SAD1992 / iphone-dataprotection

Automatically exported from code.google.com/p/iphone-dataprotection

Unable to find VSVFL context for CE %d" % ce #72

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. NAND image.bin successfully completed using the following: nand_dump iphone4_nand.bin

2. Attempting to execute the ios_examiner.py script using the following:
    python python_scripts/ios_examiner.py iphone4_nand.bin iphone4.plist undelete (and without "undelete", same issue)

What is the expected output? What do you see instead?

Expecting to see outcome (recovered files) and seeing instead the following:

Loading device information from iphone4.plist
Device model: iPhone 4 GSM
UDID: 3d4e5b8a9204e5621e0355a6e974a4ae4a4a05c6
ECID: 3585307992975
Serial number: 88207F9MA4S
key835: 7776885bdf2151992a6c357060fac693
key89B: 0744dff1758f7f8c10effc3955d96486
Chip id 0x3294e798 banks per CE physical 1
NAND geometry : 16GB (4 CEs (1 physical banks/CE) of 4100 blocks of 128 pages 
of 8192 bytes data, 12 bytes metdata)
Image size matches expected size, looks ok
Searching for special pages...
Found DEVICEUNIQUEINFO, NANDDRIVERSIGN, DEVICEINFOBBT special pages in CE 0
NAND signature 0x43313132 flags 0x10006 withening=1, epoch=2
Effaceable generation 42
Effaceable CRC OK
Found effaceable lockers in ce 1 block 1 page 96
Lockers : BAG1, DONE, Dkey, LwVM
Found DEVICEUNIQUEINFO, serial number=88207F9MA4S
Using VSVFL
Traceback (most recent call last):
  File "python_scripts/ios_examiner.py", line 369, in <module>
    main()
  File "python_scripts/ios_examiner.py", line 363, in main
    image = NAND(nandimagename, device_infos)
  File "/Users/daron/iphone-dataprotection/python_scripts/nand/nand.py", line 124, in __init__
    self.vfl = VSVFL(self)
  File "/Users/daron/iphone-dataprotection/python_scripts/nand/vsvfl.py", line 86, in __init__
    raise Exception("Unable to find VSVFL context for CE %d" % ce)
Exception: Unable to find VSVFL context for CE 0

What version of the product are you using? On what operating system?

Recent version of the tools, python27 and OS X 10.6.7

Original issue reported on code.google.com by fremanof...@gmail.com on 22 Aug 2012 at 1:56

GoogleCodeExporter commented 8 years ago
This happens to me when I try to run the script without having the ramdisk 
loaded onto the phone. I load the ramdisk >>  

./redsn0w.app/Contents/MacOS/redsn0w -i iphone511.ipsw -r myramdisk_n90ap.dmg 
-k kernelcache.release.n90.patched -a "-v rd=md0 nand-disable=1" 

and then this error goes away. I'm new to this, hope I'm right and hope this 
helps.

Original comment by robert.f...@gmail.com on 25 Aug 2012 at 2:55

GoogleCodeExporter commented 8 years ago
Also, a tip I learned for myself - again, I have no idea if I'm doing it right 
BUT it did something, and that made me happy! 

1) load the ramdisk, run the >> python python_scripts/ios_examiner.py  (only if 
you have taken the time to do the "nand dump" before)

the keybag will be locked still. run the >> bruteforce  (by typing 'bruteforce' 
at the prompt)

You already created the iphone4.plist, so type in the filename iphone4.plist 
and choose N no to overwrite. The keybag will then be unlocked. You can verify 
this by typing: keychain 

THEN run the >> undelete

It takes a while to run and "undelete". 

type >> dd FILENAME.dmg  (to dump current partition to FILENAME.dmg - so you 
can mount it and read it)

I haven't had success recovering anything yet, but I am getting there! (I 
think/hope lol) 

Original comment by robert.f...@gmail.com on 25 Aug 2012 at 3:07

GoogleCodeExporter commented 8 years ago
Thnx for your advice! I can confirm that the second tip works well and I see 
first recovered jpegs in undeleted directory, this process is very slow so it 
probably will take a few days to see the whole outcome. The first tip 
unfortunately doesn't work for me. Anyway thank you for your contribution.

Original comment by fremanof...@gmail.com on 25 Aug 2012 at 6:52

GoogleCodeExporter commented 8 years ago
@fremanofarrakis
The error only occurs when you run ios_examiner on the nand dump file, but when 
you run it without parameters (with the ramdisk loaded) there is no error ?

Original comment by jean.sig...@gmail.com on 26 Aug 2012 at 9:30

GoogleCodeExporter commented 8 years ago
Yes, it's exactly as you say.

Original comment by fremanof...@gmail.com on 26 Aug 2012 at 9:41

GoogleCodeExporter commented 8 years ago
ok, could you try to change line 42 in python_scripts/nand/image.py from
if r1 != 0x0:
to 
if r1 == 0xe00002e5:

and try again the "python python_scripts/ios_examiner.py iphone4_nand.bin 
iphone4.plist" command. Thanks.

Original comment by jean.sig...@gmail.com on 26 Aug 2012 at 11:04

GoogleCodeExporter commented 8 years ago
I've already tested it, unfortunately with the same upshot. Another question - I 
want to recover just one type of file, e.g. m4a format, so does the undelete script 
have any data filtering option?

Original comment by fremanof...@gmail.com on 27 Aug 2012 at 7:10

GoogleCodeExporter commented 8 years ago
ok, i'll have to try and figure it out but for now i cannot reproduce the issue.
there is currently no filtering option for the undelete script.

Original comment by jean.sig...@gmail.com on 29 Aug 2012 at 7:14

GoogleCodeExporter commented 8 years ago
I made a setup using Linux Debian and MacOSX Mountain Lion 10.8.1 with Xcode 
4.3.3.
Same error on both environments.
My solution was : make another nand_dump from ios_examiner (IOS 5.1.1 - Iphone 
4 32GB)

(iPhone4-data) / bruteforce
Enter passcode or leave blank for bruteforce:

(iPhone4-data) / nand_dump iphone4_nand.bin
Dumping 32GB NAND to iphone4_nand.bin
100% |########################################################################|
NAND dump time : 1:35:13.450000
SHA1: 0000000000000000000000000000000000000000
(iPhone4-data) / exit

Thanks 
Regards

Original comment by gbdura...@gmail.com on 6 Sep 2012 at 2:32

GoogleCodeExporter commented 8 years ago
I'm getting this error after every dump, tried about 4 dumps and all of them I 
get this error.

When I try to run python python_scripts/ios_examiner.py without parameters I 
see the following message on iOS device:

FAIL: Could not get AppleEffaceableStorage service
IOConnectCallMethod on  AppleEffaceableStorage selector 1 returned 10000003
AppleIOPFMI: ERROR: First Failing CE: 0

I can access system and data partitions without problems via SSH.

The nand_dump ran OK but running python_scripts/ios_examiner.py nand_dump.bin 
iphone4.plist fails, returning Unable to find VSVFL context for CE 0.

Any ideas?
Thanks
Regards

Original comment by gbdura...@gmail.com on 15 Oct 2012 at 11:47

GoogleCodeExporter commented 8 years ago
Hi, havin' same issue. (iPhone 4, iOS 6) Here's my output:

Using VSVFL
Traceback (most recent call last):
  File "python_scripts/ios_examiner.py", line 366, in <module>
    main()
  File "python_scripts/ios_examiner.py", line 361, in main
    image = NAND(nandimagename, device_infos)
  File "/Users/giovi/src/iphone-dataprotection/python_scripts/nand/nand.py", line 124, in __init__
    self.vfl = VSVFL(self)
  File "/Users/giovi/src/iphone-dataprotection/python_scripts/nand/vsvfl.py", line 86, in __init__
    raise Exception("Unable to find VSVFL context for CE %d" % ce)
Exception: Unable to find VSVFL context for CE 0

Comment 6 didn't help either... Any ideas?

Original comment by grapple...@gmail.com on 18 Oct 2012 at 3:06

GoogleCodeExporter commented 8 years ago
Can you apply the attached patch to add debug output, run ios_examiner.py with 
the nand dump and plist file as parameters and post the output here ? Thanks.

Original comment by jean.sig...@gmail.com on 21 Oct 2012 at 12:21

Attachments:

GoogleCodeExporter commented 8 years ago
Patch applied, output attached. Thank you!

Original comment by grapple...@gmail.com on 22 Oct 2012 at 9:13

Attachments:

GoogleCodeExporter commented 8 years ago
Great, can you also apply this patch to debug the checksum issues ? just run 
the same command, also if you still have the device that was dumped and you can 
run ios_examiner.py with no parameters (with the ramdisk booted) and post the 
two outputs. Thanks a lot.

Original comment by jean.sig...@gmail.com on 22 Oct 2012 at 8:58

Attachments:

GoogleCodeExporter commented 8 years ago
python python_scripts/ios_examiner.py iphone4_nand.bin iphone4.plist 
Loading device information from iphone4.plist
Device model: iPhone 4 GSM
UDID: 
ECID: 
Serial number:
key835: 
key89B: 
Chip id 0x32956845 banks per CE physical 2
NAND geometry : 32GB (4 CEs (2 physical banks/CE) of 8192 blocks of 128 pages 
of 8192 bytes data, 12 bytes metdata)
Image size matches expected size, looks ok
Searching for special pages...
Found DEVICEUNIQUEINFO, NANDDRIVERSIGN, DEVICEINFOBBT special pages in CE 0
NAND signature 0x43313131 flags 0x10005 withening=1, epoch=1
Effaceable generation 76
Effaceable CRC OK
Found effaceable lockers in ce 3 block 1 page 96
Lockers : BAG1, DONE, Dkey, LwVM
Found DEVICEUNIQUEINFO, serial number=
Using VSVFL
vfl checksum got c886a3ab 8f887c55 expected 2832bae0 28092eea
vfl checksum got af259746 2f99e614 expected 545385db e09a24cf
vfl checksum got fa813816 deb892d6 expected 7eccc8cb 5a5d9d9e
vfl checksum got 730eabd1 4539a7f7 expected ebc15f0 ffff1b2c
vfl checksum got 1c05e901 2f4cda83 expected 6977d829 bdc74bce
Traceback (most recent call last):
  File "python_scripts/ios_examiner.py", line 366, in <module>
    main()
  File "python_scripts/ios_examiner.py", line 361, in main
    image = NAND(nandimagename, device_infos)
  File "/Users/gabriel/Desktop/iphone-dataprotection/python_scripts/nand/nand.py", line 124, in __init__
    self.vfl = VSVFL(self)
  File "/Users/gabriel/Desktop/iphone-dataprotection/python_scripts/nand/vsvfl.py", line 86, in __init__
    raise Exception("Unable to find VSVFL context for CE %d" % ce)
Exception: Unable to find VSVFL context for CE 0

python python_scripts/ios_examiner.py 
Connecting to device : 
Device model: iPhone 4 GSM
UDID: 
ECID: 
Serial number: 
key835: 
key89B: 
Chip id 0x32956845 banks per CE physical 2
NAND geometry : 32GB (4 CEs (2 physical banks/CE) of 8192 blocks of 128 pages 
of 8192 bytes data, 12 bytes metdata)
Searching for special pages...
Found DEVICEUNIQUEINFO, NANDDRIVERSIGN, DEVICEINFOBBT special pages in CE 0
NAND signature 0x43313131 flags 0x10005 withening=1, epoch=1
Effaceable generation 76
Effaceable CRC OK
Found effaceable lockers in ce 3 block 1 page 96
Lockers : BAG1, DONE, Dkey, LwVM
Found DEVICEUNIQUEINFO, serial number=
Using VSVFL
vfl checksum got 20a234e b6b3c670 expected 20a234e b6b3c670
vfl checksum got 2332361 b69ac675 expected 2332361 b69ac675
vfl checksum got 8609ca0e bcd2d874 expected 8609ca0e bcd2d874
vfl checksum got 863cca25 bce5d875 expected 863cca25 bce5d875
vfl checksum got bfd6f566 aef3c46c expected bfd6f566 aef3c46c
vfl checksum got c021f58b aed0c47b expected c021f58b aed0c47b
vfl checksum got 8078828a b701cedc expected 8078828a b701cedc
vfl checksum got 80968298 b71fced2 expected 80968298 b71fced2
VSVFL context open OK
YaFTL context OK, version=CX01 maxIndexUsn=775909 context usn=775909
LwVM header CRC OK
cprotect version : 4 (iOS 5)
iOS version:  5.1.1
Keybag state: locked

Original comment by gbdura...@gmail.com on 24 Oct 2012 at 3:41
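
An added triage example (not part of the original thread or the project's code): it parses the two ios_examiner.py transcripts from the comment above and checks whether the device headers agree while the VFL checksums fail only on the image-backed run. The sample lines are copied from that comment and shortened; the names `summarize` and `compare` are hypothetical, and the script is written for Python 3.

```python
import re

# Lines copied from the two transcripts above: headers plus two checksum lines per run.
IMAGE_RUN = """\
Chip id 0x32956845 banks per CE physical 2
NAND signature 0x43313131 flags 0x10005 withening=1, epoch=1
Effaceable generation 76
vfl checksum got c886a3ab 8f887c55 expected 2832bae0 28092eea
vfl checksum got 730eabd1 4539a7f7 expected ebc15f0 ffff1b2c
"""
LIVE_RUN = """\
Chip id 0x32956845 banks per CE physical 2
NAND signature 0x43313131 flags 0x10005 withening=1, epoch=1
Effaceable generation 76
vfl checksum got 20a234e b6b3c670 expected 20a234e b6b3c670
vfl checksum got 8609ca0e bcd2d874 expected 8609ca0e bcd2d874
VSVFL context open OK
"""

HEX = r"([0-9a-fA-F]+)"
CHECKSUM = re.compile(rf"^vfl checksum got {HEX} {HEX} expected {HEX} {HEX}$")
HEADERS = ("Chip id", "NAND signature", "Effaceable generation")

def summarize(transcript):
    """Collect device header lines and VFL checksum pass/fail counts."""
    info = {"headers": [], "ok": 0, "bad": 0, "context_open": False}
    for line in map(str.strip, transcript.splitlines()):
        m = CHECKSUM.match(line)
        if m:
            # Compare as integers: the tool prints hex without zero padding.
            got1, got2, exp1, exp2 = (int(g, 16) for g in m.groups())
            info["ok" if (got1, got2) == (exp1, exp2) else "bad"] += 1
        elif line.startswith(HEADERS):
            info["headers"].append(line)
        elif line == "VSVFL context open OK":
            info["context_open"] = True
    return info

def compare(image_log, live_log):
    """Report whether the failure is confined to the image-backed run."""
    img, live = summarize(image_log), summarize(live_log)
    same_device = img["headers"] == live["headers"]
    image_only = (same_device and img["ok"] == 0 and img["bad"] > 0
                  and live["bad"] == 0 and live["context_open"])
    return {"same_device_headers": same_device,
            "image_checksums_ok_bad": (img["ok"], img["bad"]),
            "live_checksums_ok_bad": (live["ok"], live["bad"]),
            "failure_confined_to_image": image_only}
```

When the headers agree and only the image run fails every checksum, the device metadata was read consistently and the divergence is in the page contents the dump file supplies to the VFL code.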

GoogleCodeExporter commented 8 years ago
There you go :)

Original comment by grapple...@gmail.com on 24 Oct 2012 at 7:41

Attachments:

GoogleCodeExporter commented 8 years ago
Can you move this line
hexdump(d[:1024])
out of the if statement so that it shows the hexdump in the case where it works 
(ios_examiner without parameters)
Thanks.

Original comment by jean.sig...@gmail.com on 24 Oct 2012 at 8:17

GoogleCodeExporter commented 8 years ago
Did it, hope it helps...

Original comment by grapple...@gmail.com on 24 Oct 2012 at 10:45

Attachments:

GoogleCodeExporter commented 8 years ago
ok, sorry for the multiple tries to get this right, but could you change the
hexdump(d[:1024])
to
hexdump(d)
exit(0)

and repost both outputs. Thanks a lot.

Original comment by jean.sig...@gmail.com on 24 Oct 2012 at 8:40

GoogleCodeExporter commented 8 years ago
easy, thank you for the support :) here's the adapted output...

Original comment by grapple...@gmail.com on 25 Oct 2012 at 9:38

Attachments:

GoogleCodeExporter commented 8 years ago
ok i see where the bug is coming from, can you just post the contents of the 
"nand" dictionary in the plist file ? Thanks.

<key>nand</key>
<dict>
...
</dict>

Original comment by jean.sig...@gmail.com on 25 Oct 2012 at 4:37

GoogleCodeExporter commented 8 years ago
Here it is...

Original comment by grapple...@gmail.com on 26 Oct 2012 at 6:33

Attachments:

GoogleCodeExporter commented 8 years ago
i haven't had a chance yet to try and reproduce the issue. I assume you tried 
to redump the nand image on the same device and still had the same issue ?

Original comment by jean.sig...@gmail.com on 7 Nov 2012 at 8:51

GoogleCodeExporter commented 8 years ago
same issue here again

Original comment by gbdura...@gmail.com on 11 Nov 2012 at 7:39

GoogleCodeExporter commented 8 years ago
yes, tried to redump, same error...

Original comment by grapple...@gmail.com on 19 Nov 2012 at 11:41

GoogleCodeExporter commented 8 years ago
ok, here's a temporary patch for the nand dumper, you have to rebuild the 
ramdisk with the new ioflashstoragekit binary and redump the nand. based on the 
hexdumps it should fix the error but i'm still not quite sure how this happens. 
thanks

Original comment by jean.sig...@gmail.com on 22 Nov 2012 at 9:09

Attachments:

GoogleCodeExporter commented 8 years ago
Should I update all the comment patches for every file? Like vsvfl.debug.patch, 
vsvfl_checksum_debug.patch ....

I updated all the patch files, but it still doesn't work.

Or do I just need to apply some of the comment patches, not all of them?

Can you provide all the fix files for this issue in source->Changes, because the 
hp clone files are still old.

Thanks.

Original comment by AllPassC...@gmail.com on 9 Jan 2013 at 3:18

GoogleCodeExporter commented 8 years ago
This bug is not yet fixed. Did you try applying the ioflash_debug1.patch and 
redumping the nand ? However I don't think this patch will work. I now have a good 
idea of the root cause, just need to implement the missing code and test it 
properly. Hopefully I will update this issue soon and commit a proper patch.

Original comment by jean.sig...@gmail.com on 14 Jan 2013 at 3:21

GoogleCodeExporter commented 8 years ago
Also, if you can post the first 0x600 bytes of the nand dump, that would be 
very helpful. Thanks.

Original comment by jean.sig...@gmail.com on 14 Jan 2013 at 3:25

GoogleCodeExporter commented 8 years ago
Hi jean, tried again to redump with no luck. Here's the first 0x600 bytes of my 
nand... Hope it helps. Thanks.

Original comment by grapple...@gmail.com on 28 May 2013 at 3:39

Attachments:

GoogleCodeExporter commented 8 years ago
here is another patch that i believe has a chance of fixing the issue ;) you'll 
have to redump again.
if it still does not work and you have spare time, you can try running the 
script from this comment : 
https://code.google.com/p/iphone-dataprotection/issues/detail?id=86#c17
it will not fix the issue but should help understand it better.
thanks.

Original comment by jean.sig...@gmail.com on 28 May 2013 at 4:57

Attachments:

GoogleCodeExporter commented 8 years ago
Applied the patch, but no luck... I also receive the same error if I run the 
script from the other comment (see attached output). The errors refer to the 
same lines in nand.py and vsvfl.py...

Original comment by grapple...@gmail.com on 30 May 2013 at 8:55

Attachments: