PwnageTool: An In-depth Look

PwnageTool is the revolutionary new software that allows custom-made firmware files (.ipsw) to be uploaded to iPod Touches and iPhones straight through iTunes. Recently distributed by the iPhone Dev Team, it’s going to revolutionize the jailbreaking scene. And I’ve taken an in-depth look at how it works, how to customize it for your own use, and a guide to using some of the basic features.

.:How It Works:.

Built into the iPhone OS is a low-level check that verifies a firmware image comes from Apple; that check is what blocks custom firmwares. Whereas jailbreaking a phone only gives you limited write access to Apple's own firmware, Pwnage tells that low-level firmware component to skip the check, which allows far freer customization.

The best part about this is, because the check is very low-level, it’s basically the same in all versions of iPhone OS. Right now only 1.1.4 is supported by PwnageTool (along with one of the 2.0 betas), but in the future the 2.0 firmwares will be just as easily hacked.

As of right now, the official version of Pwnage is only available for Mac (10.4.11 and above). However, a separate party has been working on a Windows version, Winpwn. It’s still in beta though, so be careful.

.:How to Use:.

Using Pwnage is probably one of the easiest iPod/iPhone hacking processes yet. Here’s how it goes.

(May ’08: For now, this is only for iPods, because I do not have a phone and don’t know how different the process is. Apple Juice hopes to have an iPhone writer soon.)

PART 1: Downloading

A) Download Pwnage here: http://iphone-dev.org/

B) We need a firmware file to activate the program. Currently, the only iPhone OS 1.X version supported is 1.1.4: iPod1,1_1.1.4_4A102_Restore.ipsw. Make sure you keep it in a folder that is easy to find later.

PART 2: Preparation

There are a couple of steps you need to take before we can get a’Pwning.

A) First, we need to load that IPSW iPod restore file. Open up Pwnage and click on the “Browse .ipsw” button. Navigate to wherever you saved that file, highlight it and click “Open.”

*NOTE: Custom firmwares you create later cannot be loaded in this way. Much like the iPhone OS checks, PwnageTool has its own checks that only allow the original 1.1.4 firmware file (along with, at time of writing, the firmware file for the iPhone OS 2.0 beta 5a225c).*
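Before you feed a restore file to PwnageTool it's worth making sure you really have the genuine iPod 1.1.4 file and that the download didn't get mangled. Here's a small Python checker I've added for that (my own code, not anything from the Dev Team): it parses the filename format shown above, checks the file is a valid zip archive containing Restore.plist (the standard manifest inside an .ipsw), and optionally compares the file's SHA-256 with a digest you supply. The post doesn't give a digest for the 1.1.4 file, so the expected hash is a placeholder you'd fill in from a source you trust.

```python
import hashlib
import re
import sys
import zipfile
from pathlib import Path

# Filename pattern taken from the article: iPod1,1_1.1.4_4A102_Restore.ipsw
IPSW_NAME = re.compile(
    r"^(?P<device>[A-Za-z]+\d+,\d+)_(?P<version>\d+(?:\.\d+)*)_(?P<build>[0-9A-Za-z]+)_Restore\.ipsw$"
)

# The only restore file the article lists by full name as accepted by PwnageTool.
ACCEPTED = {("iPod1,1", "1.1.4", "4A102")}

# Placeholder: replace with the real digest from a source you trust.
EXPECTED_SHA256_PLACEHOLDER = "0000000000000000000000000000000000000000000000000000000000000000"


def parse_ipsw_name(name):
    """Split an .ipsw filename into device, version and build; None if it doesn't fit the pattern."""
    match = IPSW_NAME.match(name)
    return match.groupdict() if match else None


def sha256_of(path):
    """SHA-256 of a file, read in 64 KB blocks so a large firmware doesn't sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(1 << 16), b""):
            digest.update(block)
    return digest.hexdigest()


def inspect_ipsw(path, expected_sha256=None):
    """Run the checks and return a dict describing what passed."""
    path = Path(path)
    info = {"name_ok": False, "accepted": False, "is_zip": False,
            "has_restore_plist": False, "digest_ok": None}
    fields = parse_ipsw_name(path.name)
    if fields:
        info["name_ok"] = True
        info.update(fields)
        info["accepted"] = (fields["device"], fields["version"], fields["build"]) in ACCEPTED
    # An .ipsw is a plain zip archive; Restore.plist describes its contents.
    if zipfile.is_zipfile(path):
        info["is_zip"] = True
        with zipfile.ZipFile(path) as archive:
            info["has_restore_plist"] = "Restore.plist" in archive.namelist()
    if expected_sha256 is not None:
        info["digest_ok"] = sha256_of(path) == expected_sha256.lower()
    return info


if __name__ == "__main__":
    for arg in sys.argv[1:]:
        result = inspect_ipsw(arg, EXPECTED_SHA256_PLACEHOLDER)
        for key, value in result.items():
            print("%-18s %s" % (key, value))
```

Run it as `python check_ipsw.py iPod1,1_1.1.4_4A102_Restore.ipsw`; anything other than True for the first four fields means PwnageTool is going to reject the file anyway, and a False `digest_ok` means the bytes don't match the digest you were expecting.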

B) Pwnage requires your iPod/iPhone to be in Recovery mode. To do this easily, follow these steps:

  1. Turn the iPod/iPhone off by holding down the “Power” button and sliding the red slider when told.
  2. Plug the iPod into the computer while holding down the “Home” button. The iPod should turn on, Apple logo and all, but keep holding that “Home” button until the “Connect to iTunes” screen pops up.

C) iTunes will pop up with a message saying “iTunes has detected an iPod in recovery mode. You must restore this iPod before it can be used with iTunes.” Ignore it, and quit iTunes. PwnageTool cannot pwn an iPod if iTunes is open.

PART 3: Pwnage

Now for the fun part!

A) Click the “iPwner” button.

And that’s it. This message will come up:

And the process will run itself. In about 2 minutes the iPod will restart, only instead of the traditional silver Apple, a pineapple will appear! That’s your cue to start uploading new custom firmwares. Which leads us to…

PART 4: IPSW Builder

The whole idea behind the custom firmware business of Pwnage is that you can upload firmwares with extra programs already installed in them (as opposed to jailbreaking and adding them through Installer, one by one). Thus, a firmware file has to be created with these packages in them. Fortunately, the good iPhone Dev Team have provided us with a tool to do just that. To create your very own custom firmware file, follow these simple instructions:

A) Click the “IPSW Builder” button, which will bring up a new menu window thing. The first page, “General,” is all deactivated. This is because these options are for iPhones only, and, seeing as we’re not focusing on iPhones, this doesn’t bother us. (If Apple Juice finds an iPhone correspondent, you can be sure there’ll be an appendix to this guide pertaining to this page.)

B) Go to the tab labelled “Custom Packages.” Here you’ll find the list of custom packages you are able to install into your firmware. You’ll also find it… Rather empty. The only options by default are Installer (the standard package installer used by jailbreak methods such as ZiPhone), BSD Subsystem (a set of UNIX tools), and OpenSSH (a way to see the file systems of the iPod). Not very much choice. However, there are ways to add more options. The catch is, it’s a very complicated process. See the section “For Advanced Users” below.

Anyway, choose which packages you want to use by checking them off on the left.

C) This step is optional, but PwnageTool allows for the addition of custom boot and recovery images. There are STRICT guidelines for these though:

  • 320×480 maximum resolution
  • RGB or Greyscale
  • Needs to be transparent at some point (don’t worry, it shows up black); stated in PwnageTool as “alpha channel”
  • 24-bit PNG
  • Less than 100 KB in size

As long as you follow those, you can add any image you want. I like adding my own personal touch to any iPod I pwn, just as a hint of advertising.
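If you'd rather not find out by trial and error whether an image meets those rules, here's a small Python checker I've added (my own code, not part of PwnageTool). It reads the PNG's IHDR header directly, so it needs no image library, and checks each rule from the list above. My assumptions: "alpha channel" means a PNG colour type that carries alpha (greyscale+alpha or RGB+alpha), "24-bit" means 8 bits per channel, and "100 KB" means 102,400 bytes. The make_png helper builds a tiny all-transparent test image so the checker can be exercised without a real boot logo.

```python
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_WIDTH, MAX_HEIGHT = 320, 480
MAX_BYTES = 100 * 1024  # "less than 100 KB"; 1 KB = 1024 bytes is my assumption
# PNG colour types: 0 greyscale, 2 RGB, 3 palette, 4 greyscale+alpha, 6 RGB+alpha
COLOR_NAMES = {0: "greyscale", 2: "RGB", 3: "palette", 4: "greyscale+alpha", 6: "RGB+alpha"}
WITH_ALPHA = (4, 6)


def parse_ihdr(data):
    """Return the IHDR fields of a PNG after checking the signature and the chunk CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file (bad signature)")
    length, tag = struct.unpack(">I4s", data[8:16])
    if tag != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a well-formed IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(tag + body) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch (file is corrupt)")
    width, height, depth, color_type, _comp, _filt, _interlace = struct.unpack(">IIBBBBB", body)
    return {"width": width, "height": height, "bit_depth": depth, "color_type": color_type}


def check_boot_image(data):
    """Return a list of rule violations; an empty list means the image is acceptable."""
    try:
        hdr = parse_ihdr(data)
    except ValueError as err:
        return [str(err)]
    problems = []
    if hdr["width"] > MAX_WIDTH or hdr["height"] > MAX_HEIGHT:
        problems.append("resolution %dx%d exceeds %dx%d"
                        % (hdr["width"], hdr["height"], MAX_WIDTH, MAX_HEIGHT))
    name = COLOR_NAMES.get(hdr["color_type"], "unknown")
    if name in ("palette", "unknown"):
        problems.append("colour type %s: must be RGB or greyscale" % name)
    elif hdr["color_type"] not in WITH_ALPHA:
        problems.append("no alpha channel (colour type %s)" % name)
    if hdr["bit_depth"] != 8:
        problems.append("bit depth %d: expected 8 bits per channel (24-bit PNG)" % hdr["bit_depth"])
    if len(data) >= MAX_BYTES:
        problems.append("file is %d bytes: must be under %d" % (len(data), MAX_BYTES))
    return problems


def make_png(width, height, color_type=6, bit_depth=8):
    """Build a minimal all-zero (transparent black) PNG. Constructed test input, not a real logo."""
    channels = {0: 1, 2: 3, 4: 2, 6: 4}[color_type]  # palette images are not built here
    row = b"\x00" + b"\x00" * (width * channels * bit_depth // 8)  # filter byte + pixels

    def chunk(tag, body):
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(row * height)) + chunk(b"IEND", b""))


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            issues = check_boot_image(handle.read())
        print(path, "OK" if not issues else "; ".join(issues))
```

Point it at your boot and recovery images (`python check_logo.py boot.png recovery.png`) and fix anything it lists before opening IPSW Builder. The CRC check on the header is there because a PNG that's been truncated or corrupted in transfer is the sort of thing that's otherwise only noticed when the iPod refuses to boot.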

D) Then, once you’re satisfied, hit the “OK” button. PwnageTool will ask you where to save the file. Choose somewhere that it’s easily found later on. And, like magic, your custom firmware is made while you wait!

PART 5: Restoring with your custom firmware

The last piece in the puzzle, this is how you enact all the changes you’ve made so far.

A) Open up iTunes and navigate to your iPod. WHILE HOLDING DOWN THE OPTION KEY, hit “Restore” in iTunes. Theoretically, Upgrade would work too, but using Restore is cleaner and easier.

B) Navigate to your custom firmware, and hit OK. If everything went right so far, iTunes should restore your custom firmware with no hiccups.

And you’re done! You’re ready to install any number of cool applications just as you normally would with any jailbreak.

.:For Advanced Users:.

For those of you that just aren’t satisfied with PwnageTool’s limited number of packages, there is a solution: You can make your own custom bundle. Bundles are the packages in which Installer, BSD Subsystem, etc are stored. These bundles can be found by:

  1. Right-clicking on PwnageTool.app
  2. Selecting “Show Package Contents…”
  3. Navigating to Contents > Resources > InternalPackages

Bundles are made very similarly to making an Installer repository: each requires folders of the files you want uploaded and a property list which states what you want done with each of them. I’ve had trouble with creating one of these from scratch, so for more information I direct you here: http://www.ipodtouchfans.com/forums/showthread.php?t=57676

For a process a little bit easier (and what I use), there’s a program in development called iBuilder. It works just like Installer: you add sources, and double-click packages you want put into your custom bundle. When you’re done, hit the “Build!” button and a personalized Pwnage bundle will appear on your desktop. You then move it into that InternalPackages folder, and your package will show up under “Custom Packages” in PwnageTool.

The catch: iBuilder’s only for Windows, while PwnageTool is only for Mac. Weird. Also, be careful, because some applications (mostly those that require file manipulation from multiple folders across the iPod file system, like MobileScrobbler or AFPd) won’t work when installed by this method!

And there you have it! Everything you ever wanted to know about Pwnage. Enjoy.



2 Responses to “PwnageTool: An In-depth Look”

  1. blunden
    June 2, 2008 at 7:10 PM

    Tried WinPwn. Works great. For some reason though it didn’t work when I had already set it in DFU mode when connecting it. Just plugging it in normally fixed that though. My 16 GB iPod touch simply crashed or hung all the time when jailbroken with ZiPhone 3.0. The jailbreakme.com hack with 1.1.1 didn’t work either. This worked like a charm though. Now it runs just as fast as before. Great app indeed.


May 2008
