Support for A5+ devices (iPhone 4S, iPad 2, iPhone 5, ...)

[GoogleCodeExporter]

Until a bootROM/bootloader-level exploit is found for those devices, it is 
impossible to boot a custom ramdisk.
However, for devices jailbroken with Absinthe and ssh access, it should be 
possible to use the tools, provided that the "IOAESAccelerator enable UID" 
kernel patch is applied.

Original issue reported on code.google.com by jean.sig...@gmail.com on 4 Feb 2012 at 10:20

[GoogleCodeExporter]

afaik, it is not possible to fix or recover files on A5 devices stuck in boot 
loop (because there is no bootloader exploit), sorry.

Original comment by jean.sig...@gmail.com on 4 Mar 2013 at 8:57

[GoogleCodeExporter]

hello how can i ssh into my iphone 4s if it stuck on applelogo? i cant seem to 
find my iphone ip address through my router, well i find it but cyberduck 
doesnt recognize it. there has to be a way to get into my iphone files??

Original comment by mrj...@gmail.com on 4 Mar 2013 at 3:36

[GoogleCodeExporter]

@mrju30 : you can't

Original comment by jean.sig...@gmail.com on 6 Mar 2013 at 9:28

• Changed title: Support for A5+ devices (iPhone 4S, iPad 2, iPhone 5, ...)

[GoogleCodeExporter]

Issue 96 has been merged into this issue.

Original comment by jean.sig...@gmail.com on 6 Mar 2013 at 9:31

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Hello

DEV: iphone 4s    IOS: 6.0.1  

mark:/bin root# device_infos
Trace/BPT trap: 5
mark:/bin root# bruteforce
Trying to patch IOAESAccelerator kernel extension to allow UID key usage
IOAESAccelerator Kernel patching failed
IOAESAccelerator returned: e00002c1
IOAESAccelerator returned: e00002c1
Trace/BPT trap: 5

Original comment by wubile...@gmail.com on 9 Mar 2013 at 9:45

[GoogleCodeExporter]

I have the exact problem as @mrju30!!! My last backup was November. I decided 
to just wipe it all out and allow the upgrade to iOS6.

Is there anyway I can capture a disk image (e.g. with dd) of the current iPhone 
4s state (only about 4gb of 64gb used) and in the future recovery files 
(Nov-March) from that disk image?

I have so many photos and video... I just need to know if I can capture a disk 
image with dd tool and will that preserve the iPhone filesystem for future, 
low-level scan, recovery? Or.. better yet.. send disk image to data recovery 
center? Is this possible?

And what specifically do I capture? Is it /dev/disk0 (the whole thing) or what 
of the other variations (e.g. /dev/disk0s1s2). And what is NAND? Is that a 
low-level capture? I just want to be able to capture the device as it is 
(though iOS6 is now installed with 4gb of data used) for future recovery or 
send that image to a data recovery place. If I use dd will it preserve the 
low-level architecture so it can undelete files in the future? Please let me 
know! Thanks!!!

Original comment by mrmatwil...@gmail.com on 19 Mar 2013 at 4:59

[GoogleCodeExporter]

I SWEAR TO ALLAH!! I would pay $5grand to get this data back... Now or within a 
couple years! Someone let me know if I can use dd or another tool and what 
specifically to back up.

Please note.. I have very little knowledge on how hard disks and flash and NAND 
or whatever works. I'm a complete ignorant fool about that. The only thing I do 
know is Python, Django and C. But I know nothing about hardware.

Original comment by mrmatwil...@gmail.com on 19 Mar 2013 at 5:04

[GoogleCodeExporter]

@wubilei48 this is a known issue (see above), the kernel patcher does not works 
yet on ios 6.

@mrmatwilson
if the device was wiped then it is afaik impossible to recover the old data, as 
the wipe is done in a secure manner and master encryption keys are physically 
erased from the nand flash.

Original comment by jean.sig...@gmail.com on 19 Mar 2013 at 9:00

[GoogleCodeExporter]

Does anyone know when i can SSH into my 6.1.3 iphone 4s ?

Original comment by R.Dempst...@gmail.com on 22 Mar 2013 at 1:16

[GoogleCodeExporter]

^ install APT from cydia and openssh

Original comment by c...@indulgence.sg on 3 Apr 2013 at 5:03

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Hi,

i have some problems with a iPhone 4s.

After downloading and compiling ur latest tools and execute, i get the 
following outputs:
--------
./1_kernel_patcher 
Found IOAESAccelerator UID ptr at 8056198c
vm_write into kernel_task OK
--------
./2_device_infos 
--> lots of device informations
--------
./3_bruteforce 
Writing results to 81304c87ca204542.plist
--> and the bruteforce
--------

Now i want to decrypt my dd.

Here is what i do whith the emf_decrypter and what i get:
--------
./emf_decrypter rdisk0s1s2 81304c87ca204542.plist
WARNING ! This tool will modify the hfs image and possibly wreck it if 
something goes wrong !
Make sure to backup the image before proceeding
Press a key to continue or CTRL-C to abort
a
Volume identifier : 81304c87ca204542
Searching for ./81304c87ca204542.plist
Data partition offset = 49000
Reading class keys, NSProtectionComplete files should be decrypted OK
--------

After this step no Data is decrypted. Whats the problem?

Original comment by hybridhe...@googlemail.com on 8 Apr 2013 at 1:15

[GoogleCodeExporter]

@Hybrid-Heaven the C version of emf_decrypter is not maintained anymore, you 
have to use the python version (python_scripts/emf_decrypter.py)

Original comment by jean.sig...@gmail.com on 9 Apr 2013 at 8:21

[GoogleCodeExporter]

Ok, this was the problem! Works fine now! Thank u!

Original comment by hybridhe...@googlemail.com on 11 Apr 2013 at 10:41

[GoogleCodeExporter]

Does the kernel patcher work on iOS 6 yet? I look forward to dd'g and 
decrypting the images of more recent iOS platforms :)

Thanks!

Original comment by denisele...@gmail.com on 25 Apr 2013 at 11:23

[GoogleCodeExporter]

@deniselee80 no, it isnt done yet. i will update this issue when it is.

Original comment by jean.sig...@gmail.com on 26 Apr 2013 at 8:51

[GoogleCodeExporter]

HI Guys,

this seems to be the right place to ask: is it, in general, possible to have 
photos recovered from an iphone 4s which was restored by itunes? i mean, IF i 
can access by ssh(atm 6.1.3 no chance) and get a "disk image", will there be a 
chance, that "normal" recovery software like getdataback/photo recovery will 
find anything in it?

since i just lost 300 photos/videos of my daughters first half year, i am also 
glad i anyone will break this apple-thing and get the photos from the flash ;)

pls dont ask: NO there is NO backup... done ever... :(

Original comment by kaigorsk...@googlemail.com on 4 May 2013 at 9:00

[GoogleCodeExporter]

@kaigorski79 if the device was restored then there is afaik no way to recover 
the data, as the restore process does the equivalent of a wipe on the data 
partition.

Original comment by jean.sig...@gmail.com on 6 May 2013 at 8:17

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

I am a begginer and from the above comments ,it would work on iPad 2.However ,I 
don't know how to use the attach files,you know the previous "kernel_patcher" 
is a py script,but there ,it is a text file. Can you help me ?Thank you in 
advance.

Original comment by liangwei...@gmail.com on 9 May 2013 at 5:53

[GoogleCodeExporter]

@jean: but hopefully wipe/restore is not equal with low level format.. my hope 
is that the data still exists as blocks without allocationtable an can be 
restored as i get access on filesystem(jb)

Anyone knows how restore works on ios devices? 

Sorry for offtopic

Original comment by kaigorsk...@googlemail.com on 9 May 2013 at 8:06

[GoogleCodeExporter]

Hi Jean,

I just wanted to clarify under what circumstances a iPhone 4s is recoverable.

I was up to running the kernel_patcher script and the output indicated that no 
keys were pulled from the 4s image. After reading these comments on this page 
several times it looks like:

 * If you can actually get into a jailbroken phone you can run the tools assuming the per-requisite software / kernel is installed/patched.
* Even if you can get the image decrypted, emf_decrypter can't decrypt deleted 
files and therefore is only of use for existing files.

I must be missing something but if can get access to the phone but can't use 
emf_decrypter to help restore deleted files, is there any use in running these 
tools at all on a 4s? Because surely the reason to be running them on a 4s is 
if you have deleted files. If you don't have deleted files and just want to 
restore (non)deleted files AND you have can get into the phone, surely you 
could just SCP them off the phone?

If you DO have access into a 4s AND have deleted files, you are currently out 
of luck until (if) a suitable exploit can be found?

Cheers.

Original comment by scottpst...@gmail.com on 19 May 2013 at 2:13

[GoogleCodeExporter]

@kaigorski79 afaik restore wipes the data partition, i'll make some tests to 
make sure of that and create a wiki page soon so this question is documented.

@scottpstapleton well technically the undelete stuff would work if you have ssh 
access on a jailbroken 4s, but the scripts need to be updated for the new nand 
ftl (so its not working yet). also, the kernel patcher needs to be updated for 
ios6. if you don't have ssh access and cant jailbreak the device then theres 
nothing you can do because there is no bootloader exploit.

Original comment by jean.sig...@gmail.com on 19 May 2013 at 10:00

[GoogleCodeExporter]

i have a question, this seems like the place to go to as i can't find any 
answers anywhere else.  i have an iphone 5 on 6.1.2....i installed 
respringcachefix, which basically dumps the /tmp folder on resprings.  i was 
messing around with ifunbox's terminal, and typed in respring...and noticed 
that access was denied to a bunch of the tmp files...keep in mind i am not 
advanced as far as all of these scripts go..but i was like wtf it's not 
deleting everything out of the /tmp folder (i thought that was just cache stuff 
that could be deleted to free space)...so i changed the permission of the 
folder '/tmp' and when i resprang...it deleted everything except for the 
launchd folder..which only contained a lockdown file.  i thought everything was 
fine..until i rebooted.  now i'm stuck in a loop (can still put in dfu..but 
that is it).  openssh is installed on the phone..but nothing will recognize my 
phone so i can get to the terminal.  My brother also has a 6.1.2 jb iphone so i 
could get any file i needed from his if it were possible...so, is there ANY..i 
mean ANY way i can access my phone?  i have iLEX r.a.t. installed with backups, 
and as stated before i could get files from my brothers phone if i needed.  

Is there any possible way to get my phone to a state to where i can access it 
via the terminal?  forgive the lack of knowledge of this stuff, but i'd really 
like to get my phone back up and running.  My sister has an unjailbroken 6.0.1 
(or something similar, not up to 6.1.2 though)iphone5, and she said she'd be 
more than happy to just give it to me and i'd restore/update this phone to 
6.1.4 for her...but that would be a last case scenario for me...i want to fix 
this. i like being on the latest OS possible. I know this doesn't mean much but 
i have all shsh blobs saved from 6.0 on my computer via tinyumbrella. multiple 
backups...and even icloud has a bunch of my stuff.  but i want to fix this 
phone.

sorry for the long post...but if anyone knows how to fix this, please..please 
post and let me know.

Original comment by BrandonD...@gmail.com on 23 May 2013 at 3:14

[GoogleCodeExporter]

sorry, i should say - iTunes and tiny umbrella do see it as a DFU device being 
connected...but both ifunbox and winscp won't recognize the device.  please 
help!

Original comment by BrandonD...@gmail.com on 23 May 2013 at 3:20

[GoogleCodeExporter]

@BrandonD518 afaik if your device does not boot to the point you can get 
access, then there is nothing you can do (except restore).

Original comment by jean.sig...@gmail.com on 26 May 2013 at 11:07

[GoogleCodeExporter]

Hi there!

I'm runing the "undelete" command of ios_examiner in an iPhone 3GS. The 
undeletion process is working OK (is recovering files etc) but it's been 
running for more than 48 hours now (the device has 32 GB but ONLY 4 GB of free 
space) and still no clue when it will end.

A previous attempt (with the device nearly empty, so nearly 32 GB of free 
space) crashed after 48+ hours.

Any advice will be more than welcome.

I'm using this for some experiments in my PhD studies. If an iPad1 or an 
iPhone4 will be noticeably faster, I might purchase one of those as well (our 
test devices include also an iPhone5 and an iPad3, but those are not supported 
yet. Please fix kernel_patcher! :)

Best regards, congratulations, and keep up the good work!!! :**

Original comment by p...@lgomez.es on 26 May 2013 at 9:14

[GoogleCodeExporter]

did you acquire an image (nand_dump command, then restart ios_examiner with the 
image file and plist as parameters), or did you run the undelete command 
directly ? running the command directly is very slow because all the read 
operations are proxyfied over usb to the device.
in any case, after 48h is there still some new output, or is is stuck ? what is 
the last output in that case ?
you can create a new issue with this information and any other details that 
might be useful.
thanks.

Original comment by jean.sig...@gmail.com on 27 May 2013 at 4:00

[GoogleCodeExporter]

Hi all,plz help..
can i ssh into my iphone 4s ios 5.1.1 stuck on bootloop? My iphone doesnt 
recognized in any iphone file manager.i try to fix it with desable 
mobilesubstrat but no thing work.i try the last version of iphone data 
recovery.and when i put my iphone in dfu mode this application blocked then 
give an error.i'm stuck & i need my data plz help..& i never backup my data 
with itunes.if there is a way to backup data from dfu mode or creat 
no_erase_data ipsw or any solution ...thank you for ur replly

Original comment by armada.d...@gmail.com on 27 May 2013 at 6:37

[GoogleCodeExporter]

@armada.dj87
afaik it is not possible to fix bootloops on iphone4S and newer devices without 
restoring.

Original comment by jean.sig...@gmail.com on 28 May 2013 at 5:20

[GoogleCodeExporter]

Thank's ... I can say goodbye to my data...

Original comment by armada.d...@gmail.com on 29 May 2013 at 5:15

[GoogleCodeExporter]

hi I have problem in my iPhone 4s.. I lost my camera app. I don't know why its 
gone and even my application menu was gone. so now I cannot used my camera 
either in any way . what should I do have that back?

I hope you can help me soon I need my camera app. back

thanks 

Franz

Original comment by franz.si...@gmail.com on 1 Jun 2013 at 11:47

[GoogleCodeExporter]

Hello, jean.
Is it okay to patch the living ios 6 kernel, to crack the lockdown passcode of 
a dual-core idevice with bruteforce?

Now, bruteforce and kernel_patcher will crash the kernel instantly.

Thanks for regardness!

persmule

Original comment by persm...@gmail.com on 24 Jul 2013 at 9:25

[GoogleCodeExporter]

@persmule
i havent fixed kernel_patcher to support ios 6 yet, still in the todo-list ...

Original comment by jean.sig...@gmail.com on 24 Jul 2013 at 8:53

[GoogleCodeExporter]

I have got a jailbroken iphone 4s running ios 5.0.1, and I try to run your 
shsh_dump to get its shsh blobs. But the program get the IMG2 magic 0x1e925e60 
(not 0x494d4732) and return with -1. What is wrong with my device? Can I bypass 
the magic check at shsh_dump.c:132?

Original comment by persm...@gmail.com on 27 Sep 2013 at 3:31

[GoogleCodeExporter]

Hey guys,

it's now already 6 months ago that Armada asked the question. Did anyone find 
in the meantime a solution to recover the data of a not jailbreaked iphone 4s? 
DFU as well as recovery mode works, iphone data recovery Crash....
Thanks Joe 

Original comment by Joe.Pag...@googlemail.com on 4 Oct 2013 at 10:07

[GoogleCodeExporter]

Hello!

Can anyone tell me if it is possible to run "device_infos" on an 4S device 
running iOS 6.0.1?

compiling "device_infos", using code pulled on Oct 7 2013, then ssh'ing it over 
to the device and running, results in:
Trace/BPT trap: 5

The device is jb and I have been able to extract an image, but have not been 
able to decrypt the image since I cannot figure out how to extract the keys.

My ultimate goal is to be able to decrypt the entire image and then mount it so 
that I can look through it.

Any help anyone may have would be greatly appreciated.

Thank you,

frankmarco2000

Original comment by frankmar...@gmail.com on 8 Oct 2013 at 7:16

[GoogleCodeExporter]

@persmule the tool is buggy, sorry...
@Joe.Pagels not possible afaik for devices newer than iphone 4
@frankmarco2000 the tools wont work on ios6, the kernel patcher needs to be 
updated

Original comment by jean.sig...@gmail.com on 8 Oct 2013 at 7:56

[GoogleCodeExporter]

Hi Jean,

Although i wasn't able to use your instruction (iOS 6) i want to thank you for 
the support your giving to all these unknown people. Tells me your a great 
person!

Keep up the good work :-)

Original comment by denso...@gmail.com on 13 Oct 2013 at 1:03

[GoogleCodeExporter]

Hi People,

I have this damn Ipad2 i think it has A5 chip, and dont know the IOS version 
4.3 or 5.1? , it was Jailbroken with (it had Cydia & Installous) and kids 
wanted to upgrade within IPAD/ Software Update, and now its STUCK, RECOVERY 
MODe (bootloop) i have tried TinyUmbrella etc.  i just wanted to get some 
videos out of it and throw it away, im trying [SSH ramdisk maker & loader] but 
its saying:

Connect a device in DFU mode
MobileDevice event: DfuConnect, 47c1227, 4008940
DFU device 'UNSUPPORTED' connected
Ignoring unsupported device UNSUPPORTED

Cant seems to find the problem? should i wait for an upgrade of RAMDISK?

Original comment by mas...@gmail.com on 11 Nov 2013 at 2:14

[GoogleCodeExporter]

I have SHSH Blob i got from tinyUmbrella, does that help?

Original comment by mas...@gmail.com on 11 Nov 2013 at 2:21

[GoogleCodeExporter]

HOW TO PATCH USING WINDOWS? I GOT IPHONE 4S HERE

Original comment by kidma...@gmail.com on 20 Nov 2013 at 6:24

[GoogleCodeExporter]

devices newer than iphone4 are not supported (and will most likely never be)

Original comment by jean.sig...@gmail.com on 14 Dec 2013 at 2:29

[GoogleCodeExporter]

ok guys, i am green here but up until couple of days ago i had 5.0.1 running on 
4s (A5) jb absinthe. so before i restored it to 7.0.4 i ssh and dump the entire 
disk0 to my pc.(disk0, not rdisk0)
i know the image is not perfect since the disk was mounted ( couldn't figure 
out how to creare a ramdrive and boot from it to unmount the disk 'cause i 
wasn't sure if it is possible at all).
anyway its a 32gb file.
now i am on 7.0.4 jb Evasi0n.
got ssh.
is it possible to to deploy the img back ? 
(how if at all can i create ram drive to boot from?)

Original comment by Yakir...@gmail.com on 27 Dec 2013 at 12:33

[GoogleCodeExporter]

@jean

  Is it possible in the future to fix bootloops on iphone4S ?  thank you

Original comment by xiejinsh...@gmail.com on 29 Dec 2013 at 4:19

[GoogleCodeExporter]

@Yakirkid not possible to deploy the image back or decrypt it if you did not 
grab the encryption keys before restoring

@xiejinsheng not to my knowledge, there is still no bootloader exploit for 
those devices

Original comment by jean.sig...@gmail.com on 29 Dec 2013 at 11:36

[GoogleCodeExporter]

have ssh to connect into DFU mode for iPhone 5? 

Original comment by VictorIm...@gmail.com on 25 Jan 2014 at 11:25

[GoogleCodeExporter]

Where can I have ssh to connect to DFU mode for ipad 4?

Original comment by roat...@gmail.com on 1 Feb 2014 at 6:20

[GoogleCodeExporter]

iH8Sn0w Discovers iBoot Exploit Making A5(X) Devices Jailbreakable for Life!

Original comment by xiejinsh...@gmail.com on 2 Feb 2014 at 4:00