Saturday, November 20, 2010

Booting SSH ramdisk on new devices

This information is deprecated; please use the new automatic tool here.



Geohot has recently made his limera1n exploit publicly available: time to update the instructions for new devices.
Troubleshooting
  • If tetheredboot fails to load the ramdisk (which tends to happen with large ramdisks), load only the iBSS with tetheredboot and then use itunnel_mux (shown as itnl below) to load the kernelcache, DeviceTree and ramdisk. Replace _CPU_ with your device's board identifier (n90 for iPhone 4, n18 for iPod touch 3G, as in the logs in the comments) and use the ramdisk filename from your own IPSW:
    • tetheredboot -i iBSS._CPU_ap.RELEASE.dfu
    • itnl --kernelcache kernelcache.release._CPU_ --devicetree DeviceTree._CPU_ap.img3 --ramdisk 0XX-XXX-XXX.dmg.ssh


107 comments:

ikke de olifant said...

Thank you, this worked exactly as described on my i4.

a said...

I am trying to make it work under 64-bit Linux. With a few Makefile tweaks it compiles. Both injectpois0n and tetheredboot fail at "Waiting 10 seconds for device.."

based on dmesg errors, I added "libusb_claim_interface(usb_handle, 0);" after the libusb_open in libirecovery.c, but doesn't seem to have fixed/changed behavior.

any tips?

a said...

On OSX 10.6.4 w/ iTunes 10.1, using a ramdisk created with your ramdisktool and the restore ramdisk for 4.1 (and iBSS and kernelcache from PwnageTool), the screen turns white, then ends up on the Apple logo with an empty progress bar, and the end of the output looks like this (and the tunnel seems not to work; I'm using iPhoneTunnel for OSX, which seems to do what it's supposed to; could this be my issue?)

Waiting 10 seconds for the device to pop up...
opening device 05ac:1281...
Setting to configuration 1
Setting to interface 0:0
Uploading 018-7082-092.dmg.ssh to device
[==================================================] 100.0%
libusb:error [darwin_transfer_status] transfer error: timed out
Uploading kernelcache.release.n90 to device
[==================================================] 100.0%
libusb:error [darwin_transfer_status] transfer error: device not responding (value = 0xe00002ed)
Exiting libpois0n

msft.guy said...

@a: sorry, my itunnel doesn't build on Linux and it has some specific hack to support SSH ramdisk mode: it uses the MobileDevice API to issue a 'reboot' command which instead launches SSHD, because ramdisk builder replaces /sbin/reboot with sshd. It's possible to write a custom utility that would replace restored/restored_external and just enable USB mux, then exec sshd; but so far I had no need for that. If you want to write such a tool, here's the pastie comex created with a code snippet that can enable USB MUX: http://pastie.org/970295 (that needs to be built with iPhone SDK and replaces restored on the restore ramdisk).

a said...

Thanks, that helped. Your itunnel is magic :)
I do wish tetheredboot worked on Linux, regardless of the way your ramdisk functions. It fails during limera1n, from what I can tell. While the iBSS gets uploaded, the device never comes back (fails on the 10 second wait) and never turns white.

I)estym said...

Hello,

I have an issue with 3G iPod Touch (3.1.2 Jailbreakme untethered) not being able to boot/stuck at apple logo.
Following the instructions gives the following output:

d:\iPod>tetheredboot.exe -i iBSS.n18ap.RELEASE.dfu -k kernelcache.release.n18 -r
018-7081-078.dmg.ssh
Initializing libpois0n
ERROR: The process "iTunesHelper.exe" not found.
Waiting for device to enter DFU mode
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as iPod3,1
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
Exploit sent
Reconnecting to device
Waiting 2 seconds for the device to pop up...
Uploading iBSS.n18ap.RELEASE.dfu to device
[==================================================] 100.0%
Waiting 10 seconds for the device to pop up...
Uploading 018-7081-078.dmg.ssh to device
[==================================================] 100.0%
Uploading kernelcache.release.n18 to device
[==================================================] 100.0%
Exiting libpois0n

After that device reboots and there is no progress bar under the Apple logo (so it's probably not in recovery mode?). Itunnel keeps saying 'Waiting for device'.

Any insight on this issue is greatly appreciated.

msft.guy said...

@I)estym: 3.x and 4.x use devicetree files that aren't interchangeable. You need to use the tetheredboot tool to get into a 'pwned' DFU mode (it does that when run without arguments), then proceed with the itunnel_mux thingie to load ibss, devicetree, ramdisk and kernelcache. Linkie here: http://code.google.com/p/iphonetunnel-usbmuxconnectbyport/downloads/list

Leo101 said...

Hi, great tutorial. I've managed to get it working and even copy my rdisk with my user data on it. However none of the files will load; I'm guessing they're encrypted. Any ideas? Has anyone else managed to recover photos or data via this method? Thanks guys

msft.guy said...

@Leo101: Interesting .. Did you copy rdisk0s2? Did it mount correctly in OS X? Did you try mounting it on the iPhone from the ramdisk environment? Do all files seem corrupted or only some? Can you see the directory structure?

I)estym said...

@msft.guy: thanks so much for your help, it worked!

@Leo101: once you've got SSH working, you need to mount your data partition in order to get files from it. Run FS check on your data partition:
-sh-4.0# fsck_hfs /dev/disk0s2s1
After it completes mount it:
-sh-4.0# mount_hfs /dev/disk0s2s1 /mnt2/
After that fire up WinSCP to actually copy files. Your photos will be in /mnt2/mobile/Media/DCIM/
Your application data will be in /mnt2/mobile/Applications although it will take some time to figure out which dir corresponds to which app.

Leo101 said...

@msft.guy + l)estym

Thank you very much for your replies, this has solved my problems. I just have the gruelling task of copying files out on my Mac one by one now, but much better than losing them! Thank you again. I'm going to see if I can just dump the whole lot to a dd file or something in case I miss anything before restoring the firmware; will post and let you know how I do. Thank you again

Leo101 said...

Just to update - at the moment on my mac I am experimenting with dd imaging just the user disk so for those who have lots of information such as myself, it can be recovered all as once. (I hope this can be of use to others)

Currently I have;

dd if=/dev/disk0 | ssh -p 2222 root@localhost 'dd of=iphone-dump.img'

Unfortunately the Mac connects to the iPhone, then displays "sh dd: command not found". Will keep trying. If anyone has any ideas, I would be grateful for any suggestions. Thanks

msft.guy said...

@Leo101: this seems to be a new feature in iOS4. Each file on the image is encrypted.. Until someone figures out the key derivation algorithm, you'll have to mount the FS on the phone and copy file by file.. Undelete doesn't seem workable either :(

Edgar said...

I know this may sound a REAL novice question, but Music Controls messed up my phone - restarts, and doesn't go to the springboard.

I can't SSH into the phone anymore because I lost the connection between my computer and the iPhone. Otherwise, I would have deleted Music Controls, and I wouldn't have a problem.

You said that I need to make a pwned ipsw for 4.1. I'm on 4.0.1 - will your method work for me considering that I can't SSH into my phone, and that firmware is NOT 4.1?

iPhone 4, 4.0.1 - Jailbroken with Jailbreakme. Not unlocked.

I)estym said...

@Edgar Music Controls doesn't look like something that could mess your boot process. However, it depends on MobileSubstrate for code injection, so if you've updated MS as well, this is a known case. There was an issue with one of the recent versions of MS and this has caused trouble to me as well.
Check out this topic: http://modmyi.com/forums/ipad-jailbreaking/737967-anyone-get-boot-loop-after-mobilesubstrate-update-morning.html

I)estym said...

@Leo101 - Here is a dd binary I extracted from my firmware. No idea if this will work for you but at least give it a try.
http://dl.dropbox.com/u/4821368/dd.zip

@Edgar - Also, this method should work on firmwares different from 4.1, I personally used it on my 3.1.2 iPod Touch (see above) and everything went smoothly.

a said...

For anyone trying to compile msftguy's syringe from GitHub under Linux: don't use the binary toolchains from gnuarm.com. Building my own with scripts from the iDroid project made all the difference; after building my own ARM toolchain, tetheredboot et al. now build and seem to work under Linux.

Edgar said...

@I)estym

Yes, it has to be MS. http://www.reddit.com/r/iphone/comments/eakxj/anyone_else_getting_apple_logo_screen_boot_loop/c16n92s

It was a combination of this crap also. Lol.

So, should I extract the iBSS and kernelcache files from a 4.0.1 or a 4.1 custom IPSW? I'm on 4.0.1 and I don't think I can find a pwned 4.0.1, seeing as Limera1n and Jailbreakme did not create custom IPSWs.

Thanks!

Edgar said...

Oh yeah, I have OpenSSH in my phone already. I did prior to the loop, but I lost the connection with the computer and the iPhone and can't SSH back in.

Will these directions allow me to do that?

Are these ALMOST the same directions: http://www.techmobicity.com/jailbreak-iphone-4-with-ios-4-2-1-while-preserving-baseband-02-10-04-with-pwnagetool-bundle/

Obviously, they're trying to achieve something different, but the procedure seems about the same here.

Edgar said...

This is what I'm getting. I have an iPhone 4 - 4.0.1 trying to upload the iBSS.

1) I downloaded iPhone 4, 4.1 ipsw. Pwned it with Snowbreeze.

2) Removed 018-7082.092.dmg.ssh, DeviceTree.n90ap.img3, iBEC.n90ap.RELEASE.dfu, iBSS.n90ap.RELEASE.dfu and kernelcache.release.n90 from the pwned ipsw. (I'm guessing the built ramdisk is in there somewhere)

3) Put iPhone in DFU mode.

4) Ran tetheredboot utility.

This runs:

"Initializing libpois0n
ERROR: The process "iTunes.exe" not found.
ERROR: The process "iTunesHelper.exe" not found.
Waiting for device to enter DFU mode
Device must be in DFU mode to continue
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as iPhone3,1
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
Exploit sent
Reconnecting to device
Waiting 2 seconds for the device to pop up..."

Then tetheredboot disappears. I'm guessing now it's in pwned DFU mode.

From here I'm lost, I tried doing this, but I have no idea if I'm doing it correctly.

5) I open CMD. Run this command "tetheredboot -i iBSS.n90ap.RELEASE.dfu"

I see this.

C:\Users\SS\Desktop\Making The Backup>tetheredboot -i iBSS.n90ap.RELEASE.dfu
Initializing libpois0n
ERROR: The process "iTunes.exe" not found.
ERROR: The process "iTunesHelper.exe" not found.
Waiting for device to enter DFU mode
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as iPhone3,1
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
Exploit sent
Reconnecting to device
Waiting 2 seconds for the device to pop up... ({MY IPHONE TURNS ON HERE))
Uploading iBSS.n90ap.RELEASE.dfu to device
Unable to upload iBSS
Unable to find device

What am I doing right and wrong? Sorry for all the newb questions; I'm tech savvy, but not very into commands like these. I'm interested in learning of course.

I)estym said...

@Edgar try the following:
First, run tetheredboot to enter pwned DFU (like you did)
When in pwned DFU, use itunnel_mux to upload files, not tetheredboot. I'm guessing you will need 3 files: iBSS, kernelcache and ramdisk.
To figure out the ramdisk thing go to http://theiphonewiki.com/wiki/index.php?title=Firmware and figure out what is the ramdisk filename inside your IPSW. Then use the RamdiskBuilder utility to add SSH to it:
http://code.google.com/p/iphonetunnel-usbmuxconnectbyport/downloads/detail?name=RecoveryRamdiskBuilder_rev_2.zip

Leo101 said...

@ msft.guy

Thank you for your reply. It just seems strange that encryption would allow each file to be opened and transferred but stop block transfers, but to be fair Apple works in weird and wonderful ways; on a separate matter I can't quite understand why they've removed the orientation lock off the iPads. Thank you again for your help and time

@ I)estym
Thank you too for your reply. I have transferred the dd to the root directory on the iPhone inside the mounted mnt2 folder. I have tried the following; any ideas what I'm doing wrong? Sorry to take up so much of your time, thank you for your help:

dhcp-10-54-151-119:~ macbook$ ssh -p 2222 root@localhost
root@localhost's password:
-sh-4.0# mount_hfs /dev/disk0s2s1 /mnt2/
<dev/disk0s2s1 | ssh -p 2222 root@localhost dd of=myiphonedata.dmg
-sh: ssh: command not found
/mnt2/root/dd: opening `/dev/disk0s2s1': Resource busy
< | ssh -p 2222 root@localhost dd of=iphone-dump.dmg
/mnt2/root/dd: opening `/dev/disk0s2s1': Resource busy
-sh: ssh: command not found
-sh-4.0#


i've also tried:
Macbook:~ macbook$ dd if=/mnt2 | ssh -p 2222 root@localhost '/mnt2/folders/dd of=myiphonedata.dmg'
dd: /mnt2: No such file or directory
root@localhost's password:
dyld: Library not loaded: /usr/lib/libgcc_s_v6.1.dylib
Referenced from: /mnt2/folders/dd
Reason: image not found

I)estym said...

@Leo101 well frankly I'm a bit confused with the syntax, but it looks like you are getting this error because you are trying dd on a mounted partition. Why not copy the dd utility to the ramdisk itself (not sure if it has enough free space though) or to the system partition (which is /dev/disk0s1)?

msft.guy said...

@Leo101: Again, if you're doing this on iOS4, you won't be able to use any of the files on the user volume because of the encryption. Just use SFTP (CyberDuck/PsFTP) to copy rdisk0s2s1, it's easier than configuring dd
@Edgar: I mentioned iOS 4.1 because PwnageTool only supports 4.1+ firmware and you need files (ibss and kernelcache) from 'pwned' ipsw to boot the ramdisk.
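
Worked example for the recovery step discussed in this part of the thread (I)estym's fsck/mount procedure, Leo101's dd-over-ssh attempts and msft.guy's advice to copy rdisk0s2s1 through the tunnel). This is an added example; it is not code from the original post or from the tools it describes. Two things the thread shows are built in: the ramdisk's shell has neither dd nor ssh unless you put them there (the "command not found" messages above), so here dd runs on the device side and ssh on the computer side with the output streamed down the tunnel, and the partition must not be mounted on the device while it is read, which is where "Resource busy" comes from. After the dump, the HFS+ volume header is parsed to confirm the image is a whole volume. The device path /dev/rdisk0s2s1 and tunnel port 2222 come from the thread; a dd binary on the ramdisk (such as the one I)estym extracted from the firmware) is assumed, and the sample volume header at the bottom is constructed for the self-test. Per msft.guy's comment, on iOS 4 the file contents inside such an image stay encrypted; what the raw dump buys you is the complete structure and a second copy to work from.

```python
import os
import struct
import subprocess

HFSPLUS_HDR_OFFSET = 1024
# Big-endian, per Apple TN1150: signature, version, attributes, lastMountedVersion,
# journalInfoBlock, createDate, modifyDate, backupDate, checkedDate, fileCount,
# folderCount, blockSize, totalBlocks, freeBlocks.
HFSPLUS_HDR_FMT = ">2sH12I"
HFSPLUS_HDR_LEN = struct.calcsize(HFSPLUS_HDR_FMT)   # 52
HEAD_BYTES = HFSPLUS_HDR_OFFSET + HFSPLUS_HDR_LEN


def parse_hfsplus_header(head):
    """Decode the volume header from the first 1076+ bytes of a partition image."""
    raw = head[HFSPLUS_HDR_OFFSET:HFSPLUS_HDR_OFFSET + HFSPLUS_HDR_LEN]
    if len(raw) < HFSPLUS_HDR_LEN:
        raise ValueError("too short to contain an HFS+ volume header")
    f = struct.unpack(HFSPLUS_HDR_FMT, raw)
    if f[0] not in (b"H+", b"HX"):
        raise ValueError("no HFS+/HFSX signature at offset 1024: %r" % f[0])
    return {"signature": f[0].decode("ascii"), "version": f[1],
            "file_count": f[9], "folder_count": f[10],
            "block_size": f[11], "total_blocks": f[12], "free_blocks": f[13]}


def check_dump(head, actual_size):
    """Compare the size the volume header implies with what actually arrived."""
    info = parse_hfsplus_header(head)
    expected = info["block_size"] * info["total_blocks"]
    info.update(expected_bytes=expected, actual_bytes=actual_size,
                complete=actual_size >= expected)
    return info


def dump_partition(out_path, device="/dev/rdisk0s2s1", host="localhost",
                   port=2222, user="root"):
    """Run dd on the *device* side and stream the raw partition down the SSH tunnel.
    Needs a dd binary on the ramdisk, and the partition must not be mounted there
    while it is read (mount_hfs it first and dd reports 'Resource busy')."""
    remote_cmd = "dd if=%s bs=1048576" % device
    with open(out_path, "wb") as out:
        subprocess.run(["ssh", "-p", str(port), "%s@%s" % (user, host), remote_cmd],
                       stdout=out, check=True)
    with open(out_path, "rb") as f:
        head = f.read(HEAD_BYTES)
    return check_dump(head, os.path.getsize(out_path))


# Constructed sample for the self-test: a header claiming 8 blocks of 4096 bytes,
# 12 files and 3 folders (not a real device header).
SAMPLE_HEAD = b"\0" * HFSPLUS_HDR_OFFSET + struct.pack(
    HFSPLUS_HDR_FMT, b"H+", 4, 0, 0, 0, 0, 0, 0, 0, 12, 3, 4096, 8, 2)

if __name__ == "__main__":
    import sys
    print(dump_partition(sys.argv[1] if len(sys.argv) > 1 else "iphone-data.dmg"))
```

Run it with the tunnel already up (itunnel_mux --lport 2222 on the computer side) and the data partition unmounted on the ramdisk; the returned dict tells you whether the byte count matches what the volume header claims, which is the check to make before restoring the phone.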

Mike said...

Can anyone point me to step-by-step instructions to accomplish this on OS X with an iPhone 4/iOS 4.1? These instructions seem to require Windows, and the linked pages all seem to say "go [HERE] for updated instructions" until I finally wind up at a Google Wave page which I can't even figure out how to use, because it bogs down Safari to the point that every mouse click requires a 2-3 minute wait for the beachball cursor to go away.

Thanks in advance.

Edgar said...

C:\Users\SS\Desktop\Making The Backup>itunnel_mux_r61.exe --ramdisk 018-7082-092
.dmg.ssh
Will try to kick connected devices out of the Recovery mode..
dfu_connect_callback


And it stays there...Suggestions?


Gosh, I'm so confused about this entire thing, but I'm not giving up!

I guess I need way better directions so a newb can understand... If you guys could help me out, you would be giving me my phone back after a week! :)

Leo101 said...

@ I)estym

You don't by any chance know where there's a compiled version of nc (netcat) for the iPhone, do you? I've found one but it's asking for extra libraries etc.
Cheers

Edgar said...
This comment has been removed by the author.
Edgar said...

After being on the "dfu_connect_callback" line, I forcefully rebooted it, and put it in recover mode manually.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\SS>"C:\Users\SS\Desktop\Making The Backup\itunnel_mux_r61.exe"

iphone_tunnel v2.0 for Win/Mac
Created by novi. (novi.mad@gmail.com)
Restore mode hack by msft.guy ((rev 5))

Usage: iphone_tunnel --tunnel [--iport ] [--lport ] [De
vice ID, 40 digit]]
OR: iphone_tunnel --autoboot to kick out of the recovery mode
OR: iphone_tunnel [--ibss ] [--exploit ]
[--ibec ] [--ramdisk ]
[--devicetree ] [--kernelcache ]
Example: iphone_tunnel 22 9876 0123456...abcdef
Default ports are 22 22

C:\Users\SS>"C:\Users\SS\Desktop\Making The Backup\itunnel_mux_r61.exe" --ibec i
BEC.n90ap.RELEASE.dfu --ramdisk 018-7082-092.dmg.ssh --devicetree DeviceTree.n90
ap.img3 --kernelcache kernelcache.release.n90 --ramdisk-delay 5
Will try to kick connected devices out of the Recovery mode..
dfu_connect_callback
dfu_disconnect_callback
recovery_connect_callback
getUsbDeviceName: \\?\USB#VID_05AC&PID_1281#CPID:8930_CPRV:20_CPFM:03_SCEP:01_BD
ID:00_ECID:00000387D611D52D_IBFL:01_SRNM:[87025VJSA4T]_IMEI:[012339009356757]#{B
8085869-FEB9-404B-8CB1-1E5C14FA8C54}\0000
WinDFU::OpenDFUDevice: path: \\?\USB#VID_05AC&PID_1281#CPID:8930_CPRV:20_CPFM:03
_SCEP:01_BDID:00_ECID:00000387D611D52D_IBFL:01_SRNM:[87025VJSA4T]_IMEI:[01233900
9356757]#{B8085869-FEB9-404B-8CB1-1E5C14FA8C54}\0000
WinDFU::OpenDeviceByPath: \\?\USB#VID_05AC&PID_1281#CPID:8930_CPRV:20_CPFM:03_SC
EP:01_BDID:00_ECID:00000387D611D52D_IBFL:01_SRNM:[87025VJSA4T]_IMEI:[01233900935
6757]#{B8085869-FEB9-404B-8CB1-1E5C14FA8C54}\0000
WinDFU::InitUpdate: CreateFile failed
WinDFU::UploadFile: InitUpdate failed, error: -3
WinDFUUpload: UploadFile failed, error: -3
getUsbDeviceName: \\?\USB#VID_05AC&PID_1281#CPID:8930_CPRV:20_CPFM:03_SCEP:01_BD
ID:00_ECID:00000387D611D52D_IBFL:01_SRNM:[87025VJSA4T]_IMEI:[012339009356757]#{E
D82A167-D61A-4AF6-9AB6-11E52236C576}\IB0000
iBEC iBEC.n90ap.RELEASE.dfu loaded


Then it hangs THERE. Anything?

Mel~ said...
This comment has been removed by the author.
Edgar said...

Ugh. Why does it stall? Does it usually take this long?

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\SS>cd desktop

C:\Users\SS\Desktop>cd making the backup

C:\Users\SS\Desktop\Making The Backup>itunnel_mux_r61 --ibec iBEC.n90ap.RELEASE.
dfu --ramdisk 018-7082-092.dmg.ssh --devicetree DeviceTree.n90ap.img3 --kernelca
che kernelcache.release.n90 --ramdisk-delay 5
Will try to kick connected devices out of the Recovery mode..
dfu_connect_callback

Am I doing this right? The next step would be to LOAD them with tetheredboot right?

Mel~ said...

I have the exact same problem. Stuck at getting the files to upload to my iphone. Similar to Edgar. Any luck your side yet?

Mel~ said...
This comment has been removed by the author.
Mel~ said...
This comment has been removed by the author.
Edgar said...

No, nothing yet. I'm not sure if we're manually supposed to get out of DFU mode, and go into Recovery Mode, or it does it by itself.

Even if I do manually get out of pwned DFU mode, I'm stuck at the - iBEC iBEC.n90ap.RELEASE.dfu loaded line. I'm not even sure if I should proceed from that point.

a said...

Anyone trying on Linux: sending the ramdisk fails for me unless I disable USB 2 with "rmmod ehci_hcd". Then it's slower, but actually works.

Not that anyone reading these blog comments appears to be using Linux...

I looked at the code for itunnel_mux and it uses what look like reverse-engineered Apple APIs to send the reboot command. Any pointers to how I might achieve the same with libimobiledevice or libirecovery? Neither has "reboot" APIs, but it's probably just a control message or similar?

I)estym said...

Ugh. Sorry for the slow reply guys.

@Edgar you keep using itunnel_mux 6.1 however there is a newer version (7.1) available. Have you tried it?

@Leo101 here's a deb file from Cydia: http://dl.dropbox.com/u/4821368/netcat_0.7.1-2_iphoneos-arm.deb
Unfortunately I'm not familiar with the package format and have no time figuring it out right now... but hopefully you'll be able to make sense out of it.

msft.guy said...

@Edgar: You don't need iBEC, just a patched iBSS ... You don't need iTunnel either, just run tetheredboot with correct args: -i ibss -r ramdisk -k kcache. Don't rerun tetheredboot without resetting the device and reentering DFU (exploit won't work correctly if applied twice).

Edgar said...

Yes, after my last post and prior to yours, I found out that I was using an older version of iTunnel. So I gave the newer version a try, and I still get the stall:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\SS>cd desktop

C:\Users\SS\Desktop>cd making the backup

C:\Users\SS\Desktop\Making The Backup>itunnel_mux.exe --ibec iBEC.n90ap.RELEASE.
dfu --ramdisk 018-7082-092.dmg.ssh --devicetree DeviceTree.n90ap.img3 --kernelca
che kernelcache.release.n90 --ramdisk-delay 5
[INFO] Waiting for a device in Recovery mode to connect..

Edgar said...

I didn't even see msft.guy's response until later.

So I tried using your suggestion of using tetheredboot to upload these files and this is what I get.

C:\Users\SS\Desktop\Making The Backup>tetheredboot -i iBSS.n90ap.RELEASE.dfu -k
kernelcache.release.n90 -r 018-7082-092.dmg.ssh
Initializing libpois0n
ERROR: The process "iTunes.exe" not found.
ERROR: The process "iTunesHelper.exe" not found.
Waiting for device to enter DFU mode
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as iPhone3,1
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
Exploit sent
Reconnecting to device
Waiting 2 seconds for the device to pop up...
Uploading iBSS.n90ap.RELEASE.dfu to device
[==================================================] 100.0%
Waiting 10 seconds for the device to pop up...
Uploading 018-7082-092.dmg.ssh to device
[==================================================] 100.0%
Uploading kernelcache.release.n90 to device
[==================================================] 100.0%
Exiting libpois0n


The screen turns white and stays white. This looks exactly like I)estym's post earlier, but then you told him to fix his problem by using tetheredboot to get into pwned DFU mode, and using iTerminal to upload the files, so right now, I'm confused! Lol.

Then I run this as the directions in the main post say:

C:\Users\SS\Desktop\Making The Backup>itunnel_mux --lport 22
[INFO] Waiting for new TCP connection on port 22
[INFO] Waiting for device...

Concombre said...

Hello,

I want to modify syringe so it can boot another ramdisk.
I saw that the ramdisk is inside /include/resources/ramdisk.h
I wrote that binary data to the disk and noticed the img3 header, that is 64 bytes long. Then I stripped it, and was able to mount the unencrypted HFS+ disk image that starts just after the img3 header.

First question: is it possible to just reuse the img3 header that I stripped off with another ramdisk (e.g. msftguy's ramdisk.dmg.ssh), so I can replace the syringe ramdisk in ramdisk.h with my new one.

Second: can someone give me some ramdisk theory, or give a good link about that. For instance, what gets executed first when the ramdisk loads ? Or do I always have to issue a command to the device to get things started, like "reboot", that loads sshd in the msftguy's ramdisk case, because he replaced /sbin/reboot with sshd ?

One more thing: I don't have access to a Mac, but I can still compile stuff (C/C++/obj-C) directly on an iPhone device.

Leo101 said...

@ I)estym & msft.guy

I've had the following error appear when running commands from terminal onto the iphone:

dyld: Library not loaded: /usr/lib/libgcc_s_v6.1.dylib
Referenced from: /mnt2/nc
Reason: image not found

This one when trying to run netcat. I've read bits from online sources who believe it to be missing libraries which apple have removed. Any ideas? Do you know of a work around or solution? I imagine you've come across this problem before,

Thank you for your time

Davvido said...

Does it work with iPhone3G 3.1.3 (pwned via redsn0w)?

Concombre said...

@a, I work on linux only too.
About your last question, have you tried this libirecovery function: irecv_send_command(client, "reboot"); ?

What have you managed to do so far ?
I try to modify posixninja's syringe so it loads another ramdisk than the chronic-dev ramdisk.
I haven't been able to do anything valuable using the tetheredboot utility from posixninja's git, that's why I try to work with syringe (the injectpois0n binary).

So far, I've modified syringe so it can upload any ramdisk to the device, but then nothing happens on the phone, so I need help on all the ramdisk stuff.

Also, do you know what is the purpose of the "Moving ramdisk" command, which is either:
irecv_send_command(client, "go memory move 0x9000040 0xC000000 0x100000");
...or:
irecv_send_command(client, "go memory move 0x41000040 0x44000000 0x100000");
...depending on the CPU type ?

Is it needed to keep this (and the following "set kernel bootargs" and "go fsboot" commands) when only working with the ramdisk with no need for an actual fsboot ?

Thanks for your time, any advice helping me to move forward would be appreciated ;)
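
An added example for the two Img3 questions in Concombre's comments above (the 64-byte header in front of the HFS+ image in syringe's ramdisk.h, and whether that header can be reused around another ramdisk). This code is not from the original post, from syringe or from any Apple tool; it parses the Img3 container as it is publicly documented: a 20-byte header (magic, fullSize, sizeNoPack, sigCheckArea, ident) followed by tagged sections, each with a 12-byte tag header. In a ramdisk Img3 the first tag is a TYPE tag padded to 32 bytes and the second is DATA, so the raw HFS+ volume begins at 20 + 32 + 12 = 64, the 64 bytes Concombre stripped. The size fields in the header and in the DATA tag are per image, so a header copied from one ramdisk cannot be reused verbatim around one of a different size; build_img3 recomputes them. The +0x40 in the "memory move" source addresses is the same 64 bytes: my reading, not stated on the page, is that iBoot copies the bare payload out of the uploaded container to the ramdisk address. Whether an unsigned container with only TYPE and DATA tags boots depends on the signature-check patches in the iBSS in use; that is not verified here, and the sigCheckArea value written by build_img3 is an assumption.

```python
import struct

IMG3_MAGIC = b"3gmI"                  # "Img3" stored as a little-endian FourCC
HDR_FMT = "<4sIII4s"                  # magic, fullSize, sizeNoPack, sigCheckArea, ident
HDR_LEN = struct.calcsize(HDR_FMT)    # 20
TAG_FMT = "<4sII"                     # tag magic, totalLength (header+data+pad), dataLength
TAG_LEN = struct.calcsize(TAG_FMT)    # 12


def fourcc(raw):
    """Little-endian FourCC bytes to text: b'EPYT' -> 'TYPE'."""
    return raw[::-1].decode("ascii")


def parse_img3(blob):
    """Walk the container and return its ident, sigCheckArea and tag table."""
    if len(blob) < HDR_LEN:
        raise ValueError("shorter than an Img3 header")
    magic, full_size, size_no_pack, sig_check_area, ident = struct.unpack_from(HDR_FMT, blob, 0)
    if magic != IMG3_MAGIC:
        raise ValueError("not an Img3 container")
    if full_size != len(blob) or HDR_LEN + size_no_pack > full_size:
        raise ValueError("fullSize/sizeNoPack disagree with the file length")
    tags, off, end = [], HDR_LEN, HDR_LEN + size_no_pack
    while off + TAG_LEN <= end:
        tag_magic, total, data_len = struct.unpack_from(TAG_FMT, blob, off)
        if total < TAG_LEN + data_len or off + total > end:
            raise ValueError("tag %s overruns the container" % fourcc(tag_magic))
        tags.append({"tag": fourcc(tag_magic), "offset": off,
                     "data_offset": off + TAG_LEN, "data_len": data_len})
        off += total
    return {"ident": fourcc(ident), "sig_check_area": sig_check_area, "tags": tags}


def is_img3(blob):
    try:
        parse_img3(blob)
        return True
    except ValueError:
        return False


def data_payload(blob):
    """(offset, length) of the DATA tag payload, i.e. where the raw HFS+ image starts."""
    for tag in parse_img3(blob)["tags"]:
        if tag["tag"] == "DATA":
            return tag["data_offset"], tag["data_len"]
    raise ValueError("no DATA tag")


def hfsplus_signature(blob, payload_offset):
    """The HFS+ volume header sits 1024 bytes into the volume: b'H+' (b'HX' for HFSX)."""
    return bytes(blob[payload_offset + 1024:payload_offset + 1026])


def build_img3(ident, image_type, payload):
    """Wrap a raw image in an unsigned Img3 with only TYPE and DATA tags (no KBAG/SHSH/CERT).
    The TYPE tag is padded to 32 bytes like Apple's, so the payload lands at 20 + 32 + 12 = 64."""
    type_tag = struct.pack(TAG_FMT, b"EPYT", 32, 4) + image_type.encode("ascii")[::-1] + b"\0" * 16
    data_tag = struct.pack(TAG_FMT, b"ATAD", TAG_LEN + len(payload), len(payload)) + payload
    body = type_tag + data_tag
    # Assumption: with no SHSH tag present, sigCheckArea is set to the whole tag area.
    header = struct.pack(HDR_FMT, IMG3_MAGIC, HDR_LEN + len(body), len(body), len(body),
                         ident.encode("ascii")[::-1])
    return header + body


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    info = parse_img3(data)
    off, length = data_payload(data)
    print("ident=%s tags=%s payload@%d len=%d hfs=%r" % (
        info["ident"], [t["tag"] for t in info["tags"]], off, length,
        hfsplus_signature(data, off)))
```

Pointed at the ramdisk written out of ramdisk.h, the script lists the tags and reports the DATA offset; a stock restore ramdisk from an IPSW will show extra tags (VERS, SEPO, KBAG, SHSH, CERT) and an encrypted payload, so the HFS+ signature check only passes on a decrypted or home-built image.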

a said...

@concombre,

i'll try that irecovery call and see what happens -thanks. I am probably not the correct person to help anyone but here's what works for me.

build msftguy's syringe from github and then run the tetheredboot utility to send pwned iBSS (can get from pwnagetool ipsw) + stock kernelcache + pwned ramdisk created with msftguy's ramdisk recovery tool (there's links to it in blog).

tetheredboot will let you boot any ramdisk, and the ramdisktool will give you a working one to start with.

if you see an apple with an empty progress bar under it on the device's screen when trying with msftguy's ramdisk, you've successfully booted a non-apple ramdisk. i haven't yet modified it in a meaningful way but look at the google wave linked in another recent blog here for hints.

a said...

@msftguy,

could you possibly publish a fuzzy patcher json module for verbose boot for arm7 iBSS / iOS 4.x ?

@linuxers,

Turns out a watchdog or something in Apple's restore ramdisk kicks in after about 2 minutes and causes a reboot (screen turns white). At this point you can use usbmuxd/iproxy to reach ssh. No proprietary OS needed!
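
An added example for the tunnel side of the procedure (msft.guy's note above that the ramdisk's restored enables USB mux before sshd starts, and a's point that usbmuxd/iproxy is enough to reach it on Linux): a small Python ProxyCommand that does for one connection what iproxy does, speaking usbmuxd's binary protocol (version 0, the one the original usbmuxd and tcprelay.py used). This is not code from the original post, from itunnel_mux or from libimobiledevice. It assumes usbmuxd is running with its socket at /var/run/usbmuxd, that a single device is attached, and that sshd on the ramdisk listens on port 22; the packets in the self-test are constructed by hand.

```python
import os
import select
import socket
import struct
import sys

USBMUXD_SOCKET = "/var/run/usbmuxd"   # assumption: usbmuxd's default socket path

TYPE_RESULT, TYPE_CONNECT, TYPE_LISTEN, TYPE_DEVICE_ADD, TYPE_DEVICE_REMOVE = 1, 2, 3, 4, 5
PROTO_VERSION = 0                     # legacy binary protocol
HDR_FMT = "<IIII"                     # total length (incl. header), version, message type, tag
HDR_LEN = 16
RESULT_OK = 0


def build_packet(msg_type, tag, payload=b""):
    return struct.pack(HDR_FMT, HDR_LEN + len(payload), PROTO_VERSION, msg_type, tag) + payload


def build_connect(device_id, port, tag=2):
    """Connect request: device id, port in network byte order, two reserved bytes."""
    swapped = ((port & 0xFF) << 8) | ((port >> 8) & 0xFF)
    return build_packet(TYPE_CONNECT, tag, struct.pack("<IH", device_id, swapped) + b"\x00\x00")


def parse_packet(buf):
    """Decode one complete packet into (type, tag, decoded payload)."""
    length, version, msg_type, tag = struct.unpack_from(HDR_FMT, buf, 0)
    if version != PROTO_VERSION or length < HDR_LEN or len(buf) < length:
        raise ValueError("malformed usbmuxd packet")
    payload = buf[HDR_LEN:length]
    if msg_type in (TYPE_RESULT, TYPE_DEVICE_REMOVE):
        return msg_type, tag, struct.unpack("<I", payload[:4])[0]
    if msg_type == TYPE_DEVICE_ADD:
        dev_id, usb_pid, serial, _pad, location = struct.unpack("<IH256sHI", payload)
        return msg_type, tag, {"DeviceID": dev_id, "ProductID": usb_pid,
                               "SerialNumber": serial.split(b"\0", 1)[0].decode("ascii", "replace"),
                               "LocationID": location}
    return msg_type, tag, payload


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("usbmuxd closed the socket")
        data += chunk
    return data


def read_packet(sock):
    hdr = _recv_exact(sock, HDR_LEN)
    length = struct.unpack_from("<I", hdr, 0)[0]
    return parse_packet(hdr + _recv_exact(sock, length - HDR_LEN))


def connect_device_port(port, timeout=10.0):
    """Wait for usbmuxd to report a device, then open a TCP connection to `port` on it."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.connect(USBMUXD_SOCKET)
    sock.sendall(build_packet(TYPE_LISTEN, tag=1))
    device_id = None
    while device_id is None:
        msg_type, _tag, body = read_packet(sock)
        if msg_type == TYPE_RESULT and body != RESULT_OK:
            raise RuntimeError("usbmuxd refused Listen: %d" % body)
        if msg_type == TYPE_DEVICE_ADD:
            device_id = body["DeviceID"]
    sock.close()
    # Connect needs its own socket; the listening one only carries device events.
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.connect(USBMUXD_SOCKET)
    sock.sendall(build_connect(device_id, port, tag=2))
    msg_type, _tag, result = read_packet(sock)
    if msg_type != TYPE_RESULT or result != RESULT_OK:
        raise RuntimeError("usbmuxd Connect to port %d failed: %r" % (port, result))
    sock.settimeout(None)
    return sock   # from here on this is a raw byte stream to the device's port


def relay_stdio(sock):
    """Pump stdin/stdout <-> device socket so ssh can use this script as its ProxyCommand."""
    stdin, stdout = sys.stdin.buffer, sys.stdout.buffer
    while True:
        ready, _, _ = select.select([stdin, sock], [], [])
        if stdin in ready:
            data = os.read(stdin.fileno(), 65536)
            if not data:
                break
            sock.sendall(data)
        if sock in ready:
            data = sock.recv(65536)
            if not data:
                break
            stdout.write(data)
            stdout.flush()


if __name__ == "__main__":
    relay_stdio(connect_device_port(int(sys.argv[1]) if len(sys.argv) > 1 else 22))
```

Usage: save as usbmux_proxy.py and run ssh -o ProxyCommand='python3 usbmux_proxy.py 22' root@iphone (the host name is ignored once ProxyCommand is set). If usbmuxd answers Connect with a non-zero result, sshd is not yet listening on the ramdisk, which is the same symptom as itunnel_mux sitting at "Waiting for device".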

Concombre said...

@a

Tried the tetheredboot utility from posixninja a few days ago, with an iBSS and a kernelcache from an IPSW generated with snowbreeze, without any luck.
The process would fail at some point and the phone would finally boot on the filesystem as usual.

Any chances you have some hacked 3.1.3 iBSS and kernelcache files which you know working with tetheredboot ?

Tomorrow, I'll have a look at the newer versions of syringe/tetheredboot that you point.

Edgar said...

Hey, msft.guy, can you get on TeamViewer maybe tomorrow? I've been trying your suggestions, and I've been stuck in the same place for the last 4 days....

Concombre said...

Hello again,
thanks, a, for your advice on the openiboot toolchain, easy to install and just works.

Now I need some help on anthrax. I want my launchd to execute a binary I added on the ramdisk (let's say it's an hello world, nothing more), and that is pseudo signed with ldid -S.

I tried:
* adding libSystem and libgcc to the ramdisk and using printf/fprintf/write to STDOUT_FILENO or STDERR_FILENO
* compiling the hello world app with the syscall.S provided in anthrax and the -static -nostdlib options, and using write
* adding a console_setup to the hello world app like the one in launchd.c
* etc...
and nothing would ever print :(

So, what's the right way ?
It has to be possible because dyld is able to print error messages to the console.

big thanks to anyone that can help to sort this out

Edgar said...

I've been trying to work this for over a week now, and I can't seem to get it to work.

I'm following the directions to the T, and I just don't see how this won't be working for me. Anyone have more advice?

Edgar said...

Recapping all in one so others won't see my other posts. Lol. :)

I have an iPhone 4, 4.0.1, and I have the rebooting loop. It would turn on, stall and the wheel would come.

I downloaded MS about three weeks ago, and it caused my phone to go in the rebooting loop.

I managed to SSH in my phone successfully trying to fix the problem (at that time, I didn't know WHAT the problem, seeing that upgraded more than 4 files.)

I renamed a couple of folders (watchdog, and MobileSubstrate, I think). After I did this, the rebooting loop was gone so I figured I fixed it. But, alas, my phone didn't. I still had my SSH connection, though So I was able to change them back and forth and see what the problem was.

My internet was going slow, so I restarted my router and modem. HUGE MISTAKE. This made me lose connection between the iPhone and my computer so there's no way to connect.

For the last two weeks I've been trying this ramdisk method to no success.

I have done the following:

1) Built the ramdisk by extracting pwned iPhone 4 4.1 snowbreezed ipsw's kernelcache, iBSS,and ramdisk.

2) Used Ramdisk Builder to create a SSH Ramdisk.

3) Put iPhone in DFU mode.

4) Used the tetheredboot utility and input this:


tetheredboot -i iBSS.n90ap.RELEASE.dfu -k
kernelcache.release.n90 -r 018-7082-092.dmg.ssh

I got this:

C:\Users\SS\Desktop\Making The Backup>tetheredboot -i iBSS.n90ap.RELEASE.dfu -k
kernelcache.release.n90 -r 018-7082-092.dmg.ssh
Initializing libpois0n
ERROR: The process "iTunes.exe" not found.
Waiting for device to enter DFU mode
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as iPhone3,1
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
Exploit sent
Reconnecting to device
Waiting 2 seconds for the device to pop up...
Uploading iBSS.n90ap.RELEASE.dfu to device
[==================================================] 100.0%
Waiting 10 seconds for the device to pop up...
Uploading 018-7082-092.dmg.ssh to device
[==================================================] 100.0%
Uploading kernelcache.release.n90 to device
[==================================================] 100.0%
Exiting libpois0n

My screen is all white.

5) From there, I use itunnel_mux (7.1) to put this:


itunnel_mux --lport 22


I get this:


C:\Users\SS\Desktop\Making The Backup>itunnel_mux --lport 22
[INFO] Waiting for new TCP connection on port 22
[INFO] Waiting for device...

It just stays there. And now, I'm stuck.

I've tried other methods like running tethered boot utility to get into 'pwned' DFU mode and then, using iTunnel, upload these files using this command as said in other instructions:

itunnel_mux --ibec iBEC.n90ap.RELEASE.dfu --ramdisk 018-7082-092.dmg.ssh --devicetree DeviceTree.n90ap.img3 --kernelcache kernelcache.release.n90 --ramdisk-delay 5

I get this:

C:\Users\SS\Desktop\Making The Backup>itunnel_mux.exe --ibec iBEC.n90ap.RELEASE.
dfu --ramdisk 018-7082-092.dmg.ssh --devicetree DeviceTree.n90ap.img3 --kernelca
che kernelcache.release.n90 --ramdisk-delay 5
[INFO] Waiting for a device in Recovery mode to connect..

And it stalls there.

Hopefully you guys can give me an answer as I'm going crazy without a phone.

In the end it'll be worth it, knowing that my data is safe. :)

The Markers said...
This comment has been removed by the author.
The Markers said...

Edgar, it looks like you don't have iTunes installed.

Edgar said...

I do have it installed, it's just not open while running tetheredboot. I open it, and it's the same thing except

ERROR: The process "iTunesHelper.exe" not found.

which I'm guessing is irrelevant in this point.

:) Thanks for replying, though. I appreciate it!

The Markers said...

Edgar, I believe iTunes is required. If iTunesHelper.exe is not found, then iTunes is not installed correctly.

I)estym said...

@The Markers, I disagree. Had the same message however everything worked fine for me...
I have the whole process captured on video, maybe will put in on YouTube a bit later. However, absolutely no warranty that what has helped me will help everyone else. :)

Joerg said...

Hello,

thanks for the tools and instructions. It's really great work.
I still have one question: is there a way to extend the tools in the ramdisk, e.g. to include 'ls', 'dd' and 'nc'? If I add these programs to the ssh.tar file, I get an error message that ramdiskbuilder cannot extract the tar file.

ReanimationXP said...

I am in the exact same boat Edgar is in, to the T. iPhone 4 4.0.1, extracted pwned ibss and kernelcache from a sn0wbreeze 4.1 ipsw, ramdisk created using msft.guy's process with correct 4.1 restore keys.

I'm also able to get tetheredboot to complete successfully (it appears). The screen turns white after it sends the IBSS, remains white, then turns a dark gray after uploading kernelcache is complete.

I'm not getting an Apple logo with a white bar under it, as someone said here. Perhaps there is something wrong with the ramdisk or one of our files? I would really appreciate a response today, as I will be leaving town soon and will be forced to restore.

Thank you!

ReanimationXP said...

Someone also mentioned trying a stock IBSS with tetheredboot / itunnel too. I have tried it as an alternate to the pwned one with no difference.

Edgar said...

Use tetheredboot utility to upload JUST the patched ibss.

Then use itunnel_mux to upload the rest. (DeviceTree, kernelcache, ramdisk)

Example:

tetheredboot -i iBSS.n90ap.RELEASE.dfu

then -

itunnel_mux --ramdisk 018-7082-092.dmg.ssh --devicetree DeviceTree.n90ap.img3 --kernelcache kernelcache.release.n90 --ramdisk-delay 5

Of course, the names are different.

Then:

itunnel_mux -lport 22

ReanimationXP said...

As an update for anyone wondering, the tetheredboot tool does work as advertised, but does not appear to work if you are running 4.0.1.

I am now on 4.2.1 after using the noerase ipsw tool, and ran the tetheredboot tool again with the ssh ramdisk, and all is well. This was probably just created with 4.1 and later devices in mind.

You will see a picture of a snowflake or Apple logo with an empty loading bar if ramdisk loading was successful. Otherwise, you will see a white, then dark gray screen. An audible USB sound should be heard in Windows when the ramdisk successfully boots as well.

When in doubt, use the noerase tool and upgrade. I had to figure this out the hard way.

ReanimationXP said...

Command strings I used after updating (via noerase ipsw tool) to 4.2.1:

tetheredboot.exe -i iBSS.n90ap.RELEASE.dfu -k kernelcache.release.n90 -r 018-7082-092.dmg.ssh

itunnel_mux_r71.exe --lport 22

ReanimationXP said...

Sigh,

Now that I'm actually in the damn ramdisk the instructions STILL aren't working. You really need to fix up this article msft.guy.

After watching the video, ignore the article and use these commands:

To check the disk:
fsck_hfs /dev/disk0s1

To mount the user disk as mnt1:
mount_hfs /dev/disk0s1 /mnt1

To use ls to show directory:
/mnt1/bin/ls /mnt1

To set the path correctly so you can use cd and ls to navigate the filesystem:
PATH=$PATH\:/mnt1/bin

Do these in order, and you will have a usable terminal.

ReanimationXP said...

If you need to fix MobileSubstrate from crashing (which was my problem and I would imagine many others), navigate here and either delete the offending .dylib plugin in the DynamicLibraries folder, or rename the entire DynamicLibraries folder to DynamicLibraries2 using the 'move' command:

cd /mnt1/Library/MobileSubstrate
mv DynamicLibraries DynamicLibraries2

This will boot your phone into SpringBoard. You can then use a tool like iFile to create /Library/MobileSubstrate/DynamicLibraries again, and slowly copy dylibs in there, respringing along the way to make sure they're not breaking things. I'm not sure what needs to be in there to prevent it from going to safe mode, but I would recommend adding back these basic ones to start out with, if they exist:

Activator
Backgrounder
fis
IconSupport
libhide
libstatusbar
PreferenceLoader
SpringBoardAccess
Winterboard

One of the above controls whether or not MobileSubstrate kicks into safe mode. If it is not present, it will do so. Adding it back kicks it to normal mode.

Hope this helps.

Edgar said...

I can confirm that this DOES work for 4.0.1.

I had an iPhone 4, 4.0.1, stuck in the loop and was able to successfully connect to the phone using those args.

lao2008 said...

Hi, has anyone had problems running this on a Mac?

If so, what's the process? It keeps failing on my tests.
Cheers

lao2008 said...

Sorry details:

I ran:

Mac-Pro:~ ray$ sudo /Users/ray/Desktop/iphone\ tools/tetheredboot -i /Users/ray/Desktop/iphone\ tools/iBSS.n90ap.RELEASE.dfu -k /Users/ray/Desktop/iphone\ tools/kernelcache.release.n90 -r /Users/ray/Desktop/iphone\ tools/018-7082-092.dmg.ssh

and get this:


Initializing libpois0n
No matching processes were found
Waiting for device to enter DFU mode
opening device 05ac:1227...
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as iPhone3,1
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
libusb:error [darwin_transfer_status] transfer error: timed out
Exploit sent
Reconnecting to device
Waiting 2 seconds for the device to pop up...
opening device 05ac:1227...
Uploading /Users/ray/Desktop/iphone tools/iBSS.n90ap.RELEASE.dfu to device
[==================================================] 100.0%
Waiting 10 seconds for the device to pop up...
opening device 05ac:1281...
Setting to configuration 1
Setting to interface 0:0
Uploading /Users/ray/Desktop/iphone tools/018-7082-092.dmg.ssh to device
[==================================================] 100.0%
Uploading /Users/ray/Desktop/iphone tools/kernelcache.release.n90 to device
[==================================================] 100.0%
libusb:error [darwin_transfer_status] transfer error: timed out
Exiting libpois0n
Mac-Pro:~ ray$

lao2008 said...

The iphone screen changes to an apple symbol and progress bar. I then run:

Mac-Pro:python-client ray$ sudo python tcprelay.py -t 22:2222 &

and get:

[1] 16580
Mac-Pro:python-client ray$ Forwarding local port 2222 to remote port 22
Incoming connection to 2222
Waiting for devices...
Connecting to device
----------------------------------------
Exception happened during processing of request from ('127.0.0.1', 50414)
Traceback (most recent call last):
File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/SocketServer.py", line 558, in process_request_thread
self.finish_request(request, client_address)
File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/SocketServer.py", line 320, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/SocketServer.py", line 615, in __init__
self.handle()
File "tcprelay.py", line 82, in handle
dsock = mux.connect(dev, self.server.rport)
File "/Users/ray/Desktop/iphone tools/python-client/usbmux.py", line 235, in connect
return connector.connect(device, port)
File "/Users/ray/Desktop/iphone tools/python-client/usbmux.py", line 206, in connect
raise MuxError("Connect failed: error %d"%ret)
MuxError: Connect failed: error 3
----------------------------------------


Then when I try to connect with:
Mac-Pro:~ ray$ sudo ssh -p 2222 root@localhost



I get:

ssh_exchange_identification: Connection closed by remote host


I would really appreciate your help. It is an iPhone 4, and I am trying to get my camera photos off before I restore it.

Thank you
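
The "MuxError: Connect failed: error 3" in the traceback above is a result code from the binary usbmux protocol that tcprelay.py and usbmux.py speak to the mux. The following is an added example, not part of the original post or of msft.guy's tools: it encodes the CONNECT request the way usbmux.py does and decodes the RESULT reply, naming the code. The names are taken from usbmuxd's protocol header (assumption: the mux on the host returns the same codes), where 3 is "connection refused", i.e. the device was attached and enumerated but nothing on it was listening on the requested port at the moment the relay tried. That fits the reports in this thread that the first connection has to be made with itunnel/PuTTY, after which tcprelay works.

```python
import struct

# usbmuxd binary protocol (version 0), as used by usbmux.py / tcprelay.py.
# Assumption: result codes follow usbmuxd's usbmuxd-proto.h.
TYPE_RESULT, TYPE_CONNECT, TYPE_LISTEN = 1, 2, 3
TYPE_DEVICE_ADD, TYPE_DEVICE_REMOVE = 4, 5
RESULT_NAMES = {
    0: "OK",
    1: "bad command",
    2: "bad device id (device not attached or not yet enumerated)",
    3: "connection refused (nothing listening on that port on the device)",
    6: "bad protocol version",
}

# Header: length (including header), version, message type, tag; all uint32 LE.
HEADER = struct.Struct("<IIII")


def build_connect(devid, port, tag=1):
    """Encode a CONNECT request for TCP `port` on mux device `devid`."""
    # The port travels in network byte order inside a little-endian uint16,
    # so the bytes are swapped exactly as usbmux.py does it.
    port_be = ((port << 8) & 0xFF00) | (port >> 8)
    payload = struct.pack("<IHxx", devid, port_be)  # devid, port, 2 pad bytes
    return HEADER.pack(HEADER.size + len(payload), 0, TYPE_CONNECT, tag) + payload


def parse_message(data):
    """Split one mux message into (type, tag, payload); reject bad framing."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    length, version, mtype, tag = HEADER.unpack_from(data)
    if version != 0 or length != len(data):
        raise ValueError("bad protocol version or length field")
    return mtype, tag, data[HEADER.size:]


def explain_result(data):
    """Decode a RESULT reply into (code, human-readable meaning)."""
    mtype, _tag, payload = parse_message(data)
    if mtype != TYPE_RESULT or len(payload) < 4:
        raise ValueError("not a RESULT message")
    (code,) = struct.unpack("<I", payload[:4])
    return code, RESULT_NAMES.get(code, "unknown result %d" % code)


# Constructed sample reply: what the mux answers when the device refuses
# the connect, i.e. the "Connect failed: error 3" case from the traceback.
SAMPLE_REFUSED = HEADER.pack(HEADER.size + 4, 0, TYPE_RESULT, 1) + struct.pack("<I", 3)

if __name__ == "__main__":
    print(build_connect(7, 22).hex())
    print(explain_result(SAMPLE_REFUSED))
```

Result 2 ("bad device id") is the other code worth recognising: it means the mux no longer has the device, which is the "Waiting for device..." situation rather than a refused port.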

Tunnel said...

@ lao2008
I had the same issue; if you plug it into a Windows machine and connect via PuTTY, the screen will turn white and it will work. However, you can then transfer it back to your Mac and connect without problems.


Does anyone know how to do this without having to use Windows to connect the first time?

Jamie Graham said...

msft.guy, I can't thank you enough. I was stuck in restore loop and thought I would lose a ton of precious photos, contacts, music, etc. After trying your original ramdisk method, and the upgrade ipsw method, I tried this method and it worked for me! I got everything off the phone. Huge thanks.

lao2008 said...

Update:
I know the custom ramdisk upload completes (despite showing errors), as when I unplug from the Mac and plug into a Windows machine I can make the initial connection with PuTTY to turn the screen white; I can then plug back into the Mac and connect via SSH as the instructions state.

Therefore I know the problem is around the first connection. Does PuTTY do anything special that Terminal on the Mac doesn't? I've also tried connecting via sftp on the Mac with no luck.

I would really appreciate some help if possible. Thank you

R said...

My iPhone 3G, FW 4.2.1, BB 6.51, is stuck at the Apple logo... I have my SHSH files and tried looking through all your info to figure out how to get the ramdisk working... Is it possible to retrieve my contacts and my photos at all?

Pascal said...

Hi,
I hope to get help this way because I read at modmyi that a while ago (May 2010) you and beej worked together on a modified redsn0w version to get an iPhone that is stuck in an Apple logo boot loop to restart again. He wrote that you helped him a lot.

Unfortunately, something happened to him and he lost his equipment and code, plus I cannot reach him.

I am looking for
b33jsn0w-killsub-0.1-win.zip
b33jsn0w-killsub-0.1-mac.zip

Anyone who has them...
Please if you have them then send to pascal.mister(@)gmail.com
Thank you so much,
regards pascal

Jinko said...

Any noob-friendly guide for this? I'm trying to fix my iPhone 4.

ndouba said...

Hi msft.guy,

I've used your method before with much success. However, this time I am attempting to use the method on an iPad 4.2.1. I downloaded the 4.2.1 bundle and used Pwnagetool to patch the necessary files. I then extracted the recovery ramdisk and injected the ssh payload as described in your tutorials. However when I run tetheredboot I get the following output and the iPad remains stuck on a white screen, no Apple logo with progress bar:


tetheredboot -i iBSS.k48ap.RELEASE.dfu -k kernelcache.release.k48 -r 038-0032-002.dmg.custom
Initializing libpois0n
No matching processes belonging to you were found
Waiting for device to enter DFU mode
opening device 05ac:1227...
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as iPad1,1
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
libusb:error [darwin_transfer_status] transfer error: timed out
Exploit sent
Reconnecting to device
Waiting 2 seconds for the device to pop up...
opening device 05ac:1227...
Uploading iBSS.k48ap.RELEASE.dfu to device
[==================================================] 100.0%
libusb:error [darwin_reset_device] ResetDevice: device not responding
libusb:error [darwin_close] USBDeviceClose: no connection to an IOService
Waiting 10 seconds for the device to pop up...
opening device 05ac:1281...
Setting to configuration 1
Setting to interface 0:0
Uploading 038-0032-002.dmg.custom to device
[==================================================] 100.0%
libusb:error [darwin_transfer_status] transfer error: timed out
Uploading kernelcache.release.k48 to device
[==================================================] 100.0%
Exiting libpois0n

Funny thing is, the behaviour is intermittent. 9 times out of 10 it will fail. The only time it succeeds, I see the Apple logo with the progress bar for 30 seconds and then the device reboots. Any ideas?
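
Several transcripts of tetheredboot are posted in this thread with the question "did it work?". The script below is an added example, not part of the original post or of msft.guy's tetheredboot: it reads such a transcript and reports which stage was reached and at which stage each libusb error occurred. The milestone strings are copied from the transcripts above; the two sample transcripts are constructed from lao2008's and am0_oma's posts. Assumptions: 05ac:1227 is the DFU product id and 05ac:1281 the Recovery-mode one (both as shown in the transcripts), and the Windows build prints the same "Uploading ... to device" and "100.0%" lines as the Mac build.

```python
import re

# Milestones of a tetheredboot run, in the order they should appear.  The
# patterns come from the transcripts in this thread; the Mac build prints the
# "opening device 05ac:xxxx" lines, the Windows build may not.
ORDER = ["dfu_found", "exploit_sent", "ibss_uploaded", "recovery_opened",
         "ramdisk_uploaded", "kernel_uploaded"]
LINE_PATTERNS = {
    "dfu_found":       re.compile(r"^Found device in DFU mode"),
    "exploit_sent":    re.compile(r"^Exploit sent"),
    # 05ac:1281 = Recovery mode (assumption, as seen in the transcripts); 05ac:1227 = DFU
    "recovery_opened": re.compile(r"^(opening device 05ac:1281|Setting to configuration)"),
}
UPLOAD_KIND = {"ibss": "ibss_uploaded", "ramdisk": "ramdisk_uploaded",
               "kernel": "kernel_uploaded"}
UPLOAD_LINE = re.compile(r"^Uploading (?P<path>.+?) to device$")
BAR_DONE = re.compile(r"^\[=+\] 100\.0%$")
LIBUSB_ERR = re.compile(r"^libusb:error \[(?P<fn>[^\]]+)\] (?P<msg>.+)$")


def classify_upload(path):
    """Map an uploaded file name to the milestone its completion marks."""
    name = path.lower()
    if "ibss" in name:
        return "ibss_uploaded"
    if "kernelcache" in name:
        return "kernel_uploaded"
    if ".dmg" in name:            # ramdisks look like 018-7082-092.dmg.ssh
        return "ramdisk_uploaded"
    return None


def triage(transcript, uploads=("ibss", "ramdisk", "kernel")):
    """Return the milestones reached, each libusb error tagged with the last
    milestone before it, and the first expected milestone that never came.
    `uploads` lists what the command line asked tetheredboot to send."""
    reached, errors, pending = [], [], None
    for raw in transcript.splitlines():
        line = raw.strip()
        for name, pat in LINE_PATTERNS.items():
            if pat.search(line) and name not in reached:
                reached.append(name)
        m = UPLOAD_LINE.match(line)
        if m:                      # an upload started; its 100% bar completes it
            pending = classify_upload(m.group("path"))
            continue
        if BAR_DONE.match(line) and pending:
            if pending not in reached:
                reached.append(pending)
            pending = None
            continue
        e = LIBUSB_ERR.match(line)
        if e:
            stage = reached[-1] if reached else "start"
            errors.append((stage, e.group("fn"), e.group("msg")))
    wanted = {UPLOAD_KIND[u] for u in uploads}
    expected = [n for n in ORDER if not n.endswith("_uploaded") or n in wanted]
    missing = [n for n in expected if n not in reached]
    return {"reached": reached, "errors": errors,
            "first_missing": missing[0] if missing else None}


# Constructed sample 1: a Mac run with -i/-k/-r that went on to the Apple logo.
SAMPLE_OK = """\
Initializing libpois0n
Waiting for device to enter DFU mode
opening device 05ac:1227...
Found device in DFU mode
Identified device as iPhone3,1
Sending fake data
libusb:error [darwin_transfer_status] transfer error: timed out
Exploit sent
Waiting 2 seconds for the device to pop up...
opening device 05ac:1227...
Uploading iBSS.n90ap.RELEASE.dfu to device
[==================================================] 100.0%
Waiting 10 seconds for the device to pop up...
opening device 05ac:1281...
Setting to configuration 1
Setting to interface 0:0
Uploading 018-7082-092.dmg.ssh to device
[==================================================] 100.0%
Uploading kernelcache.release.n90 to device
[==================================================] 100.0%
libusb:error [darwin_transfer_status] transfer error: timed out
Exiting libpois0n
"""

# Constructed sample 2: a Windows run with -i only, where the device never
# came back after the iBSS was sent.
SAMPLE_IBSS_ONLY = """\
Initializing libpois0n
Waiting for device to enter DFU mode
Found device in DFU mode
Identified device as iPhone3,1
Sending fake data
Exploit sent
Waiting 2 seconds for the device to pop up...
Uploading iBSS.n90ap.RELEASE.dfu to device
[==================================================] 100.0%
Waiting 10 seconds for the device to pop up...
Exiting libpois0n
"""

if __name__ == "__main__":
    print(triage(SAMPLE_OK))
    print(triage(SAMPLE_IBSS_ONLY, uploads=("ibss",)))
```

Two caveats. The same "transfer error: timed out" line appears in this thread both in runs that went on to the progress bar and in runs that did not, so its position is what matters, not its presence. And when every milestone is reached, as in the intermittent case above, the transcript cannot tell success from failure: tetheredboot has already handed off to the kernel, and the remaining evidence is the screen (Apple logo with progress bar) and whether the mux subsequently sees the device.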

QuynhLam said...

Hi All,
I always get "Error: Device Service".
It looks like the device was not jailbroken, but actually it was jailbroken.
Any comment please.

QuynhLam said...

Hi All,
I have a jailbroken iPhone 4 4.1.
Everything went well and I got the progress bar.
But PuTTY and WinSCP failed to connect to the iPhone, and I got the error
[ERROR] USBMuxConnectByPort = 274d handle=ffffffff
[ERROR] Error: Device Service
And the phone just hangs there.
I had iTunes 9.2 and then updated to 10.1; got the same error.
Any comment please,
Thanks

aino said...

Hi All,
I have the same problem as QuynhLam!!!

I have a jailbroken iPhone 3GS 3.1.2.
Everything went well and I got the progress bar.
itunnel_mux_r61 -lport 22 ok
- Device connected: 12......
Info: Waiting for new TCP connection on port 22
Info: New connection
restore_dev = 00E301F8
muxConn = 6
Info: Device connected
and then I got the error
[ERROR] USBMuxConnectByPort = 274d handle=ffffffff
[ERROR] Error: Device Service

And the phone just hangs there.
I had iTunes 10.1.2.17.
Any comment please,
Thanks
peppi

Joerg said...

Hi,

I can confirm the problem reported by ndouba with FW 4.2.1 on iPhone 3GS. The device stuck on the white screen, no Apple logo with progress bar.

If I use my old 4.1.2 ramdisk and the 4.2.1 iBSS and kernelcache files, I can load the ramdisk successfully.

Martin said...

tetheredboot didn't seem to want to work on an iPhone 3G @ 4.0.1... device incompatible error, but putting it in pwned DFU via iReb 4.0.1, then sending kernelcache, devicetree and ramdisk via itunnel, and then sending over the pwned iBSS over the top gets you to the progress bar instead of the ih8sn0w custom firmware logo.

You can then launch itunnel again, specify a port and SSH in to recover the data...

I'm trying to look at the systembag.kb and user lock code to remove only that now. I can recover all user data, which is more than OK... just the password would be the icing on the cake.

You could take a dd image and write it back from inside a ramdisk, couldn't you?? Thanks so much for all your tools and contributions msft.guy.. You have helped me out a huge deal!!

wvgl said...

Thank you for putting all this out there--these instructions have saved me so much grief.

I got this working on an iPad running 4.2.1 stuck in recovery mode.

Some notes on my experience for those, like me, not steeped in all this jailbreaking arcana.

1. I found the decryption keys needed by the ramdisk builder at: http://theiphonewiki.com/wiki/index.php?title=Jasper_8C148_%28iPad%29

2. PwnageTool 4.2 didn't recognize my device right off. I needed to download and point PwnageTool to the following ipsw file: http://appldnld.apple.com/iPad/061-9857.20101122.VGthy/iPad1,1_4.2.1_8C148_Restore.ipsw

3. The correct kernelcache file for the iPad is the one with the "k48" suffix (not n90 or n81).

4. The tetheredboot utility did not successfully load the ramdisk (stuck at white screen) as anticipated by the instructions, but using itunnel_mux to load the ramdisk worked, as suggested in the troubleshooting section of the instructions. In my case, I used itnl, the Mac version of the itunnel_mux utility:

./tetheredboot -i iBSS.k48ap.RELEASE.dfu
./itnl --kernelcache kernelcache.release.k48 --devicetree DeviceTree.k48ap.img3 --ramdisk 038-0032-002.dmg.ssh

At this point the iPad displayed the apple logo with empty status bar underneath.

5. To get SSH access, as root (password is "alpine"):

./itnl --iport 22 --lport 10022
ssh root@127.0.0.1 -p 10022

6. To check and mount the system disk:

mount /
fsck_hfs /dev/disk0s1
mount_hfs /dev/disk0s1 /mnt1

To set the path so you can use cd and ls to navigate the filesystem, and scp to copy files (as suggested above by ReanimationXP):
PATH=$PATH\:/mnt1/bin

To check and mount the user disk:

fsck_hfs /dev/disk0s2s1
mount_hfs /dev/disk0s2s1 /mnt2

In my case the user disk was corrupted and I needed to repair with fsck_hfs -r before mounting.

7. At this point I pulled files off the iPad using scp. I was looking for photos, which were on the user disk under /mobile/Media/PhotoData.

combined said...

Hi MSFT,

I don't know who you are, but I would like to say a very big THANK YOU, from the bottom of my heart.

Using your methods and much inference, I managed to recover all my important files on a pretty much bricked iPhone 3GS iOS 4.1 which suddenly/mysteriously had its catalog tree corrupted ("Invalid Node Structure") - recovery mode loop.

I literally scoured the net for methods to recover data, only to find so many others stuck in the same helpless state, held hostage by the very same device that plays a major part in our personal & professional lives, now being coerced into the only possible solution: to lose everything and restore, rather than even being offered the chance to try a self-fix/safe-mode/USB direct access. Only when something goes wrong does one see how ridiculous the whole iOS design/architecture is.

Now I'm not sure at this point what the trade-offs were in making the decision to follow this design, and with no expected change on the horizon. But regardless of all that crap, the world is truly lucky to have people like you and those in your circle - providing an alternative path for us humble folk rather than simply pandering to corporate policies.

Using my limited knowledge of this recovery process, I'll try to see what I can do for my community... I'm sure there are tons facing the same bleak situation I faced earlier.

- Anyone needing advice to "fill in the gaps" of this process can contact me at lfi1206@singnet.com.sg

In the meantime, I wish you all the best and once again, Thank YOU.

Gabriel

Brett said...

Msftguy... I don't know how to tell you how much I appreciate this! Restored my dead iphone and pulled some really important stuff that I had lost!

Brett said...

Also, I hope you don't mind but I found your paypal e-mail address and sent you a small tip as a token of my appreciation. Thanks again!

Fotios said...

Hi MSFT Guy,

I need some advice...

I restored my iPhone without having a backup, to 4.3.1, and I want to restore my data (lost photos and videos). The phone originally was on 4.2.1 and it's an iPhone 4. I have tried almost everything I could find on the internet... I managed to get a raw disk image of my phone, but from what I found out, the image is encrypted, and I was referred to your method using SSH and a custom ramdisk. From what I have read, I understand this applies to phones trapped in a boot loop... would the method you talk about above be applicable to my situation? If not, do you have any suggestions?

Your reply and help will be greatly appreciated.

Thanks in advance.

FV.

MobileExpert said...

@Fotios:
Once you have restored the iPhone, all the data is lost. Like formatting a hard disk and installing a new OS: you cannot recover the data.

Leo said...

Hi,

When extracting data using scp or pscp to pull all my iPhone pictures, files etc. from the user partition, even though I specify to preserve timestamps so I can sort through the files more easily, the created date always changes. The accessed date is the earliest date, the modified date is an 'earlier' date than the created, and the created date is the date the file was transferred to my PC.

Any ideas how I can preserve the created date? I've lots of duplicate documents and i'm just trying to work out the ones I need without opening them all.

Thank you very much

imarkon said...

Has a solution for the iPhone 3G been found?
I've been driven totally crazy by this matter: the tetheredboot exe just doesn't want to work and says that iPhone1,2 is not supported, while itunnel says that it's waiting for a DFU mode device (and of course my iPhone is in DFU mode already).

So I don't know what to do now; I just need to move one file in the system folder to get my iPhone back up and running. Has anyone managed to fix this on a 3G?

nerdcore said...

./tetheredboot -i 4.1.iBSS.n88ap.RELEASE.dfu
Initializing libpois0n
No matching processes belonging to you were found
Waiting for device to enter DFU mode
opening device 05ac:1227...
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as iPhone2,1
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
libusb:error [darwin_transfer_status] transfer error: timed out
Exploit sent
Reconnecting to device
Waiting 2 seconds for the device to pop up...
opening device 05ac:1227...
Uploading 4.1.iBSS.n88ap.RELEASE.dfu to device
[==================================================] 100.0%
Waiting 10 seconds for the device to pop up...
opening device 05ac:1281...
Setting to configuration 1
Setting to interface 0:0
Exiting libpois0n

./itnl --kernelcache 4.1.kernelcache.release.n88 --devicetree 4.1.DeviceTree.n88ap.img3 --ramdisk 4.1.ramdisk.dmg
[INFO] Waiting for a device in Recovery mode to connect..

After a while I get the Apple logo with an empty progress bar. When I now create an SSH tunnel and connect to it, the system restarts with the original firmware.

./itnl --iport 22 --lport 10022

Do you know this problem? Does the version of the ramdisk have to be the same as the one installed on the phone?

thank you very much !

carlosmarioagamez said...

Hi, can you please help me out with this; I need to recover some video files accidentally deleted from my iPod touch 4th gen, iOS 4.3.1. Can I recover that data using this method and Ubuntu Linux? Thanks for replying.

Alexander said...

How is restored_external supposed to run reboot? It doesn't for me.

am0_oma said...

Please help, I'm stuck at
[INFO] Waiting for a device in Recovery mode to connect..
iPhone 4, iOS 5.0, iTunes 10.5.0.142, Windows 7 64-bit,
tethered jailbroken using redsn0w, and had a problem from semitethered.
I need to SSH in to remove the MobileSubstrate and semitether deps.

The problem happens as below.
I put my iPhone in normal DFU mode, then I enter the following:

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
D:\hackiphone\tetheredboot_win32>tetheredboot -i iBSS.n90ap.RELEASE.dfu
Initializing libpois0n
ERROR: The process "iTunes.exe" not found.
ERROR: The process "iTunesHelper.exe" not found.
Waiting for device to enter DFU mode
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as iPhone3,1
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
Exploit sent
Reconnecting to device
Waiting 2 seconds for the device to pop up...
Uploading iBSS.n90ap.RELEASE.dfu to device
[==================================================] 100.0%
Waiting 10 seconds for the device to pop up...
Exiting libpois0n

&&&&&&&&&&&&&&&&&&&&&&&&&
Then I did:

D:\hackiphone\tetheredboot_win32>itunnel_mux --kernelcache kernelcache.release.n90
--devicetree DeviceTree.n90ap.img3 --ramdisk 018-7923-347.dmg.ssh
[INFO] Waiting for a device in Recovery mode to connect..

I'm stuck at this point, please help.

angel said...

My device: iPhone 4 (iOS 5.0.1), freezes on the Apple logo (tried to tether boot but still the same freeze).

So I followed the tut posted in this thread... and here are the results....


1. Extracted the 4 files from custom iOS 5.0.1 sn0wbreeze.
I uploaded the iBSS using tetheredboot successfully, but
when I upload the ramdisk and the other 2 files using itunnel,
itunnel just gets stuck at
"Waiting for device in recovery mode to connect...."
Nothing happens after this...

2. This time extracted the 4 files from custom iOS 4.2.1,
and uploaded the iBSS from iOS 4.2.1 while the rest of the files remained from iOS 5.0.1.
This time itunnel uploaded the 3 files successfully....
but when I tried itunnel --iport 22 --lport 2222
itunnel gets stuck at...
"Waiting for device...."

3. This time I used all the files from iOS 4.2.1 and only used the ramdisk from iOS 5.0.1. The same thing happened: when I tried itunnel --iport 22 --lport 2222
itunnel gets stuck at...
"Waiting for device...."

4. Now I used all the files from iOS 4.2.1, and everything got connected.....
Uploaded all 4 files; when I tried itunnel --iport 22 --lport 2222
it connected to the phone successfully. Now the problem is:

mount / ------> getmasterblock: error opening /dev/md0

fsck_hfs -r /dev/disk0s1 --------> /dev/disk0s1: no such file or directory. can't stat /dev/disk0s1

mount_hfs /dev/disk0s1 /mnt1/ -------------> getmasterblock: error 2 opening /dev/rdisk0s1
mount_hfs: no such file or directory.

__________________________________________

I had also installed semi-tether previously, but when I try to start the phone it just goes into recovery mode, and when I try to tether boot, it gets stuck at the Apple logo.

Pals, now I need help in recovering my data....

Hoping for positive help and a response..

Thanks

angel

am0_oma said...

angel, please check

http://msftguy.blogspot.com/2010/07/data-recovery-not-just-for-iboot-pwned.html
That will help you restore without losing your data. I tried it and it worked successfully.

angel said...

@ am0_oma
Bro, the tut says that the device shouldn't be jailbroken using sn0wbreeze, but my device is.... And secondly, I cannot restore to the current version as it will upgrade my baseband, which will make my device useless, as I'm using Gevey...

angel said...

Pals..
Without running any mount command,
I SSHed in using WinSCP and checked the /dev folder....
The folder doesn't have anything like disk0s1 or disk0s2s1, just rdisk0.
And also all the files in the "dev" folder are zero size....
Also the mnt1 and mnt2 folders are empty...

angad said...

angel - I am having the same problem... mnt2 is empty... what to do??

Incon said...

Hi Guys,

I have been following this guide the best I can, I am now stuck on

step 'Booting the recovery ramdisk with SSH'

1) I put the iphone into DFU mode and run the following in terminal 1 successfully

./tetheredboot -i iBSS.n90ap.RELEASE.dfu

./itnl --kernelcache kernelcache.release.n90 --devicetree DeviceTree.n90ap.img3 --ramdisk 038-1035-007.dmg.ssh


2) In terminal 2 I successfully run:

./itnl --iport 22 --lport 2222
[INFO] Waiting for new TCP connection on port 2222
[INFO] Waiting for device...
[INFO] Device connected: 55c5284e39617ccf1425d059efa3900519553a68
[INFO] Info: New connection...
[INFO] Device disconnected: 55c5284e39617ccf1425d059efa3900519553a68
[INFO] Device connected



3) The problem I am facing is when running ssh -p 2222 root@localhost in terminal 3

There is no result in terminal 3 but in terminal 2 I receive the following error message:


[INFO] Info: New connection...
[INFO] Device disconnected: 55c5284e39617ccf1425d059efa3900519553a68
[INFO] Device connected
[ERROR] USBMuxConnectByPort = 16, handle=ffffffff
[ERROR] Error: Device Service


Does this mean that my phone is rejecting the ssh connection when I run ssh -p 2222 root@localhost ?

I have done some searching and it may be that I am ' not using kernelcache file from an ipsw made with PwnageTool '

I think I am close enough to connect and get my files off the iPhone; any help would be much appreciated.

Please let me know if more info is needed.

Thanks

Con

msft.guy said...

@Incon: I wrote a new GUI tool available from https://github.com/msftguy/ssh-rd/downloads - run ssh_rd.jar and this should cover the steps to prepare and load the ramdisk. For now, you still have to run itunnel_mux --lport 2022 manually after the tool. If you're on windows, install 32-bit JRE 7 before running the jar.

iocnoting said...

msft guy
the jar is absolutely f.cking awesome!!!!!!!!!!
thank you !!!!

hmkegypt said...

Hello,

I have an iPad 2 with jailbroken iOS 5.0.1.
I deleted a cache file by mistake, and now it's stuck at the boot screen.
Will any of your methods help me fix this without losing my data?

Thank you.

spockers said...

Ricky Smith, must you spam? You suck.

Adam Alt Del said...

Nice article.
Please send me ssh iphone 5 ios 7 on my email : aad607@gmail.com
Thanks.
