iPhones – iPads – iDevices Jailbreaking and unlocking saga

4.1, 4.2.1 up to 4.3.5; 5.0 and 5.1 are on the way. Jailbreaks and unlocks are now here. Be careful, read the docs! If you upgrade, do it with custom firmware to protect your baseband. Stay at 4.3.3 if you can. There are unlocks for basebands 1.59, 4.26.08, 5.11.07, 5.12.01, 5.13.04 and the iPad 6.15.00. PROTECT them!!


Well, the plot thickens. It's getting harder to jailbreak these days, and from the looks of it, it's going to get harder.
Apple is adding a more secure ticket structure to the restore process. 5.0 and 5.1 are really going to be a challenge. So use TinyUmbrella or Cydia to back up your keys (SHSH blobs). Always use a custom restore to do upgrades. I will be adding to this and to the updates to the iOS saga. Save your iTunes versions; it looks like that might be your only choice in the future. The newer iTunes will prevent a custom restore.

If at all possible, stay at 4.3.3 and never update your baseband, or make a custom iOS that does not update the baseband.

Let's see what happens with iOS 5.

Dr. Kev


Here's the latest from the Dev-Team Blog.

jailbreakme times 3

Once again, @comex has resurrected http://www.jailbreakme.com for your jailbreaking ease and pleasure!

@comex developed what is now the third installment (and his second) of jailbreakme.com, the easiest way to jailbreak your iPhone, iPod touch, and iPad (including the iPad2!).  No computer is necessary for jbme3.0…just browse to http://www.jailbreakme.com on your device and install it from there!

While @comex and others have worked hard to make this as simple as possible, some people may have questions and problems may arise.  Rather than inundate comex with any questions over twitter, please consider using either our comments section below, or visit http://jbqa.me

Please read “More Information” on the jbme3.0 page for some basic background information and ways you can thank @comex.  Here are some additional Q&As beyond that:

Q: Which devices and firmware versions are supported?
A: In this initial release, the following configurations are supported:

  • iPad1: 4.3 through 4.3.3
  • iPad2: 4.3.3
  • iPhone3GS: 4.3 through 4.3.3
  • iPhone4: 4.3 through 4.3.3
  • iPhone4-CDMA: 4.2.6 through 4.2.8
  • iPod touch 3g: 4.3, 4.3.2, 4.3.3
  • iPod touch 4g: 4.3 through 4.3.3

Q: Do the holes discovered by @comex put my device at risk?
A: Yes.  We recommend installing “PDF Patcher 2” in Cydia once you’re jailbroken to eliminate this risk (any firmware version).


Q: How does jbme3.0 differ from the existing jailbreaks?
A: jbme3.0 is entirely userland-based, from start to finish.  The A5 chip in the iPad2 has no iBoot or bootrom-level exploits yet, so tools like redsn0w, PwnageTool and sn0wbreeze can’t use the limera1n bootrom exploit to inject the jailbreak.  Even for those devices where limera1n works, jbme3.0 injects the jailbreak with a userland exploit.

Q: If I’m already jailbroken on the latest firmware, is there any advantage to jailbreaking again?
A: No, but you should consider showing this to your friends!  Spread the jailbreaking fever.

Q: Are the holes exploited by jbme3.0 closed in iOS5?
A: The holes still exist in the iOS5 betas, but they’ll almost certainly be fixed by the time iOS5 is public.  However because the iPad2 had no public jailbreak yet, it probably wasn’t worth waiting until the fall to use them.  If history repeats itself though, there will be more holes and exploits.

Q: Will I permanently lose the jailbreak if I need to restore my device?
A: For all except the iPad2, saving your SHSH blobs should let you always restore your device to iOS versions where this jailbreak works.  The iPad2 is a little more complicated.  If you have a wifi-only iPad2 and saved SHSH blobs, you’re in good shape.  But if you have the GSM or CDMA iPad2, you won’t be able to restore to 4.3.3 or lower once Apple stops signing its baseband.  There are a few ideas that might work to get around this limitation, but for now it’s best to assume there’s no going back to 4.3.3 once 4.3.4 is out for iPad2 GSM or CDMA owners.

Q: I heard this new unionfs stuff is dangerous?
A: Define dangerous 🙂  Seriously though, although unionfs is a huge improvement to the install time of the jailbreak, it is brand new code and there is the possibility something will go wrong.  Just keep regular backups of your media and content and you should be fine.  If there are any problems, they should appear within the first few days, so hold off and let “everyone else” test the waters if you’d like.

Blob monster

It looks like Apple is about to aggressively combat the “replay attacks” that have until now allowed users to use iTunes to restore to previous firmware versions using saved SHSH blobs.

Those of you who have been jailbreaking for a while have probably heard us periodically warn you to “save your blobs” for each firmware using either Cydia or TinyUmbrella (or even the “copy from /tmp during restore” method for advanced users).  Saving your blobs for a given firmware on your specific device allows you to restore *that* device to *that* firmware even after Apple has stopped signing it.  That’s all about to change.

Starting with the iOS5 beta, the role of the “APTicket” is changing — it’s being used much like the “BBTicket” has always been used.  The LLB and iBoot stages of the boot sequence are being refined to depend on the authenticity of the APTicket, which is uniquely generated at each and every restore (in other words, it doesn’t depend merely on your ECID and firmware version…it changes every time you restore, based partly on a random number).  This APTicket authentication will happen at every boot, not just at restore time.  Because only Apple has the crypto keys to properly sign the per-restore APTicket, replayed APTickets are useless.

This will only affect restores starting at iOS5 and onward, and Apple will be able to flip that switch off and on at will (by opening or closing the APTicket signing window for that firmware, like they do for the BBTicket).  geohot’s limera1n exploit occurs before any of this new checking is done, so tethered jailbreaks will still always be possible for devices where limera1n applies.  Also, restoring to pre-5.0 firmwares with saved blobs will still be possible (but you’ll soon start to need to use older iTunes versions for that). Note that iTunes ultimately is *not* the component that matters here…it’s the boot sequence on the device starting with the LLB.

 

Although it’s always been just “a matter of time” before Apple started doing this (they’ve always done this with the BBTicket), it’s still a significant move on Apple’s part (and it also dovetails with certain technical requirements of their upcoming OTA “delta” updates).

Note: although there may still be ways to combat this, a beta period is really not the time or place to discuss them.  We’re just letting you know what Apple has already done in their existing beta releases — they’ve stepped up their game!
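As an added illustration (not part of the Dev-Team post), the following Python models why a saved SHSH blob can be replayed at a later restore while a per-restore APTicket cannot. HMAC-SHA256 with a constructed key stands in for Apple's RSA signature, and the ticket field layout is invented for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for Apple's private signing key (real tickets are RSA-signed
# by Apple; HMAC-SHA256 is used here only so the example runs offline).
APPLE_SIGNING_KEY = b"constructed-demo-signing-key"

def sign(fields):
    """Sign a canonical serialisation of the ticket fields."""
    msg = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(APPLE_SIGNING_KEY, msg, hashlib.sha256).digest()

def issue_shsh(ecid, version):
    """Pre-iOS5 style blob: bound only to the device ECID and firmware version."""
    fields = {"ecid": ecid, "version": version}
    return {**fields, "sig": sign(fields)}

def issue_apticket(ecid, version, nonce):
    """iOS5 style APTicket: also bound to a nonce the device picks at each restore."""
    fields = {"ecid": ecid, "version": version, "nonce": nonce}
    return {**fields, "sig": sign(fields)}

def device_accepts(ticket, ecid, version, nonce=None):
    """Modeled LLB/iBoot check: rebuild what Apple must have signed for *this* boot
    and compare signatures in constant time. With a nonce, a ticket saved from an
    earlier restore only matches if its nonce equals the one generated now."""
    expected = {"ecid": ecid, "version": version}
    if nonce is not None:
        expected["nonce"] = nonce
    if any(ticket.get(k) != v for k, v in expected.items()):
        return False
    return hmac.compare_digest(ticket["sig"], sign(expected))

def replay_saved_shsh(ecid, version):
    """Save a blob while Apple still signs the firmware, replay it at a later restore."""
    saved = issue_shsh(ecid, version)            # what Cydia/TinyUmbrella stores
    return device_accepts(saved, ecid, version)  # still accepted later: True

def replay_saved_apticket(ecid, version):
    """Same replay against a per-restore nonce: the saved ticket no longer matches."""
    saved = issue_apticket(ecid, version, os.urandom(8).hex())  # first restore
    later_nonce = os.urandom(8).hex()                           # next restore
    return device_accepts(saved, ecid, version, later_nonce)    # rejected: False

def fresh_apticket(ecid, version):
    """The genuine path: Apple signs this restore's nonce, so the ticket is accepted."""
    nonce = os.urandom(8).hex()
    return device_accepts(issue_apticket(ecid, version, nonce), ecid, version, nonce)
```

The model also shows why a blob is device- and version-specific: a ticket issued for one ECID or firmware is rejected for any other.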


Tic tac toe…

… three in a row!  Apple released iOS 4.3.3 on Wednesday, and once again the untethered jailbreak exploit that @i0n1c created for 4.3.1 still works.  That makes it an unprecedented three firmwares where the same userland exploit works.  We’re not exactly sure why Apple hasn’t fixed the hole yet, but we’re not complaining!

Today’s PwnageTool and redsn0w incorporate @i0n1c’s port to 4.3.3 (it’s ironic that such a long-lasting untether doesn’t even have an official name!).  It also of course uses geohot’s limera1n bootrom exploit to inject the jailbreak. The 4.3.3 untether works on all devices that actually support 4.3.3 except for the iPad2:

  • iPhone3GS
  • iPhone4 (GSM)
  • iPhone4 (CDMA) (4.2.8 – See update #3)
  • iPod touch 3G
  • iPod touch 4G
  • iPad1
  • AppleTV2G (v4.3 8F202…see update #2 below for the v4.3 8F305 bundle)

Some things to note:

  1. ultrasn0w unlockers must stay away from redsn0w!  Use only a custom IPSW to update to 4.3.3, to avoid updating your baseband.  There are plenty of tutorials for both redsn0w and PwnageTool at sites like iClarified.com.  Or feel free to ask away in our comments section below.
  2. ultrasn0w has been updated to v1.2.3 to be compatible with iOS 4.3.3 and earlier (the ultrasn0w update does not include any new baseband support!).  Please reboot your iPhone using the normal “slide to power off” swipe after installing ultrasn0w 1.2.3.
  3. By popular demand, redsn0w now allows you to enable multitasking gestures (although most will find it useful only on iPads).
  4. iPad2 update:  The iPad2 jailbreak remains under development.  As you may know, the original exploit @comex developed in the first week of the iPad2 release was mysteriously fixed by Apple within days of its development.  Partly because of this, don’t expect much public discussion of the iPad2 jailbreak until it’s actually finished and ready for release (and please avoid asking about it).  In all likelihood, it will be a userland exploit like the first (unreleased) one, not dependent on bootrom dumps.  The first one can’t be released even for those with the original 4.3 firmware due to legal (distribution) reasons.

As always, please feel free to ask for help or advice in our comment section, with our friendly moderators Confucious, sherif_hashim, dhlizard, Frank55, and subarurider (and many other very knowledgeable commenters too!)

 


Update #1: PwnageTool and redsn0w have been updated to include a fix for the iPhone3GS/i4 side switch vibration issue (only for 4.3.3!).  Thanks to @i0n1c for tracking this down (even though he doesn’t even have an iPhone!).

If you’re already jailbroken at 4.3.3 (by either redsn0w rc15 or custom IPSW), you can install this fix simply by running redsn0w rc16 over your existing 4.3.3 jailbreak.  Just uncheck the “Install Cydia” option and check any other options you want.  The fix will be installed no matter what you’ve selected.  This is safe for even ultrasn0w unlockers to do (because redsn0w itself won’t update your baseband…only an iTunes stock IPSW update/restore will do that).

redsn0w rc16 has a few more improvements:  Windows 7 and Vista users should no longer need to set their CPU affinity…just run redsn0w as Administrator in XP compatibility mode.  Also, the “verbose boot” option for old-bootrom iPhone 3GS has been fixed for 4.3.3 (remember: old-bootrom 3GS users can even have custom bootlogos that show right at power-up).  Enjoy!


Update #2:  Apple released a minor update to iOS 4.3 for AppleTV2G (the IPSW name still says 4.3, but the build version changed from 8F202 to 8F305).  @i0n1c was once again able to quickly port his original 4.3.1 untether (the exploit that wouldn’t die!) to this version.

If you do feel like updating to the “new” 4.3, you’ll need to drop this bundle into the correct folder in PwnageTool.app.  If you don’t know how to do that, there are lots of tutorials on the web, and we’d be glad to help in the comments below.

Thanks once again, @i0n1c!


Update #3: We’ve updated redsn0w (0.9.6rc18) to also include the Verizon iPhone4-CDMA iOS version 4.2.8 untether (which uses the HFS exploit).


Update #4: redsn0w has been updated to 0.9.6rc19 to include changes in the way custom bundles are handled.  Now when you use a custom bundle, most of the normal jailbreak steps (like stashing and untethering) are skipped.  This makes it easier for custom bundles like the Verizon i4 jailbreakme fix.


redsn0w 0.9.6rc19:


PwnageTool Official BitTorrent Release

SHA1 Sum = 2c8b17c28ae10295b72dabde30bb4b39b0e85821

Unofficial Mirrors

The following links are unofficial download mirrors, you download these archives at your own risk, we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links and we accept no responsibility with regard to the validity of the files, the other content that these links may provide or with the content that is on the third-party linked site.

Always check the files that you have downloaded against our published SHA1 hash.

We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must.

Mirror owners should email mirrors to blog@iphone-dev.org – please ensure that they are direct dmg download links only  (no rapidshare type sites please) and that your web-server can serve DMG MIME types properly. — please don’t place mirrors in the comments as they will be deleted.

Dev-Team Blog.

 

 
