This page has been robot translated, sorry for typos if any. Original content here.

Save the SHSH certificate (ECID SHSH, SHSH blobs) [updated 01/08/2014]

Сохранить SHSH сертификат (ECID SHSH, SHSH blobs)

What is SHSH and why save it?

SHSH certificate (ECID SHSH, SHSH blobs) is a digital signature unique to every iDevice that a firmware file is signed before it is poured into the device. SHSH issues a special Apple server ( ) in response to the identifier of the firmware to be sent to iTunes . The signing system debuted in the summer of 2009, along with the release of the iPhone 3GS. Beginning with firmware 3.1.1, the signing system was extended to iPod touch 2G and 3G, and since the release of iOS 4.0 SHSH, the iPhone 3G has also been subscribed. For iPhone 2G, iPod touch 1G and Apple TV 1G SHSH are not used, therefore these devices can always be flashed on any available version of iOS . Б.

The principle of operation of this restriction is simple. When attempting to downgrade (downgrade the firmware), iTunes communicates with the Apple server and sends some data to your device, including the unique identifier of its chip. The SHSH certificate required for the boot module (iBoot) comes in response. If this does not happen, iTunes will issue an error and interrupt the restore process. If you have saved a certificate for the firmware to which you want to restore, you can always do this bypassing the Apple server.

If you upgrade the firmware of one of these devices, you will not be able to install the older firmware back, as SHSH differs for each new firmware . Saving the SHSH- certificate is necessary first of all so that you always have the opportunity to install an older firmware.

Using SHSH on iOS 5

Until the release of iOS 5.0 in the fall of 2011, the availability of SHSH provided a guaranteed opportunity to roll back any gadget to any old version of iOS. But then Apple significantly modified the firmware signature system. But if before iTunes sent only the device ID and the firmware version to the Apple server, now the iOS device generates a random number before the firmware, which also participates in the creation of SHSH. This new type is called APTicket .

Impact of APTicket

The consequences were very serious. Previously, SHSH had no expiration date and could be used an unlimited number of times. Starting with iOS 5.0, any SHSH is only valid once. At the next reboot, the iOS gadget generates a new random number, and the old SHSH does not work for it anymore. Decipher APTicket is almost impossible - for this it is necessary to crack the security key of Apple, and you can do this only by brute force.

According to the idea of ​​Apple programmers, APTicket will make it impossible to restore any Apple devices to non-signed firmware. However, it is not.

Fighting the APTicket test

As it turned out, the APTicket check can also be bypassed, but only on devices with Apple A4 processors and weaker on the iPhone 3G, iPhone 3GS, iPhone 4, iPod touch 3G, iPod touch 4G, iPad 1G and Apple TV 2G. During the firmware of these devices, you can turn off random number generation and force iTunes to accept the old SHSH from the same device.

In addition, in all iOS 5.x firmware, a vulnerability has been discovered that opens up additional opportunities for firmware rollback even on new Apple devices. iPad 2, iPad 3 and iPhone 4S can be stitched to any version of iOS 5.x from any other version of iOS 5.x, subject to the following two conditions:

  • You must have SHSH from the version of iOS you are booting to, and the version of iOS you are booting to
  • The firmware that you installed now should not be installed through an air update. If you were updated or restored to it via iTunes, then everything is fine

Is it possible to roll back from iOS 6?

  • iPhone 3GS, iPhone 4, iPod touch 4G and Apple TV 2G can be rolled back with iOS 6 (for Apple TV this software 5.1) on any old version of iOS provided that you have SHSH from this old version
  • iPad 2 can be rolled back with iOS 6 on iOS 4.3.x , provided that there is SHSH from the fourth firmware
  • iPad 2 can be rolled back from iOS 6 to iOS 5.x if you have SHSH from any iOS 4.3.x firmware and the 5.x firmware to which you want to roll
  • iPhone 4S and iPad 3 can not be rolled back with iOS 6, even with all SHSH . For these gadgets, firmware rollback is possible only within iOS 5.x
  • iPhone 5, iPod touch 5G, iPad mini and iPad 4 can not be rolled back with iOS 6 , because iOS 5.x firmware was not released for these devices

Using SHSH on iOS 6

If you saved the SHSH-certificates for the operating system iOS 6.0 - iOS 6.1.2 in Cydia, then to roll back the firmware to the previous version, we hasten to disappoint you, but the saved data is completely unsuitable for use.

"Now if you have a hacked device running iOS 6.0 - iOS 6.1.2, you can no longer do downgrade," Saurik said on his web page. All SHSH-certificates of the latest version of iOS, which were stored in Cydia, became useless. Jay Freeman (also Saurik) also gives some background information on how SHSH certificates work and what features and new limitations of digital certificates SHSH blobs and APTickets have appeared.

The following information is important for each jailbreak user. If you own a relatively newer device, SHSH-certificates iOS 6 are completely useless. If before the release of iOS 5.0 saved SHSH-certificates guaranteed the rollback of the gadget to any previous version of iOS, now this is impossible, since Apple has significantly changed the entire system of signing firmware. To roll back to iOS 6.1.2 or iOS 6.0 from iOS 6.1.3 and higher for devices running on A5 / A5X / A6 / A6X processors is impossible.

If earlier, in order to make downdown, it was enough to save SHSH-certificates, but now before each firmware your device generates random numbers, which later take part in the creation of certificates. This type of hash is APTicket , a digital signature.

It was this digital signature that was introduced into the updated operating system iOS 6.1.3. Now users will not be able to use SHSH-certificates iOS 6 to lower or update the firmware. The user will not even be able to use them to restore the current version of iOS on their device.

Saurik cites the following data: about 25.8% of jailbreakers suffered from this. On the remaining 74.2% of the "users" iPhone (3GS, 4), iPod touch (4G) this does not affect. But, if iOS 6 SHSH certificates have been downloaded locally using tools such as TinyUmbrella, redsn0w or iFaith, the rollback from iOS 6.1.3 will be done for iPhone devices (3GS, 4), iPod touch (4G).

Сайт surik(а)

How to save SHSH and how to use it?

The first way to save SHSH is to click on the " Make my life easier " button in Cydia. (If it's not there, you've already pressed it, and now all the necessary hashes are automatically saved). After clicking this button, the SHSH- certificate for your device will be saved on the Saurik server, at the top, in the main Cydia window , saved certificates for your device are written :


The drawback of this method is that you can not install Cydia without making a jailbreak . Therefore - you can not save SHSH immediately after installing the new firmware. And it's better to save SHSH at once, because after the release of the next firmware version, you can not save SHSH for the current version .

The program TinyUmbrella does not have such a drawback. The advantage of this solution is also that TinyUmbrella can store SHSH not only on the Saurik server, but also on your computer.

To whom and on what firmwares do I need to store certificates?

Owners of iPhone (3GS, 4, 4S, 5, 5C, 5S), iPod touch (4G, 5G), iPad (2, 3, 4, Air), iPad mini (1, 2) -> for all firmware.

You can save SHSH only for the latest current firmware available on the Apple server!

At the moment it's> iOS 7.1.1, iOS 7.1.2!

For safety, send certificates to your e-mail!

С помощью TinyUmbrella (не актуально для устройств с процессором A7)

Using TinyUmbrella (not relevant for devices with an A7 processor)

Kind of program TinyUmbrella

  • Device Model - the model of the device, is necessary for determining bootrom in iPod Touch 2G players, as well as for determining the country for which the device is manufactured and as a result - it is blocked or is a non-key (if it is attached to another operator)
  • Installed Frimeware Version - The current firmware on the device, determines the ability of the jail.
  • ECID - is now specified in both the decimal and hexadecimal system, if there is an error or a device is not on hand - you can enter it manually to find out your ECID without Umbrella you need to use the usbview utility for Windows, once you connect your device to Recovery Mode and select the USB port, ECID will appear in the list of device information on this port. But as a rule Umbrella correctly defines ECID and there is no need for it.
  • Serial Number - serial number, determines the bootrom version and as a consequence the method used to install custom firmwares.
  • IMEI - IMEI he is in Africa IMEI. The individual identifier used by the ops to indicate the device in the network state.
  • Saved SHSH - SHSH stored locally, i.e. on the hard disk of this computer, and therefore those that you can use to restore the firmware using TSS Server'a.

Сайт surik(а) TinyUmbrella , requires Java

We save the certificate.

Start TinyUmbrella, then in the upper left corner of the program Show All SHSHs -> Connected Devices select our device and press Save SHSH

Be sure to clear the checkbox with Advanced -> "Request SHSH From Cydia" before saving the certificate. Instructions

By default, stored certificates are stored:

  • Windows XP - From: \ Documents and Settings \ UserName \ .shsh
  • Windows Vista / 7/8 - C: \ Users \ UserName \ .shsh
  • Mac OS X - ~ / .shsh

After finishing work with TinyUmbrella, it is necessary to return the "native" parameters of hosts

  • Windows - C: \ Windows \ System32 \ drivers \ etc \ hosts
  • MAC - / private / etc / hosts or / etc / hosts (Open the hosts file with a text editor and delete the line -> "")

For safety, send the certificate to your e-mail.

With attention to the version of TinyUmbrella. As a rule, the name of the program (TinyUmbrella-7.11.00) contains figures specific to the latest version of iOS (7.1.1) at the time of the program's release, which means that version 7.11.00 will not be able to save certificates from newer iOS firmware (7.1. 2), since the author of the program did not update it to work with new versions of iOS. Be careful!

Download TinyUmbrella 7.12.00 [WIN] TinyUmbrella 7.12.00 [WIN] TinyUmbrella 7.12.00 [WIN] Virus Free by KAV
Download TinyUmbrella 7.12.00 [OSX] TinyUmbrella 7.12.00 [OSX] TinyUmbrella 7.12.00 [OSX] Virus Free by KAV
Download TinyUmbrella 5.00.11 [WIN] TinyUmbrella 5.00.11 [WIN] TinyUmbrella 5.00.11 [WIN] Virus Free by KAV
Download TinyUmbrella 5.00.11 [OSX] TinyUmbrella 5.00.11 [OSX] TinyUmbrella 5.00.11 [OSX] Virus Free by KAV
Download TinyUmbrella 4.33.00 [WIN] TinyUmbrella 4.33.00 [WIN] TinyUmbrella 4.33.00 [WIN] Virus Free by KAV

С помощью iFaith (не актуально для устройств с процессором A7)

Using iFaith (not relevant for devices with an A7 processor)

iFaith allows you to save certificates (SHSH) from the version of iOS that is installed on your device, regardless of its relevance, as well as save the latest, relevant.

Download the certificates from the Cydia server and save the new ones.

-> Actual for all iDevice

Launch iFaith -> Show Available SHSH Caches on Server , iFaith recognizes our device and prompts you to select the desired action:

  1. 1. To save certificates for the latest, current firmware, select -> Fetch the latest SHSH blobs Apple is actively signing .
  2. 2. If you have certificates that need to be sent to the Cydia server, select -> Submit SHSH blobs to Cydia for this device .
  3. 3. To save certificates from the Cydia server, select -> Show list of available SHSH blobs on TSS server (s) . iFaith will show the available certificates on the Cydia server, which you can unload -> Downloads all available blobs , then save them to the specified location and verify. Instructions

We extract the certificate.

-> Actual for iPhone (3GS, 4), iPod touch (4G)

Launch iFaith -> Dump SHSH Blobs , enter the device in DFU mode, wait for the end of the process and get a certificate from the installed firmware. Instructions

For safety, send the certificate to your e-mail.

We sign the firmware.

-> Actual for iPhone (3GS, 4), iPod touch (4G)

Launch iFaith -> Build * signed * IPSW w / Blobs -> Browse for SHSH blobs and specify the path to * .ifaith, * .shsh, * .plist file (previously saved certificate), then iFaith will determine for which device which version of iOS belongs certificate and offer to specify the firmware -> Browse for an IPSW or download firmware -> Download it for me . iFaith will check the certificate and firmware.

After a successful check, iFaith will offer to create a signed firmware -> Build IPSW . We are waiting for iFaith to sign the firmware. After creating the firmware, iFaith will prompt you to enter the device into DFU mode, then launch iTunes ( you need a version no later than 11.0.0 ), hold SHIFT (ALT on Mac OS) + "Restore" and specify the signed firmware ( B5CD_iFaith_iPhone_4-4.3.3_ (8J2) _signed .ipsw ). We are waiting for the end of the firmware, we are happy. Instructions .

С помощью redsn0w (на данный момент не актуально)

Using redsn0w (currently not relevant)

redsn0w redsn0w .

We save the certificate.

Run the redsn0w -> Extras -> SHSH blobs -> New , the instruction (It will be necessary to specify the firmware! If updated via iTunes, there is no need to download again -> Where iTunes firmware is stored) .

Redsn0w saves the certificate to the address -> C: \ Users \ UserName \ AppData \ Roaming \ redsn0w \ shsh -> it is advisable to send it to the mail for safekeeping.

С помощью iSHSHit (на данный момент не актуально)

Using iSHSHit (currently not relevant)

-> Actual for devices with Jailbreak

iSHSHit allows you to store certificates (SHSH) directly from your device. This program automatically sends your certificates to the Cydia server, and can also send saved certificates (SHSH) via email. Download and install iSHSHit via Cydia in the BigBoss repository for free.

We save the certificate.

Run iSHSHit -> Firmware select All Versions, click Save . After saving the certificates -> Manage SHSH , click Send All and send it to your e-mail.

С помощью 25PP (не актуально для устройств с процессором A7)

Using 25PP (not relevant for devices with an A7 processor)

25PP 25PP .

We save the certificate.

Running 25PP -> pic , then click on the umbrella -> pic , select our device and click -> pic , wait for the end of the process and you will see a list of saved certificates, click -> pic a folder with the saved certificates will open. Instructions .

For safety, send the certificate to your e-mail.

С помощью W|NbR3LL@<

With the help of W | NbR3LL @

W|NbR3LL@, W | NbR3LL @,, requires .Net Framwork 4.0

We save the certificate.

Run W | NbR3LL @ -> Check Blobs , the program will check the availability of previously saved certificates and show the possibility of saving the certificate from the latest, current firmware -> Latest iOS - Apple , then select the latest version of iOS and click -> Download from Apple , the certificate will be saved in Applebobs folder with the program. Instructions .

For safety, send the certificate to your e-mail.


Rollback for devices iPhone (4S, 5, 5C, 5S), iPod touch (5G), iPad (2, 3, 4, Air), iPad mini (1, 2) -> is impossible, even if there are SHSH certificates.

Rollback for these devices is not possible from 7.x to 7.x, 7.x to 6.x, 6.x to 6.x, 6.x to 5.x, etc., rollback to either side is not possible.!

Rollback is available only for iPhone (3GS, 4) and iPod touch 4G with SHSH certificates.

Question: I have an iPhone (4S, 5, 5C, 5S), iPod touch (5G), iPad (2, 3, 4, Air), iPad mini (1, 2). With iOS firmware (5.1.1, 6.0, 6.0.1, 6.0.2, 6.1, 6.1.1, 6.1.2, 6.1.3, 7.1). All SHSH are saved !. Will I be able to roll back to iOS (6.0, 6.0.1, 6.0.2, 6.1, 6.1.1, 6.1.2, 6.1.3, 7.0.6)?
Answer: You can not! A tool to do this is not!

Verify iOS 6 certificate

Launch iFaith -> Build * signed * IPSW w / Blobs -> Browse for SHSH blobs and specify the path to * .ifaith, * .shsh, * .plist file (previously saved certificate) and see what the program says.

Certificate of employment

Сертификат рабочий

Certificate of non-working

Сертификат нерабочий

Advanced settings:

  • Save ALL Avialable SHSH - Save all available SHSH in one click.

  • Set Hosts on Cydia on Exit - Leave the forwarding settings in the Hosts file on the Cydia server after logging out. Quite conveniently, if you have SHSH then when TinyUmbrella is off, you can still recover using the Cydia server instead of the local TSS.

  • Request SHSH from Cydia - to remove requests to the server Cydia, if ticked off - TinyUmbrella, will contact Apple.

  • Overwrite SHSH on "Save SHSH" - overwrite SHSH with each request.

  • When connecting device, prefer my custom name ... - display the name of the device as it is set in iTunes.
Downgrade firmware with saved SHSH:
First, consider the case where the required SHSHs are stored via TinyUmbrella on your computer :
  • Put your device into recovery mode (To enter recovery mode, simultaneously hold down the Home and Power buttons and hold them until the iTunes icon and USB cable appear on the screen). Connect it to the computer. Make sure that iTunes is not running . Run TinyUmbrella .
  • Click the " Start TSS Server " button and enter the system administrator password to start the local TSS server. The program itself will change the hosts file, you do not need to do this. The button will look like this:

    The " Servers " tab displays the server log - you can view it in case of errors.

  • After that, launch iTunes and roll back with Shift + Restore (Windows) or Alt + Restore (Mac OS X) by selecting the firmware (you can install any firmware for which you have saved the SHSH- certificate).

    At the end of the flashing you will get error 1015 , you need to read it to read it: read here

    • Disconnect the phone from the computer.
    • Close iTunes .
    • Connect the phone to the computer.
    • Run TinyUmbrella and press the " Exit Recovery " button (the emergency call mode will be available in the phone).
    • Then launch iTunes and the phone is activated.

    - If this did not work, try resetting it (using the Home + Power buttons until the device reboots).
    - Or use the program iReb-r4 by clicking on the " Fix Recovery Mode Loop " (only for iPhone 2G, iPhone 3G, and iPod Touch 1G / 2G [MB]).

Attention! Umbrella does not create SHSH packages , but only downloads them. This means that it is useless to choose the firmware for which you did not have time or could not save SHSH . If you want to get SHSH from the server of Sidia, then choose only the firmware that Sidia saved (you can check it in Cydia itself), if you want to get SHSH from Apple, then choose only the last stable firmware. The others will not give you anyway.
If TinyUmbrella can not redirect the certificate check to the Saurik server, or for other reasons, you will need to manually edit the hosts file :

Host file location:

  • Windows - C: \ Windows \ System32 \ drivers \ etc \ hosts
  • MAC - / private / etc / hosts or / etc / host

The following line is required: (Apple server)
Replaced by (server Saurik'a)

After a successful "rollback" of the firmware, it is recommended to return the "native" hosts parameters to the file (to the Apple server).

Possible TinyUmbrella warnings are usually associated with the inability to access certain ports:

Can not Start TSS Service
DO NOT TRY RESTORING YOUR DEVICE !!! (PID: xxxx) must be killed !!

- Run as Administrator
- Run in compatibility mode with XP SP3 (for Windows version)
- Enter the command line
  tskill PID

, where PID is the process that Ambrel told you

Can not Start TSS Service
TinyUmbrella MUST be run as an Administrator!

- Add the tinyumbrella file to firewall and antivirus exceptions.

Exit Recovery Loop:
How to get iOS out of Recovery Loop after rollback to iOS 4.3.3 and below?

Recovery Loop "Restore Loop", the phenomenon in which recovery to any firmware returns you to the recovery mode. It is expressed in the form that the device immediately goes into Recovery (Lace + iTunes icon) at boot time. Usually it is typical for errors 29, 1013, 1015 and several others (the above are most probable). What is it caused by? In 99% of cases iTunes'om, because at the end of the recovery process, it checks the integrity of the system and its components, if some parts do not correspond to what it actually restored the only conclusion is that the recovery was an error, and it needs to be reworked. And so on a circle.

TinyUmbrella allows us to get out of this circle by forcefully pushing the check to the end.

After downloading TinyUmbrella, run it and just click on " Exit Recovery ". After a couple of seconds your gadget will load into normal mode.

If TinyUmbrella does not help (the device is still in recovery mode) then we use the Fix Recovery program:

If you are not sure what could have provoked the loop, I strongly recommend that you first read the list of iTunes errors .

  • Download ( Fix Recovery ) for iOS 4.3.x ( 4.2.1 ) ( Windows | Mac )
  • Download Zlib1.dll from here and place it in the same folder where you unpacked fixrecovery43.exe
  • Start iTunes and leave it running in the background.
  • Now go to the DFU mode.

    For this:
    • Connect your iPhone, iPad, iPod Touch to your computer.
    • Turn off the iPhone, iPad, iPod Touch.
    • Press and hold Power and Home at the same time for 10 seconds.
    • Release Power but do not release Home for another 10 seconds.
    • If you did everything correctly, the device will go into DFU mode.
    • iTunes will need to recognize your gadget.

  • Run fixrecovery43.exe and wait for the utility to transfer your iPhone or iPad to normal mode. Make sure that you are connected to the Internet, since all the necessary files from the Apple servers must be downloaded. The whole process should take several minutes, depending on the speed of the Internet.
  • Once you see Exiting libpois0n in the program window, you can disable your iPhone or iPad. The rest of the procedure will run autonomously on your gadget. The gadget will go into normal mode in about two minutes.

Remember that if you do not know what the Recovery loop was called on, you did not try to manipulate the modem of the phone by any instructions and it arose on the official firmware in the form of errors with a two-digit number, forced exit from the loop does not guarantee the performance of your device! This is just a method of bypassing some mechanisms, not a utility for repair and maintenance.