1. miscreanity's Avatar
    My first Apple purchase ever - a shiny black 16GB 3GS (IPSW 3.0/7A341). Being a Linux user for longer than I can remember, it took a couple of weeks to get access to a Windows box with iTunes (ver. During the interim, I put on about 200 pics/photos and 1000 or so texts, with another 1000 IMs through Beejive. On first connection iTunes, it recognized the phone and began a sync. All was well with the world.

    A notification popped up about the update to IPSW 3.0.1 which proclaimed a fix for the SMS vulnerability. I figure sure, it can't be that bad to pop in a minor update. Oh, how wrong I was. The single point of catastrophic failure known as iTunes deemed my precious toy to be in need of a solid bricking.

    Now, sitting with a lump of a dark mirror in my hands (but what a pretty lump), it was time to research my options. The restore from iTunes swore it would steal every ounce of life that once resided in the entropized confines of my handheld, but offered the promise that it would restore the backed-up data to its former glory. Being unsure at this point, I decided to make absolutely certain that there was a backup, only to find that there was absolutely, certainly... nothing. Well, aside from some of the crash logs.

    I am now perturbed. By perturbed, I mean that I desire for Steve Jobs to get cancer again and undergo multiple tooth extraction performed by Liza Minnelli on acid - all while having severe, full-body muscle spasms.

    The recovery options available online all fail... often taking Windows down with them. I discover that my phone is in DFU mode, which I assume has something to do with a dead fetuses. I decide that someone at Apple has a medically-oriented sick sense of humor. This makes me even more perturbed.

    My iPhone is still staring at me blankly. Since I can still see the device on USB under Linux, and iTunes pops up and wants to restore every time I plug it into the Windows system, I know something can be done to extract my data. After a brief stint of modifying the source of irecovery in an attempt to interact with full-on DFU mode, my desire to reverse-engineer just didn't hold as much appeal as it did in my earlier years. More exploration into the options of mounting the drive lead to the option of jailbreaking. That was an option I had no intention of pursuing, but it seems Apple has made that the only viable choice in order to extract my goodies. Finally, I decide to take the plunge and restore through iTunes.

    Once that's done, I have a clean slate. All those dirty conversations have been wiped. Damn.

    No! I can rebuild the lost data! I have the technology! I have the capability to... Anyway, the frosty thing with a zero for a letter works, and next thing I know, there's some Martian program installed. With a hop, skip & a jump, I frolic into the seedy world of freedom. As an aside, it smells nice there.

    With the OpenSSH daemon now running, it's time to play. I found no way to mount the drive, but there was a neat little SSH trick. The way it was pushed didn't appeal, so I used the pull style instead.

    Push version seen everywhere online:
    dd if=/dev/disk0 | ssh [email protected] 'dd of=iphone.img'

    Pull version which I prefer (but requires auto-lock to be disabled):
    ssh [email protected] dd if=/dev/disk0 | dd of=iphone.img

    Again, simply a matter of preference. In any case, the results kept coming up fruitless.

    "dd: reading `/dev/disk0': Invalid argument"

    "dd: opening `/dev/disk0s1': Resource busy"

    Visuals of the 5th Ave Apple Cube being melted into glassy slag prance around me.

    After running through a couple of proof-of-concept tests going from one SSH box to another just to make sure I'm not going insane, I confirm that the command will work even while a device is mounted. Perhaps the iPhone simply won't do the nasty while it's mounted. That seems counter-productive, but I'll kick it off for a moment. What's this? There's no 'umount' command? Who does that!?

    Even as root, trying to force the file system into a read-only mode fails. There isn't an immediately apparent way to show open files, or even currently running processes. Yes, further searching may yield clues, but I need a break. None of the techniques I've found seem to work with my 3GS using the 3.0 system software. Something like SSHFS is obviously too high-level.

    I am now searching for sharp objects to use during my hostage stand-off at a certain Cupertino software company headquarters. Help prevent that from happening - tell me something good, or at least point me in a direction. Anyone? Bueller... Bueller... Bueller?

    2009-08-13 10:34 PM
  2. cpjr's Avatar
    Not really sure what your getting at.
    2009-08-14 04:41 AM
  3. pokekid's Avatar
    are you asking for help or ranting? I'm pretty sure every owner has lost some important data at one point or another. sucks to hear though. hope u find a way to get your precious back
    2009-08-14 05:47 AM
  4. miscreanity's Avatar
    Just being a spaz, for the most part. Also needed a break from sifting through countless forums and articles. What better way to do that than to rant about the offending subject? On a good note, my phone is back in action after restoring, just without all the juicy morsels.

    I am looking for some other direction to take as far as getting a raw dump off of the phone. There was mention that the 'umount' utility is on a ramdisk, which I'm looking further into. Otherwise, I'm considering looking into the iPhone dev toolchain to build a Darwin binary that can be uploaded. None of the current programs I've seen are on the forensics side of the fence.

    I've never done any coding for an Apple platform before, but I am aware that it's BSD based at the lower levels. This tells me that, so long as it's jailbroken, it can be done - success just depends on how much effort I'm willing to put in.

    Of course, my project after figuring out how to get a dump from the 3GS will be to work on a tool to extract the useful information. I'll probably use Python, as I've seen a very nice, small script that can pull at least some of the data.

    Again, any suggestions are appreciated.
    2009-08-14 07:38 AM
  5. iJulien's Avatar
    Same problem here after reading http://modmyi.com/forums/file-mods/6...backed-up.html
    Have you come up with a solution yet?
    Did you try Zdiarski's method? Webcast: iPhone Forensics Demonstration
    2009-08-18 03:28 PM
  6. miscreanity's Avatar

    The Zdziarski method of using a custom boot loader seems to be overkill when I can easily jailbreak using redsn0w and (hopefully) unmount the partitions. Of course, that's assuming a dd dump will be possible after doing so. The 3GS seems to be more aggravating than previous iterations.

    So I'm planning on extracting 'umount' from the 3.0/7A341 IPSW since I have yet to find it online. I'm using Linux and don't have access to a Mac, so I'll have to use the xpwn utilities. Sadly, I haven't had time to compile and test it yet.

    With any luck, I'll have the opportunity during the next couple of days. After that, it's a quick upload using scp and a few commands to determine viability. You can be sure there'll be a post here if it works!
    Last edited by miscreanity; 2009-08-19 at 07:21 AM.
    2009-08-19 07:19 AM
  7. Efrdman2008's Avatar
    I'll be honest, although I can't help you, that was an extremely entertaining read.
    2009-08-19 08:23 AM
  8. iJulien's Avatar
    Thank you miscreanity. Frustrating.
    Here's what I get after using redsn0w, installed cydia and the nc tool.

    Last login: Tue Aug 18 23:52:16 on ttys000
    OSX-JULIEN:~ Ju$ ssh [email protected]
    [email protected]'s password:
    Blueberry:~ root# df -h
    Filesystem Size Used Avail Use% Mounted on
    /dev/disk0s1 750M 536M 208M 73% /
    devfs 27K 27K 0 100% /dev
    /dev/disk0s2s1 30G 17G 13G 58% /private/var
    Blueberry:~ root# mount
    /dev/disk0s1 on / (hfs, local, noatime)
    devfs on /dev (devfs, local)
    /dev/disk0s2s1 on /private/var (hfs, local, noatime)
    Blueberry:~ root# /bin/dd if=/dev/disk0s2s1 bs=4096 | nc 7000
    /bin/dd: opening `/dev/disk0s2s1': Resource busy
    Blueberry:~ root# /bin/dd bs=4096 if=/dev/disk0s2s1 | ssh [email protected] 'dd of=iphone-dumpz.img'
    /bin/dd: opening `/dev/disk0s2s1': Resource busy
    0+0 records in
    0+0 records out
    0 bytes transferred in 0.000034 secs (0 bytes/sec)
    Blueberry:~ root#

    Should I try to umount the disk0s2s1 first?
    2009-08-19 09:03 AM
  9. miscreanity's Avatar
    E-man - thanks, glad you enjoyed the tirade!

    iJ - yes, the partition will need to be unmounted. There's no way to know for sure whether it'll work, but it's still a simpler procedure than creating a custom iBoot a la Zdziarski. However, by default the iPhone does not have the umount command installed. The utility needs to be extracted from the appropriate IPSW ramdisk. For 3.0+ IPSW, the ramdisk needs to be decrypted first, and it's a huge PITA for the latest version. Hopefully, I'll be able to get it done soon (as in hours to days). I have to say, it may be easier on your OSX box when it comes to mounting the decrypted dmg. If you can get it extracted on your system following the directions in the aforementioned links, you'll make the process much easier.

    Other than that, I'll keep you posted.
    2009-08-20 09:05 PM
  10. miscreanity's Avatar
    Welcome back to the continuing saga. This evening, we'll have Apple Computer starring as the psychotically jealous lover, opposite iPhone users scrambling for restraining orders before Apple ruins the experience. May a thousand marsupials trample Apple and AT&T into a gooey mess. Google, take me away!

    So far, there's good news and bad news.

    The bad news first: I got a chance to decrypt and take a peek at the 3.0 ramdisks and found that there is no 'umount' utility in any of the usual places (sbin, usr/sbin, etc...). While this is bad, it indicates that unmounting the partitions will allow a dd image to be generated. Of course, that requires the umount utility to be available. Without it, this little project is dead in the water.

    The good news: There is hope! Basically, it boils down to someone with the iPhone SDK (which possibly isn't low-level enough) or Darwin/iPhone 3.0 source (more likely) compiling the umount binary for the correct target hardware platform - the S5L8920. If I do undertake this endeavor, it will likely be some time before I can pop out a properly targeted binary, if at all. Does anyone else care to step up to the plate? Preferably someone with a Mac.

    Another method that may work is downgrading to 2.x system software. I haven't explored the option using the 3GS yet. If it works at least you'd be able to dump data from that version. Keep your fingers crossed...
    Last edited by miscreanity; 2009-08-22 at 06:56 AM.
    2009-08-22 06:44 AM
  11. guisquil's Avatar

    So there is no way to get the .img yet from the 3GS using this technique ? i get the same errors as you guys...

    2009-08-23 09:04 PM
  12. Poseidon79's Avatar
    A more fruitful endeavor may be to research why an initial back-up was never made so you are not left in the same predicament again. If you figure that out then all the rest is moot.
    2009-08-23 09:15 PM
  13. guisquil's Avatar
    Mom is that you?
    2009-08-24 12:29 AM
  14. cyclonefr's Avatar
    Just wanted to post I managed to finally dump my /private/var partition from my 3GS : the culprit is the dd command you need to type and isn't the correct one :

    the correct one is :

    ssh [email protected] dd if=/dev/disk0 bs=1M | dd of=iphone.img

    so just add bs=1M and it should work.. It did for me !

    Enjoy !

    P.S: if you only wanna backup the private/var partition, specify rdisk0s2s1
    2009-08-25 02:26 AM
  15. guisquil's Avatar
    WOW that is great how long did it take and do you get a visual of the percentage of how the file being written?
    2009-08-25 04:36 AM
  16. miscreanity's Avatar
    Poseidon79 - While I can appreciate the suggestion, what would that accomplish? My data is still largely in place on the phone, but still unaccessible. I was under the impression that iTunes had properly made a backup in the first place. Every time I do a backup using iTunes, I now double check that the file dates are fresh, but that doesn't change the fact that my original data is still irretrievable. What would I research? Apple's ineptitude and utter disregard for a sizable segment of its clientele? How would I correct the problem? Should I whine about how iTunes failed until Apple doesn't think different? I do what makes sense and is in my power - that is recover a bit-for-bit dump of the file system.

    guisquil - LOL! The full commands are below. There's no easy way that I've found to get a progress indicator with dd. Depending on the speed of your wireless network, it could take from 6-10 hours for the entire drive.

    cyclonefr - Great, it works! Alright, the first string you provided using /dev/disk0 didn't work, but /dev/rdisk0 did. I had used the block size parameter with disk0 as per wickedpsyched.com and it still had issues. However, I never tried using the bs option with rdisk. Good call on discovering that! This has saved a lot of time and aggravation, so thank you immensely!

    The whole shebang:
    ssh [email protected] dd if=/dev/rdisk0 bs=1M | dd of=iphone-dump.img

    Just the system partition:
    ssh [email protected] dd if=/dev/rdisk0s1 bs=1M | dd of=iphone-root.img

    Just the user data partition:
    ssh [email protected] dd if=/dev/rdisk0s2s1 bs=1M | dd of=iphone-user.img
    2009-08-25 05:14 AM
  17. cyclonefr's Avatar
    it took me around 3.5 hours to back up my 16GB iphone (I created an adhoc network between my Mac and my iPhone so it was faster)... To get an idea about the progress, just look at the size of the image on your HDD... It should grow step by step till ~ 16GB
    2009-08-25 10:50 PM
  18. shogunR's Avatar
    Hi, all
    I never success to recovery my iphone 3GS photo.
    Could u teach me step by step, so i can recovery it?

    2009-09-10 05:13 PM
  19. TheRealHoudini's Avatar

    I've tried to dump my iPhone without SSH and without jailbreak.

    I think it's possible, but I need some help.

    The software I used is (iFuse for Linux.)

    Then I've mounted the media partition of the iphone to /mnt/iphone.

    But when I now tried to use dd for making dump of it, only one message appeard: "it's a directory". Yes, that's right

    Is it possible to make a binary dump of it in otherways? Or is it possible to mount the iphone e.g. to "/dev/hda" so that some recovery tools could use it as a normal drive/device?
    2009-10-02 07:28 AM
  20. sebek73's Avatar
    I'm from Italy.
    Thanks for your message.
    I'm trying your method on an iPhone 3GS 32GB fw 3.1.2 JB and I would like some clarification.
    I should run the command directly from the "Mobile Terminal" of the iPhone?
    So it seems to work OK, but starts to save the file "iphone-dump.img" directly on the iPhone. Even if space was sufficient (it is now virtually empty), it is risky and the data have already been lost may never be more readable?
    This means that I must first create the file on the iPhone and then transfer it on PC?
    In various tests I tried to save the file directly to my PC (Windows XP Pro), is created, but still remains at 0 bytes, even after some time, is it normal?
    Pray if you can help me.
    How can I contact for more details? Skype, MSN or whatever.
    Thank you!
    2009-10-15 01:21 PM
37 12