iPhone 3G and iPod touch (2nd generation) both used SHSH blobs on iOS 4, but following the re-opening on 10 January 2018, all versions (excluding betas) that they ever ran can now be freely installed. iPhone OS 1.x and 2.x didn't use SHSH blobs either. Newer methods such as Odysseus, Prometheus or iDeviceReRestore are used now because other tools have become outdated and newer versions of iTunes prevents restores to custom versions.Īs noted above, the original iPhone and iPod touch didn't use SHSH blobs. Firmwares can be stitched using iFaith, redsn0w or sn0wbreeze.
![old tinyumbrella version old tinyumbrella version](https://cdn.redmondpie.com/wp-content/uploads/2013/04/SHSH2.png)
Blobs must be stitched into a custom firmware, and restored to in Pwned DFU Mode.īlobs can be saved with tools such as iFaith and TinyUmbrella. Since various exploits, such as the limera1n Exploit, are fixed in the bootrom since version Bootrom 838.3 and because iOS versions 5.0 and above includes a nonce in their SHSH hashes, downgrading newer devices is not as simple. The limera1n Exploit is able to provide a tethered downgrade for vulnerable devices. Notable devices vulnerable to untethered bootrom exploits are the iPhone 3GS and iPod touch (2nd generation). These devices can be restored to a custom IPSW in Pwned DFU Mode for any version that is available to that particular device. However, some devices are vulnerable to untethered bootrom exploits, such as 0x24000 Segment Overflow or alloc8. Versions above iPhone OS 3.0 require the iBEC, iBSS, and LLB to be fully signed with an SHSH for the ECID of that device. IPhone OS 1.x and 2.x do not use SHSH signatures, and can therefore be downgraded to at any time, even on devices that do use SHSH signatures, such as iPhone 3G. Older devices ( iPhone and iPod touch) do not use SHSH signatures, so installation of any firmware on these devices is possible.
![old tinyumbrella version old tinyumbrella version](http://4.bp.blogspot.com/_cRjrkK4GKM0/TUvkja6liPI/AAAAAAAAAb8/KX_fyd23C4s/s1600/iPhone-4-1.59.00.jpg)
SHSH blobs are unique to each device by ECID. 4.3.3), while TinyUmbrella gets SHSHs from Apple's servers (whatever firmwares Apple is currently signing). iFaith dumps the SHSHs from your device's storage (whatever's installed on your device, e.g. This is the case for iFaith, but not for TinyUmbrella. Users often misunderstand this system and think that the SHSH firmware version they back up depends on the firmware version they have installed on their device.
![old tinyumbrella version old tinyumbrella version](https://4.bp.blogspot.com/-fQFoNM1Pn9M/UeUt32-oqsI/AAAAAAAAArk/6Rus7XVgJ9o/s1600/Redsn0w-0.9.9b6.png)
It is not necessary that the device is jailbroken to do the backup. With the tools mentioned below it is possible to backup the signature. Therefore it is recommended to save the signature for your device as long as Apple issues it. But if you have saved signatures for an older iOS version, you may be able to use a replay attack to restore that version. Apple only issues signatures for the currently-available iOS version, which disallows installing older iOS versions. This signature is needed to restore a specific iOS version it is generated by Apple based on hardware keys of the device and the hash of the firmware. SHSH often also refers to backup files with this signature ("SHSH blobs"). SHSH, or "Signed Hash" refers to the signature (currently RSA) on boot images or APTickets that the device bootloader will verify before allowing execution of an image.