From The Apple Wiki
BootNeuter on firmware 2.0.

BootNeuter allows one to unlock their iPhone, "neuter" it, flash a Fakeblank bootloader, and flash the 3.9 or 4.6 bootloader image, regardless of the iPhone's bootloader version. Bootneuter does not support the X-Gold 608 and X-Gold 618, used by the successors to the original iPhone.


A neutered bootloader has many restrictions placed by the bootloader removed. With a neutered bootloader:

  • The baseband is no longer integrity-checked, so modifications (including unlocking) can be made.
  • Secpack restrictions are removed
    • You are free to downgrade your baseband using bbupdater without having to run ieraser/ienew first.
    • No longer does the “greater than” (4.6BL) or “greater than or equal” (3.9BL) rule apply. You can arbitrarily go up and down regardless of what secpacks you use.
  • Secpack signatures are ignored
    • The RSA encrypted header is no longer checked for correct hash values by the bootloader
    • The *.fls files can be patched and fed to bbupdater directly
    • A copy of the last used secpack will be saved at a03c0000, retrievable via norz or similar dumpers. Not that secpacks even matter anymore.


BootNeuter gives you the option to unlock your 1.1.4 or 2.0 (iPhone only) baseband. The bootloader will need to be neutered for unlocking.

A neutered bootloader will let you use bbupdater on modified ICE*.fls files, so now you don't even need a separate app to unlock. As discussed on the simple_unlock page, you can now unlock the baseband before it even gets put on your iPhone!

Bootloader Version[edit]

BootNeuter is able to switch your first generation iPhone's bootloader between 3.9 or 4.6 at will. If your iPhone got onto bootloader 3.8, BootNeuter can upgrade it. Although BootNeuter makes flashing the bootloader easy, you should still only switch versions as necessary.


A Fakeblank bootloader allows for iPhone hackers to be able to run serial payloads directly at S-Gold 2 reboot time. If BootNeuter detects that your iPhone is currently fakeblanked, it will do all of its bootloader operations via serial payload and won't need to erase/reprogram the baseband to make bootloader changes. If you don't know what FakeBlank means, you probably should leave it off when using BootNeuter.


User:MuscleNerd, gray, chris, wizdaz, planetbeing, and the entire iPhone Dev Team. Thanks to geohot for the Minus 0x20000 with Back Extend Erase vulnerability for bootloader 4.6.