downgrade iOS header

As reported on iDB earlier, iOS hacker tihmstar has announced a New Year’s Eve release of his new tool Prometheus, which can downgrade/upgrade devices to unsigned firmwares, subject to certain requirements.
The main prerequisite for using the tool is having the APTicket/.shsh for the firmware you want to go to, but the process for saving these has changed. You must now use his tool tsschecker to correctly save the files, dubbed .shsh2. This guide will walk you through how to do it.

First off, please note that saving .shsh with TinyUmbrella or savethemblobs will not work for Prometheus, as it requires more information than the blobs they save provide. Using tsschecker, you can save an .shsh2 blob which contains a specific nonce, allowing a replay attack to downgrade your device.

Before you begin, go to tihmstar’s GitHub and download tsschecker. I will be outlining the process for Mac, but there are versions for Windows and Linux too.

How to use tsschecker to save blobs

1) Unzip the downloaded tsschecker file by double-clicking it. I used version

2) Create a folder on your desktop called “TSS”, and put the unzipped file called “tsschecker_macos” inside it.

3) Open the program TextEdit and connect your device to your computer.

4) Open iTunes and navigate to the connected devices page.

5) On this page certain information about your device is visible. We need to make a note of our device’s “ECID” and “Model”. These can be found by clicking on the “Serial Number” field of your device until they appear.

6) Copy these two pieces of information into your TextEdit document. An example “Model” would be “iPhone7,2”, and an example “ECID” would be “1234A5678B912”.

7) Now, paste the following lines into your TextEdit document:

/Users/USERNAME/Desktop/TSS/tsschecker_macos -d MODEL -e ECID -i 10.2 -s

/Users/USERNAME/Desktop/TSS/tsschecker_macos -d MODEL -e ECID -i 10.1.1 --buildid 14B150 -s

/Users/USERNAME/Desktop/TSS/tsschecker_macos -d MODEL -e ECID -i 10.1.1 --buildid 14B100 -s

/Users/USERNAME/Desktop/TSS/tsschecker_macos -d MODEL -e ECID -i 10.1 -s

8) We need to replace the words in capital letters in these lines with our own information. Replace “USERNAME” with your computer username, for example “joebloggs”. Replace “MODEL” with the Model we noted earlier, for example “iPhone7,2”. Replace “ECID” with your ECID, for example “1234A5678B912”. Do this for all four commands.

9) Once this is done, open Terminal from /Applications/Utilities, or via Spotlight.

11) Now copy each line from your TextEdit document one at a time into your Terminal window, and press “Enter” to save the blobs. The output should be similar (though not necessarily identical) to the one below, and should end in success:

tsschecker terminal output

12) After you have repeated the process for all of the lines, you should have your .shsh2 blobs saved for iOS 10.2, iOS 10.1.1 (both builds), and iOS 10.1. Remember, time is short, so grab them while you can. In future, grab new firmwares by replacing the iOS version number in the commands with new ones, for example iOS 10.2.1.

13) If you want to be doubly safe you can issue all the previous commands and add the following nonces to the end, one at a time. This may help to increase your chances of a downgrade in future, and might even facilitate downgrades without a jailbreak on specific iPhone 5s devices:

--apnonce 603be133ff0bdfa0f83f21e74191cf6770ea43bb

--apnonce 352dfad1713834f4f94c5ff3c3e5e99477347b95

--apnonce 42c88f5a7b75bc944c288a7215391dc9c73b6e9f

--apnonce 0dc448240696866b0cc1b2ac3eca4ce22af11cb3

--apnonce 9804d99e85bbafd4bb1135a1044773b4df9f1ba3

An example command using these nonces would be as follows:

/Users/joebloggs/Desktop/TSS/tsschecker_macos -d iPhone7,2 -e 1234A5678B912 -i 10.1 -s --apnonce 9804d99e85bbafd4bb1135a1044773b4df9f1ba3

One thing to note is that saving the blobs again with nonces will overwrite the ones you have already saved. To keep all of them, save blobs without nonces first, then move them to a different folder for safekeeping before saving them again with a nonce. Move the blobs saved with the first nonce to another folder, then save with the next nonce, and so on.

This does increase the number of commands you have to issue. To do all four iOS firmware versions with each nonce would be 20 commands per device, but it may help you out in the future, so weigh it up for yourself. Saving them without the nonces should be sufficient, but better safe than sorry!

The saved blobs should now be at the root of your home user folder, ~/. Look for them under /Users/USERNAME, next to your “Documents” and “Downloads” folders, and move them wherever you please to keep them safe.

As stated before, the clock is ticking until iOS 10.1.1 is unsigned, so whilst this method will work in future to save all iOS firmware blobs which are then signed, you only have a little while to use this to save your iOS 10.1.1 .shsh2 files.

Good luck, and let me know how it goes!


  • Tyler Forest-Hauser

    It’s worth noting that you can use ~/Desktop instead of /Users/USERNAME/Desktop. The tilde represents the home folder.

    • 7000rpm

      Will try this due to issues

  • Omri Kug

    can make it more “windows” like? the chmod is a command on linux and in general couldnt make this on windows. thanks in advance.

  • tunutsaigon

    Can you guy make a tutorial for Windows users?

    • Joaquim Barbosa

      Hi tunutsaigon, try this guide, in combination with my most recent article (for Mac). Together they should be enough:

      • Anwar Ala

        So now my iphone is running on 10.1.1
        Is it possible to get the shsh from it?!

      • Joaquim Barbosa

        Yes, if you follow the guide. Also, you didn’t have to go to 10.1.1 to get the blobs. It just has to be signed, it doesn’t have to be installed on your device. Thanks.

      • Julio Hernandez

        Hi Joaquim, what if I follow the site that Rolf Bause posted down below? From what it looks like to me its much simpler as it provides your SHSH2 blobs for you by just entering in the ECID and model numbers. Please let me know what you think, I’m a bit lost and TSS is just too confusing.

      • Joaquim Barbosa

        You can use it if you like, yes. I prefer to do these things myself to be sure of the results. If the site goes down, or he has made a mistake in how he’s saving everyone’s blobs, then they’d be useless, and I prefer to have them saved on my own computer instead of on his site. However, the chances that there will be a problem are very small, and if the guide is too confusing for you, it doesn’t seem a terrible idea to use someone else’s tool to do it for you. Feel free to use it. Hope this helps.

      • Julio Hernandez

        Thanks a lot, very helpful indeed!

      • Anonymouse

        did you forget how to highlight the name, children do have poor memories

    • Rolf Bause

      Just go to tsssaver.1conan[DOT]com

      • Julio Hernandez

        okay so i checked out the site and the reddit link Joaquim linked above and if i’m correct i’m assuming this website you posted SAVES your SHSH2 blobs for you to be able to download at a later time? I also posted my ECID number from iTunes as is which should be in that HEX format which is the combination of letters and numbers correct? Sorry, I’m a bit new to this.

      • Mark S

        You can download your blobs right away (at least I could). Just post the number itunes shows you into the website you don’t need to convert anything.

    • pegger1

      Pretty much the same as above, only instead of pasting the lines to a document you run them from a command prompt (in the folder where tsschecker is)

  • mgrimace

    Should the commands with the additional nonces be generating files as well? I’m getting blobs from the original commands, but the ones with the added nonces aren’t actually creating anything…

    • Joaquim Barbosa

      They overwrite existing ones for the same firmware. Save them without nonces, then move them to a different folder for safekeeping, then repeat with nonces, and they will build up without overwriting the previous ones. Hope this helps, and thanks for reading!

  • ricky_nguyen

    Doing this screwed up my backups that I created while downgrading to 10.1.1 saying that “Your iPhone was never backed up to your computer”

    • Joaquim Barbosa

      Hi Ricky, this seems unlikely. Saving the blobs doesn’t interfere with those files at all. Perhaps they were always corrupted, and you just coincidentally noticed after following the guide?
      Hope you get it sorted!

    • Mark S

      PROVE that following this guide screwed up your backups.

      • ricky_nguyen

        Here is my proof. I asked a guy on reddit if doing this screwed up his backup and he told me this.

      • Can confirm it does indeed remove the local backup of the Phone for some unknown reason… My iCloud backup was still in tact though. (iPhone 7 256GB, iOS 10.2)

      • ricky_nguyen

        I wish there was a disclaimer saying that it will indeed remove your local backup from your computer.

      • Sivale99

        Hi guys, I don’t think this tool messed up your 10.2 backup. You can’t restore your iphone on 10.1.1 to a 10.2 backup. I had this problem weeks ago when I first heard about the possible j/b.

      • ricky_nguyen

        I think what I did was the alt/option+update so that my data would still be saved on my phone.


    A video tutorial would be great

  • Abi Darwish

    I have saved my shsh2 from telegram @rJailbreakBot. Is it the same?

  • 7000rpm

    Video by any chance?

  • Diego Milano

    Perfect, another good and useful article for everyone to follow.

    • Joaquim Barbosa

      Hi Diego, did you try clicking on the iPhone information field in iTunes? Where it says its name and capacity, it says its serial number underneath. Click the serial number and it shows you different pieces of information, including the ones you need. Hope this works.

      • Diego Milano

        I don’t think I’ve tried that so hopefully that was it. I’ll try in a few later this evening and let you know.

  • Andrian

    Does it work with iOS 9.0.2? Since previously it mention it needs to have “tfp0” functionality

    • Mark S

      According to the video from tihmstar Prometheus won’t work because that jailbreak didn’t use the tfp0 functionality.

    • Joaquim Barbosa

      Prometheus probably won’t work with 9.0.2 but you can still save blobs with tsschecker. They may still be useful in future, so I would do it anyway. Cheers!

  • 7000rpm

    So the tool to downgrade is coming NYE, but a tool to save blobs in a new format is available today?

    • Joaquim Barbosa


  • eXoguti097

    “chmod +x ~/Desktop/TSS/tsschecker” isn’t doing anything for me, the directory is perfectly fine

    • lucianf

      If you downloaded from github, the extracted file is called tsschecker_macos. So you need to use that instead of tsschecker in the chmod command.

  • Viktor_Zweig

    You need to update your instructions since the new build has been uploaded to GitHub. Also, for those of you who may be using a firewall (such as LittleSnitch), make sure to download one shsh2 at a time. In between each download, quit Terminal and then start a new download. It will work without a glitch, otherwise the process just hangs…

    • Joaquim Barbosa

      Thanks for the heads-up Viktor, I’ve updated the guide. Thanks for reading!

  • EricWalker (ewalk40)

    Hey my tsschecker folder will not change to an exectuable file by using chmod +x am I doing something wrong?

    • Mark S

      It may already be an executable to begin with. Mine was.

      • EricWalker (ewalk40)

        I keep getting the output:

        -bash: /Users/EricWalker/Desktop/TSS/tsschecker: is a directory

        Am I doing something wrong now?

      • Joaquim Barbosa

        Try the new command in the guide now if you downloaded version of the tool instead of 1.0.6. Hope this helps.

      • Chris Mn

        hey i am having this same problem, my extracted file is tsschecker-master not macOS

    • Joaquim Barbosa

      If you downloaded then you do not need that step. Hope this helps!

  • Rick

    For Windows use auto-tsschecker_v2 very easy to use and no errors for me using Windows 10.

  • iltas

    Can u plz add video tutorial /it’s so easy

  • iltas

    Can I save my iOS 10.1.1 ssh

    • Abhijeet Gupta

      Yes you can . But if you fail your last backup will be botched up .

      • Joaquim Barbosa

        Did your last backup get botched up Abhijeet?

      • Abhijeet Gupta

        Yep. I had two of them, one , an older one on 10.1.1 and another on 10.2 now it says your phone has never been backed up. ☹️

    • Joaquim Barbosa

      Yes, that is what the guide shows. Thanks!

  • Dexter SherloConan

    It seems that the directory changed into “tsschecker-master”.

    • Joaquim Barbosa

      tsschecker_macos? I’ve updated the guide to show that now, cheers!

  • :D

    There’s a new and easier script available. You just drag it into terminal and follow the prompts – takes 2 mins

    • Rahimo

      the link to the process please?

      • :D

        Hm it seems to have been removed
        I think it was called Mac short version or something but maybe there was something wrong with it – seemed to work fine for me but I redid it with the new tool just in case

  • jnx

    Please a video of this on iDB YouTube channel

  • craig

    im totally noob with this 🙁 im on windows 10 64bit (if that makes any difference) and i cant seem to get this to work, if anybody could help id greatly appreciate it

    • Joaquim Barbosa

      This guide is for Mac so that may be the problem, try following a Windows guide as it may be different. Also, without more information on why/how it’s not working, I can’t offer any suggestions. Thanks!

  • Jannomag

    I’m currently on 9.0.2 with my 6S and want to update to 10.1.1, when the jailbreak is out…Is this even possible?

    • Joaquim Barbosa

      Probably not, as 9.0.2 jailbreak doesn’t have the necessary functions. It *might* be possible in future, but probably not. If you really desperately want a 10.1.1 jailbreak, you might have to just take a chance and upgrade to 10.1.1 now before it goes unsigned and hope one comes out. But you’ll lose you 9.0.2 jailbreak. A tough one, it’s up to you. Hope this helps.

      • Jannomag

        Thanks for the replay. The problem is that I need my JB because I need to download and share for iOS unknown files via iFile/Filza. So I think I’ll have to sit another year on 9.0.2.

      • Joaquim Barbosa

        Hmm, yea, that’s tricky. You could jump to iOS 10.1.1 and wait without a jailbreak for a while, or else stay on iOS 9.0.2. You could look into using a third-party app like GoodReader 4 to accept the files instead, though I can’t guarantee it would work depending on what filetypes they are. Cheers!

      • Kevin Le

        I think I’m missing something here. So what is the purpose of saving the SHSH2 blob if it isn’t possible to downgrade (or yet at least)? Would it be possible with an iOS 9.3.3 jailbreak to do what @Jannomag is trying to do?

  • Natalie

    Yeah….. Not worth it. Jailbreaking has been one of those things that are cool to have but becoming more unneeded as time goes on. I’ll just wait for a Jailbreak on a FW that I’m actually on instead of messing around with downgrading and updating :/

    • dlxmax

      Good luck with that.

  • Successfully dump 4 .shsh2 from my iPhone SE on Windows 10. Looking forward to your downgrading tool!

    • Joaquim Barbosa

      Glad you got the blobs saved in time! Was the guide easy to follow even on Windows? Also, it’s not my downgrade tool, it’s tihmstar’s, but I’m looking forward to it too… Thanks for reading!

      • The commands on Windows CMD are a little different from those on Terminal, but I know how to run it. It may be a little difficult for those who are not good at computer, you can add a Windows version guide. (Run CMD in the tool’s folder you just unziped, then type “tsschecker_windows.exe /Users/USERNAME/Desktop/TSS/tsschecker_macos -d MODEL -e ECID -i 10.2 -s” Do it 4 times for 4 versions of iOS.)

    • Yazdan Khazeni

      Could you explain how did you do that please?
      I couldn’t save mine.

      • Run cmd in the tools folder you just unzip, then type “tsschecker_windows.exe /Users/USERNAME/Desktop/TSS/tsschecker_macos -d MODEL -e ECID -i 10.2 -s” Do it 4 times for 4 version of iOS.

  • Christopher Jazinski

    Anyone else getting this? [Error] [TSSC] ERROR: device “iPad6,7” is not in bbgcid.json, which means it’s BasebandGoldCertID isn’t documented yet.

    If you own such a device please consider contacting @tihmstar ( to get instructions how to contribute to this project.

    • Mark S

      I’m pretty sure everyone is getting the baseband error. The baseband isn’t relevant to what we are trying to do here according to tihmstar. Even the tutorial picture above has that error message.

    • Rafael Romero

      Yes im getting the same error on my iphone 6 plus, but it did generated the blobs, anybody, wll these blobs work?

    • Joaquim Barbosa

      It’s a weird one. I kept getting it at first, as you can see from the screenshot in my guide. But eventually I ran the commands and the error didn’t appear; I have no idea what changed. I think however that tihmstar has mentioned that the error is nothing to worry about anyway. Hope this helps.

  • Ninja Ass

    Does this work to save shsh for 32 bit devices ?

    • Joaquim Barbosa

      I think it works for 32-bit devices, let me know as I’d be interested to find out for sure! The blobs won’t work with Prometheus though when it’s released, but he may add 32-bit support to Prometheus later and then they would be useful, so it can’t hurt to save them. Cheers.

  • 7000rpm

    Dear: Joaquim Barbosa

    My issue after running the first line to download the iOS blob, terminal says there’s a folder on my desktop relating to the destination in the line we have to enter. So my command is basically spitting the information back at me. Not sure what to do from here.

    • Joaquim Barbosa

      I don’t quite understand the problem, I’m sorry. If you’re using version, the commands are slightly different. Check my post again as I updated the commands and see if that helps.

  • Rick Hart

    One of 10.1.1 didn’t work for me. Unable to parse or something to that effect. The 14b100 worked and the 14b150 didn’t. Is anyone else having this problem?

  • 7000rpm

    Joaquim Barbos

    I’m having the issue where command line says there’s a folder existing already which is the tss downloaded and extracted. My terminal keeps repeating my input which was the line to download the blobs. After each line I enter it says there’s a folder existing but it doesn’t download any blobs.

    • Joaquim Barbosa

      Hi 7000rpm, try my new guide posted just now, it might be easier and solve your problem. Thanks!

  • deep desai
    Try this…
    Best Easier way i found
    After above step u can download it as zip , or upload to google drive option…

    • Tom Mermul

      Well if that is legit, then this is so easy. IDB can you look into this?
      It worked well for me but are the blobs correct?

      • Mark S

        Why don’t you use both methods and then do a compare on the resulting files? That will give you your answer. If people would rather do this this difficult way so be it.

      • Tom Mermul

        The files look the same but i cant test their function

  • Navnik Shivadas

    Could you please help me to do it on Windows?

    • Francesco Suarez

      Ok on windows it’s easy
      One place a TSS folder in the root of the C:/ then follow the written instruction when it says tsschecker_macos(change it to macos to windows) than do everything whmith the ECID and Model etc and it should work then open command prompt and type cd C:/tss and then add the line tsschecker_windows …… and it should save the blobs shsh2 I did it and worked for all 4 shsh2

  • Slice

    For me appears an error: [Errir] [TSSC] parsing firmware.jason failed.
    what can I do

    • Rick Hart

      I’m on a Mac and 14b150 failed too. All the others worked though

  • Francesco Suarez

    Would the –apnonce work for any iPhone model ??? I have the shsh2 saved already but if doing the last part help me downgrade even more and securely I would do it 20 commands lol

    • Joaquim Barbosa

      It should work for any model yes. But you need to move your already saved blobs before doing the nonce ones or they will overwrite your already saved ones. You will want to keep all of them…

      • Francesco Suarez

        But I saved the iOS 10.2, 10.1.1(both) and 10.1 I have hem saved already but if the apnonce isn’t required I won’t do it

      • Joaquim Barbosa

        That should be enough. I saved with nonces too just to be safe but it shouldn’t matter. It may allow upgrades on iPhone 5S even with no jailbreak if you do nonces too, but no promises! If you do want nonces, use my new guide, it’s much faster. Cheers!

      • Francesco Suarez

        lol I just did the website and saved with the apnonce and without so I’m good now lol I have it in my pç and now on the web

  • Slice

    Have an iphone 7 256Gb

    • Francesco Suarez

      It works for every idevice out there

  • Noa Will

    Will this work for Appletv 4th gen

  • Francesco Suarez

    So when I got this iPhone I had it on 9.0 if this tool can downgrade with saved shsh2 can I save the 9.0 shsh2 so I can downgrade when I’m the tools comes out ??

    • Joaquim Barbosa

      Francesco, no you can’t. It is irrelevant what OS came on your phone, the only blobs you can save are the OS versions which Apple is signing now. At the moment, they are signing 10.1, 10.1.1 (two versions), and 10.2. These are the only versions you can save blobs for. If you save 10.1.1 blobs, you can UPGRADE when the tool comes out, if a jailbreak is released for 10.1.1, which it should be. Hope this helps!

  • Bugs Bunnay

    ooohh this is the first day of THIS Christmas. can’t wait for the second day to come! nyuk nyuk nyuk

  • Chris Ryan

    wow, this is complicated, nothing works as it says it should in this tutorial, could we see a more detailed video of this being done?!

    • Francesco Suarez

      Are you using mac or windows ???

    • Joaquim Barbosa

      Hi Chris, sorry you found it tough. Try my newer guide (posted just now), it uses a simpler method. Cheers.

      • Chris Ryan

        Hey thanks. Will try it out , I did end up using the website method that people had referred to, worked fine, but just incase I will try this new method as well

  • Francesco Suarez

    I couldn’t save the iOS 9.0 🙁

    • Joaquim Barbosa

      Yes, you can’t save iOS because it’s not saved, sorry. Only 10.1-10.2.

  • Joaquim Barbosa

    Try my new guide, posted just now, it might be easier and solve your problem. Thanks!

  • jbdx

    I saved my 10.1.1 shsh2 for my 6s but I didn’t put one of those apnonce codes at the end of the command, the command I typed just ended in ‘no cache’ or something. TSS checker website says that they are valid (Rosi tag found)
    Are mine ok?

  • why i always get Permission denied error?

  • WarrenCooper

    A question to Joaquim Barbosa….
    What is the number for the nonces you mentioned in step 13???

    Are these numbers the so called “UniqueDeviceID” Number?
    I found such a number with 40 digits.
    Does it make sense, to use the 5 numbers you mentioned above? Really?

    Please explain…

  • André Bezerra

    Is that work for Apple TV 4th?