How to save SHSH2 blobs

By Samplasion — Posted on 26 November 2019

On iDevices, blobs are essential for a successful downgrade. However, a new or inexperienced user might find trouble finding the right tools to save them.

But what exactly is a SHSH blob? Basically, a blob is a small file of data Apple's signing server (TSS, Tatsu Signing Server) uses to validate an update or a restore. Since Apple regularly revokes the firmware versions, we download the blobs when they're signed so that we can use them when they're no longer signed. Keep in mind, though, that each blob is tied to a specific device. In fact, the data is encoded using, among other things, the ECID of the device. Mind you, a blob can only grant you a restore or an update to a specific iOS version (ie. a blob saved for iOS 12.4 can only be used to downgrade to that version).

Saving a blob doesn't automatically grant you lifetime downgrades. Each iOS version is accompanied by a SEP firmware update. The SEP (Secure Enclave Processor) is a processor in iDevices that manages the security stuff in iOS (like Apple Pay, iCloud Keychain and other privacy data). In order for a downgrade to be successful, the target iOS version has to be compatible with the SEP version, and since it can't be downgraded (unless a SEP exploit comes out, but it'd be scary, because, y'know, privacy), you'll have to make sure it truly is, or else you won't be able to downgrade (e.g. the SEP for iOS 12.4 is not compatible with iOS ≤ 12.3, so it didn't produce a successful downgrade: after two weeks the biometric stuff stopped working). Generally, the SEP of a new major release (iOS 13, iOS 12 etc...) isn't compatible with the previous versions, and the SEP of a patch version (iOS 13.2.2 & 13.2.3) is almost always guaranteed to be working. The SEP of a minor upgrade is always a guess, because we don't know if it's compatible unless someone tries to downgrade and reports the situation to the community.

Anyways, to save a blob you first have to get the ECID of your device, but you'll have to have iTunes installed on your PC (except if you're on Catalina or newer versions of macOS; we'll see another method for those). Getting the ECID is actually pretty simple: plug your device into your computer and unlock it. Then, open the device view in iTunes (on Mojave and below) and click twice on "Serial Number". This will show a line like: ECID: XXXXXXXXXX. Right click it and copy it.

On Catalina, with iTunes completely missing – and unable to be copied over from older versions – we'll use a third party program to do the work from us. Install brew from here and when you're done, run:

$ brew install mobiledevice

in a terminal window. After installing, run:

$ mobiledevice get_device_prop UniqueChipID

If everything went correctly, you should see a series of numbers. Copy it: it's your ECID.

Now, to actually save the blobs, head over to TSS Saver by 1Conan. In the form, that looks like this:

you'll see a drop-down menu saying "Hex (iTunes)". The value of this dropdown will have to be changed to "Dec (UDID Calculator/ideviceinfo)" if you used the mobiledevice method.

Next to it, there's the text field that'll host the actual ECID as noted by the text that literally says "type ECID here" duh. The next step is selecting the right device. Select the device from the leftmost drop-down menu, then the model from the other one. Leave the checkbox unchecked, fill the captcha and hit "Submit".

You'll be greeted by a page that says that your request has been added to the queue, along with a link to see all you available blobs. Feel free to bookmark that link, relax, and check it some time later. Chances are your blob has already been saved.

Have fun downgrading! (BTW, I just restored comments, so you can comment under my posts again!)