
iphone2g&3gfan

I have an old 4s with 6.1.3 on it, which I presume must've gotten an OTA update downloaded or something a long time ago. I was fooling around with the /dev folder and I saw this:
root#: ls /dev
[many things] disk0s1s1 disk0s1s2 disk0s1s3

I have a few iOS devices, some jailbroken, and I've never seen a third partition like that one. I was curious, and I used dd to make a copy of it:
root#: dd if=/dev/disk0s1s3 of=/private/var/mobile/disk0s1s3.dd
102400+0 records in
102400+0 records out
52428800 bytes (52 MB) copied, 9.74899 s, 5.4 MB/s

I copied the file back to my Mac, and used hdiutil to attach the raw image:
root#: hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount /private/var/root/Desktop/disk0s1s3.dd
/dev/disk1 (mount point)
Then check its name:
root#: diskutil list
/dev/disk1 (disk image):
#: TYPE NAME SIZE IDENTIFIER
0: Update +52.4 MB disk1
Then mount it:
root#: diskutil mount /dev/disk1
Volume Update on /dev/disk1 mounted
Then, I browse the files in the "Update" partition, and in it I see:
applelogo
apticket.der
devicetree
iBEC
kernelcache
ramdisk
(screenshot attached)
It looks like something to do with an iOS update. Now, I know that I can convert that apticket.der to an SHSH blob with img4tool, but I don't even know what iOS version this is from. So I use some strings commands to see if there's anything that could give me a clue as to when it's from, and then:
root#: strings /Volumes/Update/ramdisk
[lots of strings including some referencing FreeBSD from 2005]
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ProductBuildVersion</key>
<string>11B554a</string>
<key>ProductCopyright</key>
<string>1983-2013 Apple Inc.</string>
<key>ProductName</key>
<string>iPhone OS</string>
<key>ProductVersion</key>
<string>7.0.4</string>
<key>ReleaseType</key>
<string>Restore</string>
</dict>
</plist>
10.0
OPESL

I don't know the original name of this XML file, nor do I know how to decrypt and extract this type of ramdisk, but it does tell me what version it was. I've never seen a partition like this, and I'm not sure if the SHSH blob that I got after converting with img4tool will work, but I never knew these partitions existed. This has to have been an OTA update, so will the blob I got out from the apticket.der work to restore 7.0.4? (I can always go back to 6.1.3 because of the OdysseusOTA glitch if necessary, so if there's any risk of having to restore, it's a risk I'd be willing to take.) And is it safe to delete this partition to use CoolBooter? (It says it has an unusual partition layout, which I know is because of this partition.) I'd assume it'd be safe as it doesn't seem to do anything, and I have a dd copy of it, but I could be wrong.
Thanks for any help. I can upload those files if someone wants them or anything.
Newhacker (not so new anymore)
 

Attachments

  • Screen Shot 2017-06-18 at 12.50.21 AM.png
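The version lookup done above with strings can be scripted. The following is an added example, not part of the original post: it scans a raw dump for embedded XML property lists, reports the version fields, and records the size and SHA-256 of the image. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import plistlib
import re
import sys

# One <plist>...</plist> element with no second "<plist" start inside it, so a
# truncated fragment earlier in the image cannot swallow a later intact plist.
PLIST_RE = re.compile(rb"<plist[\s>](?:(?!<plist[\s>]).)*?</plist>", re.DOTALL)
VERSION_KEYS = ("ProductName", "ProductVersion", "ProductBuildVersion", "ReleaseType")


def embedded_version_plists(blob: bytes) -> list:
    """Return (offset, fields) for each embedded XML plist carrying version keys."""
    hits = []
    for match in PLIST_RE.finditer(blob):
        try:
            plist = plistlib.loads(match.group(0), fmt=plistlib.FMT_XML)
        except Exception:
            continue  # looked like a plist but is damaged or not well-formed
        if isinstance(plist, dict) and "ProductVersion" in plist:
            fields = {k: plist[k] for k in VERSION_KEYS if k in plist}
            hits.append((match.start(), fields))
    return hits


def describe_image(blob: bytes) -> dict:
    """Size, SHA-256 and version plists of a raw dump, recorded before any changes."""
    return {"size": len(blob), "sha256": hashlib.sha256(blob).hexdigest(),
            "versions": embedded_version_plists(blob)}


# Constructed sample: filler bytes, a truncated plist fragment, then the plist
# text quoted in the post, standing in for the real ramdisk or disk0s1s3.dd.
SAMPLE = (
    b"\x00\x7fFreeBSD\x00" + b'<plist version="1.0"><dict><key>Trunc\xff\x00'
    + b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
    + b"<key>ProductBuildVersion</key>\n<string>11B554a</string>\n"
    + b"<key>ProductName</key>\n<string>iPhone OS</string>\n"
    + b"<key>ProductVersion</key>\n<string>7.0.4</string>\n"
    + b"<key>ReleaseType</key>\n<string>Restore</string>\n"
    + b"</dict>\n</plist>\n10.0\x00OPESL\x00"
)

if __name__ == "__main__":
    # Pass the path of a dump to inspect it; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(describe_image(data))
```

This only finds plists stored as plain text in the image; content inside an encrypted or compressed container will not match.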