Saturday, November 20, 2010

Sunday, November 7, 2010

Booting 4.2 bundle - instructions

  • Download the appropriate tetheredboot binary for Windows or OS X from
    • Update: OS X version does NOT need libUSB from MacPorts any more.
  • Put the device in DFU mode
  • Use the command line tetheredboot -i iBSS.CPUap.RELEASE.dfu -k kernelcache.release.CPU to boot, where CPU is k48 for the iPad and n90 for the iPhone 4
    • These files (iBSS and kernelcache) need to be extracted from the custom IPSW you made using the bundle!
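A small helper for the step above, added here as an example and not part of tetheredboot or the bundle: it maps the device name to the CPU code the post gives, refuses to run when the custom IPSW does not actually contain the iBSS and kernelcache for that CPU (a stock IPSW or one built for the wrong model), extracts the two files and builds the tetheredboot argv. The -i/-k flags come from the post; the entry paths inside the IPSW (Firmware/dfu/iBSS.<cpu>ap.RELEASE.dfu and kernelcache.release.<cpu>) are the usual IPSW layout and are assumed, and the sample IPSW the script writes is a constructed stand-in with placeholder bytes.

```python
import os
import tempfile
import zipfile

# CPU codes from the post: k48 is the iPad, n90 the iPhone 4.
DEVICE_CPU = {"ipad": "k48", "iphone4": "n90"}


def boot_file_names(cpu):
    """Zip entry names (assumed IPSW layout) of the iBSS and kernelcache."""
    return ["Firmware/dfu/iBSS.%sap.RELEASE.dfu" % cpu,
            "kernelcache.release.%s" % cpu]


def check_boot_files(ipsw_path, device):
    """Return the required entries that the IPSW does NOT contain (empty = OK)."""
    wanted = boot_file_names(DEVICE_CPU[device.lower()])
    with zipfile.ZipFile(ipsw_path) as ipsw:
        present = set(ipsw.namelist())
    return [name for name in wanted if name not in present]


def extract_boot_files(ipsw_path, device, out_dir):
    """Extract iBSS and kernelcache into out_dir and return the tetheredboot argv.

    Stops before touching the device when either file is missing, which is
    what happens if a stock IPSW or one for the wrong model is passed in.
    """
    missing = check_boot_files(ipsw_path, device)
    if missing:
        raise ValueError("IPSW lacks required entries: " + ", ".join(missing))
    ibss, kcache = boot_file_names(DEVICE_CPU[device.lower()])
    with zipfile.ZipFile(ipsw_path) as ipsw:
        ibss_path = ipsw.extract(ibss, out_dir)      # returns the written path
        kcache_path = ipsw.extract(kcache, out_dir)
    return ["tetheredboot", "-i", ibss_path, "-k", kcache_path]


def make_sample_ipsw(cpu, work_dir=None):
    """Write a constructed stand-in IPSW (placeholder bytes, not real firmware)."""
    work_dir = work_dir or tempfile.mkdtemp(prefix="tb_demo_")
    path = os.path.join(work_dir, "custom_%s.ipsw" % cpu)
    with zipfile.ZipFile(path, "w") as z:
        for name in boot_file_names(cpu):
            z.writestr(name, b"placeholder, not real firmware")
    return path


if __name__ == "__main__":
    sample = make_sample_ipsw("n90")
    print(" ".join(extract_boot_files(sample, "iPhone4", sample + ".out")))
```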

Thursday, July 8, 2010

Data recovery: not just for iBoot-pwned devices

Deprecated: Now you can use greenpois0n to load an SSH ramdisk on any new device.

Update: wrote a tool to generate upgrade IPSWs automatically
iPad data recovery!
If your user data partition is not corrupted, it's possible to get your data back (say, after some Cydia app made your oversized iTouch hang on boot!)

Should also work for iOS 4.0 new bootrom 3GS iPhones and 3G iTouches.

Will it work if you were jailbroken with:
PwnageTool: Not recommended/might work
SnowBreeze: Not recommended/might work
Spirit: YES
redsn0w: YES
blackra1n: YES
Not jailbroken: YES

Other necessary conditions:
Mountable user data volume - not always the case!

Other warnings:
You'll obviously lose your jailbroken state and will have to re-Spirit if using an iPad, or just back up and restore if using a PwnageTool/SnowBreeze iOS 4 jailbreak!

When should you use this method?
• You have an iDevice that does not boot (stuck in DFU/on the Apple logo) with important data on it (kids' pix, financial reports, names of Russian spies)
• You are not jailbroken with PwnageTool/redsn0w/blackra1n/Sn0wbreeze
  • If you are jailbroken using one of those jailbreak methods, check out the SSH ramdisk method first, as it guarantees non-destructive recovery.
• You don't need the device to remain jailbroken/unlocked, or you can jailbreak/unlock a device that has been restored to the latest firmware version.
Downloads: Windows version, Python source

Use the current firmware version that is still being signed by Apple (4.1 ATM)!
Drag and drop the original unmodified IPSW file over the tool icon, wait for it to generate a UPG_...ipsw file, then restore to that using iTunes.
Make sure you've read the necessary conditions and warnings sections!

Look at the source code if you want an insight into what exactly happens here.

Wednesday, July 7, 2010

iRecovery functionality on Windows without libUSB

itunnel_mux_rev6.exe <- this unfortunately named tool now supports loading stuff into iBoot, including USB exploit payloads.
Usage example:
itunnel_mux_rev6.exe --ibss iBSS.n88ap.RELEASE.dfu --exploit exploit --ibec iBEC.n88ap.RELEASE.dfu --ramdisk 018-6461-399.dmg.ssh --devicetree DeviceTree.n88ap.img3 --kernelcache kernelcache.release.n88
Due to some hardcoded structure offsets still left in, this will probably only work with iTunes 9.2.

Wednesday, June 23, 2010

OLD BOOTROM + Spirit => 4.0 JB

Updated for FW 4.0/4.0.1 + 'Star' jailbreak. You'll need NOR files from a custom 4.0 ipsw made with PwnageTool 4.0.1.
You still obviously need to have an old bootrom 3GS; however, you don't currently need any SHSH while Apple still signs 4.0.1.
The fact that the Star jailbreak uses Safari, however, means it will be patched in weeks, so back up those hashes while you can...
Now that 4.0 is jailbroken, potential uses of this method include installing 4.1 betas, rolling back to 3.x and similar fun activities.

STOP if you have a new bootrom (week 40+, tethered only 3.1.2 JB etc). Here's how to check bootrom ver
- your hardware is iPhone 3GS with OLD BOOTROM
- you HAVE 3.1.3 SHSH (**)
- you DON'T have 3.1.2 SHSH (otherwise, just use blackra1n/redsn0w).
- you WANT iOS4/JB

Update: thanks to movie for those awesome step by step instructions!
Update2: someone made a Cydia package. Looking at the type of questions people ask in the comments, that might be the only option for 80% of them. Apple's license terms, of course, don't allow redistributing their binaries, so I just link to it. Their description also says it works with 3.1.2/Spirit - I very much doubt that.

This tool can be used to flash pwned NOR files (containing the LLB exploit) on a phone running Spirit JB (the script has hardcoded offsets for the 3.1.3 3GS).

Thursday, May 27, 2010

On bluetooth in 4.0

• Bluetooth in 4.0 has a couple of new profiles: HID (meh) and... Braille. Wait, what's exciting about Braille? Two things:
  • It is one of the three services that call OpenSerialPort()
  • It is the only one of them that isn't generally handled by the OS unless you enable some obscure accessibility feature (unlike the WiAP and Nike sensor profiles), meaning there are no side effects to connecting the service to arbitrary BT devices with a serial profile.

Sunday, May 16, 2010

Tuesday, March 23, 2010

Fixing Blacksn0w on 3.1.3

Update: Ultrasn0w now supports 05.11 through 05.13 with a new exploit that should fix all possible WiFi issues and any OS 4.0 problems.