You still obviously need an old-bootrom 3GS; however, you don't currently need any SHSH as long as Apple still signs 4.0.1.
The fact that the Star jailbreak uses Safari, however, means it will be patched within weeks, so back up those hashes while you can.
Now that 4.0 is jailbroken, potential uses of this method include installing 4.1 betas, rolling back to 3.x and similar fun activities.
STOP if you have a new bootrom (week 40+, tethered-only 3.1.2 JB, etc.). Here's how to check the bootrom version.
- your hardware is iPhone 3GS with OLD BOOTROM
- you HAVE 3.1.3 SHSH (**)
- you DON'T have 3.1.2 SHSH (otherwise, just use blackra1n/redsn0w).
- you WANT iOS4/JB
Update: thanks to movie for those awesome step by step instructions!
Update2: someone made a Cydia package. Looking at the type of questions people ask in the comments, that might be the only option for 80% of them. Apple's license terms, of course, don't allow redistributing their binaries, so I just link to it. Their description also says it works with 3.1.2/Spirit; I very much doubt that.
This tool can be used to flash pwned NOR files (containing the LLB exploit) on a phone running the Spirit JB (the script has hardcoded offsets for the 3.1.3 3GS kernel).
* The flasher now checks that all files exist before flashing them.
http://code.google.com/p/iphone-img3-flasher/downloads/detail?name=spirit2pwn_r2.zip
- Unpack the pwned(!) 3.1.3 firmware and copy all the files from the iPhone2,1_3.1.3_7E18_Custom_Restore\Firmware\all_flash\all_flash.n88ap.production folder to the /tmp directory on your phone. You can use CyberDuck or WinSCP to do that. Copy those files directly into /tmp, not into a subfolder: LLB should be at /tmp/LLB.n88ap.RELEASE.img3, etc.!
- Extract the contents of the spirit2pwn_r2.zip archive to /tmp directory on the phone.
- Run the following commands on the iPhone from the /tmp directory (use ssh or PuTTY):
chmod 755 pwn_old_boot_r2.sh
./pwn_old_boot_r2.sh
- Now reboot; your iBoot and LLB should be pwned, and you can restore to a custom FW.
(**) Technically, you can still do that if you don't have 3.1.3 SHSH, but then if you don't actually have the old bootrom, or if you use the wrong ipsw files, your only option will be to upgrade to 4.0 and stay without jailbreak or unlock until a new exploit is made public.
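Most of the failures reported in the comments below come from the staging step, not from the flasher: LLB left out of /tmp (the flasher then reads imgLen=4294967295 and fails), files copied into a subfolder, or the wrong firmware unpacked so that a file such as needservice.s5l8920x.img3 is missing. The following pre-flight check is an added example, not part of spirit2pwn or the original post; it only inspects the staging directory and never touches NOR. The list of thirteen image names is taken from the successful flash log in the comments, and the assumption is that a custom 3.1.3 all_flash.n88ap.production folder contains exactly those names plus the pwn_old_boot_r2.sh script from the zip; if your flasher version expects more files, add them to EXPECTED_IMAGES.

```sh
#!/bin/sh
# Pre-flight check for the spirit2pwn staging step (added example, not spirit2pwn's own code).
# Verifies that every NOR image the flasher expects, and the flasher script itself, sit
# directly in the staging directory (normally /tmp on the phone) before anything is flashed.

# Image names as seen in a successful flash log; assumption: this is the complete set.
EXPECTED_IMAGES="LLB.n88ap.RELEASE.img3 iBoot.n88ap.RELEASE.img3 DeviceTree.n88ap.img3 \
applelogo.s5l8920x.img3 recoverymode.s5l8920x.img3 needservice.s5l8920x.img3 \
batterylow0.s5l8920x.img3 batterylow1.s5l8920x.img3 glyphcharging.s5l8920x.img3 \
glyphplugin.s5l8920x.img3 batterycharging0.s5l8920x.img3 batterycharging1.s5l8920x.img3 \
batteryfull.s5l8920x.img3"
FLASHER_SCRIPT="pwn_old_boot_r2.sh"

# check_flash_dir DIR
# Prints one line per problem and returns 1 if anything is missing or empty,
# 0 if DIR is ready for the flasher.
check_flash_dir() {
    dir=$1
    problems=0
    for img in $EXPECTED_IMAGES; do
        if [ ! -f "$dir/$img" ]; then
            echo "MISSING: $dir/$img"
            # Most common mistake in the comments: the file was copied into a subfolder.
            for sub in "$dir"/*/; do
                if [ -f "$sub$img" ]; then
                    echo "   (found in subfolder $sub; move it directly into $dir)"
                fi
            done
            problems=$((problems + 1))
        elif [ ! -s "$dir/$img" ]; then
            echo "EMPTY: $dir/$img (copy failed or file truncated)"
            problems=$((problems + 1))
        fi
    done
    if [ ! -f "$dir/$FLASHER_SCRIPT" ]; then
        echo "MISSING: $dir/$FLASHER_SCRIPT (unpack spirit2pwn_r2.zip into $dir)"
        problems=$((problems + 1))
    fi
    if [ "$problems" -eq 0 ]; then
        echo "OK: all $(echo $EXPECTED_IMAGES | wc -w) images and $FLASHER_SCRIPT are in $dir"
        return 0
    fi
    echo "$problems problem(s) found; fix them before running $FLASHER_SCRIPT"
    return 1
}

# Usage on the phone (over ssh): sh preflight.sh --check /tmp
if [ "${1:-}" = "--check" ]; then
    check_flash_dir "${2:-/tmp}"
fi
```

Run it from the ssh session before the chmod/flash step; it only reads the directory, so it is safe to repeat until it prints OK. A wrong-version firmware (4.0 unpacked instead of 3.1.3) is not something a name check can detect, so the firmware version still has to be confirmed by hand.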
111 comments:
THANK YOU for this fix!!! this worked like a charm and i am now jailbroken on 4.0 with my 3GS!
Worked for me. Thanks
Thank you so much for this!!!!
Nice..! like previous posts..! ;-)
does it work without a 3.1.3 shsh too? my device is now on 3.1.3 with spirit and unlocked with ultrasn0w, but i dont have a shsh for 3.1.3 because it was never jb before.
@la: it does, but you have to be *very* careful!
Is there anyway to flash, upload, or otherwise run a pwned iBoot/LLB when you haven't had your SHSH backed up before? I just got this 3G[s], came with 4.0 but has the old bootrom, and the original seller never backed up the SHSH blobs for 3.1.x.
Hi I get every step but not the first one.... wheredo I get the custtom firmware? can someone help me and the week on my iPhone serial number is 35 but it's an MC-model I'm I ok?
@zwaldowski: nope, you need a new exploit for that - either a new kernel exploit, or a new bootrom/iBoot exploit. Nothing of the sort is currently publicly available.
@Michel: use PwnageTool 4.0.1
@msft.guy : THX but do you have any idea about my serial number week being 35 and having an MC-model?
@Michel: week 35 is old bootrom, see also here
THX a lot made my day worked fine for me!
Ok all these instructions make sense for the most part to me. As far as a pwned 3.1.3 FW is this something I should build with Pwnage Tool or Redsn0w? I'm on the old bootrom, spirit JB, 3.1.3 blobs on file but now 3.1.2. I just want to make sure that I do this 100% correct as I depend on my 3G[S] for tethering right now...So if someone could point me in the right direction as far as that file goes that would be greatly appreciated(FYI I have a pwned 3.1.2 FW, can I extract and use the file from that?)
Also what is the easiest way to unpack an ipsw in OS X....if somebody could supply me with the necessary files via email if they aren't too large that would be very helpful as well....Thanks in advance!
Ok I pwned 3.1.3 w/ pwnage and used safari to extract the pwned FW...copied it to /tmp on the iPhone as well as the extracted zip file and it seems that there was an issue with flashing the NOR....here is the output I received.....
Applying kernel AppleImage3NORAccess patches
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000699 s, 5.7 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000324 s, 12.3 kB/s
2+0 records in
2+0 records out
2 bytes (2 B) copied, 0.000316 s, 6.3 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000386 s, 10.4 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000329 s, 12.2 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000327 s, 12.2 kB/s
Flashing NOR
[OK] IOMasterPort opened
[OK] AppleImage3NORAccess found: 0x1503
[OK] IOServiceOpen: conn = 0x1407
[INFO] img3_flash_NOR_image: flashing LLB data
imgLen=4294967295
IOConnectCallStructMethod failed: 0xe00002c2
[FAIL] img3_flash_NOR_image(LLB.n88ap.RELEASE.img3), ERROR = 0xE00002C2
@Mike: Ugh.. LLB.n88ap.RELEASE.img3 needs to be in /tmp, just like the other img3 files.
how to run the last part?????
can i do it with mobile terminal??? if not, how???? because i use mobile terminal, i gain access to tmp, but then the last step does nothing....
and how do we understand that we did everything right????
and do we just install a custom ios4 afterwards???
Thank you I have 3G with 3.1.2 Spirited.
Is this method is working or limited with 3GS only.
Let us know
@frenchderf: Not this package: patches are just for 313 kernel.
Although it's possible to rewrite it for 312, it doesn't make any sense - just use redsn0w or blackra1n on 312.
@Dimitrios-Geo: ask someone with better terminal skills to do those steps for you?
Just make sure you use files from 313 ipsw pwned by PwnageTool and all files are in /tmp directory.
Also I'd recommend SSH over mobileTerminal, as you can copy-paste the log if you are unsure about results.
Works great! Thanks for the info!
Thanks for the script. I tried it twice, but I can't get it to work :( The script completes successfully, no errors, but when I turn the iPhone off to start in recovery mode, it gets stuck in DFU-only mode. In this mode, I am also unable to restore to the 4.0 custom. I have to do a full restore to 3.1.3 and re-jailbreak. Do you know what I might be doing wrong? Thanks :)
Hmm that was weird, the script worked on my second shot though. Only problem is iTunes is now throwing out a 1600 error when I try to do a custom restore and I'm stuck in DFU for now....gonna try to rebuild iOS with pwnage again and see what happens....
I have the same problem as Mike but it shows error (2).
To clarify, does the Custom OS 3.1.3 and IOS 4.0 need to be pwn ONLY by PWNAGE tool ? I did it with sn0wbreeze. Itunes is 9.2.
Worked for me. Thanks! 3GS model MB715LL, firmware 05.12.01
@Mike: double-check that you're on old bootrom http://www.redmondpie.com/how-to-check-iphone-3gs-bootrom-iboot-version;
paste the output of the script to pastie.org and post the link here
@Norman Yau: does your phone boot ok after the described steps? If it doesn't, you might have new bootrom or have done something wrong. Again, post a log. Make sure you restore from recovery mode and not DFU. Try custom fw generated by PwnageTool 4.0.1 if the snowbreeze one doesn't work. Remember you need iTunes 9.2 to restore 4.0 fw.
Thanks a lot for the hack! Do you accept donations?
Just pointing out that it can't run in MobileTerminal (you will get a permission error), only by ssh using the Mac terminal.
Hi,
Just wanted to say that this worked brilliantly. I used sn0wbreeze to pwn the firmware, so I know that method works.
Thank you, thank you, thank you so much!
Thanks msft.guy! Any chance there will soon be a JB/unlock on 4.0 for those of us stuck with the new bootrom?
Still not working. It is an old bootrom, but it is a MC model. Is it because of MC?
Applying kernel AppleImage3NORAccess patches
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000353 s, 11.3 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000359 s, 11.1 kB/s
2+0 records in
2+0 records out
2 bytes (2 B) copied, 0.000415 s, 4.8 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000354 s, 11.3 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000356 s, 11.2 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000355 s, 11.3 kB/s
Flashing NOR
[OK] IOMasterPort opened
[OK] AppleImage3NORAccess found: 0x1503
[OK] IOServiceOpen: conn = 0x1407
[INFO] img3_flash_NOR_image: flashing LLB data
imgLen=147920
[OK] Flashing LLB.n88ap.RELEASE.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=178564
[INFO] breakHash(iBoot.n88ap.RELEASE.img3) at 0x2B950
[OK] Flashing iBoot.n88ap.RELEASE.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=45252
[INFO] breakHash(DeviceTree.n88ap.img3) at 0xB090
[OK] Flashing DeviceTree.n88ap.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=16104
[INFO] breakHash(applelogo.s5l8920x.img3) at 0x3EB4
[OK] Flashing applelogo.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=97080
[INFO] breakHash(recoverymode.s5l8920x.img3) at 0x17B04
[OK] Flashing recoverymode.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=20484
[INFO] breakHash(needservice.s5l8920x.img3) at 0x4FD0
[OK] Flashing needservice.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=56836
[INFO] breakHash(batterylow0.s5l8920x.img3) at 0xDDD0
[OK] Flashing batterylow0.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=65348
[INFO] breakHash(batterylow1.s5l8920x.img3) at 0xFF10
[OK] Flashing batterylow1.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=20420
[INFO] breakHash(glyphcharging.s5l8920x.img3) at 0x4F90
[OK] Flashing glyphcharging.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=19396
[INFO] breakHash(glyphplugin.s5l8920x.img3) at 0x4B90
[OK] Flashing glyphplugin.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=19780
[INFO] breakHash(batterycharging0.s5l8920x.img3) at 0x4D10
[OK] Flashing batterycharging0.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=24964
[INFO] breakHash(batterycharging1.s5l8920x.img3) at 0x6150
[OK] Flashing batterycharging1.s5l8920x.img3
[INFO] img3_flash_NOR_image: flashing NOR data
imgLen=76164
[INFO] breakHash(batteryfull.s5l8920x.img3) at 0x12950
[OK] Flashing batteryfull.s5l8920x.img3
[OK] SUCCESS
@Oren: maybe you need to 'su root' in MobileTerminal first? Haven't tried that since it's broken on iOS4. -(
On donations: feel free to donate to msft.guy@gmail.com (paypal), but people like comex (author of Spirit JB) deserve a donation far more ;) Dev Team too, for the 24kpwn, but they only accept postcards ;)
@mike: I think posixninja has a tethered exploit and looks like Spirit was just ported to 4.0 (but not open yet); and unlock is already there, just don't update to official 4.0.1 etc so that you can unlock after JB is released.
@Norman Yau: OK, so the method itself works. I'm still confused about what exactly happens after you do those steps and reboot - does the phone boot or not? If it does not boot, there is something wrong with the pwned firmware you used: it's either original ipsw, or the pwnage tool/snowbreeze didn't work properly, or it's the wrong version (like 4.0 instead of 3.1.3).
Now, if your phone does boot but you cannot update to pwned 4.0, it's most likely a problem with your custom 4.0 firmware. make sure you are restoring in Recovery and not DFU. Try creating it on another mac or something.. also post restore log to pastie.org.
Thanks YOU!!! It works.
Turns out it was the custom firmware. I used Pwnage tools and it worked.
So I followed the steps, and I was able to pwn my 3.1.3. When I did a shift+restore, itunes says "restoring iphone software" and iphone shows bar, but it then gives me error (2) and does not restore to 4.0
where can i be able to get pwned 3.1.3. i cannot make one since i am running window and i do not have a mac available.:S
@ msft.guy
i managed to throw everything you say on tmp, but then because i never used ssh before.....maybe i do the command step wrong... i dont really know how to use ssh, it was always easier, not to mention safer, to connect with "phoneview" .
so please help me if you can :))
thank you so much for this, but is it permanent or temporary?
hmm... sth tells me i have the new bootrom....so what do i do now???
Worked!
Although lost AT&T logo and signal and 3G. Had to install ultrasn0w afterward to get them back. But ok now!
i also need pwned 3.1.3 and 4.0. i searched online but cant tell the diff between pwned and snowbreeze versions.
@Norman_Yau: where did you get your FWs?
This works! THANKS SO MUCH :)
Hi, I followed all your instructions. After pwn_old_boot_r2.sh
and a successful message, I went ahead and rebooted the phone. Now it looks like its on DFU mode and I can not restore it in iTunes since its giving me the 1600 error any ideas?
Thanks for this!!
Tried it and worked..
Hope that there won't be any problems in the future..
Cheers!!
It would be great if somebody post a link on youtube on this method on how should we do that, step by step... I dont understand exactly what should i do
I agree why don't someone post a youtube to show how it is done
Genius!
Thanks buddy! Worked perfectly! Maybe this could be packaged into a deb and hosted on a Cydia repo! Can't see why it couldn't be done :)
Download idetector from ih8sn0w.com to check what boot rom you have!
Could somebody help me with this instruction?
Unpack pwned(!) 3.1.3 firmware, copy all the files from iPhone2,1_3.1.3_7E18_Custom_Restore\Firmware\all_flash\all_flash.n88ap.production folder to /tmp directory your phone.
1. How to unpack pwned 3.1.3 firmware?
2. Copy all the files from where? from iPhone folder?
help me please.
TQ in advance
Rename the IPSW to .zip
Dimitrios-Geo: wait for a new iOS4-compatible Spirit release.
Chris: either you have new bootrom or did not use correct fw (3.1.3/PwnageTool).
AAG: I don't know how to check bootrom version from an iPhone app. This also needs additional firmware files which cannot be provided in the package (Apple's IP).
ah very true. Don't want to open your self to a lawsuit. Well Great work on the script!
ok thanks....i extracted from the apple 3.1.3 fw, maybe that's why i couldn't find iPhone2,1_3.1.3_7E18_Custom_Restore\Firmware\all_flash\all_flash.n88ap.production
will build the custom fw with pwnage tool then will try again
Thanks! It's really works! BUT!
I cannot connect to iTunes (ver. 9.2)! I tried on PC and on Mac too. The iPhone does not show in iTunes. I changed USB ports, cables, reinstalled iTunes, but with no success.
Please say what can I do with it?
Can I firmware on iOS 4 custom once more now?
You ROCK!!!
@MaxR: iPhone2,1_3.1.3_7E18_Custom_Restore.ipsw is the filename of custom FW (made with PwnageTool). Whether or not you have it in the file path depends on which unarchiver you use.
@Livon:
That's really weird. Did the USB work before restoring to custom iOS4? In any case, you can now restore to custom FW (even downgrade) unless you accidentally install the original FW. Can you see iPhone in the device manager? Did you make this custom FW 4 with Pwnage Tool 4.0.1?
@ msft.guy thanks for your reply.....
is this the reason i get a "needservice.a518920x.img3 missing " error when i run the last command????
do we have any news for the spirit 4.0 release?? till then what shall i do, stay with 3.1.3 jb or move to official 4.0???
thanks once again
2 msft.guy:
Thanks for your reply.
Yes, USB worked before I flashed the firmware to 4.0 using your instructions.
In Device Manager I see the iPhone in the section "Mobile devices" but not in USB Controllers (sorry, this may not be the same in the English version of Windows, because I have a localized Win7). Must it be in USB controllers too?
And yes, I create 4.0 custom using Pwnage Tool 4.0.1 on Mac.
And I just firmware once more to 4.0 custom (did on Mac).
And I have now: itunes on mac can view iPhone, but on Win NO !
I understand this is very strange. I think problem in my itunes on Win?
@Dimitrios-Geo: No. The reason you are getting the 'needservice.a518920x.img3 missing' error is you. You've failed to read the instructions and are trying to flash 4.0 fw when the instructions clearly say custom 3.1.3
If you really have old bootrom as you've mentioned earlier then your phone won't boot and you'll have to restore to 3.1.3 if you've saved those SHSHs, or to 4.0 if you haven't.
@Livon: if you have installed libUSB on Windows, it can interfere with iTunes USB drivers. Otherwise, reinstalling Windows in upgrade mode might be faster and will save your data and settings..
Sorry, some update:
I try to connect iPhone 3G (iOs 4.0, 05.13.04) to this PC with win and all ok - I can see it in itunes.
@msft.guy: TQ...I figured it out and upgrading from spirited 3.1.3 to 4.0 using pwnagetool custom fw ran like a charm with ONLY 1 MAJOR PROBLEM...No carrier signal...FYI my 3GS was factory unlocked when I bought it last year. This also happened when i upgrading from 3.1.1 to 3.1.3 and the best fix i can find that time was...restore with original fw than run spirit. With no spirit for 4.0, what option i have to solve my problem and have a jailbroken one?
@MaxR: try ultrasn0w, just in case..
@msft.guy: Does it work with 05.12.01 baseband?
I honestly can't thank you enough. This worked flawlessly and didn't have a single error!
Is there a video on this? Because I want to be jailbroken on 4.0. HELP Any one. I only get like half the stuff.
hi msft...I followed your procedure,,turned it off and now its not coming on at all
@msft.guy : ultrasn0w works...and i'm back to business.....tq
@msft.guy : Ok I did everything and now it will not turn on. What do I do now?
***INSTRUCTIONS FOR THE LAYMEN***
It worked for me on my 3Gs (Jailbroken with Spirit, 3.1.3, old bootrom) and I'm a total noob.
NOTE: When flashing using the iphone app: mobile terminal, you must first go into the root directory by typing: su root
So here are the STEP by STEP instructions for someone slow like myself.
1.) Download a custom firmware for 3.1.3 3Gs (you can get it here: http://www.iphoneheat.com/2010/02/download-iphone-custom-firmware-3-1-3-ipsw/
must download all the files and then join them using something like "Split and Concat" software.
2a.) Download a custom firmware for 4.0 3Gs (you can get it here:
http://www.iphoneheat.com/2010/06/download-custom-ios-40-firmware-ipsw/
must download all the files and then join them using something like "Split and Concat" software
OR
2b.) Download both Pwnage Tool 4.01 and the official apple version of 4.0 called iPhone2,1_4.0_8A293_Restore.ipsw
Then make your own custom 4.0 which will be named: iPhone2,1_4.0_8A293_Custom_Restore.ipsw
3.) Download spirit2pwn_r2
from here:
http://code.google.com/p/iphone-img3-flasher/downloads/detail?name=spirit2pwn_r2.zip
4.) Download Cyberduck on your Mac OS X
5.) Download MobileTerminal on your iPhone
6.) Download OpenSSH on your iPhone
NOW YOU HAVE ALL THE FILES YOU NEED!
7.) Open up Cyberduck and connect your Mac to your
iPhone. To use this you need:
a.) IP address of iPhone
b.) username which is: root
c.) password which is alpine (unless you changed it)
d.) Connect Cyberduck to your iPhone
e.) Navigate to the /tmp folder
8.) Go to your files in STEP 1.) (custom firmware for 3.1.3 3Gs that you downloaded) and navigate to the subfolder called: all_flash.n88ap.production folder.
Take all the files in that folder and copy into the /tmp folder using Cyberduck. Should be 14 files total.
9.) Go to your files in STEP 3.) (spirit2pwn_r2 you downloaded). Take all the files in that folder and copy into the /tmp folder using Cyberduck. Should be 2 files total.
NOW YOU'RE SET TO FLASH!!!
10.) Now go to your iPhone and open up MobileTerminal.
a.) TYPE: su root
(may ask for password)
HIT RETURN
b.) TYPE: cd /tmp
HIT RETURN
c.) TYPE: chmod 755 pwn_old_boot_r2.sh
HIT RETURN
d.) TYPE: ./pwn_old_boot_r2.sh
HIT RETURN
It will start flashing the files on your iPhone. It will pause a few times. WAIT! don't do anything. WAIT until it's completely done and says [SUCCESS] as the bottom.
11.) REBOOT your iPhone.
12.) plug your iPhone into iTunes. press the OPTION key as you click on RESTORE in iTunes. Make sure you are connected to the internet.
13.) Navigate to the file: iPhone2,1_4.0_8A293_Custom_Restore.ipsw
You created in STEP 2a.) or STEP 2b.)
14.) iTunes will RESTORE your iPhone using iPhone2,1_4.0_8A293_Custom_Restore.ipsw
(Does not take that long)
15.) iPhone will REBOOT and then iTunes will prompt you to RESTORE your files from a BACKUP or as a NEW Phone.
There you go! Whew!
@Dinesh, @Elijah: Assuming the script executed successfully, you've probably used incorrect ipsw.
You need to use 3.1.3 custom ipsw made using PwnageTool (or sn0wbreeze, but if you don't have 3.1.3 SHSH on file, I'd recommend sticking to PwnageTool).
Now you have to put the phone in DFU mode (although it's probably already in DFU now) and restore to 3.1.3 (if you have saved SHSH) or to 4.0 (if you have not).
After you restore to 3.1.3, try reading the instructions more carefully.
@movie: awesome, thx!
Thanks mate, that is awesome! You are a Legend!
Anyone have working YouTube? It's not working for me :( Any fix?
Thanks a lot JB iOS on 4.0 now ! :)))
@Dinesh ok thanks
worked for me 3gs @ 4.0
thxxxx
@Livon: YouTube works perfectly. Just watched Vangelis-Conquest of Paradise as a test.
Now, MxTube is another story... that continues to crash. Hopefully someone will update it soon.
Also, MobileTerminal crashes. So I found one updated for ios4 from the source macosmovil.
msft: Still the same thing for me,,black screen...turn on itunes it sees the phone in the recovery mode,,try to custom restore on 4,,but gives error 1600
@Elijah - did it work for you,,if yes how?
@movie i am I correct in assuming iTunes 9.2 needs to be used in order to restore to the custom iOS 4 ipsw? Also it looks like you didn't use recovery mode while restoring the custom ipsw, is this correct?
@Dinesh the reason it's not working for you is because you are in DFU mode, not recovery mode (that's what error 1600 means). Just hold power and reset button to get out of DFU, then get into recovery mode.
For those who are looking for 3.1.3 3gs extracted files you can get the whole package here http://www.megaupload.com/?d=XLDN5DAG
Hi,
i have an iphone 3gs with OLD bootrom and the not jailbroken iOS4. I had 3.1.3 with Spirit on it before but hadn't saved the SHSH. Is there any chance to get back to 3.1.3 without the SHSH. The walkthrough sounds very simple but i can't go for it without having a jailbreak and a terminal on the iphone. it makes me mad...
JUST THANK YOU VERY MUCH :)
@Adam:
1) Yes, you use iTunes 9.2
2) Yes, I did NOT go into recovery mode. Simply plug iPhone into iTunes and press option when you hit restore button then you an navigate to the 4.0 pwned firmware and start restore process.
there seems to be a misnomer that you have to go into recovery mode to do this. It's not necessary. That's really if you have issues with your iPhone.
incredible! restoring as a new device and re-syncing everything now. before I did though I saw Cydia sitting nicely on the second page. Works for me!
I have the same question as fatlus...is there a way to get back to 3.1.3 jailbroken or even a way to jailbreak on 4.0 if you had 3.1.3 jailbroken with Spirit.
I don't have the SHSH and I don't have anything more than a clean install of iOS4 on the phone now. I can't seem to even get back to 3.1.3...Any help?
@Move
Thank you for your awesome step by step guide. One question about your instruction on
7.) Open up Cyberduck and connect your Mac to your
iPhone. To use this you need:
a.) IP address of iPhone
b.) username which is: root
c.) password which is alpine (unless you changed it)
d.) Connect Cyberduck to your iPhone
e.) Navigate to the /tmp folder
when i use iphonebrowser, i can see root dir and tmp dir, tmp dir has another 2 dir launchd and payloads.
my question is that is it the same dir where we hav to copy all files, and can i use iphone browser since i have access to those directories.
thanks
iqbal
omg ... i cant jailbreak my iphone 3gs ios4 with ultrasnow . what were happened ? anyone can help me pls ?
Thank you Movie,
I used iphonebrowser in place of your step 7 and successfully patched my 3GS, and now i am on iOS4.
Thank you everyone...
@Iqbal Ansari:
Glad it worked!
I have iPhonebrowser as well but sometimes it's a little wonky and crashes once in a while so I used CyberDuck when doing this kind of stuff. Luckily they're both free!
I don't know what I'm doing wrong. I know I have old bootrom (week 18 manufactured), and 3.1.3 SHSHs on file. I do everything that msft and Movie say to do, I even cooked up my own custom 3.1.3 ipsw with sn0wbreeze. I run the script in MobileTerminal and get the SUCCESS tag at the bottom, I go to reset my iPhone and it won't turn back on. Any help? At all?
The brogster, I am going through the same thing. Guys I have tried the recovery mode too, but it's still giving me 1600 error. Tried both, Mac and PC.
Thanks. I gave up..am going to wait for a clean jailbreak solution. I tried several times. Thanks
didn't work for me as well ...
did everything but still have DFU mode and can't get out of it.
I've tried to restore with a file I made on my PwnageTool and also on sn0wbreeze 1.6.2, but still I get ERROR 1600 every time.
any suggestions ?
Thank you very much! It worked (finally) for me too!
@ Dinesh, @Yakir : I had the same problem, error 1600. I just didn't put it DFU, neither restore mode.
Just simply plugged it in (turned on), and alt+restore the pwned version of iOS 4, and it worked!!
this one on Mob2all seems completely noob!
Wow! I'm living again! It Work Perfect For Me! Thank alot
Thank you "movie" it worked!! woohoo :)
Hey guys, I have posted an article tutorial on this in a very simple way!!
www.thestraightmusic.blogspot.com
Finally! Someone has finally nailed these instructions. Well played, sir. Well played, indeed.
I did that for mine, worked fine up to the restore in 4.0. I have an error code (1600)
@Mathieu: this happens if you restore in DFU mode, use recovery mode (or just let iTunes put your phone into recovery mode for you when you shift-restore).
After rebooting my iphone it went into DFU mode and I can't get out of it. I am trying to restore modded 4.0 or 3.1.3 and I have errors 1601 1602 when doing this. I have 3GS with old bootrom from 17th week. Any ideas?
i get an error
Applying kernel AppleImage3NORAccess patches
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000699 s, 5.7 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000324 s, 12.3 kB/s
2+0 records in
2+0 records out
2 bytes (2 B) copied, 0.000316 s, 6.3 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000386 s, 10.4 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000329 s, 12.2 kB/s
4+0 records in
4+0 records out
4 bytes (4 B) copied, 0.000327 s, 12.2 kB/s
Flashing NOR
[OK] IOMasterPort opened
[OK] AppleImage3NORAccess found: 0x1503
[OK] IOServiceOpen: conn = 0x1407
(FAIL) File not found: 'needservice.s518920x.img3', ABORTINNG
Jeez, I went through hell one week ago with the final result to be stuck on 3.1.3 (again!).
If I knew by then, that a few lines in terminal would make a CFW-update possible.. phew!
Thank you very very much!
Damn!!!!!
I did everything except copy 3.1.3 files from ORIGINAL firmware and now stuck in DFU!!! is my device toast??
please help. What do i do to redo everything just like everybody else?
itunes is not helping nor recboot.
HELP HELP HELP :(
Where can I find and download these 3 things, Cyberduck, MobileTerminal, OpenSSH, to help JB my iPhone? I couldn't find them in the store..
Also, how do I find my ip addy? I have no clue....
Will this work with the jailbreakme.com exploit on an iPhone 3GS will new bootrom on iOS 4.0? I want to have a pwned phone instead of the userland jailbreak.
would love to know Chow's question answered..
I was thinking about asking the same thing..
@Chow, @Ian: Yep, check the latest update (http://code.google.com/p/iphone-img3-flasher/downloads/detail?name=spirit2pwn_r3.zip). It was tested on 4.0.1 and _probably_ works on 4.0 as there were minimal kernel changes. I'll double-check and update this.
@msft_guy:
I tried it, and I think it works..
r3 worked perfect on my 3gs old boot rom that had 4.0.1 running jailbreakme. it allowed me to use sn0wbreeze 2 custom ipsw. thanks for the tut...
http://projailbreak.blogspot.com
GO & Get newest jailbreak :)