Skip to content

Instantly share code, notes, and snippets.

@m1stadev
Last active March 8, 2024 18:01
Show Gist options
  • Save m1stadev/5464ea557c2b999cb9324639c777cd09 to your computer and use it in GitHub Desktop.
Save m1stadev/5464ea557c2b999cb9324639c777cd09 to your computer and use it in GitHub Desktop.
Short guide on how to get a generator-apnonce pair for A12+ iOS devices (both jailbroken and non-jailbroken).

What's nonce entanglement?

Beginning with devices using an A12 SoC or higher, Apple introduced nonce entangling.

  • This meant that, when saving SHSH blobs, a nonce generator would generate a different ApNonce for each device.
  • When saving SHSH blobs for an A12+ device, you now must find a generator-ApNonce pair for your device, then use that generator-ApNonce pair when saving SHSH blobs.
  • After you have found a generator-ApNonce pair for your device, you can save it and re-use it whenever you save SHSH blobs again.

Getting a generator-ApNonce pair (jailbroken)

  1. (iOS 14+ only) Install an iOS kernel r/w library.
    • On Taurine, install libkernrw.
    • On unc0ver, install libkrw.
    • This is not required on jailbroken iOS devices running iOS 13 or below.
  2. Install TSS Saver from 1Conan's repo.
  3. Open the TSS Saver app and go to the Generator tab.
  4. Copy your generator and write it down somewhere.
    • This value should begin with 0x, and is 18 characters long.
  5. Copy your ApNonce and write it down somewhere.
    • This value should contain both numbers and letters.
    • On A7-A9(X) devices, this is 40 characters long.
    • On A10(x)+ devices, this is 64 characters long.

Getting a generator-ApNonce pair (non-jailbroken)

This requires a PC.

  1. Download, install, and run blobsaver for your OS.
  2. Connect your iOS device to your PC.
  3. Click on the Read from device button next to the APNonce field.
  4. On the prompt that comes up, click on Unjailbroken.
  5. Your device will reboot into recovery mode multiple times while blobsaver retrieves a generator-ApNonce pair.
    • If your device gets stuck in recovery mode, you can exit recovery mode from the Help->Exit Recovery Mode... menu.
  6. Copy your generator and write it down somewhere.
    • This value should begin with 0x, and is 18 characters long.
  7. Copy your ApNonce and write it down somewhere.
    • This value should contain both numbers and letters.
    • On A7-A9(X) devices, this is 40 characters long.
    • On A10(x)+ devices, this is 64 characters long.
@eggrolls-repu
Copy link

grow a brain pls

@nikitacontreras
Copy link

@eggrolls-repu bruh, whats ur problem

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment