Wednesday, June 23, 2010

OLD BOOTROM + Spirit => 4.0 JB

Updated for FW 4.0/4.0.1 + 'Star' jailbreak. You'll need NOR files from a custom 4.0 ipsw made with PwnageTool 4.0.1.
You still obviously need to have an old bootrom 3GS, however you don't currently need any SHSH while Apple still signs 4.0.1
The fact that Star jailbreak uses Safari, however, means it will be patched in weeks, so back up those hashes while you can..
Now that 4.0 is jailbroken, potential uses of this method include installing 4.1 betas, rolling back to 3.x and similar fun activities.

STOP if you have a new bootrom (week 40+, tethered only 3.1.2 JB etc). Here's how to check bootrom ver
- your hardware is iPhone 3GS with OLD BOOTROM
- you HAVE 3.1.3 SHSH (**)
- you DON'T have 3.1.2 SHSH (otherwise, just use blackra1n/redsn0w).
- you WANT iOS4/JB

Update: thanks to movie for those awesome step by step instructions!
Update2: someone made a Cydia package. Looking at type of questions people ask in the comments, that might be the only option for 80% of them. Apple's license terms, of course, don't allow to redistribute their binaries, so I just link to it. Their description also says it works with 3.1.2/Spirit - I very much doubt that.

This tool can be used to flash pwned nor files (containing LLB  exploit) on the phone  running Spirit JB  (script has hardcoded offsets for 3.1.3 3GS).

*Now flasher checks that all files exist before flashing them.
http://code.google.com/p/iphone-img3-flasher/downloads/detail?name=spirit2pwn_r2.zip
  1. Unpack pwned(!) 3.1.3 firmware, copy all the files from  iPhone2,1_3.1.3_7E18_Custom_Restore\Firmware\all_flash\all_flash.n88ap.production folder to /tmp directory your phone. You can use CyberDuck or WinSCP to do that. Copy those files directly to the /tmp, not to a subfolder: LLB should be at /tmp/LLB.n88ap.RELEASE.img3, etc.!
  2. Extract the contents of the spirit2pwn_r2.zip archive to /tmp directory on the phone.
  3. Run the following commands on the iPhone: (Use ssh or PuTTY).
cd /tmp
chmod 755 pwn_old_boot_r2.sh
./pwn_old_boot_r2.sh
  • Now reboot and your iboot and llb should be pwned, and you can restore to a custom FW now.
Thanks Gojohnnyboi for code, ZeRoLiMiT for testing ;)

(**) Technically, you can still do that if you don't have 3.1.3 SHSH, but then if you don't really have old bootrom or if you use wrong ipsw files, your only option will be to upgrade to 4.0 and stay without jailbreak or unlock until a new exploit is made public. 

111 comments:

Kenny said...

THANK YOU for this fix!!! this worked like a charm and i am now jailbroken on 4.0 with my 3GS!

Leandro said...

Worked for me. Thanks

Ryan said...

Thank you so much for this!!!!

ShAyAn-BeTa said...

Nice..! like previous posts..! ;-)

la said...

does it work without a 3.1.3 shsh too? my device is now on 3.1.3 with spirit and unlocked with ultrasn0w, but i dont have a shsh for 3.1.3 because it was never jb before.

msft.guy said...

@la: it does, but you have to be *very* careful!

zwaldowski said...

Is there anyway to flash, upload, or otherwise run a pwned iBoot/LLB when you haven't had your SHSH backed up before? I just got this 3G[s], came with 4.0 but has the old bootrom, and the original seller never backed up the SHSH blobs for 3.1.x.

Michel said...

Hi I get every step but not the first one.... wheredo I get the custtom firmware? can someone help me and the week on my iPhone serial number is 35 but it's an MC-model I'm I ok?

msft.guy said...

@zwaldowski: nope, you need a new exploit for that - either a new kernel exploit, or a new bootrom/iBoot exploit. Nothing of the sort is currently publicly available.
@Michel: use PwnageTool 4.0.1

Michel said...

@msft.guy : THX but do you have any idea about my serial number week being 35 and having an MC-model?

msft.guy said...

@Michel: week 35 is old bootrom, see also here

Michel said...

THX a lot made my day worked fine for me!

Mike said...

Ok all these instructions make sense for the most part to me. As far as a pwned 3.1.3 FW is this something I should build with Pwnage Tool or Redsn0w? I'm on the old bootrom, spirit JB, 3.1.3 blobs on file but now 3.1.2. I just want to make sure that I do this 100% correct as I depend on my 3G[S] for tethering right now...So if someone could point me in the right direction as far as that file goes that would be greatly appreciated(FYI I have a pwned 3.1.2 FW, can I extract and use the file from that?)

Mike said...

Also what is the easiest way to unpack an ipsw in OS X....if somebody could supply me with the necessary files via email if they aren't too large that would be very helpful as well....Thanks in advance!

Mike said...

Ok I pwned 3.1.3 w/ pwnage and used safari to extract the pwned FW...copied it to /tmp on the iPhone as well as the extracted zip file and it seems that there was an issue with flashing the NOR....here is the output I received.....

Applying kernel AppleImage3NORAccess patches
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000699 s, 5.7 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000324 s, 12.3 kB/s
2+0 records in
2+0 records out
2 bytes (2 B) copied, 0.000316 s, 6.3 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000386 s, 10.4 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000329 s, 12.2 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000327 s, 12.2 kB/s
Flashing NOR
[OK] IOMasterPort opened
[OK] AppleImage3NORAccess found: 0x1503
[OK] IOServiceOpen: conn = 0x1407
[INFO] img3_flash_NOR_image: flashing LLB data
imgLen=4294967295
IOConnectCallStructMethod failed: 0xe00002c2
[FAIL] img3_flash_NOR_image(LLB.n88ap.RELEASE.img3), ERROR = 0xE00002C2

msft.guy said...

@Mike: Ugh.. LLB.n88ap.RELEASE.img3 needs to be in /tmp, just like the other img3 files.

Dimitrios-Geo said...

how to run the last part?????

can i do it with mobile terminal??? if not, how???? because i use mobile terminal, i gain access to tmp, but then the last step does nothing....

Dimitrios-Geo said...

and how do we understand that we did everything right????

and do we just install a custom ios4 afterwards???

frenchderf said...

Thank you I have 3G with 3.1.2 Spirited.

Is this method is working or limited with 3GS only.

Let us know

msft.guy said...

@frenchderf: Not this package: patches are just for 313 kernel.
Although it's possible to rewrite it for 312, it doesn't make any sense - just use redsn0w or blackra1n on 312.

@Dimitrios-Geo: ask someone with better terminal skills to do those steps for you?
Just make sure you use files from 313 ipsw pwned by PwnageTool and all files are in /tmp directory.
Also I'd recommend SSH over mobileTerminal, as you can copy-paste the log if you are unsure about results.

Wilson said...

Works great! Thanks for the info!

Vincent said...

Thanks for the script. I tried it twice, but I can't get it to work :( The script completes succesfully, no errors, but when I turn the iPhone off to start in recoverymode, it gets stuck in DFU-only mode. In this mode, I am also unable to restore to the 4.0 custom. I have to do a full restore to 3.1.3 and re-jailbreak. Do you know what I might be doing wrong? Thanks :)

Mike said...

Hmm that was weird, the script worked on my second shot though. Only problem is iTunes is now throwing out a 1600 error when I try to do a custom restore and I'm stuck in DFU for now....gonna try to rebuild iOS with pwnage again and see what happens....

Norman Yau said...

I have the same problem as Mike but it shows error (2).
To clarify, does the Custom OS 3.1.3 and IOS 4.0 need to be pwn ONLY by PWNAGE tool ? I did it with sn0wbreeze. Itunes is 9.2.

gfm said...

Worked for me. Thanks! 3GS model MB715LL, firmware 05.12.01

msft.guy said...

@Mike: double-check that you're on old bootrom http://www.redmondpie.com/how-to-check-iphone-3gs-bootrom-iboot-version;
paste the output of the script to pastie.org and post the link here
@Norman Yau: does your phone boot ok after the described steps? If it doesn't, you might have new bootrom or have done something wrong. Again, post a log. Make sure you restore from recovery mode and not DFU. Try custom fw generated by PwnageTool 4.0.1 if the snowbreeze one doesn't work. Remember you need iTunes 9.2 to restore 4.0 fw.

Oren said...

Thanks a lot for the hack! Do you accept donations?

Just pointing that it can't run on mobile terminal (you will get a permission error) only by ssh and using mac terminal.

jpacubas said...

Hi,

Just wanted to say that this worked brilliantly. I used sn0wbreeze to pwn the firmware, so I know that method works.

Thank you, thank you, thank you so much!

mike said...

Thanks msft.guy! Any chance there will soon be a JB/unlock on 4.0 for those of us stuck with the new bootrom?

Norman Yau said...

Still not working. It is an old bootrom, but it is a MC model. Is it because of MC?

Applying kernel AppleImage3NORAccess patches
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000353 s, 11.3 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000359 s, 11.1 kB/s
2+0 records in
2+0 records out
2 bytes (2 B) copied, 0.000415 s, 4.8 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000354 s, 11.3 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000356 s, 11.2 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000355 s, 11.3 kB/s
Flashing NOR
[OK] IOMasterPort opened
[OK] AppleImage3NORAccess found: 0x1503
[OK] IOServiceOpen: conn = 0x1407
[INFO] img3_flash_NOR_image: flashing LLB data
imgLen=147920
[OK] Flashing LLB.n88ap.RELEASE.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=178564
[INFO] breakHash(iBoot.n88ap.RELEASE.img3) at 0x2B950
[OK] Flashing iBoot.n88ap.RELEASE.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=45252
[INFO] breakHash(DeviceTree.n88ap.img3) at 0xB090
[OK] Flashing DeviceTree.n88ap.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=16104
[INFO] breakHash(applelogo.s5l8920x.img3) at 0x3EB4
[OK] Flashing applelogo.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=97080
[INFO] breakHash(recoverymode.s5l8920x.img3) at 0x17B04
[OK] Flashing recoverymode.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=20484
[INFO] breakHash(needservice.s5l8920x.img3) at 0x4FD0
[OK] Flashing needservice.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=56836
[INFO] breakHash(batterylow0.s5l8920x.img3) at 0xDDD0
[OK] Flashing batterylow0.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=65348
[INFO] breakHash(batterylow1.s5l8920x.img3) at 0xFF10
[OK] Flashing batterylow1.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=20420
[INFO] breakHash(glyphcharging.s5l8920x.img3) at 0x4F90
[OK] Flashing glyphcharging.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=19396
[INFO] breakHash(glyphplugin.s5l8920x.img3) at 0x4B90
[OK] Flashing glyphplugin.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=19780
[INFO] breakHash(batterycharging0.s5l8920x.img3) at 0x4D10
[OK] Flashing batterycharging0.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=24964
[INFO] breakHash(batterycharging1.s5l8920x.img3) at 0x6150
[OK] Flashing batterycharging1.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=76164
[INFO] breakHash(batteryfull.s5l8920x.img3) at 0x12950
[OK] Flashing batteryfull.s5l8920x.img3
[OK] SUCCESS

msft.guy said...

@Oren: maybe you need to 'su root' in MobileTerminal first? Haven't tried that since it's broken on iOS4. -(
On donations: feel free to donate to msft.guy@gmail.com (paypal), but people like comex (author of Spirit JB) deserve a donation far more ;) Dev Team too, for the 24kpwn, but they only accept postcards ;)

@mike: I think posixninja has a tethered exploit and looks like Spirit was just ported to 4.0 (but not open yet); and unlock is already there, just don't update to official 4.0.1 etc so that you can unlock after JB is released.

@Norman Yau: OK, so the method itself works. I'm still confused about what exactly happens after you do those steps and reboot - does the phone boot or not? If it does not boot, there is something wrong with the pwned firmware you used: it's either original ipsw, or the pwnage tool/snowbreeze didn't work properly, or it's the wrong version (like 4.0 instead of 3.1.3).
Now, if your phone does boot but you cannot update to pwned 4.0, it's most likely a problem with your custom 4.0 firmware. make sure you are restoring in Recovery and not DFU. Try creating it on another mac or something.. also post restore log to pastie.org.

Norman Yau said...

Thanks YOU!!! It works.
Turns out it was the custom firmware. I used Pwnage tools and it worked.

Marin said...

So I followed the steps, and I was able to pwn my 3.1.3. When I did a shift+restore, itunes says "restoring iphone software" and iphone shows bar, but it then gives me error (2) and does not restore to 4.0

Ace03v said...

where can i be able to get pwned 3.1.3. i cannot make one since i am running window and i do not have a mac available.:S

Dimitrios-Geo said...

@ msft.guy

i managed to throw everything you say on tmp, but then because i never used ssh before.....maybe i do the command step wrong... i dont really know how to use ssh, it was always easier, not to mention safer, to connect with "phoneview" .



so please help me if you can :))

sleeper said...

thank you so much for this, but is it permanant or temporary ?

Dimitrios-Geo said...

hmm... sth tells me i have the new bootrom....so what do i do now???

kensu said...

Worked!

Although lost AT&T logo and signal and 3G. Had to install ultrasn0w afterward to get them back. But ok now!

Eazaay said...

i also need pwned 3.1.3 and 4.0. i searched online but cant tell the diff between pwned and snowbreeze versions.

@Norman_Yau: where did you get your FWs?

bammeh said...

This works! THANKS SO MUCH :)

Chris said...

Hi, I followed all your instructions. After pwn_old_boot_r2.sh
and a successful message, I went ahead and rebooted the phone. Now it looks like its on DFU mode and I can not restore it in iTunes since its giving me the 1600 error any ideas?

Ian said...

Thanks for this!!
Tried it and worked..
Hope that there won't be any problems in the future..
Cheers!!

Raghib said...

It would be great if somebody post a link on youtube on this method on how should we do that, step by step... I dont understand exactly what should i do

Steven said...

I agree why don't someone post a youtube to show how it is done

AAG said...

Genius!

Thanks buddy! worked perfectly!Maybe this could be packaged into a deb and hosted on a cydia repo! Can't see why it couldn't be done :)

Download idetector from ih8sn0w.com to check what boot rom you have!

MaxR said...

Could somebody help me with this instruction?


Unpack pwned(!) 3.1.3 firmware, copy all the files from iPhone2,1_3.1.3_7E18_Custom_Restore\Firmware\all_flash\all_flash.n88ap.production folder to /tmp directory your phone.


1. How to unpack pwned 3.1.3 firmware?
2. Copy all the files from where? from iPhone folder?

help me please.

TQ in advance

AAG said...

Rename the IPSW to .zip

msft.guy said...

Dimitrios-Geo: wait for a new iOS4-compatible Spirit release.

Chris: either you have new bootrom or did not use correct fw (3.1.3/PwnageTool).

AAG: I don't know how to check bootrom version from an iPhone app. This also needs additional firmware files which cannot be provided in the package (Apple's IP).

aag321 said...

ah very true. Don't want to open your self to a lawsuit. Well Great work on the script!

MaxR said...

ok thanks....i extracted from the apple 3.1.3 fw, maybe that's why i couldn't find iPhone2,1_3.1.3_7E18_Custom_Restore\Firmware\all_flash\all_flash.n88ap.production

will build the custom fw with pwnage tool then will try again

Livon said...

Thanks! It's really works! BUT!
I cannot connect to itunes (ver. 9.2)! I try on PC and on Mac too. iPhone is not show in itunes. I changed USB ports, cables, reinstall itunes but all not success.
Please say what can I do with it?
Can I firmware on iOS 4 custom once more now?

Aber1kanobee said...

You ROCK!!!

msft.guy said...

@MaxR: iPhone2,1_3.1.3_7E18_Custom_Restore.ipsw is the filename of custom FW (made with PwnageTool). Whether or not you have it in the file path depends on which unarchiver you use.

@Livon:
That's really weird. Did the USB work before restoring to custom iOS4? In any case, you can now restore to custom FW (even downgrade) unless you accidentally install the original FW. Can you see iPhone in the device manager? Did you make this custom FW 4 with Pwnage Tool 4.0.1?

Dimitrios-Geo said...

@ msft.guy thanks for your reply.....

is this the reason i get a "needservice.a518920x.img3 missing " error when i run the last command????

do we have any news for the spirit 4.0 release?? till then what shall i do, stay with 3.1.3 jb or move to official 4.0???



thanks once again

Livon said...

2 msft.guy:
Thanks for your reply.
Yes, USB is worked before I firmware to 4.0 using your instructions.
In device manager I see iphone in section "Mobile devices" but not in USB Controllers (sorry this may be not same in English version of Windows, because I have some localized Win7). It must be in Usb controllers too?
And yes, I create 4.0 custom using Pwnage Tool 4.0.1 on Mac.
And I just firmware once more to 4.0 custom (did on Mac).
And I have now: itunes on mac can view iPhone, but on Win NO !
I understand this is very strange. I think problem in my itunes on Win?

msft.guy said...

@Dimitrios-Geo: No. The reason you are getting the 'needservice.a518920x.img3 missing' error is you. You've failed to read the instructions and are trying to flash 4.0 fw when the instructions clearly say custom 3.1.3
If you really have old bootrom as you've mentioned earlier then your phone won't boot and you'll have to restore to 3.1.3 if you've saved those SHSHs, or to 4.0 if you haven't.

@Livon: if you have installed libUSB on Windows, it can interfere with iTunes USB drivers. Otherwise, reinstalling Windows in upgrade mode might be faster and will save your data and settings..

Livon said...

Sorry, some update:
I try to connect iPhone 3G (iOs 4.0, 05.13.04) to this PC with win and all ok - I can see it in itunes.

MaxR said...

@msft.guy: TQ...I figured it out and upgrading from spirited 3.1.3 to 4.0 using pwnagetool custom fw ran like a charm with ONLY 1 MAJOR PROBLEM...No carrier signal...FYI my 3GS was factory unlocked when I bought it last year. This also happened when i upgrading from 3.1.1 to 3.1.3 and the best fix i can find that time was...restore with original fw than run spirit. With no spirit for 4.0, what option i have to solve my problem and have a jailbroken one?

msft.guy said...

@MaxR: try ultrasn0w, just in case..

MaxR said...

@msft.guy: Does it work with 05.12.01 baseband?

Jordan said...

I honestly can't thank you enough. This worked flawlessly and didn't have a single error!

Elijah said...

Is there a video on this? Because I want to be jailbroken on 4.0. HELP Any one. I only get like half the stuff.

Dinesh said...

hi msft...I followed your procedure,,turned it off and now its not coming on at all

MaxR said...

@msft.guy : ultrasn0w works...and i'm back to business.....tq

Elijah said...

@msft.guy : Ok I did everything and now it will not turn on. What do I do now?

movie said...

***INSTRUCTIONS FOR THE LAYMEN***

It worked for me on my 3Gs (Jailbroken with Spirit, 3.1.3, old bootrom) and I'm a total noob.

NOTE: When flashing using the iphone app: mobile terminal, you must first go into the root directory by typing: su root

So here are the STEP by STEP instructions for someone slow like myself.


1.) Download a custom firmware for 3.1.3 3Gs (you can get it here: http://www.iphoneheat.com/2010/02/download-iphone-custom-firmware-3-1-3-ipsw/

must download all the files and then join them using something like "Split and Concat" software.


2a.) Download a custom firmware for 4.0 3Gs (you can get it here:
http://www.iphoneheat.com/2010/06/download-custom-ios-40-firmware-ipsw/

must download all the files and then join them using something like "Split and Concat" software

OR

2b.) Download both Pwnage Tool 4.01 and the official apple version of 4.0 called iPhone2,1_4.0_8A293_Restore.ipsw

Then make your own custom 4.0 which will be named: iPhone2,1_4.0_8A293_Custom_Restore.ipsw

3.) Download spirit2pwn_r2
from here:
http://code.google.com/p/iphone-img3-flasher/downloads/detail?name=spirit2pwn_r2.zip

4.) Download Cyberduck on your Mac OS X

5.) Download MobileTerminal on your iPhone

6.) Download OpenSSH on your iPhone

NOW YOU HAVE ALL THE FILES YOU NEED!

7.) Open up Cyberduck and connect your Mac to your
iPhone. To use this you need:
a.) IP address of iPhone
b.) username which is: root
c.) password which is alpine (unless you changed it)
d.) Connect Cyberduck to your iPhone
d.) Navigate to the /tmp folder

8.) Go to your files in STEP 1.) (custom firmware for 3.1.3 3Gs that you downloaded) and navigate to the subfolder called: all_flash.n88ap.production folder.
Take all the files in that folder and copy into the /tmp folder using Cyberduck. Should be 14 files total.

9.) Go to your files in STEP 3.) (spirit2pwn_r2 you downloaded). Take all the files in that folder and copy into the /tmp folder using Cyberduck. Should be 2 files total.

NOW YOUR SET TO FLASH!!!

10.) Now go to your iPhone and open up MobileTerminal.

a.) TYPE: su root
(may ask for password)
HIT RETURN

b.) TYPE: cd /tmp
HIT RETURN

c.) TYPE: chmod 755 pwn_old_boot_r2.sh
HIT RETURN

d.) TYPE: ./pwn_old_boot_r2.sh
HIT RETURN

It will start flashing the files on your iPhone. It will pause a few times. WAIT! don't do anything. WAIT until it's completely done and says [SUCCESS] as the bottom.

11.) REBOOT your iPhone.

12.) plug your iPhone into iTunes. press the OPTION key as you click on RESTORE in iTunes. Make sure you are connected to the internet.

13.) Navigate to the file: iPhone2,1_4.0_8A293_Custom_Restore.ipsw
You created in STEP 2a.) or STEP 2b.)

14.) iTunes will RESTORE your iPhone using iPhone2,1_4.0_8A293_Custom_Restore.ipsw
(Does not take that long)

15.) iPhone will REBOOT and then iTunes will prompt you to RESTORE your files from a BACKUP or as a NEW Phone.

There you go! Whew!

msft.guy said...

@Dinesh, @Elijah: Assuming the script executed successfully, you've probably used incorrect ipsw.
You need to use 3.1.3 custom ipsw made using PwnageTool (or sn0wbreeze, but if you don't have 3.1.3 SHSH on file, I'd recommend sticking to PwnageTool).
Now you have to put the phone in DFU mode (although it's probably already in DFU now) and restore to 3.1.3 (if you have saved SHSH) or to 4.0 (if you have not).
After you restore to 3.1.3, try reading the instructions more carefully.

@movie: awesome, thx!

Eric said...

Thanks mate, that is awesome! You are a Legend!

Livon said...

Anyone have working youtube? Is not wowking for me :( Any fix?

Lapkritinis said...

Thanks a lot JB iOS on 4.0 now ! :)))

Elijah said...

@Dinesh ok thanks

Cristian said...

worked for me 3gs @ 4.0
thxxxx

movie said...

@Livon: YouTube works perfectly. Just watched Vangelis-Conquest of Paradise as a test.

Now, MxTube is another story... that continues to crash. Hopefully someone will update it soon.

Also, MobileTerminal crashes. So I found one updated for ios4 from the source macosmovil.

Dinesh said...

msft: Still the same thing for me,,black screen...turn on itunes it sees the phone in the recovery mode,,try to custom restore on 4,,but gives error 1600

Dinesh said...

@Elijah - did it work for you,,if yes how?

Adam said...

@movie i am I correct in assuming iTunes 9.2 needs to be used in order to restore to the custom iOS 4 ipsw? Also it looks like you didn't use recovery mode while restoring the custom ipsw, is this correct?

Alex said...

@Dinesh the reason its not working for you is because you are in DFU mode not recovery mode (thats whats error 1600 mean) just hold power and reset button to get out of DFU the get into recovery mode

Alex said...

For those who are looking for 3.1.3 3gs extracted files you can get the whole package here http://www.megaupload.com/?d=XLDN5DAG

fatlus said...

Hi,
i have an iphone 3gs with OLD bootrom and the not jailbroken iOS4. I had 3.1.3 with Spirit on it before but hadn't saved the SHSH. Is there any chance to get back to 3.1.3 without the SHSH. The walkthrough sounds very simple but i can't go for it without having a jailbreak and a terminal on the iphone. it makes me mad...

FanFan said...

JUST THANK YOU VERY MUCH :)

movie said...

@Adam:

1) Yes, you use iTunes 9.2

2) Yes, I did NOT go into recovery mode. Simply plug iPhone into iTunes and press option when you hit restore button then you an navigate to the 4.0 pwned firmware and start restore process.

there seems to be a misnomer that you have to go into recovery mode to do this. It's not necessary. That's really if you have issues with your iPhone.

Adam said...

incredible! restoring as a new device and re-syncing everything now. before I did though I saw Cydia sitting nicely on the second page. Works for me!

YourGeekGuy said...

I have the same question as fatlus...is there a way to get back to 3.1.3 jailbroken or even a way to jailbreak on 4.0 if you had 3.1.3 jailbroken with Spirit.

I don't have the SHSH and I don't have anything more than a clean install of iOS4 on the phone now. I can't seem to even get back to 3.1.3...Any help?

Iqbal Ansari said...

@Move
Thank you for your awsome step by step guide. one question about your instruction on
7.) Open up Cyberduck and connect your Mac to your
iPhone. To use this you need:
a.) IP address of iPhone
b.) username which is: root
c.) password which is alpine (unless you changed it)
d.) Connect Cyberduck to your iPhone
d.) Navigate to the /tmp folder

when i use iphonebrowser, i can see root dir and tmp dir, tmp dir has another 2 dir launchd and payloads.

my question is that is it the same dir where we hav to copy all files, and can i use iphone browser since i have access to those directories.

thanks
iqbal

cecilia tan said...

omg ... i cant jailbreak my iphone 3gs ios4 with ultrasnow . what were happened ? anyone can help me pls ?

cecilia tan said...

omg ... i cant jailbreak my iphone 3gs ios4 with ultrasnow . what were happened ? anyone can help me pls ?

Iqbal Ansari said...

Thank you Movie,

I used iphonebrowser in place of your step 7 and successfully patched my 3GS, and now i am on iOS4.
Thank you everyone...

movie said...

@Iqbal Ansari:

Glad it worked!
I have iPhonebrowser as well but sometimes it's a little wonky and crashes once in a while so I used CyberDuck when doing this kind of stuff. Luckily they're both free!

The Brogster said...

I don't know what I'm doing wrong, I know I have old bootrom (week 18 manufactured), and 3.1.3 SHSH's on file. I do everything that msft and Movie say to do, I even cooked up my own custom 3.1.3 ipsw with sn0wbreeze. I run the script in MobileTerminal and get the SUCCESSS tag at the bottom, I go to reset my iphone and it won't turn back on. Any help? at all?

Dinesh said...

The brogster, I am going through the same thing. Guys I have tried the recovery mode too, but it's still giving me 1600 error. Tried both, Mac and PC.
Thanks. I gave up..am going to wait for a clean jailbreak solution. I tried several times. Thanks

Yakir said...

didn't work for me as well ...
did everything but still have and dfu mode but cant cant get out of it.

iv try to make restore with a file i make on my pwangtool and also on snowbreez 1.6.2 but still i get ERROR 1600 every time.

any suggestions ?

Calin said...

Thank you very much! It worked (finally) for me too!

@ Dinesh, @Yakir : I had the same problem, error 1600. I just didn't put it DFU, neither restore mode.
Just siply plugged it in (turned on), and alt+restore the pwned version of iOS 4, and it worked!!

uSaMaBeNe said...

this one on Mob2all seems completely noob!

panha said...

Wow! I'm living again! It Work Perfect For Me! Thank alot

Macbook said...

Thank you "movie" it worked!! woohoo :)

TheStraightMusic said...

Hey guys i have posted an atricle tutorial on this is a very simpler way!!
www.thestraightmusic.blogspot.com

Jeff said...

Finally! Someone has finally nailed these instructions. Well played, sir. Well played, indeed.

Mathieu said...

I did that for mine, worked fine up to the restore in 4.0. I have an error code (1600)

msft.guy said...

@Mathieu: this happens if you restore in DFU mode, use recovery mode (or just let iTunes put your phone into recovery mode for you when you shift-restore).

Fabryka Fantazji said...

After rebooting my iphone it went into DFU mode and I can't get out of it. I am trying to restore modded 4.0 or 3.1.3 and I have errors 1601 1602 when doing this. I have 3GS with old bootrom from 17th week. Any ideas?

luis said...

i get an error

Applying kernel AppleImage3NORAccess patches
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000699 s, 5.7 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000324 s, 12.3 kB/s
2+0 records in
2+0 records out
2 bytes (2 B) copied, 0.000316 s, 6.3 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000386 s, 10.4 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000329 s, 12.2 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000327 s, 12.2 kB/s
Flashing NOR
[OK] IOMasterPort opened
[OK] AppleImage3NORAccess found: 0x1503
[OK] IOServiceOpen: conn = 0x1407
(FAIL) File not found: 'needservice.s518920x.img3', ABORTINNG

luis said...

i get an error

Applying kernel AppleImage3NORAccess patches
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000699 s, 5.7 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000324 s, 12.3 kB/s
2+0 records in
2+0 records out
2 bytes (2 B) copied, 0.000316 s, 6.3 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000386 s, 10.4 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000329 s, 12.2 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000327 s, 12.2 kB/s
Flashing NOR
[OK] IOMasterPort opened
[OK] AppleImage3NORAccess found: 0x1503
[OK] IOServiceOpen: conn = 0x1407
(FAIL) File not found: 'needservice.s518920x.img3', ABORTINNG

nik.mess said...

Jeez, I went through hell one week ago with the final result to be stuck on 3.1.3 (again!).
If I knew by then, that a few lines in terminal would make a CFW-update possible.. phew!
Thank you very very much!

Akram said...

Damn!!!!!
I did everything except copy 3.1.3 files from ORIGINAL firmware and now stuck in DFU!!! is my device toast??
please help. What do i do to redo everything just like everybody else?
itunes is not helping nor recboot.
HELP HELP HELP :(

Garrard said...

WHere can I find and download these 3 things Cyberduck, MobileTerminal, OpenSSH to help JB my iphone? I could't find them in the store..

Also, how do I find my ip addy? I have no clue....

Chow said...

Will this work with the jailbreakme.com exploit on an iPhone 3GS will new bootrom on iOS 4.0? I want to have a pwned phone instead of the userland jailbreak.

Ian said...

would love to know Chow's question answered..
I was thinking about asking the same thing..

msft.guy said...

@Chow, @Ian: Yep, check the latest update (http://code.google.com/p/iphone-img3-flasher/downloads/detail?name=spirit2pwn_r3.zip). It was tested on 4.0.1 and _probably_ works on 4.0 as there were minimal kernel changes. I'll double-check and update this.

Ian said...

@msft_guy:
I tried it, and I think it works..

ricknvtown said...

r3 worked perfect on my 3gs old boot rom that had 4.0.1 running jailbreakme. it allowed me to use sn0wbreeze 2 custom ipsw. thanks for the tut...

★Admin★ said...

http://projailbreak.blogspot.com

GO & Get newest jailbreak :)