[HOW TO] Downgrade a 3G[S] From 3.1 and Jailbreak

[Kyle Matthews]

Jay Freeman (saurik) has been a busy man lately. for the past two years. for a while now. His latest project to come our way was just released less than an hour ago - a way to finally downgrade your iPhone 3G[S] from 3.1 (with a few "well, if"s in there) to something currently jailbreakable (like 3.0.1).

saurik's got some crap to toss on Apple's wall, too, with this one. The guide article features not only an informative look into the methods of jailbreaking, and a history of Apple's push for individuality (and of course the instructions on how to downgrade your iPhone 3G[S}) - it goes so far as to offer up some tasty tidbits like "Congratualations, you just overthrew your orwellian overlord, and have taken back control of your device," and "Apple, as a company, has turned into a corporate hypocracy, embodying the very ideals that it claims to be rebelling against."

It's a great read with some solid points - if you're at all interested in this stuff, you should read the whole thing.

The gist of the situation is this - people can't downgrade their 3G[S]s from 3.1 (until now with this new method) because Apple has implemented a new security method. When you restore an iPhone 3G[S] in iTunes from 3.1, iTunes will show

"Verifying restore with Apple...", during which time a challenge/response protocol is used between the iPhone and Apple: a "partial digest" of the firmware files being used is sent to a server, which can then decide to sign off on the result... or not.

Saurik's solution was to build his own activation server which is checked instead of Apple's - verifying the [perfectly fine] firmware where iTunes wouldn't.

A big, gaping stopping point, at the moment, is if you didn't press the "yes i like jailbreaking" or wtvr that link said in Cydia for the few days it was there (over 50,000 3G[S] users did), you don't have an ECID SHSH "on file" with Cydia's servers - meaning you can't downgrade. This will only work if you pressed that link in Cydia while it was there (before 3.1 came out). Read saurik's article for full reasoning behind it.

An exploit is [supposedly] available for 3.1 though, so you will be able to jailbreak 3.1 anyway soon. However, this doesn't mean you don't need your ECID SHSH "on file" with Cydia - you still should (when the jailbreak comes up for 3.1 you'll be able to get it on file again). Because as of 3.1, you can NEVER downgrade without this method (yet) unless Apple specifically signs the firmware. Meaning - they decide what firmware you can use and can't use.

The instructions in saurik's guide, while straight-forward, are a bit more complicated than "plug in, press the Easy button" - so be warned, it's a fun throwback to the earlier days of iPhone modding, when you had to actually DO something.

Read the full guide and article here, and ask questions in the iPhone 3G[S] Downgrade forum.

[Cowboy]

Yes finally

[criz3r]

I just got my 3Gs today, thank god it wasn't 3.1, but I don't have ECID SHSH.

[StealthBravo]

Nice

[sickchris714]

wooo this is the best news today

[NArush]

Excellent article!

[exNavy]

Hopefully, for those of us who missed the boat with the Cydia ECID thing, Saurik will give us all more heads up notice about this the next time.

Hopefully news sites will pick up on this and also push this as very important to do.

I don't know about the rest of you, but I launch Cydia maybe once a week. News sites, on the other hand, I read every day.

As others have stated, if you selected no on the Cydia ECID thing when it was availalbe the page went away and there was no apparent way to reload the option and select yes a second time. Hopefully this is made much more obvious as well.

[Chefanim]

Saurik is a genius and we all owe so much to him. I've made my donation to him and hope others do as well.

[Kyle Matthews]

exNavy - the issue was a time crunch this time around. Jay was still ironing out some bugs, and Apple [slightly] unexpectedly closed the door on the process when 3.1 hit. Once 3.1 is jailbroken, it won't happen again.

[kissdaring]

i have a question hope you all can help me out

i have a 3gs on 3.0.1 not 3.1 that is unlocked and jailbroken.

i want to do a restore, back to 3.0.1 i have the firmware 3.0 and 3.0.1 stored in my hard drive is this possible for me or not. the reason why i ask is because alot of ppl seem to talk about it not being possible?

im still on itunes 8.2 is that helps.
and have my Ecid files on cydia

thank you
Kissdaring.

[GmAz]

I got my purplerain file. Is this the same thing? I'm on 3.0.1 still. I'm smart enough to not upgrade when it comes out. But since I don't check cydia every day, I missed this ECIS SHSH thing will my purplerain file work?

[blkcadi]

Awesome, this is what many have been waiting for. Props to saurik and others who have helped.

[Melech518]

I am assuming this method will work for us on 3.0.1 or 3.0 who simply need to restore

[Raptors]

Wohho!! :d:d

[A Retired Mod]

I got my purplerain file. Is this the same thing? I'm on 3.0.1 still. I'm smart enough to not upgrade when it comes out. But since I don't check cydia every day, I missed this ECIS SHSH thing will my purplerain file work?

Read here...
For a Purple Ra1ny Day
Apple's 3G[S] security mechanism, however, fails this test. Rather than even using a simple random number, they use a hardcoded challenge per device. The specific number they have chosen is the device's ECID, or "unique-chip-id", a number that all devices have so far had, although we haven't seen any previous use for it.
This means that, given an ECID, one can ask Apple's signature server to sign any firmware that they currently consider "OK" (which returns a blob that includes the critical SHSH, which is the signature hash) and then store the result forever.
In practice, there is only one critical file that we need signed: the one with the bug. ;P This is the iBSS, which is one of the modes of iBoot. Given that ECID/iBSS signature, one can load the buggy code and then continue with the jailbreak.
This is, in fact, what purplera1n.com was doing: it returned to you a file that contained just the signature hash for the iBSS file, as that is "sufficient". Eventually someone may write a tool to use this file.

[JedixJarf]

Ahh, the early days....mostly all cli

[slorg]

Here, everything ok. 3.0 and jailbroken again.
Thanks Saurik.

[keysloser]

Excellent work by Saurik!

I couldn't agree more with his article on Apple, since I go way back with Apple computers.

People who got to know Apple through iPhone/iPod should know there used to be a "think different" ideology behind the apple logo.

Now the company (with 1,21 billion $ profit in the first three months of 2009) has become the "true enemy", the Big Brother it was set up to fight against.

Again great job @Saurik!

[davenb2]

Hopefully, for those of us who missed the boat with the Cydia ECID thing, Saurik will give us all more heads up notice about this the next time.

Hopefully news sites will pick up on this and also push this as very important to do.

I don't know about the rest of you, but I launch Cydia maybe once a week. News sites, on the other hand, I read every day.

As others have stated, if you selected no on the Cydia ECID thing when it was availalbe the page went away and there was no apparent way to reload the option and select yes a second time. Hopefully this is made much more obvious as well.

Not to be rude but it was at the top of the page and never went away...Just bad luck

[linuxnoob]

amazing work that jay is doing, in conjunction with the dev team, geohot, etc...these guys are undoing what (i assume) the best corporate programmers are putting in to prevent unlocking (i have to believe that is the motivation, more than jailbreaking)...and they are doing it in a matter of hours or at most days.

worthy of your support and contributions, those of you that can. im personally amazed that he got 50K ECID on file. Thats in like 7 days worth of time?