
  1. Mes's Avatar
    Emergency SSH access using a pwn'd DFU mode RamDisk (Win7-32)

    Use at your own risk. Experienced users only !! If you don't know what you're doing, stay away!!

    Management summary:

    When an iDevice won't boot, several remedies are available. SSH, iPhoneExplorer/Browser, etc., and iTunes restore are the normal methods to either restore or to gain access to a non-bootable device and implement a fix. This is an alternative approach when the normal methods don't work and all else fails. Warning: Significant iPhone/computer experience required!!


    This is not new work. It uses this reference as THE source (Mostly iPhone hacking: Booting SSH ramdisk on new devices), adds changes for iOS 4.2.1 and lots of clarification. All thanks go to MsftGuy and so many others.


    Acquire SSH access to the root and user filesystems, modify and/or delete the offending program, and reboot without any damage or noticeable change. This process should be considered a last resort. It builds a new ramdisk with SSH included, uses current jb'ing exploits to download the ramdisk and access the iDevice. It requires technical knowledge, significant computer and iPhone experience, and is NOT for the beginner or the faint of heart.


    Since the release of 4.x, many have experienced booting issues after installing a non-compatible or faulty MobileSubstrate app. Most of the time, the 3GS will boot or respring into safe mode where it can be accessed and fixed. Unfortunately, once in a while, it does not boot into safe mode. It hangs at the Apple logo. When this happens, I typically get the normal Apple logo for about 5 minutes, then it adds a spinning wheel for another 2-3 minutes, then everything freezes. It doesn't reboot, it does nothing! A force shutdown works, but it does the same thing over and over again.

    The problem: !!! No access !!!

    During this 'once in a while' situation: SSH, AFC2, iPhoneBrowser/Explorer and iTunes do not work, and the computer does not recognize the device. Nothing I've tried will access or even recognize the device. Without access, it cannot be fixed.

    Note: If your iDevice continually reboots (does not freeze), a simpler solution is likely. SSH/AFC2 access may be available for a short time during the reboot process.


    Claimed support: iPhone4, iPad I, 3GS old & new bootrom
    iOS 4.0 and above
    Tested: 3GS, old bootrom, iOS 4.2.1 (Windows 7 PC, iTunes 10.1), jb'd w/PwnageTool
    Tested: 3GS, new bootrom, iOS 4.1 (Windows 7 PC, iTunes 10.4), jb'd w/redsn0w (using 4.1 files and keys, see end of post )
    Previously jailbroken (any method)
    Implements: limera1n for a pwn'd DFU mode exploit
    NOT FOR older 2G, 3G devices, or any iOS 3.x
    (A similar method using iRecovery is available, see links above)

    Note: Instructions are written for 3GS/4.2.1. Newer/older iOS/iDevices should work. My primary reference (msftguy link in 2nd paragraph above) provides a 4.1/3GS tutorial. Make appropriate changes (different custom ipsw with different file names) for your iOS / iDevice version.


    1: (Reference: Mostly iPhone hacking: Booting SSH ramdisk on new devices)
    2: Restore Ramdisk (038-0082-001.dmg) IV & KEY (3GS, iOS 4.2.1): from VFDecrypt Keys - The iPhone Wiki
    3: Custom 4.2.1 ipsw created by PwnageTool or Sn0wbreeze
    4: tetheredboot utility from
    5: itunnel_mux (rev71):


    1: Create a "New Folder"
    2a: Extract everything (except the custom ipsw) to "New Folder"
    2b: Extract the custom 4.2.1 ipsw (I use 7-zip) to a temporary folder
    From the temporary folder, find and copy to "New Folder"
    a. IBSS.n88ap.RELEASE.dfu,
    b. kernelcache.release.n88,
    c. DeviceTree.n88ap.img3, and
    d. 038-0082-001.dmg.
    (the restore ramdisk)
    3: execute: RecoveryRamdiskBuilder.exe (Build the new ramdisk with ssh included)
    Copy/Paste IV and KEY (from theiphonewiki....)
    Select ramdisk: 038-0082-001.dmg (the 4.2.1 custom ipsw ramdisk)
    A new ramdisk is created: 038-0082-001.dmg.ssh (automatically builds)
    If successful: Completes with: ALL OK; boot with '038-0082-001.dmg.ssh' ramdisk ......

    Finished building. Your directory should contain these files:

    4: Put the device in normal DFU mode (iClarified - iPhone - How to Put an iPhone Into DFU Mode)
    5: Open a cmd.exe window (run as admin) and navigate to "New Folder"
    6: Run tetheredboot and load 3 files on the iDevice:
    tetheredboot -i iBSS.n88ap.RELEASE.dfu -k kernelcache.release.n88 -r 038-0082-001.dmg.ssh

    Note: The 3GS screen should be totally white while tetheredboot is running.

    ------------ Displayed by tetheredboot ------------------
    ...initializing libpois0n
    ...ERROR: The process "iTunes.exe" not found.
    ...ERROR: The process "iTunesHelper.exe" not found.
    ...Waiting for the device to enter DFU mode
    ...Found device in DFU mode
    ...Checking if device is compatible with this jailbreak
    ...Checking the device type
    ...Identified device as iPhone2,1
    ...Preparing to upload limera1n exploit
    ...Resetting device counters
    ...Sending chunk headers
    ...Sending exploit payload
    ...Sending fake data
    ...Expoit send
    ...Reconnecting to device
    ...Waiting 2 seconds for the device to pop up...
    ...Uploading iBSS.n88ap.RELEASE.dfu to device
    ...[================================================] 100.0%
    ...Waiting 10 seconds for the device to pop up...
    ...Uploading 038-0082-001.dmg.ssh to device
    ...[================================================] 100.0%
    ...Uploading kernelcache.release.n88 to device
    ...[================================================] 100.0%
    ...Exiting libpois0n

    If the process stops at "Waiting 2 seconds....", start over at step 4.

    Note: After loading, the 3GS screen should have a white Apple logo with an empty progress bar

    ...If no errors (except iTunes), go to step 7...

    Note: If #6 tetheredboot fails to load the ramdisk (which tends to happen with large ramdisks),
    you can try using itunnel_mux to load kernel and ramdisk:
    6a: tetheredboot -i iBSS.n88ap.RELEASE.dfu
    6b: itunnel_mux --kernelcache kernelcache.release.n88 --devicetree DeviceTree.n88ap.img3 --ramdisk 038-0082-001.dmg.ssh

    7: execute itunnel_mux.exe to forward SSH connection to the USB (does not terminate):
    itunnel_mux --lport 22

    ------------Displayed by itunnel_mux----------------------------
    ...[INFO] Waiting for new TCP connection on port 22
    ...[INFO] Waiting for device ...
    ...[INFO] Device connected: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    .............. more messages after a connection is made ...........
    Note: Leave this window open ...............

    8: Open a new cmd.exe window (run as admin recommended)
    9. Create/start an SSH session (I use Cygwin for ssh)
    ssh [email protected] -p 22

    Note: If 1st log-in, a new RSA certificate will be generated. Enter 'yes' to accept

    11: Enter password: alpine
    12: This is your logged in prompt: -sh-4.0#

    Note1: itunnel_mux window: [INFO] Device connected .....
    Note2: After the connection, the 3GS screen will change to totally white
    Note3: If no ssh response/message from either window, check local firewall settings

    Mount / (root) filesystem (contains system settings & files, MobileSubstrate dylibs, etc)
    13: -sh-4.0# fsck_hfs /dev/disk0s1
    14: -sh-4.0# mount_hfs /dev/disk0s1 /mnt1/

    Mount /usr filesystem (everything else, IE: music, media, photos, apps, data, etc)
    15: -sh-4.0# fsck_hfs /dev/disk0s2s1
    16: -sh-4.0# mount_hfs /dev/disk0s2s1 /mnt2/

    To set the path correctly so you can easily navigate the filesystem:
    17: -sh-4.0# PATH=$PATH\:/mnt1/bin

    Congratulations, you now have full root access. Up to this point, the iDevice has NOT been modified in any way --- so be careful! After you're done messing around, play it safe - execute: sync; sync; sync. This will flush any pending filesystem writes.

    When finished, to terminate the session and restart the iPhone:
    18: -sh-4.0# kill 1

    Other common commands:
    ls (list directory), rm (delete), mv (rename or move), cp (copy)

    Note: If you save the directory "New Folder", subsequent emergency SSH access is quick & easy. Start at step 4.

    All the information you need is available in this thread and on the internet. Experienced users only.

    For a 3GS on iOS 4.1 (note: cfw built by pwnage):
    iBSS.n88ap.RELEASE.dfu: 108,932 bytes
    kernelcache.release.n88: 4,761,412 bytes
    018-7080-079.dmg.ssh: 17,962,308 bytes
    Last edited by Mes; 2011-09-09 at 04:55 PM. Reason: Added 4.1 file notes
    2011-04-09 04:44 AM
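    As an added example (not part of Mes's post and not code from the tetheredboot or itunnel_mux tools), the following Python script applies the post's decision rules to a saved tetheredboot transcript: the two iTunes "not found" errors are treated as benign, a run that stops at "Waiting 2 seconds" means start over at step 4, a ramdisk upload that never reaches 100% means fall back to 6a/6b with itunnel_mux, and three completed uploads plus "Exiting libpois0n" means go on to step 7. The function names (parse_transcript, next_step) and the return codes are my own; the sample transcripts are constructed from the successful run quoted in the post, and the stalled case mirrors the 64% report further down this thread.

```python
"""Classify a tetheredboot transcript using the rules stated in the post above.

Added example; function names, return codes and sample data are assumptions
made here, not output or code from tetheredboot itself.
"""
import re

# Constructed sample: the successful run quoted in the post (the leading "..."
# on each line is the forum's formatting and is stripped by the parser).
SAMPLE_OK = """\
...initializing libpois0n
...ERROR: The process "iTunes.exe" not found.
...ERROR: The process "iTunesHelper.exe" not found.
...Waiting for the device to enter DFU mode
...Found device in DFU mode
...Checking if device is compatible with this jailbreak
...Checking the device type
...Identified device as iPhone2,1
...Preparing to upload limera1n exploit
...Resetting device counters
...Sending chunk headers
...Sending exploit payload
...Sending fake data
...Expoit send
...Reconnecting to device
...Waiting 2 seconds for the device to pop up...
...Uploading iBSS.n88ap.RELEASE.dfu to device
...[================================================] 100.0%
...Waiting 10 seconds for the device to pop up...
...Uploading 038-0082-001.dmg.ssh to device
...[================================================] 100.0%
...Uploading kernelcache.release.n88 to device
...[================================================] 100.0%
...Exiting libpois0n
"""

# Constructed: run hangs right after the exploit ("start over at step 4").
SAMPLE_HUNG = SAMPLE_OK.split("...Uploading iBSS")[0]

# Constructed: iBSS loads, the ramdisk upload stalls at 64% (a large ramdisk).
SAMPLE_STALLED = (SAMPLE_OK.split("...Uploading 038-0082")[0]
                  + "...Uploading 038-0900-005.dmg.ssh to device\n"
                  + "...[===============================                 ] 64.0%\n")

# The post says "If no errors (except iTunes), go to step 7".
BENIGN_ERRORS = ("iTunes.exe", "iTunesHelper.exe")

DEVICE_RE = re.compile(r"^Identified device as (\S+)$")
UPLOAD_RE = re.compile(r"^Uploading (\S+) to device$")
PROGRESS_RE = re.compile(r"^\[[= ]*\]\s*([0-9.]+)%$")


def parse_transcript(text):
    """Extract device id, non-benign errors, per-file upload progress and end state."""
    report = {"device": None, "errors": [], "uploads": {},
              "reached_wait": False, "finished": False}
    current = None  # file whose progress bar we are currently reading
    for raw in text.splitlines():
        line = raw.strip().lstrip(".").strip()
        if not line:
            continue
        m = DEVICE_RE.match(line)
        if m:
            report["device"] = m.group(1)
            continue
        if line.startswith("ERROR:"):
            if not any(name in line for name in BENIGN_ERRORS):
                report["errors"].append(line)
            continue
        m = UPLOAD_RE.match(line)
        if m:
            current = m.group(1)
            report["uploads"][current] = 0.0
            continue
        m = PROGRESS_RE.match(line)
        if m and current is not None:
            report["uploads"][current] = float(m.group(1))
            continue
        if line.startswith("Waiting 2 seconds"):
            report["reached_wait"] = True
        elif line == "Exiting libpois0n":
            report["finished"] = True
    return report


def next_step(report):
    """Map a parsed transcript to (code, advice) following the post's instructions."""
    if report["errors"]:
        return "unexpected_error", "errors other than the iTunes ones: " + "; ".join(report["errors"])
    if report["device"] is None:
        return "retry_step_4", "device never identified in DFU mode: re-enter DFU and start over at step 4"
    if report["reached_wait"] and not report["uploads"]:
        return "retry_step_4", 'stopped at "Waiting 2 seconds": start over at step 4'
    stalled = [(f, p) for f, p in report["uploads"].items() if p < 100.0]
    for name, pct in stalled:
        if name.endswith(".ssh"):
            return "use_itunnel_mux", (f"ramdisk {name} stalled at {pct:g}%: load iBSS alone (6a), "
                                       "then push kernel and ramdisk with itunnel_mux (6b)")
    if stalled or not report["finished"]:
        return "incomplete", 'transcript ended before "Exiting libpois0n": retry from step 4'
    return "proceed_step_7", "all three files uploaded: run itunnel_mux --lport 22 (step 7) and ssh in"


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("hung", SAMPLE_HUNG), ("stalled", SAMPLE_STALLED)):
        code, advice = next_step(parse_transcript(sample))
        print(f"{label:8s} -> {code}: {advice}")
```

    To use it on a real run, redirect tetheredboot's output to a file and pass the file contents to parse_transcript; the "..." prefixes are optional, so the raw console output parses the same way as the forum-quoted text.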
  2. Stray's Avatar
    Very nice
    that was officially the scariest thing you have ever said str4y.
    Dude T.M.I
    2011-04-09 04:50 AM
  3. Orby's Avatar
    You, sir, are a boss.

    Not like a boss.

    A full-on boss.

    Glad to see someone wrote up a (very good) tut for booting a "recovery" ramdisk. Now do one for OS X?
    2011-04-09 05:34 AM
  4. Mes's Avatar
    Thank you STRAYunINFIDEL and orbyorb for your kind comments
    Last edited by Mes; 2011-04-09 at 07:57 AM.
    2011-04-09 06:14 AM
  5. Stray's Avatar
    No problem.
    2011-04-09 01:06 PM
  6. mattmoya's Avatar
    you are a god.
    My iP4 is stuck in a boot loop. I've tried every possible solution out there besides a restore, which I don't want to do because I'll lose all my photos etc.
    I'm going to give this a shot tomorrow and see if I can get to the filesystem.

    One thing though: as far as the custom ipsw goes, I'm running 4.0, so wouldn't I need a custom 4.0 ipsw?
    2011-04-12 10:12 AM
  7. Stray's Avatar
    No, you shouldn't need one; just make sure you have your 4.0 SHSHs.
    2011-04-13 01:20 AM
  8. khoacalacan's Avatar
    How would I to mount the /private/var/mobile/ directory? I'm trying to backup my photos using this method because my iPhone would not boot up at all, but that directory is not there.

    Edit: Nevermind, I was searching the wrong folders, sorry for the bother. On the other hand. Amazing post, thank you so much, saved my precious photos ^.^
    Last edited by khoacalacan; 2011-04-13 at 07:15 PM.
    2011-04-13 06:37 PM
  9. moon#pie's Avatar
    Great write-up, Mes. The only issue I have (which I am surprised Orby didn't point out) is that SSH is Secure Shell. As in over a network. I realize you probably know this and are just rolling with the common term used by the community, but if not, I just thought I would point it out.

    This is pretty much CLI over USB. Other than that, I'm sure this will help a lot of people.
    2011-04-15 05:00 AM
  10. Zokunei's Avatar
    This should help since I moved the mobilesubstrate file and now it won't boot :P

    Nice new sig, Stray. Now it's not so creepy that you said you love me.
    2011-04-16 08:43 PM
  11. Stray's Avatar
    Oh yeah. Hey Zokunei fix your ipod screen yet?
    2011-04-16 09:08 PM
  12. ramar's Avatar
    Hi everyone, first of all, thanks for the instructions, I think I'm halfway through with recovering my files (iPhone 4 with iOS 4.2.1 stuck at recovery loop) ... but I think I'm stuck here:

    -sh-4.0# fsck_hfs /dev/disk0s2s1

    Apparently the volume is corrupted or something and it tries to fix it but fails after 3 attempts... it says "The volume data could not be repaired after 3 attempts"

    Should I proceed to mount it?
    And after I mount it, what should I do in order to back up my needed files just before I finally decide to restore it?

    Thanks in advance for the reply!

    EDIT: Couldn't mount it... it returned "mount_hfs invalid argument"
    Any clues on what I should be doing next?
    Last edited by ramar; 2011-04-18 at 09:42 AM. Reason: update
    2011-04-18 09:02 AM
  13. mpwn's Avatar
    Can someone help me? I can't upload the ramdisk in step 6. I tried steps 6a and 6b but don't get it. Need help ASAP, please. iPod touch 3G, 4.2.1
    2011-04-23 09:03 AM
  14. Orby's Avatar
    Can someone help me? I can't upload the ramdisk in step 6. I tried steps 6a and 6b but don't get it. Need help ASAP, please. iPod touch 3G, 4.2.1
    Can you clarify what "you don't get?" Perhaps by phrasing your issue as a question?

    If you are receiving an error message (or other unexpected behavior), it'd be helpful if you'd share what the message/weirdness is, what you're expecting instead of the message, and what you were doing immediately before you got your weird behavior.

    2011-04-25 09:10 AM
  15. mpwn's Avatar
    Don't worry, problem fixed. Something was wrong with my sn0wbreeze dmg, so I got my Mac and made a custom firmware with PwnageTool. Thanks a lot, guys.
    2011-04-27 10:36 AM
  16. latinodancer15's Avatar
    To ramar -

    Have you tried "fsck_hfs -r /dev/disk0s2s1"?

    May work for you, but it didn't work for me. I get the same. Can't mount mnt2.

    iPhone 4, 4.1
    2011-04-27 09:12 PM
  17. exclusivebiz's Avatar
    Hi, 4.3.1 for 3GS doesn't have any IV and keys; it's not encrypted. How would we use the ramdisk builder under Windows? It seems to crash.
    I tried 4.2.1 and it goes through successfully, but I need 4.3.1. Thank you for your prompt reply.
    2011-05-24 12:07 AM
  18. Orby's Avatar
    Try using "0" (may get by with one zero each, you may need 256 bits worth of zeroes) as the KEY and IV. That's what I'd do at least...
    2011-05-24 06:35 AM
  19. exclusivebiz's Avatar
    Hi, tried your zero approach and still no go; RamdiskBuilder crashes. It does work for the other iOS versions that have keys from the wiki. Ones that are not encrypted don't seem to work. I'm going to try to get my hands on a Mac and maybe try the Mac method. Until then I'm still searching.
    2011-05-24 07:44 AM
  20. exclusivebiz's Avatar
    So I ended up creating the ramdisk on a Mac and it seemed to go through.

    Next issue is loading the ramdisk.
    I'm using this command:
    tetheredboot -i iBSS.n88ap.RELEASE.dfu -k kernelcache.release.n88 -r 038-0900-005.dmg.ssh

    It gets stuck loading the dmg.ssh at 64%.

    Perhaps it's because of the size of the ramdisk... so

    Next commands I try are:
    tetheredboot -i iBSS.n88ap.RELEASE.dfu
    wait for this to exit then:
    itunnel_mux --kernelcache kernelcache.release.n88 --devicetree DeviceTree.n88ap.img3 --ramdisk 038-0900-005.dmg.ssh
    Everything seems to load and stay loaded, and the iPhone screen is white.

    Lastly I use itunnel_mux --lport 22 on an XP machine.
    Firewall is off. But it keeps waiting for a device and doesn't connect. Am I on the right track here? What am I missing? Something wrong with the itunnel_mux command? Appreciate your response.
    2011-05-25 09:53 AM