blog_title: Working iPhone recovery ramdisk with SSH ;-)

Requirements: a jailbroken device with patched (pwned) iBoot OR saved SHSH for 3.1.2.

If your iPhone does not boot and you are too lazy to reinsall everything/have some data that needs to be recovered, this may just work for you. Allows you to copy full disk images among other things.

Ramdisk preparation:
Use this tool (Windows with .NET Framework 4 and a pwned ipsw required): RecoveryRamdiskBuilder_rev_2.zip - iphonetunnel-usbmuxconnectbyport - Ramdisk builder package rev '2' - now finds its tar file ;-) - Project Hosting on Google Code

Now we can boot the ramdisk:

iRecovery -f 018-6051-014.dmg.ssh
iRecovery -c ramdisk

iRecovery -f kernelcache.release.s5l8920x
iRecovery -c bootx

Now you need a custom build of iPhone_tunnel utility to connect to SSH:
iphonetunnel-usbmuxconnectbyport - Project Hosting on Google Code

Launch iPhone_tunnel, forward remote port 22 as local port 2022: ./iPhone_tunnel 22 2022
Connect using SSH: ssh root@localhost -p 2022

I tried your tutorial to recover the data, but I get stuck at the iPhone_tunnel part.
It says "waiting for devices" and on my iphone I have a recovery screen. And Winscp is searching, but cannot find host.

Also, -c ramdisk and -c bootx ... what do these commands do? I typed them in after the "-f" commands, but all it did was display "irecovery recovery unitlity by..." info

Originally Posted by Klasniedryg

It says "waiting for devices" and on my iphone I have a recovery screen.

Also, -c ramdisk and -c bootx ... what do these commands do? I typed them in after the "-f" commands, but all it did was display "irecovery recovery unitlity by..." info

This means you haven't booted the ramdisk yet ;-(

When it boots successfully, it shows an Apple logo with the progress bar, just like when it starts an actual restore.

Maybe your version of iRecovery has different option names? what does it say if you launch it without parameters?

Also, what's your device model, iBoot version (just post output of 'iRecovery -s') and what type of jailbreak is installed?

New bootrom devices are supported via a iBSS payload; currently you have to be an advanced user (be able to hex-edit a file and compile a piece of C code) for that..

BTW, I'm looking for volunteers with new-bootrom 3GS and 3.1.2 hashes on file to simplify that step..

Originally Posted by msft.guy

This means you haven't booted the ramdisk yet ;-(

When it boots successfully, it shows an Apple logo with the progress bar, just like when it starts an actual restore.

Maybe your version of iRecovery has different option names? what does it say if you launch it without parameters?

Also, what's your device model, iBoot version (just post output of 'iRecovery -s') and what type of jailbreak is installed?

New bootrom devices are supported via a iBSS payload; currently you have to be an advanced user (be able to hex-edit a file and compile a piece of C code) for that..

BTW, I'm looking for volunteers with new-bootrom 3GS and 3.1.2 hashes on file to simplify that step..

Here is what I have...

-iRecovery -s
iBoot for n88ap, Copyright 2009, Apple Inc.
BUILD_TAG: iBoot-636.66
BUILD_STYLE: RELEASE
USB SN.....
==================
[FTL:MSG] Apple NAND Driver (AND) RO
[NAND} Found Chip .....
[NAND} Found Chip .....
[NAND} Found Chip .....
Entering recovery mode, starting command prompt
limiting USB input current to 400 mA
limiting USB input current to 400 mA
limiting USB input current to 400 mA
le signature 0x43313133 (line:375)
[FTL:MSG] VSVFL Register [OK]
[FTL:MSG] VFL Init [OK]
[FTL:MSG] VFL_Open [OK]
[FTL:MSG] YAFTL Register [OK]
yaFTL::YAFTL_Open(1:2630): CXT is not valid. Performing full NAND R/O restore ...
[FTL:MSG] VFL_Open [OK]
Boot Failure Count: 15 Panic Fail Cont: 0
Entering recovery mode, starting command prompt
limiting USB input current to 400 mA
limiting USB input current to 400 mA
limiting USB input current to 400 mA
(Recovery) iPhone$


I am using 3gs, 3.12 with 5.11.01 Jailbroken with Blackra1n. No unlock, I have ATT.

I have also been directed to this link. A fella had a almost exact situation as I.

Originally Posted by Klasniedryg

Here is what I have...
BUILD_TAG: iBoot-636.66
...
(Recovery) iPhone$
..
I am using 3gs, 3.12 with 5.11.01 Jailbroken with Blackra1n. No unlock, I have ATT.

iRecovery shell works; that's good. Now try those:

Code:

iRecovery -f 018-6136-014.dmg.ssh

- make sure 018-6136-014.dmg.ssh file is in the same directory as iRecovery; it should output something like 'sending file' and it should take about a minute. If it returns quickly, something is wrong - try another version of iRecovery.

Code:

iRecovery -s

wait for prompt, type 'ramdisk' command and see what happens.
It should output something like this:

Code:

creating ramdisk at 0x44000000 of size 0xf2d600, from image at 0x41000000

Also check the instructions on the wave as most up to date/relevant.

Originally Posted by Klasniedryg

I have also been directed to this link. A fella had a almost exact situation as I.

Except he's got an iPod.. mw and arm7_go commands aren't present in your iBoot..

Alright! I can finally see inside my phone!
The downside, is that I cant find my data anywhere
Do I still need to mount the disks?
There are a bunch of system folders, and two folders 'mnt1' and 'mnt2'

Once again, thank you so much for your help so far.

You probably need to be looking under mnt2

I looked under mnt2 and there is nothing in the folder. I also looked in /dev/mnt2 and the file size is '0'
Please dont tell me I lost it all!!!!

oh well. My wife will have my head off tomorrow when she finds out I cant restore our baby pictures. ......

You may have to mount the iPhone filesystem. Remember that you are running from a ramdisk currently.

The other thing is that I used the pawned 018-6051-014.dmg.ssh file. Maybe I should have used the original?
Also, How do I go about mounting the iphone file system?