Closed ro1605he closed 1 week ago
It actually shouldn't say demoted.. Check the version of your iOS iPwnder Lite, it must be 1.0.57. If it's 1.0, update it (I recently pushed a fix to the 1.0.57 package)
Wow, thanks for this quick response. We are another step closer, updating to the new version has indeed helped. The ramdisk is now booting. I see on my iPhone all white text that starts with “Running kernel space in FIPS MODE” and ends with “AppleSamsungSerial: Identified Serial Port on ARM Device=uart5 at 0x32a00000(0x91bed000)”
I assume this belongs to the Ramdisk.
Unfortunately, connecting via SSH is not yet successful. See the error in the log below: “key_exchange_identification: read: Connection reset by peer Connection reset by 127.0.0.1 port 6414”
In the log you can see that I tried mount.sh first, which was a mistake, as it can only be done after choice 1 succeeded (I once used the kit for an iPod, it worked perfectly then).
Can you take a look at what can be done about this?
** Legacy iOS Kit ***
- Script by LukeZGD -
* Version: v24.05.07 (b4c7b1b)
* Platform: linux (Linux Mint 21.3)
* Device: iPhone5,2 (n42ap) in DFU mode
* iOS Version: Unknown
* To get iOS version, go to: Other Utilities -> Get iOS Version
* ECID: 2270545636621
> Main Menu > Other Utilities
[Input] Select an option:
1) Send Pwned iBSS 8) Create Custom IPSW
2) Get iOS Version 9) Enable disable-bbupdate flag
3) Clear NVRAM 10) Enable activation-records flag
4) Dump Baseband 11) Enable skip-ibss flag
5) Activation Records 12) (Re-)Install Dependencies
6) Just Boot 13) Go Back
7) SSH Ramdisk
#? 7
* To mount /var (/mnt2) for iOS 9-10, I recommend using 9.0.2 (13A452).
* If not sure, just press Enter/Return. This will select the default version.
[Input] Enter build version (eg. 10B329):
[Log] Checking firmware keys in ../resources/firmware/iPhone5,2/10B329
[Log] Checking URL in ../resources/firmware/iPhone5,2/10B329/url
[Log] iBSS
/home/runner/work/daibutsuCFW/daibutsuCFW/src/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 8d25aba0d538112746ea4a919ba3b047f93734be4227c96adb75385ba31b57ed6933278f6159001e9e08fab727a0179e
/home/runner/work/daibutsuCFW/daibutsuCFW/src/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 8d25aba0d538112746ea4a919ba3b047f93734be4227c96adb75385ba31b57ed6933278f6159001e9e08fab727a0179e
/home/runner/work/daibutsuCFW/daibutsuCFW/src/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 8d25aba0d538112746ea4a919ba3b047f93734be4227c96adb75385ba31b57ed6933278f6159001e9e08fab727a0179e
[Log] iBEC
/home/runner/work/daibutsuCFW/daibutsuCFW/src/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 72d529c649e3d6bd8f8fd016132297f0e86e5391d7e6d72b84dcf1f4453ebc0034fad90cd15abb83096dacc5ff1ab165
/home/runner/work/daibutsuCFW/daibutsuCFW/src/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 72d529c649e3d6bd8f8fd016132297f0e86e5391d7e6d72b84dcf1f4453ebc0034fad90cd15abb83096dacc5ff1ab165
/home/runner/work/daibutsuCFW/daibutsuCFW/src/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 72d529c649e3d6bd8f8fd016132297f0e86e5391d7e6d72b84dcf1f4453ebc0034fad90cd15abb83096dacc5ff1ab165
[Log] DeviceTree
/home/runner/work/daibutsuCFW/daibutsuCFW/src/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 10c7092fdbd04b311f22438c552f3c9f86eb171bc97ae581cfd95dd22574c7b1398bc46bdf748e288ca734f9da1f2e46
/home/runner/work/daibutsuCFW/daibutsuCFW/src/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 10c7092fdbd04b311f22438c552f3c9f86eb171bc97ae581cfd95dd22574c7b1398bc46bdf748e288ca734f9da1f2e46
/home/runner/work/daibutsuCFW/daibutsuCFW/src/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 10c7092fdbd04b311f22438c552f3c9f86eb171bc97ae581cfd95dd22574c7b1398bc46bdf748e288ca734f9da1f2e46
[Log] Kernelcache
/home/runner/work/daibutsuCFW/daibutsuCFW/src/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 060809e96c5cb972f1e91d4d2696146b09ab43aa11bd661fc4022a74f2adacdf849c030600caec5cf34b47696298266b
/home/runner/work/daibutsuCFW/daibutsuCFW/src/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 060809e96c5cb972f1e91d4d2696146b09ab43aa11bd661fc4022a74f2adacdf849c030600caec5cf34b47696298266b
/home/runner/work/daibutsuCFW/daibutsuCFW/src/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 060809e96c5cb972f1e91d4d2696146b09ab43aa11bd661fc4022a74f2adacdf849c030600caec5cf34b47696298266b
[Log] RestoreRamdisk
/home/runner/work/daibutsuCFW/daibutsuCFW/src/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 31431b4794073061867eed20c8ae828e80be9aa2588960ab3418570e59eeb344a41e45532fb4395ebb71ca2fc8b90ef0
/home/runner/work/daibutsuCFW/daibutsuCFW/src/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 31431b4794073061867eed20c8ae828e80be9aa2588960ab3418570e59eeb344a41e45532fb4395ebb71ca2fc8b90ef0
/home/runner/work/daibutsuCFW/daibutsuCFW/src/xpwn/ipsw-patch/img3.c:createAbstractFileFromImg3:643: 31431b4794073061867eed20c8ae828e80be9aa2588960ab3418570e59eeb344a41e45532fb4395ebb71ca2fc8b90ef0
[Log] Patch RestoreRamdisk
grew volume: 30000000
file: com.apple.springboard.plist (0644), size = 271
ignoring bin, type = 5
file: bin/bash (0755), size = 546768
file: bin/ls (0755), size = 152096
file: bin/mount.sh (0755), size = 1366
symlink: bin/sh (0777) -> bash
file: bin/tar (0755), size = 430304
file: bin/dd (0755), size = 124896
file: bin/cp (0755), size = 162560
ignoring sbin, type = 5
file: sbin/sshd (0755), size = 722848
file: sbin/umount (4755), size = 22784
ignoring usr, type = 5
ignoring usr/bin, type = 5
file: usr/bin/device_infos (0755), size = 75936
file: usr/bin/scp (0755), size = 49008
file: usr/bin/gptfdisk (0755), size = 164368
file: usr/bin/hfs_resize (0755), size = 12960
file: usr/bin/ttbthingy (0755), size = 61680
file: usr/bin/fixkeybag (0755), size = 71968
file: usr/bin/ibsspatch (0755), size = 51840
ignoring usr/lib, type = 5
symlink: usr/lib/libncurses.5.dylib (0777) -> libncurses.5.4.dylib
file: usr/lib/libncurses.5.4.dylib (0755), size = 335968
file: usr/lib/libhistory.6.0.dylib (0755), size = 54752
file: usr/lib/libreadline.6.0.dylib (0755), size = 198112
file: usr/lib/libcrypto.0.9.8.dylib (0755), size = 1604336
file: usr/lib/libiconv.2.dylib (0755), size = 1022528
directory: usr/libexec (0755)
file: usr/libexec/sftp-server (0755), size = 44240
ignoring private, type = 5
ignoring private/etc, type = 5
replacing private/etc/rc.boot
file: private/etc/rc.boot (0755), size = 369
directory: private/etc/ssh (0700)
file: private/etc/ssh/ssh_host_rsa_key (0600), size = 1675
file: private/etc/ssh/ssh_host_dsa_key.pub (0644), size = 590
file: private/etc/ssh/sshd_config (0644), size = 3227
file: private/etc/ssh/ssh_host_key.pub (0644), size = 627
file: private/etc/ssh/ssh_config (0644), size = 1526
file: private/etc/ssh/ssh_host_dsa_key (0600), size = 668
file: private/etc/ssh/ssh_host_rsa_key.pub (0644), size = 382
file: private/etc/ssh/moduli (0644), size = 125811
file: private/etc/ssh/ssh_host_key (0600), size = 963
ignoring private/var, type = 5
directory: private/var/root (0700)
file: private/var/root/.profile (0644), size = 391
[Log] Patch iBSS
main: Starting...
main: iBoot-1537 inputted.
patch_rsa_check: Entering...
find_bl_verify_shsh_5_6_7: Entering...
find_bl_verify_shsh_5_6_7: Found MOVW instruction at 0x636a
find_bl_verify_shsh_5_6_7: Found BL verify_shsh at 0x66f8
find_bl_verify_shsh_5_6_7: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x66f8...
patch_rsa_check: Leaving...
main: Writing out patched file to iBSS.patched...
main: Quitting...
[Log] Patch iBEC
main: Starting...
main: iBoot-1537 inputted.
patch_boot_args: Entering...
patch_boot_args: Default boot-args string is at 0x3b4df
patch_boot_args: boot-args xref is at 0x1cc8c
patch_boot_args: Relocating boot-args string...
patch_boot_args: "Reliance on this certificate" string found at 0x420f4
patch_boot_args: Pointing default boot-args xref to 0xbff420f4...
patch_boot_args: Applying custom boot-args "rd=md0 -v amfi=0xff cs_enforcement_disable=1"
patch_boot_args: Found LDR R1, =boot_args at 0x1ca3a
patch_boot_args: Found CMP R4, #0 at 0x1ca3c
patch_boot_args: Found IT EQ/IT NE at 0x1ca40
patch_boot_args: Found MOV R6, R1 at 0x1ca42
patch_boot_args: Found LDR R6, =null_str at 0x1ca3e
patch_boot_args: Pointing LDR R6, =null_str to boot-args xref...
patch_boot_args: Leaving...
patch_debug_enabled: Entering...
find_dtre_get_value_bl_insn: Entering...
find_dtre_get_value_bl_insn: debug-enabled string is at 0x3b06f
find_dtre_get_value_bl_insn: "debug-enabled" xref is at 0x1c684
find_dtre_get_value_bl_insn: Found LDR R0, ="debug-enabled" at 0x1bd56
find_dtre_get_value_bl_insn: Found BL instruction at 0x1bd6e
find_dtre_get_value_bl_insn: Leaving...
patch_debug_enabled: Patching BL insn at 0x1bd6e...
patch_debug_enabled: Leaving...
patch_rsa_check: Entering...
find_bl_verify_shsh_5_6_7: Entering...
find_bl_verify_shsh_5_6_7: Found MOVW instruction at 0x1ad56
find_bl_verify_shsh_5_6_7: Found BL verify_shsh at 0x1b3a0
find_bl_verify_shsh_5_6_7: Leaving...
patch_rsa_check: Patching BL verify_shsh at 0x1b3a0...
patch_rsa_check: Leaving...
main: Writing out patched file to iBEC.patched...
main: Quitting...
* Select Y if your device is in pwned iBSS/kDFU mode.
* Select N to place device to pwned DFU mode using ipwndfu/ipwnder.
* Failing to answer correctly will cause "Sending iBEC" to fail.
[Input] Is your device already in pwned iBSS/kDFU mode? (y/N): y
[Log] Pwned iBSS/kDFU mode specified by user.
[Log] Sending iBEC...
[==================================================] 100.0%
[Log] Finding device in Recovery mode...
[Log] Found device in Recovery mode.
[Log] Sending ramdisk...
[==================================================] 100.0%
[Log] Running ramdisk
[Log] Sending DeviceTree...
[==================================================] 100.0%
[Log] Running devicetree
[Log] Sending KernelCache...
[==================================================] 100.0%
[Log] Running iproxy for SSH...
[Log] Device should now boot to SSH ramdisk mode.
* Mount filesystems with this command:
mount.sh
* For accessing data, note the following:
* Host: sftp://127.0.0.1 | User: root | Password: alpine | Port: 6414
* Other Useful SSH Ramdisk commands:
* Clear NVRAM with this command:
nvram -c
* Erase All Content and Settings with this command (iOS 9+ only):
nvram oblit-inprogress=5
* To reboot, use this command:
reboot_bak
* SSH Ramdisk Menu
[Input] Select an option:
1) Connect to SSH 4) Erase All (iOS 7 and 8)
2) Get iOS Version 5) Reboot Device
3) Dump Baseband/Activation 6) Exit
#? mount.sh
[Input] Select an option:
1) Connect to SSH 4) Erase All (iOS 7 and 8)
2) Get iOS Version 5) Reboot Device
3) Dump Baseband/Activation 6) Exit
#? 1
[Log] Use the "exit" command to go back to SSH Ramdisk Menu
kex_exchange_identification: read: Connection reset by peer
Connection reset by 127.0.0.1 port 6414
* SSH Ramdisk Menu
[Input] Select an option:
1) Connect to SSH 4) Erase All (iOS 7 and 8)
2) Get iOS Version 5) Reboot Device
3) Dump Baseband/Activation 6) Exit
#?
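As an added diagnostic that is not part of the kit or this thread: a small Python probe for the iproxy port the kit prints (127.0.0.1:6414 is assumed as the default). It tells apart "nothing listening" (iproxy not running), "peer reset the connection" (the device side never accepted the forwarded connection, which is what kex_exchange_identification reported above) and a real SSH banner. The fake_listener helper is only there so the classifier can be exercised locally without a device.

```python
import socket
import struct
import threading

HOST, PORT = "127.0.0.1", 6414  # assumed: the iproxy forward the kit announces


def probe_ssh(host=HOST, port=PORT, timeout=3.0):
    """Connect once and classify the outcome.

    "refused"       - nothing listening on the port (iproxy is not running)
    "reset"         - TCP connect worked but the peer sent RST: iproxy is up,
                      but the ramdisk's sshd did not accept the forwarded
                      connection (seen as 'Connection reset by peer')
    "closed"        - peer closed cleanly without an identification line
    "timeout"       - connected, but no banner arrived within `timeout`
    "banner:<line>" - SSH identification line received, sshd is reachable
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(255)
            except ConnectionResetError:
                return "reset"
            except socket.timeout:
                return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    if not data:
        return "closed"
    first = data.split(b"\n", 1)[0].rstrip(b"\r")
    return "banner:" + first.decode("ascii", "replace")


def fake_listener(mode):
    """One-shot local listener mimicking one outcome; returns its port.
    mode: "banner" sends an SSH-2.0 line, "reset" aborts with RST
    (SO_LINGER 0, like a dead forward target), "closed" closes cleanly."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if mode == "banner":
            conn.sendall(b"SSH-2.0-OpenSSH_constructed\r\n")  # constructed banner
        elif mode == "reset":
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(probe_ssh())  # run while the kit says "Running iproxy for SSH..."
```

A "reset" result with the ramdisk apparently booted points at the device side (sshd never started or the boot did not finish), not at the USB cable or the host's SSH client.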
Do you have a picture of the device with that screen? Not sure if I have seen that case before.. The normal thing that should happen is: the device will have a scrolling wall of text then proceeds to display apple logo and progress bar to indicate that the ramdisk is booted
Another thing to try is to force restart the device (press both buttons until Apple logo appears), enter DFU, and do the whole process again
You're totally right, on my iPod I indeed saw an Apple logo with empty progress bar when the ramdisk was booted. Attached a photo of what I see now. I already did do the process over a few times.
Does this occur on both 10B329 and 12H321 build versions of ramdisks? This is a weird issue, I cant seem to reproduce it in my device either but I'll try what I can
Let me first just say that I am amazed at your responsiveness and the way you are handling all of this.... If this finally works out and I can get my files back, you have earned more than a coffee!!! (and I'll make sure you get that too)
Yes, it happens with the 10B329 and the 12H321. I am also attaching here a picture of the debug log of iPwnder lite, maybe you can check if it looks like it should. That way we can rule out the possibility that it may already be going wrong with the pwnDFU.
Seeing the AppleRawIOAddressSpace error in the boot (not sure what this means) makes me think that it could also be a hardware issue or something but idk if there is any way of knowing for sure
There is nothing wrong with the ipwnder output either, and the earlier "demote" is already undone by doing force restart
I don't think I will be able to help much further with this since I don't really know why the issue is occurring, sorry
You might want to try asking in LegacyJailbreak Reddit and/or Discord to see if someone knows
@LukeZGD I understand. I suspect that this error appears due to the fact that the iPhone has crashed due to full storage (no more free space). Where is the ramdisk being written to? Maybe there is not enough space. How could I fix this? And is there maybe another way to clean up some data? For example, by doing a downgrade of iOS? The iPhone was running on 8.4.1 before the crash. Any ideas? It should be a method where I do not overwrite / lose any data.
I tried with different build numbers, and sometimes another error comes forward. Most of the time it is: "000054.939508 AppleBasebandN41::initialize: Could not find mux function" (i.e. with 12D508). With some other build numbers the scrolling wall of text seems to fade and hangs. I can read 'panic' in the code. But most of the time it is the mux error or the AddressSpace error. Just to be sure: the target device is not jailbroken.
PS I did post the error in Reddit, will also let you know when there is a solution
First of all, thank you very much for all the effort you put into this toolkit...!
I want to use it to retrieve, using an SSH Ramdisk, data from my crashed (memory full) iPhone 5 (iOS 8.4.1). The iPhone 5 in question is not jailbroken.
I still had a working iPhone lying around, I applied a jailbreak to it and then (using iPwnder Lite for iOS) I was able to put the iPhone 5 into pwned DFU mode using the camera adapter (it says demoted after executing the command, so seems good to me). I also tried this on my Linux machine but it failed every time, as you also point out on the Troubleshoot page.
When I then connect the iPhone 5 to my Linux machine, it always goes wrong at the step after “sending iBEC”. See attached Log. I have tried different build numbers, although I am pretty sure that the version on the device is 8.4.1 (12H321). When trying to get the iOS version I get the same behavior, it gets stuck at "Finding device in Recovery mode" also. I tried different USB ports and cables, nothing seems to work.
After all, the crash happened back in early September 2015. But I am actually only now getting around to doing something with it and also only recently stumbled upon this toolkit and the existence of a SSH Ramdisk.
I hope you can fix this issue, there are still a lot of photos on the phone and I did not have an iCloud/iTunes backup at the time (I know, not smart)....