Unc0ver v2.1.0 @ iOS 11.3.1 on iPhone 6
So, I keep trying to use Unc0ver's Restore ROOTFS (rec0ver) option, and it appears to be working in the interface, but the system just reboots and no changes are done. It's worth mentioning that I get the message that the snapshot has been renamed and the operation has completed and the phone will restart, but after restart nothing has been changed. The jailbreak apps are still in place and the phone reboots to the springboard with no apparent sign of obliteration.
I reported a week ago this bug directly to Pwn20wnd on Twitter DMs, but he concluded that I "did something wrong" and it cannot be a thing because he tested the mechanism.
Today I have done some investigation.
According to the code, the snapshot should be in /var/MobileSoftwareUpdate/mnt1 but the directory is actually empty. I have no idea how it came out to be empty as I have never done any modifications to that path.
The issues started after I updated to the v2.x but I am not sure which version caused the removal of the snapshot.
What is strange is that even tho there is no snapshot to rename, Unc0ver keeps on claiming it has been renamed which makes one believe the process succeeded. Another thing that I saw is that the pop-ups about the rename and the completion come one after the other. It used to take a few seconds with older versions. Now it pops that it has been renamed, then it pops that it will reboot right after that and it reboots.
GeoSn0w
All 10 comments
Update: Rollectra / SemiRestore 11 does work, it performs an actual full restore.
GeoSn0w
on 4 Jan 2019
The older Jailbreak apps are gone if u Jailbreak the first time after restoring and uicache has been ran ...
iM4CH3T3
on 4 Jan 2019
after writing the wall of text below, I realized I had written a wall of text that no one will probably ever read. But it’s worth it. I promise.
Today I have done some investigation. According to the code, the snapshot should be in /var/MobileSoftwareUpdate/mnt1 but the directory is actually empty.
This code is actually only executed if you’re running iOS 11.2.6 or older.
There are two ways of restoring your rootfs:
The first way is to essentially undo the apfs snapshot bypass. On a normal, stock iOS 11.3+ device, every time the device boots, iOS attempts to restore the rootfs of the device. iOS expects there to be an APFS snapshot of a completely clean, fresh system, and iOS expects this snapshot to be named "com.apple.os.update.XXXXXXXXX”. If iOS finds a snapshot under that name, it automatically restores it as the device boots. This was initially a problem for jailbreakers as it would revert any changes they made to the rootfilesystem. However, it was discovered that if you simply rename “com.apple.os.update.blahblahblah” to a different name, iOS can’t find the snapshot, so it doesn’t restore during boot, so all jailbreaks for iOS 11.3 rename it to “orig-fs”. At any time, if you want to revert all changes, all you have to do is rename it back to the snapshot name expected by the system, iOS will find the snapshot on the next boot, and restore it. The benefit to this process is, renaming a snapshot only takes a few seconds, and iOS handles the restore itself, so it’s hypothetically more stable. Magical! The downside is, when iOS restores an APFS snapshot, it also automatically deletes all other apfs snapshots on the device, so if you use APFS to make backups of your setup, those will be lost forever.
The second and less preferable way is to mount the snapshot to iOS’ mountpoint, then use a tool called rsync, which basically says "make the target folder (/) identical to the source folder (ios’ mountpoint, which is /var/MobileSoftwareUpdate/mnt1)". /var/MobileSoftwareUpdate/mnt1 is always empty, unless you actually have something mounted there. So even though jailbreakers haven’t always had perfectly clean system snapshots handed to them by Apple, we have always made them manually (electra and unc0ver have always created a backup of stock, “right before jailbreak” on iOS 11.0-11.2.6, and this snapshot has always been (and I suspect, always will be, for the future) named "orig-fs". This snapshot can be mounted onto any empty folder, however pwn20wnd chose /var/MobileSoftwareUpdate/mnt1 because it requires less permissions to mount to that folder (and you can test this yourself, run mount_apfs -s orig-fs / /var/MobileSoftwareUpdate/mnt1 in terminal as root, you’ll see that inside of mnt1, there is now a perfectly clean rootfilesystem that also takes zero storage). The downside to mounting a filesystem there and rsyncing / to it is that it takes much longer, and isn’t as safe as iOS restoring it, as if the device reboots or panics or battery dies in the small window where rsync is actually making changes, then RIP. The good thing about it is, it doesn’t delete any other snapshots on your system, so any backups you may have made are preserved.
Update: Rollectra / SemiRestore 11 does work, it performs an actual full restore.
It should also be noted that unc0ver and Rollectra both run the exact same code, and neither perform a full system restore as iTunes or Cydia Eraser would, unc0ver and rollectra simply revert to an earlier backup. If you don’t have a snapshot to revert to, neither will help you.
In your specific case, I have no clue why rollectra worked for you when unc0ver didn’t, but it wasn’t because your snapshot was deleted, otherwise neither tool would ever have worked for you.
Samgisaninja
on 4 Jan 2019
@GeoSn0w Can you install "snappy" from the Elucubratus repository and run "snappy -f / -l" and send the output?
pwn20wndstuff
on 4 Jan 2019
(I definitely realize this issue now, I need to write a better logic to find the stock snapshot)
pwn20wndstuff
on 4 Jan 2019
Will list snapshots on / fs
orig-fs
iPhone:~ root#
@GeoSn0w I have pushed v2.1.1~b1 with various changes and a possible fix for your issue
pwn20wndstuff
on 5 Jan 2019
The issue persists even so.
GeoSn0w
on 8 Jan 2019
Please post a diagnostics log from this happening if it still is, or verify that it has been fixed. This is ancient...
sbingner
on 6 Feb 2019
@GeoSn0w ^
Cryptiiiic
on 13 Feb 2019
Related issues
gbm777
·
3Comments
miguelr4720
·
3Comments
rorcores
·
4Comments
shsh2
·
3Comments
bachle22
·
4Comments
Most helpful comment
after writing the wall of text below, I realized I had written a wall of text that no one will probably ever read. But it’s worth it. I promise.
This code is actually only executed if you’re running iOS 11.2.6 or older.
There are two ways of restoring your rootfs:
The first way is to essentially undo the apfs snapshot bypass. On a normal, stock iOS 11.3+ device, every time the device boots, iOS attempts to restore the rootfs of the device. iOS expects there to be an APFS snapshot of a completely clean, fresh system, and iOS expects this snapshot to be named "com.apple.os.update.XXXXXXXXX”. If iOS finds a snapshot under that name, it automatically restores it as the device boots. This was initially a problem for jailbreakers as it would revert any changes they made to the rootfilesystem. However, it was discovered that if you simply rename “com.apple.os.update.blahblahblah” to a different name, iOS can’t find the snapshot, so it doesn’t restore during boot, so all jailbreaks for iOS 11.3 rename it to “orig-fs”. At any time, if you want to revert all changes, all you have to do is rename it back to the snapshot name expected by the system, iOS will find the snapshot on the next boot, and restore it. The benefit to this process is, renaming a snapshot only takes a few seconds, and iOS handles the restore itself, so it’s hypothetically more stable. Magical! The downside is, when iOS restores an APFS snapshot, it also automatically deletes all other apfs snapshots on the device, so if you use APFS to make backups of your setup, those will be lost forever.
The second and less preferable way is to mount the snapshot to iOS’ mountpoint, then use a tool called rsync, which basically says "make the target folder (/) identical to the source folder (ios’ mountpoint, which is /var/MobileSoftwareUpdate/mnt1)". /var/MobileSoftwareUpdate/mnt1 is always empty, unless you actually have something mounted there. So even though jailbreakers haven’t always had perfectly clean system snapshots handed to them by Apple, we have always made them manually (electra and unc0ver have always created a backup of stock, “right before jailbreak” on iOS 11.0-11.2.6, and this snapshot has always been (and I suspect, always will be, for the future) named "orig-fs". This snapshot can be mounted onto any empty folder, however pwn20wnd chose /var/MobileSoftwareUpdate/mnt1 because it requires less permissions to mount to that folder (and you can test this yourself, run mount_apfs -s orig-fs / /var/MobileSoftwareUpdate/mnt1 in terminal as root, you’ll see that inside of mnt1, there is now a perfectly clean rootfilesystem that also takes zero storage). The downside to mounting a filesystem there and rsyncing / to it is that it takes much longer, and isn’t as safe as iOS restoring it, as if the device reboots or panics or battery dies in the small window where rsync is actually making changes, then RIP. The good thing about it is, it doesn’t delete any other snapshots on your system, so any backups you may have made are preserved.
It should also be noted that unc0ver and Rollectra both run the exact same code, and neither perform a full system restore as iTunes or Cydia Eraser would, unc0ver and rollectra simply revert to an earlier backup. If you don’t have a snapshot to revert to, neither will help you.
In your specific case, I have no clue why rollectra worked for you when unc0ver didn’t, but it wasn’t because your snapshot was deleted, otherwise neither tool would ever have worked for you.