Beginning with devices using an A12 SoC or higher, Apple introduced nonce entangling.
- This meant that, when saving SHSH blobs, a nonce generator would generate a different ApNonce for each device.
- When saving SHSH blobs for an A12+ device, you now must find a generator-ApNonce pair for your device, then use that generator-ApNonce pair when saving SHSH blobs.
- After you have found a generator-ApNonce pair for your device, you can save it and re-use it whenever you save SHSH blobs again.
- (iOS 14+ only) Install an iOS kernel r/w library.
- On Taurine, install
libkernrw
. - On unc0ver, install
libkrw
. - This is not required on jailbroken iOS devices running iOS 13 or below.
- On Taurine, install
- Install
TSS Saver
from 1Conan's repo. - Open the
TSS Saver
app and go to theGenerator
tab. - Copy your generator and write it down somewhere.
- This value should begin with
0x
, and is 18 characters long.
- This value should begin with
- Copy your ApNonce and write it down somewhere.
- This value should contain both numbers and letters.
- On A7-A9(X) devices, this is 40 characters long.
- On A10(x)+ devices, this is 64 characters long.
This requires a PC.
- Download, install, and run blobsaver for your OS.
- This can be downloaded from the GitHub releases page.
- Connect your iOS device to your PC.
- Click on the
Read from device
button next to theAPNonce
field. - On the prompt that comes up, click on
Unjailbroken
. - Your device will reboot into recovery mode multiple times while blobsaver retrieves a generator-ApNonce pair.
- If your device gets stuck in recovery mode, you can exit recovery mode from the
Help->Exit Recovery Mode...
menu.
- If your device gets stuck in recovery mode, you can exit recovery mode from the
- Copy your generator and write it down somewhere.
- This value should begin with
0x
, and is 18 characters long.
- This value should begin with
- Copy your ApNonce and write it down somewhere.
- This value should contain both numbers and letters.
- On A7-A9(X) devices, this is 40 characters long.
- On A10(x)+ devices, this is 64 characters long.
It does not work for unsigned versions?