page contents

How to Set nonce with checkm8-nonce-setter – Work with iOS 13.2 version

checkm8-nonce-setter is a nonce setter for devices compatible with checkm8 exploit used by checkra1n. iOS version doesn’t matter. If your device is compatible with checkm8 + Linus Henze’s Signature Check Remover then you can set your nonce and downgrade. This script is macOS only.


To start the script open the Terminal app and proceeded with instructions. After setting nonce on your device, you can future restore with the SHSH you used during the script. axi0mX introduced this method as “EPIC jailbreak”.

This is a bootrom exploit that couldn’t patch or block without a hardware replacement which is impossible with a large number of devices affected.

Nonce is a signing method that randomizes Apple’s cryptographic signature hash blobs (SHSH blobs) and is used with the base band signing ticket, the APTicket, and SEP (Secure Enclave). Every time if you restore the device, a random string of letters and numbers is generated.

The nonce (e.g. 0x532fd02xd15k30) is sent to apples serves to request a blob (or APTicket) for the firmware you want to restore. If the nonce of the device and the APTicket match, you can restore even no longer signed IPSW system file. There are few nonce generators available to set a nonce on iOS.