Baseband 04.03.13_G Secpack

Here is the highly anticipated secpack for iPhone baseband 04.03.13_G:

Secpack 04.03.13_G

With this secpack, any accidentally upgraded 1.1.3 iPhones that have bootloader 3.9 can be fully downgraded to earlier versions. NOTE: starting from OTB 1.1.2, Apple has updated the bootloader to version 4.6.

Brief Steps to Downgrade to 03.14.08_G

1. Downgrade the iPhone firmware to 1.0.2. You may have to downgrade in this order: 1.1.3 -> 1.1.2 -> 1.1.1 -> 1.0.2. You need to put the iPhone into DFU mode first before downgrading.

If you prefer reflashing on 1.1.1, that’s fine, but keep in mind that 1.1.1 will shut down WiFi once you issue the ieraser command, so you may have to use MobileTerminal (aka Term-vt100) or start a script running in the background through SSH. For me, 1.0.2 is my favorite testbench, as the WiFi stays up during the whole process.

2. Extract the following files and upload them to the iPhone, into /reflash:

Secpack 04.03.13_G

3. If you wanna use SSH (I do), then install these packages:

BSD Subsystem

If you prefer doing it through Term-vt100, install these packages:

BSD Subsystem

4. SSH login to iPhone (or use Term-vt100), and enter the following commands in SSH or Term-vt100:

cd /reflash
chmod 755 *
launchctl remove
./bbupdater -f *fls -e *eep
./bbupdater -v    # you should see version 03.14.08_G
launchctl load /System/Library/LaunchDaemons/

UPDATE: If you want to do it on 1.1.1:

Write a script similar to the following:

cd /reflash
chmod 755 *
launchctl remove
./bbupdater -f *fls -e *eep
./bbupdater -v
launchctl load /System/Library/LaunchDaemons/

Then issue the command from SSH:

nohup sh > ~/downgrade.log 2>&1 &

You’ll notice the WiFi disappears and you lose the SSH connection during the process. Don’t worry: wait a few minutes and don’t touch your iPhone. It will reboot once the process is done, and the output is at /var/root/downgrade.log.

P.S. script not tested, use at your own risk.


The above steps have been tested on a non-OTB 1.1.3 (modem 04.03.13_G, bootloader 3.9, which means it was upgraded from OTB 1.0.x or OTB 1.1.1). I upgraded one of my iPhones from 1.0.2 to 1.1.3, and then downgraded it back to 1.0.2 without any problems. Read my experience HERE.

UPDATE: Don’t do this on an OTB 1.1.2, there’s no way to flash a baseband with bootloader 4.6 at this time.

Why A 1.1.3 Upgraded from OTB 1.1.2 Can’t Be Downgraded

The OTB 1.1.2 comes with bootloader 4.6, which has changed the version-checking algorithm. The algorithm is like this:

if (secpack version > current baseband version)
    allow to erase
else
    deny it

The above statement indicates that with bootloader 4.6, a secpack of a higher version than the current baseband is required to erase the current baseband. So to erase a baseband 04.03.13_G with bootloader 4.6, you need a >04.03.13_G secpack. That’s why you can’t downgrade a 1.1.3 iPhone upgraded from OTB 1.1.2: when an OTB 1.1.2 is upgraded to 1.1.3, the modem is also upgraded to 04.03.13_G, and erasing it requires a higher version (>04.03.13_G), which means you have to wait till the next baseband update.

UPDATE: Don’t do this on an OTB 1.1.2, there’s no way to flash a baseband with bootloader 4.6 at this time.

Why A 1.1.3 Upgraded From OTB < 1.1.2 Can Be Downgraded

The old iPhone comes with bootloader 3.9, which has a slightly different version-checking algorithm, as shown below:

if (secpack version >= current baseband version)
    allow to erase
else
    deny it

Have you noticed the difference? Yes, the >= is the point: with bootloader 3.9, you can erase the current baseband using a secpack of a newer version OR of the current version, so you can use a 04.03.13_G secpack to erase a 04.03.13_G baseband with bootloader 3.9.
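
The two checks side by side, as an added example (not code from the original post or from either bootloader). It models only the erase decision described above; the names parse_version, compare_version and erase_allowed are hypothetical, and comparing the three dotted fields numerically is an assumption, since the post does not say how the bootloader encodes versions.

```c
#include <stdio.h>

/* Baseband/secpack version as written in the post, e.g. "04.03.13_G".
 * Assumption: the three dotted fields compare numerically, most significant
 * first. The post does not say how the bootloader encodes versions. */
typedef struct { int major, minor, patch; } bb_version;

/* The two bootloaders the post contrasts. */
typedef enum { BL_3_9, BL_4_6 } bootloader;

/* Parse "NN.NN.NN" with an optional "_X" suffix. Returns 0 on success, -1 on error. */
int parse_version(const char *s, bb_version *out)
{
    int used = 0;

    if (s == NULL || out == NULL)
        return -1;
    if (sscanf(s, "%2d.%2d.%2d%n", &out->major, &out->minor, &out->patch, &used) != 3)
        return -1;
    if (out->major < 0 || out->minor < 0 || out->patch < 0)
        return -1;
    /* Only end of string or a suffix such as "_G" may follow the digits. */
    if (s[used] != '\0' && s[used] != '_')
        return -1;
    return 0;
}

/* Returns -1, 0 or 1 when a is older than, equal to or newer than b. */
int compare_version(const bb_version *a, const bb_version *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

/* Erase decision as the post describes it:
 *   bootloader 3.9: secpack >= current baseband  (same version is accepted)
 *   bootloader 4.6: secpack >  current baseband  (same version is rejected)
 * Returns 1 = allow, 0 = deny, -1 = malformed version (treat as deny). */
int erase_allowed(bootloader bl, const char *secpack, const char *baseband)
{
    bb_version sp, bb;
    int cmp;

    if (parse_version(secpack, &sp) != 0 || parse_version(baseband, &bb) != 0)
        return -1;
    cmp = compare_version(&sp, &bb);
    switch (bl) {
    case BL_3_9: return cmp >= 0;
    case BL_4_6: return cmp > 0;
    }
    return -1;
}

int main(void)
{
    /* Constructed cases built from the version strings the post mentions. */
    static const struct {
        bootloader bl;
        const char *bl_name, *secpack, *baseband;
    } cases[] = {
        { BL_3_9, "3.9", "04.03.13_G", "04.03.13_G" }, /* upgraded from OTB < 1.1.2 */
        { BL_4_6, "4.6", "04.03.13_G", "04.03.13_G" }, /* OTB 1.1.2 upgraded to 1.1.3 */
        { BL_4_6, "4.6", "04.03.13_G", "04.02.13_G" }, /* OTB 1.1.2, baseband untouched */
        { BL_3_9, "3.9", "04.02.13_G", "04.03.13_G" }, /* secpack older than baseband */
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int r = erase_allowed(cases[i].bl, cases[i].secpack, cases[i].baseband);
        printf("bootloader %s  secpack %s  baseband %s  -> %s\n",
               cases[i].bl_name, cases[i].secpack, cases[i].baseband,
               r == 1 ? "erase allowed" : r == 0 ? "erase denied" : "bad version");
    }
    return 0;
}
```

The only row that changes between the two bootloaders is the equal-version one, which is exactly the case this secpack covers.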

NOTE: the bootloader is the last resort to salvage the phone when something really bad happens, so it never gets flashed during an update. The ieraser erases the secpack, not the bootloader.

The following contents are copied as-is from George Hotz’s weblog as a backup for my own easy access.

Hardware Unlocking

The following contents are from George Hotz (HERE). The method downgrades the bootloader from 4.6 to 3.9 so that you can later downgrade your baseband to previous versions. The contents are copied here as-is for my easy local access:

1. Copy all the files to a directory on your phone. It is imperative you do not shut off the phone after ieraser, or you cannot restore wifi, since the only fls which works on 4.6 is 1.1.3

2. Run ienew. This is ieraser, and it erases your 1.1.2 firmware to allow the testpoint to work.

3. Find an old 3.9 nor dump and create a file called “nor” with the first 0x20000 bytes of the old nor dump. This is the 3.9 bootloader.

4. Copy “nor” into the folder and run iunew. This is iunlocker and runs just like the old one. You will need the A17 testpoint on before running this. See the following for info on this testpoint:

A17 Testpoint

The red line is covering the A17 trace. In order to trick the chip into thinking the flash is erased in the correct section, you will need to pull this high.

Scrape away at the trace with something like a multimeter probe. Then solder a very thin wire to it. Be very careful. Only scrape away at that solder mask above that one trace. YOU DO NOT WANT TO BREAK THE TRACE. This is the hardest step in the whole process; the rest is cake.

Also solder a wire to the 1.8v line. Connect the wire coming from the trace and the wire coming from the 1.8v to your unlock switch. Be careful, you only get one chance to do this right. Thanks again to Nick Chernyy for the picture.

5. The bootloader is now 3.9!!! Run bbupdater or restore phone with the AnySimmable firmware of your choice.

6. Run AnySim and, as usual, enjoy your unlocked iPhone.

The H/W unlocking required files: OTB 1.1.2 Hardware Unlocking Package
The ready-to-go NOR file for Step 3: First 0x20000 Bytes of 3.9 NOR Dump (Bootloader)


  1. magicwang
    Posted January 18, 2008 at 11:50 pm | Permalink

    sorry my english is poor
    I have an otb 1.12 iphone
    I try to downgrade modem following you
    ./ieraser OK
    but ./bbupdater -f *fls -e *eep
    at last it tell me “error:Failed to download .EEP: Could not verify downloaded image.”
    I don’t know where is wrong??
    thx for your help

  2. Posted January 19, 2008 at 12:07 am | Permalink

    Sorry, I have no OTB 1.1.2 to play with, so I can’t help you at this point, I said it probably works, of course it might also be a false alarm, better wait for technical people to try it before taking the steps.

  3. Morphius
    Posted January 19, 2008 at 12:12 am | Permalink

    Since we have the SECPACK 04.03_13 in hand..
    can we fool the BL to think its always a higher version… or is it the secpack is completely encrypted…
    OR can we change the BL to the old ‘>’ check instead of ‘>=’ check.. I think that wouldn’t be possible … to modify the BL.. but just some thoughts..

  4. magicwang
    Posted January 19, 2008 at 12:12 am | Permalink

    thank you all the same
    ieraser may have worked and the baseband must be erased
    what should I do ?

  5. Posted January 19, 2008 at 12:31 am | Permalink


    Fake baseband version? No, it’s not gonna work because of the encryption 🙂
    Change BL? No, you have to be able to reflash the BL which is the point in H/W 1.1.2 unlocking (downgrading the BL to 3.9) but there’s no software solution yet.


    You may want to try a full restore to 1.1.2.

  6. magicwang
    Posted January 19, 2008 at 1:06 am | Permalink

    I try to restore to 1.1.2
    but it show 1002 error

  7. Posted January 19, 2008 at 1:17 am | Permalink

    Sorry, I really can’t help you much on OTB 1.1.2 ‘cos I don’t have one in hand, all my suggestions are based on common knowledge.

  8. magicwang
    Posted January 19, 2008 at 1:21 am | Permalink

    i will try it myself
    thx a lot!

  9. Posted January 19, 2008 at 1:36 am | Permalink

    Don’t upgrade to 1.1.3 yet, wait for some days, if a software solution is out, you can still get your phone back. Otherwise, you’ll have to wait till next baseband update because your baseband will become 04.03.13_G after upgrading.

  10. magicwang
    Posted January 19, 2008 at 1:47 am | Permalink

    NO I won’t upgrade to 1.13
    I will wait for the s/w solution and I know it must be released soon!

  11. Bruno Bolescao
    Posted January 19, 2008 at 2:02 am | Permalink

    Hi George..
    congrats on your good work !
    I have an OTB 1.1.2, Bootloader 4.6
    I’ve downloaded 1.1.2otb Pack, to downgrade the bootloader.
    I have the 3.9 NORDumper but don’t know how to create a file called “nor” with the first 0x20000 bytes.
    And don’t know what the A17 testpoint is ?!
    Then after all, i have to copy this created nor file to the same folder i copy the 1.1.2otb pack, and run iunew.
    Thats it !
    Bootloader 3.9 !
    As simple as that !?
    Can you help here, please !?

    Thank you for the very good work !


  12. Posted January 19, 2008 at 2:05 am | Permalink

    after i put
    launchctl remove

    it says

    launchctl remove error: No sach process

    what should i do

    thx a lot

  13. Posted January 19, 2008 at 2:09 am | Permalink

    If it says ‘No such process’, either there’s a typo in your command, or the CommCenter has been closed. Just go ahead, if the ieraser says ‘Resource Busy’, then you didn’t turn off the CommCenter yet, try rebooting and start from the ground.

  14. Posted January 19, 2008 at 2:16 am | Permalink

    after i put

    it says

    permission denied: ./ieraser

    what should i do

    thx a lot

  15. Posted January 19, 2008 at 2:23 am | Permalink

    ivan, looks like you’re on Windows, you need to make it executable, try entering the following command after the ‘cd /reflash’:

    chmod 755 *
  16. Bruno Bolescao
    Posted January 19, 2008 at 2:28 am | Permalink

    Hey ivan..

    you need to set the “ieraser” permission to 775

  17. Posted January 19, 2008 at 2:31 am | Permalink

    Bruno Bolescao, refresh the page, I’ve just uploaded it.

  18. ivan
    Posted January 19, 2008 at 2:41 am | Permalink


    i did it

    thanks very much!

  19. Bruno Bolescao
    Posted January 19, 2008 at 2:49 am | Permalink


    I can`t understand the step 3….
    Is the 3.9 bootloader file the same NORDumper renamed to nor ?
    where can i find this to download…
    please help me here…
    thank you !!

  20. Posted January 19, 2008 at 2:52 am | Permalink

    Bruno Bolescao,

    I have uploaded the extracted NOR file for you, just download and expand it, you don’t have to hex edit it, it’s already ready-to-go.

  21. Bruno Bolescao
    Posted January 19, 2008 at 3:19 am | Permalink


    Just downloaded !!
    thank you very much !
    Now i can downgrade the 4.6 bootloader to 3.9…

    Thank you very much !!

    Keep it high !


  22. magicwang
    Posted January 19, 2008 at 3:35 am | Permalink

    I really didn’t know why my otb1.12 phone can’t downgrade the modem
    I have some questions
    what the purpose do we downgrade modem for 04.02.13 to 03.04.08?
    why George Hotz didn’t downgrade the modem and unlock it ? Did he try it ?
    may be my questions look like a little stupid.

  23. Posted January 19, 2008 at 4:18 am | Permalink

    Since the article may confuse people at some point, I have slightly modified it.

  24. Fahed
    Posted January 19, 2008 at 12:55 pm | Permalink

    George, you are a genius…!!
    I was able to downgrade my bb back to 03.14.08 from 04.03.13…
    My wife upgraded to 1.1.3 by mistake from OOTB 1.1.1 and I’ve been messing with the phone for a couple of days trying to downgrade the bb…I’m so lucky to have found your blog….now on to my next step—> upgrade to 1.1.1 and unlock back to TMO

    keep up the good work

  25. Fahed
    Posted January 19, 2008 at 2:10 pm | Permalink

    OK good news….but let me tell you the story trail….
    a mistake led to the update of iPhone from 1.1.1 (FW 04.03.12_G) to 1.1.3 (iTunes did an automatic upgrade)
    lost all my 3rd party apps and the phone was returned to 1.1.3 factory settings with modem firmware 04.03.13_G
    for a moment there, I thought I was screwed cause all the other forums and users warned about updating to 1.1.3 since there is no downgrade path to earlier firmwares….still I didn’t give up. I managed using SSH & iBricker to downgrade back to 1.0.2 but still was stuck with modem firmware 04.03.13_G
    then I found George’s Blog and followed his secpack downgrade method which got me back to 03.14.08 then it was just standard unlocking stuff….

    now I’m at 1.1.2 jailbroken/unlocked running on TMO with EDGE and youtube and all the 3rd party apps ..

    Thanks George again and everyone in the development community…

  26. magicwang
    Posted January 19, 2008 at 8:51 pm | Permalink

    I try downgrade modem again
    and I find a problem
    ieraser is used to erase the bl 3.9 phone
    and the new file ienew is used to erase a otb 1.12 phone??
    I try ./ienew on my brick otb 1.12 iphone and it show me some different datas
    and after doing that at setting–>about,it is only left wifi and bluetooth,(no wifi bluetooth 00:00:00:00:00:00)
    the ICCID IMEI MODEM isn’t on the list
    Does it mean that the modem is erased?
    But I still can’t reflash the modem “error:Failed to download .EEP: Could not verify downloaded image”
    I will go on trying it

  27. mathias
    Posted January 21, 2008 at 10:10 pm | Permalink

    Did you actually decrypt the firmware restore file to get the secpack or did you get it from some kind of hardware dump? I’m currently seeking for a way to decrypt the dmg files in the restore file to get hold of the contained binaries. Do you have the necessary crypt-keys and passwords?

    I ran across your site today and i really like both; layout and content. Keep up…

  28. Posted January 22, 2008 at 11:12 pm | Permalink

    The exploit used to extract the secpack in previous versions has been fixed; this secpack comes from the hardware method by some brave people with the appropriate devices, and the process of retrieving this secpack destroyed 6 iPhones. The dev team also claimed that they’ve got the secpack nearly a month ago, no comments on how they got it though.

  29. Luis Giorgi
    Posted January 23, 2008 at 1:15 am | Permalink

    Hi George,

    I have an iPhone 1.1.2 OTB and accidentally i’ve updated to 1.1.3 using iTunes 7.5.

    The problem is that modem firmware was updated to 04.03.13_G as mentioned here in your blog, and the original was 04.02.13_G.

    Do you know if there’s a way to downgrade modem firmware to 04.02.13_G or do i have to wait for a while?

    Thanks in advance.

  30. Posted January 23, 2008 at 1:37 am | Permalink

    Luis, I’m afraid you’ll have to wait till the next baseband update because you need a newer (than 04.03.13_G) secpack. With a proper secpack, the hardware method can downgrade the bootloader from 4.6 to 3.9, and with a bootloader 3.9, you can downgrade to earlier versions of baseband.

  31. Kristoffer
    Posted January 24, 2008 at 12:05 am | Permalink

    where is the directory to put the files into???


    I don’t find that on the iPhone.

    also, is it easier to do the hardware unlock now, or should i just wait for a new unlocking for the baseband. is it possible to use iPhone as a actual phone when it has the bootloader 4,6??

    from a curious and anxious 15 year old boy

  32. Sean
    Posted January 24, 2008 at 8:51 am | Permalink

    George, two questions, 1> could you confirm Hardware bootloader downgrade method need to erase modem firmware first, if thats the case, because we could not erase 4.03.13G, even with Hardware method, we can not downgrade bootloader to 3.9. That means even with HW method, 1.1.3 with Bootloader 4.6 could not be hacked.. Why those guys in vietnam claim that they break the iphone with 1.1.3 using hardware method, confusing…

  33. Posted January 24, 2008 at 9:11 am | Permalink

    Kristoffer, the /reflash is just my example, I created it manually, you may put the files anywhere as long as it’s on the ‘executable’ volume. Since /var is mounted as ‘noexec’, you can’t put files in any folders under /var (unless you remount it without ‘noexec’). BTW, h/w method is pretty dangerous, especially when you have little experience on such things before. I would suggest you wait for an easier solution.

    Sean, you need to erase it before reflashing, if your OTB 1.1.2 was upgraded to 1.1.3, too bad, you gotta wait for new baseband update that comes with new secpack.

  34. Al
    Posted January 24, 2008 at 5:07 pm | Permalink

    the bbupdater -f *.fls gives me an endless loop, after a while I have to manually stop the process, any reason why?

  35. Al
    Posted January 24, 2008 at 5:45 pm | Permalink

    The bbupdater -f *.fls after completing, returned the following error:

    Error: Failed to download .FLS: Expecting checksum 13FB got D064

    Can you help pls

  36. Posted January 24, 2008 at 8:40 pm | Permalink

    Al, maybe your baseband was not erased successfully, try re-erase it before flashing.

  37. 000000yyy
    Posted January 24, 2008 at 11:04 pm | Permalink

    thanks for the thing you have done~
    i got a problem,i have a otb 1.1.2,but when i using anysim,it is broken,it tells me repair needed,and no wifi no imei no iccid
    i tried to using the way you did,at last it tell me “error:Failed to download .EEP: Could not verify downloaded image.”
    is there any other ways to save my iphone?or should i wait for the new secpack…..

  38. Posted January 24, 2008 at 11:20 pm | Permalink

    Geez, didn’t you notice the article is NOT for OTB 1.1.2? You gotta wait for a solution to reflash the baseband.

  39. 000000yyy
    Posted January 24, 2008 at 11:28 pm | Permalink

    oooo…have to wait…..thank you all the same

  40. Victor
    Posted January 25, 2008 at 10:28 am | Permalink


    Jailbreak for 1.1.3 has been released… and it seems it does not upgrade the secpack (not really sure though).

    Would it be possible (while the tools to open my iPhone arrive) to jailbreak to 1.1.3 and then when the tools arrive, downgrade to 1.1.1 and proceed with this bootloader downgrade?

    Thanks a lot

  41. 000000yyy
    Posted January 25, 2008 at 12:41 pm | Permalink

    George,Jailbreak for 1.1.3 has been released.,what about secpack for otb 1.1.2,do you know about it

  42. Posted January 25, 2008 at 10:06 pm | Permalink

    Victor, you may jailbreak to 1.1.3 and later downgrade the firmware to previous version. As you speculated, the jailbreak only touches the firmware, so when it’s done, you’ll have a 1.1.3 firmware + current baseband hybrid iPhone.

    000000yyy, I don’t know what you’re talking about, the secpack for 1.1.2 has been published weeks ago.

  43. 000000yyy
    Posted January 25, 2008 at 10:59 pm | Permalink

    George,i mean the secpack for the otb 1.1.2,that secpack you said may be for NON-OTB 1.1.2 ONLY,i saw it in your blog ,but i can’t use it to downgrade my modem,it tells me error:Failed to download .EEP: Could not verify downloaded image

  44. Posted January 26, 2008 at 12:16 am | Permalink

    I’m afraid you still don’t know what a secpack is and what it is for, I said the baseband downgrading method may not be used for OTB 1.1.2, did I say ‘the secpack may not be for NON-OTB 1.1.2’ ? I won’t say something like that because a OTB 1.1.2 and non-OTB 1.1.2 require the same secpack to erase. You can’t reflash the OTB 1.1.2 baseband because bootloader 4.6 doesn’t allow you to do so even though you may still erase the baseband.

  45. 000000yyy
    Posted January 26, 2008 at 12:32 am | Permalink

    i think i did not explain it clearly,i mean that my iphone modem is broken,i need ref it,but 4.6 doesn’t allow me to do this
    ,so i have to down to 3.9
    what should i do,using Hardware Unlocking to made bl to 3.9,then reflash the modem? and someone tell me i could up to 1.1.3,it could reflash my modem,but i think it may be dangerous,for the unlock of it,is that right?
    the most important thing for me is to down the bl4.9 to 3.6~~~~is there any good ways?
    sorry,my english is poor………….

  46. Posted January 26, 2008 at 5:56 pm | Permalink

    uhm , i accidentally upgraded my phone to 1.1.3 via iTunes , and i’m trying to restore to 1.0.2 but the Baseband version 04.03.13_G (1.1.3’s), on iBrickr i manage to jailbreak the phone but after the phone reboots it still shows the activation screen with incorrect sim warning

    any way to downgrade the firmware ?

  47. Ander
    Posted January 26, 2008 at 5:57 pm | Permalink

    Hi George!
    Just to say this guide works perfectly! Thank you very much!!

    But to make it work for me, i had to set all the files to have permission 775.. Dunno why.. :S


  48. Posted January 26, 2008 at 8:32 pm | Permalink

    can a OTB1.1.2 upgraded to 1.1.3 be downgraded ?

  49. Posted January 26, 2008 at 9:18 pm | Permalink

    akihito, to downgrade the firmware, you need to let iPhone enter DFU mode.

    Ander, you’re right, the executables NEED to have permission 0755 or 0555 (minimum 0100 for iPhone :), that’s the common knowledge on a Unix system, so I didn’t write it in the article. Sorry, I often forget there’re Windows users out there 🙂

    axlemilio, NO! Don’t do it atm.

  50. 000000yyy
    Posted January 26, 2008 at 11:55 pm | Permalink

    sorry to trouble you ,have you seen my words,could you give me any advice, i just want to repair it soon

  51. Posted January 27, 2008 at 12:00 am | Permalink

    000000yyy, I’m afraid there’s no solution atm, the leaked jailbreak 113 only activates the iPhone. There’s no solution to your baseband issue unless the method to reflash the baseband with bootloader 4.6 (not the bootloader itself) is found. BTW, the H/W method may also be a way but it’s too dangerous.

  52. 000000yyy
    Posted January 27, 2008 at 12:04 am | Permalink

    thanks so much,i have to try

  53. Paula
    Posted January 27, 2008 at 7:06 am | Permalink

    Hi, George. I just have an OTB 1.1.2 from UK. I unlocked it to use as an ipod, but i tried to use the baseband downgrader, from…that’s when my nightmare started. Now i’m trying to downgrade to firmware 1.0.2, so i can use iBrickr to install bsd and openSSH to try to restore the 04.02.13 baseband, since i don’t have wi-fi, IMEI or ICCID anymore. When i found the secpack 04.03.13, i wonder if i can use it, since bootloader 4.6 –> “if (secpack version > current baseband version) allow the further operations”.
    Is that possible?
    Thank you veeeeeeery much!

  54. Posted January 27, 2008 at 7:12 am | Permalink

    No, don’t do that! You can erase the baseband, but you can NOT flash a new baseband in.

  55. Mike
    Posted January 27, 2008 at 7:57 am | Permalink

    Paula- I had the same problem. What I did was, restored using 1.1.3 (unmodded. figuring that it would “update” the modem/bootloader). Then did the task of downgrading. I haven’t successfully unlocked it yet.

    George- I’m stuck at where it says failed to download .EEP. I’m assuming that in the *fls and *eep command “*” is the wild card for the files. Can’t I just type out the file names here?

    Better yet, can you post a downloadable script for the 1.1.1 so it can be run in terminal?

  56. Posted January 27, 2008 at 8:01 am | Permalink

    Mike, I think you made the wrong choice (upgrading to 1.1.3), now you have to wait for another baseband update that contains new secpack. You can’t flash the baseband when you have a bootloader 4.6.

  57. Posted January 27, 2008 at 8:45 am | Permalink


    so, if a 1.1.2 bl4.6 iphone was h/w tp’d, and at the point of the iunew tp success, the phone shut down, and required a restore, and was then left without a bootloader… are you saying there is no way to get a bootloader back onto it at this point? how would apple do it? if i sent them the iphone for restore/repair, how would they do it?

    thank you for your time!

  58. Posted January 27, 2008 at 9:00 am | Permalink

    Eric Jarvies,

    No, iunew utilizes the A17 testpoint to flash the bootloader, when it’s done, the bootloader has been downgraded to 3.9. If you reboot right after iunew, you still have bootloader, but lost the baseband firmware. Since it has been a 3.9, you can always use bbupdater to reflash the baseband firmware even though you have lost WiFi.

  59. Paula
    Posted January 27, 2008 at 9:05 am | Permalink

    The most strange part is that i’m having big problems to unlock it even in 1.0.2fw…iBrickr is not doing its job. I already restored 1.1.2, 1.1.1 and 1.0.2 thousand times…well, i guess i’ll just have to wait for the sw unlock, so i can flash the baseband, virginize it and then, unlock.
    Damned baseband downgrader…

  60. Posted January 27, 2008 at 9:12 am | Permalink

    Paula, you said (in your previous comment) you have a OTB 1.1.2, so its baseband is 04.02.13_G, bootloader is 4.6, the problem is not in the firmwares, but the bootloader. Downgrading firmware from 1.1.2 to 1.0.2 does not help unlocking, it just downgrades the operating system, not the baseband. Since there’s no way to reflash a baseband that has bootloader 4.6, you can’t downgrade baseband, can’t virginize, can’t do whatever you feel interesting things. Just use your phone as an iPod, wait for the next update, pray dev team could find a way to break into this bootloader 4.6 😉 or use a TurboSim.

  61. Paula
    Posted January 27, 2008 at 9:47 am | Permalink

    Yeah, George…that’s my idea, but i’m not being able to unlock it anymore in 1.1.1 nor 1.0.2. iBrickr and appinstaller are useless at this time. I used a tutorial that suggested to use wINstallerGUI ( the activation button ), and that’s when my trouble began. Since then, iBrickr and AppInstaller aren’t working. The far i can go is using iBrickr to “free my iPhone”, then, when it reboots, i get the loop reboot, with blue blink, and the script running, and then, here comes the loop again. So i put it in DFU mode and reinstall 1.0.2. I tried to reinstall all the firmware versions, then downgrade ’til 1.0.2. All attempts failed…

  62. Posted January 27, 2008 at 9:50 am | Permalink

    Paula, I think you didn’t get the point: if you have (or had) an OTB 1.1.2, you can NOT unlock it atm no matter what you do unless using TurboSIM. Are you trying to activate it or unlock it?

  63. Paula
    Posted January 27, 2008 at 10:13 am | Permalink

    Sorry, George. I got u confused. I know that i can’t unlock it, i mean, i won’t have it working as a phone. I wanted it as an iPod, until Dev Team releases a sw unlocking. But all my attempts to restore the fw ( i tried 1.0.2 and 1.1.1 ), i can’t jailbreak it and activate…iBrickr and AppInstall.exe processes all failed.
    Sorry bothering and confusing you. 🙂

  64. Posted January 27, 2008 at 10:20 am | Permalink

    Ah, now I see 😉

  65. Paula
    Posted January 27, 2008 at 10:22 am | Permalink

    i’ll just give up…sit, cry, pray and wait!!!
    thanks a lot!

  66. Patrick
    Posted January 27, 2008 at 10:03 pm | Permalink

    Hi, i have a OOTB 1.1.2 /BL 4.6 UK iPhone. Its jailbroken and activated.

    Accidentally i updated it to 1.1.3, what got me to the baseband 4.03.13_G.

    Is it possible for me to downgrade my bootloader using the hardware method?

    Thanks so far.

  67. Posted January 28, 2008 at 1:49 pm | Permalink


    No, you can’t, you need a newer (than 04.03.13_G) secpack.

  68. Mike
    Posted January 28, 2008 at 1:57 pm | Permalink

    SO I tried the HW hack. now my phone says it needs repair. I tried restoring with 1.1.3 but it keeps coming up with a 1101 error when I’m restoring (using mac or PC) and itunes says that it’s unable to read sim card. Is there any way to restore at least wifi?

  69. Balacobaco
    Posted January 28, 2008 at 2:03 pm | Permalink

    Hi George! Congrats for the article and patience to explain sometimes over and over…:)

    Well… It’s pretty clear that Patrick(above) is as much screwed as I am. I have a 1.1.2 OTB 4.6 Bootloader and updated to 1.1.3 via ITUNES and got the baseband upgraded to 4.03.13_G. So myself, Patrick and other screwed people have to wait until the next baseband release, as you so clearly described. Just a question remains…

    In my case, I have used TurboSIM to unlock and after Ibrickr to 1.1.3 I got the “Itouch” functionalities , but the phone is dead. It doesn’t even say that there is a Simcard. Above in one of the responses you advise to try a TurboSim. This TurboSim you cite, must be a 1.1.3 powered or you see there is another solution to my case by my current TurboSim?


  70. Posted January 28, 2008 at 3:32 pm | Permalink

    Mike & Balacobaco,

    For the H/W unlocking, I would suggest you ask the original author George Hotz through the link in the article ‘cos I didn’t H/W unlock my phone this time 🙂 The contents are copied as-is from Geohotz’s site as a backup in case I need it later. I only used the H/W method to unlock my 1.0.2 which was months ago.

  71. Balacobaco
    Posted January 28, 2008 at 3:50 pm | Permalink

    Thanks anyway!

    For those who have the same problem, I’ve found some related article about “manual unlock” and “lockdown”. Apparently all the current *Sim (TurboSim, StealthSim, etc…) don’t work with 1.1.3. Some gurus say that can be done (maybe) doing this manual unlock…I really don’t know. 🙁

    As far as it is, apparently we must hold until new baseband is released to perform the downgrade.

    Meanwhile, let’s enjoy our expensive and oversized IPOD!


  72. Posted January 28, 2008 at 7:27 pm | Permalink


    I’ll say the firmware 1.1.3 DOES work with *SIM as long as you don’t have a 04.03.13_G modem, I tried it on a 1.1.3 + 04.02.13_G and it worked. But with the new baseband 04.03.13_G, I have no idea whether the *SIM can work, as I didn’t try it on a 1.1.3 + 04.03.13_G yet.

  73. Enrique
    Posted January 28, 2008 at 11:27 pm | Permalink

    George, I need the extracted NOR.
    Please help me

  74. mistletoe
    Posted January 29, 2008 at 2:25 am | Permalink

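    I used the hardware unlock method to downgrade the bootloader from 4.6 to 3.9, then restored to 1.1.1 and downgraded the modem to the 1.1.1 modem. Unlocking with anySIM 1.1 failed, so I upgraded to 1.1.2 and unlocked successfully with anySIM 1.2.1u. I would like to ask: after this, if I restore the 1.1.2 firmware or downgrade to 1.1.1 (including the modem), do I need to unlock again? And if I do have to unlock again, do I need to restore it first? One more question: now that I am down to 3.9, can I upgrade directly to 1.1.3 with iTunes without having to unlock? Please advise, thanks!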

  75. mistletoe
    Posted January 29, 2008 at 2:26 am | Permalink

    Mine is an OTB 1.1.2 🙂

  76. Posted January 29, 2008 at 2:32 am | Permalink



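    As for the 1.1.3 jailbreak, you are reading the wrong article; this one is about downgrading. You should read the other one, “Official Jailbreak 1.1.3 Issues”. But I can tell you briefly: you can’t upgrade to 1.1.3 with iTunes; you need to use the software method to “upgrade only the firmware, not the modem”.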

  77. mistletoe
    Posted January 29, 2008 at 2:47 am | Permalink

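    When you say “downgrading is completely unaffected”, do you mean that even if I now downgrade the firmware together with the modem to 1.1.1 or 1.02, I don’t need to unlock again?

    “You can’t upgrade to 1.1.3 with iTunes; you need to use the software method to ‘upgrade only the firmware, not the modem’.” So with 1.1.3, can’t I do it the same way as upgrading an unlocked 1.1.1 to 1.1.2: upgrade to 1.1.3, then downgrade the firmware to 1.1.2, then soft-upgrade to 1.1.3, without having to unlock again? (That way both the firmware and the modem would be 1.13.)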

  78. mistletoe
    Posted January 29, 2008 at 2:49 am | Permalink

    Still up this late? Or is it daytime where you are abroad? 🙂

  79. Posted January 29, 2008 at 2:54 am | Permalink




  80. mistletoe
    Posted January 29, 2008 at 2:56 am | Permalink


  81. Rich
    Posted January 29, 2008 at 4:46 pm | Permalink

    Hi George

    Do you have any information you could give us about why the 04.03 can’t be patched like 04.02 has been for a sim unlock with 39BL.


  82. pootz
    Posted January 29, 2008 at 5:14 pm | Permalink

    I have the same problem of that guys

    Are there something to solve this problem?

    Thanks in advance!

  83. Aptitud
    Posted January 30, 2008 at 8:02 pm | Permalink

    Hi George,
    I have same problem than Balacobaco, is a 1.1.2 OTB 4.6 Bootloader and updated to 1.1.3 via ITUNES (a big deal…) and got the baseband upgraded to 4.03.13_G.
    I had downgraded and jailbreak to 1.1.1. again, but No works the phone with the newer Turbosim.
    Any idea to have a phone?

  84. Posted January 30, 2008 at 8:33 pm | Permalink

    Aptitud, I’m afraid you’ll have to use it as an expensive iPod for quite some time till people find out how to deal with the bootloader 4.6.

  85. Mike
    Posted January 31, 2008 at 5:44 am | Permalink

    I have an OTB 1.0.2 and accidentally upgraded to 1.1.3. I’ve been able to downgrade to 1.1.1 but the firmware remains 04.03.10_G. I’ve tried downgrading but it remains the same. AnySIM won’t work with this. Any advice? I want to unlock my phone to use with T-Mobile.

  86. Fresh
    Posted January 31, 2008 at 7:14 am | Permalink

    Dear George,

    I have a BL 3.9 iPhone here with no WiFi, IMEI or ICCID at all. I’m trying to reflash the baseband with your method using the 04.03.13_G secpack. Although I do unload the commcenter, I keep on getting replies from BBUPDATER: “Failed to initialize the comm layer: (is it open by another app?)”. I even unloaded the commcenter using UIctl, but still the same result. Do you have any idea what is going on here?
    Thank you for your help.

  87. Aptitud
    Posted January 31, 2008 at 4:12 pm | Permalink

    Thanks George,
    Any idea how much time remains until people find out how to deal with bootloader 4.6?
    I really have an expensive and heavy iPod… jaja

  88. Ionut
    Posted February 1, 2008 at 3:48 am | Permalink

    Is there any way to HARDWARE downgrade the bootloader from 4.6 to 3.9? My baseband is 4.3.13_G. I have the iPhony wide open on my desk.

  89. Posted February 1, 2008 at 9:02 am | Permalink

    I’m not George Hotz 🙂 Please check his blog at for H/W unlocking details.

  90. Posted February 1, 2008 at 8:21 pm | Permalink


    Seriously man.. This worked like a charm!

  91. dev_es
    Posted February 5, 2008 at 3:06 pm | Permalink


    I have a question. If bootloader 4.6 lets you erase your baseband, then there must be some other kind of check besides the secpack_ver >= baseband_ver, mustn’t there? Or am I missing something? I’m asking because I unintentionally erased the baseband on a 1.1.2 OTB phone. I’ve read that some people in the same situation have restored the baseband by upgrading to 1.1.3 from iTunes, and I’d like to know if you (or anyone reading this) know anything in this respect. I know I’d be trapped with 4.03.13_G until a new baseband is released, but at least that way the only thing missing would be the phone functionality.

    Thank you all in advance for your answers!

  92. Khaled
    Posted February 6, 2008 at 2:25 am | Permalink

    Hi there,

    I have an iPhone that I accidentally upgraded to 1.1.3 through iTunes. I managed to bring it back to 1.1.1 (3A109a), firmware is 03.14.08_G, IMEI 011300004719986. I ran Isim and it unlocked, but somehow I am not getting connected to any of the networks. I tried with alternate SIM cards but did not get connected either. Can you help?


  93. Inutero
    Posted February 6, 2008 at 4:54 am | Permalink

    Hi guys,
    I have a 1.1.2 OTB, so I tried a hardware unlock. Everything looked good after iunew (downgrade to 3.9), but after restarting the phone I lost WiFi, with no IMEI and no modem firmware. So I googled and found that you need to restore to 1.1.2 to recover the WiFi. No luck after the restore, so I restored to 1.1.3, and no luck. My only alternative was to recover to 1.02, because I don’t have WiFi to jailbreak it. Well, I did this and used ibrick to upload the Terminal vt100 and BSD Subsystem files to try a baseband downgrade. Well, I tried… but when I execute bbupdater -f *.fls -e *.epp the phone tries to flash the baseband with no luck; it says “bootloader to old, upgrade to 1.8 and try again” after 10 tries, so now I’m lost :S. I tried to view the actual baseband (bbupdater -v) and the phone responds trying to “pinging basebband time out”, so I assume that I don’t have it…. Well, this is good for downgrading the baseband, but I don’t know why I can’t flash it. Please help!!! PS: I also assume that I now have the 3.9 bootloader because the hardware dump worked OK with no errors, am I right? Thanks again

  94. Asgad
    Posted February 6, 2008 at 9:57 pm | Permalink

    Thanks George, this certainly saved my bacon.

    Didn’t use VT100, had issues typing in the commands on the iPhone, so just used Terminal on my Mac and ssh’d into the phone, then copied and pasted your commands.

    Anyway, thanks a million again.

  95. Yusuf
    Posted February 7, 2008 at 5:06 pm | Permalink

    I had a 1.1.2 OTB and the very first time I connected it to the laptop I upgraded it to 1.1.3 04.03.13_G (my bad)…. The serial says 48, so I’m thinking it’s a 4.6 bootloader….
    Help me…….
    I’m trying to downgrade it but it keeps giving me an error(1) for both the 1.1.1 and 1.1.2 downgrade…

  96. G
    Posted February 7, 2008 at 5:27 pm | Permalink

    Hi George (and others),

    I have a jailbroken and activated OTB 1.1.2 (week 46).

    Version: 1.1.2 (3B48b)
    Serial: 7V746B….. (week 46)
    Modem firmware: 04.02.13_G
    Bootloader: 4.6

    What options are there to unlock this device and use it in the EU (Netherlands)? (SW/HW?)

  97. dleo
    Posted February 7, 2008 at 5:52 pm | Permalink

    Mine is an OTB 1.1.2, but I downgraded the bootloader to 3.9 with the hardware method. Can I use this method of yours? Thanks.

  98. Posted February 7, 2008 at 6:54 pm | Permalink

    Yusuf, enter DFU mode first, you may downgrade firmware, but you can’t downgrade modem.

    G, no software unlock for your OTB 1.1.2 yet.

    dleo, might be, but nobody tried yet.

  99. Yusuf
    Posted February 7, 2008 at 7:29 pm | Permalink

    Yes, I did enter DFU mode, but I still get the error(1) and I cannot downgrade the firmware. How should I go about that???
    Can I give it for a hardware unlock, by professionals???

    And the serial says 48…. Am I right, is it the 48th week, and is my iPhone a 4.6 bootloader?

  100. dleo
    Posted February 7, 2008 at 8:36 pm | Permalink

    Thank you.
    It’s an OTB 1.1.2, but I downgraded the bootloader to 3.9 with the hardware method.

    # ./bbupdater -v
    Resetting target…
    pinging the baseband…
    issuing +xgendata…
    firmware: DEV_ICE_MODEM_04.02.13_G
    eep version: EEP_VERSION:208
    eep revision: EEP_REVISION:1
    bootloader: BOOTLOADER_VERSION:3.9_M3S2


    # ./bbupdater -v
    Resetting target…
    pinging the baseband…
    issuing +xgendata…
    firmware: DEV_ICE_MODEM_04.02.13_G
    eep version: EEP_VERSION:208
    eep revision: EEP_REVISION:1
    bootloader: BOOTLOADER_VERSION:3.9_M3S2

  101. Posted February 7, 2008 at 8:43 pm | Permalink

    Yusuf, sorry no idea, afaik, you can always downgrade the firmware (not modem) regardless of whether it’s bl 3.9 or 4.6 as long as you enter the dfu mode.

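    dleo, you didn’t get my point. I know how to do the hardware unlock, but nobody has tried your idea and I don’t know either; I have never had a native 1.1.2 in my hands.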

  102. Yusuf
    Posted February 7, 2008 at 8:56 pm | Permalink

    OK then…. Can you guide me on how to downgrade it… and what software would I need?
    Thanks… appreciate it a lot

  103. Posted February 7, 2008 at 9:00 pm | Permalink

    Yusuf, I said I have no idea, because DFU mode is the only point, if you can’t get it working then I really can’t help.

  104. dleo
    Posted February 7, 2008 at 9:11 pm | Permalink

    # ./bbupdater -v
    Resetting target…
    pinging the baseband…
    issuing +xgendata…
    firmware: DEV_ICE_MODEM_04.02.13_G
    eep version: EEP_VERSION:208
    eep revision: EEP_REVISION:1
    bootloader: BOOTLOADER_VERSION:3.9_M3S2

    # ./bbupdater -v
    Resetting target…
    pinging the baseband…
    issuing +xgendata…
    firmware: DEV_ICE_MODEM_03.14.08_G
    eep version: EEP_VERSION:208
    eep revision: EEP_REVISION:1
    bootloader: BOOTLOADER_VERSION:3.9_M3S2

    I have now successfully upgraded to 1.13 using AnySIM 1.1.3 and Official 1.1.3 Upgrader. Thanks!

  105. Posted February 8, 2008 at 3:05 am | Permalink

    Dude! I did all the parts, but when I typed ./bbupdater -v the version that command reported back was the same version as before. What can I do?

  106. Nelson
    Posted February 9, 2008 at 3:31 am | Permalink

    Hi, I have an iPhone whose baseband was 04.01.13_G and which was jailbroken. Last week I tried to upgrade to 1.1.3, but everything went wrong and now I have the baseband 04.03.13_G!! But the phone is blocked and is not working properly. I have tried to downgrade to 1.1.1 but it is not working and I need your help. Please, could you tell me what to do, and how to do it properly? Many thanks for your help!

  107. OMG
    Posted February 10, 2008 at 3:23 am | Permalink

    Hi to George & the rest of the community!
    I am one of the screwed ones: I’m running 1.1.1 on an iPhone (OOTB 1.1.2) with 04.03.13_G and Bootloader Version 4.6_M3S2, and at the moment there is no way for me to use the phone functions even though I originally bought a TurboSim as well. =(
    Now here is my, probably silly, question:
    For those of us who would like to expand their 8GB iPhones to 16GB (would a 32GB iPod Touch work?), would putting in a new memory with 16GB mean getting rid of the baseband/bootloader problem?
    Thanks for any suggestions
    and an extra big THANK YOU to the people working on the matter!

  108. Felipe
    Posted February 10, 2008 at 3:58 am | Permalink

    Hello to all, I had the same problem: I have an OTB 1.1.2 (Bootloader 4.6) and I upgraded to the 1.1.3 firmware (that installed the 04.03.13_G baseband), with no luck downgrading…. until now.
    I followed these instructions, but first I needed to do the following:
    1. I used the IPHUC method to downgrade to firmware 1.1.1 and the activation method. (All the time I was dealing with the warning: Sim Incorrect.)
    2. I followed these instructions: that tells you to add a resource and install it (GeohotUnlock), and it worked!! Now I have a 04.02.13_G unlocked.

    I hope this helps!!

  109. OMG
    Posted February 10, 2008 at 4:14 am | Permalink

    Wow thanks Felipe! That really looks good!
    I’ve just got one little question before I start: Do I have to soft-upgrade my phone to 1.1.2 in order to use the “iclarified” method?
    I’ll let you guys know if it worked tomorrow.
    @Felipe: Would you be prepared to give out your ICQ address or something in case I have any questions, please?
    Thanks again
    greets OMG

  110. Felipe
    Posted February 10, 2008 at 4:31 am | Permalink

    OMG, I didn’t do the upgrade to 1.1.2. Actually, I thought about that, and I was waiting for an error, but nothing happened. (I followed the instructions using the 1.1.1 jailbreak and that corrected the baseband from 04.03.13_G to 04.02.13_G.) That method also worked without upgrading to 1.1.2.
    After the GeoHot Unlock install, I did the OktoPrep install, to get to the 1.1.2 upgrade (then using the 1.1.2 jailbreak), and that worked too. So now I did the software upgrade to 1.1.3 and still have the 04.02.13_G and it worked, and I remain unlocked and happy =)

  111. Miguel
    Posted February 10, 2008 at 2:11 pm | Permalink

    Hi, help! Yesterday I tried the geohot method with the gunlock and all of that, then after that I don’t have signal. I used the brick tools and then I rebooted my iPhone; it says need repair, no WiFi, no sound, and now I’m trying to restore to 1.1.3 or 1.1.2 or 1.1.1 or 1.0.2 and it says the iPhone can’t be restored, and it shows the error 1012. Help me please, I’m desperate. My mail is help me I’m so sad

  112. OMG
    Posted February 11, 2008 at 4:35 am | Permalink

    It’s unlocked =)

  113. Felipe
    Posted February 11, 2008 at 4:43 am | Permalink

    Miguel, the same happened to me. So the thing I did was:

    1. Normal restore from iTunes using the Update to 1.1.3. (That should restore your phone with the latest update.) If you can restore it (that means that you should have the screen for activation), then I don’t know more.
    2. If you get the restore to 1.1.3, then you need to do the iPHUC method in order to at least downgrade just the firmware to 1.1.1, and put on the 1.1.1 jailbreak.
    3. After you jailbreak 1.1.1 (you should still have the 04.03.13_G), you can do the GeoHot method:
    4. After that you should have the phone, WiFi and everything working. (You should have the 04.02.13_G now.)
    5. You can do the 1.1.2 jailbreak, then the 1.1.3 jailbreak (via App Install), and that should keep your phone working.

  114. Posted February 13, 2008 at 2:02 am | Permalink

    Latest news: 1.1.3 OTB is now fully unlocked.. All iPhones with 1.1.3 OTB or upgraded from 1.1.2 OTB to 1.1.3 can now be unlocked, even the 1.1.3 16gb version of iPhone.. check this URL for more information:

  115. Posted February 13, 2008 at 2:06 am | Permalink

    Old news 🙂 I’m sure you didn’t check other NEWER articles on the blog, this article was posted on Jan 18 😉 Thanks anyway.

  116. Ahimsa
    Posted February 14, 2008 at 8:13 pm | Permalink

    Hi George,
    Congrats for your awesome work you have done!
    I have a problem, which is: I have upgraded my iPhone [8GB] v1.1.2 baseband 4.6 and firmware 04.03.13_G to v1.1.3 baseband 4.9 and firmware 04.03.13_G using iTunes, and my iPhone is now SIM locked and says Connect to iTunes, and when I do so, it says wrong SIM or invalid SIM. I can get an AT&T SIM, but as I am in India the GSM network won’t support it. And on it I have no more options or buttons on that Connect to iTunes screen except “Slide for EMERGENCY CALL” and a small ” (i) ” which, when I tap it, shows the IMEI and the ICCID codes. I gave my phone to an Apple Software Engineer in India; he said that now we can’t do anything to the phone because the bootloader is 4.9. You are the only person whom I can get help from. So please reply soon!! 🙂

  117. Ahimsa
    Posted February 14, 2008 at 8:36 pm | Permalink

    Hi George,
    I have an iPhone [8GB]
    + Bootloader – 4.6
    + Firmware – 04.02.13_G
    + Version – 1.1.2

    I upgraded it using iTunes and now it is

    + Bootloader – 4.9
    + Firmware – 04.03.13_G
    + Version – 1.1.3

    My iPhone says that “Connect to iTunes”
    As I did it, it said “incorrect SIM” in the iTunes screen and also on the iPhone
    And the iphone is fully locked
    I have no other options or buttons on the iPhone screen to tap except “Slide for Emergency Call” and a small button ” (i) ”; when I press that (i) it shows the ICCID and the IMEI codes.
    I gave my iPhone to an Apple Software Engineer, He said that “Now nothing can be done because the bootloader is 4.9 and we need to downgrade it, which is not possible !”
    And one more thing, I am in India where Apple is not so known
    What shall I do please help me 🙁

  118. Posted February 15, 2008 at 12:46 pm | Permalink

    Ahimsa, it’s normal, please read “Real Jailbreak 1.1.3 with ZiPhone”, your “phone” will soon become a phone 🙂

  119. Peter
    Posted March 3, 2008 at 10:46 am | Permalink


    How and where do I put the “secpack” file? I have an iPhone that was originally 1.1.3 and was accidentally upgraded (not completely) to 1.1.4. Now in General-Setting-About, there is no information below WiFi (no address either), not even an IMEI. No modem information etc… Of course, it can’t recognize any SIM card. Thanks in advance for your help.


  120. Shuja
    Posted October 15, 2008 at 12:43 am | Permalink

    Hi George:
    You are doing a good job for guys like me. I should really thank you for all this and the stuff you keep on this site.

    My iPhone’s baseband is corrupt and nothing seems to work… no IMEI, no ICCID, no WiFi…. no modem firmware…. I am currently on 1.1.4….
    Tried almost everything, but all in vain.

    ieraser gets stuck at “waiting for data”
    Could you please help me out to make my iPhone work again?
    BootNeuter gets stuck at “Determing Current Settings”

    Is there any way I can restore my baseband?
    I have tried all versions from 1.1.1 to 2.0.1

    Any help will be appreciated
