search

0bj3ct1veC / iphone-dataprotection

Automatically exported from code.google.com/p/iphone-dataprotection
0 stars 0 forks source link

Can't read dd image #74

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. jailbroken, iOS 5.1, iPhone4s
2. got plist following steps from
http://securitylearn.wordpress.com/2012/04/22/extracting-aes-keys-from-iphone/
2. dd if=/dev/disk0, and got exact 32gb image
3. failed " sudo python emf_decrypter.py --nowrite iphone.img ~~.plist"

Traceback (most recent call last):
  File "emf_decrypter.py", line 34, in <module>
    main()
  File "emf_decrypter.py", line 18, in main
    v = EMFVolume(p, device_infos)
  File "/home/samsung/hstool/python_scripts/hfs/emf.py", line 91, in __init__
    super(EMFVolume,self).__init__(bdev, **kwargs)
  File "/home/samsung/hstool/python_scripts/hfs/hfs.py", line 106, in __init__
    assert self.header.signature == 0x4858 or self.header.signature == 0x482B
AssertionError

What is the expected output? What do you see instead?
I printed self.header at the place of error and all values are 0. (createDate': 
0, 'dataClumpSize': 0, 'encodingsBitmap': 0, ..) 
HSF explorer failed too. but image file is not all zeros. because when I just 
ran PhotoRec I got ~5kb an app Icon, UI images with many useless files.

Please provide any additional information below.
- I just upgraded to iOS6, downgraded to 5.1 again and realized that I didn't 
backup. the data can be recovered from dd image? or need I nand image?
- Why it can't read the image's header?
it seems some people already did in same environment iPhone4s/iOS5.1.
http://code.google.com/p/iphone-dataprotection/issues/detail?id=62&can=1&q=5.1

Original issue reported on code.google.com by emppun...@gmail.com on 10 Sep 2012 at 2:41

GoogleCodeExporter commented 9 years ago 
The emf_decrypter script fails because it expects an image of the data 
partition (/dev/disk0s1s2) and you have a "full disk image" of /dev/disk0.
I'll have to add some code to handle both cases.
However, if you downgraded from iOS 6 the data partition and the encryption 
keys were erased during the restore process, so there is not much you can do, 
even with a nand image.

Original comment by jean.sig...@gmail.com on 15 Sep 2012 at 3:20

GoogleCodeExporter commented 9 years ago 
closing old issues

Original comment by jean.sig...@gmail.com on 11 Feb 2014 at 10:38

GoogleCodeExporter commented 9 years ago 
I'm getting the same error message when trying to decrypt a 32gb iOS7 image with

python emf_decrypter.py --nowrite iphone.img

Did you add code to handle both data partition and full disk image?

Original comment by orj...@gmail.com on 22 Aug 2014 at 6:52

GoogleCodeExporter commented 9 years ago 
Any chance to see emf_decrypter updated to try on full disk image of ios 8.0.2 
restored to 8.1.2? Also if I understand correctly I will need 8.0.2 (not 
available) keys to try to recover data from iPhone 4s?
Thanks,

Original comment by signa...@gmail.com on 3 Feb 2015 at 12:00

GoogleCodeExporter commented 9 years ago 
Should this work on OSX 10.9.5 , Darwin 13.4.0?  I am using HFSslueth and its 
output if 'volinfo' is Signature:           0x482B (H+), any ideas why I am 
getting the 'assert self.header.signature == 0x4858 or self.header.signature == 
0x482B'  AssertionError? Thanks in advance

Original comment by glenbour...@googlemail.com on 21 Apr 2015 at 3:07