Retrieve Photos from a Disabled iPhone

(I was able to hack this iPhone 3GS last summer. Only now do I have the time to write a blog post about it. I hope I will not miss any steps. The whole investigation and the final process took nearly 2 months of work.)

Scenario

In your home there is a drawer that you dedicated to chaos.

In that drawer (usually in your bedroom or at the desk from which you work) we can find: old USB mini cables, CDs, pencils and markers, USB sticks, that old USB-to-LAN cable that you bought on Amazon and… your old phones.

We always say “let’s not throw it away, it might be useful one day”.
Then time flies. One day you reopen that drawer and you find yourself with an iPhone 3GS.
You charge it. It works!
And then you face Apple Security:

iPhone disabled – Connect to iTunes
Enter Passcode


No passcode & iPhone disabled

You end up entering a few passcodes, but you already know that you will not remember it.

The phone is now disabled.

You go online and you read plenty of guides. You join a community of sad people who try to jailbreak old iPhones without joy.

…but sometimes some of them are apparently successful. So you get puzzled!

In the order you try:

  1. To watch YouTube tutorials: but if your iPhone was already updated to the latest version available in 2012, they will not work
  2. To connect your iPhone to your PC: Apple did a good job from the very first iPhone. All data is encrypted and not accessible from a plain PC.
  3. To create a lab in a VM: there are plenty of hacky *.exe files written by hackers from ex-communist countries and you don’t want to install that shit on your main computer. So you create a Windows 10 lab in Hyper-V. But accessing the phone from the VM is a mess and the *.exe files don’t seem to work.

Then you stumbled upon a Reddit post that leaves you with no hope:

Napoleon with no hope

Hackers are stubborn

Hackers are obstinate.

And I have always found that obstinacy familiar. I liked it. It talked to me.

If you want to get me very nervous you just have to say the phrase “You cannot do it, Francesco” or “It’s not doable”.

“It’s not possible”. “There is no way”.

That is the starting pistol that makes me want to work more. To prove that there must be a way around.

Starting from that point it doesn’t matter how much effort I’m going to put into it. Some are addicted to gambling or slot machines. I have this addiction.
And the sad Napoleon was appearing on the ceiling in my bedroom. He was telling me: “Come and save me”.

There must be a way around…

A logic approach

It is not possible that a solution that was working in 2012 couldn’t work in 2024.

What might have changed?

  • The iPhone hasn’t changed: it has been stuck in a drawer for more than a decade without receiving any update. Nothing has changed there
  • Hackers’ tools haven’t changed: I strongly doubt those tools are maintained. You can find them here and there on the internet. The most famous version is usually the latest one.

Let’s enumerate the software that hackers provided to jailbreak the iPhone 3GS:

  • Gecko_iPhone_Toolkit
  • p0sixspwn-v1.0.8-win
  • redsn0w_win_0.9.15b3
  • sn0wbreeze-v2.9.14

And none of those was working on my Windows 10 VM on Hyper-V. They would install, but then they showed different errors.

When the iPhone 3GS was still in vogue it was 2012. This means that there was Windows 7. But today we are using Windows 10/11.

This is the only variable that really changed in the whole equation.

Tired of thinking, I couldn’t sleep. I couldn’t rest, because a fire was burning in me. Against all odds I now had to prove to myself that there was really no solution. And I already knew that I had to walk the long path.

The hard work

“Once you begin to discover who you are then you really realise how you have been given authority over your life.
But you can only do that through the struggle of life.
And most people want to avoid the struggle.
Most people go through life avoiding pain.

When you are working on a dream at some point in time a transition takes place.
You learn how to leap higher.
You start challenging yourself to dig deeper.
Something in you, that you never activated in life, dormant in there.
Don’t try to take any shortcuts, do what you know it’s right.
You have been chosen for this great work.”

The 15:17 to Paris – Clint Eastwood


Windows 7 - iPhone 3GS

The old iPhone 3GS needed a best friend. And its best friend was my best friend: the computer on which everything started for me.

The ACER Aspire S3 was the computer on which I learned how to code. It was running a 1st generation Intel i7 (1st generation! The first i7 on the market! Today I’m rolling on an Intel NUC Hades Canyon VR NUC8i7HVK, which has an 8th generation i7.)

Many coders of my age started coding on Windows 95. I was a late bloomer and I started my passion later on in life.

In 2012 I was back in Italy after having spent many years abroad. I was jobless and my father bought me this beautiful laptop so I could study a 6-month web development course at Ifoa in Bologna. On this PC I wrote my first Hello World. On this PC I installed nearly every Linux distro that I could put my hands on, from CentOS to… everything.

I wiped it for the umpteenth time and I put a shiny Windows 7.

A list of tools that you will need

If you want to proceed with the experiment you will have to provide yourself with the following items (all of them appear in the steps below):

  • a laptop running a 32-bit Windows 7 (the tools are 32-bit only)
  • the iPhone’s USB cable
  • Gecko iPhone Toolkit
  • PuTTY
  • WinSCP
  • a file search tool such as FileLocator

You basically have to reproduce 2012 on a laptop.

Phones in scope

We are going to use Gecko iPhone Toolkit to get into the iPhone 3GS. The complete list of the devices it supports is this:

  • iPhone 3G
  • iPhone 3GS
  • iPhone 4 GSM
  • iPhone 4 CDMA
  • iPad 1
  • iPod 2G
  • iPod 3G
  • iPod 4G

Gecko_iPhone_Toolkit

Troubleshooting

As I said before, you have to think as if you were in the summer of 2012.

The radio is playing Katy Perry, Good Charlotte and Bruno Mars. Hackers in Eastern Europe are maintaining hacking software written in .NET and Java, but everything is 32-bit.

No 64-bit is allowed here!

It was not mainstream yet!

No 64bit here

This is one of the main problems that was stopping the sad Napoleon.

Exploit

Run Gecko iPhone Toolkit.

Select your phone model from the drop-down menu and use the tab Bypass “iPhone disabled”.

Press Bypass and Gecko will take care of the rest.

You win if you see this message:

Gecko iPhone Toolkit

Access

The message is very clear: we have an SSH shell on localhost:2022.

It’s time to use PuTTY and connect to that address.

Once you are there you can connect using:

login: root

password: alpine

(alpine is Apple’s default root password on iOS devices, which is why every jailbreak guide uses it.)

Putty SSH to iPhone

Once you are connected you will be greeted with this message:

Use mount.sh script to mount the partitions
Use reboot_bak to reboot

So run mount.sh and you will see this message:

Mounting /dev/disk0s1s1 on /mnt1 ..
Mounting /dev/disk0s1s2 on /mnt2 ..

And this is the second success!

Gecko has not created anything new here: it has mounted the phone’s existing system partition (/dev/disk0s1s1) on /mnt1 and the user data partition (/dev/disk0s1s2) on /mnt2. The data partition is the one holding the files we are looking for. Note that this works for the camera roll without a passcode because iOS does not protect those files with passcode-derived keys; data in the protection classes that do require the passcode (the keychain, for example) would not be decryptable this way.

Exfiltration

It’s time to use WinSCP to connect to /mnt2 and start downloading the bejesus.

Connect to localhost:2022 with the same login and password as before.

I just downloaded the whole /mnt2.

WinSCP Download

I suggest you use something like FileLocator to inspect the whole directory and find the files you are looking for. The camera roll lives under mobile/Media/DCIM inside the downloaded /mnt2 tree, so that is the first place to look.
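Once /mnt2 is on disk you can let a script do the triage instead of browsing by hand. The following is an added example written for this post (it is not the author’s code and not part of Gecko): it walks the downloaded tree, identifies photos and videos by their first bytes rather than by file name (a renamed or truncated file still gets found), records a SHA-256 per file so the copy can be verified later, and writes a CSV manifest. The folder path is yours to supply; the SAMPLE_DCIM files and the mobile/Media/DCIM/100APPLE layout used when no path is given are constructed sample data for demonstration.

```python
"""Triage a dumped iOS data partition by file content rather than file name.

Added example, not part of the original post and not Gecko's code. It assumes
/mnt2 has already been pulled to a local folder with WinSCP. SAMPLE_DCIM below
is constructed sample data standing in for a real dump.
"""
import csv
import hashlib
import os
import tempfile

# Content signatures for what an iPhone 3GS camera roll produces:
# (offset in file, magic bytes). QuickTime .MOV: 4-byte atom size, then 'ftyp'.
SIGNATURES = {
    "jpeg": (0, b"\xff\xd8\xff"),
    "png": (0, b"\x89PNG\r\n\x1a\n"),
    "mov": (4, b"ftyp"),
}
EXPECTED_EXT = {"jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "mov": {".mov"}}
HEADER_LEN = 12  # enough bytes to check every signature above


def sniff(header):
    """Return 'jpeg' / 'png' / 'mov' from the first bytes of a file, else None."""
    for kind, (offset, magic) in SIGNATURES.items():
        if header[offset:offset + len(magic)] == magic:
            return kind
    return None


def sha256_of(path):
    """Stream the file so multi-hundred-MB videos don't land in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_media(root):
    """Walk a dumped partition and list every file whose content is a photo or video.

    Each record carries the relative path, detected kind, size, SHA-256 and
    whether the extension disagrees with the content (a renamed or
    partially written file on a recovered device is worth a second look).
    """
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    kind = sniff(fh.read(HEADER_LEN))
            except OSError:
                continue  # unreadable file: skip it, don't abort the whole walk
            if kind is None:
                continue
            ext = os.path.splitext(name)[1].lower()
            records.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "kind": kind,
                "size": os.path.getsize(path),
                "sha256": sha256_of(path),
                "ext_mismatch": ext not in EXPECTED_EXT[kind],
            })
    records.sort(key=lambda r: r["path"])
    return records


def write_manifest(records, out_path):
    """Write a CSV manifest; the hashes let you later prove the copy is unchanged."""
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(
            fh, fieldnames=["path", "kind", "size", "sha256", "ext_mismatch"])
        writer.writeheader()
        writer.writerows(records)
    return len(records)


# Constructed sample data (not a real dump). Layout follows iOS: the camera
# roll sits under mobile/Media/DCIM/100APPLE on the data partition.
SAMPLE_DCIM = {
    "mobile/Media/DCIM/100APPLE/IMG_0001.JPG": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
    "mobile/Media/DCIM/100APPLE/IMG_0002.JPG": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,  # PNG data, .JPG name
    "mobile/Media/DCIM/100APPLE/IMG_0003.MOV": b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 64,
    "mobile/Library/Preferences/notes.txt": b"not a photo\n",
}


def make_sample_dump():
    """Create a temporary folder holding SAMPLE_DCIM and return its path."""
    root = tempfile.mkdtemp(prefix="mnt2_")
    for rel, data in SAMPLE_DCIM.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    import sys
    dump_root = sys.argv[1] if len(sys.argv) > 1 else make_sample_dump()
    found = find_media(dump_root)
    for rec in found:
        flag = "  (extension does not match content)" if rec["ext_mismatch"] else ""
        print(f"{rec['kind']:4} {rec['size']:>10} {rec['path']}{flag}")
    count = write_manifest(found, os.path.join(dump_root, "manifest.csv"))
    print(f"{count} media files listed")
```

Run it as `python triage_mnt2.py C:\dump\mnt2` (any path you like; the script name is an assumption) to get a listing and a manifest.csv next to the dump. Sniffing by magic bytes rather than by extension is the point: on a device that was disabled mid-write, the file names in DCIM are the least reliable thing about it.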

Conclusion

Never, ever, ever, ever give up.

I will now go to Reddit and put a smile on that Napoleon face.


2 Replies to “Retrieve Photos from a Disabled iPhone”

  • Nice to meet you, You can’t tell me how much hope this article gave me!
    I followed your steps and tried to do this using a Windows 7 virtual machine on Windows 11, and it was successful halfway, until I was able to remove the password restriction. However, I tried to decrypt the password more than what is written here and failed, and my iPod touch 4 stopped at a string of characters. I really want to get back my data from over 10 years ago, but what should I do? I don’t know why I couldn’t restore it because the password was complicated, but I want to restore it without initializing it. It’s a shame that I can’t attach a photo. I would appreciate your advice.
