Obtaining IMG3 Keys

From The iPhone Wiki
This is one way of getting the IMG3 keys using an iBoot/iBEC patch based on the Dev Team's and Geohot's exploits.

This method is tested on both Linux and Windows.

Epic thanks to #xpwn crew on irc.osx86.hu !
==What you need==

# Pwned 1st gen iPhone on 1.1.4 OS
# ibooter from here [http://www.iphonelinux.org/index.php/IBooter]
# iBEC.m68ap.RELEASE.dfu from iPhone1,1_1.1.4_4A102_Restore.ipsw
# xpwntool from [http://www.iphone-dev.org/xpwn/xpwn-windows-nightly.zip]
# iPhuc (for Windows users only)
# Any Hex Editor
==Summary==

A function in the iBEC file is patched so that it branches to the desired memory location when the associated iBoot command is called in ibooter. The desired memory location is 0x09000000, as indicated by an earlier Geohot post, and the iBoot command chosen in this documentation is "clearenv". The memory at 0x09000000 will hold the code that enables and calls the hardware AES engine so that the KBAG data can be decrypted into the key/IV.
==Steps==

===Unpack iBEC.m68ap.RELEASE.dfu===

Using xpwntool, enter this command:

 xpwntool <original iBEC file> <unpacked iBEC file>

i.e.

 xpwntool iBEC.m68ap.RELEASE.dfu unpacked_iBEC
===Patching iBEC.m68ap.RELEASE.dfu===

Before:

 ROM:180074A0 PUSH {R4,R5,R7,LR} ;"clearenv" routine starts here
 ROM:180074A2 ADD R7, SP, #8
 ROM:180074A4 ADDS R4, R1, #0
 ROM:180074A6 CMP R0, #1
 ROM:180074A8 BGT loc_180074B4
 ROM:180074AA LDR R0, =aNotEnoughArgum

After:

 ROM:180074A0 '''LDR R3, =0x9000000'''
 ROM:180074A2 '''BX R3'''
 ROM:180074A2 ; ---------------------------------------------------------------------------
 ROM:180074A4 dword_180074A4 '''DCD 0x9000000''' ; DATA XREF: ROM:180074A0↑r
 ROM:180074A8 ; ---------------------------------------------------------------------------
 ROM:180074A8 BGT loc_180074B4
 ROM:180074AA LDR R0, =aNotEnoughArgum
You will notice that iBEC is loaded at 0x18000000, so in your hex editor the same instructions sit at file offset 0x74A0. Make the following change there:

'''0x000074A0: 00 4b 18 47 00 00 00 09'''

The idea is to make the clearenv routine branch to 0x09000000. BX is used because the code to be placed at 0x09000000 later will be ARM code, while the "clearenv" routine itself runs in Thumb mode; BX switches between the two (bit 0 of the target address is clear, so 0x09000000 is entered in ARM state). Save your modified iBEC under a new name, for example iBECmod.
===Packing the modified iBEC===

Using xpwntool:

 xpwntool iBECmod iBEC.patch -t iBEC.m68ap.RELEASE.dfu

Note that the original iBEC file has to be passed after -t as a template. iBEC.patch will be your modified, packed iBEC file.
===Executing patched iBEC in ibooter===

====Windows====

Put iPHUC and your patched iBEC in the same folder. Launch iPHUC and boot your iPhone into recovery mode. Once iPHUC recognizes your iPhone, type:

 filecopytophone iBEC.patch

It should return "filecopytophone: 0". Then type:

 cmd go

Your iPhone will reboot and immediately display a blank black screen. You are now ready to proceed with sending the payload and the KBAG that you want to decrypt.
==== Linux ====

Put your iPhone in recovery mode, connect the USB cable and launch ibooter. Press ^F (CTRL+F) and Enter; you will be prompted for a file name. Type the patched iBEC file name and press Enter. Next you will be prompted for the memory location to load it at; enter 0x9000000 and press Enter.

Now type:

 go

to execute the patched iBEC. Your iPhone will reboot into a blank screen, which is expected. You need to reconnect ibooter after the "reboot".
=== Calling The Hardware AES Engine ===

Type the following ARM code into iBooter. It is a slightly modified version of geohot's code.
 mw 0x9000000 0xe92d4090 // stmdb sp!, {r4, r7, lr}
 mw 0x9000004 0xe59f0038 // ldr r0, [pc, #56]
 mw 0x9000008 0xe59f1038 // ldr r1, [pc, #56] ; EnableDecrypt at 0x9000048
 mw 0x900000c 0xe5810000 // str r0, [r1]
 mw 0x9000010 0xe59f0024 // ldr r0, [pc, #36] ; Data ptr at 0x900003c
 mw 0x9000014 0xe3a01020 // mov r1, #32 ; 0x20 bytes to be decrypted
 mw 0x9000018 0xe3a02001 // mov r2, #1 ; 0x1
 mw 0x900001c 0xe3a03000 // mov r3, #0 ; 0x0
 mw 0x9000020 0xe1a0700d // mov r7, sp
 mw 0x9000024 0xe24dd004 // sub sp, sp, #4 ; 0x4
 mw 0x9000028 0xe58d3000 // str r3, [sp]
 mw 0x900002c 0xe59f400c // ldr r4, [pc, #12] ; AESDecrypt at 0x9000040
 mw 0x9000030 0xe12fff34 // blx r4
 mw 0x9000034 0xe1a0d007 // mov sp, r7
 mw 0x9000038 0xe8bd8090 // ldmia sp!, {r4, r7, pc}
 mw 0x900003c 0x09000100
 mw 0x9000040 0x18001791
 mw 0x9000044 0x43a343a3
 mw 0x9000048 0x180015c0
 mw 0x9000100 0x5418c5de // KBAG data from 5A347 3G restore Ramdisk
 mw 0x9000104 0x7e30b0ff
 mw 0x9000108 0x0ea9b00e
 mw 0x900010c 0x421f6288
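As an added cross-check (not part of the original wiki page or of any tool it mentions), the following Python decodes the eight patch bytes from the hex-editor step and resolves the PC-relative literal loads in the payload above against the pool addresses the comments claim. The instruction words are copied from the two listings; the Thumb and ARM PC-offset rules are the architectural ones, so the decoders work for any LDR literal, not only the ones shown here.

```python
import struct

# Thumb patch written at iBEC file offset 0x74A0; the iBEC image loads at
# 0x18000000, so once loaded these bytes sit at 0x180074A0 (values from the page).
THUMB_PATCH = bytes.fromhex("004b1847" "00000009")
THUMB_PATCH_ADDR = 0x180074A0

# The four PC-relative loads from the "mw" payload listing, as address -> word.
ARM_LITERAL_LOADS = {
    0x9000004: 0xE59F0038,  # ldr r0, [pc, #56]
    0x9000008: 0xE59F1038,  # ldr r1, [pc, #56]  ; EnableDecrypt pointer
    0x9000010: 0xE59F0024,  # ldr r0, [pc, #36]  ; data pointer
    0x900002C: 0xE59F400C,  # ldr r4, [pc, #12]  ; AESDecrypt pointer
}

def thumb_ldr_literal_target(addr, halfword):
    """Literal address of a 16-bit Thumb 'LDR Rt, [PC, #imm8*4]' (bits 15..11 = 01001).
    In Thumb state the PC reads as instruction address + 4, aligned down to a word."""
    if halfword >> 11 != 0b01001:
        raise ValueError("not a Thumb LDR (literal): 0x%04x" % halfword)
    return ((addr + 4) & ~3) + (halfword & 0xFF) * 4

def is_thumb_bx(halfword, rm):
    """True if halfword encodes 'BX Rm' (0100 0111 0 Rm 000)."""
    return halfword == (0x4700 | (rm << 3))

def arm_ldr_literal_target(addr, word):
    """Literal address of an ARM 'LDR Rt, [PC, #+/-imm12]'.
    In ARM state the PC reads as instruction address + 8."""
    if (word & 0x0F7F0000) != 0x051F0000:        # LDR imm, P=1, W=0, L=1, Rn=PC
        raise ValueError("not an ARM LDR [pc, #imm]: 0x%08x" % word)
    imm12 = word & 0xFFF
    return addr + 8 + (imm12 if word & (1 << 23) else -imm12)   # bit 23 = U (add/sub)

def check_thumb_patch():
    """Decode the 8 patch bytes: LDR R3 literal, BX R3, then the 32-bit literal word."""
    ldr, bx, literal = struct.unpack("<HHI", THUMB_PATCH)
    pool = thumb_ldr_literal_target(THUMB_PATCH_ADDR, ldr)
    return {
        "pool_addr": pool,                          # where the LDR reads from
        "pool_is_dcd": pool == THUMB_PATCH_ADDR + 4, # must be the DCD right after BX
        "bx_r3": is_thumb_bx(bx, 3),
        "target": literal,
        "target_is_arm": (literal & 1) == 0,        # bit 0 clear: BX enters ARM state
    }

def resolve_arm_pool():
    """Map each ARM LDR in the payload to the literal-pool word it actually reads."""
    return {a: arm_ldr_literal_target(a, w) for a, w in ARM_LITERAL_LOADS.items()}
```

The four resolved pool addresses should match the 0x900003c/0x9000040/0x9000048 annotations in the listing; a mismatch would mean a word was typed at the wrong address.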
Now we call "clearenv" in iBooter to execute the payload written above (recall that "clearenv" in iBEC was patched to branch to that memory location). Simply type

 clearenv

and press Enter.
=== Get The Keys/IV ===

Phew!!

Now, let's get the goodies. Simply type:

 mdb 0x9000100

This dumps the memory at 0x9000100, where the payload decrypted the KBAG. Let's see what you get in there!!!!
== Notes ==

There exists a much easier method for getting the keys/IVs (a matter of typing just one command line), but this is more fun. ;)

Revision as of 06:29, 7 November 2009
