PWNAGE TOOl 1.1. and Windows RC1 Tutorial.
MOVED FROM PAGE 1 so PWNAGE TOOL 2.0 TUTORIAL CAN BE THERE!
ONLY FOLLOW IF YOU ARE ON 1.1.4 and want to use pwnage!
-------------------------------------------------
WINDOWS USERS IMPORTANT READ HERE!
Windows RC1 is out now!
Download from
www.winpwn.com
Although it is for windows the buttons do the same and it works the same way.
Follow the same steps below as on Mac
NOTE: Once you pwn your iphone/ipod using winpwn you CAN download already made custom firmwares to install but this is not recommended as you do not know if the source is reliable.
To select custom firmware on PC - press SHIFT and click on the restore button in iTunes.
iLiberty+ is available for PC and can be used to put iPhone/iPod into recovery mode or kick it out of recovery mode should you need to.
You will require the iTunesMobileDevice.dll in order for WinPwn to work and you will have to put it inside the winpwn program files directory - these can be downloaded from winpwn.com.
They would have to be put in "C:\Program Files\cmw\winpwn"
New Features of WinPwn
WinPwn has been released. This version is fully working with no functions disabled.
WinPwn has added the following NEW features:
- You can now download applications from Installer and put them onto your phone during the restore.
- You can download custom boot images from the internet as well.
You MUST select "installer" from the "System" catagory and "BSD Subsystem" from "System" catagory for your to be able to use ALL OTHER 3rd party applications and they may be required for successful unlocking as well.
If you click on "custom images" and check the box you can then select from a choice of custom images which are automatically downloaded if you click on "search online". Alternatively you can click on "boot image" and chose your own image on your computer (NOTE: there are certain requirements for images and if the image does not match those then any restore will fail with error 6).
The unlocking options are THE SAME AS FOR MAC - BOOTLOADERS CAN BE SELECTED THE SAME WAY AS FOR MAC. EVERYTHING WORKS THE SAME WAY SO FOLLOW THE MAC TUTORIAL.
Installer however will NOT be added unless you manually download it and add it from the applications tab.
====
Should you use this if I already used ZiPhone/iPlus/iLiberty+?
If your phone is working at this time then there is NO need to use pwnage.
Pwnage is a safer method for jailbreaking/unlocking/activating but unless you like
messing with new firmware then there is no reason to use it.
However, none of the above apps will unlock/activate/JB 2.0 or any of its betas.
So for the next firmware you will have to use Pwnage.
If you wish to revert to your original bootloader you can using pwnage now!
iPhone or iPod Touch?
Both work with Pwnage - for iPod instructions just use iPod restore files instead of iPhone files I mention below!
PWNAGE does not add 1.1.4 apps or wiggly icons on iPod touch- you can get those through installer by adding the source:
http://repo.ispazio.net or buy them through iTunes.
Apple Firmware files can be downloaded from:
iPhone:
1.1.4:
http://appldnld.apple.com.edgesuite...0226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw
iPod Touch:
1.1.4:
http://appldnld.apple.com.edgesuite...080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw
ONLY use iPwner on 1.1.4
BEFORE YOU TRY ANY OF THE 2.0 BETA VERSIONS YOU MUST PWN AND UNLOCK/ACTIVATE WITH 1.1.4
If you do not have 1.1.4 then I recommend you update to 1.1.4 using iTunes (also to familiarise yourself with the restore process) as normal then run the pwnage tool.
You can pwn your phone without restoring first from 1.1.4
1. Click the "Browse .ipsw" button.
2. Select the 1.1.4 restore - on mac it is in the
User (ie your name on your mac)>Library>iTunes>iPhone Software upgrade
Then you just select the firmware. There is even an iPod folder so you don't get confused!
MAKE SURE YOU SELECT THE CORRECT FIRMWARE FOR YOUR IPHONE/IPOD.
EXAMPLE: IF YOU HAVE A 1.1.4 IPHONE THEN PWN IT USING THE 1.1.4 IPHONE RESTORE FILE!
DO NOT USE A 1.1.4 IPOD RESTORE FILE ON YOUR IPHONE OR IPHONE ON YOUR IPOD
If you do not have it then connect your iPhone and click on restore and it will start downloading in iTunes.
UNPLUG your iPhone as soon as it starts downloading as we DO NOT WANT to restore yet!
Or download it directly from the above link.
3. Once the 1.1.4 file has been seen by the pwnage tool then click on "iPwner"... You have to put your phone in restore mode to do this.
Whilst connected to your computer turn off your phone. Hold down the home button and turn the phone back on - it will go into restore mode. You can tell this from the "connect to iTunes" logo that comes up. If you have problems getting into restore mode - then I suggest downloading iLiberty+ and looking at the advanced menu on the top left of the screen gives you the option of putting it into restore mode using that.
iTunes will open when the phone enters restore mode. PwnageTool will detect iTunes is open and ask you to close it.
Just close it anyway when it pops up by exiting it from the mac taskbar - no need to wait to be told to close it by the tool!
Once in restore mode Pwnage tool will do its magic!
Your phone will restart with a pineapple instead of the apple logo and then boot back into normal mode.
4. Click on "IPSW builder" button. Make sure that Pwnage tool will rebuild the 1.1.4 file for you. Make sure that Enable baseband update, Neuter bootloader, unlock baseband and activate phone are selected. If you wish to keep the pineapple logo then click on use custom images if not the apple logo will come back!
When you upgrade to 1.2/2.0 iPhone or iPod - pwnage automatically selects the correct settings so you don't have to do anything! But DON'T uncheck anything checked in that situation!
IF it asks for bootloaders see bottom of page for how to select them!
PwnageTool 1.1 has added additional options for custom firmware creation.
IMPORTANT: There are reports that BootNeuter CAN NOT unlock the phone unless BSD Subsystem part of your custom firmware. YOU MUST ADD IT TO THE CUSTOM FIRMWARE TO AVOID ANY ISSUES!
"General" Tab
Now includes "Auto delete BootNeuter.app" - This deleted BootNeuter after it has been run once.
This avoids accidently or malicious fiddling of your phone settings by third partys as after your phone is unlocked it is deleted automatically. (Note: If you wish to re-lock your phone at a latter
date you would have to restore again to a new custom firmware with auto-delete unchecked so you can reset the settings or download BootNeuter directly from Installer)
"Custom Packages" Tab
This allows you to add applications you would have to download through Installer or chose whether set-up Installer on your phone in the first place.
BSD Subsystem: This package of tools is needed by MOST 3rd party apps so they can run correctly HOWEVER your Installer will not "see" it as installed so for your phone to see it as installed you need to add the big boss recommended and beta sources from the sources catagory. Then go into the system category and install "Fake BSD Subsystem" then exit installer and you can now install all apps without redownloading BSD again!
Installer: This is the application that lets you locate by category and download and install all 3rd party applications with the touch of one button - it MUST be selected if you want 3rd party applications on your iPhone.
OpenSSH: This is a tool that allows you to wirelessly connect your iPhone to your PC/Mac and transfer files and run complicated command line applications. It is not required and not recommended unless you KNOW you need it for something first!
"Custom Logos" Tab
This allows you to select your own custom logos for when your iPhone/iPod starts up and for recovery mode. If you do NOT check the boxes then the standard Apple logos will be used.
If you leave the boxes checked then the pineapple and Steve Jobs images will be used.
You can select your own image for the firmware by clicking on "browse" and selecting your own image however it must be a PNG gile in RGB or Grayscale format with alpha channel present. The dimensions must be below 320x480 pixels. The size of the compressed image is limited to 100 Kb.
Pwnage will then make a custom firmware file and save it to your iTunes directory.
5. Connect iPhone to Mac. Click on alt+ restore and it should open up the file select box. If it doesn't then try the buttons next to it and restore as I always get confused on Mac what the equivalent of shift is! lol
6. Select the firmware that says "custom restore" in the filename.
7. Your iPhone will now restore and restart.
If you get a restore failed message then put the phone into recovery mode and try restoring again with the custom firmware before you do anything else and it should work!
8. When it restarts
it will load BootNeuter automatically.
DO NOT TOUCH THE PHONE
The phone will reboot when BootNeuter has completed its process back to the home screen.
Your Done - unlocked and activated!
BOOTLOADER INSTRUCTIONS!
If IPSW Builder asks you for the bootloader images.
Download bootloaders.rar from the link onto your Desktop. Double click this to extract its contents.
Click the browse button for the bootloader 3.9 image and select BL-39.bin file from your Desktop.
Click the browse button for the bootloader 4.6 image and select BL-46.bin file from your Desktop.
Click OK button!
Can I go back to 4.6 from 3.9 that ZiPhone downgraded/ or 3.9FB that iLiberty/iPlus downgraded?
Yes! Just click on bootneuter on your home screen. It will "unload commcenter" DO NOT TOUCH while it is doing that!
The current settings will then be highlighted. Select what you want and click on Flash and WAIT UNTIL IT FINISHES.
ALWAYS LEAVE Baseband unlocked and bootloader "neutered". I changed my 3.9FB back to 4.6 original but STILL neutered without any issues.
DO NOT FLASH UNECCESSARILY! it is still possible to damage your phone if you go back and forth over and over. If you need to go back to your original bootloader for warranty reasons then do so otherwise leave it alone!
IF you load bootneuter and when you exit bootneuter it will take 15-20 seconds for your signal to return.
just be patient!
Can I return it to Apple and they won't know?
When you click the "iPwner" button in PwnageTool, your main s5l8900 bootloader (the OS bootloader) gets pwned. To undo this, use iTunes to restore to a Apple ipsw.
When you neuter using BootNeuter, your S-Gold radio bootloader (the baseband bootloader) gets "pwned". To undo this, run BootNeuter again and turn off all options (and pick 3.9 or 4.6 depending on your preference).
Two different CPUs, two different tools. But both the s5l8900 pwnage and S-Gold pwnage are 100% reversible.
If you want to relock your phone - use bootneuter and click everything to off. Then restore with Apple firmware. And you are back to factory fresh.
If you restore with Apple firmware you will then have to use ipwner again to use custom firmware.
-----------------------------------------------------------------------------------------
Can I remove BootNeuter once I have completed the process? its a dangerous application if someone doesn't know what they are doing!
If someone was to constantly flash your bootloader you could break your phone. So its best to remove the application. If you want it back just restore back from your custom firmware.
You can now select "auto delete BootNeuter" when you make the custom firmware so it is automatically removed
You can chose to "hide" BootNeuter by downloading "Poof" app from Installer - this will remove it from the phone screen without deleting it and you can get it back by clicking on it in the poof.app settings
However if you have not selected that option you can manually
remove it by following the steps below:
The easiest way to do this is using "Term-vt100" which can be found on
Installer in the "system" catagory.
Make sure you install "Community Sources" from the sources catagory first.
You will then need to download "BSD Subsystem" from the "system" catagory and then Term-vt100.
You will then need two fixes also from installer before it works (otherwise terminal won't login or work with backspaces)
SUID Lib Fix (from 1.1.3 tweaks section)
and
BSD Subsystem Termfix (from tweaks section).
If you type the following command in through Term-vt100:
If you are asked for the password then type : alpine
You will not see the password appear - the cursor will just flash so when you have finished typing press enter then continue to the next stage.
After the first line is typed then press enter, when you type the second line press enter again. This is Case sensative - and must have the correct spaces between words as well to work - if you mistype you WILL get an error - in which case retype the part you mistyped and press enter again!
rm -rf /Applications/BootNeuter.app
killall -HUP SpringBoard
Type it exactly like that and it will delete BootNeuter and restart your iPhone screen so it has vanished from your phone!
When you download an application from installer then click ok to install it if it asks. When you exit installer the icon for the vt-100 will appear on your phone screen. Click on the icon to access the application. The other downloads are not visible on the phone as they are tweaks to installer and the phone and vt-100.
PwnageTool 1.1 has added additional options for custom firmware creation.
"General" Tab
Now includes "Auto delete BootNeuter.app" - This deleted BootNeuter after it has been run once.
This avoids accidently or malicious fiddling of your phone settings by third partys as after your phone is unlocked it is deleted automatically. (Note: If you wish to re-lock your phone at a latter
date you would have to restore again to a new custom firmware with auto-delete unchecked so you can reset the settings or download BootNeuter directly from Installer)
"Custom Packages" Tab
This allows you to add applications you would have to download through Installer or chose whether set-up Installer on your phone in the first place.
BSD Subsystem: This package of tools is needed by MOST 3rd party apps so they can run
correctly HOWEVER it does not show as being set-up when you check the "uninstall" tab in Installer which means that Installer will make you download it again online before you can use any applications that require it.
Installer: This is the application that lets you locate by category and download and install all 3rd party applications with the touch of one button - it MUST be selected if you want 3rd party applications on your iPhone.
OpenSSH: This is a tool that allows you to wirelessly connect your iPhone to your PC/Mac and transfer files and run complicated command line applications. It is not required and not recommended unless you KNOW you need it for something first!
"Custom Logos" Tab
This allows you to select your own custom logos for when your iPhone/iPod starts up and for recovery mode. If you do NOT check the boxes then the standard Apple logos will be used.
If you leave the boxes checked then the pineapple and Steve Jobs images will be used.
You can select your own image for the firmware by clicking on "browse" and selecting your own image however it must be a PNG gile in RGB or Grayscale format with alpha channel present. The dimensions must be below 320x480 pixels. The size of the compressed image is limited to 100 Kb.
----
Enable baseband update - Determines if the baseband update should be enabled in the custom ipsw. Only check this button if you wish to update the baseband modem portion of your iPhone.
WARNING: This
may remove previous baseband unlocks or other modifications that have been made previously. If in doubt leave it unchecked.
Neuter bootloader - This will enable "Bootneutering" to the baseband firmware allowing custom firmware onto the iPhone baseband by convincing the iPhine that it is secure.
Upgrade to 4.6 - upgrades 3.9 and 3.9FB to 4.6
Downgrade to 3.9 - downgrades 4.6 and 4.6FB to 3.9
Unless you understand the above option you should
avoid it
The only reason right now to change bootloader is because ZiPhone/iPlus etc downgraded a 1.1.2 OTB and newer phone from stock 4.6 to unlock it thus voiding the warranty. Returning it to 4.6 will mean that Apple will not know you ever changed it and you can still get that warranty (if your on an official contract).
These changes can be made using BootNeuter once your iPhone has booted up successfully after restoring from the custom firmware you selected
Unlock Baseband - This will enable the unlocking of the baseband to all networks using a custom "software unlock" process. Use this if you wish to use your iPhone with a SIM from a carrier other than the one provided with your iPhone.
Activate Phone - This will activate the phone so that it can be used with iTunes. This will bypass the Apple activation process and set the iPhone to be in an Activated state allowing access to the device's functions.
Unless your unlocked phone is activated using this then it will not work with any other SIM card (other than an official SIM activated in that particular iPhone).
Use Custom Pictures - This options enables the DevTeam's funky pineapple and Steve Jobs graphics. If you wish to keep the original iPhone graphics then DO NOT select it.
Your iPhone will be jailbreaked with installer even if you DO NOT select any of the above options!
