Thursday, January 30, 2014

How to Downgrade iPhone 2G to iOS 1.0

I recently worked out a flawless method to downgrade iPhone 2G to iOS 1.0, as well as how to jailbreak, activate and unlock it.  It's fairly straightforward as long as you follow these directions exactly.


Requirements

A virtual machine or computer running Windows XP**
An iPhone 2G (derp!)

**NOTE:
I personally used VMware Workstation 8 to create a virtual machine using my old copy of Windows XP Professional (fresh install) in order to do most of this.  You could also likely use Windows XP Mode (if you have Windows 7 Pro/Ultimate/Enterprise).  An obvious option is a computer running Windows XP; however, if it has already had a newer version of iTunes installed on it, you may run into issues.


Before you begin, some things you should know

First things first -- credit where credit is due:
- George Zhu - for iLiberty+ and his great blog
- iphone-elite - for information on how to patch lockdownd to be activated
- SonnyDickson (Modmyi forums) - for posting the iTunes version & OS needed
- ... and of course everyone else that contributed to the scene that made this possible.

It should be stated that I have gone through this entire process with a fine-toothed comb in terms of every detail.  I have run through this many, many times on my phone in order to make sure this process works without a hitch.

And don't be scared -- if anything goes wrong at all, you can always start fresh with a DFU mode restore to iOS 3.1.3 and start everything over again.  Trust me, I have done it about 30-40 times now. :)

Also, it should be noted that after jailbreaking iOS 1.0, iTunes doesn't seem to recognize the phone anymore.  It appears for a split second, then disappears.  I'm not sure how to resolve this issue; it might simply be an effect of the iOS 1.0 jailbreak itself.


The Long-Winded Background Story

I repair iPhones as a side business, and over the years I started to collect iPhones.  One day I decided I would buy an iPhone 2G (the original iPhone) to have in my collection.  I managed to get one off eBay that was in decent condition and in the original box.

When it arrived, I wasn't surprised that it had iOS 3.1.3 installed on it, since the owner had likely restored the phone before selling it.  At that point I made it my goal to see if I could somehow get the original iOS 1.0 (technically iPhoneOS 1.0) installed on it.

Initial attempts to downgrade the iPhone 2G to iOS 1.0 using the latest iTunes failed miserably.  I started trying older versions, one by one, without success.  I even had Mac OSX running in a virtual machine and tried multiple versions there, again without success.  I kept plugging away at it, figuring it must be possible.  As Henry Ford said, "Whether you think you can, or you think you can't -- you're right."

After much time spent searching, reading, trial and error, followed by more searching, I finally found the key that makes this work.  Proper credit must be given to SonnyDickson of Modmyi forums, who posted the proper iTunes and OS versions required to downgrade properly.

It turns out that you must use iTunes 7.5.0.20 running under Windows XP in order to ensure a smooth downgrade to iOS 1.0.  If you do not use this exact combo, you will almost certainly run into iTunes error 20, error 1600, error 1601, 1602, etc.  While it is possible that other iTunes versions or OSes may work, I'm simply sharing what has worked for me.  If you know of another iTunes version or OS that will work, let me know and I will post an update.

So after a lot of fighting with my iPhone 2G, I finally managed to get iOS 1.0 installed on it.  Yay! Good times, right?  Well, sort of.  Even though it starts up fine, the phone is stuck at the 'Activate iPhone' screen.  Since Apple has deactivated their 2G activation servers, there is unfortunately no way to legitimately activate an iPhone 2G.  Which means we must turn to software modifications at this point.

I stumbled across a forum post on the MacRumors forums where hackerwayne mentioned he was able to hacktivate iOS 1.0 successfully using a modified version of iLiberty+.  I started looking into it and found that iLiberty+ comes with a package to activate iOS 1.0.2 - 1.1.4, but without support for iOS 1.0.

I opened the script file, and noticed it checking iOS versions before applying patches.  Somewhat haphazardly, I decided to modify the value it was looking for so that "1.0" would install the patch for iOS 1.0.2.  Guess what... it worked!

I wasn't satisfied, though... I wanted the phone to be unlocked, to see if there was a chance it would work on my carrier (spoiler alert: it doesn't).  The unlock only supports baseband 03.14.08 to 04.04.05, and since iOS 1.0 uses 03.12.08 it doesn't work.  Using files from George Zhu's blog, I created my own script to reflash the bootloader to 03.14.08 (download here if you have any use for it).  However the unlock didn't want to work on 03.14.08, so that seems to have been a wasted effort.

I also didn't feel right using the 1.0.2 version of lockdownd on iOS 1.0, so I decided to see if I could make my own patched lockdownd for iOS 1.0.  I managed to find a fantastic post on George Zhu's blog that describes the differences between lockdownd patches by iOS version, and it lists the patches required for iOS 1.0 and 1.0.1.  Sure enough, they are at different offsets than the one for iOS 1.0.2, so I decided I'd make my own Activation script for 1.0 and 1.0.1.

After some research, I figured out how to extract content from IPSW files and after a few minutes with a hex editor I had a patched copy of lockdownd for iOS 1.0.  While I was at it I decided to extract and patch lockdownd for iOS 1.0.1 as well, in order to give iLiberty+ the ability to activate the full range of iOS 1 versions.

I also managed to find an app called iPatcher by iphone-elite, which should activate iOS 1.0 to iOS 1.1.2.  I created a script that runs it (download it here if you like), however it doesn't seem to work.  I may have done something wrong; if anyone is able to get it working, please let me know.

After all this work, I decided to make a blog post about it in case anyone wants to replicate what I've done.  I hope you enjoy it as much as I enjoyed working on it. :)


Phase 1 - Restore to iOS 3.1.3, without syncing

First you will need to restore the iPhone to iOS 3.1.3.  You should do a DFU mode restore to ensure a clean, fresh install.  It doesn't matter which version of iTunes or which OS you use to accomplish this.  For reference, I'm using iTunes 11.1.0.126 on Windows 7 Home Premium.

NOTE: It's very important that you do not let iTunes sync the phone after restoring to iOS 3.1.3, otherwise the downgrade may fail and you'll have to start over again.  To save yourself some hassle, keep an eye on the restore progress and as soon as the phone restarts, be ready to unplug it.  Keep watching the screen (and pressing home to keep it lit) until it changes from the "Connect to iTunes" background to the battery icon.  At that point immediately unplug it before iTunes has a chance to sync.  You can now close iTunes and move on to Phase 2.

HILARIOUS: After the phone is done restoring, and if you have a valid SIM inserted, the iPhone may display the message "Waiting for activation. This may take some time."  That's a bit of an understatement, considering Apple's no longer running activation servers for the iPhone 2G. :-/


Phase 2 - Downgrade to iOS 1.0

Now it's time to prepare your Windows XP computer or virtual machine.  You will need to download the iOS 1.0 firmware file, iTunes 7.5.0.20 as well as iLiberty+ 1.3.0.113.  After installing iTunes and iLiberty, make sure you extract the Activate 1.0 - 1.0.1 payload into iLiberty's payloads folder.  The default location is C:\Program Files\iLiberty\payloads.

Start iTunes 7.5 and connect the iPhone.  iTunes will warn you that you need version 8.2 or higher, click OK.  Put the phone into DFU mode.  Once the phone is detected, hold Shift and click Restore, then select the iOS 1.0 firmware file. 

iTunes will display "Extracting software", followed by "Preparing iPhone for restore".  The screen on the phone will turn white, then display the Apple logo, and shortly afterward display the 'spinning' icon at the bottom of the screen.  iTunes will go through the typical restore procedure, and after about 5-10 minutes or so, your phone should restart into iOS 1.0. :)

After the restore is done, iTunes will show a message saying you need iTunes 10 or higher (for what reason, I do not understand).  Close iTunes and move on to Phase 3.

TROUBLESHOOTING: If you get error 1604 and your phone displays the regular "Connect to iTunes" screen, it means your iPhone may have synced after restoring to iOS 3.1.3.  Try the above steps once more.  If you end up with the same result, start over with a DFU mode restore to a fresh iOS 3.1.3 and be careful not to let iTunes sync it when the restore is done.


Phase 3 - Jailbreak, Activate, and Unlock using iLiberty+

The first thing you want to do in iLiberty+ is update the address for the repo.  Go to Tools, Options, and replace the old address with the new one:

http://iliberty.insideiphone.com/repo.plist

Do not check anything on the main screen (Standard tab).  Instead, select the Advanced tab, and then click the Refresh button.  Then select the "Available On Repo" tab (at the bottom), scroll down until you locate "Reflash baseband to 04.04.05_G (BL3.9 only)", check it off and click Download.

Next, click the Local tab (at the bottom) and check off the following payloads:
- Activate 1.0 - 1.0.1
- Downgrade bootloader from 4.6 to 3.9 (if you are certain that your phone has bootloader 3.9 you can leave this unchecked -- it's harmless if you're on 3.9)
- Reflash baseband to 04.04.05_G (BL3.9 only)
- Unlock 03.14.08_G - 04.04.05_G

Cydia is included, however it's a very old version and not well supported as I'm sure you can imagine.  It does work, but it sure doesn't like talking to the repo.  There are also very limited options for software.  I personally chose to leave it off my phone to keep the stock home screen.

When you're ready, click Go for it! After a couple seconds iLiberty should ask you to disconnect and reconnect the phone.  After doing so click OK.  You should then see a progress bar as the ramdisk is uploaded, and the status bar (at the bottom) will say "Sending ramdisk to device..." followed by "Booting ramdisk..."

Once it says "Booting ramdisk..." click the Other Tools tab and the 'Jump Out of Recovery Mode' button which should kick-start the process.

Pass 1 of iLiberty+ should now run, which looks like a lot of text scrolling on your screen.  After 20-30 seconds your phone will reboot and display the Apple logo, followed by iLiberty Pass 2. 


Wait for Pass 2 to finish (takes about 7-8 minutes for everything to complete), after which your phone will reboot.  Everything should now be hunky dory.  Enjoy iOS 1.0! :)
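
The payload selection in Phase 3 depends on two strings, the bootloader version and the baseband version. The script below is an added example (it is not part of the original post or of iLiberty+) that turns the versions quoted in this guide into a pre-flight check; the function names bb_key, classify_baseband and plan_payloads are hypothetical, and it assumes you have read the two version strings off the phone yourself.

```shell
#!/bin/sh
# Added example, not part of iLiberty+. Function names are hypothetical;
# version strings and payload names are the ones quoted in this guide.

UNLOCK_MIN="03.14.08"    # lowest baseband the unlock payload supports
UNLOCK_MAX="04.04.05"    # highest baseband, and the reflash target
REFLASH_BL="3.9_M3S2"    # bootloader string the reflash payload expects

# bb_key VERSION: print a sortable integer for NN.NN.NN or NN.NN.NN_G.
# A leading 1 keeps shells from reading "03..." as an octal number.
bb_key() {
    core=${1%%_*}
    case $core in
        [0-9][0-9].[0-9][0-9].[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    printf '1%s\n' "$(printf '%s' "$core" | tr -d '.')"
}

# classify_baseband VERSION: print below, supported or above relative to
# the unlock range; status 2 if VERSION is not a baseband string.
classify_baseband() {
    k=$(bb_key "$1") || return 2
    if [ "$k" -lt "$(bb_key "$UNLOCK_MIN")" ]; then
        echo below
    elif [ "$k" -gt "$(bb_key "$UNLOCK_MAX")" ]; then
        echo above
    else
        echo supported
    fi
}

# plan_payloads BOOTLOADER BASEBAND: print the Local-tab payloads to tick,
# in the order the guide lists them.
plan_payloads() {
    bl=$1
    bb=$2
    state=$(classify_baseband "$bb") || {
        echo "unrecognised baseband: $bb" >&2
        return 1
    }
    if [ "$state" = above ]; then
        # e.g. the 04.05.04_G phone reported in the comments
        echo "baseband $bb is newer than $UNLOCK_MAX; Phase 3 does not cover it" >&2
        return 3
    fi
    echo "Activate 1.0 - 1.0.1"
    # The reflash payload aborts unless the bootloader reads 3.9_M3S2.
    [ "$bl" = "$REFLASH_BL" ] || echo "Downgrade bootloader from 4.6 to 3.9"
    # The guide always moves the baseband to 04.04.05_G before unlocking.
    [ "${bb%%_*}" = "$UNLOCK_MAX" ] || echo "Reflash baseband to 04.04.05_G (BL3.9 only)"
    echo "Unlock 03.14.08_G - 04.04.05_G"
}

# Constructed sample: a phone fresh from Phase 2 (iOS 1.0 ships 03.12.08).
plan_payloads "3.9_M3S2" "03.12.08"
```

A non-zero exit status from plan_payloads means the phone falls outside the combinations this guide was tested on.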

34 comments:

Matthew Kristof said...

I am trying to downgrade a 4g iPhone 2g to 1.0 from 3.1.3, like your instructions. I tried all your methods. I have an old computer that wasn't needed anymore, and I took my old copy of XP Pro and installed it clean. I installed iTunes and iLiberty.

I've tried about eight times now, but I keep getting stuck. On the screen, it says "Restoring iPhone firmware", then it stops and says "the Phone could not be restored. An unknown error has occurred. (1012)."

I don't know of any fixes for this error. What am I doing wrong?

Unknown said...

I followed the instructions rigorously but I have a problem. When I downgrade with iOS 1.0, iTunes stops on "waiting for iphone". What can I do? I tried many things (other computers, other iTunes versions) but it's still not working.

sysadmin said...

Mr. Matthew,
If you go to iLiberty+ and select tools, then select boot out of recovery mode, it should work.

Matthew Kristof said...

I have the same problem as victor...

I got it down to 1.1.4 and when I try to get 1.0 on it, it says "waiting for iPhone" and is stuck in a loop.

help!

sysadmin said...

Well, you could try to restore the iPhone to iOS 3.1.3, and restart the operation. Instead of selecting iOS 1.1.4 though, select iOS 1.0

Anonymous said...

Do you absolutely need a SIM card in the phone to do this? I'm at the iLiberty step now and it's not working because iTunes won't pair with the phone since it doesn't have a SIM.

Jason Cox said...

Dammit, I couldn't get this either. Same roadblock as Matthew. There must be a way!

Dylan Cooke said...

For those having troubles, all I can suggest is to make sure you are using all the exact same software versions that I listed. The Windows XP I used had SP3 installed and was a brand new install without any Windows updates or anything else installed. I just installed WinXP SP3 in VMware Workstation 8 and then immediately performed the procedures listed.

As soon as XP SP3 was installed I made a snapshot in VMWare, so I could go back and try different iTunes versions without having to uninstall/reinstall, which seems to mess iTunes up.

I ran into MANY failures such as error 1600, error 1012 and many other errors, and ultimately the only way I was able to make it work was to use the exact software versions listed.

Once I was able to make it work that way, I repeated the procedure about 30-40 times to make sure the procedure I developed was spot-on. I did try back-tracking and trying a few other versions with what I'd learned, but ultimately found that there was only one procedure that worked reliably.

If this procedure doesn't work for you after following it exactly, it must be some other combination of factors that is preventing your hardware/software from working like mine did. In that case I'm really not sure what to suggest, other than to keep trying!

Nate: I'm fairly certain I always had a SIM card in the phone when I was trying to hacktivate it.

Dylan Cooke said...

Also, I should add that I didn't downgrade the phone to 1.1.4 or any other version in between.

First I did a DFU restore to iOS 3.1.3 using my Windows 7 laptop and iTunes 11 (latest version of iTunes should work fine). It's important to unplug the phone as soon as the restore is complete, so that iTunes doesn't sync with it.

Once it's at iOS 3.1.3 without being synced, that is basically your starting point. From then you should be able to use iTunes v7.5.0.20 on a fresh VMware install of WinXP SP3 to downgrade directly to iOS 1.0 in one step.

You also need to make sure the VM has internet access, as iTunes will need to contact Apple's servers in order to do the restore.

sysadmin said...

I actually successfully downgraded to iPhone OS 1.0, but I have no idea how to get music or videos on the iPhone afterwards.

soundmattersnl said...

Hello!

Thanks for this awesome manual!
It seems like my iPhone has a weird modem Firmware: 04.05.04_G This makes the process in step 3 fail.

Any tips on how to fix this?

Thanks so much for replying!

Dylan Cooke said...

soundmattersnl:

One thing you could try is editing the iLiberty payload so that it bypasses the firmware version check.

To do this you would go into the iLiberty's Payloads folder and open the 01BL39BasebandTo040405 file with a text editor (I recommend TextPad, Notepad won't display it properly). Near the beginning of the script you will see this:


echo "Checking baseband versoin..."
GetBootloaderVersion bl_ver
if [ ${bl_ver} != "3.9_M3S2" ]; then
echo "Wrong bootloader version: ${bl_ver}"
echo "Abort in 10 seconds"
sleep 10
exit 1
else
echo "Bootloader version: ${bl_ver}"
fi


You can simply remove the entire section I've listed, or you can change the version it's comparing to so that it matches your phone.

Either option will bypass the version check and force a reflash of 04.04.05_G.

This is of course at your own risk. There's a possibility it could screw up the baseband on your phone as you are basically forcing an upgrade. My best guess is that it will work fine.

Let me know how it goes! I hope it works out for ya! :)

Jason Cox said...

So close... I still get the 1012 error when restoring to 1.0 via iTunes 7.5 but I carry onto iLiberty and it seems to work, but I get stuck at the activation screen....forever. :/ Bummer!

app73n3rd said...

I successfully downgraded to 1.0 but iTunes won't recognize my phone to sync. Any suggestions? Any computer I try has this problem and other phones are recognized. I have tried iTunes versions 7.3, 7.5 and newer. Thanks

ASHLEEEEE x said...

Can somebody please upload the iLiberty file somewhere? The link for it is down and I can't do this :(!! Thank you!

app73n3rd said...

I have all the files ASHLEEE. email me

app73n3rd AT gmail DOT com

app73n3rd said...

I've done this a few times now to different 2g iPhones. You must have had your baseband flashed with Pwnagetool for it to work. If you dig up an old iPhone on an old firmware, update it to 3.1.3, neuter and flash with Pwnagetool, then you can successfully downgrade and use iLiberty.

Unknown said...

It says error on http://iliberty.insideiphone.com/repo.plist. 115

Cheloute said...

@Michael Ferris
insideiphone.com isn't active anymore.

If you can get the payloads you need, it doesn't matter.

Get a copy of iLiberty from https://web.archive.org/web/20120101122455/http://iliberty.insideiphone.com/Setup/iLibertySetup_1.3.0.113.exe

And a copy of the following payload, not included in the iLiberty package: http://www.mediafire.com/?wyfwyg0x7gm Unzip it into the payload folder of iLiberty as you did with the Payload-Activate10And101 package, restart iLiberty and you'll see all the needed payloads in the local tab.

Next, everything should be right.

leart78 said...

Holy crap, it worked on my first iPod. Before this tutorial I always collected just failures, thank you very much dude :D

Jeremy said...

I've followed the steps carefully but am now stuck restoring.
The iPhone is on the Apple logo with the spinning wheel down the bottom, iTunes says "Waiting for iPhone" and sits there.
Running on Dell laptop with XP SP3, clean install of the software you've linked to. Any ideas why the restore doesn't progress? Definitely in DFU mode

imodfrenzy said...

iLiberty link is broken, Wayback Machine has it though, in case you have problems finding it.

Cheloute said...

If you have any "Waiting for iPhone" trouble, make sure your iPhone was originally delivered with iPhone OS 1.0. I mean, the iPhone 16GB was released almost one year after the iPhone 4GB and iPhone 8GB, so its first iPhone OS can't be 1.0, but 1.1.3 or even 1.1.4 (both released in early 2008)

This tutorial works great for iPhone 4GB and 8GB, but not for iPhone 16GB...

leart78 said...

Well, that's obvious lol

Unknown said...

Very good! Thanks mate. In a new Windows 7 SP1 without updates I get not one error.

Unknown said...

I wanted my phone to be unlocked too but I just called AT&T and they factory unlocked it for me even though I have never had an account with AT&T. You can also buy an AT&T IMEI unlock on eBay for $1 and I've done that with several iPhones as well. Thanks for this guide! I am wanting to do the same thing but I actually purchased my iPhone 2G from the Apple Store myself in 2007. I then continued to use it for 6 years. And it still works!!! These things are tanks! Needless to say, I am quite connected to my first ever iPhone.

jcoz00 said...

I keep getting stuck on restoring iPhone firmware when trying to downgrade. Any ideas?

Unknown said...

This process still works, just completed it successfully 2/2019. I ran into an issue when I did this where iLiberty would only work the first time after a fresh flash to iOS 1.0. If I tried to use iLiberty a 2nd time without completely reflashing the phone again I'd get an error. Also, the 'Reflash baseband to 04.04.05_G (BL3.9 only)' is no longer available in the online repository and it's not included with the original iLiberty download local files. I was able to get ahold of the original creator of these files, George Zhu, and he was able to dig them up before he deleted them forever. See below for the download links. Put these files into the payload folder of iLiberty and you'll see the 'Reflash baseband to 04.04.05_G (BL3.9 only)' available for selection along with all the other payloads the instructions require you select to successfully downgrade.

https://drive.google.com/file/d/1mw2kVK3dhyHQYp5raqYOxXMzATJ5FWNz/view?usp=sharing
https://drive.google.com/file/d/1Hs2UJKLZqpDwNqbnjI648GzPxaqoDVW3/view?usp=sharing

Daniel said...


Hello, I'm desperate. I have an iPhone 2G from 2007 that can be downgraded, because it is from week 30. When I try to downgrade to iOS 1.0 the screen is blank and iTunes is waiting for the iPhone. I think it's because I have the bootloader at 4.6, because when I use redsnow I always configure it as 4.6 and not 3.9. I tried to downgrade it but I do not know how. HELP

Doc said...

Thanks "Unknown" for the 2 links for Iliberty reflash baseband payloads!!!

Really helped!!

Donny said...

Doubt I’ll get a response, but worth a try. I’m able to downgrade my 1st gens to iOS 1.0 every time, but the phone stays on the screen with the spinning wheel at the bottom the whole restore, then iTunes gives me error 1012, and the phone goes into recovery mode with the iOS 1.0 caution symbol.
I can then click Jump out of recovery mode in iLiberty, and get to the Activation screen. ZiPhone works to activate the phone, but iLiberty won’t unlock the phone, says “Failed, abort in 10 seconds”. The baseband and bootloader of my 4GB are 04.04.05_G and 3.9_MS32.
ZiPhone doesn’t unlock them either, inserting a SIM gives “Incorrect SIM” message. Any ideas? Using Dell laptop XP SP2, I’ll try SP3

Donny said...

*3.9_M3S2, and SP3 has the exact same issue

app73n3rd said...

iOS 1.0 unlock with sync
Install 1.0
Use iBrickr to modify
Use ZiPhone to jailbreak and activate
Install anysim 1.0 with iBrickr
Run anysim

Guide:

Install iTunes 7.5. I used a virtual machine running Windows XP.
DFU restore iOS 1.0 by holding shift and clicking restore in iTunes. Point to 1.0 IPSW.
After restore, let iTunes recognize iPhone.
Quit iTunes.
Install iBrickr in Windows and launch.
Free your phone with iBrickr. It will boot into recovery, but you can fix it on the next screen.
Once phone reboots, install and open ZiPhone.
Select Jailbreak and Activate. Do NOT attempt to unlock, as you’ll get no service at all when it finishes.
Insert desired SIM card.
Open iBrickr again and click to install applications.
Follow the steps and reboot when prompted.
Install PXL for anySIM. I used the earliest version 1.0.
Open anySIM on your iPhone and run it. The process takes about 10-15 minutes. It will give an error at the end but it can be ignored.
Use iBrickr to remove anySIM once unlock finishes.
You now have an unlocked iPhone running 1.0 that will sync with iTunes.