How To: jailbreak your iPhone 3GS to iOS 4 with Pwnage Tool 4.0
[Update: I have now also used PwnageTool 4.01 to fix iBooks (which just didn't work properly if you used PwnageTool 4.0 to jailbreak) and have added my instructions near the bottom of the post.]
Early yesterday morning MacStories released an excellent preliminary jailbreak guide which used a modified version of PwnageTool to jailbreak iOS 4. It was very useful, but it used quite a few terms I didn’t quite understand, so I decided to try my hand at a different iOS 4 jailbreak guide.
I started this whole process off on the official iOS 4 release on my iPhone 3GS and although I am going to outline all the steps I took after the jump. Here are the necessary links and info for the guide (make sure to unzip files the files to your desktop or a special folder so you have everything in one place):
- a Mac — that’s what I used, and PwnageTool is Mac-only for now
- SHSH blobs for 3.1.2 on Cydia servers to downgrade your firmware
- iOS 3.1.2 and 4.0 .ipsw files for iPhone 3GS
- RedSn0w 0.9.4 to help you jailbreak 3.1.2 (Spirit won’t work for this)
- PwnageTool 4.01 to help you create a custom jailbroken 4.0 .ipsw (firmware restore file)
- an iPhone 3GS with the “old” bootrom (iBoot: 359.3)
- iRecovery to help you downgrade to 3.1.2
If any of those terms confuse you, don’t worry. I’ve tried to explain and provide links to the guides I used after the jump. This is not a carrier unlock guide, but you should be alright if you need one, now that ultrasn0w 0.93 has been updated for every baseband from iOS 3.0 to iOS 4.0.
Disclaimer
First of all, no one here at Just Another iPhone Blog takes any responsibility for any damage these steps may cause. If you run into a problem we can try and help in the comments, but that’s the extent of it. iOS is pretty darn durable and I’ve gotten my iPhone out of a bricked state plenty of times, but this is really just my personal experience being shared as a guide to help others. There are many others like this guide, but you’ve got to be careful to follow the steps carefully.
Before Attempting
Make sure your SHSH blobs for 3.1.2 or 3.1.3 were saved to Saurik’s server. You can confirm this on your currently jailbroken device by loading up Cydia and checking for the text right at the top. It should look something like this picture:
If you’d like to understand the full process behind this, see this article from iPhoneinCanada about why this is so important.
You will also need to make sure you have the right Bootrom (a.k.a. iBoot). The newer generation of iPhone 3GS was released with a bootrom that is incompatible with PwnageTool 4.0 (or 4.01, which fixes an iTunes account issue with iBooks), and this new bootrom is also what makes it necessary to use a tethered jailbreak (jailbreak lost after every reboot, ex. Blackra1n RC2 for new 3GS ), instead of an untethered one (ex. Spirit — though this won’t work with my guide).
To make a long story short, your Bootrom has to be 359.3 for this guide to work. If there are more numbers after the 3, then your iPhone has the new bootrom and you’re out of luck — at least at the time of writing. If you don’t know your iBoot, put your iPhone into DFU mode:
hold sleep + home for 10 seconds exactly release sleep, but continue to hold home until iTunes pings you screen should simply stay blank, but device should be recognized by iTunes
Once you’re in DFU mode, here’s a modified excerpt from commenter sand0s on the Dev-Team Blog comments (couldn’t find a way to link to this):
on a mac (from memory)
click on the apple on the upper left of the screen, then click on system information.
in that display click on more information.
in the system profiler click on USB devices under hardware.
look for something like “apple device in DFU” and click on it or expand it.
there you should find the info [iBoot-359.3 is what you want to see].
Downgrading to 3.1.2 and then jailbreaking it with RedSn0w
As I mentioned earlier, I started out with an iPhone 3GS on the official release of iOS 4. However, all that really matters is that you’re able to downgrade. I chose to go all the way back to 3.1.2 because I figured it would be the easiest to jailbreak.
- Put your iPhone into DFU mode
- Make sure you’ve edited your Mac’s private/etc/hosts file to talk to Saurik’s servers. This is where we take advantage of those SHSH blobs you stored with Cydia.
I used this guide at Decoding the Web to help me find and edit the hosts file so that I could add this line to the bottom:
74.208.105.171 gs.apple.com - Alt/Option-click the Restore button within iTunes and choose the stock 3.1.2 firmware (iPhone2,1_3.1.2_7D11_Restore)
- iTunes should complete the install, but then give you an 1015 or 1016 error, and you’ll see the recovery screen on iTunes (a USB cable leading into the iTunes icon). That’s fine — just load up Terminal and drag the iRecovery icon from Finder into Terminal and then add “-S” to the end of the line. I kept my iRecovery file in Applications, so the line looked like this in Terminal:
/Applications/iRecovery -s
- Press enter, and then a bunch of text will appear on-screen. You should then add these lines from Brandon’s 4.0 downgrade post, but make sure you press enter after typing each one out:
setenv auto-boot true saveenv /exit
- After this you simply reboot your iPhone by holding sleep + home until you see the Apple logo. This should boot you right into the stock version of iOS 3.1.2.
Now you have to jailbreak the 3GS using RedSn0w, so make sure you’re connected over USB. I also loaded iTunes, just to be safe. The process is pretty self-explanatory (iClarified RedSn0w 3.1.2 for 3GS guide here if you need it), but it will ask you if you have the newer iPhone 3GS model. If you’ve read this far then you should have confirmed that you do have the older 359.3 bootrom, and the serial number trick mentioned here is just another way of verifying that. Click on No.
- Redsn0w will do its thing and you’ll reboot to a jailbroken version of 3.1.2. I loaded up Cydia just to appease the voodoo gods, but you probably don’t have to.
Jailbreaking iOS 4 with PwnageTool
Now that you’re on a 3.1.2 firmware that has not been jailbroken with Spirit (which is incompatible with PwnageTool), it’s time to prepare your jailbroken iOS 4 firmware.
- Load up PwnageTool 4, select the iPhone 3GS, and let the software automatically find the official iOS 4.0 firmware (iPhone2,1_4.0_8A293) you downloaded. I did everything in Simple Mode and it worked out fine, but, as usual, there’s an iClarified iOS 4 jailbreak guide to take you through Expert Mode if you’d like to try it out.What PwnageTool will do is create a custom .ipsw (firmware) file that you can then load onto the iPhone through iTunes. Just wait until the whole process is done and you should find the custom file right on your desktop.
- Now make sure iTunes is on and the iPhone is plugged in before you put the device into recovery mode:
- Once your iPhone pops up in iTunes as a device in Recovery Mode, it’s time to alt/option-click on Restore and point to the custom iOS 4 firmware you made with PwnageTool.
- Wait a bit and then celebrate when you see the pineapple of Pwnage pop up on your screen. Your iPhone will reboot and you’ll be jailbroken. It will still be a little while before all of your favourite apps and utilities are iOS 4 compatible, though.
hold sleep + home until screen goes out
release sleep, but continue holding home until iTunes pings you
screen should simply stay blank, but device should be recognized by iTunesFixing your PwnageTool 4.0 jailbreak (w/ broken iBooks) with a new firmware made by PwnageTool 4.01
Ignore this section if you used PwnageTool 4.01.
This is pretty simple stuff, but I thought I’d put it in writing, anyway. If you’re aching to try iBooks out on your fresh PwnageTool 4.0 install, you’ll have to do one more restore.
- Back up your device to iTunes
- create a new iOS 4 custom firmware using PwnageTool 4.01
- set your device to Recovery Mode
- alt/option-click Restore in iTunes and select your newly made firmware
- Finish the install and enjoy iBooks
You shouldn’t encounter any problems during this installation, but if you do, make sure you disable Wi-Fi Sync if you have it installed (also mentioned in Misc Notes below)
Miscellaneous Notes
Recovery Mode in iTunes
- I’m sorry Internet. I forgot where I read this, but just know that it wasn’t my discovery: iTunes doesn’t show a difference between an iPhone in Recovery and an iPhone in DFU. That’s why I posted that comment above, which shows you how to check the mode using Mac OSX’s System Profiler.
Serial Number
- A more indirect way of finding out your iBoot version is to check your serial number. Navigate to Settings -> General -> About on your iPhone and check the fourth and fifth digits of your Serial Number. These digits represent the production week, and if the number is below 40, you’re safe. Anything above and it’s no longer a sure shot, so I recommend you check your iBoot using the method I showed earlier in the guide I got this info from the RedSn0w warning window.
iPhone Backups:
- It’s possible to keep your backups intact through this process, but make sure you don’t sync your iPhone with iTunes until you’ve actually gotten onto the final iOS 4 jailbroken firmware. I accidentally deleted mine during this process. Oops. And by “oops”, I mean “damn it”.
iPhone hanging during a firmware install:
- It’s pretty terrifying to see your iPhone firmware install slow to a crawl and then never, ever move again. It can be even more terrifying to reset after this happens and watch as subsequent installs fail. However, in trying to update my iOS 4 install with a custom firmware from PwnageTool 4.01 (to fix iBooks), I had to reset from a frozen firmware about three or four times. I really don’t recommend you do this, but if you have to, know that at least one other person’s iPhone has come back from similar circumstances. iPhones are pretty brick-resilient.
- The second little note I’d like to add here is to make sure you disable or uninstall the Wi-Fi Sync utility (partner to the Wi-Fi Sync jailbreak app) on your desktop before attempting any firmware install. Something about the Wi-Fi Sync’s desktop partner seems to block firmware installs, so watch out.
And what with iPhones jailbroken with PwnageTool 4.0 not the 4.01?
How to fix the problems with iBooks without going thru the whole setup again?
The easiest way to determine if in DFU vs. Restore mode: DFU = blank screen, Restore = "connect to iTunes" screen. In the case of DFU just follow PwnageTool's onscreen directions at the end. Restore is MUCH easier: just power off phone then hold down home button as you connect to sync cable until you see the "connect to iTunes" screen.
So, if your SHSH blobs were not saved to Saurik’s server, are you out of luck if you've already upgraded to iOS 4?
I believe that is the case, although you may be able to downgrade to the 4.0GM, which can be jailbroken. If you can manage that, use the MacStories guide by Federico Viticci that I linked to right at the top of this post.
Actually, I don't think this is true. I certainly didnt backup any blobs, and I just followed your guide just fine without them, though I did add the server redirection into my hosts file. I think as long as your iBoot is good, then all is happy with the world…
Maybe your blobs were already backed up (simply load up cydia to do this), or you were on the right firmware with the right circumstances to begin with (non-Spirit jailbroken 3.1.2 or 3.1.3).
Just did this for my v1 3GS last night. Went from 3.1.2 to OS4. A few observations:
-Don't select any of the cydia packages that you can add into your custom ispw except the Cydia Installer which is on a separate screen from the others. This caused some errors the first time and I had to re-jailbreak/restore.
-Winterboard will kill the task switching ability.
-The phone seems a little unstable right now, I've had some freezes, primarily Cydia related.
-Besides the caveats noted above, its quick, much quicker than 3.1.2.
-I like the folders, but I really need winterboard to be able to skin the folder icons – they look horrible IMO.
Winterboard still needs to be updated, I believe. It's still not ioS 4 compatible. All I have installed is SBSettings and Wi-Fi Sync.
Sooo, i have a 3gs on iOS4 not jailbroken, never jailbroken, but my serial number is 37, how can i jailbreak and unlock? is it possible yet?
Yep, you can use this guide. Serial numbers under 40, according to the Dev Team notes in redsn0w, are the good ones.
What if it is above 40?
my interpretation of RedSn0w info:
Serial Numbers
<40 = safe
40-45 = iffy (you should probably check the iBoot, instructions are in the guide)
>45 = newer bootrom, you're out of luck for now
Hi Thomas and everyone else. I have a 3Gs with old bootrom still on 3.12 (never bothered to take the 3.13) but it is jailbroken with blackra1n. Do you know whether this is compatible with pwange or does the spirit incompatibility warning apply to blackra1n as well?
Thanks in advance,
I believe that should work out fine. The explicit warnings were about Spirit, and not Blackra1n. That said, there's nothing to stop you from simply re-flashing 3.1.2 and then jailbreaking it with RedSn0w and THEN proceeding with the upgrade. That's the super safe route, since you know it's tested. However, I think you should be fine with using PwnageTool 4.1 and just restoring to jailbroken iOS 4.
Thanks Thomas
Any time — and that should be Pwnage 4.01, btw. Oops.
Good question — I'm guessing that it doesn't. I think iBoot has something to do with hardware and not with software, and that's why it's so hard to jailbreak devices with the newer iBoot. I may check this later on if I flash again, but I'm enjoying a working iPhone right now.
My compliments to you on a very comprehensive and well-written tutorial (the only literate one I have seen/attempted to decipher in MONTHS).
Please clarify:
1) at what point does the /etc/hosts file need to be reverted (by commenting it out, as follows, with a pound sign at the beginning: #74.208.105.171 gs.apple.com), followed by a flushing of the DNS cache, via the following command (in a Terminal.app session)?:
dscacheutil -flushcache
2) My iPhone OS 3.1.2 reversion (from ios 4.0, non-GM, 23JUN10 version) and subsequent jailbreak worked; however, the final step (ios 4 jailbreak via iTunes' DFU mode restoration of PwnageTool 4.01's customi-built IPSW file) FAILED with an Error 1600.
Ideas?
Very kind regards,
-=s/m/s
@Scott M. Shell
thanks for the kind words. As for clarification, I'll do my best:
1) my knowledge of the Terminal is that of a toddler's at best. I read guides liked the ones I linked to, and I follow them once I've confirmed from others that they work. I didn't have to flush my DNS cache with any extra commands. The IP address is still in my /etc/hosts file, and I haven't even commented it out.
2) I'm thinking this may either have to do with the way you restored your phone. I simply put my iPhone into restore mode, and not DFU mode, before upgrading to jailbroken iOS 4. I think that's the error you're encountering, based on my own experience and this quick bit on SimonBlog from 2008:
http://www.simonblog.com/2008/10/07/iphone-jailbreakupgrade-more-on-itunes-1600-error/
I know it's not the same firmware, but it could be worth a shot.
Pingback: How To: Use PwnageTool 4.01 to get iBooks working on jailbroken iOS 4 « Just Another iPhone Blog
If redsn0w crashes on you:
I was really scared when the redsn0w program suddenly crashed during the operation.
Just as fortunately I managed to go on with jailbreaking normally after restarting the program.
If Restore's progress bar hangs on the iPhone screen:
The progress bar on the iPhone screen during the restore process hanged for a too long time, so I decided to try a 'magic trick': I downloaded and run blackra1n and hit the "Make It Run" button and the progress bar on the iPhone's screen began to move again.
If you get error '1600' during restore:
Likely you switched into DCU-mode instead of Recovery Mode. (iTunes talks about Recovery Mode in any case, don't believe it.)
To leave DCU-mode, unplug the USB cable from iPhone and keep the Home button held down during plugging the cable in to enter the Recovery Mode.
I hope these suggestions are for help!
Thank you, Thomas.
I confirm that the following (final) step WORKED (i.e. – NO "error 16xx"):
- from iTunes, put the iPhone into "Restore Mode" (NOT "DFU mode") and option-restore PwnageTool 4.01's custom-built IPSW file)
iHackintosh article: "What is Difference Between Recovery Mode and DFU Mode" is here:
http://www.ihackintosh.com/2009/06/recovery-mode-…
Thanks Scott – and thanks to all the other people who have left some kind words. I wont' respond to all of you, though, since I don't want to clutter up the guide's comments with \”thank you thank you\”. Many of you are posting little extra tips and I'd like for people to get to them easily without wading through all of my gratitude.
Thanks for the wonderful tutorial.
Worked like a charm the first time.
so, iphone 3Gs running iOS 4.0, not jailbroken, has never been jailbroken, its < 40. am i out of luck, or can i do this? it seems like i get a different story in every forum.
Short answer: sorry, you're out of luck for now.
The problem is that your device must be jailbroken before you can to upgrade to a jailbroken custom firmware of iOS 4. There's nothing out right now that can just jailbreak your current firmware installation, so you need to be able to install a jailbroken custom firmware (made by PwnageTool).
You can't do what I did (downgrade to 3.1.2 and then jailbreak that) because you weren't previously jailbroken (which would have provided you with the ability to downgrade to a firmware and then use this guide).
We may see a new jailbreak from Geohotz soon enough, but I wouldn't hold my breath — he has stated on Twitter that he doesn't even have an iPhone 4 to develop with.
hi, please help me
i have tried to follow you steps and managed to make firmware through (PwnageTool 4.0) but when i put my iphone into recovery mode and tried to restored, it shows an error and now i am able to use my iphone if i don't update and restore my phone, please tell me what i have to do.
thank's
I'm afraid that's not nearly enough detail for me to provide an answer. I believe the guide should be more than enough to guide you step-by-step, and if not, the links i've provided within the guide should walk you through any steps that might need extra clarification.
However, if you need to simply back up and get back to a usable iPhone, simply click the restore button in iTunes and you'll be back on iOS 4 stock. If you're running the Wi-Fi Sync utility, make sure it's turned off or uninstalled before restoring.
Thank you for this great guide, which, in a sea of badly ones out there, stands out for being easy to follow, and -for actually working. One small error, I believe (that I think others have already picked up on) is point 2 under "Jailbreaking iOS 4 with Pwnagetool"; Recovery mode is required here, but the instructions describe DFU mode.
thanks Jaap, but actually those are the correct instructions. DFU should not be used for flashing to the PwnageTool'ed version of iOS 4.
The timing difference for Recovery as opposed to DFU is only very slight (a few seconds), but the method is the same (hold home + sleep). The big difference is highlighted in the final line of each set of instructions.
I should never have doubted you – I take it all back!
Great info, i was finally able to get my 3gs into dfu and recovery mode. I have been trying with pawnage to get into dfu but the timing in pawnage is off. However, I keep getting error 1600 in DFU and 1604 in recovery mode. The only thing I can do without an error is allow itunes to do a recovery for me. I have the correct iboot as described in the guide, that was a big help didn't know how to find that before. I cooked the custom firmware in pawnage 4.01, maybe my pot is not cooking right? Any help would be appreciated. Thanks
Pingback: Having trouble using JailbreakMe.com? Try restoring your iPhone « Just Another iPhone Blog