Unlocking the 3G S iPhone on 3.1.2 firmware using PwnageTool in Expert mode
Updated: November 9, 2009
Page 1 of 2
Who is this guide for?
All 3G S iPhones (jailbreak only - except for bootrom version 359.3.2). If you want an unlock you
should be on 04.26.08 modem firmware or lower. If you have 5.11.07 modem firmware, then you can
unlock using blacksn0w but it has some side effects for some users.
You should already have your ECID SHSH on file with Cydia, if not then press the "Make my life
easier, thanks!" button in Cydia and do it NOW!
Make sure to Sync your iPhone prior to using this tutorial. This way your personal information,
and any App Store applications will be preserved.
I used iTunes version 9.0.2.
I used OS X 10.6.1.
Thanks again go out to the iPhone Dev Team for providing this amazing, and FREE program for
jailbreaking, activating, unlocking, and customizing 3G S iPhones. You
can visit their website here,
and their blog here.
If you have a new iPhone 3G S (purchased within
the last week or so as of October 13, 2009) it may have a newer version of iBoot. This updated
iBoot prevents the jailbreak from working. There is currently no work around for this, but the
iPhone Dev Team is looking for other exploits. If it is version 359.3.2 (or later) then it won't
You may be able to check prior to purchase by looking at the serial number of the phone. This may
not be a definitive check. Look at the fourth and fifth digits. This is the week the phone was
manufactured. If that number is 40 or higher than you just might
have this new iBoot.
Here is how you definitively check your iBoot version. Place the iPhone into DFU mode: have the
phone connected via USB, turn it off. Press and hold the Home and the Sleep/Wake buttons for ten
seconds. Then let go of the Sleep/Wake button and continue holding the Home button for 10 seconds.
The screen will appear black but it will be on.
Click on the Apple in the top left corner of your screen. Select About This Mac. Click the
More Info... button on the pop up that appears. Under the Hardware menu select USB. Now go to
the USB High-Speed Bus menu and look for the Apple Mobile Device (DFU Mode). In the Serial Number
field look for SRT:[iBoot-XXX.X]. Your version number is here. My version, pictured below,
allows the jailbreak to function. To leave DFU mode, simply continue holding the Home and
Sleep/Wake buttons until the iPhone reboots.
Update: Blackra1n now provides a tethered jailbreak solution for this new
version of iBoot. What do this mean? It means once you have jailbroken, should your battery die,
the iPhone crash or lock up, you will need to run the jailbreak process over again with a computer.
I don't have one of these new 3G S iPhones, so I can't write about this myself. Go to GeoHot's
site to download the program.
You are about to take a big step with your currently jailbroken iPhone 3G S, so let's verify
something critical first. Launch Cydia and see that your ECID SHSH is already on file. If you
don't see the text "This device has a 3.1 (or 3.0/3.0.1) ECID SHSH on file.", then you should see
the screen on the right. If that is the case, then press the button that says "Make my life easier,
thanks!" Do this immediately!
Note: If you have never jailbroken before, then obviously you can't do this. When you have
finished jailbreaking perform this step IMMEDIATELY!
You might want to learn how to backup your ECID SHSH and store it locally on your computer, should
Cydia go down for whatever reason. Learn how to do this
It is best to shut down iTunes and iTunes Helper to alleviate any potential problems later on. You
can do this by going to your Applications folder, then into the Utilities folder. Launch a program
called Activity Monitor.app. Here are the programs highlighted below. You can only close them one
at a time.
When you've highlighted the program you want to close click the Quit Process button up above. Next
confirm this action by clicking Quit.
Download PwnageTool 3.1.4 from the iPhone Dev Team's download link list
You can also download the SHA1 verified file from me
If you haven't already downloaded 3.1.2 firmware from Apple, then you can
download it here.
Note: Safari likes to open "safe" files by default. You must turn this feature off for this
download to work correctly. Click "Safari", select "Preferences", from the "Geneal" tab uncheck
the box that says "Open "safe" files after downloading". Otherwise just use Firefox to download
this firmware file.
You should now have these two icons on your desktop. If your firmware file ends in .zip, then
click on the firmware icon and remove the .zip extension from the file name. Confirm this change
when you receive a pop up message warning.
Double click the PwnageTool_3.1.4.dmg. It will open the window seen below. Install PwnageTool.
Make sure to drag the program icon from the disk image into your Applications folder! Do
not attempt to run the program from the disk image window, it will cause problems.
If you have
a previous installation of PwnageTool, then overwrite it.
Launch PwnageTool. Make sure the Expert mode button in the top left corner is selected. Click the
iPhone on the right.
You should get a green check mark on the iPhone you selected. Click the blue arrow button in the
lower right corner.
PwnageTool will search for the 3.1.2 firmware on your computer. When it displays the firmware file,
click on it. Multiple firmwares may be displayed, so make sure you select the correct one. Then
click the blue arrow in the lower right corner.
You will be at this screen and have many choices you can make. Click on General. Then click the
blue arrow at the bottom.
At the General Settings screen, if you are using an authorized carrier, then do not check the box
for Activate the phone. If you are not using an authorized carrier (i.e. you want to unlock), then
check the box for Activate the phone.
Note: If you are interested in having push notifications working (and will not be using an official
contract with your iPhone - i.e. you wan to unlock), you will need to activate your iPhone with an
official AT&T SIM. This SIM does not need to be active. You could use the one that came with the
iPhone, or some old AT&T SIM you find lying around somewhere. I used one I punched out from a free
GoPhone SIM card that came with a complimentary $10 on it. Push does not work on hacktivated
iPhones. So when using PwnageTool you will need to uncheck the activate Phone box.
You can also increase your root partition size to accommodate lots of Cydia applications and themes,
et cetera. Click the blue arrow in the lower right corner when you have made your choice(s).
At the Bootneuter settings screen there is nothing to do. Click the blue arrow in the lower right
Based on Saurik's advice (the creator of Cydia), I ignore the Cydia settings screen in PwnageTool.
It is better to install any applications you need from Cydia directly. I've found problems when
using this screen to automatically install programs. This does not mean that you can't install
programs from this screen. Keep in mind if you add a lot of them you may need to increase your
root partition size back at the general settings screen. Just click the blue arrow in the lower
right corner, to continue to the next screen.
Here you can decide whether or not to install Cydia, or Icy. After you've made your choices,
click the blue arrow in the lower right corner.
At the Custom logos settings screen, you can choose to use the suggested images by leaving their
boxes checked, or uncheck them and use the stock images. If you check the boxes you can click on
Browse... to add your own images in their place. Click the blue arrow in the lower right corner when
Here is the boot graphic I like to use. It is 320 by 480 in size. It has a one pixel, transparent
border on all sides. All you have to do is paste in your 318 by 478 image onto it and center it.
Then just save the image with the transparency intact and your image will work. Make sure your
saved image is 100kb or less.
Finally, click the Build button and the blue arrow in the lower right corner.
Name your custom firmware file, and select where to save it.
You will now see this screen while your custom .ipsw is assembled. This stage is about five minutes
If you should receive a failure message, then start over. Close and restart the PwnageTool program.
You will be prompted to enter your system password. There is nothing nefarious in this request, the
reason it is asking is because it is creating your firmware and running commands as the root
account (or superuser) on your computer. There are various processes where unmounting and mounting
of a file systems is necessary. This is performed while using a system UID of 0 which causes the
prompt for a system password. The root access is only for the creation of the ipsw file. So it's
Has your iPhone been Pwned before? If you answer no, then you will be guided through placing the
iPhone into DFU mode.
If you answer yes, you will be told to place the iPhone into restore mode and then connect to iTunes
to use your custom firmware. If you do decide to answer yes, I find it much easier just to leave
the iPhone on and operating normally. Connect it to iTunes, then press your Option key on your
keyboard then click the Restore button in iTunes to install your custom firmware. In fact the iPhone
Dev Team recommends that if you are already jailbroken (by any method) don't bother with DFU mode.
I am selecting no at this point to demonstrate how to get into DFU mode.
First turn off your iPhone. iTunes may open (it won't if it wasn't running before now),
you can just drag it out of the way.
You will then have 5 seconds to press and hold both the Power (sleep/wake) and Home buttons. Don't
do this until told to though.
You will then press and continue to hold both the Power (sleep/wake) and Home buttons for 10
You will be prompted to release the Power (sleep/wake) button.
Continue holding the Home button for 10 seconds.
You are now in DFU mode. Click OK. The iPhone's screen will appear black, but it is actually on.