Difference between revisions of "KBAG"

(How it works)
(no point in fixing C fails as it's for explanation use, but it annoyed me....)
Line 6: Line 6:
 
<pre>
 
<pre>
 
typedef struct Unparsed_KBAG_128 {
 
typedef struct Unparsed_KBAG_128 {
char[4] magic; // string with bits flipped = "KBAG" (magic = 0x4741424B)
+
int magic; // string with bits flipped = "KBAG" (magic = 0x4741424B)
int tagFullSize; // size of KBAG from beyond that point to the end of it
+
int tagFullSize; // size of KBAG from beyond that point to the end of it
int tagDataSize; // size of just the tag info, not this 0xC "header"
+
int tagDataSize; // size of KBAG without this 0xC header
int IV_Key_Crypt_state; // 1 if the key and IV in the KBAG are encrypted with the GID key, 0 if not.
+
int cryptState; // 1 if the key and IV in the KBAG are encrypted with the [[GID-Key]]
int AES_Type; // 0x80 = aes128 / 0xc0 = aes192 / 0x100 = aes256
+
// 2 is used with a second KBAG for the [[S5L8920]], use is unknown.
char[16] Enc_IV; // IV for the firmware file, encrypted with the gid key
+
int aesType; // 0x80 = aes128 / 0xc0 = aes192 / 0x100 = aes256
char[16] Enc_Key; // Key for the firmware file, encrypted with the gid key.
+
char* EncIV[16]; // IV for the firmware file, encrypted with the [[GID-Key]]
  +
char* EncKey[16]; // Key for the firmware file, encrypted with the [[GID-Key]]
 
} Unparsed_KBAG_AES128;
 
} Unparsed_KBAG_AES128;
 
</pre>
 
</pre>
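Review bot: `char* EncIV[16];` and `char* EncKey[16];` on the new side declare arrays of sixteen pointers, not sixteen bytes, so the struct no longer describes the 16-byte IV and key its own comments talk about, and its size would no longer match the 0xC header plus data that the size comments describe; the old `char[16]` was not valid C either, but the intent is plain byte arrays, `unsigned char EncIV[16];` and `unsigned char EncKey[16];`. The same pointer-array form appears in the KBAG192 and KBAG256 blocks below (`EncKey[24]`, `EncKey[32]`). The `magic` comment's "bits flipped" is really the bytes in reverse order — the page itself says "GABK" is what appears in the file for 0x4741424B — so `// "KBAG" with its bytes reversed, seen as "GABK" in the file (0x4741424B)` would say it more precisely.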
Line 19: Line 20:
 
<pre>
 
<pre>
 
typedef struct Unparsed_KBAG_AES192 {
 
typedef struct Unparsed_KBAG_AES192 {
char[4] magic; // string with bits flipped = "KBAG" (magic = 0x4741424B)
+
int magic; // string with bits flipped = "KBAG" (magic = 0x4741424B)
int fullSize; // size of KBAG from beyond that point to the end of it
+
int fullSize; // size of KBAG from beyond that point to the end of it
int unk1; // 8 less than fullSize. not sure what it is exactly.
+
int tagDataSize; // size of KBAG without this 0xC header
int IV_Key_Crypt_state; // 1 if the key and IV in the KBAG are encrypted with the GID key, 0 if not.
+
int cryptState; // 1 if the key and IV in the KBAG are encrypted with the [[GID-Key]]
int AES_Type; // 0x80 = aes128 / 0xc0 = aes192 / 0x100 = aes256
+
// 2 is used with a second KBAG for the [[S5L8920]], use is unknown.
char[16] Enc_IV; // IV for the firmware file, encrypted with the gid key
+
int aesType; // 0x80 = aes128 / 0xc0 = aes192 / 0x100 = aes256
char[24] Enc_Key; // Key for the firmware file, encrypted with the gid key.
+
char* EncIV[16]; // IV for the firmware file, encrypted with the [[GID-Key]]
  +
char* EncKey[24]; // Key for the firmware file, encrypted with the [[GID-Key]]
 
} Unparsed_KBAG_AES192;
 
} Unparsed_KBAG_AES192;
 
</pre>
 
</pre>
Line 32: Line 34:
 
<pre>
 
<pre>
 
typedef struct Unparsed_KBAG_256 {
 
typedef struct Unparsed_KBAG_256 {
char[4] magic; // string with bits flipped = "KBAG" (magic = 0x4741424B)
+
int magic; // string with bits flipped = "KBAG" (magic = 0x4741424B)
int fullSize; // size of KBAG from beyond that point to the end of it
+
int fullSize; // size of KBAG from beyond that point to the end of it
int unk1; // 8 less than fullSize. not sure what it is exactly.
+
int tagDataSize; // size of KBAG without this 0xC header
int IV_Key_Crypt_state; // 1 if the key and IV in the KBAG are encrypted with the GID key, 0 if not.
+
int cryptState; // 1 if the key and IV in the KBAG are encrypted with the [[GID-Key]]
int AES_Type; // 0x80 = aes-128, 0xc0 = aes-192, 0x100 = aes256
+
// 2 is used with a second KBAG for the [[S5L8920]], use is unknown.
char[16] Enc_IV; // IV for the firmware file, encrypted with the gid key
+
int aesType; // 0x80 = aes-128, 0xc0 = aes-192, 0x100 = aes256
char[32] Enc_Key; // Key for the firmware file, encrypted with the gid key.
+
char* EncIV[16]; // IV for the firmware file, encrypted with the [[GID-Key]]
  +
char* EncKey[32]; // Key for the firmware file, encrypted with the [[GID-Key]]
 
} Unparsed_KBAG_AES256;
 
} Unparsed_KBAG_AES256;
 
</pre>
 
</pre>

Revision as of 14:31, 12 August 2009

Explanation

In Apple's new IMG3 security scheme, they have used something called a KBAG. At the bottom of a firmware file, on the ASCII side of your hex editor, you will see "GABK", which is "KBAG" reversed. Look on the hex side and you will see the KBAG laid out according to this format:

KBAG Format

KBAG128

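typedef struct Unparsed_KBAG_128 {
    /* KBAG tag carrying an AES-128 IV/key pair, laid out as it appears in the file.
     * The three leading ints form the 0xC-byte header the size comments refer to,
     * so each int is taken to be 4 bytes (a fixed-width type would make that
     * explicit). The IV and key are raw 16-byte arrays, not pointers. */
    int magic;                // "KBAG" with its bytes reversed, seen as "GABK" in the file (0x4741424B)
    int tagFullSize;          // size of the KBAG from after this field to the end of the tag
    int tagDataSize;          // size of the KBAG without this 0xC header
    int cryptState;           // 1: the key and IV below are encrypted with the [[GID-Key]]
                              // 2: seen with a second KBAG on the [[S5L8920]], use unknown
    int aesType;              // 0x80 = aes128 / 0xc0 = aes192 / 0x100 = aes256
    unsigned char EncIV[16];  // IV for the firmware file, encrypted with the [[GID-Key]]
    unsigned char EncKey[16]; // key for the firmware file, encrypted with the [[GID-Key]]
} Unparsed_KBAG_AES128;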

KBAG192

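typedef struct Unparsed_KBAG_AES192 {
    /* KBAG tag carrying an AES-192 IV/key pair, laid out as it appears in the file.
     * The three leading ints form the 0xC-byte header the size comments refer to,
     * so each int is taken to be 4 bytes (a fixed-width type would make that
     * explicit). The IV is a raw 16-byte array and the key a raw 24-byte array. */
    int magic;                // "KBAG" with its bytes reversed, seen as "GABK" in the file (0x4741424B)
    int fullSize;             // size of the KBAG from after this field to the end of the tag
    int tagDataSize;          // size of the KBAG without this 0xC header
    int cryptState;           // 1: the key and IV below are encrypted with the [[GID-Key]]
                              // 2: seen with a second KBAG on the [[S5L8920]], use unknown
    int aesType;              // 0x80 = aes128 / 0xc0 = aes192 / 0x100 = aes256
    unsigned char EncIV[16];  // IV for the firmware file, encrypted with the [[GID-Key]]
    unsigned char EncKey[24]; // key for the firmware file, encrypted with the [[GID-Key]]
} Unparsed_KBAG_AES192;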

KBAG256

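typedef struct Unparsed_KBAG_256 {
    /* KBAG tag carrying an AES-256 IV/key pair, laid out as it appears in the file.
     * The three leading ints form the 0xC-byte header the size comments refer to,
     * so each int is taken to be 4 bytes (a fixed-width type would make that
     * explicit). The IV is a raw 16-byte array and the key a raw 32-byte array. */
    int magic;                // "KBAG" with its bytes reversed, seen as "GABK" in the file (0x4741424B)
    int fullSize;             // size of the KBAG from after this field to the end of the tag
    int tagDataSize;          // size of the KBAG without this 0xC header
    int cryptState;           // 1: the key and IV below are encrypted with the [[GID-Key]]
                              // 2: seen with a second KBAG on the [[S5L8920]], use unknown
    int aesType;              // 0x80 = aes-128, 0xc0 = aes-192, 0x100 = aes256
    unsigned char EncIV[16];  // IV for the firmware file, encrypted with the [[GID-Key]]
    unsigned char EncKey[32]; // key for the firmware file, encrypted with the [[GID-Key]]
} Unparsed_KBAG_AES256;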

How it works

Basically, it just boils down to using the iPhone / iPod group id key to decrypt Enc_IV and Enc_Key, then using that key and IV to decrypt the DATA section of the file (the code itself).

As an interesting side note, because of the circumstances of the IMG3 format, the kernel never even needs to touch the GID key anymore, as its job is just to flash the image to the NOR as is, container and all.