Modifying the restore ramdisk manually - msftguy/ios-jb-tools GitHub Wiki

Tools needed: OS X, xpwntool

  • Unpack the original ramdisk: xpwntool orig_restore_rd.dmg restore_rd.dec.dmg -iv .. -k .. (use the keys from the wiki)
  • (If you get a "read-only partition" error when modifying files on the ramdisk, convert it first: hdiutil convert -format UDRW restore_rd.dec.dmg -o rd.udrw.dmg)
  • Mount the ramdisk: hdiutil attach restore_rd.dec.dmg (or rd.udrw.dmg)
  • Free up some space: rm /Volumes/ramdisk/(some unneeded large-ish file)
  • Patch asr: mv /Volumes/ramdisk/usr/sbin/asr /tmp/; bspatch /tmp/asr /Volumes/ramdisk/usr/sbin/asr (bundle_path)/asr.patch
  • Fix asr hashes: ldid -s /Volumes/ramdisk/usr/sbin/asr
  • Change the restore options: edit /Volumes/ramdisk/usr/local/share/restore/options.plist with Property List Editor and add 'UpdateBaseband' = false; see http://theiphonewiki.com/wiki/index.php?title=Preventing_Baseband_Update for details
  • Unmount the ramdisk: hdiutil detach /Volumes/ramdisk
  • Re-encrypt the ramdisk: xpwntool restore_rd.dec.dmg (or rd.udrw.dmg) pwned_restore_rd.dmg -t orig_restore_rd.dmg -iv .. -k ..
  • Replace the ramdisk inside the CFW produced by PwnageTool with pwned_restore_rd.dmg. You can either unzip and re-zip the CFW, or replace the file inside the /tmp/ipsw directory while PwnageTool is running.
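
The options.plist change in the list above can also be scripted instead of made by hand in Property List Editor. The following Python code is an added example, not part of ios-jb-tools; the function name disable_baseband_update and its backup_dir parameter are assumptions made for illustration, while the file path and the UpdateBaseband key come from the step above.

```python
import plistlib
import shutil
import sys
from pathlib import Path

# Location of the file once the ramdisk is mounted (path from the step above).
OPTIONS_PLIST = Path("/Volumes/ramdisk/usr/local/share/restore/options.plist")


def disable_baseband_update(plist_path=OPTIONS_PLIST, backup_dir=None):
    """Set UpdateBaseband = false; return True if the file was modified.

    backup_dir (hypothetical parameter) should be outside the ramdisk,
    because free space on the mounted volume is tight.
    """
    plist_path = Path(plist_path)
    raw = plist_path.read_bytes()
    # Write back in the encoding found on disk: binary plists start with "bplist00".
    fmt = plistlib.FMT_BINARY if raw.startswith(b"bplist00") else plistlib.FMT_XML
    options = plistlib.loads(raw)
    if not isinstance(options, dict):
        raise ValueError("root of %s is not a dictionary" % plist_path)
    if options.get("UpdateBaseband") is False:
        return False  # already set; leave the file untouched
    if backup_dir is not None:
        shutil.copy2(plist_path, Path(backup_dir) / (plist_path.name + ".orig"))
    before = set(options)
    options["UpdateBaseband"] = False
    plist_path.write_bytes(plistlib.dumps(options, fmt=fmt, sort_keys=False))
    # Re-read the file to confirm the key landed and no other option was lost.
    after = plistlib.loads(plist_path.read_bytes())
    if after.get("UpdateBaseband") is not False or not before <= set(after):
        raise RuntimeError("verification of %s failed" % plist_path)
    return True


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else OPTIONS_PLIST
    changed = disable_baseband_update(target)
    print("%s: %s" % (target, "updated" if changed else "already set"))
```

Run it while the ramdisk is still mounted, before the hdiutil detach step.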