Stuck on "Ramdisk load started!" about ssh-rd HOT 13 OPEN

Disconnect and reconnect.
@Yumistar

Ramdisk load started!
MobileDevice event: DfuDisconnect, 1227, 2008930

This happens when I disconnect and reconnect the usb (notice that there is no connection event). I am using a jailbroken 5.1.1 iPad 1st gen.

from ssh-rd.

ok , update. It gets stuck at "Ramdisk load started" now. I dont know if it is getting me anywhere near fixing it. Can anyone help?

from ssh-rd.

Did anyone have any results or fixes for this in the end?

from ssh-rd.

Hey there. I think maybe have a solution for you all. In mux_redux/itmd.c we log to the file /tmp/md.log. After the RecoveryConnect event, you can see the following in the logs

2023-05-21 14:00:32.000 java[54483:1ea03]: amai: AMAuthInstallPlatformCreateBufferFromNativeFilePath: open failed: No such file or directory
2023-05-21 14:00:32.000 java[54483:1ea03]: amai: AMAuthInstallPlatformCreateBufferFromNativeFilePath: /var/folders/sw/rjkzvfjx5gsdq42bpy8qzlrr0000gn/T/ssh_rd/ipsw_ipod11_7E18/BuildManifest.plist
2023-05-21 14:00:32.000 java[54483:1ea03]: amai: AMAuthInstallBundleCopyPublishedVariantsArray: No build manifest. Checking for a different file.
2023-05-21 14:00:32.000 java[54483:1ea03]: amai: AMAuthInstallPlatformCreateBufferFromNativeFilePath: open failed: No such file or directory
2023-05-21 14:00:32.000 java[54483:1ea03]: amai: AMAuthInstallPlatformCreateBufferFromNativeFilePath: /var/folders/sw/rjkzvfjx5gsdq42bpy8qzlrr0000gn/T/ssh_rd/ipsw_ipod11_7E18/BuildManifesto.plist

You may be able to see where this is going... For some reason the file BuildManifesto.plist is missing from the firmware folder in the ssh_rd temp directory. To solve this, you can extract BuildManifesto.plist from the IPSW file by copying it, renaming it to have the extension .zip and extracting BuildManifesto.plist from the top level of the IPSW. You can place it in the extracted firmware folder, in my case ssh_rd/ipsw_ipod11_7E18, that has the .dec, .orig and .p files. Note that you can find the temp directory that is logged at the beginning and throughout the logs in the Java GUI window.

If you did not already have that temporary directory created, you will have to boot your device into DFU mode, let the application run and get stuck, copy that file into the directory, and relaunch the Java program and put your device into DFU again.

Unfortunately I think in trying to get a custom SSH Ramdisk with dd working, I may have botched my filesystem which is really disappointing. But this should be able to get the SSH Ramdisk running on your device! Before I botched it, I was able to run mount.sh and other included commands.

from ssh-rd.

Same here...

Been trying to recover some photos off this 3GS for a few weeks.

from ssh-rd.

from ssh-rd.

Disconnect and reconnect.

from ssh-rd.

Nani?
Why exploiting ssh_rd if you're jailbroken ?
Anyways, Try on another the USB port, else try on another laptop.

from ssh-rd.

Unfortunately the iPad screen is broken so that's why I'm trying to ssh into it. Yeah probably has to do something with the iTunes version. Thanks regardless.

from ssh-rd.

For me. after the ramdisk load starts, i get an error that "the device is not recognised" and then it stops

from ssh-rd.

I reconnected it and it has recognised it but it just says: " Ignoring same device Iphone 4 (GSM)

from ssh-rd.

same here too.
Device: iPhone 4(A1332, iPhone3,1)
OS: Windows XP 32bit on real machine(Pentium E6300, 1GB ram)

in my case, after show "Ramdisk load started!" and
showed log on GUI:

...
Ramdisk load started!
MobileDevice event: DfuDisconnect, 1227, 8930
MobileDevice event: DfuConnect, 1227, 8930
DFU device 'iPhone 4 (GSM)' connected
Ignoring same device iPhone 4 (GSM)
MobileDevice event: DfuDisconnect, 1227, 8930
MobileDevice event: RecoveryConnect, 1281, 8930
MobileDevice event: RecoveryDisconnect, 1281, 8930
Almost there..
MobileDevice event: RecoveryConnect, 1281, 8930
MobileDevice event: RecoveryDisconnect, 1281, 8930
Almost there..
MobileDevice event: RecoveryConnect, 1281, 8930

At command prompt, showed logs:

...
RestoreProgress: dev=14DE3738, op=0 progress=98 ctx=152A24F0
RestoreProgress: dev=14DE3738, op=0 progress=99 ctx=152A24F0
RestoreProgress: dev=14DE3738, op=0 progress=100 ctx=152A24F0
RestoreProgress: dev=14DE3738, op=0 progress=4294967295 ctx=152A24F0

(sorry for my dirty English. I'm Korean, so i write this text as a translator)

from ssh-rd.

Hey @FrederickGeek8, thanks a lot for discovering the missing piece and sharing your repo! 🥳 I have tried to run it on my old iPad but after following the instructions it failed on the 'Sending fake data' step with a SIGSEGV coming from irecv_control_transfer in jsyringeapi.jnilib.

Have you encountered something similar? I don't think you changed anything in the jsyringeapi.c that would cause this, so unfortunately for me, it might be device specific.

Logs from Eclipse:

Waiting for new TCP connection on port 2022
Waiting for device...
Initializing libpois0n
No matching processes belonging to you were found
Waiting for device to enter DFU mode
opening device 05ac:1227...
Found device in DFU mode
Checking the device type
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x000000012b93c2c9, pid=54555, tid=62467
#
# JRE version: OpenJDK Runtime Environment Homebrew (20.0.1) (build 20.0.1)
# Java VM: OpenJDK 64-Bit Server VM Homebrew (20.0.1, mixed mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, bsd-amd64)
# Problematic frame:
# C  [jsyringeapi.jnilib+0x32c9]  irecv_control_transfer+0x49
#
# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# .../java/hs_err_pid54555.log
#
# If you would like to submit a bug report, please visit:
#   https://github.com/Homebrew/homebrew-core/issues
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#
Checking if device is compatible with this jailbreak
Identified device as iPad1,1

from ssh-rd.