Add erase-install parameter and a few updates (#18)

* add erase-install parameter and a few updates
* Update README.md
* Update tsschecker versioning
* Update tss auth client version
* Fix a few misaligned whitespaces
* Nonce Entanglement documentation update.
* remove unneeded bitmasks from -u and -E

Author: DanTheMann15

README.md

@@ -12,25 +12,35 @@ tsschecker is a powerful tool to check TSS signing status on combinations of var
 tsschecker is not only meant to be used to check firmware signing status, but also to explore Apple's TSS servers.<br/>
 By using all of its customization possibilities, you might discover a combination of devices and firmware versions that is getting signed but wasn't getting signed before. 
 
-# About nonces:
-## recommended generators for saving tickets:
-* `0xbd34a880be0b53f3` // default on the Electra, Chimera and Odyssey jailbreak apps.
-* `0x1111111111111111` // default on the unc0ver jailbreak app.
+# About Nonces:
+A [Nonce](https://wikipedia.org/wiki/Cryptographic_nonce) ("Number-used-ONCE") is a randomly generated value that is used to randomize apple's signed hash blobs.
 
-## Nonce Entangling (Apple A12/S4 and newer)
-Newer devices, such as the iPhone XR or the Apple Watch Series 4 (and any device newer) have nonce-entangling.
+it is created by the device with a nonce seed (generator) and then hashes that seed to create the nonce.<br/>On arm64e devices, nonce generation works a bit differently, see "Nonce Entangling" for more details.
 
-this means any boot nonce generated by your device is now also UID derived, and consequently device-specific.<br/>to save usable tickets for a newer device, you need to get the boot nonce that your device actually generates from your generator.
+## Recommended nonce-seeds (Generators) for saving tickets:
+* `0xbd34a880be0b53f3` // default on the [Electra](https://coolstar.org/electra/), [Chimera](https://chimera.coolstar.org/) and [Odyssey](https://theodyssey.dev/) jailbreak apps.
+* `0x1111111111111111` // default on the [unc0ver](https://unc0ver.dev) jailbreak app.
 
-for information on how to get your actual boot nonce, [see this post on r/jailbreak](https://www.reddit.com/r/jailbreak/comments/cssh8f/tutorial_easiest_way_to_save_blobs_on_a12/).
+## Nonce Entangling (arm64e devices)
+arm64e devices such as the iPhone XR, Apple Watch Series 4 and all newer devices have nonce-entangling.
+
+Nonce Entangling further randomizes the boot nonce by encrypting a constant value with the [UID key](https://www.theiphonewiki.com/wiki/UID_key) (using AES-256-CBC)<br/>It is then used to encrypt the "generator" value (using AES-128-CBC) before hashing it to become the boot nonce.
+
+In short, nonce entangling makes the boot nonce unique to that device only.
+
+To save reusable tickets for any arm64e device, you must get the boot nonce that the device creates from your generator,<br/>
+the simpliest way to get a nonce/generator pair is to use airsquared's [blobsaver](https://github.com/airsquared/blobsaver) tool and read them from the device.
+
+For more information, visit The iPhone Wiki:<br/>
+[The iPhone Wiki](https://www.theiphonewiki.com/) ([AES Keys](https://theiphonewiki.com/wiki/AES_Keys), [Nonce](https://theiphonewiki.com/wiki/Nonce))
 
 ## Nonce Collisions:
 
 the Nonce Collision method only works on a few firmwares and devices, and is not reliable and not recommended.<br/>it's a lot better to save a ticket with a generator and use the [checkm8](https://github.com/axi0mx/ipwndfu) bootrom exploit or a nonce setter.
 
 Recovery Nonce Collisions only occur on a few iOS versions, like iOS 9.3.3 and iOS 10.1-10.2 on the iPhone 5s<br/>and is not reliable as once you update, your device will almost-certainly not collide nonces anymore.
 
-DFU Nonce Collisions on the other hand, very commonly occur on any device using A7 and A8 chipsets regardless of iOS version and is MUCH more reliable than using recovery collisions.
+DFU Nonce Collisions on the other hand, very commonly occur on any device using A7 and A8 chipsets regardless of iOS version,<br/> and is MUCH more reliable than using recovery collisions.
 
 # Build
 Install or Compile dependencies
@@ -74,32 +84,33 @@ sudo make install
 # Help  
 Usage: `tsschecker [OPTIONS]`
 
-Example: `tsschecker -d iPhone10,1 -B D20AP -e [ECID] -i 13.4.1 --generator 0x1111111111111111 -s`
-
-| option (short) | option (long)               | description                                                                       |
-|----------------|-----------------------------|-----------------------------------------------------------------------------------|
-| `-h`           | `--help`                    | prints usage information                                                          |        
-| `-d`           | `--device MODEL`            | specify device by its model (eg. `iPhone8,1`)                                     |
-| `-i`           | `--ios VERSION`             | specify firmware version (eg. `13.4.1`)                                                 |
-| `-Z`	          | `--buildid BUILD `	         | specific buildid instead of firmware version (eg. `17E255`)							               |
-| `-B` 	         | `--boardconfig BOARD `	     | specific boardconfig instead of device model (eg. `n71ap`)						             |
-| `-o`           | `--ota`	                    | check OTA signing status, instead of normal restore                               |
-| `-b`           | `--no-baseband`             | don't check baseband signing status. Request tickets without baseband            |
-| `-m`           | `--build-manifest`          | manually specify a BuildManifest (can be used with `-d`)                           | 
-| `-s`           | `--save`		     		           | save fetched shsh blobs (mostly makes sense with -e)                              |
-| `-u`           | `--update-install         ` | request update tickets instead of erase                          |  
-| `-l`	          | `--latest`  				            | use the latest public firmware version instead of manually specifying one<br/>especially useful with `-s` and `-e` for saving signing tickets                                                                                              |
-| `-e`           | `--ecid ECID`	              | manually specify ECID to be used for fetching blobs, instead of using random ones.<br/>ECID must be either DEC or HEX eg. `5482657301265` or `ab46efcbf71`                                                          |
-| `-g`           | `--generator GEN`           | manually specify generator in format 0x%%16llx                                                                                                        |
-| `-8`			        | `--apnonce NONCE`   		      | manually specify ApNonce instead of using random ones<br/>(required for saving blobs for A12/S4 and newer devices with generator) |
-| `-9`			        | `--sepnonce NONCE`          | manually specify SepNonce instead of using random ones (not required for saving signing tickets) 		                                                                                                                                  |
-| `-c`           | `--bbsnum SNUM`             | manually specify BbSNUM in HEX to save valid BBTickets (not required for saving blobs)                                                                                                                                   |
-| `-3`			        | `--save-path PATH`          | specify path for saving shsh blobs 		 											 |
-| `-6`           | `--beta`	                   | request ticket for a beta instead of normal release (use with `-o`)                |
-| `-1`           | `--list-devices`            | list all known devices                                                            |
-| `-2`           | `--list-ios`	               | list all known firmware versions                                                       |
-| `-7`           | `--nocache`       	         | ignore caches and re-download required files                                      |
-| `-4`           | `--print-tss-request`       | print the TSS request that will be sent to Apple                                      |
-| `-5`           | `--print-tss-response`      | print the TSS response that comes from Apple                                  |
-| `-r`           | `--raw`                     | send raw file to Apple's TSS server (useful for debugging)                                 |
-| `-0`           | `--debug`                   | print extra tss info(useful for debugging)                                 |
+Example: `tsschecker -d iPhone10,1 -B D20AP -e 5482657301265 -i 14.7.1 --generator 0x1111111111111111 -s`
+
+| option<br/>(short) | option<br/>(long) | description |
+|-------|-------------------------|--------------------|
+| `-h`  | `--help`                | prints usage information |
+| `-d`  | `--device MODEL`        | specify device by its model (eg. `iPhone10,3`) |
+| `-i`  | `--ios VERSION`         | specify firmware version (eg. `14.7.1`) |
+| `-Z`  | `--buildid BUILD`       | specific buildid instead of firmware version (eg. `18G82`) |
+| `-B`  | `--boardconfig BOARD`   | specific boardconfig instead of device model (eg. `d22ap`) |
+| `-o`  | `--ota`                 | check OTA signing status, instead of normal restore |
+| `-b`  | `--no-baseband`         | don't check baseband signing status. Request tickets without baseband |
+| `-m`  | `--build-manifest`      | manually specify a BuildManifest (can be used with `-d`) |
+| `-s`  | `--save`                | save fetched shsh blobs (mostly makes sense with -e) |
+| `-u`  | `--update-install`      | only request tickets for InstallType=Update |
+| `-E`  | `--erase-install`       | only request tickets for InstallType=Erase |
+| `-l`  | `--latest`              | use the latest public firmware version instead of manually specifying one<br/>especially useful with `-s` and `-e` for saving signing tickets |
+| `-e`  | `--ecid ECID`           | manually specify ECID to be used for fetching blobs, instead of using random ones.<br/>ECID must be either DEC or HEX eg. `5482657301265` or `ab46efcbf71` |
+| `-g`  | `--generator GEN`       | manually specify generator in format 0x%%16llx |
+| `-8`  | `--apnonce NONCE`       | manually specify ApNonce instead of using random ones<br/>(required when saving blobs for arm64e devices with a matching generator) |
+| `-9`  | `--sepnonce NONCE`      | manually specify SepNonce instead of using random ones (not required for saving signing tickets) |
+| `-c`  | `--bbsnum SNUM`         | manually specify BbSNUM in HEX to save valid BBTickets (not required for saving blobs) |
+| `-3`  | `--save-path PATH`      | specify path for saving shsh blobs |
+| `-6`  | `--beta`                | request ticket for a beta instead of normal release (use with `-o`) |
+| `-1`  | `--list-devices`        | list all known devices |
+| `-2`  | `--list-ios`            | list all known firmware versions |
+| `-7`  | `--nocache`             | ignore caches and re-download required files |
+| `-4`  | `--print-tss-request`   | print the TSS request that will be sent to Apple |
+| `-5`  | `--print-tss-response`  | print the TSS response that comes from Apple |
+| `-r`  | `--raw`                 | send raw file to Apple's TSS server (useful for debugging) |
+| `-0`  | `--debug`               | print extra tss info(useful for debugging) |

tsschecker/all.h

@@ -9,10 +9,14 @@
 #ifndef all_h
 #define all_h
 
+#define TSSCHECKER_VERSION_MAJOR "0"
+#define TSSCHECKER_VERSION_PATCH "0"
+
 #ifdef DEBUG // this is for developing with Xcode
-#define TSSCHECKER_VERSION_COUNT "Debug"
-#define TSSCHECKER_VERSION_SHA "Build: " __DATE__ " " __TIME__
+#define TSSCHECKER_BUILD_TYPE "DEBUG"
+#define TSSCHECKER_VERSION_SHA "Build: " __DATE__ " " __TIME__ ""
 #else
+#define TSSCHECKER_BUILD_TYPE "RELEASE"
 #endif
 
 #endif /* all_h */

tsschecker/main.c

@@ -43,23 +43,24 @@ static struct option longopts[] = {
     { "ota",                no_argument,       NULL, 'o' },
     { "save",               no_argument,       NULL, 's' },
     { "latest",             no_argument,       NULL, 'l' },
-    { "update-install",     optional_argument, NULL, 'u' },
+    { "update-install",     no_argument,       NULL, 'u' },
+    { "erase-install",      no_argument,       NULL, 'E' },
     { "boardconfig",        required_argument, NULL, 'B' },
     { "buildid",            required_argument, NULL, 'Z' },
-    { "debug",              no_argument,       NULL,  '0'  },
-    { "list-devices",       no_argument,       NULL,  '1'  },
-    { "list-ios",           no_argument,       NULL,  '2'  },
-    { "save-path",          required_argument, NULL,  '3'  },
-    { "print-tss-request",  no_argument,       NULL,  '4'  },
-    { "print-tss-response", no_argument,       NULL,  '5'  },
-    { "beta",               no_argument,       NULL,  '6'  },
-    { "nocache",            no_argument,       NULL,  '7'  },
-    { "apnonce",            required_argument, NULL,  '8'  },
-    { "sepnonce",           required_argument, NULL,  '9'  },
-    { "raw",                required_argument, NULL, 'r'  },
-    { "bbsnum",             required_argument, NULL, 'c'  },
-    { "server-url",         required_argument, NULL, 'S'  },
-    { "bplist",             no_argument,       NULL, 'p'  },
+    { "debug",              no_argument,       NULL, '0' },
+    { "list-devices",       no_argument,       NULL, '1' },
+    { "list-ios",           no_argument,       NULL, '2' },
+    { "save-path",          required_argument, NULL, '3' },
+    { "print-tss-request",  no_argument,       NULL, '4' },
+    { "print-tss-response", no_argument,       NULL, '5' },
+    { "beta",               no_argument,       NULL, '6' },
+    { "nocache",            no_argument,       NULL, '7' },
+    { "apnonce",            required_argument, NULL, '8' },
+    { "sepnonce",           required_argument, NULL, '9' },
+    { "raw",                required_argument, NULL, 'r' },
+    { "bbsnum",             required_argument, NULL, 'c' },
+    { "server-url",         required_argument, NULL, 'S' },
+    { "bplist",             no_argument,       NULL, 'p' },
     { "generator",          required_argument, NULL, 'g' },
     { NULL, 0, NULL, 0 }
 };
@@ -76,13 +77,14 @@ void cmd_help(){
     printf("  -b, --no-baseband\t\tdon't check baseband signing status. Request tickets without baseband\n");
     printf("  -m, --build-manifest\t\tmanually specify a BuildManifest (can be used with -d)\n");
     printf("  -s, --save\t\t\tsave fetched shsh blobs (mostly makes sense with -e)\n");
-    printf("  -u, --update-install\t\trequest update tickets instead of erase\n");
+    printf("  -u, --update-install\t\tonly request tickets for InstallType=Update\n");
+    printf("  -E, --erase-install\t\tonly request tickets for InstallType=Erase\n");
     printf("  -l, --latest\t\t\tuse the latest public firmware version instead of manually specifying one\n");
     printf("                 \t\tespecially useful with -s and -e for saving shsh blobs\n");
     printf("  -e, --ecid ECID\t\tmanually specify ECID to be used for fetching blobs, instead of using random ones\n");
     printf("                 \t\tECID must be either DEC or HEX eg. 5482657301265 or 0xab46efcbf71\n");
     printf("  -g, --generator GEN\t\tmanually specify generator in HEX format 16 in length (eg. 0x1111111111111111)\n\n");
-    printf("  -8  --apnonce NONCE\t\tmanually specify ApNonce instead of using random ones\n\t\t\t\t(required for saving blobs for A12/S4 and newer devices with generator)\n\n");
+    printf("  -8  --apnonce NONCE\t\tmanually specify ApNonce instead of using random ones\n\t\t\t\t(required when saving blobs for arm64e devices with a matching generator)\n\n");
     printf("  -9  --sepnonce NONCE\t\tmanually specify SEP Nonce instead of using random ones (not required for saving blobs)\n");
     printf("  -c  --bbsnum SNUM\t\tmanually specify BbSNUM in HEX to save valid BBTickets (not required for saving blobs)\n\n");
     printf("  -3  --save-path PATH\t\tspecify output path for saving shsh blobs\n");
@@ -154,7 +156,7 @@ char *parseNonce(const char *nonce, size_t *parsedLen){
 int main(int argc, const char * argv[]) {
     int err = 0;
     int isSigned = 0;
-    printf("tsschecker version: 0."TSSCHECKER_VERSION_COUNT"-"TSSCHECKER_VERSION_SHA"\n");
+    printf("tsschecker version: "TSSCHECKER_VERSION_MAJOR"."TSSCHECKER_VERSION_COUNT"."TSSCHECKER_VERSION_PATCH"-"TSSCHECKER_VERSION_SHA"-"TSSCHECKER_BUILD_TYPE"\n");
     printf("%s\n",fragmentzip_version());
 
     dbglog = 1;
@@ -184,7 +186,7 @@ int main(int argc, const char * argv[]) {
         return -1;
     }
 
-    while ((opt = getopt_long(argc, (char* const *)argv, "hd:i:Z:B:e:g:b:u:m:3:8:9:r:c:S:lso0124567p", longopts, &optindex)) > 0) {
+    while ((opt = getopt_long(argc, (char* const *)argv, "hd:i:Z:B:e:g:b:m:3:8:9:r:c:S:uElso0124567p", longopts, &optindex)) > 0) {
         switch (opt) {
             case 'h': // long option: "help"; can be called as short option
                 cmd_help();
@@ -225,15 +227,17 @@ int main(int argc, const char * argv[]) {
                 if (optarg) versVals.basebandMode = atoi(optarg);
                 else versVals.basebandMode = kBasebandModeWithoutBaseband;
                 break;
-            case 'u': // long option: "update"; can be called as short option
-                if (optarg) {
-                    if ((devVals.installType = atoi(optarg)) > 2 || devVals.installType < 0){
-                        warning("unknown installType %d. Setting installType to default (%d)\n",devVals.installType,devVals.installType = kInstallTypeDefault);
-                    }
-                }else
-                    devVals.installType = kInstallTypeUpdate;
+            case 'u': // long option: "update-install"; can be called as short option
+                devVals.installType = kInstallTypeUpdate;
+                update_install = 1;
                 if (devVals.installType)
-                    printf("[TSSC] manually setting install type = %s\n",devVals.installType == kInstallTypeUpdate ? "Update" : "Erase");
+                    printf("[TSSC] Manually setting install type = Update\n");
+                break;
+            case 'E': // long option: "erase-install"; can be called as short option
+                devVals.installType = kInstallTypeErase;
+                erase_install = 1;
+                if (devVals.installType)
+                    printf("[TSSC] Manually setting install type = Erase\n");
                 break;
             case 'l': // long option: "latest"; can be called as short option
                 flags |= FLAG_LATEST_IOS;

tsschecker/tss.c

@@ -27,7 +27,7 @@
 #include <unistd.h>
 #include <curl/curl.h>
 #include <plist/plist.h>
-#define AUTH_VERSION "850.0.2"
+#define AUTH_VERSION "914.40.5"
 #ifdef WIN32
 #define TSS_CLIENT_VERSION_STRING "libauthinstall_Win-"AUTH_VERSION""
 #else

tsschecker/tsschecker.c

@@ -121,6 +121,8 @@ int print_tss_request = 0;
 int print_tss_response = 0;
 int nocache = 0;
 int save_shshblobs = 0;
+int update_install = 0;
+int erase_install = 0;
 int save_bplist = 0;
 const char *shshSavePath = "."DIRECTORY_DELIMITER_STR;
 
@@ -1206,7 +1208,7 @@ int isManifestBufSignedForDevice(char *buildManifestBuffer, t_devicevals *devVal
     if (isSigned && save_shshblobs){
         if (!devVals->installType){
             plist_t tssreq2 = NULL;
-            info("also requesting APTicket for installType=Update\n");
+            info("[TSSC] Also requesting APTicket for installType=Update\n");
             devVals->installType = kInstallTypeUpdate;
             if (tssrequest(&tssreq2, buildManifestBuffer, devVals, basebandMode)){
                 warning("[TSSR] failed to build tssrequest for alternative installType\n");
@@ -1217,7 +1219,14 @@ int isManifestBufSignedForDevice(char *buildManifestBuffer, t_devicevals *devVal
             if (tssreq2) plist_free(tssreq2);
             devVals->installType = kInstallTypeDefault;
         }
-        {
+        if (update_install) {
+            plist_t tssreq2 = NULL;
+        }
+        else if (erase_install) {
+            plist_t tssreq2 = NULL;
+        }
+        else {
+            info("[TSSC] Also requesting APTicket without a nonce\n");
             plist_t tssreq2 = NULL;
             char *apnonce = devVals->apnonce;
             size_t apnonceLen = devVals->parsedApnonceLen;

tsschecker/tsschecker.h

@@ -24,6 +24,8 @@ extern int dbglog;
 extern int print_tss_response;
 extern int nocache;
 extern int save_shshblobs;
+extern int update_install;
+extern int erase_install;
 extern int save_bplist;
 extern const char *shshSavePath;