Dev-Team Blog
To find yourself, think for yourself © Socrates 469 BC
Three years of pwnage(tool) 

Three years ago (almost to the day!), the first version of PwnageTool was released for firmware 1.1.4.  So today we’re excited to release another edition of both PwnageTool and redsn0w to bring an untethered jailbreak for Apple’s latest firmware, FW 4.3.1.

The 4.3.1 untether exploit comes courtesy of Stefan Esser (@i0n1c on twitter), a security researcher based in Germany.  Stefan has a long history of vulnerability research, and ironically his first contribution to the iPhone jailbreak community was improved security — last year he beat Apple to the punch and implemented ASLR for jailbroken iPhones with his “antid0te” framework. We’re happy to see that Stefan then turned his iPhone attention over to an untethered jailbreak exploit!

The 4.3.1 untether works on all devices that actually support 4.3.1 except for the iPad2:

  • iPhone3GS
  • iPhone4 (GSM)
  • iPod touch 3G
  • iPod touch 4G
  • iPad1
  • AppleTV 2G (PwnageTool only for now)

The reason the untether won’t work as-is on the iPad2 is that it requires a bootrom or iBoot-level exploit to install, and the iPad2 is not susceptible to either the limera1n or SHAtter bootrom exploits.

WARNING WARNING — ultrasn0w users don’t update yet!  We need to first release an update to ultrasn0w that fixes some incompatibilities when FW 4.3.1 is used on the older basebands supported by ultrasn0w.  And remember once we do fix ultrasn0w for 4.3.1 (we’ll announce it here and on twitter), you must only get there via a custom IPSW from PwnageTool, Sn0wbreeze or xpwn!  Don’t ever try to restore or update to a stock IPSW, or you’ll lose the unlock!

For everyone else, redsn0w is the easier program to use (and redsn0w runs on both Mac and Windows).  Please check out places like iClarified for some excellent guides on how to use both PwnageTool and redsn0w.

Feel free to ask for help in our comments section.  Thanks once again to our fantastic moderators for volunteering their time and knowledge and keeping order: Confucious, sherif_hashim, dhlizard, Frank55, and subarurider!


redsn0w 0.9.6rc9:
redsn0w 0.9.6rc12 (updated to rc12; details in Update #1 below):


PwnageTool Official Bittorrent Releases

SHA1 Sum = 9e8ce7d4eb79b5f839efa0233893ef1a6a5e3c5c

Unofficial Mirrors

The following links are unofficial download mirrors; you download these archives at your own risk, and we accept no responsibility if your computer explodes or if it becomes part of a NASA-attacking botnet or, even worse, if your hands fall off mid-way through using these files. We do not check these links, and we accept no responsibility with regard to the validity of the files, the other content that these links may provide, or the content that is on the third-party linked site.

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.

Mirror owners should email mirrors to blog@iphone-dev.org. Please ensure that they are direct DMG download links only (no rapidshare-type sites please) and that your web server can serve the DMG MIME type properly. Please don’t place mirrors in the comments, as they will be deleted.


Update #1:

Those running redsn0w may have noticed we enabled too many Settings options in some versions of the jailbreak (for instance, what you want your side switch to do, even if you have no side switch because you’re not using an iPad).   Release rc12 (originally rc10) of redsn0w corrects that (you can just run it over your existing jailbreak…be sure to de-select Cydia to avoid package conflicts).

Along the way, we’ve also added the option to enable boot animations…these animations can be installed via Cydia, but be sure to select which animation to use via the Settings->Bootlogo setting after you’ve downloaded an animation (and again, you can just run rc12 (originally rc10) over your existing jailbreak…be sure to de-select Cydia to avoid package conflicts).

(The boot animation we tested against was “Android Boot Logo”.  It correctly installs all the dependencies needed to run the animation at each boot).

redsn0w 0.9.6rc10:
redsn0w_0.9.6rc12: (rc12 should fix any lingering issues with the boot animation)


Update #2:

We’ve pushed out the 4.3.1 compatibility fix for ultrasn0w in Cydia — it’s now at version 1.2.1.  If you’re not already at 4.3.1 and you need the unlock, please be sure you understand how to get to 4.3.1 using a custom IPSW that doesn’t update your baseband.  There are lots of guides for this (like at iClarified.com).

This isn’t a new unlock!  It’s to allow those who are already using ultrasn0w to use FW 4.3.1.  It also fixes the signal bar issue for those who aren’t using the unlock but retain an older baseband intentionally.

AFTER INSTALLING ULTRASN0W 1.2.1, PLEASE REBOOT YOUR iPHONE using the normal “slide to power off” swipe.  T-Mobile users in the USA also should disable 3G mode in Settings->General->Network.

A big thanks to @sbingner and @ronaldsb for helping with the testing of this update!

What’s in a name? 

What’s in a name?  Well, in the case of an HFS volume name on iOS, an untether exploit — as the Chronic Dev Team revealed last week with an untether for the 4.2.1 jailbreak, which had previously been a tethered JB for most recent devices since 4.2.1’s release in November.  With their permission, we’ve incorporated their 4.2.1 “feedface” untether into today’s PwnageTool 4.2.  This means iPhone unlockers can safely restore to a custom 4.2.1 pre-jailbroken IPSW and retain their current baseband and unlock.  PwnageTool also supports every other 4.2.1 device except the iPod touch 2G:

  • iPhone3G
  • iPhone3GS
  • iPhone4
  • iPhone4-Verizon
  • iPod touch 3G
  • iPod touch 4G
  • iPad
  • AppleTV 2G

PwnageTool also includes two very recent improvements to the 4.2.1 JB:  iBooks was just fixed by @comex and @pushfix last night so that it works as intended on DRMed books, and the wifi problem on AppleTV 2G was fixed by @nitotv, @DHowett, and @saurik.  Both of these fixes will also be available in upcoming Cydia package updates, so if you’re already jailbroken you can wait for those updates rather than restore and jailbreak again.

The various components of the 4.2.1 untether (including a second exploit involving Mach-O headers) were worked out by 0naj, posixninja, and pod2g, and a nice writeup by 0naj is available on the wiki. The actual injection method uses geohot’s limera1n exploit for most devices.  And even though 4.3 is just around the corner, the exploit used has already been closed in the latest 4.3 betas, so it made sense for the 4.2.1 untether to be released when it was.  It also appears that a security researcher named @i0n1c has a 4.3 untether ready for when Apple releases the final 4.3 FW, so it may not be a long wait at all with 4.3!

Feel free to ask for help in our comments section.  And thanks as always to our terrific moderators Confucious, sherif_hashim, dhlizard, Frank55, and subarurider!

Official Bittorrent Releases

PwnageTool_4.2.dmg -> PwnageTool_4.2.dmg.6176918.TPB.torrent

SHA1 Sum = af365f5de19d7ee19cbe1c67b2f226996a46b3ac

Unofficial Mirrors

The following links are unofficial download mirrors; you download these archives at your own risk, and we accept no responsibility if your computer explodes or if it becomes part of a NASA-attacking botnet or, even worse, if your hands fall off mid-way through using these files. We do not check these links, and we accept no responsibility with regard to the validity of the files, the other content that these links may provide, or the content that is on the third-party linked site.

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.

Mirror owners should email direct DMG download links only (no rapidshare-type sites please, and please make sure that your web server can serve the DMG MIME type) to blog@iphone-dev.org. Please don’t place mirrors in the comments, as they will be deleted.

Ultra-recycle 

Today we’re pleased to announce our free carrier unlock for iPhone3G/3GS owners with a baseband later than 05.13.04.  The unlock for that baseband exploited the AT+XAPP command, thanks to a crash initially discovered by @sherif_hashim (@Oranav also found this crash).  So what hole are we exploiting today, since Apple closed that AT+XAPP hole?  Well, we’re exploiting the exact same hole!

It turns out that the very first iPad firmware 3.2.2 has baseband version 06.15.00 still vulnerable to AT+XAPP. The iPad baseband is built for the exact same baseband chip as the iPhone3G/3GS — they’re fully compatible! Some of us have been running 06.15 for weeks now on our iPhones in preparation for this release.   (And some have known about this possibility of 06.15 on the iPhones for a while — kudos to @w1kedZ and @DHowett for keeping it hush!)

Unlockers have been reporting mixed results about GPS functionality at 06.15.00.  Until we can track down what differentiates those who retain GPS vs. those who lose it, be conservative and assume you’ll lose GPS at 06.15.00. As we work on finding the cause (and possibly a fix), please report your personal findings in our comments section.  (Update: early indications are that while 06.15.00 is capable of GPS, it will require some further hacks.  But please still be conservative and assume you will lose GPS at 06.15, in case the hacks don’t work).

SIMPLIFIED ROUTE #1 (redsn0w for OSX + Windows):

  1. Read and fully understand the warning below.
  2. If you have an old-bootrom 3GS and are already unlockable but want to get to 4.2.1, please wait till we release an “unofficial” bundle for you.  Read no further.
  3. Use redsn0w (see update #2) for OSX or Windows.  Enable the “Install iPad baseband” option and accept the warning.
  4. When the redsn0w ramdisk is finished, install ultrasn0w via Cydia.
  5. Enjoy!

SIMPLIFIED ROUTE #2 (PwnageTool for OSX):

  1. Read and fully understand the warning below.
  2. If you have an old-bootrom 3GS and are already unlockable but want to get to 4.2.1, please wait till we release an “unofficial” bundle for you.  Read no further.
  3. Read update #1 for an updated 3GS bundle.
  4. Download this IPSW
  5. Run PwnageTool to create a custom 4.1 IPSW.  Tell it you want to use the iPad baseband you just downloaded.  Restore to this custom IPSW.
  6. Install ultrasn0w through Cydia
  7. Enjoy!

FULL VERSION:

Since 06.15 is a higher version than 05.14 or 05.15 (where AT+XAPP is gone), anyone stuck at those versions can simply upgrade to 06.15 to unlock again! Luckily for us, Apple *still* provides the iPad FW 3.2.2 with this vulnerable baseband right from their own servers. (Grab it now, before they take it down!)

We’ve been busy updating both PwnageTool and redsn0w to make the baseband update as seamless as possible.

  1. First up is “PwnageTool 4.1.3 Unlock Edition”.  It has a special dialog box which will ask you if you want to update to the iPad baseband.  You must already have the iPad 3.2.2 IPSW on your computer (see the above link)…so just point PwnageTool at it (or let it find it on its own if you’re in “simple” mode).
  2. Directly after PwnageTool 4.1.3 is available, the official ultrasn0w repo http://repo666.ultrasn0w.com will be updated with ultrasn0w 1.2, which covers iPhone 4 baseband 01.59.00 and iPhone 3G/3GS basebands 04.26.08, 05.11.07, 05.12.01, 05.13.04 and now 06.15.00.
  3. Finally, we’ll release an update to redsn0w today for those who don’t have Macs and can’t run PwnageTool.  The new redsn0w will give you the option to update your baseband to 06.15 too.

WARNING — YOU DO THIS AT YOUR OWN RISK!  PLEASE UNDERSTAND THE CONSEQUENCES OF UPDATING TO 06.15.

  1. There is no way to come back down from 06.15, and there’s no hiding the baseband version from Apple. You’ll be voiding your warranty in a very obvious way.
  2. If some future baseband comes out with a critical fix, you won’t be able to update to it if it remains down in the 05.xx sequence (then again, you wouldn’t update to it if you wanted to keep your unlock anyway).
  3. Starting with FW 4.2.1, if you have 06.15 on your iPhone you won’t ever be able to restore to stock firmware (it will fail).  You’ll need to restore only to custom IPSWs (then again, if you’re an unlocker you should already be doing that).

Unlockers have been reporting mixed results about GPS functionality at 06.15.00.  Until we can track down what differentiates those who retain GPS vs. those who lose it, be conservative and assume you’ll lose GPS at 06.15.00. As we work on finding the cause (and possibly a fix), please report your personal findings in our comments section.  (Update: early indications are that while 06.15.00 is capable of GPS, it will require some further hacks.  But please still be conservative and assume you will lose GPS at 06.15, in case the hacks don’t work).

Certainly don’t update to 06.15 if you don’t need to!  Only do this if you need the unlock and you’re stuck on 05.14 or 05.15, and you’re willing to assume the above risks.


This PwnageTool also contains a 4.2.1 bundle for iPhone3G owners…for all else, it’s still only 4.1.   If you have an iPhone3GS with an old bootrom, use redsn0w for an untethered 4.2.1 jailbreak (it can now install the iPad baseband too).  For all other devices, the 4.2.1 jailbreak is tethered only (use redsn0w for it), until @comex can work some untethering magic.  

Please feel free to use our comments section for questions.  We have some very knowledgeable and helpful moderators:  angiepangie, Confucious, sherif_hashim, dhlizard, and Frank55!


Official Bittorrent Releases

PwnageTool 4.1.3 -> PwnageTool_4.1.3_Unlock_Edition.dmg.5994102.TPB.torrent

SHA1 Sum = adda6d882dce1b5117d01586037de289407e038a

Unofficial Mirrors

The following links are unofficial download mirrors; you download these archives at your own risk, and we accept no responsibility if your computer explodes or if it becomes part of a NASA-attacking botnet or, even worse, if your hands fall off mid-way through using these files. We do not check these links, and we accept no responsibility with regard to the validity of the files, the other content that these links may provide, or the content that is on the third-party linked site.

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.

Mirror owners should email direct DMG download links only (no rapidshare-type sites please) to blog@iphone-dev.org. Please don’t place mirrors in the comments, as they will be deleted.


Update #1:  There’s an error in the bundle for the iPhone3GS 4.1 that prevents the new baseband from being used.  If you know your way around OSX, please download the fixed bundle, and unzip it if Safari hasn’t already done so.  Then “Show Package Contents” of PwnageTool.app, navigate to Contents->Resources->FirmwareBundles and drop it there.   Otherwise, please wait for the updated PwnageTool, or the OSX version of redsn0w coming soon.

Update #2:  The new redsn0w 0.9.6beta5 is out.  It gives both Windows and OSX users the ability to flash the iPad 06.15 baseband on iPhone3G or iPhone3GS.  It fetches the baseband files directly from Apple for now (the only IPSW you ever point it at is the stock IPSW for the FW on your iPhone right now).  There may be a long delay while it’s doing this (their servers are currently getting pounded).

If you do flash your baseband via redsn0w, please keep it plugged into USB the whole time.  You don’t want your battery to die during the flash process!

Update #3:  For those Mac users with an old-bootrom 3GS who really know what they’re doing, here’s a minimal 3GS 4.2.1 bundle that will get you to 4.2.1 without updating your baseband.  Be sure to uncheck “Activate the iPhone” using Expert mode.  To actually jailbreak after you’ve restored with the help of that bundle, please use redsn0w.  If you don’t know how to drop a bundle into PwnageTool.app, please hold off on 4.2.1 until it’s untethered for everyone (or wait for a nice tutorial from somewhere like http://iclarified.com).

Update #4: Our terrific moderators angiepangie, Confucious, sherif_hashim, dhlizard, and Frank55 have done a stupendous job moderating 7700 comments over just the first 12 hours (that’s 10 per minute for half a day!). Hats off to them, and to all of our great commenters who rack up those + points for helping total strangers jailbreak and unlock their iPhones!   That’s what makes this community great :)

Update #5:  Unlockers have been reporting mixed results about GPS functionality at 06.15.00.  Until we can track down what differentiates those who retain GPS vs. those who lose it, be conservative and assume you’ll lose GPS at 06.15.00.  As we work on finding the cause (and possibly a fix), please report your personal findings in our comments section.  (Update: early indications are that while 06.15.00 is capable of GPS, it will require some further hacks.  But please still be conservative and assume you will lose GPS at 06.15, in case the hacks don’t work).

Update #6:  Developer @sbingner (author of TetherMe) has made some excellent progress devising a new hactivation method that kills two birds with one stone for all you ultrasn0w unlockers.  His tool, “Subscriber Artificial Module (SAM)” tricks your iPhone and iTunes into creating legitimate activation tickets even though you’re unlocked with ultrasn0w.  This means you get the full benefit of push applications, and your battery life increases substantially.  If you’d like to try it out, check out http://www.bingner.com/SAM.html

To help make it easier to try out @sbingner’s tool, we’ve updated redsn0w to include a new “Deactivate” option for the 3G and 3GS.  Use this option *after* you’ve installed SAM…it will remove the normal patches made to lockdownd and let SAM take over.  (sbingner plans on making a button to do this within SAMPrefs too).  Great work, @sbingner!

The new redsn0w with the “Deactivate” option is at:

  • OSX
  • Windows  (Windows 7 and Vista users, please run redsn0w as Administrator in “XP Compatibility Mode”)