Dev-Team Blog
To find yourself, think for yourself © Socrates 469 BC
The untether rolls on 

Only a few weeks after the 4.3.1 untether created by @i0n1c was released, Apple pushed out firmware 4.3.2. Thankfully, it appears Apple didn’t have a chance to fix the hole used by @i0n1c’s untether, so he ported his code over to 4.3.2’s kernel.  Today’s redsn0w has been updated to include it.

The 4.3.2 untether works on all devices that actually support 4.3.2 except for the iPad2:

  • iPhone3GS
  • iPhone4 (GSM)  
  • iPod touch 3G
  • iPod touch 4G
  • iPad1

redsn0w 0.9.6rc14:

As always, ultrasn0w unlockers should stay away from redsn0w and only update their firmware through a custom IPSW.   See update #3 below.

For any questions or problems, please use our comments section below with our ever-helpful moderators Confucious, sherif_hashim, dhlizard, Frank55, and subarurider.


Update #1: Until @i0n1c has a chance to fix the i4 version, we’ve removed the i4 untether from redsn0w (making it a tethered-only JB for i4 right now).

Update #2: redsn0w rc14 includes the fixed i4 untether from @i0n1c.  You can re-run redsn0w rc14 right over the tethered rc13b to transform the i4 JB into an untethered one.


Update #3: PwnageTool 4.3.2 now includes the iOS 4.3.2 untether from @i0n1c.  (And look, the PwnageTool and iOS version numbers actually match!).

Note that there’s a corresponding update to ultrasn0w, which has been bumped up to v1.2.2 to get along with iOS 4.3.2 (the ultrasn0w update does not include any new baseband support!).  Please reboot your iPhone using the normal “slide to power off” swipe after installing ultrasn0w 1.2.2.

PwnageTool Official BitTorrent Release

SHA1 Sum = fdf9d7cba7872451bbca1ccae95a82cfefb352e7

Unofficial Mirrors

The following links are unofficial download mirrors, you download these archives at your own risk, we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links and we accept no responsibility with regard to the validity of the files, the other content that these links may provide or with the content that is on the third-party linked site.

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.

Mirror owners should email mirror links to blog@iphone-dev.org. Please ensure that they are direct DMG download links only (no rapidshare-type sites) and that your web server serves the DMG MIME type properly. Please don’t place mirrors in the comments, as they will be deleted.
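The hash check above is the only thing standing between you and a modified DMG from an unofficial mirror, so here is an added example (our editorial addition, not Dev-Team code) of a small POSIX shell script that does it for any of the PwnageTool sums published on this page: it computes the SHA1 of the downloaded file with whichever hashing tool the machine has (sha1sum on Linux, shasum on Mac OS X, openssl as a fallback), then compares it case-insensitively with the published sum. The published sum must be copied from this blog, not from the mirror site, otherwise a tampered mirror could simply publish a matching hash next to a modified file. The script name `verify_dmg.sh` is our own choice, and the self-check uses a constructed six-byte file, not a real DMG.

```shell
#!/bin/sh
# Added example, not part of any Dev-Team release: check a downloaded DMG
# against the SHA1 sum published on the blog before opening it.
# Usage: sh verify_dmg.sh FILE EXPECTED_SHA1   (script name is our own choice)

# sha1_of FILE: print the lowercase hex SHA1 of FILE using whichever
# hashing tool is installed (sha1sum on Linux, shasum on Mac OS X,
# openssl as a last resort).
sha1_of() {
    {
        if command -v sha1sum >/dev/null 2>&1; then
            sha1sum "$1"
        elif command -v shasum >/dev/null 2>&1; then
            shasum -a 1 "$1"
        else
            openssl dgst -sha1 "$1" | sed 's/^.*= *//'
        fi
    } | awk '{ print $1 }' | tr 'A-F' 'a-f'
}

# verify_sha1 FILE EXPECTED: exit status 0 on match, 1 on mismatch,
# 2 if FILE cannot be read or EXPECTED is malformed. The published sum is
# compared case-insensitively, and a 40-hex-digit length is enforced so a
# truncated copy-paste of the hash cannot accidentally "match" anything.
verify_sha1() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        *[!0-9a-f]*) echo "expected hash contains non-hex characters: $2" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 40 ] || { echo "expected hash is not 40 hex digits: $2" >&2; return 2; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file  $actual"
        return 0
    fi
    echo "FAIL $file: computed $actual, published $expected" >&2
    return 1
}

# selfcheck: exercise both outcomes on a constructed file (the six bytes
# "hello\n", whose SHA1 is f572d396fae9206628714fb2ce00f72e94f2258f).
# Returns 0 only if the right sum is accepted and a wrong sum is rejected.
selfcheck() {
    tmp=$(mktemp) || return 2
    printf 'hello\n' > "$tmp"
    rc=0
    verify_sha1 "$tmp" F572D396FAE9206628714FB2CE00F72E94F2258F >/dev/null || rc=1
    if verify_sha1 "$tmp" 0000000000000000000000000000000000000000 2>/dev/null; then
        rc=1   # a wrong hash must never be accepted
    fi
    rm -f "$tmp"
    return $rc
}

# Only act on the command line when two arguments are given, so the
# functions above can also be sourced from another script.
if [ $# -eq 2 ]; then
    verify_sha1 "$1" "$2"
    exit $?
fi
```

Run it as `sh verify_dmg.sh PwnageTool_4.2.dmg af365f5de19d7ee19cbe1c67b2f226996a46b3ac` (that pair is the 4.2 release and its published sum from the post further down). A non-zero exit status means the file should be deleted and re-downloaded, preferably via the official torrent.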

Three years of pwnage(tool) 

Three years ago (almost to the day!), the first version of PwnageTool was released for firmware 1.1.4.  So today we’re excited to release another edition of both PwnageTool and redsn0w to bring an untethered jailbreak for Apple’s latest firmware, FW 4.3.1.

The 4.3.1 untether exploit comes courtesy of Stefan Esser (@i0n1c on twitter), a security researcher based in Germany.  Stefan has a long history of vulnerability research, and ironically his first contribution to the iPhone jailbreak community was improved security — last year he beat Apple to the punch and implemented ASLR for jailbroken iPhones with his “antid0te” framework. We’re happy to see that Stefan then turned his iPhone attention over to an untethered jailbreak exploit!

The 4.3.1 untether works on all devices that actually support 4.3.1 except for the iPad2:

  • iPhone3GS
  • iPhone4 (GSM)
  • iPod touch 3G
  • iPod touch 4G
  • iPad1
  • AppleTV 2G (PwnageTool only for now)

The reason the untether won’t work as-is on the iPad2 is that it requires a bootrom or iBoot-level exploit to install, and the iPad2 is not susceptible to either the limera1n or SHAtter bootrom exploits.

WARNING WARNING — ultrasn0w users don’t update yet!  We need to first release an update to ultrasn0w that fixes some incompatibilities when FW 4.3.1 is used on the older basebands supported by ultrasn0w.  And remember once we do fix ultrasn0w for 4.3.1 (we’ll announce it here and on twitter), you must only get there via a custom IPSW from PwnageTool, Sn0wbreeze or xpwn!  Don’t ever try to restore or update to a stock IPSW, or you’ll lose the unlock!

For everyone else, redsn0w is the easier program to use (and redsn0w runs on both Mac and Windows).  Please check out places like iClarified for some excellent guides on how to use both PwnageTool and redsn0w.

Feel free to ask for help in our comments section.  Thanks once again to our fantastic moderators for volunteering their time and knowledge and keeping order: Confucious, sherif_hashim, dhlizard, Frank55, and subarurider!


redsn0w 0.9.6rc12 (updated from rc9 to rc12; details in Update #1 below):


PwnageTool Official BitTorrent Release

SHA1 Sum = 9e8ce7d4eb79b5f839efa0233893ef1a6a5e3c5c



Update #1:

Those running redsn0w may have noticed we enabled too many Settings options in some versions of the jailbreak (for instance, what you want your side switch to do, even if you have no side switch because you’re not using an iPad).   Release rc12 of redsn0w (which supersedes rc10) corrects that. You can just run it over your existing jailbreak; be sure to de-select Cydia to avoid package conflicts.

Along the way, we’ve also added the option to enable boot animations. These animations can be installed via Cydia, but be sure to select which animation to use via the Settings->Bootlogo setting after you’ve downloaded an animation (and again, you can just run rc12 over your existing jailbreak; be sure to de-select Cydia to avoid package conflicts).

(The boot animation we tested against was “Android Boot Logo”.  It correctly installs all the dependencies needed to run the animation at each boot).

redsn0w 0.9.6rc12 (supersedes rc10; rc12 should fix any lingering issues with the boot animation):


Update #2:

We’ve pushed out the 4.3.1 compatibility fix for ultrasn0w in Cydia — it’s now at version 1.2.1.  If you’re not already at 4.3.1 and you need the unlock, please be sure you understand how to get to 4.3.1 using a custom IPSW that doesn’t update your baseband.  There are lots of guides for this (like at iClarified.com).

This isn’t a new unlock!  It’s to allow those who are already using ultrasn0w to use FW 4.3.1.  It also fixes the signal bar issue for those who aren’t using the unlock but retain an older baseband intentionally.

AFTER INSTALLING ULTRASN0W 1.2.1, PLEASE REBOOT YOUR iPHONE using the normal “slide to power off” swipe.  T-Mobile users in the USA should also disable 3G mode in Settings->General->Network.

A big thanks to @sbingner and @ronaldsb for helping with the testing of this update!

What’s in a name? 

What’s in a name?  Well, in the case of an HFS volume name on iOS, an untether exploit, as the Chronic Dev Team revealed last week with an untether for the 4.2.1 jailbreak (which had been a tethered JB for most recent devices since 4.2.1’s release in November).  With their permission, we’ve incorporated their 4.2.1 “feedface” untether into today’s PwnageTool 4.2.  This means iPhone unlockers can safely restore to a custom, pre-jailbroken 4.2.1 IPSW and retain their current baseband and unlock.  PwnageTool also supports every other 4.2.1 device except the iPod touch 2G:

  • iPhone3G
  • iPhone3GS
  • iPhone4
  • iPhone4-Verizon
  • iPod touch 3G
  • iPod touch 4G
  • iPad
  • AppleTV 2G

PwnageTool also includes two very recent improvements to the 4.2.1 JB:  iBooks was just fixed by @comex and @pushfix last night so that it works as intended on DRMed books, and the wifi problem on AppleTV 2G was fixed by @nitotv, @DHowett, and @saurik.  Both of these fixes will also be available in upcoming Cydia package updates, so if you’re already jailbroken you can wait for those updates rather than restore and jailbreak again.

The various components of the 4.2.1 untether (including a second exploit involving Mach-O headers) were worked out by 0naj, posixninja, and pod2g, and a nice writeup by 0naj is available on the wiki. The actual injection method uses geohot’s limera1n exploit for most devices.  And even though 4.3 is just around the corner, the exploit used has already been closed in the latest 4.3 betas, so it made sense for the 4.2.1 untether to be released when it was.  It also appears that a security researcher named @i0n1c has a 4.3 untether ready for when Apple releases the final 4.3 FW, so it may not be a long wait at all with 4.3!

Feel free to ask for help in our comments section.  And thanks as always to our terrific moderators Confucious, sherif_hashim, dhlizard, Frank55, and subarurider!

Official BitTorrent Release

PwnageTool_4.2.dmg -> PwnageTool_4.2.dmg.6176918.TPB.torrent

SHA1 Sum = af365f5de19d7ee19cbe1c67b2f226996a46b3ac
