Open GoogleCodeExporter opened 9 years ago
This does seem to be the case - the tools execute, device_infos returns some
information, useful at least for a partial decryption of a physical image.
Is it feasible to patch kernel memory once a jailbroken A5 device is already
booted? Or would this require a modification to the Corona payload to apply the
new kernel patch along with the others?
I am waiting on some hardware to be able to start looking into this myself. In
the meantime, any perspective on how to go about this would be greatly
appreciated.
Original comment by 0x56.0x6...@gmail.com
on 29 Feb 2012 at 4:32
Yes, turns out corona applies the "task for pid 0" kernel patch that allows a
root application to read/write kernel memory.
Attached is a small program that uses that to apply the "IOAESAccelerator
enable UID" kernel patch. Should work on ipad 2 5.0.1.
Let me know if this works for you. Thanks.
Original comment by jean.sig...@gmail.com
on 1 Mar 2012 at 12:17
Attachments:
Great Success! (on iPhone 4S 5.0.1)
The ramdisk tools seem to be working fine now. This kernel patcher was exactly
the sort of process I was envisioning; thank you for providing the method!
(I'll remember task_for_pid() and vm_read()/vm_write())
Original comment by 0x56.0x6...@gmail.com
on 1 Mar 2012 at 6:01
Great! Let me know if there are issues with the other tools on this device.
Also, known bug: the UDID computed by the tools is wrong on A5 devices because
the formula changed (see http://iphonedevwiki.net/index.php/Lockdownd).
Original comment by jean.sig...@gmail.com
on 1 Mar 2012 at 7:03
I'm trying to save some pictures I have only on my ipad 2 (5.0.1), jailbroken
with Absinthe. I used your tools before with other iphones (great success :),
but never on an A5 device. How does this work? Do I need to create a custom
ramdisk and boot from it; does this even work?
Original comment by grapple...@gmail.com
on 8 Mar 2012 at 9:03
The latest redsn0w's (0.9.10b6) Keys.plist does not contain the KBAG keys (IV
and Key) for A5 devices' firmwares, but from the previous comments it seems
they are available.
Would it be possible to post them to the appropriate theiphonewiki.com page, or
here?
TIA
Original comment by simg...@gmail.com
on 9 Mar 2012 at 5:43
grapple: First, install OpenSSH on the A5 device through Cydia. Then, use scp
or sftp to upload the ramdisk tools (specifically, bruteforce and device_infos;
restored_external doesn't matter here) and kernel_patcher (attachment in this
issue) to the device. Once the files are uploaded, connect with ssh. Run
kernel_patcher to gain access to the crypto engine, then you can run
device_infos followed by bruteforce to generate the keys. I haven't quite
figured out pulling an image, as the filesystem is mounted and active while the
device is running (I pulled a dd image, but there were some issues with trying
to decrypt it, probably because I was still using the phone while the image was
running...). That is the general idea of what to do, hope it helps get you
started.
simg: Unfortunately, without access to the GID key, the encrypted KBAGs cannot
be decrypted. By the time iBoot is finished and passes control to the kernel,
the GID key is rendered inaccessible until a reboot of the device. The limera1n
exploit allows running unsigned code at a stage in the boot process where the
GID key is still accessible. Corona (which Absinthe is used to inject on A5
devices) exploits the kernel, so by the time it takes place, the GID key is
inaccessible.
tl;dr KBAG keys will not be available on A5 devices until a limera1n style
exploit is discovered :)
Original comment by 0x56.0x6...@gmail.com
on 9 Mar 2012 at 7:18
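The imaging step in the walkthrough above (a dd copy of a data partition that is still mounted and in use) is where the poster ran into decryption trouble. As an added example, not code from this thread or from the iphone-dataprotection project, here is a POSIX shell acquisition helper that hashes the source before and after the copy, and hashes the copy itself, so that an image taken from a volume that changed underneath is flagged at acquisition time instead of showing up later as undecryptable data. The device path is a placeholder: a constructed local file stands in for /dev/rdisk0s1s2 so the script runs offline; sha256sum from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example, not code from the iphone-dataprotection project.
# Two checks a forensic dd acquisition should carry:
#   1. the source did not change while it was being read (hashes taken
#      before and after the copy agree); a live, mounted partition fails this;
#   2. the copy matches the source byte for byte (hash on both sides).
set -eu

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_image SRC DST: copy SRC to DST with dd and print one word:
#   ok        - source was stable and the copy matches it
#   unstable  - source changed during the copy (re-image from a quiesced volume)
#   mismatch  - source was stable but the copy differs (transfer/storage error)
acquire_image() {
    src=$1
    dst=$2
    before=$(sha256_of "$src")
    dd if="$src" of="$dst" bs=4096 2>/dev/null
    after=$(sha256_of "$src")
    copy=$(sha256_of "$dst")
    if [ "$before" != "$after" ]; then
        echo unstable
    elif [ "$copy" != "$after" ]; then
        echo mismatch
    else
        echo ok
    fi
}

# verify_copy SRC DST: succeed only if both files hash identically; use this
# again before decrypting an image that was stored or transferred in between.
verify_copy() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Constructed sample input: 64 KiB of random bytes standing in for the
# raw data partition (placeholder for /dev/rdisk0s1s2 on the device).
WORK=$(mktemp -d)
dd if=/dev/urandom of="$WORK/source.img" bs=4096 count=16 2>/dev/null

echo "acquisition: $(acquire_image "$WORK/source.img" "$WORK/copy.img")"
```

Over ssh the same idea holds: run the before/after hashes on the device and the copy hash on the host, and only accept an image whose three hashes agree.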
Great Success! (on iPhone 4 5.0.1)
This dynamic patcher looks cool.
Original comment by ann...@gmail.com
on 13 Mar 2012 at 3:09
I'm trying to recompile kernel_patcher.c for another purpose, but I can't get
it to run on my device. This is my compile command:
"/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/gcc -arch armv6 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.1.sdk -mthumb -o kernel_pathcer kernel_patcher.c"
That seems to work (it compiles and runs anyway), and I then sign the
application with codesign:
"codesign -f -s Han\ Solo ./kernel_patcher"
I then upload it to the device, but any time I run it I get the following error:
"task_for_pid returned 5 : missing tfp0 kernel patch or wrong entitlements"
I'm obviously doing something wrong here, but I can't figure out what. If I
just run the binary on the site, it works just fine. I'm just trying to patch
a different location, so I need to recompile. Any suggestions on what I'm
doing wrong?
Original comment by engineer...@gmail.com
on 16 Mar 2012 at 4:14
Try adding "--entitlements tfp0.plist" to the codesign command (and grab the
tfp0.plist file from above post).
Original comment by jean.sig...@gmail.com
on 16 Mar 2012 at 4:30
That did it. Thanks!
Original comment by engineer...@gmail.com
on 16 Mar 2012 at 4:52
I need a custom ipsw that includes ssh so that I can take the kernel files
and ramdisk from the ipsw and use it to tethered boot that device and
access the files via ssh.
My main need is the ipsw with ssh for every device that runs ios5!
If you can do this, I am willing to pay you $250. Please let me know
something soon.
Thanks, Brooklyn
Original comment by brooklyn...@gmail.com
on 31 Mar 2012 at 7:53
I'm in deep trouble here... probably amateur problems for you guys.
Short story- ipad 2 5.0.1 jb with absinthe.
wanted to use iUsers but realized after install it was for 4.x and lower.
Uninstalled iUsers, caused springboard to crash every respring.
Was planning to re-jb with absinthe however unable to jb because "stash" is
found.
I simply went into iFile, renamed "stash" to "stashs", then on the next respring
I have gotten stuck on the apple logo. I would like to stay on 5.0.1 until 5.1
is jb'en.
If anyone has a suggestion on what I can do, I would be greatly appreciative.
Also, blobs saved but not working, so my only alternative I'm aware of is restore
n update (super sad face).
thanks in advance.
-mike
Original comment by iDenver...@gmail.com
on 2 Apr 2012 at 8:04
@iDenverLLC
For now there is no way to boot a custom ramdisk on A5 devices, so if your
device is stuck in a reboot loop there is (afaik) nothing you can do to fix it
without restoring.
Original comment by jean.sig...@gmail.com
on 8 Apr 2012 at 9:32
Could this be a workaround?
http://www.idownloadblog.com/2012/03/25/new-a5-ios-5-1-downgrade-bug/
Original comment by brooklyn...@gmail.com
on 24 Apr 2012 at 6:10
I came across this by accident, @jean on comment #2 can the patch be modified
to 1) patch out the usb power restrictions on the ipad camera connection kit?
2) Overclock A5 devices?
Original comment by Gero3...@gmail.com
on 1 Aug 2012 at 3:21
@Gero3977 I suppose it is possible; you can look at comex's tool, which has the
signature for the code to patch (it might have changed on newer
kernels/devices):
https://github.com/comex/datautils0/blob/master/make_kernel_patchfile.c#L67
For overclocking I have no idea if it is possible or not.
Original comment by jean.sig...@gmail.com
on 4 Aug 2012 at 12:15
[deleted comment]
How is this used? I have an iPhone 4s that needs the passcode cracked but if I
can't get in, how will I install SSH in Cydia?
Original comment by dr.mod...@gmail.com
on 22 Aug 2012 at 9:37
@dr.modean indeed the tools only work on A5 devices if you know the passcode
and you can install ssh, or if ssh is already installed.
Original comment by jean.sig...@gmail.com
on 26 Aug 2012 at 11:15
Hi, I'm not an expert, but I can't stop here. I'm trying to recover deleted
videos from an iPhone 4S; here is where I got:
- I have a dd .img file of the data partition
- I got a file called dbc8ae0fc259ea91.plist from the device with all possible
keys
What I want is to run this command:
python python_scripts/emf_decrypter.py /Users/marc/iphonebackup_rdisk0s1s2.img
but here is the output:
Traceback (most recent call last):
  File "python_scripts/emf_decrypter.py", line 34, in <module>
    main()
  File "python_scripts/emf_decrypter.py", line 18, in main
    v = EMFVolume(p, device_infos)
  File "/Users/marc/Programs and scripts/iphone-dataprotection/python_scripts/hfs/emf.py", line 98, in __init__
    raise Exception("Missing keyfile")
Exception: Missing keyfile
Where do I put the keyfile so it can decrypt?
Later I want to use photorec to find deleted files.
Thanks for your help.
Original comment by marc.mat...@gmail.com
on 29 Aug 2012 at 1:49
@marc.mathys
Try passing the plist filename as a second parameter to emf_decrypter.py:
python python_scripts/emf_decrypter.py /Users/marc/iphonebackup_rdisk0s1s2.img dbc8ae0fc259ea91.plist
However, emf_decrypter only decrypts existing files, so photorec won't find any
deleted files in the image. The tools here do not support deleted file
recovery for the iPhone 4S (except the emf_undelete script, but it is very
limited).
Original comment by jean.sig...@gmail.com
on 29 Aug 2012 at 7:12
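The "Missing keyfile" exception in the traceback above is the decrypter failing to locate the per-volume key plist, which the reply fixes by passing the path explicitly. As an added example (my own code, not emf_decrypter.py or any other part of the iphone-dataprotection project), the snippet below shows the resolution logic such a tool wants: an explicit path wins; otherwise the expected name is derived from the volume UUID in the image's HFS+ volume header and looked for next to the image and in the working directory, and the error names every path that was tried. It assumes the key file is named after the 64-bit volume UUID held in finderInfo[6..7] of the HFS+ volume header (the 16-hex-digit name dbc8ae0fc259ea91.plist seen in the thread has exactly that shape); the image it builds for the demonstration is constructed, not a real data partition.

```python
"""Added example, not code from the iphone-dataprotection project.

Resolve the key plist for an encrypted HFS+ data-partition image. Assumption:
the key file is named <volume-uuid>.plist, where the UUID is the 8 bytes in
finderInfo[6] and finderInfo[7] of the HFS+ volume header.
"""
import os
import struct

HFSPLUS_HEADER_OFFSET = 1024      # the volume header sits 1 KiB into the volume
HFSPLUS_SIGNATURE = b"H+"
HFSX_SIGNATURE = b"HX"
FINDER_INFO_OFFSET = 0x50         # finderInfo[0] within the 512-byte header
VOLUME_UUID_OFFSET = FINDER_INFO_OFFSET + 6 * 4   # finderInfo[6], finderInfo[7]


def read_volume_uuid(image_path):
    """Return the 8-byte volume UUID from an HFS+/HFSX volume header."""
    with open(image_path, "rb") as f:
        f.seek(HFSPLUS_HEADER_OFFSET)
        header = f.read(512)
    if len(header) < 512 or header[:2] not in (HFSPLUS_SIGNATURE, HFSX_SIGNATURE):
        raise ValueError("%s: no HFS+ volume header at offset %d"
                         % (image_path, HFSPLUS_HEADER_OFFSET))
    return header[VOLUME_UUID_OFFSET:VOLUME_UUID_OFFSET + 8]


def resolve_keyfile(image_path, keyfile=None):
    """Pick the key plist: an explicit argument first, else <uuid>.plist beside
    the image, then in the working directory. The error lists every path tried,
    which is what a bare "Missing keyfile" does not tell the user."""
    candidates = []
    if keyfile:
        candidates.append(keyfile)
    else:
        name = read_volume_uuid(image_path).hex() + ".plist"
        candidates.append(os.path.join(os.path.dirname(image_path) or ".", name))
        candidates.append(name)
    for path in candidates:
        if os.path.isfile(path):
            return path
    raise FileNotFoundError("Missing keyfile; looked for: " + ", ".join(candidates))


def build_sample_image(path, uuid_bytes):
    """Constructed test image: a zeroed volume with a minimal HFS+ header
    that carries uuid_bytes in finderInfo[6..7]. Not a real data partition."""
    header = bytearray(512)
    header[0:2] = HFSPLUS_SIGNATURE
    struct.pack_into(">H", header, 2, 4)            # version 4 = HFS+
    header[VOLUME_UUID_OFFSET:VOLUME_UUID_OFFSET + 8] = uuid_bytes
    with open(path, "wb") as f:
        f.write(b"\x00" * HFSPLUS_HEADER_OFFSET + bytes(header))


if __name__ == "__main__":
    import tempfile
    workdir = tempfile.mkdtemp()
    img = os.path.join(workdir, "rdisk0s1s2.img")
    build_sample_image(img, bytes.fromhex("dbc8ae0fc259ea91"))
    try:
        resolve_keyfile(img)                        # no plist yet: explains what was looked for
    except FileNotFoundError as err:
        print(err)
    open(os.path.join(workdir, "dbc8ae0fc259ea91.plist"), "w").close()
    print("using", resolve_keyfile(img))           # found beside the image
```

Run it once without the plist to see the candidate list in the error, then with the plist present; passing the plist path as the second argument, as the reply suggests, takes the explicit branch and skips the header parse entirely.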
I am very new to this. My iPhone 4S is stuck in an Apple logo boot loop. Is it
possible to use this method to hack into the iPhone 4S and retrieve my
pics/videos? Not trying to recover deleted pics, as they are not deleted. Just
would like to access my pics and copy them. Any help would be appreciated.
Original comment by johnp1...@gmail.com
on 5 Oct 2012 at 3:08
@johnp1569 currently there is no bootloader exploit for newer devices (iPhone
4S/5, iPad 2/3), so it is not possible to get access if the device is stuck in
a boot loop.
Original comment by jean.sig...@gmail.com
on 6 Oct 2012 at 1:09
Hi!
I need to recover deleted photos and video from an iPhone 4S. I already saved
the rdisk0 image with
ssh -p 2222 root@localhost dd if=/dev/rdisk0 bs=4096 | dd of=iphoneraw
and the keychain with keychain_dump, so I got cert.plist genp.plist inet.plist
keys.plist.
Now I'm a little bit confused. I read that it is not possible to recover deleted
data using emf_decrypter but it's possible with emf_undelete.
Could you tell me how I should use the emf_undelete script?
Now, I also need to wipe the iPhone and put a non-jailbroken iOS on it. So in order to
do this, what else should I save from the iPhone that will enable me to recover
deleted files in the future? Something else like dd or keychain_dump?
Thanks in advance
Original comment by andrei.m...@gmail.com
on 7 Oct 2012 at 10:51
@andrei.mihajlovic
The emf_undelete script is very limited and will most likely recover nothing.
If you want to use it, you have to dump rdisk0s1s2 and follow the instructions
in this comment:
http://code.google.com/p/iphone-dataprotection/issues/detail?id=49#c7
A better way to recover deleted files is to dump the NAND, but currently the
NAND dumping tools do not support the iPhone 4S.
Original comment by jean.sig...@gmail.com
on 9 Oct 2012 at 7:13
@jean.sig...@gmail.com
I looked at the files in the ramdisk_tools folder. There is only the source code of
device_infos.c and systemkb_bruteforce.c.
The problem is that I work under Linux, so I cannot compile them.
>gcc device_infos.c -o device_infos
>device_infos.c:3:43: fatal error: CoreFoundation/CoreFoundation.h: File o
directory non esistente
compilation terminated
May I ask you the favor to compile these files so I can execute them on the
iPhone?
Thank you very much
Original comment by andrei.m...@gmail.com
on 10 Oct 2012 at 10:56
You can get compiled binaries in this blogpost:
http://www.securitylearn.net/2012/04/22/extracting-aes-keys-from-iphone/
Original comment by jean.sig...@gmail.com
on 21 Oct 2012 at 12:46
Jean is it possible to access 4s/5 file system over SSH if you don't know the
password to access the phone? Ramdisk won't work still right?
Original comment by anthonyj...@gmail.com
on 7 Nov 2012 at 3:11
This is not possible, unless the device is jailbroken and ssh is installed.
Original comment by jean.sig...@gmail.com
on 7 Nov 2012 at 10:07
Jean is it possible to get the shsh blobs from my jailbroken ipad2 after I
patch the living kernel?
Original comment by persm...@gmail.com
on 28 Nov 2012 at 2:07
Yes, it should be; there's a tool on the repository to do that but I don't
remember testing it on the iPad 2
(http://code.google.com/p/iphone-dataprotection/source/browse/ramdisk_tools/shsh_dump.c).
I'll see if it works and let you know if that's the case.
Original comment by jean.sig...@gmail.com
on 4 Dec 2012 at 8:48
Sadly it failed, saying:
"
NAND configuration: 16GiB (2 CEs of 4096 blocks of 256 pages of 8192 bytes
data, 32 bytes spare
iOS 5 kernel detected, replacing IOFlashControlerUserClient::externalMethod
Found IOFlashControlerUserClient::externalMethod at 806088d0
IOMemoryDescriptor__withAddress=80223e8d
Found externalMethod ptr at 8060e070
vm_write into kernel_task OK
Mallocing 300000 bytes for boot partition
Segmentation fault: 11
"
I managed to get a core dumped as other *nixes, but ipHonEos seems not with
this function.
Original comment by persm...@gmail.com
on 4 Dec 2012 at 10:16
[deleted comment]
This solution is for iPhone 4S and iPad 2. But what will happen if I apply it
to an iPad 3?
Original comment by taod...@gmail.com
on 21 Dec 2012 at 3:08
My 4S is stuck in a boot loop (recovery mode), because I deleted some
springboard file in iFile accidentally. Is it possible to access ssh and
undelete those files, hopefully to get the device to boot again? My 4S is on
5.1.1. Please help.
Original comment by sonna22...@gmail.com
on 23 Dec 2012 at 6:31
Hi there.
When will the nand dumping tools support the iphone 4S / 5? :)
Thx for your work!
Original comment by wernald...@gmail.com
on 27 Dec 2012 at 11:24
Dumping the NAND on iPhone 4S/5 requires two things:
- ssh access on the device through jailbreaking; afaik that's not yet possible
for the iPhone 5 or the iPhone 4S on iOS 6.
- fixing the NAND dumper code for newer devices, and reversing the ppnftl to
extract data from the images. This is still on my todo list but nothing has
been done yet; I'll update issue 61 when I make some progress.
Original comment by jean.sig...@gmail.com
on 30 Dec 2012 at 1:10
This issue was updated by revision a409017586f5.
Original comment by jean.sig...@gmail.com
on 30 Dec 2012 at 1:16
@persmule that last commit should fix the segfault. However currently the tool
will only display the apticket.
Original comment by jean.sig...@gmail.com
on 30 Dec 2012 at 1:17
Issue 90 has been merged into this issue.
Original comment by jean.sig...@gmail.com
on 5 Feb 2013 at 9:45
I am trying to use it for iPhone 4S 6.1 but kernel patching fails. Any way to
make it work?
Original comment by shan...@tech-zion.com
on 6 Feb 2013 at 12:20
The kernel patcher needs modifications to handle the iOS 6 kernel (KASLR, non-writable
code pages). I'll post it here when it's done.
Original comment by jean.sig...@gmail.com
on 10 Feb 2013 at 12:05
Hello, I have updated my iPad 3 from jailbroken 5.1.1 to 6.1 using OTA and it
crashed. It's now in a recovery loop.
I want to recover my data stored in my iPad!
I have tried restarting the update (I made a little program that uses
libmobiledevice). The output stops at fsck verifying /dev/disk0s1s2. It's
frustrating because it says "Limited repair mode, not all repairs available
[...] failed to repair"!
Is there absolutely no way to access the NAND without a bootrom exploit?
Wouldn't it be possible to execute a custom update process or execute a custom
signed executable?
Original comment by verdeau....@gmail.com
on 22 Feb 2013 at 11:01
Kernel patching modified for overclocking.
Is it possible?
And is kernel patching permanent or temporary only?
BTW, yeah, iOS implements better kernel protection. The kernel patch should be modified
to turn off essential security, such as KASLR, etc.
Hope someone can answer my question.
Original comment by darrenli...@gmail.com
on 24 Feb 2013 at 8:11
@guillaume afaik it's not possible on the iPad 3.
@darrenliew96 I have no clue about overclocking, but that seems dangerous ;)
The kernel_patcher tool here is temporary; you have to re-run it after a reboot.
Original comment by jean.sig...@gmail.com
on 24 Feb 2013 at 10:34
@Jean: CPU frequency shows the MHz of the CPU.
It works on iOS 5 but is not showing the CPU frequency anymore in iOS 6.
I quickly used sysctl -a and I cannot find hw.cpufrequency in the system calls.
Any idea where Apple places hw.cpufrequency in recent iOS?
Original comment by darrenli...@gmail.com
on 24 Feb 2013 at 2:15
Attachments:
I have an iPhone 4s running 5.1.1, jailbroken with redsn0w. Appsync 3.1 was
installed and now the phone is stuck in a boot loop to the point that I
couldn't get into DFU mode. I am now able to get in DFU and iTunes recognizes
it. (iTunes does recognize the phone while boot looping but displays an error
that it's password protected. I don't know how to get past that.) The backup I
have is over a year old and there are some notes that I need to retrieve. Is
there a way to do that or fix it from boot looping?
Original comment by anthal...@gmail.com
on 27 Feb 2013 at 3:36
I've got an iPhone 4S stuck in an Apple logo -> recovery mode loop. It's jailbroken
with Absinthe. Is it possible to ramdisk it and save the files? Are there any
workarounds for A5 devices? I have tried tools such as TinyUmbrella etc...
Original comment by jimmyte...@gmail.com
on 28 Feb 2013 at 6:44
Please, can you help with my iPhone 4S??
My 4S is stuck in a boot loop at the Apple logo. All I did was update in Cydia and
now I can't get it back on for the last 5 days. I have too many important files on
my phone; I cannot restore. Is it possible to access ssh and undelete those
files, hopefully to get the device to boot again, on my 4S?
Thank you
Original comment by mrj...@gmail.com
on 4 Mar 2013 at 4:15
Original issue reported on code.google.com by
jean.sig...@gmail.com
on 4 Feb 2012 at 10:20