Dev-Team Blog
To find yourself, think for yourself © Socrates 469 BC
redsn0w iOS5beta 



THIS POST IS NOW OUTDATED.  PLEASE REFER TO OUR MAIN BLOG PAGE FOR THE LATEST REDSN0W



beta everything

WWDC 2011 is winding down to a close, and developers of jailbroken apps for Cydia are probably itching to get started on all the iOS 5 goodness.  It seems like a good time to release the tethered redsn0w jailbreak for iOS 5. The following devices are supported:

  • iPod touch 3G
  • iPod touch 4G
  • iPad 1
  • iPhone3GS
  • iPhone4 (GSM)
  • iPhone4 (CDMA)

UNLOCKERS AND THOSE PRESERVING THEIR UNLOCKABLE BASEBANDS SHOULD STAY FAR AWAY FROM THIS!  You will very likely lose your unlockable baseband if you try to install iOS 5.

THIS JAILBREAK IS INTENDED ONLY FOR DEVELOPERS OF JAILBROKEN APPS!  There are just too many broken components (Apple’s official apps, 3rd-party App Store apps, Cydia apps, MobileSubstrate apps, etc) for this to be useful to anyone but those truly looking to fix bugs in their iOS 5 jailbroken apps.  (Seriously!)

THIS REDSN0W WILL NOT HACTIVATE!  You need to be an iOS developer with a registered UDID to get past all the new activation screens.  PLEASE DON’T PIRATE APPLE SOFTWARE!  Only registered devs with Macs can develop iOS applications, and only those people will have legitimate access to the beta IPSWs. See update #1 below.

THIS IS A TETHERED JAILBREAK ONLY!  No new exploits are being exposed with this jailbreak (it uses geohot’s limera1n bootrom exploit), but that comes at a cost.  You will need to use redsn0w to “Just boot tethered now”  to be able to use many things, including Cydia and Safari.  If you see a white icon for Cydia, or if Cydia or Safari crash when you open them, it’s because you didn’t boot tethered.

IF YOU HAVE THE 06.15 BASEBAND ON YOUR 3GS…this redsn0w will get you past the iTunes restore error you’ll get when using the stock IPSW (nobody other than those with the 06.15 baseband should be going anywhere near the stock IPSW!). 

The way redsn0w works, you will very likely be able to use this on upcoming iOS5 betas, just by continuing to point redsn0w at the 5.0b4 IPSW (originally the 5.0b1 IPSW).  So keep that IPSW handy!

Although most people just launch redsn0w by double-clicking it, remember there are “advanced” options available to those who invoke it from the Terminal shell:


Update #1: Since Apple now provides Windows iTunes 10.5 for iOS5 and iCloud developers, it’s no longer the case that only Mac owners can legitimately activate their devices.  We now provide a Windows version of redsn0w for those developers (only!).

Update #2: We’ve updated redsn0w to account for the sandbox changes that affected App Store apps in 5.0b3 (and it now recognizes the IPSWs for all three betas so far).  If you already jailbroke 5.0b3 using the previous redsn0w, you don’t need to re-jailbreak…just use this updated version to boot tethered.  Point redsn0w b3 at the b3 IPSW when jailbreaking iOS5b3.

Update #3: For the convenience of kernel hackers like @comex and @i0n1c, we have a new redsn0w 0.9.8b3 that supports a TETHERED jailbreak for iOS 4.3.4 on all devices that have 4.3.4 except the iPad2.  The vast majority of people will want to stay back at 4.3.3 because that’s where the untethered jailbreak is!  There are no new features in 4.3.4 — only fixes for jailbreak exploits. 

Also, this is a good time to remind everyone (since we’re still seeing confusion about this): iPad2 owners with a baseband (3G or CDMA) cannot currently use saved blobs to go back to 4.3.3 once the signing window is closed.  This is unlike every other device, so don’t be confused!  iPad2 owners with basebands should stay away from all updates to maintain the jailbreak!

Update #4:  In conjunction with iOS5 beta4 being released to iOS developers, redsn0w 0.9.8b4 is now available for jailbreak app developers (point the b4 redsn0w at the b4 IPSW).  Remember, it’s a tethered jailbreak right now so you’ll need to use redsn0w to boot into a jailbroken state at each power cycle.

NOTE: It appears that by design, the OTA update that became available starting with iOS 5 beta4 will *not* be automatically applied to jailbroken devices.  That’s a relief to those who don’t want to lose their jailbreak via OTA pushes.  If you’re jailbroken, you’ll need to use the standard iTunes method to get to iOS 5 beta4.

Update #5: redsn0w has been updated to 0.9.8b5, adding support for Apple’s new iOS5 beta5 (point it directly at the beta5 IPSW). Please use this only if you’re a jailbreak app developer with a legit Apple dev account, and remember it’s a tethered jailbreak for now!

Update #6: We’ve released redsn0w 0.9.8b6 to jailbreak iOS5 beta6 (point it directly at the beta6 IPSW).  Two important notes about this version: (1) Please let your device boot normally to iOS5b6 and do a clean shutdown (slide to power off) before jailbreaking.  (2) Boot logos have intentionally been disabled for now, so you’ll see a black screen on tethered boots (you can re-enable logos or verbose boot with command-line options if you really want them back).

Due to increased sensitivity to abrupt filesystem shutdowns in iOS5b6, it’s very important that you do a clean shutdown before running redsn0w.

Update #7:  Apple updated the iPad1 iOS5b6 IPSW without changing its version number or filename, so we’re releasing redsn0w 0.9.8b7 to handle both the original and changed IPSW.  We’ve also added explicit support for a tethered 4.3.5/4.2.10 jailbreak (instead of pointing at the 4.3.4/4.2.9 IPSWs) and fixed a 4.2.10 problem.

Update #7b:  About 12 hours after we released redsn0w 0.9.8b7 with some improvements for iOS5b6, Apple went and released iOS5b7 (what are the odds of that?!?).  Even though that redsn0w could still jailbreak iOS5b7, you needed to point it at the iOS5b6 IPSW to do so.  Today’s redsn0w 0.9.8b7b lets you point redsn0w directly at the iOS5b7 IPSW instead.

We’ve also added some overall improvements for old-bootrom 3GS owners (where the 24kpwn exploit applies):  on those devices, you can tell redsn0w to untether 4.3.5 and lower, or iOS5b7.  Old-bootrom 3GS owners can once again choose custom logos, and/or verbose booting (for the really nerdy iPhone3GS fans out there!).  And it allows 4.3.4 or 4.3.5 users to use ultrasn0w again (if they have a compatible baseband).

Last but not least, we fixed some lingering Verizon iPhone4 4.2.10 JB issues.

Have a great Labor Day weekend!

Update #7c:  For those 3GS owners with the 06.15 baseband (and only those owners!), version 0.9.8b7c allows you to restore to the stock 4.3.5 IPSW, then simply run redsn0w to jailbreak.  (redsn0w has a built-in fixrecovery that will get you past the Error 1015 you’ll see when you try to restore to the stock 4.3.5 IPSW with a 06.15 baseband) 

Update #8: This space intentionally left blank.

Update #9:  A bunch of new features!  

  • uses DFU mode to try to automatically determine which device and FW you have
  • fetches pieces of public IPSWs from Apple (once).  Non-public IPSWs must be provided manually (once).  It then caches those pieces for future use.
  • "Just boot" is a tethered boot.  Uses whatever "Preferences" you’ve set for boot logo and kernel boot-args
  • "Pwned DFU" puts your device in a pwned DFU state for some of the iTunes stuff detailed below
  • "Recovery fix" gets past 1015 types of errors (when baseband portion of restore fails).  Should work on iOS5 beta too
  • "Select IPSW" is for picking non-public IPSWs, or overriding auto-detection
  • "SHSH blobs" has a bunch of options…
      • "Fetch" - fetch current PARTIAL blobs on device.  Should complete in under 10 or 15 seconds.  Puts the set of PARTIAL blobs on your computer as a plist.  Checks if Cydia already has a full set for this device and build.  If not, it submits this PARTIAL set and returns Cydia’s acknowledgement or rejection
      • "Verify"  - cryptographically verifies existing blob files from either redsn0w, TinyUmbrella, or Cydia server.  You can select a whole bunch of blobs to verify at once if you want (like the TinyUmbrella directory)
      • "Submit"  - both verifies and submits one or more blob files to Cydia.  This lets you copy your entire TinyUmbrella cache of blobs up to the Cydia server
      • "Query" - queries the Cydia server for all available FULL or PARTIAL blobs for a given set of ECIDs
      • "Stitch" - stitches either FULL or PARTIAL blobs to a STOCK or CUSTOM IPSW
          1. Stitching is NOT yet supported on iPhones!  Need to work out the baseband part of the restore process.
          2. FULL blobs stitched to a STOCK IPSW gives you a completely self-contained signed IPSW that iTunes will accept without any tricks (no need to go into pwned DFU mode, no need to start TinyUmbrella TSS server, no need to redirect to Cydia server for blobs)
          3. PARTIAL blobs stitched to any IPSW requires you to go into pwned DFU mode before running iTunes.  No need to start TU or use Cydia though.
          4. Stitching either FULL or PARTIAL blobs to a CUSTOM IPSW also requires a pwned DFU start before iTunes restores.  No need to start TU or use Cydia though.
          5. Will eventually support fetching the blobs directly from Cydia instead of a file on your computer

Update #10:  Version 0.9.9b2 has been released with fixes and enhancements related to: Verizon iPhone4 firmware detection, Fix Recovery, Stitching, and blob processing.  If you encountered a problem with any of these in the b1 version, please try b2 and leave any feedback below!

Update #11:  redsn0w has been updated to 0.9.9b3 to auto-detect iOS5 GM firmware.  Remember:  it’s still tethered for all devices except for iPhone 3GS with old bootrom.  If you don’t use redsn0w to “Just boot” at power up, all jailbreak apps  (and even some native ones like MobileSafari) will fail to launch.

If you already jailbroke the GM by pointing an older redsn0w at the beta7 IPSW, there’s no need to re-run the full jailbreak step again…just use this newer one to make the tethered boot easier :)

Update #11a:  We’ve replaced the Windows version of 0.9.9b3 with 0.9.9b3a.  The new version fixes a caching bug that affected only Windows users — point it one more time at your iOS5GM IPSW, and from then on you won’t have to point at it again.

As a special bonus to Windows users, we’ve made it so that if you make a copy of redsn0w.exe and name it something like “justboot.exe” (anything with the word “boot” in it), it will start up in “Just Boot tethered” mode. That way you don’t have to click on any buttons at all to boot tethered! :)

Update #12:  For those of you who experiment with your own custom ramdisks using the -r command-line option, version 0.9.9b4 adds auto-detection support for iOS5.  This is needed because iOS4 and iOS5 treat the root partition differently (it’s encrypted in iOS5).  redsn0w will now upload the correct iOS5 kernel by itself, but it’s up to your own launchd to determine if it needs to mount using the old or new partition scheme.

redsn0w now also accepts both native and img3-encapsulated versions of files you provide via the -r, -k, and -d command-line options (do redsn0w -h to show all the available options).

Update #13:  With today’s official iOS5 release, redsn0w has been updated to 0.9.9b5 to include the public URLs for the IPSW files.  This way, first-time iOS5 jailbreakers don’t need to supply the IPSW file manually.  It’s still a tethered jailbreak on all except the old-bootrom iPhone3GS, and it doesn’t apply to iPad2 or the upcoming iPhone4S.

Because the jailbreak is currently only tethered for most devices, we’re not going to release a new PwnageTool yet.  Instead, we’ve decided to build some of PwnageTool’s functionality into redsn0w (since you need redsn0w to “Just boot tethered” on every power cycle anyway).  The new “Custom IPSW” button on the Extras screen will create a custom IPSW without the baseband update for 4.3.3 or 5.0gm (iPhone3GS and iPhone4 only, for now).  Remember to NOT accidentally restore to the stock IPSW after you create the custom one!  The custom one begins with NO_BB_ (for “no baseband”).  On Mac iTunes, you select an IPSW by holding down the Option key while clicking “Restore”.

You must enter “Pwned DFU” mode before trying to use the NO_BB_ IPSW with iTunes (and your hosts file cannot be pointing to Cydia’s servers due to the new blob nonce mechanism they’re using in iOS5).
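A pre-flight check for the hosts-file condition above, as an added example (not part of redsn0w or the original post). It assumes the redirect in question is a hosts entry for Apple's signing host gs.apple.com, which the post does not name; the sample hosts text and its addresses are constructed.

```python
import os
import sys

# Assumption: the signing host that such redirects override. The post does not
# name it; adjust WATCHED if your setup redirects a different name.
WATCHED = {"gs.apple.com"}


def hosts_path():
    """Default hosts file location for the current platform."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def find_overrides(hosts_text, watched=WATCHED):
    """Return (line_no, address, name) for every active entry naming a watched host."""
    watched = {w.lower().rstrip(".") for w in watched}
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split on any whitespace
        if len(entry) < 2:
            continue                            # blank, comment-only or malformed
        address, names = entry[0], entry[1:]
        for name in names:
            # Hostnames are case-insensitive and may carry a trailing dot.
            if name.lower().rstrip(".") in watched:
                hits.append((line_no, address, name))
    return hits


# Constructed sample: one active redirect, one commented out, one unrelated.
SAMPLE = """\
127.0.0.1       localhost
# 203.0.113.10  gs.apple.com
203.0.113.10\tGS.Apple.com  other.example   # saved-blob server
::1             localhost
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else hosts_path()
    with open(path, encoding="utf-8", errors="replace") as fh:
        found = find_overrides(fh.read())
    for line_no, address, name in found:
        print(f"{path}:{line_no}: {name} is redirected to {address}")
    sys.exit(1 if found else 0)
```

Run it before starting the iTunes restore; a non-zero exit status means an active redirect is still in place, while commented-out entries are ignored.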

Version 0.9.9b5 is available only for Mac for now, until we can do more testing on the Windows version of “Custom IPSW”.

We’re currently working on a normal compatibility update for existing ultrasn0w unlockers.  After that we’ll try to fix the iBooks issue on jailbroken iOS5.

Update #14: We’ve released version 0.9.9b6 of redsn0w, with both a functional fix and cosmetic fix for iOS5 jailbreakers.  For iPhone3GS owners with the 06.15 baseband, this redsn0w eliminates the network crash you saw when using Location Services in iOS5 (in fact, you don’t even need to disable Location Services anymore during the initial setup).   The cosmetic fix is to the visual countdown you see when going into DFU mode. 

It’s okay to re-run this redsn0w over an existing device jailbroken at iOS5.  Just choose “Jailbreak” again and de-select Cydia (in other words, all the checkboxes will be unchecked).  If you are lucky enough to have an old-bootrom iPhone3GS, please pre-select the IPSW first (redsn0w can’t yet auto-detect the FW version of your old-bootrom 3GS if it’s already been jailbroken).

Update #15:  After some feedback on reddit, we’ve decided to make the initial jailbreak as quick as possible by no longer “stashing” the applications by default during the redsn0w run.  This reduces the time to actually perform the jailbreak from 210 seconds to 80 seconds (60 percent!).  However, you make up for much of that the first time you launch Cydia, which will then want to stash the applications.  You can choose whether you want redsn0w or Cydia to stash in the Preferences pane.

Update #16: redsn0w version 0.9.9b8 will natively recognize the 5.0.1 beta that Apple let developers start testing this week (so you don’t have to play the “point at 5.0 IPSW” trick).  Because the IPSW isn’t public, you’ll still need to provide it once to redsn0w (at which point it will cache all the important pieces so you don’t need to select it again).  

For those 3GS and i4 users who preserve their baseband, the Mac version can also produce the NO_BB_* custom IPSWs for 5.0.1.  (But please note that ultrasn0w doesn’t get updated for betas like this.)


Update #17: The holiday season is almost here (Happy Holidays!) so we realize everyone is busy (especially @pod2g!).  And even though we always recommend that jailbreakers stay where they are until a new untethered JB comes out, that’s not always possible.  So we’ve updated redsn0w for those who may have found themselves at iOS 5.0.1, and added some other useful features too:

  • native support for 5.0.1 (no need to point redsn0w at 5.0 IPSW or use command-line args).  Support automatically extends to all of redsn0w’s various functions: “Jailbreak”, “Just boot”, “Fetch blobs”, “Stitch blobs”, “Recovery Fix”
  • iBooks fixed in 5.0 and 5.0.1.  This is a targeted fix that doesn’t remove entire sandbox mechanism.  5.x users already using redsn0w “Just Boot” can just use the new version without redoing entire jailbreak again
  • 3GS old-bootrom owners can now create custom IPSWs without blobs
  • ultrasn0w compatibility update (i.e. same baseband requirements) for 5.0.1 will be available on Cydia Monday
  • support for newer 8GB iPhone4 (which until now had problems with “Fetch blobs”).  Thanks to @JKjeepnJeff for loaning us one of these newer i4 units for testing!
  • allows Windows users (not just OS X users) to use the “Custom” button to create IPSWs without baseband updates.  (Update: please use 0.9.9b9b for this!)
  • accommodates APTickets in 5.x (until next Apple countermove).  APTickets are crypto-verified before submitting to Cydia, just like the main blobs.  Cydia server support for sending back the APTickets is upcoming.  For now, use stitched IPSWs for 5.x.  Due to APTickets, stitched 5.x IPSWs now require user to start in “Pwned DFU” mode
  • Support added for stitching 4.x blobs to iPad2-GSM IPSWs.  Similar to @notcom’s TinyCFW but doesn’t require lots of RAM or a TSS-assisted restore. Won’t work for iPad2 5.x blobs (or iPhone4S at all) until a bootrom-level exploit is out
  • top line now shows whether (and where) a redsn0w update is available, or if the version being run is the latest.  Uses DNS TXT record to alleviate any concerns about snooping
  • no 5.1 beta support at this time (major apps like Cydia are not yet compatible)
  • @pod2g has been doing a great job porting his 5.x untether…check his blog for updates!
  • Owners of newer 3GS iPhones must not flash the iPad baseband.  The iPad baseband will not work on 3GS iPhones built later than 2011 week 35.  You have a week 35 or later device if your serial # starts with xx135.

Update #17b: Version 0.9.9b9b enables the “Custom” button for Windows users, and makes the 3GS week 35 warning a more explicit part of the process.

Update #17c: For those Windows users encountering launch errors due to the self-update check, please use this version instead for now.

Update #17d: iPhone3GS owners in our comments section below noticed a problem with the untethered jailbreak available for the old-bootrom 3GS. We’ve corrected that problem in 0.9.9b9d. If you have an old-bootrom 3GS and have already used last night’s redsn0w on it, you can re-run it again without losing anything. Just use this new version, go to Extras->IPSW and manually select the 5.0.1 IPSW, then go back and Jailbreak it again (but you can uncheck Cydia because it’s already installed).

This is still a tethered jailbreak for all except old-bootrom 3GS users.
