iOS Downgrades: Blobs, SEP & Baseband Explained 2022



If you want to downgrade or upgrade to an unsigned iOS version, you’ll have to deal with a few terms that aren’t always self-explanatory. Although I have covered them in hundreds of videos on my channel, I will do my best to explain what each of them means here.

Jailbreaking frequently requires downgrading or upgrading to an unsigned iOS version. Because jailbreaks for the most recent signed versions of iOS are rare, the usual advice is to stay on an older version and delay updating until a jailbreak for your version is released.

Because security researchers publish their vulnerabilities or exploits only after a specified amount of time has passed since the vulnerability was addressed in a release firmware, jailbreaks for older iOS versions frequently become available. The average time frame is 90 days, but this is not always the case. As a result, earlier versions are more likely to include publicly known vulnerabilities that can be exploited to allow for a jailbreak.

When you try to update from an older unsigned version to a newer unsigned version (for example, from iOS 14.0 to iOS 15.1.1), or when you downgrade from the most recent signed version to an older one, things get a little more complicated.

These three terms are likely to come up:

1: SEP (Secure Enclave Processor)
2: Baseband
3: SHSH2 Blobs

You may also hear terms like NONCE, NONCE Setter, TSS, and so on. We’ll go over those as well.

IMPORTANT: In iOS firmware, every component is signed and the boot chain is trusted, which means that each component loaded at boot time checks the signature of the next one before loading it. This default behaviour is what forbids downgrades.


What is SEP (Secure Enclave Processor)?

SEP is a core on your phone’s SoC that handles Passcode, Touch ID, FaceID, ApplePay, and the encryption and decryption of user data, among other things. However, in terms of downgrading, SEP is a file contained within the IPSW (iOS installation file) that is installed alongside the rest when the iPhone is restored.

SEP must be compatible with the rest of the IPSW (firmware) components; otherwise, everything that relies on SEP will fail, and the phone will not be able to boot.

SEP compatibility is not straightforward. SEP, like any other component of the firmware, may change from one firmware to the next, but some changes are not large enough to break compatibility. The SEP, for example, is compatible with any version of iOS 14.0 through 15.4 on the iPhone 7 Plus. Because the differences between the SEPs are either nonexistent (unlikely) or too minor to compromise compatibility, you can use the SEP component of the iOS 15.4 IPSW to restore iOS 14.0.

However, if the modifications are significant enough, strange problems may arise. On the iPhone X, for example, the SEP of iOS 15.4 was practically backward compatible with previous versions, but enough modifications were made that using it to update or downgrade would have broken FaceID. FaceID is just one of the many services provided by SEP, so the changes were minor, but significant enough to cause problems.

On the iPhone 11, by contrast, the differences between the SEP of iOS 15.4 and the older ones were so extensive that the entire SEP was incompatible. Not only would restoring with it fail, but it would also break FaceID.

When downgrading or upgrading, you must use the SEP component of the latest signed firmware (or at least of a signed firmware). Check that this SEP is compatible with the version you want to downgrade to. For this reason, we maintain a compatibility chart on our website.

What is the Baseband?

The baseband is another component of iOS; it deals with the radio. It covers everything connected to your SIM card, as well as the regular carrier signal, calls and SMS. If something goes wrong with this chip or its firmware, the resulting problems range from the phone not starting up to dropped calls, lost signal, and even no service at all.


The baseband is a file within the IPSW firmware that, like SEP, may or may not be compatible across versions due to code changes.

IMPORTANT: A baseband chip is not found on all devices. Because WiFi-only models, such as iPad WiFi variants, lack such components, Baseband compatibility is not an issue on those devices. In general, anything with a SIM card also has a Baseband.

When you downgrade or upgrade to an unsigned iOS version, you use the baseband from a signed firmware (usually the latest), just as with SEP. That baseband may or may not be compatible, so check compatibility ahead of time, just as you would with SEP. You can check whether there are any Baseband concerns using our compatibility table.

Important takeaway: For the restore to succeed, both the SEP and Baseband components from one of the currently signed iOS versions must be compatible with the version you’re trying to restore. For instance, if iOS 15.4.1 is now the only signed version and I wish to update from iOS 14.0 to iOS 15.1.1, which is no longer signed, I’ll need to use iOS 15.4.1’s SEP and Baseband. iOS 15.4.1’s SEP + BB must be entirely compatible with iOS 15.1.1 for my restore to work.

What are the SHSH2 Blobs?

Every time you want to upgrade, downgrade, or restore to a specific iOS firmware (through IPSW or OTA), the device submits a request to TSS (Tatsu Signing Service), one of Apple’s servers that handles firmware signing. The server examines the request received from the device, verifies that it comes from a genuine device (Serial Number, Unique IDs, etc.), and then determines whether the iOS version you are attempting to restore to is currently signed.

1: If the version is signed by Apple, TSS will return a personalized response to the device. This response allows the device to install the firmware so the process begins.
2: If the version is no longer signed by Apple, TSS will instead return an error code and no personalized ticket. No personalized ticket means no restore.

Saving blobs or SHSH2 blobs (often with BlobSaver) entails sending a request to the server containing our device’s unique data and receiving a tailored response while the iOS version is still signed. However, rather than using this response straight away, we save it to a file.


This way, if Apple stops signing that version in the future, we won’t have to ask TSS for a response because we already have the old one from when it was still signed. So, during the restore, FutureRestore will use the previously saved SHSH2 file to imitate the TSS response to the device.

However, there is a catch. The Generator / NONCE is a random alphanumeric string generated by the device and sent to TSS. The response that comes back is tied to that particular generator. When you reboot your phone, the generator resets itself, which prevents you from using saved SHSH2 blobs.

Nonetheless, the community came together to form NONCE Setters.

What is a Nonce Setter?

Nonce Setters are iOS applications that change the NONCE / Generator set in the device’s NVRAM using a kernel hack. This allows the user to change the generator value to the value saved in their SHSH2 Blobs file.

This makes the previously saved TSS response (the SHSH2 blob) valid for the device again, allowing the restore to proceed.
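The exchange described above, from the TSS request to the generator check, can be followed in a toy model. This is an added example, not code from Apple, FutureRestore or the original article; the names (`tss_request`, `Device`, `nonce_for`), the hash that derives the nonce and the HMAC standing in for Apple's signature are assumptions of the model.

```python
import hashlib
import hmac
import os
from collections import namedtuple

# Constructed demo key: real tickets carry an asymmetric signature; an HMAC
# stands in here so the model needs only the standard library.
SERVER_KEY = b"constructed-demo-key"

# The fields a saved blob file preserves in this model.
Ticket = namedtuple("Ticket", "ecid version nonce sig")

def nonce_for(generator: int) -> bytes:
    """Model assumption: the nonce is a hash of the 64-bit generator."""
    return hashlib.sha384(generator.to_bytes(8, "little")).digest()[:32]

def _sign(ecid: int, version: str, nonce: bytes) -> bytes:
    msg = ecid.to_bytes(8, "big") + version.encode() + nonce
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

def tss_request(signed: set, ecid: int, version: str, nonce: bytes):
    """Server: personalise a ticket only while the version is signed."""
    if version not in signed:
        return None  # error code, no ticket, no restore
    return Ticket(ecid, version, nonce, _sign(ecid, version, nonce))

class Device:
    def __init__(self, ecid: int):
        self.ecid = ecid
        self.reboot()

    def reboot(self) -> None:
        self.generator = int.from_bytes(os.urandom(8), "little")

    def accepts(self, t, version: str) -> bool:
        """Device: ticket must match this ECID, version and current nonce."""
        if t is None or (t.ecid, t.version) != (self.ecid, version):
            return False
        fresh = hmac.compare_digest(t.nonce, nonce_for(self.generator))
        return fresh and hmac.compare_digest(t.sig, _sign(t.ecid, t.version, t.nonce))

def walkthrough() -> dict:
    dev, signed = Device(ecid=0x1234), {"15.4.1", "15.1.1"}  # constructed
    saved = tss_request(signed, dev.ecid, "15.1.1", nonce_for(dev.generator))
    out = {"while_signed": dev.accepts(saved, "15.1.1")}
    signed.discard("15.1.1")  # signing window closes
    dev.reboot()              # generator, and so the nonce, changes
    out["server_now"] = tss_request(signed, dev.ecid, "15.1.1", nonce_for(dev.generator))
    out["saved_after_reboot"] = dev.accepts(saved, "15.1.1")
    return out
```

`walkthrough()` shows the three outcomes in order: the ticket is accepted while the version is signed, the server returns nothing once signing stops, and the saved ticket is rejected after a reboot because the device's nonce no longer matches the one inside it.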

The hitch is that in order to leverage saved SHSH2 blobs, you’ll need a kernel vulnerability that can unlock and write to the NVRAM. If you’re updating from a previous, jailbroken firmware, this isn’t an issue. For example, if you update from iOS 13 to iOS 14 due to App compatibility, you’re jailbroken and can use Nonce Setters.

This is where Apple stops you if you try to downgrade from the latest firmware using SHSH2 blobs, and why most users believe SHSH2 blobs are useless. Your SHSH2 blobs will not work because you won’t have a Nonce Setter for the latest version, since there is likely no kernel exploit for it.


People frequently misunderstand SHSH2 blobs, leading to frustration and the belief that they are useless. To be clear, SHSH2 blobs are not intended to be used to upgrade from one version to another. If you’ve already made the mistake of updating to the latest version, you’re pretty much doomed for the next few months until there’s a signed lower version.

SHSH2 blobs are used to upgrade from an older jailbreak to a newer one for Application Support (for example, from iOS 14 to 15, or from iOS 12 to 14, etc.). They make it simple to upgrade to a newer jailbreakable iOS version, but they’re not a one-size-fits-all solution.
