Jul 04 2010

iH8sn0w, developer of popular jailbreaking tools such as Sn0wbreeze, has just published a detailed guide on how to jailbreak iOS 4 for iPhone 3GS with the new bootrom for Mac users.

Windows users can check out this guide to jailbreak iOS 4 for iPhone 3GS (new bootrom) with SHSH blobs (ECID files).

Some important points before we proceed:

This guide is only for advanced users.

This guide is for Mac users; Windows users can check out this guide.

Please note that jailbreaking your iPhone may void your warranty and hence proceed with caution.

Do not forget to backup your iPhone before you proceed. You can refer to this post for instructions on how to backup your iPhone 3GS.

This guide is only for iPhone 3GS users with new bootrom. You can use F0recast to find out if your iPhone 3GS has newer or older bootrom.

It will be a tethered jailbreak, which means that the jailbreak needs to be reapplied every time you power down your iPhone 3GS. If you let the battery run out or restart your iPhone 3GS then you will need to reapply the jailbreak by connecting to your computer (tethering).

It will only work if you had saved your iPhone 3GS’s SHSH blobs (or ECID files) for iPhone OS 3.1.2. iH8sn0w has clarified that it won’t work with iPhone OS 3.1.3 SHSH blobs.

iPhone 3GS with older bootrom can use PwnageTool for Mac or Sn0wbreeze for Windows users.

iPhone 3G users can use Redsn0w to jailbreak iOS 4. You can check out our detailed step-by-step guide for Mac and Windows users.

Currently there is no tool available to jailbreak iPhone 4.

After the jailbreaking process is complete, do not forget to check out our article on tips to keep your iPhone secure. Also, remember to change the password of your jailbroken iPhone.

This guide will NOT unlock your iPhone 3GS. You can use Ultrasn0w to unlock it after you have successfully jailbroken iOS 4.

If you have gone through all the points mentioned above and meet the requirements, then you can follow the step-by-step instructions given below:

iOS 3.1.2, 4.0
iOS 3.1.2 SHSH blobs
Download this (
STEP 1 : Grabbing your 3.1.2 iBSS file.
Pointing your hosts :
I : If you have your SHSH blobs saved on Cydia/Saurik’s server, then follow this tutorial.
II : If you have them saved with TinyUmbrella, then download the GUI here: http://thefirmwareumbrella.blogspot.com/
Restoring to grab the iBSS file.
I : Place your device in DFU.
II : Start up the iBSS/iBEC grabber.
III : Put the save folder on a new folder on your desktop.
IV : Hit “Start Monitoring”.
V : Now go back to iTunes and do SHIFT + Restore. Then browse for your 3.1.2 IPSW. You will need to restore to 3.1.2 in order to pwn 4.0.
STEP 2: Creating your custom firmware
Use PwnageTool (blog.iphone-dev.org) to create a custom IPSW; ignore the warnings about the new bootrom.
Extract the zip file we downloaded earlier and use Terminal to enter it.
Create a new folder inside it called 3.1.2 and extract your 3.1.2 IPSW there (unzip *.ipsw in Terminal).
Use xpwntool to patch iBoot & iBSS (run this in Terminal):

xpwntool Firmware/dfu/iBSS.n88ap.RELEASE.dfu ibss.d -iv 41639d34547ae3dd7921bf3539dba529 -k 9121de4a038675d92e1a28683b2138b7a3bdb80994273d090398051c7f5af53c; bspatch ibss.d ../exploitibss312 ../ibss.patch; xpwntool Firmware/all_flash/all_flash.n88ap.production/iBoot.n88ap.RELEASE.img3 iboot.d -iv 127aa60e77da219961ee70707f44cbd4 -k c72ab4aae971f3a9ec356dfe555e4aef72d8e96c480698445ac236904e6a3443; bspatch iboot.d ../iboot.payload ../iboot.patch; cd ..; rm -rf 3.1.2

Create a folder called 4.0_cust inside 4.0_pwn, enter it with Terminal and copy your custom 4.0 IPSW there.
Extract your custom IPSW (unzip *.zip).
Run the following in Terminal:

cp kernelcache.release.n88 ../kcache.40; cp Firmware/dfu/iBEC.n88ap.RELEASE.dfu ../iBEC.40; cd ..;

Copy your signed iBSS from earlier into 4.0_pwn
STEP 10:
Place your device in DFU mode (hold Power and Home for 10 seconds, then release Power while continuing to hold Home until the screen stays blank and iTunes asks you to restore).
STEP 11:
Run the following in Terminal:

./irecovery -u ibss312.dfu; ./irecovery -r; sleep 10; ./irecovery -e exploitibss312; ./irecovery -u iBEC.40; ./irecovery -c go; sleep 10; ./irecovery -u sn0w.img3; ./irecovery -c "setpicture 0"; ./irecovery -c "bgcolor 1 1 1";

STEP 12:
Restore your custom 4.0 IPSW.
Booting your device:
Run the following in Terminal (once in the 4.0_pwn directory):

./irecovery -u ibss312.dfu; ./irecovery -r; sleep 10; ./irecovery -e exploitibss312; ./irecovery -u iBEC.40; ./irecovery -c go; sleep 10; ./irecovery -u sn0w.img3; ./irecovery -c "setpicture 0"; ./irecovery -c "bgcolor 1 1 1"; ./irecovery -u kcache.40; ./irecovery -c bootx;

iTunes will detect your device several times before it boots.
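The boot sequence above chains every irecovery call with ";", so if one upload fails the remaining commands still run against a device in an unknown state. As an added example that is not part of iH8sn0w's guide, the POSIX shell wrapper below first checks that the 4.0_pwn directory contains every file the sequence needs, then runs the same commands joined with "&&" so the first failure aborts; the file names are the ones the guide uses, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: preflight check plus a
# fail-fast wrapper for the tethered boot sequence. The function names
# (check_boot_artifacts, tethered_boot) are assumptions; the file names
# are the ones the guide places in 4.0_pwn.

# Files the boot sequence uploads, plus the irecovery binary itself.
BOOT_ARTIFACTS="irecovery ibss312.dfu exploitibss312 iBEC.40 sn0w.img3 kcache.40"

# Return 0 if every artifact exists and is non-empty in the given
# directory, 1 otherwise (each missing file is reported on stderr).
check_boot_artifacts() {
    dir=$1
    missing=0
    for f in $BOOT_ARTIFACTS; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# The guide's irecovery sequence, joined with && so that a failed upload
# or command stops the chain instead of continuing to the next step.
tethered_boot() {
    dir=$1
    check_boot_artifacts "$dir" || return 1
    (
        cd "$dir" || exit 1
        ./irecovery -u ibss312.dfu && ./irecovery -r && sleep 10 &&
        ./irecovery -e exploitibss312 && ./irecovery -u iBEC.40 &&
        ./irecovery -c go && sleep 10 &&
        ./irecovery -u sn0w.img3 && ./irecovery -c "setpicture 0" &&
        ./irecovery -c "bgcolor 1 1 1" &&
        ./irecovery -u kcache.40 && ./irecovery -c bootx
    )
}

# Usage: sh tethered_boot.sh /path/to/4.0_pwn
if [ "$#" -ge 1 ]; then
    tethered_boot "$1"
fi
```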

As always, please don’t forget to drop us a line to tell us how it goes.

[courtesy iH8sn0w]

  • Virtual

    I’ve already downloaded it, it is very nice to use