Joz3d

macrumors member
Original poster
Jul 19, 2008
Hello,

I have received an iPhone 3GS that is running iOS 5.0.1. I'd like to upgrade it to iOS 5.1.1 (because I wanna see what iOS 5 was really about before going to 6). Is there a way for me to do this without jailbreaking?

I have the official 5.1.1 ipsw, but iTunes won't authenticate the shift+restore upgrade. If I run TinyUmbrella TSS server, it will pass but then error 1600, and if I run TSS server + iReb to enter PWNED DFU, I still get error 1600.

Is there any way to get around this and install 5.1.1 on this 3GS without actually jailbreaking, only using the official firmware? Thanks in advance for any help.

Model: MC125LL
iOS: 5.0.1 (9A405)
Carrier: AT&T 11.0
Modem Firmware: 05.16.05
 
There is no way to get an earlier version than the latest (6.1.4 or something) at this point. But, IMO, iOS 6 was better than 5 in every way, more refined, smoother, more features. You won't miss a thing when you skip 5.1.1 (and there's no way around that).

Just update to iOS 6 (and jailbreak). :)
 
Thank you very much for the answers.

So, if I have 5.0.1 on there right now, could I then save the SHSH, and put 4.x on there? Then later come back to 5.0.1? Or would I also need the SHSH for 4.x?

I remember on iPhone 3G just being able to swap iOS via DFU without any SHSH concern. Did the SHSH thing start with later iOS's or later iPhone models?
 
yes, you need SHSH blobs to go down to 4.x

if you currently don't have 5.0.1, you can make them by dumping them using ifaith (this only works for iphone 4 and under; ifaith is windows only). remember to keep a local copy of it

SHSH blobs were introduced starting with iOS 4.x (3.x to be more precise, I believe)
 
Interesting, thanks. Yes, I'm currently on 5.0.1, so I can save those SHSH blobs. I don't have them for 4.x, but what about the timeline on this page though. Am I understanding correctly, based on that page, that Apple is allowing 3GS installs of iOS 4.1?
 
oh yes, i had forgotten about that. apple is allowing 4.1 installs on the 3GS

before you downgrade to 4.1, make sure to dump your 5.0.1 blobs (it'll come with a .ifaith extension if you're using ifaith; i have never done one using redsn0w so no idea how that goes)
 
That is interesting. I'm very curious as to why they are allowing that? ...and then that specific version and not a more final iOS 4 version?

So, if I save those 5.0.1 blobs, I'll be fine for going back to 5.0.1, right? I understand that I'd save them with iFaith or redsn0w (TinyUmbrella?). What would the procedure be to re-install 5.0.1? Specifically, how do I insert those blobs back into the procedure after I have the 5.0.1 ipsw? TinyUmbrella TSS server, or do iFaith/redsn0w have a procedure for it?
 
no one knows why they decided to allow that version for the 3GS and the ipod touch 2nd gen

dump the 5.0.1 blobs using iFaith!

you can use iFaith, sn0wbreeze, or redsn0w to stitch the blobs back into the ipsw. put the device into PWNED DFU mode and make sure itunes is 11.0.5 or under

then shift + shift click restore with that custom ipsw
 
Excellent! It worked. I used mostly iFaith for everything, except iREB to get out of recovery loop after going down to 4.1. I tested it and am able to jump between iOS 4.1 (mysteriously still signed) and 5.0.1 (my shsh blobs). Then I should be able to upgrade it to 6 (last 3GS iOS supported).

This really helped me accomplish my goal. I've been on iOS 3.1.3 on an iPhone 3G for a very long time and wanted to experience the incremental progression of iOS. I'll spend a few weeks on each iOS (4/5/6) and then hopefully get a newer iPhone to become current on iOS 7. Your assistance darricksailo really helped me out and I am grateful to you! Thanks! Can I buy you a coffee or beer or something? :) And thanks also to the other initial respondents.
 
just so you're aware, you can get blobs for 4.1 and 6.1.3 (you don't have to dump them with ifaith since they're being signed)

and glad everything worked out fine
 
Thanks for the info, yes I noticed that in TinyUmbrella.

Hey, I found out that this 3GS I have has the Old Bootrom. Any advantage of having that for my situation? The second sentence here seems to convey that I don't even need Apple signatures? Could I then install any version of iOS 4 I'd like? Or iOS 5? It does say "however, newer versions of iOS require them" (shsh blobs), but which versions are "newer versions"? If you or anybody can clarify what's going on with this I'd appreciate it!
 
Advantages of old bootrom mean an untethered jailbreak for all versions

I guess newer versions are iOS 4.x and up
 
Actually, after doing more research and experimentation, you can indeed install any iOS version on an old bootrom 3GS without shsh blobs, utilizing the 24Kpwn exploit.

It must, however, be a custom IPSW created in redsn0w or sn0wbreeze, which patches the OS to not upgrade the baseband, but must also do some other patching related to iTunes signing? (I didn't have luck with sn0wbreeze, but did with redsn0w - I did NOT do the jailbreak)

Here's what worked for me on my old bootrom 3GS (I loaded iOS 4.3.3):

1. Create a custom IPSW from the stock IPSW using redsn0w.
2. Boot into DFU mode.
3. Enter PWNED DFU.
4. Shift+Restore custom IPSW.
 
hmm, that's interesting. iOS 4.x restores do require SHSH blobs but their process of restore is different than iOS 5+

you don't have to stitch the blobs into the 4.x ipsw; all you need to do is point your hosts file to cydia's server and if cydia has your 4.3.3 blobs, then the restore will go through (it doesn't even have to be a custom ipsw)
 
No, you don't stitch the blobs into the 4.3 IPSW (cause I don't have them). This is not specific to 4.x, it's the same story for 5.x and 6.x on the old bootrom 3GS. When you do the custom IPSW it patches the IPSW in some way to (I think) bypass signature checks - that's what I'm trying to find out (what the custom IPSW patches out of the official IPSW, because this does not work by simply pwn dfu-ing, editing hosts file, and restoring stock). The phone itself, however, is exploited to bypass shsh requirements through the 24Kpwn exploit. Matter of fact, after installing the custom 4.3.3 IPSW, I tried to download the blobs from it to see what would happen, and iFaith detects and explains that the phone is patched with 24Kpwn and therefore there are no blobs.

Here's the redsn0w message when creating the custom IPSW. Note the last line, which explains the different shsh blob requirement between the new and old bootrom 3GS.

3GSnoshsh.png
 
yes, you don't stitch blobs into a 4.x ipsw because the SHSH lookup is via cydia's server

it's not; the only difference between old bootrom and new bootrom 3GS is just whether it's untethered vs tethered. SHSH blobs are still needed, notice that the message says "If you have a newer mode, the IPSW will still require SHSH blobs"

the thing is that with 4.x restores, you can have the SHSH blob stitched in the ipsw or at cydia's server. that's not the case with 5.x+ restores because of the addition of APTickets

what the custom ipsw function in redsn0w does is make it so that your baseband doesn't get patched. if you're on a higher baseband than the version you want to downgrade to has, then it will throw an error and not allow you to complete the restore


hmm, that's interesting to find out. All 3GS devices should still require SHSH blobs. can you show the iFaith window?
 
For this restore, I don't know that it contacted cydia's server at all, because I didn't modify my hosts file for that, unless redsn0w does it while it's running and then changes it back when it's done, because currently it's not modified (after I did the restore). The last entry I have in there is a commented out localhost re-point from gs.apple.com.

When looking up 24Kpwn 3GS downgrading I found multiple sources stating that you don't need the SHSH blobs if you have the old bootrom (1, 2, 3, etc), and as far as I can tell, I proved this in my downgrade. The only mystery being why IPSW customization is needed (other than the baseband rejection you mentioned which makes sense), with one of those sources saying it needs to patch out the shsh requirement in the software via 24Kpwn. I'm just trying to figure out if that's what it does in addition to taking out the baseband.

I plan to do the same procedure to install 5.1.1 in a couple weeks, for which I already am running the appropriate baseband as this phone doesn't seem to have ever gone up past 5.0.1. At that point I could try to restore without customizing... but I think that's the only way to really apply the 24Kpwn...?

3GSnoshsh2.png
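
Added example, not part of the original thread or of any tool named in it: a small Python check for the hosts-file state described in the post above, reporting whether gs.apple.com is actively redirected or only has a commented-out entry. The function names and the sample hosts contents (including the placeholder address 203.0.113.10) are constructed for illustration.

```python
"""Added example: audit a hosts file for overrides of gs.apple.com."""
import ipaddress

SIGNING_HOST = "gs.apple.com"  # hostname named in the thread

# Constructed sample: only a commented-out localhost re-point, as the post describes.
SAMPLE_COMMENTED = """\
# constructed sample hosts file
127.0.0.1    localhost
::1          localhost
#127.0.0.1 gs.apple.com
"""
# Constructed sample: same file plus a live redirect. 203.0.113.10 is a
# documentation-range placeholder, not any real signing or caching server.
SAMPLE_ACTIVE = SAMPLE_COMMENTED + "203.0.113.10 GS.APPLE.COM  # placeholder\n"


def audit_hosts(text, host=SIGNING_HOST):
    """Return (line_no, state, address) for every entry naming `host`.

    state is "active" for a live mapping and "commented" for one disabled with '#'.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        commented = stripped.startswith("#")
        body = stripped.lstrip("#").split("#", 1)[0]  # drop markers and inline comment
        fields = body.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # an ordinary prose comment, not a hosts entry
        names = {name.lower().rstrip(".") for name in fields[1:]}
        if host.lower() in names:
            state = "commented" if commented else "active"
            findings.append((line_no, state, str(addr)))
    return findings


def effective_override(findings):
    """Return the first active entry (typically the one a resolver uses), or None."""
    for finding in findings:
        if finding[1] == "active":
            return finding
    return None


if __name__ == "__main__":
    for label, text in (("commented", SAMPLE_COMMENTED), ("active", SAMPLE_ACTIVE)):
        hit = effective_override(audit_hosts(text))
        print(label, "->", "no hosts override" if hit is None
              else f"redirected to {hit[2]} (line {hit[0]})")
```
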
 
hmm, that's very interesting! when you do update to 5.1.1, please let me know as I'm interested in what the results will be since iOS 5.x+ blobs include the addition of the APTicket
 
I've done it!

Stock 5.1.1 IPSW -> redsn0w custom IPSW -> DFU -> Pwned DFU -> iTunes Shift+Restore custom IPSW -> Done!

Works! :)
 
Wow! I had no idea you could do that. :eek:

I used to have a 3GS old bootrom and I wanted to downgrade from iOS 6 to iOS 5 but I kept getting told it was impossible without shsh blobs. :(
 
Yeah, seems to be some confusion out there about this.

Now the next thing I'm wondering about is upgrading to iOS 6 (in a month). I can obviously just legitimately upgrade to 6 since that's the last one the 3GS supports... but I'm wondering if I should instead do a custom IPSW for that one in order to not upgrade the baseband version? Would it matter if I let the official path upgrade the baseband? It currently has 05.16.05 on it, and looks like iOS 6 will upgrade it to 05.16.08. Would that in any way affect re-installing old iOS versions?

Conversely, would not upgrading the baseband and installing custom iOS 6 cause any sort of trouble in iOS 6 with using an older baseband?
 