Difference between revisions of "IMG3 File Format"

From The iPhone Wiki
Line 3: Line 3:
 
==Header==
 
==Header==
 
struct Img3 {
 
struct Img3 {
unsigned int magic; // fourcc="IMG3"
+
u32 magic; // fourcc="IMG3"
unsigned int fullSize; // full size of fw image
+
u32 fullSize; // full size of fw image
unsigned int sizeNoPack; // size of fw image without header
+
u32 sizeNoPack; // size of fw image without header
unsigned int sigCheckArea; // although that is just my name for it, this is the
+
u32 sigCheckArea; // although that is just my name for it, this is the
// size of the start of the data section (the code) up to
+
// size of the start of the data section (the code) up to
// the start of the RSA signature (SHSH section)
+
// the start of the RSA signature (SHSH section)
unsigned int iden; // identifier of image, used when bootrom is parsing images
+
u32 iden; // identifier of image, used when bootrom is parsing images
// list to find LLB (illb), LLB parsing it to find iBoot (ibot),
+
// list to find LLB (illb), LLB parsing it to find iBoot (ibot),
// etc.
+
// etc.
 
 
 
} typedef Img3;
 
} typedef Img3;
   
 
==Tag Format==
 
==Tag Format==
unsigned int magic;
+
u32 magic;
unsigned int total_length; //data_length+0xC
+
u32 total_length; // data_length+0xC
unsigned int data_length;
+
u32 data_length;
   
 
==Tags==
 
==Tags==
 
VERS: Version
 
VERS: Version
SEPO: Unknown
+
[[SEPO]]: Security Epoch
  +
[[SDOM]]: Security Domain
PROD: Processor to be used with.
 
  +
[[PROD]]: Production Mode
CHIP: Chip to be used with. "0x8900" for [[S5L8900]] and "0x8720" for [[S5L8720]]. Instead of there being a check against some piece of hardware, whatever is verifying this (bootrom / iBoot / LLB / etc.) has this hardcoded in.
 
BORD: Board to be used with
+
[[CHIP]]: Chip to be used with. example: "0x8900" for [[S5L8900]].
  +
[[BORD]]: Board to be used with
 
[[KBAG]]: contains the KEY and IV required to decrypt encrypted with the [[GID-key]]
 
[[KBAG]]: contains the KEY and IV required to decrypt encrypted with the [[GID-key]]
SHSH: RSA encrypted SHA1 hash of the file
+
[[SHSH]]: RSA encrypted SHA1 hash of the file
CERT: Certificate
+
[[CERT]]: Certificate
 
[[ECID]]: Exclusive Chip ID unique to every device with iPhone OS.
 
[[ECID]]: Exclusive Chip ID unique to every device with iPhone OS.
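Review bot: the rewritten [[CHIP]] line drops the old remark that whatever verifies the tag (bootrom / iBoot / LLB) has the chip value hardcoded rather than checking a piece of hardware, and also drops the "0x8720" for [[S5L8720]] example. That remark is the security-relevant part of the entry, so keep it here or move it to the [[CHIP]] page. In the struct, u32 replaces unsigned int without being defined anywhere on the page; add a one-line note that it is a 32-bit unsigned integer.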
   
Line 36: Line 37:
   
 
==Encryption==
 
==Encryption==
Apple got smarter this time, requiring the Hardware AES engine to be run per file. Decrypt the [[KBAG]] tag data (0x20 byte?) with the hardware AES engine and get the 0x10 byte IV and the 0x10 byte KEY.
+
Apple got smarter this time, requiring the Hardware AES engine to be run per file. Decrypt the [[KBAG]] tag data with the [[GID-key]] to get the key and IV, and use those to decrypt the [[DATA]] section of the firmware file.
   
iBoot has support for aes-192 and aes-256 also. In the current method, iBoot will always use the first 16 bytes as the IV, then the remaining 16 (aes-128, current method), 24 (aes-192), or 32 (aes-256) bytes for the key.
+
In the current method, iBoot will always use the first 16 bytes of the [[KBAG]] as the IV, then the remaining 16 (aes-128, used with [[S5L8900]] and [[S5L8720]]), 24 (aes-192), or 32 (aes-256, used with [[S5L8920]]) bytes for the key.
   
 
==Resources==
 
==Resources==
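Review bot: in the second Encryption paragraph, "the first 16 bytes of the [[KBAG]]" does not say whether it means the tag data as stored or the result of decrypting it with the [[GID-key]]. The first paragraph implies the latter, so write "the decrypted [[KBAG]]". The new first paragraph also links [[DATA]], which is not listed under ==Tags==, and removes the old size hint for the KBAG payload ("0x20 byte?"); add DATA to the tag list, and state the payload size again if it is known.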

Revision as of 13:28, 7 August 2009

This is the replacement for the IMG2 File Format from firmware 2.0 onward.

Header

#include <stdint.h>
typedef uint32_t u32;     // 32-bit unsigned integer

typedef struct Img3 {
    u32          magic;   // fourcc="IMG3"
    u32       fullSize;   // full size of fw image
    u32     sizeNoPack;   // size of fw image without header
    u32   sigCheckArea;   // although that is just my name for it, this is the
                          // size of the start of the data section (the code) up to
                          // the start of the RSA signature (SHSH section)
    u32           iden;   // identifier of image, used when bootrom is parsing images
                          // list to find LLB (illb), LLB parsing it to find iBoot (ibot),
                          // etc.
} Img3;

Tag Format

u32          magic;
u32   total_length;   // data_length+0xC
u32    data_length;

Tags

VERS: Version
SEPO: Security Epoch
SDOM: Security Domain
PROD: Production Mode
CHIP: Chip to be used with. example: "0x8900" for S5L8900.
BORD: Board to be used with
KBAG: contains the KEY and IV required to decrypt the image; the KEY and IV are themselves encrypted with the GID-key
SHSH: RSA encrypted SHA1 hash of the file
CERT: Certificate
ECID: Exclusive Chip ID unique to every device with iPhone OS.

Signature Check

Decryption of the signature is done using the modulus at cert + 0xA15.
The range from 0xC to HSHS is hashed with SHA.

Encryption

Apple got smarter this time, requiring the Hardware AES engine to be run per file. Decrypt the KBAG tag data with the GID-key to get the key and IV, and use those to decrypt the DATA section of the firmware file.

In the current method, iBoot will always use the first 16 bytes of the KBAG as the IV, then the remaining 16 (aes-128, used with S5L8900 and S5L8720), 24 (aes-192), or 32 (aes-256, used with S5L8920) bytes for the key.
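
A bounds-checked walk of the tag list from the Tag Format section, together with the IV/key split described above, as an added example (not code from the wiki or from any Apple component). It assumes little-endian u32 fields, tags that start right after the 20-byte header, and a total_length that may exceed data_length+0xC because of padding; the function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FOURCC(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))
#define IMG3_HDR 20u  /* five u32 fields of struct Img3 */
#define TAG_HDR 0xCu  /* magic, total_length, data_length */

/* Assumption: every u32 is stored little-endian. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Find a tag by fourcc. Returns 0 = found, -1 = absent, -2 = malformed lengths. */
int img3_find_tag(const uint8_t *buf, size_t len, uint32_t want, const uint8_t **data, uint32_t *dlen) {
    if (len < IMG3_HDR || rd32(buf + 8) > len - IMG3_HDR) return -2;  /* sizeNoPack must fit */
    size_t off = IMG3_HDR, end = (size_t)IMG3_HDR + rd32(buf + 8);
    while (off < end) {
        if (end - off < TAG_HDR) return -2;                    /* truncated tag header */
        uint32_t total = rd32(buf + off + 4), n = rd32(buf + off + 8);
        if (total < TAG_HDR || total > end - off) return -2;   /* would loop forever or overrun */
        if (n > total - TAG_HDR) return -2;                    /* data_length exceeds the tag */
        if (rd32(buf + off) == want) { *data = buf + off + TAG_HDR; *dlen = n; return 0; }
        off += total;
    }
    return -1;
}

/* Split a decrypted KBAG: 16-byte IV, then a 16/24/32-byte key. Returns key length, 0 if invalid. */
size_t kbag_split(const uint8_t *plain, size_t n, const uint8_t **iv, const uint8_t **key) {
    if (n != 32 && n != 40 && n != 48) return 0;
    *iv = plain;
    *key = plain + 16;
    return n - 16;
}

/* Constructed sample (not a real firmware image): header, 4-byte VERS tag, 32-byte KBAG tag. */
size_t sample_image(uint8_t out[80]) {
    memset(out, 0, 80);
    wr32(out, FOURCC('I', 'M', 'G', '3')); wr32(out + 4, 80); wr32(out + 8, 60);
    wr32(out + 20, FOURCC('V', 'E', 'R', 'S')); wr32(out + 24, 16); wr32(out + 28, 4);
    wr32(out + 36, FOURCC('K', 'B', 'A', 'G')); wr32(out + 40, 44); wr32(out + 44, 32);
    return 80;
}

int main(void) {
    uint8_t img[80]; const uint8_t *d; uint32_t n;
    printf("KBAG lookup: %d\n", img3_find_tag(img, sample_image(img), FOURCC('K', 'B', 'A', 'G'), &d, &n));
    return 0;
}
```

The two length checks inside the loop are what keep a parser of this layout from reading past the buffer or spinning on a tag whose total_length is smaller than its own header.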

Resources

cmw's IMG3 Unpacker