Save SHSH certificate (ECID SHSH, SHSH blobs) [updated 08/01/2014]

What is SHSH and why save it?

The SHSH certificate (ECID SHSH, SHSH blobs) is a digital signature, unique to each iDevice, with which the firmware file is signed before it is flashed onto the device. The SHSH is issued by a special Apple server in response to the device identifier sent by iTunes. The signing system debuted in the summer of 2009, along with the release of the iPhone 3GS. Starting with firmware 3.1.1, the signing system was extended to iPod touch 2G and 3G, and since the release of iOS 4.0 SHSH signing also applies to the iPhone 3G. For iPhone 2G, iPod touch 1G and Apple TV 1G, SHSH is not used, so these devices can always be flashed to any available version of iOS.

The principle behind this restriction is simple. When you attempt a downgrade (installing older firmware), iTunes contacts the Apple server and sends it some data from your device, including the unique identifier of its chip. In response it receives the SHSH certificate required by the boot module (iBoot). If this does not happen, iTunes reports an error and aborts the restore. If you have saved the certificate for the firmware you want to restore to, you can always do so, bypassing the Apple server.

If you update the firmware of one of these devices, you will not be able to install older firmware again, because the SHSH is different for each new firmware. Saving the SHSH certificate is necessary above all so that you always have the option of installing an older firmware.

Using SHSH in iOS 5

Up until the release of iOS 5.0 in the fall of 2011, having the SHSH guaranteed that any gadget could be rolled back to any old version of iOS. But then Apple significantly modified the firmware signing system. Whereas previously iTunes sent only the device identifier and the firmware version to the Apple server, now the iOS device generates a random number before flashing, and this number also takes part in creating the SHSH. This new type is called APTicket.

Implications of the introduction of an APTicket

The consequences were very serious. Previously, SHSH had no expiry date and could be used an unlimited number of times. Starting with iOS 5.0, any SHSH is valid only once. The next time you restart, the iOS gadget generates a new random number, and the old SHSH will no longer work for it. It is almost impossible to decrypt an APTicket: for this, you need to crack the Apple security key, and this can only be done by brute force.
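
The difference between the two signing models described above, as an added sketch that is not part of the original page. HMAC stands in for Apple's real asymmetric signature, and the key, ECID values and build string are constructed.

```python
import hashlib
import hmac
import os

# Constructed demo key. The real scheme uses an asymmetric signature that the
# device verifies with a public key; HMAC is swapped in to stay self-contained.
SERVER_KEY = b"constructed-demo-signing-key"


def sign_ticket(ecid, build, nonce=b""):
    """Signing server: bind the ticket to device ID, firmware build and,
    in the APTicket model, the nonce the device generated for this restore."""
    message = f"{ecid:016x}|{build}|".encode() + nonce
    return hmac.new(SERVER_KEY, message, hashlib.sha256).digest()


class Device:
    """Toy device that checks a ticket before accepting firmware."""

    def __init__(self, ecid, uses_nonce):
        self.ecid = ecid
        self.uses_nonce = uses_nonce
        self.nonce = b""

    def begin_restore(self):
        """Each restore attempt draws a fresh random nonce (APTicket model)."""
        self.nonce = os.urandom(20) if self.uses_nonce else b""
        return self.nonce

    def accepts(self, build, ticket):
        expected = sign_ticket(self.ecid, build, self.nonce)
        return hmac.compare_digest(expected, ticket)


def replay_saved_ticket(uses_nonce):
    """Return (accepted in the session it was issued for,
               accepted when replayed in a later session)."""
    device = Device(ecid=0x0000123456789ABC, uses_nonce=uses_nonce)
    build = "constructed-build-1"
    nonce = device.begin_restore()
    saved = sign_ticket(device.ecid, build, nonce)  # the blob a user saves
    first = device.accepts(build, saved)
    device.begin_restore()                          # later restore attempt
    return first, device.accepts(build, saved)


def ticket_is_device_bound():
    """A ticket issued for one ECID must not verify on another device."""
    a = Device(ecid=0x1111, uses_nonce=False)
    b = Device(ecid=0x2222, uses_nonce=False)
    ticket = sign_ticket(a.ecid, "constructed-build-1")
    return a.accepts("constructed-build-1", ticket) and not b.accepts(
        "constructed-build-1", ticket)


if __name__ == "__main__":
    print("legacy SHSH (issued, replayed):", replay_saved_ticket(False))
    print("APTicket    (issued, replayed):", replay_saved_ticket(True))
    print("bound to ECID:", ticket_is_device_bound())
```

Without the nonce a saved ticket verifies in every later session; with it, the same ticket fails as soon as the device draws a new random number.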

According to the idea of Apple's programmers, the APTicket would make it impossible to restore any Apple device to unsigned firmware. However, this is not the case.

Bypassing the APTicket check

As it turned out, the APTicket can also be bypassed, but only on devices with Apple A4 processors and weaker: iPhone 3G, iPhone 3GS, iPhone 4, iPod touch 3G, iPod touch 4G, iPad 1G and Apple TV 2G. While flashing these devices, you can turn off random number generation and force iTunes to accept the old SHSH from the same device.

In addition, a vulnerability was found in all iOS 5.x firmware that opens up additional opportunities for rolling back firmware even on newer Apple devices. iPad 2, iPad 3 and iPhone 4S can be flashed to any version of iOS 5.x from any other version of iOS 5.x under two conditions:

  • You must have SHSH both from the version of iOS you are flashing from and from the version of iOS you are flashing to
  • The firmware you currently have installed must not have been installed via an over-the-air update. If you updated or restored to it via iTunes, then everything is fine

Is it possible to roll back from iOS 6?

  • iPhone 3GS, iPhone 4, iPod touch 4G and Apple TV 2G can be rolled back from iOS 6 (for Apple TV this is software 5.1) to any old version of iOS, provided that you have SHSH from this old version
  • iPad 2 can be rolled back from iOS 6 to iOS 4.3.x, provided you have SHSH from the iOS 4 firmware
  • iPad 2 can be rolled back from iOS 6 to iOS 5.x as long as you have SHSH from any iOS 4.3.x firmware and from the 5.x firmware you want to roll back to
  • iPhone 4S and iPad 3 cannot be rolled back from iOS 6, even with all SHSH. For these gadgets, rolling back firmware is possible only within iOS 5.x
  • iPhone 5, iPod touch 5G, iPad mini and iPad 4 cannot be rolled back from iOS 6 because iOS 5.x firmware has not been released for these devices.

Using SHSH in iOS 6

If you saved SHSH certificates for iOS 6.0-iOS 6.1.2 in Cydia in order to roll back the firmware to a previous version, we have to disappoint you: the saved data is completely unsuitable for use.

"Now if you have a hacked device running iOS 6.0 - iOS 6.1.2, you can no longer downgrade," Saurik said on his web page. All SHSH certificates for the latest version of iOS that were stored in Cydia have become useless. Jay Freeman (aka Saurik) also provides some background on how SHSH certificates work and on the new features and limitations of SHSH blobs and APTickets.

The following information is important for every jailbreak user. If you own a relatively recent device, iOS 6 SHSH certificates are completely useless. Whereas before the release of iOS 5.0 saved SHSH certificates guaranteed that the gadget could be rolled back to any previous version of iOS, this is now impossible, since Apple has significantly changed the entire firmware signing system. It is impossible to roll back to iOS 6.1.2 or iOS 6.0 from iOS 6.1.3 and higher on devices with A5 / A5X / A6 / A6X processors.

Whereas earlier it was enough to keep the SHSH certificates in order to downgrade, now your device generates random numbers before each flashing, and these later take part in creating the certificates. This type of hash is an APTicket, a digital signature.

It is this digital signature that was introduced in the updated iOS 6.1.3 operating system. Users can no longer use iOS 6 SHSH certificates to downgrade or upgrade the firmware. They cannot even use them to restore the current version of iOS on their device.

Saurik cites the following figures: about 25.8% of jailbreakers are affected by this. The remaining 74.2%, users of iPhone (3GS, 4) and iPod touch (4G), are not affected. However, if the iOS 6 SHSH certificates were saved locally using tools like TinyUmbrella, redsn0w or iFaith, you can roll back from iOS 6.1.3 on iPhone (3GS, 4) and iPod touch (4G) devices.

Saurik's site

How to save SHSH and how to use it?

The first way to save SHSH is to tap the Make my life easier button in Cydia (if it is not there, you have already tapped it, and all the necessary hashes are now saved automatically). After you press this button, the SHSH certificate for your device is saved on Saurik's server. The certificates saved for your device are listed at the top of the main Cydia window.

The disadvantage of this method is that you cannot install Cydia without jailbreaking. Therefore, you cannot save SHSH immediately after installing a new firmware. And it is better to save SHSH right away, because once the next firmware version is released, you can no longer save SHSH for the current version.

TinyUmbrella does not have this disadvantage. A further advantage is that TinyUmbrella can save SHSH not only on Saurik's server, but also on your computer.

Who needs to save certificates, and for which firmware?

Owners of iPhone (3GS, 4, 4S, 5, 5C, 5S), iPod touch (4G, 5G), iPad (2, 3, 4, Air), iPad mini (1, 2) -> for all firmware.

SHSH can be saved only for the latest firmware currently available on the Apple server!

At the moment this is -> iOS 7.1.1, iOS 7.1.2!

For safety, send certificates to your email!

Using TinyUmbrella (not relevant for devices with an A7 processor)

The TinyUmbrella program window

  • Device Model - the device model, needed to determine the bootrom in iPod touch 2G players, and also to determine the country the device was made for and, consequently, whether it is locked or unlocked (and, if locked, to which operator)
  • Installed Firmware Version - the current firmware on the device; determines whether a jailbreak is possible.
  • ECID - now shown in both decimal and hexadecimal. If it contains an error, or the device is not at hand, you can enter it manually. To find out your ECID without TinyUmbrella, use the usbview utility for Windows: as soon as you connect your device in Recovery Mode and select the USB port, the ECID appears in the list of device information for that port. As a rule, though, TinyUmbrella determines the ECID correctly and this is not needed.
  • Serial Number - the serial number; determines the bootrom version and, consequently, the method used to install custom firmware.
  • IMEI - the IMEI is the IMEI everywhere. An individual identifier used to identify the device on the cellular network.
  • Saved SHSH - SHSH saved locally, i.e. on the hard disk of this computer, and therefore those you can use to restore firmware using the TSS Server.

Saurik's site, TinyUmbrella; requires Java

Save the certificate.

Launch TinyUmbrella, then in the upper left corner of the program, under Show All SHSHs -> Connected Devices, select your device and click Save SHSH.

Be sure to uncheck Advanced -> "Request SHSH From Cydia" before saving the certificate.

By default, saved certificates are stored in:

  • Windows XP - C:\Documents and Settings\UserName\.shsh
  • Windows Vista / 7 / 8 - C:\Users\UserName\.shsh
  • Mac OS X - ~/.shsh

After you finish working with TinyUmbrella, you need to restore the original ("native") contents of the hosts file.

  • Windows - C:\Windows\System32\drivers\etc\hosts
  • MAC - /private/etc/hosts or /etc/hosts (Open the hosts file with a text editor and delete the line -> "")

For safekeeping, send the certificate to your email.

Pay attention to the version of TinyUmbrella. As a rule, the program name (TinyUmbrella-7.11.00) contains digits corresponding to the latest version of iOS (7.1.1) at the time of the program's release. This means that version 7.11.00 cannot save certificates for newer iOS firmware (7.1.2), because the author of the program did not update it to work with new versions of iOS. Be careful!

Download TinyUmbrella 7.12.00 [WIN] (Virus Free by KAV)
Download TinyUmbrella 7.12.00 [OSX] (Virus Free by KAV)
Download TinyUmbrella 5.00.11 [WIN] (Virus Free by KAV)
Download TinyUmbrella 5.00.11 [OSX] (Virus Free by KAV)
Download TinyUmbrella 4.33.00 [WIN] (Virus Free by KAV)

Using iFaith (not relevant for devices with an A7 processor)

iFaith allows you to save certificates (SHSH) from the version of iOS installed on your i-device regardless of whether it is still current, as well as to save the latest current ones.

Download certificates from the Cydia server and save new ones.

-> Applies to all iDevices

Launch iFaith -> Show Available SHSH Caches on Server. iFaith recognizes the device and prompts you to select the required action:

  1. To save certificates for the latest, up-to-date firmware, select -> Fetch the latest SHSH blobs Apple is actively signing.
  2. If you have certificates that need to be sent to the Cydia server, select -> Submit SHSH blobs for this device.
  3. To save certificates from the Cydia server, select -> Show list of available SHSH blobs on TSS server(s). iFaith will show the certificates available on the Cydia server, which you can download -> Downloads all available blobs, then save them to the specified location and check them.

Extract the certificate.

-> Applies to iPhone (3GS, 4), iPod touch (4G)

Run iFaith -> Dump SHSH Blobs, put the device into DFU mode, wait for the process to finish and you will get a certificate from the installed firmware.

For safekeeping, send the certificate to your email.

Sign the firmware.

-> Applies to iPhone (3GS, 4), iPod touch (4G)

Run iFaith -> Build *signed* IPSW w/ Blobs -> Browse for SHSH blobs and specify the path to the *.ifaith, *.shsh or *.plist file (the previously saved certificate). iFaith will then determine which device and which version of iOS the certificate belongs to and will offer to specify the firmware -> Browse for an IPSW, or to download the firmware -> Download it for me. iFaith will verify the certificate and the firmware.

After successful verification, iFaith will offer to create a signed firmware -> Build IPSW. Wait for iFaith to sign the firmware. After creating the firmware, iFaith will ask you to put the device into DFU mode. Then launch iTunes (version no later than 11.0.0 is needed), hold down SHIFT (ALT on Mac OS) + "Restore" and select the signed firmware (B5CD_iFaith_iPhone_4-4.3.3_(8J2)_signed.ipsw). Wait for the flashing to finish and enjoy.

Using redsn0w (currently not relevant)

Save the certificate.

Run redsn0w -> Extras -> SHSH blobs -> New (you will need to specify the firmware! If you updated via iTunes, there is no need to download it again: use the copy that iTunes saved).

redsn0w saves the certificate to -> C:\Users\Username\AppData\Roaming\redsn0w\shsh -> it is advisable to send it to your email for safekeeping.

Using iSHSHit (not currently relevant)

-> Applies to jailbroken devices

iSHSHit allows you to save certificates (SHSH) directly from your device. This program automatically sends your certificates to Cydia's server, and can also send saved certificates (SHSH) by email. Download and install iSHSHit via Cydia from the BigBoss repository for free.

Save the certificate.

Launch iSHSHit -> Firmware, select All Versions, click Save. After saving the certificates -> Manage SHSH, click Send All and send them to your email.

Using 25PP (not relevant for devices with an A7 processor)

Save the certificate.

Run 25PP -> [pic], then click on the umbrella -> [pic], choose your device and click -> [pic]. Wait for the process to finish and you will see a list of stored certificates; click -> [pic] and a folder with the saved certificates will open.

For safekeeping, send the certificate to your email.

Using W|NbR3LL@

W|NbR3LL@ requires .NET Framework 4.0

Save the certificate.

Run W|NbR3LL@ -> Check Blobs. The program checks for previously saved certificates and shows whether the certificate for the latest, current firmware can be saved -> Latest iOS - Apple. Then select the latest iOS version and click -> Download from Apple. The certificate will be saved to the Appleblobs folder next to the program.

For safekeeping, send the certificate to your email.

Rollback for iPhone (4S, 5, 5C, 5S), iPod touch (5G), iPad (2, 3, 4, Air), iPad mini (1, 2) devices is impossible, even with SHSH certificates.

Rollback for these devices is not possible from 7.x to 7.x, 7.x to 6.x, 6.x to 6.x, 6.x to 5.x, etc.; rollback in any direction is impossible!

Rollback is available only for iPhone (3GS, 4) and iPod touch 4G with SHSH certificates.

Question: I have an iPhone (4S, 5, 5C, 5S), iPod touch (5G), iPad (2, 3, 4, Air), iPad mini (1, 2), running iOS firmware (5.1.1, 6.0, 6.0.1, 6.0.2, 6.1, 6.1.1, 6.1.2, 6.1.3, 7.1). All SHSH are saved! Will I be able to roll back to iOS (6.0, 6.0.1, 6.0.2, 6.1, 6.1.1, 6.1.2, 6.1.3, 7.0.6)?
Answer: No, you cannot! There is no tool that allows you to do this!

iOS 6 Certificate Verification

Run iFaith -> Build *signed* IPSW w/ Blobs -> Browse for SHSH blobs, specify the path to the *.ifaith, *.shsh or *.plist file (the previously saved certificate) and see what the program says.

Working certificate

Non-working certificate

Advanced settings:

  • Save ALL Available SHSH - save all available SHSH in one click.

  • Set Hosts on Cydia on Exit - leave the hosts file redirected to the Cydia server after exit. Quite convenient: if you have SHSH there, then even with TinyUmbrella closed you can still restore using the Cydia server instead of the local TSS.

  • Request SHSH from Cydia - send requests to the Cydia server; if unchecked, TinyUmbrella contacts Apple.

  • Overwrite SHSH on "Save SHSH" - overwrite SHSH with each request.

  • When connecting device, prefer my custom name ... - display the device name as defined in iTunes.

Downgrade firmware with saved SHSH:

First, consider the case when the necessary SHSH was saved on your computer via TinyUmbrella:

  • Put your device into recovery mode (to enter recovery mode, press the Home and Power buttons at the same time and hold them until the iTunes icon and USB cable appear on the screen). Connect it to the computer. Make sure iTunes is NOT running. Launch TinyUmbrella.
  • Click the "Start TSS Server" button and enter the system administrator password to start the local TSS server. The program changes the hosts file itself; you do not need to do this.

    On the Servers tab, the server log is displayed - you can view it in case of errors.

  • After that, launch iTunes and roll back using Shift + Restore (Windows) or Alt + Restore (Mac OS X), selecting the firmware (you can install any firmware for which you have saved the SHSH certificate).

    At the end of the flashing you will receive error 1015. To fix it:

    • Disconnect the phone from the computer.
    • Close iTunes.
    • Connect the phone to the computer.
    • Launch TinyUmbrella and press the "Exit Recovery" button (emergency call mode will become available on the phone).
    • After that, run iTunes and the phone will be activated.

    - If this does not help, try restarting the device (hold the Home + Power buttons until it reboots).
    - Or use the iReb-r4 program, clicking "Fix Recovery Mode Loop" (only for iPhone 2G, iPhone 3G, and iPod Touch 1G / 2G [MB]).

Attention! TinyUmbrella does not create SHSH blobs, it only downloads them. This means that it is useless to choose a firmware for which you did not manage to save SHSH in time. If you want to get SHSH from the Cydia server, choose only firmware that Cydia has saved (you can check this in Cydia itself); if you want to get SHSH from Apple, choose only the latest stable firmware. You will not be given any other anyway.

If TinyUmbrella cannot redirect certificate verification to Saurik's server, or for other reasons, you will need to edit the hosts file manually:

Location of the hosts file:

  • Windows - C:\Windows\System32\drivers\etc\hosts
  • MAC - /private/etc/hosts or /etc/hosts

Line required: (Apple server)
Replaced by ( Saurik's server)

After a successful “rollback” of the firmware, it is recommended to return the “native” parameters of the hosts file (to the Apple server).
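
A check for the hosts-file cleanup step described above and in the TinyUmbrella section, as an added example that is not part of the original page: it lists active hosts entries that still override a watched domain. The suffix `vendor.example` and the sample file are constructed placeholders, since the page does not show the actual line.

```python
import ipaddress
import sys

# Constructed sample; addresses come from documentation ranges.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1      localhost
::1            localhost
fe80::1%lo0    localhost
203.0.113.10   signing.vendor.example   # left behind by a restore tool
#198.51.100.7  signing.vendor.example
127.0.0.1      updates.vendor.example other.example
"""


def active_entries(hosts_text):
    """Yield (line_no, address, hostname) for each uncommented mapping."""
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            # Drop an IPv6 zone id such as %lo0 before validating.
            address = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue  # first field is not an address: ignore the line
        for name in fields[1:]:
            yield line_no, str(address), name.lower().rstrip(".")


def find_overrides(hosts_text, watched_suffixes):
    """Return entries whose hostname equals or sits under a watched suffix."""
    suffixes = [s.lower().strip(".") for s in watched_suffixes]
    return [
        (line_no, address, name)
        for line_no, address, name in active_entries(hosts_text)
        if any(name == s or name.endswith("." + s) for s in suffixes)
    ]


def default_hosts_path():
    """Hosts file locations as listed on this page."""
    if sys.platform.startswith("win"):
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


if __name__ == "__main__":
    # Usage: python check_hosts.py <domain-suffix> [hosts-file]
    suffix = sys.argv[1] if len(sys.argv) > 1 else "vendor.example"
    path = sys.argv[2] if len(sys.argv) > 2 else default_hosts_path()
    with open(path, encoding="utf-8", errors="replace") as handle:
        hits = find_overrides(handle.read(), [suffix])
    for line_no, address, name in hits:
        print(f"{path}:{line_no}: {name} -> {address}")
    sys.exit(1 if hits else 0)
```

A non-zero exit status means a redirect for the watched domain is still active and the hosts file has not been returned to its original state.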

Possible TinyUmbrella warnings are usually associated with the inability to access certain ports:

Cannot Start TSS Service
DO NOT TRY RESTORING YOUR DEVICE !!! (PID: xxxx) must be killed !!

- Run as Administrator
- Run in XP SP3 compatibility mode (for the Windows version)
- At the command line, enter
  tskill PID

where PID is the process ID that TinyUmbrella reported

Cannot Start TSS Service
TinyUmbrella MUST be run as an Administrator!

- Add the tinyumbrella file to the firewall and anti-virus exclusions.

Exit Recovery Loop:
How do you get an iOS device out of a Recovery Loop after a rollback to iOS 4.3.3 and lower?

Recovery Loop - the phenomenon in which restoring to any firmware returns you to recovery mode. It shows up as the device going into Recovery immediately on boot (cable + iTunes icon). It is usually characteristic of errors 29, 1013, 1015 and several others (those listed are the most likely). What causes it? In 99% of cases, iTunes: at the end of the restore process it checks the integrity of the system and its components, and if some parts do not match what it actually restored, its only conclusion is that the restore failed and must be redone. And so on in a circle.

TinyUmbrella allows us to get out of this circle by forcing the check through to the end.

After downloading TinyUmbrella, launch it and simply click "Exit Recovery". After a couple of seconds, your gadget will boot into normal mode.

If TinyUmbrella does not help (the device is still in recovery mode), use the Fix Recovery program:

If you are not sure what could have provoked the loop, I strongly recommend that you first read the list of iTunes errors.

  • Download Fix Recovery for iOS 4.3.x (4.2.1) (Windows | Mac)
  • Download Zlib1.dll and place it in the same folder where you unzipped fixrecovery43.exe
  • Launch iTunes and leave it running in the background.
  • Now put the device into DFU mode.

    To do this:
    • Connect your iPhone, iPad, iPod Touch to your computer.
    • Turn off the iPhone, iPad, iPod Touch.
    • Press and hold Power and Home at the same time for 10 seconds.
    • Release Power but do not release Home for another 10 seconds.
    • If you have done everything correctly, the device will switch to DFU mode.
    • iTunes should recognize your gadget.

  • Run fixrecovery43.exe and wait until the utility switches your iPhone or iPad to normal mode. Make sure you are connected to the Internet, as all the necessary files have to be downloaded from Apple servers. The whole process should take several minutes, depending on the speed of your connection.
  • As soon as you see Exiting libpois0n in the program window, you can disconnect your iPhone or iPad. The rest of the procedure is performed on the gadget itself. The gadget will go into normal mode in about two minutes.

Remember: if you do not know what caused the Recovery Loop, you did not try to manipulate the phone's modem following any instructions, and the loop appeared on official firmware with double-digit errors, then forcing the device out of the loop does not guarantee that it will work! This is just a method of bypassing certain mechanisms, not a repair and maintenance utility.