The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.
Difference between revisions of "Firmware Keys"
(→Firmware Versions: 16.x placeholder)
(800 intermediate revisions by 44 users not shown)
Line 1:
− == Introduction ==
− These keys are for use with the 'vfdecrypt' tool to decrypt the main filesystem DMG found in every iPhone/iPhone 3G/iPod touch .ipsw file. Every key works on the main filesystem DMG for that build, regardless of whether the build is for the iPhone or the iPod touch, unless stated otherwise. The DMG you want is the larger one; for current 2.0 builds it can be 200+ MB.
+ __NOTOC__
+ '''Firmware Keys''' are the keys (and IVs) that decrypt the bootloaders, ramdisks, and [[:/|root filesystem]] of an iOS [[firmware]], where those components are encrypted. Apple encrypts them to make analysis and modification harder. Apple has changed the encryption scheme over time, so the way the files are decrypted, and the way their keys are obtained, has changed as well.
− ==
− ./vfdecrypt -i <dmg> -o decrypted_fs.dmg -k <key>
+ == History ==
+ With the release of the iPhone came the [[S5L File Formats#IMG2|IMG2]] file format, used on all known [[iOS|iPhone OS]] [[#1.x|1.x]] firmwares. The 1.1.x firmwares were encrypted with the [[AES Keys#Key 0x837|0x837 key]], and the discovery of that key made it possible to decrypt ''any'' 1.x firmware.
+ IMG2 was followed by the [[IMG3 File Format|IMG3]] file format, introduced with iPhone OS [[#1.x.2F2.x|2.0 beta 4]] and in use ever since. IMG3 files are encrypted with [[wikipedia:Advanced Encryption Standard|AES]] (the standardized form of [[wikipedia:Rijndael key schedule|Rijndael]]) in two layers: the image payload is encrypted with a per-image key and IV, and that key and IV are in turn stored in the file encrypted under the device's GID key. The pre-iPhone OS 3 [[VFDecrypt]] key for the root filesystem is not protected this way: it is stored in plain text in the "__restore" segment of the ASR binary inside the [[ramdisk]]s, which is why decrypting a ramdisk yields the filesystem key.
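The VFDecrypt key strings listed in the per-version sections of this page are 72 hex digits long, and that length is not arbitrary. The Python below is an illustration added to this page, not code from The iPhone Wiki or from vfdecrypt itself; it follows my reading of what vfdecrypt does with a `-k` key: the first 16 bytes are the AES-128 key, the remaining 20 bytes the HMAC-SHA1 key, and each 4096-byte chunk of the encrypted DMG is decrypted with AES-CBC under an IV derived from the chunk number. Because the Python standard library has no AES, the AES-CBC primitive is passed in as a callable; `decrypt_data_area` and the other function names are my own.

```python
"""Structure of a VFDecrypt (root filesystem DMG) key and per-chunk IV derivation.

Added illustration for this page, not code from The iPhone Wiki or from
vfdecrypt. It encodes my reading of vfdecrypt's -k handling: a 72-hex-digit
key is a 16-byte AES-128 key followed by a 20-byte HMAC-SHA1 key, and each
4096-byte chunk of the encrypted data area is decrypted with AES-128-CBC,
the IV for chunk n being the first 16 bytes of
HMAC-SHA1(hmac_key, n encoded as a big-endian 32-bit integer).
The standard library has no AES, so the AES-CBC primitive is passed in.
"""
import hashlib
import hmac
import struct

CHUNK_SIZE = 4096      # the image is processed in 4 KiB chunks
AES_BLOCK = 16


def split_vfdecrypt_key(key_hex):
    """Validate a wiki-style 72-hex-digit key and split it into (aes_key, hmac_key)."""
    key_hex = key_hex.strip().lower()
    if len(key_hex) != 72:
        raise ValueError("VFDecrypt key must be 72 hex digits, got %d" % len(key_hex))
    try:
        raw = bytes.fromhex(key_hex)
    except ValueError:
        raise ValueError("VFDecrypt key is not valid hex") from None
    return raw[:16], raw[16:36]


def chunk_iv(hmac_key, chunk_no):
    """IV for one chunk: HMAC-SHA1 over the big-endian chunk number, truncated to one AES block."""
    return hmac.new(hmac_key, struct.pack(">I", chunk_no), hashlib.sha1).digest()[:AES_BLOCK]


def decrypt_data_area(encrypted, key_hex, aes_cbc_decrypt):
    """Decrypt the encrypted data area chunk by chunk.

    aes_cbc_decrypt(key, iv, ciphertext) -> plaintext is supplied by the caller
    (for example from pycryptodome or cryptography). A short final chunk is
    decrypted like the others, so the input only has to be block-aligned.
    """
    if len(encrypted) % AES_BLOCK:
        raise ValueError("encrypted data area is not a multiple of the AES block size")
    aes_key, hmac_key = split_vfdecrypt_key(key_hex)
    out = bytearray()
    for chunk_no, off in enumerate(range(0, len(encrypted), CHUNK_SIZE)):
        chunk = encrypted[off:off + CHUNK_SIZE]
        out += aes_cbc_decrypt(aes_key, chunk_iv(hmac_key, chunk_no), chunk)
    return bytes(out)


if __name__ == "__main__":
    # The 1.0.1 (build 1C25) key listed on this page, split into its two parts.
    aes_key, hmac_key = split_vfdecrypt_key(
        "7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5")
    print("AES-128 key :", aes_key.hex())
    print("HMAC-SHA1 key:", hmac_key.hex())
    print("IV, chunk 0 :", chunk_iv(hmac_key, 0).hex())
```

Plug in any AES-CBC decrypt function of the form `f(key, iv, ciphertext)`; the example only owns the key parsing and the IV schedule, which is the part the key strings on this page actually encode.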
− == Gaps ==
− As you will notice, there may be a gap or two, or a key for a current build that is missing. Feel free to add them, but only add keys for User or Developer builds: posting the key for any other type of build that may or may not be out there '''could get people in trouble, and we do not want that'''. Thanks for contributing!
− == Downloads ==
+ The ramdisk keys can ''only'' be recovered with the processor-specific [[GID Key]]. The GID key itself has never been extracted; it can only be used through the built-in [[AES Keys|AES engine]], and on an unmodified device that engine is only reachable through a [[bootrom]] or [[iBoot]] exploit ([[jailbreak]]s typically expose it as [[/dev/aes_0]]). Without such an exploit the key cannot be used at all.
+ Once you do have access to the GID-keyed AES engine, however, the protection collapses: you can upload an encrypted ramdisk and have the device decrypt its key and IV for you. Once the ramdisk is decrypted, you can run it through [[GenPass]] to recover the root filesystem (VFDecrypt) key.
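The part of an IMG3 file that has to go through the GID-keyed AES engine is the KBAG tag, which carries the encrypted IV and key for the image payload. The Python below is an illustration added to this page, not code from The iPhone Wiki; it builds a constructed IMG3 with TYPE, DATA and KBAG tags and parses it back out, trimming the key field to the size the KBAG declares. It assumes the layout documented on the IMG3 File Format page (20-byte header, little-endian tag magics, KBAG as cryptState, aesType, 16-byte IV, 32-byte key field); the function names are mine. The GID unwrapping itself cannot be done off-device, so the example stops at the bytes you would hand to the engine.

```python
"""Parse an IMG3 container and extract its KBAG (the GID-wrapped key and IV).

Added illustration for this page, not code from The iPhone Wiki. The layout
follows the IMG3 File Format article: a 20-byte header (magic, fullSize,
sizeNoPack, sigCheckArea, ident) followed by tags of (magic, totalLength,
dataLength, data, padding). Magics are stored little-endian, so 'Img3' appears
in the file as b'3gmI'. KBAG data is cryptState (1 = production GID key,
2 = development GID key), aesType (0x80/0xC0/0x100 for AES-128/192/256), a
16-byte encrypted IV and a 32-byte encrypted key field. Function names are mine.
"""
import struct

HEADER_LEN = 20
TAG_HEADER_LEN = 12
AES_TYPE_BITS = {0x80: 128, 0xC0: 192, 0x100: 256}


def magic(s):
    """ASCII_LE encoding used by IMG3: the 4-character name reversed in the file."""
    return s.encode("ascii")[::-1]


def build_tag(name, data):
    """Encode one tag; totalLength is padded up to a 4-byte multiple."""
    total = TAG_HEADER_LEN + len(data)
    pad = (-total) % 4
    return struct.pack("<4sII", magic(name), total + pad, len(data)) + data + b"\0" * pad


def build_img3(ident, payload, enc_iv, enc_key, crypt_state=1, aes_type=0x80):
    """Assemble a minimal IMG3 (TYPE, DATA, KBAG). Constructed sample, not a real firmware image.

    enc_iv/enc_key stand in for the GID-encrypted IV and key; the key field is
    zero-padded to the 32 bytes the KBAG reserves for it.
    """
    kbag = struct.pack("<II", crypt_state, aes_type) + enc_iv + enc_key.ljust(32, b"\0")
    body = build_tag("TYPE", magic(ident)) + build_tag("DATA", payload) + build_tag("KBAG", kbag)
    # sigCheckArea normally covers everything before the SHSH tag; with no signature it is the whole body
    header = struct.pack("<4sIII4s", magic("Img3"), HEADER_LEN + len(body), len(body), len(body), magic(ident))
    return header + body


def parse_img3(blob):
    """Return (ident, [(tag_name, data), ...]); rejects truncated or mis-sized files."""
    if len(blob) < HEADER_LEN or blob[:4] != magic("Img3"):
        raise ValueError("not an IMG3 file")
    full_size, size_no_pack, _sig_area, ident = struct.unpack_from("<III4s", blob, 4)
    if full_size != len(blob) or size_no_pack != len(blob) - HEADER_LEN:
        raise ValueError("IMG3 header sizes do not match the file length")
    tags, off = [], HEADER_LEN
    while off < len(blob):
        if off + TAG_HEADER_LEN > len(blob):
            raise ValueError("truncated tag header at offset %#x" % off)
        name, total, dlen = struct.unpack_from("<4sII", blob, off)
        if total < TAG_HEADER_LEN + dlen or off + total > len(blob):
            raise ValueError("bad tag length at offset %#x" % off)
        data = blob[off + TAG_HEADER_LEN:off + TAG_HEADER_LEN + dlen]
        tags.append((name[::-1].decode("ascii", "replace"), data))
        off += total
    return ident[::-1].decode("ascii", "replace"), tags


def extract_kbag(blob, want_state=1):
    """Return the KBAG for the requested cryptState, or None if the image has none.

    enc_key is trimmed to the key size the aesType field declares.
    """
    _ident, tags = parse_img3(blob)
    for name, data in tags:
        if name != "KBAG":
            continue
        if len(data) < 8 + 16 + 32:
            raise ValueError("KBAG tag too short")
        state, aes_type = struct.unpack_from("<II", data, 0)
        if state != want_state:
            continue
        bits = AES_TYPE_BITS.get(aes_type)
        if bits is None:
            raise ValueError("unknown aesType %#x" % aes_type)
        return {"aes_bits": bits, "enc_iv": data[8:24], "enc_key": data[24:24 + bits // 8]}
    return None


def gid_engine_input(kbag):
    """The wrapped IV followed by the wrapped key: the bytes handed to the GID-keyed AES engine.

    Unwrapping requires the device's engine (see the AES Keys methods); it cannot be done here.
    """
    return kbag["enc_iv"] + kbag["enc_key"]
```

Run `extract_kbag` over a real IMG3 (a ramdisk, kernelcache or iBoot from an IPSW) to see which cryptState values it carries; production images carry cryptState 1, and the returned `enc_iv`/`enc_key` are exactly the values that the device has to unwrap before the DATA tag can be decrypted.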
− * http://rgov.org/files/vfdecrypt-mac.zip (Mac OS X Universal)
− * http://iphoneelite.googlecode.com/files/vfdecrypt.zip (Windows)
− * Source Credit: http://lorenzo.yellowspace.net/corrupt-sparseimage.html
− ==
+ To find the keys, you can either use the methods described on [[AES Keys]] or, the easier option on OS X, [[keylimepie]].
+ == Decrypting ==
+ {{main|Decrypting Firmwares}}
− 28c909fc6d322fa18940f03279d70880e59a4507998347c70d5b8ca7ef090ecccc15e82d
+ == Notes ==
+ Certain files share the same key and IV per [[Application Processor|application processor]] for a given build, provided the devices have the same pixel resolution:
+ * [[Update Ramdisk]]
+ * [[Restore Ramdisk]]
+ * [[AppleLogo]]
+ * [[BatteryCharging0]]
+ * [[BatteryCharging1]]
+ * [[BatteryFull]]
+ * [[BatteryLow0]]
+ * [[BatteryLow1]]
+ * [[GlyphCharging]]
+ * [[GlyphPlugin]]
+ * [[Kernelcache]]
+ * [[NeedService]]
+ * [[RecoveryMode]]
+ * [[SEP Firmware]]
+ * [[WTF]]
+ You can use [[img3decrypt]] or [[xpwntool]] to decrypt these files as described in [[Decrypting Firmwares]]. Once decrypted, mount or extract them with the tool of your choice.
− == 1.0.1 (Build 1C25) ==
− 7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5
− == 1.0.2 (Build 1C28) ==
− 7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5
− == 1.1.1 (Build 3A109a) ==
− f45de7637a62b200950e550f4144696d7ff3dc5f0b19c8efdf194c88f3bc2fa808fea3b3
+ The firmware version number given for [[List of Apple TVs|Apple TV]] builds is the one the Apple TV itself reports (the "marketing version").
+ All dates are relative to [[wikipedia:Coordinated Universal Time|UTC]].
+ GID AES is used by iBoot to decrypt firmware images. iBoot disables GID AES before it hands over to the kernelcache, so to obtain firmware keys you must gain code execution while GID AES is still enabled. In most cases this means exploiting iBoot itself, before the kernelcache is loaded.
− == 1.1.2 (Build 3B48b) ==
− 70e11d7209602ada5b15fbecc1709ad4910d0ad010bb9a9125b78f9f50e25f3e05c595e2
− == 1.1.3 (Build 4A93) ==
− 11070c11d93b9be5069b643204451ed95aad37df7b332d10e48fd3d23c62fca517055816
− == 1.1.4 (Build 4A102) ==
− d0a0c0977bd4b6350b256d6650ec9eca419b6f961f593e74b7e5b93e010b698ca6cca1fe
− == 1.1.5 (Build 4B1) ==
− c7973558e8f6af22e38d4573737d1533f1d5eec202bf86a32d941975d76f8906c7f0afe4
− == 1.2 (Beta 1) (Build 5A147p) ==
− 86bec353ddfbe3fb750e9d7905801f79791e69acf65d16930d288e697644c76f16c4f16d
− == 2.0 (Beta 2) (Build 5A225c) ==
− ea14f3ec624c7fdbd52e108aa92d13b16f6b0b940c841f7bbc7792099dae45da928d13e7
+ == Firmware Versions ==
+ {{see also|Prototypes}}
+ This is a comprehensive list of all firmwares Apple Inc. has made available to the public in some way, be it through the [[Apple Developer|dev center]] or [[iTunes]]. It also contains a few firmwares for which, as far as can be told, no IPSW was ever published, such as 4.2.5 for the [[N92AP|CDMA iPhone 4]] (iPhone3,3). Those builds came preinstalled on the device and are not available for download.
+ * [[Firmware Keys/1.x|1.x]]
+ * [[Firmware Keys/2.x|2.x]]
+ * [[Firmware Keys/3.x|3.x]]
+ * [[Firmware Keys/4.x|4.x]]
+ * [[Firmware Keys/5.x|5.x]]
+ * [[Firmware Keys/6.x|6.x]]
+ * [[Firmware Keys/7.x|7.x]]
+ * [[Firmware Keys/8.x|8.x]]
+ * [[Firmware Keys/9.x|9.x]]
+ * [[Firmware Keys/10.x|10.x]]
+ * [[Firmware Keys/11.x|11.x]]
+ * [[Firmware Keys/12.x|12.x]]
+ * [[Firmware Keys/13.x|13.x]]
+ * [[Firmware Keys/14.x|14.x]]
+ * [[Firmware Keys/15.x|15.x]]
+ * [[Firmware Keys/16.x|16.x]]
− == 2.0 (Beta 3) (Build 5A240d) ==
− e24bfab40a2e5d3dc25e089291846e5615b640897ae8b424946c587bcf53b201a1041d36
− == 2.0 (Beta 4) (Build 5A258f) ==
− 198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c
− == 2.0 (Beta 5) (Build 5A274d) ==
− 589df25eaa4ff0a5e29e1425fb99bf50957888ff098ba2fcb72cf130f40e15e00bcf2fc7
− == 2.0 (Beta 6 Pre-Release) (Build 5A292g) ==
− 890b1fbf22975e0d4be2ea3f9bc5c87f38fd8158394fd31cf80a43ad25547573bbd0ec4e
− == 2.0 (Beta 6 Final) (Build 5A308) ==
− 3964ca8d8bf5d3715cdc172986f2d9606672c54d5e0aa3f3a892166b4e54e4cefef21279
− == 2.0 (Beta 7) (Build 5A331) ==
− 3d9a9832a108fc5084fc9329d6e84e38edf06e380554c49376b70e951f8a8d1ed943f819
− == 2.0 (Build 5A347) ==
− Ramdisk Key: 85 0A FC 27 11 32 D1 5A E6 98 95 65 56 7E 65 BF
− Ramdisk IV: 29 68 1F 62 5D 1F 61 27 1E C3 11 66 01 B8 BC DE
− 2cfca55aabb22fde7746e6a034f738b7795458be9902726002a8341995558990f41e3755
− == 2.0.1 (Build 5B108) ==
− Ramdisk Key: 21 9E AC 3E 01 27 6C 7E C5 04 32 12 3F 50 97 1A
− Ramdisk IV: 02 4F DB BA 71 EB F3 4D F5 B5 25 CD 97 5A EF E8
− 2cfca55aabb22fde7746e6a034f738b7795458be9902726002a8341995558990f41e3755
− == 2.0.2 (Build 5C1) ==
− Ramdisk Key: CC 02 8F D2 9D C2 7F 89 5E 40 1D 98 65 E7 21 00
− Ramdisk IV: 53 7E B4 E7 12 9E A8 1F 57 2E C2 3D BE C4 2B 80
− 31e3ff09ff046d5237187346ee893015354d2135e3f0f39480be63dd2a18444961c2da5d
− == 2.1 (Beta 1) (Build 5F90) ==
− Ramdisk Key: 78 29 32 89 1F 0D 76 DB 49 0F DD CA 02 7A 13 B2
− Ramdisk IV: 6B EA 32 6D 0F 41 10 51 59 F0 AE A8 F9 9F E7 77
− f61c14aa0d53386dd42c49163686e8ccdeb86d14aafdecfe99c2e12c41a7f9f2811daa3d
− == 2.1 (Build 5F136) ==
− Ramdisk Key: 42 B4 F3 99 76 AF A5 9F 9E C6 80 FC CD 2C 7D 04
− Ramdisk IV: FD 53 0C 4C F8 A8 78 F1 63 87 43 29 88 B1 99 B8
− 562ca0f7963eafb462da74a9c1f01a45c30a7eb5f1f493feceecae03ee6521a334f4ff68
− == 2.1 (Build 5F137) ==
− Ramdisk Key: 7C 80 7F 65 65 01 5D AA 6D 18 2D FF 79 5E 10 91
− Ramdisk IV: 5C B7 FA 82 E8 FC 42 B9 DB 6C 02 7D 8F 4C 7C 39
− 9714f2cb955afa550d6287a1c7dd7bd0efb3c26cf74b948de7c43cf934913df69fc5a05f
− == 2.1.1 (Build 5F138) ==
− Ramdisk Key: 6D 4A 00 C0 A0 8E 90 A3 B0 24 88 5F 45 BC B7 20
− Ramdisk IV: 2F 44 81 85 5C A3 9E 67 DF BF 3D 19 B8 AD E6 0E
− d1b957a0a5e56903adc523c5fa99f5d165c3963aea48274770b766b44ecdebab7b5a8f30
− == 2.2 (Build 5G77) ==
− Ramdisk Key: EE A6 E8 78 24 A3 C0 B0 BE 86 E8 E2 BB D8 CF E9
− Ramdisk IV: 18 2C DD A9 0A 38 87 0D E9 68 80 EE 7F F5 BB BC
− dc39d88afe4cbd8a3f36824b8fd68acf04ac72718c09100816c5cb89889b8079e96802f0
− == 2.2 (Build 5G77a) ==
− Ramdisk Key: 77 8B 48 88 33 CA DA 94 0A 10 A7 C4 4C AC 74 13
− Ramdisk IV: 47 9C 46 F2 7F 5B 18 AC 5F A0 18 85 CF 2B 06 F9
− 148025cde5c51d51d7733e74c6857dfca70d7240287d6eb039a1ed835413120b0af1e296
− == 2.2.1 (Build 5H11) ==
− Ramdisk Key: DA 01 0F 69 B0 E2 03 4B 4C E7 B7 C9 0B 63 BA D5
− Ramdisk IV: 29 FF 3D 43 C4 00 1B 97 89 63 DE E4 37 E2 53 86
− ee4eeeb62240c1378c739696dff9fef2c88834e98877f55a29c147e7d5b137967197392a
− == 2.2.1 (Build 5H11a) ==
− Ramdisk Key: 78 4F 13 3C 28 82 37 63 41 B9 E2 76 DA 96 6C 0F
− Ramdisk IV: C9 8F 1D 8E 26 F0 4F 89 01 3E 9C 61 49 9C D1 FE
− 2611c9f73504344fb22c93791659ec92e65f914025c5814d708b2023ab67229d89c39791
− == 3.0 Beta 1 (Build 7A238j) ==
− Plaintext ramdisk
− 56753A471ABC4E859F6D0F0157D2FEA4DFB5A536154CD26B0E3A35B732BF5FCE2EAE96F1
− == 3.0 Beta 2 (Build 7A259g) ==
− Ramdisk Key: B1 11 BD B4 F4 A4 5E B2 BE 94 F4 3B DF C5 79 6F
− Ramdisk IV: FA 01 C6 EC FC 18 6A 09 86 E2 31 1D 20 D9 6A C4
== See also ==
− * [[System]] - a page with links to download the firmware images
+ * [[Application Processor]]
+ [[Category:Decryption]]
Latest revision as of 10:42, 6 June 2022