The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "IMG4 File Format"
(Not just A7.) |
m |
||
(14 intermediate revisions by 7 users not shown) | |||
Line 1: | Line 1: | ||
+ | The '''IMG4 file format''' is a replacement for the [[IMG3 File Format|IMG3 file format]] and is used on devices running a 64-bit processor (A7 or newer). It's also used across the entire [[List of Apple Watches| Apple Watch series]], in both the armv7k and arm64_32 processors. Just like the old IMG3 file format, it is used to contain files used by iOS' secure boot chain ([[#IMG4_Payload|'''im4p''' files]]), signatures of those files ([[#IMG4_Manifest|'''im4m''']]/<code>ApImg4Ticket</code> files) and some info used in the [[Restore_Process|Restore Process]] ("<code>IM4R</code>" can be found in MobileDevice framework). A complete IMG4 file is the result of concatenating the payload, manifest and restore info (aka boot nonce) in one file and wrapping it with an IMG4 header. |
||
− | There is an '''img4''' file (sep-firmware.img4) found in /user/standalone/firmware on [[iOS]] 7.0.4 for the [[iPhone 5s]]. The IPSWFILE/Firmware/all_flash/all_flash.DEVICEIDENTIFIER.production for any [[A7]] (64 bit) device and newer, contains an IM4P version of the same file. The file is an [http://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One#Example_encoded_in_DER DER encoded ASN.1 object] and structured as follows: |
||
− | == |
+ | == Structure == |
+ | Contrary to the [[IMG3 File Format|IMG3 file format]] where a custom binary format was used, IMG4 files (and their payloads) are [[wikipedia:X.690#DER encoding|DER]] encoded [[wikipedia:Abstract Syntax Notation One|ASN.1]] objects. The reason for Apple's choice of ASN.1/DER encoding over their own binary [[PList File Format|Property List]] (PList) file format is unknown. |
||
<pre> |
<pre> |
||
+ | sequence [ |
||
− | 30 - type tag indicating SEQUENCE |
||
+ | 0: string "IMG4" |
||
− | 8 - ? |
||
+ | 1: payload - IMG4 Payload, IM4P |
||
− | 3 - 2,3,4 length in octets of value that follows (length of next value; size of file) |
||
+ | 2: [0] (constructed) [ |
||
− | x octets - size of file from here |
||
+ | manifest - IMG4 Manifest, IM4M |
||
− | 16 - indicating an [http://en.wikipedia.org/wiki/IA5String IA5String] to follow |
||
+ | ] |
||
− | 04 - length in octets of IA5String that follows |
||
+ | ] |
||
− | 49 4D 47 34 - IA5String, the magic "IMG4" |
||
− | ... - sequential data |
||
</pre> |
</pre> |
||
+ | ==IMG4 Payload== |
||
+ | Payload contains the actual content of the file. IMG4 format allows to store payload in a separate file with '''im4p''' extension. '''im4p''' files are used more often than complete IMG4 files. Payload is structured as follows: |
||
+ | <pre> |
||
+ | sequence [ |
||
+ | 0: string "IM4P" |
||
+ | 1: string type - ibot, rdsk, sepi, ... |
||
+ | 2: string description - 'iBoot-1940.1.75' |
||
+ | 3: octetstring - the encrypted/raw data |
||
+ | 4: octetstring - containing DER encoded KBAG values (optional) |
||
+ | sequence [ |
||
+ | sequence [ |
||
+ | 0: int: 01 |
||
+ | 1: octetstring: iv |
||
+ | 2: octetstring: key |
||
+ | ] |
||
+ | sequence [ |
||
+ | 0: int: 02 |
||
+ | 1: octetstring: iv |
||
+ | 2: octetstring: key |
||
+ | ] |
||
+ | ] |
||
+ | ] |
||
+ | </pre> |
||
+ | |||
+ | ==IMG4 Manifest== |
||
+ | A.k.a. IM4M. Contains signature for one or multiple IMG4 payloads. Manifests are designed in a way that they can be stored separately from an IMG4 file or be a part of one. An example of an IMG4 manifest is ApImg4Ticket. Each IMG4 manifest is made of tags structured as follows (content = DER encoded object): |
||
+ | <pre> |
||
+ | [type] (private) [ - DER tag's class is the type of the tag (4 bytes) encoded as a big-endian integer |
||
+ | sequence [ |
||
+ | string type - type of the tag, 4 bytes |
||
+ | content - content of the tag |
||
+ | ] |
||
+ | ] |
||
+ | </pre> |
||
+ | Manifest structure (tag <type> = tag of type 'type'): |
||
+ | <pre> |
||
+ | sequence [ |
||
+ | 0: string "IM4M" |
||
+ | 1: integer version - currently 0 |
||
+ | 2: set [ |
||
+ | tag MANB [ - manifest body |
||
+ | set [ |
||
+ | tag MANP [ - manifest properties |
||
+ | set [ |
||
+ | tag <manifest property> [ |
||
+ | content |
||
+ | ] |
||
+ | ... - tags, describing other properties |
||
+ | ] |
||
+ | ] |
||
+ | tag <type> [ - ibot, illb, sepi, krnl, NvMR, bbcl... |
||
+ | set [ |
||
+ | tag <tag property> [ |
||
+ | content |
||
+ | ] |
||
+ | ... |
||
+ | ] |
||
+ | ] |
||
+ | ... - tags for other images |
||
+ | ] |
||
+ | ] |
||
+ | ] |
||
+ | 3: octet string signature |
||
+ | 4: sequence [ - containing certificate chain (arbitrary number of certificates) |
||
+ | certificates |
||
+ | ] |
||
+ | </pre> |
||
+ | |||
+ | |||
+ | == External Links == |
||
+ | * [https://twitter.com/i0n1c/status/501299082603020288 i0n1c's tweet]<!-- TODO: Work this into the article --> |
||
+ | * [https://www.itu.int/rec/T-REC-X.690/en X.690 - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)] |
||
+ | [[Category:File Formats]] |
||
− | {{stub|software}} |
Latest revision as of 20:15, 8 April 2022
The IMG4 file format is a replacement for the IMG3 file format and is used on devices running a 64-bit processor (A7 or newer). It's also used across the entire Apple Watch series, in both the armv7k and arm64_32 processors. Just like the old IMG3 file format, it is used to contain files used by iOS' secure boot chain (im4p files), signatures of those files (im4m/ApImg4Ticket
files) and some info used in the Restore Process ("IM4R
" can be found in MobileDevice framework). A complete IMG4 file is the result of concatenating the payload, manifest and restore info (aka boot nonce) in one file and wrapping it with an IMG4 header.
Structure
Contrary to the IMG3 file format where a custom binary format was used, IMG4 files (and their payloads) are DER encoded ASN.1 objects. The reason for Apple's choice of ASN.1/DER encoding over their own binary Property List (PList) file format is unknown.
sequence [ 0: string "IMG4" 1: payload - IMG4 Payload, IM4P 2: [0] (constructed) [ manifest - IMG4 Manifest, IM4M ] ]
IMG4 Payload
Payload contains the actual content of the file. IMG4 format allows to store payload in a separate file with im4p extension. im4p files are used more often than complete IMG4 files. Payload is structured as follows:
sequence [ 0: string "IM4P" 1: string type - ibot, rdsk, sepi, ... 2: string description - 'iBoot-1940.1.75' 3: octetstring - the encrypted/raw data 4: octetstring - containing DER encoded KBAG values (optional) sequence [ sequence [ 0: int: 01 1: octetstring: iv 2: octetstring: key ] sequence [ 0: int: 02 1: octetstring: iv 2: octetstring: key ] ] ]
IMG4 Manifest
A.k.a. IM4M. Contains signature for one or multiple IMG4 payloads. Manifests are designed in a way that they can be stored separately from an IMG4 file or be a part of one. An example of an IMG4 manifest is ApImg4Ticket. Each IMG4 manifest is made of tags structured as follows (content = DER encoded object):
[type] (private) [ - DER tag's class is the type of the tag (4 bytes) encoded as a big-endian integer sequence [ string type - type of the tag, 4 bytes content - content of the tag ] ]
Manifest structure (tag <type> = tag of type 'type'):
sequence [ 0: string "IM4M" 1: integer version - currently 0 2: set [ tag MANB [ - manifest body set [ tag MANP [ - manifest properties set [ tag <manifest property> [ content ] ... - tags, describing other properties ] ] tag <type> [ - ibot, illb, sepi, krnl, NvMR, bbcl... set [ tag <tag property> [ content ] ... ] ] ... - tags for other images ] ] ] 3: octet string signature 4: sequence [ - containing certificate chain (arbitrary number of certificates) certificates ]