The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "KBAG"
(→KBAG Format) |
(→KBAG Format) |
||
Line 4: | Line 4: | ||
==KBAG Format== |
==KBAG Format== |
||
===KBAG128=== |
===KBAG128=== |
||
+ | typedef struct Unparsed_KBAG_128 { |
||
− | <pre> |
||
+ | int magic; // string with bits flipped = "KBAG" (magic = 0x4741424B) |
||
− | typedef struct Unparsed_KBAG_128 { |
||
− | int |
+ | int tagFullSize; // size of KBAG from beyond that point to the end of it |
− | int |
+ | int tagDataSize; // size of KBAG without this 0xC header |
− | int |
+ | int cryptState; // 1 if the key and IV in the KBAG are encrypted with the [[GID-key]] |
− | + | // 2 is used with a second KBAG for the [[S5L8920]], use is unknown. |
|
− | + | int aesType; // 0x80 = aes128 / 0xc0 = aes192 / 0x100 = aes256 |
|
− | + | char EncIV[16]; // IV for the firmware file, encrypted with the [[GID-key]] |
|
− | + | char EncKey[16]; // Key for the firmware file, encrypted with the [[GID-key]] |
|
+ | } Unparsed_KBAG_AES128; |
||
− | char EncKey[16]; // Key for the firmware file, encrypted with the [[GID-key]] |
||
− | } Unparsed_KBAG_AES128; |
||
− | </pre> |
||
===KBAG192=== |
===KBAG192=== |
||
+ | typedef struct Unparsed_KBAG_AES192 { |
||
− | <pre> |
||
+ | int magic; // string with bits flipped = "KBAG" (magic = 0x4741424B) |
||
− | typedef struct Unparsed_KBAG_AES192 { |
||
− | int |
+ | int fullSize; // size of KBAG from beyond that point to the end of it |
− | int |
+ | int tagDataSize; // size of KBAG without this 0xC header |
− | int |
+ | int cryptState; // 1 if the key and IV in the KBAG are encrypted with the [[GID-key]] |
− | + | // 2 is used with a second KBAG for the [[S5L8920]], use is unknown. |
|
− | + | int aesType; // 0x80 = aes128 / 0xc0 = aes192 / 0x100 = aes256 |
|
− | + | char EncIV[16]; // IV for the firmware file, encrypted with the [[GID-key]] |
|
− | + | char EncKey[24]; // Key for the firmware file, encrypted with the [[GID-key]] |
|
+ | } Unparsed_KBAG_AES192; |
||
− | char EncKey[24]; // Key for the firmware file, encrypted with the [[GID-key]] |
||
− | } Unparsed_KBAG_AES192; |
||
− | </pre> |
||
===KBAG256=== |
===KBAG256=== |
||
+ | typedef struct Unparsed_KBAG_256 { |
||
− | <pre> |
||
+ | int magic; // string with bits flipped = "KBAG" (magic = 0x4741424B) |
||
− | typedef struct Unparsed_KBAG_256 { |
||
− | int |
+ | int fullSize; // size of KBAG from beyond that point to the end of it |
− | int |
+ | int tagDataSize; // size of KBAG without this 0xC header |
− | int |
+ | int cryptState; // 1 if the key and IV in the KBAG are encrypted with the [[GID-key]] |
− | + | // 2 is used with a second KBAG for the [[S5L8920]], use is unknown. |
|
− | + | int aesType; // 0x80 = aes-128, 0xc0 = aes-192, 0x100 = aes256 |
|
− | + | char EncIV[16]; // IV for the firmware file, encrypted with the [[GID-key]] |
|
− | + | char EncKey[32]; // Key for the firmware file, encrypted with the [[GID-key]] |
|
+ | } Unparsed_KBAG_AES256; |
||
− | char EncKey[32]; // Key for the firmware file, encrypted with the [[GID-key]] |
||
− | } Unparsed_KBAG_AES256; |
||
− | </pre> |
||
==How it works== |
==How it works== |
Revision as of 02:35, 13 November 2010
Explanation
In Apple's new IMG3 security scheme, they have used something called a KBAG. At the bottom of a firmware file, you will see something that will, on the ASCII side of your hex editor, see "GABK", which is "KBAG" flipped. Look on the hex side and you will the KBAG according to this format:
KBAG Format
KBAG128
typedef struct Unparsed_KBAG_128 { int magic; // string with bits flipped = "KBAG" (magic = 0x4741424B) int tagFullSize; // size of KBAG from beyond that point to the end of it int tagDataSize; // size of KBAG without this 0xC header int cryptState; // 1 if the key and IV in the KBAG are encrypted with the GID-key // 2 is used with a second KBAG for the S5L8920, use is unknown. int aesType; // 0x80 = aes128 / 0xc0 = aes192 / 0x100 = aes256 char EncIV[16]; // IV for the firmware file, encrypted with the GID-key char EncKey[16]; // Key for the firmware file, encrypted with the GID-key } Unparsed_KBAG_AES128;
KBAG192
typedef struct Unparsed_KBAG_AES192 { int magic; // string with bits flipped = "KBAG" (magic = 0x4741424B) int fullSize; // size of KBAG from beyond that point to the end of it int tagDataSize; // size of KBAG without this 0xC header int cryptState; // 1 if the key and IV in the KBAG are encrypted with the GID-key // 2 is used with a second KBAG for the S5L8920, use is unknown. int aesType; // 0x80 = aes128 / 0xc0 = aes192 / 0x100 = aes256 char EncIV[16]; // IV for the firmware file, encrypted with the GID-key char EncKey[24]; // Key for the firmware file, encrypted with the GID-key } Unparsed_KBAG_AES192;
KBAG256
typedef struct Unparsed_KBAG_256 { int magic; // string with bits flipped = "KBAG" (magic = 0x4741424B) int fullSize; // size of KBAG from beyond that point to the end of it int tagDataSize; // size of KBAG without this 0xC header int cryptState; // 1 if the key and IV in the KBAG are encrypted with the GID-key // 2 is used with a second KBAG for the S5L8920, use is unknown. int aesType; // 0x80 = aes-128, 0xc0 = aes-192, 0x100 = aes256 char EncIV[16]; // IV for the firmware file, encrypted with the GID-key char EncKey[32]; // Key for the firmware file, encrypted with the GID-key } Unparsed_KBAG_AES256;
How it works
Basically, it just boils down to using the GID-key to decrypt Enc_IV and Enc_Key, then using that key and IV to decrypt the DATA section of the file (the code itself).
As an interesting side note, because of the circumstances with the IMG3 File Format, the kernel never needs to even touch the GID-key anymore, as it's job is to just flash the image to the NOR as is, with container and all.
in order to decrypt the KBAG you need to remove them from IMG3 using this command dd if=IMG3_FILE bs=1 skip=4741424B count=0x70