Difference between revisions of "Decrypting Firmwares"

From The iPhone Wiki
m (1.1.x: typo)
Revision as of 02:55, 7 August 2011

1.0.x

To decrypt 1.0.x iPhone ramdisks, you must remove some junk bytes from the beginning of them. You can do this in Terminal.app (on Mac OS X you can find it in /Applications/Utilities/).

  1. Unzip the firmware image (change the extension from .ipsw to .zip and double-click the archive) and find the restore ramdisk.
  2. In Terminal.app, run
dd if=restore_ramdisk.dmg of=restore_ramdisk.stripped.dmg bs=512 skip=4 count=37464 conv=sync

Where restore_ramdisk.dmg is the image of the restore ramdisk (for example, the 1.0 iPhone firmware restore ramdisk is 694-5259-38.dmg), and restore_ramdisk.stripped.dmg is the 'decrypted' image, which you can mount and explore from Finder.

NOTE: If you see errors after mounting the stripped ramdisk, ignore them.

1.1.x

To decrypt the 1.1.x Ramdisks, you must do a little extra work.

  1. Strip the first 0x800 bytes (2 kilobytes).
  2. In Terminal.app, run
openssl enc -d -in ramdisk.dmg -out de.dmg -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0

This uses the iPhone's 0x837 key which was first leaked by Zibri and had its purpose revealed on Geohot's (now closed) blog.
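As an added example (not code from The iPhone Wiki), the Python below mirrors the two steps used for 1.0.x and 1.1.x ramdisks: the dd block arithmetic that drops the leading junk (bs=512 skip=4 removes the same 0x800 = 2048 bytes that the 1.1.x step strips), and the AES-128-CBC decryption that the openssl command performs, with a short hex IV zero-padded to 16 bytes the way openssl treats `-iv 0`. AES-128 is implemented in pure Python so the example runs without extra packages; the key, IV and sample image are constructed (the FIPS-197 test vector), not real firmware and not the 0x837 key.

```python
# Added example (not from The iPhone Wiki): emulate the page's two steps for 1.0.x/1.1.x
# ramdisks: 1) drop the leading junk with dd-style block arithmetic, 2) decrypt the rest with
# AES-128-CBC under a hex key and IV, as the openssl command does. AES-128 is implemented in
# pure Python; key, IV and sample image are constructed (FIPS-197 C.1 vector), not real firmware.

def _xtime(a):                      # multiply by x in GF(2^8), reducing mod x^8+x^4+x^3+x+1
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def _mul(a, b):                     # general GF(2^8) multiplication
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _gf_inv(a):                     # a^254 == a^-1 for a != 0; inv(0) is defined as 0
    r = 1
    for _ in range(254):
        r = _mul(r, a)
    return r

def _sbox_entry(x):                 # S-box = affine transform of the field inverse
    v = _gf_inv(x)
    return v ^ _rotl8(v, 1) ^ _rotl8(v, 2) ^ _rotl8(v, 3) ^ _rotl8(v, 4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]
INV_SBOX = [0] * 256                # permutation inverse of SBOX
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

def _expand_key(key):               # FIPS-197 key schedule: 11 round keys, 16 bytes, column-major
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]    # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

# State is a flat 16-byte list; byte index r + 4*c is row r, column c.
def _inv_shift_rows(s):
    return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]

def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_mul(a0, 14) ^ _mul(a1, 11) ^ _mul(a2, 13) ^ _mul(a3, 9),
                _mul(a0, 9) ^ _mul(a1, 14) ^ _mul(a2, 11) ^ _mul(a3, 13),
                _mul(a0, 13) ^ _mul(a1, 9) ^ _mul(a2, 14) ^ _mul(a3, 11),
                _mul(a0, 11) ^ _mul(a1, 13) ^ _mul(a2, 9) ^ _mul(a3, 14)]
    return out

def aes128_decrypt_block(block, rk):
    s = [b ^ k for b, k in zip(block, rk[10])]
    for rnd in range(9, 0, -1):
        s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
        s = _inv_mix_columns([b ^ k for b, k in zip(s, rk[rnd])])
    s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
    return bytes(b ^ k for b, k in zip(s, rk[0]))

def aes128_cbc_decrypt(data, key, iv):
    """Raw CBC decryption; no padding is removed (openssl enc strips PKCS#7 unless -nopad is given)."""
    if len(data) % 16 or len(key) != 16 or len(iv) != 16:
        raise ValueError("ciphertext must be a multiple of 16 bytes; key and IV must be 16 bytes")
    rk, prev, out = _expand_key(key), iv, bytearray()
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        out += bytes(p ^ c for p, c in zip(aes128_decrypt_block(blk, rk), prev))
        prev = blk
    return bytes(out)

def dd_strip(data, bs, skip, count=None, sync=False):
    """Emulate `dd bs=<bs> skip=<skip> [count=<count>] [conv=sync]` on an in-memory image."""
    start = bs * skip
    end = len(data) if count is None else min(len(data), start + bs * count)
    out = data[start:end]
    if sync and len(out) % bs:                  # conv=sync zero-pads the final short block
        out += b"\0" * (bs - len(out) % bs)
    return out

def decrypt_11x_ramdisk(image, key_hex, iv_hex="0"):
    """Strip the 0x800-byte header, then decrypt as `openssl enc -d -aes-128-cbc -K key -iv iv` would."""
    iv = bytes.fromhex(iv_hex.ljust(32, "0"))   # openssl zero-pads a short hex IV such as "0" to 16 bytes
    body = dd_strip(image, bs=0x800, skip=1)    # same as bs=512 skip=4: drop the first 2048 bytes
    return aes128_cbc_decrypt(body, bytes.fromhex(key_hex), iv)

# Constructed sample: 0x800 bytes of junk header followed by the FIPS-197 C.1 AES-128 test-vector
# ciphertext. With the test-vector key and a zero IV it decrypts to 00112233445566778899aabbccddeeff.
FIPS_KEY_HEX = "000102030405060708090a0b0c0d0e0f"
SAMPLE_IMAGE = b"\xff" * 0x800 + bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")

if __name__ == "__main__":
    print(decrypt_11x_ramdisk(SAMPLE_IMAGE, FIPS_KEY_HEX).hex())
```

For a real image you would still use openssl as the page shows; the point of `dd_strip` is to make the block arithmetic explicit (skip and count are in units of bs, and conv=sync pads the last short block with zeros), and `aes128_cbc_decrypt` shows exactly what `-aes-128-cbc -K ... -iv ...` computes. One caveat when reproducing the page's command: `openssl enc` removes PKCS#7 padding by default and reports "bad decrypt" if the final block does not look padded, so a raw image may need `-nopad`.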

2.x+

The ramdisks on 2.x and later firmwares are simple IMG3 files that you can decrypt using img3decrypt (http://code.google.com/p/img3decrypt/) or XPwnTool (http://github.com/planetbeing/xpwn/tree/master). You must download one of these utilities. For easier access, put them in /usr/local/bin on Unix-based and Linux-based machines, or anywhere you like on Windows. If you use Windows, you must use the cd command to navigate to the XPwn directory.

If you're using img3decrypt, run this:

img3decrypt e restore_ramdisk.dmg restore_ramdisk_decrypted.dmg "Ramdisk_IV" "Ramdisk_Key"

If you're using XPwnTool, run this:

xpwntool restore_ramdisk.dmg restore_ramdisk_decrypted.dmg -k "Ramdisk_Key" -iv "Ramdisk_IV"

Where restore_ramdisk.dmg is the image of the restore ramdisk and restore_ramdisk_decrypted.dmg is the decrypted image, which you can mount and explore from Finder. "Ramdisk_IV" and "Ramdisk_Key" are the decryption IV and key, which you can find on the VFDecrypt Keys page or in the Info.plist in the PwnageTool FirmwareBundles folder.

Because of the new HFS compression used in Snow Leopard and in 3.0 DMGs, you may see zero-sized files in the DMG if you don't use Snow Leopard. To extract those, see Talk:Ramdisk Decryption.