Unlocking the 3G iPhone using PwnageTool in Expert mode

Intel Mac & PPC

Page 1 of 2


Updated: June 2, 2009





Who is this guide for?
  • All 3G iPhones on 2.2 firmware or lower. Note: If you are currently on 2.2.1 firmware it may be possible for you to downgrade your baseband to an unlockable state. See this tutorial for more information.
  • Official contract, or not.
  • Pwned or not.
  • I used iTunes 8.1.1. iTunes 8.2 will not work! To uninstall iTunes 8.2 read this.
  • I used OS X 10.5.7.
  • I kept my T-Mobile SIM in the entire time.
  • Make sure to Sync your iPhone prior to using this tutorial. This way your personal information, and any App Store applications will be preserved.

Thanks again go out to the iPhone Dev Team for providing this amazing, and FREE program for jailbreaking, activating, unlocking, and customizing the 1st generation iPhones. You can visit their website here.

Apple has an excellent support document regarding update and restore error messages on the iPhone. Should you have any troubles, consult this article.

If at any point in this tutorial you receive this pop-up message from iTunes, go ahead and install the carrier settings update. It is completely harmless.

Step 1.

Download PwnageTool 2.2.5 from me here, or via the iPhone Dev Team's download link list here.

If you haven't already downloaded 2.2.1 firmware from Apple, then you can download it here. Note: Safari likes to open "safe" files by default. You must turn this feature off for this download to work correctly. Click "Safari", select "Preferences", and on the "General" tab uncheck the box that says "Open 'safe' files after downloading". Otherwise, just use Firefox to download this firmware file.

You should now have these two icons on your desktop:

Step 2.

Double-click the PwnageTool_2.2.5.dmg. It will open the window seen below. Install PwnageTool. Make sure to drag the program icon from the disk image into your Applications folder! Do not attempt to run the program from the disk image window; it will cause problems.

Step 3.

Launch PwnageTool. Make sure the Expert mode button in the top left corner is selected. Click the iPhone on the right.

You should get a green check mark on the iPhone you selected. Click the blue arrow button in the lower right corner.

PwnageTool will search for the 2.2.1 firmware on your computer. When it displays the firmware file you want, click on it. Multiple firmwares may be displayed, so make sure you select the correct one. Then click the blue arrow in the lower right corner.
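
Two checks worth making before selecting a firmware file in PwnageTool, given here as an added example (not part of the original guide or of PwnageTool): that the download is still an intact archive rather than a folder Safari unpacked, and that it really is the 2.2.1 firmware. It assumes the .ipsw is a zip archive containing a Restore.plist with ProductVersion, ProductBuildVersion and ProductType keys; the function names are hypothetical.

```python
import hashlib
import os
import plistlib
import sys
import zipfile


def inspect_ipsw(path):
    """Return (ok, info) for a downloaded firmware file."""
    if os.path.isdir(path):
        # What is left behind when the browser auto-opens the "safe" archive.
        return False, {"error": "directory, not an .ipsw archive (auto-extracted?)"}
    if not zipfile.is_zipfile(path):
        return False, {"error": "not a zip archive (truncated or wrong file)"}
    with zipfile.ZipFile(path) as z:
        bad = z.testzip()  # re-reads every member and checks its CRC-32
        if bad is not None:
            return False, {"error": "corrupt member: " + bad}
        if "Restore.plist" not in z.namelist():
            return False, {"error": "no Restore.plist (not a firmware bundle?)"}
        # Assumed layout: Restore.plist carries the version metadata.
        meta = plistlib.loads(z.read("Restore.plist"))
    sha1 = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            sha1.update(chunk)
    return True, {
        "version": meta.get("ProductVersion"),
        "build": meta.get("ProductBuildVersion"),
        "device": meta.get("ProductType"),
        "sha1": sha1.hexdigest(),  # compare with a value from a trusted source
    }


def is_expected(path, want_version="2.2.1"):
    """True only for an intact archive whose metadata names want_version."""
    ok, info = inspect_ipsw(path)
    return ok and info["version"] == want_version


if __name__ == "__main__":
    ok, info = inspect_ipsw(sys.argv[1])
    print("OK" if ok else "FAIL", info)
    sys.exit(0 if ok else 1)
```

Run it with the path to the downloaded .ipsw as its only argument; when several firmware files are on disk, the reported version and device show which one is which.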

You will be at this screen and have many choices you can make. Click on General. Then click the blue arrow at the bottom.

At the General settings screen, if you are not using an authorized carrier (this is the reason you are unlocking the iPhone to begin with), then check the box for Activate the phone. Check the box for Disable partition wipe-out. I would set the Root partition size at 534 megabytes. Click the blue arrow in the lower right corner when you have made your choices.

At the Bootneuter settings screen there will be nothing you can select. The unlock for the 3G iPhone is not built into PwnageTool yet. We will install yellowsn0w at a later stage to perform the unlock. Click the blue arrow in the lower right corner.

Based on Saurik's advice (the creator of Cydia), I ignore the Cydia settings screen in PwnageTool. It is better to install any applications you need from Cydia directly. I've found problems when using this screen to automatically install programs. Just click the blue arrow in the lower right corner, to continue to the next screen.

Here you can decide whether or not to install Cydia, or the Installer. After you've made your choices, click the blue arrow in the lower right corner.

At the Custom logos settings screen, you can choose to use the suggested images by leaving their boxes checked, or uncheck them and use the stock images. If you click on Browse... you can add your own images in their place. Click the blue arrow in the lower right corner when done.

Here is the boot graphic I like to use. It is 320 by 480 in size. It has a one pixel, transparent border on all sides. All you have to do is paste in your 318 by 478 image onto it and center it. Then just save the image with the transparency intact and your image will work. Make sure your saved image is 100kb or less.

Finally, click the Build button and the blue arrow in the lower right corner.

Name your custom firmware file, and select where to save it.

You will now see this screen while your custom .ipsw is assembled. This stage is about three minutes long.

You will be prompted to enter your system password. There is nothing nefarious in this request: PwnageTool asks because it creates your firmware by running commands as the root account (or superuser) on your computer. Several steps require unmounting and mounting file systems, which is performed with a system UID of 0, and that causes the prompt for a system password. The root access is only for the creation of the ipsw file. So it's completely harmless.

Has your iPhone been Pwned before? It's always safe to answer no, which I did.

You will receive instructions on how to put the iPhone into DFU mode. Simply follow the on-screen prompts to do this. Note there are many ways to get into DFU mode since 10.5.6 complicated the process.

If you are unable to enter DFU mode, the iPhone Dev Team posted the following information (Warning, many Mac users complain of loss of track pad and keyboard use and USB issues):

OS X 10.5.6 introduced a bug that affected the use of DFU mode with some Macs. There have been previously published hacks and techniques to fix this, but here is another method that can be used to temporarily restore DFU functionality in order to use QuickPwn or PwnageTool.

  1. You will need an account with ADC (Apple Developer Connection) this is free and takes a few minutes to sign up, you should read the terms and conditions carefully and you should only sign up if you are thinking of developing applications in the future - http://developer.apple.com/mac/
  2. Download the disk image “IOUSBFamily-315.4-log.dmg” for Mac OS X 10.5.5 Build 9F33 (yes, that is a “5” in 10.5.5 - this is a developer debug package of the USB kernel extension).
  3. Unplug non-vital USB equipment, such as external DVD writers, USB scanners, and USB mass storage devices. At the most leave a keyboard and mouse connected.
  4. Install IOUSBFamily-315.4.1.pkg from within the disk image.
  5. Reboot your system!
  6. Perform necessary DFU activity with QuickPwn or PwnageTool.
  7. Download the disk image “IOUSBFamily-327.4.0-log.dmg” for Mac OS X 10.5.6 Build 9G55.
  8. Install IOUSBFamily-327.4.0.pkg from within the disk image.
  9. Reboot your system!
  10. Reattach your USB peripherals.


Another option is to use a USB hub (powered or unpowered) to get into DFU mode.


Note: I have had luck restoring to a custom firmware file by not using DFU mode. With the iPhone on, open iTunes and just Option-click Restore.


First, turn off your iPhone. iTunes may open; you can just drag it out of the way.


You will then get 5 seconds to press and hold both the Power (sleep/wake) and Home buttons. Don't do this until told to, though.

You will then press and continue to hold both the Power (sleep/wake) and Home buttons for 10 seconds.

You will be prompted to release the Power (sleep/wake) button.

Continue holding the Home button for 10 seconds.

You are now in DFU mode. Click OK.

Click here to go to page 2.





