sock-puppet / iphone-dataprotection

Automatically exported from code.google.com/p/iphone-dataprotection

tetheredboot loses connection after "Uploading iBSS.n90ap" #4

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. ./tetheredboot -p payload -r myramdisk.dmg 
2. Put the iPhone into DFU mode

What is the expected output? What do you see instead?

Expected: successful jailbreak

I get:
-----
Initializing libpois0n
No matching processes belonging to you were found
Waiting for device to enter DFU mode
Device must be in DFU mode to continue
Device must be in DFU mode to continue
Device must be in DFU mode to continue
opening device 05ac:1227...
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as iPhone3,1
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
libusb:error [darwin_transfer_status] transfer error: timed out
Exploit sent
Reconnecting to device
Waiting 2 seconds for the device to pop up...
opening device 05ac:1227...
Checking if kernelcache already exists
Preparing to upload iBSS
Checking if iBSS.n90ap already exists
Uploading iBSS.n90ap to device
[==================================================] 100.0%
libusb:error [darwin_reset_device] ResetDevice: device not responding
Reconnecting to device
libusb:error [darwin_close] USBDeviceClose: no connection to an IOService
Waiting 10 seconds for the device to pop up...
Connection failed. Waiting 1 sec before retry.
Connection failed. Waiting 1 sec before retry.
...
Unable to reconnect
Exiting libpois0n
------

What version of the product are you using? On what operating system?

iPhone 4, iOS 4.3.3 (reset to factory settings, no jailbreak, code lock activated)
current (from hg checkout)
Mac OS 10 (Snow Leopard)

Please provide any additional information below.

I tried the supplied payload as well as one generated on my system.

Original issue reported on code.google.com by jueschm...@gmail.com on 31 May 2011 at 10:58

GoogleCodeExporter commented 9 years ago
Does the device screen turn white (before or after the program fails)?

Original comment by jean.sig...@gmail.com on 1 Jun 2011 at 10:06

GoogleCodeExporter commented 9 years ago
Nope - the device stayed black and dead. I had to do a hard reset to revive it.
So my guess was that there is a communication problem.

I fixed that problem by installing another libusb (sudo port install) and recompiling tetheredboot. Now the device screen goes white and it starts booting.

Now tetheredboot ends with:

----
Waiting 10 seconds for the device to pop up...
opening device 05ac:1281...
Setting to configuration 1
Setting to interface 0:0
Preparing to upload iBSS payload
[==================================================] 100.0%
Executing iBSS payload
Waiting 10 seconds for the device to pop up...
opening device 05ac:1281...
Setting to configuration 1
Setting to interface 0:0
Preparing to upload devicetree
Checking if DeviceTree.n90ap already exists
Preparing to fetch firmware image from Apple's servers
Fetching Firmware/all_flash/all_flash.n90ap.production/DeviceTree.n90ap.img3...
[==================================================] 100.0%
Resetting device counters
Uploading DeviceTree.n90ap to device
[==================================================] 100.0%
Preparing to upload ramdisk
[==================================================] 100.0%
Executing ramdisk
libusb:error [darwin_transfer_status] transfer error: timed out
Preparing to upload kernelcache
Checking if kernelcache already exists
Resetting device counters
[==================================================] 100.0%
libusb:error [darwin_transfer_status] transfer error: timed out
Exiting libpois0n
----

Don't really know if this is success or not.
On the device I get:
---
...
Listening on port 1999
Running /sbin/sshd
AppleBCMWLAN: handleIOKitBusyWatchdogTimeout(): Error no successful firmware download after 60000 ms!! Giving up ...
---

followed by warnings "limiting USB input current"

So the device is up and running, it reacts to USB (dis-)connect events,
sshd has been started -- but I still can't connect to it :-(
tcprelay reports incoming requests but no connection.

Any hint what I have to look out for?

Original comment by jueschm...@gmail.com on 1 Jun 2011 at 10:59

GoogleCodeExporter commented 9 years ago
OK, so the ramdisk boots fine. This looks like some kind of USB issue; I never had the "limiting USB input current" warnings on my test setup. Does the device show up in System Profiler? Could you also post the tcprelay output? Thanks

Original comment by jean.sig...@gmail.com on 1 Jun 2011 at 11:11

GoogleCodeExporter commented 9 years ago
I guess that we can ignore the "current" thing - it is related to charging limitations. I also get a message "Charging not supported with this accessories" when I connect the running device via USB. They all disappear if I remove the USB extension cable.

tcprelay does not show anything interesting:

$ python tcprelay.py -t 22:2222 5900:5900 1999:1999 1234:1234
Forwarding local port 2222 to remote port 22
Forwarding local port 5900 to remote port 5900
Forwarding local port 1999 to remote port 1999
Forwarding local port 1234 to remote port 1234
Incoming connection to 2222

There is no answer and/or status if I try to connect to any of the ports.

System profiler shows an iphone connected to USB (serial number: blah)

There are a couple of other errors in the output on the iphone like: 

GetMasterBlock: Error 16 opening /dev/md0

I just don't know what is relevant.

Original comment by jueschm...@gmail.com on 1 Jun 2011 at 12:22

GoogleCodeExporter commented 9 years ago
OK, not a USB bug then. This is weird, since "Running /sbin/sshd" is displayed it should be OK. I'll try to reproduce the issue and dig further.

Original comment by jean.sig...@gmail.com on 1 Jun 2011 at 12:50

GoogleCodeExporter commented 9 years ago
Is the exit of tetheredboot ok?

---
Resetting device counters
[==================================================] 100.0%
libusb:error [darwin_transfer_status] transfer error: timed out
Exiting libpois0n
----

Is there a way to check if tcprelay is really talking to the device?
Can I do some kind of "ping" over the USB line, to see if the device is alive?

FYI: I will be away from my lab from tomorrow until next Monday, so I can't do any further testing.

Original comment by jueschm...@gmail.com on 1 Jun 2011 at 1:08

GoogleCodeExporter commented 9 years ago
Yes, if the ramdisk boots with verbose output on the device screen then tetheredboot should be OK.
I've attached a modified usbmux.py script with debug prints, could you post the output?

Otherwise, this is not a real solution, but you can also try using tetheredboot under Windows (a compiled binary is available on the download page).

Original comment by jean.sig...@gmail.com on 1 Jun 2011 at 1:37

GoogleCodeExporter commented 9 years ago
# ssh -p 2222 root@localhost

Incoming connection to 2222
connect /var/run/usbmuxd
self.listener.listen()
listen
sendpacket
self.socket.send(data)
getreply
self.socket.recv(4)
---
# nc localhost 1234

Incoming connection to 1234
connect /var/run/usbmuxd
self.listener.listen()
listen
sendpacket
self.socket.send(data)
getreply
self.socket.recv(4)

Original comment by jueschm...@gmail.com on 1 Jun 2011 at 2:21
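The debug trace above, together with the earlier question about how to check whether tcprelay is really talking to the device, shows the relay connecting to /var/run/usbmuxd, sending a Listen request and then blocking in self.socket.recv(4), i.e. waiting for the first four bytes (the length field) of the daemon's Result frame, which never arrive. The Python below is an added example, not code from this thread or from the iphone-dataprotection project: it reimplements the version-0 usbmuxd framing that usbmux.py speaks (a header of four uint32s: length, version, type, tag; type codes 1 Result, 2 Connect, 3 Listen; the Connect payload carries the device id and the byte-swapped TCP port) and a probe that sends one request under a socket timeout, so a daemon that accepts the socket but never answers is reported as "no-reply" instead of hanging. Little-endian byte order, the 0.2 s timeout, and the in-process stand-in daemon built on socket.socketpair are assumptions constructed for the example.

```python
import socket
import struct

# Constructed example: the usbmuxd "version 0" binary framing spoken by the
# usbmux.py that tcprelay.py uses.  Type codes and payload layouts follow that
# script; little-endian byte order is an assumption (x86 host).
HEADER = struct.Struct("<IIII")  # length (incl. header), version, type, tag
VERSION = 0
TYPE_RESULT, TYPE_CONNECT, TYPE_LISTEN = 1, 2, 3


def swap16(port):
    """The TCP port travels byte-swapped (network order) in a host-order field."""
    return ((port << 8) & 0xFF00) | (port >> 8)


def pack_frame(msg_type, tag, payload=b""):
    return HEADER.pack(HEADER.size + len(payload), VERSION, msg_type, tag) + payload


def pack_listen(tag):
    """Listen: ask the daemon for device add/remove notifications (no payload)."""
    return pack_frame(TYPE_LISTEN, tag)


def pack_connect(device_id, port, tag):
    """Connect: uint32 device id, uint16 swapped port, two bytes of padding."""
    return pack_frame(TYPE_CONNECT, tag,
                      struct.pack("<IH", device_id, swap16(port)) + b"\x00\x00")


def pack_result(tag, number):
    """Result: the daemon's answer; number 0 means success."""
    return pack_frame(TYPE_RESULT, tag, struct.pack("<I", number))


def unpack_frame(data):
    """Split one complete frame into (type, tag, payload); reject bad headers."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    length, version, msg_type, tag = HEADER.unpack_from(data)
    if version != VERSION or length != len(data):
        raise ValueError("bad header: version=%d length=%d have=%d"
                         % (version, length, len(data)))
    return msg_type, tag, data[HEADER.size:]


def recv_exact(sock, n):
    """Read exactly n bytes; a bare recv() may legitimately return fewer."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def probe(sock, request, tag, timeout=0.5):
    """Send one request and classify the daemon's behaviour within `timeout` s.

    Returns 'ok' (Result 0), 'refused:<n>' (Result n != 0), 'no-reply' when the
    daemon keeps the socket open but never answers (the state behind the
    'self.socket.recv(4)' debug line), or 'closed' when it drops the socket.
    """
    sock.settimeout(timeout)
    try:
        sock.sendall(request)
        raw_len = recv_exact(sock, 4)          # the same 4-byte read as getpacket()
        length = struct.unpack("<I", raw_len)[0]
        frame = raw_len + recv_exact(sock, length - 4)
    except socket.timeout:
        return "no-reply"
    except ConnectionError:
        return "closed"
    msg_type, reply_tag, payload = unpack_frame(frame)
    if msg_type != TYPE_RESULT or reply_tag != tag:
        return "unexpected:%d" % msg_type
    number = struct.unpack("<I", payload)[0]
    return "ok" if number == 0 else "refused:%d" % number


def simulate(daemon_behaviour):
    """Run probe() against an in-process stand-in for usbmuxd (constructed)."""
    client, daemon = socket.socketpair()
    try:
        if daemon_behaviour == "answer":
            daemon.sendall(pack_result(1, 0))  # queue a success Result for tag 1
        elif daemon_behaviour == "close":
            daemon.close()
        # "silent": the daemon holds the socket open and says nothing
        return probe(client, pack_listen(1), tag=1, timeout=0.2)
    finally:
        client.close()
        daemon.close()


if __name__ == "__main__":
    for behaviour in ("answer", "silent", "close"):
        print("%-7s -> %s" % (behaviour, simulate(behaviour)))
```

Against a real daemon the same probe would be pointed at a socket connected to /var/run/usbmuxd; the "no-reply" outcome is the case this thread describes, and distinguishes a daemon that is present but not answering from one that is absent (connect fails) or that rejects the request (non-zero Result).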

GoogleCodeExporter commented 9 years ago
On my Windows XP test system, tetheredboot.exe crashes after saying "Fetching kernelcache.release", leaving the device black and dead.

Original comment by jueschm...@gmail.com on 1 Jun 2011 at 3:25

GoogleCodeExporter commented 9 years ago
Just checked: tetheredboot.exe also crashes on Windows Vista using:

tetheredboot.exe -p payload -r myramdisk.dmg

Original comment by jueschm...@gmail.com on 7 Jun 2011 at 10:17

GoogleCodeExporter commented 9 years ago
Same on Windows 7 - crash after "Fetching kernelcache.release"
Double checked in admin mode

Original comment by jueschm...@gmail.com on 7 Jun 2011 at 10:39

GoogleCodeExporter commented 9 years ago
I can't look into it that much this week. Does it crash or does the process just exit? Also, are you running Windows in a virtual machine?

Original comment by jean.sig...@gmail.com on 7 Jun 2011 at 11:42

GoogleCodeExporter commented 9 years ago
It crashes. I am offered to send info to Microsoft. I can try to extract whatever you need and send it to you (just drop me a mail to ju_at_heisec.de).
To avoid problems with USB, I did not use VMs but real hardware in all 3 cases.

Maybe we should split this into two issues:

1) no communication with jailbroken iphone 
2) Windows tetheredboot.exe crashes

Original comment by jueschm...@gmail.com on 7 Jun 2011 at 1:24

GoogleCodeExporter commented 9 years ago
I'm trying this same thing, on an iPhone 4 on 4.3.2, and when I get to the part where I mount / I get this error:

GetMasterBlock: Error 16 opening /dev/md0

Can someone help?

Original comment by ja...@burtmanindustries.com on 30 Sep 2011 at 10:51

GoogleCodeExporter commented 9 years ago

Original comment by jean.sig...@gmail.com on 6 Oct 2011 at 6:54