HOWTO: restore an iPad using only Free Software
February 14th, 2018 by miki

Thanks to the fine people at the libimobiledevice project, who bother to reverse engineer Apple products, I recently succeeded in resurrecting a relative’s iPad stuck in a boot loop (something with jailbreaking, running Cydia, missing an iOS update and attempted Cydia removal) without any use of proprietary tools.

This is a brief recipe of the procedure done using Ubuntu 16.04.

As the required tool from libimobiledevice, idevicerestore, is not packaged in the Ubuntu libimobiledevice package, we need to build it from source.

iPad during recovery

iPad in recovery mode during firmware download using libimobiledevice

  1. Install build dependencies
    sudo apt install libusbmuxd-dev libplist-dev libplist++-dev libzip-dev
  2. Fetch and build the libimobiledevice main library
    cd
    git clone https://git.libimobiledevice.org/libimobiledevice.git
    cd libimobiledevice/
    ./autogen.sh
    make
  3. Fetch and build the libirecovery library
    cd
    git clone https://git.libimobiledevice.org/libirecovery.git
    cd libirecovery
    ./autogen.sh
    make
  4. Fetch and build the idevicerestore tool, using the homebuilt libraries
    cd
    git clone https://git.libimobiledevice.org/idevicerestore.git
    cd idevicerestore
    CFLAGS="-I$HOME/libirecovery/include -I$HOME/libimobiledevice/include" LDFLAGS="-L$HOME/libirecovery/src/.libs \
    -L$HOME/libimobiledevice/src/.libs" PKG_CONFIG_PATH=~/libirecovery:~/libimobiledevice/src ./autogen.sh
    make
  5. Put the iDevice in recovery mode (iPad = press power+home until the screen with the “iTunes+cable” symbol appears; see the image above and check Apple support for details). Make sure it has adequate charge or it will refuse (red battery flashing).
  6. Perform the actual restore, asking for flashing of the latest firmware (~2.5GiB automatically downloaded); this will probably get you in trouble if you desire to jailbreak the device. I noticed while writing this post that the command below actually doesn’t run the tool using the libraries built above, but I’m leaving it as it was done because it “worked for me” (TM) and I can’t experiment further because I haven’t got access to any iDevices (and desire to keep it that way):
    sudo $HOME/idevicerestore/src/idevicerestore --latest
    NOTE: using cached version data
    Found device in Recovery mode
    Identified device as j71ap, iPad4,1
    Latest firmware is iPad_64bit_11.2_15C114_Restore.ipsw
    Verifying 'iPad_64bit_11.2_15C114_Restore.ipsw'...
    Checksum matches.
    Extracting BuildManifest from IPSW
    Product Version: 11.2
    Product Build: 15C114 Major: 15
    INFO: device serial number is DMPM4V3SFK15
    Device supports Image4: true
    Variant: Customer Upgrade Install (IPSW)
    This restore will update your device without losing data.
    Using cached filesystem from 'iPad_64bit_11.2_15C114_Restore/058-86080-124.dmg'
    Found ECID 6653578882512
    Getting ApNonce in recovery mode... 03 6b cc ac 57 8a b4 29 29 c1 a9 fe e4 97 54 3b a8 36 59 5a 
    Trying to fetch new SHSH blob
    Getting SepNonce in recovery mode... df 5c ad 67 48 bd 38 b4 6f 72 0a 5c b0 81 87 c3 95 37 4a da 
    WARNING: Unable to find BbChipID node
    WARNING: Unable to find BbSkeyId node
    Request URL set to https://gs.apple.com/TSS/controller?action=2
    Sending TSS request attempt 1... response successfully received
    Received SHSH blobs
    Extracting iBEC.ipad4.RELEASE.im4p...
    Personalizing IMG4 component iBEC...
    Sending iBEC (710360 bytes)...
    Recovery Mode Environment:
    iBoot build-version=iBoot-4076.30.43
    iBoot build-style=RELEASE
    Sending AppleLogo...
    Extracting applelogo@2x~ipad.im4p...
    Personalizing IMG4 component AppleLogo...
    Sending AppleLogo (22709 bytes)...
    ramdisk-size=0x10000000
    Extracting 058-85997-124.dmg...
    Personalizing IMG4 component RestoreRamDisk...
    Sending RestoreRamDisk (59978774 bytes)...
    Extracting DeviceTree.j71ap.im4p...
    Personalizing IMG4 component RestoreDeviceTree...
    Sending RestoreDeviceTree (101420 bytes)...
    Extracting kernelcache.release.ipad4...
    Personalizing IMG4 component RestoreKernelCache...
    Sending RestoreKernelCache (13226783 bytes)...
    About to restore device... 
    Waiting for device...
    Device 3fb0f5cc97b83c61c85d4b8333796d9e536a4c83 is now connected in restore mode...
    Connecting now...
    Connected to com.apple.mobile.restored, version 15
    Device 3fb0f5cc97b83c61c85d4b8333796d9e536a4c83 has successfully entered restore mode
    Hardware Information:
    BoardID: 16
    ChipID: 35168
    UniqueChipID: 6653578882512
    ProductionMode: true
    Starting FDR listener thread
    About to send NORData...
    Found firmware path Firmware/all_flash
    Getting firmware manifest from build identity
    Extracting LLB.ipad4.RELEASE.im4p...
    Personalizing IMG4 component LLB...
    Extracting applelogo@2x~ipad.im4p...
    Personalizing IMG4 component AppleLogo...
    Extracting batterycharging0@2x~ipad.im4p...
    Personalizing IMG4 component BatteryCharging0...
    Extracting batterycharging1@2x~ipad.im4p...
    Personalizing IMG4 component BatteryCharging1...
    Extracting batteryfull@2x~ipad.im4p...
    Personalizing IMG4 component BatteryFull...
    Extracting batterylow0@2x~ipad.im4p...
    Personalizing IMG4 component BatteryLow0...
    Extracting batterylow1@2x~ipad.im4p...
    Personalizing IMG4 component BatteryLow1...
    Extracting glyphplugin@2x~ipad-lightning.im4p...
    Personalizing IMG4 component BatteryPlugin...
    Extracting DeviceTree.j71ap.im4p...
    Personalizing IMG4 component DeviceTree...
    Extracting recoverymode@2x~ipad-lightning.im4p...
    Personalizing IMG4 component RecoveryMode...
    Extracting iBoot.ipad4.RELEASE.im4p...
    Personalizing IMG4 component iBoot...
    Extracting sep-firmware.j71.RELEASE.im4p...
    Personalizing IMG4 component RestoreSEP...
    Extracting sep-firmware.j71.RELEASE.im4p...
    Personalizing IMG4 component SEP...
    Sending NORData now...
    Done sending NORData
    About to send RootTicket...
    Sending RootTicket now...
    Done sending RootTicket
    Waiting for NAND (28)
    Checking filesystems (15)
    Checking filesystems (15)
    Unmounting filesystems (29)
    Unmounting filesystems (29)
    Creating filesystem (12)
    About to send filesystem...
    Connected to ASR
    Validating the filesystem
    Filesystem validated
    Sending filesystem now...
    [==================================================] 100.0%
    Done sending filesystem
    Verifying restore (14)
    [==================================================] 100.0%
    Checking filesystems (15)
    Checking filesystems (15)
    Mounting filesystems (16)
    Mounting filesystems (16)
    About to send KernelCache...
    Extracting kernelcache.release.ipad4...
    Personalizing IMG4 component KernelCache...
    Sending KernelCache now...
    Done sending KernelCache
    Installing kernelcache (27)
    About to send DeviceTree...
    Extracting DeviceTree.j71ap.im4p...
    Personalizing IMG4 component DeviceTree...
    Sending DeviceTree now...
    Done sending DeviceTree
    Certifying Savage (61)
    Flashing firmware (18)
    [==================================================] 100.0%
    Updating gas gauge software (47)
    Updating gas gauge software (47)
    Updating Stockholm (55)
    About to send FUD data...
    Sending FUD data now...
    Done sending FUD data
    About to send FUD data...
    Sending FUD data now...
    Done sending FUD data
    Fixing up /var (17)
    Modifying persistent boot-args (25)
    Unmounting filesystems (29)
    Unmounting filesystems (29)
    Got status message
    Status: Restore Finished
    Cleaning up...
    DONE
  7. The iDevice should reset and boot into the new firmware.

iPad during firmware flashing using libimobiledevice
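
Step 6 notes that the restore did not actually run against the libraries built in steps 2 and 3. The following is an added example (not part of the original post or of the libimobiledevice project) that reads `ldd` output and reports where a binary's libimobiledevice and libirecovery dependencies resolve from; the function names and the sample sonames, paths and addresses are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify where libimobiledevice/libirecovery resolve from,
# based on `ldd` output read from stdin.
# Usage against the real build (binary path as used in step 6):
#   ldd "$HOME/idevicerestore/src/idevicerestore" | classify_libs "$HOME"

classify_libs() {
    # $1 = directory prefix that holds the home-built source trees
    local prefix="${1%/}" name arrow path rest
    while read -r name arrow path rest; do
        case "$name" in
            libimobiledevice*|libirecovery*) ;;   # only the two libraries built by hand
            *) continue ;;
        esac
        # "libfoo.so.N => not found" means the loader cannot resolve it at all
        if [ "$arrow" != "=>" ] || [ "$path" = "not" ]; then
            echo "$name UNRESOLVED"
            continue
        fi
        case "$path" in
            "$prefix"/*) echo "$name HOMEBUILT $path" ;;
            *)           echo "$name SYSTEM $path" ;;
        esac
    done
}

# Constructed sample of ldd output (sonames, paths and addresses are made up)
sample_ldd() {
    cat <<'EOF'
    linux-vdso.so.1 =>  (0x00007ffd0a1f2000)
    libirecovery.so.2 => /home/user/libirecovery/src/.libs/libirecovery.so.2 (0x00007f1c2a000000)
    libimobiledevice.so.6 => /usr/lib/x86_64-linux-gnu/libimobiledevice.so.6 (0x00007f1c29c00000)
    libplist.so.3 => /usr/lib/x86_64-linux-gnu/libplist.so.3 (0x00007f1c29a00000)
    libzip.so.4 => not found
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29600000)
EOF
}

# Demo on the constructed sample
sample_ldd | classify_libs /home/user
```

A `SYSTEM` line for either library means the binary loads the distribution's packaged copy at run time rather than the freshly built one.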

If you want to interact with iDevices from within Ubuntu during ordinary use, you can also install some utilities and plugins for that. The command below will, for example, add a context menu in Nautilus with info about the iDevice and install the ideviceinstaller command-line utility, which can be used to administer installed applications on the device.

sudo apt install libimobiledevice-utils nautilus-ideviceinfo ideviceinstaller


© 2023 Mikkel Kirkgaard Nielsen, contents CC BY-SA 4.0