Thursday, 22 December 2016

Are my shsh2/shsh files valid?

Note: I'm only referring to 64-bit devices/shsh2/shsh files in this post.

Hello everyone,
last week we had a lot of news about jailbreaking.
The main things were the iOS 10.1.1 exploits by Ian Beer, the upcoming iOS 10.1.1 jailbreak by @qwertyoruiop and of course a bunch of updates about prometheus.
Prometheus not only allows downgrading, but also upgrading your device to a version which is not signed by Apple anymore.
Since many people were already jailbroken on iOS 9 and didn't want to upgrade to iOS 10.1.1 and be without a jailbreak for an unknown time, they were looking into using prometheus for updating to 10.1.1 once the jailbreak is stable.
To prepare for the upgrade using prometheus, shsh2 files needed to be saved while 10.1.1 was still signed. (Right now 10.1.1 is not signed anymore.)
A lot of tools and wrappers around tsschecker were released which were meant to make saving shsh2 files easy for everyone. I'm totally fine with that; I don't mind if anyone makes a fancy GUI around tsschecker which makes saving shsh2 files easy for non-tech people. Though you should keep in mind that if a dev messes up anything, there is a chance you can't use these shsh2 files. I can't and won't give support for anything but tsschecker, so please don't ask me what error X means in tool Y and whether it worked or not.
That being said, let me try to answer the most common questions:

Q: I get this error in tsschecker, does that mean saving blobs failed?

[Error] [TSSC] ERROR: device "iPhone8,2" is not in bbgcid.json, which means it's BasebandGoldCertID isn't documented yet.
If you own such a device please consider contacting @tihmstar ( to get instructions how to contribute to this project.
[TSSR] WARNING: there was an error getting BasebandGoldCertID, continuing without requesting Baseband ticket

A: No, everything is fine. This error tells you that your BasebandGoldCertID is not documented. This means tsschecker can't save a baseband ticket. When I started tsschecker I wanted to make a tool to actually check signing status, as well as to send customizable requests to the TSS server to see what it responds. Later I figured that saving the ticket is a handy feature, so I implemented that too. A baseband ticket cannot be used for anything useful at the moment. It is not needed for prometheus, so if you care about using these blobs for prometheus, you can safely ignore this.

Q: I saved a bunch of shsh2 files using some scripts which gave me a bunch of folders. Do I need all of them or can I delete all but one?
A: You should never delete blobs you got! I didn't look at all those scripts and I don't know what exactly they are saving, but it's better to have saved more blobs than you need than to regret having deleted the only blob you really need.

Q: I saved shsh files with savethemblobs, or some other tool. Are they valid? Can I still use them for prometheus?
A: I'll explain in a sec how to check if shsh files are valid.
Can they be used with prometheus?
Short: No
Long: Well, it depends. Prometheus needs to make your phone somehow regenerate the nonce inside the APTicket (shsh file) to be able to accept it. There are two ways of doing this:
1. Write the generator for that nonce to NVRAM using a jailbreak + nonceEnabler.
2. Reboot your phone until it regenerates that nonce. This only works if you picked one of the nonces which are generated really, really often and purposely requested a ticket for it. If you don't know what that means, you probably didn't do it and can't use this method. Also, tsschecker is the only tool I know of where you can manually specify an APNonce you want a ticket for.
For the first method you need to know the generator for the nonce. It is not possible to calculate a generator from a nonce; you can only calculate a nonce based on a generator. What tsschecker does is choose a random generator, derive a nonce from that and request a ticket. Then both are saved inside the shsh2 file. This is also the reason why the generator is not saved when you manually specify an APNonce to get a ticket for.

Q: What's the difference between shsh2 and shsh files?
A: As seen in the answer to the previous question, shsh2 additionally saves the generator (if possible), whereas shsh does not. Besides that, the files are identical.

Are my shsh files valid? Can they be used for prometheus?
The first answer I gave to this question was "yes". I was thinking that the only thing someone could mess up is either something with the ECID or the APNonce. In case the user entered the wrong ECID, the device would simply not accept the ticket. In that case you could still exit recovery and boot up normally (and wouldn't lose your jailbreak in case you're jailbroken). If the user messed up something with the generator or the APNonce, the device would also reject the ticket. Again, you'd still be able to exit recovery and wouldn't lose your jailbreak.

Now this all does apply to iOS 9 and below, but iOS 10 is a bit different.
With iOS 10, Apple, being a dick, changed stuff in APTickets. A new element called "OS" was introduced and included inside the tssrequest.

It's the hash of the filesystem being restored (or something like this), which is now also included in the APTicket.
The problem here is that even if the TSS request does not include the "OS" tag, the server would still return an APTicket, just without the OS hash.
You get an APTicket response and think you're fine, right? Nope!
When trying to restore with that APTicket the device tries to validate the filesystem hash inside the APTicket, but fails because it can't find any. Unfortunately this happens after the disk has been wiped and formatted, so if the restore fails at that point you end up with no filesystem. This means there is nothing to boot except recovery, which means you need to perform a clean restore (updating to the latest signed version).

I remember tsschecker had a bug where it would get you a ticket without the OS tag, but that was fixed a long time ago with tsschecker 1.0.4. You can take a look at the changes here
Also, 1.0.5 fixed a bug where the generator wasn't saved, so you're fine if you used tsschecker 1.0.5 or later.
If you recently saved your shsh2 files with tsschecker you're probably fine; if you look closely, tsschecker 1.0.5 was released on 29 Sep. That's the story with tsschecker, but I don't know if the other tools were also updated to include OS in their requests.

But how do I know if the OS tag was included in my APTicket or not?
Well, img4tool comes to the rescue!
But until I have fully implemented the --verify option (nonexistent at the time of writing) to check everything I want to be checked, you need to verify manually.

Let's take a look at an iOS 10.2 ticket with "img4tool -a -s my_10.2_ticket.shsh2"
(Note: use -a to see all entries of the manifest inside the ticket)

When using -a you get a bunch of these lines. I checked my tickets, and those which were requested with OS have the "rosi" tag, whereas those which were requested without OS don't have that tag.

So do I simply check for that tag to be inside my shsh2 file?
I guess yes.
If you can't find that tag inside your shsh2 file, your files are invalid and a restore will probably fail.
If you see that tag inside your shsh2 file, then your files are probably fine.
I can't guarantee that your restore won't fail, but this is the best I can come up with.
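
The manual check described above (look for the "rosi" tag in the ticket) can be scripted; this is an added example, not part of the original post and not code from img4tool or tsschecker. It assumes the shsh2 file is a plist holding the DER-encoded ticket under ApImg4Ticket and the generator under generator, and that tag names appear as 4-character IA5Strings; the function names are hypothetical and the sample file is constructed.

```python
import plistlib

def ia5_tags(der: bytes) -> set:
    """Walk DER elements and collect every 4-character IA5String (tag name)."""
    found, i = set(), 0
    while i < len(der):
        first = der[i]; i += 1
        if first & 0x1F == 0x1F:             # high-tag-number form
            while der[i] & 0x80:
                i += 1
            i += 1
        length = der[i]; i += 1
        if length & 0x80:                    # long-form length
            n = length & 0x7F
            length = int.from_bytes(der[i:i + n], "big"); i += n
        value = der[i:i + length]; i += length
        if len(value) != length:
            raise ValueError("truncated DER element")
        if first & 0x20:                     # constructed: descend
            found |= ia5_tags(value)
        elif first == 0x16 and length == 4:  # IA5String
            found.add(value.decode("ascii", "replace"))
    return found

def check_shsh2(raw: bytes) -> dict:
    """Report whether the ticket parses, carries 'rosi', and has a generator."""
    plist = plistlib.loads(raw)
    try:                                     # key names are assumptions
        tags = ia5_tags(plist["ApImg4Ticket"])
    except (KeyError, TypeError, IndexError, ValueError):
        tags = set()                         # ticket missing or not valid DER
    return {"has_ticket": "IM4M" in tags, "has_rosi": "rosi" in tags,
            "generator": plist.get("generator")}

def _tlv(tag: bytes, body: bytes) -> bytes:
    return tag + bytes([len(body)]) + body   # short-form length (<128) only

def sample_shsh2(with_os: bool) -> bytes:
    """Constructed toy file for the demo; not a real APTicket."""
    def prop(name):  # [private tag] SEQUENCE { IA5String name, SET {} }
        n = int.from_bytes(name, "big")
        tag = b"\xff" + bytes((n >> s) & 0x7F | (0x80 if s else 0) for s in (28, 21, 14, 7, 0))
        return _tlv(tag, _tlv(b"\x30", _tlv(b"\x16", name) + _tlv(b"\x31", b"")))
    props = prop(b"ibot") + (prop(b"rosi") if with_os else b"")
    manb = _tlv(b"\x30", _tlv(b"\x16", b"MANB") + _tlv(b"\x31", props))
    body = _tlv(b"\x16", b"IM4M") + _tlv(b"\x02", b"\x00") + _tlv(b"\x31", manb)
    return plistlib.dumps({"ApImg4Ticket": _tlv(b"\x30", body),
                           "generator": "0x1111111111111111"})
```

On a real file, pass the bytes read from the .shsh2 file to check_shsh2; a true has_rosi only confirms the tag is present, not that the ticket's signature or digests are valid.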

I would recommend to everyone who is planning to use prometheus:
Don't rush the restore and wait for someone to verify it's working. I know there are a lot of people who can't wait and want to be beta testers, but if you're not one of those people you should wait a few days and see how the beta testers are doing. It is not likely that the restore will fail if your APTicket is valid (it worked for me several times), but it's also not impossible that there is some bug.
In case there are any bugs in prometheus I can try to fix them, and if you don't all rush into restoring at once, it's more likely that possible bugs are found before you attempt to restore.

I hope this post cleared up a bit more confusion than it caused.
If you have questions, send me a tweet or ask in /r/jailbreak



  1. Is 3utools fine for saving the shsh?