How to downgrade iPhone 3GS from iOS 6.1.6 to 4.1 (Baker) – No blobs, No iPad Baseband – Full Carrier Support WITH PROOFS!

I originally created this method because on YouTube you could only find a method that requires you to have the OLD Bootrom (very rare devices) in order to flash an iPad Baseband, as Apple does sign the 4.1 IPSW but not its Baseband. New Bootrom iPhone 3GS units get bricked forever if you use that method. Another method I found on YouTube required you to actually have SHSH Blobs saved, which of course I don't have and most likely you don't have either. SO I CREATED MY ORIGINAL method, which DOESN'T require you to have the OLD Bootrom or any blobs, and you can restore with no issue.
Also, as a bonus, you get signal on your carrier, so you can be on iOS 4.1 (you're getting vintage, aren't you?) and you can still call, access 3G internet and send messages.

If you consider my research and my work valuable for the iOS community, please SUBSCRIBE, give a rating (be it a like or a dislike, depending on what you feel) and share this video 🙂

The iPhone 3GS exists in two different versions. Seven months after the 0x24000 Segment Overflow exploit was exposed, Apple began selling new 3GS units with a new bootrom that was, of course, immune to this exploit.

According to The iPhone Wiki, this exploit's aim is to gain arbitrary code execution capability.

The exploit, as proposed by planetbeing, uses the overflow to overwrite one of the addresses of the SHA1 registers. The particular register is the only one that directly copies data to be hashed into the hardware (or into an arbitrary memory location, once the destination address has been overwritten). Code execution is achieved by writing data into the stack, specifically by overwriting the LR of the function performing the write to the "SHA1 register" so that instead of returning to the main SHA1 routine, it returns to a chosen location in memory that contains the payload code. The location chosen is within the range of memory that is filled with the LLB's IMG3, so that the payload code can be placed within the LLB's IMG3. – The iPhone Wiki

Things you need:
RedSn0w and Sn0wBreeze:
iOS 4.1 iPhone 3GS IPSW:,1_4.1_8B117_Restore.ipsw


P.S. This video and the site are protected by copyright (D.M.C.A.); therefore, copying it will, of course, result in a strike, as we report anything copied.


About GeoSn0w

Expert Programmer | Security Analyst | Content Creator | Web Designer

I like to bring the latest news from the iOS / iDevice / Jailbreak battlefield to you in a beautiful manner :) I hope you like the site. If you do, don't forget to check out my channel :)
