trying to save user data on 3GS stuck in recovery mode
(I apologize in advance if this is in the wrong place, or contains erroneous conclusions or technical information.)
My wife dropped her iPhone 3GS in water for a few seconds. The unit stopped working. I am hopeful that it will work again, at least to get some data off of it, because 1) iTunes indicates it recognizes an iPhone in recovery mode, 2) I can put the phone into recovery mode (i.e., so that the unit displays the Connect to iTunes image), 3) it seems to take and hold a charge, and 4) after some time with the “Connect to iTunes” image, it returns to display the Apple logo (though the screen is very faint).
My goal is to save the photos she took on it but didn’t sync to our macbook.
I believe there are 2 basic ways to proceed: 1) attempt to get the iPhone out of recovery mode to boot in normal mode, without performing the entire “restore” operation, or 2) perform the restore operation, and then attempt to use forensic data recovery techniques to attempt to recover the data itself.
I have not performed the restore operation in iTunes because my understanding is that this will delete the filesystem on the user data partition, making it much harder to get the data off of the iPhone, though I believe it wouldn’t erase the data itself.
Based on my research, it appears that ZiPhone used to have the functionality I am looking for, but does not for a 3GS. Also, it appears that the Pwnage Tool versions 3.14 and 3.15 have the option “Disable partition wipe-out” greyed out so that option can’t be checked.
So, I have ordered Zdziarski’s book “iPhone Forensics,” and have several times watched a YouTube video narrated by the author and distributed by the publisher, O’Reilly. I believe the following steps should work to accomplish my goal:
1. Customize a .ipsw file to include both a) allowing the iPhone to accept unsigned code, and b) the actual unsigned code that disables the user partition wipe-out that normally occurs as part of iTunes’s restore operation; and
2. Use iTunes’s Restore Mode to deliver that customized .ipsw file to the iPhone.
Step 2 is easy – just using iTunes. I believe I can perform step 1 via a combination of Pwnage Tool version 3.14 or 3.15 and xpwn and/or the ipsw application, using the --nowipe operator in ipsw (which I am gathering functions similar to the bin/true function in allowing the restore function to complete and exit gracefully without wiping the user data partition).
So my 4 questions are: 1) do you think the above would/should work, 2) if so, where can I find the most recent ipsw application, and a step-by-step description of how to compile (?) and run it, 3) is there a better/easier/known way to do this? And 4) should it matter which firmware version I use, i.e. does it need to match what was on there before, or does it just need to work with an iPhone 3GS?
I do not know which firmware version was on the iPhone. Is there any way to tell from the serial number? The 4th and 5th digits of the serial number are 37, which I believe means the device was manufactured in the 37th week of 2009, which would translate to approximately mid-late September based on information from Apple’s website and Wikipedia, and Google searches.
Please let me know if you have ANY thoughts or suggestions. Thanks for reading and helping.
Good news is that it is an old bootrom 3GS. So you can load the custom IPSW without a problem.
I want to dive into this area also but I lack time. I can give you some tips but I have not got much further than you on this issue yet.
Olethros, thank you for your quick and helpful reply. Are you able to tell that it is the old bootrom based on the serial number, or some other way? Also, I have found a Windows version of ipsw.exe that contains the -nowipe operator. Do you think that taking a .ipsw file that has already been customized via Pwnage 3.14 for firmware version 3.1.2, and then using the ipsw application with the -nowipe operator, will yield the file I need to restore with? Do you know of any other sources of information about ipsw.exe vs. xpwntool.exe? Thanks again.
ipsw.exe --> I never heard of such a thing. I suggest you don't go near that.
You are looking for something really special that cannot be easily explained. Basically, you need a custom ipsw that does only the NOR restore and leaves the NAND intact.
However, in your situation, I am not sure if the NOR-only restore would work since the phone was dropped in water and now in recovery mode which normally means you need a full restore which will wipe your data completely.
My question for you is: has this iPhone been jailbroken before? If the device was not jailbroken prior, then there is no way to slap a custom firmware on the device.
Olethros is away for a few days. I'm no expert on dealing with forensic stuff, however, I will try to help as much as I possibly can. In the meantime, I suggest you tread carefully with the iPhone in its current condition. One wrong move and you're toasted.
Based on the week of production of your 3GS, anything produced prior to week 40 can be concluded to have an old bootrom, which is also another requirement for using a custom ipsw.
dtube, thanks. ipsw is an application that is part of xpwn. The readme file in xpwn describes in reasonable detail how it's used. Basically it is a program to create a custom .ipsw from an existing .ipsw (just like Pwnage etc.), with certain specifications, including one that allows the NAND to be left intact. The problem there is it appears ipsw will not customize firmware for a 3GS.
The phone was not previously jailbroken, that is why I was attempting to use Pwnage Tool 3.14 to get the bootrom to accept unsigned custom firmware (other post of mine you responded to where Pwnage Tool 3.14 is hanging when trying to put it into DFU mode). Not sure I answered your questions, but am out the door - will follow up later. Thanks again.
ahh ... ok. I forgot all about xpwn :-). sorry about that.
xpwn needs to be updated to support 3GS firmware, and compiling xpwn for Windows is not for the faint of heart.
If your phone was jailbroken before then LLB is pwned. It will take a custom ipsw on the device with old bootrom.
Now we must understand why the iPhone is in recovery mode. Right now, when you turn off the phone (slide to power off) then turn it on, what is it doing? What appears on the phone? What firmware was on the phone before? How did you jailbreak the iPhone (with redsn0w or blackra1n)? We need more info before attempting to fix this.
Originally Posted by WillW: The phone was not previously jailbroken
Can you at least provide some relevant info?
1. iBoot/NOR version: post the iRecovery -s output you get after putting the phone into recovery mode.
2. Firmware version: you probably don't know that; that's why the first point is really necessary.
3. bootrom version: see "How to Check iPhone 3GS New Bootrom / Old Bootrom (iBoot) Version" (Redmond Pie). The serial number only provides you an estimate. You need to get the bootrom version in DFU to be sure.
Two relevant links:
Mostly iPhone hacking: Working iPhone recovery ramdisk with SSH ;-)
Mostly iPhone hacking: Data recovery: not just for iBoot-pwned devices
Also you might be overestimating the importance of those pix - I don't know how much your own time costs, but the time of people that are trying to help you is also valuable - please consider that before proceeding with your recovery attempts.
PS. Zdziarski's book is a bit outdated AFAIK - it was written in the FW 1.x-2.x timeframe when there was a DFU-level exploit 'pwnage' available for all devices and NOR wasn't personalized.
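The serial-number triage discussed above (the 4th and 5th digits are the manufacturing week, and a 2009 3GS built before week 40 is taken to be old bootrom, with the caveat that this is only an estimate until the bootrom is read in DFU mode), as an added example that is not part of the original thread. It assumes the legacy 11-character Apple serial layout (plant, year digit, week, unit, model) and uses constructed serials.

```python
from datetime import date

# Assumed legacy 11-character Apple serial layout (pre-2010 devices such as
# the iPhone 3GS): PP Y WW UUU MMM
#   PP = plant code, Y = last digit of the year, WW = week of manufacture,
#   UUU = unit id, MMM = model code.
# The week-40 cut-off for the old 3GS bootrom is the rule of thumb from the
# thread. It is an estimate only; the real check is the bootrom/iBoot
# version reported by the device in DFU mode.
OLD_BOOTROM_WEEK_CUTOFF = 40


def parse_legacy_serial(serial):
    """Return (year, week) from a legacy Apple serial, or raise ValueError."""
    s = serial.strip().upper()
    if len(s) != 11:
        raise ValueError("legacy Apple serials are 11 characters")
    if not (s[2].isdigit() and s[3:5].isdigit()):
        raise ValueError("year/week fields must be digits")
    d = int(s[2])
    # Single year digit is ambiguous across decades; assume the iPhone era
    # (2005-2014), so '9' -> 2009 and '0' -> 2010.
    year = 2000 + d if d >= 5 else 2010 + d
    week = int(s[3:5])
    if not 1 <= week <= 53:
        raise ValueError("week out of range")
    return year, week


def week_date_range(year, week):
    """Monday..Sunday of the given ISO week, as ISO date strings."""
    start = date.fromisocalendar(year, week, 1)
    end = date.fromisocalendar(year, week, 7)
    return start.isoformat(), end.isoformat()


def bootrom_estimate(serial):
    """Estimate old/new 3GS bootrom from the serial; never treat as final."""
    year, week = parse_legacy_serial(serial)
    likely_old = year == 2009 and week < OLD_BOOTROM_WEEK_CUTOFF
    return {
        "year": year,
        "week": week,
        "built_between": week_date_range(year, week),
        "likely_old_bootrom": likely_old,
        "confirm_in_dfu": True,  # serial gives an estimate only
    }
```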