Disable SSLv3 - lockdown error: -5

[Qwertylex]

I have an iPad Mini (1st gen) on iOS 6.1.3, after upgrading Arch Linux, which upgraded packages:

libimobiledevice (from 1.2.0-1 to 1.2.0-3) and openssl (from 1.0.2.f-1 to 1.0.2.g-3) 
(the Disable SSLv3 patch)

My iPad Mini stopped connecting to linux, leaving messages:

usbmuxd: preflight_worker_handle_device_add: The stored pair record for device a6de54 is invalid. Removing.
usbmuxd: preflight_worker_handle_device_add: ERROR StartSession failed on device a6de54, lockdown error -5

I deleted /var/lib/lockdown and I reinstalled libimobiledevice and usbmuxd, same issue.

I downgraded libimobiledevice and openssl and everything worked normally.

[kHasnain0]

You are right sir. I had the same problem and I tried everything till I came across your post.
I was getting the following error:
$ ifuse iphone/
Failed to connect to lockdownd service on the device.
Try again. If it still fails try rebooting your device.

and also

ERROR: Could not connect to lockdownd, error "code -5"

I am running arch linux and did the following:
I went to /var/cache/pacman/pkg and downgraded to libimobiledevice 1.2.0-1 and openssl 1.0.2.e-1.

I am currently running libimobiledevice 1.2.0-1, 1.0.2.e-1, libplist 1.12-4, usbmuxd 1.1.0-2, ifuse 1.1.3-3, ideviceinstaller-git 1.1.0.r12.g824bb9a-1, libideviceactivation 1.0.0-3, libusbmuxd 1.0.10-1, and libplist 1.12-4.

It is all working now. Thank you Qwertylex

[mexmer]

elder version of use SSLv3, so if you use openssl without SSLv3, it will fail. Newer versions also support TLS
problem is not in libimobile itself, but in openssl library you use

[Qwertylex]

Supposedly the old iOS device I have does not support TLS.

[Anachron]

Subscribing, I also experience the same issue here.

[mexmer]

@Qwertylex no they don't support TLS, that's why you need SSLv3

[randomize]

As an alternative to use old iOS devices in Arch is building latest upstream libimobiledevice with --disable-openssl - in this case GnuTLS will be used as backend and it still has SSLv3 enabled in Arch repos at this moment. The Arch way will be to just write simple PKGBUILD that uses git source and passes that flag to configure -- here is example PKGBUILD - quick and dirty, but worked for me, can be cleaned up to have pkgver support for example.

[andrewmichaelsmith]

Update - Ignore everything I said below. I think I was using the wrong libimobiledevice (the one ubuntu had installed). After re-reading this issue I realised it was about compatibility with an old iOS version, whereas I'm using a new one.

I fully removed Ubuntu's 1.1 libimobiledevice and made sure I was actually using 1.2.1 built off master (also using latest usbmuxd build off master). I built normally (OpenSSL, not GnuTLS) and it works perfectly on iOS 9.3.1.

------ ignore below here -------

Just to add to this - right now I'm getting "lockdown error: -5" when trying to run ideviceinfo.

I tried @randomize's trick which appears to have switched my compile to GnuTLS:

Configuration for libimobiledevice 1.2.1:
-------------------------------------------

  Install prefix: .........: /usr
  Debug code ..............: no
  Python bindings .........: no
  SSL support backend .....: GnuTLS

But I still get the -5 error when trying ideviceinfo. (If it's relevant) I built usbmuxd off master.

This is on Ubuntu 16.04 LTS, iOS 9.3.1.

[webavant]

My comment will be off-topic, since I'm addressing a makepkg issue, not a libimobiledevice issue, but just to help the above commenter, @andrewmichaelsmith:

If you have already installed the libimobiledevice-git package from AUR, you will need to locally create the PKGBUILD file that @randomize suggested, then run makepkg -if within its directory in order to rebuild and force install the package.

I'll confirm that using --disable-openssl to force using GnuTLS was a successful workaround on my iOS8 device.

[mexmer]

@webavant there are 3 options, you pick, which suits you best

1. use gnutls (eg. --disable-openssl)
2. downgrade openssl to version with SSLv3 support (not recommended)
3. recompile openssl with SSLv3 support ... it was not removed from openssl yet, it's just disabled in default configuration, which is used by most distributions

[webavant]

@mexmer thanks for clarifying! Should be helpful for anyone confused. I meant to answer @andrewmichaelsmith's question, although now I'm realizing my response wasn't even appropriate for his problem, although it might be helpful to anyone unfamiliar with makepkg. Feel free to delete.

[nikias]

Can you check if it works with my latest commit? SSLv23_method() should be available from my understanding.

[nikias]

Should be fixed with latest code from git master.

[pmnordkvist]

Gaah! This is killing me! I have compiled several times with latest master and --disable-openssl option. Always get the "GnuTLS error: Error in the pull function." message when running ideviceinfo or ifuse. paring and validating works as expected.

I have also tried to downgrade openssl to "1.0.1e" and compile with openssl but that does not work either. Same result: "GnuTLS error: Error in the pull function.". Should I even get that message when using openssl? Have been testing 3 different devices on versions 9.3.5 and 9.3.2 and I'm running out of ideas.

Any specific version of gnutls required for this to work? My best guess right now is bad gnutls version.

[joecool1029]

@pmnordkvist #365 (comment) rebuild nettle and then gnutls and let me know how goes.

[VasilijSviridov]

this worked for me appium/appium#6597 (comment) =)

[joecool1029]

@VasilijSviridov that is a totally unrelated issue on OSX. I am on Linux.

[VasilijSviridov]

@joecool1029 thought this will help you : brew uninstall libimobiledevice && brew install --HEAD libimobiledevice

[joecool1029]

@VasilijSviridov you thought wrong

[nikias]

The pairing record generation with newer GnuTLS was broken. I just fixed it with commit 23069d1.
Make sure to remove invalid paring records by deleting the appropriate files or call idevicepair unpair for the affected devices.

[ankitrwt]

I am having same problem on ubuntu 16.04 with Iphone6 ios 10.0.2
pair_record_generate_keys_and_certs(*pair_record, public_key) returns -5
i am using OpenSSL 1.0.2g

[joemclo]

Also getting the same issue on 16.04 Ubuntu.
I've pulled your latest fix as well.

Any debug info that would be helpful ?

[ankitrwt]

using ubuntu 16.04 i successfully updated Iphone6 ios 10.1.1, stil as I mention in my above comment i am unable to get ideviceinfo it says ERROR: Could not connect to lockdownd, error code -5
Anyone have any Idea where I am doing wrong, and I think ios 10.0.2 have some issues as it was unable to upgrade iphone6 through idevicerestore

[lifayk]

Same issue. iPhone 6S, IOS: 10.1.1 (14B100)

$ uname -a; cat /etc/issue; lsusb -d 05ac:12a8; apt list *imobile*; ideviceinfo 
Linux t4 4.8.0-28-generic #30-Ubuntu SMP Fri Nov 11 14:03:52 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Ubuntu 16.10 \n \l

Bus 002 Device 006: ID 05ac:12a8 Apple, Inc. iPhone5/5C/5S/6
Listing... Done
libimobiledevice-dev/yakkety 1.2.0+dfsg-3ubuntu1 amd64
libimobiledevice-doc/yakkety,yakkety 1.2.0+dfsg-3ubuntu1 all
libimobiledevice-utils/yakkety,now 1.2.0+dfsg-3ubuntu1 amd64 [installed]
libimobiledevice6/yakkety,now 1.2.0+dfsg-3ubuntu1 amd64 [installed,automatic]
libimobiledevice6-dbg/yakkety 1.2.0+dfsg-3ubuntu1 amd64
python-imobiledevice/yakkety 1.2.0+dfsg-3ubuntu1 amd64
GnuTLS error: Error in the pull function.
ERROR: Could not connect to lockdownd, error code -5

[ankitrwt]

check SSL version you have and what SSL version libimobiledevice using
@lifayk

[lifayk]

$ apt list libimobiledevice6; apt show libimobiledevice6; openssl version
Listing... Done
libimobiledevice6/yakkety,now 1.2.0+dfsg-3ubuntu1 amd64 [installed,automatic]
Package: libimobiledevice6
Version: 1.2.0+dfsg-3ubuntu1
Priority: optional
Section: libs
Source: libimobiledevice
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 181 kB
Depends: libc6 (>= 2.15), libgcrypt20 (>= 1.7.0), libgnutls30 (>= 3.4.2), libplist3 (>= 1.11), libtasn1-6 (>= 4.5), libusbmuxd4 (>= 1.0.10)
Recommends: usbmuxd
Suggests: libusbmuxd-tools
Conflicts: libiphone0
Replaces: libimobiledevice0, libimobiledevice1, libiphone0
Homepage: http://libimobiledevice.org/
Task: ubuntu-desktop, ubuntu-usb, kubuntu-desktop, kubuntu-full, edubuntu-desktop, edubuntu-usb, xubuntu-core, xubuntu-desktop, mythbuntu-desktop, lubuntu-desktop-share, lubuntu-gtk-desktop, lubuntu-desktop, lubuntu-qt-desktop, ubuntustudio-desktop-core, ubuntustudio-desktop, ubuntu-gnome-desktop, ubuntu-touch, ubuntukylin-desktop, ubuntu-mate-core, ubuntu-mate-desktop
Supported: 9m
Download-Size: 59.0 kB
APT-Manual-Installed: no
APT-Sources: http://ru.archive.ubuntu.com/ubuntu yakkety/main amd64 Packages
Description: Library for communicating with the iPhone and iPod Touch
 libimobiledevice is a library that talks the native Apple USB protocols that
 the iPhone and iPod Touch use. Unlike other projects, libimobiledevice does
 not depend on using any existing libraries from Apple.

OpenSSL 1.0.2g  1 Mar 2016

Everything from official repository.
@ankitrwt

[ankitrwt]

https://github.com/libimobiledevice/libimobiledevice/issues/254
@lifayk