Geohot has recently made his limera1n exploit publicly available: time to update the instructions for new devices.

1. Build the ramdisk as described in with.
2. Download the tetheredboot utility from.
3. Make 4.1 custom ipsw with PwnageTool or SnowBreeze.
4. Extract ibss and kernelcache files from custom ipsw.
5. Put the device in DFU mode.
6. Use to load the ramdisk: tetheredboot -i iBSS. CPUap.RELEASE.dfu -k kernelcache.release. CPU -r 0 XX-XXX-XXX.dmg.ssh
7. Use itunnelmux to forward SSH connection: itunnelmux -lport 22

Troubleshooting.
A - works on OS X or Windows; needs. Supported devices - hopefully everything Syringe supports (devices with and lower) plus iPhone 2G, iPhone 3G and iPod Touch 1G.
The tool automatically downloads required files from Apple using 's, patches them and sends to the device. If everything works as it should, the only thing you need is an SSH client.

Credits:
Made possible thanks to Camilo Rodrigues
Including xpwn source code by the and
Including syringe source code by and syringe exploits by, & pwnage2 exploit by
Special thanks to - EMF tools and kernel patches

To see more verbose stuff, run from command line: java -jar sshrdrev04b.jar.

Changelog:
01/15/12 updated to rev02b: colorized log messages; more prominent success message; exception traces; usbmux starts immediately on app launch, so you can restart the app and reconnect SSH without having to go through DFU again.
01/18/12 rev02c: iPhone 4 CDMA actually works now; iPhone 3G should as well - please leave a comment if it doesn't.
01/20/12 rev02d: Should work with iTunes = 10.0 and Windows XP.
01/25/12 rev03: Added 'ls' ;). Added an auto-mount script. Added bin paths from /mnt1 to PATH in .profile.
01/26/12 Added a.
02/05/12 rev03b: Fixed Snow Leopard compatibility.
03/07/12 rev03c: Using fw 4.2.1 with iPhone 3G (instead of 4.0.1 in earlier builds).
07/09/12 rev04a: Added deviceinfos tool from - if the user volume is corrupted, you can image it and decrypt with emfdecrypter.py (see ).
Automated SSH ramdisk creator/loader. Mostly iPhone hacking: Automatic SSH ramdisk creation and loading It even mounts the partitions on /mnt1 and /mnt2 (for example, /var/mobile is /mnt2/mobile). All I had to do in OS X was run it and connect with the ssh and scp commands.
Also, local ipsw files are used if present (for offline use).
06/29/13 rev04b: Fixed crash when connecting iOS7 devices on OS X and DLL load errors on Windows.

Welcome :) Additionally for those of you new to this. I recommend connecting with Putty rather than something like WinSCP. If you are using this tool due to Springboard crashing on boot (because of a MobileSubstrate plugin crashing so bad it won't kick into Safe Mode), here are the commands to run to disable all Mobile Substrate plugins (dylibs) and effectively manually kick your phone into Safe Mode. You can turn them back on in the MobileSubstrate area of SBSettings - More. Connect using Putty, and for devices on iOS 5, run the following. Copy and paste into Notepad so you can see what is on each line in case it word-wraps:

    fsck_hfs /dev/disk0s1s1
    mount_hfs /dev/disk0s1s1 /mnt1
    PATH=$PATH:/mnt1/bin
    # directory as originally posted; corrected later in the thread to /mnt1/Library/MobileSubstrate/DynamicLibraries
    cd /mnt1/Library/MobileSubstrate
    # rename every plugin from name.dylib to name.disabled
    for file in *.dylib; do mv "$file" "$(echo "$file" | sed 's/\(.*\)dylib/\1disabled/')"; done
    ls

All your .dylib files should now be changed to .disabled, and your phone will boot successfully next time you boot. If you are brought to the 'Connect to iTunes' screen on the next boot, it's a side effect of @msftguy's tool. Simply run the 'Kick Out of Recovery Loop' tool in iREB 5, and you'll be all good. Alternatively instead of the for loop above, you could rename DynamicLibraries folder to something else as I've demonstrated below. This will kick Safe Mode on as well. Change it back with iFile once you've removed the problem child, and respring.

    mv DynamicLibraries DynamicLibraries2

FOR DEVICES ON IOS4, the commands above are slightly different. Replace /dev/disk0s1s1 with /dev/disk0s1. For some reason it was changed in iOS5. Thanks to @msftguy for pointing this out. I was lost until he told me: Thanks for this awesome tool!!
Anonymous said. You totally rock. I've been using your old method of an iphone 3G on and off for emergency fixes, but it's a long drawn out process, since iREB sometimes had issues if I didn't run it from sn0wbreeze.
I tried to upgrade at one point, but it didn't work, and I had a solution that did the job. But a one click would be fantastic. For whatever reason, when I tried to run your jar, I get the following error: Could not load muxredux.dll from C: Documents and Settings Local Settings Temp sshrd native muxredux.dll; ABORTING though I see this file exists. I'm running on an XP machine. The popup is unhelpful with an 'INIT FAILED (mux thread)!' Past that, I'd be happy to help confirm/test it works on a 3G (still running 3.1.3). On a slightly related note - my current issue is that it won't boot, even into Safe Mode, I can't ssh in normally.
In the past, I've always been able to fix it, but this one has me stumped. If I move away all the dylibs, I get syslog errors about not being able to load particular dylibs (grr). Otherwise, I seem to be getting mostly 'Cannot Stack' errors, and ones about being unable connect to lockdown, though I'm not positive either of those is actually the culprit. Any tips, o wise ones?
@fcc14fe0: Confirmed an XP bug (I really need to test stuff before releasing, dammit!), will build a fixed version soon. On a slightly related note - please email logs/excerpts. If those dylibs are mobilesubstrate plugins, it's worth figuring out who loads them - or just disable mobilesubstrate completely and see if that helps? On old versions, you needed to remove all references to mobilesubstrate from /system/library/launchdaemons/*.plist, (EnvironmentVariables/DYLD_INSERT_LIBRARIES subkey); now it seems it's enough to rename /etc/launchd.conf.

Anonymous said. Is that really how my account showed up? The phone is actually riddled with problems - I mostly use it as a toy these days. Sometime around a year ago the WiFi stopped working, so most of the packages are admittedly rather outdated. Something made me want to try and revisit the perma-Safe-Mode issue it has, which is why I was trying again. It's entirely possible that what caused the issue now was my attempting to update mobilesubstrate to the latest version (I scped over the deb to install). However, I can't reinstall the old one, since when I dpkg --root=/mnt1 -i, it dies on the postrm, because of this:

    dyld: Library not loaded: /System/Library/Frameworks/Foundation.framework/Foundation
    Referenced from: /mnt2/lib/dpkg/info/mobilesubstrate.postrm

Hilarity ensues. The phone itself has too much junk on it, so it's probably a poorly written and old dylib, I think one of them was PwnTunes. But I can upload the syslog next time I power it up into the ramdisk.
Is there anywhere in particular you'd like me to send it? Anonymous said. Yup, I can now confirm that your jar works on both Windows XP, and on a 3G. Much faster and simpler than my last method, too. I tried your tip for removing MobileSubstrate, but the first time it just managed to recreate the /etc/launchd.conf, and the MobileSubstrate.dylib symlink. The next time I moved the entire Framework directory, but SpringBoard kept crashing, and it wouldn't boot.
Eventually I figured out that the problem was because a couple of symlinks (/Applications and /usr/share) had somehow disappeared. I have no idea how it happened, but recreating them managed to get the phone booting again, so I'm happy.
It makes me wonder, though, if any other links might be missing. Is there an authoritative list of ones that get created by the Jailbreak? Anonymous said. I'm stuck on the command portion.
My iPod's battery drained and was stuck in the low battery/Apple logo loop and it was refusing to charge and etc. Anyways, I ran everything as instructed and it finished. At the end it said to connect to localhost, which I'm assuming is normal.
So I follow the instructions and connect using WinSCP. Now what I'm stumped on is where or how do I enter these commands? I've even installed Putty to try and enter the command, but it says not found. I'm not too familiar with commands via SSH. So if you guys could help me out with that part I'd be so grateful. I'd hate to restore my iPod and lose everything because my old computer crashed with all my music and etc.
Thanks a lot if it works you guys are life savers! Hello, Firstly I would like to send out big thanks to msft.guy, reanimator and everybody who has worked on this.
This is the very definition of giving back. Wanted to let you know there are ppl out there that appreciate what you guys are doing here. Well I can now get access to MobileSubstrate directory, which is great. However I was not able to execute the command to disable the individual.dylib's (even from within the DynamicLibraries directory). I tried renaming the the whole DynamicLibraries directory as reanimator had suggested, no joy, when I reboot still stuck on apple logo. Is there other common problems that can cause 'stuck on apple logo', other than the mobile substrate department?
Any other thoughts as to what I could try, either regarding mobile substrate or other possible issues. I would really appreciate any help or perceptive anybody can offer. My phone has been out since before Christmas, just this past weekend I was again considering wiping it all and starting from scratch, an unpleasant solution to say the least. That was before I discovered your new easier method which gave me new hope, I feel like I am so close.
Cheers, TC of yourselves and thanks again. @n0uzul Unfortunately the problem I'm describing is probably different than what you're seeing. The problem I'm describing (the Springboard crashing dylib issue) is when you have just installed a new Cydia tweak, and upon respring, your phone just resprings in a loop endlessly (never reaches Safe Mode). MobileSubstrate is designed to kick you into Safe Mode in this circumstance, but in rare instances it does not, rendering your phone useless. However, this problem usually means you will at least /see/ the lockscreen before the phone crashes, sending to you back to the lockscreen again. This indicates there's a bad.dylib installed that is crashing MobileSubstrate as soon as SpringBoard loads. Is SpringBoard even loading?
One of the first indications of SpringBoard loading is if you hear the 'charging' sound when booting your phone while it's hooked to the charger or a computer. If you never get a charging sound, SpringBoard isn't loading at all and.dylibs are /not/ the problem. I have seen this with one person's phone once, and unfortunately there's nothing I could do to correct it besides a restore. It would be hard to determine what was causing that issue without having a Verbose Boot option enabled. However, using @msft.guy's awesome tool, you're still able to use some of my commands above to mount the data partition and then back up your files, provided you know where they're. I recommend using my commands to mount using Putty, then using a visual tool like WinSCP to perform the rest.
With either tool, you'll be connecting to localhost, port 2022. @msft.guy was correct that my 4th command should be:

    cd /mnt1/Library/MobileSubstrate/DynamicLibraries

Remember to paste all my commands into notepad so you can see which is on what line. The long 'for' command word-wrapped to the next line as expected, and the directory correction above will too.

Tested this on my jailbroken iphone 4 running ios 5.0.1 works perfect. I would like to make some modifications so tried to clone the git repo however the xpwn and syringe folders are empty. This appears to stem from the fact the xpwn and syringe .git files are a 404 (point to the wrong git hub url) also what do i compile this with? I'm using git on cygwin to check out from the repo basically I'd like to forward 5555 same way as you forward 2202 so i can do a dd if=/dev/rdisk0s2 bs=4096 | nc 127.0.0.1 5555 :).

Hello again, Thanks for your reply reanimator.
I have been a little busy as of late. Well I have given up on being able to boot up my phone without restoring it, however I would like to back up everything first.
Using reanimators comment I was able to get to the root directory and copied everything off, there were a few errors but I assume (I know, a dangerous thing) nothing too important was left out (if anybody has a easy fix to copying everything let me know, I am all ears). Using the instructions in the video msft.guy posted recently I am not able to get to my user partition. Is there a script? Where can it be found?
Does it have anything to do with me using windows (I have access to macs but they dont seem to want to run the.jar)? Might be important that I am on ios 4.3.x, what is the user partition called / where is it located (disk0s2)? Anyway, I am getting really tired of this dumb phone replacement and would like to restore today if at all possible, no pressure of course, I am grateful for any insight you can offer.
Cheers, Regards, Johann. Was reading some ibooks when suddenly my 3Gs (32gb iOS4.1) crashed. It rebooted into recovery mode and I wasn't able to kick out of it using tools like iReb or TU.
Then using your tool (awesome!!), I found out that it was because the data volume (disk0s2s1) cannot be mounted due to some error. Using fsckhfs, it spits out something like. Invalid sibling links Rebuilding Catalog b-tree Disk full error. And still, 'invalid argument' when trying to mount it normally.
Also tried fsckhfs -r and -f and -fy to no avail. Yesterday, I was able to extract important files (photos, notes, etc) by mounting it read-only: mount -t hfs -r /dev/disk0s2s1 /mnt2 I read somewhere that you should not fill your HFS volume beyond 85%. Mine has 800mb left!! And I thought maybe if somehow I could mount it r/w and free up some space, unmount it, and let fsck do its job. Is this even possible? I mean, force mounting r/w a volume that has errors in it?
@Biloky: Yeah, 'Disk full error' and 800MB free does sound like a weird combination. I'm not up to speed on HFS+, but it could be that free space bitmap is corrupted and free space information is inconsistent. Try adding -d flag to fsckhfs and maybe checking out fsckhfs source? At If you have time to spare, you can try imaging the whole disk and use some HFS+ editor tool to fix that; then diff old vs new disk image and apply that difference to the device using a script with dd commands. Just keep in mind that there's an additional logical file-based encryption layer that will prevent you from reading cleartext data from files in the image you'll make - I think has some decryption tools for this; but if you only fix disk structures and don't rewrite file data, this should not be an issue.
Alternatively, you can try restore and then copy stuff back file by file using rsync - just make sure not to overwrite the keybag since it's per install. You can run into issues with some files encrypted using iPhone Data Protection API (e.g. Mail database) not decrypting correctly after restore - again, iphone-dataprotection might have some scripts to help mitigate that. At least most data files and jailbreak-made customizations will be preserved! Hello all, Sorry to those who have had trouble with my commands. I found a couple bugs, sorry for any trouble that caused. I've corrected them below.
If you are using this tool due to Springboard crashing on boot (because of a MobileSubstrate plugin crashing so bad it won't kick into Safe Mode), these commands will disable all Mobile Substrate plugins (dylibs) and effectively manually kick your phone into Safe Mode. You can turn them back on in the MobileSubstrate area of SBSettings - More.

INSTRUCTIONS:
1. Run @msft.guy's tool.
2. Using Putty, connect to the address specified when the tool is done running. (I believe the default is localhost port 2022).
3. Follow the link to Pastie.org below and run the commands based on your IOS version. Commands to re-enable all MobileSubstrate plugins are there too. I've verified these are correct :) http://pastie.org/3318896.

First of all I want to thank you for this awesome tool.
It can be used to every non-A5 devices, that's great. I ended up to this tool because I have a 1st gen iPod Touch that its stuck on recovery mode (plug to iTunes). I tried to restore it with iTunes in recovery mode and in dfu mode, with original and jailbroken firmwares (pwnagetool) but it gaves always errors. So looked for some info on recovery and found the ramdisk method (wich I tried successfully in iphone 3g and 4 GSM) hoping to boot something in the iPod touch, but no luck. Your tool shows starting to upload ramdisk and 4 or 5 connections and disconnectios of the same iPod in DFU mode. I'm out of ideas. What else can I try?
@msft.guy Yeah, I´ve tried that and gives me this: -sh-4.0# fsckhfs -r /dev/disk0s1. /dev/rdisk0s1 Executing fsckhfs (version diskdevcmds-547162). VolumeType is 0 0000: 0000 0000 0000 0000 0000 0000 0000 0000.
01b0: 0000 0000 0000 0000 4d56 774c 0000 0000.MVwL. 01c0: 0000 ee00 0000 2200 0000 0640 7700 0000.w. 01d0: 0000 0000 0000 0000 0000 0000 0000 0000. 01f0: 0000 0000 0000 0000 0000 0000 0000 55aa.U. And I don´t know what is it.
I use dev/disk0s1 because thats the file I found under /dev There are also: disk0 and disk0s1s1 Tried both but seems to happen the same thing. What am I doing wrong? Hi just whaving a problem, have an iphone 4 and it gets to this stage Using syringe to exploit the bootrom. Exploit sent! Preparing to load the ramdisk.
Ramdisk load started! MobileDevice event: DfuDisconnect, 7231227, 8930 MobileDevice event: DfuConnect, 7231227, 8930 DFU device 'iPhone 4 (GSM)' connected Ignoring same device iPhone 4 (GSM) MobileDevice event: DfuDisconnect, 7231227, 8930 MobileDevice event: RecoveryDisconnect, 7231281, ffffffff Almost there.
MobileDevice event: RecoveryConnect, 7211281, 8930 and wont go any further, just keeps disconnecting and connecting! If you have any ideas your help would be much appreciated!

Found it, just for someone who needs.
Picture: mobile/Media/DCIM
contacts: mobile/Library/AddressBook/AddressBook.sqlitedb
download sqlite3 and do the following

    sqlite3 AddressBook.sqlitedb
    sqlite> .mode csv
    sqlite> .output contacts.csv
    sqlite> SELECT ROWID, First, Last, ABMultiValue.value, record_id FROM ABPerson, ABMultiValue WHERE ROWID=record_id;
    sqlite> .quit

you will find the contacts.csv file on the same folder. In case you are exporting other than english, you may get '??????' Open in excel. Use notepad to open contacts.csv, save as, pick same filename, and over write the file. Open it on excel again and you will see all the words you want :) I tried this for my chinese name contacts. Anyway, GOOD works! I found all the data!

Hey, isn't actually doing anything for me just gets to the point below and does nothing.
Tried on Mac and Windows. Ios 4. (between 4.2 and 4.3) iphone 4. Phone hasn't been jailbreaked.
Any help would be much appreciated. Extracted resource to /var/folders/tT/tTvtZxJXGJy5FVYf9ihdJUTI/-Tmp-/sshrd/native/jsyringeapi.jnilib Extracted resource to /var/folders/tT/tTvtZxJXGJy5FVYf9ihdJUTI/-Tmp-/sshrd/native/muxredux.jnilib Connect a device in DFU mode MobileDevice event: RecoveryConnect, 1281, 8930. @msft.guy Hi msft.guy.
Your job is great!! I have a problem when running your tool with an iphone4, tryed on win7 and now on winxp pc. Here are the output: Downloading 038-3715-001.dmg Downloaded to C: DOCUME1 ADMINI1 LOKALA1 Temp sshrd ipswiphone319A405 038-3715-001.dmg.orig Decrypted to C: DOCUME1 ADMINI1 LOKALA1 Temp sshrd ipswiphone319A405 038-3715-001.dmg.dec Extracted resource to C: DOCUME1 ADMINI1 LOKALA1 Temp sshrd ssh.tar Added ssh.tar to the ramdisk Ramdisk prepared at C: DOCUME1 ADMINI1 LOKALA1 Temp sshrd ipswiphone319A405 038-3715-001.dmg Using syringe to exploit the bootrom. Exploit sent! Preparing to load the ramdisk. Ramdisk load started!
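The contacts export posted a few comments above (sqlite3 on a copy of AddressBook.sqlitedb), as an added Python example that is not part of the original thread: it opens the copied database read-only and writes the CSV with a UTF-8 byte-order mark so Excel detects the encoding of non-English names. The sample database is constructed with only the columns the query needs, and the link column name record_id is an assumption (the comment shows it as "recordid").

```python
import csv
import sqlite3
import tempfile
from pathlib import Path

# Same join as the query in the comment, with explicit aliases and a stable order.
# Assumption: the link column is record_id (shown as "recordid" in the comment).
QUERY = """
SELECT p.ROWID, p.First, p.Last, v.value
FROM ABPerson AS p
JOIN ABMultiValue AS v ON v.record_id = p.ROWID
WHERE v.value IS NOT NULL
ORDER BY p.ROWID, v.UID
"""


def export_contacts(db_path, csv_path):
    """Write one CSV row per stored value (phone, e-mail, ...) and return the rows."""
    # mode=ro opens the recovered copy read-only, so the export never modifies it.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = [tuple(r) for r in conn.execute(QUERY)]
    finally:
        conn.close()
    # utf-8-sig prepends a BOM; without it Excel guesses a legacy code page.
    with open(csv_path, "w", newline="", encoding="utf-8-sig") as fh:
        writer = csv.writer(fh)
        writer.writerow(["rowid", "first", "last", "value"])
        writer.writerows(rows)
    return rows


def build_sample_db(db_path):
    """Create a constructed stand-in for AddressBook.sqlitedb (minimal columns only)."""
    conn = sqlite3.connect(str(db_path))
    try:
        conn.executescript(
            """
            CREATE TABLE ABPerson (ROWID INTEGER PRIMARY KEY, First TEXT, Last TEXT);
            CREATE TABLE ABMultiValue (UID INTEGER PRIMARY KEY, record_id INTEGER, value TEXT);
            """
        )
        conn.executemany(
            "INSERT INTO ABPerson VALUES (?, ?, ?)",
            [(1, "Ana", "Lopez"), (2, "伟", "王"), (3, "NoValues", "Person")],
        )
        conn.executemany(
            "INSERT INTO ABMultiValue VALUES (?, ?, ?)",
            [
                (1, 1, "+1 555 0100"),
                (2, 1, "ana@example.com"),
                (3, 1, None),  # constructed row with no inline value; skipped by the query
                (4, 2, "+86 10 5550 0100"),
            ],
        )
        conn.commit()
    finally:
        conn.close()


def demo():
    """Build the sample database, export it, and return (rows, raw CSV bytes)."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "AddressBook.sqlitedb"
        out = Path(tmp) / "contacts.csv"
        build_sample_db(db)
        rows = export_contacts(db, out)
        return rows, out.read_bytes()


if __name__ == "__main__":
    exported, raw = demo()
    for row in exported:
        print(row)
```

To run it on a real copy, call export_contacts("AddressBook.sqlitedb", "contacts.csv") in the folder the file was copied to.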
@EazyCut: Yes, since 5.x ipsw is available for your device, it's what is used, and it requires iTunes 10.5

@Schoolboy: Without code modification you have two possible options:
1. Replace the downloadUrl key in allkeys.plist inside the .jar (strip the URL and just leave the filename). It will ask you to put the ipsw file into the sshrd folder, then extract the files locally.
2. Extract the needed files into sshrd/ipsw(model)(build), appending .orig suffix to files that are patched and keeping the name for those that are not. DeviceTree is unchanged, but iBSS gets an '.orig' appended to the filename. In this case, the download will be skipped.
Note that the total download size is about 30MB(ramdisk+kernel), since partial download lib is used, and that files are reused once they're downloaded (on OS X, until you reboot, since the base dir is in $TMPDIR). Hi msft.guy, It's me again, this time i've tried on my MACOSX Snow leopard. The.jar GUI now stops at 'Almost there' (after having downloaded and applied the necessary files correctly). My iPhone3G (8GB) seems to be booting on the RAMdisk as it displays an apple logo with a progress bar underneath. After a minute or so, the screen gets black again with a progress circle icon at the bottom, indefinitely. I attached the md.log here: FYI, this device had iDroid installed with BootLance, and OpeniBoot, but to be able to go in DFU I had to remote OpeniBoot (I can always put it back if needed) Thanks for helping, Matt. Hello, Okay I have a 3gs running ios 5.0.1 that is stuck in itunes loop.
I have done it all, redsnow, ifaith, fixrecovery(very experienced in fixing errors etc) but this phone will not come to life with any program i have used. I came across this page and figured why not.
Everything works like a charm for me except when I get to the SSH party. Im using Putty on win7 and Ive managed to learn some basic Linux over the last 3 days. My issue is this I pretty much just want to repair what ever files are corrupt and keeping this phone from booting up. I dont care to save any of the stuff.
But doing the process to save will be fine, its all about learning. I get into Putty login in and Im confused as to which /dev/diskxxxx I use.
Ive read some conflicting things.its your operating system, its the phone version and the operating system. And when I do type in commands I get some different things alot of: -no such file or directory -Device or resource busy and some: -invalid b tree node size -quick check only no hfs signature found -fsckhfs missing special drive If i could just get some assistance as to which /dev/deviceXXXX i should use it would be greatly appreciated. @T0t4r4, @Kid: weird.
Verbose mode might have helped here, otherwise I don't have a clue what's happening. I noticed 4.0.1 fw is used for iPhone 3G, I'm going to switch to 4.2.1 just in case. Probably just a red herring.
To enable verbose mode you need to patch '-progress' into '-v' followed by a 00 byte in iBSS.dfu

@Mad Max: WiFi is off, so you can't connect from the iPhone - run the source dd in tunneled ssh.

    ssh -p 2022 root@localhost dd blah > image.dmg

@luiscornejo: it's already linking to github, or do you mean some other version than 3b?

@Mina ZombieVixen: Just run mount.sh, that should do the trick.

Hi, i have an iPad 1st generation, i don't know why when i wanted to connect to iTunes, it says 'need restore', a few minutes before it was working fine. The iOS is 5.01, so i use the latest redsn0w and do the jailbreak process, after that it comes to life but only showing 'apple logo' for a minute and then reboots itself. After googling i found this life saving blog, as i really need the data inside my iPad and restore is not an option :(.
Can this recovery method works with iPad 1st generation iOS 5.01, and jailbroken with redsn0w 09.10b5c? Please help:).
@T0t4r4 i mean overwrite the bytes, so that the string changes from -progress to -v, and write a 00 byte after '-v' so that the string ends there @virtue: there's a video and a Windows howto link, it's not really device specific @Mina ZombieVixen, @Don: really no clue. Either partition table got erased somehow or just a hardware problem with the flash memory @yawn: use the 'reporting bugs' link, I can't say anything without the logs. Try to run java from command line to get console output as well. I killed iTunes and iTunes Helper before recording the demo, they are mostly harmless (unless your model is 2G/3G iPhone or 1G iPod Touch). First of all, I would like to say thanks one million times to msftguy for writing this post.
I saved my gf's iPhone which did not have any back up of the contacts and the photos. This was iPhone 3GS, new bootroom, jailbreaked with snowbreeze, preserved baseband 05.11.07, firmware 4.2.1 (did the custom IPSW) After almost 2 years usage, one day the phone was around 2-3% battery life. Few seconds after ending a phone call, the phone switched off by itself. When it was put for charging and started, the apple logo showed and stayed like that for 5 min. And still on.
Tried to restart with holding power plus home button, didn't boot, the connect to itunes logo showed up, and since then it never booted up again. Tried many types of restarts with hardware buttons, no result, again stuck in the same connect to itunes logo (probably so called recovery mode loop).
I tried every possible program to somehow exit from the recovery loop, from Tiny umbrella (did not show the device, it said device invalid, tried fix recovery in DFU mode, tried exit recovery mode, but still nothing), to iReb, Fixrecovery, Irecovery (with Libusb), blackra1n, Recboot, Easyrecovery, etc., but none of them worked, every time i got back to the same damn recovery mode, connect to itunes logo. Then I tried to find a way to at least back up the contacts and the photos before I restore the phone, but none of the programs recognized the phone (ifunbox, phonedisk, diskaid, iphone transfer, tanseeiphone, ixplorer and more). Then finally when I found this way, at first i did everything as in the instruction, however the /mnt2 was empty. Then i tried with the command fsck_hfs -r /dev/disk0s2s1 and then mount.sh and it worked!!! (so if you don't see mnt1, use the fsck_hfs -r command to repair mnt1 if that is also not working before you enter the command mount.sh). So afterwards I copied all the photos and videos, contacts, messages and downloaded files. Then I tried @ReanimationXP's instruction to get it to boot again (with the correction from msft guy)

    cd /mnt1/Library/MobileSubstrate/DynamicLibraries
    for file in *.dylib; do mv "$file" "$(echo "$file" | sed 's/\(.*\)dylib/\1disabled/')"; done
    ls

and did the manual restart (home plus power 10sec), and the phone FINALLY BOOTED normally :). It was alive and it had everything as before :-).

Anonymous said. @msft.guy '@EazyCut: Yes, since 5.x ipsw is available for your device, it's what is used, and it requires iTunes 10.5 @Schoolboy: Without code modification you have two possible options: 1.
Replace the downloadUrl key in allkeys.plist inside the.jar (strip the URL and just leave the filename). It will ask you to put the ipsw file into the sshrd folder, then extract the files locally. Extract the needed files into sshrd/ipsw(model)(build), appending.orig suffix to files that are patched and keeping the name for those that are not.
DeviceTree is unchanged, but iBSS gets an '.orig' appended to the filename. In this case, the download will be skipped. Note that the total download size is about 30MB(ramdisk+kernel), since partial download lib is used, and that files are reused once they're downloaded (on OS X, until you reboot, since the base dir is in $TMPDIR)' can you give an example for:ipsw(model)(build) please, and how can I put them back into a JARfile again please 'sorry I'm not an expert on this area' thanks in advance. I've been looking for help for 2 days now. I had a disaster with my iphone. I am running iOS4.0 on an iPhone 4.
I never upgraded and for the last year and a half it's been working fine. Friday April 6, 2012 morning, I decided (while in bed half asleep) to run Cydia and upgrade critical compnents. My phone went into a respring loop and I havent been able to access it. When I connect via USB to the computer, I can't even hear the phone recognition by my computer. I've tried some instructions to replace the launchd file using redsn0w (which are supposedly instructions by Saurik), but redwn0w doesn't like my IPSW. I'm stuck and I have 9 months worth of notes and data and contact that are not backed up because I didn't sync the device in 9 months because I'm a complete idiot. Can anyone help me at all?
I am willing to pay for this help if anyone is willing to help. My email is [email protected]. Why am I getting this when i type in the correct command into PuTTy fsckhfs /dev/disk0s2s1. /dev/rdisk0s2s1 Executing fsckhfs (version diskdevcmds-. Checking Journaled HFS Plus volume.
Detected a case-sensitive volume. Checking extents overflow file. Checking catalog file. Invalid index key (4, 1200). Rebuilding catalog B-tree. The volume Data could not be repaired.
Then i do (to give you guys info that may help) -sh-4.0# fsckhfs -rfd /dev/disk0s2s1. /dev/rdisk0s2s1 Using cacheBlockSize=32K cacheTotalBlock=1012 cacheSize=32384K. Executing fsckhfs (version diskdevcmds-488.1.7391). Journal replay returned error = 6.
Checking Journaled HFS Plus volume. Detected a case-sensitive volume. Checking extents overflow file. Checking catalog file. Rebuilding catalog B-tree. The volume Data could not be repaired.
Volume type is pure HFS+ primary MDB is at block 0 0x00 alternate MDB is at block 0 0x00 primary VHB is at block 2 0x02 alternate VHB is at block 14175582 0xd84d5e sector size = 512 0x200 VolumeObject flags = 0x07 total sectors for volume = 14175584 0xd84d60 total sectors for embedded volume = 0 0x00 Is there any way i can fix this? I understand that my volume can't be repaired for some reason and due to this my mnt2 can't be mounted unfortunately, however my mnt1 mounts perfectly fine. Anyone experiencing the same problem, or know how to fix it? Help would be greatly appreciated and I will be forever in your debt. I could really use some help.
Here's the deal. I have a friends 3gs and it won't boot past the apple logo. No spinning wheel at all. I tried running the jar file to see if I could retrieve his files without having to restore. (not backed up of course) and it gets stuck on the recovery portion. See below Exploit sent! Preparing to load the ramdisk.
Ramdisk load started! DFU device 'iPhone 3GS' connected Ignoring same device iPhone 3GS MobileDevice event: DfuDisconnect, 82c1227, 8920 MobileDevice event: DfuConnect, 82e1227, 8920 DFU device 'iPhone 3GS' connected Ignoring same device iPhone 3GS MobileDevice event: DfuDisconnect, 82e1227, 8920 MobileDevice event: RecoveryConnect, 82e1281, 8920 MobileDevice event: RecoveryDisconnect, 82e1281, 8920 Almost there. MobileDevice event: RecoveryConnect, 82e1281, 8920 MobileDevice event: RecoveryDisconnect, 82e1281, 8920 Almost there.
MobileDevice event: RecoveryConnect, 82e1281, 8920 MobileDevice event: RecoveryDisconnect, 82e1281, 8920 Almost there. MobileDevice event: RecoveryConnect, 82e1281, 8920 MobileDevice event: RecoveryDisconnect, 82e1281, 8920 Almost there. MobileDevice event: RecoveryConnect, 82e1281, 8920 MobileDevice event: RecoveryDisconnect, 82e1281, 8920 Almost there. MobileDevice event: RecoveryConnect, 82e1281, 8920
Is there anything I can do to this thing to make it boot so I can ssh into the thing? I'm not sure if there's any service that can get this data off without charging an arm and a leg but I'm sure he'd be willing to pay for it! Any help is greatly appreciated!

Hello everyone, I too am getting a mount_hfs: Invalid argument error when I am trying to mount /dev/disk0s2s1 to /mnt2. I was successfully able to mount /dev/disk0s1 to /mnt1 and view all the files, but I am unable to mount /dev/disk0s2s1 to /mnt2 and consequently unable to see any files. I have tried every combination of fsck_hfs -fy, -r, /dev/disk0s2s1 that is possible but I still can't mount /dev/disk0s2s1. Does anyone have any idea what is going wrong here? I am trying to recover photos that are very valuable sentimentally.
I know lots of people are in similar situations, but it would really mean so much to me if anyone has any helpful suggestions. Thank you so much.

I have a problem when using this tool. The original issue is that it reboots again and again at the white Apple logo. Recovery or upgrade in Recovery or DFU mode all failed, jumping into the reboot loop again and not loading the S/W. Then I searched and found this tool. The log is as follows:
DFU device 'iPhone 4 (GSM)' connected Building ramdisk for device 'iPhone 4 (GSM)' Extracted resource to C: DOCUME1 GEORGE1 LOCALS1 Temp sshrd allkeys.plist Working dir set to C: DOCUME1 GEORGE1 LOCALS1 Temp sshrd IPSW at Downloading Restore.plist. Kernel file: kernelcache.release.n90 Restore ramdisk file: 038-3715-001.dmg. Using syringe to exploit the bootrom. MobileDevice event: DfuDisconnect, 3471227, 8930 MobileDevice event: DfuConnect, 3471227, 8930 Exploit sent! Preparing to load the ramdisk. Ramdisk load started! DFU device 'iPhone 4 (GSM)' connected Ignoring same device iPhone 4 (GSM) MobileDevice event: DfuDisconnect, 3471227, 8930 MobileDevice event: DfuConnect, 38c1227, 8930 DFU device 'iPhone 4 (GSM)' connected Ignoring same device iPhone 4 (GSM) MobileDevice event: DfuDisconnect, 38c1227, 8930
At this step, it boots again and goes back to the reboot loop, and the tool seems to stop here. And why does it download iPhone3,15.0.19A405Restore.ipsw?
I remember the iPhone 4 I used is on iOS 4.3.1. Is there any suggestion to resolve the problem? I'm trying to save the photos from the phone before sending it back to Apple.

Today I put the device in DFU mode and tried this again, and opened the Remote Desktop and telnet services in Win7. The log shows:
'Using syringe to exploit the bootrom. Exploit sent! Preparing to load the ramdisk. Ramdisk load started! MobileDevice event: DfuDisconnect, 54e1227, 8930 MobileDevice event: DfuConnect, 54e1227, 8930 DFU device 'iPhone 4 (GSM)' connected Ignoring same device iPhone 4 (GSM) MobileDevice event: DfuDisconnect, 54e1227, 8930 MobileDevice event: RecoveryConnect, 54e1281, 8930'
It stopped here and the iPhone 4 shows the recovery screen. Any comment on this issue?

Wonderful work on this. U have the only program capable of fixing this. I think I had the same problem as tot4r4, but I checked all my necessary and unnecessary services and rebooted, then it worked further. Took a couple tries. The process was slow as my partition2 had serious errors that it was fixing. Then use putty and then winscp and I was in. Getting into dfu mode is a little tricky as u have to do the steps exactly with good timing or u end up in recovery mode showing the itunes and cable logos.
However, dfu mode showed only a black screen with a slight backlight. Only way I knew was yer program recognizing it. After backing up some files I tried booting it and I have my phone back after 2 months. Did backups and syncs. Plan on doing the att unlock soon.
I'm curious: after doing this, is my phone now seen as a partial jailbreak? Or is your app completely stealth after reboot? So I can do normal operations without future trouble like the official att unlock?
-iphone 3g 4.2.1 - you're a lifesaver.

Can anybody advise why I'm getting this:
Preparing to load the ramdisk. Ramdisk load started!

My wife has a 3GS that is jailbroken, I believe iOS 4.0.1. It will not boot all of a sudden. I was able to ssh into it with your tool and run mount.sh. I get:
-sh-4.0# mount.sh
Checking /dev/disk0s1. /dev/rdisk0s1 Executing fsck_hfs (version diskdevcmds-547162). Checking non-journaled HFS Plus Volume. Detected a case-sensitive volume. The volume name is Baker8B117.N88OS. Checking extents overflow file.
Checking catalog file. Checking multi-linked files. Checking catalog hierarchy. Checking extended attributes file. Checking volume bitmap. Checking volume information.
Trimming unused blocks. The volume Baker8B117.N88OS appears to be OK. Mounting /dev/disk0s1 on /mnt1.
Mounting /dev/disk0s2s1 on /mnt2. mount_hfs: Invalid argument
I tried:
-sh-4.0# fsck_hfs -fy /dev/disk0s2s1
/dev/rdisk0s2s1 Executing fsck_hfs (version diskdevcmds-547162). Checking Journaled HFS Plus volume. Detected a case-sensitive volume.
The volume name is Data. Checking extents overflow file. Checking catalog file. Invalid sibling link (4, 1840).
Rebuilding catalog B-tree.
At this point, with -r as well, it will disconnect from ssh and reboot the iPhone. All I want to do is be able to pull photos off the DCIM folder and then do a restore. Thanks for any help.

I got the 'Disk Full error' on my iPhone 4 4.2.1.
/dev/rdisk0s2s1 Executing fsck_hfs (version diskdevcmds-547162). Checking Journaled HFS Plus volume. Detected a case-sensitive volume. The volume name is Data. Checking extents overflow file.
Checking catalog file. Invalid index key (4, 4866). Rebuilding catalog B-tree.
Disk full error. The volume Data could not be repaired.
-sh-4.0# mount.sh
/dev/disk0s1 already mounted on /mnt1 Mounting /dev/disk0s2s1 on /mnt2. mount_hfs: Invalid argument
-sh-4.0#
Any help? :( I need to get the data back.

This tool is a lifesaver. If I can get it working! I'm trying on an iPhone 4 with 5.0.1 9A405.

I successfully connected to iPhone 2G in DFU, but could not run the dd command:
-sh-4.0# dd -list
-sh: dd: command not found
On PC I have dd for Windows (iPhone couldn't load in normal mode, having error invalid node structure (3,0). Volume check failure dev/rdisk0s2 (hfs) Exited with signal 8 fsck failed! fsck_hfs -r dev/rdisk0s2 never helped.
I am trying to make a disk dump to PC (WinXP) and try to restore it where, using
-sh-4.0# dd if=/dev/rdisk0 | ssh root@localhost 'dd of=iphone-dump.img'
-sh: dd: command not found
Help, please: what else do I need to do to have dd on the iPhone?

@msft.guy Great thanks for your attention! I could mount.sh via PuTTY /dev/disk0s1 (the needed partition disk0s2 with user data I couldn't mount) and then access it via WinSCP - so I could search files. dd was found. One more little step, but trying
-sh-4.0# /mnt1/bin/dd if=/dev/disk0s2 | /mnt1/usr/lib/apt/methods/ssh root@localhost 'dd of=C: iphone-dump.img'
100 Capabilities Version: 1.0 Send-Config: true
- still no dump. (If I use /rdisk0s2 instead of /disk0s2, it says Invalid argument.) Now will try your advice for cat and CyberDuck. Thanks once more.

@msft.guy Thanks - it was a great hint of yours to extract missing utilities from Cydia .deb packages! Copying by WinSCP and changing permission to 0755, I can use netcat! On this step, it seems, I cannot use CyberDuck or WinSCP because they use sftp, and I have to make on PC a raw disk dump of the broken partition which I couldn't mount from the iPhone. Some sources like explain how to do it over wifi. But I couldn't use wifi because I have access only through DFU. Running nc -l 3333 from one PC I see 'test' when entering echo 'test' | nc 192.168.0.28 3333 on the other PC. But entering
-sh-4.0# echo 'test' | netcat 192.168.0.12 3333
Error: Couldn't create connection (err=-5): No route to host
-sh-4.0# echo 'test' | netcat 127.0.0.1 3333
-sh-4.0#
On PC I see nothing. Can you clarify, please, how I can redirect output of netcat run on the iPhone to PC? Maybe I need the IP address of the PC and port as it is seen from the iPhone?

Hey awesome tool, I was futzing with a few plists in iFile, rebooted and now it's stuck on the Apple logo. I used this tool to revert to the percent-file backup, rebooted and no dice.
I recently had to restore because of the deactivation ticket on redsn0w trying to get official unlock to work without restore. But it failed, had to do full restore (and still locked), but now I can't figure out what's hanging it.
Where are the logs I can see that's causing the boot failures so I can revert that too? I did the dylib but the for script fails, it's expecting something else b/c the angle bracket shows up. But I digress, any other ways?
Once I do backup all these files, sms, photo, etc, I assume I can then do a full restore, jb, and scp these files back and it'll be good? Where are the app progresses? Like I have games and don't want to lose it as well.
I know I should have done a full backup but I don't think my plist fun is the cause of this, I think it's the jailbreak possibly. I been respringing lately finely, but never rebooted until now. Any help is tremendously grateful!

I am having an issue as indicated in the running of this jar file. Below is the last portion of the log:
Exploit sent! Preparing to load the ramdisk.
Ramdisk load started! DFU device 'iPhone 4 (GSM)' connected Ignoring same device iPhone 4 (GSM) MobileDevice event: DfuDisconnect, 1227, 8930 MobileDevice event: DfuConnect, 1227, 8930 DFU device 'iPhone 4 (GSM)' connected Ignoring same device iPhone 4 (GSM) MobileDevice event: DfuDisconnect, 1227, 8930 MobileDevice event: RecoveryConnect, 1281, 8930 MobileDevice event: RecoveryDisconnect, 1281, 8930 Almost there.
After this the iPhone 4 is stuck in a progress spiral. Please help me to get out of this. Also, earlier I had tried restoring my iPhone 4 to factory settings and it was not happening as iTunes was giving an error. Tried using TinyUmbrella to start a server.
I started trying all this after my iPhone 4 would not boot up (the Apple logo and boot animation would work and after that just a blank screen). Anyone please help me, this is an emergency.

I have the JAR program running but it seems to be stuck on 'almost there' for about 2 hours now. I am trying to save my boss's iPhone 3G running iOS 3.1.2 or 3.1.3, I'm not real sure. This program is the only thing that has given me any hope but it doesn't seem to be working.
Any help would be appreciated. Running the JAR program on a dual core Windows XP machine if that helps. Here is part of the verbiage from the JAR program also:
DFU device 'iPhone 3G' connected Building ramdisk for device 'iPhone 3G' Extracted resource to C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd allkeys.plist Working dir set to C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd IPSW at Downloading Restore.plist Skipping processing of C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd ipswiphone128C148 Restore.plist, file already exists!
Restore.plist downloaded to C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd ipswiphone128C148 Restore.plist Parsing Restore.plist. Kernel file: kernelcache.release.n82 Restore ramdisk file: 038-0029-002.dmg Downloading Firmware/dfu/iBSS.n82ap.RELEASE.dfu Skipping processing of C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd ipswiphone128C148 Firmware dfu iBSS.n82ap.RELEASE.dfu, file already exists! IBSS prepared at C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd ipswiphone128C148 Firmware dfu iBSS.n82ap.RELEASE.dfu Downloading Firmware/dfu/WTF.s5l8900xall.RELEASE.dfu Skipping processing of C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd ipswiphone128C148 Firmware dfu WTF.s5l8900xall.RELEASE.dfu, file already exists! WTF.s5l8900xall prepared at C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd ipswiphone128C148 Firmware dfu WTF.s5l8900xall.RELEASE.dfu Downloading Firmware/dfu/WTF.n82ap.RELEASE.dfu Skipping processing of C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd ipswiphone128C148 Firmware dfu WTF.n82ap.RELEASE.dfu, file already exists! WTF.n82ap.RELEASE.dfu prepared at C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd ipswiphone128C148 Firmware dfu WTF.n82ap.RELEASE.dfu Downloading Firmware/allflash/allflash.n82ap.production/DeviceTree.n82ap.img3 Skipping processing of C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd ipswiphone128C148 Firmware allflash allflash.n82ap.production DeviceTree.n82ap.img3, file already exists!
Device tree prepared at C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd ipswiphone128C148 Firmware allflash allflash.n82ap.production DeviceTree.n82ap.img3 Downloading Firmware/allflash/allflash.n82ap.production/manifest Skipping processing of C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd ipswiphone128C148 Firmware allflash allflash.n82ap.production manifest, file already exists! Downloading kernelcache.release.n82 Skipping processing of C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd ipswiphone128C148 kernelcache.release.n82, file already exists! Kernel prepared at C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd ipswiphone128C148 kernelcache.release.n82 Downloading 038-0029-002.dmg Skipping processing of C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd ipswiphone128C148 038-0029-002.dmg, file already exists! Ramdisk prepared at C: DOCUME1 DSYSTE1 LOCALS1 Temp sshrd ipswiphone128C148 038-0029-002.dmg Preparing to load the ramdisk. Ramdisk load started!
MobileDevice event: DfuDisconnect, 3841227, 12223100 MobileDevice event: RecoveryConnect, 3851281, 12803100 MobileDevice event: RecoveryDisconnect, 3851281, 12803100 Almost there.

Hi msft.guy, I'm on a 3GS running 4.21, jailbroken using greenp0ison.
Comments are closed.