Here is the highly anticipated secpack for iPhone baseband 04.03.13_G:

With this secpack, any accidentally upgraded 1.1.3 iPhones that have bootloader 3.9 can be fully downgraded to earlier versions. NOTE: starting from OTB 1.1.2, Apple has updated the bootloader to version 4.6.

Brief Steps to Downgrade to 03.14.08_G

1. Downgrade the iPhone firmware to 1.0.2. You may have to downgrade in this order: 1.1.3 -> 1.1.2 -> 1.1.1 -> 1.0.2. Put the iPhone into DFU mode before downgrading.

If you prefer reflashing on 1.1.1, it’s fine, but keep in mind that 1.1.1 will shut down WiFi once you issue the ieraser command, so you may have to use MobileTerminal (aka Term-vt100) or start a script running in the background through SSH. For me, 1.0.2 is my favorite testbench, as the WiFi stays up during the whole process.

2. Extract and upload the following files to iPhone, put into /reflash:

3. If you wanna use SSH (I do), then install these packages:

BSD Subsystem

If you prefer doing it through Term-vt100, install these packages:

BSD Subsystem

4. SSH login to iPhone (or use Term-vt100), and enter the following commands in SSH or Term-vt100:

cd /reflash
chmod 755 *
launchctl remove
./bbupdater -f *fls -e *eep
./bbupdater -v    # you should see version 03.14.08_G
launchctl load /System/Library/LaunchDaemons/

UPDATE: If you want to do it on 1.1.1:

Write a script similar to the following

cd /reflash
chmod 755 *
launchctl remove
./bbupdater -f *fls -e *eep
./bbupdater -v
launchctl load /System/Library/LaunchDaemons/

Then issue the command from SSH:

nohup sh > ~/downgrade.log 2>&1 &

You’ll notice the WiFi disappears and you lose the SSH connection during the process. Don’t worry: wait some minutes and don’t touch your iPhone. It will reboot once the process is done, and the output is at /var/root/downgrade.log.

P.S. script not tested, use at your own risk.


The above steps have been tested on a non-OTB 1.1.3 (modem 04.03.13_G, bootloader 3.9, which means it was upgraded from OTB 1.0.x or OTB 1.1.1). I upgraded one of my iPhones from 1.0.2 to 1.1.3, and then downgraded it back to 1.0.2 without any problems. Read my experience HERE.

UPDATE: Don’t do this on an OTB 1.1.2, there’s no way to flash a baseband with bootloader 4.6 at this time.

Why A 1.1.3 Upgraded from OTB 1.1.2 Can’t Be Downgraded

The OTB 1.1.2 comes with bootloader 4.6, which has changed the version checking algorithm. The algorithm is like this:

if (secpack version > current baseband version)
    allow to erase
else
    deny it

In other words, with bootloader 4.6 a secpack of a higher version than the current baseband is required to erase it. So to erase a baseband 04.03.13_G with bootloader 4.6, you have to have a >04.03.13_G secpack. That’s why you can’t downgrade a 1.1.3 iPhone upgraded from OTB 1.1.2: when an OTB 1.1.2 is upgraded to 1.1.3, the modem is also upgraded to 04.03.13_G, and erasing it requires a higher version (>04.03.13_G), which means you have to wait till the next baseband update.

Why A 1.1.3 Upgraded From OTB < 1.1.2 Can Be Downgraded

The old iPhone comes with bootloader 3.9, which has a slightly different version checking algorithm, shown below:

if (secpack version >= current baseband version)
    allow to erase
else
    deny it

Have you noticed the difference? Yes, the >= is the point: with bootloader 3.9, you can erase the current baseband using a newer version OR a current version secpack, so you can use a 04.03.13_G secpack to erase a 04.03.13_G with bootloader 3.9.
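
The two checks described above, modelled side by side as an added example (not code from either bootloader or from this post). Comparing the dotted fields numerically, the names used, and the 04.03.14_G sample version are assumptions.

```c
#include <stdio.h>

/* A version string such as "04.03.13_G", split into numeric fields. */
struct bbver { int major, minor, patch; };

enum bootloader { BL_3_9, BL_4_6 };   /* hypothetical names for the two checks */

/* Parse "MM.mm.pp_X"; returns 0 on success, -1 on malformed input. */
static int bbver_parse(const char *s, struct bbver *v)
{
    char suffix = 0, extra = 0;
    int n = sscanf(s, "%2d.%2d.%2d_%c%c",
                   &v->major, &v->minor, &v->patch, &suffix, &extra);
    /* exactly four items: three fields plus one suffix letter, nothing after */
    return (n == 4 && v->major >= 0 && v->minor >= 0 && v->patch >= 0) ? 0 : -1;
}

/* Field-by-field comparison (assumed ordering): <0, 0 or >0 like strcmp. */
static int bbver_cmp(const struct bbver *a, const struct bbver *b)
{
    if (a->major != b->major) return a->major - b->major;
    if (a->minor != b->minor) return a->minor - b->minor;
    return a->patch - b->patch;
}

/* 1 = erase allowed, 0 = denied, -1 = a version string could not be parsed. */
int erase_allowed(enum bootloader bl, const char *secpack, const char *baseband)
{
    struct bbver sp, bb;
    if (bbver_parse(secpack, &sp) != 0 || bbver_parse(baseband, &bb) != 0)
        return -1;
    int c = bbver_cmp(&sp, &bb);
    /* 4.6 demands a strictly newer secpack; 3.9 also accepts an equal one */
    return bl == BL_4_6 ? (c > 0) : (c >= 0);
}

int main(void)
{
    const char *cur = "04.03.13_G";   /* current baseband, as in the post */
    /* 04.03.14_G is a constructed "next" version, not a real release */
    const char *packs[] = { "03.14.08_G", "04.03.13_G", "04.03.14_G" };
    for (int i = 0; i < 3; i++)
        printf("secpack %s on baseband %s: 3.9=%d 4.6=%d\n", packs[i], cur,
               erase_allowed(BL_3_9, packs[i], cur),
               erase_allowed(BL_4_6, packs[i], cur));
    return 0;
}
```

The only row where the two bootloaders disagree is the equal-version one, which is exactly the case the 04.03.13_G secpack relies on.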

NOTE: the bootloader is the last resort to salvage the phone when something really bad happens, so it never gets flashed during an update. The ieraser erases the secpack, not the bootloader.

The following contents are copied as-is from George Hotz's weblog as a backup for my own easy access.

Hardware Unlocking

The following contents are from George Hotz (HERE). They downgrade the bootloader from 4.6 to 3.9 so that you can later downgrade your baseband to previous versions. The contents are copied here as-is for my easy local access:

1. Copy all the files to a directory on your phone. It is imperative you do not shut off the phone after ieraser, or you cannot restore wifi, since the only fls which works on 4.6 is 1.1.3

2. Run ienew. This is ieraser, and it erases your 1.1.2 firmware to allow the testpoint to work.

3. Find an old 3.9 nor dump and create a file called “nor” with the first 0x20000 bytes of the old nor dump. This is the 3.9 bootloader.

4. Copy “nor” into the folder and run iunew. This is iunlocker and runs just like the old one. You will need the A17 testpoint on before running this. See the following for info on this testpoint:

A17 Testpoint

The red line is covering the A17 trace. In order to trick the chip into thinking the flash is erased in the correct section, you will need to pull this high.

Scrape away at the trace with something like a multimeter probe. Then solder a very thin wire to it. Be very careful. Only scrape away at that solder mask above that one trace. YOU DO NOT WANT TO BREAK THE TRACE. This is the hardest step in the whole process; the rest is cake.

Also solder a wire to the 1.8v line. Connect the wire coming from the trace and the wire coming from the 1.8v to your unlock switch. Be careful, you only get one chance to do this right. Thanks again to Nick Chernyy for the picture.

5. The bootloader is now 3.9!!! Run bbupdater or restore phone with the AnySimmable firmware of your choice.

6. Run AnySim and, as usual, enjoy your unlocked iPhone.

The H/W unlocking required files: OTB 1.1.2 Hardware Unlocking Package
The ready-to-go NOR file for Step 3: First 0x20000 Bytes of 3.9 NOR Dump (Bootloader)


