
Support for A5+ devices (iPhone 4S, iPad 2, iPhone 5, ...) #49

GoogleCodeExporter opened this issue Mar 4, 2016 · 176 comments
Comments

@GoogleCodeExporter

Until a bootROM/bootloader-level exploit is found for those devices, it is 
impossible to boot a custom ramdisk.
However, for devices jailbroken with Absinthe and ssh access, it should be 
possible to use the tools, provided that the "IOAESAccelerator enable UID" 
kernel patch is applied.

Original issue reported on code.google.com by jean.sig...@gmail.com on 4 Feb 2012 at 10:20


This does seem to be the case - the tools execute, device_infos returns some 
information, useful at least for a partial decryption of a physical image.

Is it feasible to patch kernel memory once a jailbroken A5 device is already 
booted? Or would this require a modification to the Corona payload to apply the 
new kernel patch along with the others?

I am waiting on some hardware to be able to start looking into this myself. In 
the meantime, any perspective on how to go about this would be greatly 
appreciated.

Original comment by 0x56.0x6...@gmail.com on 29 Feb 2012 at 4:32


Yes, turns out corona applies the "task for pid 0" kernel patch that allows a 
root application to read/write kernel memory.
Attached is a small program that uses that to apply the "IOAESAccelerator 
enable UID" kernel patch. Should work on ipad 2 5.0.1.
Let me know if this works for you. Thanks.

Original comment by jean.sig...@gmail.com on 1 Mar 2012 at 12:17

  • Changed state: Started

Attachments:


Great Success! (on iPhone 4S 5.0.1)

The ramdisk tools seem to be working fine now. This kernel patcher was exactly 
the sort of process I was envisioning; thank you for providing the method! 
(I'll remember task_for_pid() and vm_read()/vm_write())

Original comment by 0x56.0x6...@gmail.com on 1 Mar 2012 at 6:01


Great! Let me know if there are issues with the other tools on this device.
Also, known bug: the UDID computed by the tools is wrong on A5 devices because 
the formula changed (see http://iphonedevwiki.net/index.php/Lockdownd)

Original comment by jean.sig...@gmail.com on 1 Mar 2012 at 7:03


I'm trying to save some pictures I have only on my ipad 2 (5.0.1), jailbroken 
with Absinthe. I used your tools before with other iphones (great success :), 
but never on an A5 device. How does this work? Do I need to create a custom 
ramdisk and boot from it; does this even work?

Original comment by grapple...@gmail.com on 8 Mar 2012 at 9:03


The latest redsn0w's (0.9.10b6) Keys.plist does not contain the KBAG keys (IV 
and Key) for A5 devices' firmwares, but from the previous comments it seems 
they are available.
Would it be possible to post them to the appropriate theiphonewiki.com page, or 
here?
TIA

Original comment by simg...@gmail.com on 9 Mar 2012 at 5:43


grapple: First, install OpenSSH on the A5 device through Cydia. Then, use scp 
or sftp to upload the ramdisk tools (specifically, bruteforce and device_infos; 
restored_external doesn't matter here) and kernel_patcher (attachment in this 
issue) to the device. Once the files are uploaded, connect with ssh. Run 
kernel_patcher to gain access to the crypto engine, then you can run 
device_infos followed by bruteforce to generate the keys. I haven't quite 
figured out pulling an image, as the filesystem is mounted and active while the 
device is running (I pulled a dd image, but there were some issues with trying 
to decrypt it, probably because I was still using the phone while the image was 
running...). That is the general idea of what to do, hope it helps get you 
started.

simg: Unfortunately, without access to the GID key, the encrypted KBAGs cannot 
be decrypted. By the time iBoot is finished and passes control to the kernel, 
the GID key is rendered inaccessible until a reboot of the device. The limera1n 
exploit allows running unsigned code at a stage in the boot process where the 
GID key is still accessible. Corona (which Absinthe is used to inject on A5 
devices) exploits the kernel, so by the time it takes place, the GID key is 
inaccessible.

tl;dr KBAG keys will not be available on A5 devices until a limera1n style 
exploit is discovered :)

Original comment by 0x56.0x6...@gmail.com on 9 Mar 2012 at 7:18
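The decryption trouble 0x56 describes with a dd image pulled while the data partition was still mounted can be spotted before any key material is touched. The following is an added check, not part of this thread or of the iphone-dataprotection tools: it reads the HFS+ volume header at offset 1024 of a raw rdisk0s1s2 image (the HFS+ metadata is not encrypted on these devices, only file contents are) and reports an image that is truncated or was taken from a live-mounted volume. The sample images are constructed inline.

```python
import struct

# The HFS+ volume header sits at byte offset 1024 of the partition (Apple TN1150);
# the first 52 bytes hold the fields checked here, all big-endian.
HFSPLUS_HEADER_OFFSET = 1024
HFSPLUS_HEADER_FMT = ">2sHIIIIIIIIIIII"
HFSPLUS_HEADER_SIZE = struct.calcsize(HFSPLUS_HEADER_FMT)  # 52
KHFS_VOLUME_UNMOUNTED_BIT = 8      # set only after a clean unmount
KHFS_VOLUME_INCONSISTENT_BIT = 11  # set when the kernel found corruption
KHFS_VOLUME_JOURNALED_BIT = 13


def parse_volume_header(image):
    """Unpack the HFS+/HFSX volume header fields used by the checks below."""
    f = struct.unpack_from(HFSPLUS_HEADER_FMT, image, HFSPLUS_HEADER_OFFSET)
    if f[0] not in (b"H+", b"HX"):
        raise ValueError("no HFS+ volume header at offset 1024: %r" % f[0])
    return {"signature": f[0], "version": f[1], "attributes": f[2],
            "journal_info_block": f[4], "file_count": f[9], "folder_count": f[10],
            "block_size": f[11], "total_blocks": f[12], "free_blocks": f[13]}


def check_image(image):
    """Return a list of reasons a dd image is not a trustworthy offline copy."""
    hdr = parse_volume_header(image)
    attrs = hdr["attributes"]
    expected = hdr["block_size"] * hdr["total_blocks"]
    problems = []
    if len(image) < expected:
        problems.append("truncated: %d bytes in image, header says %d" % (len(image), expected))
    if not attrs & (1 << KHFS_VOLUME_UNMOUNTED_BIT):
        msg = "volume was mounted when imaged (unmounted bit clear)"
        if attrs & (1 << KHFS_VOLUME_JOURNALED_BIT):
            msg += "; journal may hold metadata not yet on disk"
        problems.append(msg)
    if attrs & (1 << KHFS_VOLUME_INCONSISTENT_BIT):
        problems.append("kernel flagged the volume inconsistent")
    return problems


def make_test_image(attributes, total_blocks=4, block_size=4096, truncate=0):
    """Constructed sample: zero-filled blocks with a synthetic volume header."""
    header = struct.pack(HFSPLUS_HEADER_FMT, b"H+", 4, attributes, 0, 0,
                         0, 0, 0, 0, 10, 2, block_size, total_blocks, 1)
    image = bytearray(block_size * total_blocks)
    image[HFSPLUS_HEADER_OFFSET:HFSPLUS_HEADER_OFFSET + HFSPLUS_HEADER_SIZE] = header
    return bytes(image[:len(image) - truncate])


if __name__ == "__main__":
    # A journaled volume imaged while mounted: exactly the case described above.
    live = make_test_image(1 << KHFS_VOLUME_JOURNALED_BIT)
    for p in check_image(live):
        print("WARNING:", p)
```

To run it on a real dump, read the first 2 KiB of the image file plus its size; the header alone is enough for every check except truncation, which only needs the file length.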


Great Success! (on iPhone 4 5.0.1)
this dynamic patcher looks cool

Original comment by ann...@gmail.com on 13 Mar 2012 at 3:09


I'm trying to recompile kernel_patcher.c for another purpose, but I can't get 
it to run on my device. This is my compile command:

"/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/gcc -arch armv6 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.1.sdk -mthumb -o kernel_patcher kernel_patcher.c"

That seems to work (it compiles and runs anyway), and I then sign the 
application with codesign:

"codesign -f -s Han\ Solo ./kernel_patcher"

I then upload it to the device, but any time I run it I get the following error:

"task_for_pid returned 5 : missing tfp0 kernel patch or wrong entitlements"

I'm obviously doing something wrong here, but I can't figure out what.  If I 
just run the binary on the site, it works just fine.  I'm just trying to patch 
a different location, so I need to recompile.  Any suggestions on what I'm 
doing wrong?

Original comment by engineer...@gmail.com on 16 Mar 2012 at 4:14


Try adding "--entitlements tfp0.plist" to the codesign command (and grab the 
tfp0.plist file from above post).

Original comment by jean.sig...@gmail.com on 16 Mar 2012 at 4:30


That did it.  Thanks!

Original comment by engineer...@gmail.com on 16 Mar 2012 at 4:52


I need a custom ipsw that includes ssh so that I can take the kernel files
and ramdisk from the ipsw and use it to tethered boot that device and
access the files via ssh.
My main need is the ipsw with ssh for every device that runs iOS 5!

If you can do this, I am willing to pay you $250. Please let me know
something soon.


Thanks, Brooklyn

Original comment by brooklyn...@gmail.com on 31 Mar 2012 at 7:53


I'm in deep trouble here... probably amateur problems for you guys.
Short story- ipad 2 5.0.1 jb with absinthe. 
wanted to use iUsers but realized after install it was for 4.x and lower. 
Uninstalled iUsers, caused springboard to crash every respring.
Was planning to re-jb with absinthe however unable to jb because "stash" is 
found. 
I simply went into iFile, renamed "stash" to "stashs" then on the next respring 
i have gotten stuck on the apple logo. i would like to stay on 5.0.1 until 5.1 
is jb'en.
if anyone has a suggestion on what i can do- i would be greatly appreciative. 
also, blobs saved but not working so my only alternative im aware of is restore 
n update (super sad face)
thanks in advance.
-mike 

Original comment by iDenver...@gmail.com on 2 Apr 2012 at 8:04


@iDenverLLC
For now there is no way to boot a custom ramdisk on A5 devices, so if your 
device is stuck in a reboot loop there is (afaik) nothing you can do to fix it 
without restoring.

Original comment by jean.sig...@gmail.com on 8 Apr 2012 at 9:32


Could this be a workaround?

http://www.idownloadblog.com/2012/03/25/new-a5-ios-5-1-downgrade-bug/

Original comment by brooklyn...@gmail.com on 24 Apr 2012 at 6:10


I came across this by accident, @jean on comment #2 can the patch be modified 
to 1) patch out the usb power restrictions on the ipad camera connection kit? 
2) Overclock A5 devices?

Original comment by Gero3...@gmail.com on 1 Aug 2012 at 3:21


@Gero3977 I suppose it is possible, you can look at comex's tool which has the 
signature for the code to patch (it might have changed on newer 
kernels/devices):
https://github.com/comex/datautils0/blob/master/make_kernel_patchfile.c#L67
For overclocking I have no idea if it is possible or not.

Original comment by jean.sig...@gmail.com on 4 Aug 2012 at 12:15



How is this used?  I have an iPhone 4s that needs the passcode cracked but if I 
can't get in, how will I install SSH in Cydia?

Original comment by dr.mod...@gmail.com on 22 Aug 2012 at 9:37


@dr.modean indeed the tools only work on A5 devices if you know the passcode 
and you can install ssh, or if ssh is already installed.

Original comment by jean.sig...@gmail.com on 26 Aug 2012 at 11:15


Hi, I'm not an expert, but I can't stop here. I'm trying to recover deleted 
videos from an iPhone 4S, here is where I got:
- I have a dd .img file of the data partition
- I got a file called dbc8ae0fc259ea91.plist from the device with all possible 
keys

What I want is to run this command:
  python python_scripts/emf_decrypter.py /Users/marc/iphonebackup_rdisk0s1s2.img 

but here is the output:
Traceback (most recent call last):
  File "python_scripts/emf_decrypter.py", line 34, in <module>
    main()
  File "python_scripts/emf_decrypter.py", line 18, in main
    v = EMFVolume(p, device_infos)
  File "/Users/marc/Programs and scripts/iphone-dataprotection/python_scripts/hfs/emf.py", line 98, in __init__
    raise Exception("Missing keyfile")
Exception: Missing keyfile

Where do I put the keyfile so it can decrypt ?

Later I want to use photorec to find deleted files.

Thanks for your help.


Original comment by marc.mat...@gmail.com on 29 Aug 2012 at 1:49


@marc.mathys
try passing the plist filename as a second parameter to emf_decrypter.py:
python python_scripts/emf_decrypter.py /Users/marc/iphonebackup_rdisk0s1s2.img dbc8ae0fc259ea91.plist

however, emf_decrypter only decrypts existing files, so photorec won't find any 
deleted files in the image. the tools here do not support deleted files 
recovery for the iPhone 4S (except the emf_undelete script but it is very 
limited).

Original comment by jean.sig...@gmail.com on 29 Aug 2012 at 7:12


I am very new to this. My iPhone 4s is stuck in an Apple logo boot loop. Is it 
possible to use this method to hack into the iPhone 4s and retrieve my 
pics/videos? Not trying to recover deleted pics as they are not deleted. Just 
would like to access my pics and copy them. Any help would be appreciated.

Original comment by johnp1...@gmail.com on 5 Oct 2012 at 3:08


@johnp1569 currently there is no bootloader exploit for newer devices (iPhone 
4S/5, iPad 2/3), so it is not possible to get access if the device is stuck in 
a boot loop.

Original comment by jean.sig...@gmail.com on 6 Oct 2012 at 1:09


hi!
I need to recover deleted photos and video from an iPhone 4s. I already saved 
the rdisk0 image with
ssh -p 2222 root@localhost dd if=/dev/rdisk0 bs=4096 | dd of=iphoneraw
and the keychain with keychain_dump, so I got cert.plist genp.plist inet.plist 
keys.plist.
Now I'm a little bit confused. I read that it is not possible to recover deleted 
data using emf_decrypter but it is possible with emf_undelete.
Could you tell me how I should use the emf_undelete script?

Now, I also need to wipe the iPhone and put a non-jailbroken iOS on it. So in 
order to do this, what else should I save from the iPhone that will enable me to 
recover deleted files in the future? Something else like dd or keychain_dump?

thanks in advance

Original comment by andrei.m...@gmail.com on 7 Oct 2012 at 10:51


@andrei.mihajlovic
the emf_undelete script is very limited and will most likely recover nothing. 
if you want to use it, you have to dump rdisk0s1s2 and follow the instructions 
in this comment: 
http://code.google.com/p/iphone-dataprotection/issues/detail?id=49#c7

a better way to recover deleted files is to dump the nand, but currently the 
nand dumping tools do not support the iphone 4S.

Original comment by jean.sig...@gmail.com on 9 Oct 2012 at 7:13


@jean.sig...@gmail.com
I looked at the files in the ramdisk_tools folder. There is only the source code of 
device_infos.c and systemkb_bruteforce.c.
The problem is that I work under Linux so I cannot compile them.
>gcc device_infos.c -o device_infos
>device_infos.c:3:43: fatal error: CoreFoundation/CoreFoundation.h: File o 
directory non esistente
compilation terminated
May I ask you the favor of compiling these files so I can execute them on the 
iPhone?

thank you very much

Original comment by andrei.m...@gmail.com on 10 Oct 2012 at 10:56


pls email me ssh.jar iphone 4s ios 7.1.1...device not supported :( please help 
me..

jelan1528@gmail.com

Original comment by jelan1...@gmail.com on 14 Nov 2014 at 5:35


Hello Mr. Jean, I need your help, please send me ssh, my iPhone 4s is dead, 
help me
djtatocd@hotmail.com 


Original comment by djtat...@hotmail.com on 19 Nov 2014 at 6:31


Dear Jean,

please tell all those people, that there is no ssh.jar supporting A5 devices at 
the moment.

Cheers

Original comment by wernald...@gmail.com on 19 Nov 2014 at 7:51


yearly reminder : it is not possible to boot an ssh ramdisk on any device above 
iphone 4.

Original comment by jean.sig...@gmail.com on 19 Nov 2014 at 6:30


Did anyone manage it for the 4s?

Original comment by diogobai...@gmail.com on 19 Nov 2014 at 6:35


This issue was updated by revision b332180ddd36.

kernel patching for iphone 5 running iOS 8.1.1 jailbroken with TaiG

Original comment by jean.sig...@gmail.com on 9 Dec 2014 at 10:06


bypassing icloud in A5 devices is possible?

Original comment by pak...@gmail.com on 10 Dec 2014 at 3:17



Hi, my iPad 2 3G is stuck in restore mode because of a defective GSM module.
Is it possible to use a ramdisk to load in DFU?
Are there also solution paths on Linux?
Are the internal keys transferred to the Apple server during the upgrade?


Greetings

Original comment by BertRa...@googlemail.com on 13 Dec 2014 at 6:07


How's it coming?

Original comment by delfinod...@gmail.com on 24 Dec 2014 at 1:13


Hi #156 pak...@gmail.com.
Please could you send me advice on bypassing icloud in A5 please, I have tried 
everything but nothing seems to work. My email is no1rtadersltd@hotmail.co.uk

Original comment by khazi...@googlemail.com on 2 Jan 2015 at 9:53


any java to iphone 4s unblock?

Original comment by jHSALCED...@gmail.com on 16 Jan 2015 at 8:10


hi everybody, I'm not an expert but my iPhone 4s became iCloud locked, I need an ssh 
ramdisk to delete setup.app, please help me how to use these files please please 
on any iOS!

Original comment by faisalma...@gmail.com on 29 Jan 2015 at 9:56


hi everybody, can anyone help me? I have an iPad 4 GSM. It doesn't want to 
start or to restore in iTunes. If I try to start it, the Apple logo appears and 
disappears.

Original comment by traorebe...@gmail.com on 29 Jan 2015 at 11:42


Iphone 5s Device Unsupported . Ignoring Unsupported Device 
Pls Help me to fix this :) 
Send to my email : aiypwzqpshojef@gmail.com

Original comment by mabel.ba...@gmail.com on 3 Feb 2015 at 11:08


I have an unlocked iPhone 4 but it won't let me open Settings. Won't let me jailbreak 
or restore.
I used winSP to import ssh.jar
can anyone help me reset

Original comment by slimfu...@gmail.com on 3 Feb 2015 at 4:26


How do I apply the ssh.jar update, revision b332180ddd36?
Thanks.

Original comment by leeharl...@gmail.com on 9 Feb 2015 at 5:40


hi everybody, I have an iPhone 4s stuck in recovery mode, is there any 
possible way to connect to it with ssh? Please help

Original comment by kastro.g...@gmail.com on 16 Feb 2015 at 2:59


if any one have ssh for iphone 4s please mail me jdravikiran@gmail.com

Original comment by jdraviki...@gmail.com on 27 Feb 2015 at 6:47



Hi, I need help, I need to unlock an iPhone 5s; it is my cousin's but he lost the 
iCloud password, as he bought it used and did not notice that it was already blocked when he bought it.

Please send messages for this e-mail: bruno.castilhos@hotmail.com

Original comment by maiaracb...@gmail.com on 7 Apr 2015 at 12:07


Hi guys need help my cousin forgot her icloud with find my iphone active how 
can i reactivate her iphone 4s? 

thanks in advance,

send me an email to r3c06n1z3@gmail.com

Original comment by jkevinpi...@gmail.com on 20 May 2015 at 4:37


Hi, I need help, I need to unlock an iPhone 6, but he lost the iCloud password. I 
ask for the tool to open it, if anyone has it please help me,

Please send messages to this e-mail: sebastian25121990@gmail.com

Original comment by dedey.d...@gmail.com on 28 May 2015 at 6:09


hi guys
I need help
I forgot my iCloud ID and updated my iPhone 4S to iOS 8.3 and now the device is 
locked
how can I unlock my device?
plz plz plz help me

maadpedram@gmail.com

Original comment by maadped...@gmail.com on 30 May 2015 at 11:58


Iphone 5 Device Unsupported . Ignoring Unsupported Device 
Pls Help me to fix this :) 
Send to my email : antou9@gmail.com

Original comment by ant...@gmail.com on 25 Jun 2015 at 12:29


if any one have ssh for iphone 4s please mail me nafaa00757@gmail.com

Original comment by nafaa00...@gmail.com on 20 Jul 2015 at 11:51


Hi, I need an ssh for iPhone 4s, it is giving the following error in ssh, DFU 
mode:

ignoring unsupported device unsupported   , for anything get in touch 
via e-mail, thanks    ronaldo.molek@hotmail.com

Original comment by vitor.an...@gmail.com on 21 Aug 2015 at 1:46
