iPhone 3G S: Restoring "forbidden" firmware
Updated: February 17, 2010
Page 1 of 2
Who is this guide for?
- 3G S iPhones.
- I used iTunes 9.0.3
- I used OS X 10.6.2
Saurik wrote at great length about Apple's latest trick to thwart those of us who like to jailbreak and unlock our iPhones. The 3G S is the only model being targeted, for now.
When you restore your iPhone through iTunes, Apple receives the restore request along with your phone's ECID (Exclusive Chip Identification number). This happens even if you already have the firmware stored on your computer! The Apple server then checks whether you are requesting the most current firmware version available. If you are, the server "signs" a file and sends it back through iTunes, authorizing the restore. If you request any firmware version other than the most recent, the server denies the request and you cannot restore.
Saurik's article is about how he has set up Cydia to grab the ECID SHSH file for everyone's iPhones. This is the file iTunes receives from Apple when a user requests a restore of their iPhone. Having it on file ensures you can restore to the firmware version you jailbroke on indefinitely. You will also be able to restore to newer firmware updates, since Cydia will continue to generate the file it needs for newer firmwares automatically.
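As an added illustration (this is not code from the article, from Cydia or from Umbrella), the following Python models the authorization flow just described: a server that signs an (ECID, firmware version) pair only while that version is the newest one, and a device that later accepts a response that was saved earlier. HMAC-SHA256 under a server-held key stands in for Apple's real signature scheme, which is not reproduced here, and the ECIDs and version strings are constructed values.

```python
import hashlib
import hmac
import secrets

# Added illustration of the ECID-bound restore authorization described above.
# Stand-in: HMAC-SHA256 under a server-held key plays the role of Apple's
# signature. A real iPhone verifies with Apple's public key and never holds
# the signing key; that asymmetry is NOT modelled here, only the policy and
# the binding of the response to (ECID, firmware version).


class SigningServer:
    """Signs restore requests, but only for the firmware that is currently shipping."""

    def __init__(self, current_firmware):
        self._key = secrets.token_bytes(32)      # constructed server secret
        self.current_firmware = current_firmware

    def _sign(self, ecid, firmware):
        msg = f"{ecid}:{firmware}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def request_blob(self, ecid, firmware):
        """Return a signed response (the 'ECID SHSH file') or None when denied."""
        if firmware != self.current_firmware:
            return None                          # not the newest version: denied
        return {"ecid": ecid, "firmware": firmware, "sig": self._sign(ecid, firmware)}

    def verify_blob(self, ecid, blob):
        """Device-side acceptance check: the signature must match THIS ECID and version."""
        if blob is None or blob["ecid"] != ecid:
            return False
        expected = self._sign(ecid, blob["firmware"])
        return hmac.compare_digest(expected, blob["sig"])


def run_scenario():
    """Replay the article's timeline: save a blob while 3.1.2 is current,
    then try again after 3.1.3 ships."""
    server = SigningServer(current_firmware="3.1.2")
    my_ecid = "000001ABCDEF1234"      # constructed ECID, not a real device
    other_ecid = "00000FEDCBA98765"   # constructed ECID of a different phone

    # While 3.1.2 is the newest firmware, Apple signs the request; this is the
    # response Cydia (or Umbrella) stores on your behalf.
    saved = server.request_blob(my_ecid, "3.1.2")

    # Apple releases 3.1.3. A fresh request for 3.1.2 is now denied...
    server.current_firmware = "3.1.3"
    fresh = server.request_blob(my_ecid, "3.1.2")

    return {
        "signed_while_current": saved is not None,
        "denied_after_update": fresh is None,
        # ...but the saved response is still accepted for the device it was issued to,
        "saved_blob_still_valid": server.verify_blob(my_ecid, saved),
        # and it is worthless for any other ECID, which is why every phone needs its own file.
        "valid_for_other_device": server.verify_blob(other_ecid, saved),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point the model makes explicit: the server's policy ("only the current version") is enforced at request time, while the signature itself stays valid for as long as the device accepts it, so a response captured while it was obtainable keeps working later, but only for the ECID it was issued to.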
The next step in the evolution of this process came when ModMyi.com member Semaphore found a way of expanding Saurik's concept. He recognized that while Saurik's method is very helpful, it relies on Saurik's servers being up. What if something happened to his servers? He then posed the question: wouldn't it be great if you could get the ECID SHSH file using your own computer? That way you could restore any time you felt like it, and your file would always be safe, because you had control over it. That's where the method I'm going to cover in this tutorial comes in.
Before I start, let me tell you what what I'm about to write about will not do.
- The programs you will download have nothing to do with the restoring process itself.
- These programs will not upgrade your iPhone to 3.1.3 (or any other) firmware.
- These programs will not store the ECID SHSH file for 3.0, 3.0.1, 3.1, or 3.1.2 firmware (unless you previously saved them with Cydia), since Apple is no longer signing these firmwares.
To learn more about the iTunes verification process, read this article by iGuru.
Denied request example.
Let me show you what happens when I try to restore 3.1.2 firmware to my iPhone 3G S, after Apple
has stopped signing 3.1.2 firmware restore requests (because 3.1.3 is now out). Here's my About
screen so you can see I'm on 3.1.2 and with the unlockable modem firmware 4.26.08. Note: I always
erase my serial number, Wi-Fi address, Bluetooth address, IMEI and ICCID for privacy reasons.
Next I launch iTunes, click Option and then Restore. I then point to where I have 3.1.2 firmware
already on my computer. I receive this message and select Restore.
Then the restore request is sent to iTunes...
And now for the bad news. Fortunately, it's easy to beat the system...
Step 1.
To get around this restriction Apple has put in place, there are two important numbers we need to
look up on the iPhone - the iBoot version and the ECID.
If you aren't even jailbroken yet, you need to be aware that newer iPhone 3G S models (manufactured after October 13, 2009) may have a newer version of iBoot. This updated iBoot prevents the jailbreak from working fully: every time you reboot your phone, or if it crashes or runs out of battery power, you will have to rerun the jailbreak process to boot it again. This happens with iBoot version 359.3.2 (or later).
You may be able to determine whether you have an older version of iBoot prior to purchase by looking at the serial number of the iPhone. Look at the fourth and fifth digits; this is the week the phone was manufactured. If that number is 40 or higher, then you just might have this new iBoot.
Here is how you definitively check your iBoot version. Place the iPhone into DFU mode: with the phone connected via USB, turn it off. Press and hold the Home and Sleep/Wake buttons for ten seconds. Then let go of the Sleep/Wake button and continue holding the Home button for 10 seconds. The screen will appear black, but the phone will be on.
Click on the Apple in the top left corner of your screen. Select About This Mac. Click the More
Info... button on the pop up that appears.
Under the Hardware menu select USB. Now go to the USB High-Speed Bus menu and look for the Apple
Mobile Device (DFU Mode). In the Serial Number field look for SRT:[iBoot-XXX.X]. Your version
number is here. My version, pictured below, allows the jailbreak to function.
On the line above the iBoot is the ECID. Write this down somewhere for future reference; you'll need it. To leave DFU mode, simply continue holding the Home and Sleep/Wake buttons until the iPhone reboots.
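The checks in Step 1 are easy to get wrong by eye (version strings do not sort like numbers, and the week digits are easy to miscount), so here is an added Python example that does them mechanically. It is not code from the article or from any Apple tool. The record string is constructed to match the field shapes the article describes for the DFU-mode entry in System Profiler (an ECID field and SRT:[iBoot-X.Y]); the ECID and serial numbers in it are made-up values, and accepting an SRTG: spelling of the tag is an assumption.

```python
import re

# Added example for Step 1 (not from the article or any Apple tool). The record
# string is CONSTRUCTED to match the field shapes the article describes for the
# DFU-mode device in System Profiler; the ECID is not a real value.
SAMPLE_DFU_RECORD = "ECID:000001ABCDEF1234 SRT:[iBoot-359.3]"

# Earliest iBoot that breaks the jailbreak, per the article (359.3.2 or later).
NEW_IBOOT = (359, 3, 2)


def parse_version(text):
    """'359.3' -> (359, 3). Tuples compare component-wise, and a shorter tuple
    that is a prefix of a longer one sorts first, so (359, 3) < (359, 3, 2)."""
    return tuple(int(part) for part in text.split("."))


def parse_dfu_record(record):
    """Extract (ECID, iBoot version tuple) from the DFU-mode serial string.
    Assumes tags look like 'ECID:<hex>' and 'SRT:[iBoot-X.Y]' as the article shows;
    'SRTG:' is accepted as well (assumption) in case the tag is spelled that way."""
    ecid = re.search(r"ECID:([0-9A-Fa-f]+)", record)
    iboot = re.search(r"SRTG?:\[iBoot-([0-9]+(?:\.[0-9]+)*)\]", record)
    if not ecid or not iboot:
        raise ValueError("record lacks an ECID or iBoot field")
    return ecid.group(1), parse_version(iboot.group(1))


def iboot_allows_jailbreak(version):
    """True when iBoot is older than 359.3.2."""
    return version < NEW_IBOOT


def serial_week(serial):
    """Manufacturing week is the fourth and fifth characters of the serial."""
    week = serial[3:5]
    if len(week) != 2 or not week.isdigit():
        raise ValueError("serial too short or week field not numeric")
    return int(week)


def serial_suggests_new_iboot(serial):
    """The article's pre-purchase heuristic: week 40 or later may carry the new
    iBoot. It is only a hint; the DFU-mode check above is authoritative."""
    return serial_week(serial) >= 40


def check_device(record, serial):
    """Combine both checks into one report for a device."""
    ecid, iboot = parse_dfu_record(record)
    return {
        "ecid": ecid,
        "iboot": ".".join(str(p) for p in iboot),
        "jailbreak_ok": iboot_allows_jailbreak(iboot),
        "serial_week": serial_week(serial),
        "serial_hint_new_iboot": serial_suggests_new_iboot(serial),
    }


if __name__ == "__main__":
    # "88035ABCDEF" is a constructed serial whose week digits are "35".
    print(check_device(SAMPLE_DFU_RECORD, "88035ABCDEF"))
```

Paste the text of the Serial Number field in place of SAMPLE_DFU_RECORD and your own serial in place of the constructed one; the report tells you whether the iBoot is below 359.3.2 and what the serial-week heuristic would have predicted, so you can see when the heuristic and the definitive check disagree.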
Step 2.
The next thing to do is launch Cydia on your iPhone and check for one of two things. In
the picture on the left you'll see a line of text just above the Cydia icon that says "This device
has SHSHs on file for iPhone OS: 3.1, 3.1.2." It may also list 3.0, 3.0.1, and 3.1.3. This means
that for every firmware listed, you can restore to that firmware even if Apple no longer wants you
to.
This does not mean you can restore the modem firmware of that version. Remember, modem firmwares are not downgradeable on the 3G S. So if you restored "accidentally" to 3.1.3 firmware, you would get the new 5.12.01 modem firmware. If you had an SHSH on file for 3.0 you could then downgrade to 3.0, but you would be stuck with the 5.12.01 modem firmware, which cannot be unlocked. Follow this?
If you see the picture on the right instead, then press the button that says "Make my life easier, thanks!" Do this immediately! At this point it will only get the SHSH on file for the most recent firmware - at the time of this writing 3.1.3 firmware. You cannot go back in time and retrieve SHSHs for earlier firmwares.
Note: Saurik does have a method where you edit your hosts file to point the Apple authorization server request to his server instead; I'm going to use another method.
Step 3.
Download the programs Umbrella and TinyTSS here. Save this to your desktop! Note: This program is frequently updated, and as of this writing is at version 221. Should a newer version come out, the steps are the same except in Step 5, which will contain more information.
I learned about this program here, in a thread titled 3.1 SHSH Blob Grabber. You could learn even more by reading those links and the original TinyTSS thread here yourself.
Here is a thread that iGuru made supporting his original GUI for Umbrella.
After you download this file, decompress it and you'll have a folder.
Step 4.
Open the folder from Step 3. Double click the umbrella.jar file. You could also use the
Umbrella.dmg, it just takes more steps to run the program inside.
Here is the Umbrella program.
Enter your ECID (the one you retrieved in Step 1), then select your device version (iPhone 3gs - 3.1.2 in my case). Then select the SHSH repository you want to use. You can get your ECID SHSH from Apple directly (which will only be for the most recent firmware) or from Saurik - Cydia (who may have other ECID SHSH files for your particular iPhone). The localhost option is for testing TinyTSS and is not normally used. Then click Submit.
I have Little Snitch firewall running so I had to approve the outbound connection.
Umbrella will now tell you it has saved the file and gives you the file name.
The file is saved in the same folder the program resides in. Look at the file size of your ECID SHSH carefully. It should be 66 kilobytes. If it is 4 kilobytes, the file is no good: this happens when you request an ECID SHSH file that is not on record with Cydia or that Apple is no longer signing.