kamburov / iphone-dataprotection

Automatically exported from code.google.com/p/iphone-dataprotection

ios_examiner undelete takes days to run in iPhone 3GS #108

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. iPhone 3GS, 32 GB (model MC159Y/A), running iOS 6.1 (10B141), jailbroken 
using evasi0n. Note that, even when the iPhone is a 32 GB model, there are only 
3.8 GB of free space in the data partition.
2. Boot ramdisk: redsn0w_mac_0.9.14b2/redsn0w.app/Contents/MacOS/redsn0w -i 
iPhone2\,1_5.1.1_9B206_Restore.ipsw -r myramdisk_n88ap.dmg -k 
kernelcache.release.n88.patched
3. Run ios_examiner.py, wait until it connects to the device, and launch the 
"undelete" command.

What is the expected output? What do you see instead?
The behaviour is as expected, files are correctly being recovered, but after 
72 hours it has not finished yet. Below you will find part of the output (I 
finally interrupted manually with Ctrl+C).

What version of the product are you using? On what operating system?
OS X version : 10.8.3
XCode version : 4.6.2 (4H1003)
Tools revision : d67884c68fec tip

Please provide any additional information below.

I'm running the "undelete" command of ios_examiner on an iPhone 3GS (running 
directly, without a previous NAND dump); it's been running for 72 hours until I 
interrupted it manually.

I confirm that valid files were still being recovered, so it's not that it got 
stuck. The screen was also refreshed accordingly and indicated correctly the 
files recovered.

* I acknowledge that, as suggested in 
https://code.google.com/p/iphone-dataprotection/issues/detail?id=49#c79, 
getting an image and re-running ios_examiner.py over the image (and with the 
.plist file) will probably work much better; I'm already trying that. However 
I've created this issue as requested to add this information.

In addition, reviewing the logs attached below, I realize that there are about 
13K lines of the type "Found deleted file record...", and 12K lines of the type 
"X versions for first LBA". Does this suggest that the process was close to end 
when I interrupted it?

==========

Output (obviously truncated; if you want the full log I can send it, it's 50K 
lines long):
*** PLEASE NOTE that I interrupted the process manually after 72 hours with 
Ctrl+C (as seen below).

roxanne:iphone-dataprotection pope$ python python_scripts/ios_examiner.py 
Connecting to device : b66d-XXXXXX-REDACTED-XXXXXX-5dc6
Device model: iPhone 3GS
UDID: b66d-XXXXXX-REDACTED-XXXXXX-5dc6
ECID: 15-XXXXXX-REDACTED-XXXXXX-59
Serial number: 88-XXXXXX-REDACTED-XXXXXX-NR
key835: 0a05-XXXXXX-REDACTED-XXXXXX-fccb
key89B: 6749-XXXXXX-REDACTED-XXXXXX-d1bf
Chip id 0x3295de98 banks per CE physical 2
NAND geometry : 32GB (4 CEs (2 physical banks/CE) of 8296 blocks of 128 pages 
of 8192 bytes data, 12 bytes metdata)
Searching for special pages...
Found NANDDRIVERSIGN, DEVICEINFOBBT special pages in CE 0
Device does not boot from NAND (=> has a NOR)
NAND signature 0x43313133 flags 0x4 withening=0, epoch=3
Using VSVFL
VSVFL context open OK
YaFTL context OK, version=CX01 maxIndexUsn=869008 context usn=869008
LwVM header CRC OK
cprotect version : 4 (iOS 5)
iOS version:  6.1
Keybag state: locked
(iPhone3GS-data) / bruteforce
Enter passcode or leave blank for bruteforce:

Passcode "" OK
Keybag state: unlocked
Save device information plist to [b66d-XXXXXX-REDACTED-XXXXXX-.plist]: 
File already exists, overwrite ? [y/n]: y
(iPhone3GS-data) / undelete
Carver output ./undelete
Building FTL lookup table v1
100% 
|###############################################################################
##|
Collecting existing file ids
22492 file IDs
Carving catalog file
Found deleted file record 55 .GlobalPreferences.plist created 2012-12-22 
04:28:06
Found deleted file record 57 
com_apple_MobileAsset_DictionaryServices_dictionary.cpio created 2012-12-17 
03:51:55
Found deleted file record 58 com_apple_MobileAsset_Font.cpio created 2012-12-17 
03:52:34
Found deleted file record 294 
breadcrumb.A508F4CA-D8FC-432B-94ED-F3ACA78E998D.plist created 2013-02-09 
13:53:47
Found deleted file record 279 
breadcrumb.84B97599-CE15-4E05-8373-C33396AAE23D.plist.incomplete created 
2013-02-09 13:53:46
Found deleted file record 178 NetworkInterfaces.plist created 2013-02-09 
13:53:38

(... this goes on for more than 13K lines ...)

Found deleted file record 107714 -4556602784609496095 created 2013-05-23 
20:31:34
Found deleted file record 107717 -4556602784609496093 created 2013-05-23 
20:31:35
Found deleted file record 107720 -4556602784609496087 created 2013-05-23 
20:31:36
Found deleted file record 107723 -4556602784609496088 created 2013-05-23 
20:31:37
Found deleted file record 107726 -4556602784609496091 created 2013-05-23 
20:31:38
Carving attribute file for file keys
13286 files, 20851 keys
468517F3-C698-4783-89F2-1B9894952157
1 versions for first lba
[818366, 818387, 818400, 818429, 818460]
Recovered 23910:468517F3-C698-4783-89F2-1B9894952157 0 missing pages, size 
308bytes, created 2013-04-14 16:56:10, contentModDate 2013-04-14 16:56:10
6525416176658451754
1 versions for first lba
[851065, 851066, 851067, 851074, 851075]
Recovered 90521:6525416176658451754 0 missing pages, size 10KB, created 
2013-05-23 19:12:51, contentModDate 2013-05-23 19:12:51
temp62822
5 versions for first lba
[837914, 837923, 837967, 837989, 837998]
Recovered 62822:temp62822 0 missing pages, size 612KB, created 2013-05-15 
14:00:25, contentModDate 2013-05-15 14:00:27
temp61496
2 versions for first lba
6C1A890E-FEDE-44BA-8AB4-8FF3C61169ED
3 versions for first lba
[834692, 834721, 834788, 834867, 834886]
Recovered 53441:6C1A890E-FEDE-44BA-8AB4-8FF3C61169ED 0 missing pages, size 
308bytes, created 2013-05-09 16:17:12, contentModDate 2013-05-09 16:17:12

(... skipping about 12K messages about "X versions of first lba" ...)

iNode9914
3 versions for first lba
-1279379104655322079
1 versions for first lba
[854794, 854803, 854804, 854813, 854824]
Recovered 96096:-1279379104655322079 0 missing pages, size 119KB, created 
2013-05-23 19:29:25, contentModDate 2013-05-23 19:29:25
chunk_0001.plist
20 versions for first lba
[837609, 837685, 837702, 837736, 837800]
Recovered 61671:chunk_0001.plist 0 missing pages, size 366bytes, created 
2013-05-14 22:50:43, contentModDate 2013-05-14 22:50:43
.dat0da6.000
12510 versions for first lba
tmpm-0x49d6da56da3d3d05
12510 versions for first lba
temp97383
12510 versions for first lba
temp105611
12510 versions for first lba
temp95260
12510 versions for first lba
HTMLbtnFVSettings.png
1 versions for first lba
temp93611
12510 versions for first lba
^CTraceback (most recent call last):
  File "python_scripts/ios_examiner.py", line 366, in <module>
    main()
  File "python_scripts/ios_examiner.py", line 363, in main
    ExaminerShell(image).cmdloop("")
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/cmd.py", line 142, in cmdloop
    stop = self.onecmd(line)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/cmd.py", line 219, in onecmd
    return func(arg)
  File "python_scripts/ios_examiner.py", line 229, in do_undelete
    self.carver.carveDeletedFiles_fast(z, f)
  File "/usr/local/bin/iphone-dataprotection/python_scripts/nand/carver.py", line 224, in carveDeletedFiles_fast
    if self.readFileHax(name, vv.data, keys):
  File "/usr/local/bin/iphone-dataprotection/python_scripts/nand/carver.py", line 282, in readFileHax
    s, ciphertext = self.nand.ftl.YAFTL_readPage(vpn, key=None, lpn=None)
  File "/usr/local/bin/iphone-dataprotection/python_scripts/nand/yaftl.py", line 222, in YAFTL_readPage
    return self.vfl.read_single_page(page, key, lpn)
  File "/usr/local/bin/iphone-dataprotection/python_scripts/nand/vsvfl.py", line 193, in read_single_page
    return self.nand.readPage(ce, pPage, key, lpn)
  File "/usr/local/bin/iphone-dataprotection/python_scripts/nand/nand.py", line 211, in readPage
    spare, data = self.image.readPage(ce, page)
  File "/usr/local/bin/iphone-dataprotection/python_scripts/nand/remote.py", line 86, in readPage
    zz = self.client.s.recv(torecv)
KeyboardInterrupt

Original issue reported on code.google.com by p...@lgomez.es on 27 May 2013 at 6:59
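
An added example, not part of the original report or the project's code: a tally of an ios_examiner "undelete" log that puts numbers on the progress question raised in the report above. It assumes one "N versions for first lba" line is printed per candidate file and compares that count with the "files" total; the function and field names are hypothetical and the sample log is constructed.

```python
import re

# Constructed sample shaped like the output quoted above (wrapped lines
# included); these are not the reporter's real values.
SAMPLE_LOG = """\
Carving catalog file
Found deleted file record 55 .GlobalPreferences.plist created 2012-12-22 
04:28:06
Found deleted file record 57 a.cpio created 2012-12-17 
03:51:55
Found deleted file record 58 b.cpio created 2012-12-17 03:52:34
Found deleted file record 60 temp61496 created 2013-05-15 14:00:25
Carving attribute file for file keys
4 files, 7 keys
.GlobalPreferences.plist
1 versions for first lba
[818366, 818387]
Recovered 55:.GlobalPreferences.plist 0 missing pages, size 
308bytes, created 2012-12-22 04:28:06, contentModDate 2012-12-22 04:28:06
temp61496
2 versions for first lba
a.cpio
12510 versions for first lba
"""

# Line shapes taken from the output quoted in the report.
RECORD = re.compile(r"^Found deleted file record (\d+) ")
TOTALS = re.compile(r"^(\d+) files, (\d+) keys$")
VERSIONS = re.compile(r"^(\d+) versions for first lba$")
RECOVERED = re.compile(r"^Recovered (\d+):")

def summarize(log_text):
    """Count carved records, attempted files and recovered files in a log."""
    stats = {"records": 0, "total_files": None, "attempted": 0,
             "recovered": 0, "max_versions": 0, "progress": None}
    for raw in log_text.splitlines():
        line = raw.strip()  # wrapped continuation lines match no pattern
        if RECORD.match(line):
            stats["records"] += 1
        elif (m := TOTALS.match(line)):
            stats["total_files"] = int(m.group(1))
        elif (m := VERSIONS.match(line)):
            stats["attempted"] += 1
            stats["max_versions"] = max(stats["max_versions"], int(m.group(1)))
        elif RECOVERED.match(line):
            stats["recovered"] += 1
    # Assumption: one "versions" line per candidate file, so the ratio of
    # attempted files to the "files" total approximates progress.
    if stats["total_files"]:
        stats["progress"] = stats["attempted"] / stats["total_files"]
    return stats
```
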

GoogleCodeExporter commented 9 years ago
If the script was still working I suppose it would end at some point (or crash 
the Python interpreter with out of memory or something). The undelete code is 
not optimized at all; with a NAND image it should be quicker but might still 
take a few hours.

Original comment by jean.sig...@gmail.com on 28 May 2013 at 5:18

GoogleCodeExporter commented 9 years ago
Yep, the NAND image did it in 2-3 hours :)
Thx! :**

Original comment by p...@lgomez.es on 28 May 2013 at 5:21