Emergency SSH access using a pwn'd DFU mode RamDisk

[wawuce]

First off this has been put together from parts of other posts by other users who have gotten access to their phones in dfu mode. I have also gotten access to my phone. I decided to put up a simplified (I hope) tutorial for others.


REQUIREMENTS:

1. First download https://github.com/downloads/msftguy..._rd_rev03b.jar
2. Custom 4.2.1 ipsw created by PwnageTool or Sn0wbreeze(might work for other firmwares. just use the appropriate one)
3. tetheredboot utility from https://github.com/downloads/msftguy...boot_win32.zip
4. itunnel_mux (rev71): http://iphonetunnel-usbmuxconnectbyp..._mux_rev71.zip
5. putty(ssh client): PuTTY Download Page
6. cyberduck: Cyberduck ? FTP, SFTP, WebDAV, Cloud Files, Google Docs & Amazon S3 Browser for Mac & Windows.
PROCESS:

1. create a "NEW FOLDER" and put it in your desktop.
2. Extract everything (except the custom ipsw) to "New Folder"
3. Extract the custom 4.2.1 ipsw (I use 7-zip) to a temporary folder named IPSW

From the temporary folder(IPSW), find and copy to "New Folder"
a. IBSS.n88ap.RELEASE.dfu(located in the firmware folder)
b. kernelcache.release.n88(extracted from IPSW)
c. DeviceTree.n88ap.img3(located in all flash\all_flash.n88ap.production folder)

Put phone in DFU mode

4. execute: jre-7-windows-i586-iftw.exe.

This is what you should see when running it.




When the phone shows that put the phone back in to DFU mode.
Open a cmd.exe window (run as admin) and navigate to "New Folder" (this is the folder where you saved everything.)
Right click on them and drag them to your local disk which should be c:
Then type in the command window the following:

tetheredboot exe. -i iBSS.n88ap.RELEASE.dfu -k kernelcache.release.n88 -r 038-0082-001.dmg.ssh

then hit enter

you should see the following:




then this:



5: in the command window(cmd.exe) type in the folowing:
itunnel_mux --lport 22

it then should look like this:



DO NOT CLOSE THE WINDOW


6: Open a new cmd.exe window(run as admin)

7: open putty and do the following:

where is says "HOST NAME (or Ip address) endter the words localhost(all one word) port is 22 and click open. it should look like this:



if says something about saving the authenication key click yes. After that putty will open. Enter the following:

login as: root
root@localhost's password:alpine (it won't show it on the screen)

should look like this:



To mount / (root) filesystem (contains system settings & files, MobileSubstrate dylibs, etc) type what is posted past the # sign then press enter.

8: -sh-4.0# fsck_hfs /dev/disk0s1
9: -sh-4.0# mount_hfs /dev/disk0s1 /mnt1/

Mount /usr filesystem (everything else, IE: music, media, photos, apps, data, etc)
10: -sh-4.0# fsck_hfs /dev/disk0s2s1
11: -sh-4.0# mount_hfs /dev/disk0s2s1 /mnt2/

To set the path correctly so you can easily navigate the filesystem:
12: -sh-4.0# PATH=$PATH\:/mnt1/bin

Congratulations, you now have full root access up to this point, the iDevice has NOT been modified in any way --- so be careful! After you're done messing around, play it safe - execute: sync; sync; sync This will flush any pending filesystem writes.

13: Use Cyberduck to access the phone in order to retrieve the data you need.

use the ssh terminal in the connections tab.
server is localhost
port is 22

username is root
password is alpine



Now for some reason that I haven't figured out why it doesn't correct the problem on the phone. It only lets me get into it. Get what you need and then restore the phone.

When finished, to terminate the session and restart the iPhone:
14: -sh-4.0# kill 1


Hopefully this helps anyone who has the need to save the data off the phone. If you run into a problem message me and i'll see if I can help you.

[seraphim.sophomore]

i have a problem
you state Restore Ramdisk (038-0082-001.dmg) IV & KEY (3GS, iOS 4.2.1)
but i have phone 4 with different baseband,
and you specify sure action with itunes 10.2,
can we be flexible on these two issues and yet acquire the result?

[togu]

First off this has been put together from parts of other posts by other users who have gotten access to their phones in dfu mode. I have also gotten access to my phone. I decided to put up a simplified (I hope) tutorial for others.


REQUIREMENTS:

1. First download https://github.com/downloads/msftguy..._rd_rev03b.jar
2. Custom 4.2.1 ipsw created by PwnageTool or Sn0wbreeze(might work for other firmwares. just use the appropriate one)
3. tetheredboot utility from https://github.com/downloads/msftguy...boot_win32.zip
4. itunnel_mux (rev71): http://iphonetunnel-usbmuxconnectbyp..._mux_rev71.zip
5. putty(ssh client): PuTTY Download Page
6. cyberduck: Cyberduck ? FTP, SFTP, WebDAV, Cloud Files, Google Docs & Amazon S3 Browser for Mac & Windows.
PROCESS:

1. create a "NEW FOLDER" and put it in your desktop.
2. Extract everything (except the custom ipsw) to "New Folder"
3. Extract the custom 4.2.1 ipsw (I use 7-zip) to a temporary folder named IPSW

From the temporary folder(IPSW), find and copy to "New Folder"
a. IBSS.n88ap.RELEASE.dfu(located in the firmware folder)
b. kernelcache.release.n88(extracted from IPSW)
c. DeviceTree.n88ap.img3(located in all flash\all_flash.n88ap.production folder)

Put phone in DFU mode

4. execute: jre-7-windows-i586-iftw.exe.

This is what you should see when running it.

Attachment 564268


When the phone shows that put the phone back in to DFU mode.
Open a cmd.exe window (run as admin) and navigate to "New Folder" (this is the folder where you saved everything.)
Right click on them and drag them to your local disk which should be c:
Then type in the command window the following:

tetheredboot exe. -i iBSS.n88ap.RELEASE.dfu -k kernelcache.release.n88 -r 038-0082-001.dmg.ssh

then hit enter

you should see the following:


Attachment 564270

then this:

Attachment 564269

5: in the command window(cmd.exe) type in the folowing:
itunnel_mux --lport 22

it then should look like this:

Attachment 564271

DO NOT CLOSE THE WINDOW


6: Open a new cmd.exe window(run as admin)

7: open putty and do the following:

where is says "HOST NAME (or Ip address) endter the words localhost(all one word) port is 22 and click open. it should look like this:

Attachment 564322

if says something about saving the authenication key click yes. After that putty will open. Enter the following:

login as: root
root@localhost's password:alpine (it won't show it on the screen)

should look like this:

Attachment 564273

To mount / (root) filesystem (contains system settings & files, MobileSubstrate dylibs, etc) type what is posted past the # sign then press enter.

8: -sh-4.0# fsck_hfs /dev/disk0s1
9: -sh-4.0# mount_hfs /dev/disk0s1 /mnt1/

Mount /usr filesystem (everything else, IE: music, media, photos, apps, data, etc)
10: -sh-4.0# fsck_hfs /dev/disk0s2s1
11: -sh-4.0# mount_hfs /dev/disk0s2s1 /mnt2/

To set the path correctly so you can easily navigate the filesystem:
12: -sh-4.0# PATH=$PATH\:/mnt1/bin

Congratulations, you now have full root access up to this point, the iDevice has NOT been modified in any way --- so be careful! After you're done messing around, play it safe - execute: sync; sync; sync This will flush any pending filesystem writes.

13: Use Cyberduck to access the phone in order to retrieve the data you need.

use the ssh terminal in the connections tab.
server is localhost
port is 22

username is root
password is alpine



Now for some reason that I haven't figured out why it doesn't correct the problem on the phone. It only lets me get into it. Get what you need and then restore the phone.

When finished, to terminate the session and restart the iPhone:
14: -sh-4.0# kill 1


Hopefully this helps anyone who has the need to save the data off the phone. If you run into a problem message me and i'll see if I can help you.

Is it possible to do it on Iphone 4S on 5.0.1????
Thanks in advance

UPDATE: Unsupported device.

[wawuce]

togu im not 100% sure but its worth a shot. just change the appropriate files that are needed. let me know how you make out. im curious too.

[togu]

togu im not 100% sure but its worth a shot. just change the appropriate files that are needed. let me know how you make out. im curious too.

I couldn't make pwn 4S' 5.0.1 ipsw, the reason is that redn0w doesn't support the device yet. tried the dirty way executing itunnel_mux.exe but it stays on "waiting for the device" or smtn like that but ofcourse it never works.

[togu]

deleted*

[SwagR]

I'm On a mac im how can I do this?