Difference between revisions of "S5L File Formats"

From The iPhone Wiki

Revision as of 01:38, 11 February 2009

IMG2

This was the file format used prior to 2.0 firmware. Post 1.1.1, it was encrypted with Key 0x837.

8900

This is the file format used by the S5L8900. Usually this wraps around an IMG2 file.

Header

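#include <stdint.h>

// fixed-width aliases for the type names used below
typedef uint8_t  uchar;
typedef uint8_t  uint8;
typedef uint16_t uint16;
typedef uint32_t uint32;

typedef struct {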
 uchar  magic[4];              // string "8900"
 uchar  version[3];            // string "1.0"
 uint8  format;                // plaintext format is 0x4, encrypted with GID-key format is 0x3, boot plaintext is 0x2, boot encrypted with UID-key is 0x1.
 uint32 unknown1;
 uint32 sizeOfData;            // size of data (ie, filesize - header(0x800) - footer signature(0x80) - footer certificate(0xC0A))
 uint32 footerSignatureOffset; // offset to footer signature 
 uint32 footerCertOffset;      // offset to footer certificate, from end of header (0x800)
 uint32 footerCertLen;
 uchar  salt[0x20];            // a seemingly random salt (an awfully big one though... needs more attention)
 uint16 unknown2;
 uint16 epoch;                 // the security epoch of the file
 uchar  headerSignature[0x10]; // encrypt(sha1(header[0:0x40])[0:0x10], key_0x837, zero_iv)
 uchar  padding[0x7B0];
} Apple8900Header;

Resources

The dev team's wiki page on the topic

IMG3

This is the replacement for the IMG2 File Format in 2.0 firmware.

Header

typedef struct Img3 {
    unsigned int magic;        // fourcc="IMG3"
    unsigned int fullSize;     // full size of fw image
    unsigned int sizeNoPack;   // size of fw image without header
    unsigned int sigCheckArea; // although that is just my name for it, this is the
                               // size of the start of the data section (the code) up to
                               // the start of the RSA signature (SHSH section)
    unsigned int iden;         // identifier of image, used when bootrom is parsing images
                               // list to find LLB (illb), LLB parsing it to find iBoot (ibot),
                               // etc.
} Img3;

Tag Format

unsigned int magic;
unsigned int total_length;   //data_length+0xC
unsigned int data_length;

Tags

VERS: Version
SEPO: Unknown
PROD: Processor to be used with.
CHIP: Chip to be used with. "0x8900" for S5L8900 and "0x8720" for S5L8720. Instead of there being a check against some piece of hardware, whatever is verifying this (bootrom / iBoot / LLB / etc.) has this hardcoded in.
BORD: Board to be used with
KBAG: Contains the KEY and IV required to decrypt the file; these are themselves encrypted with the GID-key
SHSH: RSA encrypted SHA1 hash of the file
CERT: Certificate
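
The tag layout above, walked with bounds checks (an added example, not code from this wiki page or from the tools it links). It assumes little-endian fields and that the tags start right after the 0x14-byte Img3 header and span sizeNoPack bytes; `img3_find_tag`, `rd32`, `FOURCC` and `SAMPLE` are hypothetical names, and the sample image is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define IMG3_HDR_LEN 0x14u /* five 32-bit fields of struct Img3 */
#define TAG_HDR_LEN  0x0Cu /* magic, total_length, data_length */
#define FOURCC(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

/* Constructed sample, not a real image: header (magic/iden left zero, not
 * inspected here), a VERS tag with 4 data bytes, a KBAG tag with 0x20 zero bytes. */
static const uint8_t SAMPLE[0x50] =
    "\0\0\0\0" "\x50\0\0\0" "\x3C\0\0\0" "\0\0\0\0" "\0\0\0\0"
    "SREV" "\x10\0\0\0" "\x04\0\0\0" "1.0\0"
    "GABK" "\x2C\0\0\0" "\x20\0\0\0";

/* Assumption: all fields are stored little-endian. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walks every tag after the Img3 header. Returns the tag count, or -1 if a
 * length field would take the parser outside the image. *data_off is the
 * offset of the first `want` tag's data, or 0 when that tag is absent. */
int img3_find_tag(const uint8_t *buf, size_t len, uint32_t want,
                  size_t *data_off, uint32_t *data_len) {
    *data_off = 0; *data_len = 0;
    if (len < IMG3_HDR_LEN) return -1;
    uint32_t size_no_pack = rd32(buf + 8);             /* sizeNoPack */
    if (size_no_pack > len - IMG3_HDR_LEN) return -1;
    size_t pos = IMG3_HDR_LEN, end = IMG3_HDR_LEN + (size_t)size_no_pack;
    int count = 0;
    while (pos < end) {
        if (end - pos < TAG_HDR_LEN) return -1;        /* truncated tag header */
        uint32_t magic = rd32(buf + pos);
        uint32_t total = rd32(buf + pos + 4);
        uint32_t dlen  = rd32(buf + pos + 8);
        /* Page: total_length = data_length + 0xC. Assumption: a larger total is tolerated. */
        if (total < TAG_HDR_LEN || total > end - pos) return -1;
        if (dlen > total - TAG_HDR_LEN) return -1;
        if (*data_off == 0 && magic == want) { *data_off = pos + TAG_HDR_LEN; *data_len = dlen; }
        pos += total; count++;
    }
    return count;
}

int main(void) {
    size_t off; uint32_t n;
    int tags = img3_find_tag(SAMPLE, sizeof SAMPLE, FOURCC('K', 'B', 'A', 'G'), &off, &n);
    printf("tags=%d KBAG data at 0x%zx, 0x%x bytes\n", tags, off, (unsigned)n);
}
```
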

Encryption

Apple got smarter this time, requiring the hardware AES engine to be run per file. Decrypt the KBAG tag data (0x20 bytes?) with the hardware AES engine to get the 0x10-byte IV and the 0x10-byte KEY.

iBoot also has support for AES-192 and AES-256. In the current method, iBoot will always use the first 16 bytes as the IV, then the remaining 16 (AES-128, current method), 24 (AES-192), or 32 (AES-256) bytes for the key.

Resources

cmw's IMG3 Unpacker