Wednesday, January 11, 2012

Automatic SSH ramdisk creation and loading

A runnable JAR archive - works on OS X or Windows; needs 32-bit JRE on Windows.
Supported devices - hopefully everything Syringe supports (devices with A4 chips and lower) plus iPhone 2G, iPhone 3G and iPod Touch 1G.
The tool automatically downloads required files from Apple using @planetbeing's Partial Zip, patches them and sends to the device.
If everything works as it should, the only thing you need is an SSH client.
Credits:

Made possible thanks to Camilo Rodrigues (@Allpluscomputer)

Including xpwn source code by the iPhone Dev Team and @planetbeing
Including syringe source code by Chronic-Dev and @posixninja
syringe exploits by @pod2g, geohot & @posixninja
pwnage2 exploit by iPhone Dev Team
Special thanks to @iH8sn0w
code.google.com/p/iphone-dataprotection - EMF tools and kernel patches

To see more verbose stuff, run from command line: java -jar ssh_rd_rev04b.jar
Source on github.

Changelog:
* [01/15/12] updated to rev02b: colorized log messages; more prominent success message; exception traces; usb_mux starts immediately on app launch, so you can restart the app and reconnect SSH without having to go through DFU again
* [01/18/12] rev02c: iPhone 4 CDMA actually works now; iPhone 3G should as well - please leave a comment if it doesn't ..
* [01/20/12] rev02d: Should work with iTunes >= 10.0 and Windows XP.
* [01/25/12] rev03: Added 'ls' ;). Added an auto-mount script. Added bin paths from /mnt1 to PATH in .profile.
* [01/26/12] Added a YouTube video demo
* [02/05/12] rev03b: Fixed Snow Leopard compatibility
* [03/07/12] rev03c: Using fw 4.2.1 with iPhone 3G (instead of 4.0.1 in earlier builds)
* [07/09/12] rev04a: Added device_infos tool from code.google.com/p/iphone-dataprotection - if the user volume is corrupted, you can image it and decrypt with emf_decrypter.py (see Readme). Also, local ipsw files are used if present (for offline use).
* [06/29/13] rev04b: Fixed crash when connecting iOS7 devices on OS X and DLL load errors on Windows.

How to report bugs

Windows How-To

Video demo:

395 comments:

1 – 200 of 395   Newer›   Newest»
Unknown said...

Tested and working on 4.3.3 & 4.1 3GS, thanks for your work!

ReanimationXP said...

For those of you who need a working JRE 32-bit download, here's a link. The link in the article does not point to a download:

http://www.filehorse.com/download-java-runtime/

msft.guy said...

@ReanimationXP: Thanks, updated the link!

ReanimationXP said...

Welcome :)

Additionally for those of you new to this.. I recommend connecting with Putty rather than something like WinSCP.

If you are using this tool due to Springboard crashing on boot (because of a MobileSubstrate plugin crashing so bad it won't kick into Safe Mode), here are the commands to run to disable all Mobile Substrate plugins (dylibs) and effectively manually kick your phone into Safe Mode. You can turn them back on in the MobileSubstrate area of SBSettings -> More.

Connect using Putty, and for devices on iOS 5, run the following. Copy and paste into Notepad so you can see what is on each line incase it word-wraps:

fsck_hfs /dev/disk0s1s1
mount_hfs /dev/disk0s1s1 /mnt1
PATH=$PATH\:/mnt1/bin
cd /mnt1/Library/MobileSubstrate
for file in *.dylib ; do mv $file 'echo $file | sed 's/\(.*\.\)dylib/\1disabled/''
ls

All your .dylib files should now be changed to .disabled, and your phone will boot successfully next time you boot. If you are brought to the "Connect to iTunes" screen on the next boot, it's a side effect of @msft_guy's tool. Simply run the "Kick Out of Recovery Loop" tool in iREB 5, and you'll be all good.

Alternatively instead of the for loop above, you could rename DynamicLibraries folder to something else as I've demonstrated below. This will kick Safe Mode on as well. Change it back with iFile once you've removed the problem child, and respring.

mv DynamicLibraries DynamicLibraries2

FOR DEVICES ON IOS4, the commands above are slightly different. Replace /dev/disk0s1s1 with /dev/disk0s1. For some reason it was changed in iOS5. Thanks to @msft_guy for pointing this out.. I was lost until he told me :]

Thanks for this awesome tool!!

msft.guy said...

@ReanimatorXP: Small correction: I think it should be '/mnt1/Library/MobileSubstrate/DynamicLibraries'; otherwise you'll rename MobileSubstrate.dylib, and stuff will break because it's the main MobileSubstrate module and all processes are trying to load it when MobileSubstrate is installed.

iPaco said...

cd /mnt1/Library/MobileSubstrate

when i type that command it says no file directory exist. Am I missing something? plzz help thanks!

iPaco said...

cd /mnt1/Library/MobileSubstrate

When I put that command it says no file or directory found. Help please?? Thanks!

Anonymous said...

You totally rock. I've been using your old method of an iphone 3G on and off for emergency fixes, but it's a long drawn out process, since iREB sometimes had issues if I didn't run it from sn0wbreeze. I tried to upgrade at one point, but it didn't work, and I had a solution that did the job. But a one click would be fantastic.

For whatever reason, when I tried to run your jar, I get the following error:
Could not load mux_redux.dll from C:\Documents and Settings\\Local Settings\Temp\ssh_rd\native\mux_redux.dll; ABORTING
though I see this file exists. I'm running on an XP machine. The popup is unhelpful with an "INIT FAILED (mux thread)!"

Past that, I'd be happy to help confirm/test it works on a 3G (still running 3.1.3).

On a slightly related note - my current issue is that it won't boot, even into Safe Mode, I can't ssh in normally. In the past, I've always been able to fix it, but this one has me stumped. If I move away all the dylibs, I get syslog errors about not being able to load particular dylibs (grr).

Otherwise, I seem to be getting mostly "Cannot Stack" errors, and ones about being unable connect to lockdown, though I'm not positive either of those is actually the culprit. Any tips, o wise ones?

msft.guy said...

@fcc14fe0: Confirmed an XP bug (I really need to test stuff before releasing, dammit!), will build a fixed version soon.
On a slightly related note - please email logs/excerpts.. If those dylibs are mobilesubstrate plugins, it's worth figuring out who loads them - or just disable mobilesubstrate completely and see if that helps?
On old versions, you needed to remove all references to mobilesubstrate from /system/library/launchdaemons/*plist, (EnvironmentVariables/DYLD_INSERT_LIBRARIES subkey); now it seems it's enough to rename /etc/launchd.conf

Anonymous said...

Gah. Is that really how my account showed up? Whatever.

The phone is actually riddled with problems - I mostly use it as a toy these days. Sometime around a year ago the WiFi stopped working, so most of the packages are admittedly rather outdated. Something made me want to try and revisit the perma-Safe-Mode issue it has, which is why I was trying again.

It's entirely possible that what caused the issue now was my attempting to update mobilesubstrate to the latest version (I scped over the deb to install). However, I can't reinstall the old one, since when I dpkg --root=/mnt1 -i , it dies on the postrm, because of this:
dyld: Library not loaded: /System/Library/Frameworks/Foundation.framework/Foundation
Referenced from: /mnt2/lib/dpkg/info/mobilesubstrate.postrm
Hilarity ensues.

The phone itself has too much junk on it, so it's probably a poorly written and old dylib, I think one of them was PwnTunes. But I can upload the syslog next time I power it up into the ramdisk. Is there anywhere in particular you'd like me to send it?

Anonymous said...

Whoops. Forgot to also ask: I thought MobileSubstrate was needed for most of the Jailbreak. What does it load if it can't find the dylib for it? Springboard? I can try, though.

msft.guy said...

@fcc..: 1. Removing it in a legit way will be tricky, hence you only disable it via ssh, then remove/reinstall once the phone boots
2. It's needed for most tweaks, not the jailbreak. Since it injects dylibs to native Apple processes, without it, your phone will behave close to what Apple stock phone does - except you still will be able to run unsigned JB apps such as Cydia (so repairing MS should be pretty easy).

Anonymous said...

Yup, I can now confirm that your jar works on both Windows XP, and on a 3G. Much faster and simpler than my last method, too.

I tried your tip for removing MobileSubstrate, but the first time it just managed to recreate the /etc/launchd.conf, and the MobileSubstrate.dylib symlink. The next time I moved the entire Framework directory, but SpringBoard kept crashing, and it wouldn't boot.

Eventually I figured out that the problem was because a couple of symlinks (/Applications and /usr/share) had somehow disappeared. I have no idea how it happened, but recreating them managed to get the phone booting again, so I'm happy.

It makes me wonder, though, if any other links might be missing. Is there an authoritative list of ones that get created by the Jailbreak?

Anonymous said...

Hmm. Perhaps I spoke too soon. A couple of reboots later, and I'm unable to ssh in (or boot normally) again. I suspect another symlink may be at fault. Any suggestions? Here's the log:
http://pastebin.com/Rz8g8WR6

msft.guy said...

@fcc: You didn't disable your MS plugins; apparently one of them is crashing lockdownd and it's all crap from that point.
Seriously, just rename your plugins directory (/Library/MobileSubstrate/DynamicLibraries)

Anonymous said...

I did that earlier - I was trying to slowly re-enable the plugins to get some of them working. I'd been restarting SpringBoard along the way, but I hadn't realized one could crash it at startup. All these used to be around before the issues started a few days ago. But I can try removing the whole thing, again.

Is there any simple way to figure out, specifically, which one is crashing lockdownd, or do I have to enable them one-by-one, and restart each time?

msft.guy said...

@fcc: http://en.wikipedia.org/wiki/Dichotomic_search

Anonymous said...

Yeah, I know that one. Sadly, it doesn't take into account the vastly different costs of failure and success - in this case, failure means that you have to fail to reboot, boot into ramdisk, fsck, revert, reboot, repeat.

Hence why I was wondering if there was some better way to tell. Guess not, so I've got my work cut out for me. *sigh* Thanks anyway.

msft.guy said...

@fcc: you can weigh ratios proportionally to the costs involved: e.g. if failure is N times costlier than success, add 1/N of the remaining dylibs per try. Which, of course, might be close to 1 in your case ;)

angad said...

the problem is when i access using winscp , folders mnt1 , mnt2 are empty
and i dont know how to use putty comands
please let me know the exact commands .
i just want to copy the pictures in dcim folder
plzzzzzz helppppppppp

Anonymous said...

I'm stuck on the command portion...


My iPod's battery drained and was stuck in the low battery/Apple logo loop and it was refusing to charge and etc.


Anyways, I ran everything as instructed and it finished. At the end it said to connect to localhost, which I'm assuming is normal. So I follow the instructions and connect using WinSCP. Now what I'm stumped on is where or how do I enter these commands?

I've even installed Putty to try and enter the command, but it says not found.

I'm not too familiar with commands via SSH. So if you guys could help me out with that part I'd be so grateful.

I'd hate to restore my iPod and lose everything because my old computer crashed with all my music and etc.

Thanks a lot if it works you guys are life savers!

Anonymous said...

Also, my iPod just has the reload wheel at the bottom of the screen.

And I think I just found out how to enter commands in WinSCP, Commands > Open Terminal - Now I entered the said command, but nothing is happening in WinSCP or my iPod...

Am I doing something wrong?

Also, could that my battery is low be playing a factor into this?

Anonymous said...

Alright...well I think my iPod charges now because it doesn't shut off like before.

But now it's still stuck on the Apple logo with the reloading wheel right beneath it, not sure what to do now...just wait it out and see if it'll boot?

n0uzul said...

Hello,
Firstly I would like to send out big thanks to msft.guy, reanimator and everybody who has worked on this. This is the very definition of giving back. Wanted to let you know there are ppl out there that appreciate what you guys are doing here.

Well I can now get access to MobileSubstrate directory, which is great. However I was not able to execute the command to disable the individual .dylib's (even from within the DynamicLibraries directory). I tried renaming the the whole DynamicLibraries directory as reanimator had suggested, no joy, when I reboot still stuck on apple logo. Is there other common problems that can cause "stuck on apple logo", other than the mobile substrate department? Any other thoughts as to what I could try, either regarding mobile substrate or other possible issues.

I would really appreciate any help or perceptive anybody can offer. My phone has been out since before Christmas, just this past weekend I was again considering wiping it all and starting from scratch, an unpleasant solution to say the least. That was before I discovered your new easier method which gave me new hope, I feel like I am so close.

Cheers,
TC of yourselves and thanks again.
Johann

ReanimationXP said...

@n0uzul

Unfortunately the problem I'm describing is probably different than what you're seeing. The problem I'm describing (the Springboard crashing dylib issue) is when you have just installed a new Cydia tweak, and upon respring, your phone just resprings in a loop endlessly (never reaches Safe Mode). MobileSubstrate is designed to kick you into Safe Mode in this circumstance, but in rare instances it does not, rendering your phone useless.

However, this problem usually means you will at least /see/ the lockscreen before the phone crashes, sending to you back to the lockscreen again. This indicates there's a bad .dylib installed that is crashing MobileSubstrate as soon as SpringBoard loads.

So.. is SpringBoard even loading? One of the first indications of SpringBoard loading is if you hear the 'charging' sound when booting your phone while it's hooked to the charger or a computer. If you never get a charging sound, SpringBoard isn't loading at all and .dylibs are /not/ the problem. I have seen this with one person's phone once, and unfortunately there's nothing I could do to correct it besides a restore. It would be hard to determine what was causing that issue without having a Verbose Boot option enabled.

However, using @msft.guy's awesome tool, you're still able to use some of my commands above to mount the data partition and then back up your files, provided you know where they're at. I recommend using my commands to mount using Putty, then using a visual tool like WinSCP to perform the rest.

With either tool, you'll be connecting to localhost, port 2022. @msft.guy was correct that my 4th command should be:

cd /mnt1/Library/MobileSubstrate/ DynamicLibraries

***Remember*** to paste all my commands into notepad so you can see which is on what line. The long "for" command word-wrapped to the next line as expected, and the directory correction above will too.

angad said...

Plzz help me @reanimationxp .. I want to copy pics from my iphone .. Just tell me the commands plzzz .. Thnku ..

Unknown said...

I have an iphone4 that I had updated pdanet on and it forced a reboot and since has been hanging at the apple/pinwheel. i want to SSH so I can recover my pictures of my newborn daughter and possibly just remove pdanet and fix it completely. ive read so much but I am still so confused... can someone lay it out for me in an easier way to understand? ive been without my phone for 2 days because I refuse to lose my daughters pictures. my phone is running 4.3.1. THANKS IN ADVANCE

SK said...

Hi, please help i have successfully connected via SSH, however i can not see the folders where the pictures reside. When i click on the Var folder on the root, I can only see the following folders:
db
root
tmp

could someone tell me what i am doing wrong please
Thanks SK

msft.guy said...

@angad, @ANVIL, @SK: Hope the video helps..
On Windows, you'd be using PuTTY and WinSCP instead of ssh and Cyberduck, but it's pretty much the same stuff.

Jester said...

tested this on my jailbroken iphone 4
running ios 5.0.1 works perfect. i would like to make some modifications so tryed to clone the git repo how ever the xpwn and syringe folders are empty. this appears to stem from the fact the xpwn and syring *.git files are a 404 (point to the wrong git hub url) also what do i compile this with? im using git on cygwin to check out from the repo basically id like to forward 5555 same way as you forward 2202 so i can do a dd if=/dev/rdisk0s2 bs=4096 | nc 127.0.0.1 5555 :)

msft.guy said...

@Jester:
1. You can run another instance of itnl to forward port 5555

2. xpwn and syringe are submodules, you need to run 'git submodule init; git submodule update' to pull them

3. If you only need to change the Java part, you can build java/gui/ project with Eclipse and reuse the jni libraries extracted from the latest .jar in downloads; they're 4 files (dll and jnilib) at res/native/

n0uzul said...

Hello again,

Thanks for your reply reanimator. I have been a little busy as of late. Well I have given up on being able to boot up my phone without restoring it, however I would like to back up everything first. Using reanimators comment I was able to get to the root directory and copied everything off, there were a few errors but I assume (I know, a dangerous thing) nothing too important was left out (if anybody has a easy fix to copying everything let me know, I am all ears). Using the instructions in the video msft.guy posted recently I am not able to get to my user partition. Is there a script? Where can it be found? Does it have anything to do with me using windows (I have access to macs but they dont seem to want to run the .jar)? Might be important that I am on ios 4.3.x, what is the user partition called / where is it located (disk0s2)? Anyway, I am getting really tired of this dumb phone replacement and would like to restore today if at all possible, no pressure of course, I am grateful for any insight you can offer.

Cheers,
Regards,
Johann

msft.guy said...

@n0uzul: Open %TEMP%\ssh_rd directory (on Windows) and delete everything from there; then make sure you're using the latest jar version (rev03). This is necessary to delete the ssh ramdisk made with older versions of the jar that didn't have the mount script.
There should be no difference between OS X and Windows versions; although I'm very interested in errors you're getting on OS X. If you're on Lion, try installing Java for Lion from http://support.apple.com/kb/DL1421

Vince said...

i'm stucked at entering ssh -p 2022 root@localhost in MacOSX Lion. Any suggestions??

Anonymous said...

I'd like to thank you immensely for what you have developed, it is astounding. Not only that, it is also simple and straightforward for the less experienced users.
By the way, this works for iPod Touch 4, 5.0.1
Keep up the good work.

Mario said...

Pleeease, make it for iphone 4s jailbreak

ls said...

i can mount disk0s1 on my girlfriend's iphone 4 but when i do the fsck_hfs /dev/disk0s2 i get an error (on windows) and when i do mount.hs on my Mac when it tries to mount said disk it has the error "mount_hfs invalid argument" any suggestions or help? the whole idea of doing this is to get files, unless someone can help to get the phone to boot?

msft.guy said...

@ls: can't you post ssh logs to pastie.org or something? "i get an error (on windows)" doesn't tell me anything..
iPhone4 user volume is /dev/disk0s1s2 (ios4) or /dev/disk0s2s1 (ios5).
If mount says 'invalid argument', it's most likely disk corruption - try fsck_hfs -fy /path/to/disk
Also here http://code.google.com/p/iphone-dataprotection/wiki/README are some tools that might allow you to decrypt the files if you image the user volume (but that stuff's pretty hairy).

Biloky said...

Was reading some ibooks when suddenly my 3Gs (32gb iOS4.1) crashed. It rebooted into recovery mode and I wasn't able to kick out of it using tools like iReb or TU.

Then using your tool (awesome!!), I found out that it was because the data volume (disk0s2s1) cannot be mounted due to some error.

Using fsck_hfs, it spits out something like:
...
Invalid sibling links
Rebuilding Catalog b-tree
Disk full error
...
And still, "invalid argument" when trying to mount it normally.

Also tried fsck_hfs -r and -f and -fy to no avail.

Yesterday, I was able to extract important files (photos, notes, etc) by mounting it read-only:

mount -t hfs -r /dev/disk0s2s1 /mnt2

I read somewhere that you should not fill your HFS volume beyond 85%. Mine has ~800mb left!! And I thought maybe if somehow I could mount it r/w and free up some space, unmount it, and let fsck do its job. Is this even possible? I mean, force mounting r/w a volume that has errors in it?

Thanks :)

msft.guy said...

@Biloky: Yeah, 'Disk full error' and 800MB free does sound like a weird combination. I'm not up to speed on HFS+, but it could be that free space bitmap is corrupted and free space information is inconsistent.
Try adding -d flag to fsck_hfs and maybe checking out fsck_hfs source? at http://opensource.apple.com/source/diskdev_cmds/diskdev_cmds-540.1/fsck_hfs.tproj

If you have time to spare, you can try imaging the whole disk and use some HFS+ editor tool to fix that; then diff old vs new disk image and apply that difference to the device using a script with dd commands..

Just keep in mind that there's an additional logical file-based encryption layer that will prevent you from reading cleartext data from files in the image you'll make - I think http://code.google.com/p/iphone-dataprotection/ has some decryption tools for this; but if you only fix disk structures and don't rewrite file data, this should not be an issue.
Alternatively, you can try restore and then copy stuff back file by file using rsync - just make sure not to overwrite the keybag since it's per install..
You can run into issues with some files encrypted using iPhone Data Protection API (e.g. Mail database) not decrypting correctly after restore - again, iphone-dataprotection might have some scripts to help mitigate that. At least most data files and jailbreak-made customizations will be preserved!

ReanimationXP said...

Hello all,

Sorry to those who have had trouble with my commands. I found a couple bugs, sorry for any trouble that caused. I've corrected them below.

If you are using this tool due to Springboard crashing on boot (because of a MobileSubstrate plugin crashing so bad it won't kick into Safe Mode), these commands will disable all Mobile Substrate plugins (dylibs) and effectively manually kick your phone into Safe Mode. You can turn them back on in the MobileSubstrate area of SBSettings -> More.

INSTRUCTIONS:

1. Run @msft.guy's tool.
2. Using Putty, connect to the address specified when the tool is done running. (I believe the default is localhost port 2022).
3. Follow the link to Pastie.org below and run the commands based on your IOS version. Commands to re-enable all MobileSubstrate plugins are there too.

I've verified these are correct :)

http://pastie.org/3318896

msft.guy said...

@ReanimationXP: Awesome! If you'd like to add those commands to the tool as scripts, just submit a pull request on github; /bin is here: https://github.com/msftguy/ssh-rd/tree/master/java/gui/sshtar/bin.
Or just upload a zip somewhere if you don't want to bother with git/github account setup.

Itai Zemah said...

Can I reenable auto-boot with Redsn0w Fix Recovery?

TCF38012 said...
This comment has been removed by the author.
msft.guy said...

@Itai Zemah: Sure; just keep in mind that jar revisions >= 03 re-enable auto-boot automatically.

sicklittlemonkey said...

Awesome! Thanks so much the great tool. Worked flawlessly on an iPhone 3G (3.1) from Vista 32-bit. Got the holiday photos of my daughter, and my gym training notes.

Screw you Apple!

Luisgavi said...
This comment has been removed by the author.
Sham.ED. said...

hi. im in desperate need of ur help. i'm on windows 7 n i can only get as far as runnin ur .jar application. aft dat my phone shows the apple logo with the bar at the bottom. i downloaded putty but im not too sure how to use it. i cant even seem to estab a connection. wat do fill in the fields? n wat do i do aft dat? im a SUPER NOOB. so pls guide me step by step. ive been workin on this phone fr months. ur my only hope msft.guy PLS HELP.

Milosm10 said...

I have done this with a phone. but after when you start to do this things in diffrent programs i cant follow.. can you explain which program do i need to use and after that? thanks...

QerO said...

having my 3gs stuck at skull screen, try the ramdisk and disable all the mobile substrate in http://pastie.org/3318896

reboot and it still stuck at the skull logo. my 3gs is 4.21 i think(not very sure) with greenp0ision JB.

am looking a way to recover my contacts and pictures -_-;

msft.guy said...

@Sham.ED., @Milosm10, @QerO:
Check out the Windows howto

KaRMaN said...

Hi!

First of all I want to thank you for this awesome tool. It can be used to every non-A5 devices, that's great.

I ended up to this tool because I have a 1st gen iPod Touch that its stuck on recovery mode (plug to iTunes).

I tried to restore it with iTunes in recovery mode and in dfu mode, with original and jailbroken firmwares (pwnagetool) but it gaves always errors.

So looked for some info on recovery and found the ramdisk method (wich I tried successfully in iphone 3g and 4 GSM) hoping to boot something in the iPod touch, but no luck. Your tool shows starting to upload ramdisk and 4 or 5 connections and disconnectios of the same iPod in DFU mode.

I'm out of ideas. What else can I try?

QerO said...

msft.guy, I cannot mount the /mnt2, mnt1 is mounted. any hints?

msft.guy said...

@KaRMaN: Make sure to kill iTunes and iTunesHelper before connecting the iPod in DFU mode; otherwise iTunes will send its own payload that will interfere with the Pwnage exploit.

@QerO: did you try fsck_hfs -r ?

Kevin said...

Hi, I can´t mount /mnt1 or /mnt2 and I don´t know what else to do. I´ve tried fsck_hfs -r /mnt2 and it says: Can´t get device block size.

What else can I do ?

I´m on an iPad with 3.2 OS


Thank you!

msft.guy said...

@Einstein: you need to run fsck on /dev/disk0s2s1 (or /dev/disk0s2), not the mountpoint..

Kevin said...

@msft.guy


Yeah, I´ve tried that and gives me this:

-sh-4.0# fsck_hfs -r /dev/disk0s1
** /dev/rdisk0s1
Executing fsck_hfs (version diskdev_cmds-547~162).
volumeType is 0
0000: 0000 0000 0000 0000 0000 0000 0000 0000 |................|
. . .
01b0: 0000 0000 0000 0000 4d56 774c 0000 0000 |........MVwL....|
01c0: 0000 ee00 0000 2200 0000 0640 7700 0000 |............w...|
01d0: 0000 0000 0000 0000 0000 0000 0000 0000 |................|
. . .
01f0: 0000 0000 0000 0000 0000 0000 0000 55aa |..............U.|


And I don´t know what is it.

I use dev/disk0s1 because thats the file I found under /dev

There are also: disk0 and disk0s1s1 Tried both but seems to happen the same thing.

What am I doing wrong ?

Thank you!

Kevin said...

Please help!


Any advices ¡?


Thank you!

iknowaguy said...

I get as far as the Ramdisk load started! but then my phone just boots normally to my lock screen. Win xp, iPhone 4 version 4.3

msft.guy said...

@Einstein: sorry, not sure what to do next. Could be ios5 not seing ios3 style volumes, so you could try to boot an ios3.2 based ramdisk manually. I don't have an ipad1 to test if that's so or not ;/
@iknowaguy: syringe (the exploit injection library) can be sometimes finicky, try on another machine maybe? The symptoms are reboot instead of pwning the DFU mode, just like you described.

ReanimationXP said...

@msft.guy

This probably goes without asking, but would I be correct in assuming there's no way this tool's actions could be done on A5 devices until/unless there is a bootrom exploit?

mick07 said...

hi just whaving a problem, have an iphone 4 and it gets to this stage

Using syringe to exploit the bootrom..
Exploit sent!
Preparing to load the ramdisk..
Ramdisk load started!
MobileDevice event: DfuDisconnect, 7231227, 8930
MobileDevice event: DfuConnect, 7231227, 8930
DFU device 'iPhone 4 (GSM)' connected
Ignoring same device iPhone 4 (GSM)
MobileDevice event: DfuDisconnect, 7231227, 8930
MobileDevice event: RecoveryDisconnect, 7231281, ffffffff
Almost there..
MobileDevice event: RecoveryConnect, 7211281, 8930


and wont go any further, just keeps disconnecting and connecting! if you have any ideas your help would be much appreciated!

QerO said...

@msft.guy, tried fsck_hfs -q /dev/disk0s2s1 and then fsck_hfs -r /dev/disk0s2s1 and then mount.sh

one after one, and finally got the /mnt2 folder accessible with lots of files.

THANK you very much!

now, I'm figuring what is what. do you know if any place on the web could tell me where is the picture/movie? where is the contacts? and where is the notes?

^_^

arm_asm said...

wonderful! this is awesome reversing work and saved my life. thanks so much!

KaRMaN said...

I finally managed to restore not one but two iPod Touchs.

Thank you for your tool, is amazing and proffesional tool.

KaRMaN said...

I finally managed to restore not one but two iPod Touchs.

Thank you for your tool, is amazing and proffesional tool.

QerO said...

Found it, just for someone who needs.

picture: mobile\Media\DCIM
contacts: mobile\Library\AddressBook\AddressBook.sqlitedb

download sqlite3 and do the following

sqlite3 AddressBook.sqlitedb

sqlite> .mode csv
sqlite> .output contacts.csv
sqlite> SELECT ROWID, First, Last, ABMultiValue.value, record_id FROM ABPerson, ABMultiValue WHERE ROWID=record_id;
sqlite > .quit

you will find the contacts.csv file on the same folder.

in case you are exporting other than english, you may get "??????" open in excel. use notepad to open contacts.csv, safe as, pick same filename, and over write the file. open it on excel again and you will see all the words you want :) I tried this for my chinese name contacts.

anyway, GOOD works! I found all the data!

QerO said...

What a surprise!

my iphone 3gs is back! it boots!

perhaps, it's because I did disable all Mobile Substrate plugins (dylibs) and rebuild the partition with

fsck_hfs -q and then
fsck_hfs -r the disk0s2s1

backup all data from /mnt2 and reboot. suddenly, my phone boots, I put it back to DFU and re-enable the mobile substrate plugins and it still boots!

SUPER!

msft.guy said...

@mick07: weird.. try on another computer or read this: https://github.com/msftguy/ssh-rd/wiki/Reporting-bugs

@QerO, @arm_asm, @KaRMaN: glad it worked!

T0t4r4 said...
This comment has been removed by the author.
T0t4r4 said...
This comment has been removed by the author.
T0t4r4 said...
This comment has been removed by the author.
msft.guy said...

@Matt: the most common 8900 issue is iTunes interfering with DFU process (it send the DFU payload that prevents Pwnage from exploiting in the true DFU mode), you'll have to kill iTunes processes (iTunes and iTunes Helper) manually - sorry about that.

T0t4r4 said...

Thanks. iTunes processes were already killed.

Finally yesterday it got down to the "RAMDisk load started" message and got stuck here.

After half an hour (I've been patient), I decided to close the .jar and turn the iphone off.

This morning, the jar does detect the iphone in DFU with the message
"MobileDevice event: RecoveryConnect, 3721281, 12803100"

and then hangs here.

Any idea ?

T0t4r4 said...

Ok Re-did it and now ive got this message
http://pastie.org/private/oojyjp3689qjw2idslkq
which is the same as yesterday in fact.
Now it's stuck here.
What should I do ?
Thanks
Mat

T0t4r4 said...

Here is the md.log contents showing what's happened yesterday and today :
http://pastie.org/private/j6v5yyaofytlgay2mwtmg

Many thanks
Mat

T0t4r4 said...

Good news. I killed every possible service and process running that wasn't critical.
I Closed the jar, didn't touch the phone (still plugged in)
I restarted the jar, which now says it Loaded the RAMDisk. Now the phone's screen is blank but I still can't access it with putty...

jar output:
http://pastie.org/private/4lnd0j9wkoakh7pwrxxzg

md.log
http://pastie.org/private/kyllctgxuxsk0igwgv5a

msft.guy said...

@T0t4r4: You need to enter true DFU mode again after killing all those processes.
Your log says "Connect a device in DFU mode .. DFU device 'iPhone 3G' connected"
It should say 'DFU Mode S5L8900 Device' first.

Just reset the phone, then enter DFU again and retry.

TCF38012 said...

@mick07 I had this problem to

Just go to your temporary directory and delete "ssh_rd"

The ramdisk may be corrupted

@msft.guy Im working to port this to linux and maybe improve it greatly and call it ios recovery disk builder with partitioning tools, etc

TCF38012 said...

@msft.guy

Why is
/dev/disk0s1s1 /mnt1
and
/dev/disk0s1s2 /mnt2

when it could be
/dev/disk0s1s1 /mnt
and
/dev/disk0s1s2 /mnt/private/var

That maybe why dpkg doesn't uninstall from the user partition

msft.guy said...

@TCF38012: on the Linux port - awesome ;)

on mnt2: a couple of reasons:
1. historical - this is what restored does
2. won't cause issues if sysvol fails to mount

Generally, people who would mess with dpkg on a ramdisk shouldn't have problems remounting the volumes or changing the scripts in ssh.tar ;)

T0t4r4 said...

Hi msft.guy,

I did this and it is still stuck at
'8900 exploit load started'

http://pastie.org/private/5t8zbaa1rcbfa7fsyiwwzw

What should I do next ?
Thanks !

T0t4r4 said...
This comment has been removed by the author.
TCF38012 said...
This comment has been removed by the author.
T0t4r4 said...

I haven't succeeded in starting the ramdisk...

I will try on the mac and see if that changes something...

Cheers

tmainframe said...

Hey, isn't actually doing anything for me just gets to the point below and does nothing. Tried on Mac and Windows. ios 4.* (between 4.2 and 4.3) iphone 4. phone hasn't been jailbreaked. Any help would be much appreciated.

Extracted resource to /var/folders/tT/tTvtZxJXGJy5FVYf9ihdJU+++TI/-Tmp-/ssh_rd/native/jsyringeapi.jnilib
Extracted resource to /var/folders/tT/tTvtZxJXGJy5FVYf9ihdJU+++TI/-Tmp-/ssh_rd/native/mux_redux.jnilib

Connect a device in DFU mode
MobileDevice event: RecoveryConnect, 1281, 8930

msft.guy said...

@tmainframe: yeah, because you're not entering DFU mode; instead, you're in Recovery. Find a DFU tutorial on YouTube.

EazyCut said...

@msft.guy

Hi msft.guy. Your job is great!!

I have a problem when running your tool with an iphone4, tryed on win7 and now on winxp pc. here are the output:


Downloading 038-3715-001.dmg
Downloaded to C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\ssh_rd\ipsw_iphone31_9A405\038-3715-001.dmg.orig
Decrypted to C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\ssh_rd\ipsw_iphone31_9A405\038-3715-001.dmg.dec
Extracted resource to C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\ssh_rd\ssh.tar
Added ssh.tar to the ramdisk
Ramdisk prepared at C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\ssh_rd\ipsw_iphone31_9A405\038-3715-001.dmg
Using syringe to exploit the bootrom..
Exploit sent!
Preparing to load the ramdisk..
Ramdisk load started!
MobileDevice event: DfuDisconnect, 3811227, 8930
MobileDevice event: DfuConnect, 3811227, 8930
DFU device 'iPhone 4 (GSM)' connected
Ignoring same device iPhone 4 (GSM)
MobileDevice event: DfuDisconnect, 3811227, 8930
MobileDevice event: DfuConnect, 3811227, 8930
DFU device 'iPhone 4 (GSM)' connected
Ignoring same device iPhone 4 (GSM)
MobileDevice event: DfuDisconnect, 3811227, 8930
MobileDevice event: DfuConnect, 3811227, 8930
DFU device 'iPhone 4 (GSM)' connected
Ignoring same device iPhone 4 (GSM)
MobileDevice event: DfuDisconnect, 3811227, 8930
MobileDevice event: DfuConnect, 3811227, 8930
DFU device 'iPhone 4 (GSM)' connected
Ignoring same device iPhone 4 (GSM)
MobileDevice event: DfuDisconnect, 3811227, 8930
MobileDevice event: DfuConnect, 3811227, 8930
DFU device 'iPhone 4 (GSM)' connected
Ignoring same device iPhone 4 (GSM)
MobileDevice event: DfuDisconnect, 3811227, 8930
MobileDevice event: DfuConnect, 3811227, 8930
DFU device 'iPhone 4 (GSM)' connected
Ignoring same device iPhone 4 (GSM)
MobileDevice event: DfuDisconnect, 3811227, 8930
MobileDevice event: DfuConnect, 3811227, 8930
DFU device 'iPhone 4 (GSM)' connected
Ignoring same device iPhone 4 (GSM)
MobileDevice event: DfuDisconnect, 3811227, 8930
MobileDevice event: DfuConnect, 3811227, 8930
DFU device 'iPhone 4 (GSM)' connected
Ignoring same device iPhone 4 (GSM)


And thats it, nothing more. Phone screen black. Its like it hangs here. I try to put in DFU mode again and same answer "Ignoring same device iPhone 4 (GSM)"



What i can see the itunes is not loaded and not helper either. my version of itune is 10.3xx
Should i try other version of itunes?

Schoolboy said...

Is there anyway I can make it use local files? I already have the 5.0.1 ispw

msft.guy said...

@EazyCut: Yes, since 5.x ipsw is available for your device, it's what is used, and it requires iTunes 10.5

@Schoolboy: Without code modification you have two possible options:
1. Replace the downloadUrl key in all_keys.plist inside the .jar (strip the URL and just leave the filename). It will ask you to put the ipsw file into the ssh_rd folder, then extract the files locally.
2. Extract the needed files into ssh_rd/ipsw_(model)_(build), appending .orig suffix to files that are patched and keeping the name for those that are not.
e.g. DeviceTree is unchanged, but iBSS gets an '.orig' appended to the filename. In this case, the download will be skipped.

Note that the total download size is about ~30MB(ramdisk+kernel), since partial download lib is used, and that files are reused once they're downloaded (on OS X, until you reboot, since the base dir is in $TMPDIR)

T0t4r4 said...

Hi msft.guy ,

It's me again, this time i've tried on my MACOSX Snow leopard.

The .jar GUI now stops at "Almost there" (after having downloaded and applied the necessary files correctly).

My iPhone3G (8GB) seems to be booting on the RAMdisk as it displays an apple logo with a progress bar underneath. After a minute or so, the screen gets black again with a progress circle icon at the bottom, indefinitely.

I attached the md.log here :
http://pastie.org/private/fghq9cpuomdjuaq9ia0v0q

FYI, this device had iDroid installed with BootLance, and OpeniBoot, but to be able to go in DFU I had to remote OpeniBoot (I can always put it back if needed)

Thanks for helping,
Matt

Mad Max said...
This comment has been removed by the author.
Mad Max said...

I am having trouble decrypting a Disk dump. Usually, I use this command with a JB and Open SSH:

dd if=/dev/rdisk0 bs=8k | ssh administrator@192.168.2.XX 'dd
of=iphone3gs.img'

But I get an error using the ssh ramdisk:

ssh: connect to host 192.168.2.XX port 22: No route to host

Will using the ssh ramdisk give me an unencrypted backup?

If no can someone point me in the right direction to decrypt a DD?

luis_cornejo said...

Hey for those that are having problems with the 3b jar file, I wen ahead and ran 3b instead from GIT and it worked on my i4 5.0.1

luis_cornejo said...

Hey for those that are having problems with the 3b jar file, I wen ahead and ran 3b instead from GIT and it worked on my i4 5.0.1

Mina ZombieVixen said...

Hello,
Okay I have a 3gs running ios 5.0.1 that is stuck in itunes loop..... I have done it all, redsnow, ifaith, fixrecovery(very experienced in fixing errors etc) but this phone will not come to life with any program i have used. I came across this page and figured why not.... Everything works like a charm for me except when I get to the SSH party. Im using Putty on win7 and Ive managed to learn some basic Linux over the last 3 days... my issue is this I pretty much just want to repair what ever files are corrupt and keeping this phone from booting up. I dont care to save any of the stuff.... but doing the process to save will be fine, its all about learning... I get into Putty login in and Im confused as to which /dev/diskxxxx I use. Ive read some conflicting things...its your operating system, its the phone version and the operating system.... And when I do type in commands I get some different things
alot of:
-no such file or directory
-Device or resource busy
and some:
-invalid b tree node size
-quick check only no hfs signature found
-fsck_hfs missing special drive
If i could just get some assistance as to which /dev/deviceXXXX i should use it would be greatly appreciated.

Schoolboy said...

You are awesome! Great work with the GUI

Kid said...

I have the same problem as T0t4r4. Any solution for this?

msft.guy said...

@T0t4r4, @Kid: weird.. verbose mode might have helped here, otherwise I don't have a clue what's happening.
I noticed 4.0.1 fw is used for iPhone 3G, I'm going to switch to 4.2.1 just in case.. probably just a red herring. To enable verbose mode you need to patch '-progress' into '-v' followed by a 00 byte in iBSS.dfu

@Mad Max: WiFi is off, so you can't connect _from_ the iPhone - run the _source_ dd in tunneled ssh. e.g. ssh -p 2022 root@localhost dd blah > image.dmg

@luis_cornejo: it's already linking to github, or do you mean some other version than 3b?

@Mina ZombieVixen: Just run mount.sh , that should do the trick..

Kid said...

I kept trying a few more times and it works!
Awesome work here!

msft.guy said...

@T0t4r4: just in case, a version that uses version 4.2.1
is at https://github.com/downloads/msftguy/ssh-rd/ssh_rd_rev03c.jar

EazyCut said...

hi again. I tryed nnow everything you said, stil hangs at certain point. tryed all your versions up to 03c.jar..

Please check my Md.log and jar.log and see what you can do. I need pics back on my newborn daughter.

http://pastie.org/private/nahvjbg0k4qdllsevnnikw

Best regards
Eazycut

T0t4r4 said...

@msft.guy Thanks I tried with 3b, same thing. I did not find a file called iBSS.dfu in /var/Folders so I couldn't enable verbose mode.
I know ive installed iOS3.1.2(or3.1.3 can't remember) but I don't know what FW is on my iphone.
I'm stuck here.

@Kid: what do you mean by "tried many times", what did you do exactly ?

Thanks guys for your help

T0t4r4 said...

@msft.guy I've tried...but I don't understand what you said here
"To enable verbose mode you need to patch '-progress' into '-v' followed by a 00 byte in iBSS.dfu"
Yes, I'm a dev... What do you mean by patching X into Y ? you mean "add" ?

Thanks

virtue said...
This comment has been removed by the author.
virtue said...

hi, i have an iPad 1st generation, i don't know why when i wanted to connect to iTunes, it says "need restore" , a few minutes before it was working fine...

the iOS is 5.01, so i use the latest redsn0w and do the jailbreak process, after that it comes to life but only showing "apple logo" for a minute and then rebooots itself.

after googling i found this life saving blog, as i really need the data inside my iPad and restore is not an option :(...

can this recovery method works with iPad 1st generation iOS 5.01, and jailbroken with redsn0w 09.10b5c?

please help :)

virtue said...

i'm a noob looking for step by step instructions for using it with iPad 1 iOS 5.01 and windows XP :D

Mina ZombieVixen said...

Im getting could not mount system volume, retry later or file a bug.... could not mount user date volume...etc.

I tried mount /
same thing
i tried
mount_hfs /dev/disk0s2s1 /mnt1
with os1, os2 os1s1, os1s2, os2s2, os2s1...every combo
i get getmasterblock error 16 or 2
i also get
missing special device
help please

Don said...

I'm at the same stage as Mina ZombieVixen.

Finally got "something". I made an SSH connection but all the folders I need are not there, or at least not visible. Using terminal commands, I also can't mount any partition.

I didn't do anything weird with my iphone. All it did was completely drain the battery. If only I had known...

yawn said...

My iPod 4G gets is detected in DFU mode, but the app just sits there forever?

Why doesn't itunes pop up in the demo? It does every time I connect in DFU...

I've tried 3 windows PCs, and one Mac - same every time. I've tried with and without iTunes (inc different versions). Nothin.

iPod is running 4.0.1, jailbroken back when 4.0.1 was "modern". Annoying kids changed the password and forgot what they changed it too... Grrr... and I foolishly installed "SSH Toggle" before that. Grrr X 2...

msft.guy said...

@T0t4r4 i mean overwrite the bytes, so that the string changes from -progress to -v, and write a 00 byte after '-v' so that the string ends there

@virtue: there's a video and a Windows howto link, it's not really device specific

@Mina ZombieVixen, @Don: really no clue .. either partition table got erased somehow or just a hardware problem with the flash memory

@yawn: use the 'reporting bugs' link, I can't say anything without the logs.. try to run java from command line to get console output as well. I killed iTunes and iTunes Helper before recording the demo, they are mostly harmless (unless your model is 2G/3G iPhone or 1G iPod Touch)

yawn said...

bug report sent. win7 / Winxp / osxlion all same - no logs, no console output other than "... Waiting for device...", and no activity after the GUI detects "MobileDevice event: RecoveryConnect, ???1281, 8008930"

msft.guy said...

@yawn: that's because you need DFU mode and you're in recovery mode. Just google the dfu instructions.

Don said...

Hmm that would not be nice. How did it erase its partition (tables). Or the flash memory going bad. It just had a drained battery and turned off itself.
When I plugged in the adapter, nothing weird at first. The phone displayed the (red) battery charging screen. After about half an hour I went back to the phone and suddenly it showed an Apple logo. After that I never got it back on again.

Would it be possible to swap the HD (is this the NAND?) into another iphone 4 to get to my data?

elizarov said...

Thank you very much! I was able to recover files from my wife's bricked iPhone 3GS, including some unique non-backed up videos with my daugher. The only complaint is that 'mount.sh' did not automatically mount /dev/disk0s2s1 on /mnt2 for me and I had to do it manually (iOS version of device was 3.2.x)

XuluniX said...

Nice work
is chroot possible?
i get "Segmentation fault: 11" error

Kire said...

First of all, I would like to say thanks one million times to msftguy for writing this post. I saved my gf's iPhone which did not have any back up of the contacts and the photos.

This was iPhone 3GS, new bootroom, jailbreaked with snowbreeze, preserved baseband 05.11.07, firmware 4.2.1 (did the custom IPSW)

After almost 2 years usage, one day the phone was around 2-3% battery life. Few seconds after ending a phone call, the phone switched off by itself. When it was put for charging and started, the apple logo showed and stayed like that for 5 min. and still on. Tried to restart with holding power plus home button, didn't boot, the connect to itunes logo showed up, and since then it never booted up again. tried many types of restarts with hardware buttons, no result, again stuck in the same connect to itunes logo (probably so called recovery mode loop).

I tried every possible program to somehow exit from the recovery loop, from Tiny umbrella (did not show the device, it said device invalid, tried fix recovery in DFU mode, tried exit recovery mode, but still nothing), to iReb, Fixrecovery, Irecovery (with Libusb), blackra1n, Recboot, Easyrecovery, etc., but non of them worked, every time i got back to the same damn recovery mode, connect to itunes logo.

Then I tried to find a way to at least back up the contacts and the photos before I restore the phone, but none of the programs recognized the phone (ifunbox, phonedisk,diskaid,iphone transfer, tanseeiphone, ixplorer and more).

The finally when I found this way, at first i did everything as in the instruction, however the /mnt2 was empty. Then i tried with the command fsck_hfs -r /dev/disk0s2s1 and then mount.sh and it worked!!! (so of you don't see mnt1, use the fsck_hfs -r command to repair mnt1 if that is also not working before you enter the command mount.sh). So afterwards I copied all the photos and videos, contacts, messages and downloaded files. Then I tried @ReanimationXP's instruction to get it to boot again (with the correction from msft guy), [ cd /mnt1/Library/MobileSubstrate/DynamicLibraries
for file in *.dylib ; do mv $file 'echo $file | sed 's/\(.*\.\)dylib/\1disabled/''
ls, ] , and did the manual restart (home plus power 10sec), and the phone FINALLY BOOTED normally :).
It was alive and it had everything as before :-).

Biloky said...

Hi msft.guy...

Sorry took me this long to post back. :)

Tried the -d flag but to no avail and not hardcore enough to dig into the fsck_hfs source :)

Since all my important data were already backed up using your tool, I ended up restoring to 4.2.1 instead.

Thanks for your reply. I really learned a lot from this. Thanks again!

Unknown said...

Hi,

I'm having trouble at the mount_hfs part. Always says "resource busy". I can mount /mnt1 but not /mnt2.

Please see http://pastie.org/3635473

I've tried -r, -fy, -q but noting works. I'm not sure whether to use /dev/disk0s1 or /dev/disk0s2s1.

Please advise if I've done something wrong.

Thanks for your help!

Anonymous said...

hey, can you make another build for it to automatically map all files on iDevice to FTP, so we just can run this java program, wait, and go to ftp, this could be the breakthrough against restoring! :) thanks for your time

Anonymous said...
This comment has been removed by the author.
mxcats said...
This comment has been removed by the author.
mxcats said...

ah i get Could not mount system volume; retry later or file a bug.
Could not mount user data volume; retry later or file a bug.
plase help. runing os 5.0.1 iphone 3gs

mxcats said...

so apple logo comes up on the phone but does the bar under it need to fill up or stay empty.

Anonymous said...

is there a way we can use the files locally, instead of downloading from appldndl site

Anonymous said...

It always says Download Failed...

Chortos-2 said...

On the first run, it crashed:

Waiting for new TCP connection on port 2022
Waiting for device...
///---[1]
| No exact match
| Top5:
| 0.86 at 0x00004592
| 0.52 at 0x00007D24
| 0.49 at 0x000077D2
| 0.48 at 0x00001594
| 0.46 at 0x00004AFC
\\\---Patch 1 applied at 0x00004592
///---[2]
| Exactly one match at 0x000078FC
\\\---Patch 2 applied at 0x000078FC
===============================================================================
2 of 2 applied (100%)
Exploiting 8900 vulnerability (/var/folders/Op/OpppQ-6+EVO2N3GIz+GoZU+++TI/-Tmp-/ssh_rd/ipsw_dfu8900_7E18/Firmware/dfu/WTF.s5l8900xall.RELEASE.dfu)... ;)
Invalid memory access of location 0x40 rip=0x12073d782

Segmentation fault


On the second run, it told me it couldn’t download the ipsw from Apple (iPod touch 1G, 3.1.3), and after I found my ipsw and put it where it wanted it, proceeded to do stuff but stopped after this line (the GUI didn’t hang, but nothing was happening):

RestoreProgress: dev=0x11d45ed50, op=2 progress=98 ctx=0x11d40b550


After several attempts to re-run the jar and SSH into the iPod, I got the bright idea to turn it off and re-enter DFU, and for good measure also unplug it before doing so. Re-run the jar, and voilà! I can bring the /usr/lib that I foolishly moved to the /var file system earlier today back!

Thanks!

mxcats said...

Also does the device have to be jailbroken

Anonymous said...

@msft.guy

"@EazyCut: Yes, since 5.x ipsw is available for your device, it's what is used, and it requires iTunes 10.5

@Schoolboy: Without code modification you have two possible options:
1. Replace the downloadUrl key in all_keys.plist inside the .jar (strip the URL and just leave the filename). It will ask you to put the ipsw file into the ssh_rd folder, then extract the files locally.
2. Extract the needed files into ssh_rd/ipsw_(model)_(build), appending .orig suffix to files that are patched and keeping the name for those that are not.
e.g. DeviceTree is unchanged, but iBSS gets an '.orig' appended to the filename. In this case, the download will be skipped.

Note that the total download size is about ~30MB(ramdisk+kernel), since partial download lib is used, and that files are reused once they're downloaded (on OS X, until you reboot, since the base dir is in $TMPDIR)"

can you give an example for :ipsw_(model)_(build) please, and how can I put them back into a JARfile again please "sorry I'm not an expert on this area" thanks in advance

hudson said...

Hi guys I have a iphone 4 GSM on 4.3.4 and I am having issue at the part where when i type mount.sh I get this error "Could not mount system volume; retry later or file a bug. Could not mount user data volume; retry later or file a bug"

This seem to be the same issue I see @mxcat running into. Has anyone found a solution to this yet? If so please post thank you.

Moe007 said...

I've been looking for help for 2 days now. I had a disaster with my iphone. I am running iOS4.0 on an iPhone 4. I never upgraded and for the last year and a half it's been working fine. Friday April 6, 2012 morning, I decided (while in bed half asleep) to run Cydia and upgrade critical compnents. My phone went into a respring loop and I havent been able to access it. When I connect via USB to the computer, I can't even hear the phone recognition by my computer. I've tried some instructions to replace the launchd file using redsn0w (which are supposedly instructions by Saurik), but redwn0w doesn't like my IPSW. I'm stuck and I have 9 months worth of notes and data and contact that are not backed up because I didn't sync the device in 9 months because I'm a complete idiot. Can anyone help me at all? I am willing to pay for this help if anyone is willing to help. My email is BioMed0077@gmail.com

Moe007 said...

I've been looking for help for 2 days now. I had a disaster with my iphone. I am running iOS4.0 on an iPhone 4. I never upgraded and for the last year and a half it's been working fine. Friday April 6, 2012 morning, I decided (while in bed half asleep) to run Cydia and upgrade critical compnents. My phone went into a respring loop and I havent been able to access it. When I connect via USB to the computer, I can't even hear the phone recognition by my computer. I've tried some instructions to replace the launchd file using redsn0w (which are supposedly instructions by Saurik), but redwn0w doesn't like my IPSW. I'm stuck and I have 9 months worth of notes and data and contact that are not backed up because I didn't sync the device in 9 months because I'm a complete idiot. Can anyone help me at all? I am willing to pay for this help if anyone is willing to help. My email is BioMed0077@gmail.com

Unknown said...

Ur GOD Thank You!
iPhone 3G 3.1.3

CoreOfLore said...

Why am I getting this when i type in the correct command into PuTTy

fsck_hfs /dev/disk0s2s1

** /dev/rdisk0s2s1
Executing fsck_hfs (version diskdev_cmds-
** Checking Journaled HFS Plus volume.
** Detected a case-sensitive volume.
** Checking extents overflow file.
** Checking catalog file.
Invalid index key
(4, 1200)
** Rebuilding catalog B-tree.
** The volume Data could not be repaired.


then i do (to give you guys info that may help)

-sh-4.0# fsck_hfs -rfd /dev/disk0s2s1
** /dev/rdisk0s2s1
Using cacheBlockSize=32K cacheTotalBlock=1012 cacheSize=32384K.
Executing fsck_hfs (version diskdev_cmds-488.1.7~391).
Journal replay returned error = 6
** Checking Journaled HFS Plus volume.
** Detected a case-sensitive volume.
** Checking extents overflow file.
** Checking catalog file.
** Rebuilding catalog B-tree.
** The volume Data could not be repaired.
volume type is pure HFS+
primary MDB is at block 0 0x00
alternate MDB is at block 0 0x00
primary VHB is at block 2 0x02
alternate VHB is at block 14175582 0xd84d5e
sector size = 512 0x200
VolumeObject flags = 0x07
total sectors for volume = 14175584 0xd84d60
total sectors for embedded volume = 0 0x00

Is there any way i can fix this? I understand that my volume can't be repaired for some reason and due to this my mnt2 can't be mounted unfortunately, however my mnt1 mounts perfectly fine.
Anyone experiencing the same problem, or know how to fix it? Help would be greatly appreciated and I will be forever in your debt.

link64 said...

Thanks

worked 100%

very good job

Darkwhyt said...

I could really use some help.

Here's the deal. I have a friends 3gs and it won't boot past the apple logo. No spinning wheel at all. I tried running the jar file to see if I could retrieve his files without having to restore. (not backed up of course) and it gets stuck on the recovery portion. See below

Exploit sent!
Preparing to load the ramdisk..
Ramdisk load started!
DFU device 'iPhone 3GS' connected
Ignoring same device iPhone 3GS
MobileDevice event: DfuDisconnect, 82c1227, 8920
MobileDevice event: DfuConnect, 82e1227, 8920
DFU device 'iPhone 3GS' connected
Ignoring same device iPhone 3GS
MobileDevice event: DfuDisconnect, 82e1227, 8920
MobileDevice event: RecoveryConnect, 82e1281, 8920
MobileDevice event: RecoveryDisconnect, 82e1281, 8920
Almost there..
MobileDevice event: RecoveryConnect, 82e1281, 8920
MobileDevice event: RecoveryDisconnect, 82e1281, 8920
Almost there..
MobileDevice event: RecoveryConnect, 82e1281, 8920
MobileDevice event: RecoveryDisconnect, 82e1281, 8920
Almost there..
MobileDevice event: RecoveryConnect, 82e1281, 8920
MobileDevice event: RecoveryDisconnect, 82e1281, 8920
Almost there..
MobileDevice event: RecoveryConnect, 82e1281, 8920
MobileDevice event: RecoveryDisconnect, 82e1281, 8920
Almost there..
MobileDevice event: RecoveryConnect, 82e1281, 8920

Is there anything I can do to this thing to make it boot so I can ssh into the thing? I'm not sure if there's any service that can get this data off without charging an arm and a leg but I'm sure he'd be willing to pay for it!

Any help is greatly appreciated!

CoreOfLore said...

You connected in DFU right?

victoroni said...

Hi guys,
I'm using a macbook with 10.5.8 leopard and for some reason the jar file won't open, it says please check console for possible error message.

According to software update everything is up to date, is there anything I can do to fix this?

enderfish said...

Hello everyone,

I too am getting a mount_HFS: Invalid argument error when I am trying to mount /dev/disk0s2s1 to /mnt2.

I was successfully able to mount /dev/disk0s1 to /mnt1 and view all the files, but I am unable to mount /dev/disk0s2s1 to /mnt2 and consequently unable to see any files.

I have tried every combination of fsck_hfs -fy, -r, /dev/disk0s2s1 that is possible but I still can't mount /dev/disk0s2s1.

Does anyone have any idea what is going wrong here? I am trying to recover photos that are very valuable sentimentally. I know lots of people are in similar situations, but it would really mean so much to me if anyone has any helpful suggestions.

Thank you so much.
Neal

Bleu said...

I have problem when using this tools
The original issue is reboot again and again in white Apple logo.
Recovery or DFU Mode recovery or upgrade was all failed in jump in to reboot loop again and not load the S/W in.

And I searched and found this tool.
the log as follow:

DFU device 'iPhone 4 (GSM)' connected
Building ramdisk for device 'iPhone 4 (GSM)'
Extracted resource to C:\DOCUME~1\GEORGE~1\LOCALS~1\Temp\ssh_rd\all_keys.plist
Working dir set to C:\DOCUME~1\GEORGE~1\LOCALS~1\Temp\ssh_rd
IPSW at http://appldnld.apple.com/iPhone4/041-3309.20111109.64rtg/iPhone3,1_5.0.1_9A405_Restore.ipsw
Downloading Restore.plist
.
.
.
.
Kernel file: kernelcache.release.n90
Restore ramdisk file: 038-3715-001.dmg
.
.
.
Using syringe to exploit the bootrom..
MobileDevice event: DfuDisconnect, 3471227, 8930
MobileDevice event: DfuConnect, 3471227, 8930
Exploit sent!
Preparing to load the ramdisk..
Ramdisk load started!
DFU device 'iPhone 4 (GSM)' connected
Ignoring same device iPhone 4 (GSM)
MobileDevice event: DfuDisconnect, 3471227, 8930
MobileDevice event: DfuConnect, 38c1227, 8930
DFU device 'iPhone 4 (GSM)' connected
Ignoring same device iPhone 4 (GSM)
MobileDevice event: DfuDisconnect, 38c1227, 8930

At this step, it boot again and back to reboot loop again, and the tools seems stop here.
and why it download iPhone3,1_5.0.1_9A405_Restore.ipsw?
I remember the iPhone4 I used is iOS 4.3.1

Is there any suggestion to resolve the problem?
I'm trying to save the photos back from the phone before send back to Apple.

28 Skidoo said...

AMAZING WORK. Success with iPhone 3,1 5.0.1 9A405. I've done this twice before via the command line, vfdecrypting / patching files manually, and I screwed up one other phone using the wrong kernel version which decided to blow away the effacable storage area for no reason. You're a lifesaver.

Do you have Paypal? I'd like to throw a few bucks your way.

Daveychan said...

Thank you so very very much!!!

My iPad (v1 - FW 5.0.1) was in the SWOD and there nothing i could do, other than lose everything and start over... until i found you!!!

This worked like a charm and i'm currently grabbing the contents of my iPad data.

I just wanted to extend my gratitude!

Thank you so very very much!!!

Bleu said...

Today I put the device in DFU mode try this again.
and open the Remote desktop and telnet services in win7

the log shows
"
....
Using syringe to exploit the bootrom..
Exploit sent!
Preparing to load the ramdisk..
Ramdisk load started!
MobileDevice event: DfuDisconnect, 54e1227, 8930
MobileDevice event: DfuConnect, 54e1227, 8930
DFU device 'iPhone 4 (GSM)' connected
Ignoring same device iPhone 4 (GSM)
MobileDevice event: DfuDisconnect, 54e1227, 8930
MobileDevice event: RecoveryConnect, 54e1281, 8930
"

It's stopped here and iPhone4 shows the recovery screen.
any comment on this issue?

fabio said...

This worked like a charm and i recover all my data

Many many thanks..!

onezero said...

I have my iPhone 4S (iOS 5.1.1) acting as a dead brick (only DFU mode) with pictures and videos of our baby girl. Am looking forward to try your method/tool to retrieve these assets and restore my iPhone. Do you expect to be able to benefit from the upcoming iOS 5.1.1 jailbreak / untether and support the iPhone 4S? Much appreciated :)

rockon4vr said...

!wonderful work on this. u have the only program capable of fixing this.
-i think i had the same problem as tot4r4. but i checked all my necessary and unnecessary services and rebooted then it worked further. took a couple trys. the process was slow as my partition2 had serious errors that it was fixing. then use putty and then winscp and i was in.
-getting into dfu mode is a little tricky as u have to do the steps exactly good timing or u end up in recovery mode showing the itunes and cable logos. however dfu mode showed only black screen with a slight backlight. only way i knew was yer program recognizing it.
-after backing up some files i tried booting it and i have my phone back after 2 months. did backups and syncs. plan on doing the att unlock soon.
- im curious after doing this is my phone now seen as a partial jailbreak? or is your app completely stealth after reboot? so i can do normal operations without future trouble like the official att unlock?
-iphone 3g 4.2.1
- you're a lifesaver

unixbigot said...

THANK YOU so incredibly much!

Recovered about 8 hours of irreplaceable audio
recordings made in the day before my wife's phone
fell into recovery mode coma.

Two Investing said...

CoreOfLore,

I'm getting the exact same error. I've tried repairing with fsck. Have you had any luck fixing this error or at least copying the raw data elsewhere?

Thanks,
Scott

zippori said...

My iPhone 4s is in boot loop and I am trying to recover photos and videos I am using the "Automatic SSH ramdisk creation and loading" but got the following message:

MobileDevice event: DfuConnect, 1227, 8008940
DFU device 'UNSUPPORTED' connected
Ignoring unsupported device UNSUPPORTED

Anonymous said...

Amazing work...

Chrisall said...

Can anybody advise why I'm getting this:

Preparing to load the ramdisk..
Ramdisk load started!
MobileDevice event: DfuDisconnect, 33b1227, 12223100
MobileDevice event: DfuConnect, 33b1227, 12223100
DFU device 'iPhone 3G' connected
Ignoring same device iPhone 3G
MobileDevice event: DfuDisconnect, 33b1227, 12223100
MobileDevice event: DfuConnect, 33b1227, 12223100
DFU device 'iPhone 3G' connected
Ignoring same device iPhone 3G
MobileDevice event: DfuDisconnect, 33b1227, 12223100
MobileDevice event: DfuConnect, 33b1227, 12223100
DFU device 'iPhone 3G' connected
Ignoring same device iPhone 3G
MobileDevice event: DfuDisconnect, 33b1227, 12223100
MobileDevice event: DfuConnect, 33b1227, 12223100
DFU device 'iPhone 3G' connected
Ignoring same device iPhone 3G
MobileDevice event: DfuDisconnect, 33b1227, 12223100
MobileDevice event: DfuConnect, 33b1227, 12223100
DFU device 'iPhone 3G' connected
Ignoring same device iPhone 3G

It's just stuck there now.

Chrisall said...

UPDATE - didn't work on Windows box, as per above, but got hold of an Intel Mac and it connects perfectly.

No idea how to get the iphone to boot though! fsck reports the ramdisk appears to be ok.

Cheers,
Chrisall

Chrisall said...

Is this normal for these /dev/disk0s2 directories to be symlinked?

etc -> private/etc
var -> private/var

Any help appreciated...I'm not conviced the filesystem is correct....why can't I just fdisk it and completely reinstall?

Cheers,
Chrisall

Rebecca Butler said...
This comment has been removed by the author.
Rebecca Butler said...

Hi (on Windows 7 with a bricked ipod touch 4g), when I am in putty I keep getting the 'could not mount system volume' error...so I have to manully mount right? I have no idea how to do this, can someone assist? Also once I get into winscp I don't understand how navigate to /mnt2 or will that be obvious after I am able to mount.sh in putty?
thanks for any help!!!

shaggy said...

My wife has a 3gs that is jailbroken i believe ios 4.0.1
it will not boot all of a sudden
i was able to ssh into it with your tool and run mount.sh

i get -sh-4.0# mount.sh
Checking /dev/disk0s1 ..
** /dev/rdisk0s1
Executing fsck_hfs (version diskdev_cmds-547~162).
** Checking non-journaled HFS Plus Volume.
** Detected a case-sensitive volume.
The volume name is Baker8B117.N88OS
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
** Trimming unused blocks.
** The volume Baker8B117.N88OS appears to be OK.
Mounting /dev/disk0s1 on /mnt1 ..
Mounting /dev/disk0s2s1 on /mnt2 ..
mount_hfs: Invalid argument

i tried


-sh-4.0# fsck_hfs -fy /dev/disk0s2s1
** /dev/rdisk0s2s1
Executing fsck_hfs (version diskdev_cmds-547~162).
** Checking Journaled HFS Plus volume.
** Detected a case-sensitive volume.
The volume name is Data
** Checking extents overflow file.
** Checking catalog file.
Invalid sibling link
(4, 1840)
** Rebuilding catalog B-tree.

at this point with -r as well it will disconnect from ssh and reboot the iphone.

all i want to do is be able to pull photos of the dcim folder and then do a restore.
thanks for any help

Unknown said...

I got the "Disk Full error" on my iPhone 4 4.2.1

** /dev/rdisk0s2s1
Executing fsck_hfs (version diskdev_cmds-547~162).
** Checking Journaled HFS Plus volume.
** Detected a case-sensitive volume.
The volume name is Data
** Checking extents overflow file.
** Checking catalog file.
Invalid index key
(4, 4866)
** Rebuilding catalog B-tree.
Disk full error
** The volume Data could not be repaired.
-sh-4.0# mount.sh
/dev/disk0s1 already mounted on /mnt1
Mounting /dev/disk0s2s1 on /mnt2 ..
mount_hfs: Invalid argument
-sh-4.0#


Any help? :(
I need to get the data back.

Unknown said...
This comment has been removed by the author.
Mike said...

This tool is a lifesaver.. If I can get it working! I'm trying on a iPhone 4 with 5.0.1 9A405. It is stuck at the "Almost there"

Verbose shows the following:

RestoreProgress: dev=069F3DC0, op=0 progress=98 ctx=06BA1280
RestoreProgress: dev=069F3DC0, op=0 progress=99 ctx=06BA1280
RestoreProgress: dev=069F3DC0, op=0 progress=100 ctx=06BA1280
RestoreProgress: dev=069F7E18, op=4 progress=4294967295 ctx=06BA1280
RestoreProgress: dev=069F7E18, op=42 progress=4294967295 ctx=06BA1280
RestoreProgress: dev=069F7E18, op=5 progress=4294967295 ctx=06BA1280
RestoreProgress: dev=069F7E18, op=6 progress=4294967295 ctx=06BA1280
RestoreProgress: dev=069F7E18, op=7 progress=4294967295 ctx=06BA1280
RestoreProgress: dev=069F7E18, op=8 progress=4294967295 ctx=06BA1280
RestoreProgress: dev=069F7E18, op=9 progress=4294967295 ctx=06BA1280

Anonymous said...

I have an itouch 4g and i am getting the error Mounting /dev/disk0s2s1 on /mnt2 ..
mount_hfs: Invalid argument
i tried fsck_hfs with different parameters and it always fails. i am resigned to the fact that the volume is corrupt. are there any tools available to rebuild the volume? i only want to save my pictures, everything else can be wiped.

Unknown said...

@66141ce4-c4fa-11e1-a047-000bcdcb471e

Same here..
Is there any ways to repair the corrupted volume?
Or anyway to extract the data?

Dj-Abi said...

guys how to use on windows should i launch CMD or what because when i type first command on cmd nothing happens ! please help

Dj-Abi said...

guys how to use on windows should i launch CMD or what because when i type first command on cmd nothing happens ! please help

Unknown said...
This comment has been removed by the author.
Unknown said...

Hi im new here can someone please just tell me how to fix this been at it all day right i have a iphone 3gs it says enter code i dont know the code so cant enter it but dont want to do a reinstall of the fw as i dont want to lose the pictures so how can i ssh into the fone when its asking for the code which i dont know please let me know ps i did try another program but it says cant load keybag

thanks

TestingBlog said...

DAMN AWESOME !!! THANKS A LOT MY FRIEND !

TestingBlog said...

DAMN AWESOME !!! THANKS A LOT MY FRIEND !

Unknown said...

I successfully connected to IPhone 2G in DFU, but coluld not run the dd command:
-sh-4.0# dd --list
-sh: dd: command not found

On PC I have dd for windows (http://www.chrysocome.net/dd).

Iphone couldn't load in normal mode having error invalid node structure
(3,0)
** Volume check failure
dev/rdisk0s2 (hfs) Exited with signal 8
fsck failed!

fsck_hfs -r dev/rdisk0s2 never helped. I am trying to make disk dump to PC (WinXP) and try to restore it where, using
-sh-4.0# dd if=/dev/rdisk0 | ssh root@localhost 'dd of=iphone-dump.img'
-sh: dd: command not found

Help, please what do i need to do else to have dd on iphone?

msft.guy said...

@Лена Дзюбенко: Either extract dd from the coreutils-bin deb (http://apt.saurik.com/cydia/debs/coreutils-bin_8.12-7_iphoneos-arm.deb) using either 7-Zip or dpkg -x, and copy it to the ramdisk, or just copy the rdisk file with CyberDuck - it supports devices, even though regular scp doesn't..
.. Or just use 'cat'.

Unknown said...
This comment has been removed by the author.
Unknown said...
This comment has been removed by the author.
Unknown said...

@msft.guy Great thanks for Your attenmtion! I could mount.sh via PuTTY /dev/disk0s1 (needed partition disk0s2 with user data i couldn't mount) and then access it via WinSCP - so I could search files. dd was found. One more little step, but trying

-sh-4.0# /mnt1/bin/dd if=/dev/disk0s2 | /mnt1/usr/lib/apt/methods/ssh root@localhost 'dd of=C:\iphone-dump.img'
100 Capabilities
Version: 1.0
Send-Config: true

- still no dump. (if use /rdisk0s2 instead /disk0s2- says Invalid argument) Now will try your advise for cat and CyberDuck. Phanks once more.

Skidz said...

I cant load the jar file... with which program do u open it?? and will this work on iPhone 3G iOS 4.2.1?? I messed the file trying to overclock it and saved it with different name so now it loops on boot I know the problem so I can fix it without requiring to restore but when i right click and go for open with.. and chose java it just shuts the window, why and which program should i choose?? plz help fast since I need my iPhone before sunday....

Anonymous said...

Hey msftguy,
your ssh creator is awesome!
Is it possible to let the user decide, whether he want's to add some custom files to the ramdisk?

Ra1ningsn0w
www.ra1ningsn0w.tk

Skidz said...

hello?? anyone here??

Skidz said...

im on windows xp btw...

msft.guy said...

@Raining: There's no UI for that; you can put whatever you want into the ssh.tar inside the .jar and repack..

@Skidz: Just install the JRE from http://download.oracle.com/otn-pub/java/jdk/7/jre-7-windows-i586-iftw.exe then doubleclick the .jar

Skidz said...

well i used jar to exe converter but it detects as a high risk virus and i downloaded the old version and it says this:
Connect a device in DFU mode
Extracted resource to C:\DOCUME~1\*****~1\LOCALS~1\Temp\ssh_rd\native\jsyringeapi.dll
Extracted resource to C:\DOCUME~1\*****~1\LOCALS~1\Temp\ssh_rd\native\mux_redux.dll
Sorry, your device (n82ap) is not supported

Unknown said...

@msft.guy Thanks - it was great hint of You to extract missing utitlities from Cydia .deb packages! Copying by WinSCP and chenging permission to 0755 I can use netcat!

On this step, seems, I cannot use CyderDuck or WinSCP because they use sfpt, and I have to make on PC raw disk dump of broken partition which i couldn't mount from iphone.

Some sources like http://my.safaribooksonline.com/book/networking/forensic-analysis/9780596153588/forensic-recovery/recovering_the_media_partition explain how to do it over wifi. But I couldn't use wifi because I have access only throught DFU.

Running nc -l 3333 from one PC i see 'test' entering echo 'test' | nc 192.168.0.28 3333 on other PC. But entering
-sh-4.0# echo 'test' | netcat 192.168.0.12 3333
Error: Couldn't create connection (err=-5): No route to host
-sh-4.0# echo 'test' | netcat 127.0.0.1 3333
-sh-4.0#

On PC I see nothing.

Can you clarify, please, how I can redirect output of netcat run at iphone to PC? Maybe, I need IP address of PC and port how it is seen from iphone?

msft.guy said...

@Лена Дзюбенко:
I meant 'cat'.. as in:
$ ssh -p 2022 root@localhost cat /dev/rdisk0s2 >~/Desktop/rdisk0s2.dmg
root@localhost's password:

Then just wait for a while..

PS. Cyberduck copies the image just fine, too - at least in SFTP mode - just go to the '/dev' directory and download 'rdisk0s2', then add the '.dmg' extension.

msft.guy said...

@Skidz: I'm not sure what your problem is. Why did you use the 'converter'? What's wrong with just installing the JRE and double-clicking the .jar file?? Or with using Google?..
Or just copy the jar to your desktop, open the command line, type 'cd Desktop', then 'java -jar ssh_rd_rev04a.jar'..

PS. Of course that version doesn't support iPhone 3G, it's from mid-January!

Skidz said...

well it dosen't open while I have JRE 6 & 7 but not sure it doesn't get me going to app, it opens in command screen then it just dissapears... same happened on my uncle's win 7... do i need java SDK aswell or not?? plus I accidently messed the fstab name and its content trying to overclock... so will it work without fstab??

msft.guy said...

@Skidz: OK, try this: http://johann.loefflmann.net/en/software/jarfix/index.html - download jarfix.exe, run it, then try double-clicking the jar again.
It's also possible that there's a crash that causes the app to immediately terminate, but I can't diagnose that without you running those commands in the command line (cmd.exe).

Skidz said...

it worked after re-installing jre7 but now i can't find the fstab file in directory in /private/etc/.... can you copy it off your iDevice and give it to me but plz hurry or I might restore it since I need to go out for week.... thnx!!

Unknown said...

Tried it on Iphone 4, ios 4.2.1 but the .jar doesn't do anything when opened (iphone is connected to computer in dfu mode, and computer is running jre 32-bit) just displays "MobileDevice event: RecoveryConnect, 7431281, 8930" and that's it...

T-Blog said...
This comment has been removed by the author.
CrazyShark1031 said...

Hey i am completely lost! I type in "mount.sh" and it says "Could not mount system volume; retry later or file a bug. Could not mount user data volume; rety later or file a bug.." What can I do or what is wrong?? PLEASE AND THANK YOU

Jon said...

Hey awesome tool, I was futzing with a few plist in iFile, rebooted and now its stuck on apple logo. I used this tool to revert to the percent-file backup, rebooted and no dice. I recently had to restore because of the deactivation ticket on redsn0w trying to get official unlock to work without restore. But it failed, had to do full restore (and still locked), but now i cant figure out whats hanging it. where are the logs i can see thats causing the boot failures so i can revert that too? i did the dylib but the for script fails, its expecting something else b/c the angle bracket shows up... but i digress, any other ways?

once i do backup all these files, sms, photo, etc, i assume i can then do a full restore, jb, and scp these files back and it'll be good?

where are the app progresses? like i have games and dont want to lose it as well. i know i should of done full backup but i dont think my plist fun is the cause of this, i think its the jailbreak possibly. i been respringing lately finely, but never rebooted until now. any help is tremendously grateful!

Unknown said...

I am having an issue as indicated in the running of this jar file. Below is the last portion of the log


Exploit sent!
Preparing to load the ramdisk..
Ramdisk load started!
DFU device 'iPhone 4 (GSM)' connected
Ignoring same device iPhone 4 (GSM)
MobileDevice event: DfuDisconnect, 1227, 8930
MobileDevice event: DfuConnect, 1227, 8930
DFU device 'iPhone 4 (GSM)' connected
Ignoring same device iPhone 4 (GSM)
MobileDevice event: DfuDisconnect, 1227, 8930
MobileDevice event: RecoveryConnect, 1281, 8930
MobileDevice event: RecoveryDisconnect, 1281, 8930
Almost there..

after this the iphone 4 is stuck in a progress spiral

Please help me to get out of this.

Also, earlier I had tried restoring my iPhone 4 to factory settings and it was not happening as iTunes was giving an error.. Tried using TinyUmbrella to start a server.

I started trying all this after my iPhone 4 would not boot up (the apple logo and boot animation would work and after that just a blank screen). Any one please help me this is an emergency

mxdupnut said...

I have the JAR program running but it seems to be stuck on "almost there" for about 2 hours now...
I am trying to save my boss's iphone 3g running ios 3.1.2 or 3.1.3 im not real sure... this program is the only thing that has given me any hope but it doesnt seem to be working...
any help would be appreciated...
running the JAR program on a dual core windows xp machine if that helps...
here is part of the verbage from the JAR program also:


DFU device 'iPhone 3G' connected
Building ramdisk for device 'iPhone 3G'
Extracted resource to C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd\all_keys.plist
Working dir set to C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd
IPSW at http://appldnld.apple.com/iPhone4/061-9853.20101122.Vfgt5/iPhone1,2_4.2.1_8C148_Restore.ipsw
Downloading Restore.plist
Skipping processing of C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd\ipsw_iphone12_8C148\Restore.plist, file already exists!
Restore.plist downloaded to C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd\ipsw_iphone12_8C148\Restore.plist
Parsing Restore.plist..
Kernel file: kernelcache.release.n82
Restore ramdisk file: 038-0029-002.dmg
Downloading Firmware/dfu/iBSS.n82ap.RELEASE.dfu
Skipping processing of C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd\ipsw_iphone12_8C148\Firmware\dfu\iBSS.n82ap.RELEASE.dfu, file already exists!
iBSS prepared at C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd\ipsw_iphone12_8C148\Firmware\dfu\iBSS.n82ap.RELEASE.dfu
Downloading Firmware/dfu/WTF.s5l8900xall.RELEASE.dfu
Skipping processing of C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd\ipsw_iphone12_8C148\Firmware\dfu\WTF.s5l8900xall.RELEASE.dfu, file already exists!
WTF.s5l8900xall prepared at C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd\ipsw_iphone12_8C148\Firmware\dfu\WTF.s5l8900xall.RELEASE.dfu
Downloading Firmware/dfu/WTF.n82ap.RELEASE.dfu
Skipping processing of C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd\ipsw_iphone12_8C148\Firmware\dfu\WTF.n82ap.RELEASE.dfu, file already exists!
WTF.n82ap.RELEASE.dfu prepared at C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd\ipsw_iphone12_8C148\Firmware\dfu\WTF.n82ap.RELEASE.dfu
Downloading Firmware/all_flash/all_flash.n82ap.production/DeviceTree.n82ap.img3
Skipping processing of C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd\ipsw_iphone12_8C148\Firmware\all_flash\all_flash.n82ap.production\DeviceTree.n82ap.img3, file already exists!
Device tree prepared at C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd\ipsw_iphone12_8C148\Firmware\all_flash\all_flash.n82ap.production\DeviceTree.n82ap.img3
Downloading Firmware/all_flash/all_flash.n82ap.production/manifest
Skipping processing of C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd\ipsw_iphone12_8C148\Firmware\all_flash\all_flash.n82ap.production\manifest, file already exists!
Downloading kernelcache.release.n82
Skipping processing of C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd\ipsw_iphone12_8C148\kernelcache.release.n82, file already exists!
Kernel prepared at C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd\ipsw_iphone12_8C148\kernelcache.release.n82
Downloading 038-0029-002.dmg
Skipping processing of C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd\ipsw_iphone12_8C148\038-0029-002.dmg, file already exists!
Ramdisk prepared at C:\DOCUME~1\DSYSTE~1\LOCALS~1\Temp\ssh_rd\ipsw_iphone12_8C148\038-0029-002.dmg
Preparing to load the ramdisk..
Ramdisk load started!
MobileDevice event: DfuDisconnect, 3841227, 12223100
MobileDevice event: RecoveryConnect, 3851281, 12803100
MobileDevice event: RecoveryDisconnect, 3851281, 12803100
Almost there..

mxdupnut said...

@msft.guy can you help me?

msft.guy said...

@mxdupnut You need to kill iTunes and iTunesHelper processes, then put the phone in DFU and try again.

@alphaQuestionOfLife2023/2012?: I'm afraid I can't help.. but restore logs might give you a clue, so try looking into these.

mxdupnut said...

@msft.guy I dont have either one of those processes running on my computer... any other ideas?

mxdupnut said...

@msft.guy YOU ROCK!!!!!!!!!!
I decided to try it on another computer and viola! it worked!!!!!
this is one of the best things I have ever seen... now we just need it for the A5 devices, lol!

Thank You! Thank You! Thank You! Thank You!

You have helped me score many kudos with my boss! I cannot thank you enough! If I had the money I would definitely donate to you!
I hope the Karma comes back around on you 7x7x7 times in the best way possible!

Once again, Thank You!

jgatlabayan said...

@msft.guy

Thank you for creating this blog. You're a life saver. Thank you also for everyone who posted helpful comments and everyone involved in creating the tools featured in the blog.

Turns out I wasn't able to mount disk0s2s1 because it was corrupted.

Repaired it with

fsck_hfs -q /dev/disk0s2s1
fsck_hfs -r /dev/disk0s2s1
mount.sh

iPhone 3gs booted perfectly after repair.

Thank you again.

mxdupnut said...

Looking back I think one of my problems was of my own making because I was using an aftermarket cord... There might be an issue with windows xp also due to recent updates for xp in the SP3... Might want to look into it... The computer that it worked for me was a windows 7 machine so I don't know...

Unknown said...

Great Tool

Gets stuck for me at "Almost There"

I tried WinXP and Win7 and 2 different cables.

After reviewing the post, it seems there is no fix for this issue.

mxdupnut said...

@Kyle Johnson. Did you make sure to kill the iTunes & ituneshelper processes?

mxdupnut said...

Also it doesn't work for A5 devices...

Nt92 said...

Hi msft.guy, I'm on a 3gs running 4.21, jailbroken using greenp0ison. One day I was listening to music, my phone crashed, and it was in an apple logo loop, and then went into recovery loop, I tried using your program to save precious photos and all my contacts, but it's stuck at this

Connect a device in DFU mode
MobileDevice event: DfuConnect, 17831227, 8920
DFU device 'iPhone 3GS' connected
Building ramdisk for device 'iPhone 3GS'
Extracted resource to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\all_keys.plist
Working dir set to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd
IPSW at http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw
Downloading Restore.plist
Local file C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\iPhone2,1_5.1.1_9B206_Restore.ipsw not found; downloading from http://appldnld.apple.com/iOS5.1.1/041-4347.20120427.o2yov/iPhone2,1_5.1.1_9B206_Restore.ipsw
Downloaded to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\Restore.plist
Restore.plist downloaded to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\Restore.plist
Parsing Restore.plist..
Kernel file: kernelcache.release.n88
Restore ramdisk file: 038-4349-020.dmg
\ipsw_iphone21_9B206\Firmware\dfu\iBSS.n88ap.RELEASE.dfu.dec.p
iBSS prepared at C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\Firmware\dfu\iBSS.n88ap.RELEASE.dfu
Downloading Firmware/dfu/iBEC.n88ap.RELEASE.dfu
Downloaded to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\Firmware\dfu\iBEC.n88ap.RELEASE.dfu.orig
Decrypted to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\Firmware\dfu\iBEC.n88ap.RELEASE.dfu.dec
Extracted resource to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\nor5.patch.json
Patched to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\Firmware\dfu\iBEC.n88ap.RELEASE.dfu.dec.p
iBEC prepared at C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\Firmware\dfu\iBEC.n88ap.RELEASE.dfu
Downloading Firmware/all_flash/all_flash.n88ap.production/DeviceTree.n88ap.img3
Downloaded to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\Firmware\all_flash\all_flash.n88ap.production\DeviceTree.n88ap.img3
Device tree prepared at C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\Firmware\all_flash\all_flash.n88ap.production\DeviceTree.n88ap.img3
Downloading Firmware/all_flash/all_flash.n88ap.production/manifest
Downloaded to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\Firmware\all_flash\all_flash.n88ap.production\manifest
Downloading kernelcache.release.n88
Downloaded to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\kernelcache.release.n88.orig
Decrypted to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\kernelcache.release.n88.dec
Extracted resource to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\kernel5.patch.json
Patched to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\kernelcache.release.n88.dec.p
Kernel prepared at C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\kernelcache.release.n88
Downloading 038-4349-020.dmg
Downloaded to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\038-4349-020.dmg.orig
Decrypted to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\038-4349-020.dmg.dec
Extracted resource to C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ssh.tar
Added ssh.tar to the ramdisk
Ramdisk prepared at C:\DOCUME~1\ADMINI~1.PTR\LOCALS~1\Temp\ssh_rd\ipsw_iphone21_9B206\038-4349-020.dmg
Using syringe to exploit the bootrom..
Exploit sent!
Preparing to load the ramdisk..
Ramdisk load started!


I waited for Ramdisk load started for a long time, but it's still not working, can you please tell me what to do??

thank you.

«Oldest ‹Older   1 – 200 of 395   Newer› Newest»