How I got 3.1.2 on a 3G[s] from 2011

See that? That is an iPhone 3G[s] running 3.1.2. What makes this special is that this is a new boot ROM 3G[s] thats been downgraded. And, for the cherry on top, its an iPhone that shipped with iOS 5 originally. How did I do it?

Just recently, a person on Twitter called ‘axi0mX’ released the alloc8 boot ROM exploit affecting the new and old boot ROM 3G[s], though he recommends that the 24k exploit still be used on old boot ROM devices due to a slow down that the alloc8 exploit introduces. Thankfully, this exploit is relatively easy to use, if you have the right tools

Tools:

  • Xcode Command Line tools (xcode-select --install)
  • Homebrew
  • (updated 4-20-2017) A Mac running Mavericks or newer1

Step 1:

(updated 4-12-2017) Time to install all the dependancies. Open Terminal, then install pip/Python from Homebrew like this:

brew install python --with-brewed-openssl

Next, install libusb, similar to how you installed Python, using Homebrew:

brew install libusb

Quit Terminal and then reopen Terminal.

Lastly, run this last command:

pip install pyusb

Step 2:

Navigate to a nice and safe directory in Terminal, e.g. cd ~/Desktop. There, clone the ipwndfu repository:

git clone https://github.com/axi0mX/ipwndfu && cd ipwndfu

Step 3:

Thanks to some oddities in libusb for El Capitan and Sierra, it is necessary to patch the binary we use. Only do this on El Capitan and Sierra. Thankfully, axi0mX has made it pretty easy for us. Verify that the version installed on your computer is the same one the patch is made for (1.0.21) by running this command:

openssl sha1 /usr/local/Cellar/libusb/1.0.21/lib/libusb-1.0.0.dylib

If the little string of numbers and letters (the hash) matches 02da61201c8f67b723bca5fb44b35797d1021625 then you should be fine.

Now, its time to patch. inside the ipwndfu directory, run

sudo bspatch /usr/local/Cellar/libusb/1.0.21/lib/libusb-1.0.0.dylib /usr/local/Cellar/libusb/1.0.21/lib/libusb-1.0.0.dylib libusb-patches/libusb-1.0.21-02da61201c8f67b723bca5fb44b35797d1021625.patch

Now, just to make sure that the patch was applied successfully, rerun this command:

openssl sha1 /usr/local/Cellar/libusb/1.0.21/lib/libusb-1.0.0.dylib

The hash should be: f356ee6052cd520b46ca50333b937ff2efe4477b

All good?

Step 4:

Now, it is time to generate a custom IPSW for your 3G[s]. Below is a table which breaks down the versions and tools to accomplish this.

Version Tool Success
iOS 3.1 PwnageTool 3.1.3 😀
iOS 3.1.2/3 PwnageTool 3.1.5 😀
iOS 4.0 PwnageTool 4.01 😀
iOS 4.3.3 redsn0w 0.9.15 beta 3 😫
iOS 5.0 redsn0w 0.9.15 beta 3 😀
iOS 5.0.1 redsn0w 0.9.15 beta 3 😀
iOS 5.1 redsn0w 0.9.15 beta 3 😀
iOS 5.1.1 redsn0w 0.9.15 beta 3 😀

Notes on using redsn0w:

During the process, redsn0w will ask you something along the lines of ‘Will this custom IPSW be used on a newer (fixed) version of the iPhone3GS?’. You must answer ‘no’ to create an IPSW laced with the 24Kpwn exploit, which is essential for alloc8.

All the tools above will walk you through the IPSW creation, just don’t stray too far from the default options and you should be fine. I opted for 3.1.2, but thats my personal choice. I also downloaded my firmware file from ipsw.me. Also, since we’re on the topic of downloading firmwares, you also need to download the 4.3.5 IPSW for your 3G[s] and place it in your ipwndfu folder

From there (again in your ipwndfu folder) run:

unzip -p iPhone2,1_4.3.5_8L1_Restore.ipsw Firmware/dfu/iBSS.n88ap.RELEASE.dfu > n88ap-iBSS-4.3.5.img3

You should be all set to run ipwndfu here pretty soon.

Step 5:

Note: if you installed all the pip dependancies with the Homebrew version, you must prepend python to the commands like I have done below

Okay, here is where it got dodgy for me. The developer recommends you either use a computer with iTunes 11.1 or older, or use idevicerestore to restore the custom firmware file to your 3G[s]. I tried getting idevicerestore to work, I compiled all what I needed, but it kept getting stuck. I gave up and just grabbed my trusty 17” PowerBook running 10.5.8 with iTunes 10. It took me twice to get it to work, but I’m writing this from the perspective of me restoring it with iTunes.

I went ahead and transferred the custom IPSW to the machine, ready for restore. I had iTunes opened, raring to go.

Now, plug the iPhone into the machine with the ipwndfu tools. Put the iPhone into DFU mode, which goes as follows:

  1. Turn the phone off.
  2. Hold the power button for 3 seconds.
  3. Hold the home and power button for 10 seconds.
  4. Release the power button, but continue to hold the home button without releasing for 15 more seconds.

Now, iTunes should popup complaining about a device in recovery.

Go back to Terminal, and inside of the ipwndfu tools directory, run:

python ./ipwndfu -p

It should output something like this:

Yerba-Buena:ipwndfu keatonburleson$ python ./ipwndfu -p
*** based on limera1n exploit (heap overflow) by geohot ***
Found: CPID:8920 CPRV:15 CPFM:03 SCEP:03 BDID:00 ECID:XXXXXXXXXXXXXXXX SRTG:[iBoot-359.3.2]
Device is now in pwned DFU Mode.

Great!

Unplug the device, and quickly move it to the machine with iTunes <11.1, in my case, my PowerBook. iTunes should once again popup about a device in recovery. Now we’re rolling. Okay, deep breath. I’m assuming your iPhone is backed up if you care. Now we need to browse to our custom firmware. Hold down Shift (for Windows) or Alt/option (for Mac) and a file dialog should come up. Browse and select our custom firmware. The restoration process should begin. I had to do this process twice, not sure why, but when I finished, it showed no errors.

Step 6:

After your restore is complete, you should be at a black screen. Move the phone to the machine with the tools once again. Next, we’re running the same command as earlier to get it into a pwned DFU state:

python ./ipwndfu -p

It should output something like this:

Yerba-Buena:ipwndfu keatonburleson$ python ./ipwndfu -p
*** based on limera1n exploit (heap overflow) by geohot ***
Found: CPID:8920 CPRV:15 CPFM:03 SCEP:03 BDID:00 ECID:XXXXXXXXXXXXXXXX SRTG:[iBoot-359.3.2]
Device is now in pwned DFU Mode.

Now, run this:

python ./ipwndfu -x

Which, in turn, should provide an output like this:

Yerba-Buena:ipwndfu keatonburleson$ python ./ipwndfu -x
Installing alloc8 exploit to NOR.
Dumping NOR, part 1/8.
Dumping NOR, part 2/8.
Dumping NOR, part 3/8.
Dumping NOR, part 4/8.
Dumping NOR, part 5/8.
Dumping NOR, part 6/8.
Dumping NOR, part 7/8.
Dumping NOR, part 8/8.
NOR backed up to file: nor-backups/nor-xxxxxxxxx-20170411-193959.dump
Sending iBSS.
Waiting for iBSS to enter Recovery Mode.
Sending iBSS payload to flash NOR.
Sending run command.
If screen is not red, NOR was flashed successfully and device will reboot.

The whole process should take about 10 seconds, and your screen on your iPhone should be green for a considerable amount of that time.

Thankfully, the developer provided some nice troubleshooting tips:

  • If there are any errors before the screen turned green, it is safe to try again.

  • If the screen turns red, something went wrong while your phone was being flashed. Trying again probably won’t help.

Hopefully your phone should be booting whatever iOS you chose! Comment below if something bad happens or you discover another way to restore!

If you are having issues running this command, check out Troubleshooting below.

Troubleshooting

(added 4-12-2017)

I had some friends try running the guide themselves, and they ran into some issues not covered.

Operation timed out

.

My friend on Slack ran into this. Not sure if it is an environment issue, as I did not have Python installed via Homebrew. I just had OS X’s default install. If you’re wondering if you are using Homebrew Python, run this command:

which python

I added this to the guide, but I think it has something to do with the lack of OpenSSL in the default Python package. Running this in Terminal should fix that:

brew update
brew rm python
brew install python --with-brewed-openssl

Thanks to this GitHub issue.

However, if you don’t want to really mess with Homebrew, or the proposed fix doesn’t work for you, here is another way.

First, remove the Homebrew Python install.

brew rm python

Then, close Terminal and reopen.

In Terminal, navigate somewhere safe, like cd ~/Desktop, and run:

curl -O https://bootstrap.pypa.io/get-pip.py

Next, run:

sudo python get-pip.py

Make sure you’ve installed libusb, and then install pyusb like this:

pip install pyusb

Hopefully that should get you running again.

Final Thoughts

I’d like to give a major thanks to the developer for writing really good documentation in the first place, and another thanks for creating this awesome open source jailbreak and boot ROM exploit for a device almost 9 years old.

1 there is a bug that the author hasn’t made progress fixing in versions older than OS X 10.9

Comments

John K. said:

Sunday, August 20th, 2017, 03.59am

I am stuck on patching the USB at Step 3:
sudo bspatch /usr/local/Cellar/libusb/1.0.21/lib/libusb-1.0.0.dylib /usr/local/Cellar/libusb/1.0.21/lib/libusb-1.0.0.dylib libusb-patches/libusb-1.0.21-02da61201c8f67b723bca5fb44b35797d1021625.patch

It returned:bspatch: fopen(libusb-patches/libusb-1.0.21-02da61201c8f67b723bca5fb44b35797d1021625.patch): No such file or directory

Please advise.

Keaton Burleson said:

Sunday, August 20th, 2017, 06.58pm

John, I need to update this guide, but it appears the patches aren’t necessary anymore. They were removed in this commit: https://github.com/axi0mX/ipwndfu/commit/220b8f307debe39099fded4e3ce979d3b1620e0d, I will test when I get a chance. Thanks.

Leave a comment