This article has multiple issues. Please help improve it or discuss these issues on the talk page.
The topic of this article may not meet Wikipedia's general notability guideline. Please help to establish notability by adding reliable, secondary sources about the topic. If notability cannot be established, the article is likely to be merged, redirected, or deleted., Find sources: "SHSH blob" - news · books · scholar · JSTOR · free images (January 2013)
This article may be unbalanced towards certain viewpoints. Please improve the article by adding information on neglected viewpoints, or discuss the issue on the talk page. (December 2012)
SHSH blob is a jargon term for a small piece of data that is part of Apple's digital signature protocol for iOS restores and updates, designed to control the iOS versions that users can install on their iOS devices (iPhones, iPads, iPod touches, and Apple TVs), generally only allowing the newest iOS version to be installable. Developers interested in iOS jailbreaking have made tools for working around this signature system in order to install jailbreakable older iOS versions that are no longer being signed by Apple.
1 Technical details,
2 Exploits and countermeasures,
3 See also,
The term "SHSH blobs" (also called "ECID SHSH") is a non-Apple official term referring to digital signatures that Apple generates and uses to personalize IPSW (iOS software) files for each device; they are part of Apple's protocol designed to ensure that trusted software is installed on the device. Apple's public name for this process is System Software Personalization.
SHSH blobs are created by a hashing formula that has multiple keys, including the device type, the iOS version being signed, and the device's ECID (a unique identification number embedded in its hardware). When Apple wishes to restrict users' ability to restore their devices to a particular iOS version, Apple can refuse to generate this hash during the restore attempt, and the restore will not be successful (or at least will require bypassing the intended function of the system).
This protocol is part of iPhone 3GS and later devices.
Exploits and countermeasures:
A major contributor to this article appears to have a close connection with its subject. It may require cleanup to comply with Wikipedia's content policies, particularly neutral point of view. Please discuss further on the talk page. (December 2012)
This section may stray from the topic of the article. Please help improve this section or discuss this issue on the talk page. (January 2013)
This section may contain promotional material and other spam. Please remove any content which is not encyclopedic, and any promotional external links in accordance with the external links guideline. (January 2013)
For iOS 3 and 4, SHSH blobs were made of static keys (such as the device type, iOS version, and ECID), which meant that the SHSH blobs for a specific iOS version and device would be the same upon every restore. To subvert that system using a man-in-the-middle attack, server requests the unique SHSH blobs from Apple for the jailbroken device and caches those SHSH blobs on servers, so that if a user changes the hosts file on a computer to redirect the SHSH blobs check to cache instead of Apple's servers, iTunes would be tricked into checking those cached SHSH blobs and allowing the device to be restored to that version.
iOS 5 and later versions of iOS implement an addition to this system, a random number (a cryptographic nonce) in the "APTicket", making that simple replay attack no longer effective. Versions of redsn0w after 0.9.9b9 include a way to bypass the nonce requirement, allowing the SHSH blobs and APTicket to both be replayed by "stitching" them into custom firmware.
First released in 2009 (as TinyTSS and Umbrella), TinyUmbrella is a tool for finding out information about SHSH blobs saved on third party servers, saving SHSH blobs locally, and running a local server to replay SHSH blobs to trick iTunes into restoring older devices to iOS 3 and 4. In June 2011, iH8sn0w released iFaith, a tool that can grab partial SHSH blobs from a device for its currently-installed iOS version (limited to iPhone 4 and older devices). In late 2011, the iPhone Dev Team added comprehensive SHSH blob management features to redsn0w, including the ability to save SHSH blobs with APTickets and stitch them into custom firmware in order to restore a device to iOS 5 or later.
Replaying SHSH blobs for newer devices (iPad 2 and later) is not always possible, because there are no boot ROM (hardware level) exploits available for these devices. As of October 2012, redsn0w includes features for restoring newer devices between different versions of iOS 5, but it cannot downgrade newer devices from iOS 6 to iOS 5.