Skip to main content

How to: Jailbreak iOS 4 of iPhone 3GS New Bootrom [Mac]

I knew that iH8sn0w is not going to leave Mac users without Jailbreaking their iPhone 3GS new bootrom, this is guide done by a professional person in OpenPwn and credits is for iH8s0w who has posted today the guide to Jailbreak iPhone 3GS new bootrom on iOS 4 but was for windows, So if you are a Mac user hit the jump for the guide…

If you didn’t save SHSH before of 3.1.2 then Stay away from this guide and wait for a new jailbreak guide or tool.

Note: This guide is tethered Jailbreak which means that whenever you turn off your iPhone, you have to re-connect it to your computer to get it on again.

Here’s the guide as mentioned in OpenPwn forums:

Credits to iH8sn0w. Thanks to lilstevie for help.
iOS 3.1.2, 4.0 — [Helpful Link]
iOS 3.1.2 SHSH blobs [Helpful Link]
Download this (

STEP 1 : Grabbing your 3.1.2 iBSS file.
Pointing your hosts :
I : If you have your shsh blobs saved on Cydia/Saurik’s server then follow this tutorial. —
II : If you have it saved with TinyUmbrella, then download the GUI here. —
Restoring to grab the iBSS file.
I : Place your device in DFU.
II : Start up the iBSS/iBEC grabber.
III : Put the save folder on a new folder on your desktop.
IV : Hit “Start Monitoring”.
V : Now go back to iTunes and do SHIFT + Restore. Then browse for your 3.1.2 IPSW. You will need to restore
to 3.1.2 in order to pwn 4.0.

STEP 2: Creating your custom firmware
Use Pwanage Tool ( to create a custom ipsw ignore the warnings about the new bootrom.

Extract the zip file we downloaded earlier and use terminal to enter it

Create a new folder inside this called 3.1.2 and extract your 3.1.2 ipsw here (unzip *.ipsw in terminal)

Use xpwntool to patch iBoot & iBSS (run this in terminal)

xpwntool Firmware/dfu/iBSS.n88ap.RELEASE.dfu ibss.d -iv 41639d34547ae3dd7921bf3539dba529 -k 9121de4a038675d92e1a28683b2138b7a3bdb80994273d090398051c7f5af53c; bspatch ibss.d ../exploitibss312 ../ibss.patch; xpwntool Firmware/all_flash/all_flash.n88ap.production/iBoot.n88ap.RELEASE.img3 iboot.d -iv 127aa60e77da219961ee70707f44cbd4 -k c72ab4aae971f3a9ec356dfe555e4aef72d8e96c480698445ac236904e6a3443; bspatch iboot.d ../iboot.payload ../iboot.patch; cd ..; rm -rf 3.1.2

Create a folder called 4.0_cust inside 4.0_pwn and enter it with terminal and copy your custom 4.0 ipsw here.

Extract your custom ipsw (unzip *.zip)

Run the following in terminal:

cp kernelcache.release.n88 ../kcache.40; cp Firmware/dfu/iBEC.n88ap.RELEASE.dfu ../iBEC.40; cd ..;

Copy your signed iBSS from earlier into 4.0_pwn

STEP 10:
Place your device in dfu mode (power home for 10 seconds, release power keep holding home (blank screen and itunes asking to restore).

STEP 11:
Run the following in terminal:

./irecovery -u ibss312.dfu; ./irecovery -r; sleep 10; ./irecovery -e exploitibss312; ./irecovery -u iBEC.40; ./irecovery -c go; sleep 10; ./irecovery -u sn0w.img3; ./irecovery -c “setpicture 0”; ./irecovery -c “bgcolor 1 1 1”;

STEP 12:
Restore your custom 4.0 ipsw
Booting your device:
Run the following in terminal (once in the 4.0_pwn directory):

./irecovery -u ibss312.dfu; ./irecovery -r; sleep 10; ./irecovery -e exploitibss312; ./irecovery -u iBEC.40; ./irecovery -c go; sleep 10; ./irecovery -u sn0w.img3; ./irecovery -c “setpicture 0”; ./irecovery -c “bgcolor 1 1 1”; ./irecovery -u kcache.40; ./irecovery -c bootx;

iTunes will detect your device several times before it boots.
PS: When i wake up i will write a script to automate most of this.

After following the guide to Jailbreak, You will be Easily able to Unlock your iPhone 3GS on any Baseband Including 05.13.04 / 05.12.01 Using Ultrasn0w 0.93, Step by Step guide posted here.

Also iH8sn0w is not leaving iPod Touch 3G and iPod Touch 2G MC Model owners, Soon guys you will be able to Jailbreak iOS 4 [Confirmed], more details posted here.

Update 1: Now iH8sn0w has posted instructions and successfully working for Jailbreaking iPod Touch 3G and 2G (MC Model), also iPhone 3GS (New Bootrom), check the guide posted here.