- Modifying PwnageTool
- Building a Custom Firmware
- Creating Custom Ramdisk for iOS 4.3 Custom Firmware
- Restore iOS 4.3 Custom Firmware Using iTunes
- Booting in Tethered Mode
Starting with the first point:
1. Modifying PwnageTool
First Step: For your version of iOS device, download PwnageTool and extract the .zip file.
You will find two bundle files: CydiaInstaller.bundle and, let's say, "X".bundle (it will be named according to the version you downloaded!).
Move the files to your desktop.
Second Step: Download PwnageTool 4.1.2 and copy it to your desktop. Right click it and choose “Show Package Contents” as shown below.
Third Step: Navigate to Contents/Resources/FirmwareBundles/ and paste the X.bundle file.
Fourth Step: Now navigate to Contents/Resources/CustomPackages and replace the CydiaInstaller.bundle file there with the version that you downloaded in the 'first step', and then simply close this folder.
2. Building a Custom Firmware
Fifth Step: Download iOS 4.3 Beta and move the file to your desktop.
Sixth Step: Start PwnageTool in “Expert mode” and select your device.
Seventh Step: Browse for iOS 4.3 beta firmware for your device (as shown below).
Eighth Step: Select “Build” to create custom 4.3 firmware file.
Ninth Step: PwnageTool will now create the custom .ipsw file for your iPhone which will be jailbroken.
Tenth Step: After creating the custom firmware, quit PwnageTool. Don’t restore to this firmware yet.
3. Creating Custom Ramdisk for iOS 4.3 Custom Firmware
Eleventh Step: Download Ramdisk_Maker.zip by DjayB6, extract the file, and move the folder to your desktop.
Twelfth Step: Now open the ramdisk_maker.sh file and edit the required paths in a program like TextEdit, as shown highlighted in the screenshot below.
Thirteenth Step: Now start Terminal and run the following commands:
cd desktop
cd ramdisk_maker
./ramdisk_maker.sh
From here on, this automated script in Terminal will guide you on what to do next, as shown highlighted in the screenshot below.
Fourteenth Step: Now create a folder on the desktop named My_Ramdisk.
Then change the extension of the original iOS 4.3 Beta file from .ipsw to .zip, and then extract this .zip file.
Fifteenth Step: You will see a file named 038-0408-002.dmg. This is the file you need. Copy it to the My_Ramdisk folder that you created on the desktop.
Sixteenth Step: Once you have done that, you will notice that the Terminal screen automatically moves on to the next step, as shown in the screenshot below.
Seventeenth Step: Now go to the ramdisk_maker folder that you saved earlier on the desktop and open the file Options.plist in a program like TextWrangler (available for free on the Mac App Store). Here change the value under SystemPartitionSize to 1116, as shown highlighted below.
Eighteenth Step: Now save this Options.plist file and move it to the My_Ramdisk folder. The Terminal will again automatically move on to complete the process.
Nineteenth Step: A new file named final_ramdisk.dmg will be created in the My_Ramdisk folder. Rename it to 038-0408-002.dmg.
Twentieth Step: Now change the extension of the custom iOS 4.3 Beta firmware file that you created earlier from .ipsw to .zip, and then extract this .zip file.
Twenty-first Step: Here, replace the 038-0408-002.dmg file with the one you created in the previous step.
Twenty-second Step: Now select all files and click on “Compress 9 Items” to convert them back into a .zip file. Then change the extension of this .zip file to .ipsw, and you are done making the custom firmware with the fixed ramdisk.
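Steps 14 through 22 come down to two mechanical operations: setting one key in Options.plist, and swapping one member of a zip archive (an .ipsw is a zip file with a different extension, which is why renaming it works). The Python script below is an added example, not code from the Redmond Pie guide or from Ramdisk_Maker. It does both operations programmatically, records a SHA-256 of the ramdisk before and after the swap so the original and custom firmware files can be told apart later, and checks that Restore.plist is still at the root of the rebuilt archive (that is what "select all files, then Compress" produces; compressing the enclosing folder instead would nest everything one level down). The file name 038-0408-002.dmg and the value 1116 are from the page; the archive contents and Options.plist built inside demo() are constructed stand-ins, not real firmware.

```python
import hashlib
import plistlib
import tempfile
import zipfile
from pathlib import Path

# Name of the restore ramdisk inside the iOS 4.3 beta firmware used on the page.
RAMDISK_NAME = "038-0408-002.dmg"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string, used to fingerprint the ramdisk before and after."""
    return hashlib.sha256(data).hexdigest()


def set_system_partition_size(plist_bytes: bytes, size: int = 1116) -> bytes:
    """Return Options.plist with SystemPartitionSize set; 1116 is the value the page uses."""
    options = plistlib.loads(plist_bytes)
    options["SystemPartitionSize"] = size
    return plistlib.dumps(options)


def read_system_partition_size(plist_bytes: bytes) -> int:
    """Read the SystemPartitionSize key back, so an edit can be confirmed before use."""
    return int(plistlib.loads(plist_bytes)["SystemPartitionSize"])


def check_flat_layout(ipsw) -> bool:
    """True if Restore.plist sits at the archive root (IPSW layout fact, not from the page)."""
    with zipfile.ZipFile(ipsw) as z:
        return "Restore.plist" in z.namelist()


def replace_ipsw_member(src_ipsw, dst_ipsw, member: str, new_bytes: bytes) -> dict:
    """Write dst_ipsw as a copy of src_ipsw with one member replaced.

    Returns the member name, the member count and the SHA-256 before and after.
    Every other entry is copied unchanged, so the archive stays flat.
    """
    with zipfile.ZipFile(src_ipsw) as zin:
        if member not in zin.namelist():
            raise FileNotFoundError(f"{member} is not in {src_ipsw}")
        old_hash = sha256_hex(zin.read(member))
        with zipfile.ZipFile(dst_ipsw, "w", zipfile.ZIP_DEFLATED) as zout:
            for info in zin.infolist():
                data = new_bytes if info.filename == member else zin.read(info)
                zout.writestr(info, data)  # reuses the original entry metadata
        member_count = len(zin.infolist())
    return {
        "member": member,
        "members": member_count,
        "old_sha256": old_hash,
        "new_sha256": sha256_hex(new_bytes),
    }


def demo() -> dict:
    """Run the whole procedure on a constructed miniature firmware (not real Apple data)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        original = tmp / "original_4.3_beta.ipsw"
        with zipfile.ZipFile(original, "w") as z:  # constructed stand-in for the beta .ipsw
            z.writestr("Restore.plist", b'<plist version="1.0"><dict/></plist>')
            z.writestr(RAMDISK_NAME, b"constructed broken ramdisk")
            z.writestr("Firmware/dfu/iBSS.n90ap.RELEASE.dfu", b"constructed iBSS")
        # Step 17: edit Options.plist (constructed contents; the real file has more keys).
        options = set_system_partition_size(plistlib.dumps({"SystemPartitionSize": 1024}))
        # Steps 19 to 21: final_ramdisk.dmg (constructed here) takes the original's name.
        final_ramdisk = b"constructed fixed ramdisk"
        custom = tmp / "custom_4.3_beta.ipsw"
        result = replace_ipsw_member(original, custom, RAMDISK_NAME, final_ramdisk)
        with zipfile.ZipFile(custom) as z:
            result["swapped_ok"] = z.read(RAMDISK_NAME) == final_ramdisk
        result["layout_ok"] = check_flat_layout(custom)
        result["system_partition_size"] = read_system_partition_size(options)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real run, point `replace_ipsw_member` at the PwnageTool-built .ipsw as the source and at My_Ramdisk/final_ramdisk.dmg (read as bytes) as the replacement, and keep the printed hashes with the files: the only visible difference between the original and the custom firmware is that one ramdisk, and the hash is the quickest way to confirm which file is which before you hand it to iTunes.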
4. Restore iOS 4.3 Custom Firmware Using iTunes
Twenty-third Step: Start iTunes and click on your iOS device icon in the iTunes sidebar. Now press and hold the left “alt” (option) key on Mac [or the left “Shift” key if you are on Windows], click on the “Restore” button in iTunes, and then release the key.
This will make iTunes prompt you to select the location for your custom firmware 4.3 file. Select the required custom .ipsw file that you created in the last step, and click on “Open”.
Twenty-fourth Step: Now let iTunes do the rest for you. This will involve a series of automated steps. Be patient and do nothing while iTunes installs the new firmware 4.3 on your iOS device. Your iOS device screen at this point will be showing a progress bar indicating installation progress. After the installation is done, your iPhone, iPad or iPod touch will be jailbroken on iOS 4.3.
5. Booting in Tethered Mode
Finally, since there is no untethered jailbreak for iOS 4.3 yet, we will have to boot it into a tethered jailbroken state. To do this, we will make use of a utility named “tetheredboot” as shown in the steps below.
Twenty-fifth Step: Download the tetheredboot.zip utility for Mac OS X and extract the .zip file.
Twenty-sixth Step: First, we will need three files from the original iOS 4.3 Beta firmware named
- kernelcache.release.n90
- iBEC.n90ap.RELEASE.dfu
- iBSS.n90ap.RELEASE.dfu
Change the extension of the original iOS 4.3 Beta file from .ipsw to .zip, like you did in the '14th step', and then extract this .zip file.
Now copy the kernelcache.release.n90 file, and then copy the iBEC.n90ap.RELEASE.dfu and iBSS.n90ap.RELEASE.dfu files, which are found under /Firmware/dfu/.
Move the three files and the tetheredboot utility to a new folder named “tetheredboot” on the desktop, as shown below.
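The three file names in step 26 belong to one device model: n90 is the board identifier of the iPhone 4, and other models' firmware carries different names, which the page does not say. The script below is an added example, not code from the page or from tetheredboot. It pulls the named files straight out of the original .ipsw, flattens the Firmware/dfu/ paths so the files land side by side in the tetheredboot folder, and stops before anything else is run if a name is missing, which is the usual sign that the list does not match the device's firmware. The archive built in demo() is constructed, and the name used to exercise the failure path is a placeholder, not a real file name.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Names taken from the page (iPhone 4, board identifier n90). Other models
# use other names, so callers pass their own list.
BOOT_FILES = [
    "kernelcache.release.n90",
    "Firmware/dfu/iBEC.n90ap.RELEASE.dfu",
    "Firmware/dfu/iBSS.n90ap.RELEASE.dfu",
]


def extract_boot_files(ipsw, dest_dir, members=BOOT_FILES) -> dict:
    """Copy the named IPSW members into dest_dir (flattened) and return name -> SHA-256.

    Raises FileNotFoundError before writing anything if any name is absent,
    so a firmware for the wrong device model is caught up front.
    """
    dest = Path(dest_dir)
    digests = {}
    with zipfile.ZipFile(ipsw) as z:
        present = set(z.namelist())
        missing = [m for m in members if m not in present]
        if missing:
            raise FileNotFoundError(
                f"not in this firmware (wrong device model?): {missing}")
        dest.mkdir(parents=True, exist_ok=True)
        for member in members:
            data = z.read(member)
            out = dest / Path(member).name  # drop Firmware/dfu/, keep the file name
            out.write_bytes(data)
            digests[out.name] = hashlib.sha256(data).hexdigest()
    return digests


def demo() -> dict:
    """Exercise both paths on a constructed archive (not real firmware)."""
    with tempfile.TemporaryDirectory() as tmp:
        ipsw = Path(tmp) / "constructed_4.3_beta.ipsw"
        with zipfile.ZipFile(ipsw, "w") as z:  # constructed stand-in for the beta .ipsw
            z.writestr("Restore.plist", b'<plist version="1.0"><dict/></plist>')
            for member in BOOT_FILES:
                z.writestr(member, f"constructed {member}".encode())
        digests = extract_boot_files(ipsw, Path(tmp) / "tetheredboot")
        # Placeholder name for another model: extraction must refuse, not half-succeed.
        try:
            extract_boot_files(ipsw, Path(tmp) / "other",
                               ["Firmware/dfu/iBSS.nXXap.RELEASE.dfu"])
            wrong_model_rejected = False
        except FileNotFoundError:
            wrong_model_rejected = True
        return {
            "files": sorted(digests),
            "wrong_model_rejected": wrong_model_rejected,
            "other_dir_created": (Path(tmp) / "other").exists(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run `extract_boot_files("/path/to/original_4.3_beta.ipsw", "~/Desktop/tetheredboot")` with the real firmware and keep the returned hashes: they let you confirm afterwards that the files tetheredboot booted from are the unmodified ones from the original firmware rather than the custom .ipsw.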
Twenty-seventh Step: Now, to boot your iPhone, iPad or iPod touch into tethered mode, connect it to your computer and start it in Recovery Mode by holding the Home and Power buttons until the “connect to iTunes” screen appears on your device.
Twenty-eighth Step: Start Terminal and run the following commands:
sudo sh
enter your administrator password, then:
cd desktop/tetheredboot
./tetheredboot iBSS kernel
You should now see output scrolling in the Terminal window; at some point it will ask you to enter DFU mode. Follow these steps to enter DFU mode:
- Hold Power and Home buttons for 10 seconds
- Now release the Power button but continue holding the Home button for 10 more seconds
- Your device should now be in DFU mode
Now wait for your device to boot; Terminal at this point will show the “Exiting libpois0n” message. After a short while, your iPhone, iPad or iPod touch will be booted in a jailbroken tethered mode!
WARNING: The jailbreaking procedure is complex, and hence is meant for advanced users only. It will require you to make your own ramdisk because the latest official version of PwnageTool makes a broken one for iOS 4.3. Proceed at your own risk only. We are not to be held responsible if you end up bricking your iPhone, iPad or iPod touch.
By Redmond Pie