|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Decrypting Firmwares"
m |
(rewrote 2.x section and retitled it →2.0b4 - 3.0b5: as 2.0b4 was the first to use IMG3 and 3.0GM was the first to start using AES256 instead of AES128) |
||
| Line 1: | Line 1: | ||
iOS contains many layers of encryption. This page details how to remove the encryption wrapper around each file in the [[IPSW File Format|IPSW]] file. |
iOS contains many layers of encryption. This page details how to remove the encryption wrapper around each file in the [[IPSW File Format|IPSW]] file. |
||
| − | == |
+ | == Ramdisks == |
| + | <!-- TODO: Reword steps from "ramdisk" to "IMG2" or "IMG3" |
||
| + | -->This section details the decryption of the ramdisks in an [[IPSW File Format|IPSW]] file. The listed console commands are applicable to the [[IMG2 File Format|IMG2]] or [[IMG3 File Format|IMG3]] files under <code>/Firmware</code> also. |
||
| + | === 1.0.x === |
||
With the release of the [[m68ap|iPhone]], the [[ramdisk]]s weren't encrypted. So, in order to mount them, all you need to do is remove some data from the beginning. You can either open up a hex editor and remove ##### bytes from the beginning, or open up a console and run <code>dd(1)</code><sup>[{{man|dd|1}}]</sup>: |
With the release of the [[m68ap|iPhone]], the [[ramdisk]]s weren't encrypted. So, in order to mount them, all you need to do is remove some data from the beginning. You can either open up a hex editor and remove ##### bytes from the beginning, or open up a console and run <code>dd(1)</code><sup>[{{man|dd|1}}]</sup>: |
||
dd if=''ramdisk.dmg'' of=''ramdisk.stripped.dmg'' bs=512 skip=4 count=37464 conv=sync |
dd if=''ramdisk.dmg'' of=''ramdisk.stripped.dmg'' bs=512 skip=4 count=37464 conv=sync |
||
| − | :where ''ramdisk.dmg'' is the |
+ | :where ''ramdisk.dmg'' is the filename of the restore ramdisk (ex: the [[Heavenly 1A543a (iPhone)|iPhone 2G 1.0 firmware]] (1A543a) would be <code>694-5259-38.dmg</code>) |
:where ''ramdisk.stripped.dmg'' is the output file name |
:where ''ramdisk.stripped.dmg'' is the output file name |
||
Once the data has been stripped, you can then mount ''ramdisk.stripped.dmg'' in Finder on OS X, or with any other program. If you encounter errors after mounting the stripped ramdisk, you can safely ignore them. |
Once the data has been stripped, you can then mount ''ramdisk.stripped.dmg'' in Finder on OS X, or with any other program. If you encounter errors after mounting the stripped ramdisk, you can safely ignore them. |
||
| − | == 1.1.x == |
+ | === 1.1.x - 2.0b3 === |
With the release of the [[n45ap|iPod touch]], Apple added a layer of encryption around the ramdisks. The decryption key wasn't obscured however, and a simple analysis of [[iBoot]] by [[User:Zibri|Zibri]] revealed the [[AES Keys#Key 0x837|0x837 key]]. At first, its purpose wasn't known. After a while, [[User:Geohot|geohot]] discovered its purpose. |
With the release of the [[n45ap|iPod touch]], Apple added a layer of encryption around the ramdisks. The decryption key wasn't obscured however, and a simple analysis of [[iBoot]] by [[User:Zibri|Zibri]] revealed the [[AES Keys#Key 0x837|0x837 key]]. At first, its purpose wasn't known. After a while, [[User:Geohot|geohot]] discovered its purpose. |
||
In order to decrypt them, all you need to do is remove the <code>0x800</code> byte (2 kibibytes) header<!-- INSERT dd COMMAND LINE -->, then open a console and run <code>openssl(1)</code><sup>[{{man|openssl|1}}]</sup>: |
In order to decrypt them, all you need to do is remove the <code>0x800</code> byte (2 kibibytes) header<!-- INSERT dd COMMAND LINE -->, then open a console and run <code>openssl(1)</code><sup>[{{man|openssl|1}}]</sup>: |
||
| − | openssl enc -d -in ''ramdisk.dmg'' -out ''ramdisk.decrypted.dmg'' -aes-128-cbc -K |
+ | openssl enc -d -in ''ramdisk.dmg'' -out ''ramdisk.decrypted.dmg'' -aes-128-cbc -K 188458a6d15034dfe386f23b61d43774 -iv 0 |
| − | :where ''ramdisk.dmg'' is the |
+ | :where ''ramdisk.dmg'' is the filename of the ramdisk you are decrypting (ex: the [[Snowbird 3A109a (iPhone)|iPhone 2G 1.1.1 firmware]] (3A109a) would be either <code>022-3630-9.dmg</code> or <code>022-3629-9.dmg</code>) |
:where ''ramdisk.decrypted.dmg'' is the output file name |
:where ''ramdisk.decrypted.dmg'' is the output file name |
||
| − | == 2. |
+ | === 2.0b4 - 3.0b5 === |
| − | + | With the fourth beta of 2.0, Apple introduced the [[IMG3 File Format|IMG3]] file format, replacing the broken [[IMG2]] file format. This format was soon reversed and [[img3decrypt]]<sup class="plainlinks">[[http://code.google.com/p/img3decrypt/ src]]</sup> was created by Steven Smith (@[http://twitter.com/stroughtonsmith stroughtonsmith]). His code was later implemented into [[xpwntool]]<sup class="plainlinks">[[http://github.com/planetbeing/xpwn/tree/master src]]</sup>.<!-- Or was xpwntool first and Steve made img3decrypt without knowing about it? img3decrypt was created 21 Aug 2008, but when was xpwntool? --> In order to decrypt the ramdisk, open a console and run one of the commands depending on your program choice: |
|
| + | img3decrypt e ''ramdisk.dmg'' ''ramdisk.decrypted.dmg'' ''iv'' ''key'' |
||
| − | |||
| + | xpwntool ''ramdisk.dmg'' ''ramdisk.decrypted.dmg'' -k ''key'' -iv ''iv'' |
||
| − | If you're using [[img3decrypt]], run this: |
||
| + | :where ''ramdisk.dmg'' is the filename of the ramdisk you are decrypting (ex: the [[Big Bear 5A347 (iPhone 3G)|iPhone 3G 2.0 firmware]] (5A347) would be <code>018-3783-2.dmg</code>) |
||
| − | img3decrypt e restore_ramdisk.dmg restore_ramdisk_decrypted.dmg "Ramdisk_IV" "Ramdisk_Key" |
||
| + | :where ''ramdisk.decrypted.dmg'' is the output file name |
||
| − | |||
| + | :where ''iv'' is the [[wikipedia:Initialization vector|initialization vector]] (IV) of the ramdisk you are decrypting (ex: the iPhone 3G 2.0 firmware (5A347) would be <code>29681f625d1f61271ec3116601b8bcde</code>) |
||
| − | If you're using [[xpwntool]], run this: |
||
| + | :where ''key'' is the [[wikipedia:Key (cryptography)|key]] of the ramdisk you are decrypting (ex: the iPhone 3G 2.0 firmware (5A347) would be <code>850afc271132d15ae6989565567e65bf</code>) |
||
| − | xpwntool restore_ramdisk.dmg restore_ramdisk_decrypted.dmg -k "Ramdisk_Key" -iv "Ramdisk_IV" |
||
| + | The IV and key for a specified firmware is available through the [[Firmware Keys]] page or from the <code>Info.plist</code> file underneath [[PwnageTool]]'s <code>/FirmwareBundles</code> folder. |
||
| − | |||
| − | |||
| − | Where '''restore_ramdisk.dmg''' is image of restore ramdisk and '''restore_ramdisk_decrypted.dmg''' is decrypted image, that you can mount and explore from Finder. "Ramdisk_IV" and "Ramdisk_Key" is the decryption keys that you can find at the [[Firmware Keys]] page or in the Info.plist from [[PwnageTool]] FirmwareBundles folder. |
||
| + | === 3.0GM+ === |
||
Because of the new HFS Compression used in Snow Leopard and 3.0 DMGs, you may see zero-sized files in the DMG if you don't use Snow Leopard. In order to extract those, check [[Talk:Decrypting Firmwares]]. |
Because of the new HFS Compression used in Snow Leopard and 3.0 DMGs, you may see zero-sized files in the DMG if you don't use Snow Leopard. In order to extract those, check [[Talk:Decrypting Firmwares]]. |
||
| + | ==== [[S5L8900]] ==== |
||
| − | |||
| − | == 3.0GM+ == |
||
| − | === [[S5L8900]] === |
||
To decrypt a firmware file, decrypt the encrypted key and IV in the [[KBAG]] using [[GIDecrypt]], or OpenSSL with the key 5F650295E1FFFC97CE77ABD49DD955B3 and the iv 0 |
To decrypt a firmware file, decrypt the encrypted key and IV in the [[KBAG]] using [[GIDecrypt]], or OpenSSL with the key 5F650295E1FFFC97CE77ABD49DD955B3 and the iv 0 |
||
| − | === [[S5L8720]] === |
+ | ==== [[S5L8720]] ==== |
Business as usual, but keys and IVs have to be decrypted on the device still, unlike with the new [[S5L8900]] [[KBAG]]s. Apple incorrectly assumed that by encrypting iBEC and iBSS they were being sly. They were not. You can decrypt those on a 2.2.1 aes setup no problem whatsoever. |
Business as usual, but keys and IVs have to be decrypted on the device still, unlike with the new [[S5L8900]] [[KBAG]]s. Apple incorrectly assumed that by encrypting iBEC and iBSS they were being sly. They were not. You can decrypt those on a 2.2.1 aes setup no problem whatsoever. |
||
| − | === [[S5L8920]] === |
+ | ==== [[S5L8920]] ==== |
The [[n88ap|iPhone 3GS]] firmware files are interesting. They have two [[KBAG]]s, which use AES-256 instead of the [[S5L8900]] and [[S5L8720]] that are using AES-128 still. The first KBAG has an identifier in it's header indicating that it is to be decrypted with the gid key, and the second is not known. For those that don't know how AES256 works, this now means that the first 0x10 bytes are the IV, and the remaining 0x20 bytes (not 0x10 anymore!) are the key. |
The [[n88ap|iPhone 3GS]] firmware files are interesting. They have two [[KBAG]]s, which use AES-256 instead of the [[S5L8900]] and [[S5L8720]] that are using AES-128 still. The first KBAG has an identifier in it's header indicating that it is to be decrypted with the gid key, and the second is not known. For those that don't know how AES256 works, this now means that the first 0x10 bytes are the IV, and the remaining 0x20 bytes (not 0x10 anymore!) are the key. |
||
Revision as of 18:30, 7 September 2013
iOS contains many layers of encryption. This page details how to remove the encryption wrapper around each file in the IPSW file.
Contents
Ramdisks
This section details the decryption of the ramdisks in an IPSW file. The listed console commands are applicable to the IMG2 or IMG3 files under /Firmware also.
1.0.x
With the release of the iPhone, the ramdisks weren't encrypted. So, in order to mount them, all you need to do is remove some data from the beginning. You can either open up a hex editor and remove ##### bytes from the beginning, or open up a console and run dd(1)[man]:
dd if=ramdisk.dmg of=ramdisk.stripped.dmg bs=512 skip=4 count=37464 conv=sync
- where ramdisk.dmg is the filename of the restore ramdisk (ex: the iPhone 2G 1.0 firmware (1A543a) would be
694-5259-38.dmg) - where ramdisk.stripped.dmg is the output file name
Once the data has been stripped, you can then mount ramdisk.stripped.dmg in Finder on OS X, or with any other program. If you encounter errors after mounting the stripped ramdisk, you can safely ignore them.
1.1.x - 2.0b3
With the release of the iPod touch, Apple added a layer of encryption around the ramdisks. The decryption key wasn't obscured however, and a simple analysis of iBoot by Zibri revealed the 0x837 key. At first, its purpose wasn't known. After a while, geohot discovered its purpose.
In order to decrypt them, all you need to do is remove the 0x800 byte (2 kibibytes) header, then open a console and run openssl(1)[man]:
openssl enc -d -in ramdisk.dmg -out ramdisk.decrypted.dmg -aes-128-cbc -K 188458a6d15034dfe386f23b61d43774 -iv 0
- where ramdisk.dmg is the filename of the ramdisk you are decrypting (ex: the iPhone 2G 1.1.1 firmware (3A109a) would be either
022-3630-9.dmgor022-3629-9.dmg) - where ramdisk.decrypted.dmg is the output file name
2.0b4 - 3.0b5
With the fourth beta of 2.0, Apple introduced the IMG3 file format, replacing the broken IMG2 file format. This format was soon reversed and img3decrypt[src] was created by Steven Smith (@stroughtonsmith). His code was later implemented into xpwntool[src]. In order to decrypt the ramdisk, open a console and run one of the commands depending on your program choice:
img3decrypt e ramdisk.dmg ramdisk.decrypted.dmg iv key xpwntool ramdisk.dmg ramdisk.decrypted.dmg -k key -iv iv
- where ramdisk.dmg is the filename of the ramdisk you are decrypting (ex: the iPhone 3G 2.0 firmware (5A347) would be
018-3783-2.dmg) - where ramdisk.decrypted.dmg is the output file name
- where iv is the initialization vector (IV) of the ramdisk you are decrypting (ex: the iPhone 3G 2.0 firmware (5A347) would be
29681f625d1f61271ec3116601b8bcde) - where key is the key of the ramdisk you are decrypting (ex: the iPhone 3G 2.0 firmware (5A347) would be
850afc271132d15ae6989565567e65bf)
The IV and key for a specified firmware is available through the Firmware Keys page or from the Info.plist file underneath PwnageTool's /FirmwareBundles folder.
3.0GM+
Because of the new HFS Compression used in Snow Leopard and 3.0 DMGs, you may see zero-sized files in the DMG if you don't use Snow Leopard. In order to extract those, check Talk:Decrypting Firmwares.
S5L8900
To decrypt a firmware file, decrypt the encrypted key and IV in the KBAG using GIDecrypt, or OpenSSL with the key 5F650295E1FFFC97CE77ABD49DD955B3 and the iv 0
S5L8720
Business as usual, but keys and IVs have to be decrypted on the device still, unlike with the new S5L8900 KBAGs. Apple incorrectly assumed that by encrypting iBEC and iBSS they were being sly. They were not. You can decrypt those on a 2.2.1 aes setup no problem whatsoever.
S5L8920
The iPhone 3GS firmware files are interesting. They have two KBAGs, which use AES-256 instead of the S5L8900 and S5L8720 that are using AES-128 still. The first KBAG has an identifier in it's header indicating that it is to be decrypted with the gid key, and the second is not known. For those that don't know how AES256 works, this now means that the first 0x10 bytes are the IV, and the remaining 0x20 bytes (not 0x10 anymore!) are the key.
