A while back we broke the story of a bug which was allowing restores to iOS 9 firmwares, without even needing a jailbreak. It was subsequently discovered that the bug was more far-reaching than originally thought, allowing restores to iOS 9.x from any firmware, not just from iOS 9.

The tool was released a week or so ago, and so we thought the time was right for a tutorial. Follow our instructions here to bring any 32-bit device back to any iOS 9.x firmware you have blobs for, from any starting firmware. No keys, bundles, nonces, or jailbreak required!

Before we begin, let’s go over the ground rules. As ever, there are some restrictions and requirements which dictate whether or not this will work for you.

Requirements

  • iDeviceReRestore, from the official page.
  • A Mac or Linux computer, or a PC with a Mac/Linux VM.
  • The IPSW for your iOS 9.x destination firmware.
  • Your saved .shsh blob file for your iOS 9.x destination firmware.
  • 32-bit devices only.
  • Destination firmware must be iOS 9.x.
  • Starting firmware can be any.
  • Starting firmware does not require a jailbreak.
  • Process requires blobs for the destination firmware.
  • The blobs have specific requirements:
    • They cannot be OTA blobs.
    • They can be Erase or Update blobs, but not all of them work.
    • If they begin with the string MIIKkj, they are definitely fine. Open them up in a text editor to see the opening string. If they do not, they may also be fine, but will need checking to make sure. Use this checker if you’re unsure.
    • They must have been saved without a nonce.
  • The blobs must have a separate iBSS ticket to be used for DFU restores (moving to iOS 9.x from a firmware other than iOS 9.x). If they don’t, they can only be used for iOS 9.x – iOS 9.x restores. Open them up to look for the iBSS section.

How to downgrade to iOS 9.x

1) Download the iDeviceReRestore .zip and expand it. Rename the expanded folder to iDeviceReRestore and place it on your Desktop.

2) Place your downloaded IPSW loose into the iDeviceReRestore folder.

3) Place your iOS 9.x .shsh blob into /iDeviceReRestore/shsh.

4) Rename your IPSW to something simple. I renamed my iOS 9.3.4 IPSW to 934.ipsw. This step is optional, but makes things easier.

5) Rename your .shsh file to the form ECID-Model-Firmware.shsh. For example, mine was called 2588516246720-iPad2,1-9.3.4.shsh. Make sure the name uses dashes, not underscores, and that you remove the build ID from the filename if it has it.

6) The contents of my iDeviceReRestore folder now look as below:

7) Connect your device to your computer, and put it into DFU mode. If you don’t know how, take a look at this. When it’s in DFU mode iTunes will report it as in Recovery Mode, but the screen will be black rather than showing the “Connect to iTunes” graphic.

8) If iTunes launches and reports this, click OK, and then quit iTunes. Do not click Restore, Update, or anything else in iTunes.

9) Launch Terminal from /Applications/Utilities, or via Spotlight.

10) At the prompt, type cd and then drag your iDeviceReRestore folder onto the Terminal window, as shown below. Hit Enter to set Terminal to our chosen directory.

11) We’re ready to go! Enter the following command to run iDeviceReRestore:

./idevicererestore -r YOUR-IPSW-NAME.ipsw

Replace YOUR-IPSW-NAME with the name of your IPSW from Step 4. For example, my IPSW was called 934.ipsw, so my entire command looked as in the picture below:

Let the tool do its thing. It will exploit the re-restore bug to push your chosen iOS 9.x firmware to the device. With the help of your .shsh blob, the device will accept it, and a normal restore will begin. The output will look roughly as below. You’ll know when it’s finished, as Terminal will report DONE, and your iOS device will reboot to the setup screens.

Fin. You can now jailbreak with Pangu, or Home Depot, depending on which firmware you’ve restored back to. Enjoy your jailbreak! If you ever get into trouble and need to restore, just use this bug again; you’ll always be able to return to iOS 9 from now on, as long as you keep your iOS 9.x blobs.

Let me know if you have any difficulties or success stories, and good luck!
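
The blob requirements and the Step 5 filename can be checked before Step 11 is run. The script below is an added example, not part of iDeviceReRestore or of the original tutorial; it assumes the .shsh file is a property list that stores the ticket under the key APTicket and the iBSS ticket under iBSS, and it does not cover the OTA or nonce requirements.

```python
import base64
import plistlib
import re

GOOD_PREFIX = "MIIKkj"  # opening string the tutorial calls "definitely fine"
NAME_RE = re.compile(
    r"^(?P<ecid>\d+)[-_](?P<model>[A-Za-z]+\d+,\d+)[-_]"
    r"(?P<version>\d+(?:\.\d+)+)(?:[-_][0-9A-Za-z]+)?\.shsh$"
)


def expected_name(filename):
    """Step 5 form ECID-Model-Firmware.shsh: dashes only, build ID dropped."""
    m = NAME_RE.match(filename)
    return "{ecid}-{model}-{version}.shsh".format(**m.groupdict()) if m else None


def inspect_blob(raw):
    """Run the by-inspection checks from the requirements list on one blob."""
    blob = plistlib.loads(raw)
    ticket = blob.get("APTicket")  # assumed key name
    report = {
        "has_apticket": isinstance(ticket, bytes) and len(ticket) > 4,
        "prefix": None,
        "der_length_ok": False,
        "has_ibss": bool(blob.get("iBSS")),  # assumed key name
    }
    if report["has_apticket"]:
        # What a text editor shows is base64; its first six characters
        # are fixed by the first 4.5 bytes of the decoded ticket.
        report["prefix"] = base64.b64encode(ticket[:6]).decode()[:6]
        # 30 82 hh ll is a DER SEQUENCE header with a two-byte length, so a
        # truncated or concatenated ticket shows up as a length mismatch.
        if ticket[:2] == b"\x30\x82":
            declared = int.from_bytes(ticket[2:4], "big") + 4
            report["der_length_ok"] = declared == len(ticket)
    return report


def verdict(report):
    """Map a report onto the outcomes the tutorial describes."""
    if not report["has_apticket"]:
        return "no APTicket entry"
    ticket = "prefix ok" if report["prefix"] == GOOD_PREFIX else "run the checker"
    scope = "DFU restores" if report["has_ibss"] else "iOS 9.x to iOS 9.x only"
    return f"{ticket}; {scope}"


def constructed_blob(with_ibss=True):
    """Constructed sample, not a real blob: DER header plus zero padding."""
    entries = {"APTicket": bytes([0x30, 0x82, 0x0A, 0x92, 0x30]) + bytes(2705)}
    if with_ibss:
        entries["iBSS"] = {"Blob": b"constructed"}
    return plistlib.dumps(entries)


if __name__ == "__main__":
    print(expected_name("421075964786_iPad3,4_9.2.1-13D15.shsh"))
    for sample in (constructed_blob(), constructed_blob(with_ibss=False)):
        print(verdict(inspect_blob(sample)))
```

For a real file, pass the bytes read from the .shsh file to inspect_blob instead of the constructed sample.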

  • DanielRojass

    So without blobs I’m out of luck? I cannot get someone else’s blobs, or do they save on backups? I’m a little lost with this whole blobs thing.

    • No, blobs are unique to your device, if you never saved then there is absolutely nothing you can do, start saving them from now onwards for possible future use.

      • Barrie Gould

        So a blob is a backup?

      • It’s more like a token that has to be backed up to be used after a signing window has closed. It contains Apple’s digital signature protocol for iOS restores and updates.

      • Barrie Gould

        And how do you find the blobs?

      • Use an online tool called “TSSSaver”

  • JF

    Why would you downgrade!?!

    I missed the last 2 windows to upgrade from 9.0.2 to an iOS version that was jailbreakable.

    Unless you decide voluntarily to kiss your jailbreak goodbye, how can you have a blob of a firmware unless you upgrade your device…

    I was not willing to lose an untethered jb for a maybe jb to come!!

    If I recall, 9.3.4 was no longer signed when the Pangu jb came out, Apple had already updated to 9.3.5?? So unless you update your device with no confirmation of a jb… You can’t have a fw blob!

    I would like to update to 9.3.4 or 10.2 and have all the new features, but I can’t, and updating my device to 10.2.1 and losing the jb that I have… No thank you!!

    • Joaquim Barbosa

      I’ve said this many times, you don’t need to upgrade your device to get the blobs. You can save blobs for any currently signed firmware, regardless of the firmware on your device. And people might want to downgrade precisely to get an untethered jailbreak like 9.0.2. This will let them do that.

      • johnlegarcon

        My iPhone 5 is on 8.4 JB , can I use this guide to get to 9.02 ?

      • Joaquim Barbosa

        That’s what the guide is about, did you read it to see if you can? It has a list of everything you need, blobs etc…

      • johnlegarcon

        I read it on the go half way through , so I was hoping for a quick yes or no , thank you in advance, sorry I’m on the move !

      • johnlegarcon

        As I said I’m on 8.4 no “blobs for any currently signed firmware”

      • Joaquim Barbosa

        I’m not sure you did say you didn’t have blobs? I can’t see it anywhere… And if you have no blobs for 9.x you can’t use this tool unfortunately.

      • johnlegarcon

        Thank you , I was quoting you on the blobs , the specific device was never updated to iOS 9 , my bad !

      • Joaquim Barbosa

        You don’t have to update to iOS 9 to save blobs for iOS 9, you just have to save them when iOS 9 was signed, even if you were still on 8.4. Unfortunately, it’s too late now because iOS 9 is not signed. But you can save blobs for iOS 10.3.1 and iOS 10.3.2 and all future versions if you like…

      • johnlegarcon

        Ok , it finally comes to place now, thanks again , a shame I got this phone last Xmas so it was too late to save iOS 9 blobs already!

      • Joaquim Barbosa

        Ah cool, in theory, yes you can. But you need blobs for 9.0.2 to go to it.

  • mmht

    can i use shsh blobs for cydia server?

    • Joaquim Barbosa

      If Cydia saved your blobs then yes, you can use them. Check they’re valid first.

      • mmht

        how can i check ?

    • Mustafa Içten

      I remotely and locally saved 9.2.1 blobs from cydia by ifaith. Here is the successful restore message:
      NOTE: using cached version data
      Found device in DFU mode
      Identified device as p101ap, iPad3,4
      Extracting BuildManifest from IPSW
      Product Version: 9.2.1
      Product Build: 13D15 Major: 13
      Device supports Image4: false
      Variant: Customer Erase Install (IPSW)
      This restore will erase your device data.
      Found ECID 421075964786
      Getting ApNonce in dfu mode… 7b eb f2 59 c3 ae a5 cd 39 c8 97 78 44 31 96 fc 8b 9c 47 e9
      checking for local shsh
      no local file shsh/421075964786-iPad3,4-9.2.1.shsh
      No local blobs found, checking Cydia TSS server for SHSH blobs
      Getting SepNonce in dfu mode…
      WARNING: Unable to find BbChipID node
      WARNING: Unable to find BbSkeyId node
      Sending TSS request attempt 1… response successfully received
      Received SHSH blobs
      Using cached filesystem from ‘iPad3,4_9.2.1_13D15_Restore/058-32425-015.dmg’
      Extracting iBSS.p101.RELEASE.dfu…
      Personalizing IMG3 component iBSS…
      reconstructed size: 84518
      Sending iBSS (84518 bytes)…
      Nonce: 7b eb f2 59 c3 ae a5 cd 39 c8 97 78 44 31 96 fc 8b 9c 47 e9
      Extracting iBEC.p101.RELEASE.dfu…
      Not personalizing component iBEC…
      Sending iBEC (293964 bytes)…
      INFO: device serial number is DMPL90A4F183
      Device: iPad3,4
      Getting ApNonce in recovery mode… 7b eb f2 59 c3 ae a5 cd 39 c8 97 78 44 31 96 fc 8b 9c 47 e9
      Sending APTicket (2717 bytes)
      Recovery Mode Environment:
      iBoot build-version=iBoot-2817.20.26
      iBoot build-style=RELEASE
      Sending RestoreLogo…
      Extracting applelogo@2x~ipad.s5l8955x.img3…
      Not personalizing component RestoreLogo…
      Sending RestoreLogo (17868 bytes)…
      ramdisk-size=0x4000000
      Extracting 058-32031-015.dmg…
      Not personalizing component RestoreRamDisk…
      Sending RestoreRamDisk (20381964 bytes)…
      Extracting DeviceTree.p101ap.img3…
      Not personalizing component RestoreDeviceTree…
      Sending RestoreDeviceTree (83404 bytes)…
      Extracting kernelcache.release.p101…
      Not personalizing component RestoreKernelCache…
      Sending RestoreKernelCache (10538188 bytes)…
      About to restore device…
      Waiting for device…
      Device 0e5b117039cccf99175266aaaf1e28f2b3ffb407 is now connected in restore mode…
      Connecting now…
      Connected to com.apple.mobile.restored, version 13
      Device 0e5b117039cccf99175266aaaf1e28f2b3ffb407 has successfully entered restore mode
      Hardware Information:
      BoardID: 0
      ChipID: 35157
      UniqueChipID: 421075964786
      ProductionMode: true
      Starting FDR listener thread
      ERROR: Unable to connect to FDR client (-2)
      ERROR: Failed to start FDR Ctrl channel
      About to send RootTicket…
      Sending RootTicket now…
      Done sending RootTicket
      Waiting for NAND (28)
      Unmounting filesystems (29)
      Unmounting filesystems (29)
      Creating partition map (11)
      Creating filesystem (12)
      Creating filesystem (12)
      Mounting filesystems (16)
      Mounting filesystems (16)
      Unmounting filesystems (29)
      Unmounting filesystems (29)
      About to send filesystem…
      Connected to ASR
      Validating the filesystem
      Filesystem validated
      Sending filesystem now…
      Done sending filesystem
      Verifying restore (14)
      Mounting filesystems (16)
      Mounting filesystems (16)
      About to send KernelCache…
      Extracting kernelcache.release.p101…
      Not personalizing component KernelCache…
      Sending KernelCache now…
      Done sending KernelCache
      Installing kernelcache (27)
      About to send NORData…
      Found firmware path Firmware/all_flash/all_flash.p101ap.production
      Getting firmware manifest from Firmware/all_flash/all_flash.p101ap.production/manifest
      Extracting LLB.p101.RELEASE.img3…
      Personalizing IMG3 component LLB…
      reconstructed size: 154150
      Extracting iBoot.p101.RELEASE.img3…
      Not personalizing component iBoot…
      Extracting DeviceTree.p101ap.img3…
      Not personalizing component DeviceTree…
      Extracting applelogo@2x~ipad.s5l8955x.img3…
      Not personalizing component AppleLogo…
      Extracting recoverymode@2x~ipad-lightning.s5l8955x.img3…
      Not personalizing component RecoveryMode…
      Extracting batterylow0@2x~ipad.s5l8955x.img3…
      Not personalizing component BatteryLow0…
      Extracting batterylow1@2x~ipad.s5l8955x.img3…
      Not personalizing component BatteryLow1…
      Extracting batterycharging0@2x~ipad.s5l8955x.img3…
      Not personalizing component BatteryCharging0…
      Extracting batterycharging1@2x~ipad.s5l8955x.img3…
      Not personalizing component BatteryCharging1…
      Extracting glyphplugin@2x~ipad-lightning.s5l8955x.img3…
      Not personalizing component BatteryPlugin…
      Extracting batteryfull@2x~ipad.s5l8955x.img3…
      Not personalizing component BatteryFull…
      Sending NORData now…
      Done sending NORData
      Flashing firmware (18)
      Updating gas gauge software (46)
      Updating gas gauge software (46)
      Fixing up /var (17)
      Creating system key bag (49)
      Modifying persistent boot-args (25)
      Resizing system partition (51)
      Unmounting filesystems (29)
      Unmounting filesystems (29)
      Got status message
      Status: Restore Finished
      Cleaning up…
      DONE

  • Mariano Martinez

    Which iPhones are 32-bit? How can I tell if my iPhone is 32 or 64?

    • Ramon

      iPhone 5S and later are 64bit

  • ivish

    Are iOS 8 blobs valuable? And how do I check or verify blobs? I don’t know what to do with the apticket checker. Please help.

    • Joaquim Barbosa

      All blobs are valuable, keep them. You can’t use them with this tool, but you might be able to with another tool like Odysseus, or another one in future.

  • Melo

    I wish I could boot 8.4.1 on my iPhone 6 to make it fast again

  • Fumetasing

    I have saved all the blobs with TinyUmbrella but I can’t use them.
    I always have an error.
    Anyone has used this blobs successfully?

    • Joaquim Barbosa

      This part should tell you if the blobs are good. In future, use savethemblobs instead of Tiny Umbrella, which hasn’t worked for a while.

      “The blobs have specific requirements.

      They cannot be OTA blobs.

      They can be Erase or Update blobs, but not all of them work.

      If they begin with the string MIIKkj, they are definitely fine. Open them up in a text editor to see the opening string. If they do not, they may also be fine, but will need checking to make sure. Use this checker if you’re unsure.

      They must have been saved without a nonce.

      The blobs must have a separate iBSS ticket to be used for DFU restores (moving to iOS 9.x from a firmware other than iOS 9.x). If they don’t, they can only be used for iOS 9.x – iOS 9.x restores. Open them up to look for the iBSS section.”

      Cheers

      • Fumetasing

        Thanks for your answer..

        I have all blobs for all versions from iOS 8.2 to 9.3.5. Some of them are OTA blobs but there are 5 versions of iOS 9.x that are Erase and/or Update.
        All of them begin with the string MIIKkj but TinyUmbrella saves all of them in one file and does not separate them per firmware, which I think is the problem.

        I also tried SHSHaker-beta-0.2.3-mac to separate blobs but I also have an error.

        Can anyone help me?
        It’s an iPad 3 now on 9.3.5 upgraded from 8.4

        Thanks!

      • Joaquim Barbosa

        It sounds like in theory you are in luck! It seems you have many valid blobs. You just need to find a guide for making tiny umbrella blobs acceptable to idevicererestore. I’ll see if I can find anything…

      • Fumetasing

        Hi, I think I go one step away.
        My model is an iPad 3 GSM and I am pasting the error in case anyone can help me.
        I can see the problem now is the ApTicket, how can I solve this?

        MacBook-Pro-i7:iDeviceReRestore-1 fumetasing$ ./idevicererestore -r 933.ipsw
        NOTE: using cached version data
        Found device in Recovery mode
        Identified device as j2aap, iPad3,3
        Extracting BuildManifest from IPSW
        Product Version: 9.3.3
        Product Build: 13G34 Major: 13
        INFO: device serial number is XXXXH50JDVGJ
        Device supports Image4: false
        Variant: Customer Erase Install (IPSW)
        This restore will erase your device data.
        Found ECID XXXXX21883402
        Getting ApNonce in recovery mode… XX c1 XX 84 cb 28 74 50 XX d0 ab 46 XX a8 00 99 ee 9d ce e1
        checking for local shsh
        Using local SHSH
        Extracting filesystem from IPSW
        [==================================================] 100.0%
        ERROR: Unable to get ApTicket from TSS request
        WARNING: Unable to send APTicket
        Extracting iBEC.j2a.RELEASE.dfu…
        Not personalizing component iBEC…
        Sending iBEC (291212 bytes)…
        Device: iPad3,3
        Getting ApNonce in recovery mode… a9 XX d9 84 cb XX 74 50 d7 XX ab 46 ae a8 XX 99 ee 9d ce e1
        ERROR: Unable to get ApTicket from TSS request
        ERROR: Unable to send APTicket
        ERROR: Unable to place device into restore mode

        I have replaced some things with XX.

        Thanks!!!

      • Mustafa Içten

        your blob hasn’t got apticket entry. TRY WITH WINDOWS SAME ERROR.

      • Mustafa Içten

        HOW MANY kbs are there in your shsh blob?

      • Fumetasing

        Hi, it’s 66KB

      • Mustafa Içten

        My blobs are smaller than yours.

      • Fumetasing

        But I have a lot of them in one file. Are you able to separate them?

      • Mustafa Içten

        No

      • Fumetasing

        Me too.
        Have you downgraded any device successfully?

  • rcfaro

    Hi, I have an iPhone 5s with iOS 10.3.2, can I downgrade to iOS 9.x.x? What is “Your saved .shsh blob file for your iOS 9.x destination firmware”? Do I need this to restore?

  • buzunser

    It works, downgraded my iPhone 4s from iOS 9.3.5 to iOS 9.3.1, yes!!!!!!!!!!

  • Peter Peterchen

    I tried to restore/upgrade my jailbroken iPad 2 (2,1) from 7.1.2 to 9.1 following this guide. I split the single TinyUmbrella SHSH file with the extract-packed-shsh script. Then I checked it with the apticket-nonce-checker script. It tells me, blob has no nonce, nothing else. They start with MIIKlTALB and have an APTicket, LLB, iBSS and iBEC section. When I tried to use idevicererestore it started working and then I got an error, implying that the local shsh file is not found. I then checked it and had to add the iOS version key (in my case 13B143) to the end of the filename. That’s missing in your tutorial. Unfortunately on the next try the next error appears and I’m stuck there right now:

    Sending APTicket (2713 bytes)
    [==================================================] 100.0%
    NOTE: Unable to find iBEC path in TSS entry
    NOTE: No path for component iBEC in TSS, will fetch from build_identity
    Extracting iBEC.k93.RELEASE.dfu…
    DEBUG: tss_response_get_data_by_key: No entry ‘ApImg4Ticket’ in TSS response
    Personalizing IMG3 component iBEC…
    Parsed TYPE element
    Parsed DATA elemen
    Parsed VERS element
    Parsed SEPO element
    Parsed CHIP element
    Parsed BORD element
    Parsed BORD element
    Parsed KBAG element
    Parsed KBAG element
    reconstructed size: 297498
    Sending iBEC (297498 bytes)…
    [==================================================] 100.0%
    Device: iPad2,1
    Segmentation fault: 11

    I read about this segmentation fault 11 concerning futurerestore but not the idevicererestore process. Is there anything I can do or are the blobs not working? Maybe I haven’t set up the dependencies for idevicererestore right?!?
    Thanks for help in advance!