For iOS 3 and 4, SHSH blobs were made of static keys (such as the device type, iOS version, and ECID), which meant that the SHSH blobs for a specific iOS version and device would be the same upon every restore. To subvert that system using a man-in-the-middle attack, server requests the unique SHSH blobs from Apple for the jailbroken device and caches those SHSH blobs on servers, so that if a user changes the hosts file on a computer to redirect the SHSH blobs check to cache instead of Apple's servers, iTunes would be tricked into checking those cached SHSH blobs and allowing the device to be restored to that version.
iOS 5 and later versions of iOS implement an addition to this system, a random number (a cryptographic nonce) in the "APTicket", making that simple replay attack no longer effective. Versions of redsn0w after 0.9.9b9 include a way to bypass the nonce requirement, allowing the SHSH blobs and APTicket to both be replayed by "stitching" them into custom firmware.
First released in 2009 (as TinyTSS and Umbrella), TinyUmbrella is a tool for finding out information about SHSH blobs saved on third party servers, saving SHSH blobs locally, and running a local server to replay SHSH blobs to trick iTunes into restoring older devices to iOS 3 and 4. In June 2011, iH8sn0w released iFaith, a tool that can grab partial SHSH blobs from a device for its currently-installed iOS version (limited to iPhone 4 and older devices). In late 2011, the iPhone Dev Team added comprehensive SHSH blob management features to redsn0w, including the ability to save SHSH blobs with APTickets and stitch them into custom firmware in order to restore a device to iOS 5 or later.
