This information is deprecated; please use the new automatic tool here.
>> Up to date instructions HERE <<
Requirements: iPod or iPhone with fw 3.1.2 and intact iBoot (not a DFU-only brick), OR with saved SHSH hashes for 3.1.2.
If your iPhone does not boot and you are too lazy to reinstall everything, or have some data that needs to be recovered, this may just work for you. It allows you to copy full disk images, among other things.
Update3: Experimental support for 3GS iPhones with 3.1.2 SHSH on file, even with new bootrom.
Ramdisk prep tool (currently Windows version only, needs .NET Framework 4):
http://code.google.com/p/iphonetunnel-usbmuxconnectbyport/downloads/detail?name=RecoveryRamdiskBuilder_rev_2.zip
*Note that you still need a pwned kernelcache (from a pwnageTool generated IPSW)!
- iRecovery -f 018-6051-014.ssh.dmg
- iRecovery -c ramdisk 0x90000000
- iRecovery -f kernelcache.release.s5l8920x
- iRecovery -c bootx
Note: If you get errors uploading the kernelcache, try disconnecting and reconnecting the USB cable after issuing the 'ramdisk' command. This seems to happen more often with larger ramdisks.
http://code.google.com/p/iphonetunnel-usbmuxconnectbyport/
Changes made for this custom build:
- Launch iPhone_tunnel, forward remote port 22 as local port 2022 (or 22 on Windows):
  ./iPhone_tunnel
- Connect using SSH:
  ssh root@localhost -p 2022
Useful commands:
mount / ;#to make ramdisk readwrite
mount_hfs /dev/disk0s1 /mnt1 ;#if the FS still mounts..
mount_hfs /dev/disk0s2s1 /mnt2 ;# user data part
export PATH=$PATH:/mnt1/bin:/mnt1/sbin:/mnt2/stash/bin: ;#more stuff to run
export DYLD_LIBRARY_PATH=/mnt1/usr/lib ;#to run stuff without having to copy/symlink the libs
kill 1 ;# since we nuked the /sbin/reboot..
Tethered support:
Advanced skills and OS X recommended.
If you have iPhone 3GS with 3.1.2 SHSH on file and new bootrom:
- Replace gs.apple.com with Saurik's server or your local tinyTss.
- Start the DFU mode restore.
- !IMPORTANT! Unplug the USB right after the screen turns white. This happens after iTunes message 'preparing iPhone for restore' which loads iBSS.
- Use the payload here to patch iBSS.
- Now just load ramdisk and kernelcache as usual, then recover your data/fix the system over SSH.
If you don't have SHSH for 3.1.2 saved BUT still have a working iBoot 636.66, it is possible to use a similar payload to load an unsigned ramdisk. If this is your situation, please leave a comment; since I don't have a new bootrom device, I cannot test the required payload myself, but will gladly send it to you in exchange for testing ;-)
Tech details:
The restored daemon enables the USB MUX kernel module to accept connections, after which we can use standard MobileDevice framework functions for port forwarding. Now we just need to start sshd.
By replacing /sbin/reboot with sshd and issuing a reboot command to restored, we make restored launch sshd and hang waiting for the reboot. We also need to make sure the restore dmg has the required libraries and /bin/sh (this is the login shell for the root user specified in the passwd file). Password is alpine, as usual ;-)
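The check below is an added example, not part of the original post or its tools: it audits an extracted ramdisk tree for the two conditions named in the Tech details, that /sbin/reboot is really sshd and that root's login shell exists inside the image. The passwd locations, the "OpenSSH" marker string, the function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Audit an extracted restore-ramdisk tree for the sshd-as-reboot setup.
# Assumptions (not from the post): root's entry is in etc/master.passwd or
# etc/passwd, and an sshd binary is recognisable by the string "OpenSSH".

audit_ramdisk() {
    root=$1
    reboot=missing
    if [ -f "$root/sbin/reboot" ]; then
        reboot=other
        # restored executes /sbin/reboot; a swapped-in sshd keeps its version string.
        if LC_ALL=C grep -q 'OpenSSH' "$root/sbin/reboot"; then reboot=sshd; fi
    fi

    shell=unknown
    for pw in "$root/etc/master.passwd" "$root/etc/passwd"; do
        [ -f "$pw" ] || continue
        # The login shell is the last colon-separated field of root's entry.
        shell=$(awk -F: '$1 == "root" { print $NF; exit }' "$pw")
        shell=${shell:-unknown}
        break
    done

    state=missing
    # sshd cannot give root a session unless that shell is inside the ramdisk.
    if [ "$shell" != unknown ] && [ -f "$root$shell" ]; then state=present; fi

    echo "reboot=$reboot root_shell=$shell:$state"
}

# Constructed sample tree (placeholder bytes, not a real ramdisk).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sbin" "$dir/bin" "$dir/etc"
    printf 'placeholder OpenSSH_x.y placeholder\n' > "$dir/sbin/reboot"
    printf '#!/bin/sh\n' > "$dir/bin/sh"
    printf 'root:*:0:0:System Administrator:/var/root:/bin/sh\n' > "$dir/etc/passwd"
    echo "$dir"
}

sample=$(make_sample_tree)
audit_ramdisk "$sample"
rm -rf "$sample"
```

Point it at the directory where the ramdisk dmg is mounted or extracted; a result other than `reboot=sshd` with a present root shell means the image will not bring up SSH the way the post describes.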
Please use this wave for comments:
https://wave.google.com/wave/waveref/googlewave.com/w+8ZB8IWzVL