R1NZLR / iphone-dataprotection

Automatically exported from code.google.com/p/iphone-dataprotection
0 stars 1 forks source link

Error in ios_examiner when running with nand dump #95

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Create a nand dump by following the procedure in the readme
2. run "python python_scripts/ios_examiner.py iphone3gs_nand.bin 
iphone3gs.plist"

What is the expected output? What do you see instead?
This is the second time I ran ios_examiner with nand dumps. For the first time 
there's no error. I could successfully use the "undelete" command to recover 
deleted images. This time I ran ios_examiner with another iPhone 3GS. The 
acquisition was completed without errors. When I launched ios_examiner with the 
nand dump, I got the error message:
(On my Macbook air) TypeError: 'NoneType' object has no attribute '__getitem__'
(On my Mac Pro) TypeError: 'NoneType' object is not subscriptable

Please see the attached file for details.

What version of the product are you using? On what operating system?
OS X version : Mac OS X 10.7.4
XCode version : 4.3
Tools revision : e57806d960f7+
The iPhone 3GS is running iOS 6.0.

My earlier success was a 16GB iPhone 3GS running iOS 6.0.1. This time it is a 
32GB 3GS running iOS 6.0. Don't know if the size matters.

Thanks a lot for looking into this matter. 

Original issue reported on code.google.com by kay...@gmail.com on 25 Feb 2013 at 12:39

Attachments:

GoogleCodeExporter commented 8 years ago
Hi Jean,

If I want to try looking at the problem, would you please suggest which part I 
should start with? Thanks a lot.

Original comment by kay...@gmail.com on 4 Mar 2013 at 10:21

GoogleCodeExporter commented 8 years ago
Can you post the output of ios_examiner without parameters on the same device 
with ramdisk booted ? thanks

Original comment by jean.sig...@gmail.com on 4 Mar 2013 at 10:39

GoogleCodeExporter commented 8 years ago
Thanks for your reply. Please find the output attached.
I did the acquisition twice and got the same hash values.
Thanks a lot.

Original comment by kay...@gmail.com on 4 Mar 2013 at 2:14

Attachments:

GoogleCodeExporter commented 8 years ago
ok, can you upload the data at the end of the nand image starting at offset 
0x81f0fbfb0 until the end. Also, can you boot the ramdisk and check on screen 
for the message 
"Found DEVICEINFOBBT at page %d, banksPerCEphyiscal=%d" or "Couldnt guess the 
number of physical banks, assuming 1\n" (i assume it will be the later, the bug 
being that banksPerCEphyiscal should be set to 2 on the ramdisk).
Thanks.

Original comment by jean.sig...@gmail.com on 5 Mar 2013 at 12:25

GoogleCodeExporter commented 8 years ago
Due to some complicated reasons, my apologies that the content of the nand 
image cannot be uploaded here. What tests/checking do you want to do? May I do 
it on my own?

Unfortunately the iPhone3GS is currently not with me and all I got is only the 
nand image. Sorry that I'm unable to provide the required information. So in my 
case is there anything I can do to fix the problem with the nand image on hand? 

In any cases your kind assistance is really appreciated. Thank you very much.

Original comment by kay...@gmail.com on 6 Mar 2013 at 4:27

GoogleCodeExporter commented 8 years ago
ok, will you ever get access to the device again ? anyway if the bug is the one 
i suspect then you cant do much to fix the image, as it was dumped incorrectly. 
can you check if the following hex pattern appears in the image : "A5 A5 A5 A5 
A5 A5 FF FF"
it is the spare area of the "special pages" that should be at the end of the 
image (but apparently are not because of the bug). thanks again.

Original comment by jean.sig...@gmail.com on 6 Mar 2013 at 9:25

GoogleCodeExporter commented 8 years ago
Thanks for your prompt reply. It's not straightforward to get access to the 
device again. But if the bug can be fixed, it worths a try definitely.

I checked the image and as you anticipated, I couldn't find the pattern "A5 A5 
A5 A5 A5 A5 FF FF". I tried opening another image (which could be processed 
without any errors) and found the pattern near the end of the image. At the 
same locations (last sixteenth to nineth bytes) of the faulty image, the bytes 
read "C4 6A C1 00 00 08 FF FF". Does it imply the bug being banksPerCEphyiscal 
should be set to 2 on the ramdisk? If so, can it be fixed?

Thanks a lot again.

Original comment by kay...@gmail.com on 6 Mar 2013 at 9:53

GoogleCodeExporter commented 8 years ago
when you have the device again, you can try rebuilding the ramdisk with this 
patch : it should find the correct value for banksPerCEphyiscal, and hopefully 
produce a correct image.
thanks.

Original comment by jean.sig...@gmail.com on 6 Mar 2013 at 11:01

Attachments:

GoogleCodeExporter commented 8 years ago
I'm very grateful for your help! 

I will try to get back the device asap and test if the patch works. Will update 
you later. Thanks a lot.

Btw, would also like to know is that the value for banksPerCEphysical is only 
incorrect for 32GB device? I guess so because there's no problem with my 16GB 
device.

Original comment by kay...@gmail.com on 7 Mar 2013 at 12:53

GoogleCodeExporter commented 8 years ago
yes, it is only incorrect for this device.

Original comment by jean.sig...@gmail.com on 7 Mar 2013 at 12:09

GoogleCodeExporter commented 8 years ago
I see. Thanks.

Original comment by kay...@gmail.com on 8 Mar 2013 at 2:05

GoogleCodeExporter commented 8 years ago
I got the device and did the acquisition again with the patched ramdisk. The 
image could be processed without errors. Thank you so much for fixing the 
problem! :)

Original comment by kay...@gmail.com on 12 Mar 2013 at 2:17

GoogleCodeExporter commented 8 years ago
Great, thanks a lot for testing.

Original comment by jean.sig...@gmail.com on 15 Mar 2013 at 12:28

GoogleCodeExporter commented 8 years ago
This issue was closed by revision c14d67b57a17.

Original comment by jean.sig...@gmail.com on 26 May 2013 at 11:13