How To Save iOS SHSH2 Blobs Using BlobSaver

How To Save SHSH2 Blobs For iOS 16.6 Beta 1 Using BlobSaver

With each new iOS version, Apple continues to enhance its operating system, bringing new features and improvements to its user base. However, many iOS enthusiasts like to explore the possibilities of jailbreaking and customizing their devices.

One crucial aspect of this process is saving SHSH2 blobs, also known as SHSH Tickets. These blobs allow users to downgrade to a specific iOS version even after Apple stops signing it, but only in specific circumstances.

In this article, we’ll focus on saving SHSH2 blobs on iOS 16.6 Beta 1, which is a recommended version for jailbreak purposes. For this, we’re going to use the popular tool BlobSaver.

Understanding SHSH2 Blobs on iOS

SHSH2 (Signature HaSH blobs 2) are digital signatures generated by Apple servers when your iOS device connects to them for an update or restore. These signatures are specific to your device’s ECID (Exclusive Chip ID) and a particular iOS version.

What is BlobSaver?

BlobSaver is a well-known open-source utility used by the iOS community to save SHSH2 blobs. This powerful tool provides a user-friendly interface, making the process of saving SHSH2 blobs hassle-free.

With BlobSaver you can also save SHSH2 blobs for A12+ devices. Before we dive into the step-by-step guide, let’s cover some prerequisites.

BlobSaver Prerequisites

  1. A computer running macOS, Windows, or Linux.
  2. The latest version of BlobSaver software, available on GitHub.
  3. An iOS device running iOS 14 or newer.
  4. A USB cable to connect your iOS device to the computer.

How to Save SHSH2 Blobs for iOS 16.6 Beta 1 using BlobSaver

Why was saving iOS 16.6 Beta 1 SHSH2 blobs important?

Saving the blobs for iOS 16.6 Beta 1 was important back when this article was written because the KFD project, which contains two kernel exploits, was released with support for that version.

One of the kernel exploits works from iOS 15.0 all the way up to iOS 16.5 but was patched in iOS 16.5.1. However, iOS 16.6 Beta 1 still has the bug, and it’s currently signed, so it’s possible to go to a version that is vulnerable and can be jailbroken with this bug.

According to the Dopamine jailbreak developer, @opa334, if we get a PPL bypass and we combine it with this new kernel exploit, we can make a jailbreak.

In the meantime, KFD has already been used in the Dopamine 2 jailbreak which is now released and supports iOS 16.0 – 16.6.1.

You can read more about Cryptex1 on iOS here.

Step 1: Downloading BlobSaver

To get started, head to the official BlobSaver repo on GitHub or any other trusted source where you can find the latest version of the software. Download the version suitable for your operating system and architecture.

Note: BlobSaver is available for Windows, macOS (Intel and Apple Chip), and Linux.

Step 2: Installing BlobSaver

After downloading the BlobSaver application, follow the installation instructions for your operating system; the steps vary from one operating system to another. Once installed, launch the application on your computer.

Step 3: Connecting iOS Device

Use the original USB cable to connect your iOS device to the computer. Unlock your device and tap “Trust” if prompted, allowing the computer to access your device.

Your device doesn’t have to be running the iOS version you are saving blobs for. For example, it can run iOS 15.5 while you save the blobs for iOS 16.6 Beta 1 without updating.

Step 4: Identifying ECID

To save SHSH2 blobs for your iOS device, you need to identify its ECID. SHSH2 blobs saved without an ECID, with an incorrect ECID, or with someone else’s ECID are useless for you.

BlobSaver can automatically detect your device’s ECID if you press the READ FROM DEVICE button next to the ECID field.

This has the added benefit that BlobSaver will also automatically detect the iPhone model and variant, which are also needed for the blobs.

Step 5: Saving SHSH2 Blobs

Once BlobSaver has successfully identified your device’s ECID, check the Include Betas option in the iOS section.

If your device is an A12 device or newer, you need to press the next READ FROM DEVICE button on the APNONCE field. For these devices, blobs without an APNONCE are not valid.

Pressing the button will reboot the device into Recovery Mode to get the NONCE. Once it finishes getting the NONCE, the device will reboot back to normal.

Once everything is ready, your BlobSaver interface may look something like this:

BlobSaver Interface ready to save SHSH2 blobs

Now press the big GO button at the bottom of BlobSaver and the process will start. Wait for the process to complete.

Once complete, the interface will look like this:

BlobSaver saved iOS 16.6 Beta 1 Blobs

IMPORTANT: You can only save blobs for iOS versions that Apple is currently signing. Once Apple stops signing an iOS version, it’s no longer possible to save SHSH2 blobs for it. Do it while it’s signed.
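
Steps 4 and 5 say a blob is only useful if it carries your own ECID and, on A12 and newer devices, an APNONCE. The following Python check is an added example, not BlobSaver's code or part of the original guide; it inspects a saved file for both conditions. It assumes the .shsh2 file is a property list whose `ApImg4Ticket` entry holds the DER-encoded ticket, and that the ticket stores `ECID` and `BNCH` (the APNONCE) as a name string followed by the value. The function names and the sample data are constructed for illustration.

```python
import plistlib

def find_prop(der: bytes, fourcc: bytes, value_tag: int):
    """Heuristic scan, not a full DER parser: return the value that follows
    IA5String(fourcc) when it is a DER element of type value_tag, else None."""
    marker = b"\x16\x04" + fourcc
    pos = der.find(marker)
    if pos < 0:
        return None
    pos += len(marker)
    if pos + 2 > len(der) or der[pos] != value_tag:
        return None
    length, pos = der[pos + 1], pos + 2
    if length & 0x80:                      # long-form DER length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    value = der[pos:pos + length]
    return value if len(value) == length else None

def check_blob(shsh2: bytes, expected_ecid: int, needs_apnonce: bool) -> list:
    """Return the problems found; an empty list means the blob fits the device."""
    ticket = plistlib.loads(shsh2).get("ApImg4Ticket")   # assumed key name
    if not isinstance(ticket, bytes):
        return ["no ApImg4Ticket in file"]
    problems = []
    ecid = find_prop(ticket, b"ECID", 0x02)              # INTEGER
    if ecid is None:
        problems.append("ticket carries no ECID")
    elif int.from_bytes(ecid, "big") != expected_ecid:
        problems.append("ticket ECID does not match device")
    if needs_apnonce and not find_prop(ticket, b"BNCH", 0x04):  # OCTET STRING
        problems.append("ticket carries no APNONCE")
    return problems

def make_prop(fourcc: bytes, tag: int, value: bytes) -> bytes:
    """Build one constructed sample property (short-form lengths only)."""
    body = b"\x16\x04" + fourcc + bytes([tag, len(value)]) + value
    return b"\x30" + bytes([len(body)]) + body

# Constructed sample data, not a real ticket: the ECID and nonce are made up.
SAMPLE_ECID = 0x1A2B3C4D5E6F
SAMPLE_BLOB = plistlib.dumps({"ApImg4Ticket":
    make_prop(b"ECID", 0x02, SAMPLE_ECID.to_bytes(6, "big")) +
    make_prop(b"BNCH", 0x04, bytes([0xAB]) * 32)})
NO_NONCE_BLOB = plistlib.dumps({"ApImg4Ticket":
    make_prop(b"ECID", 0x02, SAMPLE_ECID.to_bytes(6, "big"))})

if __name__ == "__main__":
    print(check_blob(SAMPLE_BLOB, SAMPLE_ECID, needs_apnonce=True))
```

To check a real file, pass its bytes (read with `open(path, "rb").read()`) together with the ECID shown in BlobSaver's ECID field.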

Final thoughts

Saving SHSH2 blobs on iOS 16.6 Beta 1 using BlobSaver is a crucial step if you are planning to take advantage of the newly released KFD exploit for iOS 15.0 – 16.5 which still works on 16.6 Beta 1.

BlobSaver simplifies this process of saving the blobs, making it accessible to users of all levels of technical expertise.

By following the steps outlined in this guide, you can confidently save SHSH2 blobs and enjoy the freedom to experiment with your iOS device without fear of losing the opportunity to downgrade to your desired firmware version.


GeoSn0w is an iOS and Jailbreak enthusiast who has been around for quite some time in the community. He developed his own jailbreaks before and is currently maintaining iSecureOS, one of the first iOS Anti-Malware tools for jailbroken devices. He also runs the iDevice Central on YouTube with over 149.000 Subscribers!

With over a decade of iOS jailbreak experience and several jailbreak tools built by him, GeoSn0w knows the jailbreak scene quite well having been part of several releases over the years.

GeoSn0w is also a programmer focused primarily on iOS App Development and Embedded programming. He codes in Swift, Objective-C and C, but also does PHP on the side.
