Miraculous restore of iOS 3.1.2 without SHSH blob! How?!
Here is how I restored an iPhone 3GS old-bootrom that was stuck at the Apple logo for hours after an "Erase All Content and Settings":
1) Installed iTunes 9.
2) Ran iREB-r4 and clicked iPhone 3G[S]. iREB put the phone into pwned DFU mode.
3) Ran iTunes 9 and shift-restored custom firmware iPhone2,1_3.1.2_7D11_Custom_Restore_Activated.ipsw.
I didn't use any SHSH blob server or TinyTSS or anything like that. My host file is clean. I don't understand how this worked without a valid SHSH blob. Any idea?
Here's some background that might help...
The person who sold the iPhone to me said they had bought it from someone else and didn't seem too knowledgeable. They claimed the phone wasn't unlocked or jailbroken. They were quite paranoid about privacy and wouldn't let me use the phone aside from viewing the Settings->General->About screen. I saw that the iOS "Version" was 3.1.2 and the "Carrier" was "Not available". I wasn't able to check if Cydia was installed. (The price was excellent so I went along with it.) Before giving me the phone, the seller did "Erase All Content and Settings" and drove away. The phone was stuck at the Apple logo for hours. I read that this happens to jailbroken phones, but since this one wasn't supposed to be jailbroken, I was concerned. I decided to attempt a restore.
On a shift-restore of the official 3.1.2 firmware, iTunes would tell me the iPhone "cannot be updated at this time because the iPhone software update server could not be contacted or is temporarily unavailable."
On a shift-restore of iPhone2,1_3.1.2_7D11_Custom_Restore_Activated.ipsw, I would get an Error 1600. That led me to this page, which introduced me to iREB: "How to Restore Custom IPSW Made with PwnageTool or Sn0wbreeze?" (Jaxov)
To my amazement, after iREB pwned DFUed the iPhone, I was able to shift-restore the custom firmware and iOS booted fine. It's been 5 hours and the phone seems to be working okay.
How could this work without an SHSH blob or without contacting an SHSH service? Maybe the phone was jailbroken and/or unlocked before, but I would still need an SHSH blob, correct? Could it be an old bootrom vs new bootrom thing? Everything I've read indicates that the old bootrom still requires SHSH validation.
This is a long shot, but is it possible the correct SHSH blob was already stored on the device and never overwritten?