How to use Gecko iPhone Toolkit
Today's thingy: This ceramic cat I found in a charity shop but didn't have the space for. I love that it was placed right where a cheeky cat would be.
A few weeks ago we found my partner's old iPod Touch 4G he used to use over 10 years ago. Unfortunately, in trying to guess the password and get in, we permanently disabled it. It read "iPod is disabled // connect to iTunes". I did so, but got instructions on how to "Restore" it, which would wipe the iPod completely. Obviously, we didn't want to do that, as the joy of finding the device was mostly to do with us basically having found a time machine! We'd have pictures of his kid self, his friends and family 10 years ago, the music he listened to and the games he played, including his old Minecraft PE worlds.
I'm unemployed, so what I don't have in money, I do have in free time. So with his birthday coming up I thought it would be a great gift to unlock the iPod for my partner. It took me about a week straight of work to unlock it, but it was definitely user error and dilly dallying for a good part of that, and problems with my Windows XP machine.
But also, with the number of people on Reddit asking the same question, I think we need a proper step-by-step tutorial. The software is 14 years old and I still couldn't find a comprehensive guide. This blog post was the closest I could get, but even they overcomplicated it (though kudos, as they do provide download links for some of the software you'll need!). So I'm making the guide I needed myself.
With a fresh Windows 7 install on my Thinkpad (x220), the whole process took maybe an hour, probably much shorter if I was focused.
For ease of navigation, here's the outline of this post:
- You will need
- Alternatives and why beginners should probably use Gecko
- Tutorial A: Bypassing "iPhone is disabled"
- Tutorial B: Reading the 4-digit passcode
This is probably so much longer than it needs to be, but if I'm going to make a guide it's going to cover everything I know.
You will need
I'll list what I personally used, and what I know about alternatives.
- Apple device that needs unlocking.
- Supported: iPhone 2/3G/3GS/4, iPad 1, iPod Touch 2/3/4.
- I'm not sure if the iOS matters, but my iPod Touch 4th Gen was using iOS 5.0.1. I've heard chat that 5.1 onwards may not work, but it's worth trying.
- 30 pin USB cable (as in your iPhone/iPod/iPad charger)
- Personal Computer (PC)
- Needs an internet connection
- OS: Windows 7 (Windows XP may work, but I refuse to connect my old Windows XP machine to the internet so it didn't work for me. iTunes also kept bugging out.)
- Files/Programs/Applications
- Gecko iPhone Toolkit - This is the application that will help us to get into the locked/disabled device. (file: Gecko_iPhone_Toolkit.exe, you may also find it as a .zip file)
- Microsoft .NET Framework 4 - This is the installer for the Microsoft .NET Framework (4.0), which is a software thing to build/run Windows applications, such as Gecko iPhone Toolkit. I'm not sure which version Gecko actually requires at minimum, and some versions of Windows 7 may come with .NET Framework 3.5.1, but I dunno if it'll work as mine didn't have it and needed the install. (file: dotNetFx40_Full_x86_x64.exe)
- Java Runtime Environment - The script used by Gecko is a .jar file, which needs Java to run. msftguy says it needs a 32-bit JRE. It worked fine with most versions (called updates) of Java 8 I used, but on my Windows 7 laptop I had to go with Java 8 Update 391 because I needed a .exe file as it was having trouble with .msi files for some reason. (file: jre-8u391-windows-i586.zip)
- iTunes - The bypass needs iTunes 9 or newer installed, but note I've not seen it tried past iTunes 11.0.5. I used 10.7 and it was fine. (file: iTunes 10.7 x64.exe)
All of the files shouldn't be too hard to find online. When I can trace back where I got them, I'll pop in a link. Otherwise, I recommend archive.org for legit older versions of the big brand stuff (iTunes, Java, Microsoft), though if I'm not wrong Apple rarely takes down downloads so you could get old iTunes straight from the source if you can find it.
Alternatives and why beginners should probably use Gecko
While troubleshooting, I tried to use the SSH ramdisk .jar file (file: ssh_rd_rev04b.jar) on my own, and got so far as successfully logging into localhost:2022 with PuTTY. But then I had no idea what the next steps "Use mount.sh script to mount the partitions" or "Use reboot_bak to reboot" meant for me (where would I find those files? how do I run them? what partitions?).
You've probably also seen instructions elsewhere that suggest downloading PuTTY or WinSCP to do it, but you can ignore that if you're using Gecko. Just let it do the work for you with plink.exe, which it comes with (thereby avoiding the confusion above altogether).
Still, if it sounds within your ability, here's a Reddit post walking you through the bypass process using the .jar file, a SSH client and a .plist editor.
Side note, you might be able to access the photos on it without all this by plugging it in to a known computer, as in one that you've backed it up to or connected to before. If you have any old computers you might have used 10 years ago, plug it in and see if you're in luck there.
Tutorial A: Bypassing "iPhone is disabled"
Step 0: Setup
Windows 7: If you don't already have a Windows 7 machine, find an old laptop and install it onto there (just make sure everything you care about is backed up, because a fresh install usually means a wipe). I can't do the whole tutorial here because clearly I'm a yapper and this tutorial would become too long, but here are some things I found useful.
- Archive.org to find the Windows ISO to download
- Rufus to put it on my USB to boot from there
Again, I don't know if Windows XP works, but I'm not risking that internet connection on my ancient desktop.
Software: Install all 4 programs in the "You will need" section above onto your Windows 7 device. I think Gecko is portable and doesn't need an install install, so just unzip it and put the file on your computer so you're not running it off a USB or something.
Step is done when you've completed installing .NET Framework, Java, and iTunes one by one, and the application Gecko iPhone Toolkit is on the computer. If you plug in the device, iTunes should be able to recognise it, but will not be able to connect to it as it needs a passcode.
Step 1: Open Gecko iPhone Toolkit and start bypass
Double click the app. Its logo is an open cardboard box with a CD in front of it.
You should see a simple thing open with some tabs that read:
- Read lockscreen password
- Bypass "iphone disabled"
- Other fix
- Info
- Advanced
Click on 'Bypass "iphone disabled"' and go to the drop-down menu (empty rectangle with small triangle in it) and select the device you're going to work on. Then, click the "Bypass" button to its right.
A pop-up should appear saying "follow the instructions to put your phone into DFU mode, when the program shows 'ALL OK' and your phone is on Apple logo with progress bar, close the program by clicking the X button in corner and wait," with an 'OK' button in the corner. (BTW: the program never says "ALL OK", it actually says "Success!")
Click the OK button.
Step is done when a Java RE window (logo with a cup of coffee) pops up in the top left. It'll tell you about the program, the makers and credits, and who to report bugs to. In bold near the bottom will be the text "Connect a device in DFU mode".
Troubleshooting: If it's not opening as normal, go back to Step 0 and make sure all programs are functioning properly. If not, install again or try another version.
Step 2: Connect device in DFU mode
The process for any of the supported devices here should be the same. To put the iPod into DFU mode:
- Plug the iPod in to the computer.
- Shut down the iPod by holding the power button until "slide to power off" appears, then slide to power off. (note: plug in the device BEFORE powering off, as plugging it in tends to power it on again)
- Hold down the power button and home button at the same time. The Apple logo will show up during this, but ignore that.
- After 8-10 seconds, release ONLY the power button, and keep holding the home button.
Step is done when the window says something like "MobileDevice event: DfuConnect" and/or "DFU device 'iPod Touch 4G' connected". If successful, or you already had your device connected in DFU mode, the program should carry on to "Building ramdisk for device 'iPod Touch 4G'" (or whatever your device is.)
Step 3: Wait for ramdisk build
Under "Building ramdisk for device 'iPod Touch 4G'", the program will set up a working directory and download some files off the internet to process and get into the device.
All or most of these files can be found in a file from Apple (iPod4,1_5.0.1_9A405_Restore.ipsw) which you technically could extract into the working directory yourself, but I highly, HIGHLY suggest letting the program download and process what it needs by itself. I extracted the files myself because I didn't have Internet on my XP machine, and again before I'd set up my WLAN drivers on the Win7 machine, and it caused a world of pain because the program seemed to work but never actually ended up getting into the iPod, just continually connected and ignored the device till it gave up with no error message.
Just let the program use the internet.
Step is done when you see "Using syring to exploit the bootrom..." in black, and later "Exploit sent!" in green.
Troubleshooting: If the downloads failed, make sure your Internet is working. If you'd like, you can also copy the file address and pop it into Explorer and clear whatever's in the ssh_rd folder (though don't delete anything if you don't know what it's for).
Troubleshooting 2: Sometimes I would get the error message "Exploit device failed!" in red, to which I just closed the program (and all the popups that followed), restarted the iPod and put it into DFU mode again, then tried again.
Step 4: Wait for success message
Now, it may show your device is connecting and disconnecting over and over, but that's normal. It'll do that a few times, and will also go into Recovery mode temporarily, at which point the screen of your iPod will likely flash for a second. The program will say "Almost there...", then show it connecting normally one last time (MuxConnect), then...
Success!
Step is done when you see a bold green "Success!" followed by some instructions. Ignore them. Your device should now show an apple logo with a loading bar under it that isn't moving.
Step 5: Close that window and let Gecko help you
Ignore the instructions about connecting to localhost as Gecko is going to do that for you. Just close that window by clicking the "X" in the top right corner and wait.
You may have a terminal window pop up that asks "Store key in cache?
Step is done when there is just Gecko iPhone Toolkit on your screen (and maybe one more Java window). Your device should be booting up as normal at this point, first showing the Apple logo and then turning on to let you enter the passcode. Feel free to close any windows you'd like now that the device is on.
Intermission: Where we are now and what next
At this point, our device is no longer disabled! This was done by basically changing some files inside the device and giving us unlimited tries on the password. If you know the passcode, that's it for you. For the rest of us...
We will be using Gecko again to get the passcode. Since this is a brute force method, as in the program will be trying every number until something works, it probably will not work to find a text password. If you have a 4-digit passcode, you're in luck.
Tutorial B: Reading the 4-digit passcode
Step 6: Open Gecko again and start password reading
Like we did in Step 1, open Gecko iPhone Toolkit.exe, and this time click on 'Read lockscreen password'.
Go to the drop-down menu, this time under "Step 1: Boot ramdisk using redsn0w" and select the device you're going to work on. Then, click the "Boot" button to its right.
Step is done when a window with some instructions
Step 7: Connect device in DFU mode
You know how to do this now, instructions in Step 2.
After this, click the "Next" button.
Step 8: Wait for "OK"
Your device should have booted up now with a pineapple logo in lieu of an apple, and then show lines of very small text. The window on your computer will read "click cancel when you see ok onscreen and go to step 2", with "Done!" a few lines under after a few seconds.
This "OK" will be on the Apple device in big letters made of small dot characters. I missed it the first time because I was looking at the tiny text but it's really like an ASCII picture of the word "OK".
Once you see the big OK on your iPod, click the "Cancel" button on the window.
Step 9: Launch the passcode reading tool
Click the "Launch" button next to the text "Step 2: once redns0w has finished click Launch". You'll be met with a window with some instructions and info. Just click 'OK' and leave the device plugged in.
This should start more text going on the device as the program tries each passcode one by one. As Gecko says, it could take up to 20 minutes, so I recommend just leaving it to run while you do something else. Make sure your laptop doesn't go to sleep in the meantime and that it's not going to die in that time either.
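The Intermission above explains that this is a brute force: every 4-digit code is tried in turn, and this step says that can take up to 20 minutes. The following is an added example, not part of the original post and not code from Gecko or msftguy's tools, that turns those two facts into a risk estimate: from the assumed worst case of 10,000 guesses in 20 minutes it derives an attempt rate, then shows how the same exhaustive search scales for longer and alphanumeric passcodes. The passcode policies and the attempt rate are constructed assumptions, and the rate is carried over unchanged to the other policies only to make the comparison concrete.

```python
# Added example: how long an exhaustive passcode search takes under
# different passcode policies, given a fixed attempt rate.
# Not part of the original post or of Gecko iPhone Toolkit.

# Constructed assumption: the post says a 4-digit search can take up to
# 20 minutes, i.e. 10,000 attempts in 1200 seconds in the worst case.
ATTEMPT_RATE_PER_SEC = 10_000 / (20 * 60)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passcodes of exactly `length` symbols drawn
    from an alphabet of `alphabet_size` symbols."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need length >= 1 and alphabet_size >= 2")
    return alphabet_size ** length


def worst_case_seconds(length: int, alphabet_size: int,
                       rate: float = ATTEMPT_RATE_PER_SEC) -> float:
    """Seconds to try every passcode once at `rate` attempts per second
    (the last code tried is the correct one)."""
    return keyspace(length, alphabet_size) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits, one decimal."""
    units = [("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


# Constructed policies for comparison: (label, length, alphabet size).
POLICIES = [
    ("4-digit PIN", 4, 10),
    ("6-digit PIN", 6, 10),
    ("8 lowercase letters", 8, 26),
    ("8 mixed-case letters and digits", 8, 62),
]


def policy_table(rate: float = ATTEMPT_RATE_PER_SEC):
    """Return (label, keyspace, worst-case seconds) for each policy."""
    return [(label, keyspace(n, a), worst_case_seconds(n, a, rate))
            for label, n, a in POLICIES]


if __name__ == "__main__":
    for label, size, secs in policy_table():
        print(f"{label:32} {size:>16,} codes  worst case {human_duration(secs)}")
```

At the post's rate the 4-digit search tops out at 20 minutes, a 6-digit PIN at roughly 1.4 days, and an 8-character mixed-case alphanumeric passcode at far longer than any device's lifetime, which is why the Intermission notes that this method is only practical against a short numeric passcode.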
Step 10: Enjoy your passcode!
At some point, the process will stop at a number and it'll know it's your password. When it gets there, the little box at the bottom of the Gecko iPhone Toolkit application will have a bunch of text in it. The only thing you're looking out for is on line 9, {'passcode': 'xxxx'} which will have your passcode in it!
Now, just restart the device by holding down the power and home buttons until the Apple logo shows up. Type in the passcode and you should be in!
That's it!
I'm pretty sure by now it shouldn't be too much of a problem having this guide online because seriously, who except the owners of these devices is trying to get into them (especially since it's easier to just full Restore a device)? Plus, none of us have warranty anymore. Apple don't kill me :)
If you have any questions, I'm sorry! I think I've shared everything I know.
Big credits to msftguy who made the .jar file that did all the hard work.
