I got an iPad 1g wifi+3g 64g it had 4.3.5 firmware.

Windows 7 (64bit)

I downloaded redsnow 0.9.8b4 and iOS 4.3.4 & 4.3.5 and jailbroke using the 4.3.4 firmware method. It work fine and I had been using it for a few weeks. I wanted to use wifi-sync but found that I needed to down grade iTunes from 10.4.1.10 to 10.0 inorder for it to work. So I downgraded iTunes to 10.0 I ended up not messing with wifi sync. I decided to try to downgrade firmware to 4.3.3 so I could have an untethered Jailbreak. I did tons of reading and searching google. I reinstalled 10.4.1.10 I downloaded iOS 4.3.3 with Internet Explorer and changed the file ext from .zip to .ipsw. I also downloaded a buch of .exe file that I would/might need.

List of files I downloaded:

TinyUmbrellas 5.00.11
Fixrecovery43
iFaith-v1.3.2
iREB-r4
sn0wbreeze-2.7.3

ipsw files downloaded:

4.3.3
4.3.4
4.3.5


I then followed the downgrading "how-to that" on Redmondpie that said to change the host file.

This the host file that I used for this:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
74.208.105.171 gs.apple.com


I got an iTunes error code of 21. After searching on Google I found something about adding another server id to the host file (74.208.10.249 gs.apple.com) I tried with the # in front of it and with out the # no luck.

Got code 3194 this time. Found that I needed to have tinyunmbrellas TSS server running. Did that. Still got error 3194 tried rebooting computer and a few other random "fixes" that didn't work. I eventually changed the host file back to origninal and did a full iTunes restore to their current iOS 4.3.5. Jailbroke with redsn0w and saved shsh blobs in Tinyumbrellas. Tried downgrade again with TSS server running. Eventually I got it to work sort of. I think iTunes downgraded it because it showed it as working normal on iTunes and showed the current firmware as 4.3.3. but iPad was stuck in recovery mode. I went back to Google and tried a couple of things to fix it and finnaly kicked it out of recovery mode but now it had a blank screen! I then tried to restore again through iTunes useing the same iOS 4.3.3 but after that it no longer showed it was connected and working normal. I tried it multiple time in different ways that I found on google that said it would fix it. Each time I tried it I got an error code. Each time the code was one of these 3194, 20, 1600, 1601, 20. I then used iREB to put it into pwned dfu mode and tried to restore to 4.3.3 with itunes like it was a custom firmware. It sort of worked. I was no longer getting itunes errors but it still had a blank screen! I tryed to fix this using different fixes I found on Google. Still blank screen and not sure which mode its in. Last thing I have tried was iTunes restore with host file changed and selecting firmware 4.3.3. while running tinyumbrellas TSS server. Got Error code 1600 and blank screen! I dont know what else to try. Maybe I didn't do something exactly right. PLEASE HELP

As this is about a jail broken iPad I have moved this to the hacking forum.

The Archangel

The very first - and most important question - for you is: Do you have saved SHSH blobs for iOS version 4.3.3? I did not see you mention those blobs...

If you do not have the blobs, then the only thing you can do is put 4.3.5 back on it and go back to the tethered jailbreak.

If you do have them, restore the iPad using them and then you can jailbreak that version.

Let us know how you're getting on.

Marilyn

After much trial and error and more research I found out that because Apple stopped "signing" 4.3.3 I would have to have saved the singed 4.3.3 shsh blobs. I never had 4.3.3 so I dont have them. Which means no downgrading possible for 4.3.5 so I just restored factory ios and did tethered jailbreak with redsn0w. I guess I have to wait for iOS 5 to be released and hope someone finds a way to do an untethered jailbreak for that.

Good job. And yes, you are correct.
The dev team has already found some untethered jailbreaks for iOS 5 they are just waiting for the GM so apple can't patch them before everyone gets it.

I was reading something about a bootrom exploit that involves tricking the bootrom into thinking some kind of image size is larger than it is and so somehow rewrites a small portion of the "read only" boot file in effect allowing permanent untethered jailbreaking and the use of non-signed iOS(which means being able to downgrade to a non-signed iOS with out using saved signed blobs)? Dev team called it SHAtter but hasn't officially released it yet. One of the Dev team guys explained a little about it at the MyGreatFest convention back on the 17th.

Anybody know any details about that exploit?

I've never heard about it.

Sounds pretty beta to me.

Originally Posted by zeroweaver

I was reading something about a bootrom exploit that involves tricking the bootrom into thinking some kind of image size is larger than it is and so somehow rewrites a small portion of the "read only" boot file in effect allowing permanent untethered jailbreaking and the use of non-signed iOS(which means being able to downgrade to a non-signed iOS with out using saved signed blobs)? Dev team called it SHAtter but hasn't officially released it yet. One of the Dev team guys explained a little about it at the MyGreatFest convention back on the 17th.

From what I understand, you've got some fact and fiction mixed up in there based on what p0sixninja explained at MGF. He made the explanation only as an educational excercise on how an exploit works. He was not announcing some new exploit features.

SHAtter was an exploit that allowed unsigned code execution from a flaw in the bootrom of A4 based devices. There was much chatter about it a long time ago before we got the limera1n exploit for GeoHot, which he released at the very last minute to preserve SHAtter from being discovered by Apple as they were already aware of the limera1n problem and were certainly going to patch it in the A5. The idea was maybe they would not patch SHAtter. Unfortunately, they did discover it too and it was also patched in the A5. Therefore, SHAtter, whilst perfectly viable, was never used or released in a public jailbreak because limera1n did the same job perfectly well and was released first.

Where you move into realms of fiction is that it somehow permanently untethers and allows the use of non-signed IOS without blobs. It does not. It is simply a boot time door to deploy a payload in the same way limera1n works for tools like redsn0w, sn0wbreeze, and pwnage (which all use the limera1n exploit). These tools could be recoded to use SHAtter and perform the same function, but you would not magically get permanent untethers or SHSH Blob bypassing. It cannot re-write a read-only file. What it does is corrupt the run-time copy of it which is used to boot the device, however this run-time copy is always loaded from the read-only bootrom every time the device restarts.
If any of those additional things you suggested were possible then SHAtter would have been progressed and released a long time ago. I'm afraid it just doesn't work like that

As things stand it is likely that we will not see anything released using SHAtter as it is just too much of a slog for whoever does it for very little reward, since limera1n does the same thing and is proven to work.

Hope that clarifies.

Does anyone know if there might be an untethered jailbreak for 4.3.5 after iOS5 5 is released?