SHSH

As the SHSH blob article on Wikipedia summarizes it: "SHSH blob is a jargon term for a small piece of data that is part of Apple's digital signature protocol for iOS restores and updates, designed to control the iOS versions that users can install on their iOS devices (iPhones, iPads, iPod touches, and Apple TVs), generally only allowing the newest iOS version to be installable. "

Technically, the SHSH of a firmware image is a 1024-bit ( bytes) RSA signature. This often also refers to backup files with the signature ("SHSH blobs"). This signature is needed to restore a specific iOS version; it is generated by Apple based on hardware keys of the device and the hash of the firmware. Apple only issues signatures for the currently-available iOS version, which disallows installing older iOS versions. But if you have saved signatures for an older iOS version, you may be able to use a replay attack to restore that version. Therefore it is recommended to save the signature for your device as long as Apple issues it.

With the tools mentioned below it is possible to backup the signature. It is not necessary that the device is jailbroken to do the backup. Usually the SHSH signature file is stored on Saurik's server. If it is stored there, then you can see in the top of Cydia (on jailbroken devices) for which version a backup exists. This moved to TSS Center which can be located on the main page and then they are shown at the top of that.

Users often misunderstand this system and think that the SHSH firmware version they back up depends on the firmware version they have installed on their device. This is the case for iFaith, but not for TinyUmbrella. iFaith dumps the SHSHs from your device's storage (whatever's installed on your device, e.g. 4.3.3), while TinyUmbrella gets SHSHs from Apple's servers (whatever firmwares Apple is currently signing).

Using SHSH
Older devices allow installation of any correctly signed firmware, so no backup of the certificate is necessary. Devices that need Apple signatures are: iPhone 3GS (new Bootrom), iPhone 4, iPod touch 3G, iPad, iPad 2, iPod touch 4G, Apple TV 2G and all newer devices. The iPhone 3G, iPhone 3GS Old Bootrom and iPod touch 2G bootroms do not require these SHSHs; however, newer versions of iOS require them (unless the chain of trust is broken and custom firmwares are installed). To restore to arbitrary versions of iOS 4.0, the SHSH is also needed for the iPod touch 2G and iPhone 3G. not only does DFU Mode require the iBSS/iBEC files to be signed with an SHSH that includes the device's ECID, but the normal boot-chain requires the LLB to be fully signed with an ECID+SHSH, so a downgrade IPSW is not possible without a bootrom exploit of normal boot-chain (e.g. 0x24000 Segment Overflow). See also the Dev Team Blog post about this.

To restore to iOS 3.x or 4.x, change your hosts file to map any request to an Apple server to point to Saurik's server instead, if your device's signatures are hosted there. If you have the signature file on your computer, run TinyUmbrella's TSS Server on your local machine.

Since the limera1n Exploit is fixed in the bootrom since version Bootrom 838.3 and because iOS since 5.0 includes a nonce in their SHSH hashes, downgrading newer devices (iPhone 4S, iPad 2, iPad 3, Apple TV 3G) to earlier 5.x firmwares is not as simple. To restore to iOS 5.x on older devices, stitch iOS 5.x blobs into custom firmware (using redsn0w for example) and restore with that firmware. To restore to iOS 5.x on newer devices, use redsn0w's restore method. See the JailbreakQA guide to restoring to iOS 5.x using SHSH blobs (for all devices that can run iOS 5.x except Apple TV 3G).

Timeline
Note: The original iPhone and iPod touch don't use SHSH Blobs

Protocol
To request a SHSH blob from Apple, a simple HTTP request can be made. For a full description, please see the separate article SHSH Protocol and Baseband SHSH Protocol.

Links and Tools

 * Redsn0w
 * TinyUmbrella (Java needed)
 * Detailed background info from Saurik