How to downgrade the bootloader on an out-of-the-box 1.1.2

This method was originally developed by George Hotz, as you can see in his blog. Big thanks to him, and to the rest of the guys who helped him make this possible.

Before you start

Step 1: Prepare your phone and install software

First of all, downgrade your phone to 1.1.1 (main firmware only) and then jailbreak/activate it (don't unlock the SIM lock).

Now, launch Installer and let it refresh its sources. Then tap on Sources, Edit, Add: http://i.unlock.no/ Now tap on Done, then install the following packages in the listed order:

The commands you will run during the bootloader downgrade process can be run either from the Terminal application on the phone, or on a computer using SSH over Wi-Fi. But since people are reporting that Wi-Fi is lost during erasing of the baseband, I'm going to use the phone terminal as the example in this tutorial.

Step 2: The hardware part: Disassemble your phone

Removing the covers from the phone is considered by most people to be the hardest part of the entire unlock solution. There is no really obvious advice to give on this one, but here is a tutorial that shows some pictures (STOP AT PAGE 5/9!).

After you have removed the rear covers, you will see a metal shield/cover over the baseband. This one needs to be removed as well. Use a tiny screwdriver or similar to carefully lift it a little all the way around (you could lift out the battery to reach the side facing it). There are two places where the shield is glued, so you'll either need to heat it up, or just use force. You now have access to the testpoints which you will need to connect in Step 4.

Some pictures showing the two testpoints: [three photos of the testpoints, not reproduced here]

In the next step you are going to connect point A to point B. Point B is a 1.8 V power source which should be led to A, which is the innermost trace on the board. The best way is to use two needles connected with a wire. If you have unlocked Nokia BB5/Siemens/Motorola phones before you are already familiar with this. Since the area is pretty clear of components it's "impossible" to damage anything if you are just a little careful.

Below is a picture of the needles I used (coming from a professional unlocking device). They are spring loaded to make it easier to hold them stable. But as the picture to the right demonstrates, some regular needles supported by corks from Bulgarian wine will also do (thanks to nasko for the pic).

[two photos of the needles, not reproduced here]

But first, you'll need to expose a point in the trace (A). With something ultra-small or thin, scratch VERY CAREFULLY on the wire until you see a golden surface. If you scratch too much, the trace will be cut and your phone is bricked (or maybe only the phone part?). Depending on what kind of needle you use, you might be able to just put the needle in it with a little pressure instead. You should not scratch the entire trace, only a tiny point to set the needle at!

Step 3: Erase baseband

Launch the terminal by tapping the Term-vt100 icon on your springboard.
Type these commands:

launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
cd /usr/bin/

Some data should scroll through the screen.

Do not restart your phone after the flash is erased!

Step 4: Write the old bootloader

You'll need to connect the testpoints at the same moment the iunew executable runs. Since both your hands are busy with the testpoints, here is a nice trick to run the command with a 20 second delay (or any delay you need to prepare the testpoint):

sleep 20; iunew

Right after you hit return, grab your needles, and set the first needle in point A. Then put the second needle on point B. Note: If you have trouble keeping it stable on top of the capacitor, you could just put it right next to it, leaning onto the side of the capacitor. If you set the delay to 20 seconds, make sure at least 25 seconds have passed since you executed the command before you release the testpoint and check what the terminal outputs. It should say one of the following:

Step 5: Completing the downgrade and start unlocking

Congratulations, you have completed the hard parts. Right now the phone is missing its baseband firmware, so you need to flash it. To flash the baseband, run these commands (the first one takes a few minutes):

bbupdater -f 111.fls -e 111.eep
bbupdater -v
launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist

After you run "bbupdater -v" it should show the current status of the baseband. If it says BOOTLOADER_VERSION:3.9_M3S2, everything is working.
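As an added example that is not part of the original tutorial, the POSIX shell script below ties Steps 3 to 5 together and replaces the "check by eye" at the end with a string test on the bbupdater output; the same classifier also recognises the 04.03.13 case from the troubleshooting section. It assumes ienew, iunew and bbupdater are run from /usr/bin with exactly the arguments shown on this page, and that the only output token worth matching is BOOTLOADER_VERSION:3.9_M3S2 (the sample outputs at the bottom are constructed, not real bbupdater output).

```sh
#!/bin/sh
# Added example, not the tutorial's own script: wraps the Step 3-5 commands
# with the checks a careful operator wants, and classifies 'bbupdater -v'
# output so the result is decided by a string test rather than by eye.
# Assumptions (not stated on the page): ienew, iunew and bbupdater are run
# from /usr/bin with only the arguments the tutorial shows, and the only
# known token in bbupdater's output is BOOTLOADER_VERSION:3.9_M3S2.

COMMCENTER=/System/Library/LaunchDaemons/com.apple.CommCenter.plist

# Classify the text printed by 'bbupdater -v'. Prints exactly one word:
#   baseband-113  04.03.13 baseband (1.1.3): this method does not apply
#   downgraded    bootloader 3.9_M3S2 is in place: the downgrade worked
#   unknown       anything else: stop and do not restart the phone
bb_status_class() {
    case $1 in
        *04.03.13*)                    echo baseband-113 ;;
        *BOOTLOADER_VERSION:3.9_M3S2*) echo downgraded ;;
        *)                             echo unknown ;;
    esac
}

# The Step 4 trick ("sleep 20; iunew") as a function: wait, then run the
# command, leaving both hands free for the testpoints in the meantime.
delayed_run() {
    _delay=$1
    shift
    sleep "$_delay"
    "$@"
}

# Stopping CommCenter is what avoids the "Resource Busy" error; it is
# loaded again only once the baseband has been flashed back.
baseband_stop()  { launchctl unload "$COMMCENTER"; }
baseband_start() { launchctl load "$COMMCENTER"; }

# Steps 3 to 5 in order. Never runs just because this file is sourced.
downgrade_sequence() {
    delay=${1:-20}
    baseband_stop || return 1
    cd /usr/bin || return 1
    ienew || return 1                      # Step 3: erase the baseband flash
    echo "Flash erased. Do NOT restart the phone."
    echo "Connect point A to point B now; iunew starts in $delay s."
    delayed_run "$delay" iunew             # Step 4: write the old bootloader
    bbupdater -f 111.fls -e 111.eep        # Step 5: reflash the 1.1.1 baseband
    status=$(bbupdater -v 2>&1)
    echo "$status"
    case $(bb_status_class "$status") in
        downgraded)
            baseband_start
            echo "Bootloader 3.9_M3S2 present; continue with the unlock." ;;
        baseband-113)
            echo "04.03.13 baseband: this method cannot downgrade it."
            return 1 ;;
        *)
            echo "Unexpected bbupdater output; see the troubleshooting section."
            return 1 ;;
    esac
}

# Constructed sample outputs for checking the classifier off the phone.
SAMPLE_GOOD='BOOTLOADER_VERSION:3.9_M3S2'
SAMPLE_113='firmware 04.03.13 (constructed sample line)'

# Only perform the real sequence when asked explicitly: sh script.sh run [delay]
if [ "${1:-}" = run ]; then
    downgrade_sequence "${2:-20}"
fi
```

Run it as `sh downgrade.sh run 20` from the phone's terminal; without the `run` argument it only defines the functions, so you can source it and call `bb_status_class "$(bbupdater -v 2>&1)"` on its own to re-check the baseband state at any point.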

If you are going to stay on 1.1.1, just install AnySIM, found in the Unlocking tools category, and unlock it now.

If you are upgrading to 1.1.2 or 1.1.3, install Oktoprep, found in the Tweaks 1.1.1 category, and then perform an upgrade (NOT a restore!) to 1.1.2 (hold the shift/option key to manually select the firmware). When the upgrade is complete, jailbreak iPhone 3G on your device using this Java application, and unlock with AnySIM 1.2.1u, found in the Utilities category. If you want to upgrade to 1.1.3, install "Official 1.1.3 Upgrader", found in the System category.

Troubleshooting and common problems

I get "Did you erase the flash first?" error

Make sure you have erased the baseband with ienew. If you already did that and still get this error, you probably have the 04.03.13 baseband firmware (1.1.3). To check this, type this command: bbupdater -v. If you have 04.03.13 you are out of luck and need to wait for the next firmware to be released.

I get a "Resource Busy" error - why?

You probably forgot to disable the baseband. Run the following command:

launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist

To enable it again when you are done unlocking, use the following command:

launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist

I lost Wi-Fi - now it just says "No Wi-Fi"

Complete the procedure using the terminal on the phone. If you have already finished writing the NOR, just restore to 1.1.2.

I have other problems - where can I get help?

Please don't email me if you need help. I suggest that you post your questions/problems in this topic in the Hackint0sh discussion forum.

