CPICH is back again with another small tweak for the iPhone. He has released a set of patches for iBoot for the iPhone, iPhone 3G and the iPhone 3GS which will allow you to boot into verbose mode, perfect for you nerds out there who prefer a non-graphical bootup. This patch does not work on the iPod touch (iPod1,1, iPod2,1 or iPod3,1), and I don’t think he will be working on them either. This will ONLY WORK FOR FW 3.1.2! ALSO REQUIRES PWNED IDEVICE AND PWNAGETOOL CREATED CUSTOM IPSW! YOU WILL BE PATCHING THE FILES MENTIONED BELOW FROM YOUR STOCK IPSW THEN MOVING THE NEW PATCHED FILES TO YOUR CUSTOM IPSW! WILL NOT WORK WITH TETHERED JAILBREAK!
There is a video at the end of this post. Thanks to Kaatje for the visual tutorial!
WARNING: NEITHER CPICH NOR MYSELF CAN BE HELD LIABLE FOR THIS HACK. IT COMES WITH ABSOLUTELY NO WARRANTY WHATSOEVER. IF YOU HAVE ISSUES BECAUSE OF THIS, SIMPLY RESTORE.
EDIT: CPICH has released bspatches, so if you’d rather download them and do it yourself, grab the patches here. These are the proper patches needed because iBoot is encrypted and the binaries that were up were unencrypted, causing iTunes and Activation errors unless you re-encrypted them. These patches patch the already encrypted files, so there is no need to re-encrypt. EDIT: See below.
To do this, you will be making use of Terminal, the cd, bspatch and zip commands.
NOTES
iPhone iBoot = /Firmware/all_flash/all_flash.m68ap.production/iBoot.m68ap.RELEASE.img3
iPhone 3G iBoot = /Firmware/all_flash/all_flash.n82ap.production/iBoot.n82ap.RELEASE.img3
iPhone 3GS iBoot = /Firmware/all_flash/all_flash.n82ap.production/iBoot.n88ap.RELEASE.img3
First rename from .ipsw to .zip then do the following in terminal:
sudo unzip /path/to/ipsw.zip
cd /<path to extracted firmware for your device>/Firmware/all_flash/all_flash.yXXap.production
bspatch iBoot.yXXap.RELEASE.img3 iBoot.yXXap.RELEASE.img3.NEW iBoot.yXXap.RELEASE.patch
yXX = m68, n82 or n88 depending on your device.
After patching your file, check the MD5 of the new file. They should be as follows:
2G iBoot: b159b4bb3b2310a06e468a5686ba6818
3G iBoot: ce19a63712171723b4daf66cbc1ffa07
3GS iBoot: 4b8b07270adaa3c7b0035c00df3f75c4
If they match, unzip the CUSTOM ipsw you made with PwnageTool the same way, place the patched files into the extracted custom IPSW, and do the following:
cd /<path to extracted custom firmware for your device>
sudo zip -r <Name of IPSW>.ipsw *
The new IPSW you have will be inside the folder you cd’d to before running the zip command. That SHOULD be all you have to do, and you shouldn’t encounter any more errors. It seems that the cause was lacking HFS+ resource forks when extracting with a GUI tool such as Archive Manager or when compressing with Finder.
EDIT: CPICH just handed me the NOR-only .patches for verbose booting your iPhone (sorry iPod touch users). The process is exactly the same as the iBoot patches above, except you’ll be working with the ramdisk .dmg file in the STOCK firmware and then inserting this into the custom IPSW’s root folder in addition to using the patched iBoot (YOU NEED THIS FOR THIS METHOD TO WORK). This allows a NOR only restore, and leaves your current filesystem intact (iBoot is on NOR, filesystem is on NAND). Make sure you don’t forget that part, otherwise it will fail. You do not have to be concerned about what options you selected with the custom IPSW as this is only patching the NOR during reboot and again not touching any of the NAND data where the jailbroken filesystem is located.
NOTES
2G/3G RAMDISK = 018-6136-014.dmg
3GS RAMDISK = 018-6051-014.dmg
The .patch files are named the same as the dmg files they are meant for. Grab them here. EDIT: See below.
MD5s
New 2G/3G RAMDISK = 68b128bf4453c20c78f2dee52af55b60
New 3GS RAMDISK = 39d56fbe57d505c7022c80b1e2653a44
EDIT: At the request of MuscleNerd, I have removed the patches. Because of the nature of the patch, the patches technically contain Apple code. Even though the patches only change offsets, they go through the whole code, which means any code that is supposed to stay unchanged is still in the patch file, and that is technically distributing Apple code.
I’ve always wanted to boot my iPhone 3G in verbose mode. Would love to do this, but I’m not going to use custom firmwares ever again. Blackra1n for life!
Tried on a fresh IPSW build for iPhone 3G. Restored the IPSW with the replaced file; upon first boot it showed verbose, but iTunes would not activate the phone, saying there were problems. Restored a fresh IPSW without the modded file and it is working again like new.
Now, upon unzipping the IPSW and going to /Firmware/all_flash/, there are two folders: all_flash.n82ap.production and all_flash.m68ap.production.
Do I need to replace them in both or no?
I would do the patching myself but can’t find instructions to do so.
You’ll need to put the patched 3G iBoot in all_flash.n82ap.production. You shouldn’t have to replace the one in all_flash.m68ap.production (that’s the 2G stuff, I don’t know why it’s included in the iPhone1,2 firmware bundle).
Please report back if this works.
cmdshift
OK, started over from square 1.
I created a new IPSW on the desktop, renamed it to zip and extracted it. Went to /Firmware/all_flash/all_flash.n82ap.production/, took the file iboot3g_verbose.img3 from your zip, renamed it to iBoot.n82ap.RELEASE.img3 and replaced it, rezipped the files, renamed to IPSW and restored the phone. Upon reboot I was able to see the verbose mode, but iTunes still gives an error and will not activate the phone with an AT&T SIM. I would do the activation through Pwnage but I like push working.
Still getting the problem with the iPhone error in iTunes.
Chris
I think the problem is that iBoot is encrypted and if I’m right, then the patched binaries are not encrypted and are causing the failure.
I recommend using the bspatch files. I’ve updated the post with the appropriate info. Sorry for the mixup!
Hi, I just tried the aforementioned procedure, but encountered a problem. I have an iPhone 3GS so the correct files for me are the ones versioned n88. Yet, when I created the custom firmware using latest Pwnage Tool (3.1.4), it created a bundle containing n82 version iBoot. How is that possible?
The updated way still gives the same error. Tried 2 times and it’s still a no go.
Thanks for the effort, and I hope someone figures it out because I’m stumped.
Is there any way to do this without restoring? E.g. like the CommCenter patch for tethering?
Can someone say if this works for the iPod touch 1G running firmware 3.1.2:
“Open up the terminal and type the following command:
nvram boot-args="-v"
and enter:
reboot”
Thanks.
Can’t someone just upload the patched iBoots? That would be so much better. Or someone email them to me, I’ll upload them :)
vincent {at} osxmobile.nl
I must be missing something…
I patched the img3 and copied it into the correct folder for my device (iPhone 3G), and the MD5 matched those given. I right clicked on the folder and clicked “compress” to make it into a zip again, then renamed it to make it an ipsw.
But iTunes complains that the firmware image is not compatible. It doesn’t even get to the “extracting” part!
Btw, André- that won’t work with the newer versions of iBoot. You have to be on version 1.x for that to work.
You shouldn’t recompress it like that. I don’t know what Mac users use; I have heard about “stufit” or something like that.
I am also having trouble getting the firmware folder back to an ipsw file. I have tried several archiving applications with no success. Has anyone had success in getting your decompressed folder back to an .ipsw?
@CPICH
Thanks- using another zip utility worked. (For the record, I copied the img3 directly into the zip archive with WinZip, but I’m sure another utility [such as Stuffit] would have worked just fine)
I don’t know why OS X’s built-in compressor didn’t work. It appeared to create a zip file, but perhaps it was using a different algorithm than iTunes was looking for.
Anyway, thanks again.
Jake
The GUI zip decompressor Archive Utility.app and Finder’s built in Zip archiver seem to ignore HFS+ resource forks. I’m updating the post with the proper method, it’s strictly done through Terminal.app using zip.
I can confirm it is working SWEET!… so thank U soooo very much for this GEM!
Ok, for JAKE:
I made the same mistake and after thinking about it, I found out that I was right clicking on the folder named “iPhone2,1_3.1.2_7D11_” and making a ZIP out of it, but it will never work as it INCLUDES the root folder inside it so… to make it work you just have to drop the CONTENTS of the “iPhone2,1_3.1.2_7D11_” to (for example) BetterZIP window and create the zip file out of that and it will work sweet! :)
Hope this helps you and that I did explain my self somehow :p
CIAO!
CeK!
How to do this in windows?
So just to be clear there is no way to do this without restoring your phone?
Can’t do it. I’m in the right path… then at bspatch I get
bspatch: iBoot.n88ap.RELEASE.img3.NEW: Permission denied
No idea how to stop it. Any help? =(
Curveball
No, I wont host the iBoot binaries. Also, for Windows, you’d pretty much do the same process, except you can just rename from .ipsw to .zip, use WinZip to view and extract just the iBoot image. You will need to either compile bspatch for Windows or find the compiled bspatch executable for Windows, then run it from command prompt and patch the iBoot image (bspatch for Windows’ command structure is the same as the Mac OS X version above), then view the IPSW contents in WinZip again, browse to the proper iBoot directory and replace the new patched image there. Rename back from .zip to .ipsw and load into iTunes.
Kyle
You probably need to use sudo and enter your password.
Cmdshift: have verbose boot for itouch. We’ll get in touch with you about this
Hi, I made it but it doesn’t boot up after it restores, so I don’t know what I did wrong……
Windows or Mac? You need to supply more info. This is working for everyone else on both platforms, so you must have done something incorrectly, most likely didn’t check the MD5′s or you didn’t zip the IPSW properly.
dtube
Very good news!
How do you make a NOR only ipsw to apply the NOR only bspatch to?
Beautiful. I just applied it onto my 3G and it worked perfectly. Thanks!
Is there more of a noob tutorial for this? I’m trying to use Windows.
Use redsn0w 0.9beta3, it now includes enabling verbose mode. I will make a video tutorial soon.
There’s good info here. I did a search on the topic and found most people will agree with your blog. Keep up the good work mate!
-Robert Shumake
Thank you! I added this page to bookmark)) I think would be useful …
or just use redsnow
Very cool.
Does this work for 3.1.3.
No, this doesn’t work on 3.1.3.
any updates coming ?