SHSH

0x80 byte RSA signature of a firmware image.

This often also refers to the backup file with the signature. This signature is needed to restore a specific firmware version. The signature is being created by Apple and is being generated based on some hardware keys of the device and the hash of the firmware. Using a replay attack, with the saved signature old firmware can be restored, although Apple doesn't issue the signatures anymore and therefore disallows installing older firmware. Therefore it is recommended to save the signature for your device as long as Apple issues it.

Unfortunately, since the Limera1n Exploit is fixed in the bootrom since version Bootrom 838.3 and because iOS since 5.0 includes a nonce in their SHSH hashes, downgrading newer devices (iPhone 4S, iPad 2, iPad 3, Apple TV 3G) to earlier 5.x firmwares is impossible, even with iFaith. Until a Bootrom or LLB exploit is found, it is recommended to stay on a jailbreakable firmware until such time that the latest firmware is jailbroken.

To downgrade the firmware, simply change your hosts file to map any request to an Apple server to point to Saurik's server instead, if your certificate is there. If you have the file yourself, run TinyUmbrella's TSS Server on your local machine. Note, though, that downgrades to iOS 5 or newer are currently not available.

Not all devices have this check built in. Older devices allow installation of any correctly signed firmware, so no backup of the certificate is necessary. Devices that need Apple signatures are: iPhone 3GS, iPhone 4, iPod touch 3G, iPad, iPad 2, iPod touch 4G, Apple TV 2G and all newer devices. The iPhone 3G and iPod touch 2G bootroms do not require these SHSHs; however, newer versions of iOS require them (unless the chain of trust is broken and custom firmwares are installed). To restore to arbitrary versions of iOS 4.0, the SHSH is also needed for the iPod touch 2G and iPhone 3G. Not only does DFU Mode require the iBSS/iBEC files to be signed with an SHSH that includes the device's ECID, but the normal boot-chain requires the LLB to be fully signed with an ECID+SHSH, so a downgrade IPSW is not possible without a bootrom exploit of normal boot-chain (e.g. 0x24000 Segment Overflow). See also the Dev Team Blog post about this.

With the tools mentioned below it is possible to backup the signature. It is not necessary that the device is jailbroken to do the backup. Usually the SHSH signature file is stored on Saurik's server. If it is stored there, then you can see in the top of Cydia (on jailbroken devices) for which version a backup exists.

Users usually make the mistake that (even if they understand all this) they think the SHSH firmware version they back up depends on the firmware version they have installed on their device. This is the case for iFaith, but not for TinyUmbrella. iFaith dumps the SHSHs from your device's storage (whatever's installed on your device, e.g. 4.3.3), while TinyUmbrella gets SHSHs from Apple's servers (whatever firmwares Apple is currently signing).

Protocol
To request a SHSH blob from Apple, a simple HTTP request can be made. For a full description, please see the separate article SHSH Protocol and Baseband SHSH Protocol.

Links and Tools

 * TinyUmbrella (Java needed)
 * Detailed background info from Saurik