iOS 4.0.2 Jailbreak Not Possible; Rollback to iOS 4.0.1 Without SHSH Backup Possible for New iPhone 4 & 3GS [New iPhone 4 & iPhone 3GS with iOS 4.0.2 Can be Jailbroken; Downgrade to iOS 4.0.1 Available Without SHSH Blobs Saved Beforehand]

Posted on TFTS by Chris Smith on Tuesday, 31. August 2010 under: Mobile/Cell Phones

Well look here what the cat dragged in! It looks like new iPhone 4 and iPhone 3GS handsets that come with iOS 4.0.2 out of the box, you know, the kind of firmware that’s currently not jailbreakable nor unlockable yet, can be jailbroken. Yes indeed! That’s very surprising and it doesn’t involved the iPhone Dev Team one single bit.

Or at least, there’s no iOS 4.0.2 jailbreak out in the open. What you can do though is to downgrade your firmware to iOS 4.0.1, that’s jailbreakable via JailbreakMe, even if you don’t have SHSH blobs saved. So how does this trickery work out? Well here’s a step-by-step tutorial that will show you how to do it:

Step 1: Download iOS 4.0.1 ipsw from here.
Step 2: Extract it with WinRAR or WinZip to a folder on the desktop. You may need to rename the firmware file from .ipsw to .zip to do this.
Step 3: Open the buildmanifest.plist with the Notepad if you are on Windows, or TextWrangler if you are on Mac.
Search and replace all – 8A306 with 8A400. Save. Repeat the same with the file restore.plist.
Step 4: Download iOS 4.0.2 ipsw from here and open this with WinRAR or WinZip.
Note: Do not extract it. Just open it and leave it open. You must use this exact file and not create a new one. If you have to create a new one for reasons like you are on OS X, then use zip command line not explorer or finder to make the zip. I will assume you are using the original file opened in WinRAR for the rest of this guide.
Step 5: Take all the files from iOS 4.0.1 and drag them over to the iOS 4.0.2 zip archive that you have open.
Step 6: Delete all the .dmg files that have 002 at the end, leaving only the 001 files left.
Step 7: Save the archive, and rename it back to .ipsw if you changed the name to get WinRAR/WinZip to open it.
Step 8: Optional (This helps ensure you get an SHSH file request for the future, but should not be necessary to just restore iOS 4.0.1).
Add the 74.208.10.249 gs.apple.com line to the host file.
Step 9: Put the device in DFU by following the steps below:
• Connect your iPhone to your computer.
• Turn iPhone off.
• Start iTunes.
• Hold Power and Home buttons together for 10 seconds or so.
• Release Power button but keep holding the Home button until your computer recognizes a new USB device.
• iTunes will now recognize your iPhone.
Note: Your iPhone screen at this time should be blank (black in color), if not, then you are most likely in Recovery Mode, not DFU mode.
Step 10: Now simply open iTunes and restore the firmware you changed.

Now this tutorial sounds pretty easy to follow, but it’s all your fault if you mess it all up. We’re definitely going to be interested to hear your feedback on this. Redmond Pie managed to pull off an interesting stunt here and I’d be interested to see if it works on current iOS devices that were simply upgraded to iOS 4.0.2 by mistake (that means without saving SHSH blobs on iOS 4.0.1 jailbroken iPhones or iPod touches.)

And while we’re at it, can we assume a similar solution is available for iOS 3.2.2 iPads?

Source

daniel
does not work. it give me an unknown error with a 3194 number
Felix
Followed instructions to a T but no success. Maybe because I used Bitzipper and not Winzip??? Bitzipper worked great. I assumed that in step 3 you mean to “rename” files from 8A306 to 8A400. Step 8 was totally skipped because Windows 7 Administrator won’t let me save it. At the end I tried the restore the iphone by letting the computer search for file which didn’t work so I also tried to restore the phone by holding shift key and clicking restore then searched for file from the saved location but nothing worked. ERROR I receive every time (after about 10 tries) is:
“The iPhone “iPhone” cannot be restored at this time because the iPhone software update server could not be contacted or is temporarily unavailable. Please try again later.”
Any help will be really appreciated.
Thank You,
Felix
Ricky
can’t do that with error 3294, how we can solve it
Ericson
doesnt work it give me an error 3194
gus
It worked guys. I just did it on a 3gs 32gb.
Muzz
error 3194….dont bother folks
Matt
3194 error here too…seems its not going to be possible! Which sucks!
Sfbatuta
I followed the steps above (or thought I did) but got the dreaded 3014. I reviewed what I have done over again and it turned out that I missed replacing the file restore.plist value 8A306 with 8A400.
I did not skip step#8. But I did see several posts of folks missing that step. So on windows, to verify that you have performed that step correctly, open up a command line window. Type below:
C:\>ping gs.apple.com
You should get the following output if you updated your hosts file correctly (hosts file under C:\WINDOWS\system32\drivers\etc\ or %windir%\system32\drivers\etc\
Pinging gs.apple.com [74.208.10.249] with 32 bytes of data:
Reply from 74.208.10.249: bytes=32 time=223ms TTL=46
Reply from 74.208.10.249: bytes=32 time=317ms TTL=46
Reply from 74.208.10.249: bytes=32 time=224ms TTL=46
One last thing, when you hit restore in iTunes, make sure you hold down the shift button (left one in my case on windows). That will make iTunes give you a browse window to select the ipsw file you prepared above. Also note that iTunes will still say you are restoring to 4.0.1 (not 4.0.2) despite changing all the ids above but it will let the restore go through.
I was writing comment above as phone is being rollbacked from 4.0.2 to 4.0.1 and now rollback is over, cydia is installed, phone is jailbroken and unlocked.
Note that originally my device was upgraded direcltly from 3.1.2 to 4.0.2 (never had 4.0.1 on it) and that I did not have SHSH blobs saved on file either.
Amir
It dosent work on iPhone 4 – 4.0.2 out of box.
The Dev Team has hacked OS 4.1 already so I will wait for them to release that :)
Nick
Instead of having everyone go thru the motions, why not just provide a download to the file that has already been adjusted? I am not savvy enough to know how to use command line zip in Mac OSX & this is where I am stuck – can’t you just provide the file once it’s been “tweaked” so people like me can just drop that on the desktop & go from there?