- 3GS -- ultrasn0w style!
Do not upgrade to 3.1 yet if you want this unlock!
Here’s a brief video demonstration by @planetbeing of the iPhone Dev Team’s ultrasn0w unlock for the new iPhone 3G S. Special thanks to @Oranav for the at+xlog crash — a gift to the community that has kept on giving!
Our ultrasn0w program uses the at+xlog crash as an injection vector of our unlocking payload — and it does so on the 3GS in exactly the same way as on the 3G! But this injection vector will be lost if you update to 3.1 using the official Apple IPSW, which updates the baseband. So stay away from official 3.1 IPSWs until we release the tools that let you update the firmware without updating the baseband.
- your 3GS temporary solution ;-)
Remember we warned you to stay away from any updates to 3.1 if you want to be able to jailbreak or unlock your 3GS.
Well, this is an additional message to all you 3GS owners who would like to jailbreak your device sometime soon, but this advice comes with a warning! If you accidentally upgrade to 3.1, you will not be able to use ultrasn0w, so please re-read and double check the warning at the bottom of this post before proceeding.
You may have read or heard about techniques to capture files during the iTunes restore process. These will be required to jailbreak your phone in the near future, and most of the methods involve icky USB snoops. Well, there is an even better and more reliable method to get your hands on those lovely files.
During the restore process iTunes nicely keeps these oh-so-top-secret-files in a lovely accessible place for us to copy out and backup, that place? /tmp on Mac OS X or %TEMP% on Windows. Thanks Apple — handy!
The downside to this approach is that you actually need to go through the restore process to get these signed files, which has risks if you are anywhere near 3.1 or 3.1 beta :-)
If you are ready to proceed and you know the risks we’ll get down to the nitty-gritty -
So during a usual recovery with iTunes, your signed iBEC is written to /tmp and during a DFU mode restore the signed iBSS is written there also. To be sure, restore in both modes one after another to be able to grab them both. You’ll need to keep an eye on the temp directory and copy it before it is deleted again by iTunes. I’m sure some nice folks will create a tutorial about this, we’ll link to the first person who makes a good one.
Should you choose to accept this mission, act fast, this needs to be done quickly! But again, always, always double check here to see if 3.1 has been released; if it has, then don’t do this.
WARNING!! - DANGER, WILL ROBINSON! - NB! - REMEMBER!
IF YOU CARE ABOUT ULTRASN0W, BE VERY CAREFUL WITH THIS METHOD! Do not attempt this if you have downloaded the 3.1 beta. You do NOT WANT TO accidentally restore your device to 3.1 beta — you’ll lose ultrasn0w if you do! BE WARNED :-)
Update: iClarified has come up with a good picture-filled guide for doing this on a Mac and also one for Windows. Good luck!
- Only so many ways to say it
You’ve seen us give this warning before, and there are only so many ways to say it or come up with a clever title :) But here it is: ultrasn0w users must stay away from any firmware updates past 3.0 (including today’s 3.1 beta) until we release the tools that let you update the firmware without updating the baseband. For most phones out there, baseband updates are irreversible and you’ll lose ultrasn0w.
The 3.0 jailbreak was one of those (rare) times where both the jailbreak and the unlock coincided (the only other time was 2.2). It’s important that people realize that *most* firmware releases aren’t like that, and you need to take steps (via the tools) to separate the firmware update from its included baseband update.
This warning does not apply to the iPhone 2G, which uses BootNeuter for the unlock, not ultrasn0w.
- The needs of the many...
Spock said it best: “The needs of the many outweigh the needs of the few…”
Summary:
We can jailbreak the 3GS right now. But making our jailbreak public at this point in time would benefit relatively few people. It would in fact be detrimental to many more people than it would help. So we feel it’s best to keep our version of the jailbreak out of Apple’s sights for the time being.
Details:
If you already have a 3GS phone and have already done a full USB dump or captured your img3’s signed with your ECID, then you’re in great shape. You will always be able to jailbreak. But many people who plan on getting a 3GS do not yet have one. For instance, many people are waiting for their existing contracts to mature to the point where they get a price break on the 3GS. Many people are trying to sell their 3G before they can buy the 3GS. There are parts of the globe where you can’t even buy a 3GS yet! The reasons are varied, but they are many.
The nature of the 3GS hardware allows Apple to stop IPSWs from being usable unless you’ve already gotten the signed chunks they send to you based on your ECID (a unique chip ID). You cannot get these signed chunks without knowing your ECID, and you don’t know your ECID until you’ve bought your 3GS.
The jailbreak requires at least one signed iBoot-family img3 for your device. And that iBoot needs to have an exploitable bug. It’s an all-or-nothing deal…you either have your signed exploitable iBoot ready to use, for now and forever — always jailbreakable — or you have nothing.
Here’s the critical point, the reason why we’re delaying our version of the jailbreak: Once the jailbreak is out, Apple will fix the iBoot-family bug we use to accomplish it. They will simply stop signing the old iBoots and only sign the fixed ones. If you bought your phone after Apple has done this, there’s nothing you can do…the jailbreak isn’t going to work for you.
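The paragraphs above describe a trust design worth seeing in code: the vendor signs each iBoot-family component against the requesting device's ECID, so a signed chunk is only usable on the device it was issued for, and once the vendor stops signing a given image, anyone who did not already save a signed copy for their own ECID can never obtain one. The following is an added, simplified model of that mechanism, not Apple's actual img3 format, code from the iPhone Dev Team, or the real bootrom check. The ECIDs, image contents and key are constructed, and an HMAC stands in for the vendor's real asymmetric signature (a real device holds only a public verifying key), so that the example runs on the Python standard library alone.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the vendor's signing key. The real scheme uses an
# asymmetric signature (the device holds only the public half); an HMAC is
# used here purely so the example runs on the standard library.
VENDOR_KEY = b"constructed-vendor-signing-key"

# Constructed ECIDs for two hypothetical devices.
ECID_A = 0x00001122334455AA
ECID_B = 0x00001122334455BB


@dataclass(frozen=True)
class SignedImage:
    """A firmware image plus the tag the vendor issued for one specific ECID."""
    name: str
    ecid: int
    image: bytes
    tag: bytes


def _signed_message(name: str, ecid: int, image: bytes) -> bytes:
    # The tag covers the component name, the requesting device's ECID and the
    # image hash, so it is bound to both the exact image and the one device.
    return b"|".join([name.encode(), ecid.to_bytes(8, "big"),
                      hashlib.sha256(image).digest()])


class SigningServer:
    """Model of the vendor's signing service (hypothetical, not Apple's)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._retired: set[str] = set()  # hashes of images it no longer signs

    def sign(self, name: str, ecid: int, image: bytes) -> SignedImage | None:
        if hashlib.sha256(image).hexdigest() in self._retired:
            return None  # vendor refuses: this image is no longer signed
        tag = hmac.new(self._key, _signed_message(name, ecid, image), "sha256").digest()
        return SignedImage(name, ecid, image, tag)

    def retire(self, image: bytes) -> None:
        """Stop signing an image, e.g. a version with a known exploitable bug."""
        self._retired.add(hashlib.sha256(image).hexdigest())


def device_accepts(device_ecid: int, blob: SignedImage) -> bool:
    """The boot-chain check: does the tag match this image for *my* ECID?"""
    expected = hmac.new(VENDOR_KEY,
                        _signed_message(blob.name, device_ecid, blob.image),
                        "sha256").digest()
    return hmac.compare_digest(expected, blob.tag)


def run_scenario() -> dict[str, bool]:
    """Walk through the situation the post describes; every value should be True."""
    server = SigningServer(VENDOR_KEY)
    old_iboot = b"constructed iBoot image with the bug"  # the version a jailbreak needs
    new_iboot = b"constructed iBoot image with the fix"

    saved_blob = server.sign("iBEC", ECID_A, old_iboot)  # device A captured this early
    results = {
        "own_blob_accepted": device_accepts(ECID_A, saved_blob),
        "other_device_rejected": not device_accepts(ECID_B, saved_blob),
        "tampered_image_rejected": not device_accepts(
            ECID_A, SignedImage("iBEC", ECID_A, old_iboot + b"x", saved_blob.tag)),
    }
    server.retire(old_iboot)  # vendor stops signing the buggy image
    results["old_image_no_longer_signed"] = server.sign("iBEC", ECID_B, old_iboot) is None
    results["new_image_still_signed"] = server.sign("iBEC", ECID_B, new_iboot) is not None
    results["saved_blob_still_works"] = device_accepts(ECID_A, saved_blob)
    return results


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

The last two checks are the whole point of the post: after the vendor retires the old image, a device that never obtained a signed copy gets nothing, while a device that saved its own ECID-bound blob beforehand can still boot it. Binding the tag to the ECID is also what stops one person's saved blob from helping anyone else.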
It is possible that Apple will find the bug we use without our handing it to them on a silver platter (via a public jailbreak). In that case, we will have delayed our jailbreak for “nothing”. But we’d rather be safe than sorry!
Apple is surely coming out with a 3.0.1 firmware release shortly. They need to fix ultrasn0w. They need to fix some UI issues. 3.0 is buggy and 3.0.1 is coming. We’re going to wait and see what 3.0.1 brings before figuring out the release date for our version of the jailbreak.
In the meantime, we have some remaining 3.0 jailbreak issues to investigate, including push notification. Thanks for being patient with us while we took a 3GS “timeout”!
- 24Kpwn lives on, in the iPhone 3GS!
About 5 hours ago (Thursday evening, less than a week after the 3GS launch), we were able to verify that the 24Kpwn exploit that the hybrid team used on the iPod Touch 2G is still applicable to the bootrom of the iPhone 3GS. That means we can use the same sort of technique used by our current redsn0w tool to jailbreak and unlock the iPhone 3GS.
This is great news, but how did it happen? Why didn’t Apple fix this in their normal cat&mouse fashion? Well it seems this bootrom was cut in about the August 2008 timeframe, so the unintended early reveal of 24Kpwn earlier this year didn’t affect the iPhone 3GS.
For our technical notes on where the 24Kpwn exploit is in the 3GS, see here (pastebin hash of it is here). Our original blog post for when this exploit was first found is here.
And yes, ultrasn0w will be able to be used on the iPhone 3GS for you unlockers! (In fact, without any modifications whatsoever!)
Important: Apple has not given up on the cat&mouse game, and in fact there are challenging aspects of the 3GS jailbreak that aren’t in the other devices. It’ll take some time to safely work these into our tools, but the fundamental weaknesses are there: The bootrom is exploitable via 24Kpwn, and the baseband is exploitable via ultrasn0w. (And just like with the 3G, ultrasn0w for 3GS requires that you not update your baseband when Apple comes out with new firmware.)
- Ultra's Now!
Ultrasn0w for iPhone 3G is ready!
- Ensure you have upgraded to iPhone OS 3.0
- Jailbreak your iPhone 3G using redsn0w or PwnageTool (this will also install Cydia/Icy)
- Run Cydia or Icy
- Please add the repo repo666.ultrasn0w.com to Cydia or Icy. That last “o” is actually the number zero “0”! If you use the letter “o” you’ll get an error.
- Search for ‘ultrasn0w’ in cydia or icy and install ultrasn0w
- Reboot your iPhone 3G
- T-Mobile USA users should disable 3G before using ultrasn0w
- Enjoy
- redsn0w in june
Read the whole post in full before attempting anything!
redsn0w is an easy to use, multi-platform, multi-device jailbreaking and unlocking (iPhone 2G only) tool for the iPhone 2G (original iPhone), the iPhone 3G (but not the 3GS) and also the iPod touch (first and second generation). Currently it is available for Windows and Mac OS X (there are some issues using redsn0w with OS X PPC, please use an Intel Mac until we have this problem resolved).
REDSN0W PROVIDES SIMILAR FUNCTIONALITY TO QUICKPWN.
If you want to build custom firmware files with more flexibility it is suggested that you use ‘PwnageTool’ on Mac OS X.
GOLDEN RULE: If you are using a 3G iPhone with yellowsn0w and rely on yellowsn0w to obtain cellular service, then you should NOT use redsn0w right now. Ultrasn0w (the 3G carrier unlock) is not included with this release and therefore your baseband will be locked and unable to use an operator other than the official one it was bought for. UltraSn0w will be released via APT (cydia and icy) soon. If you have an original iPhone (1st generation) then 3.0 carrier unlock works with this redsn0w release.
- Yellowsn0w in its current form will NOT work with the baseband version present in the 3.0 update; you will need Ultrasn0w, which will be released sometime soon. Ultrasn0w will work with all iPhone 3G models (but not the 3GS), even ones that were previously unlockable. Ultrasn0w (when available) will be released via APT (this means you will be able to get it via Cydia or Icy).
- Please read all parts of this post before downloading and using these tools.
- Read items 1, 2 and 3 again and again.
- At the bottom of this post are the bittorrent files for the latest version of redsn0w.
- This app is suitable for the recent 3.0 release
- redsn0w will NOT work for the iPhone 3GS.
- redsn0w WILL work for Original iPhone (1st Generation), Original iPod touch, iPod touch 2G and the iPhone 3G (not the iPhone 3GS).
To use redsn0w simply upgrade the device in iTunes to firmware version 3.0 and run redsn0w to activate and jailbreak the device (and if you are using an original iPhone 2G, it will unlock it too!)
SHA1 SUMS
- SHA1(redsn0w-mac_0.7.2.zip)=0d58ff133461f3487a80200fe924741dd393b724
- SHA1(redsn0w-win_0.7.2.zip)=444a3120b6bfd98838df74d598d3799cf656dfff
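Published sums are only useful if you actually check them, especially when the download came from one of the unofficial mirrors. The following is an added example (not a Dev Team tool) that parses sum lines in the `SHA1(file)=hex` form used above, hashes a download and reports whether it matches; the two embedded sum lines are copied from this post, and `empty.bin` in the usage note is a constructed name.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import sys
from pathlib import Path

# Copy of the sums as they appear in the post, in the "SHA1(file)=hex" form
# that `openssl dgst -sha1` prints.
PUBLISHED_SUMS = """
- SHA1(redsn0w-mac_0.7.2.zip)=0d58ff133461f3487a80200fe924741dd393b724
- SHA1(redsn0w-win_0.7.2.zip)=444a3120b6bfd98838df74d598d3799cf656dfff
"""

# Accepts an optional leading list marker so the lines can be pasted as-is.
_SUM_LINE = re.compile(
    r"^\s*(?:-\s*)?SHA1\((?P<name>[^)]+)\)\s*=\s*(?P<digest>[0-9a-fA-F]{40})\s*$"
)


def parse_sha1_sums(text: str) -> dict[str, str]:
    """Map archive name -> lowercase hex digest; lines that don't match are ignored."""
    sums: dict[str, str] = {}
    for line in text.splitlines():
        m = _SUM_LINE.match(line)
        if m:
            sums[m["name"]] = m["digest"].lower()
    return sums


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def verify_bytes(name: str, data: bytes, sums: dict[str, str]) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for an in-memory archive."""
    if name not in sums:
        return "unlisted"
    return "ok" if hmac.compare_digest(sha1_hex(data), sums[name]) else "mismatch"


def verify_file(path: str, sums: dict[str, str]) -> str:
    """Same check for a file on disk, hashed in chunks; looked up by basename."""
    p = Path(path)
    if p.name not in sums:
        return "unlisted"
    h = hashlib.sha1()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return "ok" if hmac.compare_digest(h.hexdigest(), sums[p.name]) else "mismatch"


if __name__ == "__main__":
    # Usage: python verify_sums.py redsn0w-mac_0.7.2.zip redsn0w-win_0.7.2.zip
    table = parse_sha1_sums(PUBLISHED_SUMS)
    for arg in sys.argv[1:]:
        print(f"{arg}: {verify_file(arg, table)}")
```

Two caveats a practitioner would keep in mind: the check only means something if the sums are taken from the official post rather than from the mirror that served the file, and SHA-1 is no longer collision-resistant, so a matching sum rules out a corrupt or swapped download but not a deliberately crafted collision.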
Official Bittorrent Releases
Unofficial Mirrors
The following links are unofficial download mirrors, you download these at your own risk, we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links or archives and we accept no responsibility with regard to the validity of the files, or with other content these links provide or with the content that is on the linked site. Always check the published SHA1 sums. We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must. Mirror owners should email direct links only to blog@iphone-dev.org , please don’t place mirrors in the comments as they will be deleted.
Mac
Windows
- trois, drei, три, három!
This is the low down on our tools for use with the 3.0 firmware from Apple, read the whole post in full before attempting anything. Because of some bugs and unexpected changes this will be a multipart release, starting with the release of PwnageTool for Mac OS X. QuickPwn for Mac OS X and Windows will follow sometime soon, please don’t bug us about it, we are working flat out to get everything finished to release them.
GOLDEN RULE: If you are using a 3G iPhone with yellowsn0w and rely on yellowsn0w to obtain cellular service, then you should NOT use PwnageTool right now. UltraSn0w is not included with this release and therefore your baseband will be locked and unable to use an operator other than the official one it was bought for. UltraSn0w will be released via APT (cydia and icy) soon. If you have an original iPhone (1st generation) then the 3.0 unlock works with this PwnageTool release.
- Yellowsn0w in its current form will NOT work with the baseband version present in the 3.0 update; you will need Ultrasn0w, which will be released sometime soon. Ultrasn0w will work with all iPhone 3G models (but not the 3GS), even ones that were previously unlockable. Ultrasn0w (when available) will be released via APT (this means you can get it via Cydia or Icy).
- Please read all parts of this post before downloading and using these tools.
- Read items 1, 2 and 3 again and again.
- At the bottom of this post are the bittorrent files for the 3.0 capable version of PwnageTool.
- This app is suitable for the recent 3.0 release.
- PwnageTool will NOT work for the iPhone 3GS.
- PwnageTool WILL work for Original iPhone (1st Generation), Original iPod touch (1st Generation) and the iPhone 3G.
Baseband 101
The ‘baseband’ is the generic nickname given to the internal components of the iPhone that handle the phone calls and Internet access. This ‘baseband’ is a tiny and unique independent computer system that runs inside your iPhone; it is separate from the main system that handles the applications (such as email and google maps) and it talks to the main part of the phone over an internal communications network. Think of it like a cable modem or other peripheral that is attached to your home PC that needs occasional updates. When a software update is released and presented to you within iTunes the baseband is sometimes updated (to fix bugs or add new features). The 3.0 update for the iPhone 3G contains such an update, so running the vanilla updater straight away with iTunes will reprogram and update the baseband.
SIM Free/SP Unlocked/Factory Unlocked iPhone 3G
This applies if you bought your iPhone 3G for $$$$$$$. This model of iPhone 3G doesn’t have a Service Provider lock (aka factory unlocked) and you are able to put any SIM card into the phone and get service. Your phone is already unlocked so you do not need to worry about baseband updates; simply upgrade to 3.0 using iTunes, then use PwnageTool to create an ipsw and use this to jailbreak your phone.
iPhone 2G (1st Generation)
Use PwnageTool to do the magic and then restore with iTunes using your newly created .ipsw ‘nuff said, you don’t need to worry about anything, the baseband will be unlocked, the phone jailbroken.
iPod Touch 1G (Original iPod Touch)
Use PwnageTool to create a firmware image and restore with that .ipsw using iTunes.
iPod Touch 2G (New iPod Touch)
Sorry, no support at this time within PwnageTool, use Redsn0w for an earlier (pre 3.0) firmware release instead.
Official Bittorrent Releases
Unofficial Mirrors
The following links are unofficial download mirrors, you download these at your own risk, we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links or archives and we accept no responsibility with regard to the validity of the files, or with other content these links provide or with the content that is on the linked site. Always check the published SHA1 sums. We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must. Mirror owners should email direct links only to blog@iphone-dev.org , please don’t place mirrors in the comments as they will be deleted.
- Big week!
As anyone reading this blog must already know, this is the big week where Apple releases their official 3.0 FW to the public (Wednesday), and then the new iPhone2,1 hardware, aka the iPhone 3GS (Friday).
On Tuesday evening (just before the big Apple release) we’ll do a live demo of the yellowsn0w carrier unlock working on official 3.0 firmware. The actual link for the feed will be twittered by @MuscleNerd and also placed here when the feed starts. The demo should answer everything you need to know about the new yellowsn0w. But it’s good news for iPhone 3G unlockers everywhere.
Meanwhile, we’re in the middle of testing our PwnageTool and QuickPwn tools, which will work with iTunes 8.2. The jailbreak of course continues to work on 3.0 for all devices it ever worked on, thanks to the Pwnage 2.0 technique released last summer. Our tools will be released no sooner than the Apple release (just in case!).
P.S. For the new iPhone 3GS, please don’t expect periodic updates about any progress we have or don’t have. Nothing gives Apple the upper hand like someone tweeting or blogging partial hack results. That’s not how cat & mouse is played :) That’s how the cat gets fed.
Updates after the video. Please skip ahead to 02:00 to see the demo.
Update 1 (Wednesday morning):
- Only ultrasn0w is going to take til Friday to get pushed out. All of our other tools should be out pretty soon after the official Apple release.
- If you apply our jailbreak when it comes out, you can install ultrasn0w anytime after that. You obviously won’t have cell service in the meantime, though.
- This may in fact be directly applicable to the iPhone 3GS if it can be jailbroken, because it runs the same baseband version. Whether or not it can be jailbroken is a big question right now!
- If you’re on Twitter, please give @Oranav a pat on the back. He could have revealed the crash he found to Apple and maybe gotten quite an incentive in return. Instead, he told us about it so that we could work it into an injection vector for the soft unlock.
Update 2 (Thursday morning):
- We have two issues that we’ve been trying to resolve:
- There are new 3.0 complications with YouTube.app if you’re on a hacktivated (unofficially activated) device
- There’s a bug in Apple’s new version of asr that our custom IPSWs are tickling, causing crashes on some devices. (For the nerdy or curious among us, the details of that bug were tweeted by planetbeing a month ago.)
- As of Thursday morning we now have a workaround for #2. For #1, we’ll try our best to get it fixed but we may end up releasing a preliminary jailbreak in which YouTube doesn’t work for hacktivated devices, and then follow that up with a more complete jailbreak when we can.
WARNING ABOUT THE COMMENTS: People new to this blog probably don’t realize that comments from the DevTeam actually have a gold header to them, so you can pick them apart from the fake users. But to be extra safe, until the release of this set of tools we’ll keep our feedback up here in the main post, not in the comments. That way you won’t get tricked by fake users.
Also, if you want to help self-moderate, please click on the “report this post” for comments you all know are fake. If enough of you do that, it’ll get deleted automatically.
- Yell0w Fever
These are very exciting days ahead! WWDC, the new 3.0 firmware, the new iPhone2,1 device. All in the span of a month or two. Nobody is more excited than we are :)
Unfortunately, there are predators out there that are counting on your over-exuberance. Maybe we should call it yell0w fever. One very recent example is a certain yellowsn0w221 page on wordpress.com. Do not download anything from that page if you’re on a PC, else you’ll be infected with a virus. The page talks and talks about a supposed Firmware 2.2.1 yellowsn0w exploit, but it’s all a ruse to get you to download and infect your PC.
We’re used to (though still aren’t happy about) less predatory websites, like quickpwn.com. That site (1) is not us, and we don’t consult with them in any way; (2) makes money from their Google hits (they’re usually near the top); (3) sometimes gives very very bad advice (like tweeting yellowsn0w users to use QuickPwn on 3.0 betas; bad suggestion); and (4) also owns yellowsn0w.net, another money-making website.
The wordpress page, though, is at another level. It’s out to 0wn your PC for spamming purposes. Please be on the lookout for any pages that mention “dev team” news that you don’t actually see on this blog first. We are very good at not leaking sensitive info (since that really wrecks this whole “cat&mouse” thing). So no blog or forum or youtube page would have any “insider” dev team knowledge that you won’t see announced here first.
About the unlock (the real yellowsn0w): you all paid lots of money for your iPhones, and so we know that if you are depending on a software unlock, this is a sensitive issue. It’s a very sensitive issue to us too, which is why we can’t say or release anything prematurely that could potentially compromise any 3.0 software unlock. The commenters on this blog that have high ratings (20 or above) understand this intimately so please listen to them when they try to assist those waiting for any unlock :)
- That tempting "update" button
Yesterday, Apple started pushing out their official iTunes 8.2, which supports mobile devices at firmware 3.0. Here’s why you jailbreakers and yellowsn0w-users shouldn’t really accept that “Update now?” question:
- Most people aren’t at 3.0. In fact 3.0 is still in beta and has lots of bugs (especially related to push updates).
- It breaks your ability to use QuickPwn, PwnageTool, and iPhone Tunneling Suite (ssh over usb). We don’t think this is a deliberate breakage of these tools. It’s just that Apple has updated a low-level USB protocol that normally only Apple cares about (but which jailbreakers also care about).
- So far, the only appreciable change to iTunes 8.2 is the Genius function working on videos.
- It may actually break Palm Pre’s connection to the device (please give us feedback on this).
This update is one of those that incidentally breaks QuickPwn and PwnageTool. It doesn’t seem like an anti-jailbreak. But nonetheless, it will break your ability to re-run QuickPwn or PwnageTool’s dfu-entry.
Because this update isn’t a deliberate anti-jailbreak measure, it’s easily fixed in our tools. But we really don’t want to update our tools until 3.0 is out, so please don’t update to 8.2 if you think you’ll need to rejailbreak your device. :)
YellowSn0w on 2.2.1 and beyond
We see many questions about whether yellowsn0w can ever be made to work on firmware versions past 2.2 (or equivalently, basebands past 02.28). This is probably a good place to address those questions:
If there is a yellowsn0w update for firmware after 2.2 (or basebands after 02.28), there is no way it would ever be released before 3.0 is official. It just wouldn’t make any sense to release an exploit for something that only those who have beta 3.0’s (NDA signers) could use. Most people in the world aren’t NDA signers. Any yellowsn0w update for 3.0 would need to happen *after* 3.0 is officially available.
- Half way home?
Apple just released the fifth beta of their 3.0 OS. Back when 2.0 was still in beta, they released about nine beta firmwares, so it’s reasonable to assume we’re about half way through the 3.0 beta process.
As should be expected, the modern devteam jailbreak process is still valid. The picture below is 3.0beta5 jailbroken on an iPhone 3G. As we’ve said in previous posts, nothing other than a hardware respin can prevent our jailbreak from working on all existing iPhones and iPod Touches. They’ve chased our jailbreak so far down in the chain of trust, the only way they can fix it is in hardware.
Because there are so many beta releases, we couldn’t possibly refine, test, and release both PwnageTool and QuickPwn for each of them. That’s why we’re waiting until the final release. You may have seen other “hijacked” versions of QuickPwn out there, but all of them are buggy, none of them work on OSX, and almost everyone who uses them reverts back to 2.2.1 (because none of the useful jailbroken apps (Qik, Cycorder, and others) work on 3.0 yet).
But this is a good time to remind everyone. If you care about the yellowsn0w unlock, don’t go anywhere near the beta releases. You will lose your unlock, possibly forever.
- Beta O'Clock
Today at exactly 2 minutes past Beta O’Clock we are releasing a beta version of redsn0w. The release hopes to simplify the jailbreaking of your iPod touch 2G.
redsn0w is currently in beta as it relies on the user running it from the command line, but this new redsn0w functionality is being added into our GUI applications.
If you are not fully confident with using the command line, then hold off for those simpler tools that will be released sometime soon.
Related links
Credits
implementation ⓒ2009 iPhone Dev Team
vulnerability: pod2g, MuscleNerd
exploit: planetbeing, CPICH, posixninja, chronic, ius
Legal
This work is copyrighted with all rights reserved. Modification or redistribution without written consent is expressly prohibited.
UPDATE
The redsn0w site shows the latest release version, it is currently at v0.3.
- Cat. Bag. Mouse.
Well, the cat is out of the bag. The 3.0 firmware from Apple can be jailbroken, and there are now sites out there giving you that jailbreak (after you sort through various ads and browser popups, etc).
Of course it’s not really a surprise that it can be jailbroken. One of the nicest things about the jailbreaking iPhones and iPod Touches nowadays is that once a given device can be jailbroken, it can always be jailbroken. The exploits we’re forced to resort to are down at the hardware level, where nothing can be done about them via software. That’s why within a day or two of 3.0 beta1’s release we were able to snap this screenshot of a jailbroken system:
(we also captured the date of the SHA1 of the above image for historical purposes here and here)
Why did we not release the jailbreak two weeks ago when the above image was captured and hashed? There are many reasons, mostly resource-related:
- We don’t want to have to release a new version of PwnageTool and QuickPwn for every beta release. Last time around during the 2.0 beta period, there were nine (9!) Apple releases, spaced within a few weeks of each other.
- There are unresolved problems that we’re still working on. It’s currently impossible to get the 3.0 firmware to talk to baseband 02.28 where yellowsn0w lives, for instance.
- We don’t want to have to support everyone who wants to back down from the betas…because the betas are, well, buggy.
- It’s silly to play cat&mouse with Apple during a beta period, when relatively few people are willing to actually use the beta software in their everyday lives. There are ways Apple can tighten the screws, and we’d rather not burn methods just for a beta release.
THE MOST IMPORTANT THING ABOUT THE UNOFFICIAL QUICKPWN RELEASES IS THAT IF YOU USE THEM, YOU WILL KILL YELLOWSN0W, POSSIBLY FOREVER. That’s because QuickPwn, by its very nature, requires you to already have accepted Apple’s official IPSW, along with its baseband update. If you do that, you will (possibly forever) lose your ability to software-unlock your iPhone 3G.
They say that imitation is the sincerest form of flattery, and so perhaps we should be flattered that so many ad-supported sites are now using our own tools to create unofficial jailbreaks (QuickPwn in particular is so easily adapted from one release to the next that it’s reduced to a handful of binary pattern searches in a good hex editor). But please don’t expect support for them on this blog, because we’re actually busy with the hard part of the 3.0 jailbreak (the 02.28 incompatibility and the new compressed ramdisk they’re using).
Oh, and also the unlock :)
- Itchy update fingers
It almost goes without saying, but we will say it anyway :)
With all of the great stuff lined up for us with the 3.0 OS that Apple described today, many 3G owners may find themselves with itchy update fingers. If you find yourself with access to the 3G IPSW for 3.0 via the iPhone Dev Center program, and you are using yellowsn0w, do not update or restore to that official IPSW. You will lose yellowsn0w and find yourself unable to revert the baseband to get it back.
And for those wondering, yes the 3.0 OS is jailbreakable on all devices. It’s just those using 3G yellowsn0w that have to show some restraint and wait for PwnageTool to create a custom IPSW that avoids the baseband update.
- iPod Touch 2G: Hi, welcome to the jailbreak family
The iPod Touch 2G is now another member of the “pwned for life” family. It has a fatal flaw in its bootrom that means you will always be able to pwn these devices no matter what firmware updates come along. This is the full, untethered jailbreak, something that iPod Touch 2G users have not had before today.
Those of you who hang out on IRC or were able to read between the lines in the various blogs, forums, wikis and twitters may realize that we — and importantly, that’s a collective, cross-team “we” :) — had been hoping to hold onto this full ipt2g jailbreak until the next version of the iPhone came out. That didn’t happen, but maybe it’s too late for Apple to fix the bootrom in the next iPhone.
The raw patch to the firmware that transforms the “tethered” jailbreak into an untethered one was released here, but it’s not yet packaged up into the PwnageTool or QuickPwn flows. Other threads there are pulling together tutorials and other tips for those of you anxious to try this out now. For the curious, the hole itself is explained here. There’s also a “pen and paper” analysis that helped the hybrid team transform the hole into an exploit. Hopefully that will be up for viewing soon too, if only because of its geeky beauty :)
Anyway, to all those iPod Touch 2G users out there who waited so patiently through all the various incarnations of the jailbreak for Apple’s latest device — welcome to the family!
For the rest of us, the jailbreak “cat and mouse” game will continue in the summer with the next iPhone. And the carrier unlock “cat and mouse” game continues as ever. :)
- Close the stable door!
This is the low down on our tools for use with the 2.2.1 firmware from Apple, read the whole post in full before attempting anything. Please note that the Windows version of QuickPwn has been updated to version 2.2.5-2
GOLDEN RULE: If you have a 3G iPhone running 2.2 firmware and you want to keep your ability to use yellowsn0w (or the option to use it in the future) do NOT use QuickPwn, and do not use the official ipsw or the iTunes update process without using PwnageTool.
Yellowsn0w will NOT work with the baseband version (02.30.03) that is present in the recent 2.2.1 update. If you want to use yellowsn0w you will need to create and restore using a custom .ipsw that will allow you to update safely to 2.2.1 without applying the 02.30.03 baseband update. You’ll then have a 3G iPhone running 2.2.1 with an older baseband version that is still vulnerable to yellowsn0w; following these steps ensures that yellowsn0w will still operate.
- Please read all parts of this post before downloading and using these tools.
- Read items 1, 2 and 3 again and again.
- At the bottom of this post are the bittorrent files for the latest versions of PwnageTool and QuickPwn.
- These apps are suitable for the recent 2.2.1 release.
The Yellowsn0w version has been updated to 0.9.7. Yellowsn0w is available from Cydia or Installer - this version allows compatibility with a pwned 2.2.1 system (not baseband). Again, remember 0.9.7 yellowsn0w DOES NOT WORK WITH 2.2.1 (02.30.03) directly - you need to be running a ‘pwned’ version of 2.2.1 which didn’t upgrade the baseband during the restore/upgrade.
- Users of OS X 10.5.6 will be unable to use DFU mode correctly, please see the note towards the end of this post to easily fix this issue.
Baseband 101
The ‘baseband’ is the generic name given to the internal components of the iPhone that handle the phone calls and Internet access. This ‘baseband’ is a tiny and unique independent computer system that runs inside your iPhone; it is separate from the main system that handles the applications (such as email and google maps) and it talks to the main part of the phone over an internal communications network. Think of it like a cable modem or other peripheral that is attached to your home PC that needs occasional updates. When a software update is released and presented to you within iTunes the baseband is sometimes updated (to fix bugs or add new features). The 2.2.1 update for the iPhone 3G contains such an update, so running the vanilla updater straight away with iTunes will reprogram and update the baseband. This could be bad for certain people, depending on your ultimate aim.
SIM Free/SP Unlocked/Factory Unlocked iPhone 3G
This applies if you bought your iPhone 3G for $$$$$$$. This model of iPhone 3G doesn’t have a Service Provider lock (aka factory unlocked) and you are able to put any SIM card into the phone and get service. Your phone is already unlocked so you do not need to worry about baseband updates; simply upgrade to 2.2.1 using iTunes and then use QuickPwn to Pwn and Jailbreak. This will add Cydia and Installer too.
Locked iPhone 3G - Preserve Baseband
This applies if you have a locked iPhone 3G and you wish to update to 2.2.1 but preserve the iPhone’s current baseband software. Preserving the baseband will ensure that you can still use “yellowsn0w”, the iPhone 3G unlock application. To upgrade your phone to 2.2.1 and preserve the state of the baseband you need to create a custom .ipsw with PwnageTool. This custom .ipsw will not contain the baseband update but of course will still give you any new stuff from 2.2.1.
There are plenty of tutorials about this process on the web, but PwnageTool contains intuitive graphics and easy to follow prompts that should have you up and running in no time at all. Please note: PwnageTool is only available for Mac OS X.
Locked iPhone 3G
If you are using your iPhone with one carrier and have no interest in the possibility of an iPhone 3G unlock in the near future then just restore or upgrade to 2.2.1 using iTunes and use QuickPwn to Jailbreak and add Cydia and Installer.
iPhone 2G (1st Generation)
Update or Restore your iPhone 2G with iTunes then run QuickPwn to do the magic, ‘nuff said, you don’t need to worry about anything.
iPod Touch 1G (Original iPod Touch)
Update to 2.2.1 with iTunes and run QuickPwn.
iPod Touch 2G (New iPod Touch)
Sorry, no support at this time, but Redsn0w is being actively researched and developed.
Fixing DFU mode on 10.5.6
As noted previously, OS X 10.5.6 introduced a bug that affected the use of DFU mode with some Macs. There have been previously published hacks and techniques to fix this, but here is another method that can be used to temporarily restore DFU functionality in order to use QuickPwn or PwnageTool.
- You will need an account with ADC (Apple Developer Connection); this is free and takes a few minutes to sign up. You should read the terms and conditions carefully and you should only sign up if you are thinking of developing applications in the future - http://developer.apple.com/mac/
- Download the disk image “IOUSBFamily-315.4-log.dmg” for “Mac OS X 10.5.5 Build 9F33” (yes, that is a “5” in 10.5.5 - this is a developer debug package of the USB kernel extension).
- Unplug non-vital USB equipment, such as external DVD writers, USB scanners and USB mass storage devices; at most leave a keyboard and mouse connected.
- Install IOUSBFamily-315.4.1.pkg from within the disk image.
- Reboot your system!
- Perform necessary DFU activity with QuickPwn or PwnageTool.
- Download the disk image “IOUSBFamily-327.4.0-log.dmg” for “Mac OS X 10.5.6 Build 9G55”.
- Install IOUSBFamily-327.4.0.pkg from within the disk image.
- Reboot your system!
- Reattach your USB peripherals.
Official Bittorrent Releases -
- PwnageTool 2.2.5 for Mac OSX is here SHA1 Sum - 8fe2f20c00f48b37d8262d6872a12166c6e165ba
- QuickPwn 2.2.5 for Mac OSX is here SHA1 Sum - 2f1353242ef10dc408e95786643e497fcd04e4ea
- QuickPwn 2.2.5 for Windows: use 2.2.5-2 instead (below)
- QuickPwn 2.2.5-2 for Windows is here SHA1 Sum - 82aae63218316af42e4fa20f8c69d9eb4fe9d4ee
Unofficial Mirrors
The following links are unofficial download mirrors. You download these at your own risk; we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or, even worse, if your hands fall off mid-way during the use of these archives. We do not check these links or archives and we accept no responsibility with regard to the validity of the files, or with other content these links provide or with the content that is on the linked site. Always check the published SHA1 sums. We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must. Mirror owners should email direct links only to blog@iphone-dev.org, please don’t place mirrors in the comments as they will be deleted.
Mac PwnageTool
Mac QuickPwn
Windows QuickPwn
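Because the post tells you to always check the published SHA1 sums before trusting a mirror, here is an added Python example (not Dev Team code) that streams a downloaded archive through SHA-1 and compares the result against the sums published above. The release labels used as dictionary keys are my own; the sample file used for the check is constructed, since the real archives are not included.

```python
"""Verify a downloaded PwnageTool/QuickPwn archive against the published SHA1 sums."""
import hashlib
import hmac
import os
import tempfile

# SHA1 sums exactly as published in the post; the labels are assumed names.
PUBLISHED_SHA1 = {
    "PwnageTool 2.2.5 (Mac OS X)": "8fe2f20c00f48b37d8262d6872a12166c6e165ba",
    "QuickPwn 2.2.5 (Mac OS X)": "2f1353242ef10dc408e95786643e497fcd04e4ea",
    "QuickPwn 2.2.5-2 (Windows)": "82aae63218316af42e4fa20f8c69d9eb4fe9d4ee",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so a large archive never has to fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_published(digest):
    """Return the release whose published sum equals `digest`, or None if no match."""
    digest = digest.strip().lower()
    for name, published in PUBLISHED_SHA1.items():
        if hmac.compare_digest(digest, published):
            return name
    return None


def verify_download(path, release):
    """True only if the file at `path` hashes to the published sum for `release`."""
    return hmac.compare_digest(sha1_of_file(path), PUBLISHED_SHA1[release])


if __name__ == "__main__":
    # Constructed sample: a file from an untrusted mirror whose contents are wrong.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"not the real QuickPwn archive")
    try:
        print("matches:", match_published(sha1_of_file(tmp.name)))  # None: reject it
        print("valid 2.2.5-2:", verify_download(tmp.name, "QuickPwn 2.2.5-2 (Windows)"))
    finally:
        os.unlink(tmp.name)
```

A file that hashes to none of the published sums should be discarded, whichever mirror it came from.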
- Hold your horses!
There is an iPhone and iPod update available in iTunes - it is numbered 2.2.1 (5H11a).
Please DO NOT update. We will investigate and report back to you ASAP.
Update 1: Here’s a video overview of what this update means.
- Thermonuclear pop!
- Well it isn’t a British Thermonuclear Device.
- It isn’t an episode from “The Twilight Zone”
- And it certainly isn’t iPhone 3G related (right now)
- There is one other device…
- It fits in your pocket..
- What can it be?
Update 1: Here is the first screenshot of a jailbroken iPod Touch 2G. Right now the jailbreak process is far too manual to be useful to most people. But this is a first step (well, second step if you include the initial exploit).
When we announced yellowsn0w, we made the mistake of giving an ETA for its release…and that really clobbered the last day of 2008 for us. So we won’t be issuing a formal ETA for the ipt2G jailbreak. But we are putting a lot of energy into it.
Update 2: A picture is worth a 1000 words but a video might be better in this day of Photoshop and fake YouTube videos. So we’re thinking of doing what we did before Christmas for yellowsn0w — show a demo of the jailbreak on Musclenerd’s Qik account (announced via his twitter account over there on the right hand side). Since Qik provides a live chatroom right next to the video, we’ll probably be in there too right after the video’s over. Note: anybody posing as any devteam member on that chat right now is faking it. We won’t be on that chat except for a very specific time that we’ll announce. (We may possibly not even do the chat since it’s so ripe for abuse).
Update 3: It looks like we’ll do the Qik broadcast on Saturday afternoon (California time). It’ll be announced through MuscleNerd’s twitter. Unfortunately the Qik chatroom seems unmanageable, with no way to control the nicknames being used. So we’ll avoid it altogether — nobody on the Qik chat claiming to be us is actually us, so please don’t be fooled.
Update 4: The demo video is now available. NOTE: NONE OF THE DEVTEAM WILL EVER BE IN THE QIK CHATROOM. There’s no way to prevent people from taking any name they want there. Anyone you see there with our names is a fake.
Update 5: “Caleb Mingle” has done a nice job collecting our answers to the questions everyone’s been asking and re-asking. Check out Caleb’s FAQ.
- What a week!
What a week it’s been for the 3G unlock! Here’s where we’re at:
Past
- As predicted in our beta release post, expanding yellowsn0w from dev team testing to worldwide usage revealed some unexpected situations.
- Thanks to specific feedback from you on our reporting page, we’ve been able to tweak the method by which yellowsn0w injects the unlocking payload. We believe we’re converging on a method that works for most cases.
Present
- The current beta version of yellowsn0w is 0.9.6, available via Cydia. Please refer to our beta release post for more technical info about how to install and use it.
- Although ultimately the payload is the same as in the very first beta, we’ve changed the way that it’s injected into the baseband.
- Although some of you have invested time and energy in coming up with a very specific flow that works for you, the best way to first try 0.9.6 is as-provided, straight out of the box with no special usage around it.
- Please continue to provide feedback on our reporting page so that we can iron out wrinkles.
Future
- One major feature we have left to provide support for is PIN locking. We have dabbled in this a bit and think we have a solution, but want to make that a separate effort from making yellowsn0w work with as many SIMs as possible.
- At that point, we can probably declare yellowsn0w out of “beta” status.
- The “permanent” unlock is still the ultimate goal for some of us. We’d like to break the chain of trust a bit earlier in the boot process (if only for the fun in trying).