
Comments (176)

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
This does seem to be the case - the tools execute, device_infos returns some 
information, useful at least for a partial decryption of a physical image.

Is it feasible to patch kernel memory once a jailbroken A5 device is already 
booted? Or would this require a modification to the Corona payload to apply the 
new kernel patch along with the others.

I am waiting on some hardware to be able to start looking into this myself. In 
the meantime, any perspective on how to go about this would be greatly 
appreciated.

Original comment by [email protected] on 29 Feb 2012 at 4:32

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Yes, turns out corona applies the "task for pid 0" kernel patch that allows a 
root application to read/write kernel memory.
Attached is a small program that uses that to apply the "IOAESAccelerator 
enable UID" kernel patch. Should work on ipad 2 5.0.1.
Let me know if this works for you. Thanks.

Original comment by [email protected] on 1 Mar 2012 at 12:17

  • Changed state: Started



GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Great Success! (on iPhone 4S 5.0.1)

The ramdisk tools seem to be working fine now. This kernel patcher was exactly 
the sort of process I was envisioning; thank you for providing the method! 
(I'll remember task_for_pid() and vm_read()/vm_write())

Original comment by [email protected] on 1 Mar 2012 at 6:01


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Great! Let me know if there are issues with the other tools on this device.
Also, known bug: the UDID computed by the tools is wrong on A5 devices because 
the formula changed (see http://iphonedevwiki.net/index.php/Lockdownd)

Original comment by [email protected] on 1 Mar 2012 at 7:03


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
I'm trying to save some pictures I have only on my ipad 2 (5.0.1), jailbroken 
with Absinthe. I used your tools before with other iphones (great success :), 
but never on an A5 device. How does this work? Do I need to create a custom 
ramdisk and boot from it; does this even work?

Original comment by [email protected] on 8 Mar 2012 at 9:03


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
The latest redsn0w's (0.9.10b6) Keys.plist does not contain the KBAG keys (IV 
and Key) for A5 devices' firmwares, but from the previous comments it seems 
they are available.
Would it be possible to post them to the appropriate theiphonewiki.com page, or 
here?
TIA

Original comment by [email protected] on 9 Mar 2012 at 5:43


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
grapple: First, install OpenSSH on the A5 device through Cydia. Then, use scp 
or sftp to upload the ramdisk tools (specifically, bruteforce and device_infos; 
restored_external doesn't matter here) and kernel_patcher (attachment in this 
issue) to the device. Once the files are uploaded, connect with ssh. Run 
kernel_patcher to gain access to the crypto engine, then you can run 
device_infos followed by bruteforce to generate the keys. I haven't quite 
figured out pulling an image, as the filesystem is mounted and active while the 
device is running (I pulled a dd image, but there were some issues with trying 
to decrypt it, probably because I was still using the phone while the image was 
running...). That is the general idea of what to do, hope it helps get you 
started.

simg: Unfortunately, without access to the GID key, the encrypted KBAGs cannot 
be decrypted. By the time iBoot is finished and passes control to the kernel, 
the GID key is rendered inaccessible until a reboot of the device. The limera1n 
exploit allows running unsigned code at a stage in the boot process where the 
GID key is still accessible. Corona (which Absinthe is used to inject on A5 
devices) exploits the kernel, so by the time it takes place, the GID key is 
inaccessible.

tl;dr KBAG keys will not be available on A5 devices until a limera1n style 
exploit is discovered :)

Original comment by [email protected] on 9 Mar 2012 at 7:18


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Great Success! (on iPhone 4 5.0.1)
this dynamic patcher looks cool

Original comment by [email protected] on 13 Mar 2012 at 3:09


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
I'm trying to recompile kernel_patcher.c for another purpose, but I can't get 
it to run on my device.  This is my compile command:

"/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/gcc -arch armv6 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.1.sdk -mthumb -o kernel_pathcer kernel_patcher.c"

That seems to work (it compiles and runs anyway), and I then sign the 
application with codesign:

"codesign -f -s Han\ Solo ./kernel_patcher"

I then upload it to the device, but any time I run it I get the following error:

"task_for_pid returned 5 : missing tfp0 kernel patch or wrong entitlements"

I'm obviously doing something wrong here, but I can't figure out what.  If I 
just run the binary on the site, it works just fine.  I'm just trying to patch 
a different location, so I need to recompile.  Any suggestions on what I'm 
doing wrong?

Original comment by [email protected] on 16 Mar 2012 at 4:14


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Try adding "--entitlements tfp0.plist" to the codesign command (and grab the 
tfp0.plist file from above post).

Original comment by [email protected] on 16 Mar 2012 at 4:30


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
That did it.  Thanks!

Original comment by [email protected] on 16 Mar 2012 at 4:52


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
I need a custom ipsw that includes ssh so that i can take the kernel files
and ramdisk from the ipsw and use it to tethered boot that device and
access the files via ssh.
My main need is the ipsw with ssh for every device that runs ios5!

If you can do this, I am willing to pay you $250. Please let me know
something soon.


Thanks, Brooklyn

Original comment by [email protected] on 31 Mar 2012 at 7:53


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
I'm in deep trouble here... probably amateur problems for you guys.
Short story- ipad 2 5.0.1 jb with absinthe. 
wanted to use iUsers but realized after install it was for 4.x and lower. 
Uninstalled iUsers, caused springboard to crash every respring.
Was planning to re-jb with absinthe however unable to jb because "stash" is 
found. 
I simply went into iFile, renamed "stash" to "stashs" then on the next respring 
i have gotten stuck on the apple logo. i would like to stay on 5.0.1 until 5.1 
is jb'en.
if anyone has a suggestion on what i can do- i would be greatly appreciative. 
also, blobs saved but not working so my only alternative im aware of is restore 
n update (super sad face)
thanks in advance.
-mike 

Original comment by [email protected] on 2 Apr 2012 at 8:04


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@iDenverLLC
For now there is no way to boot a custom ramdisk on A5 devices, so if your 
device is stuck in a reboot loop there is (afaik) nothing you can do to fix it 
without restoring.

Original comment by [email protected] on 8 Apr 2012 at 9:32


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Could this be a workaround?

http://www.idownloadblog.com/2012/03/25/new-a5-ios-5-1-downgrade-bug/

Original comment by [email protected] on 24 Apr 2012 at 6:10


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
I came across this by accident, @jean on comment #2 can the patch be modified 
to 1) patch out the usb power restrictions on the ipad camera connection kit? 
2) Overclock A5 devices?

Original comment by [email protected] on 1 Aug 2012 at 3:21


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@Gero3977 i suppose it is possible, you can look at comex's tool which has the 
signature for the code to patch (it might have changed on newer 
kernels/devices):
https://github.com/comex/datautils0/blob/master/make_kernel_patchfile.c#L67
For overclocking i have no idea if it is possible or not.

Original comment by [email protected] on 4 Aug 2012 at 12:15



GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
How is this used?  I have an iPhone 4s that needs the passcode cracked but if I 
can't get in, how will I install SSH in Cydia?

Original comment by [email protected] on 22 Aug 2012 at 9:37


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@dr.modean indeed the tools only work on A5 devices if you know the passcode 
and you can install ssh, or if ssh is already installed.

Original comment by [email protected] on 26 Aug 2012 at 11:15


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Hi, I'm not an expert, but I can't stop here. I'm trying to recover deleted 
videos from an iphone 4S, here is where I got:
- I have a dd .img file of the data partition
- I got a file called dbc8ae0fc259ea91.plist from the device with all possible 
keys

What I want is to run this command:
  python python_scripts/emf_decrypter.py /Users/marc/iphonebackup_rdisk0s1s2.img 

but here is the output:
Traceback (most recent call last):
  File "python_scripts/emf_decrypter.py", line 34, in <module>
    main()
  File "python_scripts/emf_decrypter.py", line 18, in main
    v = EMFVolume(p, device_infos)
  File "/Users/marc/Programs and scripts/iphone-dataprotection/python_scripts/hfs/emf.py", line 98, in __init__
    raise Exception("Missing keyfile")
Exception: Missing keyfile

Where do I put the keyfile so it can decrypt ?

Later I want to use photorec to find deleted files.

Thanks for your help.


Original comment by [email protected] on 29 Aug 2012 at 1:49


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@marc.mathys
try passing the plist filename as a second parameter to emf_decrypter.py :
python python_scripts/emf_decrypter.py /Users/marc/iphonebackup_rdisk0s1s2.img dbc8ae0fc259ea91.plist

however, emf_decrypter only decrypts existing files, so photorec won't find any 
deleted files in the image. the tools here do not support deleted files 
recovery for the iPhone 4S (except the emf_undelete script but it is very 
limited).

Original comment by [email protected] on 29 Aug 2012 at 7:12


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
I am very new to this. My iPhone 4s is stuck in an Apple logo boot loop. Is it 
possible to use this method to hack into the iPhone 4s and retrieve my 
pics/videos? Not trying to recover deleted pics as they are not deleted. Just 
would like to access my pics and copy. Any help would be appreciated.

Original comment by [email protected] on 5 Oct 2012 at 3:08


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@johnp1569 currently there is no bootloader exploit for newer devices (iPhone 
4S/5, iPad 2/3), so it is not possible to get access if the device is stuck in 
a boot loop.

Original comment by [email protected] on 6 Oct 2012 at 1:09


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
hi!
i need to recover deleted photos and video from an iphone 4s. i already saved 
the rdisk0 image with
ssh -p 2222 root@localhost dd if=/dev/rdisk0 bs=4096 | dd of=iphoneraw
and the keychain with keychain_dump so i got cert.plist genp.plist inet.plist 
keys.plist.
now i'm a little bit confused. i read that it is not possible to recover deleted 
data using emf_decrypter but it's possible with emf_undelete.
could you tell me how i should use the emf_undelete script??

now, i also need to wipe the iphone and put a non-jailbroken ios on it. so in order to 
do this, what else should i save from the iphone that will enable me to recover 
deleted files in the future? something else like dd or keychain_dump??

thanks in advance

Original comment by [email protected] on 7 Oct 2012 at 10:51


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@andrei.mihajlovic
the emf_undelete script is very limited and will most likely recover nothing. 
if you want to use it, you have to dump rdisk0s1s2 and follow the instructions 
in this comment : 
http://code.google.com/p/iphone-dataprotection/issues/detail?id=49#c7

a better way to recover deleted files is to dump the nand, but currently the 
nand dumping tools do not support the iphone 4S.

Original comment by [email protected] on 9 Oct 2012 at 7:13

from iphone-dataprotection.
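
Added example (not part of this thread or of the iphone-dataprotection tools): an earlier comment reports trouble with a dd image pulled while the data partition was mounted and in use. The sketch below records a SHA-256 for each acquired image and counts the 4096-byte blocks that differ between two acquisition passes; the function names and file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of iphone-dataprotection. Function and file names
# are assumptions made for illustration.

BLOCK_SIZE=4096   # same block size as the dd command quoted in the thread

# Print the SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire_image OUT_FILE CMD [ARGS...]
# Runs CMD (which must write the raw image to stdout), stores the stream in
# OUT_FILE and records its SHA-256 in OUT_FILE.sha256.
# With the command from the thread this would be called as:
#   acquire_image pass1.img ssh -p 2222 root@localhost dd if=/dev/rdisk0s1s2 bs=4096
acquire_image() {
    out=$1
    shift
    "$@" > "$out" || { echo "acquisition command failed" >&2; return 1; }
    [ -s "$out" ] || { echo "empty image: $out" >&2; return 1; }
    sha256_of "$out" > "$out.sha256"
}

# verify_image FILE
# Succeeds only if FILE still matches the hash recorded at acquisition time.
verify_image() {
    [ -f "$1.sha256" ] || return 2
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# changed_blocks A B
# Prints how many BLOCK_SIZE blocks differ between two acquisition passes.
# A non-zero count for two passes over a mounted volume means the filesystem
# changed while it was being read, so neither image is a consistent snapshot.
# Bytes beyond the end of the shorter file are not counted.
changed_blocks() {
    { cmp -l "$1" "$2" 2>/dev/null || true; } | awk -v bs="$BLOCK_SIZE" '
        { blk = int(($1 - 1) / bs)
          if (!(blk in seen)) { seen[blk] = 1; n++ } }
        END { print n + 0 }'
}
```

Run acquire_image twice in a row and pass both files to changed_blocks before spending time on decryption; keep the .sha256 files with the images so verify_image can confirm later that a copy was not altered.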

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@[email protected]
i look at the files in ramdisk_tools folder. there are only the source code of 
device_infos.c and systemkb_bruteforce.c
the problem is that i work under linux so i can not compile them.
>gcc device_infos.c -o device_infos
>device_infos.c:3:43: fatal error: CoreFoundation/CoreFoundation.h: File o 
directory non esistente
compilation terminated
may i ask you the favor to compile these files so i can execute them on the 
iphone?

thank you very much

Original comment by [email protected] on 10 Oct 2012 at 10:56


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
you can get compiled binaries in this blogpost :
http://www.securitylearn.net/2012/04/22/extracting-aes-keys-from-iphone/

Original comment by [email protected] on 21 Oct 2012 at 12:46


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Jean is it possible to access 4s/5 file system over SSH if you don't know the 
password to access the phone? Ramdisk won't work still right?

Original comment by [email protected] on 7 Nov 2012 at 3:11


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
this is not possible, unless the device is jailbroken and ssh is installed.

Original comment by [email protected] on 7 Nov 2012 at 10:07


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Jean is it possible to get the shsh blobs from my jailbroken ipad2 after I 
patch the living kernel? 

Original comment by [email protected] on 28 Nov 2012 at 2:07


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
yes it should be, there's a tool on the repository to do that but i don't 
remember testing it on the ipad2
(http://code.google.com/p/iphone-dataprotection/source/browse/ramdisk_tools/shsh_dump.c)

i'll see if it works and let you know if that's the case

Original comment by [email protected] on 4 Dec 2012 at 8:48


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Sadly it failed, saying:
"
NAND configuration: 16GiB (2 CEs of 4096 blocks of 256 pages of 8192 bytes 
data, 32 bytes spare
iOS 5 kernel detected, replacing IOFlashControlerUserClient::externalMethod
Found IOFlashControlerUserClient::externalMethod at 806088d0
IOMemoryDescriptor__withAddress=80223e8d
Found externalMethod ptr at 8060e070
vm_write into kernel_task OK
Mallocing 300000 bytes for boot partition
Segmentation fault: 11
"

I managed to get a core dumped as other *nixes, but ipHonEos seems not with 
this function.

Original comment by [email protected] on 4 Dec 2012 at 10:16



GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
this solution is for iphone 4s, and ipad 2. But what will happen if i apply it 
for ipad 3?

Original comment by [email protected] on 21 Dec 2012 at 3:08


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
My 4S is stuck in a boot loop (recovery mode), because i deleted some 
springboard file in ifile accidentally. is it possible to access ssh and 
undelete those files, hopefully to get the device to boot again? my 4s is on 
5.1.1, please help

Original comment by [email protected] on 23 Dec 2012 at 6:31


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Hi there.

When will the nand dumping tools support the iphone 4S / 5? :)

Thx for your work!

Original comment by [email protected] on 27 Dec 2012 at 11:24


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Dumping the nand on iphone 4S/5 requires two things
- ssh access on the device through jailbreaking, afaik that's not yet possible 
for the iphone 5 or the iphone 4S on ios 6.
- fixing the nand dumper code for newer devices, and reversing the ppnftl to 
extract data from the images. this is still on my todo list but nothing has 
been done yet, i'll update issue 61 when i make some progress.

Original comment by [email protected] on 30 Dec 2012 at 1:10


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
This issue was updated by revision a409017586f5.

Original comment by [email protected] on 30 Dec 2012 at 1:16


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@persmule that last commit should fix the segfault. However currently the tool 
will only display the apticket.

Original comment by [email protected] on 30 Dec 2012 at 1:17


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Issue 90 has been merged into this issue.

Original comment by [email protected] on 5 Feb 2013 at 9:45


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
I am trying to use it for iPhone 4s 6.1 but kernel patching fails. any ways to 
make it work?

Original comment by [email protected] on 6 Feb 2013 at 12:20


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
The kernel patcher needs modifications to handle the iOS 6 kernel (KASLR, 
non-writable code pages). I'll post it here when it's done.

Original comment by [email protected] on 10 Feb 2013 at 12:05


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Hello, I have updated my ipad3 from jailbroken 5.1.1 to 6.1 using OTA and it 
crashed. It's now in a recovery loop.
I want to recover my data stored in my iPad!

I have tried restarting the update (I made a little program that uses 
libmobiledevice). The output stops at fsck verifying /dev/disk0s1s2. It's 
frustrating because it says "Limited repair mode, not all repairs available 
[...] failed to repair"!
Is there absolutely no way to access nand without a bootrom exploit?
Wouldn't it be possible to execute a custom update process or execute a custom 
signed executable?

Original comment by [email protected] on 22 Feb 2013 at 11:01


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Kernel patching modified for overclocking.
Is it possible?
And is kernel patching permanent or temporary only?
BTW, yea iOS implements better kernel protection. Kernel patch should be modified 
to turn off essential security, such as KASLR etc.
Hope someone can answer my question.

Original comment by [email protected] on 24 Feb 2013 at 8:11


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@guillaume afaik it's not possible on the ipad3

@darrenliew96 i have no clue about overclocking, but that seems dangerous ;) 
the kernel_patcher tool here is temporary, you have to re-run it after a reboot.

Original comment by [email protected] on 24 Feb 2013 at 10:34


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@Jean: CPU frequency shows the MHz of the CPU.
It works on iOS 5 but does not show the CPU frequency anymore in iOS 6.
I quickly used sysctl -a and I cannot find hw.cpufrequency in system call.
Any idea on where Apple places the hw.cpufrequency in recent iOS?

Original comment by [email protected] on 24 Feb 2013 at 2:15



GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
I have an iPhone 4s running 5.1.1, jailbroken with redsn0w.  Appsync 3.1 was 
installed and now the phone is stuck in a boot loop to the point that I 
couldn't get into DFU mode.  I am now able to get in DFU and iTunes recognizes 
it. (iTunes does recognize the phone while boot looping but displays an error 
that it's password protected.  I don't know how to get past that.) The backup I 
have is over a year old and there are some notes that I need to retrieve.  Is 
there a way to do that or fix it from boot looping?

Original comment by [email protected] on 27 Feb 2013 at 3:36


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
I've got an iphone 4s stuck in apple logo -> recovery mode loop. It's jailbroken 
with absinthe. Is it possible to ramdisk it and save the files? Are there any 
workarounds for A5 devices? I have tried tools such as tinyumbrella etc...

Original comment by [email protected] on 28 Feb 2013 at 6:44


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Please can you help with my iphone 4s??

My 4S is stuck in a boot loop and apple logo. All I did was update in cydia and 
now I can't get it back on for the last 5 days. I have too many important files on 
my phone, i can not restore. is it possible to access ssh and undelete those 
files, hopefully to get the device to boot again? my 4s 
thank you

Original comment by [email protected] on 4 Mar 2013 at 4:15


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
afaik, it is not possible to fix or recover files on A5 devices stuck in boot 
loop (because there is no bootloader exploit), sorry.

Original comment by [email protected] on 4 Mar 2013 at 8:57


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
hello how can i ssh into my iphone 4s if it stuck on applelogo? i cant seem to 
find my iphone ip address through my router, well i find it but cyberduck 
doesnt recognize it. there has to be a way to get into my iphone files??

Original comment by [email protected] on 4 Mar 2013 at 3:36


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@mrju30 : you can't

Original comment by [email protected] on 6 Mar 2013 at 9:28

  • Changed title: Support for A5+ devices (iPhone 4S, iPad 2, iPhone 5, ...)


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Issue 96 has been merged into this issue.

Original comment by [email protected] on 6 Mar 2013 at 9:31



GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Hello

DEV: iphone 4s    IOS: 6.0.1  

mark:/bin root# device_infos
Trace/BPT trap: 5
mark:/bin root# bruteforce
Trying to patch IOAESAccelerator kernel extension to allow UID key usage
IOAESAccelerator Kernel patching failed
IOAESAccelerator returned: e00002c1
IOAESAccelerator returned: e00002c1
Trace/BPT trap: 5

Original comment by [email protected] on 9 Mar 2013 at 9:45


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
I have the exact problem as @mrju30!!! My last backup was November. I decided 
to just wipe it all out and allow the upgrade to iOS6.

Is there any way I can capture a disk image (e.g. with dd) of the current iPhone 
4s state (only about 4gb of 64gb used) and in the future recover files 
(Nov-March) from that disk image?

I have so many photos and video... I just need to know if I can capture a disk 
image with dd tool and will that preserve the iPhone filesystem for future, 
low-level scan, recovery? Or.. better yet.. send disk image to data recovery 
center? Is this possible?

And what specifically do I capture? Is it /dev/disk0 (the whole thing) or what 
of the other variations (e.g. /dev/disk0s1s2). And what is NAND? Is that a 
low-level capture? I just want to be able to capture the device as it is 
(though iOS6 is now installed with 4gb of data used) for future recovery or 
send that image to a data recovery place. If I use dd will it preserve the 
low-level architecture so it can undelete files in the future? Please let me 
know! Thanks!!!

Original comment by [email protected] on 19 Mar 2013 at 4:59


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
I SWEAR TO ALLAH!! I would pay $5grand to get this data back... Now or within a 
couple years! Someone let me know if I can use dd or another tool and what 
specifically to back up.

Please note.. I have very little knowledge on how hard disks and flash and NAND 
or whatever works. I'm a complete ignorant fool about that. The only thing I do 
know is Python, Django and C. But I know nothing about hardware.

Original comment by [email protected] on 19 Mar 2013 at 5:04


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@wubilei48 this is a known issue (see above), the kernel patcher does not work 
yet on ios 6.

@mrmatwilson
if the device was wiped then it is afaik impossible to recover the old data, as 
the wipe is done in a secure manner and master encryption keys are physically 
erased from the nand flash.

Original comment by [email protected] on 19 Mar 2013 at 9:00


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Does anyone know when i can SSH into my 6.1.3 iphone 4s ?

Original comment by [email protected] on 22 Mar 2013 at 1:16


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
^ install APT from cydia and openssh

Original comment by [email protected] on 3 Apr 2013 at 5:03



GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Hi,

i have some problems with a iPhone 4s.

After downloading and compiling ur latest tools and execute, i get the 
following outputs:
--------
./1_kernel_patcher 
Found IOAESAccelerator UID ptr at 8056198c
vm_write into kernel_task OK
--------
./2_device_infos 
--> lots of device informations
--------
./3_bruteforce 
Writing results to 81304c87ca204542.plist
--> and the bruteforce
--------

Now i want to decrypt my dd.

Here is what i do with the emf_decrypter and what i get:
--------
./emf_decrypter rdisk0s1s2 81304c87ca204542.plist
WARNING ! This tool will modify the hfs image and possibly wreck it if 
something goes wrong !
Make sure to backup the image before proceeding
Press a key to continue or CTRL-C to abort
a
Volume identifier : 81304c87ca204542
Searching for ./81304c87ca204542.plist
Data partition offset = 49000
Reading class keys, NSProtectionComplete files should be decrypted OK
--------

After this step no data is decrypted. What's the problem?

Original comment by [email protected] on 8 Apr 2013 at 1:15


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@Hybrid-Heaven the C version of emf_decrypter is not maintained anymore, you 
have to use the python version (python_scripts/emf_decrypter.py)

Original comment by [email protected] on 9 Apr 2013 at 8:21


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Ok, this was the problem! Works fine now! Thank u!

Original comment by [email protected] on 11 Apr 2013 at 10:41


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Does the kernel patcher work on iOS 6 yet? I look forward to dd'g and 
decrypting the images of more recent iOS platforms :)

Thanks!

Original comment by [email protected] on 25 Apr 2013 at 11:23


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@deniselee80 no, it isn't done yet. i will update this issue when it is.

Original comment by [email protected] on 26 Apr 2013 at 8:51


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
HI Guys,

this seems to be the right place to ask: is it, in general, possible to have 
photos recovered from an iphone 4s which was restored by itunes? i mean, IF i 
can access by ssh(atm 6.1.3 no chance) and get a "disk image", will there be a 
chance, that "normal" recovery software like getdataback/photo recovery will 
find anything in it?

since i just lost 300 photos/videos of my daughter's first half year, i am also 
glad if anyone will break this apple-thing and get the photos from the flash ;)

pls dont ask: NO there is NO backup... done ever... :(

Original comment by [email protected] on 4 May 2013 at 9:00


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@kaigorski79 if the device was restored then there is afaik no way to recover 
the data, as the restore process does the equivalent of a wipe on the data 
partition.

Original comment by [email protected] on 6 May 2013 at 8:17



GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
I am a beginner and from the above comments, it would work on iPad 2. However, I 
don't know how to use the attached files. You know the previous "kernel_patcher" 
is a py script, but there, it is a text file. Can you help me? Thank you in 
advance.

Original comment by [email protected] on 9 May 2013 at 5:53


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@jean: but hopefully wipe/restore is not equal to a low level format.. my hope 
is that the data still exists as blocks without allocation table and can be 
restored as i get access on filesystem (jb)

Anyone knows how restore works on ios devices? 

Sorry for offtopic

Original comment by [email protected] on 9 May 2013 at 8:06


GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Hi Jean,

I just wanted to clarify under what circumstances a iPhone 4s is recoverable.

I was up to running the kernel_patcher script and the output indicated that no 
keys were pulled from the 4s image. After reading these comments on this page 
several times it looks like:

* If you can actually get into a jailbroken phone you can run the tools assuming 
the prerequisite software / kernel is installed/patched.
* Even if you can get the image decrypted, emf_decrypter can't decrypt deleted 
files and therefore is only of use for existing files.

I must be missing something but if you can get access to the phone but can't use 
emf_decrypter to help restore deleted files, is there any use in running these 
tools at all on a 4s? Because surely the reason to be running them on a 4s is 
if you have deleted files. If you don't have deleted files and just want to 
restore (non)deleted files AND you can get into the phone, surely you 
could just SCP them off the phone?

If you DO have access into a 4s AND have deleted files, you are currently out 
of luck until (if) a suitable exploit can be found?

Cheers.

Original comment by [email protected] on 19 May 2013 at 2:13

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@kaigorski79 afaik restore wipes the data partition, i'll make some tests to 
make sure of that and create a wiki page soon so this question is documented.

@scottpstapleton well technically the undelete stuff would work if you have ssh 
access on a jailbroken 4s, but the scripts need to be updated for the new nand 
ftl (so it's not working yet). also, the kernel patcher needs to be updated for 
ios6. if you don't have ssh access and can't jailbreak the device then there's 
nothing you can do because there is no bootloader exploit.

Original comment by [email protected] on 19 May 2013 at 10:00

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
i have a question, this seems like the place to go to as i can't find any 
answers anywhere else.  i have an iphone 5 on 6.1.2....i installed 
respringcachefix, which basically dumps the /tmp folder on resprings.  i was 
messing around with ifunbox's terminal, and typed in respring...and noticed 
that access was denied to a bunch of the tmp files...keep in mind i am not 
advanced as far as all of these scripts go..but i was like wtf it's not 
deleting everything out of the /tmp folder (i thought that was just cache stuff 
that could be deleted to free space)...so i changed the permission of the 
folder '/tmp' and when i resprang...it deleted everything except for the 
launchd folder..which only contained a lockdown file.  i thought everything was 
fine..until i rebooted.  now i'm stuck in a loop (can still put in dfu..but 
that is it).  openssh is installed on the phone..but nothing will recognize my 
phone so i can get to the terminal.  My brother also has a 6.1.2 jb iphone so i 
could get any file i needed from his if it were possible...so, is there ANY..i 
mean ANY way i can access my phone?  i have iLEX r.a.t. installed with backups, 
and as stated before i could get files from my brothers phone if i needed.  

Is there any possible way to get my phone to a state to where i can access it 
via the terminal?  forgive the lack of knowledge of this stuff, but i'd really 
like to get my phone back up and running.  My sister has an unjailbroken 6.0.1 
(or something similar, not up to 6.1.2 though)iphone5, and she said she'd be 
more than happy to just give it to me and i'd restore/update this phone to 
6.1.4 for her...but that would be a last case scenario for me...i want to fix 
this. i like being on the latest OS possible. I know this doesn't mean much but 
i have all shsh blobs saved from 6.0 on my computer via tinyumbrella. multiple 
backups...and even icloud has a bunch of my stuff.  but i want to fix this 
phone.

sorry for the long post...but if anyone knows how to fix this, please..please 
post and let me know.

Original comment by [email protected] on 23 May 2013 at 3:14

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
sorry, i should say - iTunes and tiny umbrella do see it as a DFU device being 
connected...but both ifunbox and winscp won't recognize the device.  please 
help!

Original comment by [email protected] on 23 May 2013 at 3:20

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@BrandonD518 afaik if your device does not boot to the point you can get 
access, then there is nothing you can do (except restore).

Original comment by [email protected] on 26 May 2013 at 11:07

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Hi there!

I'm running the "undelete" command of ios_examiner in an iPhone 3GS. The 
undeletion process is working OK (is recovering files etc) but it's been 
running for more than 48 hours now (the device has 32 GB but ONLY 4 GB of free 
space) and still no clue when it will end.

A previous attempt (with the device nearly empty, so nearly 32 GB of free 
space) crashed after 48+ hours.

Any advice will be more than welcome.

I'm using this for some experiments in my PhD studies. If an iPad1 or an 
iPhone4 will be noticeably faster, I might purchase one of those as well (our 
test devices include also an iPhone5 and an iPad3, but those are not supported 
yet). Please fix kernel_patcher! :)

Best regards, congratulations, and keep up the good work!!! :**

Original comment by [email protected] on 26 May 2013 at 9:14

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
did you acquire an image (nand_dump command, then restart ios_examiner with the 
image file and plist as parameters), or did you run the undelete command 
directly ? running the command directly is very slow because all the read 
operations are proxied over usb to the device.
in any case, after 48h is there still some new output, or is it stuck ? what is 
the last output in that case ?
you can create a new issue with this information and any other details that 
might be useful.
thanks.

Original comment by [email protected] on 27 May 2013 at 4:00

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Hi all, plz help..
can i ssh into my iphone 4s ios 5.1.1 stuck on bootloop? My iphone isn't 
recognized in any iphone file manager. i tried to fix it by disabling 
mobilesubstrate but nothing works. i tried the last version of iphone data 
recovery, and when i put my iphone in dfu mode this application blocked then 
gave an error. i'm stuck & i need my data plz help.. & i never backed up my data 
with itunes. if there is a way to backup data from dfu mode or create 
no_erase_data ipsw or any solution ... thank you for ur reply

Original comment by [email protected] on 27 May 2013 at 6:37

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@armada.dj87
afaik it is not possible to fix bootloops on iphone4S and newer devices without 
restoring.

Original comment by [email protected] on 28 May 2013 at 5:20

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Thanks ... I can say goodbye to my data...

Original comment by [email protected] on 29 May 2013 at 5:15

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
hi I have a problem with my iPhone 4s.. I lost my camera app. I don't know why it's 
gone and even my application menu was gone. so now I cannot use my camera 
in any way. what should I do to have that back?

I hope you can help me soon I need my camera app. back

thanks 

Franz

Original comment by [email protected] on 1 Jun 2013 at 11:47

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Hello, jean.
Is it okay to patch the living ios 6 kernel, to crack the lockdown passcode of 
a dual-core idevice with bruteforce?

Now, bruteforce and kernel_patcher will crash the kernel instantly.

Thanks for regardness!

persmule

Original comment by [email protected] on 24 Jul 2013 at 9:25

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@persmule
i havent fixed kernel_patcher to support ios 6 yet, still in the todo-list ...

Original comment by [email protected] on 24 Jul 2013 at 8:53

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
I have got a jailbroken iphone 4s running ios 5.0.1, and I try to run your 
shsh_dump to get its shsh blobs. But the program gets the IMG2 magic 0x1e925e60 
(not 0x494d4732) and returns with -1. What is wrong with my device? Can I bypass 
the magic check at shsh_dump.c:132?

Original comment by [email protected] on 27 Sep 2013 at 3:31

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Hey guys,

it's now already 6 months ago that Armada asked the question. Did anyone find 
in the meantime a solution to recover the data of a non-jailbroken iphone 4s? 
DFU as well as recovery mode works, iphone data recovery crashes....
Thanks Joe 

Original comment by [email protected] on 4 Oct 2013 at 10:07

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Hello!

Can anyone tell me if it is possible to run "device_infos" on an 4S device 
running iOS 6.0.1?

compiling "device_infos", using code pulled on Oct 7 2013, then ssh'ing it over 
to the device and running, results in:
Trace/BPT trap: 5

The device is jb and I have been able to extract an image, but have not been 
able to decrypt the image since I cannot figure out how to extract the keys.

My ultimate goal is to be able to decrypt the entire image and then mount it so 
that I can look through it.

Any help anyone may have would be greatly appreciated.

Thank you,

frankmarco2000

Original comment by [email protected] on 8 Oct 2013 at 7:16

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@persmule the tool is buggy, sorry...
@Joe.Pagels not possible afaik for devices newer than iphone 4
@frankmarco2000 the tools wont work on ios6, the kernel patcher needs to be 
updated

Original comment by [email protected] on 8 Oct 2013 at 7:56

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Hi Jean,

Although i wasn't able to use your instruction (iOS 6) i want to thank you for 
the support you're giving to all these unknown people. Tells me you're a great 
person!

Keep up the good work :-)

Original comment by [email protected] on 13 Oct 2013 at 1:03

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Hi People,

I have this damn iPad 2, i think it has an A5 chip, and don't know the iOS version 
(4.3 or 5.1?). It was jailbroken with (it had Cydia & Installous) and the kids 
wanted to upgrade within iPad / Software Update, and now it's STUCK in RECOVERY 
MODE (bootloop). i have tried TinyUmbrella etc. i just wanted to get some 
videos out of it and throw it away. i'm trying [SSH ramdisk maker & loader] but 
it's saying:

Connect a device in DFU mode
MobileDevice event: DfuConnect, 47c1227, 4008940
DFU device 'UNSUPPORTED' connected
Ignoring unsupported device UNSUPPORTED

Can't seem to find the problem. should i wait for an upgrade of RAMDISK?


Original comment by [email protected] on 11 Nov 2013 at 2:14

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
I have SHSH Blob i got from tinyUmbrella, does that help?

Original comment by [email protected] on 11 Nov 2013 at 2:21

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
HOW TO PATCH USING WINDOWS? I GOT IPHONE 4S HERE

Original comment by [email protected] on 20 Nov 2013 at 6:24

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
devices newer than iphone4 are not supported (and will most likely never be)

Original comment by [email protected] on 14 Dec 2013 at 2:29

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
ok guys, i am green here but up until a couple of days ago i had 5.0.1 running on 
4s (A5) jb absinthe. so before i restored it to 7.0.4 i ssh'd in and dumped the entire 
disk0 to my pc (disk0, not rdisk0).
i know the image is not perfect since the disk was mounted (couldn't figure 
out how to create a ramdrive and boot from it to unmount the disk 'cause i 
wasn't sure if it is possible at all).
anyway it's a 32gb file.
now i am on 7.0.4 jb Evasi0n.
got ssh.
is it possible to deploy the img back ? 
(how if at all can i create ram drive to boot from?)

Original comment by [email protected] on 27 Dec 2013 at 12:33

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@jean

  Is it possible in the future to fix bootloops on iphone4S ?  thank you

Original comment by [email protected] on 29 Dec 2013 at 4:19

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
@Yakirkid not possible to deploy the image back or decrypt it if you did not 
grab the encryption keys before restoring

@xiejinsheng not to my knowledge, there is still no bootloader exploit for 
those devices

Original comment by [email protected] on 29 Dec 2013 at 11:36

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
have ssh to connect into DFU mode for iPhone 5? 

Original comment by [email protected] on 25 Jan 2014 at 11:25

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
Where can I have ssh to connect to DFU mode for ipad 4?

Original comment by [email protected] on 1 Feb 2014 at 6:20

from iphone-dataprotection.

GoogleCodeExporter avatar GoogleCodeExporter commented on June 25, 2024
iH8Sn0w Discovers iBoot Exploit Making A5(X) Devices Jailbreakable for Life!

Original comment by [email protected] on 2 Feb 2014 at 4:00

from iphone-dataprotection.
