Advertisements

Ok guys let me clear this upfront. I haven’t tested this method yet, but by the looks of it, there is no reason why it shouldn’t work. If you have just got a new iPhone 4 or iPhone 3GS (new bootrom) which is on iOS 4.0.2, you can now downgrade to iOS 4.0.1 without having your SHSH blobs saved. This will of course allow you to jailbreak and unlock your new iPhone with JailbreakMe, and patch it with PDF Patch so that you are safe from PDF vulnerability in iOS 4.0.1.

Downgrade iOS 4.0.2

Today I found something that the iPhone Devs told me "impossible". I also spoke with iH8Snow, telling me that this sounds impossible. He also mentioned to me and one of my beta testers that this is possible if you allowed Cydia to store your SHSH/Blobs since Cydia will cache your firmware along the way.

Well, I’m pretty sure I proved them wrong.

So the story is that I have possession of clean (never before jailbroken) iDevices, and I managed to downgrade one of them and upgrade one of them to iOS 4.0.

The step by step instructions for downgrading new iPhone 4 and iPhone 3GS without having SHSH blobs saved are posted below. Follow them at your own risk. I am not responsible for any loss of data, or malfunction of your iPhone.

Step 1: Download iOS 4.0.1 ipsw from here.

Step 2: Extract it with WinRAR or WinZip to a folder on the desktop. You may need to rename the firmware file from .ipsw to .zip to do this.

Step 3: Open the buildmanifest.plist with the Notepad if you are on Windows, or TextWrangler if you are on Mac.

Downgrade iOS 4.0.2 to 4.0.1 (2)

Search and replace all – 8A306 with 8A400. Save. Repeat the same with the file restore.plist.

Downgrade iOS 4.0.2 to 4.0.1 (1)

Step 4: Download iOS 4.0.2 ipsw from here and open this with WinRAR or WinZip.

Note: Do not extract it. Just open it and leave it open. You must use this exact file and not create a new one. If you have to create a new one for reasons like you are on OS X, then use zip command line not explorer or finder to make the zip. I will assume you are using the original file opened in WinRAR for the rest of this guide.

Step 5: Take all the files from iOS 4.0.1 and drag them over to the iOS 4.0.2 zip archive that you have open.

Step 6: Delete all the .dmg files that have 002 at the end, leaving only the 001 files left.

Step 7: Save the archive, and rename it back to .ipsw if you changed the name to get WinRAR/WinZip to open it.

Step 8: Optional (This helps ensure you get an SHSH file request for the future, but should not be necessary to just restore iOS 4.0.1).
Add the 74.208.10.249 gs.apple.com line to the host file. If you need help with this step, read Step 3 from here.

Step 9: Put the device in DFU by following the steps below:

  • Connect your iPhone to your computer.
  • Turn iPhone off.
  • Start iTunes.
  • Hold Power and Home buttons together for 10 seconds or so.
  • Release Power button but keep holding the Home button until your computer recognizes a new USB device.
  • iTunes will now recognize your iPhone.

Note: Your iPhone screen at this time should be blank (black in color), if not, then you are most likely in Recovery Mode, not DFU mode.

Step 10: Now simply open iTunes and restore the firmware you changed.

This is it, you should now be able to jailbreak and unlock your device on iOS 4.0.1 with JailbreakMe, guides for which can be found below:

Once you are done with the jailbreak, you can follow our step by step guide posted here to unlock your iPhone on iOS 4.x, on any baseband using Ultrasn0w. [via PwnMyI Forums, Thanks to everyone for sending this in!]

UPDATE 1: Ok guys, I know I took a little long to provide this update but this was because I was thoroughly testing this method to see if it really works. After trying it out on my iPhone 4, 3GS, iPod touch and iPad, I can confirm that this at least didn’t worked for me. But then again I got lots of messages from Twitter and email from users who said that they got it working on iPhone 3GS and all. But at least in all my tests, it didn’t work for me even on an iPhone 3GS.

After searching around for a bit, I came to the conclusion that those who reported of this method being working for them had at some point in past saved their SHSH files on Cydia, it was just that they didn’t knew about it which resulted in irrupting false hopes for many. I wont go as far as calling this method as fake, it was just that people unknowingly didn’t knew that the device which they were trying to downgrade using this method already had SHSH blobs saved on Cydia. Notcom explains this on his blog:

There is much discussion on many blogs about a potential means of downgrading iOS 4.0.2 to 4.0.1 by simply changing a couple values in the buildmanifest.plist and copying all of the images from 4.0.1 into 4.0.2 and then deleting the files ending with 002. Following all of this, perform a DFU restore and somehow you will be on 4.0.1. 
There is a perfectly logical explanation for all of this and I will lay out exactly what is happening and explain why it is working for the folks that are the lucky ones.
Let me get this out first.

  1. This is not a miracle, at least not in the sense you all hope for
  2. SHSHs are STILL required for any iPhone 4, iPhone 3GS, iPad, iPod Touch 3G, and iPod Touch 2G (MC Model)
  3. There is NO way around this… unfortunately this method included.

Let me start by explaining something very important. The buildmanifest is used by iTunes to build much of the TSS request that is used to obtain your SHSH for any given firmware revision. Unfortunately, the BuildNumber has no part to play in the request for SHSH. All that you ended up doing in following these directions is request 4.0.1 SHSH blobs.THAT IS ALL. Since every single one of you that got this to work changed your hosts file to point to Cydia, Cydia responded to the TSS request with an SHSH blob that was ALREADY "on-file". There was no magic. There was no miracle, apart from the lucky break that your device had been put on Cydia’s SHSH request list at some time in the distant past.
That’s it in a nutshell folks. There was no amazing technique for bypassing Apple’s TSS. There was no amazing exploit that exists in DFU mode allowing for 4.0.2 -> 4.0.1 downgrading. It’s simple; Cydia had your SHSH because at sometime in the past either:

  • Someone saved your SHSH with that device using TinyUmbrella and the default options
  • Someone restored that device with Cydia in the hosts pointing to gs.apple.com
  • Someone jailbroke the device and pressed ‘Make my life easier’

So yes, unfortunately, the wait continues..

You may also like to check out:

You can follow me on twitter or join our facebook fanpage to keep yourself updated on all the latest iPhone jailbreaking and unlocking releases.

Advertisements