Ramrod

From The iPhone Wiki
Revision as of 03:30, 9 June 2015 by Dayt0n (talk | contribs) (Added Output for working ramrod)

ramrod is an iOS command line utility that has been involved in the firmware update and restore procedure of iOS devices since at least iOS 6.

ramrod is contained in the ramdisk H6SURamDisk.dmg (which is in the /usr/standalone/update/ramdisk/ folder on a 7.0.4 iPhone5s), where it sits in /usr/libexec/ramrod/. To make the dmg readable, you just have to strip its first 0x1b (27) bytes.
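
One way to do the strip described above, as an added example that is not part of the original wiki page: it copies the image without its first 0x1b bytes and then looks for an HFS+/HFSX volume signature at offset 1024. That the stripped ramdisk is a raw HFS image is an assumption, and the function names and the constructed stand-in file are illustrative.

```python
import shutil
import tempfile
from pathlib import Path

HEADER_LEN = 0x1B        # 27 bytes, the figure given on this page
HFS_SIG_OFFSET = 1024    # an HFS+/HFSX volume header starts 1024 bytes into the volume
HFS_SIGNATURES = {b"H+": "HFS+", b"HX": "HFSX"}


def strip_ramdisk_header(src, dst, header_len=HEADER_LEN):
    """Copy src to dst without its first header_len bytes; return bytes written."""
    src, dst = Path(src), Path(dst)
    if src.stat().st_size <= header_len:
        raise ValueError(f"{src} is too small to carry a {header_len}-byte header")
    with src.open("rb") as fin, dst.open("wb") as fout:
        fin.seek(header_len)
        shutil.copyfileobj(fin, fout)  # streams, so large images are fine
    return dst.stat().st_size


def volume_kind(image):
    """Return the HFS flavour named by the volume signature, or None if absent.

    Assumption: the stripped ramdisk is a raw HFS image. None only means the
    signature is not at offset 1024, not that the file is damaged.
    """
    with Path(image).open("rb") as f:
        f.seek(HFS_SIG_OFFSET)
        return HFS_SIGNATURES.get(f.read(2))


def demo():
    """Run both steps on a constructed stand-in file (not a real ramdisk)."""
    with tempfile.TemporaryDirectory() as tmp:
        body = bytearray(4096)
        body[HFS_SIG_OFFSET:HFS_SIG_OFFSET + 2] = b"HX"
        wrapped = Path(tmp, "wrapped.dmg")
        wrapped.write_bytes(b"\xAA" * HEADER_LEN + bytes(body))
        stripped = Path(tmp, "stripped.dmg")
        size = strip_ramdisk_header(wrapped, stripped)
        # Before stripping the signature is 27 bytes off; afterwards it lines up.
        return size, volume_kind(wrapped), volume_kind(stripped)


if __name__ == "__main__":
    print(demo())
```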

Not much is known about its functionality or usage, except that it is mentioned in ~/Library/Logs/iPhone Updater Logs (on OS X) or [Username folder]\Application Data\Apple Computer\iTunes\iPhone Updater Logs (on Windows) after some unsuccessful restores or updates:

0: RamrodErrorDomain/3ec: update_baseband: failed to perform next stage
1: BBUpdater/10
unable to convert ramrod error 1004

==== end of device restore output ====
2013-01-16 01:05:19.000 iTunes[1073:12e2b]: AMRAuthInstallDeletePersonalizedBundle
2013-01-16 01:05:19.000 iTunes[1073:12e2b]: <Restore Device 0x7f8fa705ac30>: Restore failed (result = -1)
2013-01-16 01:05:19.000 iTunes[1073:12f07]: iTunes: Restore error 4294967295

./jtool -l /Volumes/ramdisk/usr/libexec/ramrod/ramrod
LC 00: LC_SEGMENT_64          Mem: 0x000000000-0x100000000	__PAGEZERO
LC 01: LC_SEGMENT_64          Mem: 0x100000000-0x100104000	__TEXT
	0x0000000100002e48-0x000000010009dba8	__TEXT.__text
	0x000000010009dba8-0x000000010009f078	__TEXT.__stubs
	0x000000010009f078-0x00000001000a0524	__TEXT.__stub_helper
	0x00000001000a0524-0x00000001000b2e50	__TEXT.__gcc_except_tab__TEXT
	0x00000001000b2e50-0x00000001000eb44c	__TEXT.__const
	0x00000001000eb44c-0x00000001001005e8	__TEXT.__cstring
	0x00000001001005e8-0x0000000100103ff4	__TEXT.__unwind_info
LC 02: LC_SEGMENT_64          Mem: 0x100104000-0x10011c000	__DATA
	0x0000000100104000-0x00000001001041f0	__DATA.__got
	0x00000001001041f0-0x0000000100104fd0	__DATA.__la_symbol_ptr
	0x0000000100104fd0-0x0000000100105038	__DATA.__mod_init_func
	0x0000000100105040-0x000000010010b950	__DATA.__const
	0x000000010010b950-0x000000010010dfe0	__DATA.__data
	0x000000010010dfe0-0x0000000100111a00	__DATA.__cfstring
	0x0000000100111a00-0x0000000100111fe0	__DATA.__common
	0x0000000100111fe0-0x000000010011b448	__DATA.__bss
LC 03: LC_SEGMENT_64          Mem: 0x10011c000-0x100144000	__LINKEDIT
LC 04: LC_DYLD_INFO_ONLY     
LC 05: LC_SYMTAB             	Symbol table is at offset 0x123890, with 1788 entries
LC 06: LC_DYSYMTAB           
LC 07: LC_LOAD_DYLINKER      	/usr/lib/dyld
LC 08: LC_UUID               	UUID: D8DC8A3E-CF0F-31C8-ADBA-2C6A1891952F
LC 09: LC_VERSION_MIN_IPHONEOS	Minimum iOS  version:    7.0.0
LC 10: LC_SOURCE_VERSION     	Source Version:          1021.1.28.0.0
LC 11: LC_MAIN               	Entry Point:             0x5d90 (Mem: 100005d90)
LC 12: LC_LOAD_DYLIB         	/usr/lib/libz.1.dylib
LC 13: LC_LOAD_DYLIB         	/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration
LC 14: LC_LOAD_DYLIB         	/System/Library/PrivateFrameworks/IOSurface.framework/IOSurface
LC 15: LC_LOAD_DYLIB         	/usr/lib/libIOAccessoryManager.dylib
LC 16: LC_LOAD_DYLIB         	/System/Library/PrivateFrameworks/IOMobileFramebuffer.framework/IOMobileFramebuffer
LC 17: LC_LOAD_DYLIB         	/System/Library/PrivateFrameworks/Bom.framework/Bom
LC 18: LC_LOAD_DYLIB         	/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
LC 19: LC_LOAD_DYLIB         	/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
LC 20: LC_LOAD_DYLIB         	/System/Library/PrivateFrameworks/MediaKit.framework/MediaKit
LC 21: LC_LOAD_DYLIB         	/usr/lib/libMobileGestalt.dylib
LC 22: LC_LOAD_DYLIB         	/usr/lib/libauthinstall.dylib
LC 23: LC_LOAD_WEAK_DYLIB    	/System/Library/Frameworks/CFNetwork.framework/CFNetwork
LC 24: LC_LOAD_DYLIB         	/usr/lib/libc++.1.dylib
LC 25: LC_LOAD_DYLIB         	/usr/lib/libSystem.B.dylib
LC 26: LC_FUNCTION_STARTS    	Offset: 1188768, Size: 5232
LC 27: LC_DATA_IN_CODE       	Offset: 1194000, Size: 0
LC 28: LC_DYLIB_CODE_SIGN_DRS	Offset: 1194000, Size: 128
LC 29: LC_CODE_SIGNATURE     	Offset: 1287008, Size: 6480

There also seem to be plugins available for ramrod:

./jtool -l /Volumes/ramdisk/usr/libexec/ramrod/plugins/patchd.ramrod 
LC 00: LC_SEGMENT_64          Mem: 0x000000000-0x1c000	__TEXT
	0x0000000000002660-0x0000000000012868	__TEXT.__text
	0x0000000000012868-0x0000000000013588	__TEXT.__stubs
	0x0000000000013588-0x00000000000142c0	__TEXT.__stub_helper
	0x00000000000142c0-0x0000000000014750	__TEXT.__const
	0x0000000000014750-0x000000000001bfae	__TEXT.__cstring
	0x000000000001bfae-0x000000000001bff6	__TEXT.__unwind_info
LC 01: LC_SEGMENT_64          Mem: 0x00001c000-0x24000	__DATA
	0x000000000001c000-0x000000000001c190	__DATA.__got
	0x000000000001c190-0x000000000001ca50	__DATA.__la_symbol_ptr
	0x000000000001ca50-0x000000000001cbf8	__DATA.__const
	0x000000000001cbf8-0x0000000000021058	__DATA.__cfstring
	0x0000000000021060-0x00000000000210ad	__DATA.__data
	0x00000000000210b0-0x0000000000021608	__DATA.__bss
LC 02: LC_SEGMENT_64          Mem: 0x000024000-0x2e000	__LINKEDIT
LC 03: LC_DYLD_INFO_ONLY     
LC 04: LC_SYMTAB             	Symbol table is at offset 0x26d18, with 510 entries
LC 05: LC_DYSYMTAB           
LC 06: LC_UUID               	UUID: B157237E-1517-3E83-AB87-130ADAE58E62
LC 07: LC_VERSION_MIN_IPHONEOS	Minimum iOS  version:    7.0.0
LC 08: LC_SOURCE_VERSION     	Source Version:          275.1.0.0.0
LC 09: LC_LOAD_DYLIB         	/usr/lib/libauthinstall.dylib
LC 10: LC_LOAD_DYLIB         	/usr/lib/libMobileGestalt.dylib
LC 11: LC_LOAD_DYLIB         	/usr/lib/libz.1.dylib
LC 12: LC_LOAD_DYLIB         	/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
LC 13: LC_LOAD_DYLIB         	/System/Library/PrivateFrameworks/Bom.framework/Bom
LC 14: LC_LOAD_DYLIB         	/System/Library/Frameworks/Security.framework/Security
LC 15: LC_LOAD_DYLIB         	/System/Library/PrivateFrameworks/AppleFSCompression.framework/AppleFSCompression
LC 16: LC_LOAD_DYLIB         	/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
LC 17: LC_LOAD_DYLIB         	/usr/lib/libbz2.1.0.dylib
LC 18: LC_LOAD_DYLIB         	/usr/lib/libSystem.B.dylib
LC 19: LC_FUNCTION_STARTS    	Offset: 158664, Size: 232
LC 20: LC_DATA_IN_CODE       	Offset: 158896, Size: 0
LC 21: LC_DYLIB_CODE_SIGN_DRS	Offset: 158896, Size: 104
LC 22: LC_CODE_SIGNATURE     	Offset: 181088, Size: 1072

Using ramrod via SSH:

./ramrod                               
dyld: Library not loaded: /System/Library/PrivateFrameworks/MediaKit.framework/MediaKit
  Referenced from: /private/var/root/ramrod/./ramrod
  Reason: image not found
Trace/BPT trap: 5
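
The dyld failure above can be tied back to the jtool listings: the missing image is one of ramrod's LC_LOAD_DYLIB entries, and dyld aborts on a missing LC_LOAD_DYLIB image while tolerating a missing LC_LOAD_WEAK_DYLIB one. The following is an added example, not part of the original wiki page; the sample lines are copied (abridged) from the listings and error on this page, and the function names are illustrative.

```python
import re

LOAD_RE = re.compile(r"^LC (\d+): (LC_LOAD_DYLIB|LC_LOAD_WEAK_DYLIB)\s+(\S+)", re.M)
DYLD_RE = re.compile(r"Library not loaded: (\S+)")

# Abridged copies of the two `jtool -l` listings and the dyld error on this page.
RAMROD = """\
LC 11: LC_MAIN                  Entry Point:             0x5d90 (Mem: 100005d90)
LC 12: LC_LOAD_DYLIB            /usr/lib/libz.1.dylib
LC 20: LC_LOAD_DYLIB            /System/Library/PrivateFrameworks/MediaKit.framework/MediaKit
LC 22: LC_LOAD_DYLIB            /usr/lib/libauthinstall.dylib
LC 23: LC_LOAD_WEAK_DYLIB       /System/Library/Frameworks/CFNetwork.framework/CFNetwork
LC 25: LC_LOAD_DYLIB            /usr/lib/libSystem.B.dylib
"""
PATCHD = """\
LC 09: LC_LOAD_DYLIB            /usr/lib/libauthinstall.dylib
LC 11: LC_LOAD_DYLIB            /usr/lib/libz.1.dylib
LC 14: LC_LOAD_DYLIB            /System/Library/Frameworks/Security.framework/Security
LC 15: LC_LOAD_DYLIB            /System/Library/PrivateFrameworks/AppleFSCompression.framework/AppleFSCompression
LC 17: LC_LOAD_DYLIB            /usr/lib/libbz2.1.0.dylib
LC 18: LC_LOAD_DYLIB            /usr/lib/libSystem.B.dylib
"""
DYLD_ERROR = ("dyld: Library not loaded: "
              "/System/Library/PrivateFrameworks/MediaKit.framework/MediaKit\n")


def dylib_deps(listing):
    """Map each dylib path in a jtool -l listing to (load command index, is_weak)."""
    return {path: (int(idx), cmd == "LC_LOAD_WEAK_DYLIB")
            for idx, cmd, path in LOAD_RE.findall(listing)}


def explain_dyld_error(listing, error_text):
    """Tie a dyld 'Library not loaded' message to the load command behind it."""
    m = DYLD_RE.search(error_text)
    if not m:
        return None
    path = m.group(1)
    idx, weak = dylib_deps(listing).get(path, (None, None))
    # Only a strong (non-weak) dependency makes the launch fail outright.
    return {"path": path, "load_command": idx,
            "fatal": None if idx is None else not weak}


def plugin_only_deps(host_listing, plugin_listing):
    """Dylibs a plugin links that the host binary does not load itself."""
    return sorted(set(dylib_deps(plugin_listing)) - set(dylib_deps(host_listing)))


if __name__ == "__main__":
    print(explain_dyld_error(RAMROD, DYLD_ERROR))
    print(plugin_only_deps(RAMROD, PATCHD))
```

Fed the full listings, `plugin_only_deps` shows what the patchd plugin needs on top of ramrod's own dependencies when it is loaded.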

./ramrod 
entering set_boot_stage
unable to open /dev/klog: Resource busy
inverting UI colordisplay-scale = 2
display-rotation = 0
found applelogo at /usr/share/progressui/applelogo@2x.tga
found display: primary
display: 640 x 1136
unable to open plugins directory: No such file or directory
ramrod: unable to load plugins
ramrod exited with status 1 - rebooting
No IOFlashController instance found
executing /usr/sbin/nvram
executing /sbin/reboot
reboot in progress, hanging

If you manage to get ramrod working properly over SSH, this is the output:

./ramrod
entering set_boot_stage
display-scale = 2
display-rotation = 0
found applelogo at /usr/share/progressui/applelogo@2x.tga
found display: primary
display: 640 x 960
patchd: ramrod_register_plugin(3254): built Jun 11 2014 20:21:41.
Searching for NAND service
Found NAND service: IOFlashStoragePartition
NAND initialized. Waiting for devnode.
entering ramrod_probe_media
device partitioning scheme is GPT
device supports boot-from-NAND
nand device is already partitioned
executing /usr/sbin/nvram
patchd: ramrod_register_plugin(3274): nvram variable 'enable-remap-mode' cleared
loaded plugin: patchd
plugin contains 1 handlers
	patchd_patch (AUTONOMOUS HANDLER)
skipping USB initialization
patchd: patch(2443): Started patchd.
Searching for NAND service
Found NAND service: IOFlashStoragePartition
NAND initialized. Waiting for devnode.
entering ramrod_probe_media
patchd: run_fake_media_progress(2264): starting fake media progress
device partitioning scheme is GPT
patchd: patch(2475): internal media ready.
patchd: patch(2476): 0 seconds elapsed so far
executing /usr/sbin/nvram
patchd: patch(2491): nvram variable 'boot-command' cleared.
ramrod_roll_media_keys: data_partition = /dev/disk0s1s2
ramrod_roll_media_keys: storage_media = /dev/disk0s1
ramrod_roll_media_keys: data_partition_name = disk0s1s2
ramrod_roll_media_keys: data_partition_uuid = INSERT_UID_HERE_
lwvm: Key already rolled !

executing /usr/sbin/nvram
patchd: patch(2507): no baseband updater debug args present
executing /sbin/fsck_hfs
fsck_hfs: pread(10, 0x27dcc024, 4096, 1560576): Invalid argument
patchd: patchdProgressCallback(2208): progress: 5%
Offset 1024 length 512:
0000:  4858 0005 8000 2000 4846 534a 0000 0009       |HX......HFSJ....|
0010:  cfbe cd9f d19c 0a66 0000 0000 cfbf 300f       |.......f......0.|
0020:  0000 8f58 0000 4311 0000 2000 0002 84ca       |...X..C.........|
0030:  0000 5ecb 0002 4f1c 0001 0000 0001 0000       |......O.........|
0040:  0000 f673 0000 7613 0000 0000 0000 0001       |...s..v.........|
0050:  0000 0000 0000 0000 0000 0000 0000 0000       |................|
0060:  0000 0000 0000 0000 8521 4c87 8382 7761       |..........L...wa|
0070:  0000 0000 0001 0000 0000 8000 0000 0008       |................|
0080:  0000 0001 0000 0008 0000 0000 0000 0000       |................|
0090:  0000 0000 0000 0000 0000 0000 0000 0000       |................|
. . .
00c0:  0000 0000 0040 0000 0040 0000 0000 0200       |................|
00d0:  0000 040a 0000 0200 0000 0000 0000 0000       |................|
00e0:  0000 0000 0000 0000 0000 0000 0000 0000       |................|
. . .
0110:  0000 0000 0180 0000 0040 0000 0000 0c00       |................|
0120:  0000 270a 0000 0300 0000 8688 0000 0300       |................|
0130:  0001 ba9b 0000 0300 0002 42fc 0000 0300       |..........B.....|
0140:  0000 0000 0000 0000 0000 0000 0000 0000       |................|
. . .
0160:  0000 0000 01e0 0000 0040 0000 0000 0f00       |................|
0170:  0000 060a 0000 0600 0001 ad54 0000 0300       |...........T....|
0180:  0001 d5e0 0000 0300 0002 5d0d 0000 0300       |................|
0190:  0000 0000 0000 0000 0000 0000 0000 0000       |................|
. . .
01f0:  0000 0000 0000 0000 0000 0000 0000 0000       |................|
** /dev/rdisk0s1s1 (NO WRITE)
   Executing fsck_hfs (version hfs-277.10.5).
** Verifying volume when it is mounted with write access.
   Journal need to be replayed but volume is read-only
** Checking Journaled HFS Plus volume.
** Detected a case-sensitive volume.
   The volume name is Sochi11D257.N92OS
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
** The volume Sochi11D257.N92OS was found corrupt and needs to be repaired.
fsck failed on /dev/disk0s1s1
patchd: mount_all_filesystems(1990): system partition should already be mounted
executing /sbin/fsck_hfs
fsck_hfs: pread(10, 0x27d6f024, 4096, 2613248): Invalid argument
Offset 1024 length 512:
0000:  4858 0005 c000 2000 4846 534a 0000 000d       |HX......HFSJ....|
0010:  d185 a4fc d19c 0b1d 0000 0000 d185 a4fc       |................|
0020:  0000 28de 0000 0986 0000 2000 000c 5336       |..............S6|
0030:  000a 746b 0005 40b1 0001 0000 0001 0000       |..tk............|
0040:  0000 9299 0003 dcd0 0000 0000 0000 0001       |................|
0050:  0000 0000 0000 0000 0000 0000 0000 0000       |................|
0060:  0000 0000 0000 0000 ce83 809b c82e 6eac       |..............n.|
0070:  0000 0000 0001 a000 0001 8000 0000 000d       |................|
0080:  0000 0001 0000 000c 0000 0a0e 0000 0001       |................|
0090:  0000 0000 0000 0000 0000 0000 0000 0000       |................|
. . .
00c0:  0000 0000 0040 0000 0040 0000 0000 0200       |................|
00d0:  0000 040e 0000 0200 0000 0000 0000 0000       |................|
00e0:  0000 0000 0000 0000 0000 0000 0000 0000       |................|
. . .
0110:  0000 0000 0080 0000 0080 0000 0000 0400       |................|
0120:  0000 320e 0000 0400 0000 0000 0000 0000       |..2.............|
0130:  0000 0000 0000 0000 0000 0000 0000 0000       |................|
. . .
0160:  0000 0000 0080 0000 0080 0000 0000 0400       |................|
0170:  0000 060e 0000 0400 0000 0000 0000 0000       |................|
0180:  0000 0000 0000 0000 0000 0000 0000 0000       |................|
. . .
01f0:  0000 0000 0000 0000 0000 0000 0000 0000       |................|
** /dev/rdisk0s1s2 (NO WRITE)
   Executing fsck_hfs (version hfs-277.10.5).
** Verifying volume when it is mounted with write access.
   Journal need to be replayed but volume is read-only
** Checking Journaled HFS Plus volume.
** Detected a case-sensitive volume.
   The volume name is Data
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
** The volume Data was found corrupt and needs to be repaired.
fsck failed on /dev/disk0s1s2
patchd: mount_all_filesystems(2005): data partition should already be mounted
patchd: patch(2536): system and data partition mounted.
patchd: patch(2537): 28 seconds elapsed so far
patchd: patch(2539): disks mounted.
patchd: patchdProgressCallback(2208): progress: 10%
patchd: patch(2546): done waiting for fake media progress thread.
patchd: patch(2566): could not load patchd options from '/mnt1/var/MobileSoftwareUpdate/Update.plist'. errno=2.
executing /usr/sbin/nvram
patchd: patch(3184): nvram variable 'ramrod-display-width' cleared.
executing /usr/sbin/nvram
patchd: patch(3194): nvram variable 'ramrod-display-height' cleared.
executing /usr/sbin/nvram
patchd: patch(3204): nvram variable 'ramrod-display-rate' cleared.
executing /usr/sbin/nvram
patchd: patch(3216): nvram variable 'auto-boot' reset.
patchd: patch(3223): attempting to dump update log
patchd: entering checkForRestoreLogFile
patchd: found restore log (size = 495)
patchd: write_update_log(2230): writing log file: /mnt1/restore.log
patchd: patch(3232): disks unmounted.
patchd: patch(3235): 50 seconds elapsed in patchd
ramrod exited with status 1 - rebooting
device supports boot-from-NAND
nand device is already partitioned
executing /usr/sbin/nvram
executing /sbin/reboot