0bj3ct1veC / iphone-dataprotection

Automatically exported from code.google.com/p/iphone-dataprotection
0 stars 0 forks source link

Support for A5+ devices (iPhone 4S, iPad 2, iPhone 5, ...) #49

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Until a bootROM/bootloader-level exploit is found for those devices, it is 
impossible to boot a custom ramdisk.
However, for devices jailbroken with Absinthe and ssh access, it should be 
possible to use the tools, provided that the "IOAESAccelerator enable UID" 
kernel patch is applied.

Original issue reported on code.google.com by jean.sig...@gmail.com on 4 Feb 2012 at 10:20

GoogleCodeExporter commented 9 years ago
This does seem to be the case - the tools execute, device_infos returns some 
information, useful at least for a partial decryption of a physical image.

Is it feasible to patch kernel memory once a jailbroken A5 device is already 
booted? Or would this require a modification to the Corona payload to apply the 
new kernel patch along with the others.

I am waiting on some hardware to be able to start looking into this myself. In 
the meantime, any perspective on how to go about this would be greatly 
appreciated.

Original comment by 0x56.0x6...@gmail.com on 29 Feb 2012 at 4:32

GoogleCodeExporter commented 9 years ago
Yes, turns out corona applies the "task for pid 0" kernel patch that allows a 
root application to read/write kernel memory.
Attached is a small program that uses that to apply the "IOAESAccelerator 
enable UID" kernel patch. Should work on ipad 2 5.0.1.
Let me know if this works for you. Thanks.

Original comment by jean.sig...@gmail.com on 1 Mar 2012 at 12:17

Attachments:

GoogleCodeExporter commented 9 years ago
Great Success! (on iPhone 4S 5.0.1)

The ramdisk tools seem to be working fine now. This kernel patcher was exactly 
the sort of process I was envisioning; thank you for providing the method! 
(I'll remember task_for_pid() and vm_read()/vm_write())

Original comment by 0x56.0x6...@gmail.com on 1 Mar 2012 at 6:01

GoogleCodeExporter commented 9 years ago
Great ! Let me know if there are issues with the other tools on this device.
Also, known bug : the UDID computed by the tools is wrong on A5 devices because 
the formula changed (see http://iphonedevwiki.net/index.php/Lockdownd)

Original comment by jean.sig...@gmail.com on 1 Mar 2012 at 7:03

GoogleCodeExporter commented 9 years ago
I'm trying to save some pictures I have only on my ipad 2 (5.0.1), jailbroken 
with Absinthe. I used your tools before with other iphones (great success :), 
but never on an A5 device. How does this work? Do I need to create a custom 
ramdisk and boot from it; does this even work?

Original comment by grapple...@gmail.com on 8 Mar 2012 at 9:03

GoogleCodeExporter commented 9 years ago
The latest redsn0w's (0.9.10b6) Keys.plist does not contain the KBAG keys (IV 
and Key) for A5 devices' firmwares, but from the previous comments it seems 
they are available.
Would it be possible to post them to the appropriate theiphonewiki.com page, or 
here?
TIA

Original comment by simg...@gmail.com on 9 Mar 2012 at 5:43

GoogleCodeExporter commented 9 years ago
grapple: First, install OpenSSH on the A5 device through Cydia. Then, use scp 
or sftp to upload the ramdisk tools (specifically, bruteforce and device_infos; 
restored_external doesn't matter here) and kernel_patcher (attachment in this 
issue) to the device. Once the files are uploaded, connect with ssh. Run 
kernel_patcher to gain access to the crypto engine, then you can run 
device_infos followed by bruteforce to generate the keys. I haven't quite 
figured out pulling an image, as the filesystem is mounted and active while the 
device is running (I pulled a dd image, but there were some issues with trying 
to decrypt it, probably because I was still using the phone while the image was 
running...). That is the general idea of what to do, hope it helps get you 
started.

simg: Unfortunately, without access to the GID key, the encrypted KBAGs cannot 
be decrypted. By the time iBoot is finished and passes control to the kernel, 
the GID key is rendered inaccessible until a reboot of the device. The limera1n 
exploit allows running unsigned code at a stage in the boot process where the 
GID key is still accessible. Corona (which Absinthe is used to inject on A5 
devices) exploits the kernel, so by the time it takes place, the GID key is 
inaccessible.

tl;dr KBAG keys will not be available on A5 devices until a limera1n style 
exploit is discovered :)

Original comment by 0x56.0x6...@gmail.com on 9 Mar 2012 at 7:18

GoogleCodeExporter commented 9 years ago
Great Success! (on iPhone 4 5.0.1)
this dynamic patcher looks like cool

Original comment by ann...@gmail.com on 13 Mar 2012 at 3:09

GoogleCodeExporter commented 9 years ago
I'm trying to recompile kernel_patcher.c for another purpose, but I can't get 
it to run on my device.  This is my compile command:

"/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Develope
r/usr/bin/gcc -arch armv6 -isysroot 
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer
/SDKs/iPhoneOS5.1.sdk -mthumb -o kernel_pathcer kernel_patcher.c"

That seems to work (it compiles and runs anyway), and I then sign the 
application with codesign:

"codesign -f -s Han\ Solo ./kernel_patcher"

I then upload it to the device, but any time I run it I get the following error:

"task_for_pid returned 5 : missing tfp0 kernel patch or wrong entitlements"

I'm obviously doing something wrong here, but I can't figure out what.  If I 
just run the binary on the site, it works just fine.  I'm just trying to patch 
a different location, so I need to recompile.  Any suggestions on what I'm 
doing wrong?

Original comment by engineer...@gmail.com on 16 Mar 2012 at 4:14

GoogleCodeExporter commented 9 years ago
Try adding "--entitlements tfp0.plist" to the codesign command (and grab the 
tfp0.plist file from above post).

Original comment by jean.sig...@gmail.com on 16 Mar 2012 at 4:30

GoogleCodeExporter commented 9 years ago
That did it.  Thanks!

Original comment by engineer...@gmail.com on 16 Mar 2012 at 4:52

GoogleCodeExporter commented 9 years ago
I need a custom ipsw that includes ssh so that i can take the kernel files
and ramdisk from the ipsw and use it to tethered boot that device and
access the files via ssh.
My main need is the ipsw with ssh for every device that runs ios5!

If you can do this, I am willing to pay you $250. Please let me know
something soon.

Thanks, Brooklyn

Original comment by brooklyn...@gmail.com on 31 Mar 2012 at 7:53

GoogleCodeExporter commented 9 years ago
I'm in deep trouble here... probably amateur problems for you guys.
Short story- ipad 2 5.0.1 jb with absinthe. 
wanted to use iUsers but realized after install it was for 4.x and lower. 
Uninstalled iUsers, caused springboard to crash every respring.
Was planning to re-jb with absinthe however unable to jb because "stash" is 
found. 
I simply went into iFile, renamed "stash" to "stashs" then on the next respring 
i have gotten stuck on the apple logo. i would like to stay on 5.0.1 until 5.1 
is jb'en.
if anyone has a suggestion on what i can do- i would be greatly appreciative. 
also, blobs saved but not working so my only alternative im aware of is restore 
n update (super sad face)
thanks in advance.
-mike 

Original comment by iDenver...@gmail.com on 2 Apr 2012 at 8:04

GoogleCodeExporter commented 9 years ago
@iDenverLLC
For now there is no way to boot a custom ramdisk on A5 devices, so if your 
device is stuck in a reboot loop there is (afaik) nothing you can do to fix it 
without restoring.

Original comment by jean.sig...@gmail.com on 8 Apr 2012 at 9:32

GoogleCodeExporter commented 9 years ago
Could this be a work around. 

http://www.idownloadblog.com/2012/03/25/new-a5-ios-5-1-downgrade-bug/

Original comment by brooklyn...@gmail.com on 24 Apr 2012 at 6:10

GoogleCodeExporter commented 9 years ago
I came across this by accident, @jean on comment #2 can the patch be modified 
to 1) patch out the usb power restrictions on the ipad camera connection kit? 
2) Overclock A5 devices?

Original comment by Gero3...@gmail.com on 1 Aug 2012 at 3:21

GoogleCodeExporter commented 9 years ago
@Gero3977 i suppose it is possible, you can look at comex's tool which has the 
signature for the code to patch (it might have changed on newer 
kernels/devices):
https://github.com/comex/datautils0/blob/master/make_kernel_patchfile.c#L67
For overclocking i have no idea if it is possible or not.

Original comment by jean.sig...@gmail.com on 4 Aug 2012 at 12:15

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
How is this used?  I have an iPhone 4s that needs the passcode cracked but if I 
can't get in, how will I install SSH in Cydia?

Original comment by dr.mod...@gmail.com on 22 Aug 2012 at 9:37

GoogleCodeExporter commented 9 years ago
@dr.modean indeed the tools only work on A5 devices if you know the passcode 
and you can install ssh, or if ssh is already installed.

Original comment by jean.sig...@gmail.com on 26 Aug 2012 at 11:15

GoogleCodeExporter commented 9 years ago
Hi, I'm not an expert, but I can't stop here. I'm trying to recover deleted 
videos from an iphone 4S, here is where I got:
- I have an dd .img file of the data partition
- I got a file called dbc8ae0fc259ea91.plist from the device with all possible 
keys

What I want is to run this command:
  python python_scripts/emf_decrypter.py /Users/marc/iphonebackup_rdisk0s1s2.img 

but here is the output:
Traceback (most recent call last):
  File "python_scripts/emf_decrypter.py", line 34, in <module>
    main()
  File "python_scripts/emf_decrypter.py", line 18, in main
    v = EMFVolume(p, device_infos)
  File "/Users/marc/Programs and scripts/iphone-dataprotection/python_scripts/hfs/emf.py", line 98, in __init__
    raise Exception("Missing keyfile")
Exception: Missing keyfile

Where do I put the keyfile so it can decrypt ?

Later I want to use photorec to find deleted files.

Thanks fro your help.

Original comment by marc.mat...@gmail.com on 29 Aug 2012 at 1:49

GoogleCodeExporter commented 9 years ago
@marc.mathys
try passing the plist filename as a second parameter to emf_decrypter.py :
python python_scripts/emf_decrypter.py /Users/marc/iphonebackup_rdisk0s1s2.img 
dbc8ae0fc259ea91.plist

however, emf_decrypter only decrypts existing files, so photorec won't find any 
deleted files in the image. the tools here do not support deleted files 
recovery for the iPhone 4S (except the emf_undelete script but it is very 
limited).

Original comment by jean.sig...@gmail.com on 29 Aug 2012 at 7:12

GoogleCodeExporter commented 9 years ago
I have very new to this.My iphone 4s is stuck in apple logo boot loop.Is it 
possible to use this method to hack into the iphone 4s and retrieve my 
pics/videos.Not trying to recover deleted pics as they are not deleted.Just 
would like to access my pics and copy.Any help would be appreciated.

Original comment by johnp1...@gmail.com on 5 Oct 2012 at 3:08

GoogleCodeExporter commented 9 years ago
@johnp1569 currently there is no bootloader exploit for newer devices (iPhone 
4S/5, iPad 2/3), so it is not possible to get access if the device is stuck in 
a boot loop.

Original comment by jean.sig...@gmail.com on 6 Oct 2012 at 1:09

GoogleCodeExporter commented 9 years ago
hi!
i need to recover deleted photos and video from an iphone 4s. i already saved 
the rdisk0 image with
ssh -p 2222 root@localhost dd if=/dev/rdisk0 bs=4096 | dd of=iphoneraw
and the keychain with keychain_dump so i got cert.plist genp.plist inet.plist 
keys.plist.
now i'm a little bit confused. i red that is not possible to recover deleted 
data using emf_decrypter but it's possible with emf_undelete.
could you tell me how i should use the emf_undelete script??

now. i need also to wipe the iphone and put a not jailbreak ios. so in order to 
this what else i should save from the iphone that will able me to recover 
deleted files in the future? something else like dd or keychain_dump??

thanks in advance

Original comment by andrei.m...@gmail.com on 7 Oct 2012 at 10:51

GoogleCodeExporter commented 9 years ago
@andrei.mihajlovic
the emf_undelete script is very limited and will most likely recover nothing. 
if you want to use it, you have to dump rdisk0s1s2 and follow the instructions 
in this comment : 
http://code.google.com/p/iphone-dataprotection/issues/detail?id=49#c7

a better way to recover deleted files is to dump the nand, but currently the 
nand dumping tools do not support the iphone 4S.

Original comment by jean.sig...@gmail.com on 9 Oct 2012 at 7:13

GoogleCodeExporter commented 9 years ago
@jean.sig...@gmail.com
i look at the files in ramdisk_tools folder. there are only the source code of 
device_infos.c and systemkb_bruteforce.c
the problem is that i work under linux so i can not compile them.
>gcc device_infos.c -o device_infos
>device_infos.c:3:43: fatal error: CoreFoundation/CoreFoundation.h: File o 
directory non esistente
compilation terminated
may i ask you the favor to compile these files so i can execute them on the 
iphone?

thank you very much

Original comment by andrei.m...@gmail.com on 10 Oct 2012 at 10:56

GoogleCodeExporter commented 9 years ago
you can get compiled binaries in this blogpost :
http://www.securitylearn.net/2012/04/22/extracting-aes-keys-from-iphone/

Original comment by jean.sig...@gmail.com on 21 Oct 2012 at 12:46

GoogleCodeExporter commented 9 years ago
Jean is it possible to access 4s/5 file system over SSH if you don't know the 
password to access the phone? Ramdisk won't work still right?

Original comment by anthonyj...@gmail.com on 7 Nov 2012 at 3:11

GoogleCodeExporter commented 9 years ago
this is not possible, unless the device is jailbroken and ssh is installed.

Original comment by jean.sig...@gmail.com on 7 Nov 2012 at 10:07

GoogleCodeExporter commented 9 years ago
Jean is it possible to get the shsh blobs from my jailbroken ipad2 after I 
patch the living kernel? 

Original comment by persm...@gmail.com on 28 Nov 2012 at 2:07

GoogleCodeExporter commented 9 years ago
yes it should be, theres a tool on the repository to do that but i dont 
remember testing it on the ipad2
(http://code.google.com/p/iphone-dataprotection/source/browse/ramdisk_tools/shsh
_dump.c)

i'll see if it works and let you know if thats the case

Original comment by jean.sig...@gmail.com on 4 Dec 2012 at 8:48

GoogleCodeExporter commented 9 years ago
Sadly it failed, saying:
"
NAND configuration: 16GiB (2 CEs of 4096 blocks of 256 pages of 8192 bytes 
data, 32 bytes spare
iOS 5 kernel detected, replacing IOFlashControlerUserClient::externalMethod
Found IOFlashControlerUserClient::externalMethod at 806088d0
IOMemoryDescriptor__withAddress=80223e8d
Found externalMethod ptr at 8060e070
vm_write into kernel_task OK
Mallocing 300000 bytes for boot partition
Segmentation fault: 11
"

I managed to get a core dumped as other *nixes, but ipHonEos seems not with 
this function.

Original comment by persm...@gmail.com on 4 Dec 2012 at 10:16

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
this solution is for iphone 4s, and ipad 2. But what will happen if i apply it 
for ipad 3?

Original comment by taod...@gmail.com on 21 Dec 2012 at 3:08

GoogleCodeExporter commented 9 years ago
My 4S is stuck in a boot loop (recodver mode)  ,because i deleted somw 
springboard file in the ifile accidentally , is it possible to access ssh and 
undelete those files hopefully to get the device to boot again my 4s is on 
5.1.1 please help

Original comment by sonna22...@gmail.com on 23 Dec 2012 at 6:31

GoogleCodeExporter commented 9 years ago
Hi there.

When will the nand dumping tools support the iphone 4S / 5? :)

Thx for your work!

Original comment by wernald...@gmail.com on 27 Dec 2012 at 11:24

GoogleCodeExporter commented 9 years ago
Dumping the nand on iphone 4S/5 requires two things
- ssh acces on the device through jailbreaking, afaik thats not yet possible 
for the iphone 5 or the iphone 4S on ios 6.
- fixing the nand dumper code for newer devices, and reversing the ppnftl to 
extract data from the images. this is still on my todo list but nothing has 
been done yet, i'll update issue 61 when i make some progress.

Original comment by jean.sig...@gmail.com on 30 Dec 2012 at 1:10

GoogleCodeExporter commented 9 years ago
This issue was updated by revision a409017586f5.

Original comment by jean.sig...@gmail.com on 30 Dec 2012 at 1:16

GoogleCodeExporter commented 9 years ago
@persmule that last commit should fix the segfault. However currently the tool 
will only display the apticket.

Original comment by jean.sig...@gmail.com on 30 Dec 2012 at 1:17

GoogleCodeExporter commented 9 years ago
Issue 90 has been merged into this issue.

Original comment by jean.sig...@gmail.com on 5 Feb 2013 at 9:45

GoogleCodeExporter commented 9 years ago
I am trying to use it for iPhone 4s 6.1 but kernel patching fails. any ways to 
make it work?

Original comment by shan...@tech-zion.com on 6 Feb 2013 at 12:20

GoogleCodeExporter commented 9 years ago
The kernel patcher needs modifications to handle the iOS 6 kernel (KASLR, non 
writable code pages). I'll post it here when its done.

Original comment by jean.sig...@gmail.com on 10 Feb 2013 at 12:05

GoogleCodeExporter commented 9 years ago
Hello, I have updated my ipad3 from jailbeaked 5.1.1 to 6.1 using OTA and it 
crashed. It's now in a recovery loop.
I want to recover my data stored in my iPad!

I have tried restarting the update (I made a little program that uses 
libmobiledevice). The output stop at fsck verifying /dev/disk0s1s2. It's 
frustrating because it tells "Limited repair mode, not all repairs available 
[...] failed to repair"!
It there absolutely no way to access nand without a bootrom exploit?
Wouldn't be possible to execute a custom update process or execute a custom 
signed executable?

Original comment by verdeau....@gmail.com on 22 Feb 2013 at 11:01

GoogleCodeExporter commented 9 years ago
Kernel patching modified for overclocking.
It's it possible?
And is kernel patching permanant or temporary only?
BTW, yea iOS implement better kernel protection. Kernel Patch should modified 
to turn off essential security. Such as: KASLR. Etc
Hope someone can answer my question.

Original comment by darrenli...@gmail.com on 24 Feb 2013 at 8:11

GoogleCodeExporter commented 9 years ago
@guillaume afaik its not possible on the ipad3

@darrenliew96 i have no clue about overclocking, but that seems dangerous ;) 
the kernel_patcher tool here is temporary, you have to re-run it after a reboot.

Original comment by jean.sig...@gmail.com on 24 Feb 2013 at 10:34

GoogleCodeExporter commented 9 years ago
@Jean: CPU frequency shows the MHZ of CPU.
It works on iOS5 but not showing cpu frequency anymore in iOS6
I quickly uses sysctl -a and I cannot find hw.cpufrequency in system call.
Any idea on where apple place the hw.cpufrequency in recent iOS?

Original comment by darrenli...@gmail.com on 24 Feb 2013 at 2:15

Attachments:

GoogleCodeExporter commented 9 years ago
I have an iPhone 4s running 5.1.1, jailbroken with redsn0w.  Appsync 3.1 was 
installed and now the phone is stuck in a boot loop to the point that I 
couldn't get into DFU mode.  I am now able to get in DFU and iTunes recognizes 
it. (iTunes does recognize the phone while boot looping but displays an error 
that it's password protected.  I don't know how to get past that.) The backup I 
have is over a year old and there is some notes that I need to retrieve.  Is 
there a way to do that or fix it from boot looping?

Original comment by anthal...@gmail.com on 27 Feb 2013 at 3:36

GoogleCodeExporter commented 9 years ago
I've got an iphone 4s stuck in apple logo -> recovery mode loop. Its jailbroken 
with absinthe. Is it possible to ramdisk it and save the files? Is there any 
workarounds for A5 devices? I have tried tools such as tinyumbrella etc...

Original comment by jimmyte...@gmail.com on 28 Feb 2013 at 6:44

GoogleCodeExporter commented 9 years ago
Please Can you help my iphone 4s??

My 4S is stuck in a boot loop and apple logo. All I did was update in cydia and 
now I cant get it back on for last 5 days. I have too many important files on 
my phone, i can not restore. is it possible to access ssh and undelete those 
files hopefully to get the device to boot again my 4s 
 thankyou

Original comment by mrj...@gmail.com on 4 Mar 2013 at 4:15