Last active Aug 5, 2021
Explaining what nonce collisions are, how they work, and why they should be obtained (alongside how to obtain them)

Nonce Collisions

Nonce collisions are used to save SHSH blobs without necessarily having a jailbreak. They occur when the device generates the same nonce more than once.

Essentially, if Apple signs one of these nonces during a signing window, you can be reasonably sure that your device will eventually generate the same nonce later on, which can be used to save blobs.

How they work

When you're installing an iOS firmware on your device, a random value, or nonce, is generated. This value is sent to Apple alongside the hash of the firmware you're currently installing. If the firmware is being signed by Apple, then these values will be combined and signed as well, and your device will check for these values before proceeding to install the firmware.

However, on some devices, the random nonce generator does not work as intended, causing these devices to sometimes generate one or a few nonces on a regular basis.
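The check described above can be modelled in a few lines to show why a repeating nonce removes the freshness guarantee. This is an added example, not code from the gist or from any of the tools it mentions; the key, firmware hash and nonce pool are constructed, and HMAC stands in for Apple's asymmetric signature.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed values for the model; none of these come from a real device.
# HMAC is a stand-in: a real device verifies a public-key signature instead.
SIGNING_KEY = b"demo-signing-key"
FIRMWARE_HASH = hashlib.sha256(b"demo firmware image").digest()


def sign_ticket(nonce, firmware_hash):
    """Signing server: bind the device's nonce to the firmware hash."""
    return hmac.new(SIGNING_KEY, nonce + firmware_hash, hashlib.sha256).digest()


def device_accepts(current_nonce, firmware_hash, ticket):
    """Device check: the ticket must cover the nonce made for *this* restore."""
    expected = sign_ticket(current_nonce, firmware_hash)
    return hmac.compare_digest(expected, ticket)


def healthy_nonces():
    """Working generator: a fresh 32-byte random value every time."""
    while True:
        yield secrets.token_bytes(32)


def degraded_nonces(pool_size=3):
    """Faulty generator (modelled): only ever emits a small pool of values."""
    pool = [hashlib.sha256(b"pool-%d" % i).digest() for i in range(pool_size)]
    return itertools.cycle(pool)


def replayable_restores(nonce_source, later_restores=20):
    """Save one ticket, then count later restores where it is still accepted."""
    saved_ticket = sign_ticket(next(nonce_source), FIRMWARE_HASH)
    return sum(
        device_accepts(next(nonce_source), FIRMWARE_HASH, saved_ticket)
        for _ in range(later_restores)
    )


if __name__ == "__main__":
    print("healthy generator :", replayable_restores(healthy_nonces()))
    print("degraded generator:", replayable_restores(degraded_nonces()))
```

With a working generator the saved ticket is never accepted again; with the degraded one it is accepted every time the same nonce comes back, which is why the signed response is only as fresh as the nonce source.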

Previously, nonce collisions could be obtained through Recovery Mode; however, that was "patched". You can still obtain nonce collisions through DFU mode, as said method can't be patched by Apple.

Which devices support nonce collisions?

Devices containing an A7/A8/A8X processor are the only devices that are able to obtain nonce collisions. A7/A8/A8X devices consist of:

  • iPhone 5s
  • iPhone 6(+)
  • iPad Air (1st and 2nd generation)
  • iPad mini (1st, 2nd, 3rd, and 4th generation)
  • iPod Touch (6th generation)

How to obtain them (+ Usage)

In order to obtain nonce collisions, you will need to download a few things, such as:

Once you download these files, put them in a folder on your Desktop, named noncecollisions, connect your device to your PC, then:

  1. Put your device in DFU Mode
  2. Open Command Prompt/Terminal (Command Prompt should be opened as an Administrator)
  3. Drag igetnonce from your noncecollisions folder onto your terminal, then hit enter

This should display an APNonce on your terminal. Copy this string, save it in a text file inside your noncecollisions folder, then repeat the same steps around 15-20 times (for more accurate nonce collisions).

Once you have a good amount of APNonces inside your text file:

  1. Drag noncestatistics from your noncecollisions folder, then type -s
  2. Drag your text file containing your gathered APNonces

This should display information about which are the most common APNonces in your text file. Copy the most common APNonce (or most common APNonces), and start saving blobs with said APNonce(s) using TSSSaver.

If you'd like to use your blobs you saved thanks to nonce collisions in order to upgrade, downgrade, or re-restore to an unsigned iOS firmware using Futurerestore, follow this guide.
