Has anyone had any success getting a file system from a device running 4.3.1 yet?
Using the Linux tools I have added the following line under the iPhone 4 (GSM) header in the firmware.txt file
A1332+4.3.1=http://appldnld.apple.com/iPhone4/041-0551.20110325.Aw2Dr/iPhone3,1_4.3.1_8G4_Restore.ipsw
I have updated our lab iPhone 4 to 4.3.1 and I can run boot-liverecovery and boot-kernel fine. It then gives me a 0 byte recovered file system.
I have tried unplugging and plugging in, running through the process a few times, various restarts etc. Nothing seems to work!
Any suggestions?
What recovery module are you using? You should be using recover-tarball.sh, not recover.sh (Assuming those are still the names of the recovery modules).
LE can and does make money off his methods, and other phone software methods of removing data from cellphones.
You have to think outside the box to find this answer, but any idea how they do it?
"As is stated on his personal website, Non-LE requests will not be answered. I'm sure he doesn't want others making money off of his research and work, especially the commercial entities. "
That's easy, here in the States, some of the States allow Police Officers to "moonlight" as PI's. So the officer learns the tricks of the trade at work and then works on the side on cases and makes the bucks.
Me thinks it's called "Double Dipping". Personally it's not fair to those of us in the Private sector who are willing to pay out of our own pocket to learn the same tricks. And yes, I'm a retired cop, but because I don't carry a badge anymore, I've not been allowed in the club.
I was using the recover-fs.sh module.
Cheers,
I have been able to perform a file system dump on an iPhone 3Gs and an iPhone 4 both running iOS 4.3.1. However, I did not use JZ tools as they aren't up to date but the methodology used is pretty much the same as JZ has implemented in his automated tools.
I created a recovery ramdisk that has SSH on it. I then booted the iPhones from this ramdisk and used the secure copy command (scp) to download the filesystem from the devices. You can also use SFTP to perform the download operation, but the great thing with scp is that you can use some options to preserve permissions and timestamps.
You can find the procedure I used to do this here http//
However, using this procedure, you won't be able to download emails from the device as it results in permission errors. I believe it's either a bug in the SSH binary that was packed in the ramdisk or it's a security feature from the Apple crypto API. The only way I was able to retrieve the emails was to jailbreak the iPhones, install Cydia and then install OpenSSH. After that, I was able to download the Mail folder without any issue.
Now (before I get flamed on this forum), I know that jailbreaking a device is not a forensic process, but in this case, we had written consent from the owner, we really needed the emails and we are ready to testify in court what has been done and why.
Hope this helps.
I appreciate the fact that you were an officer, thank you for your service.
The officers that I know don't do this, but I have heard of some who do, and that's all fine until our side does an aff of software or a depo and finds out what they have been using and if any of that is a fruit of being an officer.
A few current officers I know have gone to great lengths to distance themselves from any software they acquired in an officer capacity and in an private capacity.
Can someone familiar with these tools give me some guidance? I am trying to use the boot-passcode tool to remove the sim card lock and let me in to the phone. This is a data recovery case, not forensic. Every time I try and use the automated tools, I get errors. So I decided just to open the .sh and type the commands one by one to the terminal (linux). However, when I do the ./injectgreen I get ./injectgreen 1 syntax error Unterminated quoted string
I can't find the source on the site for the injectgreen file, so I can't fix the code and recompile. If anyone can help, please PM me. I obviously have valid access to these tools, but am just learning to use them.
Thanks
UPDATE I thought maybe it was a linux issue, so I pulled out a Mac and tried to run the scripts on there. I get the same problems. On top of the error listed above, it doesn't seem to run any of the binaries (xpwntool, irecovery). It's like they didn't compile correctly, but I can't find the sources for those to compile myself. HELP!!!!
UPDATE Got everything except the injectgreen binary to work. I ended up getting xpwntool and irecovery from different sources. Linux will still not execute the injectgreen. I get "bash ./injectgreen cannot execute binary file"
When dealing with the latest Linux scripts is there an easy way to get them ready to use on a stand alone machine with no internet connection?
I know that once you have run (for example) a 3GS running 4.2.1 for the first time it will have downloaded the relevant firmware files and can be completed again in the future without the need to connect to the internet.
My question is that I want to set up a machine that will not need to be on the internet once it has been created. Because of this I want to download all the firmware parts and have all the scripts set up and not have to worry about it again until there are updates. But sadly I do not have access to all the iOS devices running all the firmwares to go through and manually and set the tool up by downloading the firmware packages for each hardware/iOS combination.
Is there an easy way to do this?
Could I download all the firmwares listed in firmware.txt URLs and change the firmware.txt file so it points to a local location (download folder) rather than the Apple site?
I thought that if you downloaded the files locally the scripts would do a local filesystem lookup before going off to the internets to download the file.
Why don't you have a go for yourself and see? Just do a wget on the firmware text file or something.
I can confirm that this works!
Just change the path in the firmware.txt file to point to a local folder and then you do not need to be connected to the internet. This makes for a much more secure and portable way of working with the tools.
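For the offline setup discussed above, here is an added example (not code from the thread or from the tools themselves) that mirrors each IPSW once and writes a rewritten firmware.txt pointing at the local copies. It assumes the MODEL+IOS=URL entry format shown earlier in the thread and that the scripts accept an absolute local path in place of the URL, as the last poster reports.

```shell
#!/bin/sh
# Added example: mirror every IPSW referenced in a JZ-style firmware.txt into a
# local folder and write a second firmware.txt whose entries point at the local
# copies, so a stand-alone lab machine never has to reach appldnld.apple.com.
# Assumes entry lines look like  MODEL+IOS=URL  (e.g. A1332+4.3.1=http://...ipsw)
# and that the scripts take an absolute local path where the URL used to be
# (as reported in the thread); section headers and blank lines are copied as is.

# fetch_one URL DEST: download one file; swap in curl or a stub if you prefer.
fetch_one() {
    wget -q -O "$2" "$1"
}

# mirror_firmware SRC_TXT MIRROR_DIR OUT_TXT
mirror_firmware() {
    src=$1; out=$3
    mkdir -p "$2" || return 1
    dir=$(cd "$2" && pwd)            # absolute, so the rewritten entries work from any cwd
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *+*=http://*|*+*=https://*)
                key=${line%%=*}      # e.g. A1332+4.3.1
                url=${line#*=}       # the Apple URL after the first '='
                dest=$dir/${url##*/} # keep Apple's file name, e.g. iPhone3,1_4.3.1_8G4_Restore.ipsw
                # download only if not already mirrored, so reruns after updates are cheap
                if [ ! -s "$dest" ] && ! fetch_one "$url" "$dest"; then
                    rm -f "$dest"    # no partial files; keep the online entry so the tool can still try
                    echo "fetch failed, keeping original entry: $url" >&2
                    printf '%s\n' "$line" >> "$out"
                    continue
                fi
                printf '%s=%s\n' "$key" "$dest" >> "$out"
                ;;
            *)
                printf '%s\n' "$line" >> "$out"
                ;;
        esac
    done < "$src"
}
```

Run it once online (mirror_firmware firmware.txt ./ipsw firmware.local.txt), then copy the mirror folder and the rewritten file to the offline machine.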