How to save iOS 16 SHSH2 Blobs for Downgrades Without Updating

Why do I need to save my iOS SHSH2 blobs?

Saving your iOS SHSH2 and SHSH blobs has been a practice ever since Apple started signing the iOS firmware components.

In the beginning, users could install any firmware version freely on their device and the updates were not signed by Apple in any way. Once Apple started signing the IPSW files, they could control how long each iOS version stays available.

Once Apple stops signing a specific iOS version, you will not be able to install it on your device unless you’ve saved your SHSH2 blobs/tickets while the iOS version was still signed by Apple.




Any downgrade or upgrade to an unsigned iOS version will require, aside from SEP and Baseband compatibility, pre-saved SHSH2 blobs.

Can I save iOS SHSH2 blobs without updating my device?

Yes, it is possible to save the SHSH2 blobs even without updating to the version you’re trying to save your blobs for.

So this way, your device can be on iOS 16.0 (for example), while you save the blobs for iOS 16.0.2 without having to update it.

Saving the blobs is easy and only takes a few seconds once you have the right program and the phone connected to the computer.

What are SHSH2 blobs?

These are small files containing a lot of Base64-encoded data personalized for your device. This is essentially the response your device gets from Apple’s Signing Server (TSS) when you try to install a signed iOS version.

It’s the authorization the Apple server gives to your phone to install that version of iOS. Once Apple stops signing that iOS version, the TSS server ceases to give those authorizations, and your device errors out when it tries to install the firmware.

Saving the SHSH2 blobs is like saving that authorization response and replaying it later to the device. The device doesn’t care where the authorization comes from; it just checks that it is indeed digitally signed by Apple and that it matches the device.




SHSH2 blobs are generated by the TSS server for your device (personalized) so you cannot use my SHSH2 blobs or somebody else’s. While the blob would be signed by Apple, the data inside of it contains the Unique IDs of a different device so it wouldn’t work, hence why you always need to save yours.

The NONCE Generator inside the SHSH2 blobs

Inside the SHSH2 blob file, there’s also a field called generator which is usually a hexadecimal value like 0x1111111111111111 and it is pretty important.

When the device reboots, if there isn’t a static generator set in the NVRAM, the device will generate a random APNonce. Normally that’s OK because the TSS server takes that NONCE and generates a blob for it (if the iOS version is signed).

When using SHSH2 blobs to downgrade/upgrade, you cannot generate blobs for random NONCEs. Your saved SHSH2 blob already has one specific NONCE embedded inside of it and your device must have the generator correctly set, otherwise, the NONCE will not match and the blob would be deemed invalid.

To fix this, Blob Savers set an arbitrary generator like 0x1111111111111111 which is used to save the blob, and you set the same generator in the NVRAM of the phone when you try to downgrade with the blob. This way, the device will always generate the same NONCE that is inside the saved blob so everything will match.
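The generator match described above can be checked on a saved blob before relying on it. The following is an added example, not code from Blob Saver or from the original post. It assumes the blob is a property list with a `generator` string and the signed ticket under an `ApImg4Ticket` key, and the sample blob is constructed inline. It does not verify Apple's signature, only the file's structure and the generator.

```python
import plistlib
import re

GENERATOR_RE = re.compile(r"0x[0-9a-fA-F]{1,16}")

# Constructed placeholder ticket: a DER SEQUENCE holding only the "IM4M" tag.
# A real ticket is far longer and carries Apple's signature.
_FAKE_TICKET = b"\x30\x09\x16\x04IM4M\x02\x01\x00"

# Constructed sample blob, built inline so the example runs offline.
SAMPLE_BLOB = plistlib.dumps(
    {"generator": "0x1111111111111111", "ApImg4Ticket": _FAKE_TICKET}
)


def looks_like_im4m(ticket: bytes) -> bool:
    """Cheap structural check: DER SEQUENCE whose first element is 'IM4M'."""
    return ticket[:1] == b"\x30" and b"\x16\x04IM4M" in ticket[:16]


def check_blob(raw: bytes, nvram_generator: str) -> list:
    """Return a list of problems; an empty list means every check passed."""
    try:
        blob = plistlib.loads(raw)
    except Exception as exc:
        return [f"not a valid plist: {exc!r}"]
    if not isinstance(blob, dict):
        return ["top-level plist object is not a dictionary"]
    if not GENERATOR_RE.fullmatch(nvram_generator):
        return ["device generator is not a 64-bit hex value"]

    problems = []
    gen = blob.get("generator")
    if not isinstance(gen, str) or not GENERATOR_RE.fullmatch(gen):
        problems.append("blob has no valid generator field")
    elif int(gen, 16) != int(nvram_generator, 16):
        # Different generator -> different NONCE -> the ticket will not match.
        problems.append(f"generator mismatch: blob {gen}, device {nvram_generator}")
    ticket = blob.get("ApImg4Ticket")
    if not isinstance(ticket, bytes) or not looks_like_im4m(ticket):
        problems.append("ApImg4Ticket missing or not an IM4M manifest")
    return problems


if __name__ == "__main__":
    print(check_blob(SAMPLE_BLOB, "0x1111111111111111"))  # matching generator
    print(check_blob(SAMPLE_BLOB, "0x2222222222222222"))  # mismatched generator
```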

How to save iOS 16 SHSH2 Blobs for Downgrades Without Updating

It’s a very simple process. Follow the steps below and you will have your blobs saved in no time.

  1. Download Blob Saver by @airsquared (Free and Open Source): WINDOWS / macOS / Linux
  2. Unlock and connect your iPhone to the computer using the USB cable.
  3. Near the ECID field, press the “Read from device” button which should automatically populate the unique ECID number and the correct device model.

If your device is an iPhone X / 8 / 8 Plus or OLDER (<=A11), press the “GO” button at the bottom. Your blobs will be saved and that’s it.

If your device is an iPhone XS, XR, XS Max, or NEWER (A12+), check the “Specify APNonce” checkbox and press the “Read from device” button next to the APNonce field. Your phone will reboot.

Once the APNonce field is properly populated, press the “GO” button at the bottom. Your blobs will be saved for all signed iOS versions and that’s it.

Do not attempt to save iPhone XS / XR and newer blobs without a valid APNonce from the device. Those blobs won’t be valid.

That’s all folks!


By GeoSn0w

An iOS and Jailbreak enthusiast who has been around for quite some time in the community. I've developed my own jailbreaks before and I am currently maintaining iSecureOS, one of the first iOS Anti-Malware tools for jailbroken devices. I also run iDevice Central on YouTube with over 142.000 Subscribers! Thank you for being part of this awesome community.
