Hi everybody of this forum !


I am trying to reproduce the zdziarski's technique to dump iphone 3GS disk.
This guy has created a customized ramdisk with ssh server (live agent recovery).
iLiberty+ and PwnageTool seem cannot be used create this ram disk for the 3GS.
Does anybody know how to do that ?

Thank you for your help.

Originally Posted by kensou

Hi everybody of this forum !


I am trying to reproduce the zdziarski's technique to dump iphone 3GS disk.
This guy has created a customized ramdisk with ssh server (live agent recovery).
iLiberty+ and PwnageTool seem cannot be used create this ram disk for the 3GS.
Does anybody know how to do that ?

Thank you for your help.

You dont necessaryly need to. Is the iPhone jailbroken and cydia on it? You need OpenSSH installed on the iPhone and on the Mac/WindowsPC.
It's there on a Mac in System Settings, has to be activated. On Windows you need to dl a free OpenSSH server. On Windows you need dd aswell to be installed. NerveGas (zdziarski) uses dd and netcat but dd will do.

Find out then the following values
IP-iPhone
IP-Mac/WindowsPC
username/password iPhone : root/alpine
username/password Mac/PC

iPhone and Mac/PC have to be on the same Wlan, set iPhone's auto-lock to "never" and make sure to have it connected to ac, the process will take 3 hours if your iPhone is 8GB ;-)

On the Mac/PC start command prompt (PuTTY-Windows; Terminal-Mac), log into the iPhone

ssh -l root IP-iPhone

then

dd if=/dev/disk0 | ssh usernamePC@IP-PC 'dd of=iphone-image.img'

Thats it.

Thank you for your response.

When looking video of zdziarski, the iphone wasn't not jailbroken.
In my understanding the following steps have to be performed:

In recovery mode:
1) a custom ramdisk is sent with an openssh server embedded with iRecovery

(the openssh server cannot run yet because the iphone is not jailbroken)

2) the iphone is restarted with "boot-args (some special args) + fsboot" with irecovery

3) As the iphone is NOT jailbroken a custom kernel is sent (the same that is sent by Redsn0w)

4)the iphone is now jailbroken and the openssh server is running

5) the rest is like you describe in your procedure.


I am a newbie so I am sorry if I misunderstood somewhere

Originally Posted by kensou

Thank you for your response.

When looking video of zdziarski, the iphone wasn't not jailbroken.
In my understanding the following steps have to be performed

You are right, this is a different story. If you just want to recover lost photos cause your iPhone got stuck in recovery or so, the way above is the easiest. i have done it via ramdisk a few times, it's the correct way if you are up to forensic recovery. 99,99 % of the users are not, just wanting to recover lost stuff.

I am interrested only with forensics case.
I take the case of a stolen iphone. I'd like recover some informations without knowing the passcode.

Hope someone can help

Originally Posted by kensou

I am interrested only with forensics case.
I take the case of a stolen iphone. I'd like recover some informations without knowing the passcode.

Hope someone can help

Sorry, no help from my side. Removing the passcode is one of the things both solutions do. If you are into a gouvernment agency, I'd recommend to contact NerveGas or at least buy the book.

Thread closed.