iPhone 3G S: Restoring "forbidden" firmware
Updated: May 14, 2010
Page 1 of 2
Who is this guide for?
3G S iPhones.
I used iTunes 9.0.3
I used OS X 10.6.2
at great length about Apple's latest trick to thwart those of us that like to jailbreak and unlock
our iPhones. The 3G S is the only model being targeted, for now.
When you want to restore your iPhone and connect it to iTunes, Apple receives a request to restore
along with your phone's ECID (Exclusive Chip Identification number). This will happen even if
you have the firmware stored on your computer! The Apple server then checks to see if you are
requesting to restore to the most current firmware version available. If you are, the server then
"signs" a file and sends it back through iTunes authorizing the restore. If you request to restore
any other firmware version than the most recent, the server denies the request, and you can not
Saurik's article is about how he has set up Cydia to grab the ECID SHSH file for everyone's iPhones.
This file is the one that iTunes receives when a user requests a restore of their iPhone from Apple.
This ensures you can restore, indefinitely, to the firmware version you jailbroke on. You will
also be able to restore to new firmware updates as Cydia will continue to generate the file it needs
for newer firmwares automatically.
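The exchange described above, as a small model (an added example, not code from the original guide, Cydia or Apple). An HMAC with a constructed key stands in for Apple's signature, and all class and function names are hypothetical.

```python
import hashlib
import hmac

# Stand-in for Apple's signing key (constructed). The real service signs with
# a private key and the device checks with the public half; HMAC keeps the
# model short while preserving "only the server can produce a valid blob".
SERVER_KEY = b"constructed-demo-key"


def sign(ecid: int, version: str) -> bytes:
    """Signature over exactly two things: this device's ECID and the firmware."""
    msg = f"{ecid:016X}|{version}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


class SigningServer:
    def __init__(self, current_version: str):
        self.current_version = current_version

    def request(self, ecid: int, version: str):
        """Return a blob only for the most recent firmware, else deny (None)."""
        if version != self.current_version:
            return None
        return sign(ecid, version)


def restore_allowed(ecid: int, version: str, blob) -> bool:
    """Restore-time check: the blob must match this ECID and this firmware."""
    return blob is not None and hmac.compare_digest(blob, sign(ecid, version))


def walk_through() -> dict:
    ecid = 0x000003A4B1C2D3E4              # constructed ECID
    server = SigningServer("3.1.2")
    saved = server.request(ecid, "3.1.2")  # kept while 3.1.2 is still signed
    server.current_version = "3.1.3"       # a new release replaces it
    return {
        "live_3.1.2_request": server.request(ecid, "3.1.2") is not None,
        "saved_blob_same_phone": restore_allowed(ecid, "3.1.2", saved),
        "saved_blob_other_phone": restore_allowed(ecid + 1, "3.1.2", saved),
        "saved_blob_other_version": restore_allowed(ecid, "3.0", saved),
    }


if __name__ == "__main__":
    for case, ok in walk_through().items():
        print(f"{case}: {'accepted' if ok else 'denied'}")
```

Nothing in the signed message changes between requests, which is why a file saved once keeps working for that phone and that firmware, and for nothing else.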
The next step in the evolution of this process came about when ModMyi.com member Semaphore came up
with a way of expanding Saurik's concept. He recognized that while Saurik's method is very helpful,
it relies on Saurik's servers being operational. What if something happened to his servers? He then
posed the question: Wouldn't it be great if you could get the ECID SHSH file using your own
computer? By doing this, you could restore any time you felt like it, and your file would always be
safe, because you had control over it. That's where the method I'm going to cover in this tutorial
Before I start, let me tell you what the programs I'm about to write about will not do.
The programs you will download have nothing to do with the restoring process itself.
These programs will not upgrade your iPhone to 3.1.3 (or any other) firmware.
These programs will not store the ECID SHSH file for 3.0, 3.0.1, 3.1, or 3.1.2 firmware (unless
you previously saved them with Cydia) since Apple is no longer signing these firmwares.
To learn more about the iTunes verification process, read this article.
Denied request example.
Let me show you what happens when I try to restore 3.1.2 firmware to my iPhone 3G S, after Apple
has stopped signing 3.1.2 firmware restore requests (because 3.1.3 is now out). Here's my About
screen so you can see I'm on 3.1.2 and with the unlockable modem firmware 4.26.08. Note: I always
erase my serial number, Wi-Fi address, Bluetooth address, IMEI and ICCID for privacy reasons.
Next I launch iTunes, click Option and then Restore. I then point to where I have 3.1.2 firmware
already on my computer. I receive this message and select Restore.
Then the restore request is sent to iTunes...
And now for the bad news. Fortunately, it's easy to beat the system...
To get around this restriction Apple has put in place, there are two important numbers we need to
look up on the iPhone - the iBoot version and the ECID.
If you aren't even jailbroken yet, you need to be aware that newer iPhone 3G S models (manufactured
after October 13, 2009) may have a newer version of iBoot. This updated iBoot prevents the
jailbreak from working fully. Every time you reboot your phone, or if it crashes or runs out of
battery power, you will have to rerun the jailbreak process to reboot it. This happens with iBoot
version 359.3.2 (or later).
You may be able to determine if you have an older version of iBoot prior to purchase by looking at
the serial number of the iPhone. Look at the fourth and fifth digits. This is the week the phone
was manufactured. If that number is 40 or higher, then you just might have this new iBoot.
Here is how you definitively check your iBoot version. Place the iPhone into DFU mode: have the
phone connected via USB, turn it off. Press and hold the Home and the Sleep/Wake buttons for ten
seconds. Then let go of the Sleep/Wake button and continue holding the Home button for 10 seconds.
The screen will appear black but it will be on.
Click on the Apple in the top left corner of your screen. Select About This Mac. Click the More
Info... button on the pop up that appears.
Under the Hardware menu select USB. Now go to the USB High-Speed Bus menu and look for the Apple
Mobile Device (DFU Mode). In the Serial Number field look for SRT:[iBoot-XXX.X]. Your version
number is here. My version, pictured below, allows the jailbreak to function.
On the line above the iBoot is the ECID. You should write this down somewhere for future reference;
you'll need it. To leave DFU mode, simply continue holding the Home and Sleep/Wake buttons until the
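The two checks above (serial-number week and the DFU-mode serial string) as a parser; this is an added example, not part of the original guide. The sample strings are constructed, their space-separated KEY:value layout is an assumption, and the function names are hypothetical.

```python
import re

# First iBoot version the guide says forces a jailbreak re-run on every boot.
NEW_IBOOT = (359, 3, 2)


def parse_dfu_serial(serial: str) -> dict:
    """Pull the ECID and iBoot version out of a DFU-mode USB serial string."""
    fields = dict(re.findall(r"(\w+):(\[[^\]]*\]|\S+)", serial))
    # The guide writes the key as "SRT"; accept any key that starts that way.
    boot = next((v for k, v in fields.items() if k.startswith("SRT")), "")
    m = re.fullmatch(r"\[iBoot-(\d+(?:\.\d+)*)\]", boot)
    if "ECID" not in fields or m is None:
        raise ValueError("no ECID / iBoot fields; is the phone in DFU mode?")
    version = tuple(int(part) for part in m.group(1).split("."))
    return {
        "ecid": fields["ECID"].upper(),
        "iboot": ".".join(map(str, version)),
        # Compare numerically: 359.3 < 359.3.2 < 359.10 as tuples.
        "new_iboot": version >= NEW_IBOOT,
    }


def serial_week(serial_number: str) -> int:
    """Manufacture week per the guide: 4th and 5th characters of the serial."""
    week = serial_number[3:5]
    if len(week) != 2 or not week.isdigit():
        raise ValueError("characters 4-5 of the serial are not a week number")
    return int(week)


def might_have_new_iboot(serial_number: str) -> bool:
    """Pre-purchase hint only; the DFU string is the definitive check."""
    return serial_week(serial_number) >= 40


# Constructed sample strings, not taken from a real phone.
OLD = "CPID:8920 CPRV:15 CPFM:03 SCEP:03 BDID:00 ECID:000003A4B1C2D3E4 SRTG:[iBoot-359.3]"
NEW = "CPID:8920 CPRV:15 CPFM:03 SCEP:03 BDID:00 ECID:000003a4b1c2d3e5 SRTG:[iBoot-359.3.2]"

if __name__ == "__main__":
    for s in (OLD, NEW):
        print(parse_dfu_serial(s))
    print(might_have_new_iboot("AB941CONSTR"))  # constructed serial, week 41
```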
The next thing to do is launch Cydia on your iPhone and check for one of two things. In
the picture on the left you'll see a line of text just above the Cydia icon that says "This device
has SHSHs on file for iPhone OS: 3.1, 3.1.2." It may also list 3.0, 3.0.1, and 3.1.3. This means
that for every firmware listed, you can restore to that firmware even if Apple no longer wants you
This does not mean you can restore the modem firmware of that version. Remember, modem
firmwares are not downgradeable on the 3G S. So if you restored "accidentally" to 3.1.3 firmware,
you would get the new 5.12.01 modem firmware. If you had an SHSH on file for 3.0 you could then
downgrade to 3.0, but you would be stuck with the 5.12.01 modem firmware, which can not be unlocked.
If you see the picture on the right instead, then press the button that says "Make my life easier,
thanks!" Do this immediately! At this point it will only get the SHSH on file for the most
recent firmware - at the time of this writing 3.1.3 firmware. You can not go back in time and
retrieve SHSHs for earlier firmwares.
Note: Saurik does have a method where you can edit your hosts file to point the Apple authorization
server request to his server instead, but I'm going to use another method.
Download the program Umbrella
Save these to your desktop! Note: Umbrella is currently at version 03.13.32. TinyTSS doesn't
appear to be offered as a download anymore from the program creator so I'm hosting it. TinyTSS is
currently being integrated into Umbrella and should be available shortly.
You should have these files on your computer now. Decompress the TinyTSS file (unless your
browser already did this for you).
Double click the .dmg file from Step 3. Drag the application icon into your Applications folder
on your Mac.
Make sure your iPhone is connected to your Mac, then launch the Umbrella program. You will be
greeted with this pop-up message. Click the OK button. I will cover this later.
Here is the Umbrella program. It will tell you what firmware, baseband, and boot loader versions
you have along with what model of iPhone you have.
If you check the Advanced Options box, you will see more information. There will be a number in
the ECID box, but this is not your ECID. You will need to clear out this box and enter your ECID
that you found in Step 1.
You can select what device or version of firmware you'd like to use to create your ECID. You can
select the location that the ECID SHSH is downloaded from. You can retrieve this from Apple (which
will only be for the most recent firmware) or from Cydia (which may have other ECID SHSH files for
your particular iPhone). The localhost option is for testing TinyTSS, and is not normally used.
Once you've made your selections, click the Save my SHSH button at the top. Note: I've erased my
ECID from the screen shot as that is private information.
I have Little Snitch firewall running so I had to approve the outbound connection.
Umbrella will now tell you it has saved the file.
The ECID SHSH file will be placed in your Applications folder. Drag this file to your desktop.
Then place it into the TinyTSS folder which should also be on your desktop.