iPhone 1.1.3 – Jailbreak done

Wiggle Wiggle

After a former member of the dev team jumped the gun and released a jailbreak and upgrade solution for 1.1.3, the original team has now released an “official” version which runs completely on the iPhone. From what I saw there’s now a version out which doesn’t need a PC/Mac at all and runs off, but I can’t say anything about that one.

I used the dev team’s solution which is available here. You simply copy all of the files via scp over to the iPhone and run them from there. If you have an unlocked iPhone, like I do, the phone will continue to work. The current update solution does not update the baseband, which means there’s no additional unlock necessary. My iPhone is one of the first ones that came out. It came with iPhone firmware 1.0.1 (or 1.0.2 – can’t really remember), so I have an old bootloader which makes many things much easier.

The current jailbreak requires a jailbroken iPhone 1.1.2, a step which I took a few months back. Once you have made sure you can ssh into your iPhone, you’re pretty much set to copy the files via WiFi to the phone and run them from there. The script which runs on the iPhone does pretty much everything on its own, so the README is really short.

1. Set Auto-Lock to “Never” in your settings to prevent the Phone from locking and shutting down your connection.

2. This installer downloads a significant amount of data from Apple’s website. Be sure you have WiFi turned on so that you don’t use your mobile connection – or you’ll be sitting there a while!

3. Be sure to perform this upgrade with the charge cable connected.

After making sure this is the case you copy the files, start the script on the phone and wait for the “magic” (and a reboot) to happen.

1. Copy this entire distribution to / on your iPhone/iTouch so you will have /update-prebinding-path.txt and so on:

# scp -r ./* root@YOUR-IPHONE-IP:/

2. SSH to Run the script:

# ssh -lroot YOUR-IPHONE-IP
(enter password when prompted – it’s alpine)
# cd /
# sh

3. The device will perform an upgrade and reboot into 1.1.3

While the process is running it looks something like this (note: my iPhone’s IP in this case is

$ ssh -lroot
root@’s password:
Last login: Sun Jan 27 15:28:33 2008 from
# cd /
# ls -alF
total 1762
drwxrwxr-t 32 root admin 1156 Jan 27 15:29 ./
drwxrwxr-t 32 root admin 1156 Jan 27 15:29 ../
drwxr-xr-x 6 root wheel 272 Nov 24 03:00 .svn/
drwxrwxr-x 23 root admin 782 Jan 5 20:41 Applications/
drwxrwxr-x 10 root admin 340 Oct 24 02:37 Library/
-rw-r--r-- 1 root admin 1824 Jan 27 15:29 README
-rw-r--r-- 1 root admin 4591 Jan 27 15:29 Services.plist
drwxr-xr-x 3 root wheel 102 Oct 11 02:44 System/
drwxr-xr-x 40 root wheel 1360 Jan 26 15:32 bin/
-rwxr-xr-x 1 root admin 14280 Jan 27 15:29 chown*
-rw-r--r-- 1 root admin 623 Jan 27 15:29 com.devteam.rm.plist
drwxrwxr-t 2 root admin 68 Oct 10 08:32 cores/
-rwxr-xr-x 1 root admin 97408 Jan 27 15:29 cp*
dr-xr-xr-x 3 root wheel 740 Jan 22 17:30 dev/
-rwxr-xr-x 1 root admin 23340 Jan 27 15:29 ditto*
-rwxr-xr-x 1 root admin 18832 Jan 27 15:29 dmg2img*
lrwxr-xr-x 1 root admin 11 Oct 24 02:37 etc@ -> private/etc
-rwxr-xr-x 1 root admin 3364 Jan 27 15:29*
-rwxr-xr-x 1 root admin 15476 Jan 27 15:29 ipatcher*
lrwxr-xr-x 1 root admin 11 Oct 24 02:37 mach@ -> mach_kernel
drwxr-xr-x 5 root wheel 170 Nov 24 03:04 private/
drwxr-xr-x 17 root wheel 578 Jan 26 15:32 sbin/
drwxr-xr-x 4 root admin 136 Jan 27 15:29 sources/
lrwxr-xr-x 1 root admin 15 Oct 24 02:37 tmp@ -> private/var/tmp
-rwxr-xr-x 1 root admin 14916 Jan 27 15:29 umount*
-rw-r--r-- 1 root admin 5995 Jan 27 15:29 update-prebinding-paths.txt
drwxr-xr-x 8 root wheel 272 Nov 24 03:04 usr/
lrwxr-xr-x 1 root admin 11 Oct 24 02:37 var@ -> private/var
-rwxr-xr-x 1 root admin 19500 Jan 27 15:29 vfdecrypt*
-rwxr-xr-x 1 root admin 9260 Jan 27 15:29 vncontrol*
-rwxr-xr-x 1 root admin 8988 Jan 27 15:29 vsu*
-rwxr-xr-x 1 root admin 616728 Jan 27 15:29 wget*
# sh ./
=> `/private/var/'
Connecting to||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 169,950,551 (162M) [application/octet-stream]

100%[================== [..] ====>] 169,950,551 968.48K/s ETA 00:00

15:32:41 (997.68 KB/s) - `/private/var/' saved [169950551/169950551]

keyDerivationAlgorithm 0
keyDerivationPRNGAlgorithm 0
keyDerivationIterationCount 0
keyDerivationSaltSize 0

blobEncryptionIVSize 0

blobEncryptionKeySizeInBits 0
blobEncryptionAlgorithm 0
blobEncryptionPadding 0
blobEncryptionMode 0
encryptedBlobSize 0

dmg2img v0.3a is derived from dmg2iso by vu1tur (

/private/var/decrypted.dmg --> /private/var/disk0s1.dd

reading property list, 67461 bytes from address 128314665 ...
partition 0: begin=336, size=430, decoded=284
partition 1: begin=994, size=430, decoded=284
partition 2: begin=1651, size=430, decoded=284
partition 3: begin=2311, size=58695, decoded=39524
partition 4: begin=61227, size=430, decoded=284
partition 5: begin=61909, size=26, decoded=10
partition 6: begin=62131, size=26, decoded=10
partition 7: begin=62353, size=26, decoded=10
partition 8: begin=62614, size=516, decoded=342
partition 9: begin=63326, size=851, decoded=565
partition 10: begin=64373, size=504, decoded=333
partition 11: begin=65112, size=1541, decoded=1032
partition 12: begin=66888, size=434, decoded=286

opening partition 0 ... 0.00 % ok
opening partition 1 ... 0.00 % ok
opening partition 2 ... 0.00 % ok
opening partition 3 ... 100.00 % ok
Archive successfully decompressed as /private/var/disk0s1.dd
[i] Performing the lockdownd patch
[i] found unpatched 1.1.3 lockdownd, patching
[i] patch succeeded
[i] Lockdownd patch succeeded
** /dev/rvn0
** Checking HFS Plus volume.
** Detected a case-sensitive catalog.
** Checking Extents Overflow file.
** Checking Catalog file.
** Checking Catalog hierarchy.
** Checking Extended Attributes file.
** Checking volume bitmap.
** Checking volume information.
** The volume LittleBear4A93.UserBundle appears to be OK.
** /dev/rvn0
** Checking HFS Plus volume.
** Detected a case-sensitive catalog.
** Checking Extents Overflow file.
** Checking Catalog file.
** Checking Catalog hierarchy.
** Checking Extended Attributes file.
** Checking volume bitmap.
** Checking volume information.
** The volume LittleBear4A93.UserBundle appears to be OK.
chown: cannot access `/private/tmp/MediaCache': No such file or directory
mkdir: /private/var/logs/Baseband: File exists
Connection to closed by remote host.
Connection to closed.


After the reboot your iPhone is running 1.1.3. Things like Google Maps’ new locate feature do not work (yet). According to some forums this happens because the modem baseband isn’t updated, but the dev team is working on it. Just wait a few more days and I’m pretty sure we’ll see a fully working 1.1.3, either hacked for this feature or an unlock for the 1.1.3 baseband. If you want a locate feature be sure to try the “LocateMe” application, which is available from

Important note: Make sure you don’t change the password for root. This will result in a continuously restarting SpringBoard. As a result, the root account keeps the default password given above (alpine), so do not enable/install the OpenSSH server: this might result in a serious security hole.

Because I restored from a backup the syncing issue didn’t come up until now. To make syncing of bookmarks, calendar, contacts, etc. work with the devteam-upgrade you need to make some symlinks on the iPhone:

mv /var/root/Library/AddressBook /var/root/Library/AddressBook_backup
mv /var/root/Library/Calendar /var/root/Library/Calendar_backup
mv /var/root/Library/Mail /var/root/Library/Mail_backup
mv /var/root/Library/Preferences /var/root/Library/Preferences_backup
mv /var/root/Library/Safari /var/root/Library/Safari_backup

ln -s /var/mobile/Library/AddressBook /var/root/Library/AddressBook
ln -s /var/mobile/Library/Calendar /var/root/Library/Calendar
ln -s /var/mobile/Library/Mail /var/root/Library/Mail
ln -s /var/mobile/Library/Preferences /var/root/Library/Preferences
ln -s /var/mobile/Library/Safari /var/root/Library/Safari
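
The same mv/ln steps as a re-runnable function (an added example, not part of the dev team's files). It skips entries that are already symlinks, refuses to overwrite an existing _backup directory, and never creates a link to a missing target. The function name and the PREFIX argument are assumptions made for illustration: PREFIX is "" on the phone, or a scratch directory when rehearsing the change.

```sh
#!/bin/sh
# Added example: idempotent version of the mv / ln -s steps above.
# relink_sync_dirs PREFIX
#   PREFIX is a hypothetical parameter: "" on the phone itself,
#   or a scratch directory to rehearse the change first.
relink_sync_dirs() {
    prefix="$1"
    root_lib="$prefix/var/root/Library"
    mobile_lib="$prefix/var/mobile/Library"
    rc=0
    for name in AddressBook Calendar Mail Preferences Safari; do
        src="$root_lib/$name"
        dst="$mobile_lib/$name"
        # Already linked by an earlier run: nothing to do.
        if [ -L "$src" ]; then
            echo "skip  $name: already a symlink"
            continue
        fi
        # Never create a dangling link: the mobile-side directory must exist.
        if [ ! -d "$dst" ]; then
            echo "error $name: $dst missing, left untouched" >&2
            rc=1
            continue
        fi
        if [ -e "$src" ]; then
            # Refuse to clobber a backup left by an earlier run.
            if [ -e "${src}_backup" ]; then
                echo "error $name: ${src}_backup exists, left untouched" >&2
                rc=1
                continue
            fi
            mv "$src" "${src}_backup" || { rc=1; continue; }
        fi
        if ln -s "$dst" "$src"; then
            echo "link  $name"
        else
            rc=1
        fi
    done
    return $rc
}

# Run only when a prefix is passed on the command line, e.g.  sh relink.sh ""
if [ "$#" -gt 0 ]; then
    relink_sync_dirs "$1"
fi
```
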

Also here’s how to make Google Maps’ “locate me” feature work. Works fairly well, but my issues could be caused by very bad reception where I live.