-
11-17-2010, 04:09 AM #1
Iphone 3GS 32gb iOS 4.1 Data recovery
Hello! Here's my story.
A friend of mine has wanted to jailbreak his iPhone for a long time (since I've done it) and I told him to make a backup before doing any of that just in case it all goes to hell.
A couple of days ago he told me he wanted to jailbreak it now, I said sure, no problem, it's easy!
So we downloaded greenpois0n (RC4) and apparently there was a bug in it so it couldn't be jailbroken. The iPhone went into recovery mode after the failed jailbreak attempt so I just tried the RC3 version and it didn't work either for some reason...
We couldn't boot up his iPhone (had to plug it in to iTunes to do a restore) so I started thinking of backups and I asked my friend "You have done a backup right?". Apparently he had not done so for the last two months and I was unsure if an iTunes iPhone restore would actually remove all photos etc. (I don't see why it has to?!) so there was no point of return (actually there was but we didn't think there was) so we decided to try a restore and hope that all his pictures of his newborn baby, video of him proposing to his girlfriend, etc. were still there after the restore.
Of course they weren't there anymore.
I felt really horrible for not reminding him of a backup but I can't blame only myself, it was his responsibility to back things up too.
So with all the anxiety I had, I googled around and found a few websites telling you how to do a photo/video recovery of an iPhone: either the expensive iPhone USB spy stick, or running Linux, SSHing into the iPhone and using the dd command.
To cut a long story short I finally managed to get dd going properly and here's what I do:
Code:
wirl@ubuntu:~$ ssh [email protected] dd if=/dev/rdisk0s2s1 bs=1M | dd of=/home/wirl/iphone.img
rdisk0s2s1 is the user data partition. People claim that using rdisk0 will copy the entire drive but I had no success in that, it just copies around 750 MB (the OS partition I think) and then stops. Interesting thing is that a site I read up on is using bs=4096 instead of 1M but only 1M works for me. And to verify that rdisk0s2s1 actually is the user data:
Code:
xxxxxs-iphone:~ root# df
Filesystem      1K-blocks   Used Available Use% Mounted on
/dev/disk0s1       768000 672784     87536  89% /
devfs                  33     33         0 100% /dev
/dev/disk0s2s1   30750376 411520  30338856   2% /private/var
Anyway, this all works and I had the iPhone over night grabbing the entire user partition to my machine and the next day when I was going to use photorec for recovery, I noticed it couldn't get any partition data out of the img file. I think this was odd because I can get partition data out of the 750~ MB image file (rdisk0) and recover a lot of OS files without any problems at all!
But for some reason, when using the dd command on the rdisk0s2s1, it won't be able to recover from the image file at all.
So I have run out of options now and that's why I am here. Does anyone have any experience in iPhone data recovery and can explain to me why I can recover from the OS partition and not the user partition?
Thanks!
PS. You are my last hope.
EDIT:
Hm interesting, tried the same thing on my iphone and I get the same results but I can recover a lot of files. Hm!
Last edited by wirl; 11-17-2010 at 04:27 AM.
-
11-25-2010, 05:34 PM #2
Same issue!
Hi mate, I have been trying to recover data from my 4.1 3gs 32gb /private/var for the last few days and have been unsuccessful just like you. I have tried *everything* I could find on the net. I even bought the iPhone Forensics book by Jonathan Zdziarski but he only covers up to 3.1.3. I sent him an email to ask him if he's figured out how to do it in 4.1 and will post his reply if he gets back to me.
Have you had success in recovering your data from your 4.1 3gs?
Good luck to both of us!
P.S. I also had the problem of not being able to unmount /private/var and remount read-only. I was able to pull a 31.4 GB image off of rdisk0s2s1 - it seems that the 'bs' doesn't really matter above 1M as long as it works because I pulled off images via USB+SSH with 2M, 4M and they were all the same number of bits.
-
11-26-2010, 05:08 AM #3
Hello!
I have an Iphone 3GS 16gb running iOS 4.1 and my friend has the same model and same iOS version but has the 32gb version.
I tried above commands on my phone and his phone and I can recover files from the image taken off of my iphone but I am unable to recover files from his iphone image.
I've tried mounting both image files and it works, I can browse around through the different folders so the data is there but it seems the lost data on the 32gb version cannot be recovered for unknown reasons.
Maybe it's a bug in photorec (I have not tried any other tool yet), though I doubt it.
What could differ between the 16gb and 32gb so much that a file recovery will fail?
Very strange!
-
11-26-2010, 09:51 PM #4
The only advice I can give you guys is to use your iPhone less and less as using it more will definitely overwrite the data.
This is what I used when I did my OWN image file. I copied the same thread you went to, and added a couple of things along the way so I could remember how to do it next time. I'm sorry if it isn't organized or anything.
PHP Code:
on iphone, restore firmware, download openssh and mobile terminal.
to setup ssh server:
download ubuntu, burn iso, boot it, select the one with no changes.
http://ftp.ucsb.edu/pub/mirrors/linux/ubuntu/jaunty/ubuntu-9.04-desktop-i386.iso
Make sure to add repos to sources.list otherwise you’ll get error before doing the next step.
Go to Admin – Software Sources – Third Party Software- Add those two sources.
Go to terminal and put in
sudo apt-get install openssh-server openssh-client
open terminal, install sshd by typing:
sudo apt-get install openssh-server
then change password:
sudo passwd
find your ip address, look at inet addr:
ifconfig
now you're done with the ssh server.
Put iPhone in “Never Lock”
Go to terminal in Ubuntu and type
ssh root@youriphone’sIPaddress
password:alpine
then put one of these:
iPhone 2G, 3G Recovery
dd if=/dev/disk0 | ssh root@ipaddress 'dd of=/dump.img'
iPhone 3GS Recovery
The whole thing
dd if=/dev/rdisk0 bs=1M | ssh username@Computer’sIPaddress 'dd of=iphone-dump.img'
Just the system partition
dd if=/dev/rdisk0s1 bs=1M | ssh username@Computer’sIPaddress 'dd of=iphone-dump.img'
Just the user partition
dd if=/dev/rdisk0s2s1 bs=1M | ssh username@Computer’sIPaddress 'dd of=iphone-dump.img'
Should be located at the “home.” If done right, hit “Refresh” and the size should keep getting bigger and bigger every time you hit refresh.
Should take a long time depending on the capacity of your iPhone.
now go back to ssh server, find dump.img, move/copy it to your hard drive.
now reboot pc, download magicdisc:
Mount ISO Files - Freeware MagicDisc Download
and download photorec:
TestDisk Download - CGSecurity
mount the img file, and follow these directions to run photorec.
PhotoRec Step By Step - CGSecurity
Same thing as you - 32GB 3GS. 3.1.2 however. I have an iPhone 4 right now, and I'm trying to recover something on my own.
If you have any questions, I'll try to answer, but since this was long ago, I may have to refresh my memory, or I can't answer. Good luck!
Last edited by latinodancer15; 11-26-2010 at 09:51 PM. Reason: Automerged Doublepost
-
11-27-2010, 02:26 AM #5
Thanks for the advice. I'll try that magicdisc thingy and see if it'll turn out any better.
-
11-29-2010, 07:36 AM #6
-
12-01-2010, 08:10 AM #7
It seems that the iOS 4 user partition is encrypted and we should wait until someone finds a way to decrypt it.
The decryption key is supposed to be in /private/var/keybags/systembag.kb
I'm waiting for solution too.
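
Added example, not part of the original posts: one way to test the encryption hypothesis raised in post #7 on an acquired image is to measure per-block entropy and count the file headers a carver such as photorec searches for, since compressed media is also high-entropy and entropy alone proves nothing. The block size, threshold, signature list and both sample images are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096          # analysis granularity (assumption, not from the thread)
HIGH_ENTROPY = 7.9    # bits/byte; random 4 KiB blocks measure about 7.95
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 = constant, 8.0 = uniform)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def triage(image: bytes) -> dict:
    """Per-block statistics that indicate whether carving can succeed."""
    used = high = 0
    hits = Counter()
    for off in range(0, len(image), BLOCK):
        block = image[off:off + BLOCK]
        if not block.strip(b"\x00"):      # zero-filled block, nothing to judge
            continue
        used += 1
        high += entropy(block) >= HIGH_ENTROPY
        for magic, name in MAGIC.items():
            if block.startswith(magic):   # header a carver would lock onto
                hits[name] += 1
        if block[4:8] == b"ftyp":         # QuickTime/MP4 video header
            hits["mov/mp4"] += 1
    ratio = high / used if used else 0.0
    return {"used_blocks": used, "high_entropy_ratio": round(ratio, 3),
            "signatures": dict(hits),
            "likely_encrypted": used > 0 and ratio > 0.95 and not hits}

def keystream(seed: bytes, n: int) -> bytes:
    """Deterministic random-looking bytes standing in for ciphertext."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

# Constructed samples (not real device data), 16 blocks each.
ENCRYPTED = keystream(b"enc", 16 * BLOCK)
PLAIN = (b"\xff\xd8\xff\xe1" + keystream(b"jpg", 3 * BLOCK - 4)     # one JPEG
         + (b"CREATE TABLE sms (ROWID INTEGER);\n" * 121)[:BLOCK]   # text
         + bytes(12 * BLOCK))                                       # zeroed

if __name__ == "__main__":
    for name, img in (("encrypted-like", ENCRYPTED), ("plaintext-like", PLAIN)):
        print(name, triage(img))
```

For a real multi-gigabyte image, read the file in chunks instead of loading it into memory; a result with almost every used block above the threshold and no headers at all is what a carver sees when the data is still encrypted.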
-
12-01-2010, 11:57 AM #8
I have just jail-broken and unlocked my iPhone 32GB, 3GS to 4.2.1 with Modem Firmware up to 16.15.00. Everything seems to be working fine except the icons for many of my installed apps are no longer on the springboard. I can access them through the search mode and they are all there but they are not visible. Does anyone know how to get them to reappear on the springboard? Do I have to reinstall them one by one from the App store?
This is an addendum to my post written above at 10:47 AM. At approximately 6 hours after I had completed the above-mentioned jail-breaking with Redsn0w to update my iPhone software to OS 4.2.1 with modem firmware 16.50.00 and unlocking with Ultrasn0w 1.2, all my app icons spontaneously reappeared on my springboard. I have no idea what made them not appear initially, and I have no idea what made them reappear so suddenly after such a long time. I thought that they would be lost forever. If anyone has an idea as to why this happened I would certainly be interested in knowing. I am happy to say that everything is working great at the moment.
Last edited by mskreind; 12-01-2010 at 11:57 AM. Reason: Automerged Doublepost