The iPhone Wiki - User contributions [en]

/usr/bin/TiSerialFlasher

2015-06-09T06:52:08Z

Dayt0n: Added page

When run by SSH, this is the output:
<pre>
iSerialFlasher v01.11
libTiSerialFlasher v01.11
looking for mcu nub...no entry from path!
TiSerialFlasher not supported on this platform. Exiting.
TiSerialFlasher success!
</pre>

The help page looks like:
<pre>
TiSerialFlasher v01.11
usage: TiSerialFlasher [options]
-q to quiet output
-p to enable progress messages
-f <filename> to supply a custom firmware image
-d <devicePath> to override the serial device used for firmware upgrade
TiSerialFlasher FAILED - Exiting with status 12
</pre>

Ramrod

2015-06-09T03:42:27Z

Dayt0n: Tested a second time and results were cleaner.

'''ramrod''' is an iOS command line utility that is involved in firmware update and restore procedure of iOS devices at least since iOS 6.

[[ramrod]] is contained in the ramdisk in H6SURamDisk.dmg (which is in <code>/usr/standalone/update/ramdisk/</code> folder on 7.0.4 iPhone5s) and there in <code>/usr/libexec/ramrod/</code>. You just have to get rid of the 1st 0x1b (27) bytes to make the dmg readable.

There is not much known about its functionality or usage except that it is mentioned in <code>~/Library/Logs/iPhone Updater Logs</code> (on OSX) or <code>[Username folder]\Application Data\Apple Computer\iTunes\iPhone Updater Logs</code> (on Windows) in case of some unsuccessful restores / updates.

<pre>
0: RamrodErrorDomain/3ec: update_baseband: failed to perform next stage

1: BBUpdater/10

unable to convert ramrod error 1004

==== end of device restore output ====

2013-01-16 01:05:19.000 iTunes[1073:12e2b]: AMRAuthInstallDeletePersonalizedBundle

2013-01-16 01:05:19.000 iTunes[1073:12e2b]: <Restore Device 0x7f8fa705ac30>: Restore failed (result = -1)

2013-01-16 01:05:19.000 iTunes[1073:12f07]: iTunes: Restore error 4294967295
</pre>

<pre>
./jtool -l /Volumes/ramdisk/usr/libexec/ramrod/ramrod
LC 00: LC_SEGMENT_64 Mem: 0x000000000-0x100000000 __PAGEZERO
LC 01: LC_SEGMENT_64 Mem: 0x100000000-0x100104000 __TEXT
0x0000000100002e48-0x000000010009dba8 __TEXT.__text
0x000000010009dba8-0x000000010009f078 __TEXT.__stubs
0x000000010009f078-0x00000001000a0524 __TEXT.__stub_helper
0x00000001000a0524-0x00000001000b2e50 __TEXT.__gcc_except_tab__TEXT
0x00000001000b2e50-0x00000001000eb44c __TEXT.__const
0x00000001000eb44c-0x00000001001005e8 __TEXT.__cstring
0x00000001001005e8-0x0000000100103ff4 __TEXT.__unwind_info
LC 02: LC_SEGMENT_64 Mem: 0x100104000-0x10011c000 __DATA
0x0000000100104000-0x00000001001041f0 __DATA.__got
0x00000001001041f0-0x0000000100104fd0 __DATA.__la_symbol_ptr
0x0000000100104fd0-0x0000000100105038 __DATA.__mod_init_func
0x0000000100105040-0x000000010010b950 __DATA.__const
0x000000010010b950-0x000000010010dfe0 __DATA.__data
0x000000010010dfe0-0x0000000100111a00 __DATA.__cfstring
0x0000000100111a00-0x0000000100111fe0 __DATA.__common
0x0000000100111fe0-0x000000010011b448 __DATA.__bss
LC 03: LC_SEGMENT_64 Mem: 0x10011c000-0x100144000 __LINKEDIT
LC 04: LC_DYLD_INFO_ONLY
LC 05: LC_SYMTAB Symbol table is at offset 0x123890, with 1788 entries
LC 06: LC_DYSYMTAB
LC 07: LC_LOAD_DYLINKER /usr/lib/dyld
LC 08: LC_UUID UUID: D8DC8A3E-CF0F-31C8-ADBA-2C6A1891952F
LC 09: LC_VERSION_MIN_IPHONEOS Minimum iOS version: 7.0.0
LC 10: LC_SOURCE_VERSION Source Version: 1021.1.28.0.0
LC 11: LC_MAIN Entry Point: 0x5d90 (Mem: 100005d90)
LC 12: LC_LOAD_DYLIB /usr/lib/libz.1.dylib
LC 13: LC_LOAD_DYLIB /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration
LC 14: LC_LOAD_DYLIB /System/Library/PrivateFrameworks/IOSurface.framework/IOSurface
LC 15: LC_LOAD_DYLIB /usr/lib/libIOAccessoryManager.dylib
LC 16: LC_LOAD_DYLIB /System/Library/PrivateFrameworks/IOMobileFramebuffer.framework/IOMobileFramebuffer
LC 17: LC_LOAD_DYLIB /System/Library/PrivateFrameworks/Bom.framework/Bom
LC 18: LC_LOAD_DYLIB /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
LC 19: LC_LOAD_DYLIB /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
LC 20: LC_LOAD_DYLIB /System/Library/PrivateFrameworks/MediaKit.framework/MediaKit
LC 21: LC_LOAD_DYLIB /usr/lib/libMobileGestalt.dylib
LC 22: LC_LOAD_DYLIB /usr/lib/libauthinstall.dylib
LC 23: LC_LOAD_WEAK_DYLIB /System/Library/Frameworks/CFNetwork.framework/CFNetwork
LC 24: LC_LOAD_DYLIB /usr/lib/libc++.1.dylib
LC 25: LC_LOAD_DYLIB /usr/lib/libSystem.B.dylib
LC 26: LC_FUNCTION_STARTS Offset: 1188768, Size: 5232
LC 27: LC_DATA_IN_CODE Offset: 1194000, Size: 0
LC 28: LC_DYLIB_CODE_SIGN_DRS Offset: 1194000, Size: 128
LC 29: LC_CODE_SIGNATURE Offset: 1287008, Size: 6480
</pre>

There seem also plugins for ramrod avaible:

<pre>
./jtool -l /Volumes/ramdisk/usr/libexec/ramrod/plugins/patchd.ramrod
LC 00: LC_SEGMENT_64 Mem: 0x000000000-0x1c000 __TEXT
0x0000000000002660-0x0000000000012868 __TEXT.__text
0x0000000000012868-0x0000000000013588 __TEXT.__stubs
0x0000000000013588-0x00000000000142c0 __TEXT.__stub_helper
0x00000000000142c0-0x0000000000014750 __TEXT.__const
0x0000000000014750-0x000000000001bfae __TEXT.__cstring
0x000000000001bfae-0x000000000001bff6 __TEXT.__unwind_info
LC 01: LC_SEGMENT_64 Mem: 0x00001c000-0x24000 __DATA
0x000000000001c000-0x000000000001c190 __DATA.__got
0x000000000001c190-0x000000000001ca50 __DATA.__la_symbol_ptr
0x000000000001ca50-0x000000000001cbf8 __DATA.__const
0x000000000001cbf8-0x0000000000021058 __DATA.__cfstring
0x0000000000021060-0x00000000000210ad __DATA.__data
0x00000000000210b0-0x0000000000021608 __DATA.__bss
LC 02: LC_SEGMENT_64 Mem: 0x000024000-0x2e000 __LINKEDIT
LC 03: LC_DYLD_INFO_ONLY
LC 04: LC_SYMTAB Symbol table is at offset 0x26d18, with 510 entries
LC 05: LC_DYSYMTAB
LC 06: LC_UUID UUID: B157237E-1517-3E83-AB87-130ADAE58E62
LC 07: LC_VERSION_MIN_IPHONEOS Minimum iOS version: 7.0.0
LC 08: LC_SOURCE_VERSION Source Version: 275.1.0.0.0
LC 09: LC_LOAD_DYLIB /usr/lib/libauthinstall.dylib
LC 10: LC_LOAD_DYLIB /usr/lib/libMobileGestalt.dylib
LC 11: LC_LOAD_DYLIB /usr/lib/libz.1.dylib
LC 12: LC_LOAD_DYLIB /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
LC 13: LC_LOAD_DYLIB /System/Library/PrivateFrameworks/Bom.framework/Bom
LC 14: LC_LOAD_DYLIB /System/Library/Frameworks/Security.framework/Security
LC 15: LC_LOAD_DYLIB /System/Library/PrivateFrameworks/AppleFSCompression.framework/AppleFSCompression
LC 16: LC_LOAD_DYLIB /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
LC 17: LC_LOAD_DYLIB /usr/lib/libbz2.1.0.dylib
LC 18: LC_LOAD_DYLIB /usr/lib/libSystem.B.dylib
LC 19: LC_FUNCTION_STARTS Offset: 158664, Size: 232
LC 20: LC_DATA_IN_CODE Offset: 158896, Size: 0
LC 21: LC_DYLIB_CODE_SIGN_DRS Offset: 158896, Size: 104
LC 22: LC_CODE_SIGNATURE Offset: 181088, Size: 1072
</pre>

Using ramrod via ssh:

<pre>
./ramrod
dyld: Library not loaded: /System/Library/PrivateFrameworks/MediaKit.framework/MediaKit
Referenced from: /private/var/root/ramrod/./ramrod
Reason: image not found
Trace/BPT trap: 5

./ramrod
entering set_boot_stage
unable to open /dev/klog: Resource busy
inverting UI colordisplay-scale = 2
display-rotation = 0
found applelogo at /usr/share/progressui/applelogo@2x.tga
found display: primary
display: 640 x 1136
unable to open plugins directory: No such file or directory
ramrod: unable to load plugins
ramrod exited with status 1 - rebooting
No IOFlashController instance found
executing /usr/sbin/nvram
executing /sbin/reboot
reboot in progress, hanging
</pre>

If you manage to get ramrod working properly in SSH, this is the output:
<pre>
./ramrod
entering set_boot_stage
display-scale = 2
display-rotation = 0
found applelogo at /usr/share/progressui/applelogo@2x.tga
found display: primary
display: 640 x 960
patchd: ramrod_register_plugin(3254): built Jun 11 2014 20:21:41.
Searching for NAND service
Found NAND service: IOFlashStoragePartition
NAND initialized. Waiting for devnode.
entering ramrod_probe_media
device partitioning scheme is GPT
device supports boot-from-NAND
nand device is already partitioned
executing /usr/sbin/nvram
patchd: ramrod_register_plugin(3274): nvram variable 'enable-remap-mode' cleared
loaded plugin: patchd
plugin contains 1 handlers
patchd_patch (AUTONOMOUS HANDLER)
skipping USB initialization
patchd: patch(2443): Started patchd.
Searching for NAND service
Found NAND service: IOFlashStoragePartition
NAND initialized. Waiting for devnode.
entering ramrod_probe_media
patchd: run_fake_media_progress(2264): starting fake media progress
device partitioning scheme is GPT
patchd: patch(2475): internal media ready.
patchd: patch(2476): 0 seconds elapsed so far
executing /usr/sbin/nvram
patchd: patch(2491): nvram variable 'boot-command' cleared.
ramrod_roll_media_keys: data_partition = /dev/disk0s1s2
ramrod_roll_media_keys: storage_media = /dev/disk0s1
ramrod_roll_media_keys: data_partition_name = disk0s1s2
ramrod_roll_media_keys: data_partition_uuid = UID_HERE
lwvm: Key already rolled !

executing /usr/sbin/nvram
patchd: patch(2507): no baseband updater debug args present
executing /sbin/fsck_hfs
patchd: patchdProgressCallback(2208): progress: 5%
** /dev/rdisk0s1s1
Executing fsck_hfs (version hfs-277.10.5).
** Checking Journaled HFS Plus volume.
** Detected a case-sensitive volume.
The volume name is Sochi11D257.N92OS
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
** Trimming unused blocks.
** The volume Sochi11D257.N92OS appears to be OK.
executing /sbin/mount_hfs
/dev/disk0s1s1 mounted on /mnt1
executing /sbin/fsck_hfs
** /dev/rdisk0s1s2
Executing fsck_hfs (version hfs-277.10.5).
** Checking Journaled HFS Plus volume.
** Detected a case-sensitive volume.
The volume name is Data
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
** Trimming unused blocks.
** The volume Data appears to be OK.
executing /sbin/mount_hfs
mount_hfs: Could not exec re-keying daemon /usr/libexec/rolld: No such file or directory
/dev/disk0s1s2 mounted on /mnt1/private/var
patchd: patch(2536): system and data partition mounted.
patchd: patch(2537): 29 seconds elapsed so far
patchd: patch(2539): disks mounted.
patchd: patchdProgressCallback(2208): progress: 10%
patchd: patch(2546): done waiting for fake media progress thread.
patchd: patch(2566): could not load patchd options from '/mnt1/var/MobileSoftwareUpdate/Update.plist'. errno=2.
executing /usr/sbin/nvram
patchd: patch(3184): nvram variable 'ramrod-display-width' cleared.
executing /usr/sbin/nvram
patchd: patch(3194): nvram variable 'ramrod-display-height' cleared.
executing /usr/sbin/nvram
patchd: patch(3204): nvram variable 'ramrod-display-rate' cleared.
executing /usr/sbin/nvram
patchd: patch(3216): nvram variable 'auto-boot' reset.
patchd: patch(3223): attempting to dump update log
patchd: entering checkForRestoreLogFile
patchd: found restore log (size = 495)
patchd: write_update_log(2230): writing log file: /mnt1/restore.log
patchd: patch(3232): disks unmounted.
patchd: patch(3235): 51 seconds elapsed in patchd
ramrod exited with status 1 - rebooting
device supports boot-from-NAND
nand device is already partitioned
executing /usr/sbin/nvram
executing /sbin/reboot
</pre>

Ramrod

2015-06-09T03:30:17Z

Dayt0n: Added Output for working ramrod

'''ramrod''' is an iOS command line utility that is involved in firmware update and restore procedure of iOS devices at least since iOS 6.

[[ramrod]] is contained in the ramdisk in H6SURamDisk.dmg (which is in <code>/usr/standalone/update/ramdisk/</code> folder on 7.0.4 iPhone5s) and there in <code>/usr/libexec/ramrod/</code>. You just have to get rid of the 1st 0x1b (27) bytes to make the dmg readable.

There is not much known about its functionality or usage except that it is mentioned in <code>~/Library/Logs/iPhone Updater Logs</code> (on OSX) or <code>[Username folder]\Application Data\Apple Computer\iTunes\iPhone Updater Logs</code> (on Windows) in case of some unsuccessful restores / updates.

<pre>
0: RamrodErrorDomain/3ec: update_baseband: failed to perform next stage

1: BBUpdater/10

unable to convert ramrod error 1004

==== end of device restore output ====

2013-01-16 01:05:19.000 iTunes[1073:12e2b]: AMRAuthInstallDeletePersonalizedBundle

2013-01-16 01:05:19.000 iTunes[1073:12e2b]: <Restore Device 0x7f8fa705ac30>: Restore failed (result = -1)

2013-01-16 01:05:19.000 iTunes[1073:12f07]: iTunes: Restore error 4294967295
</pre>

<pre>
./jtool -l /Volumes/ramdisk/usr/libexec/ramrod/ramrod
LC 00: LC_SEGMENT_64 Mem: 0x000000000-0x100000000 __PAGEZERO
LC 01: LC_SEGMENT_64 Mem: 0x100000000-0x100104000 __TEXT
0x0000000100002e48-0x000000010009dba8 __TEXT.__text
0x000000010009dba8-0x000000010009f078 __TEXT.__stubs
0x000000010009f078-0x00000001000a0524 __TEXT.__stub_helper
0x00000001000a0524-0x00000001000b2e50 __TEXT.__gcc_except_tab__TEXT
0x00000001000b2e50-0x00000001000eb44c __TEXT.__const
0x00000001000eb44c-0x00000001001005e8 __TEXT.__cstring
0x00000001001005e8-0x0000000100103ff4 __TEXT.__unwind_info
LC 02: LC_SEGMENT_64 Mem: 0x100104000-0x10011c000 __DATA
0x0000000100104000-0x00000001001041f0 __DATA.__got
0x00000001001041f0-0x0000000100104fd0 __DATA.__la_symbol_ptr
0x0000000100104fd0-0x0000000100105038 __DATA.__mod_init_func
0x0000000100105040-0x000000010010b950 __DATA.__const
0x000000010010b950-0x000000010010dfe0 __DATA.__data
0x000000010010dfe0-0x0000000100111a00 __DATA.__cfstring
0x0000000100111a00-0x0000000100111fe0 __DATA.__common
0x0000000100111fe0-0x000000010011b448 __DATA.__bss
LC 03: LC_SEGMENT_64 Mem: 0x10011c000-0x100144000 __LINKEDIT
LC 04: LC_DYLD_INFO_ONLY
LC 05: LC_SYMTAB Symbol table is at offset 0x123890, with 1788 entries
LC 06: LC_DYSYMTAB
LC 07: LC_LOAD_DYLINKER /usr/lib/dyld
LC 08: LC_UUID UUID: D8DC8A3E-CF0F-31C8-ADBA-2C6A1891952F
LC 09: LC_VERSION_MIN_IPHONEOS Minimum iOS version: 7.0.0
LC 10: LC_SOURCE_VERSION Source Version: 1021.1.28.0.0
LC 11: LC_MAIN Entry Point: 0x5d90 (Mem: 100005d90)
LC 12: LC_LOAD_DYLIB /usr/lib/libz.1.dylib
LC 13: LC_LOAD_DYLIB /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration
LC 14: LC_LOAD_DYLIB /System/Library/PrivateFrameworks/IOSurface.framework/IOSurface
LC 15: LC_LOAD_DYLIB /usr/lib/libIOAccessoryManager.dylib
LC 16: LC_LOAD_DYLIB /System/Library/PrivateFrameworks/IOMobileFramebuffer.framework/IOMobileFramebuffer
LC 17: LC_LOAD_DYLIB /System/Library/PrivateFrameworks/Bom.framework/Bom
LC 18: LC_LOAD_DYLIB /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
LC 19: LC_LOAD_DYLIB /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
LC 20: LC_LOAD_DYLIB /System/Library/PrivateFrameworks/MediaKit.framework/MediaKit
LC 21: LC_LOAD_DYLIB /usr/lib/libMobileGestalt.dylib
LC 22: LC_LOAD_DYLIB /usr/lib/libauthinstall.dylib
LC 23: LC_LOAD_WEAK_DYLIB /System/Library/Frameworks/CFNetwork.framework/CFNetwork
LC 24: LC_LOAD_DYLIB /usr/lib/libc++.1.dylib
LC 25: LC_LOAD_DYLIB /usr/lib/libSystem.B.dylib
LC 26: LC_FUNCTION_STARTS Offset: 1188768, Size: 5232
LC 27: LC_DATA_IN_CODE Offset: 1194000, Size: 0
LC 28: LC_DYLIB_CODE_SIGN_DRS Offset: 1194000, Size: 128
LC 29: LC_CODE_SIGNATURE Offset: 1287008, Size: 6480
</pre>

There seem also plugins for ramrod avaible:

<pre>
./jtool -l /Volumes/ramdisk/usr/libexec/ramrod/plugins/patchd.ramrod
LC 00: LC_SEGMENT_64 Mem: 0x000000000-0x1c000 __TEXT
0x0000000000002660-0x0000000000012868 __TEXT.__text
0x0000000000012868-0x0000000000013588 __TEXT.__stubs
0x0000000000013588-0x00000000000142c0 __TEXT.__stub_helper
0x00000000000142c0-0x0000000000014750 __TEXT.__const
0x0000000000014750-0x000000000001bfae __TEXT.__cstring
0x000000000001bfae-0x000000000001bff6 __TEXT.__unwind_info
LC 01: LC_SEGMENT_64 Mem: 0x00001c000-0x24000 __DATA
0x000000000001c000-0x000000000001c190 __DATA.__got
0x000000000001c190-0x000000000001ca50 __DATA.__la_symbol_ptr
0x000000000001ca50-0x000000000001cbf8 __DATA.__const
0x000000000001cbf8-0x0000000000021058 __DATA.__cfstring
0x0000000000021060-0x00000000000210ad __DATA.__data
0x00000000000210b0-0x0000000000021608 __DATA.__bss
LC 02: LC_SEGMENT_64 Mem: 0x000024000-0x2e000 __LINKEDIT
LC 03: LC_DYLD_INFO_ONLY
LC 04: LC_SYMTAB Symbol table is at offset 0x26d18, with 510 entries
LC 05: LC_DYSYMTAB
LC 06: LC_UUID UUID: B157237E-1517-3E83-AB87-130ADAE58E62
LC 07: LC_VERSION_MIN_IPHONEOS Minimum iOS version: 7.0.0
LC 08: LC_SOURCE_VERSION Source Version: 275.1.0.0.0
LC 09: LC_LOAD_DYLIB /usr/lib/libauthinstall.dylib
LC 10: LC_LOAD_DYLIB /usr/lib/libMobileGestalt.dylib
LC 11: LC_LOAD_DYLIB /usr/lib/libz.1.dylib
LC 12: LC_LOAD_DYLIB /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
LC 13: LC_LOAD_DYLIB /System/Library/PrivateFrameworks/Bom.framework/Bom
LC 14: LC_LOAD_DYLIB /System/Library/Frameworks/Security.framework/Security
LC 15: LC_LOAD_DYLIB /System/Library/PrivateFrameworks/AppleFSCompression.framework/AppleFSCompression
LC 16: LC_LOAD_DYLIB /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
LC 17: LC_LOAD_DYLIB /usr/lib/libbz2.1.0.dylib
LC 18: LC_LOAD_DYLIB /usr/lib/libSystem.B.dylib
LC 19: LC_FUNCTION_STARTS Offset: 158664, Size: 232
LC 20: LC_DATA_IN_CODE Offset: 158896, Size: 0
LC 21: LC_DYLIB_CODE_SIGN_DRS Offset: 158896, Size: 104
LC 22: LC_CODE_SIGNATURE Offset: 181088, Size: 1072
</pre>

Using ramrod via ssh:

<pre>
./ramrod
dyld: Library not loaded: /System/Library/PrivateFrameworks/MediaKit.framework/MediaKit
Referenced from: /private/var/root/ramrod/./ramrod
Reason: image not found
Trace/BPT trap: 5

./ramrod
entering set_boot_stage
unable to open /dev/klog: Resource busy
inverting UI colordisplay-scale = 2
display-rotation = 0
found applelogo at /usr/share/progressui/applelogo@2x.tga
found display: primary
display: 640 x 1136
unable to open plugins directory: No such file or directory
ramrod: unable to load plugins
ramrod exited with status 1 - rebooting
No IOFlashController instance found
executing /usr/sbin/nvram
executing /sbin/reboot
reboot in progress, hanging
</pre>

If you manage to get ramrod working properly in SSH, this is the output:
<pre>
./ramrod
entering set_boot_stage
display-scale = 2
display-rotation = 0
found applelogo at /usr/share/progressui/applelogo@2x.tga
found display: primary
display: 640 x 960
patchd: ramrod_register_plugin(3254): built Jun 11 2014 20:21:41.
Searching for NAND service
Found NAND service: IOFlashStoragePartition
NAND initialized. Waiting for devnode.
entering ramrod_probe_media
device partitioning scheme is GPT
device supports boot-from-NAND
nand device is already partitioned
executing /usr/sbin/nvram
patchd: ramrod_register_plugin(3274): nvram variable 'enable-remap-mode' cleared
loaded plugin: patchd
plugin contains 1 handlers
patchd_patch (AUTONOMOUS HANDLER)
skipping USB initialization
patchd: patch(2443): Started patchd.
Searching for NAND service
Found NAND service: IOFlashStoragePartition
NAND initialized. Waiting for devnode.
entering ramrod_probe_media
patchd: run_fake_media_progress(2264): starting fake media progress
device partitioning scheme is GPT
patchd: patch(2475): internal media ready.
patchd: patch(2476): 0 seconds elapsed so far
executing /usr/sbin/nvram
patchd: patch(2491): nvram variable 'boot-command' cleared.
ramrod_roll_media_keys: data_partition = /dev/disk0s1s2
ramrod_roll_media_keys: storage_media = /dev/disk0s1
ramrod_roll_media_keys: data_partition_name = disk0s1s2
ramrod_roll_media_keys: data_partition_uuid = INSERT_UID_HERE_
lwvm: Key already rolled !

executing /usr/sbin/nvram
patchd: patch(2507): no baseband updater debug args present
executing /sbin/fsck_hfs
fsck_hfs: pread(10, 0x27dcc024, 4096, 1560576): Invalid argument
patchd: patchdProgressCallback(2208): progress: 5%
Offset 1024 length 512:
0000: 4858 0005 8000 2000 4846 534a 0000 0009 |HX......HFSJ....|
0010: cfbe cd9f d19c 0a66 0000 0000 cfbf 300f |.......f......0.|
0020: 0000 8f58 0000 4311 0000 2000 0002 84ca |...X..C.........|
0030: 0000 5ecb 0002 4f1c 0001 0000 0001 0000 |......O.........|
0040: 0000 f673 0000 7613 0000 0000 0000 0001 |...s..v.........|
0050: 0000 0000 0000 0000 0000 0000 0000 0000 |................|
0060: 0000 0000 0000 0000 8521 4c87 8382 7761 |..........L...wa|
0070: 0000 0000 0001 0000 0000 8000 0000 0008 |................|
0080: 0000 0001 0000 0008 0000 0000 0000 0000 |................|
0090: 0000 0000 0000 0000 0000 0000 0000 0000 |................|
. . .
00c0: 0000 0000 0040 0000 0040 0000 0000 0200 |................|
00d0: 0000 040a 0000 0200 0000 0000 0000 0000 |................|
00e0: 0000 0000 0000 0000 0000 0000 0000 0000 |................|
. . .
0110: 0000 0000 0180 0000 0040 0000 0000 0c00 |................|
0120: 0000 270a 0000 0300 0000 8688 0000 0300 |................|
0130: 0001 ba9b 0000 0300 0002 42fc 0000 0300 |..........B.....|
0140: 0000 0000 0000 0000 0000 0000 0000 0000 |................|
. . .
0160: 0000 0000 01e0 0000 0040 0000 0000 0f00 |................|
0170: 0000 060a 0000 0600 0001 ad54 0000 0300 |...........T....|
0180: 0001 d5e0 0000 0300 0002 5d0d 0000 0300 |................|
0190: 0000 0000 0000 0000 0000 0000 0000 0000 |................|
. . .
01f0: 0000 0000 0000 0000 0000 0000 0000 0000 |................|
** /dev/rdisk0s1s1 (NO WRITE)
Executing fsck_hfs (version hfs-277.10.5).
** Verifying volume when it is mounted with write access.
Journal need to be replayed but volume is read-only
** Checking Journaled HFS Plus volume.
** Detected a case-sensitive volume.
The volume name is Sochi11D257.N92OS
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
** The volume Sochi11D257.N92OS was found corrupt and needs to be repaired.
fsck failed on /dev/disk0s1s1
patchd: mount_all_filesystems(1990): system partition should already be mounted
executing /sbin/fsck_hfs
fsck_hfs: pread(10, 0x27d6f024, 4096, 2613248): Invalid argument
Offset 1024 length 512:
0000: 4858 0005 c000 2000 4846 534a 0000 000d |HX......HFSJ....|
0010: d185 a4fc d19c 0b1d 0000 0000 d185 a4fc |................|
0020: 0000 28de 0000 0986 0000 2000 000c 5336 |..............S6|
0030: 000a 746b 0005 40b1 0001 0000 0001 0000 |..tk............|
0040: 0000 9299 0003 dcd0 0000 0000 0000 0001 |................|
0050: 0000 0000 0000 0000 0000 0000 0000 0000 |................|
0060: 0000 0000 0000 0000 ce83 809b c82e 6eac |..............n.|
0070: 0000 0000 0001 a000 0001 8000 0000 000d |................|
0080: 0000 0001 0000 000c 0000 0a0e 0000 0001 |................|
0090: 0000 0000 0000 0000 0000 0000 0000 0000 |................|
. . .
00c0: 0000 0000 0040 0000 0040 0000 0000 0200 |................|
00d0: 0000 040e 0000 0200 0000 0000 0000 0000 |................|
00e0: 0000 0000 0000 0000 0000 0000 0000 0000 |................|
. . .
0110: 0000 0000 0080 0000 0080 0000 0000 0400 |................|
0120: 0000 320e 0000 0400 0000 0000 0000 0000 |..2.............|
0130: 0000 0000 0000 0000 0000 0000 0000 0000 |................|
. . .
0160: 0000 0000 0080 0000 0080 0000 0000 0400 |................|
0170: 0000 060e 0000 0400 0000 0000 0000 0000 |................|
0180: 0000 0000 0000 0000 0000 0000 0000 0000 |................|
. . .
01f0: 0000 0000 0000 0000 0000 0000 0000 0000 |................|
** /dev/rdisk0s1s2 (NO WRITE)
Executing fsck_hfs (version hfs-277.10.5).
** Verifying volume when it is mounted with write access.
Journal need to be replayed but volume is read-only
** Checking Journaled HFS Plus volume.
** Detected a case-sensitive volume.
The volume name is Data
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
** The volume Data was found corrupt and needs to be repaired.
fsck failed on /dev/disk0s1s2
patchd: mount_all_filesystems(2005): data partition should already be mounted
patchd: patch(2536): system and data partition mounted.
patchd: patch(2537): 28 seconds elapsed so far
patchd: patch(2539): disks mounted.
patchd: patchdProgressCallback(2208): progress: 10%
patchd: patch(2546): done waiting for fake media progress thread.
patchd: patch(2566): could not load patchd options from '/mnt1/var/MobileSoftwareUpdate/Update.plist'. errno=2.
executing /usr/sbin/nvram
patchd: patch(3184): nvram variable 'ramrod-display-width' cleared.
executing /usr/sbin/nvram
patchd: patch(3194): nvram variable 'ramrod-display-height' cleared.
executing /usr/sbin/nvram
patchd: patch(3204): nvram variable 'ramrod-display-rate' cleared.
executing /usr/sbin/nvram
patchd: patch(3216): nvram variable 'auto-boot' reset.
patchd: patch(3223): attempting to dump update log
patchd: entering checkForRestoreLogFile
patchd: found restore log (size = 495)
patchd: write_update_log(2230): writing log file: /mnt1/restore.log
patchd: patch(3232): disks unmounted.
patchd: patch(3235): 50 seconds elapsed in patchd
ramrod exited with status 1 - rebooting
device supports boot-from-NAND
nand device is already partitioned
executing /usr/sbin/nvram
executing /sbin/reboot
</pre>

Brick

2015-06-01T01:44:56Z

Dayt0n: /* Intentionally modifying key parts of iOS: changing NVRAM variables to invalid values */

A '''bricked''' device is a device that does not work. The direct metaphorical meaning is that the device is permanently damaged (making it as useless as a brick), but people use the term "bricked" for non-working conditions which range from easy to fix (such as a failed update) to impossible to fix (such as damaged baseband memory). A phone may be called "bricked" if it will not boot, will not respond to input, will not make calls, etc.

== Difficulty of bricking an iOS device ==

Using a jailbreaking tool cannot put a device into an unusable state on its own - if something goes wrong while jailbreaking, putting the device into [[DFU Mode]] will allow you to restore it via iTunes. Installing software via Cydia also cannot cause an unrecoverable state (unless very specifically designed to do so by a malicious person, which has not been seen "in the wild"). Other than that specific exception, if something goes wrong, DFU mode will still work.

== Types of "bricking" that can be easily fixed (not really "bricking") ==

=== Installing stock iOS on a device with a preserved baseband ===

Early unlock solutions could result in unusable (but recoverable) phones after installing an iOS update if you didn't take special steps. For people who used [[redsn0w]] to install the iPad baseband ([[06.15.00]]) on a compatible iPhone 3G or iPhone 3GS so that they could use [[ultrasn0w]] to carrier unlock it, upgrading or restoring iOS using "stock" (normal) IPSWs would make the phone unusable - until you made and restored a "custom" IPSW without a baseband update ([http://www.jailbreakqa.com/faq#32532 instructions]), and then reinstalled the iPad baseband using redsn0w. Avoiding doing a stock upgrade/restore (upgrading or restoring iOS using a "custom" IPSW) avoided this problem.

=== Intentionally modifying key parts of iOS: changing NVRAM variables to invalid values ===

In February 2015, [http://dayt0n.github.io/articles/dclr-override/ researchers released information] about how to change an [[NOR (NVRAM)|nvram]] variable called <code>DClr_override</code>. If this is changed to an invalid value for the device (valid values are not the same on all devices), and the device is rebooted, the device will not be able to boot. iOS 8.3 beta 4 (released in March 2015) [https://twitter.com/xerub/status/581744991229374464 removes the DClr_override variable], and later iOS versions will probably omit it as well. This means that restoring a device to iOS 8.3 beta 4 (or later) will fix the device, rendering it bootable once again.

== Types of bricking that may be hard to fix ==

=== Changing MAC address to invalid address ===

If you change your device's MAC address to something invalid (for example if you're attempting to change your [[UDID]]), your internet won't work again until you fix the MAC address (using MobileTerminal or similar). This persists even if you restore -- so you can make this really really hard to fix if you restore and there's no jailbreak available, if the available jailbreaks don't include afc2 and other workarounds aren't working, etc. [http://www.jailbreakqa.com/questions/277646/stuck-after-mac-address-change-can-i-revive-it Here's a JailbreakQA thread about this] and [http://www.jailbreakqa.com/questions/211048/how-to-install-afc2add-without-using-wi-fi-in-a-jailbroken-ipad-3-with-704 another one].

=== Intentionally modifying key parts of iOS: other ways ===

If you purposefully erase / zero out your [[NOR]], then you will have trouble doing a DFU restore because important information from the [[NOR (SysCfg)|SysCfg]] section will not be available.

[http://www.reddit.com/r/jailbreak/comments/1m3jo6/how_much_torture_kernel_user_based_etc_would_it/cc5g8nj See winocm's explanation of several related ways to brick a device]:

<blockquote>
* Erase SysCfg/replace it with 0xFFs.
* Destroy the 'SrNm' tag in the SysCfg, it won't activate then.
* Set all clock gates enabled and set PLL frequencies to mad numbers, THIS WILL DAMAGE THE HARDWARE.
* Run constant NAND stress tests to wear out NAND pages.
* Set the 'display-timing' nvram variable to some other garbage. iPod touch 2G/3G does weird things with that.

If you know how the hardware works, this can be done from an iBoot/kernel level.
</blockquote>

=== Making the wrong modifications to the baseband ===

One way to irreversibly brick a device in software is to flash an invalid [[Baseband Bootloader|baseband bootloader]], provided it has a baseband. Most other bad flash scenarios are recoverable some way or another.

Another way to brick the baseband is by installing baseband [[06.15.00]] on an incompatible device. [[redsn0w]] has an option to install this baseband on the [[N82ap|iPhone 3G]] or [[N88ap|iPhone 3GS]] in order to get a baseband version that is unlockable with [[ultrasn0w]]. This is a nice way to get an unlock, because the [[K48ap|iPad]], the [[N82ap|iPhone 3G]] and the [[N88ap|iPhone 3GS]] all share the same [[Baseband Device]], but the [[K48ap|iPad]] has a newer version number in its baseband. That way people can actually downgrade by installing a higher version (there are no [[APTicket]] checks in these devices). This has known side-effects, like losing [[GPS]] functionality (this baseband comes from an iPad which has no GPS or differently implemented).

It was possible to brick an [[N88ap|iPhone 3GS]] with this method. In fall 2011 Apple replaced the [[NOR]] flash. It is not clear if this was done intentionally to prevent this method. The previous type of baseband was 36my1ee and they changed it to 36my1eh, 36my1eg. (There was no switch to Toshiba baseband devices.) These new [[NOR]] flash chips seem to work with the newer baseband versions in the [[N88ap|iPhone 3GS]], but are not supported with the old [[06.15.00]] baseband. Therefore installing this version will brick your device if you have a new [[NOR]] flash, as you (currently) cannot go back and install anything else. To check before installation, check the version number, as it reveals the production year/week in the digits 3...5. Week 34/2011 appears safe, 35 seems iffy, 36 seems iffy, 37 is not safe. Or open the device and check the chip type.

Brick

2015-03-28T17:57:06Z

Dayt0n: Fixed update to NVRAM

A '''bricked''' device is a device that does not work. The direct metaphorical meaning is that the device is permanently damaged (making it as useless as a brick), but people use the term "bricked" for non-working conditions which range from easy to fix (such as a failed update) to impossible to fix (such as damaged baseband memory). A phone may be called "bricked" if it will not boot, will not respond to input, will not make calls, etc.

== Difficulty of bricking an iOS device ==

Using a jailbreaking tool cannot put a device into an unusable state on its own - if something goes wrong while jailbreaking, putting the device into [[DFU Mode]] will allow you to restore it via iTunes. Installing software via Cydia also cannot cause an unrecoverable state (unless very specifically designed to do so by a malicious person, which has not been seen "in the wild"). Other than that specific exception, if something goes wrong, DFU mode will still work.

== Types of "bricking" that can be easily fixed (not really "bricking") ==

=== Installing stock iOS on a device with a preserved baseband ===

Early unlock solutions could result in unusable (but recoverable) phones after installing an iOS update if you didn't take special steps. For people who used [[redsn0w]] to install the iPad baseband ([[06.15.00]]) on a compatible iPhone 3G or iPhone 3GS so that they could use [[ultrasn0w]] to carrier unlock it, upgrading or restoring iOS using "stock" (normal) IPSWs would make the phone unusable - until you made and restored a "custom" IPSW without a baseband update ([http://www.jailbreakqa.com/faq#32532 instructions]), and then reinstalled the iPad baseband using redsn0w. Avoiding doing a stock upgrade/restore (upgrading or restoring iOS using a "custom" IPSW) avoided this problem.

=== Intentionally modifying key parts of iOS: changing NVRAM variables to invalid values ===

In February 2015, [http://dayt0n.github.io/articles/dclr-override/ researchers released information] about how to change an [[NOR (NVRAM)|nvram]] variable called <code>DClr_override</code>. If this is changed to an invalid value for the device (valid values are not the same on all devices), and the device is rebooted, the device will not be able to boot. This can be fixed by restoring to IOS 8.3 beta 4 or later.

== Types of bricking that may be hard to fix ==

=== Changing MAC address to invalid address ===

If you change your device's MAC address to something invalid (for example if you're attempting to change your [[UDID]]), your internet won't work again until you fix the MAC address (using MobileTerminal or similar). This persists even if you restore -- so you can make this really really hard to fix if you restore and there's no jailbreak available, if the available jailbreaks don't include afc2 and other workarounds aren't working, etc. [http://www.jailbreakqa.com/questions/277646/stuck-after-mac-address-change-can-i-revive-it Here's a JailbreakQA thread about this] and [http://www.jailbreakqa.com/questions/211048/how-to-install-afc2add-without-using-wi-fi-in-a-jailbroken-ipad-3-with-704 another one].

=== Intentionally modifying key parts of iOS: other ways ===

If you purposefully erase / zero out your [[NOR]], then you will have trouble doing a DFU restore because important information from the [[NOR (SysCfg)|SysCfg]] section will not be available.

[http://www.reddit.com/r/jailbreak/comments/1m3jo6/how_much_torture_kernel_user_based_etc_would_it/cc5g8nj See winocm's explanation of several related ways to brick a device]:

<blockquote>
* Erase SysCfg/replace it with 0xFFs.
* Destroy the 'SrNm' tag in the SysCfg, it won't activate then.
* Set all clock gates enabled and set PLL frequencies to mad numbers, THIS WILL DAMAGE THE HARDWARE.
* Run constant NAND stress tests to wear out NAND pages.
* Set the 'display-timing' nvram variable to some other garbage. iPod touch 2G/3G does weird things with that.

If you know how the hardware works, this can be done from an iBoot/kernel level.
</blockquote>

=== Making the wrong modifications to the baseband ===

One way to irreversibly brick a device in software is to flash an invalid [[Baseband Bootloader|baseband bootloader]], provided it has a baseband. Most other bad flash scenarios are recoverable some way or another.

Another way to brick the baseband is by installing baseband [[06.15.00]] on an incompatible device. [[redsn0w]] has an option to install this baseband on the [[N82ap|iPhone 3G]] or [[N88ap|iPhone 3GS]] in order to get a baseband version that is unlockable with [[ultrasn0w]]. This is a nice way to get an unlock, because the [[K48ap|iPad]], the [[N82ap|iPhone 3G]] and the [[N88ap|iPhone 3GS]] all share the same [[Baseband Device]], but the [[K48ap|iPad]] has a newer version number in its baseband. That way people can actually downgrade by installing a higher version (there are no [[APTicket]] checks in these devices). This has known side-effects, like losing [[GPS]] functionality (this baseband comes from an iPad which has no GPS or differently implemented).

It was possible to brick an [[N88ap|iPhone 3GS]] with this method. In fall 2011 Apple replaced the [[NOR]] flash. It is not clear if this was done intentionally to prevent this method. The previous type of baseband was 36my1ee and they changed it to 36my1eh, 36my1eg. (There was no switch to Toshiba baseband devices.) These new [[NOR]] flash chips seem to work with the newer baseband versions in the [[N88ap|iPhone 3GS]], but are not supported with the old [[06.15.00]] baseband. Therefore installing this version will brick your device if you have a new [[NOR]] flash, as you (currently) cannot go back and install anything else. To check before installation, check the version number, as it reveals the production year/week in the digits 3...5. Week 34/2011 appears safe, 35 seems iffy, 36 seems iffy, 37 is not safe. Or open the device and check the chip type.

Brick

2015-03-28T17:54:47Z

Dayt0n: Updated NVRAM brick

A '''bricked''' device is a device that does not work. The direct metaphorical meaning is that the device is permanently damaged (making it as useless as a brick), but people use the term "bricked" for non-working conditions which range from easy to fix (such as a failed update) to impossible to fix (such as damaged baseband memory). A phone may be called "bricked" if it will not boot, will not respond to input, will not make calls, etc.

== Difficulty of bricking an iOS device ==

Using a jailbreaking tool cannot put a device into an unusable state on its own - if something goes wrong while jailbreaking, putting the device into [[DFU Mode]] will allow you to restore it via iTunes. Installing software via Cydia also cannot cause an unrecoverable state (unless very specifically designed to do so by a malicious person, which has not been seen "in the wild"). Other than that specific exception, if something goes wrong, DFU mode will still work.

== Types of "bricking" that can be easily fixed (not really "bricking") ==

=== Installing stock iOS on a device with a preserved baseband ===

Early unlock solutions could result in unusable (but recoverable) phones after installing an iOS update if you didn't take special steps. For people who used [[redsn0w]] to install the iPad baseband ([[06.15.00]]) on a compatible iPhone 3G or iPhone 3GS so that they could use [[ultrasn0w]] to carrier unlock it, upgrading or restoring iOS using "stock" (normal) IPSWs would make the phone unusable - until you made and restored a "custom" IPSW without a baseband update ([http://www.jailbreakqa.com/faq#32532 instructions]), and then reinstalled the iPad baseband using redsn0w. Avoiding doing a stock upgrade/restore (upgrading or restoring iOS using a "custom" IPSW) avoided this problem.

== Types of bricking that may be hard to fix ==

=== Changing MAC address to invalid address ===

If you change your device's MAC address to something invalid (for example if you're attempting to change your [[UDID]]), your internet won't work again until you fix the MAC address (using MobileTerminal or similar). This persists even if you restore -- so you can make this really really hard to fix if you restore and there's no jailbreak available, if the available jailbreaks don't include afc2 and other workarounds aren't working, etc. [http://www.jailbreakqa.com/questions/277646/stuck-after-mac-address-change-can-i-revive-it Here's a JailbreakQA thread about this] and [http://www.jailbreakqa.com/questions/211048/how-to-install-afc2add-without-using-wi-fi-in-a-jailbroken-ipad-3-with-704 another one].

== Types of bricking that are now possible to fix ==

=== Intentionally modifying key parts of iOS: changing NVRAM variables to invalid values ===

In February 2015, [http://dayt0n.github.io/articles/dclr-override/ researchers released information] about how to change an [[NOR (NVRAM)|nvram]] variable called <code>DClr_override</code>. If this is changed to an invalid value for the device (valid values are not the same on all devices), and the device is rebooted, the device will not be able to boot. This can be fixed by restoring to IOS 8.3 beta 4 or later.

=== Intentionally modifying key parts of iOS: other ways ===

If you purposefully erase / zero out your [[NOR]], then you will have trouble doing a DFU restore because important information from the [[NOR (SysCfg)|SysCfg]] section will not be available.

[http://www.reddit.com/r/jailbreak/comments/1m3jo6/how_much_torture_kernel_user_based_etc_would_it/cc5g8nj See winocm's explanation of several related ways to brick a device]:

<blockquote>
* Erase SysCfg/replace it with 0xFFs.
* Destroy the 'SrNm' tag in the SysCfg, it won't activate then.
* Set all clock gates enabled and set PLL frequencies to mad numbers, THIS WILL DAMAGE THE HARDWARE.
* Run constant NAND stress tests to wear out NAND pages.
* Set the 'display-timing' nvram variable to some other garbage. iPod touch 2G/3G does weird things with that.

If you know how the hardware works, this can be done from an iBoot/kernel level.
</blockquote>

=== Making the wrong modifications to the baseband ===

One way to irreversibly brick a device in software is to flash an invalid [[Baseband Bootloader|baseband bootloader]], provided it has a baseband. Most other bad flash scenarios are recoverable some way or another.

Another way to brick the baseband is by installing baseband [[06.15.00]] on an incompatible device. [[redsn0w]] has an option to install this baseband on the [[N82ap|iPhone 3G]] or [[N88ap|iPhone 3GS]] in order to get a baseband version that is unlockable with [[ultrasn0w]]. This is a nice way to get an unlock, because the [[K48ap|iPad]], the [[N82ap|iPhone 3G]] and the [[N88ap|iPhone 3GS]] all share the same [[Baseband Device]], but the [[K48ap|iPad]] has a newer version number in its baseband. That way people can actually downgrade by installing a higher version (there are no [[APTicket]] checks in these devices). This has known side-effects, like losing [[GPS]] functionality (this baseband comes from an iPad which has no GPS or differently implemented).

It was possible to brick an [[N88ap|iPhone 3GS]] with this method. In fall 2011 Apple replaced the [[NOR]] flash. It is not clear if this was done intentionally to prevent this method. The previous type of baseband was 36my1ee and they changed it to 36my1eh, 36my1eg. (There was no switch to Toshiba baseband devices.) These new [[NOR]] flash chips seem to work with the newer baseband versions in the [[N88ap|iPhone 3GS]], but are not supported with the old [[06.15.00]] baseband. Therefore installing this version will brick your device if you have a new [[NOR]] flash, as you (currently) cannot go back and install anything else. To check before installation, check the version number, as it reveals the production year/week in the digits 3...5. Week 34/2011 appears safe, 35 seems iffy, 36 seems iffy, 37 is not safe. Or open the device and check the chip type.