https://www.theiphonewiki.com/w/api.php?action=feedcontributions&feedformat=atom&user=Fox8091The iPhone Wiki - User contributions [en]2026-05-22T01:09:38ZUser contributionsMediaWiki 1.31.14https://www.theiphonewiki.com/w/index.php?title=KBAG&diff=101531KBAG2020-03-16T20:26:21Z<p>Fox8091: Fix spelling & make consistant</p>
<hr />
<div>Apple's [[IMG3 File Format|IMG3]] and [[IMG4 File Format|IMG4]] security scheme uses a data format called a '''KBAG'''. At the bottom of a firmware file, you will see something that will, on the ASCII side of your hex editor, say "GABK", which, as ARM is [[wikipedia:little-endian|little-endian]] based, is "KBAG" flipped. Look on the hex side and you will see the KBAG according to this format:<br />
<br />
== How it works ==<br />
It boils down to using the [[GID Key]] to decrypt <code>encIV</code> and <code>encKey</code>, then using that key and IV to decrypt the DATA section of the file (the code itself).<br />
<br />
Because of the circumstances with the [[IMG3 File Format]], the kernel never needs to even touch the [[GID Key]] anymore, as its job is to just flash the image to the [[NOR]] as is, with container and all.<br />
<br />
In order to decrypt the KBAG for img3, you need to remove them using this command: <code>dd if=IMG3_FILE bs=1 skip=4741424B count=0x70</code> or for img4, <code>dd if=IMG4FILE bs=44 skip=1 | openssl enc -aes-256-cbc -d -nopad -iv IV -K KEY > OUTPUTFILE</code><br />
<br />
To grab the KBAG for img3 files, you'd run <code>xpwntool /path/to/img3/ /dev/null</code>. <br />
<br />
This is different with img4 files. For these, you can use [https://github.com/xerub/img4lib img4lib] and run the following command: <code>img4 -i /path/to/image.im4p -b</code>.<br />
<br />
==KBAG Format==<br />
===KBAG128===<br />
typedef struct Unparsed_KBAG_AES128 {<br />
uint32_t magic; // string with bytes flipped ("KBAG" in little endian)<br />
uint32_t fullSize; // size of KBAG from beyond that point to the end of it<br />
uint32_t tagDataSize; // size of KBAG without this 0xC header<br />
uint32_t cryptState; // 1 if the key and IV in the KBAG are encrypted with the [[GID Key]]<br />
// 2 is used with a second KBAG for the [[S5L8920]], use is unknown.<br />
uint32_t aesType; // 0x80 = aes128 / 0xc0 = aes192 / 0x100 = aes256<br />
uint8_t encIV[16]; // IV for the firmware file, encrypted with the [[GID Key]]<br />
uint8_t encKey[16]; // Key for the firmware file, encrypted with the [[GID Key]]<br />
} UnparsedKbagAes128_t;<br />
<br />
===KBAG192===<br />
typedef struct Unparsed_KBAG_AES192 {<br />
uint32_t magic; // string with bytes flipped ("KBAG" in little endian)<br />
uint32_t fullSize; // size of KBAG from beyond that point to the end of it<br />
uint32_t tagDataSize; // size of KBAG without this 0xC header<br />
uint32_t cryptState; // 1 if the key and IV in the KBAG are encrypted with the [[GID Key]]<br />
// 2 is used with a second KBAG for the [[S5L8920]], use is unknown.<br />
uint32_t aesType; // 0x80 = aes128 / 0xc0 = aes192 / 0x100 = aes256<br />
uint8_t encIV[16]; // IV for the firmware file, encrypted with the [[GID Key]]<br />
uint8_t encKey[24]; // Key for the firmware file, encrypted with the [[GID Key]]<br />
} UnparsedKbagAes192_t;<br />
<br />
===KBAG256===<br />
typedef struct Unparsed_KBAG_256 {<br />
uint32_t magic; // string with bytes flipped ("KBAG" in little endian)<br />
uint32_t fullSize; // size of KBAG from beyond that point to the end of it<br />
uint32_t tagDataSize; // size of KBAG without this 0xC header<br />
uint32_t cryptState; // 1 if the key and IV in the KBAG are encrypted with the [[GID Key]]<br />
// 2 is used with a second KBAG for the [[S5L8920]], use is unknown.<br />
uint32_t aesType; // 0x80 = aes128 / 0xc0 = aes192 / 0x100 = aes256<br />
uint8_t encIV[16]; // IV for the firmware file, encrypted with the [[GID Key]]<br />
uint8_t encKey[32]; // Key for the firmware file, encrypted with the [[GID Key]]<br />
} UnparsedKbagAes256_t;<br />
<br />
<br />
[[Category:Firmware Tags]]</div>Fox8091https://www.theiphonewiki.com/w/index.php?title=YukonB_17B111_(iPhone8,4)&diff=99200YukonB 17B111 (iPhone8,4)2020-02-19T04:06:22Z<p>Fox8091: Add partial 13.2.3 keys</p>
<hr />
<div>{{keys<br />
| Version = 13.2.3<br />
| Build = 17B111<br />
| Device = iPhone8,4<br />
| Codename = YukonB<br />
| DownloadURL = http://updates-http.cdn-apple.com/2019FallFCS/fullrestores/061-49534/9B7159D2-0698-11EA-8279-C2B9E97E1FF8/iPhone_4.0_64bit_13.2.3_17B111_Restore.ipsw<br />
<br />
| Model = N69AP<br />
| Model2 = N69uAP<br />
<br />
| RootFS = 048-90764-106<br />
| RootFSKey = Not Encrypted<br />
<br />
| UpdateRamdisk = 048-90336-111<br />
| UpdateRamdiskIV = Not Encrypted<br />
<br />
| RestoreRamdisk = 048-90011-111<br />
| RestoreRamdiskIV = Not Encrypted<br />
<br />
| AOP = aopfw-s8000aop.im4p<br />
| AOPIV = Not Encrypted<br />
<br />
| AppleLogo = applelogo@2x~iphone.im4p<br />
| AppleLogoIV = Not Encrypted<br />
<br />
| BatteryCharging0 = batterycharging0@2x~iphone.im4p<br />
| BatteryCharging0IV = Not Encrypted<br />
<br />
| BatteryCharging1 = batterycharging1@2x~iphone.im4p<br />
| BatteryCharging1IV = Not Encrypted<br />
<br />
| BatteryFull = batteryfull@2x~iphone.im4p<br />
| BatteryFullIV = Not Encrypted<br />
<br />
| BatteryLow0 = batterylow0@2x~iphone.im4p<br />
| BatteryLow0IV = Not Encrypted<br />
<br />
| BatteryLow1 = batterylow1@2x~iphone.im4p<br />
| BatteryLow1IV = Not Encrypted<br />
<br />
| DeviceTree = DeviceTree.n69uap.im4p<br />
| DeviceTreeIV = Not Encrypted<br />
<br />
| GlyphPlugin = glyphplugin@1136~iphone-lightning.im4p<br />
| GlyphPluginIV = Not Encrypted<br />
<br />
| iBEC = iBEC.n69.RELEASE.im4p<br />
| iBECIV = Unknown<br />
| iBECKey = Unknown<br />
<br />
| iBEC2 = iBEC.n69u.RELEASE.im4p<br />
| iBEC2IV = e0d9a06cad043f8b505736ce8bec87c3<br />
| iBEC2Key = bc5c628b24b43d40d965a77a344caacce75822ee4091051660dbc15e7466d064<br />
<br />
| iBoot = iBoot.n69.RELEASE.im4p<br />
| iBootIV = Unknown<br />
| iBootKey = Unknown<br />
<br />
| iBoot2 = iBoot.n69u.RELEASE.im4p<br />
| iBoot2IV = da902ec9c927978c7e76e5fa353d8bd6<br />
| iBoot2Key = c92739cf3b09d9147cd709e0a31333141af0ffc70a9b46610209f19d34e893f6<br />
<br />
| iBSS = iBSS.n69.RELEASE.im4p<br />
| iBSSIV = Unknown<br />
| iBSSKey = Unknown<br />
<br />
| iBSS2 = iBSS.n69u.RELEASE.im4p<br />
| iBSS2IV = cca4f18dc5705ee3a0b7e34f088bc2b2<br />
| iBSS2Key = 88d47fc121bdcd647667b731c985f4896bef8051673ca4f03a5c5857763d0d57<br />
<br />
| Kernelcache = kernelcache.release.iphone8b<br />
| KernelcacheIV = Not Encrypted<br />
<br />
| LLB = LLB.n69.RELEASE.im4p<br />
| LLBIV = Unknown<br />
| LLBKey = Unknown<br />
<br />
| LLB2 = LLB.n69u.RELEASE.im4p<br />
| LLB2IV = 2ff9bee41a12b216135bb7cc01d984ce<br />
| LLB2Key = 42930cdd0c7827180d08d2af5637d4e45bcf82e7caa1f10ab0e9fdf6999095db<br />
<br />
| RecoveryMode = recoverymode@1136~iphone-lightning.im4p<br />
| RecoveryModeIV = Not Encrypted<br />
<br />
| SEPFirmware = sep-firmware.n69.RELEASE.im4p<br />
| SEPFirmwareIV = Unknown<br />
| SEPFirmwareKey = Unknown<br />
| SEPFirmwareKBAG = Unknown<br />
<br />
| SEPFirmware2 = sep-firmware.n69u.RELEASE.im4p<br />
| SEPFirmware2IV = Unknown<br />
| SEPFirmware2Key = Unknown<br />
| SEPFirmware2KBAG = ec0b36b06561a0c66923523ae282f579dbee4f795dfa116f978483eccd7bc509952836d52a149ad51e405a6b818e2e8c<br />
<br />
}}</div>Fox8091