Recently my flatmate was given a hand-me-down iPhone 3G. Unfortunately the phone had two problems meaning she couldn’t use it:
- Locked to O2 – My flatmate has a contract with Vodafone
- Broken Power/Sleep button
To get around this I initially thought it was as simple as jailbreaking the phone, installing Activator to get around the broken sleep button, and then using ultrasn0w to unlock.
Getting into DFU Mode
It then dawned on me that because the iPhone was at firmware 4.2.1, it could only be jailbroken using a custom firmware flashed through “pwned” DFU mode. Normally to access DFU mode you perform a specially timed series of button presses using the menu and sleep button. This was obviously not possible due to the broken sleep button.
After googling around for some time I stumbled across a blog post which demonstrated how it was possible to get into DFU mode by corrupting the LLB file in a vanilla firmware file.
To do this you’ll need a Mac or Linux VM (if on Windows).
- Grab the vanilla 4.2.1 firmware: here
- Unzip the LLB file
unzip iPhone1,2_4.2.1_8C148_Restore.ipsw '*/LLB*img3'
- Corrupt some bytes at offset 0x240 (whilst maintaining the file size):
dd if=/dev/urandom of=Firmware/all_flash/all_flash.n82ap.production/LLB.n82ap.RELEASE.img3 bs=16 count=10 seek=36 conv=notrunc
- Repack the corrupted file into the ipsw:
zip -fv iPhone1,2_4.2.1_8C148_Restore.ipsw Firmware/all_flash/all_flash.n82ap.production/LLB.n82ap.RELEASE.img3
- Use iTunes to flash the corrupted firmware file.
- Somewhere through the flashing process, iTunes will throw an error and the iPhone will reboot into DFU mode.
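As an added example that is not part of the original post, the script below performs the same corruption step on a constructed stand-in file and checks the invariant the step depends on: the file size is unchanged and only the 160 bytes from 0x240 were touched. It assumes a POSIX shell with dd, cmp, awk and mktemp; the stand-in file and the helper function names are mine, not the post's.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "corrupt bytes at
# 0x240 while keeping the file size" step on a constructed stand-in file and
# verify that the invariant held. Assumes POSIX sh with dd, cmp, wc, awk and
# mktemp; the real LLB.n82ap.RELEASE.img3 is not needed.
set -eu

size() { echo $(( $(wc -c < "$1") )); }

# Overwrite LENGTH bytes of FILE from byte OFFSET with random data.
# conv=notrunc stops dd truncating the file after the written range, which is
# what preserves the size. bs=1 allows byte offsets; the post's
# bs=16 seek=36 count=10 covers the same range (0x240, 160 bytes).
corrupt_range() {
    file=$1 offset=$2 length=$3
    dd if=/dev/urandom of="$file" bs=1 count="$length" seek="$offset" conv=notrunc 2>/dev/null
}

# Succeed only if ORIG and CUR have the same size, differ somewhere, and every
# differing byte lies inside [OFFSET, OFFSET+LENGTH).
verify_corruption() {
    orig=$1 cur=$2 offset=$3 length=$4
    [ "$(size "$orig")" -eq "$(size "$cur")" ] || return 1
    # cmp -l prints 1-based positions of differing bytes; awk converts them to
    # 0-based offsets and rejects any outside the intended range.
    cmp -l "$orig" "$cur" | awk -v lo="$offset" -v len="$length" '
        { n++; pos = $1 - 1; if (pos < lo || pos >= lo + len) bad = 1 }
        END { exit (bad || n == 0) }'
}

# Constructed stand-in: 4 KiB of zeros exercises the offset and size logic.
# It is not a real img3 image.
make_stand_in() {
    dir=$(mktemp -d)
    dd if=/dev/zero of="$dir/LLB.img3" bs=4096 count=1 2>/dev/null
    cp "$dir/LLB.img3" "$dir/LLB.orig"
    printf '%s\n' "$dir"
}

# Same parameters as the post: 16*36 = 576 = 0x240, 16*10 = 160 bytes.
demo() {
    d=$(make_stand_in)
    corrupt_range "$d/LLB.img3" $((16 * 36)) $((16 * 10))
    verify_corruption "$d/LLB.orig" "$d/LLB.img3" 576 160
}

# Control case: a write outside the intended range must be rejected.
demo_out_of_range() {
    d=$(make_stand_in)
    corrupt_range "$d/LLB.img3" 0 16
    verify_corruption "$d/LLB.orig" "$d/LLB.img3" 576 160
}

demo && echo "corruption confined to 0x240..0x2DF, size unchanged"
```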
Flashing the custom firmware
To create the custom firmware ipsw (including the jailbreak), I used redsn0w. However, I found that newer versions didn’t seem to work properly with the iPhone 3G. In the end I used version 0.9.6rc16 available here: Windows, Mac.
The timing and ordering of the next steps is very important and is where I had the most trouble.
After much confusion I found that redsn0w could only put the iPhone into “Pwned” DFU mode the first time it was connected to the computer after entering DFU mode. Later attempts would result in the tool claiming success but when attempting to flash the custom firmware, iTunes would give a 1600 error meaning that the phone wasn’t in “Pwned” DFU mode.
Discovering this and working around it proved very time consuming because if you didn’t successfully enter “Pwned” DFU mode on the first connection after entering DFU mode, the broken power button prevented you from resetting the phone! This meant that each time I failed, I had to wait for the phone to run out of battery before I could try again!
After achieving “Pwned” DFU mode on the phone I kept experiencing errors 9 and 14 when attempting to flash the custom firmware using iTunes. This turned out to be a side-effect of waiting for the battery to run out to reset the phone! It seemed that despite being connected via USB, the phone did not draw enough power to last through the flashing process causing it to fail.
Finally I found a process that worked around all of these issues:
- Wait for the iPhone to run out of battery (There’s no display on the phone because it’s in DFU mode so this is a waiting game really)
- Click through the redsn0w menus selecting “Only enter Pwned DFU mode” until you reach the stage where it walks you through getting into DFU mode
- Connect the iPhone
- Redsn0w should say it’s successfully put the phone in “Pwned” DFU mode
- Leave the iPhone charging from the computer for at least an hour
If you don’t leave it this long, the phone will run out of battery during the flashing process and you’ll have to start again from the beginning, so don’t get trigger happy! You may want to make sure your computer doesn’t go to sleep during the hour or it might stop charging the phone.
- Start iTunes and use Shift/Alt click to select the custom firmware file you made using redsn0w earlier
- iTunes should flash the phone without any complaints!
- If you encounter error 1600, the phone isn’t in “Pwned” DFU mode and you’ll need to start again from step 1.
- If you encounter errors 9 or 14, you didn’t leave the phone charging for long enough and you’ll need to start again from step 1.
Ultrasn0w only works with iPhone 3G basebands 4.26.08, 5.11.07, 5.12.01, 5.13.04, and 6.15.00. Unfortunately my friend’s iPhone was at 05.15.04. This left me with two options:
- Upgrade to the iPad 6.15.00 baseband (which apparently causes issues with GPS)
- Downgrade to the 5.13.04 baseband (only possible if you have bootloader 05.08 / 5.8)
Fortunately the bootloader was 05.08 meaning I could downgrade like so:
- Install “fuzzyband” from Cydia
- Assuming you’re on baseband 05.15.04 you’ll need to add an extra certificate to /Applications/Fuzzyband/ – You can get it here. You can copy onto the phone using i-FunBox if you’re using Windows or use SSH.
- Run the fuzzyband app and it should let you downgrade the baseband
- Once downgraded, add the ultrasn0w repo (repo666.ultrasn0w.com) to Cydia
- Install ultrasn0w