TSSChecker v434 adds Cryptex1 blob saving support!

Saving blobs is crucial for anyone interested in downgrading their devices. It's the key to downgrading iOS to an unsigned version, allowing you to switch between different iOS releases freely.

For years, Apple tried to prevent this downgrade process with new security measures, including a unique seed (generator) and nonce called Cryptex1, which was introduced with iOS 16.

Now, with the latest update, TSSChecker supports saving Cryptex1 blobs. You can use the x8A4 tool to encrypt the cryptex seed. Here's how it works: you'll need to dump the 0x8A4 key to encrypt this seed.

Download TSSChecker: Get the Latest Version

Get the latest version of TSSChecker for Linux and macOS. You can download the tool from our website, which links directly to the official source. TSSChecker was never reelased for Windows PCs. There is also available a debug version for researchers. The new releases add Cryptex1 blob saving support!

What is TSSChecker?

TSSChecker is a tool designed to check the TSS signing status for various combinations of Apple devices and firmware versions. It supports a wide range of devices, including Apple TV, Apple Watch, HomePod, iPad, iPhone, iPod touch, M1 Macs, and the T2 Coprocessor.

With TSSChecker, you can retrieve lists of supported devices along with their corresponding firmwares and OTA (Over-The-Air) versions for any specified Apple device. You can check the signing status of any firmware version by providing either the firmware version or a BuildManifest.

Although it works without specifying device-specific values, it can also save blobs when provided with an ECID and the --print-tss-response option, though there are more specialized tools for this purpose.

Beyond merely checking firmware signing status, TSSChecker is useful for exploring Apple's TSS servers. By fully utilizing its customization options, you might uncover previously unsigned combinations of devices and firmware versions that are now being signed. TSSChecker v434 adds Cryptex1 blob saving support.

Cryptex1 Blobs: Encrypting Protocol by Apple

iOS 16 introduced a new component named Cryptex1, which comes with its own seed (generator) and nonce. This seed is intricately entangled even on devices equipped with A10(X)/A11 chips, utilizing the 0x8A4 key.

To interact with Cryptex1, a jailbreak is necessary to both save and utilize cryptex blobs. You'll need the checkm8 exploit to work with these blobs in the first place. If your device is jailbroken, you can employ the x8A4 tool to encrypt the cryptex seed. The process involves dumping the 0x8A4 key to prepare for encrypting the seed.

How to install TSSChecker on macOS

Step 1. Download TSSChecker from our website and extract the ZIP archive.

Step 2. Open the terminal app and execute the xattr command to run the app.

Step 3. Lounch the tsschecker from coammand line.

How to encrypt the seed and save cryptex blobs

To encrypt the seed, first dump the 0x8A4 key. You can then use the AES Nonce tool to encrypt the seed.

Step 1. Download 0x8A4 tool, and use it to dump the key.

sudo x8A4 -k 0x8A4

Step 2. Download AES Nonce tool to encrypt the seed.

python3 aes_cryptex_nonce.py <Dumped 0x8A4 Key> <Cryptex Seed>

Example

python3 aes_cryptex_nonce.py DF6A9324032C86159F0DE3A1D477B3F2 11111111111111111111111111111111 -> f7cfa05f0207570426e6c96af9a8da73eeb15a17341a1d09244a3ea05b7b5077

Step 3. Then finally you can save valid arm64e blobs using tsschecker.

tsschecker --device iPhone10,3 --boardconfig d22ap --ecid 0x69 -g 0x1111111111111111 -x 0x11111111111111111111111111111111 -t f7cfa05f0207570426e6c96af9a8da73eeb15a17341a1d09244a3ea05b7b5077 -l -E -s

Written by

Kuba Pawlak

Kuba has over 20 years of experience in journalism, focusing on jailbreak since 2012. He has interviewed professionals from various companies. Besides journalism, Kuba specializes in video editing and drone flying. He studied IT at university before his writing career.

Post a comment