Here’s what you will need:
- PwnageTool 4.1.2
- Access to iOS 4.3 Beta firmware
- iTunes 10.1.1
- Mac OS X
- PwnageTool bundle for iPhone 4, iPad or iPod touch 4G
- Cydia is fully working on iOS 4.3 Beta.
- It is a semi-tethered jailbreak.
- Your baseband will not be upgraded during restore process.
WARNING: The jailbreaking procedure is complex, and hence is meant for advanced users only. It will require you to make your own ramdisk because the latest official version of PwnageTool makes a broken one for iOS 4.3. Proceed at your own risk only. We are not to be held responsible if you end up bricking your iPhone, iPad or iPod touch.
Step 1: Download the PwnageTool bundle for your iOS device. Extract the .zip file; inside you will find two files: CydiaInstaller.bundle and a firmware .bundle file. For this guide we are using the iPhone 4 bundle, iPhone3,1_4.3_8F5148b.bundle. Move both files to your desktop.
Step 2: Download PwnageTool 4.1.2 and copy it to your desktop. Right click, and then click on “Show Package Contents” as shown in the screenshot below.
Step 3: Navigate to Contents/Resources/FirmwareBundles/ and paste the iPhone3,1_4.3_8F5148b.bundle file in this location.
Step 4: Now navigate to Contents/Resources/CustomPackages and replace the CydiaInstaller.bundle file there with the version you downloaded in Step 1, then simply close this folder.
Building a Custom Firmware
Step 5: Download iOS 4.3 Beta. Move this file to your desktop.
Step 6: Start PwnageTool in “Expert mode” and select your device:
Step 7: Browse for iOS 4.3 beta firmware for your device as shown in the screenshot below:
Step 8: Now select “Build” to start creating custom 4.3 firmware file:
Step 9: PwnageTool will now create the custom .ipsw file for your iPhone which will be jailbroken.
Step 10: Once you have created the custom firmware, quit PwnageTool. Don’t restore to this firmware yet.
Creating Custom Ramdisk for iOS 4.3 Custom Firmware
Step 11: Download Ramdisk_Maker.zip by DjayB6, extract the file, and move the folder to your desktop.
Step 12: Now open the ramdisk_maker.sh file in a program like TextEdit and edit the paths it requires, as highlighted in the screenshot below.
Step 13: Now start Terminal and run the following commands:
From here on, the script running in Terminal will guide you through what to do next, as highlighted in the screenshot below.
Step 14: First, create a folder on the desktop named My_Ramdisk. Then change the extension of the original iOS 4.3 Beta file from .ipsw to .zip, and extract this .zip file.
Step 15: Here you will see a file named 038-0408-002.dmg. This is the file we need. Copy this file to the My_Ramdisk folder that you created on the desktop.
Step 16: Once you have done that, you will notice that the Terminal screen automatically moves on to the next step, as shown in the screenshot below.
Step 17: Now go to the ramdisk_maker folder you saved on the desktop earlier and open the file Options.plist in a program like TextWrangler (available for free on the Mac App Store). Change the <integer> value that follows the SystemPartitionSize <key> to 1116, as highlighted in the screenshot below.
Step 18: Now save this Options.plist file and move it to the My_Ramdisk folder. At this point, you will once again notice that Terminal automatically moves on to complete the process.
Step 19: Once done, you will notice a new file named final_ramdisk.dmg in the My_Ramdisk folder. Rename this file to 038-0408-002.dmg.
Step 20: Now change the extension of the custom iOS 4.3 Beta firmware file that you created earlier from .ipsw to .zip, and then extract this .zip file.
Step 21: Here, replace the 038-0408-002.dmg file with the one you created in Step 19 above.
Step 22: Now select all the files and click on “Compress 9 Items” so that they are compressed back into a .zip file. Change the extension of this .zip file to .ipsw and you are done making the custom firmware with the fixed ramdisk.
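The two hand-edits in Steps 17 and 20-22 (setting SystemPartitionSize in Options.plist, then swapping 038-0408-002.dmg inside the custom .ipsw) are the places where a typo or a bad save produces a firmware that restores but will not boot, and the guide gives you no way to check your work before Step 23. The script below is an added example, not code from the original guide, from PwnageTool or from DjayB6's ramdisk_maker. It assumes only what the guide states: Options.plist is an XML property list with an integer SystemPartitionSize key, and an .ipsw is an ordinary zip archive whose ramdisk entry is named 038-0408-002.dmg. The demo inputs it builds are constructed placeholders with the guide's file layout, not real firmware.

```python
"""Repackaging helpers for Steps 17-22 (Options.plist edit, ramdisk swap).

Added example; this is not code from the original guide, from PwnageTool or
from DjayB6's ramdisk_maker. Assumptions: Options.plist is an XML property
list with an integer key SystemPartitionSize, and an .ipsw is an ordinary zip
archive whose ramdisk entry is named 038-0408-002.dmg (both as the guide says).
"""
import os
import plistlib
import tempfile
import zipfile

RAMDISK_ENTRY = "038-0408-002.dmg"  # ramdisk file name from the guide (iPhone 4, 8F5148b)
SYSTEM_PARTITION_SIZE = 1116        # value the guide says to set in Step 17


def set_system_partition_size(plist_path, size=SYSTEM_PARTITION_SIZE):
    """Set SystemPartitionSize in Options.plist; return the value read back.

    Reading the file back guards against a silent failure such as an editor
    that saved the plist as rich text, which plistlib would refuse to parse.
    """
    with open(plist_path, "rb") as fp:
        options = plistlib.load(fp)
    if "SystemPartitionSize" not in options:
        raise KeyError("Options.plist has no SystemPartitionSize key")
    options["SystemPartitionSize"] = int(size)
    with open(plist_path, "wb") as fp:
        plistlib.dump(options, fp)
    with open(plist_path, "rb") as fp:
        return plistlib.load(fp)["SystemPartitionSize"]


def replace_ipsw_entry(src_ipsw, replacement_path, dst_ipsw, entry=RAMDISK_ENTRY):
    """Write dst_ipsw as a copy of src_ipsw with `entry` swapped for replacement_path.

    This is Steps 20-22 done in code: no renaming to .zip, no Finder extraction
    and no re-compression of the whole tree. Every other entry is copied as-is,
    so only the ramdisk changes. Returns the entry names of the new archive.
    """
    replaced = False
    with zipfile.ZipFile(src_ipsw) as src, \
         zipfile.ZipFile(dst_ipsw, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == entry:
                dst.write(replacement_path, arcname=entry)
                replaced = True
            else:
                dst.writestr(info, src.read(info))  # keeps the original entry metadata
    if not replaced:
        os.remove(dst_ipsw)
        raise FileNotFoundError(f"{entry} not found in {src_ipsw}")
    with zipfile.ZipFile(dst_ipsw) as check:
        if check.testzip() is not None:  # any entry with a bad CRC?
            raise ValueError("repackaged archive failed its CRC check")
        return check.namelist()


def read_entry(ipsw, entry=RAMDISK_ENTRY):
    """Return the bytes of one archive entry (to confirm the swap took effect)."""
    with zipfile.ZipFile(ipsw) as zf:
        return zf.read(entry)


def build_demo_inputs():
    """Create CONSTRUCTED stand-ins for the real files in a fresh temp folder.

    The contents are placeholders, not real firmware; only the file layout
    matches the guide (Options.plist, an .ipsw holding the ramdisk entry, and a
    final_ramdisk.dmg to swap in).
    """
    work = tempfile.mkdtemp(prefix="ipsw_demo_")
    paths = {
        "plist": os.path.join(work, "Options.plist"),
        "ipsw": os.path.join(work, "custom_4.3.ipsw"),       # placeholder name
        "ramdisk": os.path.join(work, "final_ramdisk.dmg"),
        "custom": os.path.join(work, "custom_4.3_fixed.ipsw"),  # placeholder name
    }
    with open(paths["plist"], "wb") as fp:
        plistlib.dump({"SystemPartitionSize": 1024, "Other": "unchanged"}, fp)
    with zipfile.ZipFile(paths["ipsw"], "w") as zf:
        zf.writestr(RAMDISK_ENTRY, b"placeholder: broken ramdisk")
        zf.writestr("kernelcache.release.n90", b"placeholder: kernelcache")
        zf.writestr("Firmware/dfu/iBSS.n90ap.RELEASE.dfu", b"placeholder: iBSS")
    with open(paths["ramdisk"], "wb") as fp:
        fp.write(b"placeholder: fixed ramdisk")
    return paths


if __name__ == "__main__":
    p = build_demo_inputs()
    print("SystemPartitionSize now", set_system_partition_size(p["plist"]))
    print("entries in repackaged ipsw:", replace_ipsw_entry(p["ipsw"], p["ramdisk"], p["custom"]))
    print("ramdisk entry now reads:", read_entry(p["custom"]))
```

With real files you would call set_system_partition_size on the ramdisk_maker Options.plist before Step 18, and replace_ipsw_entry with the PwnageTool output from Step 9 as src_ipsw and the renamed final_ramdisk.dmg from Step 19 as the replacement. Comparing read_entry on the original and repackaged archives is the check that the swap reached the right entry; the CRC test catches an archive that Finder or a zip tool truncated.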
Restore iOS 4.3 Custom Firmware Using iTunes
Step 23: Start iTunes and click on your iOS device icon in the iTunes sidebar. Now press and hold the left “alt” (option) key on a Mac, or the left “Shift” key if you are on Windows, click the “Restore” button in iTunes (not “Update” or “Check for Update”), and then release the key.
This will make iTunes prompt you to select the location for your custom firmware 4.3 file. Select the required custom .ipsw file that you created in Step 22 above, and click on “Open”.
Step 24: Now sit back and enjoy as iTunes does the rest for you. This will involve a series of automated steps. Be patient at this stage and don’t do anything silly. Just wait while iTunes installs the new firmware 4.3 on your iOS device. Your iOS device screen at this point will be showing a progress bar indicating installation progress. After the installation is done, your iPhone, iPad or iPod touch will be jailbroken on iOS 4.3.
Booting in Tethered Mode
Last but not least, since there is no untethered jailbreak for iOS 4.3 yet, we will have to boot the device into a tethered jailbroken state. To do this, we will use a utility named “tetheredboot”, as shown in the steps below.
Step 25: Download tetheredboot.zip utility for Mac OS X and extract the .zip file.
Step 26: First, we will need three files from the original iOS 4.3 Beta firmware, namely: kernelcache.release.n90, iBEC.n90ap.RELEASE.dfu and iBSS.n90ap.RELEASE.dfu.
Change the extension of the original iOS 4.3 Beta file from .ipsw to .zip, as you did in Step 14 above, and then extract this .zip file.
Now copy the kernelcache.release.n90 file, then copy the iBEC.n90ap.RELEASE.dfu and iBSS.n90ap.RELEASE.dfu files, which are found under /Firmware/dfu/.
Move all these three files, and tetheredboot utility to a new folder named “tetheredboot” on the desktop as shown in the screenshot below.
Step 27: Now, to boot your iPhone, iPad or iPod touch into tethered mode, connect it to your computer and start it in Recovery Mode by holding the Home and Power buttons until the “Connect to iTunes” screen appears on your device.
Step 28: Start Terminal and run the following commands:
Enter your administrator password when prompted, then run:
./tetheredboot iBSS kernel
You should now see output scrolling in the Terminal window; at some point it will ask you to put the device into DFU mode. Follow these steps to enter DFU mode:
- Hold Power and Home buttons for 10 seconds
- Now release the Power button but continue holding the Home button for 10 more seconds
- Your device should now be in DFU mode
Now wait for your device to boot; Terminal at this point will be showing the “Exiting libpois0n” message. After a short while, your iPhone, iPad or iPod touch will be booted in jailbroken tethered mode!