Emergency SSH access using a pwn'd DFU mode RamDisk (Win7-32)
Use at your own risk. Experienced users only!! If you don't know what you're doing, stay away!!
Management summary:
When an iDevice won't boot, several remedies are available. SSH, iPhoneExplorer/Browser, etc., and iTunes restore are the normal methods used either to restore a non-bootable device or to gain access to it and implement a fix. This is an alternative approach for when the normal methods don't work and all else fails. Warning: Significant iPhone/computer experience required!!
Disclaimer:
This is not new work. It uses msftguy's tutorial as THE source (forum link not reproduced), adds changes for iOS 4.2.1 and lots of clarification. All thanks go to MsftGuy and so many others.
Purpose:
Acquire SSH access to the root and user filesystems, modify and/or delete the offending program, and reboot without any damage or noticeable change. This process should be considered a last resort. It builds a new ramdisk with SSH included and uses current jailbreaking exploits to load that ramdisk onto the iDevice and gain access. It requires technical knowledge, significant computer and iPhone experience, and is NOT for the beginner or the faint of heart.
Discussion:
Since the release of 4.x, many have experienced booting issues after installing a non-compatible or faulty MobileSubstrate app. Most of the time, the 3GS will boot or respring into safe mode, where it can be accessed and fixed. Unfortunately, once in a while, it does not boot into safe mode. It hangs at the Apple logo. When this happens, I typically get the normal Apple logo for about 5 minutes, then it adds a spinning wheel for another 2-3 minutes, then everything freezes. It doesn't reboot, it does nothing! A force shutdown works, but it does the same thing over and over again.
The problem: !!! No access !!!
During this 'once in a while' situation, SSH, AFC2, iPhoneBrowser/Explorer and iTunes do not work, and the computer does not recognize the device. Nothing I've tried will access or even recognize the device. Without access, it cannot be fixed.
Note: If your iDevice continually reboots (does not freeze), a simpler solution is likely. SSH/AFC2 access may be available for a short time during the reboot process.
Applicability:
Claimed support: iPhone4, iPad I, 3GS old & new bootrom
iOS 4.0 and above
Tested: 3GS, old bootrom, iOS 4.2.1 (Windows 7 PC, iTunes 10.1), jb'd w/PwnageTool
Tested: 3GS, new bootrom, iOS 4.1 (Windows 7 PC, iTunes 10.4), jb'd w/redsn0w (using 4.1 files and keys, see end of post )
Previously jailbroken (any method)
Implements: limera1n for a pwn'd DFU mode exploit
NOT FOR older 2G, 3G devices, or any iOS 3.x
(A similar method using iRecovery is available; see the links referenced above.)
Note: Instructions are written for the 3GS on 4.2.1. Newer/older iOS versions and iDevices should work. My primary reference (the msftguy link in the Disclaimer above) provides a 4.1/3GS tutorial. Make the appropriate changes (a different custom ipsw with different file names) for your iOS / iDevice version.
Requirements:
1: RecoveryRamdiskBuilder_rev_2.zip (download and reference links not reproduced)
2: Restore Ramdisk (038-0082-001.dmg) IV & KEY (3GS, iOS 4.2.1): from theiphonewiki (link not reproduced)
3: Custom 4.2.1 ipsw created by PwnageTool or Sn0wbreeze
4: tetheredboot utility (link not reproduced)
5: itunnel_mux (rev71) (link not reproduced)
Process:
1: Create a "New Folder"
2a: Extract everything (except the custom ipsw) to "New Folder"
2b: Extract the custom 4.2.1 ipsw (I use 7-zip) to a temporary folder
From the temporary folder, find and copy to "New Folder":
a. iBSS.n88ap.RELEASE.dfu,
b. kernelcache.release.n88,
c. DeviceTree.n88ap.img3, and
d. 038-0082-001.dmg. (the restore ramdisk)
3: Execute RecoveryRamdiskBuilder.exe (builds the new ramdisk with ssh included)
Copy/paste the IV and KEY (from theiphonewiki, see Requirements)
Select ramdisk: 038-0082-001.dmg (the ramdisk from the 4.2.1 custom ipsw)
A new ramdisk, 038-0082-001.dmg.ssh, is created (the build runs automatically)
If successful: Completes with: ALL OK; boot with '038-0082-001.dmg.ssh' ramdisk ......
Finished building. Your directory should now contain the builder output alongside the files copied in step 2b (screenshot not reproduced).
4: Put the device in normal DFU mode (instructions link not reproduced)
5: Open a cmd.exe window (run as admin) and navigate to "New Folder"
6: Run tetheredboot to load 3 files onto the iDevice:
tetheredboot -i iBSS.n88ap.RELEASE.dfu -k kernelcache.release.n88 -r 038-0082-001.dmg.ssh
Note: The 3GS screen should be totally white while tetheredboot is running.
------------ Displayed by tetheredboot ------------------
...initializing libpois0n
...ERROR: The process "iTunes.exe" not found.
...ERROR: The process "iTunesHelper.exe" not found.
...Waiting for the device to enter DFU mode
...Found device in DFU mode
...Checking if device is compatible with this jailbreak
...Checking the device type
...Identified device as iPhone2,1
...Preparing to upload limera1n exploit
...Resetting device counters
...Sending chunk headers
...Sending exploit payload
...Sending fake data
...Expoit send
...Reconnecting to device
...Waiting 2 seconds for the device to pop up...
...Uploading iBSS.n88ap.RELEASE.dfu to device
...[================================================] 100.0%
...Waiting 10 seconds for the device to pop up...
...Uploading 038-0082-001.dmg.ssh to device
...[================================================] 100.0%
...Uploading kernelcache.release.n88 to device
...[================================================] 100.0%
...Exiting libpois0n
If the process stops at "Waiting 2 seconds....", start over at step 4.
Note: After loading, the 3GS screen should have a white Apple logo with an empty progress bar
If there were no errors (other than the two iTunes messages), go to step 7.
Note: If tetheredboot in step 6 fails to load the ramdisk (which tends to happen with large ramdisks),
you can try using itunnel_mux to load the kernel, devicetree and ramdisk instead:
6a: tetheredboot -i iBSS.n88ap.RELEASE.dfu
6b: itunnel_mux --kernelcache kernelcache.release.n88 --devicetree DeviceTree.n88ap.img3 --ramdisk 038-0082-001.dmg.ssh
7: execute itunnel_mux.exe to forward SSH connection to the USB (does not terminate):
itunnel_mux --lport 22
------------Displayed by itunnel_mux----------------------------
...[INFO] Waiting for new TCP connection on port 22
...[INFO] Waiting for device ...
...[INFO] Device connected: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
.............. more messages after a connection is made ...........
Note: Leave this window open ...............
8: Open a new cmd.exe window (run as admin recommended)
9: Create/start an SSH session (I use Cygwin for ssh)
ssh root@localhost -p 22
Note: On the first login, ssh will report the ramdisk's RSA host key as new; enter 'yes' to accept it
11: Enter the password: alpine
12: This is your logged in prompt: -sh-4.0#
Note1: itunnel_mux window: [INFO] Device connected .....
Note2: After the connection, the 3GS screen will change to totally white
Note3: If no ssh response/message from either window, check local firewall settings
Mount the / (root) filesystem (contains system settings & files, MobileSubstrate dylibs, etc.):
13: -sh-4.0# fsck_hfs /dev/disk0s1
14: -sh-4.0# mount_hfs /dev/disk0s1 /mnt1/
Mount the /usr filesystem (everything else, i.e. music, media, photos, apps, data, etc.):
15: -sh-4.0# fsck_hfs /dev/disk0s2s1
16: -sh-4.0# mount_hfs /dev/disk0s2s1 /mnt2/
To set the path so you can easily run the device's own tools while navigating the filesystem:
17: -sh-4.0# PATH=$PATH:/mnt1/bin
Congratulations, you now have full root access
Up to this point, the iDevice has NOT been modified in any way, so be careful! After you're done messing around, play it safe and execute: sync; sync; sync (this flushes any pending filesystem writes).
When finished, to terminate the session and restart the iPhone:
18: -sh-4.0# kill 1
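Steps 13 to 18 wrapped in a small shell helper, added here as an example and not part of the original post: it mounts each volume only if fsck_hfs exits cleanly, sets the PATH from step 17, and always syncs before the kill 1 restart. It assumes it is pasted into the -sh-4.0# session on the ramdisk, where fsck_hfs and mount_hfs exist; the device names and mount points are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): steps 13-18 with checks.
# Assumes it runs inside the SSH session on the recovery ramdisk, where
# fsck_hfs and mount_hfs are available.

# Check a volume with fsck_hfs and mount it only if the check passes.
# Usage: mount_checked <device> <mountpoint>
mount_checked() {
    dev="$1"
    mnt="$2"
    if ! fsck_hfs "$dev"; then
        echo "fsck_hfs reported problems on $dev; not mounting it" >&2
        return 1
    fi
    if ! mount_hfs "$dev" "$mnt"; then
        echo "mount_hfs failed for $dev" >&2
        return 1
    fi
    echo "$dev mounted at $mnt"
    return 0
}

# Steps 13-17: root filesystem to /mnt1, user filesystem to /mnt2,
# then add /mnt1/bin to PATH so the device's own tools can be found.
mount_all() {
    mount_checked /dev/disk0s1 /mnt1 || return 1
    mount_checked /dev/disk0s2s1 /mnt2 || return 1
    PATH="$PATH:/mnt1/bin"
    export PATH
    return 0
}

# Step 18: flush pending writes first, then restart the device (kill 1).
safe_restart() {
    sync; sync; sync
    kill 1
}
```

Run mount_all, make your repairs under /mnt1 and /mnt2, then call safe_restart instead of a bare kill 1.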
Other common commands:
ls (list directory), rm (delete), mv (rename or move), cp (copy)
Note: If you save the directory "New Folder", subsequent emergency SSH access is quick & easy. Start at step 4.
All the information you need is available in this thread and on the internet. Experienced users only.
For a 3GS on iOS 4.1 (note: cfw built by PwnageTool), the files are:
iBSS.n88ap.RELEASE.dfu: 108,932 bytes
kernelcache.release.n88: 4,761,412 bytes
018-7080-079.dmg.ssh: 17,962,308 bytes