The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Decrypting Firmwares"
m (Missed a spot.) |
(→2.x+) |
||
Line 25: | Line 25: | ||
Where '''restore_ramdisk.dmg''' is image of restore ramdisk (for example 3.0 beta 1 iPhone GSM firmware restore ramdisk is 018-4793-1.dmg), and r'''estore_ramdisk_decrypted.dmg''' is decrypted image, that you can mount and explore from Finder. Ramdisk_IV and Ramdisk_Key is a decrypted keys that you can find in [http://www.theiphonewiki.com/wiki/index.php?title=VFDecrypt_Keys:_3.x vfdecrypt page] or in Info.plist from PwnageTool FirmwareBundles folder (when Dev Team include support for this firmware). |
Where '''restore_ramdisk.dmg''' is image of restore ramdisk (for example 3.0 beta 1 iPhone GSM firmware restore ramdisk is 018-4793-1.dmg), and r'''estore_ramdisk_decrypted.dmg''' is decrypted image, that you can mount and explore from Finder. Ramdisk_IV and Ramdisk_Key is a decrypted keys that you can find in [http://www.theiphonewiki.com/wiki/index.php?title=VFDecrypt_Keys:_3.x vfdecrypt page] or in Info.plist from PwnageTool FirmwareBundles folder (when Dev Team include support for this firmware). |
||
+ | |||
+ | P.S. |
||
+ | img3decrypt doesn't seems to work propertly with 3.0 ramdisks. The DMG becomes mountable, but 99% of files are zerosize. |
Revision as of 09:03, 5 July 2009
1.0.x
If you want to decrypt 1.0.x iPhone ramdisk you must remove some trash from the beginning of them. You can do this in Terminal.app (on Mac OS X you can find them in /Applications/Utilities/).
Unzip firmware image (change extension .ipsw to .zip and double click on archive) and find restore ramdisk. In Terminal.app enter simple command:
dd if=restore_ramdisk.dmg of=restore_ramdisk.stripped.dmg bs=512 skip=4 count=37464 conv=sync
Where restore_ramdisk.dmg is image of restore ramdisk (for example 1.0 iPhone firmware restore ramdisk is 694-5259-38.dmg), and restore_ramdisk.stripped.dmg is 'decrypted' image, that you can mount and explore from Finder.
Note: If after mounting stripped ramdisk you see errors, ignore them.
1.1.x
To decrypt the 1.1.x ramdisk, strip the first 0x800 bytes. I'm not proficient in dd, but the above command could be modified for this, or it could be done in a hex editor. Once that's complete, run this command:
openssl enc -d -in ramdisk.dmg -out de.dmg -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0
This uses the iPhone's 0x837 key which was first leaked by Zibri and had its purpose revealed on Geohot's blog.
2.x+
The ramdisk on both 2.x and 3.x firmwares is a simple img3 file, that you can decrypt using img3decrypt or xpwntool. You must download one of these utilities. For easier access, put them in /usr/local/bin
In Terminal.app enter:
img3decrypt e restore_ramdisk.dmg restore_ramdisk_decrypted.dmg Ramdisk_IV Ramdisk_Key
Where restore_ramdisk.dmg is image of restore ramdisk (for example 3.0 beta 1 iPhone GSM firmware restore ramdisk is 018-4793-1.dmg), and restore_ramdisk_decrypted.dmg is decrypted image, that you can mount and explore from Finder. Ramdisk_IV and Ramdisk_Key is a decrypted keys that you can find in vfdecrypt page or in Info.plist from PwnageTool FirmwareBundles folder (when Dev Team include support for this firmware).
P.S. img3decrypt doesn't seems to work propertly with 3.0 ramdisks. The DMG becomes mountable, but 99% of files are zerosize.