Menu
Posted byiPhone 44 months ago
[Question] The SSH ramdisk tool (ssh_rd) doesn't work on my iPhone 4
It's an iPhone 3,2 (Rev A) running iOS 7.1.2. When I use the tool, this is the output that I get:
Using syringe to exploit the bootrom
MobileDevice event: DfuDisconnect: 3d81227, 4008930
Exploit sent!
Preparing to load the ramdisk.
Ramdisk load started!
MobileDevice event: DfuDisconnect: 3d81227, 4008930
Exploit sent!
Preparing to load the ramdisk.
Ramdisk load started!
The iPhone boots normally, then the program shows the 'Connect to localhost on port 2022' message, but it just times out when I try to do that. In videos I've watched, the iPhone disconnects later, and it boots to an Apple logo with a progress bar below it. Why doesn't this happen?
Jul 1, 2018 - 2 SSH over USB using the iFunBox GUI (Windows only); 3 SSH over USB using. Run launchctl load /Library/LaunchAgents/com.usbmux.iproxy.plist. This will install the command line tool gandalf and an OCaml library. This will start up gandalf in listen mode, that is it will print out whenever a device.
EDIT: I upgraded iTunes to 12.0.1.26 again after uninstalling everything and installing 10.7.0.21 and now it gets stuck later, right when the 'Almost there...' thing shows up, and the 'Success!' message never appears. Now it boots to the Apple logo with the progress bar, but it stays there for a minute then it changes to a spinning loading icon, and when I reboot it manually it goes into recovery mode.
EDIT 2: Got it to work later with a weird improvised procedure that involved plugging my iPhone 4 into my laptop running Windows XP on a virtual machine, then my Win10 desktop, then my laptop again and then connecting and disconnecting my iPhone until the 'Success!' message showed up.
100% Upvoted
3gs iphone now stuck on apple logo and flash bar @[email protected]
i used option 'bypass iphone disabbled'
so now whats next here is log:
SSH ramdisk maker & loader, version 25-01-2012 git rev-03
Made possible thanks to Camilo Rodrigues (@Allpluscomputer)
Including xpwn source code by the Dev Team and planetbeing
Including syringe source code by Chronic-Dev and posixninja
syringe exploits by pod2g, geohot & posixninja
Special thanks to iH8sn0w
Report bugs to msft.guy<[email protected]> (@msft_guy)
Extracted resource to C:DOCUME~1veroLOCALS~1Tempssh_rdnativejsyri ngeapi.dll
Extracted resource to C:DOCUME~1veroLOCALS~1Tempssh_rdnativemux_r edux.dll
Connect a device in DFU mode
MobileDevice event: MuxConnect, 0, 0
MobileDevice event: MuxDisconnect, 0, 0
MobileDevice event: RecoveryConnect, 3941281, 8920
MobileDevice event: RecoveryDisconnect, 3941281, 8920
MobileDevice event: MuxConnect, 0, 0
MobileDevice event: MuxDisconnect, 0, 0
MobileDevice event: RecoveryConnect, 3941281, 8920
MobileDevice event: RecoveryDisconnect, 3941281, 8920
MobileDevice event: MuxConnect, 0, 0
MobileDevice event: MuxDisconnect, 0, 0
MobileDevice event: DfuConnect, 3941227, 8920
DFU device 'iPhone 3GS' connected
Building ramdisk for device 'iPhone 3GS'
Extracted resource to C:DOCUME~1veroLOCALS~1Tempssh_rdall_keys.pli st
Working dir set to C:DOCUME~1veroLOCALS~1Tempssh_rd
IPSW at http://appldnld.apple.com/iPhone4/04...5_Restore.ipsw
Downloading Restore.plist
Downloaded to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405Restore.plist
Restore.plist downloaded to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405Restore.plist
Parsing Restore.plist..
Kernel file: kernelcache.release.n88
Restore ramdisk file: 038-3713-001.dmg
Downloading Firmware/dfu/iBSS.n88ap.RELEASE.dfu
Downloaded to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405FirmwaredfuiBSS.n88ap.RELEASE.dfu.orig
Decrypted to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405FirmwaredfuiBSS.n88ap.RELEASE.dfu.dec
Extracted resource to C:DOCUME~1veroLOCALS~1Tempssh_rdnor5.patch.j son
Patched to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405FirmwaredfuiBSS.n88ap.RELEASE.dfu.dec.p
iBSS prepared at C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405FirmwaredfuiBSS.n88ap.RELEASE.dfu
Downloading Firmware/dfu/iBEC.n88ap.RELEASE.dfu
Downloaded to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405FirmwaredfuiBEC.n88ap.RELEASE.dfu.orig
Decrypted to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405FirmwaredfuiBEC.n88ap.RELEASE.dfu.dec
Extracted resource to C:DOCUME~1veroLOCALS~1Tempssh_rdnor5.patch.j son
Patched to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405FirmwaredfuiBEC.n88ap.RELEASE.dfu.dec.p
iBEC prepared at C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405FirmwaredfuiBEC.n88ap.RELEASE.dfu
Downloading Firmware/all_flash/all_flash.n88ap.production/DeviceTree.n88ap.img3
Downloaded to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405Firmwareall_flashall_flash.n88ap.product ionDeviceTree.n88ap.img3
Device tree prepared at C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405Firmwareall_flashall_flash.n88ap.product ionDeviceTree.n88ap.img3
Downloading Firmware/all_flash/all_flash.n88ap.production/manifest
Downloaded to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405Firmwareall_flashall_flash.n88ap.product ionmanifest
Downloading kernelcache.release.n88
Downloaded to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405kernelcache.release.n88.orig
Decrypted to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405kernelcache.release.n88.dec
Extracted resource to C:DOCUME~1veroLOCALS~1Tempssh_rdkernel5.patc h.json
Patched to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405kernelcache.release.n88.dec.p
Kernel prepared at C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405kernelcache.release.n88
Downloading 038-3713-001.dmg
Downloaded to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405038-3713-001.dmg.orig
Decrypted to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405038-3713-001.dmg.dec
Extracted resource to C:DOCUME~1veroLOCALS~1Tempssh_rdssh.tar
Added ssh.tar to the ramdisk
Ramdisk prepared at C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405038-3713-001.dmg
Using syringe to exploit the bootrom..
Exploit sent!
Preparing to load the ramdisk..
Ramdisk load started!
MobileDevice event: DfuDisconnect, 3941227, 8920
MobileDevice event: DfuConnect, 3941227, 8920
DFU device 'iPhone 3GS' connected
Ignoring same device iPhone 3GS
MobileDevice event: DfuDisconnect, 3941227, 8920
MobileDevice event: RecoveryConnect, 3941281, 8920
MobileDevice event: RecoveryDisconnect, 3941281, 8920
Almost there..
MobileDevice event: MuxConnect, 0, 0
Success!
Connect to localhost on port 2022 with your favorite SSH client!
login: root
password: alpine
i used option 'bypass iphone disabbled'
so now whats next here is log:
SSH ramdisk maker & loader, version 25-01-2012 git rev-03
Made possible thanks to Camilo Rodrigues (@Allpluscomputer)
Including xpwn source code by the Dev Team and planetbeing
Including syringe source code by Chronic-Dev and posixninja
syringe exploits by pod2g, geohot & posixninja
Special thanks to iH8sn0w
Report bugs to msft.guy<[email protected]> (@msft_guy)
Extracted resource to C:DOCUME~1veroLOCALS~1Tempssh_rdnativejsyri ngeapi.dll
Extracted resource to C:DOCUME~1veroLOCALS~1Tempssh_rdnativemux_r edux.dll
Connect a device in DFU mode
MobileDevice event: MuxConnect, 0, 0
MobileDevice event: MuxDisconnect, 0, 0
MobileDevice event: RecoveryConnect, 3941281, 8920
MobileDevice event: RecoveryDisconnect, 3941281, 8920
MobileDevice event: MuxConnect, 0, 0
MobileDevice event: MuxDisconnect, 0, 0
MobileDevice event: RecoveryConnect, 3941281, 8920
MobileDevice event: RecoveryDisconnect, 3941281, 8920
MobileDevice event: MuxConnect, 0, 0
MobileDevice event: MuxDisconnect, 0, 0
MobileDevice event: DfuConnect, 3941227, 8920
DFU device 'iPhone 3GS' connected
Building ramdisk for device 'iPhone 3GS'
Extracted resource to C:DOCUME~1veroLOCALS~1Tempssh_rdall_keys.pli st
Working dir set to C:DOCUME~1veroLOCALS~1Tempssh_rd
IPSW at http://appldnld.apple.com/iPhone4/04...5_Restore.ipsw
Downloading Restore.plist
Downloaded to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405Restore.plist
Restore.plist downloaded to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405Restore.plist
Parsing Restore.plist..
Kernel file: kernelcache.release.n88
Restore ramdisk file: 038-3713-001.dmg
Downloading Firmware/dfu/iBSS.n88ap.RELEASE.dfu
Downloaded to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405FirmwaredfuiBSS.n88ap.RELEASE.dfu.orig
Decrypted to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405FirmwaredfuiBSS.n88ap.RELEASE.dfu.dec
Extracted resource to C:DOCUME~1veroLOCALS~1Tempssh_rdnor5.patch.j son
Patched to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405FirmwaredfuiBSS.n88ap.RELEASE.dfu.dec.p
iBSS prepared at C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405FirmwaredfuiBSS.n88ap.RELEASE.dfu
Downloading Firmware/dfu/iBEC.n88ap.RELEASE.dfu
Downloaded to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405FirmwaredfuiBEC.n88ap.RELEASE.dfu.orig
Decrypted to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405FirmwaredfuiBEC.n88ap.RELEASE.dfu.dec
Extracted resource to C:DOCUME~1veroLOCALS~1Tempssh_rdnor5.patch.j son
Patched to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405FirmwaredfuiBEC.n88ap.RELEASE.dfu.dec.p
iBEC prepared at C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405FirmwaredfuiBEC.n88ap.RELEASE.dfu
Downloading Firmware/all_flash/all_flash.n88ap.production/DeviceTree.n88ap.img3
Downloaded to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405Firmwareall_flashall_flash.n88ap.product ionDeviceTree.n88ap.img3
Device tree prepared at C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405Firmwareall_flashall_flash.n88ap.product ionDeviceTree.n88ap.img3
Downloading Firmware/all_flash/all_flash.n88ap.production/manifest
Downloaded to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405Firmwareall_flashall_flash.n88ap.product ionmanifest
Downloading kernelcache.release.n88
Downloaded to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405kernelcache.release.n88.orig
Decrypted to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405kernelcache.release.n88.dec
Extracted resource to C:DOCUME~1veroLOCALS~1Tempssh_rdkernel5.patc h.json
Patched to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405kernelcache.release.n88.dec.p
Kernel prepared at C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405kernelcache.release.n88
Downloading 038-3713-001.dmg
Downloaded to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405038-3713-001.dmg.orig
Decrypted to C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405038-3713-001.dmg.dec
Extracted resource to C:DOCUME~1veroLOCALS~1Tempssh_rdssh.tar
Added ssh.tar to the ramdisk
Ramdisk prepared at C:DOCUME~1veroLOCALS~1Tempssh_rdipsw_iphone2 1_9A405038-3713-001.dmg
Using syringe to exploit the bootrom..
Exploit sent!
Preparing to load the ramdisk..
Ramdisk load started!
MobileDevice event: DfuDisconnect, 3941227, 8920
MobileDevice event: DfuConnect, 3941227, 8920
DFU device 'iPhone 3GS' connected
Ignoring same device iPhone 3GS
MobileDevice event: DfuDisconnect, 3941227, 8920
MobileDevice event: RecoveryConnect, 3941281, 8920
MobileDevice event: RecoveryDisconnect, 3941281, 8920
Almost there..
MobileDevice event: MuxConnect, 0, 0
Success!
Connect to localhost on port 2022 with your favorite SSH client!
login: root
password: alpine