[miscreanity]

My first Apple purchase ever - a shiny black 16GB 3GS (IPSW 3.0/7A341). Being a Linux user for longer than I can remember, it took a couple of weeks to get access to a Windows box with iTunes (ver. 8.2.1.6). During the interim, I put on about 200 pics/photos and 1000 or so texts, with another 1000 IMs through Beejive. On first connection iTunes, it recognized the phone and began a sync. All was well with the world.

A notification popped up about the update to IPSW 3.0.1 which proclaimed a fix for the SMS vulnerability. I figure sure, it can't be that bad to pop in a minor update. Oh, how wrong I was. The single point of catastrophic failure known as iTunes deemed my precious toy to be in need of a solid bricking.

Now, sitting with a lump of a dark mirror in my hands (but what a pretty lump), it was time to research my options. The restore from iTunes swore it would steal every ounce of life that once resided in the entropized confines of my handheld, but offered the promise that it would restore the backed-up data to its former glory. Being unsure at this point, I decided to make absolutely certain that there was a backup, only to find that there was absolutely, certainly... nothing. Well, aside from some of the crash logs.

I am now perturbed. By perturbed, I mean that I desire for Steve Jobs to get cancer again and undergo multiple tooth extraction performed by Liza Minnelli on acid - all while having severe, full-body muscle spasms.

The recovery options available online all fail... often taking Windows down with them. I discover that my phone is in DFU mode, which I assume has something to do with a dead fetuses. I decide that someone at Apple has a medically-oriented sick sense of humor. This makes me even more perturbed.

My iPhone is still staring at me blankly. Since I can still see the device on USB under Linux, and iTunes pops up and wants to restore every time I plug it into the Windows system, I know something can be done to extract my data. After a brief stint of modifying the source of irecovery in an attempt to interact with full-on DFU mode, my desire to reverse-engineer just didn't hold as much appeal as it did in my earlier years. More exploration into the options of mounting the drive lead to the option of jailbreaking. That was an option I had no intention of pursuing, but it seems Apple has made that the only viable choice in order to extract my goodies. Finally, I decide to take the plunge and restore through iTunes.

Once that's done, I have a clean slate. All those dirty conversations have been wiped. Damn.

No! I can rebuild the lost data! I have the technology! I have the capability to... Anyway, the frosty thing with a zero for a letter works, and next thing I know, there's some Martian program installed. With a hop, skip & a jump, I frolic into the seedy world of freedom. As an aside, it smells nice there.

With the OpenSSH daemon now running, it's time to play. I found no way to mount the drive, but there was a neat little SSH trick. The way it was pushed didn't appeal, so I used the pull style instead.

Push version seen everywhere online:
dd if=/dev/disk0 | ssh user@iphone-ip 'dd of=iphone.img'

Pull version which I prefer (but requires auto-lock to be disabled):
ssh user@iphone-ip dd if=/dev/disk0 | dd of=iphone.img

Again, simply a matter of preference. In any case, the results kept coming up fruitless.

"dd: reading `/dev/disk0': Invalid argument"

"dd: opening `/dev/disk0s1': Resource busy"

Visuals of the 5th Ave Apple Cube being melted into glassy slag prance around me.

After running through a couple of proof-of-concept tests going from one SSH box to another just to make sure I'm not going insane, I confirm that the command will work even while a device is mounted. Perhaps the iPhone simply won't do the nasty while it's mounted. That seems counter-productive, but I'll kick it off for a moment. What's this? There's no 'umount' command? Who does that!?

Even as root, trying to force the file system into a read-only mode fails. There isn't an immediately apparent way to show open files, or even currently running processes. Yes, further searching may yield clues, but I need a break. None of the techniques I've found seem to work with my 3GS using the 3.0 system software. Something like SSHFS is obviously too high-level.

I am now searching for sharp objects to use during my hostage stand-off at a certain Cupertino software company headquarters. Help prevent that from happening - tell me something good, or at least point me in a direction. Anyone? Bueller... Bueller... Bueller?

Cheers!

[cpjr]

Not really sure what your getting at.

[pokekid]

are you asking for help or ranting? I'm pretty sure every owner has lost some important data at one point or another. sucks to hear though. hope u find a way to get your precious back

[miscreanity]

Just being a spaz, for the most part. Also needed a break from sifting through countless forums and articles. What better way to do that than to rant about the offending subject? On a good note, my phone is back in action after restoring, just without all the juicy morsels.

I am looking for some other direction to take as far as getting a raw dump off of the phone. There was mention that the 'umount' utility is on a ramdisk, which I'm looking further into. Otherwise, I'm considering looking into the iPhone dev toolchain to build a Darwin binary that can be uploaded. None of the current programs I've seen are on the forensics side of the fence.

I've never done any coding for an Apple platform before, but I am aware that it's BSD based at the lower levels. This tells me that, so long as it's jailbroken, it can be done - success just depends on how much effort I'm willing to put in.

Of course, my project after figuring out how to get a dump from the 3GS will be to work on a tool to extract the useful information. I'll probably use Python, as I've seen a very nice, small script that can pull at least some of the data.

Again, any suggestions are appreciated.

[iJulien]

Hi,
Same problem here after reading http://modmyi.com/forums/file-mods/6...backed-up.html
Have you come up with a solution yet?
Did you try Zdiarski's method? Webcast: iPhone Forensics Demonstration

[miscreanity]

iJulien,

The Zdziarski method of using a custom boot loader seems to be overkill when I can easily jailbreak using redsn0w and (hopefully) unmount the partitions. Of course, that's assuming a dd dump will be possible after doing so. The 3GS seems to be more aggravating than previous iterations.

So I'm planning on extracting 'umount' from the 3.0/7A341 IPSW since I have yet to find it online. I'm using Linux and don't have access to a Mac, so I'll have to use the xpwn utilities. Sadly, I haven't had time to compile and test it yet.

With any luck, I'll have the opportunity during the next couple of days. After that, it's a quick upload using scp and a few commands to determine viability. You can be sure there'll be a post here if it works!

[Efrdman2008]

I'll be honest, although I can't help you, that was an extremely entertaining read.

[iJulien]

Thank you miscreanity. Frustrating.
Here's what I get after using redsn0w, installed cydia and the nc tool.

Last login: Tue Aug 18 23:52:16 on ttys000
OSX-JULIEN:~ Ju$ ssh root@192.168.2.5
root@192.168.2.5's password:
Blueberry:~ root# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/disk0s1 750M 536M 208M 73% /
devfs 27K 27K 0 100% /dev
/dev/disk0s2s1 30G 17G 13G 58% /private/var
Blueberry:~ root# mount
/dev/disk0s1 on / (hfs, local, noatime)
devfs on /dev (devfs, local)
/dev/disk0s2s1 on /private/var (hfs, local, noatime)
Blueberry:~ root# /bin/dd if=/dev/disk0s2s1 bs=4096 | nc 192.168.2.4 7000
/bin/dd: opening `/dev/disk0s2s1': Resource busy
Blueberry:~ root# /bin/dd bs=4096 if=/dev/disk0s2s1 | ssh Julien@192.168.2.4 'dd of=iphone-dumpz.img'
/bin/dd: opening `/dev/disk0s2s1': Resource busy
Password:
0+0 records in
0+0 records out
0 bytes transferred in 0.000034 secs (0 bytes/sec)
Blueberry:~ root#


Should I try to umount the disk0s2s1 first?

[miscreanity]

E-man - thanks, glad you enjoyed the tirade!

iJ - yes, the partition will need to be unmounted. There's no way to know for sure whether it'll work, but it's still a simpler procedure than creating a custom iBoot a la Zdziarski. However, by default the iPhone does not have the umount command installed. The utility needs to be extracted from the appropriate IPSW ramdisk. For 3.0+ IPSW, the ramdisk needs to be decrypted first, and it's a huge PITA for the latest version. Hopefully, I'll be able to get it done soon (as in hours to days). I have to say, it may be easier on your OSX box when it comes to mounting the decrypted dmg. If you can get it extracted on your system following the directions in the aforementioned links, you'll make the process much easier.

Other than that, I'll keep you posted.

[miscreanity]

Welcome back to the continuing saga. This evening, we'll have Apple Computer starring as the psychotically jealous lover, opposite iPhone users scrambling for restraining orders before Apple ruins the experience. May a thousand marsupials trample Apple and AT&T into a gooey mess. Google, take me away!

So far, there's good news and bad news.

The bad news first: I got a chance to decrypt and take a peek at the 3.0 ramdisks and found that there is no 'umount' utility in any of the usual places (sbin, usr/sbin, etc...). While this is bad, it indicates that unmounting the partitions will allow a dd image to be generated. Of course, that requires the umount utility to be available. Without it, this little project is dead in the water.

The good news: There is hope! Basically, it boils down to someone with the iPhone SDK (which possibly isn't low-level enough) or Darwin/iPhone 3.0 source (more likely) compiling the umount binary for the correct target hardware platform - the S5L8920. If I do undertake this endeavor, it will likely be some time before I can pop out a properly targeted binary, if at all. Does anyone else care to step up to the plate? Preferably someone with a Mac.

Another method that may work is downgrading to 2.x system software. I haven't explored the option using the 3GS yet. If it works at least you'd be able to dump data from that version. Keep your fingers crossed...

[guisquil]

Hi,

So there is no way to get the .img yet from the 3GS using this technique ? i get the same errors as you guys...

Thanks

[Poseidon79]

A more fruitful endeavor may be to research why an initial back-up was never made so you are not left in the same predicament again. If you figure that out then all the rest is moot.

[guisquil]

Mom is that you?

[cyclonefr]

Just wanted to post I managed to finally dump my /private/var partition from my 3GS : the culprit is the dd command you need to type and isn't the correct one :

the correct one is :

ssh user@iphone-ip dd if=/dev/disk0 bs=1M | dd of=iphone.img

so just add bs=1M and it should work.. It did for me !

Enjoy !

P.S: if you only wanna backup the private/var partition, specify rdisk0s2s1

[guisquil]

WOW that is great how long did it take and do you get a visual of the percentage of how the file being written?