The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.
Difference between revisions of "Decrypting Firmwares"
(Undo revision 4911: Padraig, windows assumes .exe when looking for commands, that single line works anywhere.)
(Replacing page with 'Hacked by Chroniccommand')
Line 1: | Line 1: | ||
+ | Hacked by Chroniccommand |
||
− | ==1.0.x== |
||
− | If you want to decrypt 1.0.x iPhone ramdisk you must remove some trash from the beginning of them. You can do this in Terminal.app (on Mac OS X you can find them in /Applications/Utilities/). |
||
− | |||
− | Unzip firmware image (change extension .ipsw to .zip and double click on archive) and find restore ramdisk. In Terminal.app enter simple command: |
||
− | |||
− | ''dd if=restore_ramdisk.dmg of=restore_ramdisk.stripped.dmg bs=512 skip=4 count=37464 conv=sync'' |
||
− | |||
− | Where '''restore_ramdisk.dmg''' is image of restore ramdisk (for example 1.0 iPhone firmware restore ramdisk is 694-5259-38.dmg), and '''restore_ramdisk.stripped.dmg''' is 'decrypted' image, that you can mount and explore from Finder. |
||
− | |||
− | Note: If after mounting stripped ramdisk you see errors, ignore them. |
||
− | |||
− | ==1.1.x== |
||
− | To decrypt the 1.1.x ramdisk, strip the first 0x800 bytes. I'm not proficient in dd, but the above command could be modified for this, or it could be done in a hex editor. Once that's complete, run this command: |
||
− | |||
− | ''openssl enc -d -in ramdisk.dmg -out de.dmg -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0'' |
||
− | |||
− | This uses the iPhone's 0x837 key which was first leaked by Zibri and had its purpose revealed on Geohot's blog. |
||
− | |||
− | ==2.x+== |
||
− | The ramdisk on both 2.x and 3.x firmwares is a simple [[IMG3_File_Format|img3 file]], that you can decrypt using [http://code.google.com/p/img3decrypt/ img3decrypt] or [http://github.com/planetbeing/xpwn/tree/master xpwntool]. You must download one of these utilities. For easier access, put them in '''/usr/local/bin''' |
||
− | |||
− | If you're using img3decrypt use this: |
||
− | ''img3decrypt e restore_ramdisk.dmg restore_ramdisk_decrypted.dmg Ramdisk_IV Ramdisk_Key'' |
||
− | |||
− | Use this if you're using xpwntool: |
||
− | ''xpwntool restore_ramdisk.dmg restore_ramdisk_decrypted.dmg -k Ramdisk_Key -iv Ramdisk_IV'' |
||
− | |||
− | |||
− | Where '''restore_ramdisk.dmg''' is image of restore ramdisk (for example 3.0 beta 1 iPhone GSM firmware restore ramdisk is 018-4793-1.dmg), and '''restore_ramdisk_decrypted.dmg''' is decrypted image, that you can mount and explore from Finder. Ramdisk_IV and Ramdisk_Key is a decrypted keys that you can find in [[VFDecrypt_Keys:_3.x|vfdecrypt page]] or in Info.plist from PwnageTool FirmwareBundles folder (when Dev Team include support for this firmware). |
||
− | |||
− | Because of the new HFS Compression used in Snow Leopard and 3.0 DMGs, you may see zero-sized files in the DMG if you don't use Snow Leopard. In order to extract those, check [[Talk:Ramdisk Decryption]]. |
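Review bot: this hunk blanks the whole article: the single added line 'Hacked by Chroniccommand' replaces every section (1.0.x, 1.1.x, 2.x+), including the dd, openssl, img3decrypt and xpwntool command lines, the 0x837 key explanation and the links to the IMG3 format, vfdecrypt keys and Talk:Ramdisk Decryption pages, with no justification beyond the summary 'Replacing page with ...'. This is vandalism and should be reverted to the previous revision rather than edited further; nothing in the removed text was marked for removal.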
Revision as of 17:42, 6 November 2009
Hacked by Chroniccommand