Wednesday, January 11, 2012

Automatic SSH ramdisk creation and loading

A runnable JAR archive; works on OS X or Windows (needs a 32-bit JRE on Windows).
Supported devices: hopefully everything Syringe supports (devices with A4 chips and lower) plus iPhone 2G, iPhone 3G and iPod Touch 1G.
The tool automatically downloads the required files from Apple using @planetbeing's Partial Zip, patches them and sends them to the device.
If everything works as it should, the only thing you need is an SSH client.
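The Partial Zip step is what keeps the tool from pulling a whole IPSW just to get an iBSS, a kernelcache and a ramdisk. What follows is an added example, not the ssh_rd tool's code and not @planetbeing's partialzip, showing the zip-side logic: read the end-of-central-directory record from the file tail, parse the central directory, then transfer only the chosen member's local header and data. The RangeSource class stands in for HTTP Range requests (an assumption about the transport, so the example runs offline), and the "IPSW" it builds is constructed in memory with made-up contents behind real-looking member names.

```python
"""Partial-zip extraction: pull one member out of a large zip (an IPSW) while
transferring only the end-of-central-directory record, the central directory
and that member's own bytes.  RangeSource stands in for HTTP Range requests
(assumed transport) so the example runs offline."""
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"
CDFH_SIG, LFH_SIG = 0x02014B50, 0x04034B50
EOCD_LEN, CDFH_LEN, LFH_LEN = 22, 46, 30


class RangeSource:
    """Byte-range reader over an in-memory buffer; counts bytes transferred."""

    def __init__(self, data):
        self._data = data
        self.bytes_read = 0

    def size(self):
        return len(self._data)

    def read(self, start, length):
        if start < 0 or start + length > len(self._data):
            raise ValueError("range outside file")
        self.bytes_read += length
        return self._data[start:start + length]


def find_central_directory(src):
    """Read the file tail, locate the EOCD record, return (cd_offset, cd_size)."""
    tail_len = min(src.size(), EOCD_LEN + 0xFFFF)       # record + max comment
    tail = src.read(src.size() - tail_len, tail_len)
    idx = tail.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no EOCD record (zip64 archives are not handled)")
    _, _, _, _, _, cd_size, cd_off, comment_len = struct.unpack(
        "<IHHHHIIH", tail[idx:idx + EOCD_LEN])
    if idx + EOCD_LEN + comment_len != len(tail):
        raise ValueError("EOCD record does not end at EOF")
    return cd_off, cd_size


def list_members(src):
    """Parse the central directory into {name: (method, crc, csize, lfh_off)}."""
    cd_off, cd_size = find_central_directory(src)
    cd = src.read(cd_off, cd_size)
    members, pos = {}, 0
    while pos + CDFH_LEN <= len(cd):
        f = struct.unpack("<IHHHHHHIIIHHHHHII", cd[pos:pos + CDFH_LEN])
        if f[0] != CDFH_SIG:
            break
        nlen, elen, clen = f[10], f[11], f[12]
        name = cd[pos + CDFH_LEN:pos + CDFH_LEN + nlen].decode("utf-8")
        members[name] = (f[4], f[7], f[8], f[16])   # method, crc32, csize, lfh offset
        pos += CDFH_LEN + nlen + elen + clen
    return members


def extract_member(src, name):
    """Fetch one member's local header and data, inflate it, verify its CRC-32."""
    method, crc, csize, lfh_off = list_members(src)[name]
    lfh = struct.unpack("<IHHHHHIIIHH", src.read(lfh_off, LFH_LEN))
    if lfh[0] != LFH_SIG:
        raise ValueError("bad local file header for %s" % name)
    # Sizes come from the central directory (local ones are zero when a data
    # descriptor is used); name/extra lengths must come from the local header.
    data_off = lfh_off + LFH_LEN + lfh[9] + lfh[10]
    raw = src.read(data_off, csize)
    if method == 0:
        data = raw
    elif method == 8:
        data = zlib.decompress(raw, -15)              # raw deflate stream
    else:
        raise ValueError("unsupported compression method %d" % method)
    if zlib.crc32(data) & 0xFFFFFFFF != crc:
        raise ValueError("CRC-32 mismatch for %s" % name)
    return data


# Constructed sample archive: real-looking IPSW member names, made-up contents.
SAMPLE_KERNEL = b"constructed kernelcache bytes\n" * 64


def build_sample_ipsw():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Restore.plist", b"<plist/>", zipfile.ZIP_STORED)
        zf.writestr("kernelcache.release.n88", SAMPLE_KERNEL, zipfile.ZIP_DEFLATED)
        zf.writestr("018-6461-399.dmg", bytes(256 * 1024), zipfile.ZIP_STORED)  # padding
    return buf.getvalue()


def demo():
    """Return (member bytes, bytes transferred, archive size)."""
    src = RangeSource(build_sample_ipsw())
    data = extract_member(src, "kernelcache.release.n88")
    return data, src.bytes_read, src.size()


if __name__ == "__main__":
    data, moved, total = demo()
    print("got %d bytes; transferred %d of %d" % (len(data), moved, total))
```

The CRC-32 check only guards against a truncated or mis-ranged transfer; it says nothing about authenticity. What actually stops a swapped-in firmware component on the device is the img3 signature check, which is exactly what the bootrom exploits listed above get around.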

Made possible thanks to Camilo Rodrigues (@Allpluscomputer)

Including xpwn source code by the iPhone Dev Team and @planetbeing
Including syringe source code by Chronic-Dev and @posixninja
syringe exploits by @pod2g, geohot & @posixninja
pwnage2 exploit by iPhone Dev Team
Special thanks to @iH8sn0w - EMF tools and kernel patches

To see more verbose output, run it from the command line: java -jar ssh_rd_rev04b.jar
Source on github.

Wednesday, July 27, 2011

Lion, Time Machine and AFP feature bits.

Update2: SMB should be supported in the _r2 version. Probably not a very good idea unless your network connection is solid. Also remember that you can't restore the whole system from a TM image on an SMB share, at least not from the OS X boot disk.
Update1: Please try updating your NAS firmware first; most manufacturers will be releasing updates that make their devices Lion-compatible in the near future.
These new flags, made mandatory in Lion, help with AFP session recovery after a network connection loss, so you will be at a higher risk of data corruption when using this workaround over spotty WiFi.

'The network backup disk does not support the required AFP features' message means that
Lion's backupd now requires 'TM Lock Stealing' and 'Server Reply Cache' AFP features on all TM destinations.

The TMShowUnsupportedNetworkVolumes workaround affects the UI but has no effect on the actual daemon behaviour.
So, seeing as how I'm not going to buy a Time Capsule any time soon, an idea was born:
What if we could make backupd work with those unsupported volumes and unleash any potentially data-munching-monster-ish bugs this unsupportedness shall surely entail? Sounds like a plan!

tl;dr: Download, unzip and run the script.

^^ A dylib that fakes those new shiny AFP feature bits for your old musty half-dead early 20th century NAS-o-saurus.

Disclaimer: Use at your own risk; data corruption may occur!

Boring tech details: just read the source.

Monday, January 17, 2011

Ultrasn0w (with preserved baseband) on 4.3

4.3 seems to have enabled slidable image address randomization (ASLR). This broke ultrasn0w code that naively used 0x1000 as the main executable's base address. In addition to that, its FindReference function was using hardcoded offset/xref pairs for slidable images, which means every firmware update will break it.
So, I've written a small dylib that works around those issues.

Only tested on a 3GS; will require changes for the next betas.
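The two fixes the paragraph above implies, taking the slide from the image instead of assuming 0x1000, and locating the xref by searching instead of by a per-firmware offset table, as an added example. This is not the author's dylib and not ultrasn0w's code; it is written in Python against a constructed in-memory Mach-O image so it runs anywhere, whereas on the device the slide of the main executable is what _dyld_get_image_vmaddr_slide(0) returns and the image bytes are read from memory. The symbol address 0x1400 and the xref position 0x100 are made-up values.

```python
"""Slide-aware address lookup in a 32-bit Mach-O image.  Parses the header of
a constructed in-memory image so it runs anywhere; on a device the slide of
the main executable comes from _dyld_get_image_vmaddr_slide(0) and the image
bytes are read from memory."""
import struct

MH_MAGIC, LC_SEGMENT = 0xFEEDFACE, 0x1
MH_LEN, LC_LEN, SEG_LEN = 28, 8, 56
LINK_BASE = 0x1000        # __TEXT vmaddr that pre-4.3 code could rely on
SYMBOL_UNSLID = 0x1400    # constructed: link-time address of some routine
XREF_OFFSET = 0x100       # constructed: where a pointer to that routine lives


def text_vmaddr(image):
    """Walk the load commands and return the __TEXT segment's link-time vmaddr."""
    magic, _, _, _, ncmds, _, _ = struct.unpack("<7I", image[:MH_LEN])
    if magic != MH_MAGIC:
        raise ValueError("not a 32-bit little-endian Mach-O")
    off = MH_LEN
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", image[off:off + LC_LEN])
        if cmd == LC_SEGMENT and cmdsize >= SEG_LEN:
            segname, vmaddr = struct.unpack("<16sI", image[off + LC_LEN:off + LC_LEN + 20])
            if segname.rstrip(b"\0") == b"__TEXT":
                return vmaddr
        off += cmdsize
    raise ValueError("no __TEXT segment")


def image_slide(image, loaded_at):
    """ASLR slide: where the image actually sits minus where it was linked."""
    return loaded_at - text_vmaddr(image)


def find_reference(image, loaded_at, target_unslid, slide):
    """Search the mapped image for a word holding the (rebased) address of
    target_unslid; return that word's slid address, or None.  The xref is
    found by scanning, not taken from a per-firmware table of offsets."""
    needle = struct.pack("<I", (target_unslid + slide) & 0xFFFFFFFF)
    for off in range(0, len(image) - 3, 4):
        if image[off:off + 4] == needle:
            return loaded_at + off
    return None


def build_sample_image(slide):
    """Constructed image mapped at LINK_BASE + slide: Mach-O header, one
    __TEXT segment command, and a data word pointing at the slid symbol
    (dyld rebases such pointers, so in memory they hold slid values)."""
    header = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 1, SEG_LEN, 0)   # ARM, MH_EXECUTE
    seg = struct.pack("<II16sIIIIiiII", LC_SEGMENT, SEG_LEN, b"__TEXT",
                      LINK_BASE, 0x2000, 0, 0x2000, 5, 5, 0, 0)
    body = bytearray(0x200)
    body[:MH_LEN] = header
    body[MH_LEN:MH_LEN + SEG_LEN] = seg
    body[XREF_OFFSET:XREF_OFFSET + 4] = struct.pack("<I", SYMBOL_UNSLID + slide)
    return bytes(body)


def resolve(slide):
    """Return (naive, correct): the lookup that assumes base 0x1000 next to
    the one that reads the slide from the image itself."""
    loaded_at = LINK_BASE + slide
    image = build_sample_image(slide)
    naive = find_reference(image, loaded_at, SYMBOL_UNSLID, 0)
    correct = find_reference(image, loaded_at, SYMBOL_UNSLID, image_slide(image, loaded_at))
    return naive, correct


if __name__ == "__main__":
    print("no slide:", resolve(0))
    print("slide 0x5000:", resolve(0x5000))
```

With no slide both lookups agree; once the image is slid the naive lookup finds nothing (or, with a hardcoded offset, would patch the wrong word), while the slide-aware one lands on the rebased pointer.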

Saturday, November 20, 2010

Sunday, November 7, 2010

Booting 4.2 bundle - instructions

  • Download the appropriate tetheredboot binary for Windows or OS X from
    • Update: the OS X version does NOT need libUSB from MacPorts any more.
  • Put the device in DFU mode
  • Use the command line tetheredboot -i iBSS.CPUap.RELEASE.dfu -k kernelcache.release.CPU to boot, where CPU is k48 for iPad, n90 for iPhone 4
    • These files (iBSS and kernelcache) need to be extracted from the custom IPSW you made using the bundle!

Thursday, July 8, 2010

Data recovery: not just for iBoot-pwned devices

Deprecated: Now you can use greenpois0n to load an SSH ramdisk on any new device.

Update: wrote a tool to generate upgrade IPSWs automatically.
iPad data recovery!
If your user data partition is not corrupted, it's possible to get your data back (say, after some Cydia app made your oversized iTouch hang on boot!)

Should also work for iOS 4.0 new-bootrom 3GS iPhones and 3G iTouches.

Will it work if you were jailbroken with:
PwnageTool: Not recommended / might work
SnowBreeze: Not recommended / might work
Spirit: YES
redsn0w: YES
blackra1n: YES
Not jailbroken: YES

Other necessary conditions:
Mountable user data volume - not always the case!

Other warnings:
You'll obviously lose your jailbroken state and will have to re-Spirit if using an iPad, or just back up and restore if using a PwnageTool/SnowBreeze iOS 4 jailbreak!

When should you use this method?
  • You have an iDevice that does not boot (stuck in DFU/on the Apple logo) with important data on it (kids' pix, financial reports, names of Russian spies)
  • You are not jailbroken with PwnageTool/redsn0w/blackra1n/Sn0wbreeze
    • If you are jailbroken using one of those jailbreak methods, check out the SSH ramdisk method first, as it guarantees non-destructive recovery.
  • You don't need the device to remain jailbroken/unlocked, or can jailbreak/unlock a device that has been restored to the latest firmware version.
Windows version / Python source

Use the current firmware version that is still being signed by Apple (4.1 ATM)!
Drag and drop the original unmodified IPSW file over the tool icon, wait for it to generate a UPG_...ipsw file, then restore to that using iTunes.
Make sure you've read the necessary conditions and warnings sections!

Look at the source code if you want an insight into what exactly happens here.

Wednesday, July 7, 2010

iRecovery functionality on Windows without libUSB

itunnel_mux_rev6.exe <- this unfortunately named tool now supports loading stuff into iBoot, including USB exploit payloads.
Usage example:
itunnel_mux_rev6.exe --ibss iBSS.n88ap.RELEASE.dfu --exploit exploit --ibec iBEC.n88ap.RELEASE.dfu --ramdisk 018-6461-399.dmg.ssh --devicetree DeviceTree.n88ap.img3 --kernelcache kernelcache.release.n88
Due to some hardcoded structure offsets still left, it will probably only work with iTunes 9.2.