04-08-2011, 09:44 PM #1
Emergency SSH access using a pwn'd DFU mode RamDisk (Win7-32)
Use at your own risk. Experienced users only !! If you don't know what you're doing, stay away!!
When an iDevice won't boot, several remedies are available. SSH, iPhoneExplorer/Browser, etc. and an iTunes restore are the normal methods to either restore the device or gain access to a non-bootable device and apply a fix. This is an alternative approach for when the normal methods don't work and all else fails. Warning: Significant iPhone/computer experience required!!
This is not new work. It uses this reference as THE source (Mostly iPhone hacking: Booting SSH ramdisk on new devices), adds changes for iOS 4.2.1 and lots of clarification. All thanks go to MsftGuy and so many others.
The goal: acquire SSH access to the root and user filesystems, modify and/or delete the offending program, and reboot without any damage or noticeable change. This process should be considered a last resort. It builds a new ramdisk with SSH included and uses current jailbreak exploits to load that ramdisk onto the iDevice and access it. It requires technical knowledge, significant computer and iPhone experience, and is NOT for the beginner or the faint of heart.
Since the release of 4.x, many have experienced booting issues after installing a non-compatible or faulty MobileSubstrate app. Most of the time, the 3GS will boot or respring into safe mode, where it can be accessed and fixed. Unfortunately, once in a while, it does not boot into safe mode. It hangs at the Apple logo. When this happens, I typically get the normal Apple logo for about 5 minutes, then it adds a spinning wheel for another 2-3 minutes, then everything freezes. It doesn't reboot, it does nothing! A force shutdown works, but it does the same thing over and over again.
The problem: !!! No access !!!
During this 'once in a while' situation: SSH, AFC2, iPhoneBrowser/Explorer and iTunes do not work, and the computer does not recognize the device. Nothing I've tried will access or even recognize the device. Without access, it cannot be fixed.
Note: If your iDevice continually reboots (does not freeze), a simpler solution is likely. SSH/AFC2 access may be available for a short time during the reboot process.
Claimed support: iPhone4, iPad I, 3GS old & new bootrom
iOS 4.0 and above
Tested: 3GS, old bootrom, iOS 4.2.1 (Windows 7 PC, iTunes 10.1), jb'd w/PwnageTool
Tested: 3GS, new bootrom, iOS 4.1 (Windows 7 PC, iTunes 10.4), jb'd w/redsn0w (using 4.1 files and keys, see end of post)
Previously jailbroken (any method)
Implements: limera1n for a pwn'd DFU mode exploit
NOT FOR older 2G, 3G devices, or any iOS 3.x
(A similar method using iRecovery is available, see links above)
Note: Instructions are written for 3GS/4.2.1. Newer/older iOS/iDevices should work. My primary reference (msftguy link in 2nd paragraph above) provides a 4.1/3GS tutorial. Make appropriate changes (different custom ipsw with different file names) for your iOS / iDevice version.
1: RecoveryRamdiskBuilder_rev_2.zip: http://iphonetunnel-usbmuxconnectbyp...lder_rev_2.zip
(Reference: Mostly iPhone hacking: Booting SSH ramdisk on new devices)
2: Restore Ramdisk (038-0082-001.dmg) IV & KEY (3GS, iOS 4.2.1): from VFDecrypt Keys - The iPhone Wiki
3: Custom 4.2.1 ipsw created by PwnageTool or Sn0wbreeze
4: tetheredboot utility from https://github.com/downloads/msftguy...boot_win32.zip
5: itunnel_mux (rev71): http://iphonetunnel-usbmuxconnectbyp..._mux_rev71.zip
1: Create a "New Folder"
2: Extract everything (except the custom ipsw) to "New Folder"
3: Extract the custom 4.2.1 ipsw (I use 7-zip) to a temporary folder
From the temporary folder, find and copy to "New Folder":
a. iBSS.n88ap.RELEASE.dfu,
b. kernelcache.release.n88,
c. DeviceTree.n88ap.img3, and
d. 038-0082-001.dmg (the restore ramdisk)
Then run RecoveryRamdiskBuilder from "New Folder":
Copy/paste the IV and KEY (from theiphonewiki....)
Select ramdisk: 038-0082-001.dmg (the 4.2.1 custom ipsw ramdisk)
A new ramdisk is built automatically: 038-0082-001.dmg.ssh
If successful, it completes with: ALL OK; boot with '038-0082-001.dmg.ssh' ramdisk ......
Finished building. Besides the tools, your directory should now contain these files: iBSS.n88ap.RELEASE.dfu, kernelcache.release.n88, DeviceTree.n88ap.img3, 038-0082-001.dmg and 038-0082-001.dmg.ssh
4: Put the device in normal DFU mode (iClarified - iPhone - How to Put an iPhone Into DFU Mode)
5: Open a cmd.exe window (run as admin) and navigate to "New Folder"
6: Run tetheredboot and load 3 files on the iDevice:
tetheredboot -i iBSS.n88ap.RELEASE.dfu -k kernelcache.release.n88 -r 038-0082-001.dmg.ssh
Note: The 3GS screen should be totally white while tetheredboot is running.
------------ Displayed by tetheredboot ------------------
...ERROR: The process "iTunes.exe" not found.
...ERROR: The process "iTunesHelper.exe" not found.
...Waiting for the device to enter DFU mode
...Found device in DFU mode
...Checking if device is compatible with this jailbreak
...Checking the device type
...Identified device as iPhone2,1
...Preparing to upload limera1n exploit
...Resetting device counters
...Sending chunk headers
...Sending exploit payload
...Sending fake data
...Reconnecting to device
...Waiting 2 seconds for the device to pop up...
...Uploading iBSS.n88ap.RELEASE.dfu to device
...Waiting 10 seconds for the device to pop up...
...Uploading 038-0082-001.dmg.ssh to device
...Uploading kernelcache.release.n88 to device
If the process stops at "Waiting 2 seconds....", start over at step 4.
Note: After loading, the 3GS screen should have a white Apple logo with an empty progress bar
...If no errors (except iTunes), go to step 7...
Note: If step 6 (tetheredboot) fails to load the ramdisk (which tends to happen with large ramdisks), you can try using itunnel_mux to load the kernel and ramdisk instead:
6a: tetheredboot -i iBSS.n88ap.RELEASE.dfu
6b: itunnel_mux --kernelcache kernelcache.release.n88 --devicetree DeviceTree.n88ap.img3 --ramdisk 038-0082-001.dmg.ssh
7: Execute itunnel_mux.exe to forward the SSH connection over USB (this command does not terminate):
itunnel_mux --lport 22
------------Displayed by itunnel_mux----------------------------
...[INFO] Waiting for new TCP connection on port 22
...[INFO] Waiting for device ...
...[INFO] Device connected: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
.............. more messages after a connection is made ...........
Note: Leave this window open ...............
8: Open a new cmd.exe window (run as admin recommended)
9: Create/start an SSH session (I use Cygwin for ssh)
ssh root@localhost -p 22
Note: On the 1st log-in, ssh will show the device's new RSA host key and ask whether to trust it. Enter 'yes' to accept
11: Enter password: alpine
12: This is your logged in prompt: -sh-4.0#
Note1: The itunnel_mux window will show: [INFO] Device connected .....
Note2: After the connection, the 3GS screen will change to totally white
Note3: If no ssh response/message from either window, check local firewall settings
Mount / (root) filesystem (contains system settings & files, MobileSubstrate dylibs, etc)
13: -sh-4.0# fsck_hfs /dev/disk0s1
14: -sh-4.0# mount_hfs /dev/disk0s1 /mnt1/
Mount /usr filesystem (everything else, i.e. music, media, photos, apps, data, etc.)
15: -sh-4.0# fsck_hfs /dev/disk0s2s1
16: -sh-4.0# mount_hfs /dev/disk0s2s1 /mnt2/
To set the path correctly so you can easily navigate the filesystem:
17: -sh-4.0# PATH=$PATH\:/mnt1/bin
Congratulations, you now have full root access. Up to this point, the iDevice has NOT been modified in any way --- so be careful! After you're done messing around, play it safe and execute: sync; sync; sync. This will flush any pending filesystem writes to disk before you reboot.
When finished, to terminate the session and restart the iPhone:
18: -sh-4.0# kill 1
Other common commands:
ls (list directory), rm (delete), mv (rename or move), cp (copy)
Note: If you save the directory "New Folder", subsequent emergency SSH access is quick & easy: start at step 4.
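To make the repeat "start at step 4" runs less error-prone, here is a small host-side preflight script (added example, not part of the original post or any of the tools above). It checks that "New Folder" holds the four files from step 3, picks the one-shot tetheredboot command or the tetheredboot/itunnel_mux split from step 6a/6b based on the ramdisk size, and prints the commands for steps 6 and 7 without running them. The 3GS/4.2.1 file names are the ones used in this tutorial; the size threshold is an assumption, not a number from the post.

```shell
#!/bin/sh
# Preflight for the pwn'd DFU SSH ramdisk procedure (added example; Cygwin sh).
# File names are the 3GS / iOS 4.2.1 ones from the tutorial above.
IBSS="iBSS.n88ap.RELEASE.dfu"
KERNEL="kernelcache.release.n88"
DEVTREE="DeviceTree.n88ap.img3"
RAMDISK="038-0082-001.dmg.ssh"
# Assumed cut-off: ramdisks larger than this are loaded via the 6a/6b split,
# since large ramdisks tend to stall inside tetheredboot. Tune to taste.
BIG_RAMDISK_BYTES=16000000

# Return 0 if every file the procedure needs is in folder $1; list what is missing otherwise.
check_folder() {
    dir=$1; missing=0
    for f in "$IBSS" "$KERNEL" "$DEVTREE" "$RAMDISK"; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing in $dir: $f" >&2
            missing=1
        fi
    done
    return $missing
}

# Print "direct" (step 6, one tetheredboot call) or "split" (steps 6a + 6b).
choose_method() {
    size=$(wc -c < "$1/$RAMDISK" | tr -d ' ')
    if [ "$size" -gt "$BIG_RAMDISK_BYTES" ]; then echo split; else echo direct; fi
}

# Print the exact host-side commands for steps 6/6a/6b and 7 without running them.
plan_commands() {
    case $(choose_method "$1") in
        direct) echo "tetheredboot -i $IBSS -k $KERNEL -r $RAMDISK" ;;
        split)  echo "tetheredboot -i $IBSS"
                echo "itunnel_mux --kernelcache $KERNEL --devicetree $DEVTREE --ramdisk $RAMDISK" ;;
    esac
    echo "itunnel_mux --lport 22"
}

# Usage: sh preflight.sh "New Folder"   (put the device in DFU mode first, step 4)
if [ -n "$1" ] && [ -d "$1" ]; then
    check_folder "$1" && plan_commands "$1"
fi
```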
All the information you need is available in this thread and on the internet. Experienced users only.
For a 3GS on iOS 4.1 (note: cfw built by pwnage):
iBSS.n88ap.RELEASE.dfu: 108,932 bytes
kernelcache.release.n88: 4,761,412 bytes
018-7080-079.dmg.ssh: 17,962,308 bytes
Last edited by Mes; 09-09-2011 at 09:55 AM. Reason: Added 4.1 file notes
04-08-2011, 10:34 PM #3
You, sir, are a boss.
Not like a boss.
A full-on boss.
Glad to see someone wrote up a (very good) tut for booting a "recovery" ramdisk. Now do one for OS X?
04-08-2011, 11:14 PM #4
Thank you STRAYunINFIDEL and orbyorb for your kind comments.
Last edited by Mes; 04-09-2011 at 12:57 AM.
04-12-2011, 03:12 AM #6
you are a god.
My iP4 is stuck on a boot loop. I've tried every possible solution out there besides a restore, which I don't wanna do because I'll lose all my photos etc..
I'm gonna give this a shot tomorrow and see if I can get to the filesystem.
One thing though, as far as the custom ipsw goes, I'm running 4.0, so wouldn't I need a custom 4.0 ipsw?
04-13-2011, 11:37 AM #8
How would I mount the /private/var/mobile/ directory? I'm trying to back up my photos using this method because my iPhone would not boot up at all, but that directory is not there.
Edit: Nevermind, I was searching the wrong folders, sorry for the bother. On the other hand. Amazing post, thank you so much, saved my precious photos ^.^
Last edited by khoacalacan; 04-13-2011 at 12:15 PM.
04-14-2011, 10:00 PM #9
Great write-up, Mes. The only issue I have (which I am surprised Orby didn't point out) is that SSH is Secure Shell. As in over a network. I realize you probably know this and are just rolling with the common term used by the community, but if not, I just thought I would point it out.
This is pretty much CLI over USB. Other than that, I'm sure this will help a lot of people.
04-16-2011, 01:43 PM #10
This should help since I moved the mobilesubstrate file and now it won't boot :P
Nice new sig, Stray. Now it's not so creepy that you said you love me.
04-18-2011, 02:02 AM #12
Hi everyone, first of all, thanks for the instructions, I think I'm halfway through with recovering my files (iPhone 4 with iOS 4.2.1 stuck at recovery loop) ... but I think I'm stuck here:
-sh-4.0# fsck_hfs /dev/disk0s2s1
Apparently the volume is corrupted or something, and it tries to fix it but fails after 3 attempts... it says "The volume data could not be repaired after 3 attempts"
Should I proceed to mount it?
And after I mount it, what should I do in order to back up my needed files just before I finally decide to restore it?
Thanks in advance for the reply!
EDIT: Couldn't mount it... it returned "mount_hfs invalid argument"
Any clues on what I should be doing next?
Last edited by ramar; 04-18-2011 at 02:42 AM. Reason: update
04-23-2011, 02:03 AM #13
Can someone help me? I can't upload the ramdisk in step 6. I tried steps 6a and 6b but don't get it. Need help asap, pls help. iPod touch 3G, 4.2.1
04-25-2011, 02:10 AM #14
If you are receiving an error message (or other unexpected behavior), it'd be helpful if you'd share what the message/weirdness is, what you're expecting instead of the message, and what you were doing immediately before you got your weird behavior.
04-27-2011, 03:36 AM #15
dw, problem fixed. Something was wrong with my sn0wbreeze dmg, so I got my Mac and made a custom firmware with PwnageTool. Thx a lot guys
04-27-2011, 02:12 PM #16
To ramar -
Have you tried "fsck_hfs -r /dev/disk0s2s1"?
May work for you, but it didn't work for me. I get the same. Can't mount mnt2.
iPhone 4, 4.1
05-23-2011, 05:07 PM #17
Hi, 4.3.1 for 3GS doesn't have any IV and keys, it's not encrypted. How would we use ramdisk builder under Windows? It seems to crash.
I tried 4.2.1 and it goes through successfully, but I need 4.3.1. Thank you for your prompt reply.
05-23-2011, 11:35 PM #18
Try using "0" (may get by with one zero each, you may need 256 bits worth of zeroes) as the KEY and IV. That's what I'd do at least...
05-24-2011, 12:44 AM #19
Hi, tried your zero approach and still no go, ramdiskbuilder crashes. It does work for the other iOS's that have keys from the wiki. Ones not encrypted don't seem to work. I'm gonna try to get my hands on a Mac and maybe try the Mac method. Until then I'm still searching.
05-25-2011, 02:53 AM #20
So I ended up creating the ramdisk on a Mac and it seemed to go through.
Next issue is loading the ramdisk.
I'm using this command:
tetheredboot -i iBSS.n88ap.RELEASE.dfu -k kernelcache.release.n88 -r 038-0900-005.dmg.ssh
It gets stuck loading the dmg.ssh at 64%.
Perhaps it's because of the size of the ramdisk... so
Next commands I try are:
tetheredboot -i iBSS.n88ap.RELEASE.dfu
wait for this to exit then:
itunnel_mux --kernelcache kernelcache.release.n88 --devicetree DeviceTree.n88ap.img3 --ramdisk 038-0900-005.dmg.ssh
Everything seems to load and stay loaded + iPhone screen is white.
Lastly I use itunnel_mux --lport 22 on an XP machine.
Firewall is off. But it keeps waiting for a device, doesn't connect. Am I on the right track here, what am I missing? Something wrong with the itunnel_mux command? Appreciate your response.