
Rbai63

macrumors member
Original poster
Nov 24, 2010
41
0
My friend has a new iPhone 4 on 4.2.1 FW and it seems that the tutorials online don't work unless you have an SSH saved from when you were at 4.1.

On Craigslist there are ads saying that they can jailbreak a 4.2.1 iPhone and that they will downgrade if necessary. Do they have a different method of doing it or downgrading?

Thanks
 

iAd4m

macrumors member
Dec 10, 2010
57
0
The facts as I understand them:

- You can't downgrade from 4.2.1 unless you have your 4.1 SHSH blobs saved.
- 4.2.1 can be successfully jailbroken, but tethered.
For untethered there is currently a beta test going for Mac users; it has bugs and requires your 4.2b3 beta SHSH to do it.
So better stay away from it for now and wait however long it takes until it reaches a final stage. There is also another jailbreak method in the works from comex which will not require past blobs, but it has been delayed.

Bottom line?
Stay away from the Craigslist people. They either want to scam you or get your money to do a tethered jailbreak you can easily do for free yourself.
 

Applejuiced

macrumors Westmere
Apr 16, 2008
40,672
6,533
At the iPhone hacks section.
Rbai63 said:
My friend has a new iPhone 4 on 4.2.1 FW and it seems that the tutorials online don't work unless you have an SSH saved from when you were at 4.1.

On Craigslist there are ads saying that they can jailbreak a 4.2.1 iPhone and that they will downgrade if necessary. Do they have a different method of doing it or downgrading?

Thanks

No, simply without SHSH's it cannot be downgraded.
Those Craigslist guys just use the same tools everyone else is using from The Dev Team.
 

NathanA

macrumors 6502a
Feb 9, 2008
739
16
Actually, I believe that with the release of the limera1n exploit that all jailbreak tools are using nowadays for the newer phone models (3GS *and* 4), this is now possible. Now, I have never tried this, but based on my understanding of the way that limera1n works, in theory you should be able to.

The trick is that limera1n is an exploit against the bootrom, which is fixed in hardware at the time of manufacture. So it is much like the 24kpwn exploit that the iPod touch 2G and OLDER iPhone 3GSes are vulnerable to: they are "pwned for life," and with limera1n, so are the iPod touch 3G and 4G, iPhone 4, and NEWER iPhone 3GSes.

The last time this happened (with 24kpwn), Apple updated the bootrom in the 3GS mid-production-cycle and closed the hole. So the 3GS models released before mid-October last year are all "pwned for life," while ones sold after that date were not (at least until limera1n came out this year), and this has nothing to do with SHSH collection. So far, nobody has seen any indications that Apple has attempted the same kind of thing to prevent limera1n from working with the newest iPhone 4s coming off the assembly line nowadays, but the precedent was set last year with the 3GS, so it would not surprise me if they tried it at some future date.

Anyway, in theory, to do a downgrade to 4.1 on a phone that you don't have 4.1 SHSHs for, though, you can't use the stock Apple 4.1 IPSW. You would have to build a custom/pre-jailbroken 4.1 IPSW using either PwnageTool (Mac) or sn0wbreeze (Windows). Once it is built, you can then use redsn0w to run the limera1n exploit against the phone while the phone is in DFU mode. Once the exploit has been run, you should be able to just go into iTunes and restore the custom IPSW you made earlier to the phone, and voila: the phone is now downgraded AND jailbroken.

Now, keep in mind that this will not downgrade the 3G modem chipset's baseband/firmware. It will still be stuck running version 03.10.01, which came with 4.2.1 and which is not currently unlockable using ultrasn0w. So you can downgrade to 4.1 and use an untethered jailbreak on a brand-new iPhone 4 that comes with 4.2.1, but you won't be able to soft-unlock it.

Hope this helps,

-- Nathan
 

Applejuiced

macrumors Westmere
Apr 16, 2008
40,672
6,533
At the iPhone hacks section.
NathanA said:
Actually, I believe that with the release of the limera1n exploit that all jailbreak tools are using nowadays for the newer phone models (3GS *and* 4), this is now possible. Now, I have never tried this, but based on my understanding of the way that limera1n works, in theory you should be able to.

The trick is that limera1n is an exploit against the bootrom, which is fixed in hardware at the time of manufacture. So it is much like the 24kpwn exploit that the iPod touch 2G and OLDER iPhone 3GSes are vulnerable to: they are "pwned for life," and with limera1n, so are the iPod touch 3G and 4G, iPhone 4, and NEWER iPhone 3GSes.

The last time this happened (with 24kpwn), Apple updated the bootrom in the 3GS mid-production-cycle and closed the hole. So the 3GS models released before mid-October last year are all "pwned for life," while ones sold after that date were not (at least until limera1n came out this year), and this has nothing to do with SHSH collection. So far, nobody has seen any indications that Apple has attempted the same kind of thing to prevent limera1n from working with the newest iPhone 4s coming off the assembly line nowadays, but the precedent was set last year with the 3GS, so it would not surprise me if they tried it at some future date.

Anyway, in theory, to do a downgrade to 4.1 on a phone that you don't have 4.1 SHSHs for, though, you can't use the stock Apple 4.1 IPSW. You would have to build a custom/pre-jailbroken 4.1 IPSW using either PwnageTool (Mac) or sn0wbreeze (Windows). Once it is built, you can then use redsn0w to run the limera1n exploit against the phone while the phone is in DFU mode. Once the exploit has been run, you should be able to just go into iTunes and restore the custom IPSW you made earlier to the phone, and voila: the phone is now downgraded AND jailbroken.

Now, keep in mind that this will not downgrade the 3G modem chipset's baseband/firmware. It will still be stuck running version 03.10.01, which came with 4.2.1 and which is not currently unlockable using ultrasn0w. So you can downgrade to 4.1 and use an untethered jailbreak on a brand-new iPhone 4 that comes with 4.2.1, but you won't be able to soft-unlock it.

Hope this helps,

-- Nathan

That's false.
Even with a custom firmware built with pwnage or snowbreeze you will NOT be able to downgrade your firmware without SHSH's at the moment.
Hopefully in the future we will have more options; currently we don't.
 

NathanA

macrumors 6502a
Feb 9, 2008
739
16
Applejuiced said:
That's false.
Even with a custom firmware built with pwnage or snowbreeze you will NOT be able to downgrade your firmware without SHSH's at the moment.
Hopefully in the future we will have more options; currently we don't.

I believe it will work, although again I admit that I haven't tried it. I will do so in the next day or so and report my results.

I can't think of a reason why this shouldn't work. You don't need SHSHs to restore custom IPSWs. The contents of the IPSW (bootloader files, installation ramdisk, and main disk image) are all decrypted by PwnageTool/sn0wbreeze before being patched up and reassembled, and the bootloader is patched up by PT to not sigcheck things down the chain, so it simply shouldn't care about the lack of SHSHs.

-- Nathan
 

Applejuiced

macrumors Westmere
Apr 16, 2008
40,672
6,533
At the iPhone hacks section.
NathanA said:
I believe it will work, although again I admit that I haven't tried it. I will do so in the next day or so and report my results.

I can't think of a reason why this shouldn't work. You don't need SHSHs to restore custom IPSWs. The contents of the IPSW (bootloader files, installation ramdisk, and main disk image) are all decrypted by PwnageTool/sn0wbreeze before being patched up and reassembled, and the bootloader is patched up by PT to not sigcheck things down the chain, so it simply shouldn't care about the lack of SHSHs.

-- Nathan


It won't work, but give it a shot anyway to see for yourself.
 

noiceT

macrumors 6502a
Jul 7, 2008
549
70
Catalina Wine Mixer
NathanA said:
I believe it will work, although again I admit that I haven't tried it. I will do so in the next day or so and report my results.

I can't think of a reason why this shouldn't work. You don't need SHSHs to restore custom IPSWs. The contents of the IPSW (bootloader files, installation ramdisk, and main disk image) are all decrypted by PwnageTool/sn0wbreeze before being patched up and reassembled, and the bootloader is patched up by PT to not sigcheck things down the chain, so it simply shouldn't care about the lack of SHSHs.

-- Nathan

Please report back, I'm curious to see what you find out regardless if it works or not.
 

NathanA

macrumors 6502a
Feb 9, 2008
739
16
A spot in the Dev Team:D

LOL...trust me, I'm nowhere near their caliber. :) Not even close. Besides, I doubt that privilege is yours to give. ;)

Applejuiced said:
If we could all downgrade with custom ipsw's then why bother with shshs at all?

Because if this works, it will be a relatively new phenomenon. SHSH signing was introduced by Apple with the 3GS. The 3GS didn't ever really have a "once pwned, always pwned" exploit that existed for it over the course of its production life with an easy point of injection (24kpwn is in early-bootrom 3GSes, but redsn0w relied upon the USB security hole that existed in iOS 3.0's iBoot to get exploitative code into the system...as I recall, you didn't have to DFU to install a custom IPSW on 3GS), unlike iPhone and iPhone 3G which had the DFU-based "Pwnage" exploit. limera1n is more like Pwnage than 24kpwn, is my understanding.

While I was typing this out, though, I had a short Twitter convo with MuscleNerd, and it turns out that we were both kind of right. :) You can do what I suspected you can do: downgrade to 4.1 using custom IPSW + limera1n exploit, without SHSH hashes for 4.1. However, the SHSHs are still needed...for it to be UNtethered. You can apparently downgrade to 4.1 without SHSHs, but it will be tethered boot only, much like the current 4.2.1 jailbreak. So for those that want to downgrade to 4.1 and don't have SHSHs, I guess there's really not much point.

(For limera1n-based 'sploits, the untethering bit is apparently handled after SHSHs have been checked by the OS, so as of limera1n-based versions of PwnageTool, the custom IPSWs apparently DO cause iTunes to go out and collect hashes, which is different from the way it was before.)

http://twitter.com/MuscleNerd/status/19906571546927104
http://twitter.com/MuscleNerd/status/19912981357797376

-- Nathan
 

scirica

macrumors 68020
May 13, 2008
2,070
3
Dallas, TX
NathanA said:
LOL...trust me, I'm nowhere near their caliber. :) Not even close. Besides, I doubt that privilege is yours to give. ;)



Because if this works, it will be a relatively new phenomenon. SHSH signing was introduced by Apple with the 3GS. The 3GS didn't ever really have a "once pwned, always pwned" exploit that existed for it over the course of its production life with an easy point of injection (24kpwn is in early-bootrom 3GSes, but redsn0w relied upon the USB security hole that existed in iOS 3.0's iBoot to get exploitative code into the system...as I recall, you didn't have to DFU to install a custom IPSW on 3GS), unlike iPhone and iPhone 3G which had the DFU-based "Pwnage" exploit. limera1n is more like Pwnage than 24kpwn, is my understanding.

While I was typing this out, though, I had a short Twitter convo with MuscleNerd, and it turns out that we were both kind of right. :) You can do what I suspected you can do: downgrade to 4.1 using custom IPSW + limera1n exploit, without SHSH hashes for 4.1. However, the SHSHs are still needed...for it to be UNtethered. You can apparently downgrade to 4.1 without SHSHs, but it will be tethered boot only, much like the current 4.2.1 jailbreak. So for those that want to downgrade to 4.1 and don't have SHSHs, I guess there's really not much point.

(For limera1n-based 'sploits, the untethering bit is apparently handled after SHSHs have been checked by the OS, so as of limera1n-based versions of PwnageTool, the custom IPSWs apparently DO cause iTunes to go out and collect hashes, which is different from the way it was before.)

http://twitter.com/MuscleNerd/status/19906571546927104
http://twitter.com/MuscleNerd/status/19912981357797376

-- Nathan

Nathan you are way out of your knowledge zone here. I believe you are doing more potential damage than good. Keep to things you know first hand from experience. Not bashing, just saying there is enough speculation and misinformation out there already.
 

NathanA

macrumors 6502a
Feb 9, 2008
739
16
scirica said:
Nathan you are way out of your knowledge zone here. I believe you are doing more potential damage than good. Keep to things you know first hand from experience. Not bashing, just saying there is enough speculation and misinformation out there already.

Not quite sure I follow you...if you were to look at my past posting history regarding help with jailbreak topics, I think you will see that I avoid *dangerous* speculation and go to great lengths to make sure that any instructions that I do give are disclosed with step-by-step clarity.

In this instance, I don't see what the harm was in speculating about a possible downgrade option that doesn't use SHSHs. We are talking about brand-new phones that people are buying that already came with 4.2.1 and cannot be downgraded because of lack of SHSHs. If someone were to have read my speculation and tried it, and it didn't work, the worst that could have happened is that they would have needed to restore back to 4.2.1, which means they would be back at the exact same point they started from. Nothing risked or lost, except for an hour of one's time.

-- Nathan
 

lucifiel

macrumors 6502a
Nov 7, 2009
982
2
In your basement
All the literature up to this point has been contra to what you're suggesting, NathanA, and so, it'd be nice if you could fashion some sort of method to demonstrate your theory, because every other source, including the Dev Team itself, suggests that your theory cannot work.

If, however, you can pull it off (and I reserve my doubts), you will be loved and adored by all JB-ers.
 

Obeece

macrumors newbie
Dec 28, 2010
3
0
http://www.felixbruns.de/iPod/firmware/

Is the method described on the top of this web page legitimate? Has anyone tried this method before? Sorry if this is a noobie question, I'm new to jail breaking and trying to learn. I'm stuck with the damn 4.2.1 and am trying to downgrade my iphone4.
 

NathanA

macrumors 6502a
Feb 9, 2008
739
16
lucifiel said:
All the literature up to this point has been contra to what you're suggesting, NathanA, and so, it'd be nice if you could fashion some sort of method to demonstrate your theory, because every other source, including the Dev Team itself, suggests that your theory cannot work.

If, however, you can pull it off (and I reserve my doubts), you will be loved and adored by all JB-ers.

You didn't read all of the posts, or at least you didn't read them very carefully. As I said two replies up (with Twitter links/sources included), I had a convo with MuscleNerd where he indicated it is technically possible but is essentially a useless option because if you downgrade this way without SHSHs, then your jailbreak on 4.1 will be TETHERED. So there's no point in trying this vs. just using 4.2.1 tethered (or unjailbroken, if you feel like waiting for the untether).

So the case on this is closed. It could be done, but why bother if it would be tethered, too?

-- Nathan
 

lucifiel

macrumors 6502a
Nov 7, 2009
982
2
In your basement
NathanA said:
You didn't read all of the posts, or at least you didn't read them very carefully. As I said two replies up (with Twitter links/sources included), I had a convo with MuscleNerd where he indicated it is technically possible but is essentially a useless option because if you downgrade this way without SHSHs, then your jailbreak on 4.1 will be TETHERED. So there's no point in trying this vs. just using 4.2.1 tethered (or unjailbroken, if you feel like waiting for the untether).

So the case on this is closed. It could be done, but why bother if it would be tethered, too?

-- Nathan

Ahh, fair enough. My mistake, I do ever so hate reading twitter things. Well goodo then. So the end result is, it works, but why the hell would you want to.
 

Obeece

macrumors newbie
Dec 28, 2010
3
0
Can someone knowledgeable on the subject of my previous post please respond so I do not need to make a separate thread with the same topic? Thanks.
 

NathanA

macrumors 6502a
Feb 9, 2008
739
16
Obeece said:
Is the method described on the top of this web page legitimate? Has anyone tried this method before?

The "Shift-Restore" (Windows) / "Option-Restore" (Mac) option has existed in iTunes for a while. The problem is that starting with the 3GS, Apple engineered it so that to install any version of iOS on an iDevice, Apple has to sign off on it first.

So you can Shift-Restore all you want using official Apple firmware, and iTunes will merrily bring up the "choose your firmware file" dialog box and then start cranking away, but Apple's TSS server won't sign off on it, so the end result is that iTunes will throw up an error in the middle of the restore if you try to downgrade to 4.1 this way.

If you're stuck on 4.2.1 on a 3GS or newer device, it sounds like you're going to have to wait for an untethered jailbreak to be released. No (useful) downgrade option without SHSHs exists.

-- Nathan

EDIT: Also, to be clear, the "method" described on the felixbruns page isn't specifically talking about downgrading. True, you could use it to downgrade if Apple didn't add the additional checks that they did within the last year-and-a-half. But those instructions at the top of the page you linked to aren't for "downgrading."
 

Obeece

macrumors newbie
Dec 28, 2010
3
0
Thank you, Nathan. I'm also curious about another thing. When this untethered jailbreak is released, will it be available from jailbreakme.com? I've read up on this method and it seems to be the one that would be easiest for me to understand.
 

NathanA

macrumors 6502a
Feb 9, 2008
739
16
Obeece said:
Thank you, Nathan. I'm also curious about another thing. When this untethered jailbreak is released, will it be available from jailbreakme.com? I've read up on this method and it seems to be the one that would be easiest for me to understand.

Unlikely, but who knows. Jailbreakme.com, for now, is defunct. The jailbreak from that site only works on 4.0.1 or below, and it takes advantage of a bug/security vulnerability in Safari that Apple fixed in 4.0.2.

If comex or somebody else finds another Safari vulnerability that can be used to install a jailbreak, jailbreakme.com might make a third comeback (it was originally used for a web-based jailbreak back in the 1.x firmware days), but from the sounds of it, that is not where they are concentrating their efforts these days.

-- Nathan
 

jinx1000

macrumors member
Jul 12, 2010
71
0
Could you use your method to downgrade to 4.0.1 and then jailbreak using jailbreakme.com? Or would this require hashes as well?
 

NathanA

macrumors 6502a
Feb 9, 2008
739
16
jinx1000 said:
Could you use your method to downgrade to 4.0.1 and then jailbreak using jailbreakme.com? Or would this require hashes as well?

There is no version of PwnageTool that can construct custom IPSWs for iPhone 4 running 4.0.x. (limera1n wasn't released until after 4.1 came out.) So, no. (Also, a custom IPSW would be pre-jailbroken, so I don't understand where you think jailbreakme.com would come into the picture.) Even if there was such an animal, SHSHs for 4.0.x would still be required in order for it to boot untethered.

jailbreakme.com and 4.0.x are dead-ends. Sadly, you are going to have to either be satisfied with a tethered jailbreak for now, or run unjailbroken until the kinks with 4.2.1 are worked out.

-- Nathan
 

jinx1000

macrumors member
Jul 12, 2010
71
0
lol. Shows how little I know.
I assumed limera1n, and therefore PwnageTool, worked on every version of iOS since it is advertised as jailbroken for life.
I didn't realize that once a phone was reverted to a newer firmware with one jailbreak you couldn't rejailbreak it with another jailbreak.

Thanks for the info. I just had the idea when reading this. I have pretty much all of the iPhone 4 SHSH's.
 