
How To: jailbreak your iPhone 3GS to iOS 4 with Pwnage Tool 4.0

[Update: I have now also used PwnageTool 4.01 to fix iBooks (which just didn’t work properly if you used PwnageTool 4.0 to jailbreak) and have added my instructions near the bottom of the post.]

Early yesterday morning MacStories released an excellent preliminary jailbreak guide which used a modified version of PwnageTool to jailbreak iOS 4. It was very useful, but it used quite a few terms I didn’t quite understand, so I decided to try my hand at a different iOS 4 jailbreak guide.

I started this whole process on the official iOS 4 release on my iPhone 3GS, and I am going to outline all the steps I took after the jump. Here are the necessary links and info for the guide (make sure to unzip the files to your desktop or a special folder so you have everything in one place):

  • a Mac — that’s what I used, and PwnageTool is Mac-only for now
  • SHSH blobs for 3.1.2 on Cydia servers to downgrade your firmware
  • iOS 3.1.2 and 4.0 .ipsw files for iPhone 3GS
  • RedSn0w 0.9.4 to help you jailbreak 3.1.2 (Spirit won’t work for this)
  • PwnageTool 4.01 to help you create a custom jailbroken 4.0 .ipsw (firmware restore file)
  • an iPhone 3GS with the “old” bootrom (iBoot: 359.3)
  • iRecovery to help you downgrade to 3.1.2

If any of those terms confuse you, don’t worry. I’ve tried to explain and provide links to the guides I used after the jump. This is not a carrier unlock guide, but you should be alright if you need one, now that ultrasn0w 0.93 has been updated for every baseband from iOS 3.0 to iOS 4.0.

Disclaimer

First of all, no one here at Just Another iPhone Blog takes any responsibility for any damage these steps may cause. If you run into a problem we can try and help in the comments, but that’s the extent of it. iOS is pretty darn durable and I’ve gotten my iPhone out of a bricked state plenty of times, but this is really just my personal experience being shared as a guide to help others. There are many guides like this one; whichever you follow, take care to do the steps in order.

Before Attempting

Make sure your SHSH blobs for 3.1.2 or 3.1.3 were saved to Saurik’s server. You can confirm this on your currently jailbroken device by loading up Cydia and checking for the text right at the top. It should look something like this picture:

If you’d like to understand the full process behind this, see this article from iPhoneinCanada about why this is so important.

You will also need to make sure you have the right bootrom (a.k.a. iBoot). The newer generation of iPhone 3GS shipped with a bootrom that is incompatible with PwnageTool 4.0 (and 4.01, which fixes an iTunes account issue with iBooks). That new bootrom is also why those devices need a tethered jailbreak (one that is lost after every reboot, e.g. Blackra1n RC2 for the new 3GS) instead of an untethered one (e.g. Spirit, though Spirit won’t work with my guide).

To make a long story short, your bootrom has to be exactly 359.3 for this guide to work. If the version has more digits after 359.3, your iPhone has the new bootrom and you’re out of luck, at least at the time of writing. If you don’t know your iBoot, put your iPhone into DFU mode:

hold sleep + home for 10 seconds exactly
release sleep, but continue to hold home until iTunes pings you
screen should simply stay blank, but device should be recognized by iTunes

Once you’re in DFU mode, here’s a modified excerpt from commenter sand0s on the Dev-Team Blog comments (couldn’t find a way to link to this):

on a mac (from memory)
click on the apple on the upper left of the screen, then click on system information.
in that display click on more information.
in the system profiler click on USB devices under hardware.
look for something like “apple device in DFU” and click on it or expand it.
there you should find the info [iBoot-359.3 is what you want to see].
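The same check from Terminal, as an added example that is not part of the original post or of sand0s’s comment: `system_profiler SPUSBDataType` prints the USB tree that System Profiler shows in the GUI, and the shell functions below read that text and report whether the device is in DFU or Recovery mode (which iTunes does not distinguish, as noted under Miscellaneous Notes) and which iBoot version it advertises. The SAMPLE_* strings are constructed to resemble that output so the functions can be tried offline; real output may lay the fields out differently, which is why the parsing keys only on the product name and on an `iBoot-<version>` token.

```sh
#!/bin/sh
# Added example, not from the original post: the System Profiler check from the
# command line. `system_profiler SPUSBDataType` prints the same USB tree the GUI
# shows; these functions read that text on stdin and report the device mode and
# the iBoot (bootrom) version. The SAMPLE_* strings are constructed to resemble
# that output for offline use; real output may lay the fields out differently,
# so the parsing keys only on the product name and on an "iBoot-<version>" token.

SAMPLE_DFU='USB:

    USB High-Speed Bus:

        Apple Mobile Device (DFU Mode):

          Product ID: 0x1227
          Vendor ID: 0x05ac  (Apple Inc.)
          Version: 0.00
          Serial Number: CPID:8920 CPRV:15 CPFM:03 SCEP:01 BDID:00 ECID:0000000000000000 IBFL:01 SRNM:[CONSTRUCTED] SRTG:[iBoot-359.3]
          Manufacturer: Apple Inc.'

# Same shape, but a Recovery Mode device whose version string is longer than
# 359.3 (constructed stand-in for a new-bootrom 3GS).
SAMPLE_RECOVERY_NEW='USB:

    USB High-Speed Bus:

        Apple Mobile Device (Recovery Mode):

          Product ID: 0x1281
          Vendor ID: 0x05ac  (Apple Inc.)
          Version: 0.00
          Serial Number: CPID:8920 CPRV:15 CPFM:03 SCEP:01 BDID:00 ECID:0000000000000000 IBFL:01 SRNM:[CONSTRUCTED] SRTG:[iBoot-359.3.2]
          Manufacturer: Apple Inc.'

# Print DFU, Recovery or Unknown, based on the product name System Profiler
# shows. iTunes presents both modes the same way, so this is how to tell them apart.
usb_mode() {
    text=$(cat)
    case "$text" in
        *'Apple Mobile Device (DFU Mode)'*)      echo DFU ;;
        *'Apple Mobile Device (Recovery Mode)'*) echo Recovery ;;
        *)                                       echo Unknown ;;
    esac
}

# Print the first iBoot version found (e.g. 359.3), or nothing if none.
iboot_version() {
    grep -o 'iBoot-[0-9][0-9.]*' | head -n 1 | sed 's/^iBoot-//'
}

# old  -> exactly 359.3: the bootrom PwnageTool 4.0x supports
# new  -> any longer version string: new bootrom, tethered jailbreaks only
# none -> no iBoot string at all (device not in DFU/Recovery, or not plugged in)
bootrom_class() {
    v=$(iboot_version)
    case "$v" in
        '')    echo none ;;
        359.3) echo old ;;
        *)     echo new ;;
    esac
}

# Run the real check on a Mac; elsewhere just say so, so the script stays runnable.
live_check() {
    if command -v system_profiler >/dev/null 2>&1; then
        out=$(system_profiler SPUSBDataType)
        printf 'live: mode=%s iboot=%s bootrom=%s\n' \
            "$(printf '%s\n' "$out" | usb_mode)" \
            "$(printf '%s\n' "$out" | iboot_version)" \
            "$(printf '%s\n' "$out" | bootrom_class)"
    else
        echo 'live: system_profiler not found (not macOS), skipping'
    fi
}

printf 'sample DFU:      mode=%s iboot=%s bootrom=%s\n' \
    "$(printf '%s\n' "$SAMPLE_DFU" | usb_mode)" \
    "$(printf '%s\n' "$SAMPLE_DFU" | iboot_version)" \
    "$(printf '%s\n' "$SAMPLE_DFU" | bootrom_class)"
printf 'sample Recovery: mode=%s iboot=%s bootrom=%s\n' \
    "$(printf '%s\n' "$SAMPLE_RECOVERY_NEW" | usb_mode)" \
    "$(printf '%s\n' "$SAMPLE_RECOVERY_NEW" | iboot_version)" \
    "$(printf '%s\n' "$SAMPLE_RECOVERY_NEW" | bootrom_class)"
live_check
```

On a Mac with the phone in DFU mode, `system_profiler SPUSBDataType | bootrom_class` printing `old` is the green light for the rest of this guide; `none` usually means the phone is in normal mode or not plugged in, so redo the DFU steps above.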

Downgrading to 3.1.2 and then jailbreaking it with RedSn0w

As I mentioned earlier, I started out with an iPhone 3GS on the official release of iOS 4. However, all that really matters is that you’re able to downgrade. I chose to go all the way back to 3.1.2 because I figured it would be the easiest to jailbreak.

  1. Put your iPhone into DFU mode
  2. Make sure you’ve edited your Mac’s /private/etc/hosts file (the same file as /etc/hosts) so that iTunes talks to Saurik’s server instead of Apple’s when it asks for firmware signatures. This is where we take advantage of those SHSH blobs you stored with Cydia.
    I used this guide at Decoding the Web to help me find and edit the hosts file so that I could add this line to the bottom:
    74.208.105.171 gs.apple.com
  3. Alt/Option-click the Restore button within iTunes and choose the stock 3.1.2 firmware (iPhone2,1_3.1.2_7D11_Restore)
  4. iTunes should complete the install but then give you a 1015 or 1016 error, and your iPhone will show the recovery screen (a USB cable leading into the iTunes icon). That’s fine: load up Terminal, drag the iRecovery icon from Finder into Terminal, and add “ -s” to the end of the line to get iRecovery’s shell. I kept my iRecovery file in Applications, so the line looked like this in Terminal:
    /Applications/iRecovery -s
  5. Press enter, and a bunch of text will appear on-screen. Then type these lines from Brandon’s 4.0 downgrade post, pressing enter after each one:
    setenv auto-boot true
    saveenv
    /exit
  6. After this you simply reboot your iPhone by holding sleep + home until you see the Apple logo. This should boot you right into the stock version of iOS 3.1.2.
  7. Now you have to jailbreak the 3GS using RedSn0w, so make sure you’re connected over USB. I also loaded iTunes, just to be safe. The process is pretty self-explanatory (iClarified RedSn0w 3.1.2 for 3GS guide here if you need it), but it will ask you if you have the newer iPhone 3GS model. If you’ve read this far then you should have confirmed that you do have the older 359.3 bootrom, and the serial number trick mentioned here is just another way of verifying that. Click on No.

    Redsn0w will do its thing and you’ll reboot to a jailbroken version of 3.1.2. I loaded up Cydia just to appease the voodoo gods, but you probably don’t have to.
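Step 2’s hosts edit, as an added example that is not part of the original post: a few shell functions that add the gs.apple.com line once (so repeating the step never stacks duplicates), check for it, and take it out again afterwards. They take the hosts file path as an argument, so you can try them on a scratch copy before touching /private/etc/hosts, which needs sudo. The IP and hostname are the ones from the post; the file name hosts_override.sh in the usage comment is only an assumption about where you saved the block.

```sh
#!/bin/sh
# Added example, not from the original post: manage the gs.apple.com override
# in a hosts file. Every function takes the hosts file path as $1 so it can be
# exercised on a scratch file; the real file on a Mac is /private/etc/hosts.
# Usage on a Mac (assumes you saved this block as hosts_override.sh):
#   sudo sh -c '. ./hosts_override.sh; hosts_add /private/etc/hosts'
#   sudo sh -c '. ./hosts_override.sh; hosts_remove /private/etc/hosts'

GS_IP='74.208.105.171'   # Saurik's server, from the post
GS_HOST='gs.apple.com'   # Apple's signing server name that iTunes looks up

# Matches an active (uncommented) "<ip> gs.apple.com" line, whatever the IP.
GS_RE="^[[:space:]]*[0-9.]+[[:space:]]+$GS_HOST([[:space:]]|\$)"

# Exit 0 if the hosts file already maps GS_HOST somewhere.
hosts_has() {
    grep -Eq "$GS_RE" "$1"
}

# Number of active override lines (shows that hosts_add is idempotent).
hosts_count() {
    grep -Ec "$GS_RE" "$1" || true
}

# Add the override once; calling it again is a no-op.
hosts_add() {
    if hosts_has "$1"; then
        echo "$GS_HOST is already overridden in $1"
    else
        printf '%s\t%s\n' "$GS_IP" "$GS_HOST" >> "$1"
        echo "added $GS_IP $GS_HOST to $1"
    fi
}

# Remove every override line, leaving the rest of the file untouched.
# Do this once the downgrade is done so iTunes reaches Apple's server directly again.
hosts_remove() {
    tmp="$1.tmp.$$"
    grep -Ev "$GS_RE" "$1" > "$tmp" || true   # grep exits 1 if nothing is left
    cat "$tmp" > "$1"                         # write in place, keep permissions
    rm -f "$tmp"
    echo "removed $GS_HOST override from $1"
}

# Demo on a scratch file so running this does not touch the system hosts file.
demo_file=$(mktemp)
printf '127.0.0.1\tlocalhost\n' > "$demo_file"
hosts_add "$demo_file"
hosts_add "$demo_file"
echo "override lines: $(hosts_count "$demo_file")"
hosts_remove "$demo_file"
echo "override lines: $(hosts_count "$demo_file")"
rm -f "$demo_file"
```

Keep the override only for as long as you need it: while it is in place every signature request iTunes makes for any firmware goes to Saurik’s server rather than Apple’s, so run `hosts_remove` (or delete the line by hand) once you are on the firmware you want.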

Jailbreaking iOS 4 with PwnageTool

Now that you’re on a 3.1.2 firmware that has not been jailbroken with Spirit (which is incompatible with PwnageTool), it’s time to prepare your jailbroken iOS 4 firmware.

  1. Load up PwnageTool 4, select the iPhone 3GS, and let the software automatically find the official iOS 4.0 firmware (iPhone2,1_4.0_8A293) you downloaded. I did everything in Simple Mode and it worked out fine, but, as usual, there’s an iClarified iOS 4 jailbreak guide to take you through Expert Mode if you’d like to try it out.
    What PwnageTool does is create a custom .ipsw (firmware) file that you can then load onto the iPhone through iTunes. Wait until the whole process is done and you should find the custom file right on your desktop.
  2. Now make sure iTunes is on and the iPhone is plugged in before you put the device into recovery mode:
    hold sleep + home until the screen goes out
    release sleep, but continue holding home until iTunes pings you
    the screen should simply stay blank, but the device should be recognized by iTunes
  3. Once your iPhone pops up in iTunes as a device in Recovery Mode, alt/option-click on Restore and point to the custom iOS 4 firmware you made with PwnageTool.
  4. Wait a bit and then celebrate when you see the pineapple of Pwnage pop up on your screen. Your iPhone will reboot and you’ll be jailbroken. It will still be a little while before all of your favourite apps and utilities are iOS 4 compatible, though.

Fixing your PwnageTool 4.0 jailbreak (w/ broken iBooks) with a new firmware made by PwnageTool 4.01

Ignore this section if you used PwnageTool 4.01.

This is pretty simple stuff, but I thought I’d put it in writing, anyway. If you’re aching to try iBooks out on your fresh PwnageTool 4.0 install, you’ll have to do one more restore.

  • Back up your device to iTunes
  • create a new iOS 4 custom firmware using PwnageTool 4.01
  • set your device to Recovery Mode
  • alt/option-click Restore in iTunes and select your newly made firmware
  • Finish the install and enjoy iBooks

You shouldn’t encounter any problems during this installation, but if you do, make sure you disable Wi-Fi Sync if you have it installed (also mentioned in Miscellaneous Notes below).

Miscellaneous Notes

Recovery Mode in iTunes

  • I’m sorry, Internet. I forgot where I read this, but just know that it wasn’t my discovery: iTunes doesn’t show any difference between an iPhone in Recovery mode and an iPhone in DFU mode. That’s why I posted that comment above, which shows you how to check the mode using Mac OS X’s System Profiler.

Serial Number

  • A more indirect way of finding out your iBoot version is to check your serial number. Navigate to Settings -> General -> About on your iPhone and check the fourth and fifth digits of your Serial Number. These digits represent the production week, and if the number is below 40, you’re safe. Anything above and it’s no longer a sure shot, so I recommend you check your iBoot using the method I showed earlier in the guide. (I got this info from the RedSn0w warning window.) Note that the third digit of the serial is the production year, so the week rule only applies to a 2009 unit; a 3GS built in 2010 or later has the new bootrom regardless of week.
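The serial-number shortcut, as an added example that is not part of the original post: a shell function that applies the week rule and prints old, new, uncertain or invalid. It relies on one assumption the post does not state, namely that in Apple’s 11-character serials of this era the third character is the last digit of the production year and the fourth and fifth are the production week, so a 3GS built in 2010 or later is new-bootrom whatever the week. The sample serials at the bottom are constructed; only positions 3 to 5 matter.

```sh
#!/bin/sh
# Added example, not from the original post: decode an iPhone 3GS serial number
# (Settings -> General -> About) into the post's old/new bootrom guess.
# Assumption not stated in the post: in Apple's 11-character serials of this era
# the 3rd character is the last digit of the production year and characters 4-5
# are the production week. The post's rule (week below 40 = old bootrom) only
# holds for 2009 units; anything built in 2010 or later has the new bootrom.
# The sample serials at the bottom are constructed; only positions 3-5 matter.

serial_year() { printf '%s\n' "$1" | cut -c3; }
serial_week() { printf '%s\n' "$1" | cut -c4-5; }

# old       -> 2009 unit, week 01-39: old bootrom (iBoot 359.3), PwnageTool OK
# uncertain -> 2009 unit, week 40 or later: verify the iBoot version directly
# new       -> 2010-or-later unit: new bootrom, this guide will not work
# invalid   -> not an 11-character serial with a plausible two-digit week
bootrom_from_serial() {
    s=$1
    if [ "${#s}" -ne 11 ]; then echo invalid; return 0; fi
    y=$(serial_year "$s")
    w=$(serial_week "$s")
    case "$w" in
        [0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    if [ "$w" -lt 1 ] || [ "$w" -gt 53 ]; then echo invalid; return 0; fi
    case "$y" in
        9)     if [ "$w" -lt 40 ]; then echo old; else echo uncertain; fi ;;
        [0-8]) echo new ;;   # a year digit of 0-8 on a 3GS can only mean 2010 onward
        *)     echo invalid ;;
    esac
}

# Constructed sample serials: week 25/2009, week 40/2009, week 05/2010, too short.
for s in 889250ABC3N 889400ABC3N 880050ABC3N 88925; do
    printf '%s -> %s\n' "$s" "$(bootrom_from_serial "$s")"
done
```

Treat `uncertain` (and, if you are cautious, `old` too) as a prompt to run the System Profiler check from earlier in the guide; the serial is a hint, the iBoot string is the answer.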

iPhone Backups:

  • It’s possible to keep your backups intact through this process, but make sure you don’t sync your iPhone with iTunes until you’ve actually gotten onto the final iOS 4 jailbroken firmware. I accidentally deleted mine during this process. Oops. And by “oops”, I mean “damn it”.

iPhone hanging during a firmware install:

  • It’s pretty terrifying to see your iPhone firmware install slow to a crawl and then never, ever move again. It can be even more terrifying to reset after this happens and watch as subsequent installs fail. However, in trying to update my iOS 4 install with a custom firmware from PwnageTool 4.01 (to fix iBooks), I had to reset from a frozen firmware about three or four times. I really don’t recommend you do this, but if you have to, know that at least one other person’s iPhone has come back from similar circumstances. iPhones are pretty brick-resilient.
  • The second little note I’d like to add here is to make sure you disable or uninstall the Wi-Fi Sync utility (partner to the Wi-Fi Sync jailbreak app) on your desktop before attempting any firmware install. Something about the Wi-Fi Sync’s desktop partner seems to block firmware installs, so watch out.
