Those who have been working with iOS, specifically jailbreaking, for a long time will probably remember the now dead method of downgrade to unsigned firmware version using SHSH blobs. These are essentially files from Apple’s verification server that tell iTunes the iOS version that are for is still being signed and that you can install it. A program called TinyUmbrella was used in order to save these SHSH blobs for use to downgrade in the future.
This method of downgrading hasn’t worked for quite a few years now, but it seems to be making somewhat of a comeback. A new method of backing up the newer SHSH blob files (SHSH2) has now been released. A tool named Prometheus made by iOS developer tihmstar has been released. This tool is able to restore 64-bit iOS devices that are jailbroken, to unsigned iOS versions (provided you have SHSH2 blobs for that version).
The developer of the downgrade tool has released a second tool called tsschecker which allows you to save .shsh2 blob files for your iOS devices. This tool is more complicated to use than traditional methods, but once you know how it works it is relatively easy. There is also another method of saving SHSH blobs which you should also do just to be safe. This tool is called TSSSaver, which is a browser based tool.
Requirements & Notes:
- These tools will only backup SHSH blobs for iOS versions which are still being signed by Apple.
- .shsh2 blob files are unique to each device, meaning you cannot simply use the blobs of another device with your own.
- You do not need to be jailbroken in order to backup .shsh2 blobs.
- You will need the ECID number of your device.
The first thing you will need to backup your .shsh2 blobs is the ECID number of your device. This can be found in one of two ways:
- Plug your device into your computer using a lightning cable.
- Open iTunes on the computer.
- Navigate to the summary page for the device within iTunes.
- Click on the serial number until it changes to ECID.
- To copy the number click the Edit tab in the top tab bar and then click Copy ECID.
Using Cydia (no computer required):
- Open Cydia on your jailbroken iOS device.
- Search for and install UDID Calculator.
- Open the newly installed app and copy the ECID value within.
Method 1 (tsschecker):
- Download the latest version of the tsschecker tool from here. Save the .zip file wherever you want and extract it. Inside the extracted folder you should find several files, including the tsschecker_windows.exe file.
- This file isn’t like a normal .exe file that you just double click to open. This file has to be run with command prompt on a windows computer. To do this open the folder containing the tsschecker_windows.exe file, click the File button in the top left of File Explorer, then click Open in Command Prompt. From here you can execute the tsschecker tool.
- Now that command prompt is opened to the correct directory, you can type the below command to confirm that it is working. If you do not get any errors then everything is working correctly.
- If everything is working correctly you can move on. For the next step you will need both your device’s ECID, and the model number (for example iPhone6,2 for the global iPhone 5s). The model number can be found using the same method as the ECID, instructions for which are above. To see how you need to type the model number in the next step, type the below command into terminal:
- Now that you have all the information you need, you can run the command to save the SHSH2 blobs. In terminal run the command below, making sure to replace the parts in “<>” with your own values*:
tsschecker_windows -d <model> -e <ECID> -i 10.2 -s
- If this works correctly, and the iOS version specified is still be signed by Apple, you should find a .shsh2 file in the same location as the tsschecker_windows.exe file. You should move this file to another folder and backup as many SHSH2 blobs as you can, because each blob has a different APNonce. The more blobs you have, the more likely future downgrades with Prometheus will be successful.
*If you are using an iPhone 7 and get an error message saying iOS 10.2 is not being signed, it either means that Apple has stopped signing iOS 10.2 and a newer version has been released, or you need to specify the devices boardconfig (eg. N71mAP). To find this you can use the BMSSM app from the app store. Simply add
--boardconfig <boardconfig> to the end of the command.
Method 2 (TSSSaver):
- Open your browser of choice and navigate to tsssaver.1conan.com.
- In the ECID box, select either Hex or Dec for the ECID type. If you used iTunes to find the ECID number select Hex, and if you used UDID Calculator select Dec.
- Paste the ECID number you copied for your device into the ECID text box.
- Select your device type and model under the Identifier section.
- Confirm you are not a robot by ticking the I’m not a robot checkbox.
- Click submit, wait a few second, and the page should give you a link to the .shsh2 blobs for your device.
- Click the link and ensure there the folders within contain .shsh2 files. If they do, download them by either clicking the Download ZIP, save to Google Drive, or save to Dropbox options. Keep these files safe as you may need them for future downgrades.