This Does not work with 3.1.3!!!! If your device came with 3.1.3 it cannot run 3.1.2!!! THIS TUTORIAL ASSUMES YOU ARE ALREADY ON 3.1.2! Q: Why not 3.1.3??? A: The exploit used is closed in 3.1.3 and beyond. ------- WHAT YOU WILL NEED: * An iPhone 3G or iPod Touch 2G MC or iPod Touch 3-- new bootrom * 3.1.2 already installed or 3.1.2 installed via SHSH blobs. <-- Broken blackra1n'd devices will work. (Especially if Spirit messed you up!). * Payload Pwner-r4.1 * sn0wbreeze V1.7 * iBooty V1.4 * 3.1.2/4.0 firmware downloaded. * iTunes 9.2 Installed ------- STEP A : Pwning iBoot I : Download this easy tool here -- Payload Pwner-r4.1 // It will help you create the payload. II : Extract it to a directory and run Pwner.exe **SAVE THE PAYLOAD WHERE iBooty is.** ------- STEP B : Making a Custom IPSW I : Download sn0wbreeze V1.7 from here -- sn0wbreeze V1.7 II : USE EXPERT MODE! III : In General, Checkmark "Disable NOR Flash" <-- THIS IS ESSENTIAL!!!! IV : Build it. It will be on your Desktop. **CUSTOM BOOT LOGOS THAT ARE MADE IN sn0wbreeze WILL NOT WORK ON NEW BOOTROMS!** *Mac Users : PwnageTool does not have this option. I don't think it will ever be in there. Use a Windows Virtual Machine or friends PC to create your firmware.* ------- STEP C: iBooty Prep. Most of you know of the utility "iBooty" that I made for Aki_nG. It will work as long as you place all of the correct files there. I : Download iBooty GUI here -- iBooty V1.4 and Extract it. II : Extract your Custom IPSW created by sn0wbreeze with 7-Zip or another un-archiver. III : Grab the kernelcache and bring it into the same folder as ibooty. Also grab iBEC from the folder "Firmware\dfu". Aswell as DeviceTree from the folder "Firmware\all_flash\all_flash.n88ap.production\DeviceTree.n88ap". IV : * Rename your Kernel 4.0-Custom to "kernel.40" * Rename your iBEC 4.0-Custom to "ibec.40" * Rename your DeviceTree 4.0-Custom to "devtree.40" ====== Your folder should look like this : - iboot.payload <-- Created with Payload Pwner. - devtree.40 <-- Grabbed from Custom IPSW made by sn0wbreeze. - ibec.40 <-- Created with Payload Pwner. - bspatch.exe <-- Comes with iBooty. - iBooty.exe <-- Comes with iBooty. - kernel.40 <-- Grab from Custom IPSW made by sn0wbreeze. - sn0w.img3 <-- Comes with iBooty. - wait.img3 <-- Comes with iBooty. ====== ------- STEP D: Restoring to 4.0 + Booting ------- *MAKE SURE YOU ARE ON 3.1.2 WHEN DOING THIS* I : Run iBooty and Select "Prepare Device for Custom Firmware". Run the Process and if you see the image, you can proceed! II : Now open iTunes and restore to the custom ipsw. ***WHEN DONE, YOUR DEVICE WILL GO INTO RECOVERY MODE. IT WONT BOOT.*** ------- STEP E : Booting I : Just Re-Run iBooty and select "Boot It". If all goes well it will boot! ------- Enjoy! ------- ============ Taking from iH8sn0w's forums.