iPhone 3G S: Restoring "forbidden" firmware

Updated: May 14, 2010

Who is this guide for?
  • 3G S iPhones.
  • I used iTunes 9.0.3
  • I used OS X 10.6.2

Saurik wrote at great length about Apple's latest trick to thwart those of us who like to jailbreak and unlock our iPhones. For now, the 3G S is the only model being targeted.

When you connect your iPhone to iTunes and ask to restore it, Apple receives the restore request along with your phone's ECID (Exclusive Chip Identification number). This happens even if you have the firmware stored on your computer! The Apple server then checks whether you are requesting a restore to the most current firmware version available. If you are, the server "signs" a file and sends it back through iTunes, authorizing the restore. If you request any firmware version other than the most recent, the server denies the request and you cannot restore.

Saurik's article is about how he has set up Cydia to grab the ECID SHSH file for everyone's iPhones. This is the file that iTunes receives from Apple when a user requests a restore of their iPhone. Having it on file ensures you can restore indefinitely to the firmware version you jailbroke on. You will also be able to restore to new firmware updates, as Cydia will continue to automatically generate the file it needs for newer firmwares.
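A simplified model of the check described above, added here as an illustration (it is not Apple's, Saurik's or iTunes' code). It assumes an HMAC with a made-up key in place of Apple's public-key signature, and every ECID, key and firmware digest in it is constructed.

```python
import hashlib
import hmac

# Constructed values for the model; none are real Apple keys, ECIDs or hashes.
SERVER_KEY = b"model-signing-key"
FIRMWARE = {"3.1.2": hashlib.sha1(b"ipsw-3.1.2").digest(),
            "3.1.3": hashlib.sha1(b"ipsw-3.1.3").digest()}


def _sign(ecid, digest):
    # Stand-in for the server's signature over (ECID, firmware digest).
    msg = ecid.to_bytes(8, "big") + digest
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


class SigningServer:
    """Signs a restore request only for the version currently offered."""

    def __init__(self, current):
        self.current = current

    def request(self, ecid, version):
        if version != self.current:
            return None  # denied: not the most recent firmware
        return _sign(ecid, FIRMWARE[version])


def device_accepts(ecid, version, blob):
    """Device-side check: the blob must match this ECID and this firmware."""
    if blob is None:
        return False
    return hmac.compare_digest(blob, _sign(ecid, FIRMWARE[version]))


def demo():
    my_ecid, other_ecid = 0x000001234567890A, 0x00000FEDCBA09876
    server = SigningServer(current="3.1.2")
    saved = server.request(my_ecid, "3.1.2")  # saved while still signed
    server.current = "3.1.3"                  # new release: window closes
    return {
        "fresh_request_denied": server.request(my_ecid, "3.1.2") is None,
        "saved_blob_still_valid": device_accepts(my_ecid, "3.1.2", saved),
        "blob_bound_to_ecid": not device_accepts(other_ecid, "3.1.2", saved),
        "blob_bound_to_version": not device_accepts(my_ecid, "3.1.3", saved),
    }
```

In this model the saved blob keeps verifying after the server moves on because nothing in the signed message expires, while the ECID binding stops it from being used on a different phone.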




The next step in the evolution of this process came about when ModMyi.com member Semaphore came up with a way of expanding Saurik's concept. He recognized that while Saurik's method is very helpful, it relies on Saurik's servers being up. What if something happened to his servers? He then posed the question: Wouldn't it be great if you could get the ECID SHSH file using your own computer? By doing this, you could restore any time you felt like it, and your file would always be safe, because you had control over it. That's where the method I'm going to cover in this tutorial comes in.

Before I start, let me tell you what the method I'm about to describe will not do.
  • The programs you will download have nothing to do with the restoring process itself.
  • These programs will not upgrade your iPhone to 3.1.3 (or any other) firmware.
  • These programs will not store the ECID SHSH file for 3.0, 3.0.1, 3.1, or 3.1.2 firmware (unless you previously saved them with Cydia), since Apple is no longer signing these firmwares.

To learn more about the iTunes verification process, read this article by iGuru.



Denied request example.

Let me show you what happens when I try to restore 3.1.2 firmware to my iPhone 3G S, after Apple has stopped signing 3.1.2 firmware restore requests (because 3.1.3 is now out). Here's my About screen so you can see I'm on 3.1.2 with the unlockable modem firmware 4.26.08. Note: I always erase my serial number, Wi-Fi address, Bluetooth address, IMEI and ICCID for privacy reasons.

Next I launch iTunes, click Option and then Restore. I then point to where I have 3.1.2 firmware already on my computer. I receive this message and select Restore.

Then the restore request is sent to iTunes...

And now for the bad news. Fortunately, it's easy to beat the system...

Step 1.

To get around this restriction Apple has put in place, there are two important numbers we need to look up on the iPhone - the iBoot version and the ECID.

If you aren't jailbroken yet, you need to be aware that newer iPhone 3G S models (manufactured after October 13, 2009) may have a newer version of iBoot. This updated iBoot prevents the jailbreak from working fully. Every time you reboot your phone, or if it crashes or runs out of battery power, you will have to rerun the jailbreak process to reboot it. This happens with iBoot version 359.3.2 (or later).

You may be able to determine if you have an older version of iBoot prior to purchase by looking at the serial number of the iPhone. Look at the fourth and fifth digits. This is the week the phone was manufactured. If that number is 40 or higher, then you just might have this new iBoot.

Here is how you definitively check your iBoot version. Place the iPhone into DFU mode: with the phone connected via USB, turn it off. Press and hold the Home and the Sleep/Wake buttons for ten seconds. Then let go of the Sleep/Wake button and continue holding the Home button for 10 seconds. The screen will appear black, but the phone will be on.

Click on the Apple in the top left corner of your screen. Select About This Mac. Click the More Info... button on the pop up that appears.

Under the Hardware menu select USB. Now go to the USB High-Speed Bus menu and look for the Apple Mobile Device (DFU Mode). In the Serial Number field look for SRT:[iBoot-XXX.X]. Your version number is here. My version, pictured below, allows the jailbreak to function.

On the line above the iBoot is the ECID. Write this down somewhere for future reference; you'll need it. To leave DFU mode, simply continue holding the Home and Sleep/Wake buttons until the iPhone reboots.
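The two checks from this step as a small script, added here as an example (it is not part of Umbrella or TinyTSS). The sample strings are constructed, the field layout of the DFU serial string is an assumption, and the tag is accepted either as SRT, as written above, or as SRTG, the spelling assumed in the sample.

```python
import re

# Constructed samples: not a real device's ECID or serial number.
SAMPLE_DFU = "CPID:8920 ECID:000001234567890A IBFL:00 SRTG:[iBoot-359.3]"
SAMPLE_SERIAL = "88942ABC3NP"
TETHERED_FROM = (359, 3, 2)  # first iBoot the page says needs a re-jailbreak


def parse_dfu_serial(serial):
    """Return (ecid, iboot_version_tuple) from the DFU-mode Serial Number field."""
    fields = dict(re.findall(r"(\w+):(\[[^\]]*\]|\S+)", serial))
    tag = fields.get("SRTG") or fields.get("SRT")
    match = re.fullmatch(r"\[iBoot-(\d+(?:\.\d+)*)\]", tag or "")
    if "ECID" not in fields or match is None:
        raise ValueError("not a DFU-mode serial string")
    version = tuple(int(part) for part in match.group(1).split("."))
    return fields["ECID"], version


def is_tethered_iboot(version):
    """True for iBoot 359.3.2 or later (jailbreak must be rerun on each boot)."""
    # Pad short versions so that 359.3 compares as 359.3.0.
    padded = version + (0,) * (len(TETHERED_FROM) - len(version))
    return padded >= TETHERED_FROM


def build_week(serial_number):
    """Week of manufacture: fourth and fifth characters of the serial number."""
    week = serial_number[3:5]
    if not week.isdigit():
        raise ValueError("characters 4-5 of the serial are not digits")
    return int(week)


def may_have_new_iboot(serial_number):
    """Pre-purchase hint from the text: week 40 or higher."""
    return build_week(serial_number) >= 40


if __name__ == "__main__":
    ecid, iboot = parse_dfu_serial(SAMPLE_DFU)
    print("ECID:", ecid, "iBoot:", iboot, "tethered:", is_tethered_iboot(iboot))
    print("week:", build_week(SAMPLE_SERIAL), may_have_new_iboot(SAMPLE_SERIAL))
```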

Step 2.

The next thing to do is launch Cydia on your iPhone and check for one of two things. In the picture on the left you'll see a line of text just above the Cydia icon that says "This device has SHSHs on file for iPhone OS: 3.1, 3.1.2." It may also list 3.0, 3.0.1, and 3.1.3. This means that for every firmware listed, you can restore to that firmware even if Apple no longer wants you to. This does not mean you can restore the modem firmware of that version. Remember, modem firmwares are not downgradeable on the 3G S. So if you restored "accidentally" to 3.1.3 firmware, you would get the new 5.12.01 modem firmware. If you had an SHSH on file for 3.0 you could then downgrade to 3.0, but you would be stuck with the 5.12.01 modem firmware, which cannot be unlocked. Follow this?

If you see the picture on the right instead, then press the button that says "Make my life easier, thanks!" Do this immediately! At this point it will only get the SHSH on file for the most recent firmware, which at the time of this writing is 3.1.3. You cannot go back in time and retrieve SHSHs for earlier firmwares.

Note: Saurik does have a method where you can edit your hosts file to point the Apple authorization server request to his server instead, but I'm going to use another method.

Step 3.

Download the program Umbrella here, and TinyTSS here. Save these to your desktop! Note: Umbrella is currently at version 03.13.32. TinyTSS doesn't appear to be offered as a download anymore from the program creator so I'm hosting it. TinyTSS is currently being integrated into Umbrella and should be available shortly.

You should have these files on your computer now. Decompress the TinyTSS file (unless your browser already did this for you).

Step 4.

Double click the .dmg file from Step 3. Drag the application icon into your Applications folder on your Mac.

Make sure your iPhone is connected to your Mac, then launch the Umbrella program. You will be greeted with this pop up message. Click the OK button. I will cover this later.

Here is the Umbrella program. It will tell you what firmware, baseband, and boot loader versions you have, along with what model of iPhone you have.

If you check the Advanced Options box, you will see more information. There will be a number in the ECID box, but this is not your ECID. You will need to clear out this box and enter your ECID that you found in Step 1.

You can select what device or version of firmware you'd like to use to create your ECID. You can select the location that the ECID SHSH is downloaded from. You can retrieve this from Apple (which will only be for the most recent firmware) or from Cydia (which may have other ECID SHSH files for your particular iPhone). The localhost option is for testing TinyTSS, and is not normally used. Once you've made your selections, click the Save my SHSH button at the top. Note: I've erased my ECID from the screenshot as that is private information.

I have Little Snitch firewall running so I had to approve the outbound connection.

Umbrella will now tell you it has saved the file.

The ECID SHSH file will be placed in your Applications folder. Drag this file to your desktop. Then place it into the TinyTSS folder, which should also be on your desktop.
