kosmakoff / iphone-dataprotection


Automatically exported from code.google.com/p/iphone-dataprotection

Batchfile 0.02% Python 41.55% Shell 0.83% CMake 0.18% C 54.80% Makefile 0.33% Protocol Buffer 0.73% C++ 1.24% Objective-C 0.06% Assembly 0.26%

iphone-dataprotection's Issues

Problems with current SDK?

What steps will reproduce the problem?
1. Install current Xcode
2. Compile the sources
3. Run the exploit on an iPhone/iPad
4. Try to connect to the iPhone/iPad per SSH.

What is the expected output? What do you see instead?
Instead of some kernel output and the expected "OK", the iPhone shows an 
Apple-logo and an empty progress bar below. 

What version of the product are you using? On what operating system?
Current version, cloned out of the repository today.
Current version of Mac OS X Lion.
Current version of Xcode.
iPhone 4 with iOS 5.0.1

Please provide any additional information below.
The compiling process seemed to be ok, but the iPhone showed the described 
screen and was not accessible by usbmux/ssh. The same thing I had a while ago 
(issue 16) . I tried to downgrade the XCode to the version which worked these 
days, but it now crashes. I think that's because I'm using OS X Lion today. 
Could it be it's a SDK problem again?


Output of the tcprelay after trying to connect per ssh:
Connecting to device <MuxDevice: ID 5 ProdID 0x1297 Serial 
'ffffffffffffffffffffffffffffffffffffffff' Location 0x24110000>
----------------------------------------
Exception happened during processing of request from ('127.0.0.1', 62749)
Traceback (most recent call last):
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/SocketServer.py", line 582, in process_request_thread
    self.finish_request(request, client_address)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/SocketServer.py", line 323, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/SocketServer.py", line 639, in __init__
    self.handle()
  File "usbmuxd-python-client/tcprelay.py", line 82, in handle
    dsock = mux.connect(dev, self.server.rport)
  File "/Users/Steff/Desktop/iphone-ios5/usbmuxd-python-client/usbmux.py", line 235, in connect
    return connector.connect(device, port)
  File "/Users/Steff/Desktop/iphone-ios5/usbmuxd-python-client/usbmux.py", line 206, in connect
    raise MuxError("Connect failed: error %d"%ret)
MuxError: Connect failed: error 3
----------------------------------------

Original issue reported on code.google.com by [email protected] on 4 Jan 2012 at 3:11

questions about building/using these tools

Hello;
Wonderful job on this research.
I would like to request a "1, 2, 3" tutorial for these tools; they look quite 
interesting to experiment with.  The readmes and info files don't have enough 
information for a noob like me.  I've been using Zdziarski's book to start, but 
have too many gaps.
I've been looking for other forums where this could be discussed.
Would love to hear an audio of your talk at hitb (only have the slides).

Thanks in advance,
Jo


Original issue reported on code.google.com by [email protected] on 22 Jun 2011 at 5:52

bruteforce result in a "FAIL: missing UID kernel patch"

What steps will reproduce the problem?
1. Running ./bruteforce

What is the expected output? What do you see instead?
Bruteforcing the keychain. Instead I get the following error:
-sh-4.0# ./bruteforce                     
IOAESAccelerator returned: e00002c1
FAIL: missing UID kernel patch

What version of the product are you using? On what operating system?
iOS Version 4.1 with a RAMdisk of custom ipws of 4.1

I was not able to build the cyanide payload by myself so I executed the RAMdisk 
with:

./tetheredboot -i 4.1.iBSS.n88ap.RELEASE.dfu 
./itnl --kernelcache 4.1.kernelcache.release.n88 --devicetree 
4.1.DeviceTree.n88ap.img3 --ramdisk 4.1.ramdisk.dmg 
[INFO] Waiting for a device in Recovery mode to connect..
[INFO] Ramdisk 4.1.ramdisk.dmg loaded
[INFO] Devicetree 4.1.DeviceTree.n88ap.img3 loaded
[INFO] Kernelcache 4.1.kernelcache.release.n88 loaded

Is it possible to patch the kernel after the ramdisk is uploaded and executed? 
Can you provide a build of the payload?


Original issue reported on code.google.com by [email protected] on 25 Jul 2011 at 3:54

Keychain tool KeyError: 'v_Data' error

What steps will reproduce the problem?
1. python python_scripts/keychain_tool.py -p 
db5dada4418ed906f9ba2c05ab027a55a2602f60/keychain-2.db 
db5dada4418ed906f9ba2c05ab027a55a2602f60/a4b53ec4add2e7c7.plist 


What is the expected output? What do you see instead?

Keybag: SIGN check OK
Keybag unlocked with passcode key
Keychain version : 5
Traceback (most recent call last):
  File "python_scripts/keychain_tool.py", line 72, in <module>
    main()
  File "python_scripts/keychain_tool.py", line 54, in main
    k.save_passwords()
  File "/Users/DragonJAR/Downloads/iphone-dataprotection/python_scripts/keychain/keychain.py", line 91, in save_passwords
    passwords = "\n".join(map(render_password,  self.get_passwords()))
  File "/Users/DragonJAR/Downloads/iphone-dataprotection/python_scripts/keychain/keychain.py", line 55, in get_passwords
    return self.get_items("genp")
  File "/Users/DragonJAR/Downloads/iphone-dataprotection/python_scripts/keychain/keychain.py", line 51, in get_items
    self.items[table] = filter(lambda x:x!={}, map(self.decrypt_item, self.store.get_items(table)))
  File "/Users/DragonJAR/Downloads/iphone-dataprotection/python_scripts/keychain/keychain4.py", line 47, in decrypt_item
    dict["data"] = dict["v_Data"].data
KeyError: 'v_Data'

What version of the product are you using? On what operating system?
Mac OS X Lion over VMWare Fusion 4.1.1
iPhone 4 with iOS 5.0.1

Please provide any additional information below.
With other parameters such as -c or -s, no problem


Original issue reported on code.google.com by [email protected] on 13 Feb 2012 at 12:31

Attachments:

Keychain Viewer does not show items in iOS 5

What steps will reproduce the problem?
1. Install iOS 5 GM seed
2. Jailbreak, install Keychain Viewer
3. Try to view a saved password

What is the expected output? What do you see instead?
Expect decrypted password, get "Error! decryption failed"

What version of the product are you using? On what operating system?
deprecated 0.1 deb package

Please provide any additional information below.

syslog excerpt:
Oct  7 13:44:54 bacon 
UIKitApplication:com.yourcompany.KeychainViewer[0xb1f0][803]: (null)
Oct  7 13:44:55: --- last message repeated 9 times ---
Oct  7 13:44:55 bacon 
UIKitApplication:com.yourcompany.KeychainViewer[0xb1f0][803]: 
IOConnectCallMethod returned e00002bc
Oct  7 13:44:55 bacon 
UIKitApplication:com.yourcompany.KeychainViewer[0xb1f0][803]: 
AppleKeyStore_keyUnwrap = e00002bc

e00002bc is kIOReturnError. It seems that IOKit_call can't find the 
AppleKeyStore service anymore.

I know there have been a few commits since the deb package was built, but I 
didn't see them touch related code, so I'm reporting this anyway. When I get a 
chance I'll build the new version and try it out to see if there's any changed 
behavior.

Original issue reported on code.google.com by [email protected] on 7 Oct 2011 at 11:01

compiling payload on MacOS fails (fix included)

What steps will reproduce the problem?
1. cd cyanide_bootramdisk
2. make

What is the expected output? What do you see instead?

expected: clean make
get: ld error

---
arm-elf-gcc -o payload.elf entry.o main.o  commands.o patch.o  
-Ttext=0x42F00000 -nostdlib -lc -lm -lgcc
/opt/local/lib/gcc/arm-elf/4.6.0/../../../../arm-elf/bin/ld: cannot open linker 
script file text=0x42F00000: No such file or directory
collect2: ld returned 1 exit status
make: *** [payload.elf] Error 1

---

What version of the product are you using? On what operating system?

MacOS Snow Leopard
arm-elf-binutils               @2.21.51.0.9    cross/arm-elf-binutils
arm-elf-gcc                    @4.6.0          cross/arm-elf-gcc

Please provide any additional information below.

fix: change Makefile

--- Makefile-org    2011-05-31 12:19:53.000000000 +0200
+++ Makefile    2011-05-31 12:20:12.000000000 +0200
@@ -6,7 +6,7 @@
 OBJCOPY = $(CROSS)objcopy
 OBJECTS = entry.o main.o  commands.o patch.o 
 CFLAGS = -I./$(SRC)/include -nostdlib -mlittle-endian
-LDFLAGS = -Ttext=$(LOADADDR) -nostdlib -lc -lm -lgcc
+LDFLAGS = -Ttext $(LOADADDR) -nostdlib -lc -lm -lgcc
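Review bot: On the changed LDFLAGS line, `-Ttext $(LOADADDR)` still relies on the arm-elf-gcc driver forwarding the option and its separate argument to ld intact, which is the same driver parsing that turned `-Ttext=0x42F00000` into a linker-script name in the error above. Since the link step runs through arm-elf-gcc, `-Wl,-Ttext,$(LOADADDR)` would hand the address to the linker explicitly and not depend on the driver version. The hunk header also declares seven lines (`-6,7 +6,7`) while only five are shown, so the trailing context is missing and the patch may not apply as pasted.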

This gives:

$ make
arm-elf-gcc -o payload.elf entry.o main.o  commands.o patch.o  -Ttext 
0x42F00000 -nostdlib -lc -lm -lgcc
arm-elf-objcopy -O binary payload.elf payload
xxd -i payload > payload.h



Original issue reported on code.google.com by [email protected] on 6 Jun 2011 at 2:46

Error in keychain.py line 65

python python_scripts/keychain_tool.py -d UDID/keychain-2.db 
UDID/DATAVOLUMEID.plist after successful bruteforce with python 
python_scripts/demo_bruteforce.py gives the following error:

Traceback (most recent call last):
  File "python_scripts/keychain_tool.py", line 51, in <module>
    main()
  File "python_scripts/keychain_tool.py", line 31, in main
    k.print_all(options.sanitize)
  File "/Users/haraldmuller/Downloads/iphone-dataprotection/python_scripts/keychain/keychain.py", line 119, in print_all
    certs, pkeys = self.get_certs()
  File "/Users/haraldmuller/Downloads/iphone-dataprotection/python_scripts/keychain/keychain.py", line 65, in get_certs
    subject = str(cert.get_subject().get_entries_by_nid(M2Crypto.X509.X509_Name.nid['CN'])[0].get_data())
IndexError: list index out of range

Original issue reported on code.google.com by [email protected] on 24 Jan 2012 at 12:40

Bus Error: 10 when trying to boot ramdisk img

What steps will reproduce the problem?
1. trying to boot ramdisk img script
2.
3.

What is the expected output? What do you see instead?
successful loading of myramdisk img so I can ssh, instead I get "Bus error: 10" 
and a crash report from redsn0w.

What version of the product are you using? On what operating system?


Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 24 Nov 2011 at 5:57

emf_decrypter.py doesn’t decrypt image

What steps will reproduce the problem?
1. Do everything described in the README at 
http://code.google.com/p/iphone-dataprotection/wiki/README up to and including 
./dump_data_partition.sh
2. Run
python_scripts/emf_decrypter.py --nowrite UDID/data_DATE.dmg 
(substituting the correct values, of course). 

What is the expected output? What do you see instead?

I had hoped for a decrypted image. Instead I got the following:
Keybag: SIGN check OK
Keybag unlocked with passcode key
Not an EMF image, no root com.apple.system.cprotec xattr
Test mode : the input file will not be modified
Press a key to continue or CTRL-C to abort

Traceback (most recent call last):
  File "python_scripts/emf_decrypter.py", line 24, in <module>
    main()
  File "python_scripts/emf_decrypter.py", line 21, in main
    v.decryptAllFiles()
  File "/Volumes/Voodoo/iphone-dataprotection/python_scripts/hfs/emf.py", line 164, in decryptAllFiles
    self.catalogTree.traverseLeafNodes(callback=self.decryptFile)
  File "/Volumes/Voodoo/iphone-dataprotection/python_scripts/hfs/btree.py", line 142, in traverseLeafNodes
    callback(k,v)
  File "/Volumes/Voodoo/iphone-dataprotection/python_scripts/hfs/emf.py", line 177, in decryptFile
    fk = self.getFileKeyForCprotect(cprotect)
  File "/Volumes/Voodoo/iphone-dataprotection/python_scripts/hfs/emf.py", line 125, in getFileKeyForCprotect
    if self.cp_root.major_version == 2:
AttributeError: 'EMFVolume' object has no attribute 'cp_root'

What version of the product are you using? On what operating system?
hg clone https://code.google.com/p/iphone-dataprotection/ 
on Mac OS X 10.6.8

Original issue reported on code.google.com by [email protected] on 7 Jan 2012 at 7:44

keychain_tool.py using option "-p" fails with UnicodeDecodeError

When trying to output to a .csv file, exceptions are raised such as:

UnicodeDecodeError: 'ascii' codec can't decode byte 0xb1 in position 0: ordinal 
not in range(128)

This looks to be due to the binary passwords in the keychain trying to be 
handled as ASCII inside the render_password function in keychain.py

Attached is a patch for keychain.py that resolved the issue for me (patch 
created with diff)

Original issue reported on code.google.com by [email protected] on 18 Nov 2011 at 4:15

Attachments:
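
One way to render binary keychain values without the ASCII failure described in this report, as an added example (Python 3, not the project's keychain.py and not the attached patch). `render_secret` and `export_csv` are hypothetical names, the sample items are constructed, and the `svce`/`acct`/`data` field names follow the column names visible in tracebacks elsewhere on this page.

```python
import csv
import io


def render_secret(value):
    """Return a text form of a keychain value that is always safe to write out.

    Hypothetical helper: text stays text, bytes that are valid printable UTF-8
    are decoded, and everything else is hex-encoded with a "hex:" prefix so the
    original bytes can be recovered from the export.
    """
    if value is None:
        return ""
    if isinstance(value, str):
        return value
    raw = bytes(value)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        # e.g. a leading 0xb1 byte, as in the error message quoted above
        return "hex:" + raw.hex()
    # Valid UTF-8 can still hold NULs or newlines that break a CSV viewer.
    if not text.isprintable():
        return "hex:" + raw.hex()
    return text


def export_csv(items):
    """Build the CSV text for a list of item dicts (svce, acct, data)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["service", "account", "secret"])
    for item in items:
        writer.writerow([
            render_secret(item.get("svce")),
            render_secret(item.get("acct")),
            render_secret(item.get("data")),
        ])
    # Write the result with open(path, "w", encoding="utf-8", newline="").
    return buf.getvalue()


# Constructed sample items, not taken from any real keychain.
SAMPLE_ITEMS = [
    {"svce": "AirPort", "acct": "HomeWiFi", "data": b"correct horse"},
    {"svce": "com.example.app", "acct": "token", "data": b"\xb1\x07\xfe"},
    {"svce": "com.example.app", "acct": "pin", "data": b"12\x0034"},
    {"svce": "mail", "acct": "user", "data": "p\u00e4ssword".encode("utf-8")},
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ITEMS), end="")
```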

Doesn't work with iPhoneOS4.3.sdk

What steps will reproduce the problem?
1. Install current Xcode with iPhoneOS4.3.sdk included
2. Compile the sources
3. Run the exploit on an iPhone/iPad
4. Try to connect to the iPhone/iPad per SSH.

What is the expected output? What do you see instead?
Instead of some kernel output and an "sshd-running"-information, the iPhone 
shows an Apple-logo and an empty progress bar below.

What version of the product are you using? On what operating system?
Current version, cloned out of the repository yesterday.
Current version of Mac OS X Snow Leopard.
Current version of Xcode .

Please provide any additional information below.
The compiling process seemed to be ok, but the iPhone showed the described 
screen and was not accessible by usbmux/ssh. Downgraded to iPhoneOS4.2.sdk, 
everything went OK.

Original issue reported on code.google.com by [email protected] on 7 Jul 2011 at 7:49

payload does not build, ramdisk not booting

What steps will reproduce the problem?
1. Make payload at Mac OS X 10.6.7
2. Boot from custom recovery ramdisk

What is the expected output? What do you see instead?

Clean make & boot from crd

I am using custom recovery ramdisks for a while since iOS 2 with iRecovery. 
Right now I used a version based on msftguy's crd using:
./tetheredboot -i iBSS.n90ap.RELEASE.dfu
./itnl --kernelcache kernelcache.release.n90 --devicetree DeviceTree.n90ap.img3 
--ramdisk 038-1449-003.dmg.ssh
to boot from crd at iOS 4.3.3 iPhone 4. This one is working. 

Tried to use your crd. I am on a Mac only environment. The binary tetheredboot 
does compile fine on my Mac. 
Running make on cyanide payload did not run before you updated and does not 
right now. I got stuck with:
iMacQuad:cyanide_bootramdisk volksquad$ make
arm-elf-gcc -c entry.S -o entry.o  -I././include -nostdlib -mlittle-endian 
entry.S: Assembler messages:
entry.S:55: Error: bad instruction `push {r0-r12,lr}'
entry.S:57: Error: bad instruction `lsr r5,#24'
entry.S:107: Error: bad instruction `pop {r0-r12,pc}'
make: *** [entry.o] Error 1

Using the "old" payload binary you provide when going for

./tetherboot -p payload -r myramdisk.dmg
I do end up

...
Checking if kernelcache already exists
Fetching kernelcache.release.n90...
[==================================================] 100.0%
Preparing to upload iBSS
Checking if iBSS.n90ap already exists
Preparing to fetch DFU image from Apple's servers
Fetching Firmware/dfu/iBSS.n90ap.RELEASE.dfu...
[==================================================] 100.0%
Uploading iBSS.n90ap to device
[==================================================] 100.0%
Reconnecting to device
Waiting 10 seconds for the device to pop up...
Connection failed. Waiting 1 sec before retry.
...
Unable to reconnect
Exiting libpois0n

What version of the product are you using? On what operating system?
Mac OS X 10.6.7, SDK 4.3

Please provide any additional information below.

Took me a while to get all Python modules in place to run your scripts, Mac 
only, but this is working right now. I used to get the ramdisk tools compile 
kind of ok before the last update. ./bruteforce did work at least running 
manually from Terminal. Don't do now but this is a different story.


Original issue reported on code.google.com by [email protected] on 23 Jun 2011 at 8:59

Tetheredboot does not work with iPhone 4 Verizon

What steps will reproduce the problem?
1. ./tetheredboot -p cyanide_bootramdisk/payload -r myramdisk.dmg

What is the expected output? 

Initializing libpois0n
Waiting for device to enter DFU mode
Device must be in DFU mode to continue
opening device 05ac:1227...
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as iPhone3,1

What do you see instead?

Initializing libpois0n
Waiting for device to enter DFU mode
Device must be in DFU mode to continue
opening device 05ac:1227...
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as UH??AWAVAUATSH??
Sorry device is not compatible with this jailbreak
Your device in incompatible with this exploit!


What version of the product are you using? 
iPhone 4 Verizon

On what operating system?
4.2.7

Please provide any additional information below.
https://github.com/Chronic-Dev/syringe hasn't been updated in awhile and I am 
not sure where else to look.

Original issue reported on code.google.com by [email protected] on 3 Jul 2011 at 4:33

Unable to display the keychain database contents

What steps will reproduce the problem?
1. python python_scripts/keychain_tool.py -d UDID/keychain-2.db 
UDID/DATAVOLUMEID.plist
2.
3.

What is the expected output? What do you see instead?

To display the keychain database contents. 

Instead I see:

Keybag: SIGN check OK
Keybag unlocked with passcode key
Keychain version : 4
------------------------------------------------------------
                    Passwords
------------------------------------------------------------
Traceback (most recent call last):
  File "python_scripts/keychain_tool.py", line 51, in <module>
    main()
  File "python_scripts/keychain_tool.py", line 31, in main
    k.print_all(options.sanitize)
  File "/Users/tristank/Downloads/iphone-dataprotection/python_scripts/keychain/keychain.py", line 106, in print_all
    for p in self.get_passwords():
  File "/Users/tristank/Downloads/iphone-dataprotection/python_scripts/keychain/keychain.py", line 50, in get_passwords
    return map(self.decrypt_item, self.conn.execute("SELECT rowid, data, svce, acct, agrp FROM genp"))
  File "/Users/tristank/Downloads/iphone-dataprotection/python_scripts/keychain/keychain4.py", line 39, in decrypt_item
    version, clas = struct.unpack("<LL", row["data"][0:8])
TypeError: 'NoneType' object is unsubscriptable


What version of the product are you using? On what operating system?
Latest hg clone with Snow Leopard 10.6.8

Please provide any additional information below.
iPhone 4.3.3 GSM

Original issue reported on code.google.com by [email protected] on 20 Dec 2011 at 10:40
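
A defensive version of the header read that fails in this traceback, as an added example (Python 3, not the project's keychain4.py): it runs the same `SELECT` over a constructed in-memory `genp` table and skips rows whose `data` is NULL or shorter than the 8-byte `<LL` header. `parse_item_header`, `scan_genp` and `build_sample_db` are hypothetical names, the rows are constructed, and a NULL `data` column is assumed as one input that produces this `TypeError`.

```python
import sqlite3
import struct

# Same "<LL" layout as in the traceback: little-endian version, then class.
HEADER = struct.Struct("<LL")


def parse_item_header(blob):
    """Return (version, clas), or None when the blob is NULL or too short."""
    if blob is None or len(blob) < HEADER.size:
        return None
    return HEADER.unpack_from(bytes(blob), 0)


def scan_genp(conn):
    """Read every genp row and separate parseable items from unusable ones.

    Returns (parsed, skipped): parsed holds (rowid, version, clas) tuples,
    skipped holds the rowids that would have raised in the original code path.
    """
    conn.row_factory = sqlite3.Row
    parsed, skipped = [], []
    query = "SELECT rowid, data, svce, acct, agrp FROM genp"
    for row in conn.execute(query):
        header = parse_item_header(row["data"])
        if header is None:
            skipped.append(row["rowid"])
            continue
        parsed.append((row["rowid"],) + header)
    return parsed, skipped


def build_sample_db():
    """Constructed in-memory database with one good row and two bad ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE genp (data BLOB, svce TEXT, acct TEXT, agrp TEXT)"
    )
    rows = [
        # valid: 8-byte header (version 2, class 7) plus filler bytes
        (struct.pack("<LL", 2, 7) + b"\x00" * 16, "wifi", "home", "apple"),
        # NULL data column: row["data"] is None
        (None, "mail", "user", "apple"),
        # truncated blob: shorter than the header
        (b"\x01\x00", "vpn", "user", "apple"),
    ]
    conn.executemany("INSERT INTO genp VALUES (?, ?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    parsed, skipped = scan_genp(build_sample_db())
    print("parsed:", parsed)
    print("skipped rowids:", skipped)
```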

compile of ramdisk_tools fails on MacOS (fix included)

What steps will reproduce the problem?
1. cd ramdisk_tools
2. make

What is the expected output? What do you see instead?

expected: clean make

get:

---
ld: framework not found IOMobileFrameBuffer
collect2: ld returned 1 exit status
make: *** [data_partition] Error 1

---


What version of the product are you using? On what operating system?

MacOS 10 Snow Leopard

Please provide any additional information below.

Fix: s/IOMobileFrameBuffer/IOMobileFramebuffer/ in Makefile

---

--- Makefile-org    2011-05-30 15:16:41.000000000 +0200
+++ Makefile    2011-05-30 15:17:06.000000000 +0200
@@ -1,6 +1,6 @@
 CC=/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/arm-apple-darwin10-gcc-4.0.1 
 CFLAGS=-Wall -arch armv6 -isysroot /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.2.sdk/
-CFLAGS_IOKIT=$(CFLAGS) -I/usr/local/include -framework IOKit -framework 
CoreFoundation -framework Security -O3 
-F/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.2.sdk/System/L
ibrary/PrivateFrameworks/ -framework IOMobileFrameBuffer -framework 
CoreGraphics -framework CoreSurface -framework ImageIO
+CFLAGS_IOKIT=$(CFLAGS) -I/usr/local/include -framework IOKit -framework 
CoreFoundation -framework Security -O3 
-F/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.2.sdk/System/L
ibrary/PrivateFrameworks/ -framework IOMobileFramebuffer -framework 
CoreGraphics -framework CoreSurface -framework ImageIO
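Review bot: The changed CFLAGS_IOKIT line keeps the SDK path `iPhoneOS4.2.sdk` hard-coded a second time in `-F`, next to the `-isysroot` in CFLAGS, so the two can drift apart when the SDK changes; a single SDK variable used by both would avoid that. The one-word fix itself (`IOMobileFrameBuffer` to `IOMobileFramebuffer`) is hard to spot because the pasted lines are wrapped, with the path split at `System/L` / `ibrary`, and a wrapped patch will not apply; attaching it as a file would help.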


Original issue reported on code.google.com by [email protected] on 6 Jun 2011 at 2:58

iOS 5 backups are not supported

Great tools!

It seems like the current scripts do not support iOS 5 backups. An iOS 5 backup does 
not contain a Manifest.mbdx file, so backup4.py is not working against it.

Original issue reported on code.google.com by [email protected] on 19 Jan 2012 at 7:48

  • Merged into: #35

-bash hg: command not found

Hello, I am attempting to do the SSH tutorial and everything was going fine but 
when I enter the command "hg clone 
https://code.google.com/p/iphone-dataprotection/" I got the error "-bash hg: 
command not found"

How would I go about fixing this?

Thanks!

Original issue reported on code.google.com by [email protected] on 13 Nov 2011 at 10:01

redsn0w commands in windows causing crashing of cmd prompt

What steps will reproduce the problem?
1. Open the command prompt as an administrative user

2. Aim the directory to my redsnow path, and copy all required files
  to the working folder: myramdisk, kernelcache.release.n90.patched, iphoneipsw file

3. Run the command redsn0w -i path\iphone3,1_5.0_9A334_Restore.ipsw -r 
myramdisk.dmg -k kernelcach.release.n90.patched


What is the expected output? What do you see instead?
the expected output is the iphone4 booting with the ok and progress bar.

the actual result is redsn0w crashing in command prompt.

What version of the product are you using? On what operating system?
using iphone 4 with ios 4.3.3 8j2 

Please provide any additional information below.

these are the results generated in terminal from the VMware OSX 10.6.8

Last login: Fri Jan 20 23:33:18 on console
Snow-Leopard-Users-Mac:~ User$ cd iphone-dataprotection
Snow-Leopard-Users-Mac:iphone-dataprotection User$ make -C img3fs
make: `img3fs' is up to date.
Snow-Leopard-Users-Mac:iphone-dataprotection User$ cp 
redsn0w_mac_0.9.9b8/redsn0w.app/Contents//MacOS/keys.plist .
Snow-Leopard-Users-Mac:iphone-dataprotection User$ python 
python_scripts/kernel_patcher.py 
users/user/downloads/iphone3,1_5.0_9a334_restore.ipsw
Traceback (most recent call last):
  File "python_scripts/kernel_patcher.py", line 175, in <module>
    main(args[0], options)
  File "python_scripts/kernel_patcher.py", line 82, in main
    ipsw = zipfile.ZipFile(ipswname)
  File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/zipfile.py", line 685, in __init__
    self.fp = open(file, modeDict[mode])
IOError: [Errno 2] No such file or directory: 
'users/user/downloads/iphone3,1_5.0_9a334_restore.ipsw'
Snow-Leopard-Users-Mac:iphone-dataprotection User$ python 
python_scripts/kernel_patcher.py 
/users/user/downloads/iphone3,1_5.0_9a334_restore.ipsw
Decrypting kernelcache.release.n90
Unpacking ...
Doing CSED patch
Doing getxattr system patch
Doing _PE_i_can_has_debugger patch
Doing IOAESAccelerator enable UID patch
Doing AMFI patch
Patched kernel written to kernelcache.release.n90.patched
Created script make_ramdisk_n90ap.sh, you can use it to (re)build the ramdisk
Snow-Leopard-Users-Mac:iphone-dataprotection User$ sh ./make_ramdisk_n90ap.sh
Found iOS SDK 4.3
make: Nothing to be done for `all'.
Archive:  /users/user/downloads/iphone3,1_5.0_9a334_restore.ipsw
  inflating: 018-7923-347.dmg        
TAG: TYPE OFFSET 14 data_length:4
TAG: DATA OFFSET 34 data_length:104b000
TAG: SEPO OFFSET 104b040 data_length:4
TAG: KBAG OFFSET 104b05c data_length:38
KBAG cryptState=1 aesType=100
TAG: KBAG OFFSET 104b0a8 data_length:38
TAG: SHSH OFFSET 104b10c data_length:80
TAG: CERT OFFSET 104b198 data_length:794
Decrypting DATA section
Decrypted data seems OK : ramdisk
/dev/disk3                                              /Volumes/ramdisk
"disk3" unmounted.
"disk3" ejected.
myramdisk.dmg created
You can boot the ramdisk using the following command (fix paths)
redsn0w -i /users/user/downloads/iphone3,1_5.0_9a334_restore.ipsw -r 
myramdisk.dmg -k kernelcache.release.n90.patched
Snow-Leopard-Users-Mac:iphone-dataprotection User$ 


Original issue reported on code.google.com by [email protected] on 21 Jan 2012 at 8:45

kernel_patcher.py not working

What steps will reproduce the problem?
0.5. A novice in scripts and coding.
1. python python_scripts/kernel_patcher.py iPhone3,1_5.0_9A334_Restore.ipsw

What do you see instead?
Traceback (most recent call last):
  File "python_scripts/kernel_patcher.py", line 8, in <module>
    from Crypto.Cipher import AES
ImportError: No module named Crypto.Cipher

What version of the product are you using? On what operating system?
VMWare Mac OS Lion with Xcode installed

Please help, I've been viewing your video and read me file trying to follow it. 
 Many thanks.

Original issue reported on code.google.com by [email protected] on 22 Jan 2012 at 9:09

  • Merged into: #42

Issues after starting a RAMdisk on a device with iOS 4.3.4

Since iOS 4.3.4 my iPhone 4 boots in Recovery Mode after a RAMdisk was started 
on the device. With iOS <= 4.3.3 everything works fine (device boots into 
normal mode).

What steps will reproduce the problem?
1. Install iOS 4.3.4
2. Build RAMdisk with SSH (build_ramdisk.sh)
3. Boot RAMdisk (using tetheredboot)
4. Reboot device (using SSH and "kill 1")

What is the expected output? What do you see instead?
iPhone should boot into normal mode.
iPhone boots into recovery mode

What version of the product are you using? On what operating system?
iDevice: iPhone 4, Model MC603DN, 16 GB, iOS 4.3.4 (8K2)
RAMdisk: 4.2.1 (), 4.3.3 (), 4.3.4 ()
OS:      Mac OS X (Build RAMdisk) / Windows Vista 32bit (Run tetheredboot)

Please provide any additional information below.
With iOS <=4.3.3 a restart boots the device into normal mode. Anyone with 
similar issues?

Original issue reported on code.google.com by [email protected] on 22 Jul 2011 at 8:44

tetheredboot loses connection after "Uploading iBSS.n90ap"

What steps will reproduce the problem?
1. ./tetheredboot -p payload -r myramdisk.dmg 
2. putting iPhone to DFU mode


What is the expected output? What do you see instead?

Expected: successful jailbreak

I get:
-----
Initializing libpois0n
No matching processes belonging to you were found
Waiting for device to enter DFU mode
Device must be in DFU mode to continue
Device must be in DFU mode to continue
Device must be in DFU mode to continue
opening device 05ac:1227...
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as iPhone3,1
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
libusb:error [darwin_transfer_status] transfer error: timed out
Exploit sent
Reconnecting to device
Waiting 2 seconds for the device to pop up...
opening device 05ac:1227...
Checking if kernelcache already exists
Preparing to upload iBSS
Checking if iBSS.n90ap already exists
Uploading iBSS.n90ap to device
[==================================================] 100.0%
libusb:error [darwin_reset_device] ResetDevice: device not responding
Reconnecting to device
libusb:error [darwin_close] USBDeviceClose: no connection to an IOService
Waiting 10 seconds for the device to pop up...
Connection failed. Waiting 1 sec before retry.
Connection failed. Waiting 1 sec before retry.
...
Unable to reconnect
Exiting libpois0n
------


What version of the product are you using? On what operating system?

iPhone 4, iOS 4.3.3 (reset to factory settings, no jailbreak, code lock 
activated)
current (from hg checkout)
Mac OS 10 (Snow Leopard)



Please provide any additional information below.

I tried the supplied payload as well as one generated on my system.

Original issue reported on code.google.com by [email protected] on 31 May 2011 at 10:58

Error build ramdisk tools

I followed all steps and ramdisk tools fail to build and all process won't work.
See logs below.

/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/arm-apple-darwin10-llvm
-gcc-4.2 -Wall -isysroot 
/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.0.sdk/ 
-framework IOKit -framework CoreFoundation -framework Security -O3 -I. -o 
device_infos device_infos.c device_info.c IOAESAccelerator.c 
AppleEffaceableStorage.c AppleKeyStore.c bsdcrypto/pbkdf2.c bsdcrypto/sha1.c 
bsdcrypto/key_wrap.c bsdcrypto/rijndael.c util.c IOKit.c registry.c
device_infos.c: In function ‘main’:
device_infos.c:9: warning: initialization discards qualifiers from pointer 
target type
AppleEffaceableStorage.c:50:25: warning: multi-character character constant
bsdcrypto/pbkdf2.c: In function ‘pkcs5_pbkdf2’:
bsdcrypto/pbkdf2.c:102: warning: pointer targets in passing argument 3 of 
‘hmac_sha1’ differ in signedness
bsdcrypto/pbkdf2.c:106: warning: pointer targets in passing argument 3 of 
‘hmac_sha1’ differ in signedness
bsdcrypto/key_wrap.c: In function ‘aes_key_wrap’:
bsdcrypto/key_wrap.c:71: warning: pointer targets in passing argument 2 of 
‘rijndael_encrypt’ differ in signedness
bsdcrypto/key_wrap.c:71: warning: pointer targets in passing argument 3 of 
‘rijndael_encrypt’ differ in signedness
bsdcrypto/key_wrap.c: In function ‘aes_key_unwrap’:
bsdcrypto/key_wrap.c:106: warning: pointer targets in passing argument 2 of 
‘rijndael_decrypt’ differ in signedness
bsdcrypto/key_wrap.c:106: warning: pointer targets in passing argument 3 of 
‘rijndael_decrypt’ differ in signedness
ld: warning: -force_cpusubtype_ALL will become unsupported for ARM architectures
ldid -S device_infos
util/ldid.cpp(578): _assert(2:false)
util/ldid.cpp(583): _assert(0:WIFEXITED(status))
make: *** [device_infos] Trace/BPT trap: 5
make: *** Deleting file `device_infos'

Original issue reported on code.google.com by [email protected] on 4 Jan 2012 at 4:05

Add iOS < 4 support in Keychain Viewer

Keychain Viewer only supports iOS 4.x keychain format : add support for the old 
keychain format (items encrypted with key 0x835).
Is the keychain migrated to the new format when upgrading from 3.x to 4.x ?
Also, compile keychain viewer with iOS 3 SDK to support old firmwares ?

Original issue reported on code.google.com by [email protected] on 3 Jul 2011 at 9:44

Keychain Viewer crashes when selecting the Keys section

Crash reported via email :

OS Version:      iPhone OS 4.3.2 (8H7)
Report Version:  104

Exception Type:  EXC_CRASH (SIGABRT)
Exception Codes: 0x00000000, 0x00000000
Crashed Thread:  0

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libsystem_kernel.dylib          0x36dd1a1c 0x36dc0000 + 72220
1   libsystem_c.dylib               0x34adb3b4 0x34aa8000 + 209844
2   libsystem_c.dylib               0x34ad3bf8 0x34aa8000 + 179192
3   libstdc++.6.dylib               0x370cea64 0x3708a000 + 281188
4   libobjc.A.dylib                 0x347fa06c 0x347f4000 + 24684
5   libstdc++.6.dylib               0x370cce36 0x3708a000 + 273974
6   libstdc++.6.dylib               0x370cce8a 0x3708a000 + 274058
7   libstdc++.6.dylib               0x370ccf5a 0x3708a000 + 274266
8   libobjc.A.dylib                 0x347f8c84 0x347f4000 + 19588
9   CoreFoundation                  0x3109b1b8 0x30ff9000 + 663992
10  CoreFoundation                  0x3109a642 0x30ff9000 + 661058
11  CoreFoundation                  0x31011178 0x30ff9000 + 98680
12  UIKit                           0x36619044 0x3656b000 + 712772
13  KeychainViewer                  0x00008430 0x1000 + 29744
14  UIKit                           0x365cc9e6 0x3656b000 + 399846
15  UIKit                           0x365cc764 0x3656b000 + 399204
16  UIKit                           0x365c50c6 0x3656b000 + 368838
17  UIKit                           0x365c4276 0x3656b000 + 365174
18  UIKit                           0x365705f4 0x3656b000 + 22004
19  CoreFoundation                  0x31004efc 0x30ff9000 + 48892
20  QuartzCore                      0x33c84bae 0x33c82000 + 11182
21  QuartzCore                      0x33c84966 0x33c82000 + 10598
22  QuartzCore                      0x33c8a1be 0x33c82000 + 33214
23  QuartzCore                      0x33c89fd0 0x33c82000 + 32720
24  QuartzCore                      0x33c8304e 0x33c82000 + 4174
25  CoreFoundation                  0x3106ea2e 0x30ff9000 + 481838
26  CoreFoundation                  0x3107045e 0x30ff9000 + 488542
27  CoreFoundation                  0x31071754 0x30ff9000 + 493396
28  CoreFoundation                  0x31001ebc 0x30ff9000 + 36540
29  CoreFoundation                  0x31001dc4 0x30ff9000 + 36292
30  GraphicsServices                0x36243418 0x3623f000 + 17432
31  GraphicsServices                0x362434c4 0x3623f000 + 17604
32  UIKit                           0x36599d62 0x3656b000 + 191842
33  UIKit                           0x36597800 0x3656b000 + 182272
34  KeychainViewer                  0x00002ebc 0x1000 + 7868
35  KeychainViewer                  0x00002e30 0x1000 + 7728

Original issue reported on code.google.com by [email protected] on 4 Jul 2011 at 8:59

Ramdisk method to backup Iphone 4 data, Error, GetMasterBlock: Error 16 opening /dev/md0

What steps will reproduce the problem?
1. After using the putty program to get access to iphone files
2. Error seen in this log http://pastie.org/2619662
3. GetMasterBlock: Error 16 opening /dev/md0 (when trying to do the / mount 
command)


Iphone 4
4.3.2
Windows xp

I can't save the data because it won't let me mount the drive. Any help would 
be appreciated asap.


Original issue reported on code.google.com by [email protected] on 1 Oct 2011 at 12:22

No keys found for kernel

What steps will reproduce the problem?
1. Copying Keys.plist from redsn0w
2. Applying python scripts kernel_patcher.py to the iOS IPSW
3. Result = "No keys found for kernel"
I've tried using redsn0w_mac_0.9.9b8 and redsn0w_mac_0.9.10b4 on 
iPhone4,1_5.0_9A334_Restore.ipsw, iPhone4,1_5.0.1_9A405_Restore.ipsw and 
iPhone4,1_5.0.1_9A406_Restore.ipsw.  I got the same result from all of their 
combinations.

I'm helping my friend to recover pics in an iPhone and now being blocked by 
this issue.  Please kindly help.

Original issue reported on code.google.com by [email protected] on 28 Jan 2012 at 8:24

emf_decrypter segmentation fault

What steps will reproduce the problem?
1. ./emf_decrypter iphone_image.dmg


What is the expected output? What do you see instead?
The decryption process without errors.

SidMac:emf sid$ ./emf_decrypter ../../iphonebackup.img 
WARNING ! This tool will modify the hfs image and possibly wreck it if 
something goes wrong !
Make sure to backup the image before proceeding
Press a key to continue or CTRL-C to abort

Volume identifier : fe2ae574d6dd94a7
Searching for ../../fe2ae574d6dd94a7.plist
Data partition offset = 1ce04
Reading class keys, NSProtectionComplete files should be decrypted OK
Decrypting lock
Segmentation fault

What version of the product are you using? On what operating system?
The latest svn at this moment.


Original issue reported on code.google.com by [email protected] on 11 Oct 2011 at 8:06

  • Merged into: #15

keychainviewer broken with iOS 5

What steps will reproduce the problem?
1. install keychainviewer
2. start it
3. enter one of the categories like "Generic Passwords"

What is the expected output? What do you see instead?

expected: keychain entries
actually: empty rows

What version of the product are you using? On what operating system?

keychainviewer0.2.deb, Oct. 14th
iOS 5.0.1 on iphone 4


Please provide any additional information below.

Note: Everything worked ok on iOS 4
Reinstalled after upgrade and Jailbreak

Original issue reported on code.google.com by [email protected] on 24 Jan 2012 at 4:50

KeychainViewer crashes when selecting Generic Passwords

What steps will reproduce the problem?
1. Start Keychain Viewer
2. Select Generic Password
3. App crashes

What is the expected output? What do you see instead?

I expect to see my stored Generic Passwords. Instead the app crashes.

What version of the product are you using? On what operating system?

iPhone 3GS running iOS 4.3, jailbroken.


Original issue reported on code.google.com by [email protected] on 26 May 2011 at 11:28

ramdiskclient.py getDeviceInfo ERROR

Hi, I want to run your demo python scripts. Do you know this error?

What steps will reproduce the problem?
1. Boot RAM Disk
2. Run demo_bruteforce.py

What is the expected output? What do you see instead?

./python demo_bruteforce.py 
Connect
None
Device udid : 
Traceback (most recent call last):
  File "demo_bruteforce.py", line 62, in <module>
    bf_system()
  File "demo_bruteforce.py", line 20, in bf_system
    di = client.getDeviceInfos()    
  File "/DataProtection/python_scripts/util/ramdiskclient.py", line 38, in getDeviceInfos
    print "Device udid : ", self.device_infos.get("udid")
AttributeError: 'NoneType' object has no attribute 'get'


What version of the product are you using? On what operating system?
Python 2.7.1

I don't think it is an iOS problem but I use an iPhone 4.1

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 2 Sep 2011 at 9:58

Keychain Viewer: Protection class not visible

What steps will reproduce the problem?
1. open any entry in Keychain Viewer
2. look at Protection class


What is the expected output? What do you see instead?

expected: see which Protection class applies - i.e. "Always", "WhenUnlocked"
get: kSecAttrAcces...


What version of the product are you using? On what operating system?

current

Please provide any additional information below.

Fix: strip the unnecessary "kSecAttrAccessible" and display only the suffix 
"Always", "AfterFirstUnlock" or "WhenUnlocked"


Original issue reported on code.google.com by [email protected] on 8 Jun 2011 at 9:30

demo_bruteforce.py connection refused

What steps will reproduce the problem?
1. sudo python ./demo_bruteforce.py

What is the expected output? What do you see instead?
 - script running
 - the following output 

Traceback (most recent call last):
  File "./demo_bruteforce.py", line 62, in <module>
    bf_system()
  File "./demo_bruteforce.py", line 19, in bf_system
    client = RamdiskToolClient()
  File "/Users/sid/Desktop/IphoneDataProtection/python_scripts/util/ramdiskclient.py", line 29, in __init__
    self.connect()
  File "/Users/sid/Desktop/IphoneDataProtection/python_scripts/util/ramdiskclient.py", line 33, in connect
    self.s.connect((self.host, self.port))
  File "<string>", line 1, in connect
socket.error: [Errno 61] Connection refused

What version of the product are you using? On what operating system?
 - the latest at the moment of writing : fc60e7b35bb2 
 - on Mac OS X 10.6.7

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 9 Oct 2011 at 6:20

making -C img3fs/ command is not working for me.

What steps will reproduce the problem?
1. I followed the instructions on the readme file.
 http://code.google.com/p/iphone-dataprotection/wiki/README

2. Everything was going fine till I got to the part where I typed        making 
-C img3fs/
I received an error message of          -bash: make: command not found


3. I'm a total newbie and can only follow simple instructions. Please explain 
it to me like I'm 5 years old.

Thank You


Original issue reported on code.google.com by [email protected] on 21 Jan 2012 at 4:57

It reboots with apple instead of pineapple

What steps will reproduce the problem?
1. with phone off and plugged into my mac, I typed in the following

./redsn0w_mac_0.9.9b8/redsn0w.app/Contents/MacOS/redsn0w -i 
iphone3,3_5.0_9a334_restore.ipsw -r myramdisk.dmg -k 
kernelcache.release.n92.patched

2. I followed the onscreen instructions given by redsnow for putting the iphone 
in dfu mode. It seems to be going fine till it says "waiting for reboot"

3. The Issue. It reboots like normal and I get an apple instead of what I think 
should be a pineapple. I've tried it multiple times with the same results. 

Does it have to do with the iOS I'm using? I'm using the 5.0. As you know there 
is 5.0.1 but I couldn't make a ramdisk using it.





Original issue reported on code.google.com by [email protected] on 22 Jan 2012 at 8:21

ImportError: No module named Crypto.Cipher

I've been following the instructions step by step
https://code.google.com/p/iphone-dataprotection/wiki/README

1. So now I'm stuck at this point.  This is what I typed

     python python_scripts/kernel_patcher.py iPhone3,3_5.0_9A334_Restore.ipsw

2. And this is the message I got back. 

Traceback (most recent call last):
  File "python_scripts/kernel_patcher.py", line 8, in <module>
    from Crypto.Cipher import AES
ImportError: No module named Crypto.Cipher

* Disclaimer, I'm a total newbie and can only follow simple instructions


Original issue reported on code.google.com by [email protected] on 22 Jan 2012 at 4:51

Support for older devices

Add support for older devices : iPhone 2G/3G, etc
Older devices do not support encryption, so bruteforce is only required for 
keychain access (for devices running iOS 4). dd images of the data partition 
should be readable directly.
Todo: add ARMv6 kernel patches, test ramdisk.

Original issue reported on code.google.com by [email protected] on 4 Feb 2012 at 10:14

iPhone 4 CDMA: kernel patches not applying

What steps will reproduce the problem?

1. Boot iPhone 4, CDMA model, to ramdisk, and ssh to it.
2. Try running data_partition or bruteforce tools.


What is the expected output? What do you see instead?

Expected: tools to complete normally

Actual: data_partition does not return DKey or EMF Key, bruteforce fails to run 
with:

IOAESAccelerator returned: e00002c2
FAIL: missing UID kernel patch


What version of the product are you using? On what operating system?

iPhone 4, CDMA (Verizon), iOS 4.2.10


Please provide any additional information below.

I pulled open the kernelcache from an IOS 4.2.10 IPSW, and loaded it into a hex 
editor. I was able to manually apply the UID and CSED patches, but I was unable 
to locate and apply the AMFI patch. Another patch must exist, as there are 
jailbreaks for the CDMA iPhone 4, but I haven't been able to locate it yet. In 
the meantime, does anyone have any insight here?

Original issue reported on code.google.com by [email protected] on 12 Oct 2011 at 9:15

HFSExplorer fails to decrypt files when not connected to the internet

The modified HFSExplorer loads encryption keys from an xml plist file generated 
by the ramdisk tools. The java XML parser wants to validate the plist dtd, and 
tries to download the file http://www.apple.com/DTDs/PropertyList-1.0.dtd.
When not connected to the internet, this will fail, the keys won't be loaded and 
the files won't be decrypted. This is annoying. I've tried a bunch of methods to 
disable dtd validation but my java-fu is weak.

workaround : download the dtd in the same folder as the plist file, and edit 
the dtd declaration in the plist file (remove http://www.apple.com/DTDs/).

Original issue reported on code.google.com by [email protected] on 22 Jun 2011 at 10:11
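
One way to stop a Java DOM parser from fetching the plist DTD, as an added example that is not HFSExplorer's own code. It assumes the JDK's built-in Xerces-based parser; the class name, key names and values are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class OfflinePlistKeys {

    // Constructed sample: the usual plist DOCTYPE line, with made-up key names and values.
    static final String SAMPLE_PLIST =
          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" "
        + "\"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n"
        + "<plist version=\"1.0\"><dict>\n"
        + "  <key>EXAMPLE_KEY_A</key><string>00112233445566778899aabbccddeeff</string>\n"
        + "  <key>EXAMPLE_KEY_B</key><string>ffeeddccbbaa99887766554433221100</string>\n"
        + "  <key>EXAMPLE_FLAG</key><true/>\n"
        + "</dict></plist>\n";

    // Builds a parser that never touches the network for DTDs or external entities.
    static DocumentBuilder offlineBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setValidating(false);
        f.setExpandEntityReferences(false);
        // Xerces feature: do not load the external DTD named in the DOCTYPE.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Standard SAX features: do not resolve external general or parameter entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        DocumentBuilder b = f.newDocumentBuilder();
        // Second line of defence: any external identifier resolves to an empty document.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b;
    }

    // Returns the <key>/<string> pairs of the top-level <dict>; other value types are skipped.
    static Map<String, String> readStringEntries(String xml) throws Exception {
        Document doc = offlineBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList dicts = doc.getDocumentElement().getElementsByTagName("dict");
        if (dicts.getLength() == 0) {
            throw new IllegalArgumentException("plist has no <dict> element");
        }
        Map<String, String> out = new LinkedHashMap<>();
        String pendingKey = null;
        for (Node n = dicts.item(0).getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() != Node.ELEMENT_NODE) {
                continue; // whitespace between elements
            }
            if ("key".equals(n.getNodeName())) {
                pendingKey = n.getTextContent();
            } else if (pendingKey != null) {
                if ("string".equals(n.getNodeName())) {
                    out.put(pendingKey, n.getTextContent().trim());
                }
                pendingKey = null; // the value belonging to this key has been consumed
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Runs with the network unplugged: the DOCTYPE is read but never dereferenced.
        for (Map.Entry<String, String> e : readStringEntries(SAMPLE_PLIST).entrySet()) {
            System.out.println(e.getKey() + " -> " + e.getValue().length() + " hex chars");
        }
    }
}
```

Disabling external DTD and entity loading also means a plist that arrives with a hostile DOCTYPE cannot make the parser read local files or contact a remote host.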

emf_decrypter fails to decrypt entire raw image

What steps will reproduce the problem?
1. create dd image of phone
2. generate device keys and store in same folder as dd image
3. ./emf_decrypter dd_image

What is the expected output? 
Not Sure.

What do you see instead?

Decrypting VolcanicPercolatorDaySpa.resrc
Decrypting VolcanicPercolatorDaySpa.scene
Decrypting main_l.png
Decrypting main_r.png
Decrypting miniPipeBg.png
Decrypting mixer.png
Decrypting pipe.png
Decrypting prettyFlower.png
Decrypting weed.png
Decrypting WaterLock.level
Decrypting WaterLock.resrc
Decrypting WaterLock.scene
Decrypting fakewater.png
Decrypting main.png
Decrypting mombb.png
Decrypting pipe.png
Decrypting WeatherVane.level
Decrypting WeatherVane.resrc
Decrypting WeatherVane.scene
Decrypting bg.png
Decrypting main.png
Decrypting vaneMain.png
BTree inconsistent!


What version of the product are you using? 
latest svn

On what operating system?
OSX 10.6.7

Please provide any additional information below.

emf_decrypter decrypted roughly 1000 files then halted with error 
"BTree inconsistent!"

Original issue reported on code.google.com by [email protected] on 5 Jul 2011 at 2:23

Emf_decrypter in Windows

Good morning.
1 - How to generate the device keys?
2 - Emf_decrypter how to use windows and associate the device keys?
cordially

Original issue reported on code.google.com by [email protected] on 16 Jul 2011 at 2:44

ldid error util/ldid.cpp(578): _assert(2:false)

What steps will reproduce the problem?
1.  sh make_ramdisk_n88ap.sh 

What is the expected output? What do you see instead?

Found iOS SDK 4.3
/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/arm-apple-darwin10-gcc-
4.0.1 
/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/arm-apple-darwin10-gcc-
4.2.1 
/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/arm-apple-darwin10-llvm
-gcc-4.2 -Wall -isysroot 
/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.3.sdk/ 
-framework IOKit -framework CoreFoundation -framework Security -O3 -I. -o 
device_infos device_infos.c device_info.c IOAESAccelerator.c 
AppleEffaceableStorage.c AppleKeyStore.c bsdcrypto/pbkdf2.c bsdcrypto/sha1.c 
bsdcrypto/key_wrap.c bsdcrypto/rijndael.c util.c IOKit.c registry.c
device_infos.c: In function ‘main’:
device_infos.c:9: warning: initialization discards qualifiers from pointer 
target type
AppleEffaceableStorage.c:50:25: warning: multi-character character constant
bsdcrypto/pbkdf2.c: In function ‘pkcs5_pbkdf2’:
bsdcrypto/pbkdf2.c:102: warning: pointer targets in passing argument 3 of 
‘hmac_sha1’ differ in signedness
bsdcrypto/pbkdf2.c:106: warning: pointer targets in passing argument 3 of 
‘hmac_sha1’ differ in signedness
bsdcrypto/key_wrap.c: In function ‘aes_key_wrap’:
bsdcrypto/key_wrap.c:71: warning: pointer targets in passing argument 2 of 
‘rijndael_encrypt’ differ in signedness
bsdcrypto/key_wrap.c:71: warning: pointer targets in passing argument 3 of 
‘rijndael_encrypt’ differ in signedness
bsdcrypto/key_wrap.c: In function ‘aes_key_unwrap’:
bsdcrypto/key_wrap.c:106: warning: pointer targets in passing argument 2 of 
‘rijndael_decrypt’ differ in signedness
bsdcrypto/key_wrap.c:106: warning: pointer targets in passing argument 3 of 
‘rijndael_decrypt’ differ in signedness
ld: warning: -force_cpusubtype_ALL will become unsupported for ARM architectures
ld: warning: ignoring file 
/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/arm-apple-darwin10-gcc-
4.2.1, file was built for unsupported file format which is not the architecture 
being linked (arm)
ld: warning: ignoring file 
/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/arm-apple-darwin10-llvm
-gcc-4.2, file was built for unsupported file format which is not the 
architecture being linked (arm)
ldid -S device_infos
util/ldid.cpp(578): _assert(2:false)
util/ldid.cpp(583): _assert(0:WIFEXITED(status))
make: *** [device_infos] Trace/BPT trap: 5
make: *** Deleting file `device_infos'
Archive:  
/Users/nilsschmitt/iphone-dataprotection2/iPhone2,1_5.0_9A334_Restore.ipsw
  inflating: 018-7919-343.dmg        
TAG: TYPE OFFSET 14 data_length:4
TAG: DATA OFFSET 34 data_length:1039000
TAG: SEPO OFFSET 1039040 data_length:4
TAG: KBAG OFFSET 103905c data_length:38
KBAG cryptState=1 aesType=100
TAG: KBAG OFFSET 10390a8 data_length:38
TAG: SHSH OFFSET 103910c data_length:80
TAG: CERT OFFSET 1039198 data_length:79e
Decrypting DATA section
Decrypted data seems OK : ramdisk
/dev/disk1                                              /Volumes/ramdisk
cp: ramdisk_tools/restored_external: No such file or directory
You can boot the ramdisk using the following command (fix paths)
redsn0w -i 
/Users/nilsschmitt/iphone-dataprotection2/iPhone2,1_5.0_9A334_Restore.ipsw -r 
myramdisk.dmg -k kernelcache.release.n88.patched


What version of the product are you using? On what operating system?

I installed SDK 4.3 instead of SDK 5.0 to get arm-apple-darwin10-gcc-4.0.1 
(this file does not exist in the xCode 4.2 Developer Folder)

OSX 10.7.2


Please provide any additional information below.

This is what I get with SDK 5: 
(there is no arm-apple-darwin10-gcc-4.0.1 in this folder)


make_ramdisk_n88ap.sh
Found iOS SDK 5.0
/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/arm-apple-darwin10-gcc-
4.0.1 -Wall -isysroot 
/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.0.sdk/ 
-framework IOKit -framework CoreFoundation -framework Security -O3 -I. -o 
device_infos device_infos.c device_info.c IOAESAccelerator.c 
AppleEffaceableStorage.c AppleKeyStore.c bsdcrypto/pbkdf2.c bsdcrypto/sha1.c 
bsdcrypto/key_wrap.c bsdcrypto/rijndael.c util.c IOKit.c registry.c
make: 
/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/arm-apple-darwin10-gcc-
4.0.1: No such file or directory
make: device_infos? Error 1
Archive: 
/Users/user/iphone-dataprotection/iPhone2,1_5.0_9A334_Restore.ipsw

inflating: 018-7919-343.dmg
TAG: TYPE OFFSET 14 data_length:4
TAG: DATA OFFSET 34 data_length:1039000
TAG: SEPO OFFSET 1039040 data_length:4
TAG: KBAG OFFSET 103905c data_length:38
KBAG cryptState=1 aesType=100
TAG: KBAG OFFSET 10390a8 data_length:38
TAG: SHSH OFFSET 103910c data_length:80
TAG: CERT OFFSET 1039198 data_length:79e
Decrypting DATA section
Decrypted data seems OK : ramdisk
mount_fusefs: mount point /private/tmp/img3 is itself on a MacFUSE volume
/dev/disk1 /Volumes/ramdisk
cp: ramdisk_tools/restored_external: No such file or directory
You can boot the ramdisk using the following command (fix paths)

Original issue reported on code.google.com by [email protected] on 29 Nov 2011 at 8:52

Can this be used to SSH ramdisk recovery?

Hi, can anyone please help me?
So far I have created a custom ipsw with pwnagetool. Then I have created an ssh 
ramdisk. I uploaded ibss via tethredboot. Then when I upload the kernel cache and 
ssh ramdisk via itunnel it just says waiting for device. I personally think the 
problem is with itunnel. I am no newb in iOS jailbreaking; I have been around 
since the 1.x days, and I have also performed this ssh ramdisk method countless 
times. But with iOS 5 that is different. Any help would be greatly appreciated! 
Thanks

Original issue reported on code.google.com by [email protected] on 31 Dec 2011 at 8:18

Fix iTunes backups support and unify keychain code

The scripts for decrypting iTunes backups won't work with iOS 5 because they use 
the mdbx index file that is no longer created by iTunes.

iOS 5 keychain backup format is also slightly different (same as the on-device 
sqlite changes). Try to unify the keychain code for sqlite and backup formats 
(plist).

Original issue reported on code.google.com by [email protected] on 2 Jan 2012 at 5:17

Tuto

Hello. Is there a tutorial complete with your tools on how OSX and / or windows 
get the contents of a bitwise Iphone 4 and then carving do to find the videos?
cordially

Original issue reported on code.google.com by [email protected] on 17 Jul 2011 at 8:32

Cannot build ramdisk_tools

What steps will reproduce the problem?
1. cd IphoneDataProtection
2. make -C ramdisk_tools

What is the expected output? What do you see instead?
 - ramdisk_tools beginning to build
 - output is attached



What version of the product are you using? On what operating system?
 - the latest at the moment of writing : fc60e7b35bb2
 - Mac OS X Snow Leopard 10.6.7

Please provide any additional information below.
- Previously successfully built emf_decrypter and hfsplus on the same machine, 
hence the need to get the plist with ramdisk_tools


Original issue reported on code.google.com by [email protected] on 9 Oct 2011 at 6:16

Bus Error: 10 when trying to boot ramdisk img

What steps will reproduce the problem?
1. trying to boot ramdisk img script
2.
3.

What is the expected output? What do you see instead?
successful loading of myramdisk img so i can ssh, instead i get "Bus error: 10" 
and a crash report from redsn0w.

What version of the product are you using? On what operating system?


Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 24 Nov 2011 at 5:57

  • Merged into: #30

Unallocated Space

This isn't really an issue with the software, just a question/observation I 
have. I could not find a suitable method for posting this question to you.

How can an unallocated disk sector be decrypted correctly if the data is 
encrypted with a filekey? If the data is unallocated then there can be no 
resource fork for the data, if this is the case how is it possible to decrypt 
the unallocated data?

Original issue reported on code.google.com by [email protected] on 30 May 2011 at 9:24

Crashes in python keychain script

What steps will reproduce the problem?
1. start demo_bruteforce.py

What is the expected output? What do you see instead?

Crashes on a couple of NULL errors:

----
  File "keychain/keychain4.py", line 37, in decrypt_data
    if len(blob) < 48:
TypeError: object of type 'NoneType' has no len()
----

  File "keychain/keychain.py", line 97, in sanitize
    if pw.startswith("bplist"):
AttributeError: 'NoneType' object has no attribute 'startswith'
----


What version of the product are you using? On what operating system?

current

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 15 Jun 2011 at 2:04

Support for A5+ devices (iPhone 4S, iPad 2, iPhone 5, ...)

Until a bootROM/bootloader-level exploit is found for those devices, it is 
impossible to boot a custom ramdisk.
However, for devices jailbroken with Absinthe and ssh access, it should be 
possible to use the tools, provided that the "IOAESAccelerator enable UID" 
kernel patch is applied.

Original issue reported on code.google.com by [email protected] on 4 Feb 2012 at 10:20

Error when running ./bruteforce and ./data_partition

What steps will reproduce the problem?
1. ./bruteforce on an iPad1 running 4.3.1
2.
3.

What is the expected output? What do you see instead?

When running ./bruteforce on an iPad running 4.3.1 I get the following error.

CoreFoundation: failed to dynamically link symbol _CFSocketStreamCreatePair
CoreFoundation: failed to dynamically link symbol _CFErrorCreateWithStreamError
CoreFoundation: failed to dynamically link symbol _CFStreamErrorFromCFError

The passcode does go on to be cracked: the passcode key and the 0x835 key get 
printed to the screen. Once the passcode is found I get the same three errors 
printed to the console.

I also get the same three errors when using the ./data_partition command.

What version of the product are you using? On what operating system?

OSX 10.6.7, tools compiled using iOS4.2 SDK.

Please provide any additional information below.

When compiling the ramdisk_tools I got a lot of errors relating to IOKit and 
IOKit\IOKitLib.h to overcome this I had to copy the IOKit.Framework from the 
iOS Simulator PrivateFramework folder into the iOSPlatform. Trying to compile 
with this configuration gets me errors about IOKit being compiled for the wrong 
framework, to resolve this error I copied the IOKit binary from the 
/System/Library/IOKit.Framework folder into the IOKit.Framework folder on my 
Mac and the code correctly compiled.


Original issue reported on code.google.com by [email protected] on 27 May 2011 at 6:31
