https://www.theiphonewiki.com/w/api.php?action=feedcontributions&feedformat=atom&user=Him121213The iPhone Wiki - User contributions [en]2026-06-06T12:34:15ZUser contributionsMediaWiki 1.31.14https://www.theiphonewiki.com/w/index.php?title=KBAG&diff=3727KBAG2009-05-20T03:37:51Z<p>Him121213: </p>
<hr />
<div>==Explanation==<br />
In Apple's new IMG3 security scheme, they have used something called a KBAG. At the bottom of a firmware file, you will see something that will, on the ASCII side of your hex editor, see "GABK", which is "KBAG" flipped. Look on the hex side and you will the KBAG according to this format:<br />
<br />
==KBAG Format==<br />
===KBAG128===<br />
<pre><br />
typedef struct Unparsed_KBAG_128 {<br />
char[4] magic; // string with bits flipped = "KBAG" (magic = 0x4741424B)<br />
int tagFullSize; // size of KBAG from beyond that point to the end of it<br />
int tagDataSize; // size of just the tag info, not this 0xC "header"<br />
int IV_Key_Crypt_state; // 1 if the key and IV in the KBAG are encrypted with the GID key, 0 if not.<br />
int AES_Type; // 0x80 = aes128 / 0xc0 = aes192 / 0x100 = aes256<br />
char[16] Enc_IV; // IV for the firmware file, encrypted with the gid key<br />
char[16] Enc_Key; // Key for the firmware file, encrypted with the gid key.<br />
} Unparsed_KBAG_AES128;<br />
</pre><br />
<br />
===KBAG192===<br />
<pre><br />
typedef struct Unparsed_KBAG_AES192 {<br />
char[4] magic; // string with bits flipped = "KBAG" (magic = 0x4741424B)<br />
int fullSize; // size of KBAG from beyond that point to the end of it<br />
int unk1; // 8 less than fullSize. not sure what it is exactly.<br />
int IV_Key_Crypt_state; // 1 if the key and IV in the KBAG are encrypted with the GID key, 0 if not.<br />
int AES_Type; // 0x80 = aes128 / 0xc0 = aes192 / 0x100 = aes256<br />
char[16] Enc_IV; // IV for the firmware file, encrypted with the gid key<br />
char[24] Enc_Key; // Key for the firmware file, encrypted with the gid key.<br />
} Unparsed_KBAG_AES192;<br />
</pre><br />
<br />
===KBAG256===<br />
<pre><br />
typedef struct Unparsed_KBAG_256 {<br />
char[4] magic; // string with bits flipped = "KBAG" (magic = 0x4741424B)<br />
int fullSize; // size of KBAG from beyond that point to the end of it<br />
int unk1; // 8 less than fullSize. not sure what it is exactly.<br />
int IV_Key_Crypt_state; // 1 if the key and IV in the KBAG are encrypted with the GID key, 0 if not.<br />
int AES_Type; // 0x80 = aes-128, 0xc0 = aes-192, 0x100 = aes256<br />
char[16] Enc_IV; // IV for the firmware file, encrypted with the gid key<br />
char[32] Enc_Key; // Key for the firmware file, encrypted with the gid key.<br />
} Unparsed_KBAG_AES256;<br />
</pre><br />
<br />
==How it works==<br />
Basically, it just boils down to using the iPhone / iPod group id key to decrypt Enc_IV and Enc_Key, then using that key and IV to decrypt the DATA section of the file (the code itself).<br />
<br />
As an interesting side note, because of the circumstances with the [[IMG3]] format, the Kernel never needs to even touch the gid key anymore, as it's job is to just flash the image to the [[NOR]] as is, with container and all.</div>Him121213