Pwning 4.0 on 3GS (New Bootrom) | ipt2g MC | ipt3 w/3.1.2

I figured making a tool would take a bit too long, so I’m going to write up this tutorial. It isn’t recommended for regular users.

**BEFORE PROCEEDING, ENSURE THAT YOU HAVE YOUR iPod/PHONE BACKED UP!**

THIS TUTORIAL ASSUMES YOU ARE ALREADY ON 3.1.2!

Q: Why not 3.1.3???
A: The exploit used is closed in 3.1.3 and beyond.
——-
WHAT YOU WILL NEED:

* An iPhone 3G[S], iPod Touch 2G MC or iPod Touch 3 – new bootrom
* 3.1.2 already installed, or 3.1.2 installed via SHSH blobs. <– Broken blackra1n’d devices will work (especially if Spirit messed you up!).
* Payload Pwner-r4.1
* sn0wbreeze V1.7
* iBooty V1.4
* 3.1.2/4.0 firmware downloaded.
* iTunes 9.2 Installed
——-
STEP A : Pwning iBoot

I : Download this easy tool here — Payload Pwner-r4.1 // It will help you create the payload.

II : Extract it to a directory and run Pwner.exe

**SAVE THE PAYLOAD WHERE iBooty is.**
——-
STEP B : Making a Custom IPSW

I : Download sn0wbreeze V1.7 from here — sn0wbreeze V1.7

II : USE EXPERT MODE!

III : In General, Checkmark “Disable NOR Flash” <– THIS IS ESSENTIAL!!!!

IV : Build it. It will be on your Desktop.

**CUSTOM BOOT LOGOS THAT ARE MADE IN sn0wbreeze WILL NOT WORK ON NEW BOOTROMS!**

*Mac Users : PwnageTool does not have this option, and I don’t think it ever will. Use a Windows virtual machine or a friend’s PC to create your firmware.*
——-
STEP C: iBooty Prep.

Most of you know of the utility “iBooty” that I made for Aki_nG.

It will work as long as you place all of the correct files there.

I : Download iBooty GUI here — iBooty V1.4 and Extract it.

II : Extract your Custom IPSW created by sn0wbreeze with 7-Zip or another un-archiver.

III : Grab the kernelcache and bring it into the same folder as iBooty.
Also grab iBEC from the folder “Firmware\dfu”,
as well as DeviceTree from “Firmware\all_flash\all_flash.n88ap.production\DeviceTree.n88ap”.

IV :
* Rename your Kernel 4.0-Custom to “kernel.40”
* Rename your iBEC 4.0-Custom to “ibec.40”
* Rename your DeviceTree 4.0-Custom to “devtree.40”
======
Your folder should look like this:

– iboot.payload <– Created with Payload Pwner.
– devtree.40 <– Grabbed from Custom IPSW made by sn0wbreeze.
– ibec.40 <– Created with Payload Pwner.
– bspatch.exe <– Comes with iBooty.
– iBooty.exe <– Comes with iBooty.
– kernel.40 <– Grab from Custom IPSW made by sn0wbreeze.
– sn0w.img3 <– Comes with iBooty.
– wait.img3 <– Comes with iBooty.
======
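Added example (not iH8sn0w’s or iBooty’s own code): a small Python helper that does steps II–IV of STEP C for you and then checks the folder against the listing above. It assumes the sn0wbreeze IPSW is a plain zip, that the kernelcache sits at the archive root, iBEC under Firmware/dfu/ and DeviceTree under the n88ap all_flash path quoted above, and that iBooty wants exactly the file names shown in the listing.

```python
import os
import shutil
import zipfile

# Names iBooty expects, taken from the folder listing in STEP C
# (assumption: the names must match exactly).
REQUIRED = ["iboot.payload", "devtree.40", "ibec.40", "bspatch.exe",
            "iBooty.exe", "kernel.40", "sn0w.img3", "wait.img3"]


def _find_one(names, pred):
    """Return the single archive member matching pred, else fail loudly."""
    matches = [n for n in names if pred(n)]
    if len(matches) != 1:
        raise FileNotFoundError("expected exactly one match, got %r" % matches)
    return matches[0]


def extract_boot_files(ipsw_path, ibooty_dir, board="n88ap"):
    """Copy kernelcache, iBEC and DeviceTree out of the custom IPSW (a zip)
    into the iBooty folder under the names the tutorial uses (kernel.40,
    ibec.40, devtree.40). Returns {archive member: destination name}."""
    devtree_dir = "Firmware/all_flash/all_flash.%s.production/" % board
    wanted = {
        # kernelcache lives at the root of the IPSW, no directory component
        "kernel.40": lambda n: "/" not in n and n.lower().startswith("kernelcache"),
        "ibec.40": lambda n: (n.startswith("Firmware/dfu/")
                              and os.path.basename(n).lower().startswith("ibec")),
        "devtree.40": lambda n: (n.startswith(devtree_dir)
                                 and os.path.basename(n).startswith("DeviceTree." + board)),
    }
    os.makedirs(ibooty_dir, exist_ok=True)
    done = {}
    with zipfile.ZipFile(ipsw_path) as z:
        names = z.namelist()
        for dest, pred in wanted.items():
            member = _find_one(names, pred)
            with z.open(member) as src, open(os.path.join(ibooty_dir, dest), "wb") as out:
                shutil.copyfileobj(src, out)
            done[member] = dest
    return done


def missing_ibooty_files(ibooty_dir):
    """Pre-flight check: names from the listing that are still absent."""
    return [f for f in REQUIRED if not os.path.isfile(os.path.join(ibooty_dir, f))]
```

Run `extract_boot_files("custom.ipsw", r"C:\iBooty")` after sn0wbreeze finishes, then `missing_ibooty_files` tells you which of iboot.payload and the iBooty-supplied files you still have to drop in before STEP D.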
——-
STEP D: Restoring to 4.0 + Booting
——-
*MAKE SURE YOU ARE ON 3.1.2 WHEN DOING THIS*

I : Run iBooty and Select “Prepare Device for Custom Firmware”. Run the Process and if you see the image, you can proceed!

II : Now open iTunes and restore to the custom ipsw.

***WHEN DONE, YOUR DEVICE WILL GO INTO RECOVERY MODE. IT WON’T BOOT.***
——-
STEP E : Booting

I : Just Re-Run iBooty and select “Boot It”. If all goes well it will boot!
——-
Enjoy!
——-
============
CREDITS:
============
* AKi_nG (For testing 3GS.)
* demize95 (For testing iPod Touch 3!)
* msft.Guy (Helping out here and there.)
* planetbeing (For xpwn.)
* posixninja (For his continuous help!!!)
* You (For making this community possible.)

iH8sn0w’s Forums • View topic – Pwning 4.0 on 3GS (New Bootrom) | ipt2g MC | ipt3 w/3.1.2.