"OFFICIAL"public iPhone 1.1.1 Jailbreak Activation APPS...

Discussion in 'Jailbreaks and iOS Hacks' started by skygear, Oct 10, 2007.

  1. skygear macrumors newbie

    Sep 22, 2007
    O hai
    before u read it, read this:

    The following instructions CAN NOT be used by those who have unlocked
    their iPhones qith iUnlock or anySIM. Apple has designed the 1.1.1 upgrade to permanently brick
    iPhones that have had their baseband modified to unlock the SIM.

    ok, so what works - jailbreaking, springboard patching
    activation is a bit messy for noobs.

    also some probs may accures on windows, or may not.

    files located are http://tinyurl.com/254sse

    read README very carefull.

    good luck

    short Q/A

    Q: will it allow to make calls ?
    A: No

    Q: what it will be after activating?
    A: it will be like ipod touch.

    - iphone dev team.

    iPhone Dev Team announces public iPhone 1.1.1 Jailbreak
    Posted Oct 10th 2007 6:00PM by Erica Sadun
    Filed under: iPod Family, Cool tools, Hacks, How-tos, iPhone

    Want to jailbreak your 1.1.1 iPhone so you can access all its files and install third party apps? Don't want to wait for Niacin's patch to leave beta? Here's a published method direct from the team. It may look similar to the iPhone Alley hack that is making the rounds but this isn't a derivative or leaked guide. This hack provides jailbreak, activation, and third party applications. The iPhone Alley hack is a actually copy of an early team method that someone leaked.

    So does that mean this will be more reliable or a better version? Not necessarily. However, the guys have been working hard on this for quite some time and they are pretty confident about their method.

    The hack applies only to the iPhone at this time and is not meant for iPhones with modified basebands. An iPod touch jailbreak will be published at a later date. For the actual hack procedure, check out this zip file (mirror here). You'll find detailed instructions on:

    Downgrading to 1.0.2 (if necessary)
    Preparing the iPhone for a jailbroken update
    Performing a software update, leaving you with a jailbroken v1.1.1
    Forcing v1.1.1 to mount read-write so you can access it
    Installing SSH and BSD world
    Activating with a Non-ATT SIM
    Patching SpringBoard to allow third-party applications

    Jailbreak for iPhone v1.1.1
    By NerveGas, Pumpkin, Edgan, drudge, dinopio, asap18
    NO THANKS to Niacin: Get some help dude


    The iPhone Dev Team disclaims any liability of damage to your iPhone as a
    result of following these instructions. While the instructions listed here
    are believed to be safe and accurate, there is always a possibility that
    your iPhone could be permanently damaged.


    The following instructions CAN NOT be used by those who have unlocked
    their iPhones. Apple has designed the 1.1.1 upgrade to permanently brick
    iPhones that have had their baseband modified to unlock the SIM.



    Jailbreaking iPhone software v1.1.1 is an involved process, but can be
    accomplished with the documentation here. The following steps will be
    explained in-depth. Please read them thoroughly before proceeding.

    0. Downgrading to 1.0.2 (if necessary)
    1. Preparing the iPhone for a jailbroken update
    2. Performing a software update, leaving you with a jailbroken v1.1.1
    3. Forcing v1.1.1 to mount read-write so you can access it
    4. Installing SSH and BSD world
    5. Activating with a Non-ATT SIM
    6. Patching SpringBoard to allow third-party applications
    7. Clean-up


    Certain steps must be run prior to upgrading to v1.1.1. If you have already
    upgraded to v1.1.1, follow these steps to downgrade back to v1.0.2.

    1. Make sure you have a copy of the v1.0.2 firmware handy. It can be downloaded
    here: http://appldnld.apple.com.edgesuite...70821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw

    2. With the iPhone turned on, hold down the POWER and HOME buttons
    simultaneously for ten seconds (until the screen goes dark). Then release
    POWER while CONTINUING TO HOLD DOWN HOME for another 15 seconds.

    At this stage, the iPhone WILL APPEAR TO BE POWERED DOWN, but it is actually
    in a special type of recovery mode allowing software downgrades. If you
    see the "Connect to iTunes" icon, you've placed the phone into the wrong
    recovery mode, and will need to try again.

    3. While continuing to hold HOME, launch iTunes. You should be prompted to
    restore your iPhone. If your iPhone instead boots up, then you powered it
    down instead of putting it into downgrade mode, so give step 2 another try.

    Once iTunes is up, you can now release HOME. You will be prompted to
    restore your iPhone (if you are not, try step 2 again). Hold down the
    OPTION key (or SHIFT if you're running Windows) and click RESTORE.
    You will then be prompted with a file selection window allowing you to
    select a firmware file. Select the 'iPhone1,1_1.0.2_1C28_Restore.ipsw'
    file you downloaded in step 1, and begin the restore.

    4. After the restore is complete, you'll be told that the process failed, and
    the iPhone will be in recovery mode. This is normal. Grab a copy of
    NullRiver's Installer.app from http://iphone.nullriver.com/beta/ and
    attempt to install the Installer.app. This will cause your phone to boot
    again, however the installation of Installer.app will fail (it's OK).

    5. Congratulations, you're now back at 1.0.2. You'll need to get shell access
    to move onto the next step. Since you have Installer.app right there,
    just run the installer again. This time it should succeed. Now activate.

    Drudge has prepared a package called Trip1Prepz, which is designed
    for people having to downgrade. It will perform all the necessary
    preparations from STEP 1 without needing to set SSH back up, etcetera.

    After Installer.app has been installed, go to this URL in Safari:

    This will prompt you to add a community source to Installer. Once you've
    done this, you should see Trip1Prepz listed as a package. BEFORE
    INSTALLING IT, connect to iTunes, and ensure that you have an 'update' or
    'check for updates' button. This is important, because once you install
    Trip1Prepz, iTunes will no longer give you an option to update, but
    only restore.

    Once you're up in iTunes, stay connected and install Trip1Prepz from


    Alternatively, if you don't want to use Trip1Prepz, you'll need to
    get going again with SSH and BSD world. This method will require that you
    DO execute the preparation steps in step 1.

    To do it this way, use Installer.app and install the "Community Sources"
    package. This will add the "OpenSSH" package to the installer manifest.
    Now install BSD Subsystem then OpenSSH and you should be able to get back
    into your iPhone (root password is dottie). You'll also want to add
    BSD Subsystem. Now move onto the steps below (do not skip them in this case).


    NOTE: This step requires you to be at iPhone software v1.0.2. If you are
    not, please see STEP 0: DOWNGRATING TO 1.0.2 before proceeding.

    Before upgrading to v1.1.1, some preparations must be made. The v1.1.1
    update re-jails the iPhone. We're going to use a little hack which will
    keep 1.1.1 from being able to jail once you upgrade.

    The way this hack works is this: An "update" in iTunes is unlike a "restore",
    in that the /private/var partition is preserved. The iPhone jails itself
    to /private/var/root/Media. We're going to move Media out of the way and
    replace it with a symlink to /. This fools v1.1.1 into jailing to /, which
    really is no jail at all. This will allow us to access the root filesystem,
    which we're going to throw into read-write mode later on.

    1. Connect the iPhone to iTunes! It is critical that iTunes already
    recognize your phone and that you have the "update" button available to you
    BEFORE making the changes below. This is because executing the steps below
    will otherwise cause iTunes to go into recovery mode, which will NOT WORK
    with this jailbreak. Open iTunes, and if you have a "Check for Updates"
    button, click it. You will be prompted to upgrade to 1.1.1. Tell iTunes
    to "Download Only"; DO NOT click "Download and Install".

    Once you see the "update" button, DONT CLICK IT, but continue to step 2.

    2. While still connected to iTunes, SSH into your iPhone while still at
    version 1.0.2. If you don't have SSH set up, see STEP 0's steps four and
    five to install OpenSSH.

    Now execute the following commands:

    mv /var/root/Media /var/root/Media.old
    ln -s / /var/root/Media

    Your Media folders should now look like this:

    lrwxr-xr-x 1 root wheel 1 Oct 10 12:06 Media -> /
    drwxr-x--- 7 root wheel 272 Oct 10 10:51 Media.old

    If it doesn't look like this, try again.

    3. If you plan on activating later using a Non-AT&T SIM (or without iTunes),
    you'll want to back up your existing copy of the lockdownd binary
    (we'll use these later)...

    cp /usr/libexec/lockdownd /var/root/lockdownd.1.0.2


    Now that you've symlinked Media -> /, you are ready to perform an update to
    1.1.1. This MUST BE DONE WITH THE UPDATE BUTTON, and NOT the restore button.
    The update process preserves your /private/var partition, while the restore
    blows it away (which will just re-jail you).

    Click the UPDATE button in iTunes, and upgrade to 1.1.1

    If you didn't listen and shut iTunes, you may no longer have an update button.
    If this is the case, you'll need to delete the symlink, put Media back,
    start iTunes, then repeat STEP 1 again.


    If you've followed the steps properly, your iPhone should now be jailbroken, but
    not yet writable. To confirm this, shut down iTunes and use iPHUC to connect
    to the iPhone. Run 'ls' and you should see the root folders (Applications,
    System, etc). If you see iTunes_Control, then you've botched a step and
    will need to start over at STEP 0.

    Forcing read-write mode involves overwriting the part of the disk partition that
    contains /etc/fstab. This is done by writing to /dev/rdisk0s1. The included
    iphuc-jailbreak code supports a command called "putjailbreak" which does this.
    After we overwrite the disk, we'll reboot and the iPhone will be mounted in

    1. Run iphuc:

    Make sure iTunes is closed
    killall iTunesHelper

    - If you are on OSX/Intel: ./iphuc-jailbreak.osx
    - If you are on OSX/PPC: ./iphuc-jailbreak.ppc
    - If you are on Windows: ./iphuc-jailbreak.exe

    NOTE: If you are using Windows, you'll need to grab an existing iPHUC
    distribution to get all the remaining files

    2. You should now be connected to your iPhone. Test this by running 'ls', and
    make sure you see 'dev' among the list of directories. If you see
    iTunes_Control, then you haven't jailbroken properly and will need to start
    again from STEP 0.

    3. We are now going to overwrite part of the disk partition with our payload
    using the 2K file included in this distribution called rdisk0s1.
    In iphuc, execute this command:

    putjailbreak rdisk0s1 /dev/rdisk0s1

    4. The upload should be relatively quick. Once finished, reboot your iPhone.
    You're now in read-write mode, and jail broken! You can test this by
    connecting again with iphuc after rebooting and running:

    getfile /etc/fstab fstab

    Open the file, and you should see the options for / to be 'rw' instead of
    'ro'. If you still see 'ro', then something's gone wrong, try repeating
    from step three.


    At this stage, you can crack shell on iPhone in the same way that you did
    with 1.0.2. If you're using a Mac, the easiest way is using the iPhone
    SSH Installer for Mac, which can be found here:

    For Mac:

    1. Just run iPhoneMacSSHInstall.sh in that package and it will walk you through
    an automated install of SSH:

    sh iPhoneMacSSHInstall.sh

    The new root password for v1.1.1 is 'alpine', once it's finished:

    ssh -l root iphone

    Your SSH keys are likely to change, so if you get any errors about an
    incorrect key, you can:

    rm -f ~/.ssh/known_hosts

    from your desktop's home directory and try again.

    2. Once you're in, you will also want to install the BSD world. NerveGas has
    built a new version of the BSD subsystem that doesn't require libarmfp.
    Download and extract the following files:


    tar -zvxf BSD_Base-2.0.tar.gz
    tar -zvxf BSD_Extra-2.0.tar.gz

    Change into each of these directories and run:

    cd BSD_Base
    scp -r * root@[IPHONE IP]:/
    cd ../BSD_Extra
    scp -r * root@[IPHONE IP]:/

    For Windows:

    1. Follow the instructions here:

    NOTE: If you download Nate True's iPhone SSH kit you will need to
    grab iphoneinterface.exe from his latest iBrickr release to
    actually make it work.


    If you're using an AT&T SIM that will activate through iTunes, skip this
    step and just activate through iTunes.

    To activate with a non-AT&T SIM, we'll need to copy over that lockdownd
    binary and activation certification we backed up when we were on v1.0.2
    and do a little hackery, then copy the v1.1.1 lockdownd back when we're done.

    NOTE: In order for afc to start, you must BOOT the phone with
    lockdownd v1.1.1, so do not reboot the phone during this process. If
    you have no choice, copy lockdownd v1.1.1 back after, then reboot
    again to make sure afc comes up.

    1. Back up v1.1.1's lockdownd:
    cp /usr/libexec/lockdownd /var/root/lockdownd.1.1.1

    Now overwrite the iPhone's copy with your old v1.0.2 copy:
    cp /var/root/lockdownd.1.0.2 /usr/libexec/lockdownd

    And upload the certificate included in this distribution:
    scp iPhoneActivation.pem root@[IPHONE IP]:/System/Library/Lockdown/

    killall lockdownd

    This will restart lockdownd with v1.0.2's version

    2. Download iASign from http://iphone.fiveforty.net/wiki/index.php/IASign

    bunzip2 iASign-v0.2.tar.bz2
    tar -xf iASign-v0.2.tar
    cd iASign/bin

    Overwrite iASign's iPhoneActivation.pem with the one provided in this package
    cp /path/to/1.1.1-jailbreak/iPhoneActivation.pem /path/to/iASign/bin/

    Now run: ./iASign.mac --automatic iPhoneActivation_private.pem

    After a while, it should complete and say "New State: Activated", but it
    doesn't really work. Don't worry, we're almost there!

    3. Now copy the v1.1.1 lockdownd back and restart it:

    cp /var/root/lockdownd.1.1.1 /usr/libexec/lockdownd
    killall lockdownd

    4. Run iAsign once more:

    ./iASign.mac --automatic iPhoneActivation_private.pem

    It should look like this:
    New State: Unactivated

    Don't let iAsign fool you, the phone is now activated.


    The new version of SpringBoard has been hard-coded to allow only factory
    applications to run. We've coded up a patcher that will fix this "bug",
    and back up your original SpringBoard app.

    1. Upload the springpatch binary included with this distribution:

    scp springpatch root@[IPHONE IP]:/usr/bin

    Then low into your iPhone and run it:

    $ springpatch

    SpringBoard Patcher for iPhone v1.1.1
    Brought to you by the iPhone Dev Team
    Successfully patched /System/Library/CoreServices/SpringBoard.app/SpringBoard
    Original backed up to:
    Please reboot your iPhone or kill springboard for changes to take effect.

    If it exits successfully, you can now restart SpringBoard to enable third
    party applications:

    killall SpringBoard

    2. You will need to list at least one application in:


    This is the new "DisplayOrder.plist". The application MUST be placed just
    before the MobileStore application. The reason for this is that MobileStore
    is placed at the end of the Springboard to specifically hide other
    applications. Adding at least one application appears to break free from

    For example, if you have installed NES.app, your M68AP.plist will be modified
    to look like:



    You've now successfully jailbroken your iPhone and set up shop. Congratulations!

    Before you can sync, you will need to remove the symlink you created:

    rm /var/root/Media
    mv /var/root/Media.old /var/root/Media

    That's it!

    - iPhone/iTouch Dev Team
  2. mcdj macrumors G3


    Jul 10, 2007
    Is there some difference between this post and the eleventy seven other posts today about the same thing?
  3. skygear thread starter macrumors newbie

    Sep 22, 2007
    are you serious ... i had no idea and i even looked over a few pages sh@t
  4. mcdj macrumors G3


    Jul 10, 2007
    Ok sorry, maybe it's not the same, but similar enough that it could have gone under your previous post, "iPhone v1.1.1 Jailbreak & AppTapp Installation Guide".

    IMO, a new thread would be warranted when there's a GUI release for us terminal tards.
  5. skygear thread starter macrumors newbie

    Sep 22, 2007
    well theres the leaked one... my first one..... and the OFFICIAL one ..... if i could erase the header of the other thread and put this one in i would .... but you cant change the titles only a mod can...... mod please change the title of the other thread of mine and i will update it to these instructions.....
  6. hromog macrumors newbie

    Oct 11, 2007
    Help! Stalled...

    I was doing the jailbreak on my 1.0.2, I updated, It was ALL PERFECT, It activated, THEN I arrived to STEP 6, I performed everything accordingly and when I used "killall springboard"... It DeActivated!!!!! And cant do anything!!!..

    HELP!! :confused:
  7. alnk1015 macrumors newbie

    Sep 6, 2007
    how do i find the iphone IP?

    yea my phone is not activated and according to the instructions i need to ssh into it. How do I know what IP to use??
  8. iphoneTrouble macrumors newbie

    Oct 19, 2007
    How to get ip of iphone

    I am also struck here, my phone is not activated yet, how can i determine my ip? without ip how can I ssh it? I am really in trouble now.

    Does this method require iphone to be activated with at&t sim card. Help please:confused:

  9. JPyre macrumors 6502

    Mar 28, 2005
    Log into your router and check for it, if you have a 4 port router its probably either:
    192.168.2.* 1-5
    192.168.1.* 1-5

    Although, without it activated, I'm not sure the iPhone's wifi will connect, it has no reason to....

    Personally I like the Niacin tiff exploit a lot better, I don't know why so many are against it, all you have to do is goto a webpage while running 1.1.1, no downgrading, and you're 90% done. But then again, how do you goto a webpage when the phone is not activated? So, I guess this does have some use....
  10. iphoneTrouble macrumors newbie

    Oct 19, 2007
    ip address

    Thanks for your help. I will get access to my router tomorrow. But as you have told, it may not have made connection to wifi router. However, iphone shows the wifi signal icons. (Does this means,it has wifi connection!)

    I think this article is incomplete, they have not told that you need activated iphone to install ssh. I am very pluzzled, looking around the net for the possible solution.


Share This Page