demo_bruteforce.py connection refused

[GoogleCodeExporter]

What steps will reproduce the problem?
1. sudo python ./demo_bruteforce.py

What is the expected output? What do you see instead?
 - script running
 - the following output 

Traceback (most recent call last):
  File "./demo_bruteforce.py", line 62, in <module>
    bf_system()
  File "./demo_bruteforce.py", line 19, in bf_system
    client = RamdiskToolClient()
  File "/Users/sid/Desktop/IphoneDataProtection/python_scripts/util/ramdiskclient.py", line 29, in __init__
    self.connect()
  File "/Users/sid/Desktop/IphoneDataProtection/python_scripts/util/ramdiskclient.py", line 33, in connect
    self.s.connect((self.host, self.port))
  File "<string>", line 1, in connect
socket.error: [Errno 61] Connection refused

What version of the product are you using? On what operating system?
 - the latest at the moment of writing : fc60e7b35bb2 
 - on Mac OS X 10.6.7

Please provide any additional information below.

Original issue reported on code.google.com by forge...@gmail.com on 9 Oct 2011 at 6:20

[GoogleCodeExporter]

In order to connect to the ramdisk, you need to forward local port 1999 to port 
1999 on the device. You can do this using the following command :
cd usbmuxd-python-client && python  tcprelay.py -t 22:2222 1999:1999

This also allows you to ssh into the device by connecting to localhost:2222
(documentation will be updated soon :)

Original comment by jean.sig...@gmail.com on 9 Oct 2011 at 7:47

• Changed state: Accepted

[GoogleCodeExporter]

Hello Jean.
Tank you again for the propt response.
i will follow your advice certain that it will work.

As far as documentation goes, i think it would cut your workload in half as far 
as handling these issues goes if at least some generic documentations existed 
in the workflow. I think this is a fantastic set of tools and at least the 
purpose of them could be mentioned in such workflow.
then of course compiling errors etc can always be discussed.

To just explain what this mentions to my case. 
i have already done dd backup of my 30GB iphone 4 partition. i can already 
browse it with hfs explorer (though every photo i export is unleggible, but 
that is for another time.). so my need is to decrypt this thing and i'm led to 
believe i can do that with emf_decrypter. this last one i have correctly built 
on mac with all the right dependencies and the binary runs fine. so i turns out 
i need the plist file.
i have access to all levels of my device (infact i need to decrypt the backup 
so i can then photorec on it).
the device is jailbroken, and i have ssh access. is there anyway for me to 
retrieve such plist file without the rest of the process.
and if not, so i so at least i move into the productive direction,
what are the simplest pointers you could hand me?

again, thank you in advance and best regards

Original comment by forge...@gmail.com on 10 Oct 2011 at 9:17

[GoogleCodeExporter]

tcprelay works like a charm now. like i mentioned b4 my device is already jb-ed 
so i'm hoping that means i won't have to start injecting. at this point i'm 
thinking all i need is that plist file.

if it's not too much hassle how do i go abt that?
i have been reading through all of the readme files and all the issues trying 
to get pointers, and i could be wrong but all i read is abt injecting to jb. 
which is done.

again, thank you in advance and best regards

Original comment by forge...@gmail.com on 10 Oct 2011 at 7:59

[GoogleCodeExporter]

Hi,
you have to build the ramdisk using the build_ramdisk.sh script (assuming the 
ramdisk tools are compiled ok)
Then, compile cyanide_bootramdisk and syringe, and boot the ramdisk using the 
following command :
./syringe/utilities/tetherboot -p cyanide_bootramdisk/payload -r myramdisk.dmg

Original comment by jean.sig...@gmail.com on 10 Oct 2011 at 8:14

[GoogleCodeExporter]

Fantastic. Now i feel i'm moving in a good direction.
Seems like device needs to be in DFU mode for this right.
The ramdisk i created is the default one done by the bash script, and it's 4.1- 
Meanwhile on my phone is on 4.3.3.
Is that going to be a problem? i can still kick my phone off dfu afterwards 
right? the usual reboot way?

Original comment by forge...@gmail.com on 10 Oct 2011 at 8:40

[GoogleCodeExporter]

Yes, you need to be in dfu mode
the version of the ramdisk does not have to match the installed version.
once you are done with the ramdisk you can reboot using the "reboot" command 
through ssh, or just rebooting the device with the buttons

Original comment by jean.sig...@gmail.com on 10 Oct 2011 at 9:15

[GoogleCodeExporter]

Went into  DFU and proceeded as instructed.
At this point i am at the issue reported here 
http://code.google.com/p/iphone-dataprotection/issues/detail?id=20

i'm in a going to try again. as the binary exited just as reported above.

once again i'd like to thank you for your great help and contribution.

meanwhile i see present on my mac : kernelcache.release.n90, iBSS.n90ap, 
DeviceTree.n90ap.

so i hopefully don't have to bother you anymore, seeing i will work on this for 
ages tonight, what is my following step once i make this go the right way?

given the above ste

Original comment by forge...@gmail.com on 10 Oct 2011 at 9:23

[GoogleCodeExporter]

repeating. tried it with firmware 4.3.3. though as you said it would not matter.

after resetting device counters i get this.
libusb:error [darwin_transfer_status] transfer error: timed out
Exiting libpois0n

on the iphone screen, after a long process:

Listening on port 1999
AppleBCMWLAN::handleIOKitBusyWatchdogTimeout(): Error, no successful firmware 
download after 60000 ms!! Giving up...

I'm gonna try again. though i was sure i cleared the devicetree...

Original comment by forge...@gmail.com on 10 Oct 2011 at 10:53

[GoogleCodeExporter]

Hello,
if you have the "Listening on port 1999" message on the device it means it 
worked, you can now run the demo_bruteforce.py script and it will created the 
plist file required for emf_decrypter. You can also ssh into the device at that 
point.

Original comment by jean.sig...@gmail.com on 11 Oct 2011 at 6:11

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Perfect. 
I was just being thick. Long day. hehe

so i went agead and repeated the process (for some reason repeating it with a 
4.1 ipsw left me hanging on white screen on the device. 4.3.3 worked just 
fine), tcprelay-ed into the device and ran the python bruteforce script.

The output i believe is certainly positive as it had all of my account pwds 
showing in cleartext.
Then i found my keychain and the plist file.

Now onto emf_decrypter (which i have previously compiled, so no hassle there).

This is going to take a bit as i have to decrypt a 30G image.

Original comment by forge...@gmail.com on 11 Oct 2011 at 8:05

[GoogleCodeExporter]

Ok,
do not forget to make a backup of the disk image before in case something goes 
wrong.
Also, you should use the python version of emf_decrypter, the C version has 
known bugs. For the python version you need pycrypto and construct.

Original comment by jean.sig...@gmail.com on 11 Oct 2011 at 8:07

[GoogleCodeExporter]

In fact something went wrong with the c version :)
I just opened an issue about it.

I had made a backup and now i'm making a second copy yo try again :)
will the python version need the plist too in the same path?

Original comment by forge...@gmail.com on 11 Oct 2011 at 8:11

[GoogleCodeExporter]

Original comment by jean.sig...@gmail.com on 14 Oct 2011 at 12:49

• Changed state: Done