*** Welcome to piglix ***

SHSH blob


Apple only allows the latest version of iOS to be installed on any iOS device. This process is controlled by the TATSU ("TSS") Signing Server (gs.apple.com) where updates and restores can only be completed by iTunes if the version of iOS is being signed. A SHSH blob is a term for a small piece of data that is part of Apple's digital signature protocol for iOS restores and updates, designed to control the iOS versions that users can install on their iOS devices (iPhones, iPads, iPod touches, and Apple TVs), generally only allowing the newest iOS version to be installable. Developers interested in iOS jailbreaking have made tools for working around this signature system in order to install jailbreakable older iOS versions that are no longer being signed by Apple.

"SHSH blobs" (also called "ECID SHSH") is an unofficial term referring to the digital signatures that Apple generates and uses to personalize IPSW (iOS firmware) files for each device; they are part of Apple's protocol designed to ensure that trusted software is installed on the device. Apple's public name for this process is System Software Personalization (System Software Authorization as of iOS 7+).

SHSH blobs are created by a hashing formula that has multiple keys, including the device type, the iOS version being signed, and the device's ECID (a unique identification number embedded in its hardware). When Apple wishes to restrict users' ability to restore their devices to a particular iOS version, Apple can refuse to generate this hash during the restore attempt, and the restore will not be successful (or at least will require bypassing the intended function of the system).

This protocol is part of iPhone 3GS and later devices.

When iTunes restores or updates an iOS firmware, Apple has added many checkpoints before the iOS version is installed and on-device consolidation begins. At the first "Verifying iPhone software" iTunes communicates with "gs.apple.com" to verify that the IPSW file provided is still being signed. The TATSU server will give back a list of versions being signed if the version is not being signed, then iBec and iBoot will decline the image, giving an error of "error 3194" or "declined to authorize the image"


...
Wikipedia

...