NEW AND IMPROVED JAILBREAK 1.1.1
For the actual download:
1) READ THIS FIRST
2) See the Firmware Info Page
(Revised 10/13/07)
These directions are based on the README file for the 1.1.1
jailbreak process. Thanks to NerveGas, Pumpkin, Edgan,
drudge, dinopio, and asap18 for writing it!
NOTE TO UNLOCKERS: If you have previously used an unlock
such as anySIM or iUnlock and you have not already upgraded
to 1.1.1, do not proceed with this process! The new
baseband firmware will conclude that things have been
tampered with (because they have), and return an invalid
IMEI number beginning with 0049.
As of 2007-Oct-12, developers are still hard at work trying
to correct this problem. A baseband downgrade process
exists, but is not recommended because it has permanently
damaged more than a few phones. If you cannot wait for a
safer, free solution, iPhone SimFree has a commercial
solution. Your best bet is to sit tight, though.
Introduction
Jailbreaking 1.1.1 is somewhat involved, but it is not
difficult. Please read through the steps below and be sure
that you understand them before proceeding. Here's the
overview:
0. Before the jailbreak
1. Planning the escape
2. Upgrading to 1.1.1, out of jail
3. Getting a read/write filesystem
4. Installing SSH/BSD World
5. Activating with iTunes or Non-ATT SIM
6. Patching SpringBoard
7. Clean Up
You should gather the necessary tools before you begin.
When you have everything you need, you can proceed to step
0.
Step 0: Before the jailbreak
Results:
• A backup of anything important
• An activated iPhone running 1.0.2 OS
• Either 3.x or 4.x baseband
• An unpatched 1.0.2 lockdownd (not PACAY)
Downloads:
• iPhone1,1_1.0.2_1C28_Restore.ipsw
• AppTapp Installer
• iNdependence (Mac OS X)
• iASign generator (Windows)
The first thing you should do, assuming this is not a
freshly unboxed iPhone, is back up your data. You may well
lose all data on your phone before the night is over. This
author found backing up /private/var/root and
/private/etc/dropbear to be sufficient for his needs.
If you have an activated 1.0.2, and an unpatched lockdownd,
you could skip to step 1 now, but you are advised to follow
this procedure anyway, just so that you know how to recover
later.
You will need a copy of the compressed 1.0.2 firmware (ipsw
file). If you have previously downloaded it with iTunes,
you're all set. If not, you can download the firmware
directly from Apple.
With your iPhone turned on, hold down the POWER and HOME
buttons at the same time for about ten seconds, until the
screen goes dark. Release POWER, but CONTINUE TO HOLD HOME.
After about 15 more seconds, your iPhone should appear to
be turned off, but has actually gone into a special state
called DFU mode which is available when a regular restore
isn't. Feel free to speculate as to the meaning of "DFU".
You're still holding HOME, right? Go ahead and connect to
iTunes now. If your device turns on and boots normally, you
managed to turn it off, not put it into DFU mode. Try
again. You will also need to try again if you got to a
screen with a dock cable and an iTunes logo (the 1.1.1
"connect to iTunes" screen), because you cannot downgrade
from the standard recovery mode.
iTunes should have prompted you to restore your phone. Hold
down the shift key (Windows) or the option key (Mac) and
click Restore. Select the iPhone1,1_1.0.2_1C28_Restore.ipsw
file and click OK.
If you're just practicing, iTunes will succeed. If you're
actually downgrading from 1.1.1, it will give you an error
and leave your phone with a "connect to iTunes" screen. You
can close iTunes now. Also, if you have not previously
disabled iTunesHelper, do so at this time.
To get your phone into a normal state, grab NullRiver's
AppTapp Installer if you need to and try to install it. The
attempt will fail, but it'll get you into a state where you
have 1.0.2's OS and 1.1.1's baseband.
All that's left is to open iTunes once again so that it
will "pair" with your iPhone. It doesn't have to sync with
it. If you get to the activation phase, you've done all
that you need to. If you have an AT&T SIM and iPhone
account, do that. Otherwise, use iNdependence or the online
iASign generator.
You can activate now using either iNdependence or iBrickr,
or even iTunes itself if you've got a normal AT&T SIM
and iPhone account.
By the way, if your phone has a 1.1.1 baseband with an
invalid IMEI, you can fix it before you do the jailbreak.
Your choices are presently limited. iPhone SimFree is the
only safe choice for doing that at the moment, but it will
cost you at least US$60. A free solution is in the works,
but isn't ready yet.
Our advice is to wait. The dev team is likely to have a
solution for you within a few days. Any solutions involving
the use of a program called ieraser are strongly
discouraged. A number of people have tried to use it and
had failures resulting in their phones becoming permanent,
unrepairable, unrestorable bricks.
Just do yourself the favor and either wait a few days or
pay for a license to use SimFree.app, okay?
Step 1: Planning the escape
Results:
• An iPhone with AppTapp Installer
• iTunes open with an active Update button
• An iPhone with Trip1Prepz installed
Downloads:
• AppTapp Installer (if needed)
Apple has gone to great lengths to prevent 1.1.1
jailbreaks. In fact, what we are going to do isn't so much
break out of jail as redefine it. To put it another way, if
I confine you to a cell, your freedoms are greatly reduced.
What if I confine you to the whole world instead? Unless
you work for a space program, you are not likely to notice
much.
That's what we're going to convince iTunes to do to us.
Start out by installing AppTapp Installer, if you haven't
already got it installed. Next, on your iPhone, open Safari
and go to this URL:
http://conceitedsoftware.com/iphone/beta
This will ask you if you would like to add a new repository
to Installer.app. Answer Yes, but don't install any of the
new packages just yet.
Now, open iTunes and select your iPhone in the sources
list. You should see an Update or Check for Update button,
and of course the Restore button. If Update (or Check for
Update) is greyed out, figure out how to get it back before
proceeding: Update allows a jailbreak, Restore doesn't.
Now, leave iTunes open and your phone connected. If you
close iTunes between now and the next step, the only thing
iTunes will let you do is Restore, and we don't want to do
that. Now, open the AppTapp Installer and find Trip1Prepz.
This package was created by Drudge to do all of the hard
work for you. Go ahead and install it, but be warned that
you're committed to this process as soon as you have done
so.
Step 2: Upgrading to 1.1.1, out of jail
Results:
• A jailbroken 1.1.1 iPhone
• A read-only filesystem (we'll fix it!)
Downloads:
• iPhone1,1_1.1.1_3A109a_Restore.ipsw
You should already have iTunes open with Trip1Prepz
installed after your Update button was available. If you
don't have a copy of the 1.1.1 firmware, download it from
Apple. We do it this way to future-proof these
instructions. Apple could release a new firmware tomorrow,
and we might not be able to jailbreak it in quite the same
way.
Now, whether it says Update or Check for Update,
shift-click (Windows) or option-click (Mac OS X) the button
and select the iPhone1,1_1.1.1_3A109a_Restore.ipsw you
downloaded and begin the update. ONLY use the Update
button, DO NOT USE Restore for this procedure!
STEP 3: Getting a read/write filesystem (forcing read/write mode)
Results:
• A read-write filesystem (told you we'd fix it!)
Downloads:
• Dev team's 1.1.1 jailbreak kit
If you've followed the steps properly, your iPhone should
now be jailbroken, but not yet writable. To confirm this,
shut down iTunes and use iPHUC to connect to the iPhone.
Run 'ls' and you should see the root folders (Applications,
System, etc). If you see iTunes_Control, then you've
botched a step and will need to start over at STEP 0.
Forcing read-write mode involves overwriting the part of
the disk partition that contains /etc/fstab. This is done
by writing to /dev/rdisk0s1. The included iphuc-jailbreak
code supports a command called "putjailbreak" which does
this. After we overwrite the disk, we'll reboot and the
iPhone will be mounted in read-write!
1. Run iphuc. Make sure iTunes is closed:
killall iTunesHelper
- If you are on OSX/Intel: ./iphuc-jailbreak.osx
- If you are on OSX/PPC: ./iphuc-jailbreak.ppc
- If you are on Windows: ./iphuc-jailbreak.exe
NOTE: If you are using Windows, you'll need to grab an
existing iPHUC distribution to get all the remaining files.
2. You should now be connected to your iPhone. Test this by
running 'ls', and make sure you see 'dev' among the list of
directories. If you see iTunes_Control, then you haven't
jailbroken properly and will need to start again from STEP
0.
3. We are now going to overwrite part of the disk partition
with our payload using the 2K file included in this
distribution called rdisk0s1. In iphuc, execute this
command:
putjailbreak rdisk0s1 /dev/rdisk0s1
4. The upload should be relatively quick. Once finished,
reboot your iPhone. You're now in read-write mode, and jail
broken! You can test this by connecting again with iphuc
after rebooting and running:
getfile /etc/fstab fstab
Open the file: the options for / should now be 'rw'
instead of 'ro'. If you still see 'ro', something has gone
wrong; repeat from step 3.
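Reading the pulled-down fstab by eye works, but it is easy to misread the options column. Here is an added example, not part of the Dev Team's kit, that parses the file fetched with 'getfile /etc/fstab fstab' and reports whether / carries 'rw'. The two sample fstab contents embedded in it are constructed to show the before and after states; the exact device names and spacing are assumptions.

```python
"""Check whether the root filesystem in an iPhone-style fstab is rw or ro."""
import sys

# Constructed samples: what /etc/fstab is expected to look like before and
# after the rdisk0s1 overwrite. Device names and spacing are assumptions.
FSTAB_BEFORE = """\
/dev/disk0s1 / hfs ro 0 1
/dev/disk0s2 /private/var hfs rw 0 2
"""
FSTAB_AFTER = """\
/dev/disk0s1 / hfs rw 0 1
/dev/disk0s2 /private/var hfs rw 0 2
"""


def parse_fstab(text):
    """Map each mount point to its list of mount options.

    Blank lines, '#' comments and entries with fewer than four fields
    are skipped rather than guessed at.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        _device, mountpoint, _fstype, options = fields[:4]
        table[mountpoint] = options.split(",")
    return table


def root_is_writable(text):
    """True only if / is listed and carries 'rw' without a conflicting 'ro'."""
    options = parse_fstab(text).get("/", [])
    return "rw" in options and "ro" not in options


def describe_root(text):
    """Return 'rw', 'ro' or 'missing' for the / entry, for reporting."""
    table = parse_fstab(text)
    if "/" not in table:
        return "missing"
    return "rw" if root_is_writable(text) else "ro"


if __name__ == "__main__":
    # Default file name matches the 'getfile /etc/fstab fstab' command above.
    path = sys.argv[1] if len(sys.argv) > 1 else "fstab"
    with open(path) as handle:
        state = describe_root(handle.read())
    print("/ is %s" % state)
    sys.exit(0 if state == "rw" else 1)
```

Run it from the directory where iphuc saved the file; a non-zero exit means the overwrite did not take and step 3 should be repeated.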
STEP 4: INSTALLING SSH AND BSD WORLD
At this stage, you can get a shell on the iPhone in the
same way that you did with 1.0.2. If you're using a Mac,
the easiest way is the iPhone SSH Installer for Mac, which
can be found here:
For Mac:
http://iphone.natetrue.com/iPhone_SSH_Install_for_Mac.zip
1. Just run iPhoneMacSSHInstall.sh in that package and it
will walk you through an automated install of SSH:
sh iPhoneMacSSHInstall.sh
Once it has finished, log in (the root password for v1.1.1
is 'alpine'):
ssh -l root iphone
Your SSH keys are likely to change, so if you get any
errors about an incorrect key, you can:
rm -f ~/.ssh/known_hosts
from your desktop's home directory and try again.
2. Once you're in, you will also want to install the BSD
world. NerveGas has built a new version of the BSD
subsystem that doesn't require libarmfp. Download and
extract the following files:
http://iphone.natetrue.com/BSD_Base-2.0.tar.gz
http://iphone.natetrue.com/BSD_Extra-2.0.tar.gz
tar -zvxf BSD_Base-2.0.tar.gz
tar -zvxf BSD_Extra-2.0.tar.gz
Change into each of these directories and run:
cd BSD_Base
scp -r * root@[IPHONE IP]:/
cd ../BSD_Extra
scp -r * root@[IPHONE IP]:/
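Deleting the whole known_hosts file, as suggested above, also discards the keys of every other host you have ever connected to, so each of them will be trusted blindly on the next connection. An added example, not part of the Dev Team's kit, that removes only the phone's entry (the hostname 'iphone' is assumed, as in the ssh command above). The known_hosts contents embedded below are constructed, with the key material replaced by obvious placeholders.

```python
"""Drop only the stale known_hosts entry for one host, keeping all others."""
import os
import sys

# Constructed sample known_hosts; the key blobs are placeholders, not keys.
SAMPLE_KNOWN_HOSTS = """\
iphone,192.168.1.20 ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-KEY-1
server.example.org ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-KEY-2
@revoked [router.example.org]:2222 ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-KEY-3
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-KEY-4
"""


def entry_hosts(line):
    """Return the host names an unhashed known_hosts line applies to.

    Handles the optional '@marker' prefix and '[host]:port' notation.
    Hashed entries ('|1|...') cannot be matched by name and yield [].
    """
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return []
    if fields[0].startswith("@"):
        fields = fields[1:]
    if not fields or fields[0].startswith("|1|"):
        return []
    hosts = []
    for name in fields[0].split(","):
        if name.startswith("[") and "]:" in name:
            name = name[1:name.index("]:")]
        hosts.append(name)
    return hosts


def forget_host(text, host):
    """Return (new_text, removed_count) with every entry naming `host` removed."""
    kept = []
    removed = 0
    for line in text.splitlines():
        if host in entry_hosts(line):
            removed += 1
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if kept else ""), removed


def forget_host_in_file(path, host):
    """Rewrite the file in place only if something was actually removed."""
    with open(path) as handle:
        text = handle.read()
    new_text, removed = forget_host(text, host)
    if removed:
        with open(path, "w") as handle:
            handle.write(new_text)
    return removed


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "iphone"
    path = sys.argv[2] if len(sys.argv) > 2 else os.path.expanduser("~/.ssh/known_hosts")
    print("removed %d entry(ies) for %s" % (forget_host_in_file(path, target), target))
```

OpenSSH's own 'ssh-keygen -R iphone' does the same job and also handles hashed entries, which this script deliberately leaves alone. Either way, the next connection to the phone will prompt you to accept its new key, which is the expected outcome after reflashing; the same first session is also the moment to replace the well-known default root password.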
For Windows:
1. Follow the instructions here:
http://cre.ations.net/blog/post/howto-install-ssh-on-your-iphone
NOTE: If you download Nate True's iPhone SSH kit you will
need to grab iphoneinterface.exe from his latest iBrickr
release to actually make it work.
STEP 5: ACTIVATING WITH A NON-AT&T SIM
If you're using an AT&T SIM that will activate through
iTunes, skip this step and just activate through iTunes.
To activate with a non-AT&T SIM, we'll need to copy
over the lockdownd binary and activation certificate we
backed up when we were on v1.0.2, do a little hackery,
then copy the v1.1.1 lockdownd back when we're done.
NOTE: In order for afc to start, you must BOOT the phone
with lockdownd v1.1.1, so do not reboot the phone during
this process. If you have no choice, copy lockdownd v1.1.1
back after, then reboot again to make sure afc comes up.
1. Back up v1.1.1's lockdownd:
cp /usr/libexec/lockdownd /var/root/lockdownd.1.1.1
Now overwrite the iPhone's copy with your old v1.0.2 copy:
cp /var/root/lockdownd.1.0.2 /usr/libexec/lockdownd
And upload the certificate included in this distribution:
scp iPhoneActivation.pem root@[IPHONE IP]:/System/Library/Lockdown/
Now:
killall lockdownd
This will restart lockdownd as the v1.0.2 version.
2. Download iASign from http://iphone.fiveforty.net/wiki/index.php/IASign
bunzip2 iASign-v0.2.tar.bz2
tar -xf iASign-v0.2.tar
cd iASign/bin
Overwrite iASign's iPhoneActivation.pem with the one
provided in this package:
cp /path/to/1.1.1-jailbreak/iPhoneActivation.pem /path/to/iASign/bin/
Now run:
./iASign.mac --automatic iPhoneActivation_private.pem
After a while, it should complete and say "New State:
Activated", but it doesn't really work. Don't worry, we're
almost there!
3. Now copy the v1.1.1 lockdownd back and restart it:
cp /var/root/lockdownd.1.1.1 /usr/libexec/lockdownd
killall lockdownd
4. (tjcarter 2007-Oct-12) Previously you would be advised
here to run iASign again. Don't. Just reboot your phone to
verify that you are activated.
STEP 6: PATCHING SPRINGBOARD
The new version of SpringBoard has been hard-coded to allow
only factory applications to run. We've coded up a patcher
that will fix this "bug", and back up your original
SpringBoard app.
1. Upload the springpatch binary included with this
distribution:
scp springpatch root@[IPHONE IP]:/usr/bin
Then log into your iPhone and run it:
$ springpatch
SpringBoard Patcher for iPhone v1.1.1
Brought to you by the iPhone Dev Team
Successfully patched
/System/Library/CoreServices/SpringBoard.app/SpringBoard
Original backed up to:
/System/Library/CoreServices/SpringBoard.app/SpringBoard.original.
Please reboot your iPhone or kill springboard for changes
to take effect.
If it exits successfully, you can now restart SpringBoard
to enable third party applications:
killall SpringBoard
2. You will need to list at least one application in:
/System/Library/CoreServices/SpringBoard.app/M68AP.plist
This is the new "DisplayOrder.plist". The application MUST
be placed just before the MobileStore application. The
reason for this is that MobileStore is placed at the end of
the Springboard to specifically hide other applications.
Adding at least one application appears to break free from
this.
For example, if you have installed NES.app, the relevant
entries of your M68AP.plist will be modified to look like
(each entry is a dict carrying a displayIdentifier key):
    <dict>
        <key>displayIdentifier</key>
        <string>com.natetrue.iphone.nesapp</string>
    </dict>
    <dict>
        <key>displayIdentifier</key>
        <string>com.apple.MobileStore</string>
    </dict>
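Editing the plist by hand is error-prone, and a malformed M68AP.plist leaves SpringBoard with nothing to show. An added example, not from the Dev Team's kit, that makes the same edit with Python's plistlib: it finds the dict whose displayIdentifier is com.apple.MobileStore and inserts the new entry immediately before it. The sample plist is constructed; the top-level key name 'iconLists' in it is an assumption about the file's layout, and the code does not rely on it, since it walks the whole property list.

```python
"""Insert a displayIdentifier entry just before com.apple.MobileStore."""
import plistlib
import sys

MOBILE_STORE = "com.apple.MobileStore"

# Constructed minimal stand-in for M68AP.plist. The 'iconLists' key is an
# assumption about the real layout; the functions below do not depend on it.
SAMPLE_PLIST = plistlib.dumps({
    "iconLists": [[
        {"displayIdentifier": "com.apple.MobileSafari"},
        {"displayIdentifier": MOBILE_STORE},
    ]]
})


def identifiers_in(node):
    """Flatten every displayIdentifier value in the tree, in document order."""
    found = []
    if isinstance(node, dict):
        if "displayIdentifier" in node:
            found.append(node["displayIdentifier"])
        for value in node.values():
            found.extend(identifiers_in(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(identifiers_in(item))
    return found


def identifiers_in_plist(plist_bytes):
    """Same as identifiers_in, starting from serialized plist bytes."""
    return identifiers_in(plistlib.loads(plist_bytes))


def insert_before_mobilestore(node, display_identifier):
    """Insert a new dict right before the MobileStore dict; True if done."""
    if isinstance(node, list):
        for index, item in enumerate(node):
            if isinstance(item, dict) and item.get("displayIdentifier") == MOBILE_STORE:
                node.insert(index, {"displayIdentifier": display_identifier})
                return True
            if insert_before_mobilestore(item, display_identifier):
                return True
    elif isinstance(node, dict):
        for value in node.values():
            if insert_before_mobilestore(value, display_identifier):
                return True
    return False


def add_app(plist_bytes, display_identifier):
    """Return (new_bytes, changed). An identifier already present is left alone."""
    root = plistlib.loads(plist_bytes)
    if display_identifier in identifiers_in(root):
        return plist_bytes, False
    if not insert_before_mobilestore(root, display_identifier):
        raise ValueError("no %s entry found; is this the right plist?" % MOBILE_STORE)
    return plistlib.dumps(root), True


def update_file(path, display_identifier):
    """Apply add_app to a file on disk, keeping a .bak copy of the original."""
    with open(path, "rb") as handle:
        data = handle.read()
    new_data, changed = add_app(data, display_identifier)
    if changed:
        with open(path + ".bak", "wb") as handle:
            handle.write(data)
        with open(path, "wb") as handle:
            handle.write(new_data)
    return changed


if __name__ == "__main__":
    # Usage: python addapp.py com.natetrue.iphone.nesapp [path-to-M68AP.plist]
    ident = sys.argv[1]
    plist_path = sys.argv[2] if len(sys.argv) > 2 else \
        "/System/Library/CoreServices/SpringBoard.app/M68AP.plist"
    print("changed" if update_file(plist_path, ident) else "already present")
```

Run it on the phone (or on a copy pulled over scp and pushed back); SpringBoard only rereads the file after the killall SpringBoard described above. The .bak copy is what you restore if the home screen comes up empty.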
STEP 7: CLEAN UP
You've now successfully jailbroken your iPhone and set up
shop. Congratulations!
Before you can sync, you will need to remove the symlink
you created:
rm /var/root/Media
mv /var/root/Media.old /var/root/Media
That's it!
- iPhone/iTouch Dev Team