IntoMobile

Breaking news, information, and analysis on the latest mobile phones and mobile technology

Apple iPhone v1.1.1 Jailbreak solution released to the public – third-party apps on iPhone v1.1.1!

October 11, 2007 by Will Park - 3 Comments


Of course it has. With the iPhone Dev Team cranking out updates on the iPhone v1.1.1 jailbreak solution like there’s no tomorrow, we’re not at all surprised to see a public jailbreak solution so soon. The iPhone Dev Team has published their method to jailbreak your updated iPhone v1.1.1 to gain access to the file system, activate the iPhone, and install/run third-party applications. Keep in mind, the v1.1.1 jailbreak solution is not a simple point-and-click procedure. It’s pretty involved, requires terminal commands, and some SSH-ing. So if you’re not down with getting some dirt under your fingernails, you might just want to sit back and wait for a simple, GUI jailbreak solution.

Make sure your iPhone’s baseband hasn’t been altered before you attempt this method. In other words, unlocked iPhones will still need to wait for a re-locking solution before proceeding with any hacks.

The iPhone v1.1.1 jailbreak solution will guide you through the steps:

  • Downgrading to 1.0.2 (if necessary)
  • Preparing the iPhone for a jailbroken update
  • Performing a software update, leaving you with a jailbroken v1.1.1
  • Forcing v1.1.1 to mount read-write so you can access it
  • Installing SSH and BSD world
  • Activating with a Non-ATT SIM
  • Patching SpringBoard to allow third-party applications
  • Clean-up

Keep reading for the full instruction guide.

Jailbreak for iPhone v1.1.1

By NerveGas, Pumpkin, Edgan, drudge, dinopio, asap18

NO THANKS to Niacin: Get some help dude

DISCLAIMER

The iPhone Dev Team disclaims any liability of damage to your iPhone as a
result of following these instructions. While the instructions listed here
are believed to be safe and accurate, there is always a possibility that
your iPhone could be permanently damaged.

WARNING TO UNLOCKERS

The following instructions CAN NOT be used by those who have unlocked
their iPhones. Apple has designed the 1.1.1 upgrade to permanently brick
iPhones that have had their baseband modified to unlock the SIM.

— DO NOT FOLLOW THESE INSTRUCTIONS IF YOU HAVE EVER MODIFIED YOUR BASEBAND —

INTRODUCTION

Jailbreaking iPhone software v1.1.1 is an involved process, but can be
accomplished with the documentation here. The following steps will be
explained in-depth. Please read them thoroughly before proceeding.

0. Downgrading to 1.0.2 (if necessary)
1. Preparing the iPhone for a jailbroken update
2. Performing a software update, leaving you with a jailbroken v1.1.1
3. Forcing v1.1.1 to mount read-write so you can access it
4. Installing SSH and BSD world
5. Activating with a Non-ATT SIM
6. Patching SpringBoard to allow third-party applications
7. Clean-up

STEP 0: DOWNGRADING TO 1.0.2

Certain steps must be run prior to upgrading to v1.1.1. If you have already
upgraded to v1.1.1, follow these steps to downgrade back to v1.0.2.

1. Make sure you have a copy of the v1.0.2 firmware handy. It can be downloaded
here: http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw

2. With the iPhone turned on, hold down the POWER and HOME buttons
simultaneously for ten seconds (until the screen goes dark). Then release
POWER while CONTINUING TO HOLD DOWN HOME for another 15 seconds.

At this stage, the iPhone WILL APPEAR TO BE POWERED DOWN, but it is actually
in a special type of recovery mode allowing software downgrades. If you
see the “Connect to iTunes” icon, you’ve placed the phone into the wrong
recovery mode, and will need to try again.

3. While continuing to hold HOME, launch iTunes. You should be prompted to
restore your iPhone. If your iPhone instead boots up, then you powered it
down instead of putting it into downgrade mode, so give step 2 another try.

Once iTunes is up, you can now release HOME. You will be prompted to
restore your iPhone (if you are not, try step 2 again). Hold down the
OPTION key (or SHIFT if you’re running Windows) and click RESTORE.
You will then be prompted with a file selection window allowing you to
select a firmware file. Select the ‘iPhone1,1_1.0.2_1C28_Restore.ipsw’
file you downloaded in step 1, and begin the restore.

4. After the restore is complete, you’ll be told that the process failed, and
the iPhone will be in recovery mode. This is normal. Grab a copy of
NullRiver’s Installer.app from http://iphone.nullriver.com/beta/ and
attempt to install the Installer.app. This will cause your phone to boot
again, however the installation of Installer.app will fail (it’s OK).

5. Congratulations, you’re now back at 1.0.2. You’ll need to get shell access
to move onto the next step. Since you have Installer.app right there,
just run the installer again. This time it should succeed. Now activate.

Drudge has prepared a package called Trip1Prepz, which is designed
for people having to downgrade. It will perform all the necessary
preparations from STEP 1 without needing to set SSH back up, etcetera.

After Installer.app has been installed, go to this URL in Safari:
http://conceitedsoftware.com/iphone/beta

This will prompt you to add a community source to Installer. Once you’ve
done this, you should see Trip1Prepz listed as a package. BEFORE
INSTALLING IT, connect to iTunes, and ensure that you have an ‘update’ or
‘check for updates’ button. This is important, because once you install
Trip1Prepz, iTunes will no longer give you an option to update, but
only restore.

Once you’re up in iTunes, stay connected and install Trip1Prepz from
Installer.app.

NOW SKIP “STEP 1: PREPARING THE IPHONE FOR A JAILBROKEN UPDATE” COMPLETELY!

Alternatively, if you don’t want to use Trip1Prepz, you’ll need to
get going again with SSH and BSD world. This method will require that you
DO execute the preparation steps in step 1.

To do it this way, use Installer.app and install the “Community Sources”
package. This will add the “OpenSSH” package to the installer manifest.
Install the BSD Subsystem package and then OpenSSH, and you should be able to get back
into your iPhone (root password is dottie). Now move onto the steps below (do not skip
them in this case).

STEP 1: PREPARING THE IPHONE FOR A JAILBROKEN UPDATE

NOTE: This step requires you to be at iPhone software v1.0.2. If you are
not, please see STEP 0: DOWNGRADING TO 1.0.2 before proceeding.

Before upgrading to v1.1.1, some preparations must be made. The v1.1.1
update re-jails the iPhone. We’re going to use a little hack which will
keep 1.1.1 from being able to jail once you upgrade.

The way this hack works is this: An “update” in iTunes is unlike a “restore”,
in that the /private/var partition is preserved. The iPhone jails itself
to /private/var/root/Media. We’re going to move Media out of the way and
replace it with a symlink to /. This fools v1.1.1 into jailing to /, which
really is no jail at all. This will allow us to access the root filesystem,
which we’re going to throw into read-write mode later on.

1. Connect the iPhone to iTunes! It is critical that iTunes already
recognize your phone and that you have the “update” button available to you
BEFORE making the changes below. This is because executing the steps below
will otherwise cause iTunes to go into recovery mode, which will NOT WORK
with this jailbreak. Open iTunes, and if you have a “Check for Updates”
button, click it. You will be prompted to upgrade to 1.1.1. Tell iTunes
to “Download Only”; DO NOT click “Download and Install”.

Once you see the “update” button, DON’T CLICK IT, but continue to step 2.

2. While still connected to iTunes, SSH into your iPhone while still at
version 1.0.2. If you don’t have SSH set up, see STEP 0’s steps four and
five to install OpenSSH.

Now execute the following commands:

mv /var/root/Media /var/root/Media.old
ln -s / /var/root/Media

Your Media folders should now look like this:

lrwxr-xr-x 1 root wheel 1 Oct 10 12:06 Media -> /
drwxr-x--- 7 root wheel 272 Oct 10 10:51 Media.old

If it doesn’t look like this, try again.

3. If you plan on activating later using a Non-AT&T SIM (or without iTunes),
you’ll want to back up your existing copy of the lockdownd binary
(we’ll use it later)…

cp /usr/libexec/lockdownd /var/root/lockdownd.1.0.2
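The symlink trick above works because the updater trusts a path on the preserved /private/var partition without checking what it resolves to. As an added example that is not part of the Dev Team’s guide, this Python check shows what a service should verify before confining itself to a directory: that the path is a real directory, not a symlink, and that it resolves inside the location it is expected to live in. The /var/root layout under a temp folder is constructed for the demonstration.

```python
import os
import stat
import tempfile

def check_jail_root(jail_root: str, allowed_prefix: str) -> list:
    """Return the reasons jail_root is unsafe to use as a confinement root.

    An empty list means every check passed. These are the checks the
    v1.1.1 updater skipped: it followed /var/root/Media wherever it led.
    """
    findings = []
    try:
        st = os.lstat(jail_root)          # lstat does not follow a final symlink
    except FileNotFoundError:
        return [f"{jail_root} does not exist"]
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{jail_root} is a symlink to {os.readlink(jail_root)}")
    elif not stat.S_ISDIR(st.st_mode):
        findings.append(f"{jail_root} is not a directory")
    # realpath resolves symlinks in every path component, not just the last one
    resolved = os.path.realpath(jail_root)
    prefix = os.path.realpath(allowed_prefix)
    if resolved != prefix and not resolved.startswith(prefix + os.sep):
        findings.append(f"{jail_root} resolves to {resolved}, outside {prefix}")
    return findings

def demo() -> tuple:
    """Build a constructed var/root layout in a temp dir and check it twice:
    once with a real Media directory, once after the guide's symlink swap."""
    with tempfile.TemporaryDirectory() as tmp:
        var_root = os.path.join(tmp, "var", "root")
        media = os.path.join(var_root, "Media")
        os.makedirs(media)
        honest = check_jail_root(media, var_root)      # real directory: no findings
        # reproduce 'mv Media Media.old; ln -s / Media' from STEP 1
        os.rename(media, media + ".old")
        os.symlink("/", media)
        escaped = check_jail_root(media, var_root)     # symlink to /: two findings
    return honest, escaped

if __name__ == "__main__":
    for name, result in zip(("real directory", "symlink to /"), demo()):
        print(f"{name}: {result or 'OK'}")
```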

STEP 2: PERFORMING A SOFTWARE UPDATE

Now that you’ve symlinked Media -> /, you are ready to perform an update to
1.1.1. This MUST BE DONE WITH THE UPDATE BUTTON, and NOT the restore button.
The update process preserves your /private/var partition, while the restore
blows it away (which will just re-jail you).

Click the UPDATE button in iTunes, and upgrade to 1.1.1

If you didn’t listen and shut iTunes, you may no longer have an update button.
If this is the case, you’ll need to delete the symlink, put Media back,
start iTunes, then repeat STEP 1 again.

STEP 3: FORCING READ-WRITE MODE

If you’ve followed the steps properly, your iPhone should now be jailbroken, but
not yet writable. To confirm this, shut down iTunes and use iPHUC to connect
to the iPhone. Run ‘ls’ and you should see the root folders (Applications,
System, etc). If you see iTunes_Control, then you’ve botched a step and
will need to start over at STEP 0.

Forcing read-write mode involves overwriting the part of the disk partition that
contains /etc/fstab. This is done by writing to /dev/rdisk0s1. The included
iphuc-jailbreak code supports a command called “putjailbreak” which does this.
After we overwrite the disk, we’ll reboot and the iPhone will be mounted in
read-write!

1. Run iphuc:

Make sure iTunes is closed
killall iTunesHelper

– If you are on OSX/Intel: ./iphuc-jailbreak.osx
– If you are on OSX/PPC: ./iphuc-jailbreak.ppc
– If you are on Windows: ./iphuc-jailbreak.exe

NOTE: If you are using Windows, you’ll need to grab an existing iPHUC
distribution to get all the remaining files

2. You should now be connected to your iPhone. Test this by running ‘ls’, and
make sure you see ‘dev’ among the list of directories. If you see
iTunes_Control, then you haven’t jailbroken properly and will need to start
again from STEP 0.

3. We are now going to overwrite part of the disk partition with our payload
using the 2K file included in this distribution called rdisk0s1.
In iphuc, execute this command:

putjailbreak rdisk0s1 /dev/rdisk0s1

4. The upload should be relatively quick. Once finished, reboot your iPhone.
You’re now in read-write mode, and jailbroken! You can test this by
connecting again with iphuc after rebooting and running:

getfile /etc/fstab fstab

Open the file, and you should see the options for / to be ‘rw’ instead of
‘ro’. If you still see ‘ro’, then something’s gone wrong, try repeating
from step three.
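Step 4 above has you pull /etc/fstab back with getfile and inspect the mount options by eye. As an added example that is not part of the Dev Team’s guide, this Python helper parses fstab text and reports whether the root filesystem is set read-write, and, from the defender’s side, lists mount points that should be read-only but are not. The two fstab samples are constructed to match the ro/rw shape the guide describes, not copied from a device.

```python
# Constructed samples: the shape the guide describes, before and after putjailbreak
FSTAB_BEFORE = """\
/dev/disk0s1 / hfs ro 0 1
/dev/disk0s2 /private/var hfs rw 0 2
"""
FSTAB_AFTER = FSTAB_BEFORE.replace("/ hfs ro", "/ hfs rw", 1)

def parse_fstab(text: str) -> dict:
    """Map each mount point to its device, filesystem type and option list.
    Comments and blank lines are ignored; malformed lines raise ValueError."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"fstab line {lineno} has fewer than 4 fields: {raw!r}")
        device, mountpoint, fstype, options = fields[:4]
        entries[mountpoint] = {
            "device": device,
            "fstype": fstype,
            "options": options.split(","),
        }
    return entries

def root_is_writable(text: str) -> bool:
    """True when '/' is mounted rw, the state the guide's STEP 3 produces."""
    options = parse_fstab(text)["/"]["options"]
    return "rw" in options and "ro" not in options

def audit_fstab(text: str, expected_readonly=("/",)) -> list:
    """Defender's view: list mount points that should be read-only but are
    not, plus any expected mount point that has no fstab entry at all."""
    entries = parse_fstab(text)
    problems = []
    for mountpoint in expected_readonly:
        entry = entries.get(mountpoint)
        if entry is None:
            problems.append(f"{mountpoint}: no fstab entry")
        elif "ro" not in entry["options"]:
            opts = ",".join(entry["options"])
            problems.append(f"{mountpoint}: mounted {opts}, expected ro")
    return problems

if __name__ == "__main__":
    for label, text in (("before", FSTAB_BEFORE), ("after", FSTAB_AFTER)):
        print(label, "root writable:", root_is_writable(text), audit_fstab(text) or "OK")
```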

STEP 4: INSTALLING SSH AND BSD WORLD

At this stage, you can crack shell on iPhone in the same way that you did
with 1.0.2. If you’re using a Mac, the easiest way is using the iPhone
SSH Installer for Mac, which can be found here:

For Mac:
http://iphone.natetrue.com/iPhone_SSH_Install_for_Mac.zip

1. Just run iPhoneMacSSHInstall.sh in that package and it will walk you through
an automated install of SSH:

sh iPhoneMacSSHInstall.sh

The new root password for v1.1.1 is ‘alpine’, once it’s finished:

ssh -l root iphone

Your SSH keys are likely to change, so if you get any errors about an
incorrect key, you can:

rm -f ~/.ssh/known_hosts

from your desktop’s home directory and try again.

2. Once you’re in, you will also want to install the BSD world. NerveGas has
built a new version of the BSD subsystem that doesn’t require libarmfp.
Download and extract the following files:

http://iphone.natetrue.com/BSD_Base-2.0.tar.gz
http://iphone.natetrue.com/BSD_Extra-2.0.tar.gz

tar -zvxf BSD_Base-2.0.tar.gz
tar -zvxf BSD_Extra-2.0.tar.gz

Change into each of these directories and run:

cd BSD_Base
scp -r * root@[IPHONE IP]:/
cd ../BSD_Extra
scp -r * root@[IPHONE IP]:/

For Windows:

1. Follow the instructions here:

http://cre.ations.net/blog/post/howto-install-ssh-on-your-iphone

NOTE: If you download Nate True’s iPhone SSH kit you will need to
grab iphoneinterface.exe from his latest iBrickr release to
actually make it work.

STEP 5: ACTIVATING WITH A NON-AT&T SIM

If you’re using an AT&T SIM that will activate through iTunes, skip this
step and just activate through iTunes.

To activate with a non-AT&T SIM, we’ll need to copy over that lockdownd
binary and activation certification we backed up when we were on v1.0.2
and do a little hackery, then copy the v1.1.1 lockdownd back when we’re done.

NOTE: In order for afc to start, you must BOOT the phone with
lockdownd v1.1.1, so do not reboot the phone during this process. If
you have no choice, copy lockdownd v1.1.1 back after, then reboot
again to make sure afc comes up.

1. Back up v1.1.1’s lockdownd:
cp /usr/libexec/lockdownd /var/root/lockdownd.1.1.1

Now overwrite the iPhone’s copy with your old v1.0.2 copy:
cp /var/root/lockdownd.1.0.2 /usr/libexec/lockdownd

And upload the certificate included in this distribution:
scp iPhoneActivation.pem root@[IPHONE IP]:/System/Library/Lockdown/

Now:
killall lockdownd

This will restart lockdownd with v1.0.2’s version

2. Download iASign from http://iphone.fiveforty.net/wiki/index.php/IASign

bunzip2 iASign-v0.2.tar.bz2
tar -xf iASign-v0.2.tar
cd iASign/bin

Overwrite iASign’s iPhoneActivation.pem with the one provided in this package
cp /path/to/1.1.1-jailbreak/iPhoneActivation.pem /path/to/iASign/bin/

Now run: ./iASign.mac --automatic iPhoneActivation_private.pem

After a while, it should complete and say “New State: Activated”, but it
doesn’t really work. Don’t worry, we’re almost there!

3. Now copy the v1.1.1 lockdownd back and restart it:

cp /var/root/lockdownd.1.1.1 /usr/libexec/lockdownd
killall lockdownd

4. Run iAsign once more:

./iASign.mac --automatic iPhoneActivation_private.pem

It should look like this:

Activating…

InvalidActivationRecord

New State: Unactivated

Don’t let iAsign fool you, the phone is now activated.

STEP 6: PATCHING SPRINGBOARD

The new version of SpringBoard has been hard-coded to allow only factory
applications to run. We’ve coded up a patcher that will fix this “bug”,
and back up your original SpringBoard app.

1. Upload the springpatch binary included with this distribution:

scp springpatch root@[IPHONE IP]:/usr/bin

Then log into your iPhone and run it:

$ springpatch

SpringBoard Patcher for iPhone v1.1.1
Brought to you by the iPhone Dev Team
Successfully patched /System/Library/CoreServices/SpringBoard.app/SpringBoard
Original backed up to:
/System/Library/CoreServices/SpringBoard.app/SpringBoard.original.
Please reboot your iPhone or kill springboard for changes to take effect.

If it exits successfully, you can now restart SpringBoard to enable third
party applications:

killall SpringBoard

2. You will need to list at least one application in:

/System/Library/CoreServices/SpringBoard.app/M68AP.plist

This is the new “DisplayOrder.plist”. The application MUST be placed just
before the MobileStore application. The reason for this is that MobileStore
is placed at the end of the Springboard to specifically hide other
applications. Adding at least one application appears to break free from
this.

For example, if you have installed NES.app, your M68AP.plist will be modified
to look like:

<dict>
<key>displayIdentifier</key>
<string>com.natetrue.iphone.nesapp</string>
</dict>
<dict>
<key>displayIdentifier</key>
<string>com.apple.MobileStore</string>
</dict>

STEP 7: CLEAN UP

You’ve now successfully jailbroken your iPhone and set up shop. Congratulations!

Before you can sync, you will need to remove the symlink you created:

rm /var/root/Media
mv /var/root/Media.old /var/root/Media

That’s it!

– iPhone/iTouch Dev Team
