Jailbreak iPhone 4|FW=4.2.1 (8C148) & BB=03.10.01

Hi there!

A friend of mine was stupid enough to sell his HTC Desire and buy an Apple iPhone 4. Now he is all over me and bothering me about not being able to use a different operator/network than the one where he bought the phone. I told him numerous times about this but he didn't listen to me. So now I am supposed to help him get rid of these limitations that those bastards at Apple still keep imposing on the users of their iDevices.

So! He has an iPhone 4 with the 4.2.1 (8C148) firmware and 03.10.01 baseband!

I have been looking into this matter before, few weeks before new year. And from what I could understand it was not possible to jailbreak iPhone 4 with the 4.2.1 firmware. Only the iPhone 4 with the older firmwares 4.0.1 and possibly 4.0.2 could be jailbroken.

I found information that a new version of Redsn0w would be released on 15th of January this year. But yesterday I came across the news about the release of Redsn0w 0.9.7b7 the day earlier. The iPhone Dev Team has obviously released this new version earlier than expected - 10th January for Mac and 11th January for Windows.

So!

Q: Is it possible to use Redsn0w 0.9.7b7 to jailbreak this iPhone 4?

Q: Is it necessary to jailbreak the iPhone before unlocking it?

Q: Is it necessary to have Cydia installed on the phone in order to install Redsn0w?

Q: How do I get Cydia into the phone if it's not jailbroken, it is not available from the App Store, is it?

Q: Do I need to use some software to extract the SHSH blob file/files before using Redsn0w?

Q: What are those IPSW files? Is that "iPhone software"? What are they used for?

Q: What other software do I need to jailbreak and unlock this iPhone?

From what I understand Redsn0w is a set of tools used on the computer to completely re-install the firmware without the limitations imposed by the manufacturer. So the "hacking" process is actually done offline on the computer itself, not on the phone directly. The hacked firmware is then transferred to the phone. Am I right?

There is actually something called tethered and untethered jailbreaking. Tethered meaning the phone has to be connected to the computer every time you need to enter a jailbroken state and the phone returns to default state when powered off or restarted. Untethered means it is independent of the computer and can stay in a jailbroken state all the time.

Correct me if I'm wrong. I am new to this, I have never done this before.

Thanks in advance!

Quote:

---

Originally Posted by ElectroGeeza

Q: Is it possible to use Redsn0w 0.9.7b7 to jailbreak this iPhone 4?

Q: Is it necessary to jailbreak the iPhone before unlocking it?

Q: Is it necessary to have Cydia installed on the phone in order to install Redsn0w?

Q: How do I get Cydia into the phone if it's not jailbroken, it is not available from the App Store, is it?

Q: Do I need to use some software to extract the SHSH blob file/files before using Redsn0w?

Q: What are those IPSW files? Is that "iPhone software"? What are they used for?

Q: What other software do I need to jailbreak and unlock this iPhone?

---

1) redsn0w 0.9.6b4 will jailbreak an iPhone 4 running iOS 4.2.1, but it is presently a tethered jailbreak and will need to be plugged in to boot if you install anything that interacts with the boot process or with mobile substrate (e.g., MobileSubstrate, winterboard, etc.)
2) Yes, you have to jailbreak first. You can't unlock your phone though, so it doesn't matter. The baseband in the iPhone 4 with 4.2.1 is not presently able to be unlocked.
3) No, redsn0w installs Cydia, you can't have Cydia on the phone until the phone is jailbroken and the jailbreak tool will install Cydia for you if you ask it to.
4) You can't. Cydia requires a jailbroken phone.
5) Please do some research on SHSH, this topic has been covered hundreds of times. The only SHSH you may need is the 4.2b3 SHSH, but they're not signing it anymore so if you don't have it, you can't get it. Again, I can't stress this enough, please see my sig or any of the pages detailing what an SHSH is so you'll know why/what/when/etc.
6) IPSW is effectively just a zip file, it's the extension that iOS software revisions have. They are the actual firmware files for your phone.
7) Nothing, really. iTunes (latest version is fine), redsn0w, and that's it.

redsn0w does NOT install the firmware, it is used on a device currently running the exploitable version, for example, in this case you need to ensure the phone is running 4.2.1 before using redsn0w, it will NOT upgrade you to 4.2.1 if you're not already on it. redsn0w is just one tool, not a set. redsn0w hacks the currently running firmware, so it doesn't hack it on the PC and send it, etc., it connects to your currently running phone and modifies it while connected.

Your understanding of tethered and untethered jailbreaks is correct.

Let us know if you have any other questions.

Quote:

---

Originally Posted by ElectroGeeza

Q: Is it possible to use Redsn0w 0.9.7b7 to jailbreak this iPhone 4?

---

Redsn0w 0.9.7b7 has very specific requirements to allow untethered jailbreak on 4.2.1

1. You have previously saved a 4.2b3 (and hopefully also a 4.1) SHSH with Cydia or via TinyUmbrella locally. It is too late to save these now
2. You are a legitimate/current iOS developer and have legal access to download the 4.2b3 IPSW for your model iOS device from Apple

I'm pretty sure you don't meet these requirements. Plus as n1ckn4m3 says, even with a tethered jailbreak, you still can't unlock.

The official statement on any future unlock news is:

Quote:

---

Official iPhone unlock statement: no unlock will be released until after 4.2.5 or official 4.3 (whichever is last) is out

---

Twitter

Thank you!

Since this is all new to me I do have a lot of questions. But as more and more I am digging into this matter the more confused I am. It seems as if one answer opens up three new questions. And I have been reading a lot about this yesterday, believe me. There's a whole world out there about jailbreaking. I knew about jailbreaking from the beginning but I never realized how big this whole movement is.

I have come to know all the guys who we have to thank for all these wonderful hacks, the iPhone Dev Team, the Chronic Dev Team, Geohot, Semaphore, and not to forget Comex. There are several famous hackers like MuscleNerd and Geohot working on this type of thing, but most of them are either part of the iPhone Dev Team or Chronic Dev Team, or they work solo like Geohot mostly does. I just want to say thank you guys for standing tall against the big bullys Apple. Thanks!

Things are becoming more clear to me as I keep reading, as a result of learning of course. But there are a few questions I would like to straighten out.

Q: So redsn0w only jailbreaks the phone, allowing me to install apps like Cydia through which I then can find, download and install unofficial app or extension packages like the ultrasn0w?

Q: Is it true that ultrasn0w and blacksn0w are made specifically for unlocking the phone and not for jailbreaking? In other words, if no version of either ultrasn0w or blacksn0w can unlock a given baseband then there is nothing else to do than wait and see if our heroes can break the chains in coming updates, right?

Q: Would you say that an iPhone that has been jailbroken once should only be upgraded with a customized version of a newer firmware? This applies if you want to have the ability to downgrade to an older firmware after Apple closes the window on SHSH signing, right?

Q: Is it safe to use an official stock firmware from Apple on an jailbroken iPhone if you have the SHSH signature saved to a local file or uploaded to saurik's server via Cydia?

Q: Is it true that you can upgrade to a new stock firmware both by using iTunes and PwnageTool?

Q: Would you say that so called "restoring" actually refers to downgrading the firmware in iTunes or is that something else?

Q: If so, then the "restore" facility in iTunes cannot be used to "upgrade" to a newer firmware?

Q: If not, is there an option in iTunes where it says "upgrade" or "search for upgrades", or how else does it present you with available upgrades? I am not familiar with using iTunes with iPhone.

Some questions may be overlapping. Sorry about that, I'm just so stressed out right now.

Quote:

---

Originally Posted by Olethros

Redsn0w 0.9.7b7 has very specific requirements to allow untethered jailbreak on 4.2.1

1. You have previously saved a 4.2b3 (and hopefully also a 4.1) SHSH with Cydia or via TinyUmbrella locally. It is too late to save these now
2. You are a legitimate/current iOS developer and have legal access to download the 4.2b3 IPSW for your model iOS device from Apple

I'm pretty sure you don't meet these requirements. Plus as n1ckn4m3 says, even with a tethered jailbreak, you still can't unlock.

The official statement on any future unlock news is:

Twitter

---

So there is basically nothing I can do to get neither untethered iPhone 4 with iOS 4.2.1 nor unlock the 03.10.01 baseband on it (using the tethered jailbreak)?

So there is only a tethered jailbreak available for this model? Do you know what tools are used for tethered jailbreak of this model?

So we will have to wait at least until Verizon releases the iPhone 4 on 10th February with iOS 4.2.5 or possibly the release of 4.3 later on, perhaps in march?

Quote:

---

Originally Posted by ElectroGeeza

So there is basically nothing I can do to get neither untethered iPhone 4 with iOS 4.2.1 nor unlock the 03.10.01 baseband on it (using the tethered jailbreak)?

---

Correct . Not at this time

Quote:

---

So there is only a tethered jailbreak available for this model? Do you know what tools are used for tethered jailbreak of this model?

---

redsn0w 0.9.6rc8 for both mac and windows.
Dev-Team Blog

Quote:

---

So we will have to wait at least until Verizon releases the iPhone 4 on 10th February with iOS 4.2.5 or possibly the release of 4.3 later on, perhaps in march?

---

Don't know. DevTeam don't discuss DATE and ETA

Quote:

---

Originally Posted by ElectroGeeza

Q: So redsn0w only jailbreaks the phone, allowing me to install apps like Cydia through which I then can find, download and install unofficial app or extension packages like the ultrasn0w?

Q: Is it true that ultrasn0w and blacksn0w are made specifically for unlocking the phone and not for jailbreaking? In other words, if no version of either ultrasn0w or blacksn0w can unlock a given baseband then there is nothing else to do than wait and see if our heroes can break the chains in coming updates, right?

Q: Would you say that an iPhone that has been jailbroken once should only be upgraded with a customized version of a newer firmware? This applies if you want to have the ability to downgrade to an older firmware after Apple closes the window on SHSH signing, right?

Q: Is it safe to use an official stock firmware from Apple on an jailbroken iPhone if you have the SHSH signature saved to a local file or uploaded to saurik's server via Cydia?

Q: Is it true that you can upgrade to a new stock firmware both by using iTunes and PwnageTool?

Q: Would you say that so called "restoring" actually refers to downgrading the firmware in iTunes or is that something else?

Q: If so, then the "restore" facility in iTunes cannot be used to "upgrade" to a newer firmware?

Q: If not, is there an option in iTunes where it says "upgrade" or "search for upgrades", or how else does it present you with available upgrades? I am not familiar with using iTunes with iPhone.

---

1) Correct. redsn0w jailbreaks, hacktivates, and can install Cydia on the phone. Cydia then can be used to download and install unofficial apps or extension packages.
2) Yes. ultrasn0w and blacksn0w are unlocks only and do not relate to jailbreaking. I recommend you read this: http://www.hackint0sh.org/f137/32703.htm
3) It depends. Some iPhones cannot restore custom firmware (like the 3GS, prior to geohot's custom DFU, or presently, the iPhone 4) without being pwned first (hacking the low level bootrom on the phone). What I can say is that a jailbroken phone should *never* be upgraded until you are 100% certain that the destination firmware can be jailbroken and that software has been updated to support it, and also until you are 100% certain that an unlock is available or a mechanism is available to upgrade to the new firmware without upgrading the baseband.
4) Yes and no - if you have the SHSH, you can always downgrade to the revision of iOS that you have the SHSH saved for, however, upgrading the phone with stock firmware will upgrade your radio baseband (which cannot presently be downgraded), and this may prevent you from being able to unlock the device.
5) I do not believe PwnageTool actually flashes the firmware on the device, it only creates the custom firmware that you use from iTunes to restore.
6) No, restoring has nothing to do with downgrading -- restoring is the act of re-flashing the iOS revision onto the device from iTunes.
7) See #6, question is based on an incorrect assumption.
8) See #6, question is based on an incorrect assumption. The 'Update' button in iTunes checks for the update, downloads the .ipsw, then flashes to the device. iTunes will *never* by default attempt to downgrade your device, the only way to do this is with the SHSH saved.

I have done some reading on SHSH blob files and I would like to elaborate some more on this topic.

First of all, ECID is just a number! It is a 16 digit long hexadecimal number to be specific! So it is alphanumeric! Meaning it may look something like "000005A9DB897CE1" or similar, where the first 5 digits have 0 values and the remaining digits can have values anywhere from 0 to 15 in the decimal system (or obviously 0 to F in hexadecimal).

The ECID is unique to every iPhone on the planet Earth!

From the way I understood a post on Saurik's website even the iPhones prior to 3GS had ECID but unlike the 3GS and later models they didn't make any use of it. Could someone confirm or dismiss this? I just want to be certain.

Well, so far I understand. Now, where exactly is this number stored and how do you grab it?

Is it stored in some file on the file system or hardcoded to some silicon chip on the device itself?

Is it in any way part of the firmware? And if so, wouldn't it be true that it would be erased when flashing the firmware, i.e. upgrading or downgrading the firmware?

I also understand that not only the ECID but also a hashcode of the current firmware is used as a challange in Apple's challange-response authentication mechanism, and then the SHSH signature is used as a response. Is that correct, the ECID and the hashcode of the current firmware is the challange? And SHSH signature is the response?

What does this hackcode look like? What kind of hash algorith is used?

What does the SHSH signature look like?

Could it be that the SHSH signature generated by Apple servers is always the same and not random for a given ECID?

I also understand the process for defining bypass for a given hostname, for pointing iTunes to saurik's SHSH server instead of the real thing. But I still don't fully understand why we even need this in first place.

Could someone explain to me in layman terms how this firmware authentication protocol works? From the moment you connect your iPhone to the computer and shift-click on "Restore" button in iTunes and choose an IPSW file, what is happening? Is it at that point that iTunes starts communicating with Apple servers?

"Restoring" in iTunes terms means flashing the device firmware. So, iTunes normally doesn't allow you to restore to a firmware older than the current one, only to a newer firmware. So how do you go past this to begin with? Is this where DFU mode comes into play?

In other words, recovery mode does not allow you to "restore" (flash) to an older firmware than the current one, but DFU mode does allow you to just that?

Quote:

---

Originally Posted by ElectroGeeza

The ECID is unique to every iPhone on the planet Earth!

From the way I understood a post on Saurik's website even the iPhones prior to 3GS had ECID but unlike the 3GS and later models they didn't make any use of it. Could someone confirm or dismiss this? I just want to be certain.

---

Yes this is true and how Apple could add the software only SHSH to 3G and iPod touch 2G in iOS 4.x

Quote:

---

Originally Posted by ElectroGeeza

Well, so far I understand. Now, where exactly is this number stored and how do you grab it?

Is it stored in some file on the file system or hardcoded to some silicon chip on the device itself?

---

It's manufactured into the main app CPU as far as I understand. Impossible to change.

Quote:

---

Originally Posted by ElectroGeeza

I also understand that not only the ECID but also a hashcode of the current firmware is used as a challange in Apple's challange-response authentication mechanism, and then the SHSH signature is used as a response. Is that correct, the ECID and the hashcode of the current firmware is the challange? And SHSH signature is the response?

What does this hackcode look like? What kind of hash algorith is used?

What does the SHSH signature look like?

Could it be that the SHSH signature generated by Apple servers is always the same and not random for a given ECID?

I also understand the process for defining bypass for a given hostname, for pointing iTunes to saurik's SHSH server instead of the real thing. But I still don't fully understand why we even need this in first place.

---

The shsh blob from Apple is the sane for a given ecid and iOS version. That is how saurik's server and tiny umbrella's TSS server can cache and serve shsh after apple stops signing them.

The secure boot model and format of img3 is explained in an Apple patent.

The img3 header where shsh and signature are located is explained on iphonewiki.

Quote:

---

Originally Posted by ElectroGeeza

Could someone explain to me in layman terms how this firmware authentication protocol works? From the moment you connect your iPhone to the computer and shift-click on "Restore" button in iTunes and choose an IPSW file, what is happening? Is it at that point that iTunes starts communicating with Apple servers?

---

When you click restore, first iTunes examines the ipsw, there are some manifest type files that describe the key contents of the ipsw, (information like what hardware is this ipsw targeted for, what files are contained and what iOS build number does this ipsw correspond to.

iTunes also checks the iDevice to ensure it meets the basic requirements outlined in manifest and determines the ECID of device.

Then iTunes contacts a server at Apple and sends a request for SHSH blobs, the request contains the ECID plus signatures of the key files within the ipsw. Apple checks that the signatures match their records then issues a unique shsh blob for each file that is signed with ECID and apple's private key.

iTunes takes these SHSH blobs and merges them into the key files from ipsw.

Then it sends (depending on DFU or recovery mode) some shsh signed boot files to iDevice followed by a shsh signed ramdisk. There is a separate ramdisk for restore and for update (otherwise all other files in ipsw are shared [if necessary] by both processes)

On the 3GS and newer the shsh signed bootfiles/ramdisk are checked by the iPhone hardware to ensure that they were signed with same ECID as the actual iDevice has. If they don't pass this check, then they shouldn't be allowed to be written to the iDevice or executed by the iDevice.

Once the ramdisk is sent, the iDevive is instructed to boot from that instead of from normal OS installed on device.

When ramdisk is booted the control process is reversed, now it is the ramdisk that determines the remainder of restore/update procedure not iTunes

The ramdisk runs through a script doing the various tasks required.
This stage is well documented on theiphonewiki - this is where most of the restore occurs. Including loading OS, flashing NOR, updating baseband and also some ramdisks have updates for other components (battery firmware for example)

During the ramdisk boot status update is sent back to iTunes.

When finished (or failed) device reboots and is detected/controlled by iTunes again

Quote:

---

Originally Posted by ElectroGeeza

In other words, recovery mode does not allow you to "restore" (flash) to an older firmware than the current one, but DFU mode does allow you to just that?

---

You are over complicating things.

Dfu is a term found across many devices it is not exclusive to apple.

It generically means that there is a hardware based mechanism to restore the device in the case that the existing software/firmware on the device has been corrupted.

Apple choose to use a common code base for dfu and their software based recovery mode.

The difference is that true dfu is smaller and supports only a subset of the options available in recovery mode.

Both DFU and recovery mode can be used to downgrade your iOS, it is just iTunes GUI that makes it look like downgrade is not possible.

Everything you have asked is explained in mostly plain English terms at theiphonewiki, i recommend that you go and start reading before asking more questions.