payload does not build, ramdisk not booting

[GoogleCodeExporter]

What steps will reproduce the problem?
1. Make payload at Mac OS X 10.6.7
2. Boot fron custom recovery ramdisk

What is the expected output? What do you see instead?

Clean make & boot from crd

I am using custom recovery ramdisks for a while since iOS 2 with iRecovery. 
Right now I used a version based on msftguy's crd using:
./tetheredboot -i iBSS.n90ap.RELEASE.dfu
./itnl --kernelcache kernelcache.release.n90 --devicetree DeviceTree.n90ap.img3 
--ramdisk 038-1449-003.dmg.ssh
to boot from crd at iOS 4.3.3 iPhone 4. This one is working. 

Tried to use your crd. I am on a Mac only enviroment. The binary tetheredboot 
does compile fine on my Mac. 
Running make on cyanide payload did not run before you updated and does not 
right now. I got stuck with:
iMacQuad:cyanide_bootramdisk volksquad$ make
arm-elf-gcc -c entry.S -o entry.o  -I././include -nostdlib -mlittle-endian 
entry.S: Assembler messages:
entry.S:55: Error: bad instruction `push {r0-r12,lr}'
entry.S:57: Error: bad instruction `lsr r5,#24'
entry.S:107: Error: bad instruction `pop {r0-r12,pc}'
make: *** [entry.o] Error 1

Using the "old" payload binary you provide when going for

./tetherboot -p payload -r myramdisk.dmg
I do end up

...
Checking if kernelcache already exists
Fetching kernelcache.release.n90...
[==================================================] 100.0%
Preparing to upload iBSS
Checking if iBSS.n90ap already exists
Preparing to fetch DFU image from Apple's servers
Fetching Firmware/dfu/iBSS.n90ap.RELEASE.dfu...
[==================================================] 100.0%
Uploading iBSS.n90ap to device
[==================================================] 100.0%
Reconnecting to device
Waiting 10 seconds for the device to pop up...
Connection failed. Waiting 1 sec before retry.
...
Unable to reconnect
Exiting libpois0n

What version of the product are you using? On what operating system?
Mac OS X 10.6.7, SDK 4.3

Please provide any additional information below.

Took me a while to get all Python modules in place to run your scripts, Mac 
only, but this is working right now. I used to get the ramdisk tools compile 
kind of ok before the last update. ./bruteforce did work at least running 
manually from Terminal. Don't do now but this is a different story.

Original issue reported on code.google.com by volksp...@gmail.com on 23 Jun 2011 at 8:59

[GoogleCodeExporter]

I think I got passed the bad instruction errors by changing the default 
compiler in the Makefile: arm-elf-gcc (which was 4.1.0) to arm-elf-gcc-4.6.0.

Original comment by jsvankerkwijk@gmail.com on 24 Jun 2011 at 11:44

[GoogleCodeExporter]

perfect, thx a bunch!

Original comment by volksp...@gmail.com on 24 Jun 2011 at 1:50

[GoogleCodeExporter]

do you still have the issue with tetherboot ? does the device screen turns 
white ?
Also, can you post the errors for the ramdisk tools that do not compile ? thanks

Original comment by jean.sig...@gmail.com on 25 Jun 2011 at 9:53

• Changed state: Accepted

[GoogleCodeExporter]

>>do you still have the issue with tetherboot ? does the device screen turns 
white ?

When using the "old" payload binary you provided I don't get to the white 
screen, that's where it exits.

I have still been not able to build the new payload. In Makefile I have been 
editing
CC = $(CROSS)gcc
to
CC = $(CROSS)gcc-4.6.0

and got passed the bad instruction errors. But the final step failed with:

arm-elf-gcc-4.6.0 -c entry.S -o entry.o  -I././include -nostdlib 
-mlittle-endian 
arm-elf-gcc-4.6.0 -c main.c -o main.o  -I././include -nostdlib -mlittle-endian 
main.c: In function ‘find_string’:
main.c:34:12: warning: assignment makes integer from pointer without a cast 
[enabled by default]
main.c: In function ‘find_kernel_bootargs’:
main.c:42:2: warning: passing argument 1 of ‘find_string’ makes pointer 
from integer without a cast [enabled by default]
main.c:28:14: note: expected ‘unsigned char *’ but argument is of type 
‘unsigned int’
main.c:42:2: warning: return makes pointer from integer without a cast [enabled 
by default]
arm-elf-gcc-4.6.0 -c commands.c -o commands.o  -I././include -nostdlib 
-mlittle-endian 
commands.c: In function ‘find_jump_to’:
commands.c:36:3: warning: passing argument 1 of ‘patch_find’ makes pointer 
from integer without a cast [enabled by default]
././include/patch.h:24:16: note: expected ‘unsigned char *’ but argument is 
of type ‘unsigned int’
commands.c:39:3: warning: passing argument 1 of ‘patch_find’ makes pointer 
from integer without a cast [enabled by default]
././include/patch.h:24:16: note: expected ‘unsigned char *’ but argument is 
of type ‘unsigned int’
commands.c: In function ‘cmd_rdboot’:
commands.c:48:55: warning: initialization from incompatible pointer type 
[enabled by default]
commands.c:52:3: warning: passing argument 1 of ‘patch_find’ makes pointer 
from integer without a cast [enabled by default]
././include/patch.h:24:16: note: expected ‘unsigned char *’ but argument is 
of type ‘unsigned int’
commands.c:52:11: warning: assignment from incompatible pointer type [enabled 
by default]
commands.c:55:3: warning: passing argument 1 of ‘patch_find’ makes pointer 
from integer without a cast [enabled by default]
././include/patch.h:24:16: note: expected ‘unsigned char *’ but argument is 
of type ‘unsigned int’
commands.c:55:11: warning: assignment from incompatible pointer type [enabled 
by default]
arm-elf-gcc-4.6.0 -c patch.c -o patch.o  -I././include -nostdlib 
-mlittle-endian 
arm-elf-gcc-4.6.0 -o payload.elf entry.o main.o  commands.o patch.o  -Ttext 
0x42F00000 -nostdlib -lc -lm -lgcc
arm-elf-objcopy -O binary payload.elf payload
arm-elf-objcopy: payload.elf: File format not recognized
make: *** [payload.elf] Error 1

error on compiling ramdisk tools following

Original comment by volksp...@gmail.com on 25 Jun 2011 at 10:23

[GoogleCodeExporter]

>>> Also, can you post the errors for the ramdisk tools that do not compile

iPhoneOS4.3.sdk is set in Makefile

/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/arm-apple-darwin10-gcc-
4.0.1  -Wall -arch armv6 -isysroot 
/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.3.sdk/ 
-I/usr/local/include -framework IOKit -framework CoreFoundation -framework 
Security -O3 
-F/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.3.sdk/System/L
ibrary/PrivateFrameworks/ -framework IOMobileFramebuffer -framework 
CoreGraphics -framework CoreSurface -framework ImageIO -o data_partition 
data_partition.c device_info.c IOAESAccelerator.c AppleEffaceableStorage.c 
AppleKeyStore.c bsdcrypto/pbkdf2.c bsdcrypto/sha1.c bsdcrypto/key_wrap.c 
bsdcrypto/rijndael.c util.c IOKit.c registry.c
data_partition.c: In function ‘main’:
data_partition.c:9: warning: initialization discards qualifiers from pointer 
target type
AppleEffaceableStorage.c:50:25: warning: multi-character character constant
bsdcrypto/pbkdf2.c: In function ‘pkcs5_pbkdf2’:
bsdcrypto/pbkdf2.c:102: warning: pointer targets in passing argument 3 of 
‘hmac_sha1’ differ in signedness
bsdcrypto/pbkdf2.c:106: warning: pointer targets in passing argument 3 of 
‘hmac_sha1’ differ in signedness
bsdcrypto/key_wrap.c: In function ‘aes_key_wrap’:
bsdcrypto/key_wrap.c:71: warning: pointer targets in passing argument 2 of 
‘rijndael_encrypt’ differ in signedness
bsdcrypto/key_wrap.c:71: warning: pointer targets in passing argument 3 of 
‘rijndael_encrypt’ differ in signedness
bsdcrypto/key_wrap.c: In function ‘aes_key_unwrap’:
bsdcrypto/key_wrap.c:106: warning: pointer targets in passing argument 2 of 
‘rijndael_decrypt’ differ in signedness
bsdcrypto/key_wrap.c:106: warning: pointer targets in passing argument 3 of 
‘rijndael_decrypt’ differ in signedness
ld: warning: -force_cpusubtype_ALL will become unsupported for ARM architectures
ldid -S data_partition
/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/arm-apple-darwin10-gcc-
4.0.1  -Wall -arch armv6 -isysroot 
/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.3.sdk/ 
-I/usr/local/include -framework IOKit -framework CoreFoundation -framework 
Security -O3 
-F/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.3.sdk/System/L
ibrary/PrivateFrameworks/ -framework IOMobileFramebuffer -framework 
CoreGraphics -framework CoreSurface -framework ImageIO -o restored_external 
restored_external.c device_info.c remote_functions.c plist_server.c 
AppleKeyStore.c AppleEffaceableStorage.c IOKit.c IOAESAccelerator.c util.c 
registry.c AppleKeyStore_kdf.c bsdcrypto/pbkdf2.c bsdcrypto/sha1.c 
bsdcrypto/rijndael.c bsdcrypto/key_wrap.c
restored_external.c: In function ‘init_usb’:
restored_external.c:34: warning: implicit declaration of function 
‘IOUSBDeviceDescriptionCopyInterfaces’
restored_external.c:34: warning: initialization makes pointer from integer 
without a cast
remote_functions.c: In function ‘keybag_get_passcode_key’:
remote_functions.c:148: warning: pointer targets in passing argument 2 of 
‘AppleKeyStore_getPasscodeKey’ differ in signedness
AppleEffaceableStorage.c:50:25: warning: multi-character character constant
AppleKeyStore_kdf.c: In function ‘AppleKeyStore_getPasscodeKey’:
AppleKeyStore_kdf.c:31: warning: pointer targets in passing argument 3 of 
‘pkcs5_pbkdf2’ differ in signedness
bsdcrypto/pbkdf2.c: In function ‘pkcs5_pbkdf2’:
bsdcrypto/pbkdf2.c:102: warning: pointer targets in passing argument 3 of 
‘hmac_sha1’ differ in signedness
bsdcrypto/pbkdf2.c:106: warning: pointer targets in passing argument 3 of 
‘hmac_sha1’ differ in signedness
bsdcrypto/key_wrap.c: In function ‘aes_key_wrap’:
bsdcrypto/key_wrap.c:71: warning: pointer targets in passing argument 2 of 
‘rijndael_encrypt’ differ in signedness
bsdcrypto/key_wrap.c:71: warning: pointer targets in passing argument 3 of 
‘rijndael_encrypt’ differ in signedness
bsdcrypto/key_wrap.c: In function ‘aes_key_unwrap’:
bsdcrypto/key_wrap.c:106: warning: pointer targets in passing argument 2 of 
‘rijndael_decrypt’ differ in signedness
bsdcrypto/key_wrap.c:106: warning: pointer targets in passing argument 3 of 
‘rijndael_decrypt’ differ in signedness
ld: warning: -force_cpusubtype_ALL will become unsupported for ARM architectures
ldid -Skeystore_device.xml restored_external
/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/arm-apple-darwin10-gcc-
4.0.1  -Wall -arch armv6 -isysroot 
/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.3.sdk/ 
-I/usr/local/include -framework IOKit -framework CoreFoundation -framework 
Security -O3 
-F/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.3.sdk/System/L
ibrary/PrivateFrameworks/ -framework IOMobileFramebuffer -framework 
CoreGraphics -framework CoreSurface -framework ImageIO -o bruteforce 
systemkb_bruteforce.c AppleKeyStore.c AppleEffaceableStorage.c IOKit.c 
IOAESAccelerator.c util.c registry.c AppleKeyStore_kdf.c bsdcrypto/pbkdf2.c 
bsdcrypto/sha1.c bsdcrypto/rijndael.c bsdcrypto/key_wrap.c image.c device_info.c
systemkb_bruteforce.c: In function ‘saveKeybagInfos’:
systemkb_bruteforce.c:28: warning: implicit declaration of function 
‘device_info’
systemkb_bruteforce.c:28: warning: initialization makes pointer from integer 
without a cast
systemkb_bruteforce.c: In function ‘main’:
systemkb_bruteforce.c:209: warning: implicit declaration of function 
‘AppleKeyStore_getClassKeys’
systemkb_bruteforce.c:209: warning: initialization makes pointer from integer 
without a cast
AppleEffaceableStorage.c:50:25: warning: multi-character character constant
AppleKeyStore_kdf.c: In function ‘AppleKeyStore_getPasscodeKey’:
AppleKeyStore_kdf.c:31: warning: pointer targets in passing argument 3 of 
‘pkcs5_pbkdf2’ differ in signedness
bsdcrypto/pbkdf2.c: In function ‘pkcs5_pbkdf2’:
bsdcrypto/pbkdf2.c:102: warning: pointer targets in passing argument 3 of 
‘hmac_sha1’ differ in signedness
bsdcrypto/pbkdf2.c:106: warning: pointer targets in passing argument 3 of 
‘hmac_sha1’ differ in signedness
bsdcrypto/key_wrap.c: In function ‘aes_key_wrap’:
bsdcrypto/key_wrap.c:71: warning: pointer targets in passing argument 2 of 
‘rijndael_encrypt’ differ in signedness
bsdcrypto/key_wrap.c:71: warning: pointer targets in passing argument 3 of 
‘rijndael_encrypt’ differ in signedness
bsdcrypto/key_wrap.c: In function ‘aes_key_unwrap’:
bsdcrypto/key_wrap.c:106: warning: pointer targets in passing argument 2 of 
‘rijndael_decrypt’ differ in signedness
bsdcrypto/key_wrap.c:106: warning: pointer targets in passing argument 3 of 
‘rijndael_decrypt’ differ in signedness
image.c: In function ‘fb_open’:
image.c:10: warning: initialization makes integer from pointer without a cast
image.c:28: warning: implicit declaration of function 
‘IOMobileFramebufferOpen’
image.c:29: warning: implicit declaration of function 
‘IOMobileFramebufferGetLayerDefaultSurface’
image.c:31: warning: implicit declaration of function 
‘CoreSurfaceBufferGetHeight’
image.c:32: warning: implicit declaration of function 
‘CoreSurfaceBufferGetWidth’
image.c:33: warning: implicit declaration of function 
‘CoreSurfaceBufferGetBytesPerRow’
image.c:35: warning: implicit declaration of function 
‘CoreSurfaceBufferLock’
image.c:36: warning: implicit declaration of function 
‘CoreSurfaceBufferGetBaseAddress’
image.c:36: warning: assignment makes pointer from integer without a cast
image.c:37: warning: implicit declaration of function 
‘CoreSurfaceBufferUnlock’
image.c: In function ‘drawImage’:
image.c:58: warning: pointer targets in passing argument 2 of 
‘CFURLCreateFromFileSystemRepresentation’ differ in signedness
image.c:59: warning: implicit declaration of function 
‘CGImageSourceCreateWithURL’
image.c:59: warning: initialization makes pointer from integer without a cast
image.c:64: warning: implicit declaration of function 
‘CGImageSourceCreateImageAtIndex’
image.c:64: warning: initialization makes pointer from integer without a cast
ld: warning: -force_cpusubtype_ALL will become unsupported for ARM architectures
ldid -S bruteforce
ldid -Skeystore_device.xml bruteforce

Hope this helps, thanks

Original comment by volksp...@gmail.com on 25 Jun 2011 at 10:27

[GoogleCodeExporter]

i can't reproduce the error with arm-elf-objcopy, can you post the output of 
the following commands :
file payload.elf
arm-elf-objcopy --version (mine is 2.21.51.0.9.20110507)

For the ramdisk tools, the warnings are not errors, from what you pasted the 
compilation is ok, you should see the restored_external, bruteforce and 
data_partition binaries in the source folder.

Also, the cyanide payload is not the cause for the tetherboot error since its 
executed after iBSS is initialized (white screen). Can you try pressing the 
power button once when you're at the "Waiting 10 seconds for the device to pop 
up..." stage after ibss has been uploaded ? thanks

Original comment by jean.sig...@gmail.com on 25 Jun 2011 at 1:30

[GoogleCodeExporter]

>>i can't reproduce the error with arm-elf-objcopy, can you post the output of 
the following commands :
file payload.elf
arm-elf-objcopy --version (mine is 2.21.51.0.9.20110507)

My fault, had an outdated arm-elf-objcopy, it's now at 2.21.52.0.2.20110610 
payload is compiling - sorry for that.

For the ramdisk tools, the warnings are not errors, from what you pasted the 
compilation is ok, you should see the restored_external, bruteforce and 
data_partition binaries in the source folder.

They do compile and seem to work. I have been able to create a custom recovery 
ramdisk and boot from it with my old crd tools, till I don't get your 
tetheredboot/payload working. Ran the python scripts and got some keys/data 
including the code lock.

Also, the cyanide payload is not the cause for the tetherboot error since its 
executed after iBSS is initialized (white screen). Can you try pressing the 
power button once when you're at the "Waiting 10 seconds for the device to pop 
up..." stage after ibss has been uploaded ? thanks

Tried that one with the old payload and the new one I just compiled - no go. 
Screen stays black, no way getting the white screen. Cause it is doing pretty 
much the same my old crd does when booting from the ramdisk, I don't know why. 
Anyway, I will play around a bit.

Thanks for your great work, I appreciate it very much.

Original comment by volksp...@gmail.com on 26 Jun 2011 at 4:06

[GoogleCodeExporter]

Original comment by jean.sig...@gmail.com on 6 Oct 2011 at 6:54

• Changed state: Done