How to Jailbreak iOS 4.3 on iPhone with PwnageTool [Tethered] [Mac]

We previously shared a tutorial for Windows users on how to jailbreak iOS 4.3 Final using Sn0wBreeze. This time we have instructions on how to perform the same tethered jailbreak using PwnageTool on your Mac.

In case you haven’t upgraded to iOS 4.3 yet, make sure you read the previous post “Should I Upgrade my iPhone to iOS 4.3?” Since this is a tethered jailbreak, you will have to boot tethered using your computer every time the iOS device restarts. Ultrasn0w unlockers beware: you cannot unlock the carrier on iOS 4.3 yet.

Note: PwnageTool hasn’t officially been updated for iOS 4.3 [Final] yet. We will make use of the bundles released for the iOS 4.3 GM build (beta iOS) since they work just fine with the final release. Works fine for me, except that it’s a tethered method.

This is a somewhat complicated tutorial compared to the previous ones. Novice users should just wait for a simpler jailbreak tool to be released later this month.

Tools Required for Jailbreaking iOS 4.3:

Also, download PwnageTool bundles for your device here:

  • iPhone 4
  • iPhone 3GS (New Bootrom)
  • iPhone 3GS (Old Bootrom)
  • iPad

Instructions to Jailbreak iOS 4.3:

Modify PwnageTool:

Extract the bundles archive that you downloaded in the previous steps. Right-click on PwnageTool and select Show Package Contents. Navigate to Contents/Resources/FirmwareBundles/ and paste the downloaded custom bundle file.

Now run the Ramdisk Fixer and follow onscreen instructions.

Creating Custom Firmware:

Launch the modified PwnageTool and then select Expert Mode at the top.


Click on the iPhone’s icon and then on the blue arrow to proceed.


Now click on Browse for IPSW, point it to the firmware file you downloaded above, and click on Open.


Click on General and then on the Next arrow. Select Activate the iPhone if you are not using a SIM from an official carrier. If you are on an official carrier, make sure you deselect the option.


Now click on Back and then on Build. When you press the next button you will be asked where to save the custom firmware file. Your IPSW is now being saved.


After the custom firmware has been built, you will see instructions to place the iPhone into DFU mode for restoring in iTunes.



Once in DFU mode, close PwnageTool and launch iTunes.



Press the Alt key on your Mac’s keyboard and click on Restore. Show iTunes the location of the custom IPSW file. After a while, once the restore is over, the iPhone will reboot.

Boot in Tethered Mode:

Change the extension of the IPSW file to .zip and extract its contents. From the folder Firmware>Dfu copy the following three files to the folder containing the TetheredBoot utility. To make it easier, place everything in a folder called tboot on your desktop.

  • kernelcache.release.n90
  • iBEC.n90ap.RELEASE.dfu
  • iBSS.n90ap.RELEASE.dfu

Put your iPhone into Recovery Mode by referring to this guide.

Now launch Terminal and type these two commands:

sudo sh

You will be asked to enter your password. Type it (there is no onscreen feedback) and press Enter.

/Users/Rajat/Desktop/tetheredboot/tetheredboot /Users/Rajat/Desktop/tetheredboot/iBSS.n90ap.RELEASE.dfu /Users/Rajat/Desktop/tetheredboot/kernelcache.release.n90

Don’t forget to change the username in the paths. Press Enter after the previous command. Now you need to put the iPhone in DFU mode again, like you did earlier. Tutorial on how to place iPhone in DFU here.

Your iPhone should boot in a few minutes and Terminal will display “Exiting libpois0n”.

Have fun with your jailbroken iPhone and iOS 4.3.

2 thoughts on “How to Jailbreak iOS 4.3 on iPhone with PwnageTool [Tethered] [Mac]”

  1. Hello,

    I followed all your steps, but it all failed and I couldn’t manage to get it working :(.
    Last login: Wed Mar 23 21:42:09 on ttys000
    Maris-Puces-iMac:~ maaris8$ sudo sh
    sh-3.2# /Users/maaris8/Desktop/tetheredboot/tetheredboot /Users/maaris8/Desktop/tetheredboot/iBSS.n90ap.RELEASE.dfu /Users/maaris8/Desktop/tetheredboot/kernelcache.release.n90
    Initializing libpois0n
    No matching processes were found
    Waiting for device to enter DFU mode
    opening device 05ac:1227…
    Found device in DFU mode
    Checking if device is compatible with this jailbreak
    Checking the device type
    Identified device as iPhone3,1
    Preparing to upload limera1n exploit
    Resetting device counters
    Sending chunk headers
    Sending exploit payload
    Sending fake data
    libusb:error [darwin_transfer_status] transfer error: timed out
    Exploit sent
    Reconnecting to device
    Waiting 2 seconds for the device to pop up…
    Connection failed. Waiting 1 sec before retry.
    Connection failed. Waiting 1 sec before retry.
    Connection failed. Waiting 1 sec before retry.
    Connection failed. Waiting 1 sec before retry.
    Connection failed. Waiting 1 sec before retry.
    Connection failed. Waiting 1 sec before retry.
    Connection failed. Waiting 1 sec before retry.
    Connection failed. Waiting 1 sec before retry.
    opening device 05ac:1227…

    Could you explain why so, please?


  2. Use this tetheredboot command instead:

    /Users/maaris8/Desktop/tetheredboot/tetheredboot -i /Users/maaris8/Desktop/tetheredboot/iBSS.n90ap.RELEASE.dfu -k /Users/maaris8/Desktop/tetheredboot/kernelcache.release.n90
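
The console output quoted in the first comment can be triaged mechanically. The following is an added example, not part of the original post, its comments, or the tetheredboot tool: a Python summarizer run over a constructed, condensed copy of that log. The `summarize` function and its field names are hypothetical, and the success marker is the “Exiting libpois0n” line the article says a finished boot prints.

```python
import re

# Constructed sample, condensed from the tetheredboot output quoted in the first comment.
SAMPLE_LOG = """\
Initializing libpois0n
Waiting for device to enter DFU mode
opening device 05ac:1227...
Found device in DFU mode
Identified device as iPhone3,1
Sending exploit payload
libusb:error [darwin_transfer_status] transfer error: timed out
Exploit sent
Reconnecting to device
Connection failed. Waiting 1 sec before retry.
Connection failed. Waiting 1 sec before retry.
Connection failed. Waiting 1 sec before retry.
opening device 05ac:1227...
"""

SUCCESS_MARKER = "Exiting libpois0n"  # the line the article says a completed boot prints
USB_OPEN = re.compile(r"opening device ([0-9a-fA-F]{4}:[0-9a-fA-F]{4})")
DEVICE = re.compile(r"Identified device as (\S+)")


def summarize(log):
    """Reduce a tetheredboot console log to the facts needed to triage a run."""
    out = {"device": None, "usb_opens": [], "errors": [], "retries": 0,
           "last_stage": None, "reopened_after_exploit": False, "completed": False}
    exploit_sent = False
    for line in filter(None, map(str.strip, log.splitlines())):
        if line.startswith("Connection failed"):
            out["retries"] += 1
        elif line.startswith("libusb:error"):
            out["errors"].append(line)
        elif USB_OPEN.search(line):
            out["usb_opens"].append(USB_OPEN.search(line).group(1))
            # An open after "Exploit sent" means the tool went back to looking for the device.
            out["reopened_after_exploit"] = out["reopened_after_exploit"] or exploit_sent
        else:
            out["last_stage"] = line  # last progress message that is not noise
            exploit_sent = exploit_sent or line == "Exploit sent"
            found = DEVICE.match(line)
            if found:
                out["device"] = found.group(1)
            out["completed"] = out["completed"] or line == SUCCESS_MARKER
    return out


print(summarize(SAMPLE_LOG))
```

For the sample, the summary shows a run that never reached the success marker: it stops at the reconnect stage, records one libusb timeout and repeated retries, and opens `05ac:1227` a second time after the payload was sent.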
