ssh-rd icon indicating copy to clipboard operation
ssh-rd copied to clipboard

Published 20 hours ago verified publisher icon msftguy

Stuck on "Ramdisk load started!"

Open ghost opened this issue 7 years ago • 13 comments

iPhone 4 CDMA on 7.1.2, anyone know of a solution? I read the update log or whatever and it said iP4 CDMA support had been added, but it's not working. Thank you!

ghost avatar Sep 28 '17 16:09 ghost

Same here...

Been trying to recover some photos off this 3GS for a few weeks.

ghost avatar Oct 07 '17 00:10 ghost

I've tried almost everything except for using an old version of Windows and Java. Maybe try a Windows XP/Vista virtual machine with an older Java and see if that works?

On Fri, Oct 6, 2017 at 20:51 Koizum1 [email protected] wrote:

Same here...

Been trying to recover some photos off this 3GS for a few weeks.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/msftguy/ssh-rd/issues/25#issuecomment-334899371, or mute the thread https://github.com/notifications/unsubscribe-auth/AUP6KExoRJWYLgV2_B0oN0nASss_78rxks5spssZgaJpZM4PnhSv .

ghost avatar Oct 07 '17 04:10 ghost

Disconnect and reconnect.

haiyuidesu avatar Aug 05 '18 14:08 haiyuidesu

Disconnect and reconnect. @YumiStar

Ramdisk load started!
MobileDevice event: DfuDisconnect, 1227, 2008930

This happens when I disconnect and reconnect the usb (notice that there is no connection event). I am using a jailbroken 5.1.1 iPad 1st gen.

dvdblk avatar Sep 18 '18 21:09 dvdblk

Nani? Why exploiting ssh_rd if you're jailbroken ? Anyways, Try on another the USB port, else try on another laptop.

haiyuidesu avatar Sep 19 '18 16:09 haiyuidesu

Unfortunately the iPad screen is broken so that's why I'm trying to ssh into it. Yeah probably has to do something with the iTunes version. Thanks regardless.

dvdblk avatar Sep 19 '18 17:09 dvdblk

For me. after the ramdisk load starts, i get an error that "the device is not recognised" and then it stops

Saransh-255 avatar Oct 14 '20 11:10 Saransh-255

ok , update. It gets stuck at "Ramdisk load started" now. I dont know if it is getting me anywhere near fixing it. Can anyone help?

Saransh-255 avatar Oct 15 '20 09:10 Saransh-255

I reconnected it and it has recognised it but it just says: " Ignoring same device Iphone 4 (GSM)

Saransh-255 avatar Oct 15 '20 09:10 Saransh-255

same here too. Device: iPhone 4(A1332, iPhone3,1) OS: Windows XP 32bit on real machine(Pentium E6300, 1GB ram)

in my case, after show "Ramdisk load started!" and showed log on GUI:

...
Ramdisk load started!
MobileDevice event: DfuDisconnect, 1227, 8930
MobileDevice event: DfuConnect, 1227, 8930
DFU device 'iPhone 4 (GSM)' connected
Ignoring same device iPhone 4 (GSM)
MobileDevice event: DfuDisconnect, 1227, 8930
MobileDevice event: RecoveryConnect, 1281, 8930
MobileDevice event: RecoveryDisconnect, 1281, 8930
Almost there..
MobileDevice event: RecoveryConnect, 1281, 8930
MobileDevice event: RecoveryDisconnect, 1281, 8930
Almost there..
MobileDevice event: RecoveryConnect, 1281, 8930

At command prompt, showed logs:

...
RestoreProgress: dev=14DE3738, op=0 progress=98 ctx=152A24F0
RestoreProgress: dev=14DE3738, op=0 progress=99 ctx=152A24F0
RestoreProgress: dev=14DE3738, op=0 progress=100 ctx=152A24F0
RestoreProgress: dev=14DE3738, op=0 progress=4294967295 ctx=152A24F0

(sorry for my dirty English. I'm Korean, so i write this text as a translator)

bass9030 avatar Sep 04 '21 06:09 bass9030

Did anyone have any results or fixes for this in the end?

BaconTriple avatar Jan 11 '23 16:01 BaconTriple

Hey there. I think maybe have a solution for you all. In mux_redux/itmd.c we log to the file /tmp/md.log. After the RecoveryConnect event, you can see the following in the logs

2023-05-21 14:00:32.000 java[54483:1ea03]: amai: AMAuthInstallPlatformCreateBufferFromNativeFilePath: open failed: No such file or directory
2023-05-21 14:00:32.000 java[54483:1ea03]: amai: AMAuthInstallPlatformCreateBufferFromNativeFilePath: /var/folders/sw/rjkzvfjx5gsdq42bpy8qzlrr0000gn/T/ssh_rd/ipsw_ipod11_7E18/BuildManifest.plist
2023-05-21 14:00:32.000 java[54483:1ea03]: amai: AMAuthInstallBundleCopyPublishedVariantsArray: No build manifest. Checking for a different file.
2023-05-21 14:00:32.000 java[54483:1ea03]: amai: AMAuthInstallPlatformCreateBufferFromNativeFilePath: open failed: No such file or directory
2023-05-21 14:00:32.000 java[54483:1ea03]: amai: AMAuthInstallPlatformCreateBufferFromNativeFilePath: /var/folders/sw/rjkzvfjx5gsdq42bpy8qzlrr0000gn/T/ssh_rd/ipsw_ipod11_7E18/BuildManifesto.plist

You may be able to see where this is going... For some reason the file BuildManifesto.plist is missing from the firmware folder in the ssh_rd temp directory. To solve this, you can extract BuildManifesto.plist from the IPSW file by copying it, renaming it to have the extension .zip and extracting BuildManifesto.plist from the top level of the IPSW. You can place it in the extracted firmware folder, in my case ssh_rd/ipsw_ipod11_7E18, that has the .dec, .orig and .p files. Note that you can find the temp directory that is logged at the beginning and throughout the logs in the Java GUI window.

If you did not already have that temporary directory created, you will have to boot your device into DFU mode, let the application run and get stuck, copy that file into the directory, and relaunch the Java program and put your device into DFU again.

Unfortunately I think in trying to get a custom SSH Ramdisk with dd working, I may have botched my filesystem which is really disappointing. But this should be able to get the SSH Ramdisk running on your device! Before I botched it, I was able to run mount.sh and other included commands.

FrederickGeek8 avatar May 21 '23 21:05 FrederickGeek8

Hey @FrederickGeek8, thanks a lot for discovering the missing piece and sharing your repo! 🥳 I have tried to run it on my old iPad but after following the instructions it failed on the 'Sending fake data' step with a SIGSEGV coming from irecv_control_transfer in jsyringeapi.jnilib.

Have you encountered something similar? I don't think you changed anything in the jsyringeapi.c that would cause this, so unfortunately for me, it might be device specific.

Logs from Eclipse:

Waiting for new TCP connection on port 2022
Waiting for device...
Initializing libpois0n
No matching processes belonging to you were found
Waiting for device to enter DFU mode
opening device 05ac:1227...
Found device in DFU mode
Checking the device type
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x000000012b93c2c9, pid=54555, tid=62467
#
# JRE version: OpenJDK Runtime Environment Homebrew (20.0.1) (build 20.0.1)
# Java VM: OpenJDK 64-Bit Server VM Homebrew (20.0.1, mixed mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, bsd-amd64)
# Problematic frame:
# C  [jsyringeapi.jnilib+0x32c9]  irecv_control_transfer+0x49
#
# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# .../java/hs_err_pid54555.log
#
# If you would like to submit a bug report, please visit:
#   https://github.com/Homebrew/homebrew-core/issues
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#
Checking if device is compatible with this jailbreak
Identified device as iPad1,1

dvdblk avatar Jul 12 '23 22:07 dvdblk