<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0"><channel><atom:link rel="hub" href="http://tumblr.superfeedr.com/" xmlns:atom="http://www.w3.org/2005/Atom"/><description></description><title>Dev-Team Blog</title><generator>Tumblr (3.0; @devteam)</generator><link>http://blog.iphone-dev.org/</link><item><title>Welcome new A5 jailbreakers!</title><description>&lt;p&gt;Here’s a quick breakdown of how many A5 owners have jailbroken their devices since Friday morning.  The numbers as of Monday afternoon are:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;491,325 new iPhone4,1 devices&lt;/li&gt;
&lt;li&gt;308,967 new iPad2 devices&lt;/li&gt;
&lt;li&gt;152,940 previously jailbroken (at 4.x) iPad2 devices&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;Total: 953,232 new A5 jailbreaks in a little over 3 days&lt;/p&gt;
&lt;p&gt;The reason these numbers can be so precise is that one of the housekeeping activities that happens when you launch Cydia is a query to @saurik’s server for the list of available SHSH blobs.  (Even if you have none on file, the query is still made).&lt;/p&gt;
&lt;p&gt;Welcome to the jailbreak family!&lt;/p&gt;
&lt;p&gt;P.S. Remember the cardinal rule of jailbreaking: &lt;strong&gt;never update your firmware &lt;/strong&gt;until a new jailbreak is available.  This is especially true for A5 owners, who currently have no way of restoring to 5.0.1 once the 5.0.1 SHSH blob signing window is closed.&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/16366982367</link><guid>http://blog.iphone-dev.org/post/16366982367</guid><pubDate>Mon, 23 Jan 2012 21:44:14 +0300</pubDate></item><item><title>Corona A5 jailbreak nearly ready to pop!</title><description>&lt;p&gt;Ever since the December release of @pod2g’s “corona” untether for iOS 5.x on A4 and earlier devices, all eyes have been on the attempts to extend it to the A5 devices: the iPhone4S and iPad2.  Due to the combined efforts of @pod2g and members of the iPhone Dev Team and Chronic Dev Team, we’re nearly ready for a general release!  All technical hurdles dealing with the underlying technique have been overcome, and it’s now all about making the jailbreak as bug free as possible.&lt;/p&gt;
&lt;p&gt;On &lt;a href="http://pod2g-ios.blogspot.com/" target="_blank"&gt;his blog&lt;/a&gt;, @pod2g playfully nicknamed the combined effort a “dream team”.  It’s an ironic name, because the past few weeks have left everyone involved with very little sleep and little opportunity to dream :)  But we’re now near the final stages of testing the public version of the jailbreak.  Please allow time to clean up any remaining bugs in the jailbreak clients.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Jailbreak programs:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;To be as flexible as possible, the A5 version of the corona jailbreak will take multiple forms:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;Chronic Dev have incorporated the overall flow into a GUI that runs on your Mac or PC.  The goal is for the GUI to be enough for most cases.&lt;/li&gt;
&lt;li&gt;iPhone Dev have also incorporated the exact same flow into an alternative command-line interface (CLI). This will allow us to help users through individual steps of the jailbreak manually, to both help the user and help improve the overall flow.  Although the CLI will also allow the user to perform the entire jailbreak from beginning to end, we anticipate it will be more useful in debugging the occasional errors.  The CLI currently has over 20 individual options (in addition to the single “jailbreak” option) that should be useful during debug after the GUI release.&lt;/li&gt;
&lt;li&gt;Once all the bugs in the flow are worked out, we’ll also incorporate it into the redsn0w GUI (but still leave the CLI freely available too).  In order to maximize the chances of the jailbreak working for everyone, the redsn0w GUI will use native Apple iTunes libraries — this technique is slightly different than how the Chronic Dev GUI handles communications, and should provide nice combined coverage for all the odd computer configurations out there.&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Paypal Contributions:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Because there were so many different people and teams involved in the A5 corona release, we all felt the most equitable approach to any Paypal contributions should involve a single shared account.  &lt;strong&gt;If you do feel the desire to contribute to &lt;a href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&amp;hosted_button_id=DPFUPCEAYUD4L" target="_blank"&gt;the “dream team” Paypal account&lt;/a&gt;, it will be distributed to the members according to internally agreed-upon proportions :)&lt;/strong&gt;  (Please refer to this blog post for that specific &lt;a href="http://is.gd/39YMWg" target="_blank"&gt;http://is.gd/39YMWg&lt;/a&gt; link, to avoid frauds!)  The same link will be on both the Chronic Dev and iPhone Dev versions of the GUI.  This method seemed like the fairest to everyone involved!&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Firmware:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The supported firmware versions will be:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;iPhone4S: 5.0 (9A334), 5.0.1 (9A405) and the “other” 5.0.1 (9A406)&lt;/li&gt;
&lt;li&gt;iPad2: 5.0.1 (9A405)&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;iPhone4S owners looking to maximize their chances of achieving an eventual software-based carrier unlock should be staying at 5.0.&lt;/strong&gt;  Everyone else should be at 5.0.1.  If you’re an iPhone4S owner who already updated to 5.0.1, it’s too late to go back down to 5.0, but if you’re on 9A406 it is possible to downgrade the BB by going to the 9A405 version of 5.0.1 while the window is still open.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Support:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The overall flow used by the GUI and CLI to inject the A5 corona jailbreak has never been done before, and there may be unforeseen problems once it’s released to the public.  It’s very important for you to sync your data, photos, and music before attempting any version of this jailbreak.  We’ll be watching the comments section below for signs of any widespread problems, but please be aware that you jailbreak at your own risk! &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;When:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;del&gt;As mentioned at the start of this post: when testing has shown most of the bugs have been fixed!&lt;/del&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Updates:&lt;/strong&gt;&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;&lt;strong&gt;If the Absinthe webclip shows “Error establishing a database connection”, &lt;/strong&gt;please go to Settings, turn on VPN and wait instead.
&lt;ul&gt;&lt;li&gt;Toggle VPN only AFTER Absinthe says it’s done, or it will not work. &lt;/li&gt;
&lt;li&gt;VPN SHOULD error and then reboot soon. If it does not, rerun Absinthe!&lt;/li&gt;
&lt;/ul&gt;&lt;/li&gt;
&lt;li&gt;If you get a strange problem, we advise you to restore your iPhone with iTunes, if you can (i.e. if you’re not on 5.0 waiting for an eventual 4S unlock).&lt;/li&gt;
&lt;li&gt;The OS X version of the CLI mentioned in the post can be downloaded &lt;a href="https://sites.google.com/a/iphone-dev.com/files/home/cinject_0.4.3.zip?attredirects=0&amp;d=1" target="_blank"&gt;here&lt;/a&gt;.  It’s primarily to help us debug specific issues, but tinkerers might like to play around with some of its advanced options!  More info is &lt;a href="http://musclenerd.com/cinject-readme.txt" target="_blank"&gt;here&lt;/a&gt;.
&lt;ul&gt;&lt;li&gt;Version 0.4.3 adds support for Windows users.  It also makes the “-j” jailbreak option much more functional :)  See the README.txt for usage.&lt;/li&gt;
&lt;/ul&gt;&lt;/li&gt;
&lt;/ol&gt;</description><link>http://blog.iphone-dev.org/post/16162905938</link><guid>http://blog.iphone-dev.org/post/16162905938</guid><pubDate>Fri, 20 Jan 2012 10:18:00 +0300</pubDate></item><item><title>Untethered holidays</title><description>&lt;p&gt;@pod2g has created a terrific gift for iOS fans — an untethered 5.0.1 jailbreak for non-A5 devices! &lt;/p&gt;
&lt;p&gt;Many of you have already been following @pod2g’s &lt;a href="http://pod2g-ios.blogspot.com" target="_blank"&gt;blog&lt;/a&gt; where he’s been keeping everyone up to date on his progress.  And so you know that he recently decided to push the button on a release for all devices except the new iPhone4S and iPad2.  @pod2g’s untether involves two separate exploits and a few other “tricks” — and since he’s taken the @comex approach of doing nearly everything himself, you know his plate has been full these past few months!&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;A few days ago, @pod2g gave the untether to both the iPhone devteam and the chronic devteam.&lt;/strong&gt;  We’ve put it into redsn0w 0.9.10 and PwnageTool, and the chronic devteam put it into a Cydia package (the same set of exploits is in all three).&lt;/p&gt;
&lt;p&gt;Here are the basic steps for how to get it:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;strong&gt;The untether is for iOS 5.0.1 on iPhone3GS, iPhone4, iPhone4-CDMA, iPad1, iPod touch 3G, iPod touch 4G&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;If you have one of those devices and are not on 5.0.1 yet, update now!  The SHSH window is still open for 5.0.1.  &lt;strong&gt;If you unlock via ultrasn0w or gevey&lt;/strong&gt;, make sure you only get to 5.0.1 via a custom IPSW!  See the guides at places like &lt;a href="http://iclarified.com" target="_blank"&gt;iClarified.com&lt;/a&gt; if you don’t know how.  &lt;strong&gt;Once you’re at 5.0.1, use the latest redsn0w 0.9.10 to both jailbreak and untether.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;If you’re already at 5.0.1 with a tethered jailbreak, you have two choices:&lt;/strong&gt; either run redsn0w 0.9.10 over your current jailbreak (deselect “Install Cydia” if you do that), or install the Cydia package prepared by the chronic devteam.  &lt;strong&gt;The patches are the same regardless of which you choose.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;Some of you are using a hybrid 5.0/5.0.1 configuration.  If so, do not attempt to install this untether over that setup!  You will most likely get into a reboot cycle.  Do a sync and fresh restore to 5.0.1 then install the jailbreak + untether.&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;As mentioned earlier, @pod2g has spent months working on all the exploits and tricks in this untether, and many of you may be wondering how you can send donations.  Although the iPhone devteam itself doesn’t take donations, we thought it was appropriate to provide a link at the end of the redsn0w run for you to more easily donate directly to @pod2g if you wish (alternatively, you can go right &lt;a href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&amp;hosted_button_id=VLSHU7DG68H52" target="_blank"&gt;here&lt;/a&gt;).  There’s a link in the Cydia package for donating to the chronic devteam for the Cydia version of @pod2g’s untether.&lt;/p&gt;
&lt;p&gt;@pod2g is now looking for a way to extend this to A5 devices.  Because those devices cannot use geohot’s limera1n exploit to inject the untether, they require exploits above and beyond those used for this release.  Keep following pod2g on &lt;a href="http://twitter.com/pod2g" target="_blank"&gt;twitter&lt;/a&gt; or his blog for any progress reports!&lt;/p&gt;
&lt;div&gt;&lt;strong&gt;Update #2: &lt;/strong&gt;The b2 version of redsn0w includes the launchctl-related fix by @planetbeing as mentioned by @saurik &lt;a href="https://twitter.com/#!/saurik/status/151831295280947202" target="_blank"&gt;here&lt;/a&gt; and &lt;a href="https://twitter.com/#!/saurik/status/151851829074989056" target="_blank"&gt;here&lt;/a&gt;.  As usual, you can just re-run redsn0w in jailbreak mode over your existing 5.0.1 jailbreak (even a PwnageTool one), making sure to de-select “Install Cydia” if you do.  Always be sure to do a controlled “slide to power off” shutdown of your device before running redsn0w.&lt;/div&gt;
&lt;div&gt;&lt;strong&gt;Update #3: &lt;/strong&gt;The b3 version of redsn0w fixes a problem where re-running redsn0w over an existing jailbreak would cause MobileSubstrate-based apps to stop running until MS was installed again.  Now you can re-run the redsn0w jailbreak step without worrying about that (but still remember to de-select the “Install Cydia” option if it’s already installed).&lt;/div&gt;
&lt;div&gt;&lt;strong&gt;Update #4: &lt;/strong&gt;The b4 version of redsn0w incorporates the 5.0.1 fix for iBooks, and also for sporadic problems with launchctl.  Thanks to @xvolks for merging the iBooks (sandbox) fix from @comex’s github into the overall corona untether from @pod2g!  &lt;/div&gt;
&lt;div&gt;&lt;strong&gt;Update #5: &lt;/strong&gt;redsn0w version b5 incorporates yet another fix for iBooks, this time involving DRM.  @planetbeing wrote a utility called “crazeles” that overcomes jailbreak detection by iBooks that would cause about 10% of images to show incorrectly.  This fix is similar to the “hunnypot” fix that @comex wrote for the 4.x jailbreak.  As usual, you can choose to install the fix either by re-running redsn0w over your existing jailbreak (de-select Cydia if you do that), or by installing the corona package from Cydia (it’s the same set of files no matter which way you choose).&lt;/div&gt;
&lt;div&gt;&lt;strong&gt;TIP: &lt;/strong&gt;If auto-detection fails and redsn0w tells you no identifying data was found, you can always pre-select the &lt;a href="http://theiphonewiki.com/wiki/index.php?title=Firmware" target="_blank"&gt;appropriate 5.0.1 IPSW&lt;/a&gt; using “Extras-&gt;Select IPSW”.&lt;/div&gt;
&lt;hr&gt;&lt;div&gt;Here are the redsn0w download links&lt;strong&gt;:&lt;/strong&gt;&lt;/div&gt;
&lt;div&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_mac_0.9.10b5.zip?attredirects=0&amp;d=1" target="_blank"&gt;redsn0w 0.9.10b5 for OS X&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_win_0.9.10b5.zip?attredirects=0&amp;d=1" target="_blank"&gt;redsn0w 0.9.10b5 for Windows&lt;/a&gt; (be sure to run in Administrator mode)&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;PwnageTool Official BitTorrent Releases&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="http://torrents.thepiratebay.org/6915059/PwnageTool_5.0.1.dmg.6915059.TPB.torrent" target="_blank"&gt;PwnageTool_5.0.1.dmg&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;SHA1 Sum = 32e90607378988cdebb6c76d3acf8ffac6366e35&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Unofficial Mirrors&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The following links are unofficial download mirrors.  You download these archives at your own risk; we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links and we accept no responsibility with regard to the validity of the files, the other content that these links may provide or with the content that is on the third-party linked site.&lt;/p&gt;
&lt;p&gt;Always check the files that you have downloaded against our published SHA1 hash.&lt;/p&gt;
&lt;p&gt;We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.&lt;/p&gt;
&lt;p&gt;Mirror owners should email mirrors to blog@iphone-dev.org.  Please ensure that they are direct dmg download links only (no rapidshare type sites please) and that your web-server can serve DMG MIME types properly.  Please don’t place mirrors in the comments, as they will be deleted.&lt;/p&gt;
&lt;/div&gt;</description><link>http://blog.iphone-dev.org/post/14857834236</link><guid>http://blog.iphone-dev.org/post/14857834236</guid><pubDate>Tue, 27 Dec 2011 13:55:00 +0300</pubDate><category>PwnageTool</category><category>redsn0w</category></item><item><title>pre-QUALifier</title><description>&lt;p&gt;&lt;img src="http://musclenerd.com/us124.png" alt="ultrasn0w 1.2.4" width="320" height="480" align="middle"/&gt;&lt;/p&gt;
&lt;p&gt;We’ve updated ultrasn0w to be compatible with iOS5, which came out a few days ago.  While ultrasn0w 1.2.4 (available now in Cydia) doesn’t add support for any new basebands, the update is required for any ultrasn0w unlockers trying out iOS5 (it remains backwards compatible though, so you should be able to use it no matter what firmware you have).  &lt;/p&gt;
&lt;p&gt;The supported basebands for the iPhone 3G and 3GS are 04.26.08, 05.11.07, 05.12.01, 05.13.04, and 06.15.00.  The baseband supported for the iPhone4 is 01.59.00.&lt;/p&gt;
&lt;p&gt;Remember, the only way to get to iOS5 while preserving your ultrasn0w-compatible baseband is by using a custom IPSW.  redsn0w now has the ability to create such a custom IPSW for you (at least on Macs…the same capability for Windows will be coming soon).&lt;/p&gt;
&lt;p&gt;The majority of people who use ultrasn0w at iOS5 right now will probably be those with old-bootrom iPhone3GS devices, since they already have an untethered jailbreak via redsn0w.  For everyone else, the iOS5 jailbreak is currently tethered and you need to “Just boot” tethered with redsn0w every time your phone reboots.  That’s not always easy to do if your phone reboots while away from home!&lt;/p&gt;
&lt;p&gt;&lt;strike&gt;&lt;strong&gt;Note: there’s a special “trick” that iPhone3GS owners with baseband 06.15 need for iOS5.&lt;/strong&gt;  During the new setup screens you see when you start iOS5 for the first time, you’ll be asked about Location Services.  &lt;strong&gt;Be sure to select “Disable Location Services” when asked!  Later on in the setup, you’ll have the chance to turn on Location Services again&lt;/strong&gt; when asked if you want to use “Find my iPhone”.  It’s fine to turn it back on at that point, if that’s your desire (or you can always go in and enable it in Settings.app).&lt;/strike&gt;&lt;/p&gt;
&lt;p&gt;Edit: The above “trick” is no longer needed as of v0.9.9b6 of redsn0w.&lt;/p&gt;
&lt;p&gt;Also, some iPhone3GS users with the 06.15 baseband may have tried to install iOS5 using a stock IPSW (even though you should never ever try to use a stock IPSW if you’re an ultrasn0w unlocker).  If you did try this, your baseband is probably in an inconsistent state, and you’ll need to reflash the 06.15 baseband again (using redsn0w).  Be very careful if you use redsn0w to reflash the iPad baseband — don’t interrupt the process! And please avoid using stock IPSWs in the future :)  &lt;strong&gt;Unlockers should never go near stock IPSWs.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;If you need to use redsn0w for any of the above tasks, please make sure it’s version 0.9.9b4 or higher, which is &lt;a href="http://blog.iphone-dev.org/redsn0w-iOS5" target="_blank"&gt;available here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Enjoy!&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/11430068008</link><guid>http://blog.iphone-dev.org/post/11430068008</guid><pubDate>Fri, 14 Oct 2011 12:01:00 +0400</pubDate></item><item><title>RIP</title><description>&lt;p&gt;&lt;img height="360" width="549" alt="Steve Jobs" src="http://musclenerd.com/steve.jpg"/&gt;&lt;/p&gt;

&lt;p&gt;&lt;iframe width="420" height="315" src="http://www.youtube.com/embed/UF8uR6Z6KLc" frameborder="0"&gt;&lt;/iframe&gt;&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/11081248963</link><guid>http://blog.iphone-dev.org/post/11081248963</guid><pubDate>Thu, 06 Oct 2011 04:38:50 +0400</pubDate></item><item><title>The coolest cat</title><description>&lt;p&gt;&lt;img src="http://xs1.iphwn.org/TomJerry2_468x342.jpg" alt="The coolest cat" width="468" height="342"/&gt;&lt;/p&gt;

&lt;p&gt;We loved the chase!  &lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.apple.com/pr/library/2011/08/24Letter-from-Steve-Jobs.html" target="_blank"&gt;Good luck&lt;/a&gt;, Steve.&lt;/p&gt;
&lt;p&gt;Signed,&lt;br/&gt;Jailbreakers and tinkerers everywhere.&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/9352689002</link><guid>http://blog.iphone-dev.org/post/9352689002</guid><pubDate>Thu, 25 Aug 2011 03:40:00 +0400</pubDate></item><item><title>jailbreakme times 3</title><description>&lt;p&gt;Once again, &lt;a href="http://twitter.com/comex" target="_blank"&gt;@comex&lt;/a&gt; has resurrected &lt;a href="http://www.jailbreakme.com" target="_blank"&gt;http://www.jailbreakme.com&lt;/a&gt; for your jailbreaking ease and pleasure!&lt;/p&gt;
&lt;p&gt;@comex developed what is now the third installment (and his second) of jailbreakme.com, the easiest way to jailbreak your iPhone, iPod touch, and iPad (including the iPad2!).  No computer is necessary for jbme3.0…just browse to &lt;a href="http://www.jailbreakme.com" target="_blank"&gt;http://www.jailbreakme.com&lt;/a&gt; on your device and install it from there!&lt;/p&gt;
&lt;p&gt;While @comex and others have worked hard to make this as simple as possible, some people may have questions and problems may arise.  Rather than inundate comex with any questions over twitter, please consider either using our comments section below or visiting &lt;a href="http://jbqa.me" target="_blank"&gt;http://jbqa.me&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Please read &lt;a href="http://www.jailbreakme.com/#moreinfo" target="_blank"&gt;“More Information”&lt;/a&gt; on the jbme3.0 page for some basic background information and ways you can thank @comex&lt;/strong&gt;.  Here are some additional Q&amp;As beyond that:&lt;/p&gt;
&lt;p&gt;Q: Which devices and firmware versions are supported?&lt;br/&gt;A: In this initial release, the following configurations are supported:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;iPad1: 4.3 through 4.3.3&lt;/li&gt;
&lt;li&gt;iPad2: 4.3.3&lt;/li&gt;
&lt;li&gt;iPhone3GS: 4.3 through 4.3.3&lt;/li&gt;
&lt;li&gt;iPhone4: 4.3 through 4.3.3&lt;/li&gt;
&lt;li&gt;iPhone4-CDMA: 4.2.6 through 4.2.8&lt;/li&gt;
&lt;li&gt;iPod touch 3g: 4.3, 4.3.2, 4.3.3&lt;/li&gt;
&lt;li&gt;iPod touch 4g: 4.3 through 4.3.3&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;Q: Do the holes discovered by @comex put my device at risk?&lt;br/&gt;A: Yes.  &lt;strong&gt;We recommend installing “PDF Patcher 2” in Cydia once you’re jailbroken&lt;/strong&gt; to eliminate this risk (any firmware version). &lt;/p&gt;
&lt;p&gt;Q: How does jbme3.0 differ from the existing jailbreaks?&lt;br/&gt;A: jbme3.0 is entirely userland-based, from start to finish.  The A5 chip in the iPad2 has no iBoot or bootrom-level exploits yet, so tools like redsn0w, PwnageTool and sn0wbreeze can’t use the limera1n bootrom exploit to inject the jailbreak.  Even for those devices where limera1n works, jbme3.0 injects the jailbreak with a userland exploit.&lt;/p&gt;
&lt;p&gt;Q: If I’m already jailbroken on the latest firmware, is there any advantage to jailbreaking again?&lt;br/&gt;A: No, but you should &lt;strong&gt;consider showing this to your friends!  Spread the jailbreaking fever.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Q: Are the holes exploited by jbme3.0 closed in iOS5?&lt;br/&gt;A: The holes still exist in the iOS5 betas, but they’ll almost certainly be fixed by the time iOS5 is public.  However, because the iPad2 had no public jailbreak yet, it probably wasn’t worth waiting until the fall to use them.  If history repeats itself though, there will be more holes and exploits.&lt;/p&gt;
&lt;p&gt;Q: Will I permanently lose the jailbreak if I need to restore my device?&lt;br/&gt;A: For all except the iPad2, saving your SHSH blobs should let you always restore your device to iOS versions where this jailbreak works.  The iPad2 is a little more complicated.  If you have a wifi-only iPad2 and saved SHSH blobs, you’re in good shape.  But&lt;strong&gt; if you have the GSM or CDMA iPad2, you won’t be able to restore to 4.3.3 or lower once Apple stops signing its baseband&lt;/strong&gt;.  There are a few ideas that might work to get around this limitation, but for now it’s best to assume there’s no going back to 4.3.3 once 4.3.4 is out for iPad2 GSM or CDMA owners. &lt;/p&gt;
&lt;p&gt;Q: I heard this new unionfs stuff is dangerous?&lt;br/&gt;A: Define dangerous :)  Seriously though, although unionfs is a huge improvement to the install time of the jailbreak, it is brand new code and there is the possibility something will go wrong.  Just keep regular backups of your media and content and you should be fine.  If there are any problems, they should appear within the first few days, so hold off and let “everyone else” test the waters if you’d like.&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/7295551750</link><guid>http://blog.iphone-dev.org/post/7295551750</guid><pubDate>Wed, 06 Jul 2011 10:43:00 +0400</pubDate><category>jailbreakme</category></item><item><title>Blob monster</title><description>&lt;p&gt;It looks like Apple is about to aggressively combat the “replay attacks” that have until now allowed users to use iTunes to restore to previous firmware versions using saved SHSH blobs.&lt;/p&gt;
&lt;p&gt;Those of you who have been jailbreaking for a while have probably heard us periodically warn you to “save your blobs” for each firmware using either Cydia or TinyUmbrella (or even the “copy from /tmp during restore” method for advanced users).  Saving your blobs for a given firmware on your specific device allows you to restore *that* device to *that* firmware even after Apple has stopped signing it.  That’s all about to change.&lt;/p&gt;
&lt;p&gt;Starting with the iOS5 beta, the role of the “APTicket” is changing — it’s being used much like the “BBTicket” has always been used.  The LLB and iBoot stages of the boot sequence are being refined to depend on the authenticity of the APTicket, which is uniquely generated at each and every restore (in other words, it doesn’t depend merely on your ECID and firmware version…it changes every time you restore, based partly on a random number).  This APTicket authentication will happen at every boot, not just at restore time.  Because only Apple has the crypto keys to properly sign the per-restore APTicket, replayed APTickets are useless.&lt;/p&gt;
&lt;p&gt;This will only affect restores starting at iOS5 and onward, and Apple will be able to flip that switch off and on at will (by opening or closing the APTicket signing window for that firmware, like they do for the BBTicket).  geohot’s limera1n exploit occurs before any of this new checking is done, so &lt;strong&gt;tethered jailbreaks will still always be possible&lt;/strong&gt; for devices where limera1n applies.  Also, &lt;strong&gt;restoring to pre-5.0 firmwares with saved blobs will still be possible&lt;/strong&gt; (but you’ll soon start to need to use older iTunes versions for that). Note that iTunes ultimately is *not* the component that matters here…it’s the boot sequence on the device starting with the LLB.&lt;/p&gt;
&lt;p&gt;Although it’s always been just “a matter of time” before Apple started doing this (they’ve always done this with the BBTicket), it’s still a significant move on Apple’s part (and it also dovetails with certain technical requirements of their upcoming OTA “delta” updates).&lt;/p&gt;
&lt;p&gt;Note: although there may still be ways to combat this, &lt;strong&gt;a beta period is really not the time or place to discuss them&lt;/strong&gt;.  We’re just letting you know what Apple has already done in their existing beta releases — they’ve stepped up their game!&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/6952986620</link><guid>http://blog.iphone-dev.org/post/6952986620</guid><pubDate>Mon, 27 Jun 2011 02:57:00 +0400</pubDate></item><item><title>Tic tac toe...</title><description>&lt;p&gt;… three in a row!  Apple released iOS 4.3.3 on Wednesday, and once again the untethered jailbreak exploit that &lt;a href="http://twitter.com/i0n1c" target="_blank"&gt;@i0n1c&lt;/a&gt; created for 4.3.1 still works.  That makes it an unprecedented three firmwares where the same userland exploit works.  We’re not exactly sure why Apple hasn’t fixed the hole yet, but we’re not complaining!&lt;/p&gt;
&lt;p&gt;Today’s PwnageTool and redsn0w incorporate @i0n1c’s port to 4.3.3 (it’s ironic that such a long-lasting untether doesn’t even have an official name!).  It also of course uses geohot’s limera1n bootrom exploit to inject the jailbreak. The 4.3.3 untether works on all devices that actually support 4.3.3 except for the iPad2:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;iPhone3GS&lt;/li&gt;
&lt;li&gt;iPhone4 (GSM)  &lt;/li&gt;
&lt;li&gt;iPhone4 (CDMA) (4.2.8 - See update #3)&lt;/li&gt;
&lt;li&gt;iPod touch 3G&lt;/li&gt;
&lt;li&gt;iPod touch 4G&lt;/li&gt;
&lt;li&gt;iPad1&lt;/li&gt;
&lt;li&gt;AppleTV2G (v4.3 8F202…see update #2 below for the v4.3 8F305 bundle)&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;Some things to note:&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;&lt;strong&gt;ultrasn0w unlockers must stay away from redsn0w!  Use only a custom IPSW to update to 4.3.3, to avoid updating your baseband.&lt;/strong&gt;  There are plenty of tutorials for both redsn0w and PwnageTool at sites like &lt;a href="http://iclarified.com" target="_blank"&gt;iClarified.com&lt;/a&gt;.  Or feel free to ask away in our comments section below.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;ultrasn0w has been updated to v1.2.3 to be compatible with iOS 4.3.3 and earlier (the ultrasn0w update does not include any new baseband support!).&lt;/strong&gt;  Please reboot your iPhone using the normal “slide to power off” swipe after installing ultrasn0w 1.2.3.&lt;/li&gt;
&lt;li&gt;By popular demand, redsn0w now allows you to enable multitasking gestures (although most will find it useful only on iPads).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;iPad2 update&lt;/strong&gt;:  The iPad2 jailbreak remains under development.  As you may know, the original exploit @comex developed in the first week of the iPad2 release was mysteriously fixed by Apple within days of its development.  Partly because of this, don’t expect much public discussion of the iPad2 jailbreak until it’s actually finished and ready for release (and please avoid asking about it).  In all likelihood, it will be a userland exploit like the first (unreleased) one, not dependent on bootrom dumps.  The first one can’t be released even for those with the original 4.3 firmware due to legal (distribution) reasons.&lt;/li&gt;
&lt;/ol&gt;&lt;p&gt;As always, please feel free to ask for help or advice in our comment section, with our friendly moderators Confucious, sherif_hashim, dhlizard, Frank55, and subarurider (and many other very knowledgeable commenters too!)&lt;/p&gt;
&lt;hr&gt;&lt;p&gt;&lt;strong&gt;Update #1&lt;/strong&gt;: PwnageTool and redsn0w have been updated to include a fix for the iPhone3GS/i4 side switch vibration issue (&lt;strong&gt;only for 4.3.3!&lt;/strong&gt;).  Thanks to @i0n1c for tracking this down (even though he doesn’t even have an iPhone!).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;If you’re already jailbroken at 4.3.3 (by either redsn0w rc15 or custom IPSW), you can install this fix simply by running redsn0w rc16 over your existing 4.3.3 jailbreak.&lt;/strong&gt;  Just uncheck the “Install Cydia” option and check any other options you want.  The fix will be installed no matter what you’ve selected.  This is safe for even ultrasn0w unlockers to do (because redsn0w itself won’t update your baseband…only an iTunes stock IPSW update/restore will do that).&lt;/p&gt;
&lt;p&gt;redsn0w rc16 has a few more improvements:  &lt;strong&gt;Windows 7 and Vista users should no longer need to set their CPU affinity…just run redsn0w as Administrator in XP compatibility mode&lt;/strong&gt;.  Also, the “verbose boot” option for old-bootrom iPhone 3GS has been fixed for 4.3.3 (remember: old-bootrom 3GS users can even have custom bootlogos that show right at power-up).  Enjoy!&lt;/p&gt;
&lt;hr&gt;&lt;p&gt;&lt;strong&gt;Update #2&lt;/strong&gt;:  Apple released a minor update to iOS 4.3 for AppleTV2G (the IPSW name still says 4.3, but the build version changed from 8F202 to 8F305).  &lt;a href="http://twitter.com/i0n1c" target="_blank"&gt;@i0n1c&lt;/a&gt; was once again able to quickly port his original 4.3.1 untether (the exploit that wouldn’t die!) to this version.  &lt;/p&gt;
&lt;p&gt;If you do feel like updating to the “new” 4.3, you’ll need to drop &lt;a href="https://sites.google.com/a/iphone-dev.com/files/home/AppleTV2%2C1_4.3_8F305.bundle.zip?attredirects=0&amp;d=1" target="_blank"&gt;this bundle&lt;/a&gt; into the correct folder in PwnageTool.app.  If you don’t know how to do that, there are lots of tutorials on the web, and we’d be glad to help in the comments below.  &lt;/p&gt;
&lt;p&gt;Thanks once again, @i0n1c!&lt;/p&gt;
&lt;hr&gt;&lt;p&gt;&lt;strong&gt;Update #3&lt;/strong&gt;: We’ve updated redsn0w (0.9.6rc18) to also include the Verizon iPhone4-CDMA iOS version 4.2.8 untether (which uses the &lt;a href="http://blog.iphone-dev.org/post/3314130778/whats-in-a-name" target="_blank"&gt;HFS exploit&lt;/a&gt;).&lt;/p&gt;
&lt;hr&gt;&lt;p&gt;&lt;strong&gt;Update #4&lt;/strong&gt;: redsn0w has been updated to 0.9.6rc19 to include changes in the way custom bundles are handled.  Now when you use a custom bundle, most of the normal jailbreak steps (like stashing and untethering) are skipped.  This makes it easier for custom bundles like the Verizon i4 jailbreakme &lt;a href="http://a.qoid.us/verizon-iphone.html" target="_blank"&gt;fix&lt;/a&gt;.&lt;/p&gt;
&lt;hr&gt;&lt;p&gt;redsn0w 0.9.6rc19:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_mac_0.9.6rc19.zip?attredirects=0&amp;d=1" target="_blank"&gt;OS X&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_win_0.9.6rc19.zip?attredirects=0&amp;d=1" target="_blank"&gt;Windows&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;hr&gt;&lt;p&gt;&lt;strong&gt;PwnageTool Official BitTorrent Release&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;strong&gt;&lt;a href="http://torrents.thepiratebay.org/6375459/PwnageTool_4.3.3.1.dmg.6375459.TPB.torrent" target="_blank"&gt;PwnageTool_4.3.3.1.dmg.6375459.TPB.torrent&lt;/a&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;&lt;span&gt;SHA1 Sum = &lt;/span&gt;&lt;/strong&gt;2c8b17c28ae10295b72dabde30bb4b39b0e85821&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Unofficial Mirrors&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The following links are unofficial download mirrors, you download these archives at your own risk, we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links and we accept no responsibility with regard to the validity of the files, the other content that these links may provide or with the content that is on the third-party linked site.&lt;/p&gt;
&lt;p&gt;Always check the files that you have downloaded against our published SHA1 hash.&lt;/p&gt;
&lt;p&gt;We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.&lt;/p&gt;
&lt;p&gt;Mirror owners should email mirrors to blog@iphone-dev.org - please ensure that they are direct dmg download links only  (no rapidshare type sites please) and that your web-server can serve DMG MIME types properly. — please don’t place mirrors in the comments as they will be deleted.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="http://mayask.com/PwnageTool_4.3.3.1.dmg" target="_blank"&gt;&lt;a href="http://mayask.com/PwnageTool_4.3.3.1.dmg" target="_blank"&gt;http://mayask.com/PwnageTool_4.3.3.1.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://ibloo.net/PwnageTool_4.3.3.1.dmg" target="_blank"&gt;&lt;a href="http://ibloo.net/PwnageTool_4.3.3.1.dmg" target="_blank"&gt;http://ibloo.net/PwnageTool_4.3.3.1.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://m0o.eu/d/PwnageTool_4.3.3.1.dmg" target="_blank"&gt;&lt;a href="http://m0o.eu/d/PwnageTool_4.3.3.1.dmg" target="_blank"&gt;http://m0o.eu/d/PwnageTool_4.3.3.1.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://mirror.omegarazer.ca/PwnageTool/PwnageTool_4.3.3.1.dmg" target="_blank"&gt;&lt;a href="http://mirror.omegarazer.ca/PwnageTool/PwnageTool_4.3.3.1.dmg" target="_blank"&gt;http://mirror.omegarazer.ca/PwnageTool/PwnageTool_4.3.3.1.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://smotrikino.net/PwnageTool_4.3.3.1.dmg" target="_blank"&gt;&lt;a href="http://smotrikino.net/PwnageTool_4.3.3.1.dmg" target="_blank"&gt;http://smotrikino.net/PwnageTool_4.3.3.1.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://mirror.StrongRoute.com/PwnageTool_4.3.3.1.dmg" target="_blank"&gt;&lt;a href="http://mirror.StrongRoute.com/PwnageTool_4.3.3.1.dmg" target="_blank"&gt;http://mirror.StrongRoute.com/PwnageTool_4.3.3.1.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.idevice.ro/PwnageTool_4.3.3.1.dmg" target="_blank"&gt;&lt;a href="http://www.idevice.ro/PwnageTool_4.3.3.1.dmg" target="_blank"&gt;http://www.idevice.ro/PwnageTool_4.3.3.1.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://white-buy.ru/PwnageTool_4.3.3.1.dmg" target="_blank"&gt;&lt;a href="http://white-buy.ru/PwnageTool_4.3.3.1.dmg" target="_blank"&gt;http://white-buy.ru/PwnageTool_4.3.3.1.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description><link>http://blog.iphone-dev.org/post/5239805497</link><guid>http://blog.iphone-dev.org/post/5239805497</guid><pubDate>Fri, 06 May 2011 12:57:00 +0400</pubDate><category>PwnageTool</category><category>redsn0w</category><category>ultrasn0w</category></item><item><title>The untether rolls on</title><description>&lt;p&gt;Only a few weeks after the 4.3.1 untether created by &lt;a href="http://twitter.com/i0n1c" target="_blank"&gt;@i0n1c&lt;/a&gt; was released, Apple pushed out firmware 4.3.2. Thankfully, it appears Apple didn’t have a chance to fix the hole used by @i0n1c’s untether, so he ported his code over to 4.3.2’s kernel.  Today’s redsn0w has been updated to include it.&lt;/p&gt;
&lt;p&gt;The&lt;strong&gt; 4.3.2 untether&lt;/strong&gt; works on all devices that actually support 4.3.2 except for the iPad2:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;iPhone3GS&lt;/li&gt;
&lt;li&gt;iPhone4 (GSM)  &lt;/li&gt;
&lt;li&gt;iPod touch 3G&lt;/li&gt;
&lt;li&gt;iPod touch 4G&lt;/li&gt;
&lt;li&gt;iPad1&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;redsn0w 0.9.6rc14:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_mac_0.9.6rc14.zip?attredirects=0&amp;d=1" target="_blank"&gt;OS X redsn0w&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_win_0.9.6rc14.zip?attredirects=0&amp;d=1" target="_blank"&gt;Windows redsn0w&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;As always, ultrasn0w unlockers should stay away from redsn0w and only update their firmware through a custom IPSW.&lt;/strong&gt;   See update #3 below.&lt;/p&gt;
&lt;p&gt;For any questions or problems, please use our comments section below with our ever-helpful moderators Confucious, sherif_hashim, dhlizard, Frank55, and subarurider.&lt;/p&gt;
&lt;hr&gt;&lt;p&gt;&lt;strike&gt;Update #1: Until @i0n1c has a chance to fix the i4 version, we’ve removed the i4 untether from redsn0w (making it a tethered-only JB for i4 right now).&lt;/strike&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Update #2: &lt;/strong&gt;redsn0w rc14 includes the fixed i4 untether from @i0n1c.  You can re-run redsn0w rc14 right over the tethered rc13b to transform the i4 JB into an untethered one.&lt;/p&gt;
&lt;hr&gt;&lt;p&gt;&lt;strong&gt;Update #3: &lt;/strong&gt;PwnageTool 4.3.2 now includes the iOS 4.3.2 untether from @i0n1c.  (And look, the PwnageTool and iOS version numbers actually match!).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Note that there’s a corresponding update to ultrasn0w, which has been bumped up to v1.2.2 to get along with iOS 4.3.2 (the ultrasn0w update does not include any new baseband support!).&lt;/strong&gt;  Please reboot your iPhone using the normal “slide to power off” swipe after installing ultrasn0w 1.2.2.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;PwnageTool Official BitTorrent Release&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="http://torrents.thepiratebay.org/6340182/PwnageTool_4.3.2.dmg.6340182.TPB.torrent" target="_blank"&gt;PwnageTool_4.3.2.dmg.6340182.TPB.torrent&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;&lt;span&gt;SHA1 Sum = &lt;/span&gt;&lt;/strong&gt;fdf9d7cba7872451bbca1ccae95a82cfefb352e7&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Unofficial Mirrors&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The following links are unofficial download mirrors, you download these archives at your own risk, we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links and we accept no responsibility with regard to the validity of the files, the other content that these links may provide or with the content that is on the third-party linked site.&lt;/p&gt;
&lt;p&gt;Always check the files that you have downloaded against our published SHA1 hash.&lt;/p&gt;
&lt;p&gt;We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.&lt;/p&gt;
&lt;p&gt;Mirror owners should email mirrors to blog@iphone-dev.org - please ensure that they are &lt;em&gt;direct dmg download links only&lt;/em&gt;  (no rapidshare type sites please) and that your web-server can serve &lt;em&gt;DMG MIME types&lt;/em&gt; properly.  — please don’t place mirrors in the comments as they will be deleted.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="http://public.kioskofpiracy.org/iphone-dev/PwnageTool_4.3.2.dmg" target="_blank"&gt;&lt;a href="http://public.kioskofpiracy.org/iphone-dev/PwnageTool_4.3.2.dmg" target="_blank"&gt;http://public.kioskofpiracy.org/iphone-dev/PwnageTool_4.3.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://ikeygen.com/PwnageTool_4.3.dmg" target="_blank"&gt;&lt;a href="http://ikeygen.com/PwnageTool_4.3.dmg" target="_blank"&gt;http://ikeygen.com/PwnageTool_4.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.vespaonline.de/iphone/PwnageTool_4.3.2.dmg" target="_blank"&gt;&lt;a href="http://www.vespaonline.de/iphone/PwnageTool_4.3.2.dmg" target="_blank"&gt;http://www.vespaonline.de/iphone/PwnageTool_4.3.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://iphoners.org/download/PwnageTool/PwnageTool_4.3.2.dmg" target="_blank"&gt;&lt;a href="http://iphoners.org/download/PwnageTool/PwnageTool_4.3.2.dmg" target="_blank"&gt;http://iphoners.org/download/PwnageTool/PwnageTool_4.3.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.vespaforum.com/iphone/PwnageTool_4.3.2.dmg" target="_blank"&gt;&lt;a href="http://www.vespaforum.com/iphone/PwnageTool_4.3.2.dmg" target="_blank"&gt;http://www.vespaforum.com/iphone/PwnageTool_4.3.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.youritechsupport.com/apple-files/PwnageTool_4.3.2.dmg" target="_blank"&gt;&lt;a href="http://www.youritechsupport.com/apple-files/PwnageTool_4.3.2.dmg" target="_blank"&gt;http://www.youritechsupport.com/apple-files/PwnageTool_4.3.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://cool.storybro.net/dl/PwnageTool_4.3.2.dmg" target="_blank"&gt;&lt;a href="http://cool.storybro.net/dl/PwnageTool_4.3.2.dmg" target="_blank"&gt;http://cool.storybro.net/dl/PwnageTool_4.3.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://evilvibes.com/downloads/PwnageTool_4.3.2.dmg" target="_blank"&gt;&lt;a href="http://evilvibes.com/downloads/PwnageTool_4.3.2.dmg" target="_blank"&gt;http://evilvibes.com/downloads/PwnageTool_4.3.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://downloads.ulfklose.de/PwnageTool_4.3.2.dmg" target="_blank"&gt;&lt;a href="http://downloads.ulfklose.de/PwnageTool_4.3.2.dmg" target="_blank"&gt;http://downloads.ulfklose.de/PwnageTool_4.3.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://public.stuff.hu/pwnagetool/PwnageTool_4.3.2.dmg" target="_blank"&gt;&lt;a href="http://public.stuff.hu/pwnagetool/PwnageTool_4.3.2.dmg" target="_blank"&gt;http://public.stuff.hu/pwnagetool/PwnageTool_4.3.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://idea4it.com/PwnageTool_4.3.2.dmg" target="_blank"&gt;&lt;a href="http://idea4it.com/PwnageTool_4.3.2.dmg" target="_blank"&gt;http://idea4it.com/PwnageTool_4.3.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.idevice.ro/d/PwnageTool_4.3.2.dmg" target="_blank"&gt;&lt;a href="http://www.idevice.ro/d/PwnageTool_4.3.2.dmg" target="_blank"&gt;http://www.idevice.ro/d/PwnageTool_4.3.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://mirror.omegarazer.ca/pwnagetool/PwnageTool_4.3.2.dmg" target="_blank"&gt;&lt;a href="http://mirror.omegarazer.ca/pwnagetool/PwnageTool_4.3.2.dmg" target="_blank"&gt;http://mirror.omegarazer.ca/pwnagetool/PwnageTool_4.3.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.packetcollision.com/files/PwnageTool/PwnageTool_4.3.2.dmg" target="_blank"&gt;&lt;a href="http://www.packetcollision.com/files/PwnageTool/PwnageTool_4.3.2.dmg" target="_blank"&gt;http://www.packetcollision.com/files/PwnageTool/PwnageTool_4.3.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://up.iNeal.ME/PwnageTool_4.3.2.dmg" target="_blank"&gt;&lt;a href="http://up.iNeal.ME/PwnageTool_4.3.2.dmg" target="_blank"&gt;http://up.iNeal.ME/PwnageTool_4.3.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description><link>http://blog.iphone-dev.org/post/4731948971</link><guid>http://blog.iphone-dev.org/post/4731948971</guid><pubDate>Tue, 19 Apr 2011 04:02:00 +0400</pubDate><category>PwnageTool</category><category>redsn0w</category><category>ultrasn0w</category></item><item><title>Three years of pwnage(tool)</title><description>&lt;p&gt;Three years ago (almost to the day!), the first version of PwnageTool was released for firmware 1.1.4.  So today we’re excited to release another edition of both PwnageTool and redsn0w to bring an untethered jailbreak for Apple’s latest firmware, FW 4.3.1.&lt;/p&gt;
&lt;p&gt;The 4.3.1 untether exploit comes courtesy of Stefan Esser (&lt;a href="http://twitter.com/i0n1c" target="_blank"&gt;@i0n1c on twitter&lt;/a&gt;), a security researcher based in Germany.  Stefan has a &lt;a href="http://www.suspekt.org" target="_blank"&gt;long history of vulnerability research&lt;/a&gt;, and ironically his first contribution to the iPhone jailbreak community was &lt;strong&gt;improved security&lt;/strong&gt; — last year he beat Apple to the punch and implemented ASLR for jailbroken iPhones with his “antid0te” framework. We’re happy to see that Stefan then turned his iPhone attention over to an untethered jailbreak exploit!&lt;/p&gt;
&lt;p&gt;The 4.3.1 untether works on all devices that actually support 4.3.1 &lt;strong&gt;except for the iPad2&lt;/strong&gt;:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;iPhone3GS&lt;/li&gt;
&lt;li&gt;iPhone4 (GSM)&lt;/li&gt;
&lt;li&gt;iPod touch 3G&lt;/li&gt;
&lt;li&gt;iPod touch 4G&lt;/li&gt;
&lt;li&gt;iPad1&lt;/li&gt;
&lt;li&gt;AppleTV 2G (PwnageTool only for now)&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The reason the untether won’t work as-is on the iPad2 is that it requires a bootrom or iBoot-level exploit to install, and the iPad2 is not susceptible to either the limera1n or SHAtter bootrom exploits.&lt;/p&gt;
&lt;p&gt;&lt;strike&gt;&lt;strong&gt;WARNING WARNING — ultrasn0w users don’t update yet! &lt;/strong&gt; We need to first release an update to ultrasn0w that fixes some incompatibilities when FW 4.3.1 is used on the older basebands supported by ultrasn0w.&lt;/strike&gt;  And remember once we do fix ultrasn0w for 4.3.1 (we’ll announce it here and on twitter),&lt;strong&gt; you must only get there via a custom IPSW&lt;/strong&gt; from PwnageTool, Sn0wbreeze or xpwn!  Don’t ever try to restore or update to a stock IPSW, or you’ll lose the unlock!&lt;/p&gt;
&lt;p&gt;For everyone else, redsn0w is the easier program to use (and redsn0w runs on both Mac and Windows).  Please check out places like &lt;a href="http://www.iclarified.com" target="_blank"&gt;iClarified&lt;/a&gt; for some excellent guides on how to use both PwnageTool and redsn0w.&lt;/p&gt;
&lt;p&gt;Feel free to ask for help in our comments section.  &lt;strong&gt;Thanks once again to our fantastic moderators for volunteering their time and knowledge and keeping order: Confucious, sherif_hashim, dhlizard, Frank55, and subarurider&lt;/strong&gt;!&lt;/p&gt;
&lt;hr&gt;&lt;p&gt;&lt;strike&gt;redsn0w 0.9.6rc9:&lt;/strike&gt;&lt;br/&gt; redsn0w 0.9.6rc12 (updated to rc12..details in Update #1 below):&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_mac_0.9.6rc12.zip?attredirects=0&amp;d=1" target="_blank"&gt;OS X redsn0w&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_win_0.9.6rc12.zip?attredirects=0&amp;d=1" target="_blank"&gt;Windows redsn0w&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;hr&gt;&lt;p&gt;&lt;strong&gt;PwnageTool Official BitTorrent Releases&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="http://torrents.thepiratebay.org/6293151/PwnageTool_4.3.dmg.6293151.TPB.torrent" target="_blank"&gt;PwnageTool_4.3.dmg.6293151.TPB.torrent&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;&lt;span&gt;SHA1 Sum = &lt;/span&gt;&lt;/strong&gt;9e8ce7d4eb79b5f839efa0233893ef1a6a5e3c5c&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Unofficial Mirrors&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The following links are unofficial download mirrors, you download these archives at your own risk, we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links and we accept no responsibility with regard to the validity of the files, the other content that these links may provide or with the content that is on the third-party linked site.&lt;/p&gt;
&lt;p&gt;Always check the files that you have downloaded against our published SHA1 hash.&lt;/p&gt;
&lt;p&gt;We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.&lt;/p&gt;
&lt;p&gt;Mirror owners should email mirrors to blog@iphone-dev.org - please ensure that they are &lt;em&gt;direct dmg download links only&lt;/em&gt;  (no rapidshare type sites please) and that your web-server can serve &lt;em&gt;DMG MIME types&lt;/em&gt; properly.  — please don’t place mirrors in the comments as they will be deleted.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.idevice.ro/PwnageTool_4.3.dmg" target="_blank"&gt;&lt;a href="http://www.idevice.ro/PwnageTool_4.3.dmg" target="_blank"&gt;http://www.idevice.ro/PwnageTool_4.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://iphoners.org/download/PwnageTool/PwnageTool_4.3.dmg" target="_blank"&gt;&lt;a href="http://iphoners.org/download/PwnageTool/PwnageTool_4.3.dmg" target="_blank"&gt;http://iphoners.org/download/PwnageTool/PwnageTool_4.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://public.stuff.hu/pwnagetool/PwnageTool_4.3.dmg" target="_blank"&gt;&lt;a href="http://public.stuff.hu/pwnagetool/PwnageTool_4.3.dmg" target="_blank"&gt;http://public.stuff.hu/pwnagetool/PwnageTool_4.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.vespaonline.de/iphone/PwnageTool_4.3.dmg" target="_blank"&gt;&lt;a href="http://www.vespaonline.de/iphone/PwnageTool_4.3.dmg" target="_blank"&gt;http://www.vespaonline.de/iphone/PwnageTool_4.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.riccardomastellone.com/files/PwnageTool_4.3.dmg" target="_blank"&gt;&lt;a href="http://www.riccardomastellone.com/files/PwnageTool_4.3.dmg" target="_blank"&gt;http://www.riccardomastellone.com/files/PwnageTool_4.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://dl.crzz.co/PwnageTool_4.3.dmg" target="_blank"&gt;&lt;a href="http://dl.crzz.co/PwnageTool_4.3.dmg" target="_blank"&gt;http://dl.crzz.co/PwnageTool_4.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://jailbreakzone.com/files/PwnageTool_4.3.dmg" target="_blank"&gt;&lt;a href="http://jailbreakzone.com/files/PwnageTool_4.3.dmg" target="_blank"&gt;http://jailbreakzone.com/files/PwnageTool_4.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://up.iNeal.ME/PwnageTool_4.3.dmg" target="_blank"&gt;&lt;a href="http://up.iNeal.ME/PwnageTool_4.3.dmg" target="_blank"&gt;http://up.iNeal.ME/PwnageTool_4.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://repairmyiphonenyc.com/vl/PwnageTool_4.3.dmg" target="_blank"&gt;&lt;a href="http://repairmyiphonenyc.com/vl/PwnageTool_4.3.dmg" target="_blank"&gt;http://repairmyiphonenyc.com/vl/PwnageTool_4.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://claytonbraasch.com/downloads/PwnageTool_4.3.dmg" target="_blank"&gt;&lt;a href="http://claytonbraasch.com/downloads/PwnageTool_4.3.dmg" target="_blank"&gt;http://claytonbraasch.com/downloads/PwnageTool_4.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://leimobile.com/PwnageTool_4.3.dmg" target="_blank"&gt;&lt;a href="http://leimobile.com/PwnageTool_4.3.dmg" target="_blank"&gt;http://leimobile.com/PwnageTool_4.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://tpsproductions.com/downloads/PwnageTool_4.3.dmg" target="_blank"&gt;&lt;a href="http://tpsproductions.com/downloads/PwnageTool_4.3.dmg" target="_blank"&gt;http://tpsproductions.com/downloads/PwnageTool_4.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://youritechsupport.com/apple-files/PwnageTool_4.3.dmg" target="_blank"&gt;&lt;a href="http://youritechsupport.com/apple-files/PwnageTool_4.3.dmg" target="_blank"&gt;http://youritechsupport.com/apple-files/PwnageTool_4.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://riccardomastellone.com/files/PwnageTool_4.3.dmg" target="_blank"&gt;&lt;a href="http://riccardomastellone.com/files/PwnageTool_4.3.dmg" target="_blank"&gt;http://riccardomastellone.com/files/PwnageTool_4.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.appleturk.net/PwnageTool_4.3.dmg" target="_blank"&gt;&lt;a href="http://www.appleturk.net/PwnageTool_4.3.dmg" target="_blank"&gt;http://www.appleturk.net/PwnageTool_4.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;hr&gt;&lt;p&gt;&lt;strong&gt;Update #1:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Those running redsn0w may have noticed we enabled too many Settings options in some versions of the jailbreak (for instance, what you want your side switch to do, even if you have no side switch because you’re not using an iPad).   Release &lt;strike&gt;rc10&lt;/strike&gt; rc12 of redsn0w corrects that (you can just run it over your existing jailbreak…be sure to de-select Cydia to avoid package conflicts).&lt;/p&gt;
&lt;p&gt;Along the way, we’ve also added the option to enable boot animations…these animations can be installed via Cydia, but be sure to select which animation to use via the Settings-&gt;Bootlogo setting after you’ve downloaded an animation (and again, you can just run &lt;strike&gt;rc10&lt;/strike&gt; rc12 over your existing jailbreak…be sure to de-select Cydia to avoid package conflicts).&lt;/p&gt;
&lt;p&gt;(The boot animation we tested against was “Android Boot Logo”.  It correctly installs all the dependencies needed to run the animation at each boot).&lt;/p&gt;
&lt;p&gt;&lt;strike&gt;redsn0w 0.9.6rc10:&lt;/strike&gt;&lt;br/&gt; redsn0w_0.9.6rc12: (rc12 should fix any lingering issues with the boot animation)&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_mac_0.9.6rc12.zip?attredirects=0&amp;d=1" target="_blank"&gt;OS X redsn0w&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_win_0.9.6rc12.zip?attredirects=0&amp;d=1" target="_blank"&gt;Windows redsn0w&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;hr&gt;&lt;p&gt;&lt;strong&gt;Update #2:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;We’ve pushed out the 4.3.1 compatibility fix for ultrasn0w in Cydia — it’s now at version 1.2.1.  If you’re not already at 4.3.1 and you need the unlock, &lt;strong&gt;please be sure you understand how to get to 4.3.1 using a custom IPSW that doesn’t update your baseband.&lt;/strong&gt;  There are lots of guides for this (like at &lt;a href="http://iclarified.com" target="_blank"&gt;iClarified.com&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;This isn’t a new unlock!  It’s to allow those who are already using ultrasn0w to use FW 4.3.1.&lt;/strong&gt;  It also fixes the signal bar issue for those who aren’t using the unlock but retain an older baseband intentionally.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;AFTER INSTALLING ULTRASN0W 1.2.1, PLEASE REBOOT YOUR iPHONE &lt;/strong&gt;using the normal “slide to power off” swipe.  T-Mobile users in the USA also should disable 3G mode in Settings-&gt;General-&gt;Network.&lt;/p&gt;
&lt;p&gt;A big thanks to @sbingner and @ronaldsb for helping with the testing of this update!&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/4332841631</link><guid>http://blog.iphone-dev.org/post/4332841631</guid><pubDate>Mon, 04 Apr 2011 09:00:00 +0400</pubDate><category>PwnageTool</category><category>redsn0w</category><category>ultrasn0w</category></item><item><title>What's in a name?</title><description>&lt;p&gt;What’s in a name?  Well in the case of an HFS volume name on iOS, an untether exploit — as the Chronic Dev Team revealed last week with an untether for the 4.2.1 jailbreak, which had &lt;a href="http://blog.iphone-dev.org/post/1652053923/thanksgiving-with-apple" target="_blank"&gt;previously been a tethered JB&lt;/a&gt; for most recent devices since 4.2.1’s release in November.  With their permission, we’ve incorporated their 4.2.1 “feedface” untether into today’s PwnageTool 4.2.  &lt;strong&gt;This means iPhone unlockers can safely restore to a custom 4.2.1 pre-jailbroken IPSW and retain their current baseband and unlock&lt;/strong&gt;.  PwnageTool also supports all the other 4.2.1 devices other than iPod touch 2G:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;iPhone3G&lt;/li&gt;
&lt;li&gt;iPhone3GS&lt;/li&gt;
&lt;li&gt;iPhone4&lt;/li&gt;
&lt;li&gt;iPhone4-Verizon&lt;/li&gt;
&lt;li&gt;iPod touch 3G&lt;/li&gt;
&lt;li&gt;iPod touch 4G&lt;/li&gt;
&lt;li&gt;iPad&lt;/li&gt;
&lt;li&gt;AppleTV 2G&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;PwnageTool also includes two very recent improvements to the 4.2.1 JB&lt;/strong&gt;:  iBooks was just fixed by @comex and @pushfix last night so that it works as intended on DRMed books, and the wifi problem on AppleTV 2G was fixed by @nitotv, @DHowett, and @saurik.  Both of these fixes will also be available in upcoming Cydia package updates, so if you’re already jailbroken you can wait for those updates rather than restore and jailbreak again.&lt;/p&gt;
&lt;p&gt;The various components to the 4.2.1 untether (including a second exploit involving Mach-O headers) were worked out by 0naj, posixninja, and pod2g, and a nice writeup by 0naj is available &lt;a href="http://theiphonewiki.com/wiki/index.php?title=Incomplete_Codesign_Exploit" target="_blank"&gt; on the wiki&lt;/a&gt;. The actual injection method uses geohot’s &lt;a href="http://blog.iphone-dev.org/post/1280823486/limera1n-surprise" target="_blank"&gt;limerain exploit&lt;/a&gt; for most devices.  And even though 4.3 is just around the corner, the exploit used has already been closed in the latest 4.3 betas, so it made sense for the 4.2.1 untether to be released when it was.  It also appears that a security researcher named @i0n1c has a &lt;a href="http://twitter.com/i0n1c/status/37431014926065664" target="_blank"&gt;4.3 untether ready&lt;/a&gt; for when Apple releases the final 4.3 FW, so it may not be a long wait at all with 4.3!&lt;/p&gt;
&lt;p&gt;Feel free to ask for help in our comments section.  &lt;strong&gt;And thanks as always to our terrific moderators Confucious, sherif_hashim, dhlizard, Frank55, and subarurider&lt;/strong&gt;!&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Official BitTorrent Releases&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;PwnageTool_4.2.dmg -&gt;&lt;strong&gt; &lt;a title="PwnageTool_4.2.dmg.6176918.TPB.torrent" href="http://torrents.thepiratebay.org/6176918/PwnageTool_4.2.dmg.6176918.TPB.torrent" target="_blank"&gt;PwnageTool_4.2.dmg.6176918.TPB.torrent&lt;/a&gt;&lt;br/&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span&gt;SHA1 Sum = &lt;/span&gt;&lt;/strong&gt;af365f5de19d7ee19cbe1c67b2f226996a46b3ac&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Unofficial Mirrors&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The following links are unofficial download mirrors, you download these archives at your own risk, we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links and we accept no responsibility with regard to the validity of the files, the other content that these links may provide or with the content that is on the third-party linked site.&lt;/p&gt;
&lt;p&gt;Always check the files that you have downloaded against our published SHA1 hash.&lt;/p&gt;
&lt;p&gt;We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.&lt;/p&gt;
&lt;p&gt;Mirror owners should email &lt;em&gt;direct dmg download links only &lt;/em&gt;(no rapidshare type sites please and please make sure that your web-server can serve DMG MIME types) to blog@iphone-dev.org — please don’t place mirrors in the comments as they will be deleted.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a title="http://www.macniouz.fr/softwares/PwnageTool_4.2.dmg" href="http://www.macniouz.fr/softwares/PwnageTool_4.2.dmg" target="_blank"&gt;&lt;a href="http://www.macniouz.fr/softwares/PwnageTool_4.2.dmg" target="_blank"&gt;http://www.macniouz.fr/softwares/PwnageTool_4.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="http://dl.twiios.com/pwnagetool/PwnageTool_4.2.dmg" href="http://dl.twiios.com/pwnagetool/PwnageTool_4.2.dmg" target="_blank"&gt;&lt;a href="http://dl.twiios.com/pwnagetool/PwnageTool_4.2.dmg" target="_blank"&gt;http://dl.twiios.com/pwnagetool/PwnageTool_4.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="http://public.stuff.hu/pwnagetool/PwnageTool_4.2.dmg" href="http://public.stuff.hu/pwnagetool/PwnageTool_4.2.dmg" target="_blank"&gt;&lt;a href="http://public.stuff.hu/pwnagetool/PwnageTool_4.2.dmg" target="_blank"&gt;http://public.stuff.hu/pwnagetool/PwnageTool_4.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="http://crzz.co/dl/PwnageTool_4.2.dmg" href="http://crzz.co/dl/PwnageTool_4.2.dmg" target="_blank"&gt;&lt;a href="http://crzz.co/dl/PwnageTool_4.2.dmg" target="_blank"&gt;http://crzz.co/dl/PwnageTool_4.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="http://www.yourdailyapple.net/downloads/PwnageTool_4.2.dmg" href="http://www.yourdailyapple.net/downloads/PwnageTool_4.2.dmg" target="_blank"&gt;&lt;a href="http://www.yourdailyapple.net/downloads/PwnageTool_4.2.dmg" target="_blank"&gt;http://www.yourdailyapple.net/downloads/PwnageTool_4.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="http://applerama.ru/pwnagetool_4.2.dmg" href="http://applerama.ru/pwnagetool_4.2.dmg" target="_blank"&gt;&lt;a href="http://applerama.ru/pwnagetool_4.2.dmg" target="_blank"&gt;http://applerama.ru/pwnagetool_4.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="http://riccardomastellone.com/files/PwnageTool_4.2.dmg" href="http://riccardomastellone.com/files/PwnageTool_4.2.dmg" target="_blank"&gt;&lt;a href="http://riccardomastellone.com/files/PwnageTool_4.2.dmg" target="_blank"&gt;http://riccardomastellone.com/files/PwnageTool_4.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="http://up.iNeal.ME/PwnageTool_4.2.dmg" href="http://up.iNeal.ME/PwnageTool_4.2.dmg" target="_blank"&gt;&lt;a href="http://up.iNeal.ME/PwnageTool_4.2.dmg" target="_blank"&gt;http://up.iNeal.ME/PwnageTool_4.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="http://claytonbraasch.com/downloads/PwnageTool_4.2.dmg" href="http://claytonbraasch.com/downloads/PwnageTool_4.2.dmg" target="_blank"&gt;&lt;a href="http://claytonbraasch.com/downloads/PwnageTool_4.2.dmg" target="_blank"&gt;http://claytonbraasch.com/downloads/PwnageTool_4.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="http://www.zaone.ro/PwnageTool_4.2.dmg" href="http://www.zaone.ro/PwnageTool_4.2.dmg" target="_blank"&gt;&lt;a href="http://www.zaone.ro/PwnageTool_4.2.dmg" target="_blank"&gt;http://www.zaone.ro/PwnageTool_4.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="http://maclovr.com/PwnageTool_4.2.dmg" href="http://maclovr.com/PwnageTool_4.2.dmg" target="_blank"&gt;&lt;a href="http://maclovr.com/PwnageTool_4.2.dmg" target="_blank"&gt;http://maclovr.com/PwnageTool_4.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="http://cdn.nspwn.com/pwnagetool/PwnageTool_4.2.dmg" href="http://cdn.nspwn.com/pwnagetool/PwnageTool_4.2.dmg" target="_blank"&gt;&lt;a href="http://cdn.nspwn.com/pwnagetool/PwnageTool_4.2.dmg" target="_blank"&gt;http://cdn.nspwn.com/pwnagetool/PwnageTool_4.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="http://stantheripper.com/PwnageTool_4.2.dmg" href="http://stantheripper.com/PwnageTool_4.2.dmg" target="_blank"&gt;&lt;a href="http://stantheripper.com/PwnageTool_4.2.dmg" target="_blank"&gt;http://stantheripper.com/PwnageTool_4.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="http://smotrikino.net/PwnageTool_4.2.dmg" href="http://smotrikino.net/PwnageTool_4.2.dmg" target="_blank"&gt;&lt;a href="http://smotrikino.net/PwnageTool_4.2.dmg" target="_blank"&gt;http://smotrikino.net/PwnageTool_4.2.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description><link>http://blog.iphone-dev.org/post/3314130778</link><guid>http://blog.iphone-dev.org/post/3314130778</guid><pubDate>Wed, 16 Feb 2011 00:16:00 +0300</pubDate><category>PwnageTool</category></item><item><title>Ultra-recycle</title><description>&lt;p&gt;Today we’re pleased to announce our free carrier unlock for iPhone3G/3GS owners with a baseband later than 05.13.04.  The unlock for that baseband exploited the AT+XAPP command, thanks to a crash initially discovered by @sherif_hashim (@Oranav also found this crash).  So what hole are we exploiting today, since Apple closed that AT+XAPP hole?  Well, we’re exploiting the exact same hole!&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;It turns out that the very first iPad firmware 3.2.2 has baseband version 06.15.00 still vulnerable to AT+XAPP. The iPad baseband is built for the exact same baseband chip as the iPhone3G/3GS — they’re fully compatible!&lt;/strong&gt; Some of us have been running 06.15 for weeks now on our iPhones in preparation for this release.   (And some have known about this possibility of 06.15 on the iPhones for a while — kudos to @w1kedZ and @DHowett for keeping it hush!)&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Unlockers have been reporting mixed results about GPS functionality at 06.15.00.  Until we can track down what differentiates those who retain GPS vs. those who lose it, be conservative and assume you’ll lose GPS at 06.15.00. As we work on finding the cause (and possibly a fix), please report your personal findings in our comments section.  &lt;/em&gt;&lt;em&gt;(Update: early indications are that while 06.15.00 is capable of GPS, it will require some further hacks.  But please still be conservative and assume you will lose GPS at 06.15, in case the hacks don’t work).&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;SIMPLIFIED ROUTE #1 (redsn0w for OSX + Windows):&lt;/strong&gt;&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Read and fully understand the warning below.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;If you have an old-bootrom 3GS and are already unlockable but want to get to 4.2.1, please wait until we release an “unofficial” bundle for you.  Read no further.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Use redsn0w (see update #2) for OSX or Windows.  Enable the “Install iPad baseband” option and accept the warning.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;When the redsn0w ramdisk is finished, install ultrasn0w via Cydia.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Enjoy!&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;&lt;p&gt;&lt;strong&gt;SIMPLIFIED ROUTE #2 (PwnageTool for OSX):&lt;/strong&gt;&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Read and fully understand the warning below.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;If you have an old-bootrom 3GS and are already unlockable but want to get to 4.2.1, please wait until we release an “unofficial” bundle for you.  Read no further.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Read update #1 for an updated 3GS bundle.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Download &lt;a href="http://appldnld.apple.com/iPad/061-8801.20100811.CvfR5/iPad1,1_3.2.2_7B500_Restore.ipsw" target="_blank"&gt;this IPSW&lt;/a&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Run PwnageTool to create a custom 4.1 IPSW.  Tell it you want to use the iPad baseband you just downloaded.  Restore to this custom IPSW.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Install ultrasn0w through Cydia&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Enjoy!&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;&lt;p&gt;&lt;strong&gt;FULL VERSION:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Since 06.15 is a higher version than 05.14 or 05.15 (where AT+XAPP is gone), anyone stuck at those versions can simply upgrade to 06.15 to unlock again! Luckily for us, Apple *still* provides the iPad FW 3.2.2 with this vulnerable baseband right &lt;a href="http://appldnld.apple.com/iPad/061-8801.20100811.CvfR5/iPad1,1_3.2.2_7B500_Restore.ipsw" target="_blank"&gt;from their own servers&lt;/a&gt;. (Grab it now, before they take it down!)&lt;/p&gt;
&lt;p&gt;We’ve been busy updating both PwnageTool and redsn0w to make the baseband update as seamless as possible.&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;First up is “PwnageTool 4.1.3 Unlock Edition”.  It has a special dialog box which will ask you if you want to update to the iPad baseband.  You must already have the iPad 3.2.2 IPSW on your computer (see the above link)….so just point PwnageTool at it (or let it find it on its own if you’re in “simple” mode).&lt;/li&gt;
&lt;li&gt;Directly after PwnageTool 4.1.3 is available, the official ultrasn0w repo &lt;a href="http://repo666.ultrasn0w.com" target="_blank"&gt;http://repo666.ultrasn0w.com&lt;/a&gt; will be updated with ultrasn0w 1.2, which covers iPhone 4 baseband 01.59.00 and iPhone 3G/3GS basebands 04.26.08, 05.11.07, 05.12.01, 05.13.04 and now 06.15.00.&lt;/li&gt;
&lt;li&gt;Finally, we’ll release an update to redsn0w today for those who don’t have Macs and can’t run PwnageTool.  The new redsn0w will give you the option to update your baseband to 06.15 too.&lt;/li&gt;
&lt;/ol&gt;&lt;hr&gt;&lt;p&gt;&lt;strong&gt;WARNING — YOU DO THIS AT YOUR OWN RISK!  PLEASE UNDERSTAND THE CONSEQUENCES OF UPDATING TO 06.15.&lt;/strong&gt;&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;There is no way to come back down from 06.15, and there’s no hiding the baseband version from Apple. You’ll be voiding your warranty in a very obvious way.&lt;/li&gt;
&lt;li&gt;If some future baseband comes out with a critical fix, you won’t be able to update to it if it remains down in the 05.xx sequence (then again, you wouldn’t update to it if you wanted to keep your unlock anyway).&lt;/li&gt;
&lt;li&gt;Starting with FW 4.2.1, if you have 06.15 on your iPhone you won’t ever be able to restore to stock firmware (it will fail).  You’ll need to restore only to custom IPSWs (then again, if you’re an unlocker you should already be doing that).&lt;/li&gt;
&lt;/ol&gt;&lt;p&gt;&lt;em&gt;Unlockers have been reporting mixed results about GPS functionality at 06.15.00.  Until we can track down what differentiates those who retain GPS vs. those who lose it, be conservative and assume you’ll lose GPS at 06.15.00. As we work on finding the cause (and possibly a fix), please report your personal findings in our comments section.  &lt;/em&gt;&lt;em&gt;(Update: early indications are that while 06.15.00 is capable of GPS, it will require some further hacks.  But please still be conservative and assume you will lose GPS at 06.15, in case the hacks don’t work).&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Certainly don’t update to 06.15 if you don’t need to!  &lt;em&gt;&lt;strong&gt;Only do this if you need the unlock and you’re stuck on 05.14 or 05.15, and you’re willing to assume the above risks.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;hr&gt;&lt;p&gt;This PwnageTool also contains a 4.2.1 bundle for iPhone3G owners…for all else, it’s still only 4.1.   If you have an iPhone3GS with an old bootrom, use redsn0w for an untethered 4.2.1 jailbreak (it can now install the iPad baseband too).  For all other devices, the 4.2.1 jailbreak is tethered only (use redsn0w for it), until @comex can work some untethering magic.  &lt;/p&gt;
&lt;p&gt;Please feel free to use our comments section for questions.  We have some very knowledgeable and helpful moderators:  &lt;em&gt;&lt;strong&gt;angiepangie, Confucious, sherif_hashim, dhlizard, and Frank55&lt;/strong&gt;!&lt;/em&gt;&lt;/p&gt;
&lt;hr&gt;&lt;p&gt;&lt;strong&gt;Official Bittorrent Releases&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;PwnageTool 4.1.3  - &lt;a href="http://torrents.thepiratebay.org/5994102/PwnageTool_4.1.3_Unlock_Edition.dmg.5994102.TPB.torrent" target="_blank"&gt;PwnageTool_4.1.3_Unlock_Edition.dmg.5994102.TPB.torrent&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;SHA1 Sum = adda6d882dce1b5117d01586037de289407e038a&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Unofficial Mirrors&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The following links are unofficial download mirrors.  You download these archives at your own risk; we accept no responsibility if your computer explodes, if it becomes part of a NASA-attacking botnet, or even worse, if your hands fall off midway through the use of these files. We do not check these links and we accept no responsibility with regard to the validity of the files, the other content that these links may provide or the content that is on the third-party linked site.&lt;/p&gt;
&lt;p&gt;Always check the files that you have downloaded against our published SHA1 hash.&lt;/p&gt;
&lt;p&gt;We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="http://8sv.de/dl/iphone/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://8sv.de/dl/iphone/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://gumballtech.com/files/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://gumballtech.com/files/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://myblack.co.cc/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://myblack.co.cc/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://cloud.xtra.me.uk/dev/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://cloud.xtra.me.uk/dev/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://xtra.me.uk/dev/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://xtra.me.uk/dev/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.zaone.ro/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://www.zaone.ro/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.emreunal.com/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://www.emreunal.com/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.cofo.us/idevice/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://www.cofo.us/idevice/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://ibloo.net/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://ibloo.net/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://jacensolo.com/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://jacensolo.com/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://theplacefordee.com/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://theplacefordee.com/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://loloke.hu/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://loloke.hu/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://powerfree.pl/iphone/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://powerfree.pl/iphone/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.accesoriigsm.net/tools/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://www.accesoriigsm.net/tools/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://cdn.nspwn.com/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://cdn.nspwn.com/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://msby.org/iphone_dev/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://msby.org/iphone_dev/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.tomreinartz.com/DevTeam/PwnageTool_4.1.3_Unlock_Edition.dmg" target="_blank"&gt;http://www.tomreinartz.com/DevTeam/PwnageTool_4.1.3_Unlock_Edition.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://iNeal.ME/up/pt413.dmg" target="_blank"&gt;http://iNeal.ME/up/pt413.dmg&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Mirror owners should email direct dmg download links only (no rapidshare type sites please) to blog@iphone-dev.org&lt;/strong&gt; — please don’t place mirrors in the comments as they will be deleted.&lt;/p&gt;
&lt;hr&gt;&lt;p&gt;&lt;strong&gt;Update #1: &lt;/strong&gt; There’s an error in the bundle for the iPhone3GS 4.1 that prevents the new baseband from being used.  If you know your way around OSX, please &lt;a href="http://iphwn.org/iPhone2,1_4.1_8B117.bundle.zip" target="_blank"&gt;download the fixed bundle&lt;/a&gt;, and unzip it if Safari hasn’t already done so.  Then “Show Package Contents” of PwnageTool.app, navigate to Contents-&gt;Resources-&gt;FirmwareBundles and drop it there.   Otherwise, please wait for the updated PwnageTool, or the OSX version of redsn0w coming soon.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Update #2:  &lt;/strong&gt;The new redsn0w 0.9.6beta5 is out.  It gives both Windows and OSX users the ability to flash the iPad 06.15 baseband on iPhone3G or iPhone3GS.  It fetches the baseband files directly from Apple for now (the only IPSW you ever point it at is the stock IPSW for the FW on your iPhone right now).  There may be a long delay while it’s doing this (their servers are currently getting pounded).&lt;/p&gt;
&lt;p&gt;If you do flash your baseband via redsn0w, &lt;strong&gt;please keep it plugged into USB the whole time&lt;/strong&gt;.  You don’t want your battery to die during the flash process!&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Update #3: &lt;/strong&gt; For those Mac users with an old-bootrom 3GS who really know what they’re doing, &lt;a href="http://iphwn.org/advanced/iPhone2,1_4.2.1_8C148a.bundle.zip" target="_blank"&gt; here’s a minimal 3GS 4.2.1 bundle&lt;/a&gt; that will get you to 4.2.1 without updating your baseband.  Be sure to uncheck “Activate the iPhone” using Expert mode.  To actually jailbreak after you’ve restored with the help of that bundle, please use redsn0w.  If you don’t know how to drop a bundle into PwnageTool.app, please hold off on 4.2.1 until it’s untethered for everyone (or wait for a nice tutorial from somewhere like &lt;a href="http://iclarified.com" target="_blank"&gt;http://iclarified.com&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Update #4: &lt;/strong&gt;Our terrific moderators &lt;em&gt;&lt;strong&gt;angiepangie, Confucious, sherif_hashim, dhlizard, and Frank55&lt;/strong&gt;&lt;/em&gt; have done a stupendous job moderating &lt;strong&gt;7700 comments over just the first 12 hours (that’s 10 per minute for half a day!). &lt;/strong&gt;Hats off to them, and to all of our great commenters who rack up those + points for helping total strangers jailbreak and unlock their iPhones!   That’s what makes this community great :)&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Update #5:  &lt;/strong&gt;Unlockers have been reporting mixed results about GPS functionality at 06.15.00.  Until we can track down what differentiates those who retain GPS vs. those who lose it, be conservative and assume you’ll lose GPS at 06.15.00.  As we work on finding the cause (and possibly a fix), please report your personal findings in our comments section.  &lt;em&gt;(Update: early indications are that while 06.15.00 is capable of GPS, it will require some further hacks.  But please still be conservative and assume you will lose GPS at 06.15, in case the hacks don’t work).&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Update #6:  &lt;/strong&gt;Developer @sbingner (author of TetherMe) has made some excellent progress devising a new hactivation method that kills two birds with one stone for all you ultrasn0w unlockers.  His tool, “Subscriber Artificial Module (SAM)” tricks your iPhone and iTunes into creating legitimate activation tickets even though you’re unlocked with ultrasn0w.  This means you get the full benefit of push applications, and your battery life increases substantially.  If you’d like to try it out, check out &lt;a href="http://www.bingner.com/SAM.html" target="_blank"&gt;http://www.bingner.com/SAM.html&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;To help make it easier to try out @sbingner’s tool, we’ve updated redsn0w to include a new “Deactivate” option for the 3G and 3GS.  Use this option &lt;strong&gt;&lt;em&gt;*after*&lt;/em&gt;&lt;/strong&gt; you’ve installed SAM…it will remove the normal patches made to lockdownd and let SAM take over.  (sbingner plans on making a button to do this within SAMPrefs too).  &lt;strong&gt;&lt;em&gt;Great work, @sbingner!&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The new redsn0w with the “Deactivate” option is at:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_mac_0.9.6rc8.zip?attredirects=0&amp;d=1" target="_blank"&gt;OSX&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_win_0.9.6rc8.zip?attredirects=0&amp;d=1" target="_blank"&gt;Windows&lt;/a&gt;  &lt;em&gt;&lt;strong&gt;(Windows 7 and Vista users, please run redsn0w as Administrator in “XP Compatibility Mode”)&lt;/strong&gt;&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;</description><link>http://blog.iphone-dev.org/post/1718400992</link><guid>http://blog.iphone-dev.org/post/1718400992</guid><pubDate>Mon, 29 Nov 2010 00:24:00 +0300</pubDate><category>PwnageTool</category><category>ultrasn0w</category></item><item><title>Thanksgiving with Apple</title><description>&lt;p&gt;With Turkey Day a few days off, today Apple publicly released FW version 4.2.1.  As always, &lt;strong&gt;ultrasn0w unlockers please stay far far away from this official firmware&lt;/strong&gt; (and all official firmware).  Wait for the ability to create custom 4.2.1 IPSWs that don’t update your baseband!  If you’re not an unlocker, read on!&lt;/p&gt;
&lt;p&gt;The best news of all is for owners of iPhone3G, older iPhone3GS, and non-MC iPod touch 2G.  Due to a combination of our original pwnage2 exploit, the arm7_go exploit, 24kpwn, and limera1n, your device is “just as jailbreakable as ever.”  You reap the full benefit of an untethered 4.2.1 jailbreak.&lt;/p&gt;
&lt;p&gt;Next are the owners of all the more recent devices.  The good news there is that &lt;strong&gt;due to geohot’s limera1n exploit, all recent devices can be jailbroken&lt;/strong&gt; (this will be true until Apple releases new hardware that fixes geohot’s limera1n exploit in the bootrom).  The bad news is that &lt;strong&gt;right now, the 4.2.1 jailbreak is *tethered* on all of these recent devices&lt;/strong&gt;.  A tethered jailbreak means that each time your device loses battery power or needs to be rebooted, you must attach it to a PC or Mac to boot into the jailbroken state.  @comex is working hard on a method that may untether the 4.2.1 jailbreak, but it &lt;strong&gt;may&lt;/strong&gt; require you to have your 4.1 SHSH blobs in order to use it.  No word on how much more effort it will take though (please don’t bug @comex about it!).  (We also have an alternative method that may work, but @comex’s method is much more elegant.)&lt;/p&gt;
&lt;p&gt;So when does all this 4.2.1 jailbreak action happen?  &lt;strike&gt;Well if you’re a JB developer or tinkerer, you’ve already probably used the &lt;a href="http://blog.iphone-dev.org/post/1452044444/redsn0w-limera1n-fun" target="_blank"&gt;redsn0w mentioned in our last post to jailbreak 4.2.1 and at least get SSH working&lt;/a&gt;.  But beyond that, there are still some last minute issues with MobileSubstrate and comex’s kernel patches that are being fixed.  We’ll tweet and post a blog update when it’s all available (we hate to give ETAs, but barring any unforeseen problems, probably later today).&lt;/strike&gt;  It happens “now”…see Update #1.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;In the meantime, please make sure you have your 4.1 SHSH blobs&lt;/strong&gt; for all your devices.  These will be important even for firmware beyond 4.1 (using both comex’s method and our alternative, depending on how each of them turns out.)&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;ultrasn0w unlock:&lt;/strong&gt;  After redsn0w is officially released with the new Cydia and kernel patches, we’ll be able to assess the unlock situation.  It’s already looking very promising though, so expect the unlock for the 3G and 3GS to be coming this week.  The i4 unlock is taking more effort though, and no further concrete info is available about that yet.&lt;/p&gt;
&lt;p&gt;Feel free to ask questions in our comments section below, where we’ve got some awesome new additional moderators —&lt;strong&gt; sherif_hashim, dhlizard, and Frank55&lt;/strong&gt;!&lt;/p&gt;
&lt;hr&gt;&lt;p&gt;&lt;strong&gt;Update #1:  &lt;/strong&gt;redsn0w version 0.9.6b6 is now available for your 4.2.1 jailbreaking pleasure.  Please read all the above to understand what this jailbreak currently entails.&lt;/p&gt;
&lt;hr&gt;&lt;p&gt;&lt;strong&gt;Update #2&lt;/strong&gt;:  The notion of a “tethered” jailbreak is pretty new to many people, so here’s a quick rundown on what to expect:&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;If you’re on an iPhone3G, old-bootrom iPhone3GS, or non-MC ipt2g, life is easy. redsn0w installed an untethered jailbreak and so nothing below applies.&lt;/li&gt;
&lt;li&gt;“Tethered” does &lt;strong&gt;not&lt;/strong&gt; mean you cannot boot at all without PC/Mac assistance.  &lt;strong&gt;If you have not installed any tweaks that hook into important programs like SpringBoard or CommCenter, your device will actually boot.&lt;/strong&gt;  However, jailbreak programs like Cydia won’t work (and Cydia may still have a white icon).  Also, certain built-in apps that had to be moved by Cydia will fail (Safari being the most noticeable example).&lt;/li&gt;
&lt;li&gt;If you’ve installed MobileSubstrate tweaks that hook into SpringBoard or other important programs, your boot will actually fail (you’ll get stuck at the Apple logo).  You need to use redsn0w to “Just boot tethered right now”.&lt;/li&gt;
&lt;/ol&gt;&lt;p&gt;Remember, @comex is working on a way to untether the 4.2.1 jailbreak.  Meanwhile, the above 3 points hopefully will make it all seem less confusing :)&lt;/p&gt;
&lt;hr&gt;&lt;p&gt;&lt;strong&gt;Update #3:  &lt;/strong&gt;We’ve updated redsn0w to include “one-click” support for those of you running the tethered 4.2.1 jailbreak.  &lt;strong&gt;Using command-line arguments, you can now bypass the screens you’d normally see&lt;/strong&gt; as you use redsn0w to “Just boot tethered for now”.&lt;/p&gt;
&lt;p&gt;The available command line arguments are:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;-j to ask redsn0w to “Just boot tethered right now” &lt;br/&gt;-i &amp;lt;filename&amp;gt; to specify your reference IPSW &lt;br/&gt;-o for old-bootrom iPod touch 2G and iPhone 3GS &lt;br/&gt;-b &amp;lt;filename&amp;gt; to specify your own boot logo png&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;For example, to get redsn0w for Mac to do a tethered boot of an iPod touch 4G jailbroken at 4.2.1:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;open ~/Desktop/redsn0w.app --args -j -i ~/Desktop/iPod4,1_4.2.1_8C148_Restore.ipsw&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;This assumes both redsn0w and the IPSW are on your OS X desktop, so modify as necessary!  &lt;strong&gt;Included in the zip is an example script file that you can double click on to launch redsn0w like this (the Windows example assumes everything is in C:\).&lt;/strong&gt;  (Mac users: please remember to change the permissions of your custom *.command files to allow execution.)&lt;/p&gt;
&lt;p&gt;This should help ease the pain of the tethered jailbreak until @comex comes up with a 4.2.1 untether (or for those of you with legit access to the 4.2b3 IPSW, until the “Jailbreak Monte” untether is out of beta)!&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;em&gt;&lt;strong&gt;PLEASE UPGRADE TO iTunes 10.1 FOR BEST RESULTS&lt;/strong&gt;&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;&lt;strong&gt;WINDOWS 7 USERS SHOULD RUN redsn0w IN “XP COMPATIBILITY” MODE&lt;/strong&gt;&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;&lt;strong&gt;Make sure you’re using a USB 2.0 port&lt;/strong&gt;&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_mac_0.9.6rc8.zip?attredirects=0&amp;d=1" target="_blank"&gt;OS X&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_win_0.9.6rc8.zip?attredirects=0&amp;d=1" target="_blank"&gt;Windows&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description><link>http://blog.iphone-dev.org/post/1652053923</link><guid>http://blog.iphone-dev.org/post/1652053923</guid><pubDate>Tue, 23 Nov 2010 01:48:00 +0300</pubDate><category>redsn0w</category></item><item><title>redsn0w+limera1n fun</title><description>&lt;p&gt;It looks like geohot’s recent limera1n exploit for iPhone3GS/iPhone4/iPad/ipt3g/ipt4g/atv2g will be very beneficial to jailbreakers and unlockers for the next few months (at least).  geohot’s limera1n program and the alternative greenpois0n program both use his same exploit (although greenpois0n refuses to tell you that, FWIW), and hopefully SHAtter can be saved for some later device.&lt;/p&gt;
&lt;p&gt;In the meantime, we’ve also incorporated the limera1n exploit into redsn0w.  But we’ve added a few extras:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;custom bootlogos for iPhone3G/iPhone3GS/iPod2G users (with qualifying bootroms)&lt;/li&gt;
&lt;li&gt;an option that implements the “DFU” button in PwnageTool.  This button (which you can use from Windows) lets you prepare your device for a custom DFU.  Even if you’re purely a Windows user, you can get a trusted friend to run PwnageTool over your IPSW to create a custom IPSW.  You can now install that custom IPSW on your own Windows box, after you run this redsn0w version.&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;This latest redsn0w is available at:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;strike&gt;OS X&lt;/strike&gt;  (See &lt;a href="http://blog.iphone-dev.org/post/1652053923/thanksgiving-with-apple" target="_blank"&gt;our latest redsn0w post&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strike&gt;Windows&lt;/strike&gt; (See &lt;a href="http://blog.iphone-dev.org/post/1652053923/thanksgiving-with-apple" target="_blank"&gt;our latest redsn0w post&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;For Windows users who have run redsn0w and chosen “Just enter pwned DFU mode right now”, your device is now completely vulnerable.  Run iTunes and select a custom IPSW from PwnageTool (choose it by pressing Shift+Restore), and you’ve now convinced your device and iTunes to restore to a custom firmware.  Congratulations!&lt;/p&gt;
&lt;p&gt;If you are timid about software and running these programs…please just wait!  Don’t jeopardize your carrier unlock for a firmware upgrade.  Wait for even easier methods than this latest redsn0w release. &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Update #1: &lt;/strong&gt; Today Apple released to developers the GM seed for 4.2.  Tinkerers will find that yesterday’s redsn0w jailbreaks today’s 4.2 GM seed, simply by pointing redsn0w at the 4.1 IPSW (rather than the 4.2 one).   &lt;strong&gt;Right now it mostly only makes sense for JB app developers to do that&lt;/strong&gt; because many apps (including Cydia itself) need to be updated for 4.2.  However, if all you want to do is enable afc2 (to use iFunBox or other file browsers), or to tweak settings like Battery % and Homescreen wallpapers, then go for it (if you have valid paid access to the GM seed).  Be sure to uncheck the Cydia box, though!  &lt;strong&gt;Ultrasn0w unlockers should stay very far away from this!!&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Update #2&lt;/strong&gt;:  By all accounts, we’re within a few days of Apple’s official public release of Firmware 4.2.  Here’s what you need to know:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;Thanks to geohot’s limera1n exploit, and our original pwnage2 exploit, and @pod2g’s ipod2g-MC exploit, absolutely &lt;strong&gt;all&lt;/strong&gt; devices at &lt;strong&gt;all&lt;/strong&gt; iOS firmware versions are capable of being jailbroken.&lt;/li&gt;
&lt;li&gt;The &lt;em&gt;untethered&lt;/em&gt; jailbreak of those very latest FWs and latest devices depends on @comex’s hacks.  His hacks so far extend only to 4.1 and 4.2beta3.  He’s working on a way to extend it to 4.2 and beyond.  Just wait for him to work out his method.&lt;/li&gt;
&lt;li&gt;iPhone 3G and 3GS unlockers &lt;strong&gt;will&lt;/strong&gt; be covered by our upcoming unlock.  Stay away from any updates to Apple FW until our official release and you’ll be okay.  Just stay away from all Apple IPSWs :)&lt;/li&gt;
&lt;li&gt;iPhone4 unlockers are not left out in the cold.  @sherif_hashim has found some very promising avenues to pursue.  Those will be explored as soon as possible after all the 4.2 madness.&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;What does this mean to you?&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;If you’re an unlocker, just stay where you are.  &lt;strong&gt;Please, just stay where you are.&lt;/strong&gt;  Any mistakes you make now may be permanent. &lt;/li&gt;
&lt;li&gt;If you only care about the jailbreak and you’re absolutely sure you have your personalized 4.1 SHSH hashes, feel free to experiment but keep in mind that any mistakes you make may result in your losing pictures or notes or bookmarks that you’d rather keep.  Honestly unless you love living on the bleeding edge, it’s better to just wait for official updates from Cydia/redsn0w/PwnageTool.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Don’t buy or donate to any unlock or jailbreak scammers&lt;/strong&gt;.  Every legitimate solution you will find for unlocks or jailbreaks will be offered without an extended hand.  &lt;strong&gt;That’s how the iPhone jailbreak/unlock community has succeeded.  It’s about freedom to do what you want with your $300 device —  not about donations, egos, tweets, or “interviews.”&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Update #3:   &lt;/strong&gt;&lt;em&gt;(Warning: if you use the ultrasn0w unlock, please read no further…this doesn’t apply to you yet!) &lt;/em&gt;We’ve made some updates to redsn0w to make it easier for jailbreak developers (and tinkerers) to get their programs ready for 4.2.1.  As noted above, the public version of Cydia (and MobileSubstrate too!) is not 4.2.1-compatible.  redsn0w will now let you install your own custom bundles independent of Cydia (the bundle can actually &lt;strong&gt;be&lt;/strong&gt; Cydia if you’ve compiled it on your own).  These bundles can be up to 15MB in size, and should be in the form of a gzip-compressed tar file.  &lt;/p&gt;
&lt;p&gt;The new redsn0w 0.9.6b3 is available at:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;strike&gt;OS X&lt;/strike&gt;  (See &lt;a href="http://blog.iphone-dev.org/post/1652053923/thanksgiving-with-apple" target="_blank"&gt;our latest redsn0w post&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strike&gt;Windows&lt;/strike&gt; (See &lt;a href="http://blog.iphone-dev.org/post/1652053923/thanksgiving-with-apple" target="_blank"&gt;our latest redsn0w post&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;It’s very important that you get the file permissions and ownerships right in your custom redsn0w bundles.  To give you a practical example of such a bundle, here’s one that includes OpenSSH, OpenSSL, and the basic apt installer programs:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="http://sites.google.com/a/iphone-dev.com/files/home/SSH2_bundle.tgz?attredirects=0&amp;d=1" target="_blank"&gt;SSH bundle v2&lt;/a&gt; &lt;em&gt;(update: v2 has fixed permissions..you can just drop this one right in even if you installed the first version)&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;redsn0w has also been updated to recognize the 4.2.1GM IPSWs.  *However*, as noted above, the 4.2.x jailbreak is not yet untethered for most devices!  &lt;strong&gt;That means until someone like @comex comes up with a way to untether it, you must use redsn0w (or a similar utility) to boot your device into a jailbroken 4.2.1 state.  &lt;/strong&gt; (The only exceptions to this are the iPhone3G, non-MC iPod touch 2G, and old-bootrom iPhone3GS.  redsn0w will jailbreak those untethered!)&lt;/p&gt;
&lt;p&gt;With the above redsn0w and SSH bundle, jailbreak developers and tinkerers can jailbreak and SSH into their 4.2.1 devices, provided they’ve done a tethered boot (using redsn0w’s “Just boot tethered right now” option).&lt;/p&gt;
&lt;p&gt;Note:  The Cydia that’s included in 0.9.6b3 is the same one as in 0.9.6b2, and so it will *not* work on 4.2.1.  &lt;strong&gt;Don’t try installing it on 4.2.1!  Instead, use the SSH bundle, or compile Cydia on your own.&lt;/strong&gt;  If you’re familiar with the apt utilities, you can use “apt-get” to install many programs from the command line.  Be sure to do “apt-get update” first to refresh your sources!&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;PLEASE CONSIDER THIS AN ADVANCED TOPIC!!  &lt;/em&gt;&lt;/strong&gt;It’s not meant for the masses because it involves rather nerdy things like command lines and tar files.  But for those who know how to use this new redsn0w feature, have fun!&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/1452044444</link><guid>http://blog.iphone-dev.org/post/1452044444</guid><pubDate>Mon, 01 Nov 2010 11:35:00 +0300</pubDate><category>redsn0w</category></item><item><title>20102010 event</title><description>&lt;p&gt;We’re pleased to release PwnageTool&lt;strike&gt; 4.1&lt;/strike&gt; 4.1.2 for Mac OS X (free of charge, blog ads, and donation requests — as always!).  &lt;strong&gt;Today’s big new addition to the jailbreak family is AppleTV 2G&lt;/strong&gt;, which was &lt;a href="http://is.gd/g9OdB" target="_blank"&gt;first shown jailbroken in its release week!&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[Update: Version 4.1.2 should fix any issues that OS X 10.5.x users were seeing.  You only need to run this version if you’re at OS X 10.5.x and were seeing Cydia errors]&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;ULTRASN0W UNLOCKERS BEWARE!!  &lt;/strong&gt;&lt;/em&gt;&lt;span&gt;The biggest mistake you can make (and it is a big one!) is letting iTunes restore to the official IPSW — you’ll lose the unlock and won’t be able to go back!  You &lt;em&gt;&lt;strong&gt;must use Option-Restore&lt;/strong&gt;&lt;/em&gt;, not just the Restore button by itself.  Then navigate to your custom IPSW — not to the stock one!  If you accidentally started a restore to the official IPSW, unplug your iPhone immediately before the restore gets to the “Updating Firmware” step!&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;Through a combination of the recently released geohot &lt;a href="http://blog.iphone-dev.org/post/1280823486/limera1n-surprise" target="_blank"&gt;limera1n exploit&lt;/a&gt; , &lt;a href="http://twitter.com/comex" target="_blank"&gt;@comex’s&lt;/a&gt; recently released pf kernel exploit, and our original pwnage2 exploit, PwnageTool &lt;strike&gt;4.1&lt;/strike&gt; 4.1.2 works untethered on these devices at firmware 4.1:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;AppleTV 2G&lt;/li&gt;
&lt;li&gt;iPad (firmware 3.2.2)&lt;/li&gt;
&lt;li&gt;iPod touch 4G&lt;/li&gt;
&lt;li&gt;iPod touch 3G&lt;/li&gt;
&lt;li&gt;iPhone4&lt;/li&gt;
&lt;li&gt;iPhone 3GS&lt;/li&gt;
&lt;li&gt;iPhone 3G&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;PwnageTool allows you to restore to a custom IPSW file.  For instance, &lt;strong&gt;you can restore to a pre-jailbroken firmware while simultaneously maintaining your current baseband (and thus your ultrasn0w carrier unlock)&lt;/strong&gt;.  You can also add whatever packages you want in the “Expert” mode of PwnageTool, if you wish to pre-install Cydia packages.   iPhone 3G users get the additional benefit of selecting their own boot and recovery logos, and features like multitasking and battery charge percentage.&lt;/p&gt;
&lt;p&gt;PwnageTool’s main advantage over ramdisk-based methods (limera1n, greenpois0n, redsn0w) is for unlockers — those that need to keep their current baseband and preserve their ultrasn0w unlock.  But in this new age of both bootrom- and userland-based exploits, it’s an excellent platform for continuing the jailbreak through all future firmwares.  More on this later!  In the meantime, please enjoy this free software and please provide any usage feedback in our comment section below.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;AppleTV 2G users&lt;/strong&gt;:  Welcome to the JB family!  Right now, about all you can do is command-line stuff via ssh.  You also have afc2 available, so you can use tools like ifunbox to move files around.  These are the *very* early days of AppleTV 2G jailbreaking, so it’ll take some time for JB app developers to come up with methods to use your AppleTV 2G from the remote, versus the command line.  PS: Your ssh password is “alpine”…please change it when you can :)&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Expert mode: &lt;/strong&gt;By popular demand, the IPSW file selection in Expert mode is now completely manual (doesn’t use Spotlight).  Just pick your IPSW file directly instead of waiting for the Spotlight search to complete.  &lt;strong&gt;In Expert mode, the default is to hacktivate &lt;/strong&gt;(“Activate the iPhone”), so if you have a legit SIM card be sure to deselect that option in Expert mode.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;DFU button&lt;/strong&gt;:  That “DFU” button in PwnageTool is more than it looks like.  It guides you through the DFU process, but then also runs the appropriate exploit to convince your device and iTunes that all is legit.   The DFU button in PwnageTool is not just your average DFU.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Official Bittorrent Releases&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;PwnageTool 4.1.2 Torrent  - &lt;a href="http://torrents.thepiratebay.org/5904259/PwnageTool_4.1.2.dmg.5904259.TPB.torrent" target="_blank"&gt;PwnageTool_4.1.2.dmg.5904259.TPB.torrent&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;SHA1 Sum = 1c0d5ea45464e336fcb38c644dc125c3a16b5493&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Unofficial Mirrors&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The following links are unofficial download mirrors; you download these archives at your own risk. We accept no responsibility if your computer explodes, or if it becomes part of a NASA attacking botnet, or even worse if your hands fall off mid-way during the use of these files. We do not check these links and we accept no responsibility with regard to the validity of the files, the other content that these links may provide or with the content that is on the third-party linked site.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;Always check the files that you have downloaded against our published SHA1 hash.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Mirror owners should email &lt;em&gt;direct dmg download links only &lt;/em&gt;(no rapidshare type sites please) to &lt;strong&gt;blog@iphone-dev.org&lt;/strong&gt; — please don’t place mirrors in the comments as they will be deleted.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="http://iphoneroot.com/download/PwnageTool_4.1.2.dmg" target="_blank"&gt;http://iphoneroot.com/download/PwnageTool_4.1.2.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://download.touch-time.eu/PwnageTool_4.1.2.dmg" target="_blank"&gt;http://download.touch-time.eu/PwnageTool_4.1.2.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.kuru.at/PwnageTool_4.1.2.dmg" target="_blank"&gt;http://www.kuru.at/PwnageTool_4.1.2.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.kuruptor.com/PwnageTool_4.1.2.dmg" target="_blank"&gt;http://www.kuruptor.com/PwnageTool_4.1.2.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://gumballtech.com/files/PwnageTool_4.1.2.dmg" target="_blank"&gt;http://gumballtech.com/files/PwnageTool_4.1.2.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://zcr.me/f/PwnageTool_4.1.2.dmg" target="_blank"&gt;http://zcr.me/f/PwnageTool_4.1.2.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://download.sourcekills.com/files/devteam/PwnageTool_4.1.2.dmg" target="_blank"&gt;http://download.sourcekills.com/files/devteam/PwnageTool_4.1.2.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://public.stuff.hu/pwnagetool/PwnageTool_4.1.2.dmg" target="_blank"&gt;http://public.stuff.hu/pwnagetool/PwnageTool_4.1.2.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://flyhq.net/PwnageTool_4.1.2.dmg" target="_blank"&gt;http://flyhq.net/PwnageTool_4.1.2.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.d4sys.com/download/PwnageTool_4.1.2.dmg" target="_blank"&gt;http://www.d4sys.com/download/PwnageTool_4.1.2.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://chronzz.com/dl/PwnageTool_4.1.2.dmg" target="_blank"&gt;http://chronzz.com/dl/PwnageTool_4.1.2.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://theplacefordee.com/PwnageTool_4.1.2.dmg" target="_blank"&gt;http://theplacefordee.com/PwnageTool_4.1.2.dmg&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.project-cestlavie.de/PwnageTool_4.1.2.dmg" target="_blank"&gt;http://www.project-cestlavie.de/PwnageTool_4.1.2.dmg&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description><link>http://blog.iphone-dev.org/post/1359246784</link><guid>http://blog.iphone-dev.org/post/1359246784</guid><pubDate>Wed, 20 Oct 2010 19:32:00 +0400</pubDate><category>PwnageTool</category></item><item><title>Limera1n surprise</title><description>&lt;p&gt;After a few very dramatic days in the jailbreak community, geohot has come out of nowhere to release &lt;a href="http://limera1n.com/" target="_blank"&gt;limera1n&lt;/a&gt;.  It’s a bootrom-level jailbreak that works on the iPhone3GS, iPhone4, iPod touch 3G, iPod touch 4G, the iPad, and (technically) the AppleTV 2G.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;DO NOT USE LIMERA1N IF YOU USE THE ULTRASN0W CARRIER UNLOCK — wait for PwnageTool to incorporate the limera1n exploit.&lt;/strong&gt;  This is so that you can avoid updating your baseband and losing the unlock (possibly forever).&lt;/p&gt;
&lt;p&gt;Limera1n uses a different exploit than SHAtter, and in fact covers more devices.  Although some may question geohot’s dramatic and competitive style, he obviously does have considerable skill pulling this together in just over a day (although he’s had the underlying exploit for months).  Credit also goes to @comex, who provides the untethered aspect of limera1n via another one of his growing list of kernel hacks.&lt;/p&gt;
&lt;p&gt;The release of limera1n has (thankfully!) averted the burning of 2 bootrom holes at once (both his and SHAtter). Releasing &lt;a href="http://blog.iphone-dev.org/post/1197198297/shattered-ipod-touch-4g" target="_blank"&gt;SHAtter&lt;/a&gt; now would be a complete waste of a perfectly good bootrom hole in light of limera1n, and so it can be held until Apple closes limera1n’s hole.  While there’s no guarantee that Apple won’t also close SHAtter by then, it provides a ray of hope for devices after Apple’s bootrom respin.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Update #1: &lt;/strong&gt;Because the “untethered” part of this jailbreak comes from a userland hack from @comex, &lt;strong&gt;you should still back up your SHSH hashes for 4.1&lt;/strong&gt;.  Do this by either letting Cydia keep them (“make my life easier”), or using Tiny Umbrella.   This way you can always come back to an untethered, jailbreakable 4.1 on your devices after Apple has closed their 4.1 signing window (they’ll close the 4.1 window once they push out their next firmware version). If you fail to do this and ever need to restore to 4.1 again, you can still jailbreak but it will be a tethered JB (you’ll need to connect to your computer to finish the booting process, each and every time).&lt;/p&gt;
&lt;p&gt;And remember: &lt;strong&gt;you can back up your 4.1 SHSH hashes without even being at 4.1 or even being jailbroken&lt;/strong&gt;, by using Tiny Umbrella.&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/1280823486</link><guid>http://blog.iphone-dev.org/post/1280823486</guid><pubDate>Sun, 10 Oct 2010 07:55:00 +0400</pubDate></item><item><title>SHAttered iPod touch 4G</title><description>&lt;p&gt;Those of you with Apple’s new iPod touch 4G, or those of you who bought another recent device after the jailbreakme.com exploit was closed, have probably heard about a brand new exploit called SHAtter.  The exploit (and payload) was &lt;a href="http://twitter.com/pod2g/status/23932796062" target="_blank"&gt;developed by @pod2g&lt;/a&gt; a few months after @p0sixninja of the Chronic Dev Team discovered the crash.  That team is hard at work bringing you a brand new tool to make use of the exploit.  It’s not the sort of thing that can be developed overnight so please be patient while waiting for &lt;a href="http://twitter.com/chronicdevteam" target="_blank"&gt;any announcements from them&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;In the meantime, we’ve put @pod2g’s exploit into a beta version of PwnageTool to test the waters.  The SHAtter exploit was enough to convince the iPod touch 4G to restore to our custom IPSW.  The successful result is shown below!  It’s all working: customized Preferences to show battery percentage, Cydia, root shell…the works!&lt;/p&gt;
&lt;p&gt;
&lt;object height="385" width="640"&gt;
&lt;param value="http://www.youtube.com/v/aoX1Q8ym2J8?fs=1&amp;hl=en_US&amp;rel=0" name="movie"&gt;&lt;param value="true" name="allowFullScreen"&gt;&lt;param value="always" name="allowscriptaccess"&gt;&lt;embed height="385" width="640" allowfullscreen="true" allowscriptaccess="always" type="application/x-shockwave-flash" src="http://www.youtube.com/v/aoX1Q8ym2J8?fs=1&amp;hl=en_US&amp;rel=0"&gt;&lt;/embed&gt;&lt;/object&gt;
&lt;/p&gt;
&lt;p&gt;Although PwnageTool was a useful first test of a full iPod 4G jailbreak via SHAtter, it’s really overkill compared to the faster tools being developed.  Its main use in PwnageTool will be for those with iPhone4’s, to allow updates while preserving the baseband and ultrasn0w carrier unlock.  In any event, this is another exciting time for iPhone and iPod touch users…the cat and mouse game continues!&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;UPDATE #1: &lt;/strong&gt; It’s looking like SHAtter is going to be the gift that keeps on giving.  Even though the new AppleTV isn’t yet in people’s homes, the firmware is available on Apple’s normal public distribution servers and SHAtter has been used to decrypt its keys!  The main filesystem (“Mojave8M89.K66OS”) key for 018-8609-066.dmg is:&lt;/p&gt;
&lt;p&gt;31c700a852f1877c88efc05bc5c63e8c7f081c4cb28d024ed7f9b0dbc98c7e1406e499c6&lt;/p&gt;
&lt;p&gt;If you’re familiar with vfdecrypt, you can use that key to decrypt the image and mount it.  If you do so, feel free to use the comments section to discuss what you discover there :)  (And of course, thanks @pod2g!)&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;UPDATE #2:  &lt;/strong&gt;It’s confirmed…SHAtter can trick Apple’s new AppleTV 2G into restoring to a pre-jailbroken IPSW from PwnageTool too!   Literally the only UI application on the ATV is Lowtide.app, but now the window is open for jailbroken apps of all varieties.  (Just like the early iPhone days, the &lt;strong&gt;only&lt;/strong&gt; apps you’ll see on the AppleTV will be jailbroken ones).  In the meantime, here’s a video showing root access (via ssh) into Apple’s new product.&lt;/p&gt;
&lt;p&gt;
&lt;object width="640" height="385"&gt;
&lt;param name="movie" value="http://www.youtube.com/v/adVp-IxcDHI?fs=1&amp;hl=en_US&amp;rel=0"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/adVp-IxcDHI?fs=1&amp;hl=en_US&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"&gt;&lt;/embed&gt;&lt;/object&gt;
&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/1197198297</link><guid>http://blog.iphone-dev.org/post/1197198297</guid><pubDate>Mon, 27 Sep 2010 10:46:00 +0400</pubDate></item><item><title>redsn0wier</title><description>&lt;p&gt;We’ve released a beta version of redsn0w for the iPhone3G and iPod Touch 2G at FW 4.1 or 4.0.  It uses the same pwnage2 DFU-mode exploit that we’ve been using since the 2.x days.  It does not include the SHAtter exploit developed by pod2g.  Nothing new is revealed to Apple with this jailbreak.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;IF YOU USE THE ULTRASN0W UNLOCK, PLEASE WAIT FOR PWNAGETOOL TO SUPPORT 4.1.  DO NOT USE REDSN0W.&lt;/strong&gt;  That’s because to use redsn0w at 4.1, you need to already have updated to official 4.1 from Apple.  If you do that, you lose the ultrasn0w unlock (possibly forever).&lt;/p&gt;
&lt;p&gt;&lt;strike&gt;The Windows version needs further testing, so for now this is available only for Mac OS X x86.  The Windows version will come as soon as the bugs are ironed out.&lt;/strike&gt;&lt;/p&gt;
&lt;p&gt;Note: if you have an “MC” model of the ipt2g, your 4.1 jailbreak will be tethered…sorry!  (Consider rolling back to a FW supported by jailbreakme.com or spiritjb.com)&lt;/p&gt;
&lt;p&gt;===== What devices, platforms, and FW versions are supported? =====&lt;/p&gt;
&lt;p&gt;This BETA release supports:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;iPhone 3G and iPod touch 2G only (for now)&lt;/li&gt;
&lt;li&gt;Mac OS X x86 and Windows only (for now)&lt;/li&gt;
&lt;li&gt;4.1 or 4.0 firmware from Apple&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;                                        &lt;img src="http://xs1.iphwn.org/rs096b1.png" width="345" height="372" align="middle"/&gt;&lt;/p&gt;
&lt;p&gt;===== How do I use it? =====&lt;/p&gt;
&lt;p&gt;If you’ve already updated your device to 4.1 or 4.0, the next steps are:&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;Launch the beta redsn0w 0.9.6b1&lt;/li&gt;
&lt;li&gt;Select your stock 4.1 or 4.0 ipsw (you’ve already used this to update your device to 4.1 or  4.0)&lt;/li&gt;
&lt;li&gt;Select “Install Cydia” and any of the other options shown above, then click “Next”.  Use DFU mode to install the jailbreak.&lt;/li&gt;
&lt;/ol&gt;&lt;p&gt;Note: If you choose to “Enable battery percentage”, you actually toggle that off and on via Settings-&gt;General-&gt;Usage.&lt;/p&gt;
&lt;p&gt;===== Download links =====&lt;/p&gt;
&lt;p&gt;Please do not directly link to these URLs because they’ll be changing according to bandwidth demands.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;strike&gt;OS X&lt;/strike&gt;  (See &lt;a href="http://blog.iphone-dev.org/post/1652053923/thanksgiving-with-apple" target="_blank"&gt;our latest redsn0w post&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strike&gt;Windows&lt;/strike&gt; (See &lt;a href="http://blog.iphone-dev.org/post/1652053923/thanksgiving-with-apple" target="_blank"&gt;our latest redsn0w post&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;Update: Any Windows users seeing “Waiting for reboot” for too long (more than 20 seconds or so), please try “shaking” the JB process by unplugging then replugging your USB cable (while letting redsn0w continue to run).  Also, try using a USB port “closer” to your computer (as opposed to on your monitor or behind another hub).  We’re still tweaking the Windows flow and so any feedback you can provide will help!&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/1160213613</link><guid>http://blog.iphone-dev.org/post/1160213613</guid><pubDate>Tue, 21 Sep 2010 10:05:00 +0400</pubDate><category>redsn0w</category></item><item><title>It's a trap!</title><description>&lt;p&gt;Today you’ll likely start seeing iTunes innocently offer you a new version of iOS…version 4.1.  Don’t accept it…it’s a trap!&lt;/p&gt;
&lt;p&gt;
&lt;object width="480" height="385"&gt;
&lt;param name="movie" value="http://www.youtube.com/v/dddAi8FF3F4?fs=1&amp;hl=en_US"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/dddAi8FF3F4?fs=1&amp;hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"&gt;&lt;/embed&gt;&lt;/object&gt;
&lt;/p&gt;
&lt;p&gt;This time of year there are lots of new iPhone owners, and not everybody knows that accepting new iOS updates is the surest way to lose your jailbreak and/or unlock.  While those of you who have Cydia or TinyUmbrella backups of your FW hashes will always be able to get back to 4.0.1 if you make this mistake, this doesn’t hold for unlockers. &lt;strong&gt;There’s currently no known way to revert your baseband — if you update your baseband you’ll lose the ultrasn0w unlock, possibly forever.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Please stay away from this 4.1 release until a safe jailbreak procedure (which also preserves ultrasn0w) is developed and released.&lt;/p&gt;
&lt;p&gt;P.S.  There are a tiny number of iPhone3G owners who can revert their basebands due to a flaw in very early bootloaders…you will already know if you fit in this category!&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/1086032828</link><guid>http://blog.iphone-dev.org/post/1086032828</guid><pubDate>Wed, 08 Sep 2010 15:12:00 +0400</pubDate></item></channel></rss>

