Thank you very, very much for the fast reply Olethros, seriously. I would have replied sooner, but the forum was down (at least for me)...

Yes, I was able to force the device into the DFU mode, I connected it to my Macbook with OSX --> System Profiler --> got my ECID.. then I started tinyUmbrella v4.1.12 on OS X and clicked on "Manual ECID" and pasted it...

However, under "All Saved SHSHs" nothing appeared and the same thing happens when I check on my winXP PC.... but I know that I clicked on "Make my life easier... am I doing something wrong?

It looks like this: http://img192.imageshack.us/img192/1...nyumbrella.jpg

I blacked out my ECID (didn't know whether it is sensitive).. but it's exactly the same as in the system profiler...

However, my SHSH is supposed to be there... I would even be willing to just move forward as if I would have it, just to check... I also really need it, because I need to restore anyway and still need the unlock.. mhmm...

Originally Posted by tether3d

Thank you very, very much for the fast reply Olethros, seriously. I would have replied sooner, but the forum was down (at least for me)...

Yes, I was able to force the device into the DFU mode, I connected it to my Macbook with OSX --> System Profiler --> got my ECID.. then I started tinyUmbrella v4.1.12 on OS X and clicked on "Manual ECID" and pasted it...

However, under "All Saved SHSHs" nothing appeared and the same thing happens when I check on my winXP PC.... but I know that I clicked on "Make my life easier... am I doing something wrong?

It looks like this: http://img192.imageshack.us/img192/1...nyumbrella.jpg

I blacked out my ECID (didn't know whether it is sensitive).. but it's exactly the same as in the system profiler...

However, my SHSH is supposed to be there... I would even be willing to just move forward as if I would have it, just to check... I also really need it, because I need to restore anyway and still need the unlock.. mhmm...

When you enter a "manual" entry for an ECID that TinyUmbrella already knows about it doesn't add it again.

Think this is because you did this with the iPhone still connected and in recovery mode - while you had TinyUmbrella running.

Try again without the iPhone connected.

Thanks again for the advice. I did as you said, but I still didn't have any luck. I will send you my ECID via PM, maybe you could check if I am doing something wrong (although I don't know what that could be).

Regarding the ECID: In order to make sure that it is the right one, I extracted it via System Profiler in MacOSX in recover mode and via usbview.exe in recovery and DFU mode. I don't know why, but I couldn't hardware force the phone into the DFU mode while it was connected to my MAC.

Anyway, in all three instances, the ECID was exactly the same, so I think it should be the right one...

UPDATE: Olethros helped me with the SHSH files (thanks again!), so now I have my 3.1.2 shsh on file (among others).
Bringing me back to my last step: 10. Two new files have been created in the RamdiskBuilder folder: 018-6051-014.dmg.dec (~16mb) and 018-6051-014.dmg.ssh (~16mb).

UPDATE 2: Msft.guy posted a reply on the wave:

So far seems fine. Note that there's an easier way now, using GreenPois0n exploit: http://www.bingner.com/pwnstrap.html
After you load 3.1.2 ibec using manual steps from this method, you can proceed loading ramdisk and kernelcache.

My answer:

Thank you so much for your reply Msft.guy!
Just to make sure that I don't do anything wrong:
1. I will use the greenpois0n JB and then upload the iBSS from my 3.1.2 custom/pwned ipsw via irecovery, even though the site you linked to specifically says that it only works with ipsw 4.1 or higher?
2. "After you load 3.1.2 ibec using manual steps from this method" - does this mean I should do steps 1-5 from the manual procedure, or 1-6? [I assume step 7 would not be a good idea ]

Also: When I do irecovery -s, I have the feeling that my commands do not really have an effect. printenv for example doesn't do anything, I just get a new command line. "reboot" works though... I am just mentioning this because steps 2 and 6 include various commands that I am supposed to execute in iRecovery and I don't know whether this is a problem or if I should just go ahead with steps 3,4,5 and then proceed w/ loading ramdisk and the kernelcache.
Btw, the fact that printenv (for example) does not seem to "work" happens with iRecovery 1.3 and with the "unofficial iRecovery for new devices" by bingner... I have libusb v1.2.2.0 installed.

Thank you!

Ok. I have been using the mfstguy's video and i get stuck when i have to use putty.

I open the CMD, i write itunnel_mux_rev4 , i open the putty, i write localhost and press open. After that, in the vid it detects the devide but mine is not detected.

What do i do? The itunnel says that i can use it if i write iphone_tunnel 22 22 and the devide id. How can i know the device id?


C:\Users\staskesi\Desktop\Media>itunnel_mux_rev4

iphone_tunnel v2.0 for Mac
Created by novi. (novi.mad@gmail.com)
Restore mode hack by msft.guy ((rev 4))

Usage: iphone_tunnel [<iPhone port> <Local port> [Device ID, 40 digit]]
Example: iphone_tunnel 22 9876 0123456 begin_of_the_skype_highlighting 22 9876 0123456 end_of_the_skype_highlighting...abcdef
Default ports are 22 22
Waiting for device...

There it gets...

device id is also called UDID, it is a 40 digit code that is used by Apple for registering iDevices to their developer program so that they can be used to run beta iOS versions and test applications before they are submitted to the AppStore.

As you are in a "hung"/boot-loop state, you can't get this from iTunes (easiest way) - however this is represented in the MobileSync/Backup folder name that iTunes makes when you sync your iPhone. That is the best way I can think toy you could find this ID.

Hi

I have been working on this recovery today, have solved some things but something isnt right

my 3GS was either 3.1.2 or 3.1.3, it was blackrained

im on a new laptop, old HDD broke, so no backup and its never been synced with itunes on this laptop. I have 9.2 itunes installed

do i not meet one of the pre-req's???

below is the output i get from irecovery

=======================================
::
:: iRain for n88ap, Copyright 2009, Apple Inc.
::
:: BUILD_TAG: iBoot-636.66
::
:: BUILD_STYLE: RELEASE
::
:: USB_SERIAL_NUMBER: CPID:8920 CPRV:14 CPFM:03 SCEP:03 BDID:00 ECID:0xxxxxxxxxxxxx7 IBFL:01 SRNM:[8xxxxxxxxxxxR]
::
=======================================

[FTL:MSG] Apple NAND Driver (AND) RO
[NAND] Found Chip ID 0x3295DE987A on FMI0:CE0
[NAND] Found Chip ID 0x3295DE987A on FMI0:CE1
[NAND] Found Chip ID 0x3295DE987A on FMI1:Cnt: 0
Entering recovery mode, starting command prompt
SG] FIL_Init [OK]
[FTL:MSG] BUF_Init [OK]
[FTL:MSG] FPart Init [OK]
read new style signature 0x43313133 (line:375)
[FTL:MSG] VSVFL Register [OK]
[FTL:MSG] VFL Init [OK]
[FTL:MSG] VFL_Open [OK]
[FTL:MSG] YAFTL Register [OK]
yaFTL::YAFTL_Open(l:2630): CXT is not valid . Performing full NAND R/O restore .
..
[FTL:MSG] FTL_Open [OK]
Boot Failure Count: 15 Panic Fail Cont: 0
Entering recovery mode, starting command prompt

i have made a ramdisk dwg from a normal 3.1.2 ipsw file and got the kernelcache.release.s5l8920x from a pwnage 3.1.2 ipsw

If i run

iRecovery -f 018-6051-014.dmg.ssh

>>> it seems to upload fine

iRecovery -c ramdisk

>>> after this command i cannot run anything else, so i have done it from irecovery -s instead and i see

********creating ramdisk at 0x44000000 of size 0x3ec965, from image at 0x41000000

******** I then control c to be able to run next command

iRecovery -f kernelcache.release.s5l8920x

******** but again i have lost connection, so doesnt work. to get round this i uploaded before running ramdisk

iRecovery -c bootx

******** If i run this from -s then i see the following

Attempting to validate kernelcache @ 0x41000000
gBootArgs.commandLine = [rd=md0 nand-enable-reformat=1 -progress ]gBootArgBootAr
gs.commandLine = [rd=md0 nand-enable-reformat=1 -progress ]
Installing WIFI Calibration

******** on the handset i still see the connect to itunes screen, but i get the waiting clock/circle thing

At this point im not sure if the ramdisk is loaded, as i cannot get the usb to ssh step to work

i downloaded the latest windows version, i get the following

C:\Downloads\Apple\iPhone\itunnel_mux_rev71>itunne l_tunnel 22 22

iphone_tunnel v2.0 for Win/Mac
Created by novi. (novi.mad@gmail.com)
Restore mode hack by msft.guy ((rev 5))

Usage: iphone_tunnel --tunnel [--iport <iPhone port>] [--lport <Local port>] [De
vice ID, 40 digit]]
OR: iphone_tunnel --autoboot to kick out of the recovery mode
OR: iphone_tunnel [--ibss <iBSS file>] [--exploit <iBSS USB exploit payload>]
[--ibec <iBEC file>] [--ramdisk <ramdisk file>]
[--devicetree <devicetree file>] [--kernelcache <kernelcache file>]
Example: iphone_tunnel 22 9876 0123456...abcdef
Default ports are 22 22

C:\Downloads\Apple\iPhone\itunnel_mux_rev71>itunne l_tunnel 22 2022

What is the 40 digit number? cydia has my details

I have tried everything, so not sure what i am doing wrong. has the ramdisk started? do i just need to solve the usb/ssh step?

Any help much appreciated, i will leave my iphone in the loop state for the moment...

i have found my 40 digit id from a very old backup.....

Originally Posted by zippytiff

If i run

iRecovery -f 018-6051-014.dmg.ssh

>>> it seems to upload fine

iRecovery -c ramdisk

>>> after this command i cannot run anything else, so i have done it from irecovery -s instead and i see

********creating ramdisk at 0x44000000 of size 0x3ec965, from image at 0x41000000

******** I then control c to be able to run next command

iRecovery -f kernelcache.release.s5l8920x

******** but again i have lost connection, so doesnt work. to get round this i uploaded before running ramdisk

iRecovery -c bootx

******** If i run this from -s then i see the following

Attempting to validate kernelcache @ 0x41000000
gBootArgs.commandLine = [rd=md0 nand-enable-reformat=1 -progress ]gBootArgBootAr
gs.commandLine = [rd=md0 nand-enable-reformat=1 -progress ]
Installing WIFI Calibration

******** on the handset i still see the connect to itunes screen, but i get the waiting clock/circle thing

At this point im not sure if the ramdisk is loaded, as i cannot get the usb to ssh step to work

i downloaded the latest windows version, i get the following

C:\Downloads\Apple\iPhone\itunnel_mux_rev71>itunne l_tunnel 22 22

iphone_tunnel v2.0 for Win/Mac
Created by novi. (novi.mad@gmail.com)
Restore mode hack by msft.guy ((rev 5))

Usage: iphone_tunnel --tunnel [--iport <iPhone port>] [--lport <Local port>] [De
vice ID, 40 digit]]
OR: iphone_tunnel --autoboot to kick out of the recovery mode
OR: iphone_tunnel [--ibss <iBSS file>] [--exploit <iBSS USB exploit payload>]
[--ibec <iBEC file>] [--ramdisk <ramdisk file>]
[--devicetree <devicetree file>] [--kernelcache <kernelcache file>]
Example: iphone_tunnel 22 9876 0123456...abcdef
Default ports are 22 22

C:\Downloads\Apple\iPhone\itunnel_mux_rev71>itunne l_tunnel 22 2022

What is the 40 digit number? cydia has my details

I have tried everything, so not sure what i am doing wrong. has the ramdisk started? do i just need to solve the usb/ssh step?

Originally Posted by zippytiff

i have found my 40 digit id from a very old backup.....

The hint provided when you run itunnel_mux.exe are wrong

for SSH, the syntax is:

Code:

itunnel_mux.exe --lport 22 --iport 22

that is it.

I use itunnel_mux_rev71 every day on windows and mac for port forwarding SSH and VNC over USB to my iPhone and can confirm that this works for me.

do you think the ramdisk is up?

Here is what i got

C:\Downloads\Apple\iPhone\itunnel_mux_rev71>itunne l_tunnel --lport 22 --iport 22

[ERROR] locate_AMRecoveryModeDeviceSendFileToDevice: Could not locate marker str
ing!
[INFO] Waiting for new TCP connection on port 22
[INFO] Waiting for device...

i seem to have got it sorted...... i have ssh access but i have tried all the mount commands via winscp no joy

i have a 3gs


fsck_hfs /dev/disk0s2s1
mount_hfs /dev/disk0s2s1/mnt2

both commands error in various ways???

help ;-)