How I recovered an N41 EVT2 from a software failure

Posted: Wed Jul 31, 2024 9:19 pm
by orangera1n
Screw ups happen, and sometimes, some things arrive dead. With this post I'm starting a series that will focus on my brick and recovery stories.

Today we’re showing you how I recovered a friend's N41 EVT2 after it couldn't boot.

The problem:
The iPhone would get past iBoot and boot into the kernel and then get to the stage where it mounts the data partition until it just... stops for no obvious reason... or so I thought.

When mounting the partition, it said something along the lines of "Warning: Data volume at 1 free block, danger zone: 4194", which ofc meant an "I'm too full and can't rm" situation.

Now I know what you're thinking:

Just restore, ez, right?

WRONG

This device:
- runs a pre-release version of iOS 6.0 (build 10A316 to be precise), so I don't want to lose that
- is a development device, which Apple's servers won't allow to restore
- and more importantly, has pre-release hardware, meaning ANY iBoot image that is public for the iPhone 5 cannot boot on it.

So I had to get creative.

One problem after the next
We realized we could send unsigned iBoot images since this device has dev iBoot, so I did that to a patched image that supported this early revision iPhone 5, and booted an ssh ramdisk (basically a minimal iOS environment where you can mount filesystems and run commands). What I would do is:
- mount the data partition
- look for unnecessarily big files
- delete them
- and reboot (after properly unmounting ofc)

Now I wanna emphasize the "would" part as it turned out:
I couldn't mount the partition at ALL as I got the good old "mount(): error = -1" and "expectedBlocksize=4096" (iirc) along with this in serial:

Code:

LwVM::_getEffaceableKeys - failed to unwrap partition keys - master key may not be available: 0xe00002c1
LwVM::_loadPartitionKeys - fatal error fetching partition encryption information
LwVM::_strategy - failed to map I/O to partition
disk0s1s2: device error.

Which could be due to:
- The device being dev-fused
- A random case of Apple moments

What's even odder:
- I could not format OR dd zeros to the data partition, which could be due to the 1st reason.

Realization

I realized I could still execute commands via the /etc/launchd.conf file, which configures things to launch on boot, which would execute JUST after var mounts.

So I thought:

What if I made a NEW data partition via here, since it appears as if I can actually mess with the data partition as it mounts here? I eventually came up with this launchd.conf:

Code:

bsexec .. /sbin/umount /private/var
bsexec .. /sbin/newfs_hfs -s -v Data -J -b 4096 -n a=4096,c=4096,e=4096 /dev/disk0s1s2

I set it, and rebooted it and it actually DID do what it was told, and we were only one "fixkeybag" away from repairing this device.

The end

After the fixkeybag run, we were able to fully boot to a shell, the device would show up as an iPhone on the computer, and it works!

Tl;dr: you can regenerate the data partition on iOS 6 when you can't restore.
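
Because /etc/launchd.conf entries run at boot, it is worth reviewing the file before a reboot. The following is an added example, not part of the original post: it parses a launchd.conf and flags `bsexec` entries that unmount or reformat a volume. The function names, the `DESTRUCTIVE` list and the `setenv` sample line are assumptions of this example.

```python
import shlex

# Assumption: tools treated as volume-altering; this list is chosen for the example.
DESTRUCTIVE = {"newfs_hfs", "umount", "dd"}

# Constructed sample: the two bsexec lines from the post plus one benign setenv line.
SAMPLE = """\
setenv PATH /usr/bin:/bin:/usr/sbin:/sbin
bsexec .. /sbin/umount /private/var
bsexec .. /sbin/newfs_hfs -s -v Data -J -b 4096 -n a=4096,c=4096,e=4096 /dev/disk0s1s2
"""

def parse_launchd_conf(text):
    """Return (line_no, subcommand, args) for every non-empty line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw)
        if tokens:
            entries.append((line_no, tokens[0], tokens[1:]))
    return entries

def audit(text):
    """Flag bsexec entries that run a volume-altering tool or name a /dev node."""
    findings = []
    for line_no, sub, args in parse_launchd_conf(text):
        # Layout as written in the post: bsexec <pid field> <program> [args...]
        if sub != "bsexec" or len(args) < 2:
            continue
        program, rest = args[1], args[2:]
        tool = program.rsplit("/", 1)[-1]
        devices = [a for a in rest if a.startswith("/dev/")]
        if tool in DESTRUCTIVE or devices:
            findings.append({"line": line_no, "tool": tool, "devices": devices})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        target = ", ".join(f["devices"]) or "(no device node named)"
        print(f"line {f['line']}: {f['tool']} -> {target}")
```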