Open GoogleCodeExporter opened 8 years ago
Anybody get ios_examiner to work on one of these iPhone 4's (8GB version, i.e.
"iPhone3,2")?
Firmware version 5.1.1 seems to boot just fine, maybe since it has the same A4 chip
that's in the standard iPhone 4. However, ios_examiner fails miserably on startup:
{{{
bash$ python python_scripts/ios_examiner.py
Connecting to device : <snip>
Device model: iPhone 4 GSM
UDID: <snip>
ECID: <snip>
Serial number: <snip>
key835: edf... <snip>
key89B: d48... <snip>
!!! Unknown deviceReadId 32942945, assuming 1 physical bank /CE, will probably
fail
Chip id 0x32942945 banks per CE physical 1
NAND geometry : 8GB (2 CEs (1 physical banks/CE) of 4096 blocks of 128 pages of
8192 bytes data, 12 bytes metdata)
Searching for special pages...
Found DEVICEUNIQUEINFO, NANDDRIVERSIGN, DEVICEINFOBBT special pages in CE 0
NAND signature 0x43313100 flags 0x10006 withening=1, epoch=
Effaceable generation 68
Effaceable CRC OK
Found effaceable lockers in ce 1 block 1 page 96
Lockers : BAG1, DONE, Dkey, LwVM
Found DEVICEUNIQUEINFO, serial number=<snip>
Using VSVFL
VSVFL context open OK
YaFTL_readCxtInfo FAIL, restore needed maxUsn=5139620
FTL restore in progress
100% |######... <snip> ...###########################################|
BTOC not found for block 288 (usn 5139708), scanning all pages
314 used pages in block
LwVM header CRC OK
cprotect version : 4 (iOS 5)
Traceback (most recent call last):
File "python_scripts/ios_examiner.py", line 370, in <module>
main()
File "python_scripts/ios_examiner.py", line 367, in main
ExaminerShell(image).cmdloop("")
File "python_scripts/ios_examiner.py", line 94, in __init__
grab_system_version(self.system, self.device_infos)
File "python_scripts/ios_examiner.py", line 42, in grab_system_version
SystemVersion = system.readFile("/System/Library/CoreServices/SystemVersion.plist", returnString=True)
File "/home/ios/iphone-dataprotection/python_scripts/hfs/hfs.py", line 223, in readFile
xattr = self.getXattr(v.data.fileID, "com.apple.decmpfs")
File "/home/ios/iphone-dataprotection/python_scripts/hfs/hfs.py", line 147, in getXattr
return self.xattrTree.searchXattr(fileID, name)
File "/home/ios/iphone-dataprotection/python_scripts/hfs/btree.py", line 270, in searchXattr
k,v = self.search((fileID, name))
File "/home/ios/iphone-dataprotection/python_scripts/hfs/btree.py", line 121, in search
return self.search(searchKey, stuff[len(stuff)-1].childNode)
File "/home/ios/iphone-dataprotection/python_scripts/hfs/btree.py", line 120, in search
return self.search(searchKey, stuff[i].childNode)
File "/home/ios/iphone-dataprotection/python_scripts/hfs/btree.py", line 109, in search
type, stuff = self.readBtreeNode(node)
File "/home/ios/iphone-dataprotection/python_scripts/hfs/btree.py", line 101, in readBtreeNode
raise Exception("Invalid node type " + str(btnode))
Exception: Invalid node type Container({'bLink': 3176837449,
'fLink': 3983040742,
'height': 115,
'kind': 8,
'numRecords': 23349,
'reserved': 26377})
bash$
}}}
Anyone have any tips to help me out?
Original comment by rev.die...@gmail.com
on 16 May 2013 at 6:49
@rev.diesel This looks like a bug in the HFS code, which is not good enough to
handle partitions that would need a fsck. Did you try rebooting the device into
iOS (so that it can run fsck on the data partition) and then trying again?
As a workaround, you can boot the device without the nand-disable flag and use
the shell scripts on the ramdisk to mount or dump the data partition (unless
you want to use the features that are specific to ios_examiner).
The good news is that the older IPSW works on those new devices ;)
Original comment by jean.sig...@gmail.com
on 16 May 2013 at 8:22
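The traceback above dies in `readBtreeNode` because the attributes B-tree node it lands on carries a descriptor that no HFS+ node can legitimately have (kind 8, height 115, sibling links in the billions). The following added example, which is not code from the iphone-dataprotection project, shows the sanity checks a forensic parser can run on a 14-byte B-tree node descriptor before trusting it, so a volume that would need fsck is reported as corrupt instead of crashing the tool. It assumes the 8192-byte node size from the NAND geometry line, and the total node count and tree depth are constructed values for illustration.

```python
import struct

# BTNodeDescriptor from Apple TN1150 (HFS Plus Volume Format), big-endian:
# fLink u32, bLink u32, kind s8, height u8, numRecords u16, reserved u16.
NODE_DESC = struct.Struct(">IIbBHH")
NODE_KINDS = {-1: "leaf", 0: "index", 1: "header", 2: "map"}
NODE_SIZE = 8192  # assumed node size, matching the 8192-byte pages in the geometry output

def parse_node_descriptor(node):
    """Parse the 14-byte descriptor at the start of a B-tree node."""
    f, b, kind, height, nrec, reserved = NODE_DESC.unpack_from(node, 0)
    return {"fLink": f, "bLink": b, "kind": kind, "height": height,
            "numRecords": nrec, "reserved": reserved}

def check_node_descriptor(desc, node_size, total_nodes, tree_depth):
    """Return a list of consistency problems; an empty list means the node looks sane."""
    problems = []
    if desc["kind"] not in NODE_KINDS:
        problems.append("unknown node kind %d" % desc["kind"])
    # Leaf nodes have height 1 and index nodes sit one above their children,
    # so no node can be above the tree depth recorded in the header node.
    if desc["height"] > tree_depth:
        problems.append("height %d exceeds tree depth %d" % (desc["height"], tree_depth))
    elif desc["kind"] == -1 and desc["height"] != 1:
        problems.append("leaf node with height %d" % desc["height"])
    elif desc["kind"] == 0 and desc["height"] < 2:
        problems.append("index node with height %d" % desc["height"])
    # Sibling links are node numbers (0 means none); they must lie inside the tree file.
    for name in ("fLink", "bLink"):
        if desc[name] >= total_nodes:
            problems.append("%s %d points past last node %d" % (name, desc[name], total_nodes - 1))
    # Each record needs a 2-byte key length plus a 2-byte offset in the node trailer,
    # after the descriptor and the free-space offset, so the record count is bounded.
    max_records = (node_size - NODE_DESC.size - 2) // 4
    if desc["numRecords"] > max_records:
        problems.append("numRecords %d exceeds the %d that fit in a %d-byte node"
                        % (desc["numRecords"], max_records, node_size))
    return problems

# Constructed sample nodes (zero-padded to NODE_SIZE): a plausible index node, and a
# node carrying exactly the descriptor values printed in the traceback above.
VALID_INDEX_NODE = NODE_DESC.pack(0, 0, 0, 2, 10, 0) + b"\0" * (NODE_SIZE - NODE_DESC.size)
CORRUPT_NODE = (NODE_DESC.pack(3983040742, 3176837449, 8, 115, 23349, 26377)
                + b"\0" * (NODE_SIZE - NODE_DESC.size))

if __name__ == "__main__":
    for label, node in (("valid", VALID_INDEX_NODE), ("corrupt", CORRUPT_NODE)):
        print(label, check_node_descriptor(parse_node_descriptor(node), NODE_SIZE, 4096, 3))
```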
I have been testing "iPhone3,1_5.1.1_9B206_Restore.ipsw" and
"iPhone3,1_5.1.1_9B208_Restore.ipsw" on this device (iPhone 4 Rev. A) and it
doesn't work for me.
Could you tell us what IPSW worked for you?
Original comment by jse...@gmail.com
on 8 Jun 2013 at 12:39
Rebooted device into ios and tried again - no dice. Same error in the HFS code.
I have, however, been successful in booting without the nand-disable flag and
using scripts to read partitions. So a bit further so far. Haven't analyzed the
dumped data, so no telling yet how well this works.
I used redsn0w_mac_0.9.15b3 and iPhone3,1_5.1.1_9B206_Restore.ipsw on the
iPhone 4 Rev. A.
Original comment by rev.die...@gmail.com
on 7 Aug 2013 at 8:51
If this iPhone 4 is in fact an iPhone3,2, the iPhone3,1 kernel and ramdisk are
similar enough to that of the 3,2 to boot it, but there will be many subtle
problems. The solution in this case is to use an iOS 6 IPSW (which is not
currently supported with this tool).
Original comment by 0x56.0x6...@gmail.com
on 9 Oct 2013 at 9:20
Also tested it and it had not worked with the 5.1.1, but I noticed when using
bootflags that redsn0w is crashing sometimes when uploading something to the phone.
Normal?
Original comment by s.ali...@gmail.com
on 19 Oct 2013 at 6:53
I tried with both 9B208 and 9B206, but redsn0w is failing on the reboot after
"second stage". The device is 6.1.3. I disabled flags.
I can boot in pwned DFU, but I can't fetch the SHSH blob.
Is there a way to dump the NAND without destroying data?
Otherwise it works well on iPhone 4 (rev 1)!!
Thanks for the work!!
Original comment by matthieu...@gmail.com
on 13 Dec 2013 at 10:08
Just pushed a fix to create kernel/ramdisk from the iOS 6 IPSW (thanks to 0x56 for
the tips). Just run kernel_patcher.py on the IPSW, then build_ramdisk_ios6.sh.
@matthieu.regnery
The NAND dumping tool won't work when booting with the iOS 6 kernel, as the
kernel patching required to dump the NAND is complicated to port to iOS 6.
However, if the fix I pushed works for you, you should at least be able to dump
the HFS partitions.
Original comment by jean.sig...@gmail.com
on 14 Dec 2013 at 2:15
I'll test that on Monday. I'm interested in running the undelete script. It
should be possible with the dump of the HFS partition, right? If not, would it
be possible to implement it? And how can I help you with it?
Thanks.
Original comment by matthieu...@gmail.com
on 14 Dec 2013 at 7:00
I tried the new version you pushed.
On the 3,1_6.0_10A403 firmware the kernel_patcher script gives the following
output:
{{{
Decrypting kernelcache.release.n90
Unpacking ...
Doing CSED patch
=> FAIL, count=0, do not boot that kernel it wont work
Doing getxattr system patch
Doing nand-disable-driver patch
Doing task_for_pid_0 patch
Doing IOAES gid patch
=> FAIL, count=0, do not boot that kernel it wont work
Doing AMFI patch
=> FAIL, count=0, do not boot that kernel it wont work
Doing _PE_i_can_has_debugger patch
=> FAIL, count=0, do not boot that kernel it wont work
Doing IOAESAccelerator enable UID patch
=> FAIL, count=0, do not boot that kernel it wont work
Patched kernel written to kernelcache.release.n90.patched
Created script make_ramdisk_n90ap.sh, you can use it to (re)build the ramdisk
}}}
I also tried on the 3,2_6.0_10A403 firmware and I have the "No keys found for
kernel".
Which IPSW did you use?
Original comment by matthieu...@gmail.com
on 16 Dec 2013 at 8:31
Are you sure you updated to the latest version (hg pull -u)?
It should work on iPhone3,1_6.0_10A403_Restore.ipsw and output "using ios6
kernel patches".
For the undelete script, it is very limited on the HFS partition
(emf_undelete.py); for good results you need a raw NAND image and the undelete
command in ios_examiner.py. To acquire a NAND image we currently need to patch
the kernel (see ramdisk_tools/ioflash/ioflash_kernel.c), but the kernel
patching is more tricky on iOS 6.
Original comment by jean.sig...@gmail.com
on 16 Dec 2013 at 9:57
Sorry, I needed to run hg update. hg pull -u was not enough.
So the kernel_patcher went well.
build_ramdisk_ios6.sh output this weird line:
tar: Error exit delayed from previous errors.
and then running redsn0w with all parameters given by the sh gives the same
thing: no reboot after the "uploading second stage".
What step is this?
Original comment by matthieu...@gmail.com
on 16 Dec 2013 at 11:17
OK, the tar error is "normal". I don't know about the redsn0w error; maybe try
using the IPSW for your device revision, iPhone3,2 or 3,3?
Original comment by jean.sig...@gmail.com
on 16 Dec 2013 at 12:09
The device revision is iPhone3,2, but when running kernel_patcher on the IPSW
it says "no keys found for kernel".
How can I extract them?
Original comment by matthieu...@gmail.com
on 16 Dec 2013 at 1:07
Try this patch on kernel_patcher.py; I just hardcoded the keys for
iPhone3,2_6.0_10A403_Restore.ipsw from theiphonewiki:
http://theiphonewiki.com/wiki/Sundance_10A403_(iPhone_4_GSM_Rev_A)
Original comment by jean.sig...@gmail.com
on 16 Dec 2013 at 1:30
Attachments:
Support for iOS 6.0 and the iPhone3,2 was added in redsn0w 0.9.15:
https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_mac_0.9.15b3.zip
You'll also need the 6.0 IPSW for the iPhone3,2:
http://appldnld.apple.com/iOS6/Restore/041-7177.20120919.xqoqs/iPhone3,2_6.0_10A403_Restore.ipsw
Original comment by 0x56.0x6...@gmail.com
on 16 Dec 2013 at 2:33
The patch you submitted worked.
I could dump the rdisks1s2 partition. Files are still encrypted though.
I can ssh, but scripts cannot connect to port 1999. ios_examiner crashes, for
example, with a "can not connect to port" exception. The log on the device just
reports one error: it cannot open /dev/md0.
When I run device_infos in the shell, it also crashes.
Original comment by 4n6fra...@gmail.com
on 16 Dec 2013 at 6:18
Sorry, wrong email for the previous post.
Also, I compiled against the 5.1 SDK. I did not try against a 6.0 one (quite hard to
find without an Apple account :-)).
I don't know if it can change something... I'm thinking about ramdisk tools like
device_infos.
Original comment by matthieu...@gmail.com
on 16 Dec 2013 at 6:38
Here is a temporary patch to prevent bruteforce & device_infos from crashing.
The "can not connect to port 1999" error is normal; you cannot use ios_examiner
yet when running with the iOS 6 kernel. I have to fix this properly (and issue
120 as well); next month I should have more time to work on this. In the
meantime, using the bruteforce tool you should be able to decrypt the HFS image
with emf_decrypter.py.
Original comment by jean.sig...@gmail.com
on 17 Dec 2013 at 10:00
Attachments:
I applied your patch and tried the different tools but they are still crashing.
Here is the output of the different scripts:
{{{
$ python python_scripts/demo_bruteforce.py
Connecting to device : a2b7a599e26d726252cad1ec6976c0708ce80c2d
Traceback (most recent call last):
File "python_scripts/demo_bruteforce.py", line 88, in <module>
bf_system()
File "python_scripts/demo_bruteforce.py", line 11, in bf_system
client = RamdiskToolClient()
File "/Users/inl/iphone-dataprotection/python_scripts/util/ramdiskclient.py", line 48, in __init__
self.getDeviceInfos()
File "/Users/inl/iphone-dataprotection/python_scripts/util/ramdiskclient.py", line 74, in getDeviceInfos
keys = self.grabDeviceKeys()
File "/Users/inl/iphone-dataprotection/python_scripts/util/ramdiskclient.py", line 163, in grabDeviceKeys
r = self.aesUID(b)
File "/Users/inl/iphone-dataprotection/python_scripts/util/ramdiskclient.py", line 143, in aesUID
return self.aes(data, kIOAESAcceleratorUIDMask, kIOAESAcceleratorEncrypt)
File "/Users/inl/iphone-dataprotection/python_scripts/util/ramdiskclient.py", line 153, in aes
"bits": 128
File "/Users/inl/iphone-dataprotection/python_scripts/util/ramdiskclient.py", line 127, in send_req
self.send_msg(dict)
File "/Users/inl/iphone-dataprotection/python_scripts/util/ramdiskclient.py", line 104, in send_msg
return self.s.send(data)
socket.error: [Errno 32] Broken pipe
$ python python_scripts/demo_bruteforce.py
Connecting to device : a2b7a599e26d726252cad1ec6976c0708ce80c2d
Traceback (most recent call last):
File "python_scripts/demo_bruteforce.py", line 88, in <module>
bf_system()
File "python_scripts/demo_bruteforce.py", line 11, in bf_system
client = RamdiskToolClient()
File "/Users/inl/iphone-dataprotection/python_scripts/util/ramdiskclient.py", line 47, in __init__
self.connect(udid)
File "/Users/inl/iphone-dataprotection/python_scripts/util/ramdiskclient.py", line 70, in connect
raise Exception("Connexion to device port %d failed" % self.port)
Exception: Connexion to device port 1999 failed
$ ssh -p 2222 root@localhost
root@localhost's password:
-sh-4.0# ./device_infos
bruteforce device_infos mount_partitions.sh
-sh-4.0# ./device_infos
Trace/BPT trap: 5
-sh-4.0# ./bruteforce
Trying to mount data partition
Trace/BPT trap: 5
-sh-4.0# sh mount_partitions.sh
-sh-4.0# ./bruteforce
Trying to mount data partition
Trace/BPT trap: 5
-sh-4.0#
}}}
Original comment by matthieu...@gmail.com
on 17 Dec 2013 at 2:54
I'm up to the same point as #20 with an iPhone3,2. Now have an encrypted image
of the data partition, but device_infos & bruteforce or any of the scripts
fail. Is there a way to decrypt this data yet? (I found that BPT trap: 5 is
"...has to do with not being able to find/load a dylib.")
Original comment by strayw...@gmail.com
on 21 Feb 2014 at 10:53
@straywasp iPhone3,2 support is still broken; I'll update this issue when it's
fixed.
Original comment by jean.sig...@gmail.com
on 25 Feb 2014 at 10:16
Thanks for the update. For others finding this thread, I was able to dump the
data partition manually using "ssh -p 2222 root@localhost /bin/dd
if=/dev/rdisk0s1s2 bs=8192 | dd of=/Users/me/Desktop/dump.img"
Original comment by strayw...@gmail.com
on 28 Feb 2014 at 2:46
Just wanted to report that this has now been fixed in the new version. (using
build.py etc). Thanks... :-)
Original comment by strayw...@gmail.com
on 15 Jul 2014 at 3:18
@straywasp Thanks for confirming!
Original comment by jean.sig...@gmail.com
on 16 Jul 2014 at 5:26
I also have an iPhone3,2/n90bap with iOS 7.1 and use the newest build.py with
the new ramdisk and patchfile.
It says: "PPN device, use nand_dump + info, other commands will fail". That is
true. nand_dump works and the info command also. But I can't do anything else, like
undelete. Will this be fixed?
One more error there is when I start ios_examiner: "!!!! Unkown deviceReadId
xxxxxxxxx, assuming 1 physical bank /CE, will probably fail"
Original comment by Peter.lu...@gmail.com
on 21 Jul 2014 at 12:24
This issue is not fixed; running demo_bruteforce.py gives this:
{{{
Connecting to device : d1d7a6c6a3b37706e773fc99179abc30bdafe067
Traceback (most recent call last):
File "python_scripts/demo_bruteforce.py", line 88, in <module>
bf_system()
File "python_scripts/demo_bruteforce.py", line 11, in bf_system
client = RamdiskToolClient()
File "/Users/fazio/iphone-dataprotection/python_scripts/util/ramdiskclient.py", line 47, in __init__
self.connect(udid)
File "/Users/fazio/iphone-dataprotection/python_scripts/util/ramdiskclient.py", line 70, in connect
raise Exception("Connexion to device port %d failed" % self.port)
Exception: Connexion to device port 1999 failed
}}}
Original comment by techshu...@gmail.com
on 6 Feb 2015 at 5:46
Original issue reported on code.google.com by
0x56.0x6...@gmail.com
on 27 Mar 2013 at 8:10