2025.05.18

iOS update replay attacks — the AP Nonce

The application processor of an iOS device generates a single use number at restore time: the AP Nonce.

As iOS update replay attacks have increased in complexity, so has security on the device. This article briefly delves into the history of how this number is generated, used, and exploited to allow devices to upgrade / restore / downgrade after Apple no longer signs a particular firmware version.

SHSH

What is SHSH?

When an iOS device updates, it will make a request to Apple for a digital signature to personalize the firmware components in the restore. Then, the update will be installed.

An SHSH “blob” signature is the response to this signature request, coming from Apple’s Tatsu signing server (TSS). TSS decides whether to sign a request based on the input parameters or whether to deny it. These blobs can’t be forged since Apple’s signing keys are private.

How is SHSH used?

You can request a signature from Apple by simply making a request to their servers. You will need the following information:

• Board ID of the target device
  • An identifier shared between all the same types of devices. E.G., All iPhone XR’s have the same board identifier, all iPod Touch 5’s have the same board ID.
  • (Why is this important? iOS 12.5.7 is still being signed for the iPhone 6—but not for the iPhone 16 Pro. The specified board ID prevents you from downgrading newer devices to older versions.)
• Chip ID of the target device
  • Chip IDs are shared between devices with the same chip. E.G. iPhone XR and iPhone XS both have the same A12 Bionic chip and thus, chip ID.
• ECID of the target device
  • This is an identifier specific to your device. In a TSS signature, it attempts to prevent you from using signatures for another device. (You can’t use someone else’s iPhone 11 SHSH blobs on your iPhone 11)
• APNonce
  • Explained later. Attempts to ensure that your device is only being updated at the time of the request (that you’re not saving these signing tickets to update to unsigned firmware at a later time).
• UniqueBuildID
  • An identifier that tells Apple what version you are trying to upgrade/downgrade/restore to. Ensures that you don’t use this signature to downgrade to an iOS version other than the one you are requesting SHSH for. TSS will refuse to sign old versions after a certain amount of time.

Saving SHSH blobs

When you save a SHSH “blob”, you are requesting a SHSH signature from Apple and storing it. But how can we use this later in the presence of an AP Nonce? Let’s delve into what exactly an AP Nonce is and how we can manipulate it.

AP Nonce & Generator

What is an AP Nonce?

At restore time, a device generates arbitrary* data to be signed to prevent replay attacks. This is the AP Nonce. An example of an AP Nonce is 3cc4e7b5dce6ffaba306d37879292e4abc721121e833285f698125703e6a4bc3.

Remember, a Tatsu signature / SHSH blob is only valid for this particular set of inputs — board ID, chip ID, etc. including AP Nonce. If the device cancels the restore, the next time it tries to restore, the AP Nonce will be different, and thus will reject the signature.

How is it derived?

An iOS device needs to keep its AP Nonce the same after a reboot: OTA updates from the device need to get the signature and communicate with the Tatsu server before the restore process, as restore mode cannot connect to the internet on its own. Thus, it must retain the same AP Nonce between user mode and restore mode, if temporarily. How is this achieved?

Generator

In a device’s NVRAM, a ‘generator’ (key = com.system.Apple.boot-nonce) can be set. This generator defines what the AP Nonce will be. An example of a generator could be 0x1111111111111111 or 0xb6d96a54d2a8fc37. This NVRAM generator can only be set to a custom value when jailbroken.

To get the AP Nonce from this generator, on ≤A11, we simply hash the generator, and it turns into an AP Nonce. There’s nothing more to it—the AP Nonce is just the generator, but hashed.

Generator → AP Nonce: A10 & A11

On A10 and A11 devices, the process is as follows (using generator 0xb6d96a54d2a8fc37 as an example):

• Reverse the 8 bytes (little to big endian?), turning the generator 0xb6d96a54d2a8fc37 into 0x37fca8d2546ad9b6.
• Hash this with the SHA-384 algorithm and take only the first 32 bytes of output / substring to keep only the first 64 characters.
• This will give us f17a809ef94fcfab8c6d8245a6287c12f172e9edc7170cc5712453509e4f50a7.
• Every single A10 and A11 device will get this exact AP Nonce from this specific generator.

On A9 and lower devices (with AP nonces), the process is as follows:

• Reverse the 8 bytes, turning the generator 0xb6d96a54d2a8fc37 into 0x37fca8d2546ad9b6.
• Hash this with the SHA-1 algorithm.
• This will turn 0x37fca8d2546ad9b6 into a0d0280e91dba467250d54cf43d80db7b7cf7110. Every single A9 and lower device (that uses AP Nonces) will get this exact AP Nonce from this generator.

≤A11 Saving Blobs

To save blobs on A11 or older devices, you do not need a jailbroken device. Why? Because our device-specific info, like the ECID, can be read from a computer. We also know an AP Nonce for any generator by simply hashing it (you can do this with any website online). So when the time comes to set your generator, you already have a blob saved with a nonce that you know the generator for.

Presets

For A10 and A11, you can use 0x1111111111111111 as your generator (that’s 16 “1"s) with the AP Nonce being 27325c8258be46e69d9ee57fa9a8fbc28b873df434e5e702a8b27999551138ae. You can save blobs with this pair as long as your know your ECID.

For A9 and lower, you can use 0x1111111111111111 as your generator with the AP Nonce being 3a88b7c3802f2f0510abc432104a15ebd8bd7154. You can save blobs with this pair as long as your know your ECID.

Nonce Entangling

A12 or later devices introduce nonce entanglement.

If a nonce is entangled, it means that its generator is encrypted together with some device-specific keys, and then hashed to get an AP Nonce. This means that your AP Nonce will be specific to that generator on your device only—nobody else’s. You cannot read these device-specific keys without being jailbroken.

This introduces a bit more complexity — to save valid, reusable blobs, we must have a valid generator–AP Nonce pair for our specific device.

≥A12 Saving Blobs

You can read a device’s current AP Nonce from a computer when it is in recovery mode. Saving blobs with this random AP Nonce with an unknown, randomized generator will be useless. We cannot recreate the state to enable a replay attack.

We could* set a persistent boot-nonce in NVRAM using mobilegestalt (through ideviceinfo or iTunes) by requesting an ApNonce in normal mode. We could then find the generator that creates this AP Nonce by rebooting and requesting BootNonce through mobilegestalt. This has been patched as of iOS 17.0—see my future blog post.

But with a jailbroken device, we can set the generator. This means we can save blobs with any generator → AP Nonce pair, and as long as we remember the generator, we can recreate the AP Nonce and perform a replay attack.

It is also possible to read our device’s specific AES keys (device specific keys) so that we can save blobs with whatever generator whenever we want, even when not jailbroken. (Note: Since you cannot set generator without a jailbreak, you cannot use these blobs until you are able to set the generator again.)

Generator → AP Nonce: ≥A12

On ≥A12 devices, the process is as follows:

• Encrypt this hex 0x568241656551e0cdf56ff84cc11a79ef (a device-wide constant) through the UID Key.
  • This will give you AES Key 0x8A3, which is specific to that device.
• Encrypt the generator using the AES Key 0x8A3, with AES-128 encryption.
  • This will give you an entangled generator.
• Hash the entangled generator, with SHA-384 hashing algorithm and take the first 32 bytes / substring to keep only the first 64 characters.
  • This will give you your AP Nonce.

Sources

• dimentio by 0x7ff
• Cryptic
• iPhone Wiki