Closed GoogleCodeExporter closed 9 years ago
In order to connect to the ramdisk, you need to forward local port 1999 to port
1999 on the device. You can do this using the following command :
cd usbmuxd-python-client && python tcprelay.py -t 22:2222 1999:1999
This also allows you to ssh into the device by connecting to localhost:2222
(documentation will be updated soon :)
Original comment by jean.sig...@gmail.com
on 9 Oct 2011 at 7:47
Hello Jean.
Tank you again for the propt response.
i will follow your advice certain that it will work.
As far as documentation goes, i think it would cut your workload in half as far
as handling these issues goes if at least some generic documentations existed
in the workflow. I think this is a fantastic set of tools and at least the
purpose of them could be mentioned in such workflow.
then of course compiling errors etc can always be discussed.
To just explain what this mentions to my case.
i have already done dd backup of my 30GB iphone 4 partition. i can already
browse it with hfs explorer (though every photo i export is unleggible, but
that is for another time.). so my need is to decrypt this thing and i'm led to
believe i can do that with emf_decrypter. this last one i have correctly built
on mac with all the right dependencies and the binary runs fine. so i turns out
i need the plist file.
i have access to all levels of my device (infact i need to decrypt the backup
so i can then photorec on it).
the device is jailbroken, and i have ssh access. is there anyway for me to
retrieve such plist file without the rest of the process.
and if not, so i so at least i move into the productive direction,
what are the simplest pointers you could hand me?
again, thank you in advance and best regards
Original comment by forge...@gmail.com
on 10 Oct 2011 at 9:17
tcprelay works like a charm now. like i mentioned b4 my device is already jb-ed
so i'm hoping that means i won't have to start injecting. at this point i'm
thinking all i need is that plist file.
if it's not too much hassle how do i go abt that?
i have been reading through all of the readme files and all the issues trying
to get pointers, and i could be wrong but all i read is abt injecting to jb.
which is done.
again, thank you in advance and best regards
Original comment by forge...@gmail.com
on 10 Oct 2011 at 7:59
Hi,
you have to build the ramdisk using the build_ramdisk.sh script (assuming the
ramdisk tools are compiled ok)
Then, compile cyanide_bootramdisk and syringe, and boot the ramdisk using the
following command :
./syringe/utilities/tetherboot -p cyanide_bootramdisk/payload -r myramdisk.dmg
Original comment by jean.sig...@gmail.com
on 10 Oct 2011 at 8:14
Fantastic. Now i feel i'm moving in a good direction.
Seems like device needs to be in DFU mode for this right.
The ramdisk i created is the default one done by the bash script, and it's 4.1-
Meanwhile on my phone is on 4.3.3.
Is that going to be a problem? i can still kick my phone off dfu afterwards
right? the usual reboot way?
Original comment by forge...@gmail.com
on 10 Oct 2011 at 8:40
Yes, you need to be in dfu mode
the version of the ramdisk does not have to match the installed version.
once you are done with the ramdisk you can reboot using the "reboot" command
through ssh, or just rebooting the device with the buttons
Original comment by jean.sig...@gmail.com
on 10 Oct 2011 at 9:15
Went into DFU and proceeded as instructed.
At this point i am at the issue reported here
http://code.google.com/p/iphone-dataprotection/issues/detail?id=20
i'm in a going to try again. as the binary exited just as reported above.
once again i'd like to thank you for your great help and contribution.
meanwhile i see present on my mac : kernelcache.release.n90, iBSS.n90ap,
DeviceTree.n90ap.
so i hopefully don't have to bother you anymore, seeing i will work on this for
ages tonight, what is my following step once i make this go the right way?
given the above ste
Original comment by forge...@gmail.com
on 10 Oct 2011 at 9:23
repeating. tried it with firmware 4.3.3. though as you said it would not matter.
after resetting device counters i get this.
libusb:error [darwin_transfer_status] transfer error: timed out
Exiting libpois0n
on the iphone screen, after a long process:
Listening on port 1999
AppleBCMWLAN::handleIOKitBusyWatchdogTimeout(): Error, no successful firmware
download after 60000 ms!! Giving up...
I'm gonna try again. though i was sure i cleared the devicetree...
Original comment by forge...@gmail.com
on 10 Oct 2011 at 10:53
Hello,
if you have the "Listening on port 1999" message on the device it means it
worked, you can now run the demo_bruteforce.py script and it will created the
plist file required for emf_decrypter. You can also ssh into the device at that
point.
Original comment by jean.sig...@gmail.com
on 11 Oct 2011 at 6:11
[deleted comment]
Perfect.
I was just being thick. Long day. hehe
so i went agead and repeated the process (for some reason repeating it with a
4.1 ipsw left me hanging on white screen on the device. 4.3.3 worked just
fine), tcprelay-ed into the device and ran the python bruteforce script.
The output i believe is certainly positive as it had all of my account pwds
showing in cleartext.
Then i found my keychain and the plist file.
Now onto emf_decrypter (which i have previously compiled, so no hassle there).
This is going to take a bit as i have to decrypt a 30G image.
Original comment by forge...@gmail.com
on 11 Oct 2011 at 8:05
Ok,
do not forget to make a backup of the disk image before in case something goes
wrong.
Also, you should use the python version of emf_decrypter, the C version has
known bugs. For the python version you need pycrypto and construct.
Original comment by jean.sig...@gmail.com
on 11 Oct 2011 at 8:07
In fact something went wrong with the c version :)
I just opened an issue about it.
I had made a backup and now i'm making a second copy yo try again :)
will the python version need the plist too in the same path?
Original comment by forge...@gmail.com
on 11 Oct 2011 at 8:11
Original comment by jean.sig...@gmail.com
on 14 Oct 2011 at 12:49
Original issue reported on code.google.com by
forge...@gmail.com
on 9 Oct 2011 at 6:20