Old 09-27-2010, 04:39 AM   #21
leesh991
n00b
 
leesh991 is offline
Join Date: Sep 2010
Location: new york
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Tried photorec last night with the img file.
Recovered 3 files. One was a massive 1.8GB mpg video file.
The biggest video file I had on the phone was probably 200mb?
So I was wondering if my block size of 1M caused this?
Or is photorec just not as good as data rescue?

Am now dumping with bs=8k...if not will try bs=4096 or 4096kb again and let you guys know!

 
Old 09-27-2010, 05:09 AM   #22
multipazz
Obsessive iPhone Disorder
 
multipazz is offline
Join Date: Nov 2009
Device: iPhone 4
iOS Version: 4.0.1
iTunes Version: iTunes 10
Carrier: Vodafone
OS: macOS
Location: SKYRIM
Posts: 4,063
Thanks: 1,537
Thanked 3,467 Times in 1,337 Posts
try the r-studio link on the previous page

you will then not need mac drive at all, as r-studio will support all volume formats !!!

might still be an idea to mount the volume in Daemon Tools to scan it...
or load it directly in r-studio as a drive image file...

 
Old 09-28-2010, 02:32 PM   #23
leesh991
The serial code is not working for the file. I tried the demo and it loads the image brilliantly!

 
Old 09-28-2010, 02:42 PM   #24
multipazz
I'll find you another link...

---------- EDIT ----------

are you sure you entered it correctly...

i would try again... maybe check that there are no carriage returns added..

the serial is a biggie :P


try this one :-
http://www.megaupload.com/?d=F8BFR682

 
Old 09-28-2010, 04:04 PM   #25
leesh991
I managed to dl a version 5.0 with a working serial code.

Recovered plenty of files....but none of them can be opened.
Even when I open up .txt files it shows up as random codes.

Don't know what to do now...

Dumped the iphone img using bs=4096KB

 
Old 09-29-2010, 12:19 AM   #26
multipazz
it should not matter what BS you used to dump the file system when using data recovery software !!!

do you know anyone with a mac you can try this on...

you should be able to do it on a PC but I have never tried..

I know this works 100% on mac as i have done it many times...

Old 10-05-2010, 11:16 PM   #27
posixninja
n00b
 
posixninja is offline
Join Date: Oct 2010
Location: GA
Posts: 7
Thanks: 0
Thanked 26 Times in 7 Posts
the answer

on iOS4 all the files on the user partition are now encrypted, and are decrypted on the fly when requested. this is why dumping raw devices no longer works.

 
Old 10-06-2010, 01:27 AM   #28
multipazz
Quote:
Originally Posted by posixninja View Post
on iOS4 all the files on the user partition are now encrypted, and are decrypted on the fly when requested. this is why dumping raw devices no longer works.

the 3GS was supposed to do that in hardware.. but when you requested the image it would automatically do the decryption as it sent out the image...

I should test this.. but it does take hours to process, why i didn't do it yet, but i will need to do a backup before i upgrade to 4.1/4.2 which i guess is close now...

---------- EDIT ----------

if what you say is true ... then replacing the os would dump the encryption keys..

please explain how this is possible for iOS 4.1
if the OS is now responsible for encryption of the user partition...

Mostly iPhone hacking: Data recovery: not just for iBoot-pwned devices

---------- EDIT ----------

can you please prove you are who your profile claims to be by tweeting me some #pie on Twitter

 
Old 10-06-2010, 08:48 AM   #29
posixninja
Quote:
Originally Posted by multipazz View Post
the 3GS was supposed to do that in hardware.. but when you requested the image it would automatically do the decryption as it sent out the image...

I should test this.. but it does take hours to process, why i didn't do it yet, but i will need to do a backup before i upgrade to 4.1/4.2 which i guess is close now...

---------- EDIT ----------

if what you say is true ... then replacing the os would dump the encryption keys..

please explain how this is possible for iOS 4.1
if the OS is now responsible for encryption of the user partition...

Mostly iPhone hacking: Data recovery: not just for iBoot-pwned devices

---------- EDIT ----------

can you please prove you are who your profile claims to be by tweeting me some #pie on Twitter

I hate #pie, and don't really care if you believe it's me or not :-P. Earlier this week Zdziarski (the guy who *literally* wrote the book on iPhone forensics) came to me with the same issue and asked if I would look into it. In the 3GS they introduced the hardware-level encryption, which really didn't do much good for anyone since it only protected people from dumping the raw NAND chip via hardware means. In iOS 4 they introduced their new MobileKeyBag system, which (along with allowing multiple user "profiles" for use in corporate devices) generates a random system key during restore to encrypt/decrypt files on the user partition. I'm still working on developing a method to allow users to decrypt files in raw dumps given the system keybag, but finishing GP is currently my #1 priority. But, if you're bored and want to see for yourself (and don't mind restoring and losing all hope of ever getting your unsaved pictures/videos back), try deleting /private/var/keybags/systembag.kb and see how far your device can get without it.

 
Old 10-06-2010, 09:34 AM   #30
multipazz
I have now seen confirmation from several sources... and am sorry I didn't believe you at first, but we have had so many fakes joining the forum pretending to be devs...

I do know of Zdziarski, and his work... I wrote a small piece about this the other week.. but i guess I am wrong about what I wrote there also

Jonathan Zdziarski thanks p0sixninja for the SHAtter exploit - SiNfuL iPhone

Thanks for coming to clarify this for us !!!

I know you are really busy and will not trouble you any further...

PS, do you have any way to donate? I have only found a few closed chipins on your blog...

 
Old 10-06-2010, 10:02 AM   #31
posixninja
Quote:
Originally Posted by multipazz View Post
I have now seen confirmation from several sources... and am sorry I didn't believe you at first, but we have had so many fakes joining the forum pretending to be devs...

I do know of Zdziarski, and his work... I wrote a small piece about this the other week.. but i guess I am wrong about what I wrote there also

Jonathan Zdziarski thanks p0sixninja for the SHAtter exploit - SiNfuL iPhone

Thanks for coming to clarify this for us !!!

I know you are really busy and will not trouble you any further...

PS, do you have any way to donate? I have only found a few closed chipins on your blog...

yea, he's done a lot of work putting killers/rapists/terrorists behind bars (nice knowing all my hard work is making the world a better place :-)).

I do have a donate button on the bottom of posixninja.com /.org/.net that goes right to me, but you should probably just wait until after GP is released (there will be a team donate button on the site)

 
Old 10-11-2010, 08:32 PM   #32
bralston7
n00b
 
bralston7 is offline
Join Date: Oct 2010
Location: Illinois
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
So, now that we have settled that the dump from an iOS 4 device is encrypted, has anybody figured out how to decrypt it given that I have access to my own keybag?

 
Old 10-26-2010, 05:30 AM   #33
bozoo
n00b
 
bozoo is offline
Join Date: Oct 2010
Location: bozoo
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Hi,
thanks for this great tutorial,
I had total success with it! (iPhone 3GS, iOS 4.1 + MacBook Pro, OS X 10.6.4)
I used ssh root@iphoneIP dd if=/dev/rdisk0s2s1 bs=4096KB | dd of=iphone-user.img
the img was not mountable but scalpel was able to access and recover all the files.

could you please give some more clues about how to do this over USB?
I can't figure out how to use iphone_tunnel

thanks
b.

Quote:
Originally Posted by multipazz
NOTE1:
you can do this over USB instead of WiFi using a custom build of iPhone_tunnel utility to connect to SSH:
http://code.google.com/p/iphonetunne...connectbyport/
Changes made for this custom build:
1. Launch iPhone_tunnel, forward remote port 22 as local port 2022 (or 22 on Windows):-
./iPhone_tunnel
2. Connect using SSH: ssh root@localhost -p 2022

so your command over USB will be:-
ssh root@localhost -p 2022 dd if=/dev/disk0 | dd of=iPhone-RAW.img

 
Old 10-26-2010, 05:33 AM   #34
multipazz
with your command that was successful and the tunnel command..

first launch tunnel in one terminal window ... you should get output listening or similar

then in a second terminal window

ssh root@localhost -p 2022 dd if=/dev/rdisk0s2s1 bs=4096KB | dd of=iphone-user.img

you will notice that after you issue the command in the second window...
the output from tunnel in the first window should change to connected blah blah some device etc....

 
Old 10-26-2010, 08:20 AM   #35
bozoo
hi,

that is what i understood but i am missing something about installing and launching iphone_tunnel on OSX.

I downloaded itnl_rev71.zip which contains :
- itnl -> unix executable
- libmd.dylib -> library

when i launch itnl, i only get the "usage" output :

Nestor:itnl_rev71 nestor$ ./itnl 22 2022 388a...(40 digits)...
iphone_tunnel v2.0 for Win/Mac
Created by novi. (novi.mad@gmail.com)
Restore mode hack by msft.guy ((rev 5))

Usage: iphone_tunnel --tunnel [--iport ] [--lport ] [Device ID, 40 digit]]
OR: iphone_tunnel --autoboot to kick out of the recovery mode
OR: iphone_tunnel [--ibss ] [--exploit ]
[--ibec ] [--ramdisk ]
[--devicetree ] [--kernelcache ]
Example: iphone_tunnel 22 9876 0123456...abcdef
Default ports are 22 2022
Nestor:itnl_rev71 nestor$

what am i missing ? I googled a lot and i did not find anything...

thanks !

(MacBook Pro, OS X 10.6.4, iTunes 10.0.1 (22), iPhone 3GS iOS 4.1 jailbroken)

 
Old 11-26-2010, 04:39 AM   #36
thar
n00b
 
thar is offline
Join Date: Nov 2010
Location: ger
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Hi

I did some research about this topic, and I found out that if you delete the System Keybag the device is a brick and not able to boot. But then I restored the iPhone with the stage 1 firmware like Zdziarski describes, and all data is restored. I tried it from my MacBook and my PC, and the PC has never seen the iPhone before.
Of course file protection and passcode was active.
I have no idea how this works.

In a second round I tried to not delete the systembag.kb but manipulate it.
After a reboot the device is stuck and the stage1.ipsw can be installed successfully but the device isn't able to boot.

Does anybody have any idea what's going on?
How can the iPhone restore the keybag?

Thx

 
Old 12-16-2010, 01:25 PM   #37
portab1e
notanoobreally
 
portab1e is offline
Join Date: Jan 2010
Device: iPhone 2G
iOS Version: 3.1.2
iTunes Version: iTunes 10
Carrier: T-Mobile
OS: macOS
Location: Europe
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
I've got a nice 16GB dump from a 3GS on 4.0.2 I need to decrypt. So maybe one day eh ;-)
Well I'm subscribed to the thread so hopefully it'll pop up here if someone figures it out.
Also just wanna say hi cos I'm new to Sinful iPhone.
Laterz

p.s. oh yeah, I copied the keybag

 
Old 12-17-2010, 08:49 AM   #38
wbrooks3
n00b
 
wbrooks3 is offline
Join Date: Dec 2010
Location: MS
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
posixninja or anyone else... have you had an opportunity to look into decrypting the iPhone 4 files? Desperately need to undelete some photos.

Anyone know anything about the iPhone Spy Stick by Brickhouse Security? They claim they can recover iPhone 4 files??? But damn expensive.

cheers

 
Old 01-04-2011, 12:17 AM   #39
GrisoMG
n00b
 
GrisoMG is offline
Join Date: Nov 2010
Device: iPhone 3GS
iOS Version: 4.2
iTunes Version: iTunes 10
Carrier: T-Mobile
OS: Windows 7
Location: GER
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Quote:
Originally Posted by posixninja View Post
... i'm still working on developing a method to allow users to decrypt files in raw dumps given the system keybag, but finishing GP is currently my #1 priority. But, if you're bored and want to see for yourself (and don't mind restoring and losing all hope of ever getting your unsaved pictures/videos back) try deleting /private/var/keybags/systembag.kb and see how far your device can get without it

any progress with this topic? an update would be nice:-)

 
Old 02-11-2011, 10:33 AM   #40
Alex509508
n00b
 
Alex509508 is offline
Join Date: Feb 2011
Device: iPhone 4
iOS Version: 4.0.1
iTunes Version: iTunes 10
Carrier: Other
OS: Windows XP
Location: NJ
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Hi Guys,

I would like to share with the community the tests I did so far to retrieve back some data.
My apologies in advance, as my comments/questions might be stupid to some experts (I am not one).

Situation: After my iPhone 4 16GB crashed for an unknown reason (JB was not even known to me at this time), I lost around 3 months of my personal pictures taken during my holidays with my wife, as I did not use iTunes to charge the iPhone... I know it's a big mistake now...
Well, I went to many forums... and basically took relevant info from Jzdziarski's method to get a disk image.

Recap: iPhone 4 / iOS 4.0.1 / JB (Jailbreakme) / PC Ubuntu 10.10 for getting disk image / PC Windows for post-processing with HFSExplorer, HxD.
I got my 15GB rdisk0s2s1. HFSExplorer browses all of the DATA tree of this disk image well, with clear filenames, and the data file sizes are the right ones (checked with iFile directly on the iPhone), but I cannot get them readable with the HFSExplorer file extraction feature: I don't have the expected file signatures in hex to carve something (checked with HxD). Does it mean all single data files are encrypted somehow?

I did the same with rdisk0s1: all data are clear: HFSExplorer extraction went well for some samples, HxD shows correct file signatures, and scalpel has worked for rdisk0s1: png, plist, … even a .jpg I put onto the iPhone for the tests. Nothing interesting here, it was just for testing and comparison purposes.
I also did an iTunes backup for testing purposes. I then went to the corresponding MobileSync folder, ran strings on all data, and can likely see all data very clearly: SMS thread discussions, notes, Outlook invitations, dynamic dictionary, websites I went through, …
Why is my rdisk0s2s1 disk image not clear like my rdisk0s1?
How can HFSExplorer even deal with my rdisk0s2s1 and show a clear DATA tree, with clear filenames and the correct data file sizes?
Am I facing the disk encryption feature here?
Thanks for your help,
Alex.
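
An added example, not part of any post in this thread: a Python triage of a raw dump that automates the check described above as done by hand in HxD, measuring per-block entropy and looking for file signatures at block starts to tell whether carving with scalpel or photorec can work. The 4096-byte block size, the 7.5 bits/byte threshold, the `triage` and `keystream` helper names, and both sample images are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Magic numbers that carvers such as scalpel and photorec key on.
SIGNATURES = {"jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n",
              "bplist": b"bplist00", "sqlite": b"SQLite format 3\x00"}

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def triage(image: bytes, block_size: int = 4096, threshold: float = 7.5) -> dict:
    """Report how much of a raw dump looks like ciphertext."""
    blocks = [image[i:i + block_size] for i in range(0, len(image), block_size)]
    used = [b for b in blocks if any(b)]  # skip all-zero (never written) blocks
    high = sum(1 for b in used if entropy(b) >= threshold)
    # Match only at block starts (assumes 4096-byte allocation blocks): files
    # begin on block boundaries, while a 3-byte magic matched at any offset
    # turns up by chance in gigabytes of ciphertext.
    hits = {name: sum(1 for b in used if b.startswith(sig))
            for name, sig in SIGNATURES.items()}
    ratio = high / len(used) if used else 0.0
    # Compressed media is high-entropy too, so entropy alone is not a verdict;
    # the missing signatures are what separate ciphertext from a photo library.
    return {"used_blocks": len(used), "high_entropy_ratio": round(ratio, 2),
            "signature_hits": hits,
            "likely_encrypted": ratio > 0.5 and not any(hits.values())}

def keystream(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

# Constructed sample 1: unencrypted volume with a JPEG, a text file, a database.
PLAIN = (b"\xff\xd8\xff\xe0" + keystream(4092, b"jpeg")
         + (b"Meeting notes, constructed sample. " * 120)[:4096]
         + b"SQLite format 3\x00" + bytes(4080)
         + bytes(4096))

# Constructed sample 2: readable catalog block (file names), encrypted contents.
ENCRYPTED = ((b"IMG_0001.JPG\x00" * 400)[:4096]
             + keystream(7 * 4096, b"data"))

if __name__ == "__main__":
    for label, img in (("plain", PLAIN), ("encrypted", ENCRYPTED)):
        print(label, triage(img))
```

The second sample mirrors the situation reported in this thread: the block holding file names stays readable while every content block is high-entropy and carries no signature.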