  1. #1

    PARTLY FIXED - Reboot Loops/Boot Halted (probably mobilewatchdog.bundle)

    PROBLEM (short description):
    Can't finish reboot using blackra1n, because two minutes are exceeded (mobilewatchdog.bundle timeout); can't move mobilewatchdog.bundle because I can't seem to access the file system.


    PC OS: XP Pro SP3

    iPhone 3GS, manufactured before week 45 (something along the lines of week 20 to 30 from the code)
    firmware 3.1.2, 7D11, updated baseband
    jailbroken using blackra1n RC3
    no backup w/ iTunes but
    Apple Mobile Device Support service started & iTunesMobileDevice.dll installed (from iTunes 9.02 package)

    If you have any input on this I'll appreciate it - I'll post the things I've tried below.

    PROBLEM (long description):
    Using blackra1n RC3 (Windows binary) I can reboot from recovery mode to the blackra1n specific background (Windows binary says "done, wait for device to reboot" & pops up window about donations) with progress indicator (similar to http://affiliates.ebookers.com/offsi...ax-loading.gif), which after a few minutes reboots again, showing the Apple logo and the progress indicator - which moves a bit, then stops, then reboots and starts again with the Apple logo.

    I'm not entirely sure I've got too many applications installed - I've installed a few, but I wouldn't say it's overkill (I'd say probably around 30 to 40 apps, tops, with maybe not even 200 or 300 MiB used; certainly nothing even close - or intended - to what's described here: ~1000 apps on a 3GS running 3.1.2 & JB = endless reboot loop) - however, the symptoms are apparently the same. From this assumption I've mainly tried to disable the software watchdog via moving - however I can't seem to access the file system.

    The phone worked fine until it had to reboot at some point; wasn't thrown on the ground or anything else that could mechanically or electronically damage it (like unassembly, fluid spills, microwaving w/ salt sprinkles [the kind of advice you get on some forums :P]...).

    iRecovery
    I can use iRecovery which allows a few commands, such as bgcolor and reboot. It doesn't echo any success or failure to commands, though, e. g. setenv auto-boot true gets the following result:

    (Recovery) iPhone$ setenv auto-boot true
    (Recovery) iPhone$
    So it's not completely clear which iRecovery commands actually (still) work and which ones don't (e. g. printenv would be helpful for setenv auto-boot true).

    I've tried the fs command for the mobilewatchdog.bundle (fs mv /System/Library/SystemConfiguration/mobilewatchdog.bundle/ /) but after reboot or fsbooting this didn't change a thing (also, I didn't get any echo on this command either).

    The phone registers with libusb test mode (tried both recovery and DFU mode and it differentiates between the two).


    SSH
    Can't use SSH (tried all possible IP addresses via WiFi - where the phone registers - and USB via iPhone Tunnel Suite 3.0); apparently it's disabled, although iirc openssh was installed.

    Also tried DiskAid, iFunbox, iPHUC, iBooter, iPhone Browser - the first four didn't find the phone, probably because of the missing afc2 stuff; iBooter said the phone wasn't in recovery mode with the iTunesMobileDevice.dll that came with it. When supplied with my (current) dll it found the iPhone but crashed as soon as I sent a command.


    A restore might work, but that's not an option as I've got quite a bit of stuff on the phone that I'd like to keep (unless there's a restore variant that lets you keep your data). See updates below; think I've tried lots and lots of stuff and finally tried restoring, which is an adventure on its own.


    Update: Also tried fs mv /var/mobile/Applications to ApplicationsSomethingElse.

    Update: Used redsn0w 0.9.4 to switch to verbose boot mode - there are two variants I get to during boot:

    1. Stop at AppleBCMWLAN::halt() (cursor in next line); previous messages are similar to #743938 - Pastie; the line previous to the halt() is
    AppleBCMWLANN88PlatformManager::handleBBNotificationGated(): Baseband Reset, wifi down
    2. Rarely (maybe one out of five tries) it says
    en0: Error configuring transmit antenna (index = -1
    with a few other things - all of them after the halt().

    When using iRecovery previously I saw "performing full NAND R/O restore" which happens during boot as well, followed by "running fsck on boot volume" (or something similar). Very rarely it will find a Volume Bit Map Minor Error, happened once so far but not at any time after that.

    Update: Newest boot message goes as follows:

    AppleBCMWLAN::halt()
    AirPort: Enabled AppleBCMWLAN (link 1, sys 0, user 1)
    AppleBCMWLAN::setPOWER() [configd]: Supply down, deferring powerstate change 1
    en0: Error configuring antenna diversity (index = -1).
    en0: Error configuring transmit antenna (index = -1).
    AppleBCMWLAN::setPOWER() [configd]: Supply down, deferring powerstate change 0
    Phone shows the progress indicator in the middle of the screen after that.

    libusb's test mode reports this, if I put the phone in recovery mode:
    bus/device idVendor/idProduct
    bus-0/.libusb0-0001--0x05ac-0x1281 05AC/1281
    - Manufacturer : Apple Inc.
    - Product : Apple Mobile Device (Recovery Mode)
    - Unable to fetch serial number string
    wTotalLength: 64
    bNumInterfaces: 2
    bConfigurationValue: 1
    iConfiguration: 4
    bmAttributes: 80h
    MaxPower: 250
    bInterfaceNumber: 0
    bAlternateSetting: 0
    bNumEndpoints: 1
    bInterfaceClass: 254
    bInterfaceSubClass: 1
    bInterfaceProtocol: 2
    iInterface: 0
    bEndpointAddress: 04h
    bmAttributes: 02h
    wMaxPacketSize: 512
    bInterval: 0
    bRefresh: 0
    bSynchAddress: 0
    bInterfaceNumber: 1
    bAlternateSetting: 0
    bNumEndpoints: 0
    bInterfaceClass: 255
    bInterfaceSubClass: 255
    bInterfaceProtocol: 81
    iInterface: 0
    bInterfaceNumber: 1
    bAlternateSetting: 1
    bNumEndpoints: 2
    bInterfaceClass: 255
    bInterfaceSubClass: 255
    bInterfaceProtocol: 81
    iInterface: 5
    bEndpointAddress: 81h
    bmAttributes: 02h
    wMaxPacketSize: 512
    bInterval: 0
    bRefresh: 0
    bSynchAddress: 0
    bEndpointAddress: 02h
    bmAttributes: 02h
    wMaxPacketSize: 512
    bInterval: 0
    bRefresh: 0
    bSynchAddress: 0
    Next update: Tried sn0wbreeze 3.1.2 with a NOR only IPSW via iTunes.

    If iTunes doesn't recognize the iPhone in recovery mode, restart using power & home button and put it into recovery mode again (i. e.: connect to iTunes sign - iTunes doesn't recognize phone - close iTunes - hold power & home - Apple logo visible - release power but hold home - connect to iTunes sign visible - start iTunes).

    Stuck in "preparing iPhone for restore" in iTunes: Kill the iTunes process (e. g. via Task Manager or Process Explorer), wait a few seconds, restart iTunes, click ok on found an iPhone that needs restore, hold Shift, left-click on Restore, select NOR-only IPSW again (works for other IPSWs as well, but I'm trying to keep my data) and start the restore just like before. Next it'll reboot from black screen (where it was stuck) and go to the Apple logo with a progress bar immediately below the logo, fill the bar, then reboot.

    Unfortunately I'm stuck at the AppleBCMWLAN::setPOWER() mentioned above again after the NOR-only restore. I can provoke USB cable connected message at the verbose boot until a few seconds after the halt() is displayed. Also tried the NOR-only restore w/o verbose boot mode (but w/ custom boot logo so I can see there was actually a change in the IPSW).

    So next: Full iPhone2,1_3.1.2_7D11_Restore.ipsw (customized) w/ sn0wbreeze 3.1.2 (verbose boot mode, custom logos) - the standard, not customized, version makes iTunes cry "Device not eligible." (or along those lines). Customized version makes iTunes cry "Unknown error. (14)".

    While up to here blackra1n RC3 crashed sometimes, it did work to at least reboot with the Frodo/Geohot face as boot pic.

    Next: sn0wbreeze 1.5.1 w/ 3.1.3 IPSW, customized, NOR-only. No cigar, error 27.

    Next: sn0wbreeze 1.5.1 w/ 3.1.3 IPSW, customized, full restore. Back to SpringBoard now, w/ sn0wbreeze's Enjoy Your Jailbroken Device wallpaper. Couldn't connect to carrier, so retried building IPSW w/o activation.

    This finally worked.
    I'd like to say that I kept all the data I had on the phone, but I didn't. So one of the first things I did when reinstalling apps was to enable and test openssh via WiFi during boot (for the mobilewatchdog.bundle thing to work).

    Now I wonder whether Google phones are like little capricious princesses, too...

    Any and all constructive ideas & comments welcome and highly appreciated (even after all the stuff I tried)! I'll make an effort to supply any additional info you might need.
    Please don't tell me "should have made backups", "pwned", "don't jailbreak" etc.
    Last edited by imoddedmyi; 02-21-2010 at 09:28 AM. Reason: Automerged Doublepost

  2. #2

    Well, one good starting point might be getting in touch with the guys that actually did redsn0w, sn0wbreeze or iLibrary+. ;-)

    As far as methods go, I've refrained from using blackra1n again and went with sn0wbreeze - I'm on an unlocked, jailbroken 3.1.3 phone now (w/o baseband update).

    Something I'm wondering about, though: I've been seeing lots and lots of iPhones that have tons - literally five to eight screens - full of apps, all of them jailbroken. None of these screens were littered with web clips. I doubt that iPhones are so different between one and the other that some can hold lots of apps without a > 2 min boot time while others don't. So what's the secret there (none of the people I asked could explain it, unfortunately). Any ideas there? Is the problem happening only with blackra1n'd phones?

    I've been meticulously counting the seconds during recent bootups (72 so far with one and a half screen of apps). I can do USB connections fine, even added the afc2 service via Cydia (anyone got an input whether that's moot effort when not using blackra1n?).

    For now, it'd be cool if there was a step by step guide that detailed how you can do the disable mobilewatchdog.bundle stuff beginning with which things to install during setting up your phone (e. g. openssh).

    Finally, is this an issue for phones without jailbreak as well?

    As an aside, I strongly believe Apple and care are antonyms, obviously when it comes to making jailbroken life easier. ;-)

  3. #3

    Ok, here you can see how I could manage to save all my data (in the User directory [/var/mobile/media/]) from my unbootable iPod Touch 2g (MB version):

    My problems:
    -Ipod stuck at boot-logo
    -No OpenSSH installed
    -Can't access files through usb
    -Itunes only can restore my ipod w/ erasing my files

    It's possible to simply change the process of restoring with a simple update ("downgrade" was tested successfully too)

    You will need:
    iPod2,1_2.2.1_5H11a_Restore.ipsw
    iBSS.n72ap.RELEASE.dfu (from 2.1.1)
    hex editor (haven't tested it with simply renaming)
    irecovery (which needs installed libusb)
    libusb
    itunes (any version but it has to support your device [i used itunes 8])
    an operating system that can use the programs above
    Ipod Touch 2g (under MC versions, because you need to patch the device so it accepts the modded ipsw file for which we use redsn0w lite commands, which actually was only released for the Ipod Touch 2g)

    Now let's begin:
    we are changing the names of the two little dmg files (not the big one) inside the ipsw
    1)open iPod2,1_2.2.1_5H11a_Restore.ipsw with your hex-editor and change following values:
    at offset 115A69B6 change the value 33 to 34
    at offset 115A69FF change the value 34 to 33
    (or in text: change 018-4493-11.dmg to 018-4494-11.dmg and 018-4494-11.dmg to 018-4493-11.dmg)
    [if you search it by text-string there will be two times 018-4493-11.dmg and two times 018-4493-11.dmg, only change the second ones (don't forget you renamed them, when counting)]
    save the file

    2)now connect your Ipod in DFU mode or Recovery mode (just hold Sleep-Button and Home-Button until you see the Connect-to-Itunes-Screen)

    3a)now with irecovery do the following:
    Upload the iBSS.n72ap.RELEASE.dfu
    iRecovery -f iBSS.n72ap.RELEASE.dfu

    3b)Disconnect your device and reconnect it (your screen should get white)

    3c)
    "redsn0w"-command
    iRecovery -s
    arm7_stop
    mw 0x9000000 0xe59f3014
    mw 0x9000004 0xe3a02a02
    mw 0x9000008 0xe1c320b0
    mw 0x900000c 0xe3e02000
    mw 0x9000010 0xe2833c9d
    mw 0x9000014 0xe58326c0
    mw 0x9000018 0xeafffffe
    mw 0x900001c 0x2200f300
    arm7_go
    arm7_stop
    /exit
    4a)open up Itunes and select while pressing the SHIFT button "Restore"

    4b)select your modified Firmware and don't worry about iTunes warning you about your data going to be erased

    5)Your Ipod will probably not do anything for the next few minutes, but don't worry as long as Itunes doesn't show up an error-message all is going fine

    6)You're done. Your Ipod should now boot up with all your data on it (even if it was called a restore)

    It should actually work for EVERY firmware on EVERY device. However the problem is that i know no way about how to get the newer devices to accept the modified (and due to that unsigned) Firmware.
    Last edited by dresaa; 08-14-2010 at 01:12 PM.
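
Added example (not part of dresaa's post or of any tool named in the thread): renaming only the second occurrence of each name leaves two records for the same archive member that disagree, which an integrity check can flag. The Python below assumes the IPSW is a classic ZIP and that those second occurrences are its central-directory records; the archive is a small constructed stand-in, and `filesystem.dmg` and all function names are hypothetical.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

def build_sample_archive():
    """Constructed stand-in for an IPSW (a ZIP); member contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("018-4493-11.dmg", b"small image A (constructed)")
        zf.writestr("018-4494-11.dmg", b"small image B (constructed)")
        zf.writestr("filesystem.dmg", b"large image (constructed name)")
    return buf.getvalue()

def central_entries(data):
    """Yield (name_offset, name_length, local_header_offset) per member."""
    # Classic ZIP only: no ZIP64, no archive comment (assumption of this example).
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _cd_size, pos = struct.unpack_from("<HLL", data, eocd + 10)
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory entry at %#x" % pos)
        nlen, xlen, clen = struct.unpack_from("<3H", data, pos + 28)
        (local_off,) = struct.unpack_from("<L", data, pos + 42)
        yield pos + 46, nlen, local_off
        pos += 46 + nlen + xlen + clen

def make_tampered_sample(data, a, b):
    """Test fixture: swap two equal-length names in the central directory only."""
    patched = bytearray(data)
    for off, nlen, _ in central_entries(data):
        name = data[off:off + nlen]
        if name in (a, b):
            patched[off:off + nlen] = b if name == a else a
    return bytes(patched)

def find_name_mismatches(data):
    """Return (local_name, central_name) for members whose two records differ."""
    found = []
    for off, nlen, local_off in central_entries(data):
        if data[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError("bad local header at %#x" % local_off)
        (lnlen,) = struct.unpack_from("<H", data, local_off + 26)
        local = data[local_off + 30:local_off + 30 + lnlen]
        central = data[off:off + nlen]
        if local != central:
            found.append((local.decode("cp437"), central.decode("cp437")))
    return found

if __name__ == "__main__":
    clean = build_sample_archive()
    bad = make_tampered_sample(clean, b"018-4493-11.dmg", b"018-4494-11.dmg")
    print("clean:", find_name_mismatches(clean))
    print("tampered:", find_name_mismatches(bad))
```

A verifier that reads only one of the two records would miss this; comparing both catches a rename that leaves file size and member data untouched.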

  4. #4

    dresaa,
    Couple questions for you.
    1. The custom pawn created ipsw does not have two small ones, one large, and one small. The original has two small ones, and one that is large, about 230mb. Is it ok to use the original one?
    2. Also, I opened the ipsw and changed the file names, and closed it back up as a zip and changed the extension back to ipsw. Is that ok, or is hexing it better?
    3. After the BSS... file, I did not get a white screen. Do you want me to put the phone into dfu mode? But then iRecovery cannot see it. only sees it in restore mode.
    4. When I type the commands...
    arm7_stop
    mw 0x9000000 0xe59f3014
    mw 0x9000004 0xe3a02a02
    mw 0x9000008 0xe1c320b0
    mw 0x900000c 0xe3e02000
    mw 0x9000010 0xe2833c9d
    mw 0x9000014 0xe58326c0
    mw 0x9000018 0xeafffffe
    mw 0x900001c 0x2200f300
    arm7_go
    arm7_stop
    /exit

    Am I supposed to see/get something after each line? Or will the cursor just go down to the next? Which is what happens to me.

    I hope this works!....

  5. #5

    the tutorial above is only for the ipod touch 2g (mb).
    tell me your exact device and the firmware you're using.

    to ya questions:
    1)thats right: 1 big (file system),2 little ones (one for restore and one for updating)--->these two we gonna change

    2)Zipping and renaming SHOULD work also. however hex-editing was my way as it doesn't change the file compression level.

    3+4)thats if you have an ipod touch 2g (mb).

    --> tell me your device and firmware. and i download that firmware and look into it.
    Last edited by dresaa; 05-21-2010 at 05:56 AM.

  6. #6

    solved - recover data from boot looping iphone

    I solved my issue...
    check out the link here: http://www.hackint0sh.org/showthread.php?p=548507#post548507

    thanks

  7. #7

    just one question:
    do you got OpenSSH installed?

    IF NOT-->awesome

    ELSE-->that was my problem...only way i could save my files was the way above

    edit: by the way i noticed that this way (not ur link) could EASILY work when u use iREB (not tested but it SHOULD) as it makes nearly the same.
    so that would replace step 2 + 3
    -->so supported are all devices iReb supports...
    -->other way: for mac users: search for "canihazrecover"
    --->also could work if ya upload the wtf-file out of canihazrecover and send it with windows irecovery or dfuutil
    Last edited by dresaa; 05-22-2010 at 06:31 AM.

  8. #8

    dresaa

    have the same problem with iPhone 3gs Firmware 3.1.2.
    Can you help me?
