Ok guys.. the Mac version of the guide is now up! (The Windows version can be found here.) The requirements, as mentioned earlier, remain the same: you will need an iPhone 3GS (new bootrom) on iOS 4 with SHSH blobs saved for iPhone 3.1.2. Some other important notes about the jailbreak are as follows.

1) It is a tethered jailbreak (whenever you turn off your phone, you will need to re-connect it to a computer to boot it again), and
2) it will only work for devices whose SHSH blobs (ECID SHSH) for 3.1.2 (NOT 3.1.3) are saved on Cydia (or with TinyUmbrella, see step 1).
If you meet all the requirements, and have lots of patience, you can follow the guide below to jailbreak your iPhone 3GS (new bootrom) on iOS 4.
Warning: all the standard warnings apply. This is for advanced users only. Only proceed if you know your iPhone inside out.
Pwning 4.0 on New Bootrom 3G[S] w/3.1.2 SHSH Blobs [Mac]
Credits to iH8sn0w. Thanks to lilstevie for help.
Required:
libusb-1.0
xpwntool
iOS 3.1.2, 4.0
iOS 3.1.2 SHSH blobs
Download this (http://www.mediafire.com/?mmn1nnjlqoy)
STEP 1 : Grabbing your 3.1.2 iBSS file.
Pointing your hosts file at the server holding your blobs:
I : If your SHSH blobs are saved on Cydia/Saurik's server, follow this tutorial. — http://saurik.com/id/12
II : If they are saved with TinyUmbrella, download the GUI here. — http://thefirmwareumbrella.blogspot.com/
——-
Restoring to grab the iBSS file.
I : Place your device in DFU mode.
II : Start up the iBSS/iBEC grabber.
III : Set its save folder to a new folder on your desktop.
IV : Hit "Start Monitoring".
V : Now go back to iTunes, hold Option (Alt) and click Restore, then browse to your 3.1.2 IPSW. The restore must be to 3.1.2 (the version your blobs are for) in order to pwn 4.0. The grabber captures the iBSS early in the restore, so an iTunes error later in the restore (error 1015 is reported in the comments below) does not affect the captured file; the device is simply left in recovery mode.
STEP 2: Creating your custom firmware
Use PwnageTool (blog.iphone-dev.org) to create a custom 4.0 IPSW; ignore the warnings about the new bootrom.
STEP 3:
Extract the zip file downloaded earlier (this gives you the 4.0_pwn folder) and cd into it in Terminal.
STEP 4:
Create a new folder inside it called 3.1.2, cd into it, and extract your 3.1.2 IPSW there (unzip *.ipsw in Terminal).
STEP 5:
Use xpwntool to decrypt the 3.1.2 iBSS and iBoot and bspatch to patch them. Run this in Terminal from inside the 3.1.2 folder; the patched files (exploitibss312 and iboot.payload) land in 4.0_pwn:
xpwntool Firmware/dfu/iBSS.n88ap.RELEASE.dfu ibss.d -iv 41639d34547ae3dd7921bf3539dba529 -k 9121de4a038675d92e1a28683b2138b7a3bdb80994273d090398051c7f5af53c
bspatch ibss.d ../exploitibss312 ../ibss.patch
xpwntool Firmware/all_flash/all_flash.n88ap.production/iBoot.n88ap.RELEASE.img3 iboot.d -iv 127aa60e77da219961ee70707f44cbd4 -k c72ab4aae971f3a9ec356dfe555e4aef72d8e96c480698445ac236904e6a3443
bspatch iboot.d ../iboot.payload ../iboot.patch
cd ..
rm -rf 3.1.2
STEP 6:
Create a folder called 4.0_cust inside 4.0_pwn, cd into it in Terminal, and copy your custom 4.0 IPSW there.
STEP 7:
Extract your custom IPSW (unzip *.ipsw, as in step 4).
STEP 8:
Run the following in Terminal:
cp kernelcache.release.n88 ../kcache.40
cp Firmware/dfu/iBEC.n88ap.RELEASE.dfu ../iBEC.40
cd ..
STEP 9:
Copy the signed 3.1.2 iBSS captured in step 1 into 4.0_pwn, named ibss312.dfu (the name the commands below expect).
STEP 10:
Place your device in DFU mode: hold Power and Home for 10 seconds, then release Power while keeping Home held until the screen stays black and iTunes reports a device in recovery mode.
STEP 11:
Run the following in Terminal:
./irecovery -u ibss312.dfu
./irecovery -r
sleep 10
./irecovery -e exploitibss312
./irecovery -u iBEC.40
./irecovery -c go
sleep 10
./irecovery -u sn0w.img3
./irecovery -c "setpicture 0"
./irecovery -c "bgcolor 1 1 1"
STEP 12:
Restore your custom 4.0 IPSW with iTunes (Option + Restore, as in step 1).
Booting your device:
Run the following in Terminal (once in the 4.0_pwn directory):
./irecovery -u ibss312.dfu
./irecovery -r
sleep 10
./irecovery -e exploitibss312
./irecovery -u iBEC.40
./irecovery -c go
sleep 10
./irecovery -u sn0w.img3
./irecovery -c "setpicture 0"
./irecovery -c "bgcolor 1 1 1"
./irecovery -u kcache.40
./irecovery -c bootx
iTunes will detect your device several times before it boots.
PS: When I wake up I will write a script to automate most of this.
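Until that script appears, here is an added example of my own (not the author's or iH8sn0w's code) that wraps the commands from steps 5, 8, 11 and the boot sequence into one POSIX shell script. It assumes it is run from the 4.0_pwn directory, that xpwntool, bspatch and ./irecovery are available, and that the file names are exactly the ones used above. The DRY_RUN switch, the function names and the pre-flight file check are my additions; with DRY_RUN=1 it only prints the commands it would run, so the whole sequence can be reviewed before the device is touched.

```shell
#!/bin/sh
# pwn40.sh - automates the 4.0 pwn and tethered boot described in the guide.
# Added example, reconstructed from the commands in the post; not the
# author's script. Run from the 4.0_pwn directory. DRY_RUN=1 prints each
# command instead of executing it.

DRY_RUN="${DRY_RUN:-0}"

# run CMD ARGS...: print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# IV/key pairs for the 3.1.2 n88ap iBSS and iBoot, as given in step 5.
IBSS_IV=41639d34547ae3dd7921bf3539dba529
IBSS_KEY=9121de4a038675d92e1a28683b2138b7a3bdb80994273d090398051c7f5af53c
IBOOT_IV=127aa60e77da219961ee70707f44cbd4
IBOOT_KEY=c72ab4aae971f3a9ec356dfe555e4aef72d8e96c480698445ac236904e6a3443

# step5 DIR: DIR holds the unzipped 3.1.2 IPSW. Decrypts iBSS and iBoot with
# xpwntool and writes the bspatch outputs into the current directory.
step5() {
  run xpwntool "$1/Firmware/dfu/iBSS.n88ap.RELEASE.dfu" "$1/ibss.d" -iv "$IBSS_IV" -k "$IBSS_KEY"
  run bspatch "$1/ibss.d" exploitibss312 ibss.patch
  run xpwntool "$1/Firmware/all_flash/all_flash.n88ap.production/iBoot.n88ap.RELEASE.img3" "$1/iboot.d" -iv "$IBOOT_IV" -k "$IBOOT_KEY"
  run bspatch "$1/iboot.d" iboot.payload iboot.patch
}

# step8 DIR: DIR holds the unzipped custom 4.0 IPSW. Copies out the
# kernelcache and iBEC that are sent to the device later.
step8() {
  run cp "$1/kernelcache.release.n88" kcache.40
  run cp "$1/Firmware/dfu/iBEC.n88ap.RELEASE.dfu" iBEC.40
}

# need_files FILE...: return 1 (listing what is missing) if any file is
# absent from the current directory. Checked before the first irecovery call
# so a missing file cannot leave the device half-way through the sequence.
need_files() {
  missing=0
  for f in "$@"; do
    [ -f "$f" ] || { echo "missing: $f" >&2; missing=1; }
  done
  return $missing
}

# pwn: step 11. Load the exploited 3.1.2 iBSS, then the 4.0 iBEC, then the
# sn0w payload. The device must already be in DFU mode.
pwn() {
  need_files ibss312.dfu exploitibss312 iBEC.40 sn0w.img3 || return 1
  run ./irecovery -u ibss312.dfu
  run ./irecovery -r
  run sleep 10
  run ./irecovery -e exploitibss312
  run ./irecovery -u iBEC.40
  run ./irecovery -c go
  run sleep 10
  run ./irecovery -u sn0w.img3
  run ./irecovery -c "setpicture 0"
  run ./irecovery -c "bgcolor 1 1 1"
}

# boot: the tethered boot. Same as pwn, then upload the 4.0 kernelcache and
# start it.
boot() {
  need_files kcache.40 || return 1
  pwn || return 1
  run ./irecovery -u kcache.40
  run ./irecovery -c bootx
}

case "${1:-}" in
  step5) step5 "${2:-3.1.2}" ;;
  step8) step8 "${2:-4.0_cust}" ;;
  pwn)   pwn ;;
  boot)  boot ;;
  "")    ;;  # no argument: only define the functions (e.g. when sourced)
  *)     echo "usage: $0 step5 [dir] | step8 [dir] | pwn | boot" >&2 ;;
esac
```

Typical use: `sh pwn40.sh step5 3.1.2` from inside 4.0_pwn after step 4, `sh pwn40.sh step8 4.0_cust` after step 7, then `sh pwn40.sh pwn` with the device in DFU for step 11, and `sh pwn40.sh boot` for every later tethered boot. Run any of them with `DRY_RUN=1` first to see the exact commands.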
Once you have jailbroken your phone, you can unlock it using ultrasn0w 0.93 (on any baseband); the guide for that is posted here. [via OpenPwn]
You may also like to check out:
- iPhone 4 Jailbroken Already !
- How to Jailbreak iPhone 3GS on iOS 4, which is already Jailbroken Using Spirit with Spirit2Pwn
- How to Unlock iOS 4 with Ultrasn0w and Blacksn0w on 05.13.04 Baseband [Guide]
- How to Jailbreak iOS 4.0 on iPhone 3GS, iPhone 3G and iPod touch 2G using Redsn0w, PwnageTool 4.0 (Windows)






September 9th, 2010
21 Comments/Trackbacks on "Jailbreak iPhone 3GS, iOS 4, New Bootrom, on Mac [How to Guide]"
(#)
They need to hurry up and do something for people like me! I managed to get an iPhone but it was already on iOS 4 with no SHSH files saved, and now it's just a fancy iPod for me!
(#)
Is there any other way to get the SHSH blobs for 3.1.2? I've already upgraded to iOS 4 by accident.
It's really annoying trying to jailbreak this iOS 4.
(#)
I don't understand this tutorial.
(#)
I've a 3GS 05.13.04 (new bootrom) on iOS 4. I didn't save my SHSH blob files.
Would it work anyway to downgrade to 3.1.3 or 3.1.2, save the SHSH blob files on 3.1.2 firmware with the new 05.13.04 bootrom, and after that update to iOS 4 again and use this jailbreak?
Thank you for your reply.
(#)
I won't risk it.
It's better to stay on 3.1.3 till a better JB for OS 4.0 comes.
(#)
Oh dear, is there any simple way to jailbreak the new bootrom 3GS on iOS 4 for Windows?
(#)
When I bought this iPhone it was already on 3.1.3 with new bootrom, then jailbroken + unlocked. What should I do???
(#)
My phone is new bootrom 3.1.3 and I also saved SHSH blobs.
I want to upgrade to iOS 4 but can't jailbreak, so please kindly give a solution for version 3.1.3 to upgrade and jailbreak.
(#)
Hi, there is no way to go back to 3.1.2 without SHSH on a 3GS. Apple is not signing that firmware, therefore you can't save SHSH. You may downgrade to 3.1.3, run fuzzyband and downgrade your bootrom also, then use PwnageTool to create custom 4.0 firmware. (I'm almost sure this works for non-MC models.)
(#)
Great!
There are few people left using 3.1.2 or who stored their SHSH on Cydia. It is better to find a JB for 3.1.3 at least. This is not a solution for the majority…
(#)
My iPhone is jailbroken by Spirit, still at 3.1.2 old bootrom. SHSH blobs are saved.
Happy
(#)
It worked! Only, after I lock the screen it goes directly into DFU mode!! So I have to boot it again!
(#)
And this will STILL not work for people who need to hacktivate their phones.
(#)
Has someone actually succeeded with it???? I have the new bootrom and 3.1.2 SHSH blobs on Cydia (and captured by TinyUmbrella).
Here is some output:
I'm blocked at STEP 11: I have FAILED TO CONNECT.
./irecovery -u ibss312.dfu; ./irecovery -r; sleep 10; ./irecovery -e exploitibss312; ./irecovery -u iBEC.40; ./irecovery -c go; sleep 10; ./irecovery -u sn0w.img3; ./irecovery -c "setpicture 0"; ./irecovery -c "bgcolor 1 1 1";
iRecovery – Version: 2.0.2 – For LIBUSB: 1.0
by westbaer. Thanks to pod2g, tom3q, planetbeing, geohot and posixninja.
Rewrite by GreySyntax.
[Device] Connected.
[Device] Sending packet 1 of 50 (0x00000800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 2 of 50 (0x00001000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 3 of 50 (0x00001800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 4 of 50 (0x00002000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 5 of 50 (0x00002800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 6 of 50 (0x00003000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 7 of 50 (0x00003800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 8 of 50 (0x00004000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 9 of 50 (0x00004800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 10 of 50 (0x00005000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 11 of 50 (0x00005800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 12 of 50 (0x00006000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 13 of 50 (0x00006800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 14 of 50 (0x00007000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 15 of 50 (0x00007800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 16 of 50 (0x00008000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 17 of 50 (0x00008800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 18 of 50 (0x00009000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 19 of 50 (0x00009800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 20 of 50 (0x0000a000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 21 of 50 (0x0000a800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 22 of 50 (0x0000b000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 23 of 50 (0x0000b800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 24 of 50 (0x0000c000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 25 of 50 (0x0000c800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 26 of 50 (0x0000d000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 27 of 50 (0x0000d800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 28 of 50 (0x0000e000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 29 of 50 (0x0000e800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 30 of 50 (0x0000f000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 31 of 50 (0x0000f800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 32 of 50 (0x00010000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 33 of 50 (0x00010800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 34 of 50 (0x00011000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 35 of 50 (0x00011800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 36 of 50 (0x00012000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 37 of 50 (0x00012800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 38 of 50 (0x00013000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 39 of 50 (0x00013800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 40 of 50 (0x00014000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 41 of 50 (0x00014800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 42 of 50 (0x00015000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 43 of 50 (0x00015800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 44 of 50 (0x00016000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 45 of 50 (0x00016800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 46 of 50 (0x00017000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 47 of 50 (0x00017800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 48 of 50 (0x00018000 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 49 of 50 (0x00018800 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Sending packet 50 of 50 (0x00018999 of 0x00018999 bytes)/[Device] Upload successfull.
[Device] Executing file.
[Device] Successfully executed file.
[Device] Closing Connection.
iRecovery – Version: 2.0.2 – For LIBUSB: 1.0
by westbaer. Thanks to pod2g, tom3q, planetbeing, geohot and posixninja.
Rewrite by GreySyntax.
[Device] Connected.
[Device] Reseting Connection.
[Device] Closing Connection.
iRecovery – Version: 2.0.2 – For LIBUSB: 1.0
by westbaer. Thanks to pod2g, tom3q, planetbeing, geohot and posixninja.
Rewrite by GreySyntax.
[Device] Failed to connect, check the device is in DFU or WTF (Recovery) Mode.
iRecovery – Version: 2.0.2 – For LIBUSB: 1.0
by westbaer. Thanks to pod2g, tom3q, planetbeing, geohot and posixninja.
Rewrite by GreySyntax.
[Device] Failed to connect, check the device is in DFU or WTF (Recovery) Mode.
iRecovery – Version: 2.0.2 – For LIBUSB: 1.0
by westbaer. Thanks to pod2g, tom3q, planetbeing, geohot and posixninja.
Rewrite by GreySyntax.
[Device] Failed to connect, check the device is in DFU or WTF (Recovery) Mode.
iRecovery – Version: 2.0.2 – For LIBUSB: 1.0
by westbaer. Thanks to pod2g, tom3q, planetbeing, geohot and posixninja.
Rewrite by GreySyntax.
[Device] Failed to connect, check the device is in DFU or WTF (Recovery) Mode.
iRecovery – Version: 2.0.2 – For LIBUSB: 1.0
by westbaer. Thanks to pod2g, tom3q, planetbeing, geohot and posixninja.
Rewrite by GreySyntax.
[Device] Failed to connect, check the device is in DFU or WTF (Recovery) Mode.
iRecovery – Version: 2.0.2 – For LIBUSB: 1.0
by westbaer. Thanks to pod2g, tom3q, planetbeing, geohot and posixninja.
Rewrite by GreySyntax.
[Device] Failed to connect, check the device is in DFU or WTF (Recovery) Mode.
(#)
Can I still jailbreak my iPhone 3GS if I did not save the SHSH blobs file?
(#)
I tried doing this and I failed. Let me know if anyone can help.
I am currently on iOS 4.0 on a 3GS with new bootrom.
I have my SHSH blobs saved for 3.1.2, which I had previously jailbroken with blackra1n.
So I put my phone in DFU mode and tried downgrading to 3.1.2 and I SUCCESSFULLY got the 1015 error, but then I don't know how to kick it out of recovery mode on a Mac?
Also I didn't understand STEPS 3, 4 & 5. I extracted the file but how do I use Terminal to enter it? Any help will be greatly appreciated.
(#)
Did you get any way to unlock your 3GS on 5.13.04
without SHSH?
Then please mail me at
pbasoor@gmail.com
I'm having the same thing as you.
(#)
Hi Sunny.
I haven't figured out how to restore my iPhone 3GS to the custom firmware. Once I do, I will let you know.
(#)
Use RecBoot to get out of recovery mode.
(#)
I'm trying to run step 5 and it says xpwntool command not found. How do I install xpwntool so Terminal can run it?
(#)
Rrrrrrrr, this jailbreak doesn't work on Nokia 3310s, aaarrrrgggh!