demo_bruteforce.py connection refused about iphone-dataprotection HOT 14 CLOSED

In order to connect to the ramdisk, you need to forward local port 1999 to port 
1999 on the device. You can do this using the following command :
cd usbmuxd-python-client && python  tcprelay.py -t 22:2222 1999:1999

This also allows you to ssh into the device by connecting to localhost:2222
(documentation will be updated soon :)

Hello Jean.
Tank you again for the propt response.
i will follow your advice certain that it will work.

As far as documentation goes, i think it would cut your workload in half as far 
as handling these issues goes if at least some generic documentations existed 
in the workflow. I think this is a fantastic set of tools and at least the 
purpose of them could be mentioned in such workflow.
then of course compiling errors etc can always be discussed.

To just explain what this mentions to my case. 
i have already done dd backup of my 30GB iphone 4 partition. i can already 
browse it with hfs explorer (though every photo i export is unleggible, but 
that is for another time.). so my need is to decrypt this thing and i'm led to 
believe i can do that with emf_decrypter. this last one i have correctly built 
on mac with all the right dependencies and the binary runs fine. so i turns out 
i need the plist file.
i have access to all levels of my device (infact i need to decrypt the backup 
so i can then photorec on it).
the device is jailbroken, and i have ssh access. is there anyway for me to 
retrieve such plist file without the rest of the process.
and if not, so i so at least i move into the productive direction,
what are the simplest pointers you could hand me?

again, thank you in advance and best regards

tcprelay works like a charm now. like i mentioned b4 my device is already jb-ed 
so i'm hoping that means i won't have to start injecting. at this point i'm 
thinking all i need is that plist file.

if it's not too much hassle how do i go abt that?
i have been reading through all of the readme files and all the issues trying 
to get pointers, and i could be wrong but all i read is abt injecting to jb. 
which is done.

again, thank you in advance and best regards

Hi,
you have to build the ramdisk using the build_ramdisk.sh script (assuming the 
ramdisk tools are compiled ok)
Then, compile cyanide_bootramdisk and syringe, and boot the ramdisk using the 
following command :
./syringe/utilities/tetherboot -p cyanide_bootramdisk/payload -r myramdisk.dmg

Fantastic. Now i feel i'm moving in a good direction.
Seems like device needs to be in DFU mode for this right.
The ramdisk i created is the default one done by the bash script, and it's 4.1- 
Meanwhile on my phone is on 4.3.3.
Is that going to be a problem? i can still kick my phone off dfu afterwards 
right? the usual reboot way?

Yes, you need to be in dfu mode
the version of the ramdisk does not have to match the installed version.
once you are done with the ramdisk you can reboot using the "reboot" command 
through ssh, or just rebooting the device with the buttons

Went into  DFU and proceeded as instructed.
At this point i am at the issue reported here 
http://code.google.com/p/iphone-dataprotection/issues/detail?id=20

i'm in a going to try again. as the binary exited just as reported above.

once again i'd like to thank you for your great help and contribution.

meanwhile i see present on my mac : kernelcache.release.n90, iBSS.n90ap, 
DeviceTree.n90ap.

so i hopefully don't have to bother you anymore, seeing i will work on this for 
ages tonight, what is my following step once i make this go the right way?

given the above ste

repeating. tried it with firmware 4.3.3. though as you said it would not matter.

after resetting device counters i get this.
libusb:error [darwin_transfer_status] transfer error: timed out
Exiting libpois0n

on the iphone screen, after a long process:

Listening on port 1999
AppleBCMWLAN::handleIOKitBusyWatchdogTimeout(): Error, no successful firmware 
download after 60000 ms!! Giving up...

I'm gonna try again. though i was sure i cleared the devicetree...

Hello,
if you have the "Listening on port 1999" message on the device it means it 
worked, you can now run the demo_bruteforce.py script and it will created the 
plist file required for emf_decrypter. You can also ssh into the device at that 
point.

[deleted comment]

Perfect. 
I was just being thick. Long day. hehe

so i went agead and repeated the process (for some reason repeating it with a 
4.1 ipsw left me hanging on white screen on the device. 4.3.3 worked just 
fine), tcprelay-ed into the device and ran the python bruteforce script.

The output i believe is certainly positive as it had all of my account pwds 
showing in cleartext.
Then i found my keychain and the plist file.

Now onto emf_decrypter (which i have previously compiled, so no hassle there).

This is going to take a bit as i have to decrypt a 30G image.

Ok,
do not forget to make a backup of the disk image before in case something goes 
wrong.
Also, you should use the python version of emf_decrypter, the C version has 
known bugs. For the python version you need pycrypto and construct.

In fact something went wrong with the c version :)
I just opened an issue about it.

I had made a backup and now i'm making a second copy yo try again :)
will the python version need the plist too in the same path?