Overview
IPSF users can probably recover the value their seczone token had before IPSF zeroed it out.
Details
Saving the cache
IPSF users should do the following:
- Make sure you have the BSD subsystem on your iPhone
- Log into your iPhone and type: cp $(find /var/root/Library/Caches/bbsimfree -name "*.cache") /ipsf.cache
- If you get an error like "missing destination file" then you either have no cache or you typed something wrong
- Copy that cache off of your iPhone and save it! It contains very valuable data.
The existence of this important file was reported by sh1n1gam1 on the iPhone Elite forums.
Using the cache
To recover your token manually, do the following:
- Using a hex editor, find the LTOKEN1.0 string in the cache and note its starting offset (call this value "a"). In my cache, a=0x1e7.
- Compute the offset of the encrypted seczone, which is 0x810 bytes after the start of that string: b = a + 0x810. So for my cache, b = 0x9f7.
- Extract the 0x2000 bytes beginning at that offset into a file called "en"
- Run geohot's deipsf program to produce the "de" file. That is your original seczone.
- Note that deipsf works only on little-endian architectures like x86 or ARM
- Sanity check the "de" file. It should begin with 0x100 bytes of "ff", and then non-ff bytes. If you don't see that, then something went wrong...try again.
- Use the decrypted seczone in a flow like this one: http://rdgaccess.com/iphone-elite/viewtopic.php?t=158
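The extraction step and the sanity check from the list above can be scripted instead of done in a hex editor. This is an added example, not code from the original page or from deipsf; the function names and the constructed test cache are assumptions, and decryption itself is still done by deipsf.

```python
import sys

MARKER = b"LTOKEN1.0"    # string the page says to search for
SECZONE_DELTA = 0x810    # b = a + 0x810
SECZONE_LEN = 0x2000     # bytes to extract into "en"
FF_PREFIX_LEN = 0x100    # "de" must start with this many ff bytes


def carve_encrypted_seczone(cache):
    """Return (a, b, en) for the single LTOKEN1.0 marker in the cache."""
    a = cache.find(MARKER)
    if a < 0:
        raise ValueError("LTOKEN1.0 not found; not an IPSF cache?")
    if cache.find(MARKER, a + 1) >= 0:
        # Added precaution, not from the page: refuse to guess between hits.
        raise ValueError("LTOKEN1.0 found more than once; choose by hand")
    b = a + SECZONE_DELTA
    en = cache[b:b + SECZONE_LEN]
    if len(en) != SECZONE_LEN:
        raise ValueError(f"cache truncated: {len(en):#x} bytes at {b:#x}")
    return a, b, en


def looks_like_seczone(de):
    """Page's sanity check: 0x100 bytes of ff followed by a non-ff byte."""
    return (len(de) > FF_PREFIX_LEN
            and de[:FF_PREFIX_LEN] == b"\xff" * FF_PREFIX_LEN
            and de[FF_PREFIX_LEN] != 0xFF)


def constructed_cache(a=0x1E7):
    """Constructed test input: filler, marker at `a`, recognisable seczone."""
    body = bytes(a) + MARKER
    body += bytes(a + SECZONE_DELTA - len(body))   # pad up to offset b
    return body + b"\xAA" * SECZONE_LEN + bytes(16)


if __name__ == "__main__":
    if len(sys.argv) == 2:                         # real cache file given
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:                                          # no file: use the constructed one
        data = constructed_cache()
    a, b, en = carve_encrypted_seczone(data)
    print(f"a={a:#x} b={b:#x} len(en)={len(en):#x}")
    if len(sys.argv) == 2:
        with open("en", "wb") as f:
            f.write(en)
```

Run it with the path to ipsf.cache to write "en"; after running deipsf, pass the contents of "de" to looks_like_seczone.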
I'd be curious to see if any IPSF users (unlock got to the end and worked) do not have this cache file.
It's on my phone and the offsets are the same for the ltoken as yours.
root@192.168.1.2's password:
# cp $(find /var/root/Library/Caches/bbsimfree -name ".cache") /ipsf.cache
find: /var/root/Library/Caches/bbsimfree: No such file or directory
cp: missing destination file operand after `/ipsf.cache'
Try `cp --help' for more information.
#
btw, this area is not exactly "zeroed out", and I think this unlock method will work with next baseband updates.
lionpeloche, what version of IPSF did you run on your iPhone? It's possible that IPSF started creating that cache file in later versions of their client app. For what it's worth, I ran version 1.6.
Hi shinig, it was 1.6, have you got the cache file? Within Caches directory there isn't any bbsimfree sub directory on mine.
I don't have it...
lionpeloche, yes I have the cache file. I was the one that found it and reported it ;-).
At the risk of asking the obvious, did you restore your iPhone after running IPSF? If you didn't, did you run IPSF on a virgin phone or on one that was previously unlocked with iUnlock or AnySim? If you didn't restore, the only explanation that I can think of why you don't have the cache file is if IPSF creates the cache file only on phones that have previously been unlocked by other means.
To clarify my previous comment, I ran IPSF on an iPhone that had previously been unlocked with AnySim.
Not there for me either. Oh well :(
Hi sh1n1g, sorry to not identify sh1n1gam1...;-)) I used SuperSim from the beginning, bought one IPSF license when available but didn't use it, waiting for the Dev Team release. After that I've used iUnlock and IPSF following 0049 IMEI. It could be a matter of date and not of revision, there may be a "before" and "after" the geohot and musclenerd IPSF explanation around 19th October. I've used IPSF before this date. My 2 cents only...
I also cannot locate the bbsimfree folder. By the way, I also want elite team to create a generate seczone program for us to make our iPhone become a PHONE not a BRICK......
Pls help
The new release 1.7rc4 stores 3 files, named 1, 2, 3, in /var/root
- file named "1" - Contains LToken Crypted
- file named "2" - Contains Firmware
- file named "3" - Contains 80 bytes (I don't know)
You can obtain them only if you have a valid license.
1) Start IPSF 1.7
2) After starting the "DUMP" process, power off the access point
3) IPSF tells you to restart the iPhone to complete the process.
4) Power off the iPhone immediately
After reboot you have the file
linuxmax99:
In my iPhone I found the referred file under the bbsimfree directory. Is it necessary to start IPSF 1.7 to obtain the LToken or not?
What is your advice?
Thanks for your great contribution!
I am able to follow all the steps up until "Run geohot's deipsf program to produce the "de" file."
Where can one obtain the program "deipsf?"
Thanks!
I found the ipsf prog in the TeaSeczone wiki in this site but it is not compiled. Has somebody compiled it for Windows? Does somebody have the binary?
I found the deipsf source code but I'm running into compilation errors and bus errors when compiling / running under xcode on my intel mac. Does anyone have a compiled binary either for intel mac or windows?
I don't have the file and ran IPSF on a virgin 1.1.1
I don't have the file either. Maybe for those of us who did a complete restore/reset to defaults in the Settings might have wiped it out?
Please give a link to the deipfs tool, I can't find it anywhere.
spamex, the source for deipsf is at http://lpahome.com/geohot/deipsf.c . You probably didn't find it because you looked for deipfs ...
Thank you sh1n1ng, I found it and it worked very well.
Isn't the important LToken saved in the imei.bin used by the unofficial revirginizing servers? I think they must be :P And how can I get it from that file and revirginize my IpSF revirginized iPhone so that I can be sure there will be no bricks when I update my iPhone.
Please mail me at eric.birgersson at gmail.com or reply in a comment here. =)
I have already restored my iPhone's firmware, so there is no cache left. I've contacted IPSF directly asking if in case of bootloader upgrade they will have means to restore iPhone to an original factory state, but so far no reply.
Hi! Interesting thoughts on this subject... Can I retrieve this token by just using e.g. Cyberduck and find the file? For me, that would be the "gui-way" (easy way) to find it, since I'm not very into terminal... Keep up the good work and spirit – thanx :-)
Hi.. I have ipsf.cache, how do I use it to recover my seczone.. I compiled deipsf.c and when run the program crashes...