SIDEBAR
»
S
I
D
E
B
A
R
«
HOWTO: restore an iPad using only Free Software
Feb 14th, 2018 by miki

Thanks to the fine people at the libimobiledevice project, who bothers to reverse engineer Apple products, I recently succeeded in resurrecting a relative’s iPad stuck in a boot loop (something with jailbreaking, running Sydia, missing an iOS update and attempted Sydia removal) without any use of proprietary tools.

This is a brief recipe of the procedure done using Ubuntu 16.04.

As the required tool from libimobiledevice, idevicerestore, is not packaged in the Ubuntu libimobiledevice package we need to build this from scratch from the sources.

iPad during recovery

iPad in recovery mode during firmware download using libimobiledevice

  1. Install build dependencies
    sudo apt install libusbmuxd-dev libplist-dev libplist++-dev libzip-dev
  2. fetch and build libimobiledevice main library
    cd
    git clone https://git.libimobiledevice.org/libimobiledevice.git
    cd libimobiledevice/
    ./autogen.sh
    make
  3. fetch and build libirecovery library
    cd
    git clone https://git.libimobiledevice.org/libirecovery.git
    cd libirecovery
    ./autogen.sh
    make
  4. fetch and build idevicerestore tool, using the homebuilt libraries
    cd
    git clone https://git.libimobiledevice.org/idevicerestore.git
    cd idevicerestore
    CFLAGS="-I$HOME/libirecovery/include -I$HOME/libimobiledevice/include" LDFLAGS="-L$HOME/libirecovery/src/.libs \
    -L$HOME/libimobiledevice/src/.libs" PKG_CONFIG_PATH=~/libirecovery:~/libimobiledevice/src ./autogen.sh
    make
  5. put the iDevice in recovery mode (iPad = press power+home until screen with “iTunes+cable” symbol appear, see image above and check Apple support for details), make sure it has adequate charge or it will refuse (red battery flashing)
  6. perform the actual restore, asking for flashing of latest firmware (~2.5GiB automatically downloaded), this will probably get you in trouble if you desire to jailbreak the device. I noticed while writing this post that the below actually doesn’t run the tool using the libraries built above, but I’m leaving it as it was done because it “worked for me” (TM) and I can’t experiment further because I haven’t got access to any iDevices (and desire to keep it that way):
    sudo $HOME/idevicerestore/src/idevicerestore --latest
    NOTE: using cached version data
    Found device in Recovery mode
    Identified device as j71ap, iPad4,1
    Latest firmware is iPad_64bit_11.2_15C114_Restore.ipsw
    Verifying 'iPad_64bit_11.2_15C114_Restore.ipsw'...
    Checksum matches.
    Extracting BuildManifest from IPSW
    Product Version: 11.2
    Product Build: 15C114 Major: 15
    INFO: device serial number is DMPM4V3SFK15
    Device supports Image4: true
    Variant: Customer Upgrade Install (IPSW)
    This restore will update your device without losing data.
    Using cached filesystem from 'iPad_64bit_11.2_15C114_Restore/058-86080-124.dmg'
    Found ECID 6653578882512
    Getting ApNonce in recovery mode... 03 6b cc ac 57 8a b4 29 29 c1 a9 fe e4 97 54 3b a8 36 59 5a 
    Trying to fetch new SHSH blob
    Getting SepNonce in recovery mode... df 5c ad 67 48 bd 38 b4 6f 72 0a 5c b0 81 87 c3 95 37 4a da 
    WARNING: Unable to find BbChipID node
    WARNING: Unable to find BbSkeyId node
    Request URL set to https://gs.apple.com/TSS/controller?action=2
    Sending TSS request attempt 1... response successfully received
    Received SHSH blobs
    Extracting iBEC.ipad4.RELEASE.im4p...
    Personalizing IMG4 component iBEC...
    Sending iBEC (710360 bytes)...
    Recovery Mode Environment:
    iBoot build-version=iBoot-4076.30.43
    iBoot build-style=RELEASE
    Sending AppleLogo...
    Extracting applelogo@2x~ipad.im4p...
    Personalizing IMG4 component AppleLogo...
    Sending AppleLogo (22709 bytes)...
    ramdisk-size=0x10000000
    Extracting 058-85997-124.dmg...
    Personalizing IMG4 component RestoreRamDisk...
    Sending RestoreRamDisk (59978774 bytes)...
    Extracting DeviceTree.j71ap.im4p...
    Personalizing IMG4 component RestoreDeviceTree...
    Sending RestoreDeviceTree (101420 bytes)...
    Extracting kernelcache.release.ipad4...
    Personalizing IMG4 component RestoreKernelCache...
    Sending RestoreKernelCache (13226783 bytes)...
    About to restore device... 
    Waiting for device...
    Device 3fb0f5cc97b83c61c85d4b8333796d9e536a4c83 is now connected in restore mode...
    Connecting now...
    Connected to com.apple.mobile.restored, version 15
    Device 3fb0f5cc97b83c61c85d4b8333796d9e536a4c83 has successfully entered restore mode
    Hardware Information:
    BoardID: 16
    ChipID: 35168
    UniqueChipID: 6653578882512
    ProductionMode: true
    Starting FDR listener thread
    About to send NORData...
    Found firmware path Firmware/all_flash
    Getting firmware manifest from build identity
    Extracting LLB.ipad4.RELEASE.im4p...
    Personalizing IMG4 component LLB...
    Extracting applelogo@2x~ipad.im4p...
    Personalizing IMG4 component AppleLogo...
    Extracting batterycharging0@2x~ipad.im4p...
    Personalizing IMG4 component BatteryCharging0...
    Extracting batterycharging1@2x~ipad.im4p...
    Personalizing IMG4 component BatteryCharging1...
    Extracting batteryfull@2x~ipad.im4p...
    Personalizing IMG4 component BatteryFull...
    Extracting batterylow0@2x~ipad.im4p...
    Personalizing IMG4 component BatteryLow0...
    Extracting batterylow1@2x~ipad.im4p...
    Personalizing IMG4 component BatteryLow1...
    Extracting glyphplugin@2x~ipad-lightning.im4p...
    Personalizing IMG4 component BatteryPlugin...
    Extracting DeviceTree.j71ap.im4p...
    Personalizing IMG4 component DeviceTree...
    Extracting recoverymode@2x~ipad-lightning.im4p...
    Personalizing IMG4 component RecoveryMode...
    Extracting iBoot.ipad4.RELEASE.im4p...
    Personalizing IMG4 component iBoot...
    Extracting sep-firmware.j71.RELEASE.im4p...
    Personalizing IMG4 component RestoreSEP...
    Extracting sep-firmware.j71.RELEASE.im4p...
    Personalizing IMG4 component SEP...
    Sending NORData now...
    Done sending NORData
    About to send RootTicket...
    Sending RootTicket now...
    Done sending RootTicket
    Waiting for NAND (28)
    Checking filesystems (15)
    Checking filesystems (15)
    Unmounting filesystems (29)
    Unmounting filesystems (29)
    Creating filesystem (12)
    About to send filesystem...
    Connected to ASR
    Validating the filesystem
    Filesystem validated
    Sending filesystem now...
    [==================================================] 100.0%
    Done sending filesystem
    Verifying restore (14)
    [==================================================] 100.0%
    Checking filesystems (15)
    Checking filesystems (15)
    Mounting filesystems (16)
    Mounting filesystems (16)
    About to send KernelCache...
    Extracting kernelcache.release.ipad4...
    Personalizing IMG4 component KernelCache...
    Sending KernelCache now...
    Done sending KernelCache
    Installing kernelcache (27)
    About to send DeviceTree...
    Extracting DeviceTree.j71ap.im4p...
    Personalizing IMG4 component DeviceTree...
    Sending DeviceTree now...
    Done sending DeviceTree
    Certifying Savage (61)
    Flashing firmware (18)
    [==================================================] 100.0%
    Updating gas gauge software (47)
    Updating gas gauge software (47)
    Updating Stockholm (55)
    About to send FUD data...
    Sending FUD data now...
    Done sending FUD data
    About to send FUD data...
    Sending FUD data now...
    Done sending FUD data
    Fixing up /var (17)
    Modifying persistent boot-args (25)
    Unmounting filesystems (29)
    Unmounting filesystems (29)
    Got status message
    Status: Restore Finished
    Cleaning up...
    DONE
  7. The iDevice should reset and boot into the new firmware.
iPad during firmware flashing using libimobiledevice

iPad during firmware flashing using libimobiledevice

If you want to interact with iDevices from within Ubuntu during ordinary use, you could also install some utils and plugins for that. Below will fx. add a context menu in nautilus with info about the iDevice and install the ideviceinstaller command line utility which can be used to administer installed applications on the device.

sudo apt install libimobiledevice-utils nautilus-ideviceinfo ideviceinstaller

[Danish] S&S: gemme data i Arduino ROM/Flash (PROGMEM / F())
Dec 21st, 2016 by miki

Mit svar på et spørgsmål i Facebook-gruppen Danske Arduino Entusiaster omkring Arduino ROM/Flash, PROGMEM og system-inklude-filer.

Spørgsmål

Hej er der en der ved hvor jeg kan hente dett lib. <avr/pgmspace.h> jeg skal bruge denne funktion PROGMEM
så jeg kan gemme et billede i Arduino uden SD kort
det kan være der er en der kender en anden måde at gøre det på.

Svar

pgmspace.h er en inklude-fil som er en del af c-biblioteket til AVR-arkitekturen (avr-libc). C-bibliotekets inklude-filer vil normalt ligge i kompilerens “system include”-sti (se GCC options -I og -isystem). Dermed kan den inkluderes blot med “#include <avr/pgmspace.h>”. Se evt. også Arduino-referencen på https://www.arduino.cc/en/Reference/PROGMEM.
 
Bemærk at PROGMEM ikke er en funktion, men en storage modifier (lager-modifikator) som fortæller kompileren at den kan placere en en given variabel i ikke-skrivbar lager (ROM/Flash). Der skal efterfølgende anvendes specielle funktioner til at læse data fra en sådan variabel (se referencen).
Arduino-frameworket har dog lavet en nem måde at placere konstant-strenge i Flash på (normalt lagres de i SRAM!), nemlig funktionen F() som kan anvendes direkte i f.eks. printf/write/print (Serial.print(F(“Waiting for connection”));)
 
Hvis du vil inspicere indholdet af pgmspace.h, kan du finde filen i Arduino IDE’ets installations-mappe under hardware/tools/avr/avr/include/avr/pgmspace.h. Det er ikke en man kan/skal redigere manuelt i, da den er tæt koblet med den binære kode i selve biblioteket.
 
Der findes også EEPROM-lager du sikkert vil kunne bruge til samme formål; https://www.arduino.cc/en/Reference/EEPROM

Se svaret på Facebook.

Den videre færd med F()

Da jeg ikke kunne finde en uddybende forklaring på F()-funktionen (som egentlig er en makro) i Arduino-dokumentationen (brugen nævnes meget kort i PROGMEM , Memory og Print), gravede jeg efterfølgende lidt rundt for at lære mere. I de sparsomme Arduino-eksempler er den anvendt udelukkende med konstante strenge, hvilket også viser sig at være et krav (eller i hvert fald noget der kan castes til const char *).

Makroen er defineret af Arduino-frameworket i filen hardware/arduino/avr/cores/arduino/WString.h (referencerne er ifht. min lokale installation af Arduino 1.6.9, pt. er nyeste 1.6.13) således:

#define F(string_literal) (reinterpret_cast<const __FlashStringHelper *>(PSTR(string_literal)))

Altså parametren til F() bruges som parameter til PSTR() (progmem string, er mit bud på navn) som er en makro defineret i pgmspace.h fra avr-libc.

Dens funktion er at caste parametrens type til konstant streng-pointer med PROGMEM modifier;

#define PSTR(s) ((const PROGMEM char *)(s))

Skal vi se på hvad PROGMEM rent faktisk er, så finder vi endnu et sæt makroer der ender med at blive udviddet til kompiler-attributten  __progmem__, igen definieret i pgmspace.h (hardware/tools/avr/avr/include/avr/pgmspace.h):

#define PROGMEM __ATTR_PROGMEM__

#define __ATTR_PROGMEM__ __attribute__((__progmem__))

__progmem__ attributten er en instruks til kompileren (GCC) og linkeren om ved programmering/flashing af programmet at placere disse data i en sektion af hukommelsen der hedder “.progmem“. Se evt. mere om dette i GCC-kompilerens dokumentation. For hver AVR-chip kompileren understøtter er der eksakte definitioner af hvilke hukommelsesadresser .progmem ligger på for netop denne chip.

Dvs. når man i sin kode skriver F(“test”) får man i virkeligheden:

(reinterpret_cast<const __FlashStringHelper *>(((const __attribute__((__progmem__)) char *)(“test”)))

Altså en konstant streng der lagres i AVR-processorens progmem-sektion, og som returværdi får en pointer til en konstant instans af en klasse kaldet “__FlashStringHelper“. Denne klasse må være lavet sådan at den anvender de korrekte mekanismer til at læse fra progmem-området (måske mere om dette i en senere artikel). Arduinos funktion-bibliotek (Serial.print() mm.) er lavet således at de direkte kan tage en parameter af denne type som erstatning for en konstant-streng (og det er netop her Arduino-frameworket viser sin værdi ved at abstrahere sådanne kompleksiteter væk fra programmøren).

One-liner: Decompress file and diff against another file
Dec 8th, 2016 by miki

Below is a handy shell one-liner for comparing the decompressed contents of a compressed file against a plain file. The purpose here is to test whether the compressed file is actually derived from compressing the plain file. This particular example is from a real life situation where log rotation by cron.daily on a Ubuntu server had begun failing. The situation is thought to be the result of an interrupted logrotate execution leaving a compressed (but non-rotated) intermediate file in the file system that prevented further log rotation on subsequent executions.

The command constructs a pipe between two process, specified using the | symbol (vertical line), to send the decompressed contents from gunzip stdout to stdin of the compare tool. The example uses diff as compare tool which is suitable for textual contents. You could use f.x. cmp instead if the contents is binary. Both diff and cmp interprets the file name “-” as meaning that input should be read from stdin.

$ gunzip --stdout /var/log/syslog.1.gz | diff --report-identical-files - /var/log/syslog.1
Files - and /var/log/syslog.1 are identical

The above uses long options for clarity, in a real life situation you would probably be using short options instead. That means -c instead of –stdout and s instead of –report-identical-files.

$ gunzip -c /var/log/syslog.1.gz | diff -s - /var/log/syslog.1
Files - and /var/log/syslog.1 are identical

 

(Danish language) S&S: Brug GUI-programmer på tværs af brugere og maskiner (kommander X-vinduer med DISPLAY)
Jan 12th, 2016 by miki

Fra en tråd i gruppen “Linux for begyndere” (https://m.facebook.com/groups/332217263612804?view=permalink&id=549911778510017)

Spørgsmål

Hvordan bliver man root bruger i linux mint ?? i grafisk brugerflade ??

Svar

For fremtidig reference:
Hvis man ønsker at køre en X-klient (et vilkårligt grafisk/GUI program) som root-brugeren, men vise dets vinduer på en X-server (typisk dit desktop environment/DE, som f.eks Gnome/KDE/Unity/lxde/xfce m.f.) der eksekveres af en ikke-privilegeret bruger kan man gøre som følger:

1) som X-server-brugeren kør kommandoen ‘xhost +’ i en grafisk konsol/terminal. Dette tillader at alle brugere og maskiner må vise vinduer på X-serveren (ja, X er en netværksprotokol). Tilladelsen bevares indtil X-serveren genstartes, eller den trækkes tilbage med ‘xhost -‘.

2) som root (su/sudo) eksekver det ønskede GUI-program, med specifikation af hvilken X-server og hvilket display dets vinduer ønskes vist på i DISPLAY environment-variablen (ja, det er muligt at køre flere separate X-servere/displays på samme maskine).
Simpleste form med visning på display 0 på den lokale maskine vil være (med xterm-konsollen som eksempel) ‘DISPLAY=:0 xterm’. Vil man vise vinduet på en anden maskines X-server skal IP-adressen blot angives før ‘:’, som f.eks.: ‘DISPLAY=192.168.1.10:0 xterm’ (det er stadig en xterm der afvikles på den lokale maskine, vinduet vises blot på en ekstern X-server (ja, det kan være farligt, pas på).

Bemærk at man med sudo skal passe på at sætte env-vars i den rigtige shell. F.eks. vil sudo direkte foran ovenstående ikke virke da sudo afskærmer env af sikkerhedsgrunde. I stedet vil man kunne benytte følgende trick: sudo bash -c ‘DISPLAY=:0 xterm’ (enkelt citationstegn til -c er vigtigt).

HTC One Stagefright disable instructions
Jul 29th, 2015 by miki

Until your device is sufficiently patched against the Stagefright vulnerabilty I recommend disabling automatic MMS retrieval on any Android phones from 2.2 and up (which is hopefully all in current use) to prevent unattended triggering.

Howtos for Google and Samsung devices are here.

Below are screenshots of how to do it on HTC One M7 using the stock (HTC Sense) messaging application called “SMS”. The procedure is likely to be very similar on most HTC devices using Sense.
The UI shown is in Danish locale, the English menus will be something like SMS->Settings->Multi Media Messages (MMS)->Automatic Retrieval.

wpid-wp-1438164382994.jpeg wpid-wp-1438164394794.jpeg wpid-wp-1438164402504.jpeg

Schneier discusses details here and this seems to be the commit in CyanogenMod for the underlying problem in the media library. Check aælso the issue’s review page

Howto: disable HDMI blanking in Ångström on BeagleBone Black (BBB)
Jul 9th, 2014 by miki

A very annoying feature of the Ångström image that is shipped with the BeagleBone Black, is that a display connected to the HDMI output of the board will by default be blanked when powering up, and is first woken when any pointer activity occur (touch/mouse).

This seems to originate from the fbdev that is used for displaying graphics, and it took me some time to figure out how to cirumvent it. The normal X commands for controlling blanking of “xset -dpms” or “xset s off” did nothing, and neither did the terminal options of “setterm powersave off” or “setterm powerdown 0”. I went all the way back to old ANSI escape sequences trying “echo -e ‘\033[9;X]'” without success.

Luckily I fell by at Armadeus.com’s framebuffer tips, which listed the sys-fs node named /sys/class/graphics/fb0/blank that controls blanking of the low level framebuffer, thus executing (as root)

echo 0 > /sys/class/graphics/fb0/blank

disables blanking and wakes up the BBB HDMI output.

To do this at every boot (really login) you can use the Gnome Startup Applications Preferences (gnome-session-properties) to execute this at Gnome autologin, or add it to whatever startup script you see fit.

Beware that you might need to delay the execution when using the gnome-session-properties, I had to put in  a sleep, but that probably depends on what other stuff is starting up from it.

 

 

Raw HTTP session with telnet
Jul 21st, 2010 by miki

Once in a while it is useful to dismiss abstractions and layers that makes daily routines easier and take the raw approach. Like when debugging a software problem that doesn’t make sense, it is nice to see the underlying basic stuff is behaving nicely, to better be able to locate where the unexpected occurs.

In the IP world of the internet, the swiss army knife for debugging interprocess communications in a totally protocol agnostic way is called ‘telnet’. Telnet opens up a communication channel between your local computer and a daemon/server on a specific port on a specific IP address. Then it gets out of the way for you to talk directly to the daemon in clear text.

Knowledge of how to interact using a specific protocol can be very useful to check server availability and functionality. All common protocols in use on the internet (like DNS, HTTP, SMTP, POP3, IMAP, XMPP etc.) can be debugged like this, because all of them transfers data in clear text (or at least initiates other transfer types from a clear text session). Full specifications for the HTTP protocol can be found in IETF RFC2616. I keep forgetting this, and end up digging around for it when needed, therefore this blog post.

Interactively using Telnet

Below is a basic HTTP session to my web server www.mikini.dk using telnet command line on a Linux box.

Red text is local text input by me. Blue text is local text by telnet application. Green text is server response.

$ telnet www.mikini.dk 80
Trying 92.61.152.47…
Connected to 92-61-152-47.static.servage.net.
Escape character is ‘^]’.
GET /index.php/2010/06 HTTP/1.1
Host: www.mikini.dk

HTTP/1.1 200 OK
Date: Wed, 21 Jul 2010 09:19:13 GMT
Server: Apache
X-Pingback:
http://www.mikini.dk/xmlrpc.php
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

2bd2
<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd“>

<… remainder of HTML document dropped …>

We are asking the server at www.mikini.dk port 80 (default http port) for the document at path /index.php/2010/06 (“GET /index.php/2010/06”). Notice the two CRLF characters after the Host header field, this indicates to the server that the request header is done, and that it should begin parsing header and send its response. Also notice that even though you tell the telnet program on the commandline that you want to access www.mikini.dk, you have to tell it again to the server in th HTTP Host field. Thats because telnet is only concerned about the IP address of the server, it resolves www.mikini.dk to the IP 92.61.152.47 through DNS and forgets about it. From the servers point of view, it needs to know which of its virtual hosts you want to talk to, cause one server application on one port on one ip can potentially host thousands of separate websites (virtual hosts).

One-liner using netcat (nc)

Below is the same session using nc (netcat) as a one-liner on Ubuntu Linux (wow, old PHP at Hostinger, better get that move to a self-administered box going).

$ echo -ne "GET /index.php/2010/06 HTTP/1.1\r\nHost:www.mikini.dk\r\n\r\n"|nc www.mikini.dk 80 | head -10
HTTP/1.1 200 OK
Date: Thu, 05 Jul 2018 16:30:07 GMT
Server: Apache
X-Powered-By: PHP/5.5.35
Link: <http://www.mikini.dk/wp-json/>; rel="https://api.w.org/"
Content-Length: 32356
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

$

2018-07-05: nc command line added

»  Substance:WordPress   »  Style:Ahren Ahimsa
© 2016 Mikini Services