If you are into jailbreaking your iOS devices such as iPhone, iPad, Apple TV and iPod touch, you are often asked to save the SHSH blob or SHSH2 blob (on iOS 10 onwards) of the iOS devices for the purpose of allowing future downgrading of iOS software. This is because once Apple stops signing and issuing signatures for old iOS firmware, which effectively disallows installation of older iOS versions except the most current iOS version.
SHSH blob is a 1024-bit (0x80 bytes) RSA signature that is part of Apple’s digital signature protocol for iOS restores and updates, designed to control the iOS versions that can be installed on iOS devices such as iPhones, iPads, iPod touches, and Apple TVs. SHSH blob is generated by Apple based on hardware keys of the device and the hash of the firmware. While Apple not issues digital signature for old iOS firmware software, but if you have saved the signature for the old iOS version, you may be able to use a replay attack to restore that officially unsigned version.
Thus, many jailbreakers save the SHSH blob and/or SHSH2 blob for iOS versions that have jailbreak tools available, allowing them to downgrade (or upgrade) to jailbreak-friendly iOS software in future.
This tutorial shows you how to save and backup the SHSH2 blob of iOS device, including iPhone, iPad, iPod touch and Apple TV.
- Only SHSH blobs for iOS versions which are still being signed by Apple can be exported and saved.
- .shsh2 blob files are unique for each iOS device so you cannot copy SHSH blob of another device as your own.
- No jailbreak is required in order to backup and save SHSH blob.
- It’s not necessary to have a particular iOS version installed on the iOS device in order to save the SHSH blob for the firmware provided the target firmware is still signed by Apple. For example, you can save SHSH blob of iOS 10.3.1 while device is running iOS 10.3.2 as long as iOS 10.3.1 is still being signed by Apple.
- Saving the SHSH2 blobs does not guarantee the ability to downgrade or reinstall to unsigned iOS version, especially on currently non-jailbroken iOS device. The success very much depends on the availability of community restore utilities, which may or may not be available.
- What’s the differences between SHSH blobs and SHSH2 blobs? Basically, SHSH blobs are APTickets without APNonce while SHSH2 blobs are APTickets with APNounce. APTicket is just a random number (a cryptographic nonce)that is corresponding to the SHSH or SHSH2 blobs. Unless more discovery is found, from iOS 10 and newer, SHSH2 blobs is required for restore, as the tool, Prometheus (Future Restore) requires Generator in SHSH2 blobs. iOS 9 can continue to rely on iDeviceReRestore that requires SHSH blobs.
Get the ECID of iPhone, iPad, Apple TV and iPod touch
- Connect the device to the computer.
- Run iTunes on the computer.
- Navigate to the Summary tab for the iOS device in iTunes.
- Click on the serial number until it changes to show the ECID.
- Right click on the ECID number and select Copy, or hit the Edit in the menu bar, and then select Copy ECID.
Get the Model Identifier of iPhone, iPad, Apple TV and iPod touch
Depending on the tool you used to save SHSH blob, you may not need to know the model identifier (where you just need to know the model of iOS device – the same model of iOS device has the same model identifier).
To know the model identifier of iOS device, repeat steps above for ECID, but keep clicking until the Model Identifier is shown.
Get the Board Configuration / Internal Name / Internal Model of iPhone, iPad, Apple TV and iPod touch
Note: This step is required only for iPhone 6S, iPhone 6S Plus and iPhone SE
- Download and install Battery Memory System Status Monitor (BMSSM) from the App Store onto the device that you want to save the SHSH2 blob.
- Open the BMSSM.
- Tap on the System tab.
- Record the value for Model under the “System”.
Save SHSH2 Blobs With Online TSS Saver
TSS Saver is a online SHSH2 Blobs Saver based on tsschecker developed by Tihmstar., a tool to check TSS signing status of various devices and firmware.
- Visit the following URL:
- Enter the ECID (Hex format by default if copied from iTunes, Dec format if you used UDID Calculator), Identifier (the iOS device model), and optionally Internal Name/Model | Board Configuration (only for iPhone 6S, iPhone 6S Plus and iPhone SE).
- Confirm that you are not a robot by ticking the I’m not a robot checkbox and complete the verification required.
- Click or tap on Submit button.
- Wait for a few seconds, and the website will redirect you to a page with message “Done saving ECID!”, and a link to download and save the .shsh2 blob files of the device.NoteThe .shsh2 blobs of all supported iOS firmware version (currently still signed by Apple) are automatically generated and made available for download and backup.
- Following the links to download the saved .shsh2 blobs.If you lose your download link, just visit the website again using the following URL:
https://tsssaver.1conan.com/shsh/<ECID in DECIMAL>
Where <ECID in DECIMAL> is the ECID number in decimal format. If you’re getting the ECID number from iTunes, it’s in HEX format, and you must convert it to decimal format.
Alternatively, enter your ECID number under the “Lost your link?” section.
TSS Saver will also automatically save the .shsh2 blob for any new iOS version Apple releases in the future, saving you all the hassle to re-entering all the details.