|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "AES Keys"
m |
(mention key 0x835 and reformulated key 0x837 infos - some conclusions of me, hopefully correct, feel free to update if you know better) |
||
| Line 11: | Line 11: | ||
See [[Easier method of getting Img3 Key / IV]] for an [[iBoot (Bootloader)|iBoot]] patch. |
See [[Easier method of getting Img3 Key / IV]] for an [[iBoot (Bootloader)|iBoot]] patch. |
||
| + | |||
| + | ==Key 0x835== |
||
| + | This is the [[UID-key]]. |
||
==Key 0x837== |
==Key 0x837== |
||
| − | Generated by encrypting 345A2D6C5050D058780DA431F0710E15 with the [[S5L8900]] [[GID-key]] |
+ | Generated by encrypting 345A2D6C5050D058780DA431F0710E15 with the [[S5L8900]] [[GID-key]], resulting in 188458A6D15034DFE386F23B61D43774. |
| − | It is used as the encryption key for [[S5L File Formats#IMG2|IMG2 files]]. With the introduction of [[IMG3 File Format|IMG3]] in 2.0, [[KBAG]]s are now used instead of the 0x837 key. |
+ | It is used as the encryption key for [[S5L File Formats#IMG2|IMG2 files]]. With the introduction of [[IMG3 File Format|IMG3]] in iOS 2.0, [[KBAG]]s are now used instead of the 0x837 key. Because iOS versions 1.x were used only on the [[M68ap|iPhone]] and [[N45ap|iPod touch]] (both use the [[S5L8900]]) the encrypted values for other processors don't matter. |
==Using [[Greenpois0n (toolkit)|greenpois0n]] to get the keys== |
==Using [[Greenpois0n (toolkit)|greenpois0n]] to get the keys== |
||
Revision as of 11:58, 27 May 2011
The Template:Wp in each device have an Template:Wp coprocessor with the GID-key and UID-key built in.
Contents
Running The Engine
Currently, there are several ways to run the hardware AES engine:
- Patch iBoot to jump to aes_decrypt.
- Use OpenIBoot.
- Use the crypto bundle provided in XPwn to utilize it via userland. This method requires a kernel patch.
- Use Greenpois0n console.
If you want to decrypt IMG3 files you need to use this. The GID-key currently has not been extracted from the phone, so the only way to use it is on the phone itself.
See Easier method of getting Img3 Key / IV for an iBoot patch.
Key 0x835
This is the UID-key.
Key 0x837
Generated by encrypting 345A2D6C5050D058780DA431F0710E15 with the S5L8900 GID-key, resulting in 188458A6D15034DFE386F23B61D43774.
It is used as the encryption key for IMG2 files. With the introduction of IMG3 in iOS 2.0, KBAGs are now used instead of the 0x837 key. Because iOS versions 1.x were used only on the iPhone and iPod touch (both use the S5L8900) the encrypted values for other processors don't matter.
Using greenpois0n to get the keys
- Run steps 1 thru 5 from PwnStrap
- Use 'xpwntool file.img3 /dev/null' to extract the KBAG hex string from file.img3
- Start greenpois0n console: irecovery -s
- Execute 'go aes dec _KBAG_STRING_' in irecovery console
