These are instructions on how to jailbreak your iPhone using PwnageTool 4.1.2 for Mac OS X. If you need unlock and you have not updated to iOS 4 you will be able to preserve baseband and unlock iPhone using ultrasn0w.
This guide will work for iPhone 4, iPhone 3GS, iPhone 3G, iPod Touch 3G, iPod Touch 4G, iPad and AppleTV. Just use the right firmware and select the right device (step four).
Step One
Make a folder called “Pwnage” on the desktop. Now you need to download there PwnageTool 4.1.2 from here and iOS 4.1 firmware from here.
When downloading the IPSW file, it is best to download it with Firefox since Safari often auto extracts it!
Step Two
Double click to mount PwnageTool then drag the PwnageTool icon into the Pwnage folder.
Then from the Pwnage folder double click to launch the PwnageTool application.
Click Ok if presented with a warning.
Step Three
Click to select Expert Mode from the top menu bar
Step Four
Click to select your device. A check-mark will appear over the image of the device. Click the blue arrow button to continue.
Step Five
You will be brought to the “Browse for IPSW” page. Click the Browse for IPSW… button.
From the popup window select your firmware from the Pwnage folder then click the Open button.
Step Six
You will then be brought to a menu with several choices. Click to select General then click the blue arrow button.
The General settings allows you to decide the partition size. Check Activate the phone if you are not with an official carrier then click the blue arrow button.
NOTE*: Deselect Activate if you have an iPhone legitimately activated on an official carrier.
The Cydia settings menu allows you to create custom packages so you do not have to manually install the necessary them later. If you do not want to install anything here go to next step (seven).
Click to select the Download packages tab. Then click the Refresh button to display all the available packages. Double clicking the package you want will download it and make it available in the Select Packages tab.
Checkmark the ones you want then click the blue arrow button.
The Custom Packages Settings menu displays listed package settings for your custom IPSW. Click the blue arrow button to continue.
Step Seven
You are now ready to begin the pwnage process! Click the Build button to select it then click the Blue arrow button to begin.
Step Eight
You will be asked to save your custom .ipsw file. Save it to your Pwnage folder you created on your Desktop.
Your IPSW is now being built. Please allow up to 10 minutes.
You will be asked to enter your administrator password. Do this then click the OK button.
Step Nine
Once your ipsw has been built you will be asked to connect your iPhone to the computer. Once it detects your device PwnageTool will guide your through the steps to putting your iPhone into DFU mode.
Press and hold the power and home buttons for 10 seconds.
Then release the power button and continue holding the home button for 10 seconds.
Once your iPhone is successfully in DFU mode, PwnageTool will prompt you to launch iTunes.
Step Ten
Once in iTunes, hold the Alt/Option key and click Restore.
ULTRASN0W UNLOCKERS BEWARE!! The biggest mistake you can make (and it is a big one!) is lettings iTunes restore to the official IPSW — you’ll lose the unlock and won’t be able to go back! You must use Option-Restore, not just the Restore button by itself. Then navigate to your custom IPSW — not to the stock one! If you accidentally started a restore to the official IPSW, unplug your iPhone immediately before the restore gets to the “Updating Firmware” step!
Step Eleven
Navigate to the Pwnage folder on your desktop using the dialog window that appears. Select the custom IPSW (!) that was created and click the Choose button.
Step Twelve
iTunes will now restore the firmware on your iPhone. This can also take up to 10 minutes. Once done you will be rebooted into jailbroken iOS 4.1!
Step Thirteen
When your iPhone has restarted you can run Cydia. Let it do all the necessary updates.
To have access to the root file system of your iPhone (via file managers like iFunBox or iPhone Explorer) install application called afc2add in Cydia.
Step Fourteen
If you need unlock – install ultrasn0w via Cydia, it will work if you had iOS 4.0.2 or lower before step one.
Open Cydia.
Go to Manage than click Sources.
Click Edit button in the top right corner.
Then click Add button in the top left corner.
Type http://repo666.ultrasn0w.com and click Add Source.
Now go to Search and type ultrasn0w, click on the utility and hit Install button in the top right.
With internet tethering enabled you can use iPhone internet connection on you desktop or notebook. Here is a quick tutorial for experienced users. For everybody else – just wait for the new version of PwnageTool or some other utility.
Here it is:
A bsdiff patch to apply to CommCenter in 3.1.2 to re-enable tethering is available and . It’s just a 2-byte patch as shown below (and an appropriate readjusting of the mach-o’s codesign hash):
USE THIS AT YOUR OWN RISK! Your carrier may end up charging you for unauthorized tethering access.
Update #1 It looks like a lot of people have been looking at CommCenter lately because IRC user CleanAir had a similar tethering patch. Meanwhile over in the 2G CommCenter, WhiteRat and geniusan for that platform. Kudos to CleanAir, WhiteRat, and geniusan for digging into CommCenter and coming up with patches!
Update #2 A few have started to pop up. Eventually this will be made a part of the normal PwnageTool flow but for now this is best left for the adventurous users out there!
sub_17538+74 4B F0 58 F8 BL validate_signature
sub_17538+74
sub_17538+78 30 B1 CBZ R0, FAIL ; <— PATCH THIS TO 00 20 (MOV R0,#0)
sub_17538+78
sub_17538+7A 05 20 MOVS R0, #5 ; int
sub_17538+7C 1C 49 LDR R1, =aValidatedWirel ; “Validated wireless modem connection wit”…
sub_17538+7E 02 9A LDR R2,
sub_17538+80 7E F0 00 ED BLX _syslog
sub_17538+80
sub_17538+84
sub_17538+84 loc_175BC ; CODE XREF: sub_17538+70j
sub_17538+84 02 9C LDR R4,
sub_17538+86 05 E0 B loc_175CC
sub_17538+86
sub_17538+88 ; —————————————————————————
sub_17538+88
sub_17538+88 FAIL ; CODE XREF: sub_17538+78j
sub_17538+88 05 20 MOVS R0, #5 ; int
sub_17538+8A 1A 49 LDR R1, =aCouldNotValida ; “Could not validate wireless modem conne”…
sub_17538+8C 7E F0 FA EC BLX _syslog
sub_17538+8C
bsdiff patches are the normal way that PwnageTool modifies Apple software. To apply one manually, you must first get the “bspatch” program. Then do:
bspatch CommCenter CommCenter-hacked CommCenter.patch
If you don’t have bsdiff but know how to use a hex editor, the differences are available in text format.
The correct SHA1 of the hacked file will be:
1b19712035f33654cf72838ebe1a2033931b56b2 # 3GS
063165c3fa3e21d30eb4b486fab924ba3ef0ea5e # 3G
You would then remove the original program and replace it. Don’t forget to ensure it has execute permission!
chmod +x /System/Library/PrivateFrameworks/CoreTelephony.framework/Support/CommCenter
After you’ve started using the hacked CommCenter, visit from your iPhone and install a new mobileconfig.
DevTeam says that 2.2 update SHOULD NOT be applied using iTunes if you want the chance of a soft-unlock in the near future. Use new version of PwnageTool (not avaliable yet, but will be soon).
Some fact:
The 2.2 firmware for 3G contains a baseband update for the 3G iPhone
The 2.2 firmware for 2G (1st gen iPhones) doesn’t contain a baseband update and the baseband is still at 04.05.04
Pwnage technique (and therefore the Jailbreak) isn’t affected, but PwnageTool and QuickPwn do not support this release as yet, so DO NOT install 2.2 using iTunes as you will lose your jailbreak
If you apply this update and you previously relied on PwnageTool or QuickPwn to activate your phone, it may become temporarily deactivated and unusable (until we release the new version of PwnageTool or QuickPwn).
PwnageTool and QuickPwn updates will be released as soon as possible that will allow a safe update path to 2.2 the release of these updates is inevitable but not imminent, we are creating the modifications right now and we need to put the new software through the usual testing process.
If you apply this update and you have third-party (non AppStore) applications from Cydia and Installer that you rely on they will stop working.
2G (1st gen) iPhone users who cannot wait for the new PwnageTool or QuickPwn can safely “Update” to 2.2 using iTunes, this will preserve the existing activation. However “restoring” to 2.2 using iTunes will return the iPhone to the unactivated state. If you are in any doubt just wait. NB: This works for 2G ONLY.
The use of SIM-Proxies (small circuit boards/chips that sit underneath the SIM card) to provide GSM/UMTS service on your locked iPhone 3G: early reports suggest that the 2.2 update disables the functionality of these devices.
