Closed GoogleCodeExporter closed 8 years ago
Sorry, I have to update this issue. I was now able to boot with your tetheredboot
and the payload you provide in the download section. However, when I try to
execute bruteforce I still get the same error.
./tetheredboot -p payload -r 4.1.ramdisk.dmg
Initializing libpois0n
No matching processes belonging to you were found
Waiting for device to enter DFU mode
opening device 05ac:1227...
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as iPhone2,1
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
libusb:error [darwin_transfer_status] transfer error: timed out
Exploit sent
Reconnecting to device
Waiting 2 seconds for the device to pop up...
opening device 05ac:1227...
Checking if kernelcache already exists
Fetching kernelcache.release.n88...
[==================================================] 100.0%
Preparing to upload iBSS
Checking if iBSS.n88ap already exists
Preparing to fetch DFU image from Apple's servers
Fetching Firmware/dfu/iBSS.n88ap.RELEASE.dfu...
[==================================================] 100.0%
Uploading iBSS.n88ap to device
[==================================================] 100.0%
Reconnecting to device
Waiting 10 seconds for the device to pop up...
opening device 05ac:1281...
Setting to configuration 1
Setting to interface 0:0
Preparing to upload iBSS payload
[==================================================] 100.0%
Executing iBSS payload
Waiting 10 seconds for the device to pop up...
opening device 05ac:1281...
Setting to configuration 1
Setting to interface 0:0
Preparing to upload devicetree
Checking if DeviceTree.n88ap already exists
Preparing to fetch firmware image from Apple's servers
Fetching Firmware/all_flash/all_flash.n88ap.production/DeviceTree.n88ap.img3...
[==================================================] 100.0%
Resetting device counters
Uploading DeviceTree.n88ap to device
[==================================================] 100.0%
Preparing to upload ramdisk
[==================================================] 100.0%
Executing ramdisk
libusb:error [darwin_transfer_status] transfer error: timed out
Preparing to upload kernelcache
Checking if kernelcache already exists
Resetting device counters
[==================================================] 100.0%
libusb:error [darwin_transfer_status] transfer error: timed out
Exiting libpois0n
-sh-4.0# ./bruteforce
IOAESAccelerator returned: e00002c2
FAIL: missing UID kernel patch
Original comment by riccardo...@inverted.ch
on 25 Jul 2011 at 4:30
This is weird, the return code is different: e00002c1 means the kernel patch
was not applied (kIOReturnNotPrivileged), but e00002c2 is kIOReturnBadArgument.
I assume you compiled the tetheredboot binary from the latest revision; can you
try removing the following changes (revert the firmware URLs back to 4.3.1):
http://code.google.com/p/iphone-dataprotection/source/detail?r=c0d4fd4747bb7db536a92ae5bb6d230ec401505f
Then recompile and remove the previously downloaded devicetree, ibss and
kernelcache files.
For the payload, you can use the one from the download section, but be aware
that if the device has iOS >= 4.3.4 installed it won't reboot and you'll have
to restore. Otherwise, you can compile the latest payload by installing
arm-elf-gcc from macports.
Original comment by jean.sig...@gmail.com
on 26 Jul 2011 at 8:43
I did revert to the old version and replaced the URL in libirecovery.h with
"http://appldnld.apple.com/iPhone4/041-0549.20110325.ZxP8u/iPhone2,1_4.3.1_8G4_Restore.ipsw".
Afterwards I compiled the lib and the tetheredboot again, but it
still does not work; see the detailed log below.
./tetheredboot -p payload -r 4.1.ramdisk.dmg
Initializing libpois0n
No matching processes belonging to you were found
Waiting for device to enter DFU mode
opening device 05ac:1227...
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as iPhone2,1
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
libusb:error [darwin_transfer_status] transfer error: timed out
Exploit sent
Reconnecting to device
Waiting 2 seconds for the device to pop up...
opening device 05ac:1227...
Checking if kernelcache already exists
Preparing to upload iBSS
Checking if iBSS.n88ap already exists
Uploading iBSS.n88ap to device
[==================================================] 100.0%
Reconnecting to device
Waiting 10 seconds for the device to pop up...
opening device 05ac:1281...
Setting to configuration 1
Setting to interface 0:0
Preparing to upload iBSS payload
[==================================================] 100.0%
Executing iBSS payload
Waiting 10 seconds for the device to pop up...
opening device 05ac:1281...
Setting to configuration 1
Setting to interface 0:0
Preparing to upload devicetree
Checking if DeviceTree.n88ap already exists
Resetting device counters
Uploading DeviceTree.n88ap to device
[==================================================] 100.0%
Preparing to upload ramdisk
[==================================================] 100.0%
Executing ramdisk
Preparing to upload kernelcache
Checking if kernelcache already exists
Resetting device counters
[==================================================] 100.0%
libusb:error [darwin_transfer_status] transfer error: timed out
Exiting libpois0n
-sh-4.0# ./bruteforce
IOAESAccelerator returned: e00002c2
FAIL: missing UID kernel patch
Other tetheredboot binaries need the iBSS file etc. from a patched firmware like
I can build with PwnageTool. Do you patch the iBSS on the fly with the payload
provided?
Original comment by riccardo...@inverted.ch
on 28 Jul 2011 at 8:29
I have an idea why it may not work. I created the ramdisk slightly differently
from your approach, because I was not successful with it. I had to replace
/sbin/reboot with the sshd binary to get it to work; otherwise I did not get any
connection. Could this be the problem?
Is your restored_external implementation part of the patching process? When is
it called and by whom?
I have now generated a ramdisk your way, based on the restore image of the iOS 4.3.3
IPSW. My iPhone is running 4.3.3 now. The upload of everything works fine, but I
get stuck on the white screen and I am not able to connect with ITNL.
Original comment by riccardo...@inverted.ch
on 28 Jul 2011 at 3:27
I don't think the issue comes from the ramdisk; the restored_external binary is
launched at boot and just enables the USB multiplexer, then starts sshd. The
kernel patching is done by the "cyanide payload", which is running in the
context of iBSS. Right now I have no idea why you get the error code e00002c2,
which indicates that the kernel is patched OK but that the arguments are wrong.
Was the bruteforce binary you used compiled without modifications?
For the white screen, can you try on Windows using the tetheredboot.exe from
the download section? Also, if you can boot the ramdisk built using
build_ramdisk.sh, you have to use the usbmux tcprelay script (in the
usbmuxd-python-client folder) instead of ITNL.
Original comment by jean.sig...@gmail.com
on 28 Jul 2011 at 10:41
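The two comments above turn on reading an IOReturn value: e00002c1 is kIOReturnNotPrivileged (UID kernel patch not applied) and e00002c2 is kIOReturnBadArgument (patch applied, call arguments wrong). The following is an added example, not code from the iphone-dataprotection project: it decodes the system/subsystem/code fields packed into an IOReturn using the field layout and constant values from IOKit's IOReturn.h, and the `triage_aes_result` function is a hypothetical rendering of the distinction the maintainer draws, not the check the project's bruteforce binary actually performs.

```c
/*
 * Added example: decode IOKit IOReturn codes such as the ones quoted in this
 * thread.  An IOReturn is a 32-bit value laid out as
 *   bits 31..26 : system number (0x38 = sys_iokit)
 *   bits 25..14 : subsystem number (0 = sub_iokit_common)
 *   bits 13..0  : error code
 * The macro and constant values below are those of IOKit's IOReturn.h.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t IOReturn;

#define err_system(x)       ((((uint32_t)(x)) & 0x3fu) << 26)
#define err_sub(x)          ((((uint32_t)(x)) & 0xfffu) << 14)
#define sys_iokit           err_system(0x38)
#define sub_iokit_common    err_sub(0)
#define iokit_common_err(r) (sys_iokit | sub_iokit_common | ((uint32_t)(r)))

#define kIOReturnSuccess        ((IOReturn)0)
#define kIOReturnError          iokit_common_err(0x2bc)
#define kIOReturnNoMemory       iokit_common_err(0x2bd)
#define kIOReturnNoDevice       iokit_common_err(0x2c0)
#define kIOReturnNotPrivileged  iokit_common_err(0x2c1)
#define kIOReturnBadArgument    iokit_common_err(0x2c2)
#define kIOReturnUnsupported    iokit_common_err(0x2c7)

/* Field extractors, mirroring err_get_system/err_get_sub/err_get_code. */
unsigned err_get_system(IOReturn e) { return (e >> 26) & 0x3fu; }
unsigned err_get_sub(IOReturn e)    { return (e >> 14) & 0xfffu; }
unsigned err_get_code(IOReturn e)   { return e & 0x3fffu; }

const char *ioreturn_name(IOReturn e)
{
    switch (e) {
    case kIOReturnSuccess:       return "kIOReturnSuccess";
    case kIOReturnError:         return "kIOReturnError";
    case kIOReturnNoMemory:      return "kIOReturnNoMemory";
    case kIOReturnNoDevice:      return "kIOReturnNoDevice";
    case kIOReturnNotPrivileged: return "kIOReturnNotPrivileged";
    case kIOReturnBadArgument:   return "kIOReturnBadArgument";
    case kIOReturnUnsupported:   return "kIOReturnUnsupported";
    default:                     return "unknown";
    }
}

/*
 * Hypothetical triage of an IOAESAccelerator result along the lines the
 * maintainer describes: NotPrivileged means the UID key was refused (no
 * kernel patch); BadArgument means the call got through but its arguments
 * were rejected.  This is illustration only, not the project's own check.
 */
enum uid_triage { UID_OK, UID_PATCH_MISSING, UID_BAD_ARGS, UID_OTHER };

enum uid_triage triage_aes_result(IOReturn ret)
{
    if (ret == kIOReturnSuccess)
        return UID_OK;
    if (err_get_system(ret) != 0x38 || err_get_sub(ret) != 0)
        return UID_OTHER;               /* not an iokit_common error at all */
    switch (ret) {
    case kIOReturnNotPrivileged: return UID_PATCH_MISSING;
    case kIOReturnBadArgument:   return UID_BAD_ARGS;
    default:                     return UID_OTHER;
    }
}

int main(void)
{
    /* Constructed sample: the two codes seen in this thread. */
    const IOReturn samples[] = { 0xe00002c1u, 0xe00002c2u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        IOReturn e = samples[i];
        printf("%08x: system=0x%02x sub=0x%03x code=0x%03x -> %s (triage %d)\n",
               e, err_get_system(e), err_get_sub(e), err_get_code(e),
               ioreturn_name(e), (int)triage_aes_result(e));
    }
    return 0;
}
```

Running it shows both codes share system 0x38 and subsystem 0 and differ only in the low 14 bits, which is why the maintainer can say the second value is "the kernel is patched OK but the arguments are wrong" rather than another instance of the missing-patch case.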
OK, I now have the following test setup:
- iPhone 3GS with 4.3.3 installed
- 4.3.3 ramdisk built with your script. It ran through successfully; all other
scripts are in place.
- None of your C apps are modified
I booted the ramdisk on Mac OS X:
./tetheredboot -p payload -r 4.3.3.ramdisk.dmg
Initializing libpois0n
...
The screen of the iPhone is not white anymore. I get the following console
output:
> AppleEmbeddedUSBArbitrator::start : finished
> AppleEmbeddedUSBArbitrator::setPowerStateGated : powerstate = 1
> AppleS5L8920XIOPSDIOIopManager::init(): Failed to get AppleS5L8920XARM7M
after 10 sec
Some research I did with Google says that this is a problem with Greenpois0n
and that it is not supported with 4.3.1+.
Running the Python usbmux is not successful:
.python ../DataProtection/usbmuxd-python-client/tcprelay.py -t 22:2222
> Forwarding local port 2222 to remote port 22
> Incoming connection to 2222
> Waiting for devices...
> No device found
Can you tell me what the screen should look like if the boot of the ramdisk was
completely successful? I will try the same thing with Windows later.
Original comment by riccardo...@inverted.ch
on 29 Jul 2011 at 7:42
It works! I don't know what exactly I changed; maybe it was just trying it
again and again, but now it works! Thank you very much. It could be possible
that I did not delete the DeviceTree, iBSS and kernelcache files after I tried
it with the 4.1 ramdisk.
The DeviceTree, iBSS and kernelcache files the script downloaded, are these the
original ones from the IPSW or are they patched now?
One last question: do I depend on the installed iOS version on the iPhone? Or
should my 4.3.3 ramdisk work with every iPhone 3GS on <= 4.3.3?
Thank you!
Original comment by riccardo...@inverted.ch
on 29 Jul 2011 at 7:59
The DeviceTree, iBSS and kernelcache files are the original ones; iBSS and
kernelcache are patched on the fly on the device. It should work regardless of
the installed iOS version on the device, but if iOS >= 4.3.4 is installed make
sure to recompile the cyanide payload from the latest revision (and do not use
the one from the downloads section), because of a change introduced in 4.3.4
(see issue 19).
Original comment by jean.sig...@gmail.com
on 29 Jul 2011 at 8:08
Alright, thank you very much. I used a 4.3.3 ramdisk on the iPhone 4. Everything
worked very well (congrats on this! really good tools!), but now I am not able
to get it back from recovery mode ;) not even with irecovery or
TinyUmbrella. I thought this only happens with 4.3.4?
Original comment by riccardo...@inverted.ch
on 29 Jul 2011 at 2:17
Could you post the error messages displayed in irecovery ?
Original comment by jean.sig...@gmail.com
on 30 Jul 2011 at 12:44
Original issue reported on code.google.com by
riccardo...@inverted.ch
on 25 Jul 2011 at 3:54