARD \tspecify boardconfig instead of device model (eg. d22ap)\n");
printf(" -o, --ota\t\t\tcheck OTA signing status, instead of normal restore\n");
printf(" -b, --no-baseband\t\tdon't check baseband signing status. Request tickets without baseband\n");
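Review bot: the `-Z --buildid BUILD` help line is missing the comma after `-Z` that every neighbouring line has (`-i, --ios VERSION`, `-B, --boardconfig BOARD`). Since this line is being edited anyway for the new build id example, fix it to `-Z, --buildid BUILD` so the usage output is consistent.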
Expand All @@ -81,14 +82,15 @@ void cmd_help(){
printf(" -e, --ecid ECID\t\tmanually specify ECID to be used for fetching blobs, instead of using random ones\n");
printf(" \t\tECID must be either DEC or HEX eg. 5482657301265 or 0xab46efcbf71\n");
printf(" -g, --generator GEN\t\tmanually specify generator in HEX format 16 in length (eg. 0x1111111111111111)\n\n");
printf(" --apnonce NONCE\t\tmanually specify ApNonce instead of using random ones\n\t\t\t\t(required for saving blobs for A12/S4 and newer devices with generator)\n\n");
printf(" --apnonce NONCE\t\tmanually specify ApNonce instead of using random ones\n\t\t\t\t(required when saving blobs for arm64e devices with matching generator)\n\n");
printf(" --sepnonce NONCE\t\tmanually specify SEP Nonce instead of using random ones (not required for saving blobs)\n");
printf(" --bbsnum SNUM\t\tmanually specify BbSNUM in HEX to save valid BBTickets (not required for saving blobs)\n\n");
printf(" --save-path PATH\t\tspecify output path for saving shsh blobs\n");
printf(" --server-url URL\t\tmanually specify TSS server URL\n");
printf(" --bplist\t\t\tsave fetched blobs in a binary plist (.bshsh2 format)\n");
printf(" --beta\t\t\trequest tickets for a beta instead of normal release (use with -o)\n");
printf(" --list-devices\t\tlist all known devices\n");
printf(" --list-ios\t\tlist all known firmware versions\n");
printf(" --list-devices\t\tlist known devices from firmwares.json\n");
printf(" --list-versions\t\tlist all known firmware versions for the specified device\n");
printf(" --nocache \t\tignore caches and re-download required files\n");
printf(" --print-tss-request\tprint the TSS request that will be sent to Apple\n");
printf(" --print-tss-response\tprint the TSS response that comes from Apple\n");
Expand Down Expand Up @@ -157,6 +159,7 @@ int main(int argc, const char * argv[]) {
dbglog = 1;
idevicerestore_debug = 0;
save_shshblobs = 0;
save_bplist = 0;
int optindex = 0;
int opt = 0;
long flags = 0;
Expand Down Expand Up @@ -250,8 +253,8 @@ int main(int argc, const char * argv[]) {
case 1: // only long option: "list-devices"
flags |= FLAG_LIST_DEVICES;
break;
case 2: // only long option: "list-ios"
flags |= FLAG_LIST_IOS;
case 2: // only long option: "list-versions"
flags |= FLAG_LIST_VERSIONS;
break;
case 3: // only long option: "save-path"
shshSavePath = optarg;
Expand Down Expand Up @@ -284,6 +287,9 @@ int main(int argc, const char * argv[]) {
case 12: // only long option: "server-url"
serverUrl = optarg;
break;
case 13: // only long option: "bplist"
save_bplist = 1;
break;
default:
cmd_help();
return -1;
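Review bot: `case 13` sets only `save_bplist = 1`, and nothing in the visible lines ties it to `save_shshblobs`, which is initialised to 0 separately. If `--bplist` is passed without `-s`, the user asked for blobs to be saved in binary plist form but saving is never switched on. Suggest either setting `save_shshblobs = 1` here as well, or rejecting `--bplist` without `--save` after option parsing with a clear error, and stating the dependency in the help text for `--bplist`.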
Expand Down Expand Up @@ -416,14 +422,14 @@ int main(int argc, const char * argv[]) {
free((char*)versVals.version);
if (--versionCnt == 0) reterror(-9, "[TSSC] automatic firmware selection couldn't find non-beta firmware\n");
}
info("[TSSC] selecting latest version of firmware: %s\n",versVals.version);
info("[TSSC] selecting latest version: %s\n",versVals.version);
if (bpos) *bpos= '\0';
if (versions) free(versions[versionCnt-1]),free(versions);
}

if (flags & FLAG_LIST_DEVICES) {
printListOfDevices(firmwareTokens);
}else if (flags & FLAG_LIST_IOS){
}else if (flags & FLAG_LIST_VERSIONS){
if (!devVals.deviceModel)
reterror(-3,"[TSSC] please specify a device for this option\n\tuse -h for more help\n");

Expand All @@ -440,7 +446,7 @@ int main(int argc, const char * argv[]) {
isSigned = isVersionSignedForDevice(firmwareTokens, &versVals, &devVals, serverUrl);
}

if (isSigned >=0) printf("\n%s %s for device %s %s being signed!\n",(versVals.buildID) ? "Build" : "iOS" ,(versVals.buildID ? versVals.buildID : versVals.version),devVals.deviceModel, (isSigned) ? "IS" : "IS NOT");
if (isSigned >=0) printf("\n%s %s for device %s %s being signed!\n",(versVals.buildID) ? "Build" : "Firmware version" ,(versVals.buildID ? versVals.buildID : versVals.version),devVals.deviceModel, (isSigned) ? "IS" : "is NOT");
else{
putchar('\n');
reterror(-69, "[TSSC] checking tss status failed!\n");
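Review bot: the result `printf` now ends with `(isSigned) ? "IS" : "is NOT"`, so the two outcomes use different casing, and the prefix changes from `"iOS"` to `"Firmware version"`. Anything that parses this line (for example a grep for "IS NOT being signed") will silently stop matching and may treat an unsigned firmware as signed. Suggest keeping the casing identical in both branches, and documenting that automation should rely on the process exit status rather than this human-readable string.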