Dev-Team Blog
To find yourself, think for yourself © Socrates 469 BC

We’re pleased to release PwnageTool 4.1.2 for Mac OS X (free of charge, blog ads, and donation requests, as always!).  Today’s big new addition to the jailbreak family is AppleTV 2G, which was first shown jailbroken in its release week!

[Update: Version 4.1.2 should fix any issues that OS X 10.5.x users were seeing.  You only need to run this version if you’re at OS X 10.5.x and were seeing Cydia errors]

ULTRASN0W UNLOCKERS BEWARE!!  ULTRASN0W UNLOCKERS BEWARE!!  The biggest mistake you can make (and it is a big one!) is letting iTunes restore to the official IPSW: you’ll lose the unlock and won’t be able to go back!  You must use Option-Restore (hold Option while clicking Restore), not just the Restore button by itself.  Then navigate to your custom IPSW, not to the stock one!  If you accidentally started a restore to the official IPSW, unplug your iPhone immediately, before the restore gets to the “Updating Firmware” step!

Through a combination of the recently released geohot limera1n exploit, @comex’s recently released pf kernel exploit, and our original pwnage2 exploit, PwnageTool 4.1.2 works untethered on these devices at firmware 4.1:

  • AppleTV 2G
  • iPad (firmware 3.2.2)
  • iPod touch 4G
  • iPod touch 3G
  • iPhone 4
  • iPhone 3GS
  • iPhone 3G

PwnageTool allows you to restore to a custom IPSW file.  For instance, you can restore to a pre-jailbroken firmware while simultaneously maintaining your current baseband (and thus your ultrasn0w carrier unlock).  You can also add whatever packages you want in the “Expert” mode of PwnageTool, if you wish to pre-install Cydia packages.   iPhone 3G users get the additional benefit of selecting their own boot and recovery logos, and features like multitasking and battery charge percentage.

PwnageTool’s main advantage over ramdisk-based methods (limera1n, greenpois0n, redsn0w) is for unlockers, those who need to keep their current baseband and preserve their ultrasn0w unlock.  But in this new age of both bootrom- and userland-based exploits, it’s an excellent platform for continuing the jailbreak through all future firmwares.  More on this later!  In the meantime, please enjoy this free software and please provide any usage feedback in our comment section below.

AppleTV 2G users:  Welcome to the JB family!  Right now, about all you can do is command-line stuff via ssh.  You also have afc2 available, so you can use tools like iFunBox to move files around.  These are the *very* early days of AppleTV 2G jailbreaking, so it’ll take some time for JB app developers to come up with methods to use your AppleTV 2G from the remote, versus the command line.  PS: Your ssh password is “alpine”, and the root and mobile accounts both share that default on iOS-based devices…please change both as soon as you can, since anyone on your network who can reach the ssh port can guess it :)

Expert mode: By popular demand, the IPSW file selection in Expert mode is now completely manual (it no longer uses Spotlight).  Just pick your IPSW file directly instead of waiting for the Spotlight search to complete.  In Expert mode, the default is to hacktivate (“Activate the iPhone”), so if you have a legit SIM card and can activate normally through iTunes, be sure to deselect that option in Expert mode.

DFU button:  That “DFU” button in PwnageTool is more than it looks like.  It guides you through the DFU process, but then also runs the appropriate bootrom exploit (limera1n on the newer devices, pwnage2 on the iPhone 3G) so that your device accepts the unsigned custom IPSW and iTunes proceeds as if the restore were legit.  The DFU button in PwnageTool is not just your average DFU.

Official Bittorrent Releases

PwnageTool 4.1.2 Torrent  - PwnageTool_4.1.2.dmg.5904259.TPB.torrent

SHA1 Sum = 1c0d5ea45464e336fcb38c644dc125c3a16b5493

Unofficial Mirrors

The following links are unofficial download mirrors; you download these archives at your own risk, and we accept no responsibility if your computer explodes, if it becomes part of a NASA-attacking botnet, or (even worse) if your hands fall off midway through using these files.  We do not check these links, and we accept no responsibility with regard to the validity of the files, the other content that these links may provide, or the content that is on the third-party linked site.

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.

Mirror owners should email direct dmg download links only (no rapidshare type sites please) to blog@iphone-dev.org — please don’t place mirrors in the comments as they will be deleted.

Limera1n surprise 

After a few very dramatic days in the jailbreak community, geohot has come out of nowhere to release limera1n.  It’s a bootrom-level jailbreak that works on the iPhone 3GS, iPhone 4, iPod touch 3G, iPod touch 4G, the iPad, and (technically) the AppleTV 2G.

DO NOT USE LIMERA1N IF YOU USE THE ULTRASN0W CARRIER UNLOCK: wait for PwnageTool to incorporate the limera1n exploit.  Limera1n is run on a device that has already been restored to the stock 4.1 IPSW, and a stock restore updates the baseband; a PwnageTool custom IPSW is how you avoid updating your baseband and losing the unlock (possibly forever).

Limera1n uses a different exploit than SHAtter, and in fact covers more devices.  Although some may question geohot’s dramatic and competitive style, he obviously does have considerable skill pulling this together in just over a day (although he’s had the underlying exploit for months).  Credit also goes to @comex, who provides the untethered aspect of limera1n via another one of his growing list of kernel hacks.

The release of limera1n has (thankfully!) averted the burning of 2 bootrom holes at once (both his and SHAtter). Releasing SHAtter now would be a complete waste of a perfectly good bootrom hole in light of limera1n, and so it can be held until Apple closes limera1n’s hole.  While there’s no guarantee that Apple won’t also close SHAtter by then, it provides a ray of hope for devices after Apple’s bootrom respin.

Update #1: Because the “untethered” part of this jailbreak comes from a userland hack from @comex, you should still back up your SHSH blobs for 4.1 (the per-device signatures Apple’s signing server issues for that firmware; a restore needs them once Apple stops signing 4.1).  Do this either by letting Cydia keep them (“make my life easier”) or by using Tiny Umbrella.  This way you can always come back to an untethered, jailbreakable 4.1 on your devices after Apple has closed the 4.1 signing window (they’ll close it once they push out their next firmware version).  If you fail to do this and ever need to restore to 4.1 again, you can still jailbreak, but it will be a tethered JB (you’ll need to connect to your computer to finish the boot process, each and every time).

And remember: you can back up your 4.1 SHSH blobs without even being at 4.1 or even being jailbroken, by using Tiny Umbrella.

SHAttered iPod touch 4G 

Those of you with Apple’s new iPod touch 4G, or those of you who bought another recent device after the jailbreakme.com exploit was closed, have probably heard about a brand new exploit called SHAtter. The exploit (and payload) was developed by @pod2g a few months after @p0sixninja of the Chronic Dev Team discovered the crash. That team is hard at work bringing you a brand new tool to make use of the exploit. It’s not the sort of thing that can be developed overnight so please be patient while waiting for any announcements from them.

In the meantime, we’ve put @pod2g’s exploit into a beta version of PwnageTool to test the waters. The SHAtter exploit was enough to convince the iPod touch 4G to restore to our custom IPSW. The successful result is shown below!  It’s all working: customized Preferences to show battery percentage, Cydia, root shell…the works!

Although PwnageTool was a useful first test of a full iPod touch 4G jailbreak via SHAtter, it’s really overkill compared to the faster tools being developed.  Its main use will be for those with an iPhone 4, to allow firmware updates while preserving the baseband and ultrasn0w carrier unlock.  In any event, this is another exciting time for iPhone and iPod touch users…the cat and mouse game continues!

UPDATE #1:  It’s looking like SHAtter is going to be the gift that keeps on giving.  Even though the new AppleTV isn’t yet in people’s homes, the firmware is available on Apple’s normal public distribution servers, and SHAtter has been used to recover its decryption keys (possible without owning the hardware because the GID key that protects a firmware’s encryption keys is shared by every A4 device, so any exploited A4 device can do the unwrapping).  The main filesystem (“Mojave8M89.K66OS”) key for 018-8609-066.dmg is:

31c700a852f1877c88efc05bc5c63e8c7f081c4cb28d024ed7f9b0dbc98c7e1406e499c6

If you’re familiar with vfdecrypt, you can use that key to decrypt the image and mount it.  If you do so, feel free to use the comments section to discuss what you discover there :)  (And of course, thanks @pod2g!)
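Spelled out as an added example (not from the Dev-Team post or the vfdecrypt project), this is how a practitioner would turn the key above into a mounted filesystem. It assumes vfdecrypt is installed and on PATH and, for the mount step, an OS X host with hdiutil; the input filename and key are the ones quoted above, while the output filename and the function names are ours.

```shell
#!/bin/sh
# Added example (not Dev-Team code): decrypt the AppleTV 2G root filesystem
# image with the key posted above and mount it read-only.
# Assumes vfdecrypt is on PATH and, for the mount step, an OS X host with hdiutil.
# ENCRYPTED_DMG and ROOTFS_KEY are the values quoted in the post; the output
# filename and function names are ours.

ENCRYPTED_DMG="018-8609-066.dmg"
ROOTFS_KEY="31c700a852f1877c88efc05bc5c63e8c7f081c4cb28d024ed7f9b0dbc98c7e1406e499c6"

# A vfdecrypt key for these images is 36 bytes, i.e. exactly 72 hex digits.
# Checking that first catches a key truncated or line-wrapped when pasted from
# a blog comment; vfdecrypt would otherwise write an image hdiutil cannot mount.
valid_vfdecrypt_key() {
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case $key in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ ${#key} -eq 72 ]
}

# decrypt_rootfs IN KEY OUT -> writes the decrypted HFS+ image to OUT.
# Returns 2 when the inputs are unusable, otherwise vfdecrypt's own status.
decrypt_rootfs() {
    in=$1 key=$2 out=$3
    valid_vfdecrypt_key "$key" || { echo "key is not 72 hex digits" >&2; return 2; }
    [ -f "$in" ] || { echo "missing input image: $in" >&2; return 2; }
    command -v vfdecrypt >/dev/null 2>&1 || { echo "vfdecrypt not found on PATH" >&2; return 2; }
    vfdecrypt -i "$in" -k "$key" -o "$out"
}

# mount_rootfs OUT -> attaches the decrypted image read-only (OS X only).
# -readonly keeps you from modifying the image by accident while exploring it;
# -nobrowse stops Finder from popping the volume open.
mount_rootfs() {
    hdiutil attach -readonly -nobrowse "$1"
}

# Usage: sh decrypt_atv.sh run   (expects 018-8609-066.dmg in the current dir)
if [ $# -ge 1 ] && [ "$1" = "run" ]; then
    out="${ENCRYPTED_DMG%.dmg}.decrypted.dmg"
    decrypt_rootfs "$ENCRYPTED_DMG" "$ROOTFS_KEY" "$out" && mount_rootfs "$out"
fi
```

Once mounted, the usual first stops are /Applications (Lowtide.app is the only UI application, as the next update notes), /System/Library/LaunchDaemons for what runs at boot, and /etc/master.passwd, which is where the “alpine” default lives.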

UPDATE #2:  It’s confirmed…SHAtter can trick Apple’s new AppleTV 2G into restoring to a pre-jailbroken IPSW from PwnageTool too!   Literally the only UI application on the ATV is Lowtide.app, but now the window is open for jailbroken apps of all varieties.  (Just like the early iPhone days, the only apps you’ll see on the AppleTV will be jailbroken ones).  In the meantime, here’s a video showing root access (via ssh) into Apple’s new product.