Dev-Team Blog

In Memoriam: Ben “bushing” Byer

Tue, 09 Feb 2016 09:08:32 -0800

We are deeply saddened by the news that our member, colleague, and friend Ben “bushing” Byer passed away of natural causes on Monday, February 8th.

Many of you knew him as one of the public faces of the iPhone Dev Team, Team Twiizers and fail0verflow.

Outspoken but never confrontational, he was proof that even in the competitive and oftentimes aggressive hacking scene, there is a place for both a sharp mind and a kind heart.

To us he was, of course, much more. He brought us together, as a group and in spirit. Without him, we as a team would not exist. He was a mentor to many, and an inspiration to us all.

Yet above anything, he was our friend. He will be dearly missed.

Our thoughts go out to his wife and family.

Keep hacking. It’s what bushing would have wanted.

Restoration reinvigoration

Sat, 13 Oct 2012 21:42:00 -0700

Today we’re pleased to release redsn0w version 0.9.15b1, with significant new features supporting restoring to older firmware no longer being signed by Apple. For brevity, we’ll list most of the new features in bullet form. For more details, please feel free to drop by our comments section, or check out any upcoming guides on tutorial sites like http://iclarified.com

First, the high-level new feature list:

restore from any 5.x iOS to any other (up, down or the same) 5.x iOS on all devices as long as you have the correct blobs (see more below)
Cydia now included in the tethered 6.0 jailbreak on A4 devices
automatically “Just Boot” tethered when qualifying A4 device connects in DFU mode
untethered 6.0 jailbreak on old-bootrom 3GS
untethered 6.0 hactivation on any 3GS or iPhone4
directly restore pre-A5 devices to earlier firmware – no more complicated 15-step how-to’s with stitching, iTunes errors, and “hosts file” concerns
fetch new signed blobs for any IPSW (present or future – no redsn0w update required) using Extras->SHSH Blobs->New
block the BB update for any 3GS or iPhone4 restore (past, present, or future – no redsn0w update required) using Extras->Even More->Restore
deactivate any iPhone, useful for testing your “official” unlock status through iTunes. (Please only deactivate your own iPhone!)
activation status shown on “Even more” page
significantly more (very nerdy) info returned by “Identify” button when device is in Normal mode
tethered jailbreak of ATV2 supported (but the only thing available for it is the SSH2 custom bundle available here – no Cydia yet. Must use “Select IPSW” for tethered boot of ATV2 for now).
auto-exit WTF mode for older devices with broken buttons
any time a set of blobs is fetched remotely (from Apple or Cydia), redsn0w also saves them locally (and will check there first if you click “Local”)
for your future restoring convenience, you should also submit all of your past and present TinyUmbrella blobs to Cydia if you haven’t done so yet. Resubmitting is okay and won’t cause conflicts.

Here are more details on the iOS5-to-iOS5 restores for A5+ devices. (Note: pre-A5 devices don’t have these restrictions – just follow the redsn0w prompts during the restore).

1. redsn0w now lets you restore an A5+ device from any iOS5 to any other iOS5 as long as you have correct 5.x blobs for the starting (current) and ending points of the restore

APtickets eliminated “higher-version only” comparison of firmware restores (just like BBtickets did for the baseband)
example restores supported by redsn0w if you have the correct blobs: 5.1.1-to-5.0.1, 5.0.1-to-5.1.1, 5.1.1-to-5.1.1, 5.0.1-to-5.0.1
if you don’t have the blobs locally, let redsn0w try to fetch them remotely (redsn0w always tries both Apple and Cydia). Any succesful remote fetch also saves a local copy too.

2. You DO NOT QUALIFY for iOS5-to-iOS5 restores if you got to your current 5.x via an OTA update

the tickets saved by Cydia, redsn0w, and TinyUmbrella do not cover OTA update ramdisk images
even if they did, it’s the “wrong kind” of ramdisk (you’d need to start at that earlier pre-OTA FW)
devices fresh from factory or refurb may fall in the “does not qualify” category (your results will vary)
it’s okay if you previously got to 5.x via an OTA update, as long as your current 5.x was installed via a normal iTunes restore. All that matters is how you got to your current 5.x most recently
redsn0w detects an OTA/normal-restore APticket mismatch very early, so if you don’t know your status there should be no harm in trying. Any device in recovery mode after such a mismatch can boot normally again just by going back to “Even More” screen from the “Restore” screen (or use “Recovery Fix” if you quit redsn0w before doing that).

3. Unlike the A4 devices, redsn0w can’t (usefully) prevent the baseband updates of A5+ iPhones and iPads.

and so, redsn0w automatically flashes the currently signed baseband when it does A5+ restores, even if those basebands didn’t come with the original firmware
stay away from this if you have an unofficial unlock that isn’t supported by the newest baseband
the least-tested baseband update code in redsn0w is for iPad2,3 and iPad3,2. Please give any feedback on those iOS5 restores in the comments section below.

4. iPad2 owners (all three models) with saved 4.x blobs can use those instead, even from 6.x

if you have both 4.x and 5.x iPad2 blobs, you can always get to 5.x via the 4.x blobs, even if you’re currently on 6.x
you cannot get to 5.x from 6.x without the 4.x blobs (but you may still qualify for the iOS5-to-iOS5 restore described above)
if somehow you have 4.x blobs but no 5.x blobs, you can still go down to 4.x from 6.x
this only applies to iPad2 owners (they’re the only A5+ devices that ever had a public 4.x FW)
redsn0w still supports (but doesn’t require) jailbreaking A5+ devices at 5.0.1 and 5.1.1. Just head back to the first page after re-restoring to 5.x. It’s always much faster to jailbreak those FW versions with a freshly-restored device, before letting iTunes restore from a saved userland backup.

And finally, some random details:

5. ultrasn0w isn’t yet updated for 6.x

by now you probably should be taking advantage of the extremely cheap IMEI-based unlocks of iPhones sold by established online retailers like http://cutyoursim.com
still, IMEI-based unlocks don’t work in all cases. We’ll announce when ultrasn0w is ported up to 6.x
redsn0w will still hactivate your 3GS or iPhone4 if you run it before the device is activated. Due to the current tethered 6.x JB status, redsn0w now hactivates 6.x without requiring subsequent tethered boots. If you accidentally hactivate with redsn0w, use the “Deactivate” checkbox available from the Jailbreak screen, not the normal one in “Even more”

6. As always, redsn0w lets you “Fetch” the SHSH blobs currently flashed onto your pre-A5 device

use this if you’re at 5.x or 4.x but without having saved your blobs when the window was open
this is only useful when Apple is no longer signing the firmware, otherwise Cydia/redsn0w “New”/TinyUmbrella blobs are superior (but you’re welcome to fetch your 6.0 blobs this way anyway)
fetching blobs in this fashion will automatically forward them up to Cydia, as well as save a local copy

We realize there’s a lot of info in this post. If you’re at all confused about things remember to visit our comments section, with our very helpful user base and moderators like dhlizard, Frank55, 41willys, and slavakulikoff.

If you’re in the Melbourne, Australia area, MuscleNerd (and another anonymous long-time Dev Team member) will be giving some talks at the Breakpoint conference http://www.ruxconbreakpoint.com this week. And @mdowd’s iOS talk at the same conference should be quite interesting too! We’ll also all be attending Ruxcon a few days later, so say hi if you see us!

Update #1 (Oct 15): Version 0.9.15b2 fixes a few issues for 3GS owners: old-bootrom awesomeness is no longer forgotten directly after a restore, and iPad baseband upgrade/downgrade support is fixed (same production date cutoffs apply!). If your 3GS is currently tethered at 6.0 even though you have an old bootrom, just re-run redsn0w’s Jailbreak step (no need to restore). Don’t forget you can add some pizzaz with your own boot logo or a nerdy verbose boot.

Update #2 (Nov 1): Version 0.9.15b3 fixes the redsn0w “error 2601” that Windows users were seeing using the Restore button. It also fixes a related Windows iTunes error 14 for stitched files. Note that if you have a baseband, you should probably avoid stitching and simply use redsn0w’s native Restore (not iTunes).

Those lucky recipients of new iPad minis and iPad4s on Friday can use this redsn0w to save your 6.0 blobs off to Cydia. First connect your new device and turn it on, then use redsn0w’s Extras->SHSH Blobs->New and point it at the 6.0 IPSW.

Expect an ultrasn0w compatibility update for iOS 6.0 by Friday (mostly useful for 3GS old-bootrom users who are currently enjoying the untethered 6.0 jailbreak!). Same baseband support as with 5.x.

Thanks to @iamgolfy for helping test the 2601 Windows fix!

Here are the download links. Enjoy!

redsn0w 0.9.15b3 (OS X – use Ctrl-Click->Open if on Mountain Lion for now)
redsn0w 0.9.15b3 (Windows – run in Adminstrator Mode)

Blob-o-riffic

Wed, 19 Sep 2012 11:22:00 -0700

Today marks the public release of iOS6! For those devices capable of running 6.0, the 5.1.1 SHSH blob signing window will soon close, so it’s very important that you backup your 5.1.1 blobs now while you still can. We advise you do it for every device you have (see tutorial sites like iClarified if you don’t know the process).

A few months back we released a redsn0w feature that lets you downgrade A5+ devices from 5.1.1 to anything lower (if you had saved blobs). Unfortunately once the 5.1.1 window closes, redsn0w’s 5.x downgrade feature will no longer work. Most A5+ users will not be able to downgrade. So if you’re an A5+ owner up at 6.0 when the 5.1.1 window closes, you’ll be stuck there without a jailbreak for now.

We’re happy to report there are some serious deficiences in the 5.x restore process that are permanently exploitable. They’ll never be fixable by Apple because they’re all self-contained in the 5.x IPSWs. Here’s the breakdown:

A4 devices and 3GS will always be downgradable (and jailbreakable) with saved blobs due to limera1n. The tethered iOS6 jailbreak for those devices (and untethered for old-bootrom 3GS) will be out when Cydia and other important pieces are all working properly.
iPad2 owners who have both 4.x blobs and 5.x blobs will always be able to downgrade to those versions, even once you come up to 6.0 and the 5.1.1 window closes (don’t do that yet though!). You need both 4.x and 5.x blobs to qualify for the 5.x downgrade even though you only wish to downgrade to 5.x (you need only your 4.x blobs to downgrade to 4.x)
iPad3, i4S (and iPad2 owners who don’t satisfy #2) will always be able to RE-restore the current 5.x OS that’s already on their device. So if you’re at 5.1.1 when the window closes (and you’ve saved your blobs), you’ll always be able to RE-restore to 5.1.1 again. This makes the 5.1.1 jailbreak a lot less fragile – you don’t have to worry about messing up your install with funky extensions or getting into a boot loop, because you can always RE-restore from 5.1.1 to 5.1.1 again (or from 5.0.1 to 5.0.1 again, etc). But once you fall off the 5.x train by restoring to 6.x, you’ll be stuck there until the next jailbreak.

Please be aware that RE-restores and iPad2 downgraded devices will always end up with the latest baseband (not the one that came with that firmware). So don’t go near any of this if your unlock depends on the baseband version.

All of these features will be released shortly in a new version of redsn0w. In the meantime please be sure you have your 5.1.1 blobs and stay at 5.1.1. Happy iOS6 day!

Update #1: For a refresher on why saved blobs are not as powerful as they used to be, please see our Blob Monster post (the scenarios described above are possible only due to mistakes made by Apple, but those mistakes are being cleaned up with each new firmware).

Baseband Freedom

Wed, 04 Jul 2012 20:07:00 -0700

Happy 4th of July! Today’s release of redsn0w 0.9.14b2 improves the iPad baseband downgrade and should cover anyone who couldn’t downgrade with 0.9.14b1. This version covers 3 different types of NOR chips in the iPhone 3G and 3GS (the earlier version covered only the most prevalent NOR chip). We’ve also simplified the process and added logging to help diagnose any remaining stubborn iPhones.

The revised steps are:

Connect your iPhone in normal mode, then click “Jailbreak” after redsn0w identifies its model and BB version (you needn’t pre-select the IPSW anymore).
Choose the “Downgrade from iPad baseband” option (you needn’t worry about de-selecting Cydia anymore).
Do a controlled “slide to power off” shutdown of your phone and proceed through the normal DFU ramdisk steps.

Should the downgrade fail to take, feel free to leave the redsn0w log in the comments below. Use the “Extras->Even more->Backup” button to grab a copy of /var/mobile/Media/redsn0w_logs, then extract the log text file(s) from the zip and paste them into the comments (currently that log file is generated only during baseband downgrade runs).

NOTE: The original warning about 3GS units manufactured in early 2011 or later still holds! They have a NOR chip that’s incompatible with 06.15.00 and so trying to install it will brick the device. Please read and re-read the warning in our earlier post.

Thanks to bobmutch, @healeydave and @dilbert4life for lending us their iPhones to improve the baseband downgrade!

DFU IPSW

We’ve gotten a lot of feedback from users who can’t launch a DFU ramdisk because their iPhone home/power buttons are broken or intermittent. We’ve added a new redsn0w feature that lets you enter DFU mode as long as your phone is healthy enough to restore to a normal, everyday IPSW. You don’t need to be already jailbroken to use this method.

In redsn0w, go to “Extras->Even More>DFU IPSW” and select an IPSW that is currently being signed for your device and that you’d normally be able to restore to without any hacks. redsn0w will create an “ENTER_DFU_” version of the IPSW that you can restore to just like any other IPSW, except that now you’ll be dumped into DFU mode towards the end of the restore (WARNING, your screen will remain completely black…the only way to even know its on is that iTunes and redsn0w will detect it!). The technique used by this feature is 3 years old but surprisingly still works today!

Update #1 7/25/12: redsn0w is compatible with today’s retail release of Mountain Lion OS X 10.8. Until we start using an official developer ID for it (!), you’ll need to use the new Ctrl-Click-Open security bypass the first time you run it after downloading.

Here are the download links. Enjoy!

redsn0w 0.9.14b2 (OS X)
redsn0w 0.9.14b2 (Windows – run in Administrator Mode)

0615 fun

Sun, 17 Jun 2012 23:54:00 -0700

The iPhone Dev Team is happy to announce a baseband downgrade option in redsn0w for those who are using the iPad’s 06.15 baseband on the iPhone3G or iPhone3GS.

Typically you’d have the 06.15 baseband if you unlock with ultrasn0w but updated your iPhone baseband past 05.13.04. With this new capability, you can now downgrade specifically from 06.15 to 05.13.04 (even if you never had 05.13.04 on that device before). This gives you the best of both worlds: ultrasn0w compatibility and a normal iPhone baseband with full GPS and the ability to use stock IPSWs again.

Here are the steps:

Use the “Extras->Select IPSW” button in redsn0w to tell it which firmware version you have installed (new-bootrom 3GS users can usually skip this step but it doesn’t hurt for them to do it too).
Do a controlled shutdown of your iPhone (“slide to power off”). This step is very important to avoid mount problems when the ramdisk is running!
Go back to the first screen and click “Jailbreak”. Enable the “Downgrade from iPad baseband” checkbox, disable Cydia if you already have it installed, and click Next to proceed through the normal DFU ramdisk steps.

After the ramdisk gets launched and you see the Pwnapple running on your iPhone, you’ll eventually get to the “Flashing Baseband” step. THIS STEP TAKES A VERY LONG TIME to complete and there won’t be any feedback while its running. Please just let it be for the next 3-8 minutes! When the ramdisk has done its job it will reboot the phone on its own.

For those who are wondering if you can update your 3G or 3GS to 06.15 solely for the purposes of downgrading to 05.13.04, the answer is “yes” for 3G owners, and “maybe” for 3GS owners. The iPad baseband is not compatible with 3GS units manufactured week 34 of 2011 or later. If you have an iPhone3GS and if digits 3-5 of its Serial Number are 134 or later (xx134…), then you should NOT try to install the 06.15 baseband on your 3GS! It will brick your radio, preventing both the downgrade from working and normal iPhone software from using it as a phone! Be warned!

Thanks very much to @dilbert4life for graciously loaning us his 3GS at 06.15 (we had no such devices because we always prevent BB updates!)

If you have any questions or comments, please use our comments section below!

Here are the download links. Enjoy!

redsn0w 0.9.14b1 (OS X)
redsn0w 0.9.14b1 (Windows – run in Administrator Mode)

Update #1: If you’re still using ultrasn0w after going down to 05.13.04, many people have reported that re-installing Mobile Substrate and/or ultrasn0w fixes crashes and “No Signal”.

Update #2: There’s a subset of 3GS iPhones that won’t take the downgrade. We now understand why (they use a slightly different NOR chip), and should be receiving a loaner of such a phone on Thursday the 28th. ~~After we have one in hand we’ll tweak the redsn0w payload to handle that variation too!~~ The improved downgrader is now available here.

Pre-DC

Mon, 04 Jun 2012 03:01:00 -0700

With only a week to go before WWDC 2012 and the surprises Apple will announce there, today seems like a good time to release updates to our suite of free software to include the rocky-racoon jailbreak and untether developed by @pod2g and @planetbeing! Today’s updates are:

PwnageTool 5.1.1
redsn0w 0.9.12b1
cinject 0.5.4 (version 0.5.3 also had rocky-racoon but this includes some updates)
ultrasn0w 1.2.7 (5.1.1 compatibility only - no new baseband support)

If you’ve already installed rocky-racoon, don’t bother reinstalling it unless you’ve had problems and would like to try a different tool. The underlying untethered jailbreak (rocky-racoon) is identical to what is already installed by last week’s tools like Absinthe, cinject-0.5.3, and the rocky-racoon Cydia package – only the injection method offered by the above tools differs.

redsn0w allows owners of A4+earlier devices to install rocky-racoon two different ways:

backup/restore method similar to Absinthe and cinject
its traditional limera1n-based ramdisk install. If you have a lot of media on your A4 device (music, movies, TV shows, etc), then the ramdisk method is preferrred because it avoids any possibility of later problems related to syncing to iCloud (including Photo Stream and Music Match). The ramdisk method is not available for A5 devices or later because limera1n can’t be used. If you’d like to use redsn0w’s ramdisk method, just be sure to put the A4 device in DFU or Recovery mode before starting redsn0w (otherwise it will immediately start to use the backup/restore method).

We’ve also added a new redsn0w feature specifically for those who got in on the SAM unlock: you can now include your SAM tickets as part of your initial ramdisk jailbreak of iPhone4 or earlier, or alternatively you can upload your SAM tickets to any device after its been jailbroken. redsn0w accepts either the individual SAM activation ticket plist file, or the entire zip file created by redsn0w’s “Backup” button. As usual, redsn0w continues to cover all of its previous jailbreaks and untethers (so redsn0w-0.9.12b1 covers everything from 5.1.1 all the way back to 4.1).

PwnageTool also avoids any possible sync issues, but again it applies only to A4+earlier devices. If you unlock your iPhone with ultrasn0w or a commercial method, you must use PwnageTool to avoid updating your baseband otherwise you’ll lose the unlock. PwnageTool will also jailbreak+untether the AppleTV2,1 5.0_2B206f (unless you customize the IPSW further, you’ll have just basic SSH access to the device).

If you’d like to contribute to those that actually developed rocky-racoon, please visit here (any other links you may see are not going to the actual rocky-racoon developers, they’re being diverted to other “related” or fraudulent accounts).

This particular jailbreak brought an unusual amount of fanfare and hoopla to the table, including “press releases” and other haughty silliness. We’d just like to take this opportunity to remind everyone that jailbreaking is about freedom, not fame and donations!

Here are the download links. Please use our comment section below to give feedback. Enjoy!

Update #1: Starting with version 0.9.12b2, redsn0w will now explicitly ask users with limera1n-able devices whether they want to inject rocky-racoon using the DFU ramdisk method or the backup/restore method (the ramdisk method is better for those with lots of media on their device that would create very large backups, and it’s required for those with unactivated iPhones). If you’ll always want to use limera1n, you can select that in the Preferences pane. It also fixes an iBooks issue on old-bootrom 3GS iPhones, and provides more useful error messages when things go wrong.

PwnageTool 5.1.1 (OS X)
redsn0w 0.9.12b2 (OS X)
redsn0w 0.9.12b2 (Windows – run in Administrator Mode)
cinject 0.5.4 (OS X + Windows)
ultrasn0w 1.2.7 – install this via Cydia

5x redux

Fri, 11 May 2012 03:06:00 -0700

What’s old is new again!

Jailbreakers with devices that pre-date the iPad2 will always be able to downgrade (with SHSH blobs) to previous firmware versions due to geohot’s limera1n exploit, which allows us to bypass the restrictions that Apple places on restores. But until now, that ability has been limited to those older devices (if you have an older device and don’t know how to do that, check the popular tutorial sites or ask in the comments below).

Starting with redsn0w version 0.9.11b1, those with newer devices (iPad2, iPad3, and iPhone4S) can join the downgrade fun too! In a radical departure from previous versions of redsn0w, it now directly supports restoring IPSWs to your device. The first use of this new feature implements a hack that allows A5 downgrades without a bootrom-level exploit.

Some important points:

The new feature is at Extras->Even More->Restore
You cannot downgrade without the personalized SHSH blobs for your device at that lower firmware. You need to have fetched those blobs while the signing window was open, using either Cydia’s built-in TSS@Home feature, or with TinyUmbrella. The new Restore screen of redsn0w lets you choose either the remote blobs or local ones (for the earlier firmware). If you don’t know where TinyUmbrella put your blobs, TinyUmbrella has a button that will show you (copy them out of that folder and feed them to redsn0w).
The A5 downgrade method actually updates to the latest firmware before downgrading to the earlier one. This process updates your baseband to whatever is newest. DO NOT USE THIS METHOD IF YOU RELY ON UNOFFICIAL UNLOCKS of your iPhone4S. Those who used the temporary SAM technique to unlock their iPhones to specific SIMs shouldn’t be affected by this baseband update.
This method can be fixed by Apple with a firmware update. It’s a (pleasant) mystery why they haven’t fixed it yet, because reverse-engineering of the restore ramdisk indicates they do know about it. It’s possibly too niche to bother to fix right now.
The least-tested devices with this method are the iPad2,3 and iPad3,2 (because we don’t have those models). If you do and you feel like experimenting, please let us know how it turns out in the comment section below!
This update involves a bunch of new redsn0w code. We recommend sticking to the previous version 0.9.10b8b unless you’re specifically using this new feature, until all the bugs are worked out! (Note: If redsn0w gets stuck at the “Waiting for device” stage for more than 30 seconds, you’ve hit a pesky GUI bug…that will be fixed in an upcoming version!)

Of course all eyes are on @pod2g for his upcoming 5.1 untethered jailbreak. Watch his blog or twitter feed for the latest updates about that, but in the meantime if you accidentally updated your jailbroken A5 device to something later than 5.0.1, feel free to try this new A5 firmware downgrade feature of redsn0w!

Update #1: We accidentally left out one of the two flavors (“9A406”) of 5.0.1 for iPhone4S. It’ll be in the next update, but in the meantime check if Cydia or TU saved your blobs for the other 5.0.1 for iPhone4S (“9A405”). Version 0.9.11b2 adds support for that second “9A406” flavor of 5.0.1 for the iPhone4S.

Update #2: Version 0.9.11b3 should fix the spurious “Restore failed” messages people were sometimes getting, and it behaves better with nearby devices that have wifi syncing enabled!

Update #3: Version 0.9.11b4 completes the tethered JB support for 5.1.1 on A4 devices and earlier, including proper “Stitching” and “Custom” creation of NO_BB IPSWs.

Here are the redns0w download links:

redsn0w 0.9.11b4 for OS X
redsn0w 0.9.11b4 for Windows (be sure to run in Administrator mode)

iPad(3) Fever!

Thu, 15 Mar 2012 21:11:00 -0700

Despite the awkward name Apple announced last week for the new iPad (we’ll continue to call it iPad3!), by all signs it’s going to be another big hit. We suspect many of you are lined up at this very minute, and so it’s a good time to give you some info for maximizing your chance to eventually jailbreak the iPad3.

There are a few bits of good news already.

We can confirm that the method used to jailbreak the iPad2 4 months ago (before corona) still works even in 5.1. That means we’ll at least be able to get our foot in the door to get the required kernel dumps on the iPad3. That’s an important step, but by no means is it the end of the story.
Those of you following @i0n1c may have noticed he’s already tweeted pictures of his iPad2 jailbroken at 5.1. As far as we know, he’s using a method completely unrelated to the one mentioned above. That would be great news!
We’ve also seen bits and pieces of an entirely different jailbreak method being investigated by someone close to the Cydia repo scene: @phoenixdev

That’s three different angles, and we’re not even including the continuous work @pod2g makes towards a new jailbreak! As always, keep in mind this is very preliminary progress, and it’s impossible to predict how or when these things turn out. The only thing you need to remember is the golden rule:

Don’t update your new iPad3 past whatever iOS it comes shipped with

By the way, it’s rare but entirely possible that some of you may find your iPad3 comes with an iOS version that’s not quite 5.1. If you do, be sure to let us know in the comments below!

Update #1: It turns out that all three of the jailbreak methods mentioned above have had great success today! We’re off to a good start (but remember there’s still lots of work to do)!

March Mayhem

Wed, 07 Mar 2012 09:30:00 -0800

As the whole tech world waits for today’s Apple Event, it seems like a good time to remind both veteran and amateur jailbreakers about the fundamental rule of jailbreaking: Avoid firmware updates!

In all likelihood we’ll see the GM “gold master” version of 5.1 this week. DO NOT UPDATE TO 5.1, because you may lose your jailbreak! The rest of this post details the subtleties with this rule, but if there’s only one message to take home, it’s the overall “do not update” message! Now for the nitty gritty exceptions:

Soon after 5.1 appears on Apple’s public servers (i.e. iTunes starts to offer it), Apple will stop signing 5.0.1 SHSH blobs.
If you have an iPhone4S, the basic rule above is really the only rule: you cannot restore back to 5.0.1 once the 5.0.1 signing window is closed, no matter what (even if you saved your SHSH blobs).
If you have an iPad2 with saved 4.x hashes, you can in fact downgrade to that 4.x but you won’t be able to get to 5.0.1 once the 5.0.1 signing window is closed (even if you saved your 5.0.1 SHSH blobs).
If you have a device earlier than the iPad2, you can downgrade to whatever version you want, as long as you have saved SHSH blobs for that version. You’ll need the assistance of geohot’s limera1n exploit with tools like redsn0w to get into “pwned DFU mode” and bypass the downgrade restriction.

As you can see, it really is a nuanced landscape so it’s sometimes hard to drive the message home to new jailbreakers. But the basic rule is the simplest (and it’s better to be safe than sorry!): If you update to 5.1 you’ll very likely lose your jailbreak, so don’t do it! Exceptions are noted above.

Now let’s see what Apple unveils today!

Update #1: First, please read and re-read the above warnings! With all of that in mind, we realize that some of you non-A5 jailbreakers are itching to get to 5.1, even though there seems to be no compelling new feature there. Because of geohot’s limera1n exploit, those with devices earlier than the iPad2 can test the 5.1 jailbreak waters if they really want to, using redsn0w 0.9.10b6. Here’s what you need to know:

This is a *tethered* 5.1 jailbreak for non-A5 devices. You’ll need to use redsn0w to “Just Boot” your device every time it power cycles, otherwise jailbreak apps won’t work (neither will Safari).
If you use ultrasn0w for your carrier unlock, be sure to use a custom IPSW to get to 5.1 first! Don’t ever restore to a stock Apple IPSW! Use redsn0w’s “Custom IPSW” button to create a NO_BB_* version of the 5.1 IPSW and restore to that instead of the stock one. (That option is available only to 3GS and iPhone4-GSM owners.) ultrasn0w itself will be updated for 5.1 in the next few days (same baseband support, not 5.1’s baseband).
If you’re lucky enough to have an old-bootrom 3GS, this jailbreak is actually untethered (redsn0w will figure that part out automatically).
While we were at it, we added @pod2g’s steaks4uce exploit to support MC models of the iPod touch 2G (whose last firmware was 4.2.1). So now redsn0w will auto-detect and jailbreak both MB and MC versions of that older device.
iBooks won’t work until a future update of redsn0w

Update #1b: The OS X version of redsn0w has been updated to fix an issue for those running OS X 10.5.x or earlier.

Update #2: Version 0.9.10b7 of redsn0w adds a collection of useful features: It finally implements the corona-A5 jailbreak for iPhone4S and iPad2 devices still at 5.0.1. It can also re-install that jailbreak for those who accidentally uninstalled the untether. When stitching an IPSW, it can now grab your blobs directly from Cydia. It now shows a lot more info about your device (for instance, whether your iPhone3G has the vulnerable baseband boot loader, or whether your iPhone3GS has the old exploitable bootrom. (And the next new feature to be added will be built-in restore support, to provide an alternative to iTunes restores.)

Update #3: redsn0w 0.9.10b8 adds the ability to backup arbitrary directories or files from your device into a zip file on your Mac or PC. The new button is Extras->Even More->Backup and it requires your device to be jailbroken with the afc2 service enabled (most jailbreaks include that). By default it will backup your activation records from /var/root/Library/Lockdown, which is useful for everyone taking advantage of today’s SAM unlock using Loktar_Sun’s trick (more on that in a later post!).

Update #3b: The 0.9.10b8b update to redsn0w makes the zip files more compatible with the native Windows explorer (which doesn’t like leading slashes in the filenames).

Here are the redns0w download links:

redsn0w 0.9.10b8b for OS X
redsn0w 0.9.10b8b for Windows (be sure to run in Administrator mode)

Welcome new A5 jailbreakers!

Mon, 23 Jan 2012 10:44:14 -0800

Here’s a quick breakdown of how many A5 owners have jailbroken their devices since Friday morning. The numbers as of Monday afternoon are:

491,325 new iPhone4,1 devices
308,967 new iPad2 devices
152,940 previously jailbroken (at 4.x) iPad2 devices

Total: 953,232 new A5 jailbreaks in a little over 3 days

The reason these numbers can be so precise is that one of the housekeeping activities that happens when you launch Cydia is a query to @saurik’s server for the list of available SHSH blobs. (Even if you have none on file, the query is still made).

Welcome to the jailbreak family!

P.S. Remember the cardinal rule of jailbreaking: never update your firmware until a new jailbreak is available. This is especially true for A5 owners, who currently have no way of restoring to 5.0.1 once the 5.0.1 SHSH blob signing window is closed.

Corona A5 jailbreak nearly ready to pop!

Thu, 19 Jan 2012 23:18:00 -0800

Ever since the December release of @pod2g’s “corona” untether for iOS 5.x on A4 and earlier devices, all eyes have been on the attempts to extend it to the A5 devices: the iPhone4S and iPad2. Due to the combined efforts of @pod2g and members of the iPhone Dev Team and Chronic Dev Team, we’re nearly ready for a general release! All technical hurdles dealing with the underlying technique have been overcome, and it’s now all about making the jailbreak as bug free as possible.

On his blog, @pod2g playfully nicknamed the combined effort a “dream team”. It’s an ironic name, because the past few weeks have left everyone involved with very little sleep and the opportunity to dream :) But we’re now near the final stages of testing the public version of the jailbreak. Please allow time to clean up any remaining bugs in the jailbreak clients.

Jailbreak programs:

To be as flexible as possible, the A5 version of the corona jailbreak will take multiple forms:

Chronic Dev have incorporated the overall flow into a GUI that runs on your Mac or PC. The goal is for the GUI to be enough for most cases.
iPhone Dev have also incorporated the exact same flow into an alternative command-line interface (CLI). This will allow us to help users through individual steps of the jailbreak manually, to both help the user and help improve the overall flow. Although the CLI will also allow the user to perform the entire jailbreak from beginning to end, we anticipate it will be more useful in debugging the occasional errors. The CLI currently has over 20 individual options (in addition to the single “jailbreak” option) that should be useful during debug after the GUI release.
Once all the bugs in the flow are worked out, we’ll also incorporate it into the redsn0w GUI (but still leave the CLI freely available too). In order to maximize the chances of the jailbreak working for everyone, the redsn0w GUI will use native Apple iTunes libraries – this technique is slightly different than how the Chronic Dev GUI handles communications, and should provide nice combined coverage for all the odd computer configurations out there.

Paypal Contributions:

Because there were so many different people and teams involved in the A5 corona release, we all felt the most equitable approach to any Paypal contributions should involve a single shared account. If you do feel the desire to contribute to the “dream team” Paypal account, it will be distributed to the members according to internally agreed-upon proportions :) (Please refer to this blog post for that specific http://is.gd/39YMWg link, to avoid frauds!) The same link will be on both the Chronic Dev and iPhone Dev versions of the GUI. This method seemed like the fairest to everyone involved!

Firmware:

The supported firmware versions will be:

iPhone4S: 5.0 (9A334), 5.0.1 (9A405) and the “other” 5.0.1 (9A406)
iPad2: 5.0.1 (9A405)

iPhone4S owners looking to maximize their chances of achieving an eventual software-based carrier unlock should be staying at 5.0. Everyone else should be at 5.0.1. If you’re an iPhone4S owner who already updated to 5.0.1, it’s too late to go back down to 5.0, but if you’re on 9A406 it is possible to downgrade the BB by going to the 9A405 version of 5.0.1 while the window is still open.

Support:

The overall flow used by the GUI and CLI to inject the A5 corona jailbreak has never been done before, and there may be unforeseen problems once it’s released to the public. It’s very important for you to sync your data, photos, and music before attempting any version of this jailbreak. We’ll be watching the comments section below for signs of any widespread problems, but please be aware that you jailbreak at your own risk!

When:

~~As mentioned at the start of this post: when testing has shown most of the bugs have been fixed!~~

Updates:

If the Absinthe webclip shows “Error establishing a database connection”, please go to Settings, turn on VPN and wait instead.
- Toggle VPN only AFTER Absinthe says it’s done, or it will not work.
- VPN SHOULD error and then reboot soon. If it does not, rerun Absinthe!
If you get a strange problem, we advise you to restore your iPhone with iTunes, if you can (i.e. if you’re not on 5.0 waiting for an eventual 4S unlock).
The OS X version of the CLI mentioned in the post can be downloaded here. It’s primarily to help us debug specific issues, but tinkerers might like to play around with some of its advanced options! More info is here.
- Version 0.4.3 adds support for Windows users. It also makes the “-j” jailbreak option much more functional :) See the README.txt for usage.

Untethered holidays

Tue, 27 Dec 2011 02:55:00 -0800

@pod2g has created a terrific gift for iOS fans – an untethered 5.0.1 jailbreak for non-A5 devices!

Many of you have already been following @pod2g’s blog where he’s been keeping everyone up to date on his progress. And so you know that he recently decided to push the button on a release for all devices except the new iPhone4S and iPad2. @pod2g’s untether involves two separate exploits and a few other “tricks” – and since he’s taken the @comex approach of doing nearly everything himself, you know his plate has been full these past few months!

A few days ago, @pod2g gave the untether to both the iPhone devteam and the chronic devteam. We’ve put it into redsn0w 0.9.10 and PwnageTool, and the chronic devteam put it into a Cydia package (the same set of exploits is in all three).

Here are the basic steps for how to get it:

The untether is for iOS 5.0.1 on iPhone3GS, iPhone4, iPhone4-CDMA, iPad1, iPod touch 3G, iPod touch 4G
If you have one of those devices and are not on 5.0.1 yet, update now! The SHSH window is still open for 5.0.1 If you unlock via ultrasn0w or gevey, make sure you only get to 5.0.1 via a custom IPSW! See the guides at places like iClarified.com if you don’t know how. Once you’re at 5.0.1, use the latest redsn0w 0.9.10 to both jailbreak and untether.
If you’re already at 5.0.1 with a tethered jailbreak, you have two choices: either run redsn0w 0.9.10 over your current jailbreak (deselect “Install Cydia” if you do that), or install the Cydia package prepared by the chronic devteam. The patches are the same regardless of which you choose.
Some of you are using a hybrid 5.0/5.0.1 configuration. If so, do not attempt to install this untether over that setup! You will most likely get into a reboot cycle. Do a sync and fresh restore to 5.0.1 then install the jailbreak + untether.

As mentioned earlier, @pod2g has spent months working on all the exploits and tricks in this untether, and many of you may be wondering how you can send donations. Although the iPhone devteam itself doesn’t take donations, we thought it was appropriate to provide a link at the end of the redsn0w run for you to more easily donate directly to @pod2g if you wish (alternatively, you can go right here). There’s a link in the Cydia package for donating to the chronic devteam for the Cydia version of @pod2g’s untether.

@pod2g is now looking for a way to extend this to A5 devices. Because those devices cannot use geohot’s limera1n exploit to inject the untether, they require exploits above and beyond those used for this release. Keep following pod2g on twitter or his blog for any progress reports!

Update #2: The b2 version of redsn0w includes the launchctl-related fix by @planetbeing as mentioned by @saurik here and here. As usual, you can just re-run redsn0w in jailbreak mode over your existing 5.0.1 jailbreak (even a PwnageTool one), making sure to de-select “Install Cydia” if you do. Always be sure to do a controlled “slide to power off” shutdown of your device before running redsn0w.

Update #3: The b3 version of redsn0w fixes a problem where re-running redsn0w over an existing jailbreak would cause MobileSubstrate-based apps to stop running until MS was installed again. Now you can re-run the redsn0w jailbreak step without worrying about that (but still remember to de-select the “Install Cydia” option if it’s already installed).

Update #4: The b4 version of redsn0w incorporates the 5.0.1 fix for iBooks, and also for sporadic problems with launchctl. Thanks to @xvolks for merging the iBooks (sandbox) fix from @comex’s github into the overall corona untether from @pod2g!

Update #5: redsn0w version b5 incorporates yet another fix for iBooks, this time involving DRM. @planetbeing wrote a utility called “crazeles” that overcomes jailbreak detection by iBooks that would cause about 10% of images to show incorrectly. This fix is similar to the “hunnypot” fix that @comex wrote for the 4.x jailbreak. As usual, you can choose to install the fix either by re-running redsn0w over your existing jailbreak (de-select Cydia if you do that), or by installing the corona package from Cydia (it’s the same set of files no matter which way you choose).

Updates #5b and #5c: Version b5b fixes an issue with using custom ramdisks on iPhone3G and iPod2G, and version b5c prevents redsn0w from crashing due to the ever-growing ramdisk size :).

TIP: If auto-detection fails and redsn0w tells you no identifying data was found, you can always pre-select the appropriate 5.0.1 IPSW using “Extras->Select IPSW”.

Here are the redsn0w download links:

redsn0w 0.9.10b5c for OS X
redsn0w 0.9.10b5c for Windows (be sure to run in Administrator mode)

PwnageTool Official Bittorent Releases

PwnageTool_5.0.1.dmg

SHA1 Sum = 32e90607378988cdebb6c76d3acf8ffac6366e35

Unofficial Mirrors

The following links are unofficial download mirrors, you download these archives at your own risk, we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links and we accept no responsibility with regard to the validity of the files, the other content that these links may provide or with the content that is on the third-party linked site.

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.

Mirror owners should email mirrors to blog@iphone-dev.org - please ensure that they are direct dmg download links only (no rapidshare type sites please) and that your web-server can serve DMG MIME types properly. — please don’t place mirrors in the comments as they will be deleted.

pre-QUALifier

Fri, 14 Oct 2011 01:01:00 -0700

We’ve updated ultrasn0w to be compatible with iOS5, which came out a few days ago. While ultrasn0w 1.2.4 (available now in Cydia) doesn’t add support for any new basebands, the update is required for any ultrasn0w unlockers trying out iOS5 (it remains backwards compatible though, so you should be able to use it no matter what firmware you have).

The supported basebands for the iPhone 3G and 3GS are 04.26.08, 05.11.07, 05.12.01, 05.13.04, and 06.15.00. The baseband supported for the iPhone4 is 01.59.00.

Remember, the only way to get to iOS5 while preserving your ultrasn0w-compatible baseband is by using a custom IPSW. redsn0w now has the ability to create such a custom IPSW for you (at least on Macs…the same capability for Windows will be coming soon).

The majority of people who use ultrasn0w at iOS5 right now will probably be those with old-bootrom iPhone3GS devices, since they already have an untethered jailbreak via redsn0w. For everyone else, the iOS5 jailbreak is currently tethered and you need to “Just boot” tethered with redsn0w every time your phone reboots. That’s not always easy to do if your phone reboots while away from home!

Note: there’s a special “trick” that iPhone3GS owners with baseband 06.15 need for iOS5. During the new setup screens you see when you start iOS5 for the first time, you’ll be asked about Location Services. Be sure to select “Disable Location Services” when asked! Later on in the setup, you’ll have the chance to turn on Location Services again when asked if you want to use “Find my iPhone”. It’s fine to turn it back on at that point, if that’s your desire (or you can always go in and enable it in Settings.app).

Edit: The above “trick” is no longer needed as of v0.9.9b6 of redsn0w.

Also, some iPhone3GS users with the 06.15 baseband may have tried to install iOS5 using a stock IPSW (even though you should never ever try to use a stock IPSW if you’re an ultrasn0w unlocker). If you did try this, your baseband is probably in an inconsistent state, and you’ll need to reflash the 06.15 baseband again (using redsn0w). Be very careful if you use redsn0w to reflash the iPad baseband – don’t interrupt the process! And please avoid using stock IPSWs in the future :) Unlockers should never go near stock IPSWs.

If you need to use redsn0w for any of the above tasks, please make sure it’s version 0.9.9b4 or higher, which is available here.

Enjoy!

RIP

Wed, 05 Oct 2011 17:38:50 -0700

The coolest cat

Wed, 24 Aug 2011 16:40:00 -0700

We loved the chase!

Good luck, Steve.

Signed,
Jailbreakers and tinkerers everywhere.

jailbreakme times 3

Tue, 05 Jul 2011 23:43:00 -0700

Once again, @comex has resurrected http://www.jailbreakme.com for your jailbreaking ease and pleasure!

@comex developed what is now the third installment (and his second) of jailbreakme.com, the easiest way to jailbreak your iPhone, iPod touch, and iPad (including the iPad2!). No computer is necessary for jbme3.0…just browse to http://www.jailbreakme.com on your device and install it from there!

While @comex and others have worked hard to make this as simple as possible, some people may have questions and problems may arise. Rather than inundate comex with any questions over twitter, please consider using either our comments section below, or visit http://jbqa.me

Please read “More Information” on the jbme3.0 page for some basic background information and ways you can thank @comex. Here are some additional Q&As beyond that:

Q: Which devices and firmware versions are supported?
A: In this initial release, the following configurations are supported:

iPad1: 4.3 through 4.3.3
iPad2: 4.3.3
iPhone3GS: 4.3 through 4.3.3
iPhone4: 4.3 through 4.3.3
iPhone4-CDMA: 4.2.6 through 4.2.8
iPod touch 3g: 4.3, 4.3.2, 4.3.3
iPod touch 4g: 4.3 through 4.3.3

Q: Do the holes discovered by @comex put my device at risk?
A: Yes. We recommend installing “PDF Patcher 2” in Cydia once you’re jailbroken to eliminate this risk (any firmware version).

Q: How does jbme3.0 differ from the existing jailbreaks?
A: jbme3.0 is entirely userland-based, from start to finish. The A5 chip in the iPad2 has no iBoot or bootrom-level exploits yet, so tools like redsn0w, PwnageTool and sn0wbreeze can’t use the limera1n bootrom exploit to inject the jailbreak. Even for those devices where limera1n works, jbme3.0 injects the jailbreak with a userland exploit.

Q: If I’m already jailbroken on the latest firmware, is there any advantage to jailbreaking again?
A: No, but you should consider showing this to your friends! Spread the jailbreaking fever.

Q: Are the holes exploited by jbme3.0 closed in iOS5?
A: The holes still exist in the iOS5 betas, but they’ll almost certainly be fixed by the time iOS5 is public. However because the iPad2 had no public jailbreak yet, it probably wasn’t worth waiting until the fall to use them. If history repeats itself though, there will be more holes and exploits.

Q: Will I permanently lose the jailbreak if I need to restore my device?
A: For all except the iPad2, saving your SHSH blobs should let you always restore your device to iOS versions where this jailbreak works. The iPad2 is a little more complicated. If you have a wifi-only iPad2 and saved SHSH blobs, you’re in good shape. But if you have the GSM or CDMA iPad2, you won’t be able to restore to 4.3.3 or lower once Apple stops signing its baseband. There are a few ideas that might work to get around this limitation, but for now it’s best to assume there’s no going back to 4.3.3 once 4.3.4 is out for iPad2 GSM or CDMA owners.

Q: I heard this new unionfs stuff is dangerous?
A: Define dangerous :) Seriously though, although unionfs is a huge improvement to the install time of the jailbreak, it is brand new code and there is the possibility something will go wrong. Just keep regular backups of your media and content and you should be fine. If there are any problems, they should appear within the first few days, so hold off and let “everyone else” test the waters if you’d like.

Blob monster

Sun, 26 Jun 2011 15:57:00 -0700

It looks like Apple is about to aggressively combat the “replay attacks” that have until now allowed users to use iTunes to restore to previous firmware versions using saved SHSH blobs.

Those of you who have been jailbreaking for a while have probably heard us periodically warn you to “save your blobs” for each firmware using either Cydia or TinyUmbrella (or even the “copy from /tmp during restore” method for advanced users). Saving your blobs for a given firmware on your specific device allows you to restore *that* device to *that* firmware even after Apple has stopped signing it. That’s all about to change.

Starting with the iOS5 beta, the role of the “APTicket” is changing – it’s being used much like the “BBTicket” has always been used. The LLB and iBoot stages of the boot sequence are being refined to depend on the authenticity of the APTicket, which is uniquely generated at each and every restore (in other words, it doesn’t depend merely on your ECID and firmware version…it changes every time you restore, based partly on a random number). This APTicket authentication will happen at every boot, not just at restore time. Because only Apple has the crypto keys to properly sign the per-restore APTicket, replayed APTickets are useless.

This will only affect restores starting at iOS5 and onward, and Apple will be able to flip that switch off and on at will (by opening or closing the APTicket signing window for that firmware, like they do for the BBTicket). geohot’s limera1n exploit occurs before any of this new checking is done, so tethered jailbreaks will still always be possible for devices where limera1n applies. Also, restoring to pre-5.0 firmwares with saved blobs will still be possible (but you’ll soon start to need to use older iTunes versions for that). Note that iTunes ultimately is *not* the component that matters here..it’s the boot sequence on the device starting with the LLB.

Although it’s always been just “a matter of time” before Apple started doing this (they’ve always done this with the BBTicket), it’s still a significant move on Apple’s part (and it also dovetails with certain technical requirements of their upcoming OTA “delta” updates).

Note: although there may still be ways to combat this, a beta period is really not the time or place to discuss them. We’re just letting you know what Apple has already done in their exisiting beta releases – they’ve stepped up their game!

Tic tac toe...

Fri, 06 May 2011 01:57:00 -0700

… three in a row! Apple released iOS 4.3.3 on Wednesday, and once again the untethered jailbreak exploit that @i0n1c created for 4.3.1 still works. That makes it an unprecedented three firmwares where the same userland exploit works. We’re not exactly sure why Apple hasn’t fixed the hole yet, but we’re not complaining!

Today’s PwnageTool and redsn0w incorporate @i0n1c’s port to 4.3.3 (it’s ironic that such a long-lasting untether doesn’t even have an official name!). It also of course uses geohot’s limera1n bootrom exploit to inject the jailbreak. The 4.3.3 untether works on all devices that actually support 4.3.3 except for the iPad2:

iPhone3GS
iPhone4 (GSM)
iPhone4 (CDMA) (4.2.8 - See update #3)
iPod touch 3G
iPod touch 4G
iPad1
AppleTV2G (v4.3 8F202…see update #2 below for the v4.3 8F305 bundle)

Some things to note:

ultrasn0w unlockers must stay away from redsn0w! Use only a custom IPSW to update to 4.3.3, to avoid updating your baseband. There are plenty of tutorials for both redsn0w and PwnageTool at sites like iClarified.com. Or feel free to ask away in our comments section below.
ultrasn0w has been updated to v1.2.3 to be compatible with iOS 4.3.3 and earlier (the ultrasn0w update does not include any new baseband support!). Please reboot your iPhone using the normal “slide to power off” swipe after installing ultrasn0w 1.2.3.
By popular demand, redsn0w now allows you to enable multitasking gestures (although most will find it useful only on iPads).
iPad2 update: The iPad2 jailbreak remains under development. As you may know, the original exploit @comex developed in the first week of the iPad2 release was mysteriously fixed by Apple within days of its development. Partly because of this, don’t expect much public discussion of the iPad2 jailbreak until it’s actually finished and ready for release (and please avoid asking about it). In all liklihood, it will be a userland exploit like the first (unreleased) one, not dependent on bootrom dumps. The first one can’t be released even for those with the original 4.3 firmware due to legal (distribution) reasons.

As always, please feel free to ask for help or advice in our comment section, with our friendly moderators Confucious, sherif_hashim, dhlizard, Frank55, and subarurider (and many other very knowledgable commenters too!)

Update #1: PwnageTool and redsn0w have been updated to include a fix for the iPhone3GS/i4 side switch vibration issue (only for 4.3.3!). Thanks to @i0n1c for tracking this down (even though he doesn’t even have an iPhone!).

If you’re already jailbroken at 4.3.3 (by either redsn0w rc15 or custom IPSW), you can install this fix simply by running redsn0w rc16 over your existing 4.3.3 jailbreak. Just uncheck the “Install Cydia” option and check any other options you want. The fix will be installed no matter what you’ve selected. This is safe for even ultrasn0w unlockers to do (because redsn0w itself won’t update your baseband…only an iTunes stock IPSW update/restore will do that).

redsn0w rc16 has a few more improvements: Windows 7 and Vista users should no longer need to set their CPU affinity…just run redsn0w as Administrator in XP compatiblity mode. Also, the “verbose boot” option for old-bootrom iPhone 3GS has been fixed for 4.3.3 (remember: old-bootrom 3GS users can even have custom bootlogos that show right at power-up). Enjoy!

Update #2: Apple released a minor update to iOS 4.3 for AppleTV2G (the IPSW name still says 4.3, but the build version changed from 8F202 to 8F305). @i0n1c was once again able to quickly port his original 4.3.1 untether (the exploit that wouldn’t die!) to this version.

If you do feel like updating to the “new” 4.3, you’ll need to drop this bundle into the correct folder in PwnageTool.app. If you don’t know how to do that, there are lots of tutorials on the web, and we’d be glad to help in the comments below.

Thanks once again, @i0n1c!

Update #3: We’ve updated redsn0w (0.9.6rc18) to also include the Verizon iPhone4-CDMA iOS version 4.2.8 untether (which uses the HFS exploit).

Update #4: redsn0w has been updated to 0.9.6rc19 to include changes in the way custom bundles are handled. Now when you use a custom bundle, most of the normal jailbreak steps (like stashing and untethering) are skipped. This makes it easier for custom bundles like the Verizon i4 jailbreakme fix.

redsn0w 0.9.6rc19:

OS X
Windows

PwnageTool Official BitTorrent Release

PwnageTool_4.3.3.1.dmg.6375459.TPB.torrent

SHA1 Sum = 2c8b17c28ae10295b72dabde30bb4b39b0e85821

Unofficial Mirrors

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.

The untether rolls on

Mon, 18 Apr 2011 17:02:00 -0700

Only a few weeks after the 4.3.1 untether created by @i0n1c was released, Apple pushed out firmware 4.3.2. Thankfully, it appears Apple didn’t have a chance to fix the hole used by @i0n1c’s untether, so he ported his code over to 4.3.2’s kernel. Today’s redsn0w has been updated to include it.

The 4.3.2 untether works on all devices that actually support 4.3.2 except for the iPad2:

iPhone3GS
iPhone4 (GSM)
iPod touch 3G
iPod touch 4G
iPad1

redsn0w 0.9.6rc14:

As always, ultrasn0w unlockers should stay away from redsn0w and only update their firmware through a custom IPSW. See update #3 below.

For any questions or problems, please use our comments section below with our ever-helpful moderators Confucious, sherif_hashim, dhlizard, Frank55, and subarurider.

~~Update #1: Until @i0n1c has a chance to fix the i4 version, we’ve removed the i4 untether from redsn0w (making it a tethered-only JB for i4 right now).~~

Update #2: redsn0w rc14 includes the fixed i4 untether from @i0n1c. You can re-run redsn0w rc14 right over the tethered rc13b to transform the i4 JB into an untethered one.

Update #3: PwnageTool 4.3.2 now includes the iOS 4.3.2 untether from @i0n1c. (And look, the PwnageTool and iOS version numbers actually match!).

Note that there’s a corresponding update to ultrasn0w, which has been bumped up to v1.2.2 to get along with iOS 4.3.2 (the ultrasn0w update does not include any new baseband support!). Please reboot your iPhone using the normal “slide to power off” swipe after installing ultrasn0w 1.2.2.

PwnageTool Official BitTorrent Release

PwnageTool_4.3.2.dmg.6340182.TPB.torrent

SHA1 Sum = fdf9d7cba7872451bbca1ccae95a82cfefb352e7

Unofficial Mirrors

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.

Mirror owners should email mirrors to blog@iphone-dev.org - please ensure that they are direct dmg download links only (no rapidshare type sites please) and that your web-server can serve DMG MIME types properly. — please don’t place mirrors in the comments as they will be deleted.

Three years of pwnage(tool)

Sun, 03 Apr 2011 22:00:00 -0700

Three years ago (almost to the day!), the first version of PwnageTool was released for firmware 1.1.4. So today we’re excited to release another edition of both PwnageTool and redsn0w to bring an untethered jailbreak for Apple’s latest firmware, FW 4.3.1.

The 4.3.1 untether exploit comes courtesy of Stefan Esser (@i0n1c on twitter), a security researcher based in Germany. Stefan has a long history of vulnerability research, and ironically his first contribution to the iPhone jailbreak community was improved security – last year he beat Apple to the punch and implemented ASLR for jailbroken iPhones with his “antid0te” framework. We’re happy to see that Stefan then turned his iPhone attention over to an untethered jailbreak exploit!

The 4.3.1 untether works on all devices that actually support 4.3.1 except for the iPad2:

iPhone3GS
iPhone4 (GSM)
iPod touch 3G
iPod touch 4G
iPad1
AppleTV 2G (PwnageTool only for now)

The reason the untether won’t work as-is on the iPad2 is that it requires a bootrom or iBoot-level exploit to install, and the iPad2 is not susceptible to either the limera1n or SHAtter bootrom exploits.

WARNING WARNING – ultrasn0w users don’t update yet! We need to first release an update to ultrasn0w that fixes some incompatibilities when FW 4.3.1 is used on the older basebands supported by ultrasn0w. And remember once we do fix ultrasn0w for 4.3.1 (we’ll announce it here and on twitter), you must only get there via a custom IPSW from PwnageTool, Sn0wbreeze or xpwn! Don’t ever try to restore or update to a stock IPSW, or you’ll lose the unlock!

For everyone else, redsn0w is the easier program to use (and redsn0w runs on both Mac and Windows). Please check out places like iClarified for some excellent guides on how to use both PwnageTool and redsn0w.

Feel free to ask for help in our comments section. Thanks once again to our fantastic moderators for volunteering their time and knowledge and keeping order: Confucious, sherif_hashim, dhlizard, Frank55, and subarurider!

~~redsn0w 0.9.6rc9:~~
redsn0w 0.9.6rc12 (updated to rc12..details in Update #1 below):

PwnageTool Official Bittorent Releases

PwnageTool_4.3.dmg.6293151.TPB.torrent

SHA1 Sum = 9e8ce7d4eb79b5f839efa0233893ef1a6a5e3c5c

Unofficial Mirrors

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.

Update #1:

Those running redsn0w may have noticed we enabled too many Settings options in some versions of the jailbreak (for instance, what you want your side switch to do, even if you have no side switch because you’re not using an iPad). Release ~~rc10~~ rc12 of redsn0w corrects that (you can just run it over your existing jailbreak…be sure to de-select Cydia to avoid package conflicts).

Along the way, we’ve also added the option to enable boot animations…these animations can be installed via Cydia, but be sure to select which animation to use via the Settings->Bootlogo setting after you’ve downloaded an animation (and again, you can just run ~~rc10~~ rc12 over your existing jailbreak…be sure to de-select Cydia to avoid package conflicts).

(The boot animation we tested against was “Android Boot Logo”. It correctly installs all the dependencies needed to run the animation at each boot).

~~redsn0w 0.9.6rc10:~~
redsn0w_0.9.6rc12: (rc12 should fix any lingering issues with the boot animation)

Update #2:

We’ve pushed out the 4.3.1 compatibility fix for ultrasn0w in Cydia – it’s now at version 1.2.1. If you’re not already at 4.3.1 and you need the unlock, please be sure you understand how to get to 4.3.1 using a custom IPSW that doesn’t update your baseband. There are lots of guides for this (like at iClarified.com).

This isn’t a new unlock! It’s to allow those who are already using ultrasn0w to use FW 4.3.1. It also fixes the signal bar issue for those who aren’t using the unlock but retain an older baseband intentionally.

AFTER INSTALLING ULTRASN0W 1.2.1, PLEASE REBOOT YOUR iPHONE using the normal “slide to power off” swipe. T-Mobile users in the USA also should disable 3G mode in Settings->General->Network.

A big thanks to @sbingner and @ronaldsb for helping with the testing of this update!