Difference between revisions of "Ramrod"

From The iPhone Wiki
(Tested a second time and results were cleaner.)
 
(2 intermediate revisions by 2 users not shown)
Line 71: Line 71:
 
LC 29: LC_CODE_SIGNATURE Offset: 1287008, Size: 6480
 
LC 29: LC_CODE_SIGNATURE Offset: 1287008, Size: 6480
 
</pre>
 
</pre>
 
   
 
There seem also plugins for ramrod avaible:
 
There seem also plugins for ramrod avaible:
Line 112: Line 111:
 
LC 21: LC_DYLIB_CODE_SIGN_DRS Offset: 158896, Size: 104
 
LC 21: LC_DYLIB_CODE_SIGN_DRS Offset: 158896, Size: 104
 
LC 22: LC_CODE_SIGNATURE Offset: 181088, Size: 1072
 
LC 22: LC_CODE_SIGNATURE Offset: 181088, Size: 1072
  +
</pre>
  +
  +
Using ramrod via ssh:
  +
  +
<pre>
  +
./ramrod
  +
dyld: Library not loaded: /System/Library/PrivateFrameworks/MediaKit.framework/MediaKit
  +
Referenced from: /private/var/root/ramrod/./ramrod
  +
Reason: image not found
  +
Trace/BPT trap: 5
  +
  +
./ramrod
  +
entering set_boot_stage
  +
unable to open /dev/klog: Resource busy
  +
inverting UI colordisplay-scale = 2
  +
display-rotation = 0
  +
found applelogo at /usr/share/progressui/applelogo@2x.tga
  +
found display: primary
  +
display: 640 x 1136
  +
unable to open plugins directory: No such file or directory
  +
ramrod: unable to load plugins
  +
ramrod exited with status 1 - rebooting
  +
No IOFlashController instance found
  +
executing /usr/sbin/nvram
  +
executing /sbin/reboot
  +
reboot in progress, hanging
  +
</pre>
  +
  +
If you manage to get ramrod working properly in SSH, this is the output:
  +
<pre>
  +
./ramrod
  +
entering set_boot_stage
  +
display-scale = 2
  +
display-rotation = 0
  +
found applelogo at /usr/share/progressui/applelogo@2x.tga
  +
found display: primary
  +
display: 640 x 960
  +
patchd: ramrod_register_plugin(3254): built Jun 11 2014 20:21:41.
  +
Searching for NAND service
  +
Found NAND service: IOFlashStoragePartition
  +
NAND initialized. Waiting for devnode.
  +
entering ramrod_probe_media
  +
device partitioning scheme is GPT
  +
device supports boot-from-NAND
  +
nand device is already partitioned
  +
executing /usr/sbin/nvram
  +
patchd: ramrod_register_plugin(3274): nvram variable 'enable-remap-mode' cleared
  +
loaded plugin: patchd
  +
plugin contains 1 handlers
  +
patchd_patch (AUTONOMOUS HANDLER)
  +
skipping USB initialization
  +
patchd: patch(2443): Started patchd.
  +
Searching for NAND service
  +
Found NAND service: IOFlashStoragePartition
  +
NAND initialized. Waiting for devnode.
  +
entering ramrod_probe_media
  +
patchd: run_fake_media_progress(2264): starting fake media progress
  +
device partitioning scheme is GPT
  +
patchd: patch(2475): internal media ready.
  +
patchd: patch(2476): 0 seconds elapsed so far
  +
executing /usr/sbin/nvram
  +
patchd: patch(2491): nvram variable 'boot-command' cleared.
  +
ramrod_roll_media_keys: data_partition = /dev/disk0s1s2
  +
ramrod_roll_media_keys: storage_media = /dev/disk0s1
  +
ramrod_roll_media_keys: data_partition_name = disk0s1s2
  +
ramrod_roll_media_keys: data_partition_uuid = UID_HERE
  +
lwvm: Key already rolled !
  +
  +
executing /usr/sbin/nvram
  +
patchd: patch(2507): no baseband updater debug args present
  +
executing /sbin/fsck_hfs
  +
patchd: patchdProgressCallback(2208): progress: 5%
  +
** /dev/rdisk0s1s1
  +
Executing fsck_hfs (version hfs-277.10.5).
  +
** Checking Journaled HFS Plus volume.
  +
** Detected a case-sensitive volume.
  +
The volume name is Sochi11D257.N92OS
  +
** Checking extents overflow file.
  +
** Checking catalog file.
  +
** Checking multi-linked files.
  +
** Checking catalog hierarchy.
  +
** Checking extended attributes file.
  +
** Checking volume bitmap.
  +
** Checking volume information.
  +
** Trimming unused blocks.
  +
** The volume Sochi11D257.N92OS appears to be OK.
  +
executing /sbin/mount_hfs
  +
/dev/disk0s1s1 mounted on /mnt1
  +
executing /sbin/fsck_hfs
  +
** /dev/rdisk0s1s2
  +
Executing fsck_hfs (version hfs-277.10.5).
  +
** Checking Journaled HFS Plus volume.
  +
** Detected a case-sensitive volume.
  +
The volume name is Data
  +
** Checking extents overflow file.
  +
** Checking catalog file.
  +
** Checking multi-linked files.
  +
** Checking catalog hierarchy.
  +
** Checking extended attributes file.
  +
** Checking volume bitmap.
  +
** Checking volume information.
  +
** Trimming unused blocks.
  +
** The volume Data appears to be OK.
  +
executing /sbin/mount_hfs
  +
mount_hfs: Could not exec re-keying daemon /usr/libexec/rolld: No such file or directory
  +
/dev/disk0s1s2 mounted on /mnt1/private/var
  +
patchd: patch(2536): system and data partition mounted.
  +
patchd: patch(2537): 29 seconds elapsed so far
  +
patchd: patch(2539): disks mounted.
  +
patchd: patchdProgressCallback(2208): progress: 10%
  +
patchd: patch(2546): done waiting for fake media progress thread.
  +
patchd: patch(2566): could not load patchd options from '/mnt1/var/MobileSoftwareUpdate/Update.plist'. errno=2.
  +
executing /usr/sbin/nvram
  +
patchd: patch(3184): nvram variable 'ramrod-display-width' cleared.
  +
executing /usr/sbin/nvram
  +
patchd: patch(3194): nvram variable 'ramrod-display-height' cleared.
  +
executing /usr/sbin/nvram
  +
patchd: patch(3204): nvram variable 'ramrod-display-rate' cleared.
  +
executing /usr/sbin/nvram
  +
patchd: patch(3216): nvram variable 'auto-boot' reset.
  +
patchd: patch(3223): attempting to dump update log
  +
patchd: entering checkForRestoreLogFile
  +
patchd: found restore log (size = 495)
  +
patchd: write_update_log(2230): writing log file: /mnt1/restore.log
  +
patchd: patch(3232): disks unmounted.
  +
patchd: patch(3235): 51 seconds elapsed in patchd
  +
ramrod exited with status 1 - rebooting
  +
device supports boot-from-NAND
  +
nand device is already partitioned
  +
executing /usr/sbin/nvram
  +
executing /sbin/reboot
 
</pre>
 
</pre>
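Review bot: the second added `<pre>` block is introduced as the output when ramrod is "working properly", yet it ends with `ramrod exited with status 1 - rebooting`, the same exit status as the failing run in the first block. Say what counts as working here (the patchd plugin loads and runs through to `disks unmounted`), or note why status 1 is still reported. The first block also holds two separate `./ramrod` runs (the missing MediaKit library, then the missing plugins directory); a sentence before each saying what was changed between them would make the transcript reproducible, and `data_partition_uuid = UID_HERE` should be marked as a redaction.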

Latest revision as of 03:42, 9 June 2015

ramrod is an iOS command-line utility that has been involved in the firmware update and restore procedure of iOS devices since at least iOS 6.

ramrod is located in /usr/libexec/ramrod/ inside the ramdisk image H6SURamDisk.dmg (which is in the /usr/standalone/update/ramdisk/ folder on a 7.0.4 iPhone5s). To make the dmg readable, you just have to strip its first 0x1b (27) bytes.

Not much is known about its functionality or usage, except that it is mentioned in ~/Library/Logs/iPhone Updater Logs (on OSX) or [Username folder]\Application Data\Apple Computer\iTunes\iPhone Updater Logs (on Windows) when some restores or updates fail:

0: RamrodErrorDomain/3ec: update_baseband: failed to perform next stage

1: BBUpdater/10

unable to convert ramrod error 1004

 

==== end of device restore output ====

2013-01-16 01:05:19.000 iTunes[1073:12e2b]: AMRAuthInstallDeletePersonalizedBundle

2013-01-16 01:05:19.000 iTunes[1073:12e2b]: <Restore Device 0x7f8fa705ac30>: Restore failed (result = -1)

2013-01-16 01:05:19.000 iTunes[1073:12f07]: iTunes: Restore error 4294967295

./jtool -l /Volumes/ramdisk/usr/libexec/ramrod/ramrod
LC 00: LC_SEGMENT_64          Mem: 0x000000000-0x100000000	__PAGEZERO
LC 01: LC_SEGMENT_64          Mem: 0x100000000-0x100104000	__TEXT
	0x0000000100002e48-0x000000010009dba8	__TEXT.__text
	0x000000010009dba8-0x000000010009f078	__TEXT.__stubs
	0x000000010009f078-0x00000001000a0524	__TEXT.__stub_helper
	0x00000001000a0524-0x00000001000b2e50	__TEXT.__gcc_except_tab__TEXT
	0x00000001000b2e50-0x00000001000eb44c	__TEXT.__const
	0x00000001000eb44c-0x00000001001005e8	__TEXT.__cstring
	0x00000001001005e8-0x0000000100103ff4	__TEXT.__unwind_info
LC 02: LC_SEGMENT_64          Mem: 0x100104000-0x10011c000	__DATA
	0x0000000100104000-0x00000001001041f0	__DATA.__got
	0x00000001001041f0-0x0000000100104fd0	__DATA.__la_symbol_ptr
	0x0000000100104fd0-0x0000000100105038	__DATA.__mod_init_func
	0x0000000100105040-0x000000010010b950	__DATA.__const
	0x000000010010b950-0x000000010010dfe0	__DATA.__data
	0x000000010010dfe0-0x0000000100111a00	__DATA.__cfstring
	0x0000000100111a00-0x0000000100111fe0	__DATA.__common
	0x0000000100111fe0-0x000000010011b448	__DATA.__bss
LC 03: LC_SEGMENT_64          Mem: 0x10011c000-0x100144000	__LINKEDIT
LC 04: LC_DYLD_INFO_ONLY     
LC 05: LC_SYMTAB             	Symbol table is at offset 0x123890, with 1788 entries
LC 06: LC_DYSYMTAB           
LC 07: LC_LOAD_DYLINKER      	/usr/lib/dyld
LC 08: LC_UUID               	UUID: D8DC8A3E-CF0F-31C8-ADBA-2C6A1891952F
LC 09: LC_VERSION_MIN_IPHONEOS	Minimum iOS  version:    7.0.0
LC 10: LC_SOURCE_VERSION     	Source Version:          1021.1.28.0.0
LC 11: LC_MAIN               	Entry Point:             0x5d90 (Mem: 100005d90)
LC 12: LC_LOAD_DYLIB         	/usr/lib/libz.1.dylib
LC 13: LC_LOAD_DYLIB         	/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration
LC 14: LC_LOAD_DYLIB         	/System/Library/PrivateFrameworks/IOSurface.framework/IOSurface
LC 15: LC_LOAD_DYLIB         	/usr/lib/libIOAccessoryManager.dylib
LC 16: LC_LOAD_DYLIB         	/System/Library/PrivateFrameworks/IOMobileFramebuffer.framework/IOMobileFramebuffer
LC 17: LC_LOAD_DYLIB         	/System/Library/PrivateFrameworks/Bom.framework/Bom
LC 18: LC_LOAD_DYLIB         	/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
LC 19: LC_LOAD_DYLIB         	/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
LC 20: LC_LOAD_DYLIB         	/System/Library/PrivateFrameworks/MediaKit.framework/MediaKit
LC 21: LC_LOAD_DYLIB         	/usr/lib/libMobileGestalt.dylib
LC 22: LC_LOAD_DYLIB         	/usr/lib/libauthinstall.dylib
LC 23: LC_LOAD_WEAK_DYLIB    	/System/Library/Frameworks/CFNetwork.framework/CFNetwork
LC 24: LC_LOAD_DYLIB         	/usr/lib/libc++.1.dylib
LC 25: LC_LOAD_DYLIB         	/usr/lib/libSystem.B.dylib
LC 26: LC_FUNCTION_STARTS    	Offset: 1188768, Size: 5232
LC 27: LC_DATA_IN_CODE       	Offset: 1194000, Size: 0
LC 28: LC_DYLIB_CODE_SIGN_DRS	Offset: 1194000, Size: 128
LC 29: LC_CODE_SIGNATURE     	Offset: 1287008, Size: 6480

There also seem to be plugins available for ramrod:

./jtool -l /Volumes/ramdisk/usr/libexec/ramrod/plugins/patchd.ramrod 
LC 00: LC_SEGMENT_64          Mem: 0x000000000-0x1c000	__TEXT
	0x0000000000002660-0x0000000000012868	__TEXT.__text
	0x0000000000012868-0x0000000000013588	__TEXT.__stubs
	0x0000000000013588-0x00000000000142c0	__TEXT.__stub_helper
	0x00000000000142c0-0x0000000000014750	__TEXT.__const
	0x0000000000014750-0x000000000001bfae	__TEXT.__cstring
	0x000000000001bfae-0x000000000001bff6	__TEXT.__unwind_info
LC 01: LC_SEGMENT_64          Mem: 0x00001c000-0x24000	__DATA
	0x000000000001c000-0x000000000001c190	__DATA.__got
	0x000000000001c190-0x000000000001ca50	__DATA.__la_symbol_ptr
	0x000000000001ca50-0x000000000001cbf8	__DATA.__const
	0x000000000001cbf8-0x0000000000021058	__DATA.__cfstring
	0x0000000000021060-0x00000000000210ad	__DATA.__data
	0x00000000000210b0-0x0000000000021608	__DATA.__bss
LC 02: LC_SEGMENT_64          Mem: 0x000024000-0x2e000	__LINKEDIT
LC 03: LC_DYLD_INFO_ONLY     
LC 04: LC_SYMTAB             	Symbol table is at offset 0x26d18, with 510 entries
LC 05: LC_DYSYMTAB           
LC 06: LC_UUID               	UUID: B157237E-1517-3E83-AB87-130ADAE58E62
LC 07: LC_VERSION_MIN_IPHONEOS	Minimum iOS  version:    7.0.0
LC 08: LC_SOURCE_VERSION     	Source Version:          275.1.0.0.0
LC 09: LC_LOAD_DYLIB         	/usr/lib/libauthinstall.dylib
LC 10: LC_LOAD_DYLIB         	/usr/lib/libMobileGestalt.dylib
LC 11: LC_LOAD_DYLIB         	/usr/lib/libz.1.dylib
LC 12: LC_LOAD_DYLIB         	/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
LC 13: LC_LOAD_DYLIB         	/System/Library/PrivateFrameworks/Bom.framework/Bom
LC 14: LC_LOAD_DYLIB         	/System/Library/Frameworks/Security.framework/Security
LC 15: LC_LOAD_DYLIB         	/System/Library/PrivateFrameworks/AppleFSCompression.framework/AppleFSCompression
LC 16: LC_LOAD_DYLIB         	/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
LC 17: LC_LOAD_DYLIB         	/usr/lib/libbz2.1.0.dylib
LC 18: LC_LOAD_DYLIB         	/usr/lib/libSystem.B.dylib
LC 19: LC_FUNCTION_STARTS    	Offset: 158664, Size: 232
LC 20: LC_DATA_IN_CODE       	Offset: 158896, Size: 0
LC 21: LC_DYLIB_CODE_SIGN_DRS	Offset: 158896, Size: 104
LC 22: LC_CODE_SIGNATURE     	Offset: 181088, Size: 1072

Using ramrod via ssh:

./ramrod                               
dyld: Library not loaded: /System/Library/PrivateFrameworks/MediaKit.framework/MediaKit
  Referenced from: /private/var/root/ramrod/./ramrod
  Reason: image not found
Trace/BPT trap: 5

./ramrod 
entering set_boot_stage
unable to open /dev/klog: Resource busy
inverting UI colordisplay-scale = 2
display-rotation = 0
found applelogo at /usr/share/progressui/applelogo@2x.tga
found display: primary
display: 640 x 1136
unable to open plugins directory: No such file or directory
ramrod: unable to load plugins
ramrod exited with status 1 - rebooting
No IOFlashController instance found
executing /usr/sbin/nvram
executing /sbin/reboot
reboot in progress, hanging
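
The first failure above is dyld refusing to start ramrod because MediaKit, listed as LC 20 in the jtool output, is not on the system ramrod was copied to. The following Python sketch is an added example, not code from the wiki or from jtool: it parses `jtool -l` text and reports which dylib load commands point at paths missing under a given root. The function names and the temporary root are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Constructed sample: a few lines taken from the jtool -l listing on this page.
SAMPLE_JTOOL = """\
LC 07: LC_LOAD_DYLINKER      \t/usr/lib/dyld
LC 12: LC_LOAD_DYLIB         \t/usr/lib/libz.1.dylib
LC 20: LC_LOAD_DYLIB         \t/System/Library/PrivateFrameworks/MediaKit.framework/MediaKit
LC 23: LC_LOAD_WEAK_DYLIB    \t/System/Library/Frameworks/CFNetwork.framework/CFNetwork
LC 29: LC_CODE_SIGNATURE     \tOffset: 1287008, Size: 6480
"""

LC_RE = re.compile(r"^LC\s+(\d+):\s+(LC_LOAD(?:_WEAK)?_DYLIB)\s+(/\S+)\s*$")

def parse_dylibs(listing):
    """Return [(lc_index, path, is_weak)] for every dylib load command."""
    deps = []
    for line in listing.splitlines():
        m = LC_RE.match(line)
        if m:
            weak = m.group(2) == "LC_LOAD_WEAK_DYLIB"
            deps.append((int(m.group(1)), m.group(3), weak))
    return deps

def missing_dylibs(listing, root):
    """Split dependencies that are absent under root into (required, weak)."""
    # Caveat: on a full iOS install a path absent on disk may still be served
    # from the dyld shared cache, so treat "missing" as a hint, not a verdict.
    required, weak = [], []
    for _, path, is_weak in parse_dylibs(listing):
        if not os.path.exists(os.path.join(root, path.lstrip("/"))):
            (weak if is_weak else required).append(path)
    return required, weak

def demo():
    """Build a throwaway root that only contains libz, then check it."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "usr/lib")
        os.makedirs(lib)
        open(os.path.join(lib, "libz.1.dylib"), "wb").close()
        return missing_dylibs(SAMPLE_JTOOL, root)

if __name__ == "__main__":
    required, weak = demo()
    print("missing (fatal at load):", required)
    print("missing (weak, tolerated):", weak)
```

A missing required dylib aborts the process at load time, as in the `Library not loaded` trace, while a missing weak dylib does not.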

If you manage to get ramrod working properly in SSH, this is the output:

./ramrod
entering set_boot_stage
display-scale = 2
display-rotation = 0
found applelogo at /usr/share/progressui/applelogo@2x.tga
found display: primary
display: 640 x 960
patchd: ramrod_register_plugin(3254): built Jun 11 2014 20:21:41.
Searching for NAND service
Found NAND service: IOFlashStoragePartition
NAND initialized. Waiting for devnode.
entering ramrod_probe_media
device partitioning scheme is GPT
device supports boot-from-NAND
nand device is already partitioned
executing /usr/sbin/nvram
patchd: ramrod_register_plugin(3274): nvram variable 'enable-remap-mode' cleared
loaded plugin: patchd
plugin contains 1 handlers
	patchd_patch (AUTONOMOUS HANDLER)
skipping USB initialization
patchd: patch(2443): Started patchd.
Searching for NAND service
Found NAND service: IOFlashStoragePartition
NAND initialized. Waiting for devnode.
entering ramrod_probe_media
patchd: run_fake_media_progress(2264): starting fake media progress
device partitioning scheme is GPT
patchd: patch(2475): internal media ready.
patchd: patch(2476): 0 seconds elapsed so far
executing /usr/sbin/nvram
patchd: patch(2491): nvram variable 'boot-command' cleared.
ramrod_roll_media_keys: data_partition = /dev/disk0s1s2
ramrod_roll_media_keys: storage_media = /dev/disk0s1
ramrod_roll_media_keys: data_partition_name = disk0s1s2
ramrod_roll_media_keys: data_partition_uuid = UID_HERE
lwvm: Key already rolled !

executing /usr/sbin/nvram
patchd: patch(2507): no baseband updater debug args present
executing /sbin/fsck_hfs
patchd: patchdProgressCallback(2208): progress: 5%
** /dev/rdisk0s1s1
   Executing fsck_hfs (version hfs-277.10.5).
** Checking Journaled HFS Plus volume.
** Detected a case-sensitive volume.
   The volume name is Sochi11D257.N92OS
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
** Trimming unused blocks.
** The volume Sochi11D257.N92OS appears to be OK.
executing /sbin/mount_hfs
/dev/disk0s1s1 mounted on /mnt1
executing /sbin/fsck_hfs
** /dev/rdisk0s1s2
   Executing fsck_hfs (version hfs-277.10.5).
** Checking Journaled HFS Plus volume.
** Detected a case-sensitive volume.
   The volume name is Data
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
** Trimming unused blocks.
** The volume Data appears to be OK.
executing /sbin/mount_hfs
mount_hfs: Could not exec re-keying daemon /usr/libexec/rolld: No such file or directory
/dev/disk0s1s2 mounted on /mnt1/private/var
patchd: patch(2536): system and data partition mounted.
patchd: patch(2537): 29 seconds elapsed so far
patchd: patch(2539): disks mounted.
patchd: patchdProgressCallback(2208): progress: 10%
patchd: patch(2546): done waiting for fake media progress thread.
patchd: patch(2566): could not load patchd options from '/mnt1/var/MobileSoftwareUpdate/Update.plist'. errno=2.
executing /usr/sbin/nvram
patchd: patch(3184): nvram variable 'ramrod-display-width' cleared.
executing /usr/sbin/nvram
patchd: patch(3194): nvram variable 'ramrod-display-height' cleared.
executing /usr/sbin/nvram
patchd: patch(3204): nvram variable 'ramrod-display-rate' cleared.
executing /usr/sbin/nvram
patchd: patch(3216): nvram variable 'auto-boot' reset.
patchd: patch(3223): attempting to dump update log
patchd: entering checkForRestoreLogFile
patchd: found restore log (size = 495)
patchd: write_update_log(2230): writing log file: /mnt1/restore.log
patchd: patch(3232): disks unmounted.
patchd: patch(3235): 51 seconds elapsed in patchd
ramrod exited with status 1 - rebooting
device supports boot-from-NAND
nand device is already partitioned
executing /usr/sbin/nvram
executing /sbin/reboot
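
A transcript like the one above is easier to compare across devices or firmware versions once it is reduced to the actions it records. The following Python sketch is an added example, not part of the wiki page or of ramrod: it summarizes which programs were executed, which nvram variables were touched, what was mounted, and how ramrod exited. The patterns are derived only from the log lines shown on this page, and the sample is a constructed subset of them.

```python
import re
from collections import Counter

# Constructed sample: a subset of the ramrod/patchd lines shown on this page.
SAMPLE_LOG = """\
loaded plugin: patchd
executing /usr/sbin/nvram
patchd: patch(2491): nvram variable 'boot-command' cleared.
executing /sbin/fsck_hfs
/dev/disk0s1s1 mounted on /mnt1
mount_hfs: Could not exec re-keying daemon /usr/libexec/rolld: No such file or directory
/dev/disk0s1s2 mounted on /mnt1/private/var
patchd: patch(2566): could not load patchd options from '/mnt1/var/MobileSoftwareUpdate/Update.plist'. errno=2.
executing /usr/sbin/nvram
patchd: patch(3216): nvram variable 'auto-boot' reset.
patchd: write_update_log(2230): writing log file: /mnt1/restore.log
ramrod exited with status 1 - rebooting
executing /sbin/reboot
"""

EXEC = re.compile(r"^executing (\S+)$")
NVRAM = re.compile(r"nvram variable '([^']+)' (cleared|reset)\.?$")
MOUNT = re.compile(r"^(/dev/\S+) mounted on (\S+)$")
PLUGIN = re.compile(r"^loaded plugin: (\S+)$")
EXIT = re.compile(r"^ramrod exited with status (\d+)")
ERROR = re.compile(r"unable to|could not|No such file", re.I)

def summarize(log):
    """Reduce a ramrod transcript to the actions and failures it records."""
    s = {"executed": Counter(), "nvram": [], "mounts": [], "plugins": [],
         "errors": [], "exit_status": None}
    for raw in log.splitlines():
        line = raw.strip()
        if m := EXEC.match(line):
            s["executed"][m.group(1)] += 1
        elif m := NVRAM.search(line):
            s["nvram"].append((m.group(1), m.group(2)))
        elif m := MOUNT.match(line):
            s["mounts"].append((m.group(1), m.group(2)))
        elif m := PLUGIN.match(line):
            s["plugins"].append(m.group(1))
        elif m := EXIT.match(line):
            s["exit_status"] = int(m.group(1))
        elif ERROR.search(line):
            s["errors"].append(line)
    return s

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```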