A while back we broke the story of a bug which was allowing restores to iOS 9 firmwares, without even needing a jailbreak. It was subsequently discovered that the bug was more far-reaching than originally thought, allowing restores to iOS 9.x from any firmware, not just from iOS 9.

The tool was released a week or so ago, and so we thought the time was right for a tutorial. Follow our instructions here to bring any 32-bit device back to any iOS 9.x firmware you have blobs for, from any starting firmware. No keys, bundles, nonces, or jailbreak required!

Before we begin, let’s go over the ground rules. As ever, there are some restrictions and requirements which dictate whether or not this will work for you.

Requirements

  • iDeviceReRestore, from the official page.
  • A Mac or Linux computer, or a PC with a Mac/Linux VM.
  • The IPSW for your iOS 9.x destination firmware.
  • Your saved .shsh blob file for your iOS 9.x destination firmware.
  • 32-bit devices only.
  • Destination firmware must be iOS 9.x.
  • Starting firmware can be any.
  • Starting firmware does not require a jailbreak.
  • Process requires blobs for the destination firmware.
  • The blobs have specific requirements.
    They cannot be OTA blobs.
    They can be Erase or Update blobs, but not all of them work.
    If they begin with the string MIIKkj, they are definitely fine. Open them up in a text editor to see the opening string. If they do not, they may also be fine, but will need checking to make sure. Use this checker if you’re unsure.
    They must have been saved without a nonce.
  • The blobs must have a separate iBSS ticket to be used for DFU restores (moving to iOS 9.x from a firmware other than iOS 9.x). If they don’t, they can only be used for iOS 9.x – iOS 9.x restores. Open them up to look for the iBSS section.

How to downgrade to iOS 9.x

1) Download the iDeviceReRestore .zip and expand it. Rename the expanded folder to iDeviceReRestore and place it on your Desktop.

2) Place your downloaded IPSW loose into the iDeviceReRestore folder.

3) Place your iOS 9.x .shsh blob into /iDeviceReRestore/shsh.

4) Rename your IPSW to something simple. I renamed my iOS 9.3.4 IPSW to 934.ipsw. This step is optional, but makes things easier.

5) Rename your .shsh file to the form ECID-Model-Firmware.shsh. For example, mine was called 2588516246720-iPad2,1-9.3.4.shsh. Make sure the name uses dashes, not underscores, and that you remove the build ID from the filename if it has it.

6) The contents of my iDeviceReRestore folder now look as below:

7) Connect your device to your computer, and put it into DFU mode. If you don’t know how, take a look at this. When it’s in DFU mode iTunes will report it as in Recovery Mode, but the screen will be black rather than showing the “Connect to iTunes” graphic.

8) If iTunes launches and reports this, click OK, and then quit iTunes. Do not click Restore, Update, or anything else in iTunes.

9) Launch Terminal from /Applications/Utilities, or via Spotlight.

10) At the prompt, type cd and then drag your iDeviceReRestore folder onto the Terminal window, as shown below. Hit Enter to set Terminal to our chosen directory.

11) We’re ready to go! Enter the following command to run iDeviceReRestore:

./idevicererestore -r YOUR-IPSW-NAME.ipsw

Replace YOUR-IPSW-NAME with the name of your IPSW from Step 4. For example, my IPSW was called 934.ipsw, so my entire command looked as in the picture below:

Let the tool do its thing. It will exploit the re-restore bug to push your chosen iOS 9.x firmware to the device. With the help of your .shsh blob, the device will accept it, and a normal restore will begin. The output will look roughly as below. You’ll know when it’s finished, as Terminal will report DONE, and your iOS device will reboot to the setup screens.

Fin. You can now jailbreak with Pangu, or Home Depot, depending on which firmware you’ve restored back to. Enjoy your jailbreak! If you ever get into trouble and need to restore, just use this bug again; you’ll always be able to return to iOS 9 from now on, as long as you keep your iOS 9.x blobs.

Let me know if you have any difficulties or success stories, and good luck!

  • DanielRojass

    So with out blobs I’m out luck ? I can not get someone else’s blobs or do they save On back ups ? I’m a little lost with this whole blobs thing.

    • No, blobs are unique to your device, if you never saved then there is absolutely nothing you can do, start saving them from now onwards for possible future use.

      • Barrie Gould

        so a blobs is a backup ?

      • It’s more like a token that has to be backed up to be used after a signing window has closed. It contaigns Apple’s digital signature protocol for iOS restores and updates.

      • Barrie Gould

        and how do you find the blobs ?

      • Use an online tool called “TSSSaver”

  • JF

    Why would you downgrade !?!

    I miss the last 2 windows to upgrade from 9.0.2 to an iOS version that was jailbreakable.

    Unless you decide voluntary to kiss goodbye your jailbreak, who can you have blob of firmware unless you upgrade your device…

    I was not wiling to loose an untether jb for a maybe jb to come !!

    If I recall 9.3.4 was no longer signed when the Pangu jb came out, Apple already updated to 9.3.5 ?? So unless you update your device with no confirmation of a jb… You can’t have a fw blob!

    I would like to update to 9.3.4 ou 10.2 and have all the new features, but I can’t, and updating my device to 10.2.1 and loose the jb that I have… No thank you!!

    • Joaquim Barbosa

      I’ve said this many times, you don’t need to upgrade your device to get the blobs. You can save blobs for any currently signed firmware, regardless of the firmware on your device. And people might want to downgrade precisely to get an untethered jailbreak like 9.0.2. This will let them do that.

  • mmht

    can i use shsh blobs for cydia server?

    • Joaquim Barbosa

      If Cydia saved your blobs then yes, you can use them. Check they’re valid first.

      • mmht

        how can i check ?

  • Mariano Martinez

    Which iphones are 32bit? How ca i tell if my iphone is 32 or 64?

    • Ramon

      iPhone 5S and later are 64bit

  • ivish

    ios 8 blobs valuable? and how to check or verify blobs, dont know what to do with aptticket checker. please help.

  • Melo

    I wish I could boot 8.4.1 on my iPhone 6 to make it fast again

  • Fumetasing

    I have saved all the blobs with TinyUmbrella but I can’t use them.
    I always have an error.
    Anyone has used this blobs successfully?