Welcome to the new and improved 2012 version of the iPadForums SHSH Blob FAQ!
SHSH blobs can be a confusing subject for our members. There is also a lot of misunderstanding and misinformation around the subject, not helped by the differences between devices and firmware versions. This thread aims to be a "one-stop-shop" for SHSH related facts so we can demystify the subject once and for all!
Frequently Asked Questions
1. What are SHSH Blobs?
SHSH Blobs, or blobs for short, are digital signatures which Apple provides to you to authorise the installation of a particular version of IOS on your device. Think of blobs as the key which unlocks the door to allow installation of a firmware file. Blobs are used on all modern Apple mobile devices and were first introduced on the iPhone 3GS.
2. Why are blobs so important?
iTunes will not let you install, update, or restore IOS on your device without valid blobs. There is no way to circumvent this security measure. So, no blobs = no install. iTunes' typical response in this situation is the dreaded message "iTunes Error 3194 - This device isn't eligible for the requested build".
3. How are blobs generated?
Blobs are only ever generated by Apple on their own servers. They can't be created any other way since they use strong encryption techniques. They cannot be forged. They cannot be changed or otherwise manipulated.
iTunes first makes a request to the Apple signing server, including information such as your device's unique ID (ECID) plus the version details of IOS that you are trying to install. iTunes gets your unique blobs back as a response, but only if Apple agrees that you are allowed to install that version of IOS on your device!
Since the release of IOS5 an additional unique component known as the APTicket is also required from Apple. This component is randomly generated by something called a "nonce" (number once) from your device and is unique each time a fresh restore operation is requested.
4. So what's the problem?
Apple will only provide you with blobs for the version of IOS which they decide is "current". At the time of writing, this is version 5.0.1. You will never receive blobs from Apple for older versions of IOS, such as 4.3.3, if a newer version is available except for a brief period of cutover between the current and previous version of IOS.
The period of time for which Apple will provide blobs for a version of IOS is referred to in the jailbreaking community as the firmware signing window. As soon as Apple stop providing new blobs for a particular version of IOS, we say that the firmware signing window has been closed.
Apple typically close the firmware window on the previous version of IOS within 24 hours of a new version being released. So, if the next version of IOS is 5.1, you will have about 24 hours after it is released to the public before Apple will stop providing blobs for 5.0.1.
5. So why do I hear folks talk about "saving blobs"?
Well, whilst Apple were smart enough to make blobs which cannot be changed or forged, they didn't protect themselves very well from a "replay attack", at least up to the release of IOS 5.0.
Soon after Apple started using blobs, clever hackers discovered that if you intercepted and saved away the blobs which were returned from Apple when you requested them, you could replay them to iTunes at a later date by pretending to be the Apple servers and the installation would succeed! The main tool which has been developed to help you do this is called TinyUmbrella, although Saurik first allowed Cydia servers to be used in place of Apple's signing servers and also automated the process of saving your blobs for jailbroken devices.
BUT, for this technique to work, you must still request and save your blobs from Apple during the period when they are still signing the firmware version you are interested in. So, if you want to restore IOS version 4.3.3 today, you need to have saved your blobs for 4.3.3 (which are unique to your device) back in May 2011 when Apple was still signing them. Remember, they are unique and cannot be forged or copied from someone else's device - no blobs = no install.
Apple have known about this replay attack exploit for a long time, and with the release of IOS5 they effectively blocked the ability to perform a replay attack by introducing the APTicket component to the blob request. This component is randomly generated every time the device undertakes a new restore operation and therefore replaying previously saved blobs for 5.x will not work since the random component will be different from the first time it was restored.
LUCKILY, our clever hacker friends found a way to circumvent this too, but only for devices where there is a known bootrom exploit, which in our land is the iPad1 only. Both iFaith 1.4+ and redsn0w 0.9.9+ have the capabilities to extract the blobs AND the APTicket from the device and then build a pre-signed custom firmware for a version of 5.x which can be restored at a later time using a pwned DFU mode. TinyUmbrella has also been updated to save both the blobs and the APTicket component for 5.x firmwares to allow a custom firmware to be built using redsn0w or iFaith.
UNFORTUNATELY, since the release of IOS6, there is no way for iPad2 or iPad3 owners to restore any previous version of IOS (including 5.x) even if they have saved their blobs. Hopefully, this will change in the near future with a new release of the redsn0w tool. We will post an update and tutorials when this becomes available!
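The replay weakness and the nonce fix described under question 5 (with the blob request from question 3), modelled as an added example that is not part of the original FAQ or of any tool it mentions. The HMAC key stands in for Apple's real signature scheme, and the ECIDs, nonce length and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Stand-in for Apple's private signing key. Real blobs carry an asymmetric
# signature; HMAC is used only to keep this model inside the standard library.
SIGNING_KEY = os.urandom(32)


def _message(ecid, version, nonce):
    return b"|".join([ecid.encode(), version.encode(), nonce])


def sign_request(ecid, version, signed_versions, nonce=b""):
    """Signing server: issue a blob only while the version's window is open."""
    if version not in signed_versions:
        return None  # window closed, the "Error 3194" case
    return hmac.new(SIGNING_KEY, _message(ecid, version, nonce), hashlib.sha256).digest()


def device_accepts(ecid, version, blob, nonce=b""):
    """Device check: the blob must cover this ECID, this version and this nonce."""
    if blob is None:
        return False
    expected = hmac.new(SIGNING_KEY, _message(ecid, version, nonce), hashlib.sha256).digest()
    return hmac.compare_digest(blob, expected)


def demo():
    ecid, other = "000012345678ABCD", "0000FFFFFFFF0001"  # constructed sample ECIDs
    # Window open: save a pre-5.0 style blob (no nonce) and a 5.x style ticket.
    old_blob = sign_request(ecid, "4.3.3", {"4.3.3"})
    nonce_then = os.urandom(20)  # constructed nonce length
    ticket = sign_request(ecid, "5.0.1", {"5.0.1"}, nonce_then)
    # Window closed: only 5.1 is signed, and a new restore picks a new nonce.
    nonce_now = os.urandom(20)
    return {
        "fresh_request_refused": sign_request(ecid, "5.0.1", {"5.1"}, nonce_now) is None,
        "old_blob_replays": device_accepts(ecid, "4.3.3", old_blob),
        "blob_from_other_device": device_accepts(other, "4.3.3", old_blob),
        "ticket_in_original_restore": device_accepts(ecid, "5.0.1", ticket, nonce_then),
        "ticket_replayed_later": device_accepts(ecid, "5.0.1", ticket, nonce_now),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The saved 4.3.3 blob keeps verifying because nothing in the signed message changes between restores, while the saved 5.0.1 ticket fails as soon as the device generates a different nonce.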
6. So, what do I do now?
Well, the short answer is start saving your blobs today!
It is never too late to start saving them, no matter what device you have. What you are doing by starting today is giving yourself a potential insurance policy for the future. Even if you have a device which is not currently able to be restored on the current firmwares using saved blobs you should still start today, because you never know what new exploits will be discovered by the hackers tomorrow! Remember, up until recently it was impossible for any device to restore a 5.x firmware which Apple had stopped signing, but now there are various ways to be able to do this, so there is always hope!
The recommended methods to save your blobs are as follows:
TinyUmbrella (TU) - The Firmware Umbrella.
TU is a PC (both OSX & Windows) tool which saves your blobs locally on your hard disk. It is simple to use and puts you in control of your blob saving. You can download the latest version of TU from - The Firmware Umbrella - TinyUmbrella
We have a very simple tutorial which you can follow to save all your current blobs and set yourself up for future blob saving. Give it a go - http://www.ipadforums.net/jailbreaki...yumbrella.html
If you have a jailbroken device, Cydia will automatically save your SHSH Blobs on your behalf. Whenever you start Cydia you should see a line at the top of the home page with all your saved blobs (on Cydia servers) in green, similar to the following screenshot…
If you want to retrieve all of your blobs from Cydia, use the tutorial for TinyUmbrella linked above. The tutorial is written in such a way that it will get all of your blobs from Cydia (if you have any) as well as get the current blobs from Apple. But remember, it cannot magically create blobs which you have not previously requested from Apple or saved away on Cydia!
This is a jailbreak application which you can install through Cydia on your device. Just like TU, it can retrieve blobs from either Cydia or direct from Apple, but this time it downloads the blobs directly onto your device. A nice feature is that it allows you to email the blobs anywhere you want (including to yourself!), which to be honest you MUST do since they are of little use to you on your device if you are going to restore it! It is highly recommended for blob saving on the go, particularly if you are away from your PC, maybe on vacation, and hear that a firmware window is about to be closed!
Unlike the other options, iFaith does something really special. It extracts the blobs from your currently installed firmware on your device. However, because iFaith relies on being able to pwn the boot process, it is only available on devices with a known bootrom exploit, which at the moment are the A4 devices such as iPad1 and iPhone4. It will NOT work on iPad2 or iPhone4S as things stand today. iFaith can be a real lifeline for owners who did not understand the importance of saving blobs, but still have an older version of IOS installed on their device.
Additionally, you are able to build a pre-signed custom firmware for your device using the blobs which were extracted with iFaith. This custom firmware can be installed without the need to interact with the Apple signing servers or TinyUmbrella in the future. The latest version of iFaith can be downloaded from - iH8sn0w.com
The jailbreaking tool redsn0w can now also be used to extract blobs from the currently installed version of IOS in a similar way to the iFaith tool. Blobs can also be "stitched" into a custom pre-signed firmware to install at a later date. The latest version of redsn0w can be downloaded from - Dev-Team Blog. redsn0w also has a nice feature to verify your blobs, including letting you know if your 5.x blobs have a proper APTicket component. Very handy! :D
7. I still don't understand SHSH Blobs!
Note: The latest versions of iFaith (iPad1 only) and redsn0w (iPad1, iPad2, and iPad3) are the ONLY tools which will allow you to restore a version of 5.x firmware which Apple has stopped signing as of this time, but remember you must also have saved SHSH Blobs too!
I have failed you grasshopper :(
Post your question in response to this thread and we will do our best to answer! :D