Dev-Team Blog

October 2012

Restoration reinvigoration

Today we’re pleased to release redsn0w version 0.9.15b1, with significant new features supporting restoring to older firmware no longer being signed by Apple.  For brevity, we’ll list most of the new features in bullet form.  For more details, please feel free to drop by our comments section, or check out any upcoming guides on tutorial sites like http://iclarified.com

First, the high-level new feature list:

  • restore from any 5.x iOS to any other (up, down or the same) 5.x iOS on all devices as long as you have the correct blobs (see more below)
  • Cydia now included in the tethered 6.0 jailbreak on A4 devices
  • automatically “Just Boot” tethered when qualifying A4 device connects in DFU mode
  • untethered 6.0 jailbreak on old-bootrom 3GS
  • untethered 6.0 hactivation on any 3GS or iPhone4
  • directly restore pre-A5 devices to earlier firmware — no more complicated 15-step how-to’s with stitching, iTunes errors, and “hosts file” concerns
  • fetch new signed blobs for any IPSW (present or future — no redsn0w update required) using Extras->SHSH Blobs->New
  • block the BB update for any 3GS or iPhone4 restore (past, present, or future — no redsn0w update required) using Extras->Even More->Restore
  • deactivate any iPhone, useful for testing your “official” unlock status through iTunes.  (Please only deactivate your own iPhone!)
  • activation status shown on “Even more” page
  • significantly more (very nerdy) info returned by “Identify” button when device is in Normal mode
  • tethered jailbreak of ATV2 supported (but the only thing available for it is the SSH2 custom bundle available here — no Cydia yet.  Must use “Select IPSW” for tethered boot of ATV2 for now).
  • auto-exit WTF mode for older devices with broken buttons
  • any time a set of blobs is fetched remotely (from Apple or Cydia), redsn0w also saves them locally (and will check there first if you click “Local”)
  • for your future restoring convenience, you should also submit all of your past and present TinyUmbrella blobs to Cydia if you haven’t done so yet.  Resubmitting is okay and won’t cause conflicts.

Here are more details on the iOS5-to-iOS5 restores for A5+ devices.  (Note: pre-A5 devices don’t have these restrictions — just follow the redsn0w prompts during the restore).

1. redsn0w now lets you restore an A5+ device from any iOS5 to any other iOS5 as long as you have correct 5.x blobs for the starting (current) and ending points of the restore

  • APtickets eliminated “higher-version only” comparison of firmware restores (just like BBtickets did for the baseband)
  • example restores supported by redsn0w if you have the correct blobs: 5.1.1-to-5.0.1, 5.0.1-to-5.1.1, 5.1.1-to-5.1.1, 5.0.1-to-5.0.1
  • if you don’t have the blobs locally, let redsn0w try to fetch them remotely (redsn0w always tries both Apple and Cydia).  Any successful remote fetch also saves a local copy.

2. You DO NOT QUALIFY for iOS5-to-iOS5 restores if you got to your current 5.x via an OTA update

  • the tickets saved by Cydia, redsn0w, and TinyUmbrella do not cover OTA update ramdisk images 
  • even if they did, it’s the “wrong kind” of ramdisk (you’d need to start at that earlier pre-OTA FW)
  • devices fresh from factory or refurb may fall in the “does not qualify” category (your results will vary)
  • it’s okay if you previously got to 5.x via an OTA update, as long as your current 5.x was installed via a normal iTunes restore.  All that matters is how you got to your current 5.x most recently
  • redsn0w detects an OTA/normal-restore APticket mismatch very early, so if you don’t know your status there should be no harm in trying.  Any device in recovery mode after such a mismatch can boot normally again just by going back to “Even More” screen from the “Restore” screen (or use “Recovery Fix” if you quit redsn0w before doing that).

3. Unlike the A4 devices, redsn0w can’t (usefully) prevent the baseband updates of A5+ iPhones and iPads.

  • and so, redsn0w automatically flashes the currently signed baseband when it does A5+ restores, even if those basebands didn’t come with the original firmware
  • stay away from this if you have an unofficial unlock that isn’t supported by the newest baseband
  • the least-tested baseband update code in redsn0w is for iPad2,3 and iPad3,2.  Please give any feedback on those iOS5 restores in the comments section below.

4. iPad2 owners (all three models) with saved 4.x blobs can use those instead, even from 6.x

  • if you have both 4.x and 5.x iPad2 blobs, you can always get to 5.x via the 4.x blobs, even if you’re currently on 6.x
  • you cannot get to 5.x from 6.x without the 4.x blobs (but you may still qualify for the iOS5-to-iOS5 restore described above)
  • if somehow you have 4.x blobs but no 5.x blobs, you can still go down to 4.x from 6.x
  • this only applies to iPad2 owners (they’re the only A5+ devices that ever had a public 4.x FW)
  • redsn0w still supports (but doesn’t require) jailbreaking A5+ devices at 5.0.1 and 5.1.1.  Just head back to the first page after re-restoring to 5.x.  It’s always much faster to jailbreak those FW versions with a freshly-restored device, before letting iTunes restore from a saved userland backup.

And finally, some random details:

5. ultrasn0w isn’t yet updated for 6.x

  • by now you probably should be taking advantage of the extremely cheap IMEI-based unlocks of iPhones sold by established online retailers like http://cutyoursim.com
  • still, IMEI-based unlocks don’t work in all cases.  We’ll announce when ultrasn0w is ported up to 6.x
  • redsn0w will still hactivate your 3GS or iPhone4 if you run it before the device is activated.  Due to the current tethered 6.x JB status, redsn0w now hactivates 6.x without requiring subsequent tethered boots.  If you accidentally hactivate with redsn0w, use the “Deactivate” checkbox available from the Jailbreak screen, not the normal one in “Even more”

6. As always, redsn0w lets you “Fetch” the SHSH blobs currently flashed onto your pre-A5 device

  • use this if you’re at 5.x or 4.x but without having saved your blobs when the window was open
  • this is only useful when Apple is no longer signing the firmware, otherwise Cydia/redsn0w “New”/TinyUmbrella blobs are superior (but you’re welcome to fetch your 6.0 blobs this way anyway)
  • fetching blobs in this fashion will automatically forward them up to Cydia, as well as save a local copy

We realize there’s a lot of info in this post.  If you’re at all confused about things remember to visit our comments section, with our very helpful user base and moderators like dhlizard, Frank55, 41willys, and slavakulikoff.

If you’re in the Melbourne, Australia area, MuscleNerd (and another anonymous long-time Dev Team member) will be giving some talks at the Breakpoint conference http://www.ruxconbreakpoint.com this week.  And @mdowd’s iOS talk at the same conference should be quite interesting too!  We’ll also all be attending Ruxcon a few days later, so say hi if you see us!

Update #1 (Oct 15): Version 0.9.15b2 fixes a few issues for 3GS owners: old-bootrom awesomeness is no longer forgotten directly after a restore, and iPad baseband upgrade/downgrade support is fixed (same production date cutoffs apply!).  If your 3GS is currently tethered at 6.0 even though you have an old bootrom, just re-run redsn0w’s Jailbreak step (no need to restore).  Don’t forget you can add some pizzazz with your own boot logo or a nerdy verbose boot.

Update #2 (Nov 1): Version 0.9.15b3 fixes the redsn0w “error 2601” that Windows users were seeing using the Restore button.  It also fixes a related Windows iTunes error 14 for stitched files.   Note that if you have a baseband, you should probably avoid stitching and simply use redsn0w’s native Restore (not iTunes).  

Those lucky recipients of new iPad minis and iPad4s on Friday can use this redsn0w to save your 6.0 blobs off to Cydia.  First connect your new device and turn it on, then use redsn0w’s Extras->SHSH Blobs->New and point it at the 6.0 IPSW.

Expect an ultrasn0w compatibility update for iOS 6.0 by Friday (mostly useful for 3GS old-bootrom users who are currently enjoying the untethered 6.0 jailbreak!).  Same baseband support as with 5.x.

Thanks to @iamgolfy for helping test the 2601 Windows fix!

Here are the download links.  Enjoy!

  • redsn0w 0.9.15b3 (OS X — use Ctrl-Click->Open if on Mountain Lion for now)
  • redsn0w 0.9.15b3 (Windows — run in Administrator Mode)

Oct 14, 2012 (104 notes)
#redsn0w

September 2012

Blob-o-riffic

Today marks the public release of iOS6!  For those devices capable of running 6.0, the 5.1.1 SHSH blob signing window will soon close, so it’s very important that you back up your 5.1.1 blobs now while you still can.  We advise you do it for every device you have (see tutorial sites like iClarified if you don’t know the process).

A few months back we released a redsn0w feature that lets you downgrade A5+ devices from 5.1.1 to anything lower (if you had saved blobs).  Unfortunately once the 5.1.1 window closes, redsn0w’s 5.x downgrade feature will no longer work.  Most A5+ users will not be able to downgrade.  So if you’re an A5+ owner up at 6.0 when the 5.1.1 window closes, you’ll be stuck there without a jailbreak for now.

We’re happy to report there are some serious deficiencies in the 5.x restore process that are permanently exploitable. They’ll never be fixable by Apple because they’re all self-contained in the 5.x IPSWs.  Here’s the breakdown:

  1. A4 devices and 3GS will always be downgradable (and jailbreakable) with saved blobs due to limera1n.  The tethered iOS6 jailbreak for those devices (and untethered for old-bootrom 3GS) will be out when Cydia and other important pieces are all working properly.
  2. iPad2 owners who have both 4.x blobs and 5.x blobs will always be able to downgrade to those versions, even once you come up to 6.0 and the 5.1.1 window closes (don’t do that yet though!).  You need both 4.x and 5.x blobs to qualify for the 5.x downgrade even though you only wish to downgrade to 5.x (you need only your 4.x blobs to downgrade to 4.x)
  3. iPad3, i4S (and iPad2 owners who don’t satisfy #2) will always be able to RE-restore the current 5.x OS that’s already on their device.  So if you’re at 5.1.1 when the window closes (and you’ve saved your blobs), you’ll always be able to RE-restore to 5.1.1 again.  This makes the 5.1.1 jailbreak a lot less fragile — you don’t have to worry about messing up your install with funky extensions or getting into a boot loop, because you can always RE-restore from 5.1.1 to 5.1.1 again (or from 5.0.1 to 5.0.1 again, etc).  But once you fall off the 5.x train by restoring to 6.x, you’ll be stuck there until the next jailbreak.

Please be aware that RE-restores and iPad2 downgraded devices will always end up with the latest baseband (not the one that came with that firmware).  So don’t go near any of this if your unlock depends on the baseband version.

All of these features will be released shortly in a new version of redsn0w.  In the meantime please be sure you have your 5.1.1 blobs and stay at 5.1.1.  Happy iOS6 day!

Update #1: For a refresher on why saved blobs are not as powerful as they used to be, please see our Blob Monster post (the scenarios described above are possible only due to mistakes made by Apple, but those mistakes are being cleaned up with each new firmware).

Sep 19, 2012 (28 notes)

July 2012

Baseband Freedom

Happy 4th of July!  Today’s release of redsn0w 0.9.14b2 improves the iPad baseband downgrade and should cover anyone who couldn’t downgrade with 0.9.14b1.  This version covers 3 different types of NOR chips in the iPhone 3G and 3GS (the earlier version covered only the most prevalent NOR chip).  We’ve also simplified the process and added logging to help diagnose any remaining stubborn iPhones.

The revised steps are:

  1. Connect your iPhone in normal mode, then click “Jailbreak” after redsn0w identifies its model and BB version (you needn’t pre-select the IPSW anymore).
  2. Choose the “Downgrade from iPad baseband” option (you needn’t worry about de-selecting Cydia anymore).
  3. Do a controlled “slide to power off” shutdown of your phone and proceed through the normal DFU ramdisk steps.

Should the downgrade fail to take, feel free to leave the redsn0w log in the comments below.  Use the “Extras->Even more->Backup” button to grab a copy of /var/mobile/Media/redsn0w_logs, then extract the log text file(s) from the zip and paste them into the comments (currently that log file is generated only during baseband downgrade runs).

NOTE: The original warning about 3GS units manufactured in early 2011 or later still holds!  They have a NOR chip that’s incompatible with 06.15.00 and so trying to install it will brick the device.  Please read and re-read the warning in our earlier post. 

Thanks to bobmutch, @healeydave and @dilbert4life for lending us their iPhones to improve the baseband downgrade!

DFU IPSW

We’ve gotten a lot of feedback from users who can’t launch a DFU ramdisk because their iPhone home/power buttons are broken or intermittent.  We’ve added a new redsn0w feature that lets you enter DFU mode as long as your phone is healthy enough to restore to a normal, everyday IPSW.  You don’t need to be already jailbroken to use this method.

In redsn0w, go to “Extras->Even More->DFU IPSW” and select an IPSW that is currently being signed for your device and that you’d normally be able to restore to without any hacks.  redsn0w will create an “ENTER_DFU_” version of the IPSW that you can restore to just like any other IPSW, except that now you’ll be dumped into DFU mode towards the end of the restore (WARNING, your screen will remain completely black…the only way to even know it’s on is that iTunes and redsn0w will detect it!).  The technique used by this feature is 3 years old but surprisingly still works today!

Update #1 7/25/12: redsn0w is compatible with today’s retail release of Mountain Lion OS X 10.8.  Until we start using an official developer ID for it (!), you’ll need to use the new Ctrl-Click-Open security bypass the first time you run it after downloading.

Here are the download links.  Enjoy!

  • redsn0w 0.9.14b2 (OS X)
  • redsn0w 0.9.14b2 (Windows — run in Administrator Mode)

Jul 4, 2012 (76 notes)
#redsn0w #Ultrasn0w

June 2012

0615 fun

The iPhone Dev Team is happy to announce a baseband downgrade option in redsn0w for those who are using the iPad’s 06.15 baseband on the iPhone3G or iPhone3GS.

Typically you’d have the 06.15 baseband if you unlock with ultrasn0w but updated your iPhone baseband past 05.13.04.  With this new capability, you can now downgrade specifically from 06.15 to 05.13.04 (even if you never had 05.13.04 on that device before).  This gives you the best of both worlds: ultrasn0w compatibility and a normal iPhone baseband with full GPS and the ability to use stock IPSWs again.

Here are the steps:

  1. Use the “Extras->Select IPSW” button in redsn0w to tell it which firmware version you have installed (new-bootrom 3GS users can usually skip this step but it doesn’t hurt for them to do it too).
  2. Do a controlled shutdown of your iPhone (“slide to power off”).  This step is very important to avoid mount problems when the ramdisk is running!
  3. Go back to the first screen and click “Jailbreak”.  Enable the “Downgrade from iPad baseband” checkbox, disable Cydia if you already have it installed, and click Next to proceed through the normal DFU ramdisk steps.

After the ramdisk gets launched and you see the Pwnapple running on your iPhone, you’ll eventually get to the “Flashing Baseband” step.  THIS STEP TAKES A VERY LONG TIME to complete and there won’t be any feedback while it’s running.  Please just let it be for the next 3-8 minutes!  When the ramdisk has done its job it will reboot the phone on its own.

For those who are wondering if you can update your 3G or 3GS to 06.15 solely for the purposes of downgrading to 05.13.04, the answer is “yes” for 3G owners, and “maybe” for 3GS owners.  The iPad baseband is not compatible with 3GS units manufactured week 34 of 2011 or later.  If you have an iPhone3GS and if digits 3-5 of its Serial Number are 134 or later (xx134…), then you should NOT try to install the 06.15 baseband on your 3GS!  It will brick your radio, preventing both the downgrade from working and normal iPhone software from using it as a phone!  Be warned!

Thanks very much to @dilbert4life for graciously loaning us his 3GS at 06.15 (we had no such devices because we always prevent BB updates!).

If you have any questions or comments, please use our comments section below!

Here are the download links.  Enjoy!

  • redsn0w 0.9.14b1 (OS X)
  • redsn0w 0.9.14b1 (Windows — run in Administrator Mode)

Update #1: If you’re still using ultrasn0w after going down to 05.13.04, many people have reported that re-installing Mobile Substrate and/or ultrasn0w fixes crashes and “No Signal”.


Update #2: There’s a subset of 3GS iPhones that won’t take the downgrade.  We now understand why (they use a slightly different NOR chip), and should be receiving a loaner of such a phone on Thursday the 28th.  After we have one in hand we’ll tweak the redsn0w payload to handle that variation too! The improved downgrader is now available here.

Jun 18, 2012 (67 notes)
#redsn0w #Ultrasn0w

Pre-DC

With only a week to go before WWDC 2012 and the surprises Apple will announce there, today seems like a good time to release updates to our suite of free software to include the rocky-racoon jailbreak and untether developed by @pod2g and @planetbeing!  Today’s updates are:

  • PwnageTool 5.1.1
  • redsn0w 0.9.12b1
  • cinject 0.5.4 (version 0.5.3 also had rocky-racoon but this includes some updates)
  • ultrasn0w 1.2.7 (5.1.1 compatibility only - no new baseband support)

If you’ve already installed rocky-racoon, don’t bother reinstalling it unless you’ve had problems and would like to try a different tool.  The underlying untethered jailbreak (rocky-racoon) is identical to what is already installed by last week’s tools like Absinthe, cinject-0.5.3, and the rocky-racoon Cydia package — only the injection method offered by the above tools differs.

redsn0w allows owners of A4+earlier devices to install rocky-racoon two different ways:

  • backup/restore method similar to Absinthe and cinject
  • its traditional limera1n-based ramdisk install.  If you have a lot of media on your A4 device (music, movies, TV shows, etc), then the ramdisk method is preferred because it avoids any possibility of later problems related to syncing to iCloud (including Photo Stream and Music Match).  The ramdisk method is not available for A5 devices or later because limera1n can’t be used.  If you’d like to use redsn0w’s ramdisk method, just be sure to put the A4 device in DFU or Recovery mode before starting redsn0w (otherwise it will immediately start to use the backup/restore method).

We’ve also added a new redsn0w feature specifically for those who got in on the SAM unlock: you can now include your SAM tickets as part of your initial ramdisk jailbreak of iPhone4 or earlier, or alternatively you can upload your SAM tickets to any device after it’s been jailbroken.  redsn0w accepts either the individual SAM activation ticket plist file, or the entire zip file created by redsn0w’s “Backup” button.  As usual, redsn0w continues to cover all of its previous jailbreaks and untethers (so redsn0w-0.9.12b1 covers everything from 5.1.1 all the way back to 4.1).

PwnageTool also avoids any possible sync issues, but again it applies only to A4+earlier devices.  If you unlock your iPhone with ultrasn0w or a commercial method, you must use PwnageTool to avoid updating your baseband otherwise you’ll lose the unlock.  PwnageTool will also jailbreak+untether the AppleTV2,1 5.0_2B206f (unless you customize the IPSW further, you’ll have just basic SSH access to the device).

If you’d like to contribute to those that actually developed rocky-racoon, please visit here (any other links you may see are not going to the actual rocky-racoon developers, they’re being diverted to other “related” or fraudulent accounts).

This particular jailbreak brought an unusual amount of fanfare and hoopla to the table, including “press releases” and other haughty silliness.  We’d just like to take this opportunity to remind everyone that jailbreaking is about freedom, not fame and donations!

Here are the download links.  Please use our comment section below to give feedback.  Enjoy!

Update #1: Starting with version 0.9.12b2, redsn0w will now explicitly ask users with limera1n-able devices whether they want to inject rocky-racoon using the DFU ramdisk method or the backup/restore method (the ramdisk method is better for those with lots of media on their device that would create very large backups, and it’s required for those with unactivated iPhones).  If you’ll always want to use limera1n, you can select that in the Preferences pane.  It also fixes an iBooks issue on old-bootrom 3GS iPhones, and provides more useful error messages when things go wrong.

  • PwnageTool 5.1.1 (OS X)
  • redsn0w 0.9.12b2 (OS X)
  • redsn0w 0.9.12b2 (Windows — run in Administrator Mode)
  • cinject 0.5.4 (OS X + Windows)
  • ultrasn0w 1.2.7 — install this via Cydia
Jun 4, 2012 (60 notes)
#pwnagetool #redsn0w #Ultrasn0w

May 2012

5x redux

What’s old is new again!

Jailbreakers with devices that pre-date the iPad2 will always be able to downgrade (with SHSH blobs) to previous firmware versions due to geohot’s limera1n exploit, which allows us to bypass the restrictions that Apple places on restores.  But until now, that ability has been limited to those older devices (if you have an older device and don’t know how to do that, check the popular tutorial sites or ask in the comments below).

Starting with redsn0w version 0.9.11b1, those with newer devices (iPad2, iPad3, and iPhone4S) can join the downgrade fun too!  In a radical departure from previous versions of redsn0w, it now directly supports restoring IPSWs to your device.  The first use of this new feature implements a hack that allows A5 downgrades without a bootrom-level exploit.

Some important points:

  • The new feature is at Extras->Even More->Restore
  • You cannot downgrade without the personalized SHSH blobs for your device at that lower firmware.  You need to have fetched those blobs while the signing window was open, using either Cydia’s built-in TSS@Home feature, or with TinyUmbrella.  The new Restore screen of redsn0w lets you choose either the remote blobs or local ones (for the earlier firmware).  If you don’t know where TinyUmbrella put your blobs, TinyUmbrella has a button that will show you (copy them out of that folder and feed them to redsn0w).
  • The A5 downgrade method actually updates to the latest firmware before downgrading to the earlier one. This process updates your baseband to whatever is newest.  DO NOT USE THIS METHOD IF YOU RELY ON UNOFFICIAL UNLOCKS of your iPhone4S.  Those who used the temporary SAM technique to unlock their iPhones to specific SIMs shouldn’t be affected by this baseband update.
  • This method can be fixed by Apple with a firmware update.  It’s a (pleasant) mystery why they haven’t fixed it yet, because reverse-engineering of the restore ramdisk indicates they do know about it.  It’s possibly too niche to bother to fix right now.
  • The least-tested devices with this method are the iPad2,3 and iPad3,2 (because we don’t have those models).  If you do and you feel like experimenting, please let us know how it turns out in the comment section below!
  • This update involves a bunch of new redsn0w code.  We recommend sticking to the previous version 0.9.10b8b unless you’re specifically using this new feature, until all the bugs are worked out!  (Note: If redsn0w gets stuck at the “Waiting for device” stage for more than 30 seconds, you’ve hit a pesky GUI bug…that will be fixed in an upcoming version!)

Of course all eyes are on @pod2g for his upcoming 5.1 untethered jailbreak.  Watch his blog or twitter feed for the latest updates about that, but in the meantime if you accidentally updated your jailbroken A5 device to something later than 5.0.1, feel free to try this new A5 firmware downgrade feature of redsn0w!

Update #1: We accidentally left out one of the two flavors (“9A406”) of 5.0.1 for iPhone4S.  It’ll be in the next update, but in the meantime check if Cydia or TU saved your blobs for the other 5.0.1 for iPhone4S (“9A405”). Version 0.9.11b2 adds support for that second “9A406” flavor of 5.0.1 for the iPhone4S.

Update #2: Version 0.9.11b3 should fix the spurious “Restore failed” messages people were sometimes getting, and it behaves better with nearby devices that have wifi syncing enabled!

Update #3: Version 0.9.11b4 completes the tethered JB support for 5.1.1 on A4 devices and earlier, including proper “Stitching” and “Custom” creation of NO_BB IPSWs.

Here are the redsn0w download links:

  • redsn0w 0.9.11b4 for OS X
  • redsn0w 0.9.11b4 for Windows (be sure to run in Administrator mode)
May 11, 2012 (36 notes)
#redsn0w

March 2012

iPad(3) Fever!

Despite the awkward name Apple announced last week for the new iPad (we’ll continue to call it iPad3!), by all signs it’s going to be another big hit.  We suspect many of you are lined up at this very minute, and so it’s a good time to give you some info for maximizing your chance to eventually jailbreak the iPad3.

There are a few bits of good news already.

  • We can confirm that the method used to jailbreak the iPad2 4 months ago (before corona) still works even in 5.1.  That means we’ll at least be able to get our foot in the door to get the required kernel dumps on the iPad3.  That’s an important step, but by no means is it the end of the story.
  • Those of you following @i0n1c may have noticed he’s already tweeted pictures of his iPad2 jailbroken at 5.1.  As far as we know, he’s using a method completely unrelated to the one mentioned above.  That would be great news!
  • We’ve also seen bits and pieces of an entirely different jailbreak method being investigated by someone close to the Cydia repo scene: @phoenixdev

That’s three different angles, and we’re not even including the continuous work @pod2g makes towards a new jailbreak!  As always, keep in mind this is very preliminary progress, and it’s impossible to predict how or when these things turn out.  The only thing you need to remember is the golden rule:

Don’t update your new iPad3 past whatever iOS it comes shipped with

By the way, it’s rare but entirely possible that some of you may find your iPad3 comes with an iOS version that’s not quite 5.1.  If you do, be sure to let us know in the comments below!

Update #1: It turns out that all three of the jailbreak methods mentioned above have had great success today!  We’re off to a good start (but remember there’s still lots of work to do)!

  • Method 1 shown by @MuscleNerd
  • Method 2 shown by @i0n1c
  • Method 3 shown by @chpwn and @phoenixdev
Mar 16, 2012 (40 notes)

March Mayhem

As the whole tech world waits for today’s Apple Event, it seems like a good time to remind both veteran and amateur jailbreakers about the fundamental rule of jailbreaking:  Avoid firmware updates!

In all likelihood we’ll see the GM “gold master” version of 5.1 this week.  DO NOT UPDATE TO 5.1, because you may lose your jailbreak!  The rest of this post details the subtleties with this rule, but if there’s only one message to take home, it’s the overall “do not update” message!  Now for the nitty gritty exceptions:

  • Soon after 5.1 appears on Apple’s public servers (i.e. iTunes starts to offer it), Apple will stop signing 5.0.1 SHSH blobs.
  • If you have an iPhone4S, the basic rule above is really the only rule:  you cannot restore back to 5.0.1 once the 5.0.1 signing window is closed, no matter what (even if you saved your SHSH blobs).
  • If you have an iPad2 with saved 4.x hashes, you can in fact downgrade to that 4.x but you won’t be able to get to 5.0.1 once the 5.0.1 signing window is closed (even if you saved your 5.0.1 SHSH blobs).
  • If you have a device earlier than the iPad2, you can downgrade to whatever version you want, as long as you have saved SHSH blobs for that version.  You’ll need the assistance of geohot’s limera1n exploit with tools like redsn0w to get into “pwned DFU mode” and bypass the downgrade restriction.

As you can see, it really is a nuanced landscape so it’s sometimes hard to drive the message home to new jailbreakers.  But the basic rule is the simplest (and it’s better to be safe than sorry!):  If you update to 5.1 you’ll very likely lose your jailbreak, so don’t do it!  Exceptions are noted above.

Now let’s see what Apple unveils today!

Update #1:  First, please read and re-read the above warnings!  With all of that in mind, we realize that some of you non-A5 jailbreakers are itching to get to 5.1, even though there seems to be no compelling new feature there. Because of geohot’s limera1n exploit, those with devices earlier than the iPad2 can test the 5.1 jailbreak waters if they really want to, using redsn0w 0.9.10b6.  Here’s what you need to know:

  • This is a *tethered* 5.1 jailbreak for non-A5 devices.  You’ll need to use redsn0w to “Just Boot” your device every time it power cycles, otherwise jailbreak apps won’t work (neither will Safari).
  • If you use ultrasn0w for your carrier unlock, be sure to use a custom IPSW to get to 5.1 first!  Don’t ever restore to a stock Apple IPSW!  Use redsn0w’s “Custom IPSW” button to create a NO_BB_* version of the 5.1 IPSW and restore to that instead of the stock one.  (That option is available only to 3GS and iPhone4-GSM owners.)  ultrasn0w itself will be updated for 5.1 in the next few days (same baseband support, not 5.1’s baseband).
  • If you’re lucky enough to have an old-bootrom 3GS, this jailbreak is actually untethered (redsn0w will figure that part out automatically).
  • While we were at it, we added @pod2g’s steaks4uce exploit to support MC models of the iPod touch 2G (whose last firmware was 4.2.1).  So now redsn0w will auto-detect and jailbreak both MB and MC versions of that older device.
  • iBooks won’t work until a future update of redsn0w

Update #1b: The OS X version of redsn0w has been updated to fix an issue for those running OS X 10.5.x or earlier.

Update #2: Version 0.9.10b7 of redsn0w adds a collection of useful features:  It finally implements the corona-A5 jailbreak for iPhone4S and iPad2 devices still at 5.0.1.  It can also re-install that jailbreak for those who accidentally uninstalled the untether.  When stitching an IPSW, it can now grab your blobs directly from Cydia.  It now shows a lot more info about your device (for instance, whether your iPhone3G has the vulnerable baseband boot loader, or whether your iPhone3GS has the old exploitable bootrom).  (And the next new feature to be added will be built-in restore support, to provide an alternative to iTunes restores.)

Update #3: redsn0w 0.9.10b8 adds the ability to back up arbitrary directories or files from your device into a zip file on your Mac or PC.  The new button is Extras->Even More->Backup and it requires your device to be jailbroken with the afc2 service enabled (most jailbreaks include that).  By default it will back up your activation records from /var/root/Library/Lockdown, which is useful for everyone taking advantage of today’s SAM unlock using Loktar_Sun’s trick (more on that in a later post!).

Update #3b: The 0.9.10b8b update to redsn0w makes the zip files more compatible with the native Windows explorer (which doesn’t like leading slashes in the filenames).

Here are the redsn0w download links:

  • redsn0w 0.9.10b8b for OS X
  • redsn0w 0.9.10b8b for Windows (be sure to run in Administrator mode)

Mar 7, 2012
#redsn0w

January 2012

2 posts

Welcome new A5 jailbreakers!

Here’s a quick breakdown of how many A5 owners have jailbroken their devices since Friday morning.  The numbers as of Monday afternoon are:

  • 491,325 new iPhone4,1 devices
  • 308,967 new iPad2 devices
  • 152,940 previously jailbroken (at 4.x) iPad2 devices

Total: 953,232 new A5 jailbreaks in a little over 3 days

The reason these numbers can be so precise is that one of the housekeeping activities that happens when you launch Cydia is a query to @saurik’s server for the list of available SHSH blobs.  (Even if you have none on file, the query is still made).

Welcome to the jailbreak family!

P.S. Remember the cardinal rule of jailbreaking: never update your firmware until a new jailbreak is available.  This is especially true for A5 owners, who currently have no way of restoring to 5.0.1 once the 5.0.1 SHSH blob signing window is closed.

Jan 23, 2012
Corona A5 jailbreak nearly ready to pop!

Ever since the December release of @pod2g’s “corona” untether for iOS 5.x on A4 and earlier devices, all eyes have been on the attempts to extend it to the A5 devices: the iPhone4S and iPad2.  Due to the combined efforts of @pod2g and members of the iPhone Dev Team and Chronic Dev Team, we’re nearly ready for a general release!  All technical hurdles dealing with the underlying technique have been overcome, and it’s now all about making the jailbreak as bug free as possible.

On his blog, @pod2g playfully nicknamed the combined effort a “dream team”.  It’s an ironic name, because the past few weeks have left everyone involved with very little sleep and the opportunity to dream :) But we’re now near the final stages of testing the public version of the jailbreak.  Please allow time to clean up any remaining bugs in the jailbreak clients.

Jailbreak programs:

To be as flexible as possible, the A5 version of the corona jailbreak will take multiple forms:

  • Chronic Dev have incorporated the overall flow into a GUI that runs on your Mac or PC.  The goal is for the GUI to be enough for most cases.
  • iPhone Dev have also incorporated the exact same flow into an alternative command-line interface (CLI). This will allow us to help users through individual steps of the jailbreak manually, to both help the user and help improve the overall flow.  Although the CLI will also allow the user to perform the entire jailbreak from beginning to end, we anticipate it will be more useful in debugging the occasional errors.  The CLI currently has over 20 individual options (in addition to the single “jailbreak” option) that should be useful during debug after the GUI release.
  • Once all the bugs in the flow are worked out, we’ll also incorporate it into the redsn0w GUI (but still leave the CLI freely available too).  In order to maximize the chances of the jailbreak working for everyone, the redsn0w GUI will use native Apple iTunes libraries — this technique is slightly different than how the Chronic Dev GUI handles communications, and should provide nice combined coverage for all the odd computer configurations out there.

Paypal Contributions:

Because there were so many different people and teams involved in the A5 corona release, we all felt the most equitable approach to any Paypal contributions should involve a single shared account.  If you do feel the desire to contribute to the “dream team” Paypal account, it will be distributed to the members according to internally agreed-upon proportions :)  (Please refer to this blog post for that specific http://is.gd/39YMWg link, to avoid frauds!)  The same link will be on both the Chronic Dev and iPhone Dev versions of the GUI.  This method seemed like the fairest to everyone involved!

Firmware:

The supported firmware versions will be:

  • iPhone4S: 5.0 (9A334), 5.0.1 (9A405) and the “other” 5.0.1 (9A406)
  • iPad2: 5.0.1 (9A405)

iPhone4S owners looking to maximize their chances of achieving an eventual software-based carrier unlock should be staying at 5.0.  Everyone else should be at 5.0.1.  If you’re an iPhone4S owner who already updated to 5.0.1, it’s too late to go back down to 5.0, but if you’re on 9A406 it is possible to downgrade the BB by going to the 9A405 version of 5.0.1 while the window is still open.

Support:

The overall flow used by the GUI and CLI to inject the A5 corona jailbreak has never been done before, and there may be unforeseen problems once it’s released to the public.  It’s very important for you to sync your data, photos, and music before attempting any version of this jailbreak.  We’ll be watching the comments section below for signs of any widespread problems, but please be aware that you jailbreak at your own risk! 

When:

As mentioned at the start of this post: when testing has shown most of the bugs have been fixed!

Updates:

  1. If the Absinthe webclip shows “Error establishing a database connection”, please go to Settings, turn on VPN and wait instead.  
    • Toggle VPN only AFTER Absinthe says it’s done, or it will not work. 
    • VPN SHOULD error and then reboot soon. If it does not, rerun Absinthe!
  2. If you get a strange problem, we advise you to restore your iPhone with iTunes, if you can (i.e. if you’re not on 5.0 waiting for an eventual 4S unlock).
  3. The OS X version of the CLI mentioned in the post can be downloaded here.  It’s primarily to help us debug specific issues, but tinkerers might like to play around with some of its advanced options!  More info is here.
    • Version 0.4.3 adds support for Windows users.  It also makes the “-j” jailbreak option much more functional :)  See the README.txt for usage.
Jan 20, 2012

December 2011

1 post

Untethered holidays

@pod2g has created a terrific gift for iOS fans — an untethered 5.0.1 jailbreak for non-A5 devices! 

Many of you have already been following @pod2g’s blog where he’s been keeping everyone up to date on his progress.  And so you know that he recently decided to push the button on a release for all devices except the new iPhone4S and iPad2.  @pod2g’s untether involves two separate exploits and a few other “tricks” — and since he’s taken the @comex approach of doing nearly everything himself, you know his plate has been full these past few months!

A few days ago, @pod2g gave the untether to both the iPhone devteam and the chronic devteam.  We’ve put it into redsn0w 0.9.10 and PwnageTool, and the chronic devteam put it into a Cydia package (the same set of exploits is in all three).

Here are the basic steps for how to get it:

  • The untether is for iOS 5.0.1 on iPhone3GS, iPhone4, iPhone4-CDMA, iPad1, iPod touch 3G, iPod touch 4G
  • If you have one of those devices and are not on 5.0.1 yet, update now!  The SHSH window is still open for 5.0.1.  If you unlock via ultrasn0w or gevey, make sure you only get to 5.0.1 via a custom IPSW!  See the guides at places like iClarified.com if you don’t know how.  Once you’re at 5.0.1, use the latest redsn0w 0.9.10 to both jailbreak and untether.
  • If you’re already at 5.0.1 with a tethered jailbreak, you have two choices: either run redsn0w 0.9.10 over your current jailbreak (deselect “Install Cydia” if you do that), or install the Cydia package prepared by the chronic devteam.  The patches are the same regardless of which you choose.
  • Some of you are using a hybrid 5.0/5.0.1 configuration.  If so, do not attempt to install this untether over that setup!  You will most likely get into a reboot cycle.  Do a sync and fresh restore to 5.0.1 then install the jailbreak + untether.

As mentioned earlier, @pod2g has spent months working on all the exploits and tricks in this untether, and many of you may be wondering how you can send donations.  Although the iPhone devteam itself doesn’t take donations, we thought it was appropriate to provide a link at the end of the redsn0w run for you to more easily donate directly to @pod2g if you wish (alternatively, you can go right here).  There’s a link in the Cydia package for donating to the chronic devteam for the Cydia version of @pod2g’s untether.

@pod2g is now looking for a way to extend this to A5 devices.  Because those devices cannot use geohot’s limera1n exploit to inject the untether, they require exploits above and beyond those used for this release.  Keep following pod2g on twitter or his blog for any progress reports!

Update #2: The b2 version of redsn0w includes the launchctl-related fix by @planetbeing as mentioned by @saurik here and here.  As usual, you can just re-run redsn0w in jailbreak mode over your existing 5.0.1 jailbreak (even a PwnageTool one), making sure to de-select “Install Cydia” if you do.  Always be sure to do a controlled “slide to power off” shutdown of your device before running redsn0w.

Update #3: The b3 version of redsn0w fixes a problem where re-running redsn0w over an existing jailbreak would cause MobileSubstrate-based apps to stop running until MS was installed again.  Now you can re-run the redsn0w jailbreak step without worrying about that (but still remember to de-select the “Install Cydia” option if it’s already installed).

Update #4: The b4 version of redsn0w incorporates the 5.0.1 fix for iBooks, and also for sporadic problems with launchctl.  Thanks to @xvolks for merging the iBooks (sandbox) fix from @comex’s github into the overall corona untether from @pod2g!  

Update #5: redsn0w version b5 incorporates yet another fix for iBooks, this time involving DRM.  @planetbeing wrote a utility called “crazeles” that overcomes jailbreak detection by iBooks that would cause about 10% of images to show incorrectly.  This fix is similar to the “hunnypot” fix that @comex wrote for the 4.x jailbreak.  As usual, you can choose to install the fix either by re-running redsn0w over your existing jailbreak (de-select Cydia if you do that), or by installing the corona package from Cydia (it’s the same set of files no matter which way you choose).

Updates #5b and #5c:  Version b5b fixes an issue with using custom ramdisks on iPhone3G and iPod2G, and version b5c prevents redsn0w from crashing due to the ever-growing ramdisk size :).

TIP: If auto-detection fails and redsn0w tells you no identifying data was found, you can always pre-select the appropriate 5.0.1 IPSW using “Extras->Select IPSW”.

Here are the redsn0w download links:

  • redsn0w 0.9.10b5c for OS X
  • redsn0w 0.9.10b5c for Windows (be sure to run in Administrator mode)

PwnageTool Official BitTorrent Releases

  • PwnageTool_5.0.1.dmg

SHA1 Sum = 32e90607378988cdebb6c76d3acf8ffac6366e35

Unofficial Mirrors

The following links are unofficial download mirrors, you download these archives at your own risk, we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links and we accept no responsibility with regard to the validity of the files, the other content that these links may provide or with the content that is on the third-party linked site.

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.

Mirror owners should email mirrors to blog@iphone-dev.org - please ensure that they are direct dmg download links only  (no rapidshare type sites please) and that your web-server can serve DMG MIME types properly. — please don’t place mirrors in the comments as they will be deleted.

Dec 27, 2011
#PwnageTool #redsn0w

October 2011

2 posts

pre-QUALifier

We’ve updated ultrasn0w to be compatible with iOS5, which came out a few days ago.  While ultrasn0w 1.2.4 (available now in Cydia) doesn’t add support for any new basebands, the update is required for any ultrasn0w unlockers trying out iOS5 (it remains backwards compatible though, so you should be able to use it no matter what firmware you have).  

The supported basebands for the iPhone 3G and 3GS are 04.26.08, 05.11.07, 05.12.01, 05.13.04, and 06.15.00.  The baseband supported for the iPhone4 is 01.59.00.

Remember, the only way to get to iOS5 while preserving your ultrasn0w-compatible baseband is by using a custom IPSW.  redsn0w now has the ability to create such a custom IPSW for you (at least on Macs…the same capability for Windows will be coming soon).

The majority of people who use ultrasn0w at iOS5 right now will probably be those with old-bootrom iPhone3GS devices, since they already have an untethered jailbreak via redsn0w.  For everyone else, the iOS5 jailbreak is currently tethered and you need to “Just boot” tethered with redsn0w every time your phone reboots.  That’s not always easy to do if your phone reboots while away from home!

Note: there’s a special “trick” that iPhone3GS owners with baseband 06.15 need for iOS5.  During the new setup screens you see when you start iOS5 for the first time, you’ll be asked about Location Services.  Be sure to select “Disable Location Services” when asked!  Later on in the setup, you’ll have the chance to turn on Location Services again when asked if you want to use “Find my iPhone”.  It’s fine to turn it back on at that point, if that’s your desire (or you can always go in and enable it in Settings.app).

Edit: The above “trick” is no longer needed as of v0.9.9b6 of redsn0w.

Also, some iPhone3GS users with the 06.15 baseband may have tried to install iOS5 using a stock IPSW (even though you should never ever try to use a stock IPSW if you’re an ultrasn0w unlocker).  If you did try this, your baseband is probably in an inconsistent state, and you’ll need to reflash the 06.15 baseband again (using redsn0w).  Be very careful if you use redsn0w to reflash the iPad baseband — don’t interrupt the process! And please avoid using stock IPSWs in the future :)  Unlockers should never go near stock IPSWs.

If you need to use redsn0w for any of the above tasks, please make sure it’s version 0.9.9b4 or higher, which is available here.

Enjoy!

Oct 14, 2011
RIP

Oct 5, 2011

August 2011

1 post

The coolest cat

We loved the chase!  

Good luck, Steve.

Signed,
Jailbreakers and tinkerers everywhere.

Aug 24, 2011

July 2011

1 post

jailbreakme times 3

Once again, @comex has resurrected http://www.jailbreakme.com for your jailbreaking ease and pleasure!

@comex developed what is now the third installment (and his second) of jailbreakme.com, the easiest way to jailbreak your iPhone, iPod touch, and iPad (including the iPad2!).  No computer is necessary for jbme3.0…just browse to http://www.jailbreakme.com on your device and install it from there!

While @comex and others have worked hard to make this as simple as possible, some people may have questions and problems may arise.  Rather than inundate comex with any questions over twitter, please consider using either our comments section below, or visit http://jbqa.me 

Please read “More Information” on the jbme3.0 page for some basic background information and ways you can thank @comex.  Here are some additional Q&As beyond that:

Q: Which devices and firmware versions are supported?
A: In this initial release, the following configurations are supported:

  • iPad1: 4.3 through 4.3.3
  • iPad2: 4.3.3
  • iPhone3GS: 4.3 through 4.3.3
  • iPhone4: 4.3 through 4.3.3
  • iPhone4-CDMA: 4.2.6 through 4.2.8
  • iPod touch 3g: 4.3, 4.3.2, 4.3.3
  • iPod touch 4g: 4.3 through 4.3.3

Q: Do the holes discovered by @comex put my device at risk?
A: Yes.  The same PDF-parsing bugs that jbme3.0 uses to jailbreak could be triggered by a malicious PDF you open in Safari, so we recommend installing “PDF Patcher 2” in Cydia once you’re jailbroken to eliminate this risk (any firmware version). 

Q: How does jbme3.0 differ from the existing jailbreaks?
A: jbme3.0 is entirely userland-based, from start to finish.  The A5 chip in the iPad2 has no iBoot or bootrom-level exploits yet, so tools like redsn0w, PwnageTool and sn0wbreeze can’t use the limera1n bootrom exploit to inject the jailbreak.  Even for those devices where limera1n works, jbme3.0 injects the jailbreak with a userland exploit.

Q: If I’m already jailbroken on the latest firmware, is there any advantage to jailbreaking again?
A: No, but you should consider showing this to your friends!  Spread the jailbreaking fever.

Q: Are the holes exploited by jbme3.0 closed in iOS5?
A: The holes still exist in the iOS5 betas, but they’ll almost certainly be fixed by the time iOS5 is public.  However because the iPad2 had no public jailbreak yet, it probably wasn’t worth waiting until the fall to use them.  If history repeats itself though, there will be more holes and exploits.

Q: Will I permanently lose the jailbreak if I need to restore my device?
A: For all except the iPad2, saving your SHSH blobs should let you always restore your device to iOS versions where this jailbreak works.  The iPad2 is a little more complicated.  If you have a wifi-only iPad2 and saved SHSH blobs, you’re in good shape.  But if you have the GSM or CDMA iPad2, you won’t be able to restore to 4.3.3 or lower once Apple stops signing its baseband.  There are a few ideas that might work to get around this limitation, but for now it’s best to assume there’s no going back to 4.3.3 once 4.3.4 is out for iPad2 GSM or CDMA owners. 

Q: I heard this new unionfs stuff is dangerous?
A: Define dangerous :)  Seriously though, although unionfs is a huge improvement to the install time of the jailbreak, it is brand new code and there is the possibility something will go wrong.  Just keep regular backups of your media and content and you should be fine.  If there are any problems, they should appear within the first few days, so hold off and let “everyone else” test the waters if you’d like.

Jul 6, 2011
#jailbreakme

June 2011

1 post

Blob monster

It looks like Apple is about to aggressively combat the “replay attacks” that have until now allowed users to use iTunes to restore to previous firmware versions using saved SHSH blobs.

Those of you who have been jailbreaking for a while have probably heard us periodically warn you to “save your blobs” for each firmware using either Cydia or TinyUmbrella (or even the “copy from /tmp during restore” method for advanced users).  Saving your blobs for a given firmware on your specific device allows you to restore *that* device to *that* firmware even after Apple has stopped signing it.  That’s all about to change.

Starting with the iOS5 beta, the role of the “APTicket” is changing — it’s being used much like the “BBTicket” has always been used.  The LLB and iBoot stages of the boot sequence are being refined to depend on the authenticity of the APTicket, which is uniquely generated at each and every restore (in other words, it doesn’t depend merely on your ECID and firmware version…it changes every time you restore, based partly on a random number).  This APTicket authentication will happen at every boot, not just at restore time.  Because only Apple has the crypto keys to properly sign the per-restore APTicket, replayed APTickets are useless.

This will only affect restores starting at iOS5 and onward, and Apple will be able to flip that switch off and on at will (by opening or closing the APTicket signing window for that firmware, like they do for the BBTicket).  geohot’s limera1n exploit occurs before any of this new checking is done, so tethered jailbreaks will still always be possible for devices where limera1n applies.  Also, restoring to pre-5.0 firmwares with saved blobs will still be possible (but you’ll soon start to need to use older iTunes versions for that).  Note that iTunes ultimately is *not* the component that matters here...it’s the boot sequence on the device starting with the LLB.
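The difference between a blob that depends only on ECID and firmware and a ticket that also covers a per-restore random nonce is easiest to see in a small model.  The following is an added illustration, not Dev-Team code and not Apple’s real APTicket format: Apple’s RSA signature over the actual IMG3/ticket structure is replaced by an HMAC under a key that only the stand-in “signing server” holds, the ticket fields are a deliberate simplification, and the ECID and the pre-5.0 build string are made up for the example (9A334 is the 5.0 build named elsewhere on this blog).

```python
"""Added model (not Dev-Team or Apple code): why a per-restore nonce in the
APTicket makes replaying a saved SHSH blob useless.  An HMAC stands in for
Apple's signature; the ticket layout is simplified."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Stand-in for Apple's private signing key: only sign_ticket() may use it.
_SIGNING_KEY = secrets.token_bytes(32)


def _ticket_body(ecid: int, build: str, nonce: Optional[bytes]) -> bytes:
    """What the signature covers.  nonce=None models the pre-iOS5 SHSH blob,
    which is tied to the device (ECID) and firmware build only."""
    body = ecid.to_bytes(8, "big") + build.encode()
    if nonce is not None:
        body += b"|nonce=" + nonce
    return body


def sign_ticket(ecid: int, build: str, nonce: Optional[bytes] = None) -> dict:
    """The signing server: issue a ticket for (ecid, build[, nonce]).
    Closing the 'signing window' simply means refusing to run this."""
    body = _ticket_body(ecid, build, nonce)
    return {"ecid": ecid, "build": build, "nonce": nonce,
            "sig": hmac.new(_SIGNING_KEY, body, hashlib.sha256).digest()}


def verify_signature(ticket: dict) -> bool:
    body = _ticket_body(ticket["ecid"], ticket["build"], ticket["nonce"])
    expected = hmac.new(_SIGNING_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket["sig"])


class Device:
    """Minimal model of the LLB/iBoot check.  With check_nonce=True the
    device draws a fresh random nonce for each restore (and each boot) and
    only accepts a ticket that was signed over that exact value."""

    def __init__(self, ecid: int, check_nonce: bool):
        self.ecid = ecid
        self.check_nonce = check_nonce
        self.current_nonce: Optional[bytes] = None

    def generate_nonce(self) -> bytes:
        self.current_nonce = os.urandom(20)  # the 'random number' per restore
        return self.current_nonce

    def accepts(self, ticket: dict, build: str) -> bool:
        if ticket["ecid"] != self.ecid or ticket["build"] != build:
            return False
        if not verify_signature(ticket):
            return False
        if self.check_nonce:
            return ticket["nonce"] == self.current_nonce
        return True


def replay_saved_blob(device: Device, saved: dict, build: str) -> bool:
    """The replay attack: present a previously saved ticket to a device that
    has just drawn a fresh nonce for this restore."""
    device.generate_nonce()
    return device.accepts(saved, build)


def demo() -> dict:
    ecid = 0x0000123456789ABC  # made-up ECID

    # Pre-iOS5: the saved blob covers ECID + build only, so replay works.
    old = Device(ecid, check_nonce=False)
    blob = sign_ticket(ecid, "4.3.3")  # saved while the window was open
    pre5_replay = replay_saved_blob(old, blob, "4.3.3")

    # iOS5-style: the ticket covers the nonce drawn for *that* restore.
    new = Device(ecid, check_nonce=True)
    first_nonce = new.generate_nonce()
    apticket = sign_ticket(ecid, "9A334", first_nonce)
    fresh = new.accepts(apticket, "9A334")                 # original restore
    replay = replay_saved_blob(new, apticket, "9A334")     # later replay
    # Patching the saved ticket's nonce to the current one breaks the signature.
    forged = new.accepts(dict(apticket, nonce=new.current_nonce), "9A334")
    return {"pre5_replay": pre5_replay, "fresh": fresh,
            "replay": replay, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The model also shows why the saved blobs remain useful for pre-5.0 restores: the old-style check never looks at a nonce, so a ticket captured once stays valid for that ECID and build indefinitely.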

Although it’s always been just “a matter of time” before Apple started doing this (they’ve always done this with the BBTicket), it’s still a significant move on Apple’s part (and it also dovetails with certain technical requirements of their upcoming OTA “delta” updates).

Note: although there may still be ways to combat this, a beta period is really not the time or place to discuss them.  We’re just letting you know what Apple has already done in their existing beta releases — they’ve stepped up their game!

Jun 26, 2011

May 2011

1 post

Tic tac toe...

… three in a row!  Apple released iOS 4.3.3 on Wednesday, and once again the untethered jailbreak exploit that @i0n1c created for 4.3.1 still works.  That makes it an unprecedented three firmwares where the same userland exploit works.  We’re not exactly sure why Apple hasn’t fixed the hole yet, but we’re not complaining!

Today’s PwnageTool and redsn0w incorporate @i0n1c’s port to 4.3.3 (it’s ironic that such a long-lasting untether doesn’t even have an official name!).  It also of course uses geohot’s limera1n bootrom exploit to inject the jailbreak. The 4.3.3 untether works on all devices that actually support 4.3.3 except for the iPad2:

  • iPhone3GS
  • iPhone4 (GSM)  
  • iPhone4 (CDMA) (4.2.8 - See update #3)
  • iPod touch 3G
  • iPod touch 4G
  • iPad1
  • AppleTV2G (v4.3 8F202…see update #2 below for the v4.3 8F305 bundle)

Some things to note:

  1. ultrasn0w unlockers must stay away from redsn0w!  Use only a custom IPSW to update to 4.3.3, to avoid updating your baseband.  There are plenty of tutorials for both redsn0w and PwnageTool at sites like iClarified.com.  Or feel free to ask away in our comments section below.
  2. ultrasn0w has been updated to v1.2.3 to be compatible with iOS 4.3.3 and earlier (the ultrasn0w update does not include any new baseband support!).  Please reboot your iPhone using the normal “slide to power off” swipe after installing ultrasn0w 1.2.3.
  3. By popular demand, redsn0w now allows you to enable multitasking gestures (although most will find it useful only on iPads).
  4. iPad2 update:  The iPad2 jailbreak remains under development.  As you may know, the original exploit @comex developed in the first week of the iPad2 release was mysteriously fixed by Apple within days of its development.  Partly because of this, don’t expect much public discussion of the iPad2 jailbreak until it’s actually finished and ready for release (and please avoid asking about it).  In all likelihood, it will be a userland exploit like the first (unreleased) one, not dependent on bootrom dumps.  The first one can’t be released even for those with the original 4.3 firmware due to legal (distribution) reasons.

As always, please feel free to ask for help or advice in our comment section, with our friendly moderators Confucious, sherif_hashim, dhlizard, Frank55, and subarurider (and many other very knowledgeable commenters too!)

Update #1: PwnageTool and redsn0w have been updated to include a fix for the iPhone3GS/i4 side switch vibration issue (only for 4.3.3!).  Thanks to @i0n1c for tracking this down (even though he doesn’t even have an iPhone!).

If you’re already jailbroken at 4.3.3 (by either redsn0w rc15 or custom IPSW), you can install this fix simply by running redsn0w rc16 over your existing 4.3.3 jailbreak.  Just uncheck the “Install Cydia” option and check any other options you want.  The fix will be installed no matter what you’ve selected.  This is safe for even ultrasn0w unlockers to do (because redsn0w itself won’t update your baseband…only an iTunes stock IPSW update/restore will do that).

redsn0w rc16 has a few more improvements:  Windows 7 and Vista users should no longer need to set their CPU affinity…just run redsn0w as Administrator in XP compatibility mode.  Also, the “verbose boot” option for old-bootrom iPhone 3GS has been fixed for 4.3.3 (remember: old-bootrom 3GS users can even have custom bootlogos that show right at power-up).  Enjoy!

Update #2:  Apple released a minor update to iOS 4.3 for AppleTV2G (the IPSW name still says 4.3, but the build version changed from 8F202 to 8F305).  @i0n1c was once again able to quickly port his original 4.3.1 untether (the exploit that wouldn’t die!) to this version.  

If you do feel like updating to the “new” 4.3, you’ll need to drop this bundle into the correct folder in PwnageTool.app.  If you don’t know how to do that, there are lots of tutorials on the web, and we’d be glad to help in the comments below.  

Thanks once again, @i0n1c!

Update #3: We’ve updated redsn0w (0.9.6rc18) to also include the Verizon iPhone4-CDMA iOS version 4.2.8 untether (which uses the HFS exploit).

Update #4: redsn0w has been updated to 0.9.6rc19 to include changes in the way custom bundles are handled.  Now when you use a custom bundle, most of the normal jailbreak steps (like stashing and untethering) are skipped.  This makes it easier for custom bundles like the Verizon i4 jailbreakme fix.

redsn0w 0.9.6rc19:

  • OS X
  • Windows

PwnageTool Official BitTorrent Release

  • PwnageTool_4.3.3.1.dmg.6375459.TPB.torrent

SHA1 Sum = 2c8b17c28ae10295b72dabde30bb4b39b0e85821

Unofficial Mirrors

The following links are unofficial download mirrors, you download these archives at your own risk, we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links and we accept no responsibility with regard to the validity of the files, the other content that these links may provide or with the content that is on the third-party linked site.

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.

Mirror owners should email mirrors to blog@iphone-dev.org - please ensure that they are direct dmg download links only  (no rapidshare type sites please) and that your web-server can serve DMG MIME types properly. — please don’t place mirrors in the comments as they will be deleted.

  • http://mayask.com/PwnageTool_4.3.3.1.dmg
  • http://ibloo.net/PwnageTool_4.3.3.1.dmg
  • http://m0o.eu/d/PwnageTool_4.3.3.1.dmg
  • http://mirror.omegarazer.ca/PwnageTool/PwnageTool_4.3.3.1.dmg
  • http://smotrikino.net/PwnageTool_4.3.3.1.dmg
  • http://mirror.StrongRoute.com/PwnageTool_4.3.3.1.dmg
  • http://www.idevice.ro/PwnageTool_4.3.3.1.dmg
  • http://white-buy.ru/PwnageTool_4.3.3.1.dmg
May 6, 2011
#PwnageTool #redsn0w #ultrasn0w

April 2011

2 posts

The untether rolls on

Only a few weeks after the 4.3.1 untether created by @i0n1c was released, Apple pushed out firmware 4.3.2. Thankfully, it appears Apple didn’t have a chance to fix the hole used by @i0n1c’s untether, so he ported his code over to 4.3.2’s kernel.  Today’s redsn0w has been updated to include it.

The 4.3.2 untether works on all devices that actually support 4.3.2 except for the iPad2:

  • iPhone3GS
  • iPhone4 (GSM)  
  • iPod touch 3G
  • iPod touch 4G
  • iPad1

redsn0w 0.9.6rc14:

  • OS X redsn0w
  • Windows redsn0w

As always, ultrasn0w unlockers should stay away from redsn0w and only update their firmware through a custom IPSW.   See update #3 below.

For any questions or problems, please use our comments section below with our ever-helpful moderators Confucious, sherif_hashim, dhlizard, Frank55, and subarurider.

Update #1: Until @i0n1c has a chance to fix the i4 version, we’ve removed the i4 untether from redsn0w (making it a tethered-only JB for i4 right now).

Update #2: redsn0w rc14 includes the fixed i4 untether from @i0n1c.  You can re-run redsn0w rc14 right over the tethered rc13b to transform the i4 JB into an untethered one.

Update #3: PwnageTool 4.3.2 now includes the iOS 4.3.2 untether from @i0n1c.  (And look, the PwnageTool and iOS version numbers actually match!).

Note that there’s a corresponding update to ultrasn0w, which has been bumped up to v1.2.2 to get along with iOS 4.3.2 (the ultrasn0w update does not include any new baseband support!).  Please reboot your iPhone using the normal “slide to power off” swipe after installing ultrasn0w 1.2.2.

PwnageTool Official BitTorrent Release

  • PwnageTool_4.3.2.dmg.6340182.TPB.torrent

SHA1 Sum = fdf9d7cba7872451bbca1ccae95a82cfefb352e7

Unofficial Mirrors

The following links are unofficial download mirrors, you download these archives at your own risk, we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links and we accept no responsibility with regard to the validity of the files, the other content that these links may provide or with the content that is on the third-party linked site.

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.

Mirror owners should email mirrors to blog@iphone-dev.org - please ensure that they are direct dmg download links only  (no rapidshare type sites please) and that your web-server can serve DMG MIME types properly. — please don’t place mirrors in the comments as they will be deleted.

  • http://public.kioskofpiracy.org/iphone-dev/PwnageTool_4.3.2.dmg
  • http://ikeygen.com/PwnageTool_4.3.dmg
  • http://www.vespaonline.de/iphone/PwnageTool_4.3.2.dmg
  • http://iphoners.org/download/PwnageTool/PwnageTool_4.3.2.dmg
  • http://www.vespaforum.com/iphone/PwnageTool_4.3.2.dmg
  • http://www.youritechsupport.com/apple-files/PwnageTool_4.3.2.dmg
  • http://cool.storybro.net/dl/PwnageTool_4.3.2.dmg
  • http://evilvibes.com/downloads/PwnageTool_4.3.2.dmg
  • http://downloads.ulfklose.de/PwnageTool_4.3.2.dmg
  • http://public.stuff.hu/pwnagetool/PwnageTool_4.3.2.dmg
  • http://idea4it.com/PwnageTool_4.3.2.dmg
  • http://www.idevice.ro/d/PwnageTool_4.3.2.dmg
  • http://mirror.omegarazer.ca/pwnagetool/PwnageTool_4.3.2.dmg
  • http://www.packetcollision.com/files/PwnageTool/PwnageTool_4.3.2.dmg
  • http://up.iNeal.ME/PwnageTool_4.3.2.dmg
Apr 18, 2011
#PwnageTool #redsn0w #ultrasn0w
Three years of pwnage(tool)

Three years ago (almost to the day!), the first version of PwnageTool was released for firmware 1.1.4.  So today we’re excited to release another edition of both PwnageTool and redsn0w to bring an untethered jailbreak for Apple’s latest firmware, FW 4.3.1.

The 4.3.1 untether exploit comes courtesy of Stefan Esser (@i0n1c on twitter), a security researcher based in Germany.  Stefan has a long history of vulnerability research, and ironically his first contribution to the iPhone jailbreak community was improved security — last year he beat Apple to the punch and implemented ASLR for jailbroken iPhones with his “antid0te” framework. We’re happy to see that Stefan then turned his iPhone attention over to an untethered jailbreak exploit!

The 4.3.1 untether works on all devices that actually support 4.3.1 except for the iPad2:

  • iPhone3GS
  • iPhone4 (GSM)
  • iPod touch 3G
  • iPod touch 4G
  • iPad1
  • AppleTV 2G (PwnageTool only for now)

The reason the untether won’t work as-is on the iPad2 is that it requires a bootrom or iBoot-level exploit to install, and the iPad2 is not susceptible to either the limera1n or SHAtter bootrom exploits.

WARNING WARNING — ultrasn0w users don’t update yet!  We need to first release an update to ultrasn0w that fixes some incompatibilities when FW 4.3.1 is used on the older basebands supported by ultrasn0w.  And remember once we do fix ultrasn0w for 4.3.1 (we’ll announce it here and on twitter), you must only get there via a custom IPSW from PwnageTool, Sn0wbreeze or xpwn!  Don’t ever try to restore or update to a stock IPSW, or you’ll lose the unlock!

For everyone else, redsn0w is the easier program to use (and redsn0w runs on both Mac and Windows).  Please check out places like iClarified for some excellent guides on how to use both PwnageTool and redsn0w.

Feel free to ask for help in our comments section.  Thanks once again to our fantastic moderators for volunteering their time and knowledge and keeping order: Confucious, sherif_hashim, dhlizard, Frank55, and subarurider!

redsn0w 0.9.6rc12 (updated from rc9 to rc12; details in Update #1 below):

  • OS X redsn0w
  • Windows redsn0w

PwnageTool Official Bittorent Releases

  • PwnageTool_4.3.dmg.6293151.TPB.torrent

SHA1 Sum = 9e8ce7d4eb79b5f839efa0233893ef1a6a5e3c5c

Unofficial Mirrors

The following links are unofficial download mirrors; you download these archives at your own risk. We accept no responsibility if your computer explodes, if it becomes part of a NASA-attacking botnet or, even worse, if your hands fall off mid-way through using these files. We do not check these links and accept no responsibility for the validity of the files, for any other content these links may provide, or for the content of the third-party linked site.

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.

Mirror owners should email mirrors to blog@iphone-dev.org. Please ensure that they are direct DMG download links only (no rapidshare-type sites please) and that your web server can serve the DMG MIME type properly. Please don’t place mirrors in the comments, as they will be deleted.


Update #1:

Those running redsn0w may have noticed we enabled too many Settings options in some versions of the jailbreak (for instance, what you want your side switch to do, even if you have no side switch because you’re not using an iPad).   Release rc12 of redsn0w (originally rc10) corrects that (you can just run it over your existing jailbreak…be sure to de-select Cydia to avoid package conflicts).

Along the way, we’ve also added the option to enable boot animations…these animations can be installed via Cydia, but be sure to select which animation to use via the Settings->Bootlogo setting after you’ve downloaded an animation (and again, you can just run rc12 (originally rc10) over your existing jailbreak…be sure to de-select Cydia to avoid package conflicts).

(The boot animation we tested against was “Android Boot Logo”.  It correctly installs all the dependencies needed to run the animation at each boot).

redsn0w 0.9.6rc12 (updated from rc10; rc12 should fix any lingering issues with the boot animation):

  • OS X redsn0w
  • Windows redsn0w

Update #2:

We’ve pushed out the 4.3.1 compatibility fix for ultrasn0w in Cydia — it’s now at version 1.2.1.  If you’re not already at 4.3.1 and you need the unlock, please be sure you understand how to get to 4.3.1 using a custom IPSW that doesn’t update your baseband.  There are lots of guides for this (like at iClarified.com).

This isn’t a new unlock!  It’s to allow those who are already using ultrasn0w to use FW 4.3.1.  It also fixes the signal bar issue for those who aren’t using the unlock but retain an older baseband intentionally.

AFTER INSTALLING ULTRASN0W 1.2.1, PLEASE REBOOT YOUR iPHONE using the normal “slide to power off” swipe.  T-Mobile users in the USA also should disable 3G mode in Settings->General->Network.

A big thanks to @sbingner and @ronaldsb for helping with the testing of this update!

Apr 4, 2011
#PwnageTool #redsn0w #ultrasn0w

February 2011

1 post

What's in a name?

What’s in a name?  Well in the case of an HFS volume name on iOS, an untether exploit — as the Chronic Dev Team revealed last week with an untether for the 4.2.1 jailbreak, which had previously been a tethered JB for most recent devices since 4.2.1’s release in November.  With their permission, we’ve incorporated their 4.2.1 “feedface” untether into today’s PwnageTool 4.2.  This means iPhone unlockers can safely restore to a custom 4.2.1 pre-jailbroken IPSW and retain their current baseband and unlock.  PwnageTool also supports all the other 4.2.1 devices other than iPod touch 2G:

  • iPhone3G
  • iPhone3GS
  • iPhone4
  • iPhone4-Verizon
  • iPod touch 3G
  • iPod touch 4G
  • iPad
  • AppleTV 2G

PwnageTool also includes two very recent improvements to the 4.2.1 JB:  iBooks was just fixed by @comex and @pushfix last night so that it works as intended on DRMed books, and the wifi problem on AppleTV 2G was fixed by @nitotv, @DHowett, and @saurik.  Both of these fixes will also be available in upcoming Cydia package updates, so if you’re already jailbroken you can wait for those updates rather than restore and jailbreak again.

The various components of the 4.2.1 untether (including a second exploit involving Mach-O headers) were worked out by 0naj, posixninja, and pod2g, and a nice writeup by 0naj is available on the wiki. The actual injection method uses geohot’s limera1n exploit for most devices.  And even though 4.3 is just around the corner, the exploit used has already been closed in the latest 4.3 betas, so it made sense for the 4.2.1 untether to be released when it was.  It also appears that a security researcher named @i0n1c has a 4.3 untether ready for when Apple releases the final 4.3 FW, so it may not be a long wait at all with 4.3!

Feel free to ask for help in our comments section.  And thanks as always to our terrific moderators Confucious, sherif_hashim, dhlizard, Frank55, and subarurider!

Official Bittorent Releases

PwnageTool_4.2.dmg -> PwnageTool_4.2.dmg.6176918.TPB.torrent

SHA1 Sum = af365f5de19d7ee19cbe1c67b2f226996a46b3ac

Unofficial Mirrors

The following links are unofficial download mirrors; you download these archives at your own risk. We accept no responsibility if your computer explodes, if it becomes part of a NASA-attacking botnet or, even worse, if your hands fall off mid-way through using these files. We do not check these links and accept no responsibility for the validity of the files, for any other content these links may provide, or for the content of the third-party linked site.

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.

Mirror owners should email direct DMG download links only (no rapidshare-type sites please, and please make sure that your web server can serve the DMG MIME type) to blog@iphone-dev.org. Please don’t place mirrors in the comments, as they will be deleted.

Feb 15, 2011
#PwnageTool

November 2010

3 posts

Ultra-recycle

Today we’re pleased to announce our free carrier unlock for iPhone3G/3GS owners with a baseband later than 05.13.04.  The unlock for that baseband exploited the AT+XAPP command, thanks to a crash initially discovered by @sherif_hashim (@Oranav also found this crash).  So what hole are we exploiting today, since Apple closed that AT+XAPP hole?  Well, we’re exploiting the exact same hole!

It turns out that the very first iPad firmware 3.2.2 has baseband version 06.15.00 still vulnerable to AT+XAPP. The iPad baseband is built for the exact same baseband chip as the iPhone3G/3GS — they’re fully compatible! Some of us have been running 06.15 for weeks now on our iPhones in preparation for this release.   (And some have known about this possibility of 06.15 on the iPhones for a while — kudos to @w1kedZ and @DHowett for keeping it hush!)

Unlockers have been reporting mixed results about GPS functionality at 06.15.00.  Until we can track down what differentiates those who retain GPS vs. those who lose it, be conservative and assume you’ll lose GPS at 06.15.00. As we work on finding the cause (and possibly a fix), please report your personal findings in our comments section.  (Update: early indications are that while 06.15.00 is capable of GPS, it will require some further hacks.  But please still be conservative and assume you will lose GPS at 06.15, in case the hacks don’t work).

SIMPLIFIED ROUTE #1 (redsn0w for OSX + Windows):

  1. Read and fully understand the warning below.
  2. If you have an old-bootrom 3GS and are already unlockable but want to get to 4.2.1, please wait until we release an “unofficial” bundle for you.  Read no further.
  3. Use redsn0w (see update #2) for OSX or Windows.  Enable the “Install iPad baseband” option and accept the warning.
  4. When the redsn0w ramdisk is finished, install ultrasn0w via Cydia.
  5. Enjoy!

SIMPLIFIED ROUTE #2 (PwnageTool for OSX):

  1. Read and fully understand the warning below.
  2. If you have an old-bootrom 3GS and are already unlockable but want to get to 4.2.1, please wait until we release an “unofficial” bundle for you.  Read no further.
  3. Read update #1 for an updated 3GS bundle.
  4. Download this IPSW
  5. Run PwnageTool to create a custom 4.1 IPSW.  Tell it you want to use the iPad baseband you just downloaded.  Restore to this custom IPSW.
  6. Install ultrasn0w through Cydia
  7. Enjoy!

FULL VERSION:

Since 06.15 is a higher version than 05.14 or 05.15 (where AT+XAPP is gone), anyone stuck at those versions can simply upgrade to 06.15 to unlock again! Luckily for us, Apple *still* provides the iPad FW 3.2.2 with this vulnerable baseband right from their own servers. (Grab it now, before they take it down!)

We’ve been busy updating both PwnageTool and redsn0w to make the baseband update as seamless as possible.

  1. First up is “PwnageTool 4.1.3 Unlock Edition”.  It has a special dialog box which will ask you if you want to update to the iPad baseband.  You must already have the iPad 3.2.2 IPSW on your computer (see the above link)….so just point PwnageTool at it (or let it find it on its own if you’re in “simple” mode).
  2. Directly after PwnageTool 4.1.3 is available, the official ultrasn0w repo http://repo666.ultrasn0w.com will be updated with ultrasn0w 1.2, which covers iPhone 4 baseband 01.59.00 and iPhone 3G/3GS basebands 04.26.08, 05.11.07, 05.12.01, 05.13.04 and now 06.15.00.
  3. Finally, we’ll release an update to redsn0w today for those without Macs and can’t run PwnageTool.  The new redsn0w will give you the option to update your baseband to 06.15 too.

WARNING — YOU DO THIS AT YOUR OWN RISK!  PLEASE UNDERSTAND THE CONSEQUENCES OF UPDATING TO 06.15.

  1. There is no way to come back down from 06.15, and there’s no hiding the baseband version from Apple. You’ll be voiding your warranty in a very obvious way.
  2. If some future baseband comes out with a critical fix, you won’t be able to update to it if it remains down in the 05.xx sequence (then again, you wouldn’t update to it if you wanted to keep your unlock anyway).
  3. Starting with FW 4.2.1, if you have 06.15 on your iPhone you won’t ever be able to restore to stock firmware (it will fail).  You’ll need to restore only to custom IPSWs (then again, if you’re an unlocker you should already be doing that).

Unlockers have been reporting mixed results about GPS functionality at 06.15.00.  Until we can track down what differentiates those who retain GPS vs. those who lose it, be conservative and assume you’ll lose GPS at 06.15.00. As we work on finding the cause (and possibly a fix), please report your personal findings in our comments section.  (Update: early indications are that while 06.15.00 is capable of GPS, it will require some further hacks.  But please still be conservative and assume you will lose GPS at 06.15, in case the hacks don’t work).

Certainly don’t update to 06.15 if you don’t need to!  Only do this if you need the unlock and you’re stuck on 05.14 or 05.15, and you’re willing to assume the above risks.

This PwnageTool also contains a 4.2.1 bundle for iPhone3G owners…for all else, it’s still only 4.1.   If you have an iPhone3GS with an old bootrom, use redsn0w for an untethered 4.2.1 jailbreak (it can now install the iPad baseband too).  For all other devices, the 4.2.1 jailbreak is tethered only (use redsn0w for it), until @comex can work some untethering magic.  

Please feel free to use our comments section for questions.  We have some very knowledgeable and helpful moderators:  angiepangie, Confucious, sherif_hashim, dhlizard, and Frank55!

Official Bittorrent Releases

PwnageTool 4.1.3  - PwnageTool_4.1.3_Unlock_Edition.dmg.5994102.TPB.torrent

SHA1 Sum = adda6d882dce1b5117d01586037de289407e038a

Unofficial Mirrors

The following links are unofficial download mirrors; you download these archives at your own risk. We accept no responsibility if your computer explodes, if it becomes part of a NASA-attacking botnet or, even worse, if your hands fall off mid-way through using these files. We do not check these links and accept no responsibility for the validity of the files, for any other content these links may provide, or for the content of the third-party linked site.

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.
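Each of the three release posts above asks readers to check the downloaded archive against the published SHA1 before opening it. The following added example (not Dev-Team code) performs that check in Python; the digests are the ones printed in the posts, and the DMG path is whatever the reader downloaded from a mirror.

```python
"""Verify a downloaded PwnageTool archive against its published SHA1.

Added example, not code from the Dev-Team. A mirror the team does not control
can serve a modified DMG, so the digest is compared before the image is opened.
"""
import hashlib
import hmac
import sys

# SHA1 sums printed in the posts above, keyed by archive name.
PUBLISHED_SHA1 = {
    "PwnageTool_4.3.dmg": "9e8ce7d4eb79b5f839efa0233893ef1a6a5e3c5c",
    "PwnageTool_4.2.dmg": "af365f5de19d7ee19cbe1c67b2f226996a46b3ac",
    "PwnageTool_4.1.3_Unlock_Edition.dmg": "adda6d882dce1b5117d01586037de289407e038a",
}


def sha1_of_file(path: str) -> str:
    """Stream the file through SHA-1 in 1 MiB chunks so a large DMG is never loaded whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sha1(path: str, expected: str) -> bool:
    """Return True only if the file's digest equals the published one.

    The published value may be pasted in upper case, so it is normalised first;
    the comparison itself is constant-time via hmac.compare_digest.
    """
    actual = sha1_of_file(path)
    return hmac.compare_digest(actual, expected.strip().lower())


def main(argv) -> int:
    # Usage: verify_dmg.py <downloaded-file> [expected-sha1]
    # Without an explicit digest, the archive name is looked up in PUBLISHED_SHA1.
    if len(argv) not in (2, 3):
        print("usage: verify_dmg.py <file> [expected-sha1]", file=sys.stderr)
        return 2
    path = argv[1]
    expected = argv[2] if len(argv) == 3 else PUBLISHED_SHA1.get(path.rsplit("/", 1)[-1])
    if expected is None:
        print(f"no published SHA1 known for {path}", file=sys.stderr)
        return 2
    ok = verify_sha1(path, expected)
    print(("OK   " if ok else "FAIL ") + path)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```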


Mirror owners should email direct DMG download links only (no rapidshare-type sites please) to blog@iphone-dev.org. Please don’t place mirrors in the comments, as they will be deleted.

Update #1:  There’s an error in the bundle for the iPhone3GS 4.1 that prevents the new baseband from being used.  If you know your way around OSX, please download the fixed bundle, and unzip it if Safari hasn’t already done so.  Then “Show Package Contents” of PwnageTool.app, navigate to Contents->Resources->FirmwareBundles and drop it there.   Otherwise, please wait for the updated PwnageTool, or the OSX version of redsn0w coming soon.

Update #2:  The new redsn0w 0.9.6beta5 is out.  It gives both Windows and OSX users the ability to flash the iPad 06.15 baseband on iPhone3G or iPhone3GS.  It fetches the baseband files directly from Apple for now (the only IPSW you ever point it at is the stock IPSW for the FW on your iPhone right now).  There may be a long delay while it’s doing this (their servers are currently getting pounded).

If you do flash your baseband via redsn0w, please keep it plugged into USB the whole time.  You don’t want your battery to die during the flash process!

Update #3:  For those Mac users with an old-bootrom 3GS who really know what they’re doing, here’s a minimal 3GS 4.2.1 bundle that will get you to 4.2.1 without updating your baseband.  Be sure to uncheck “Activate the iPhone” using Expert mode.  To actually jailbreak after you’ve restored with the help of that bundle, please use redsn0w.  If you don’t know how to drop a bundle into PwnageTool.app, please hold off on 4.2.1 until it’s untethered for everyone (or wait for a nice tutorial from somewhere like http://iclarified.com)

Update #4: Our terrific moderators angiepangie, Confucious, sherif_hashim, dhlizard, and Frank55 have done a stupendous job moderating 7700 comments over just the first 12 hours (that’s 10 per minute for half a day!). Hats off to them, and to all of our great commenters who rack up those + points for helping total strangers jailbreak and unlock their iPhones!   That’s what makes this community great :)

Update #5:  Unlockers have been reporting mixed results about GPS functionality at 06.15.00.  Until we can track down what differentiates those who retain GPS vs. those who lose it, be conservative and assume you’ll lose GPS at 06.15.00.  As we work on finding the cause (and possibly a fix), please report your personal findings in our comments section.  (Update: early indications are that while 06.15.00 is capable of GPS, it will require some further hacks.  But please still be conservative and assume you will lose GPS at 06.15, in case the hacks don’t work).

Update #6:  Developer @sbingner (author of TetherMe) has made some excellent progress devising a new hactivation method that kills two birds with one stone for all you ultrasn0w unlockers.  His tool, “Subscriber Artificial Module (SAM)” tricks your iPhone and iTunes into creating legitimate activation tickets even though you’re unlocked with ultrasn0w.  This means you get the full benefit of push applications, and your battery life increases substantially.  If you’d like to try it out, check out http://www.bingner.com/SAM.html

To help make it easier to try out @sbingner’s tool, we’ve updated redsn0w to include a new “Deactivate” option for the 3G and 3GS.  Use this option *after* you’ve installed SAM…it will remove the normal patches made to lockdownd and let SAM take over.  (sbingner plans on making a button to do this within SAMPrefs too).  Great work, @sbingner!

The new redsn0w with the “Deactivate” option is at:

  • OSX
  • Windows  (Windows 7 and Vista users, please run redsn0w as Administrator in “XP Compatibility Mode”)
Nov 28, 2010
#PwnageTool #ultrasn0w
Thanksgiving with Apple

With Turkey Day a few days off, today Apple publicly released FW version 4.2.1.  As always, ultrasn0w unlockers please stay far far away from this official firmware (and all official firmware).  Wait for the ability to create custom 4.2.1 IPSWs that don’t update your baseband!  If you’re not an unlocker, read on!

The best news of all is for owners of iPhone3G, older iPhone3GS, and non-MC iPod touch 2G.  Due to a combination of our original pwnage2 exploit, the arm7_go exploit, 24kpwn, and limera1n, your device is “just as jailbreakable as ever.”  You reap the full benefit of an untethered 4.2.1 jailbreak.

Next are the owners of all the more recent devices.  The good news there is that due to geohot’s limera1n exploit, all recent devices can be jailbroken (this will be true until Apple releases new hardware that fixes geohot’s limera1n exploit in the bootrom).  The bad news is that right now, the 4.2.1 jailbreak is *tethered* on all of these recent devices.  A tethered jailbreak means that each time your device loses battery power or needs to be rebooted, you must attach it to a PC or Mac to boot into the jailbroken state.  @comex is working hard on a method that may untether the 4.2.1 jailbreak, but it may require you to have your 4.1 SHSH blobs in order to use it.  No word on how much more effort it will take though (please don’t bug @comex about it!).  (We also have an alternative method that may work, but @comex’s method is much more elegant.)

So when does all this 4.2.1 jailbreak action happen?  Well if you’re a JB developer or tinkerer, you’ve probably already used the redsn0w mentioned in our last post to jailbreak 4.2.1 and at least get SSH working.  But beyond that, there are still some last minute issues with MobileSubstrate and comex’s kernel patches that are being fixed.  We’ll tweet and post a blog update when it’s all available (we hate to give ETAs, but barring any unforeseen problems, probably later today).  It happens “now”…see Update #1.

In the meantime, please make sure you have your 4.1 SHSH blobs for all your devices.  These will be important even for firmware beyond 4.1 (using both comex’s method and our alternative, depending on how each of them turns out).

ultrasn0w unlock:  After redsn0w is officially released with the new Cydia and kernel patches, we’ll be able to assess the unlock situation.  It’s already looking very promising though, so expect the unlock for the 3G and 3GS to be coming this week.  The i4 unlock is taking more effort though, and no further concrete info is available about that yet.

Feel free to ask questions in our comments section below, where we’ve got some awesome new additional moderators — sherif_hashim, dhlizard, and Frank55!

Update #1:  redsn0w version 0.9.6b6 is now available for your 4.2.1 jailbreaking pleasure.  Please read all the above to understand what this jailbreak currently entails.

Update #2:  The notion of a “tethered” jailbreak is pretty new to many people, so here’s a quick rundown on what to expect:

  1. If you’re on an iPhone3G, old-bootrom iPhone3GS, or non-MC ipt2g, life is easy. redsn0w installed an untethered jailbreak and so nothing below applies.
  2. “Tethered” does not mean you cannot boot at all without PC/Mac assistance.  If you have not installed any tweaks that hook into important programs like SpringBoard or CommCenter, your device will actually boot.  However, jailbreak programs like Cydia won’t work (and Cydia may still have a white icon).  Also, certain built-in apps that had to be moved by Cydia will fail (Safari being the most noticeable example).
  3. If you’ve installed MobileSubstrate tweaks that hook into SpringBoard or other important programs, your boot will actually fail (you’ll get stuck at the Apple logo).  You need to use redsn0w to “Just boot tethered right now”.

Remember, @comex is working on a way to untether the 4.2.1 jailbreak.  Meanwhile, the above 3 points hopefully will make it all seem less confusing :)

Update #3:  We’ve updated redsn0w to include “one-click” support for those of you running the tethered 4.2.1 jailbreak.  Using command-line arguments, you can now bypass the screens you’d normally see as you use redsn0w to “Just boot tethered for now”.

The available command line arguments are:

  • -j to ask redsn0w to “Just boot now tethered for now”
  • -i <filename> to specify your reference IPSW
  • -o for old-bootrom iPod touch 2G and iPhone 3GS
  • -b <filename> to specify your own boot logo png

For example, to get redsn0w for Mac to do a tethered boot of an iPod touch 4G jailbroken at 4.2.1:

open ~/Desktop/redsn0w.app --args -j -i ~/Desktop/iPod4,1_4.2.1_8C148_Restore.ipsw

This assumes both redsn0w and the IPSW are on your OS X desktop, so modify as necessary!  Included in the zip is an example script file that you can double click on to launch redsn0w like this (the Windows example assumes everything is in C:\).  (Mac users: please remember to change the permissions of your custom *.command files to allow execution.)

This should help ease the pain of the tethered jailbreak until @comex comes up with a 4.2.1 untether (or for those of you with legit access to the 4.2b3 IPSW, until the “Jailbreak Monte” untether is out of beta)!

  • PLEASE UPGRADE TO iTunes 10.1 FOR BEST RESULTS
  • WINDOWS 7 USERS SHOULD RUN redsn0w IN “XP COMPATIBILITY” MODE
  • Make sure you’re using a USB 2.0 port
  • OS X
  • Windows
Nov 22, 2010
#redsn0w
redsn0w+limera1n fun

It looks like geohot’s recent limera1n exploit for iPhone3GS/iPhone4/iPad/ipt3g/ipt4g/atv2g will be very beneficial to jailbreakers and unlockers for the next few months (at least).  geohot’s limera1n program and the alternative greenpois0n program both use his same exploit (although greenpois0n refuses to tell you that, FWIW), and hopefully SHAtter can be saved for some later device.

In the meantime, we’ve also incorporated the limera1n exploit into redsn0w.  But we’ve added a few extras:

  • custom bootlogos for iPhone3G/iPhone3GS/iPod2G users (with qualifying bootroms)
  • an option that implements the “DFU” button in PwnageTool.  This button (which you can use from Windows) lets you prepare your device for a custom DFU.  Even if you’re purely a Windows user, you can get a trusted friend to run PwnageTool over your IPSW to create a custom IPSW.  You can now install that custom IPSW on your own Windows box, after you run this redsn0w version.

This latest redsn0w is available at:

  • OS X  (See our latest redsn0w post)
  • Windows (See our latest redsn0w post)

For Windows users who have run redsn0w and chosen “Just enter pwned DFU mode right now”, your device is now completely vulnerable.  Run iTunes and select a custom IPSW from PwnageTool (choose it by pressing Shift+Restore), and you’ve now convinced your device and iTunes to restore to a custom firmware.  Congratulations!

If you are timid about software and running these programs…please just wait!  Don’t jeopardize your carrier unlock for a firmware upgrade.  Wait for even easier methods than this latest redsn0w release. 

Update #1:  Today Apple released to developers the GM seed for 4.2.  Tinkerers will find that yesterday’s redsn0w jailbreaks today’s 4.2 GM seed, simply by pointing redsn0w at the 4.1 IPSW (rather than the 4.2 one).   Right now it mostly only makes sense for JB app developers to do that because many apps (including Cydia itself) need to be updated for 4.2.  However, if all you want to do is enable afc2 (to use iFunBox or other file browsers), or to tweak settings like Battery % and Homescreen wallpapers, then go for it (if you have valid paid access to the GM seed).  Be sure to uncheck the Cydia box, though!  Ultrasn0w unlockers should stay very far away from this!!

Update #2:  By all accounts, we’re within a few days of Apple’s official public release of Firmware 4.2.  Here’s what you need to know:

  • Thanks to geohot’s limera1n exploit, and our original pwnage2 exploit, and @pod2g’s ipod2g-MC exploit, absolutely all devices at all iOS firmware versions are capable of being jailbroken.
  • The untethered jailbreak of those very latest FWs and latest devices depends on @comex hacks.  His hacks so far extend only to 4.1 and 4.2beta3.  He’s working on a way to extend it to 4.2 and beyond.  Just wait for him to work out his method.
  • iPhone 3G and 3GS unlockers will be covered by our upcoming unlock.  Stay away from any updates to Apple FW until our official release and you’ll be okay.  Just stay away from all Apple IPSWs :)
  • iPhone4 unlockers are not left out in the cold.  @sherif_hashim has found some very promising avenues to pursue.  Those will be explored as soon as possible after all the 4.2 madness.

What does this mean to you?

  • If you’re an unlocker, just stay where you are.  Please, just stay where you are.  Any mistakes you make now may be permanent. 
  • If you only care about the jailbreak and you’re absolutely sure you have your personalized 4.1 SHSH hashes, feel free to experiment but keep in mind that any mistakes you make may result in your losing pictures or notes or bookmarks that you’d rather keep.  Honestly unless you love living on the bleeding edge, it’s better to just wait for official updates from Cydia/redsn0w/PwnageTool.
  • Don’t buy or donate to any unlock or jailbreak scammers.  Every legitimate solution you will find for unlocks or jailbreaks will be offered without an extended hand.  That’s how the iPhone jailbreak/unlock community has succeeded.  It’s about freedom to do what you want with your $300 device —  not about donations, egos, tweets, or “interviews.”

Update #3:   (Warning: if you use the ultrasn0w unlock, please read no further…this doesn’t apply to you yet!) We’ve made some updates to redsn0w to make it easier for jailbreak developers (and tinkerers) to get their programs ready for 4.2.1.  As noted above, the public version of Cydia (and MobileSubstrate too!) is not 4.2.1-compatible.  redsn0w will now let you install your own custom bundles independent of Cydia (the bundle can actually be Cydia if you’ve compiled it on your own).  These bundles can be up to 15MB in size, and should be in the form of a gzip-compressed tar file.  

The new redsn0w 0.9.6b3 is available at:

  • OS X  (See our latest redsn0w post)
  • Windows (See our latest redsn0w post)

It’s very important that you get the file permissions and ownerships right in your custom redsn0w bundles.  To give you a practical example of such a bundle, here’s one that includes OpenSSH, OpenSSL, and the basic apt installer programs:

  • SSH bundle v2 (update: v2 has fixed permissions..you can just drop this one right in even if you installed the first version)

redsn0w has also been updated to recognize the 4.2.1GM IPSWs.  *However*, as noted above, the 4.2.x jailbreak is not yet untethered for most devices!  That means until someone like @comex comes up with a way to untether it, you must use redsn0w (or a similar utility) to boot your device into a jailbroken 4.2.1 state.   (The only exceptions to this are the iPhone3G, non-MC iPod touch 2G, and old-bootrom iPhone3GS.  redsn0w will jailbreak those untethered!)

With the above redsn0w and SSH bundle, jailbreak developers and tinkerers can jailbreak and SSH into their 4.2.1 devices, provided they’ve done a tethered boot (using redsn0w’s “Just boot tethered right now” option).

Note:  The Cydia that’s included in 0.9.6b3 is the same one as in 0.9.6b2, and so it will *not* work on 4.2.1.  Don’t try installing it on 4.2.1!  Instead, use the SSH bundle, or compile Cydia on your own.  If you’re familiar with the apt utilities, you can use “apt-get” to install many programs from the command line.  Be sure to do “apt-get update” first to refresh your sources!

PLEASE CONSIDER THIS AN ADVANCED TOPIC!!  It’s not meant for the masses because it involves rather nerdy things like command lines and tar files.  But for those who know how to use this new redsn0w feature, have fun!
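Update #3 describes the custom-bundle format (a gzip-compressed tar of at most 15MB) and stresses getting file permissions and ownership right. The added example below (not redsn0w’s or the Dev-Team’s code) lints a bundle for those properties before it is handed to redsn0w. The post states no concrete ownership rule, so the one enforced here (every entry owned by uid 0 / gid 0, nothing world-writable or setuid/setgid, no paths escaping the bundle root) is an assumption modelled on how system files are normally owned.

```python
"""Sanity-check a custom redsn0w bundle before installing it.

Added example, not code from redsn0w or the Dev-Team. The post only says the
bundle must be a gzip-compressed tar of at most 15MB with correct permissions
and ownership; the ownership/mode rules below are this example's assumption.
"""
import io
import stat
import tarfile

MAX_BUNDLE_BYTES = 15 * 1024 * 1024  # "up to 15MB in size" per the post
GZIP_MAGIC = b"\x1f\x8b"


def check_bundle(data: bytes) -> list:
    """Return human-readable findings; an empty list means the bundle passed."""
    findings = []
    if len(data) > MAX_BUNDLE_BYTES:
        findings.append(f"bundle is {len(data)} bytes, over the 15 MB limit")
    if not data.startswith(GZIP_MAGIC):
        findings.append("bundle is not gzip-compressed")
        return findings  # tarfile could not open it anyway
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            for member in tar.getmembers():
                findings.extend(_check_member(member))
    except (tarfile.TarError, OSError, EOFError) as exc:
        findings.append(f"not a readable tar archive: {exc}")
    return findings


def _check_member(member: tarfile.TarInfo) -> list:
    out = []
    name = member.name
    # Entries must stay inside the bundle root: no absolute paths, no '..' escapes.
    if name.startswith("/") or ".." in name.split("/"):
        out.append(f"{name}: path escapes the bundle root")
    # Assumed rule: system files belong to root:wheel (uid 0, gid 0).
    if member.uid != 0 or member.gid != 0:
        out.append(f"{name}: owned by {member.uid}:{member.gid}, expected 0:0")
    if member.mode & stat.S_IWOTH:
        out.append(f"{name}: world-writable (mode {oct(member.mode)})")
    if member.mode & (stat.S_ISUID | stat.S_ISGID):
        out.append(f"{name}: setuid/setgid bit set (mode {oct(member.mode)})")
    # A program dropped under a bin/ directory that cannot execute is a packaging slip.
    if member.isfile() and "/bin/" in f"/{name}" and not member.mode & stat.S_IXUSR:
        out.append(f"{name}: program under a bin/ directory is not executable")
    return out


def build_sample_bundle(entries) -> bytes:
    """Construct a small in-memory tar.gz from (name, mode, uid, gid, payload) tuples.

    Constructed test data only; a real bundle carries binaries such as sshd.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, uid, gid, payload in entries:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode
            info.uid, info.gid = uid, gid
            info.uname = "root" if uid == 0 else "mobile"
            info.gname = "wheel" if gid == 0 else "mobile"
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample_bundle([("usr/bin/ssh", 0o755, 0, 0, b"#!/bin/sh\n")])
    bad = build_sample_bundle([
        ("usr/bin/ssh", 0o777, 501, 501, b"#!/bin/sh\n"),
        ("../etc/passwd", 0o644, 0, 0, b"oops"),
    ])
    print("good bundle:", check_bundle(good) or "OK")
    print("bad bundle:", *check_bundle(bad), sep="\n  ")
```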

Nov 1, 2010
#redsn0w

October 2010

2 posts

20102010 event

We’re pleased to release PwnageTool 4.1.2 (originally 4.1) for Mac OS X (free of charge, blog ads, and donation requests — as always!).  Today’s big new addition to the jailbreak family is AppleTV 2G, which was first shown jailbroken in its release week!

[Update: Version 4.1.2 should fix any issues that OS X 10.5.x users were seeing.  You only need to run this version if you’re at OS X 10.5.x and were seeing Cydia errors]

ULTRASN0W UNLOCKERS BEWARE!!  ULTRASN0W UNLOCKERS BEWARE!!  The biggest mistake you can make (and it is a big one!) is letting iTunes restore to the official IPSW — you’ll lose the unlock and won’t be able to go back!  You must use Option-Restore, not just the Restore button by itself.  Then navigate to your custom IPSW — not to the stock one!  If you accidentally started a restore to the official IPSW, unplug your iPhone immediately before the restore gets to the “Updating Firmware” step!

Through a combination of the recently released geohot limera1n exploit, @comex’s recently released pf kernel exploit, and our original pwnage2 exploit, PwnageTool 4.1 (now 4.1.2) works untethered on these devices at firmware 4.1:

  • AppleTV 2G
  • iPad (firmware 3.2.2)
  • iPod touch 4G
  • iPod touch 3G
  • iPhone4
  • iPhone 3GS
  • iPhone 3G

PwnageTool allows you to restore to a custom IPSW file.  For instance, you can restore to a pre-jailbroken firmware while simultaneously maintaining your current baseband (and thus your ultrasn0w carrier unlock).  You can also add whatever packages you want in the “Expert” mode of PwnageTool, if you wish to pre-install Cydia packages.   iPhone 3G users get the additional benefit of selecting their own boot and recovery logos, and features like multitasking and battery charge percentage.

PwnageTool’s main advantage over ramdisk-based methods (limera1n, greenpois0n, redsn0w) is for unlockers — those that need to keep their current baseband and preserve their ultrasn0w unlock.  But in this new age of both bootrom- and userland-based exploits, it’s an excellent platform for continuing the jailbreak through all future firmwares.  More on this later!  In the meantime, please enjoy this free software and please provide any usage feedback in our comment section below.

AppleTV 2G users:  Welcome to the JB family!  Right now, about all you can do is command-line stuff via ssh.  You also have afc2 available, so you can use tools like ifunbox to move files around.  These are the *very* early days of AppleTV 2G jailbreaking, so it’ll take some time for JB app developers to come up with methods to use your AppleTV 2G from the remote, versus the command line.  PS: Your ssh password is “alpine”…please change it when you can :)

Expert mode: By popular demand, the IPSW file selection in Expert mode is now completely manual (doesn’t use Spotlight).  Just pick your IPSW file directly instead of waiting for the Spotlight search to complete.  In Expert mode, the default is to hacktivate (“Activate the iPhone”), so if you have a legit SIM card be sure to deselect that option in Expert mode.

DFU button:  That “DFU” button in PwnageTool is more than it looks like.  It guides you through the DFU process, but then also runs the appropriate exploit to convince your device and iTunes that all is legit.   The DFU button in PwnageTool is not just your average DFU.

Official Bittorrent Releases

PwnageTool 4.1.2 Torrent  - PwnageTool_4.1.2.dmg.5904259.TPB.torrent

SHA1 Sum = 1c0d5ea45464e336fcb38c644dc125c3a16b5493

Unofficial Mirrors

The following links are unofficial download mirrors, you download these archives at your own risk, we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links and we accept no responsibility with regard to the validity of the files, the other content that these links may provide or with the content that is on the third-party linked site.

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.

Mirror owners should email direct dmg download links only (no rapidshare type sites please) to blog@iphone-dev.org — please don’t place mirrors in the comments as they will be deleted.

  • http://iphoneroot.com/download/PwnageTool_4.1.2.dmg
  • http://download.touch-time.eu/PwnageTool_4.1.2.dmg
  • http://www.kuru.at/PwnageTool_4.1.2.dmg
  • http://www.kuruptor.com/PwnageTool_4.1.2.dmg
  • http://gumballtech.com/files/PwnageTool_4.1.2.dmg
  • http://zcr.me/f/PwnageTool_4.1.2.dmg
  • http://download.sourcekills.com/files/devteam/PwnageTool_4.1.2.dmg
  • http://public.stuff.hu/pwnagetool/PwnageTool_4.1.2.dmg
  • http://flyhq.net/PwnageTool_4.1.2.dmg
  • http://www.d4sys.com/download/PwnageTool_4.1.2.dmg
  • http://chronzz.com/dl/PwnageTool_4.1.2.dmg
  • http://theplacefordee.com/PwnageTool_4.1.2.dmg
  • http://www.project-cestlavie.de/PwnageTool_4.1.2.dmg
Oct 20, 2010
#PwnageTool

Limera1n surprise

After a few very dramatic days in the jailbreak community, geohot has come out of nowhere to release limera1n.  It’s a bootrom-level jailbreak that works on the iPhone3GS, iPhone4, iPod touch 3G, iPod touch 4G, the iPad, and (technically) the AppleTV 2G.

DO NOT USE LIMERA1N IF YOU USE THE ULTRASN0W CARRIER UNLOCK — wait for PwnageTool to incorporate the limera1n exploit.  This is so that you can avoid updating your baseband and losing the unlock (possibly forever).

Limera1n uses a different exploit than SHAtter, and in fact covers more devices.  Although some may question geohot’s dramatic and competitive style, he obviously does have considerable skill pulling this together in just over a day (although he’s had the underlying exploit for months).  Credit also goes to @comex, who provides the untethered aspect of limera1n via another one of his growing list of kernel hacks.

The release of limera1n has (thankfully!) averted the burning of 2 bootrom holes at once (both his and SHAtter). Releasing SHAtter now would be a complete waste of a perfectly good bootrom hole in light of limera1n, and so it can be held until Apple closes limera1n’s hole.  While there’s no guarantee that Apple won’t also close SHAtter by then, it provides a ray of hope for devices after Apple’s bootrom respin.

Update #1: Because the “untethered” part of this jailbreak comes from a userland hack from @comex, you should still back up your SHSH hashes for 4.1.  Do this by either letting Cydia keep them (“make my life easier”), or using Tiny Umbrella.   This way you can always come back to an untethered, jailbreakable 4.1 on your devices after Apple has closed their 4.1 signing window (they’ll close the 4.1 window once they push out their next firmware version). If you fail to do this and ever need to restore to 4.1 again, you can still jailbreak but it will be a tethered JB (you’ll need to connect to your computer to finish the booting process, each and every time).

And remember: you can back up your 4.1 SHSH hashes without even being at 4.1 or even being jailbroken, by using Tiny Umbrella.

Oct 9, 2010

September 2010

3 posts

SHAttered iPod touch 4G

Those of you with Apple’s new iPod touch 4G, or those of you who bought another recent device after the jailbreakme.com exploit was closed, have probably heard about a brand new exploit called SHAtter. The exploit (and payload) was developed by @pod2g a few months after @p0sixninja of the Chronic Dev Team discovered the crash. That team is hard at work bringing you a brand new tool to make use of the exploit. It’s not the sort of thing that can be developed overnight so please be patient while waiting for any announcements from them.

In the meantime, we’ve put @pod2g’s exploit into a beta version of PwnageTool to test the waters. The SHAtter exploit was enough to convince the iPod touch 4G to restore to our custom IPSW. The successful result is shown below!  It’s all working: customized Preferences to show battery percentage, Cydia, root shell…the works!

Although PwnageTool was a useful first test of a full iPod 4G jailbreak via SHAtter, it’s really overkill compared to the faster tools being developed. Its main use in PwnageTool will be for those with an iPhone4, to allow updates while preserving the baseband and ultrasn0w carrier unlock. In any event, this is another exciting time for iPhone and iPod touch users…the cat and mouse game continues!

UPDATE #1:  It’s looking like SHAtter is going to be the gift that keeps on giving.  Even though the new AppleTV isn’t yet in people’s homes, the firmware is available on Apple’s normal public distribution servers and SHAtter has been used to decrypt its keys!  The main filesystem (“Mojave8M89.K66OS”) key for 018-8609-066.dmg is:

31c700a852f1877c88efc05bc5c63e8c7f081c4cb28d024ed7f9b0dbc98c7e1406e499c6

If you’re familiar with vfdecrypt, you can use that key to decrypt the image and mount it.  If you do so, feel free to use the comments section to discuss what you discover there :)  (And of course, thanks @pod2g!)

UPDATE #2:  It’s confirmed…SHAtter can trick Apple’s new AppleTV 2G into restoring to a pre-jailbroken IPSW from PwnageTool too!   Literally the only UI application on the ATV is Lowtide.app, but now the window is open for jailbroken apps of all varieties.  (Just like the early iPhone days, the only apps you’ll see on the AppleTV will be jailbroken ones).  In the meantime, here’s a video showing root access (via ssh) into Apple’s new product.

Sep 27, 2010

redsn0wier

We’ve released a beta version of redsn0w for the iPhone3G and iPod Touch 2G at FW 4.1 or 4.0.  It uses the same pwnage2 DFU-mode exploit that we’ve been using since the 2.x days.  It does not include the SHAtter exploit developed by pod2g.  Nothing new is revealed to Apple with this jailbreak.

IF YOU USE THE ULTRASN0W UNLOCK, PLEASE WAIT FOR PWNAGETOOL TO SUPPORT 4.1.  DO NOT USE REDSN0W.  That’s because to use redsn0w at 4.1, you need to already have updated to official 4.1 from Apple.  If you do that, you lose the ultrasn0w unlock (possibly forever).

The Windows version needs further testing, so for now this is available only for Mac OS X x86.  The Windows version will come as soon as the bugs are ironed out.

Note: if you have an “MC” model of the ipt2g, your 4.1 jailbreak will be tethered…sorry!  (Consider rolling back to a FW supported by jailbreakme.com or spiritjb.com)

===== What devices, platforms, and FW versions are supported? =====

This BETA release supports:

  • iPhone 3G and iPod touch 2G only (for now)
  • Mac OS X x86 and Windows only (for now)
  • 4.1 or 4.0 firmware from Apple


===== How do I use it? =====

If you’ve already updated your device to 4.1 or 4.0, the next steps are:

  1. Launch the beta redsn0w 0.9.6b1
  2. Select your stock 4.1 or 4.0 ipsw (you’ve already used this to update your device to 4.1 or 4.0)
  3. Select “Install Cydia” and any of the other options shown above, then click “Next”.  Use DFU mode to install the jailbreak.

Note: If you choose to “Enable battery percentage”, you actually toggle that off and on via Settings->General->Usage.

===== Download links =====

Please do not directly link to these URLs because they’ll be changing according to bandwidth demands.

  • OS X  (See our latest redsn0w post)
  • Windows (See our latest redsn0w post)

Update: Any Windows users seeing “Waiting for reboot” for too long (more than 20 seconds or so), please try “shaking” the JB process by unplugging then replugging your USB cable (while letting redsn0w continue to run).  Also, try using a USB port “closer” to your computer (as opposed to on your monitor or behind another hub).  We’re still tweaking the Windows flow and so any feedback you can provide will help!

Sep 21, 2010
#redsn0w

It's a trap!

Today you’ll likely start seeing iTunes innocently offer you a new version of iOS…version 4.1.  Don’t accept it…it’s a trap!

This time of year there are lots of new iPhone owners, and not everybody knows that accepting new iOS updates is the surest way to lose your jailbreak and/or unlock.  While those of you who have Cydia or TinyUmbrella backups of your FW hashes will always be able to get back to 4.0.1 if you make this mistake, this doesn’t hold for unlockers. There’s currently no known way to revert your baseband — if you update your baseband you’ll lose the ultrasn0w unlock, possibly forever.

Please stay away from this 4.1 release until a safe jailbreak procedure (which also preserves ultrasn0w) is developed and released.

P.S.  There are a tiny number of iPhone3G owners who can revert their basebands due to a flaw in very early bootloaders…you will already know if you fit in this category!

Sep 8, 2010

August 2010

4 posts

Winning moves

Jailbreakme v2.0 was a great success, and it’s provided a nice leveling point for all jailbreakers and unlockers on all devices at firmware versions less than 4.0.2/3.2.2.  We hope that everybody ever interested in jailbreaks or unlocks was able to join in on the jailbreakme bonanza.  Those of you who had Cydia capture your SHSH blobs, or those of you who captured them locally, will always be able to benefit from the jailbreakme.com v2.0 release. Congratulations!

Now it’s a few weeks later, and Apple has closed the jailbreakme.com hole.  They’re shipping devices with FW 4.0.2/3.2.2, impervious to this particular jailbreak.  So now, people will begin to ask: will there be a jailbreak for devices that shipped with 4.0.2/3.2.2, out of the box?

No, there won’t be.  FW 4.0.2/3.2.2 was *only* released to fix the jailbreakme hole.  With FW 4.1 still in its beta stages, it makes no sense to escalate the “cat & mouse” with Apple for FW updates that only fix the jailbreak holes. To quote WOPR, “the only winning move is not to play”.

If the cat & mouse game escalates too quickly, especially during beta FW periods, nobody but Apple benefits.  For this reason, there won’t be a 4.0.2/3.2.2 jailbreak specifically during the period where 4.0.2/3.2.2 is the latest public release.  At best, some future 4.1x FW jailbreak *may* be compatible with 4.0.2/3.2.2 (but don’t count on that).

If any of this is confusing, please ask below in our comments section!

P.S.: For those of you with iPhone3G or iPod Touch 2G (not MC version), it’s true you can always use redsn0w to jailbreak your 4.x devices.   Don’t let that dilute the above message, though :)

Aug 26, 2010

Fixing what Apple won't

On Wednesday, Apple (finally) released firmware 4.0.2, which patches the very large security holes exploited by @comex in the 2nd incarnation of jailbreakme.com.  The only problem is they outright abandoned iPhone2G and iPod Touch 1G users!  Even though Apple acknowledges in their security update the severity of these holes, they left iPhone2G and ipt1G owners high and dry — completely vulnerable to truly malicious variants of jailbreakme (these variants aren’t out yet, but they’re sure to come!).

Luckily for Apple, the Jailbreak community isn’t so callous. @saurik has been burning the midnight oil coding a Cydia package that will fix the holes for all devices and all firmware versions (even going back to version 2.x!).  It will be released very soon, after some more testing is done.  (Update: it’s available now…see update #2 below).


Since the only reason for 4.0.2 was to fix the security holes, and since the upcoming Cydia package will fix them too (and then some!), everybody should sit tight on 4.0.1 (or lower) and install the Cydia package as soon as it’s out.  Jailbreakers can have their cake and eat it too. 

P.S. Dear Apple: you’re welcome!

Update #1: For those who know their way around the bash shell and dpkg, please try out this fix and send any pertinent feedback to @saurik.

Update #2: The fix is installable via Cydia itself now (search for “PDF Patch”).  To test that it’s working properly, visit jailbreakme.com again.  After you slide to jailbreak, you should no longer see a dialog box pop up (you’ll just see the star background).  That means you’re no longer vulnerable!

Aug 12, 2010

grow, grow ultrasn0w!

We’re happy to tell you that our ultrasn0w carrier unlock now supports the iPhone4!


Version 1.0-1 of ultrasn0w works for:

  • iPhone4 baseband 01.59
  • 3G/3GS basebands 04.26.08, 05.11.07, 05.12.01 and 05.13.04

(If ultrasn0w doesn’t show when you search Cydia, add the repo:  repo666.ultrasn0w.com)

Here is a nice how-to video from @AdamFromYT that shows the installation process on the iPhone 4.

Aug 4, 2010
#ultrasn0w

The return of jailbreakme.com!

jailbreakme.com is back!

Thanks to some serious work by @comex, you can now jailbreak your iPhone, iPod Touch, or iPad right from MobileSafari — no PC or Mac needed!

Just visit http://jailbreakme.com on your device.

For those needing a carrier unlock, use the existing ultrasn0w in Cydia on your iPhone3G or iPhone3GS.  After a short testing period, we’ll push out the iPhone4 version.

Note: The earlier MMS and Facetime issues have been fixed.  If you already ran the version with those problems, launch Cydia and accept its offer to update.

Aug 1, 2010
#jailbreakme

July 2010

3 posts

Getting out of jail is free!

Fantastic news today from the Electronic Frontier Foundation (EFF).  After a lot of hard work and mountains of paperwork, jailbreaking your iPhone is now explicitly a permitted fair use under the DMCA!

The first of EFF’s three successful requests clarifies the legality of cell phone “jailbreaking” — software modifications that liberate iPhones and other handsets to run applications from sources other than those approved by the phone maker. More than a million iPhone owners are said to have “jailbroken” their handsets in order to change wireless providers or use applications obtained from sources other than Apple’s own iTunes “App Store,” and many more have expressed a desire to do so. But the threat of DMCA liability had previously endangered these customers and alternate applications stores.

In its reasoning in favor of EFF’s jailbreaking exemption, the Copyright Office rejected Apple’s claim that copyright law prevents people from installing unapproved programs on iPhones: “When one jailbreaks a smartphone in order to make the operating system on that phone interoperable with an independently created application that has not been approved by the maker of the smartphone or the maker of its operating system, the modifications that are made purely for the purpose of such interoperability are fair uses.”

The EFF also successfully renewed the existing DMCA exception for carrier unlocking.  More on the ruling by the Library of Congress is here and here (and many other places, since this is huge news!). The full ruling is here, and EFF’s history with this case is here (EFF’s servers are understandably getting hammered today!).

This doesn’t mean that Apple will stop their technical attempts to thwart jailbreaking, but it does mean that our iPhone jailbreaks and unlocks are now unambiguously legal under the DMCA.

Great job, EFF!

Jul 26, 2010

Blob banter


Those of you with jailbroken iPhone3G and ipt2G devices may now have noticed Cydia starting to save your SHSH blobs too, just like it does for iPhone3GS, ipt3G and later devices. That’s because starting with 4.0, Apple started putting a “soft” SHSH blob check in the firmware. The SHSH blob check is very real in the sense that if iTunes can’t get your blobs (because the Apple signing window has closed), the iTunes restore will error out. But it’s “soft” in the sense that those devices can always use redsn0w or PwnageTool to get past the error (the bootroms themselves for those devices don’t require blobs to be in the firmware files, unlike the newer bootroms).

Furthermore, since the 3.x IPSWs for these devices don’t enforce it, you can always restore to 3.x IPSWs outside of any signing windows.

So, Cydia is doing this to allow you to continue to use iTunes to restore to 4.x on iPhone3G and ipt2g outside of Apple’s signing window without needing to use redsn0w or PwnageTool to get around Apple’s annoying new restriction.

Jul 19, 2010

ultrasn0w is growing!

Those of you who follow @MuscleNerd or @planetbeing on Twitter probably already know that the team has had a series of successes with the carrier unlock on iPhone4 (#1, #2, #3, #4, #5-video).  We’re fine-tuning the payload to make it as quick to load as possible (and making sure it remains crash-free of course!).

As usual before a public release, there are lots of fake Twitter and Facebook accounts trying to capitalize on the public’s eagerness to get the unlock.  For those who only want to know when it’s released, either of these two official accounts will do.  All other variations of these account names are fake!

@ultrasn0w

@iphone_dev

If you want to be kept up to date on progress as it’s being made, you can also follow:

@planetbeing

@MuscleNerd

And of course, our comment section below is a great place to ask general questions! There are lots of knowledgeable people able to respond, including our great moderators @confuciousmobil and @angiexpangie

P.S. If you want to help prevent more people from being fooled by the fake accounts, here are a few examples of them: fake#1 fake#2 fake#3 fake#4 fake#5.  Feel free to tweet them, so that others following them realize they’re fake.

Jul 18, 2010
#ultrasn0w

June 2010

2 posts

foursome news

PwnageTool 4.0 Release Info

PwnageTool 4.01 Release Info (UPDATED TO V 4.01)

On Monday, Apple released firmware 4.0 for the iPhone and iPod touch devices.  This of course was a major upgrade.

As advised, you shouldn’t have upgraded your devices if you have previously relied on our tools for hacktivation and/or a carrier unlock.

With that said, today we are releasing PwnageTool 4.0 (now 4.01).

PLEASE READ THIS ENTIRE POST CAREFULLY, THERE ARE KNOWN UPGRADE TRAPS AND DIFFERENT UPGRADE SCENARIOS THAT NEED TO BE FULLY UNDERSTOOD AND CONSIDERED BEFORE USING THESE TOOLS.

Each supported device has a few different scenarios that users need to consider when performing the upgrades; you need to check below and perform the upgrade in the particular way that matches your current device state.

NB: With PwnageTool 4.0 (now 4.01) certain devices are not supported; this is because they are not supported in iOS 4.0 or they are not supported by our software.  We’re working on ways to get past these restrictions.

  • iPhone 2G  - not supported
  • iPod Touch - not supported
  • iPod Touch 3G - not supported

PwnageTool 4.0 (now 4.01) only recognizes the official IPSWs that came out yesterday.  If you had developer access to the “4.0 GM” IPSWs, do not try to use those.

iPhone 3GS

Summary: Currently, PwnageTool only works on previously jailbroken 3GS devices with the old bootrom. 

  • If you have a Jailbroken iPhone 3GS with the OLD BOOTROM and you DID NOT use Spirit to jailbreak then you can create the ipsw with PwnageTool 4.0 and restore with your jailbroken recovery mode. 
  • If you have an iPhone 3GS with the NEW BOOTROM this is NOT supported by PwnageTool 4.0 (now 4.01)

iPhone 3G

  • If you have a Jailbroken iPhone 3G at 3.1.2 (but not jailbroken with Spirit) then you should create the ipsw with PwnageTool 4.01 and restore from recovery mode or DFU mode.
  • If you have an out of the box iPhone 3G you should restore using a PwnageTool 4.01 ipsw using DFU mode.
  • If you have a Jailbroken 3.1.3 iPhone 3G it is very possible that this can fail from recovery mode, if this failure happens you will need to restore using DFU mode.
  • As an alternative to PwnageTool, you can use redsn0w on iPhone 3G (on both Windows and Mac) as mentioned in our last post.

IMPORTANT! Whenever you need to enter DFU mode, you will need to do so using PwnageTool.

iPod touch 2G

  • If you have an iPod touch 2G (non-MC model) that is jailbroken (but not with Spirit) then you can restore using recovery mode. 
  • As an alternative to PwnageTool, you can use redsn0w on non-MC iPod Touch 2G (on both Windows and Mac) as mentioned in our last post.

Baseband Unlock

  • As you probably know by now, ultrasn0w has been updated to cover all basebands from 04.26.08 onward.  Many thanks to @sherif_hashim for finding the crashing command that the new ultrasn0w 0.93 uses!  He worked hard at finding the crash, and he kept it confidential until the right time to use it.
  • Major props to @oranav (who found the earlier +xlog crash).  He also had this crashing command! 
  • iPhone 3G and 3GS baseband unlockers (those who rely on ultrasn0w to make phone calls) should always be very wary of updating their firmware; however, our ultrasn0w application will unlock all recent (including the current) 3GS and 3G baseband firmware versions.  Once you are jailbroken using PwnageTool 4.01, install ultrasn0w from Cydia and you’ll be unlocked.
  • Remember! This baseband unlock situation is rare, should you upgrade your iPhone blindly at the next iOS release please don’t expect an unlock - but for now you are OK (whatever state your baseband is in).

Please feel free to ask any questions in the comment section below.  We’ve got a bunch of expert help there, including our friendly moderators confucious and angie!

Official Bittorrent Releases

PwnageTool 4.01 Torrent  - PwnageTool_4.01.dmg.5645662.TPB.torrent

SHA1 Sum = 15bdb90ec40f1e279bb648eb7e9d90ebe07b66d2

SHA1 Sum = a7e83163b4868256ac887975d7d2fd230110cf68

Unofficial Mirrors

The following links are unofficial download mirrors, you download these archives at your own risk, we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links and we accept no responsibility with regard to the validity of the files, the other content that these links may provide or with the content that is on the third-party linked site.

Always check the files that you have downloaded against our published SHA1 hash.
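The check the two "Always check the files that you have downloaded against our published SHA1 hash" paragraphs (here and in the 4.1.2 post above) ask for, as an added example that is not part of the original posts: it streams a downloaded file through SHA1 and compares the digest with the sum copied from the official post, accepting a pasted "SHA1 Sum = …" line as-is. The helper names and the small demo file are constructed; the only page values used are the published sums in the test.

```python
import hashlib
import os
import re
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, so a multi-hundred-MB .dmg is never loaded whole
_HEX40 = re.compile(r"[0-9a-fA-F]{40}")


def parse_published_sum(line):
    """Extract the 40-hex-digit digest from a line such as
    'SHA1 Sum = 15bd...' as it appears in the release post.
    Raises ValueError if no digest is present."""
    m = _HEX40.search(line)
    if not m:
        raise ValueError("no SHA1 digest found in: %r" % line)
    return m.group(0).lower()


def sha1_of_file(path):
    """Stream the file through SHA1 and return the lowercase hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, published):
    """True if the file's SHA1 equals the published sum. `published` may be
    the bare digest (any case, surrounding whitespace ignored) or the whole
    'SHA1 Sum = ...' line."""
    return sha1_of_file(path) == parse_published_sum(published)


def verify_bytes(data, published):
    """Same comparison for data already in memory."""
    return hashlib.sha1(data).hexdigest() == parse_published_sum(published)


if __name__ == "__main__":
    # Constructed demo: a tiny file with a known SHA1 stands in for a
    # downloaded .dmg; the digest of b"hello" is aaf4c61d...9434d.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"hello")
    try:
        print(verify_file(tmp.name, "SHA1 Sum = AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D"))  # True
        print(verify_file(tmp.name, "0" * 40))  # False
    finally:
        os.unlink(tmp.name)
```

The digest you compare against has to come from the official post, not from the mirror serving the file; a mirror that can alter the .dmg can just as easily publish a matching sum next to it.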

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must. Mirror owners should email direct dmg download links only (no rapidshare or filesharing sites please) to blog@iphone-dev.org — please don’t place mirrors in the comments as they will be deleted.

France

  • http://www.blogiphone.fr/PwnageTool_4.01.dmg

Poland

  • http://www.iblog.pl/PwnageTool_4.01.dmg
  • http://www.iphoneblog.pl/PwnageTool_4.01.dmg

Switzerland

  • http://www.ifreak.ch/download/PwnageTool_4.01.dmg

Turkey

  • http://www.appleturk.net/PwnageTool_4.01.dmg

Netherlands

  • http://www.stimp.nl/mirrorfiles/PwnageTool_4.01.dmg

Germany

  • http://www.iphone-storage.de/PwnageTool_4.01.dmg
  • http://dl.finalgaming.de/dev-team/PwnageTool_4.01.dmg
  • http://dl.digitalkiller.com/PwnageTool_4.01.dmg

Jun 22, 2010
#PwnageTool #ultrasn0w

all four one!

Around an hour ago the new version of the iPhone Operating System (now called ‘iOS’) was released.

iOS 4 is a huge release for Apple with many many changes and those changes offer slick additional features.

These new features are being offered by Apple as a free upgrade to qualifying devices.

We are working hard on a release to our tools that will jailbreak your device (or give you iOS 4 via the jailbreak train) and provide you with a carrier unlock.

Until these tools are released you should hold off on updating your device until we have fully tested our tools with all the relevant devices.

If you rely on hacktivation or a carrier unlock (ultrasn0w) then you should not upgrade until we have fully tested and released our tools.

Don’t be tempted with unofficial PwnageTool/redsn0w bundles or releases, just check here or our team twitter for real time release information.

Remember, we risk our devices so you don’t have to (but this time anyone who has made a mistake upgrading their baseband firmware should be OK real soon ;)  Now! :)

Update #1: redsn0w beta has been updated to hacktivate iOS 4.0 for iPhone3G (in addition to jailbreaking the iPhone3G and iPod Touch 2G).   The download links for redsn0w are:

  • Mac OSX (x86)
  • Windows

For now, the redsn0w beta release supports only the iPhone3G and iPod Touch 2G at today’s 4.0.  It’s still a beta, so you’ll need to let Cydia reorganize, reload, and update after using redsn0w.

Update #2: There’s a new redsn0w beta (links were changed above) that should fix any iBooks problems people were seeing.  Just run this new version 0.9.5b5-4 and deselect Cydia (you don’t want to reinstall Cydia over itself).

Update #3: Remember, there are scammers everywhere in the iPhone scene.  The latest one involves something called “ClawPack”.  Avoid this costly, untested, and certainly unendorsed ripoff of our free software.

Update #4: There’s a new redsn0w beta (links were changed above) that should fix any APN or MMS issues that users were seeing. It’s safe to re-run it on an already jailbroken iPhone without restoring…just deselect “Install Cydia” if you do that.

Jun 21, 2010
#redsn0w

May 2010

1 post

Spirit freed

The Spirit jailbreak is now out!  Congratulations to @comex for the first userland jailbreak since the 1.x days.

Spirit provides an untethered jailbreak on those newer devices which used to require a computer nearby to finish the boot process.  Spirit is able to do this because it doesn’t actually kick in until after the kernel is running.

You can get the goodies at http://spiritjb.com

May 2, 2010

April 2010

3 posts

Calm before the Spirit storm

At some point after (don’t ask when!) the iPad 3G is actually in customers’ hands, the first “userland” jailbreak since firmware 1.x will be released by @comex.  It’s called “Spirit” and was first demonstrated working on an iPad by @MuscleNerd within 24 hours of the iPad’s release on April 3.

Userland jailbreaks are more troublesome for Apple since they expose security weaknesses that exist even for non-jailbroken owners.  As such, Apple is likely to close them soon after they’re made public. One recent example of this is the SMS vulnerability exposed at Blackhat last summer.  Apple released new firmware to close that hole within a day.

The Spirit jailbreak is most useful for newer devices: iPhone 3GS, iPod Touch 3G, and the iPads.  Unfortunately those devices are the same ones that Apple can prevent you from downgrading unless you’ve got a backup of your personalized SHSH blobs.  Unless you’ve backed up your SHSH blobs for vulnerable firmware versions, you’ll lose the ability to use the current Spirit jailbreak if you accidentally upgrade.

Please take the steps now to back up your SHSH blobs.  Use either Firmware Umbrella to create a local copy, or go through saurik’s server.  If you are getting an iPad 3G, it’s safest to back up your blobs using Firmware Umbrella, in case saurik’s server gets bogged down with requests.

Other things about Spirit that are useful to know:

  • Spirit is an untethered jailbreak.
  • Spirit works on all devices.  (However, the redsn0w and PwnageTool flows will continue to work on those devices they’ve always worked on)
  • Spirit does not include a carrier unlock.  (Please don’t bug @comex about that)
  • Spirit requires your device to be activated or hacktivated

Please make sure you have your SHSH blobs backed up!  While @comex has indicated he’s not going to release the very minute the iPad 3G is out, there’s no telling what Apple might do anyway.

Update Friday, Apr 30:

As expected, the iPad 3G is equally vulnerable to @comex’s Spirit JB, as demonstrated below on MuscleNerd’s device soon after it arrived by FedEx on the iPad 3G release day.

Before even running Spirit, however, a backup of that iPad 3G’s blobs was made.  Even though he already had blobs for his iPad Wifi, they can’t be used on the iPad 3G (or any other iPad Wifi or other device for that matter). Blobs are unique per-device, per-firmware.

Apr 29, 2010 (20 notes)
iphoneos 4.0 on the horizon

Some interesting features were revealed in today’s preview of iphoneos 4.0.  We’ll use this post as a placeholder for discussion about these features and how they relate to the jailbreak.

Also, it seemed like a good idea to move away from our last post, which was made on April 1 for a reason :)

Apr 8, 2010 (10 notes)
Planned Tablet Hacks

The iPhone DevTeam has been passed confidential internal information relating to the next version of the tablet computer the ‘iPad’. An upcoming redesign of the iPad tablet computer will miniaturize the device so that it will be able to be carried on the user’s person (such as a pocket or small bag). Also a radical move to add a minimum of a 13 kbits/s speech codec to the miniaturized tablet variant is planned.

The inclusion of the voice codec will allow the user to directly utilize the GSM nomadic network, allowing person to person communications directly using your mini-iPad from anywhere dramatically speeding up the usual typed email or instant messaging capabilities that the iPad offers today.

It is the plan of the iPhone DevTeam to target this device as soon as it is released. 

Apr 1, 2010 (20 notes)

February 2010

4 posts

Scam season

While Apple’s 3.1.3 firmware was minor in terms of new features, it’s had the side effect of opening up a huge market for scam sites.  These sites will promise you a 3.1.3 jailbreak for newer devices like the iPod touch 3G, or a baseband 05.12 software unlock.  Those desperate enough to “just give it a shot” will find, 100% of the time, that they were misled.  After money has changed hands they’ll be told “well the 05.12 unlock is coming, in the meantime here’s the 05.11 unlock” (of course the 05.11 unlock was intended to be free, as you all know).  They’ll hold your money until one day the 05.12 unlock does come out, even if that’s months later (and of course it’ll be released for free).  In the meantime they’ll be able to claim they gave you part of what they advertised, and keep at least part of your money (in actuality they’ll usually keep all of it).

Don’t fall for these scam sites!  None of them have a 05.12 unlock, none have the 05.11 unlock working on 3.1.3, none have a 3.1.3 jailbreak for newer devices like the ipt3G.  They’re trying to capitalize on your upgrade mistake, and they only need a very small percentage of people to fall for them to make their money and run.

Those following twitter may have seen some recent very early developments in the 05.12 unlock situation.  One of our more helpful commenters, sherif_hashim (at a rating of 84p you know he’s helped others much already!), found what looks like a very promising crash in the new baseband.  He’s put in a lot of work looking for crashes over this past year, and he’s still looking for more!  We’ve started to look at his crash, but it’s a long road between any given crash and a fully working unlock, and we couldn’t put an ETA on it even if we wanted to.  It’s not even guaranteed that a working unlock will come from this particular crash; it’s just too early to tell.

In the meantime, please stay vigilant against these scam sites.  Don’t be part of the small percentage of people that fall for them because that small percentage is all they need.

Feb 11, 2010 (8 notes)
Pre-game show

On Tuesday, Apple released firmware 3.1.3 for the iPhone and iPod touches.  Unless you’ve personally observed a problem with the reporting of your battery percentage, there’s no reason to update to 3.1.3.  We know some of you will want to anyway.  Superbowl Sunday’s PwnageTool 3.1.5 for Mac OS X will let you do so safely, preserving your jailbreak and ultrasn0w unlock.  (If you use the blacksn0w unlock (at baseband 05.11.07), you need to stay at 3.1.2.)

iPhone 3G and 3GS unlockers should always be very wary to update their firmware.  This is no exception.  If you make a mistake along the way you may find yourself updating to official 3.1.3 in which case you will lose your unlock, possibly forever.

iPhone 3GS users (regardless of unlock) should stay away from this and all 3.1.3 jailbreak tools unless you know you have your “SHSH hashes” backed up via Cydia.  That’s because if you make a mistake you may find yourself stuck at official 3.1.3 with no way to jailbreak or come back down to 3.1.2 to jailbreak.

If you really truly feel that you need to update, this version creates a custom 3.1.3 IPSW for you to restore to on your iPhone 2G, iPhone 3G, iPhone 3GS with early bootrom, iPod touch 1G, and iPod touch 2G with early bootrom.  If you don’t know if you have an early bootrom or not, please avoid updating until you learn more.

You don’t need to be pre-jailbroken on anything but the iPod touch 2G early bootrom.  And really for that device, it’s faster and easier to use redsn0w 0.9.4 as mentioned in our last post.  For that matter, if you have an ipt1G, iPhone 2G, or iPhone 3G (and don’t need an unlock), you should use redsn0w too (but version 0.9.3).  It’s faster and you won’t have to go through a full restore process (just do an update, then run redsn0w, pointing it at the 3.1.2 FW instead of 3.1.3).

If you have an iPhone 3GS: PwnageTool works if you’re currently at version 3.1.2 or below (down to 3.0) and if you know you have an old bootrom.  You don’t need to be already jailbroken; PwnageTool will ask you if you’re jailbroken after you’ve created the IPSW.  Don’t use PwnageTool unless you know for sure you have an old bootrom (if you’re not sure, assume the worst and don’t use it).  Don’t use PwnageTool on the iPhone 3GS if you’re at 3.1.3; it just won’t work.  Downgrade to 3.1.2 using the methods described here.  If you can’t downgrade because you don’t have your 3GS 3.1.2 hashes on file with Cydia, you’ll need to sit out the 3.1.3 jailbreak.

We aren’t revealing any new exploits to Apple with this jailbreak. Everything here has been used before, it’s just a straightforward port of Pwnage2 and 24Kpwn to the new firmware.  It’s possible the new firmware was released largely to flush out new exploits before the next big release.  We won’t be biting.

We’d really like the above warnings and disclaimers to sink in. Please don’t download the files below and use them blindly.

Please feel free to ask any questions in the comment section below.  We’ve got a bunch of expert help there, including our friendly moderators confucious and angie!

Official Bittorrent Releases

  • PwnageTool 3.1.5 Torrent - PwnageTool_3.1.5.dmg.5344262.TPB.torrent
  • SHA1 Sum = 16611fb60d088edd2fa5128e4f95f35d8e56a603

Unofficial Mirrors

The following links are unofficial download mirrors.  You download these archives at your own risk; we accept no responsibility if your computer explodes, if it becomes part of a NASA-attacking botnet, or, even worse, if your hands fall off mid-way through using these files.  We do not check these links, and we accept no responsibility with regard to the validity of the files, the other content that these links may provide, or the content on the third-party linked site.

Always check the files that you have downloaded against our published SHA1 hash.  We would prefer that you download the official bittorrent release linked above, but you are welcome to try these if you really must.  Mirror owners should email direct download links only (no rapidshare or filesharing sites please) to blog@iphone-dev.org; please don’t place mirrors in the comments, as they will be deleted.
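As an added example (not the Dev-Team’s own code), here is a small POSIX shell check that compares a mirror download against the SHA1 published in this post before you open it.  The published digest for the 3.1.5 DMG is copied from the list above; the file name in the usage line is assumed, and the check works with whichever of sha1sum, shasum or openssl the machine has.

```shell
#!/bin/sh
# Added example, not Dev-Team code: verify a mirror download against the
# SHA1 published in the release post before opening it.

# Published value copied from the post above (PwnageTool 3.1.5 DMG).
PUBLISHED_SHA1_PWNAGETOOL_3_1_5="16611fb60d088edd2fa5128e4f95f35d8e56a603"

# sha1_of FILE -> prints the lowercase hex digest.  Uses coreutils sha1sum,
# BSD/macOS shasum, or openssl, whichever is available.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        # openssl prints "SHA1(file)= <hex>", the digest is the last field
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}

# verify_sha1 FILE EXPECTED -> exit status 0 on match, 1 on mismatch,
# 2 if the file is missing.  The expected value is lower-cased and stripped
# of whitespace so a hash pasted straight from the post still compares.
verify_sha1() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    if [ ! -f "$file" ]; then
        echo "MISSING $file" >&2
        return 2
    fi
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK      $file"
        return 0
    fi
    echo "FAIL    $file: got $actual, expected $expected" >&2
    return 1
}

# Usage (file name assumed): only open the DMG if this returns 0.
# verify_sha1 PwnageTool_3.1.5.dmg "$PUBLISHED_SHA1_PWNAGETOOL_3_1_5"
```

A mismatch means the mirror served a different file than the one the post describes, whether by corruption or tampering, and the only safe response is to discard it and fetch the official torrent instead.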

United States

  • http://begolli.com/downloads/mac/PwnageTool_3.1.5.dmg
  • http://download.sourcekills.com/files/devteam/PwnageTool_3.1.5.dmg
  • http://www.hackthatphone.net/PwnageTool_3.1.5.dmg
  • http://zombisoft.com/tools/PwnageTool_3.1.5.dmg

Austria

  • http://www.apfelzone.com/intern/downloads/PwnageTool_3.1.5.dmg

France

  • http://www.ipodtouchmasterfr.com/files/PwnageTool_3.1.5.dmg

Germany

  • http://apfelportal.de/host/images/PwnageTool_3.1.5.dmg
  • http://files.bestblog.de/iphone/PwnageTool_3.1.5.dmg
  • http://downloads.isn0w.de/PwnageTool_3.1.5.dmg

Korea

  • http://iphone.ddisk.com/PwnageTool_3.1.5.dmg

Poland

  • http://bentkowski.com.pl/PwnageTool_3.1.5.dmg

Romania

  • http://www.accesoriigsm.net/PwnageTool_3.1.5.dmg

United Kingdom

  • http://hosted.z0id.com/PwnageTool_3.1.5.dmg


Feb 7, 2010 (21 notes)
#PwnageTool
3.1.3 and thee

WARNING! At 10.30AM PST on February 2nd 2010 Apple released the 3.1.3 version (7E18) of the iPhoneOS.

If you care about your jailbreak and unlock, don’t update your device - 3G and 3G(S) owners should pay particular attention to this warning.

  • PwnageTool and redsn0w are not yet compatible with 3.1.3
  • There is no estimated release time for compatible tools (please don’t bug us about this).
  • Any information we have regarding this update will be posted here.
  • You can also follow us on twitter - @iphone_dev

Update 1:  [Don’t go near this if you have 3GS, newer ipt2G, or any ipt3G] Thanks to daring experimenters in the comments, we can confirm that yesterday’s redsn0w works for today’s 3.1.3 update for iPhone 2G.  Just point it at the 3.1.2 iPhone 2G IPSW after doing update or restore to 3.1.3.  So far we’ve only confirmed this for iPhone 2G.  (Note that if this does work for iPhone 3G too, you can *only* use it if you don’t care about the unlock.)

Update 2: [Don’t go near this if you have 3GS, newer ipt2G, or any ipt3G] Can confirm that this method works for iPhone 3G and iPod touch 1G too.  Don’t do it for iPhone 3G if you need an unlock though (really, don’t!). For older iPod touch 2G, we’ll need a small (1-character) change in redsn0w source.

Update 3: [Don’t go near this if you have 3GS, newer ipt2G, or any ipt3G] For those with older (non-MC) iPod touch 2G, we’ve compiled a special version of redsn0w meant just for you: Mac and Windows.  You guys can get in on the “3.1.2 loophole” too using this special version.  Don’t try this if you have a newer iPod Touch 2G or if you’re not completely sure what version you have.  And of course don’t try it for 3GS or ipt3G either.

That about does it for the 3.1.2 redsn0w loophole.  Ultrasn0w/yellowsn0w/blacksn0w users shouldn’t go near it.  Otherwise, it can be used by owners of iPhone 2G, iPhone 3G (not unlockers!), iPod 1G, and iPod 2G older version.  Everyone else please wait for official support in the tools.

Feb 2, 2010 (31 notes)
Reviving redsn0w

It sure has been a while since we last saw a firmware update from Apple.  (And by the way, which will come first…the iPad wifi, FW version 3.1.3/4.0 for iPhones, or the new iPhone itself?)  Anyway, while we’re waiting, we updated redsn0w to be compatible with FW 3.1.2.  We also added a few new features!

It’s actually been in “open beta” for a while now, and those of you who already follow @MuscleNerd on twitter may already have tried the new redsn0w.  You can read all about it and download it from our wikee.  Compared to our last release, we’ve given you the ability to quickly change your boot or recovery logos and enable “verbose” booting.  And for those of you who want to experiment with your internet tethering options over cellular, try version 0.9.3 in the extra links at the bottom of that wikee page.

After reading the brief Q&A on our wikee, feel free to ask any questions below in the comments.  Briefly though, if you’re already happy with your current jailbroken system (whether it’s via PwnageTool or blackra1n), and if you don’t want boot logos, then you can safely ignore this post and we’ll continue the wait for Apple’s next release together :) Otherwise go ahead and try some new boot logos using redsn0w, or use it for fresh jailbreaks.  If you use it on an already jailbroken phone, be sure to checkmark “Already pwned” and don’t reinstall Cydia again (doing so will probably make Cydia lose track of what it has installed).

Caution: if you’re using the ultrasn0w or yellowsn0w unlocks then don’t be tempted to update to official 3.1.2 just to use redsn0w (and remember, redsn0w still works at 3.0 anyway).  If you update to official 3.1.2, redsn0w will still work but you’ll lose ultrasn0w and yellowsn0w.  There is geohot’s blacksn0w for those who updated to official 3.1.2 but there are still wifi problems with the unlock at that firmware in a small number of cases.  iPhone 2G unlockers don’t need to worry about any of this, since BootNeuter handles all that regardless of firmware version (BootNeuter is installed for you by redsn0w if you have an iPhone 2G and choose “unlock”).

This version of redsn0w does not provide an untethered jailbreak for those of you with brand new iPhone 3GS, iPod touch 2G, or any iPod touch 3G.  redsn0w will jailbreak those but it will still be a tethered jailbreak until some new exploit is found and released.

As always, redsn0w does not update your firmware version.  You use it with whatever firmware is already running on your device (and you point redsn0w to the IPSW corresponding to that firmware already running on your device).

Feb 1, 2010 (9 notes)
#redsn0w

November 2009

2 posts

Ultrasn0w update

Today we released an ultrasn0w update that fixes an issue for those running firmware 3.1.x with the 04.26 baseband.  That specific combination resulted in a missing carrier name in the upper left-hand corner of your home screen.  Today’s ultrasn0w update from 0.91 to 0.92 fixes that problem (which was an important issue for roaming). You should see the update available if you have http://repo666.ultrasn0w.com as a Cydia source.  Enjoy!

Nov 9, 2009 (6 notes)
#ultrasn0w
Baseband reprieve

iPhone 3G/3GS owners who found themselves stuck with version 05.11 of the baseband (either by accident or because they bought it that way) are now in luck!  geohot was able to turn the already-public at+xemn crash into an injection vector, which can be used to inject his version of the unlock.  The blacksn0w unlock is available for free via Cydia by adding the repository http://blackra1n.com in the Manage->Sources panel.  Congratulations, geohot!

Those of you who are already unlocked at 3.1.2 because you kept your 04.26 baseband now have an extra cushion of comfort, and more choices: ultrasn0w, purplesn0w, and now blacksn0w (and of course the original yellowsn0w too if you’re still back at FW 2.x).   Whether or not you choose to update your baseband solely to use the new unlock is a personal choice, but so far there are no advantages to doing so (and remember you can’t come back to 04.26 after you’ve gone to 05.11).

As with all the unlocks, it will probably very soon be re-sold through scam sites that charge you money for what is offered to the community for free.  Please stay vigilant for these scam sites and steer your friends away from them.

Update: Some commenters are reporting a lingering problem with WiFi while using blacksn0w.  Some are able to solve it with a single “Reset Network Settings” but others say they need to do that periodically.  So far there seems to be no pattern to those affected or the best way to fix it.

Nov 3, 2009 (11 notes)

October 2009

4 posts

Happy Pwnkin Day

No, this is not a release post!  Just wanted to wish iPhone and iPod touch users everywhere a Happy Halloween!

This next one obviously isn’t a pumpkin but who can pass up on laser art by marcan!

If you have an iPhone or Apple related pumpkin photo you’d like to share, send it on in to blog@iphone-dev.org or tweet it to MuscleNerd :)  The first pumpkin with our dev team pwnapple logo is MuscleNerd’s and for credit on the others, just click on them.

Oct 31, 2009 (6 notes)
Pwnage Pie

Here are some details on our latest version of PwnageTool 3.1.4 for Mac OS X which supports the 3.1.2 release of the iPhone software for iPhone 2G/3G/3GS and iPod Touch 1G/2G.

If you’re already jailbroken (by whatever means), you don’t need to mess around with DFU mode at all.  Just create (or get from a friend) your custom IPSW and Option-Restore (Shift-Restore on Windows) to it via iTunes.  Don’t enter DFU mode at all.  Please make sure you are restoring to the custom IPSW, not the stock one from Apple!  For best results, use the latest iTunes (9.0.1) — which includes a nice new application organizer.

This release allows your baseband to remain unlocked at 3.1.2, but it does not unlock a new baseband put there by restoring to official 3.1.x.  It is super important that people who need the unlock understand they can keep it only by starting at 3.0 (or earlier) and updating solely to custom IPSWs that don’t update the baseband.  For those who have been onboard the “unlock train”, simply install ultrasn0w via Cydia once you’ve restored to your custom IPSW.  Don’t forget to turn off the “3G” setting in Settings->General->Network if you use T-Mobile in the U.S.A.

Note for 3GS users not already jailbroken and stuck at 3.1.x: this version of PwnageTool has a side feature to jailbreak your 3GS.  It uses a simple implementation of the usb control msg hole found by chronicdev, geohot, and our very own gray.  (Update: please make sure iTunes and iTunesHelper are not running when PwnageTool asks you if your 3GS is already jailbroken/pwned).  Now that the hole is public and in use, we expect Apple to close it by the next major firmware update. That’s why 3GS users need to get their ECID hashes for 3.1.x now, and need to stay onboard the “jailbreak train” in all future updates.  For more details on what this means, please see our earlier posts or ask in our comments section (moderated by the always helpful @angie and @confucious!).

For the early adopters who ran blackra1n and are having problems with mobilesubstrate, winterboard, diskaid, or ifunbox, you can install a custom .ipsw from PwnageTool to fix these issues.  That’s because all jailbroken devices accept a custom .ipsw created by PwnageTool.  (However, if you ran blackra1n on a 3G or 3GS that means you updated to stock 3.1.x, and the carrier unlock is now out of reach.  We’ll continue to work on a carrier unlock for the latest basebands, but the timeframe for such an unlock is unknowable.)

Note: If you use internet tethering on a carrier that doesn’t officially support it, you’ll lose it by going to 3.1.x.  Stay back at 3.0 until a hack for that is developed.

SUMMARY:

  • The iPhone 3GS is now supported out of the box in PwnageTool 3.1.4 (or if you have upgraded to 3.1.x in iTunes)
  • The iPod 2G is still supported in PwnageTool 3.1.4 but you must already be jailbroken (we’ll update this if there’s a big demand from non-jailbroken ipt2G owners)
  • The iPod touch 3G is NOT supported

DETAILS:

  1. GOLDEN RULE: If you are using an iPhone 3G or iPhone 3G(S) with ultrasn0w and rely on ultrasn0w to obtain cellular service, then you should only update your device with an .ipsw that is made with the new PwnageTool.  There are no second chances with this.  You need to remember that PwnageTool will provide an upgrade path to newer versions of the iPhone software in the future.
  2. Please read all parts of this post before downloading and using these tools.
  3. Read items 1, 2 and 3 again and again.
  4. At the bottom of this post are the bittorrent files for the 3.1.4 capable version of PwnageTool.
  5. PwnageTool will work for the iPhone 3GS
  6. PwnageTool will work for the iPod touch 2G
  7. PwnageTool WILL work for Original iPhone (1st Generation), the iPhone 3G and iPhone 3G(S) and the iPod touch (1st Generation and 2nd Generation) but NOT the iPod touch 3rd generation.
  8. For 3G and 3G(S) users who are Pwned, PwnageTool is your key to updating in the future, just remember to never install an update directly from Apple, always use an .ipsw that has been created with PwnageTool.
  9. There is no Windows version of PwnageTool yet.  It is currently a Mac OS X tool only.  Custom IPSWs created on a Mac can be used on a Windows machine too.

What’s a Baseband?

The ‘baseband’ is the generic nickname given to the internal components of the iPhone that handle the phone calls and Internet access.  This ‘baseband’ is a tiny and unique independent computer system that runs inside your iPhone; it is separate from the main system that handles the applications (such as email and google maps), and it talks to the main part of the phone over an internal communications network.

Think of it like a cable modem or other peripheral that is attached to your home PC that needs occasional updates. When a software update is released and presented to you within iTunes the baseband is sometimes updated (to fix bugs or add new features).

The 3.1.2 update for the iPhone 3G and 3GS contains such an update, so running the vanilla updater straight away with iTunes will reprogram and update the baseband.

WHICH DEVICE DO I HAVE?

Read the description to identify your device, once you have correctly identified your device follow the specific instructions for that device as listed below.

SIM Free/SP Unlocked/Factory Unlocked iPhone 3G(S)

This applies if you bought your iPhone 3G(S) for $$$$$$$.  This model of iPhone 3G(S) doesn’t have a Service Provider lock (aka factory unlocked), and you are able to put any SIM card into the phone and get service.  Your phone is already unlocked, so you do not need to worry about baseband updates; you can use PwnageTool to create an ipsw and then use this to update and jailbreak your phone.

SIM Free/SP Unlocked/Factory Unlocked iPhone 3G

This applies if you bought your iPhone 3G for $$$$$$$.  This model of iPhone 3G doesn’t have a Service Provider lock (aka factory unlocked), and you are able to put any SIM card into the phone and get service.  Your phone is already unlocked, so you do not need to worry about baseband updates; you can use PwnageTool to create a 3.1.2 .ipsw and then use it with iTunes to upgrade and jailbreak your phone.

iPhone 3G

Use PwnageTool to do the magic and then restore with iTunes using your newly created .ipsw

iPhone 3G(S)

Use PwnageTool to do the magic and then restore with iTunes using your newly created .ipsw

iPhone 2G (1st Generation)

Use PwnageTool to do the magic and then restore with iTunes using your newly created .ipsw.  ’Nuff said: you don’t need to worry about anything, the baseband will be unlocked and the phone jailbroken.

iPod Touch 1G (Original iPod Touch)

Use PwnageTool to create a firmware image and restore with that .ipsw using iTunes.

iPod Touch 2G

Use PwnageTool to create a firmware image and restore with that .ipsw to your already jailbroken device using iTunes.

iPod Touch 3G

At this time PwnageTool does not support this device.

Official Bittorrent Releases

  • PwnageTool 3.1.4 Torrent - PwnageTool_3.1.4.dmg.5122330.TPB.torrent
  • SHA1(PwnageTool_3.1.4.dmg.5122330.TPB.torrent) = d9d44258ade35623ec71e83520943b6f4baa568a

Unofficial Mirrors

The following links are unofficial download mirrors.  You download these at your own risk; we accept no responsibility if your computer explodes, if it becomes part of a NASA-attacking botnet, or, even worse, if your hands fall off mid-way through using these files.  We do not check these links or archives, and we accept no responsibility with regard to the validity of the files, other content these links provide, or the content on the linked site.  Always check the published SHA1 sums.  We would prefer that you download the official bittorrent release linked above, but you are welcome to try these if you really must.  Mirror owners should email direct links only to blog@iphone-dev.org; please don’t place mirrors in the comments, as they will be deleted.

  • http://downloads2.touch-mania.com/PwnageTool_3.1.4.dmg
  • http://download.sourcekills.com/PwnageTool_3.1.4.dmg
  • http://old.bielsipod.de/Daten/PwnageTool_3.1.4.dmg
  • http://www.hackthatphone.net/PwnageTool_3.1.4.dmg
  • http://miphone.ca/iphone-dev/PwnageTool_3.1.4.dmg
  • http://www.appleturk.net/ATWT/PwnageTool_3.1.4.dmg
  • http://www.apfelphone.net/dl/PwnageTool_3.1.4.dmg
  • http://apfelportal.de/host/images/dev-team/PwnageTool_3.1.4.dmg

Oct 13, 2009 (42 notes)
#PwnageTool
3.1.2 and you?

WARNING! At 10.20AM PDT on October 8th 2009 Apple released the 3.1.2 version (7D11) of the iPhoneOS.

If you care about your jailbreak and unlock, don’t update your device - 3G and 3G(S) owners should pay particular attention to this warning.

  • PwnageTool and redsn0w are not yet compatible with 3.1.2
  • There is no estimated release time for compatible tools (please don’t bug us about this).
  • Any information we have regarding this update will be posted here.
  • You can also follow us on twitter - @iphone_dev
  • @wizdaz has made a very cool DevTeam alert widget for his upcoming app called SmartScreen

Update: geohot released a Windows jailbreak called “blackra1n” which is similar to redsn0w in that it covers multiple devices (and it covers beyond just firmware 3.0.1 where redsn0w currently stops).  blackra1n is not a carrier unlock.  You must always avoid updating your baseband to maintain your unlockability.  If you use blackra1n to jailbreak 3.1 or 3.1.2, the steps you take before running blackra1n will prevent the unlock from working on your iPhone for potentially a very long time. By the way, we haven’t yet tested whether a blackra1n’d device can accept a custom IPSW without tweaks, but if it doesn’t then it should only require a minor change.

Oct 8, 2009 (15 notes)