Difference between revisions of "Decrypting Firmwares"

From The iPhone Wiki
Jump to: navigation, search
(1.0.x: Works on this too)
(update)
Line 1: Line 1:
iOS contains many layers of encryption. This page details how to remove the encryption wrapper around each file in the [[IPSW File Format|IPSW]] file.
+
iOS contains many layers of encryption. This page details how to remove the encryption wrapper around each file in the [[IPSW File Format|IPSW]] file. A decrypted ramdisk is required to ''obtain'' the key for the [[#Root Filesystem|root filesystem]], but not to simply decrypt it with an existing key. Methods for extracting the ramdisk and root filesystem keys exist on [[Obtaining Firmware Keys]].
   
 
For more history, see [[Firmware Keys]].
 
For more history, see [[Firmware Keys]].
Line 7: Line 7:
 
-->This section details the decryption of the ramdisks in an [[IPSW File Format|IPSW]] file. The listed console commands are applicable to the [[S5L File Formats#IMG2|IMG2]] or [[IMG3 File Format|IMG3]] files under <code>/Firmware</code> also.
 
-->This section details the decryption of the ramdisks in an [[IPSW File Format|IPSW]] file. The listed console commands are applicable to the [[S5L File Formats#IMG2|IMG2]] or [[IMG3 File Format|IMG3]] files under <code>/Firmware</code> also.
 
=== 1.0.x ===
 
=== 1.0.x ===
With the release of the [[m68ap|iPhone]], the [[ramdisk]]s weren't encrypted. So, in order to mount them, all you need to do is remove some data from the beginning. You can either open up a hex editor and remove 2048 bytes (2 KiB) from the beginning, or open up a console and run <code>dd(1)</code><sup>[{{man|dd|1}}]</sup>:
+
With the release of the [[m68ap|iPhone]], the [[ramdisk]]s weren't encrypted. So, in order to mount them, all you need to do is remove the 2048 byte (2&nbsp;KiB) [[8900 File Format|8900 header]] from the file. You can do this with either a hex editor, or open up a console and run <code>dd(1)</code><sup>[{{man|dd|1}}]</sup>:
 
dd if=''ramdisk.dmg'' of=''ramdisk.stripped.dmg'' bs=512 skip=4 conv=sync
 
dd if=''ramdisk.dmg'' of=''ramdisk.stripped.dmg'' bs=512 skip=4 conv=sync
:where ''ramdisk.dmg'' is the filename of the restore ramdisk (ex: the [[Heavenly 1A543a (iPhone1,1)|iPhone 1.0 firmware]] (1A543a) would be <code>694-5259-38.dmg</code>)
+
:where <code>''ramdisk.dmg''</code> is the filename of the restore ramdisk (ex: the [[Heavenly 1A543a (iPhone1,1)|iPhone 1.0 firmware]] (1A543a) would be <code>694-5259-38.dmg</code>)
:where ''ramdisk.stripped.dmg'' is the output file name
+
:where <code>''ramdisk.stripped.dmg''</code> is the output file name
   
Once the data has been stripped, you can then mount ''ramdisk.stripped.dmg'' in Finder on OS X, or with any other program. If you encounter errors after mounting the stripped ramdisk, you can safely ignore them.
+
Once the header has been stripped, you can then mount or extract <code>''ramdisk.decrypted.dmg''</code>. If you encounter errors after mounting the stripped ramdisk, you can safely ignore them.
 
There is also a script that can be used to grab the RootFS key by using this method and genpass, which is called [http://www.iphone.org.hk/wiki/index.php/Decryptipsw.sh Decryptipsw.sh]. The usage is <code>./Decryptipsw.sh ./IPSWFileName</code>.
 
   
 
=== 1.1.x - 2.0b3 ===
 
=== 1.1.x - 2.0b3 ===
With the release of the [[n45ap|iPod touch]], Apple added a layer of encryption around the ramdisks. The decryption key wasn't obscured however, and a simple analysis of [[iBoot]] by [[User:Zibri|Zibri]] revealed the [[AES Keys#Key 0x837|0x837 key]]. At first, its purpose wasn't known. After a while, [[User:Geohot|geohot]] discovered its purpose.
+
With the release of the [[n45ap|iPod touch]], Apple added a layer of encryption around the ramdisks. The decryption key wasn't obscured however, and a simple analysis of [[iBoot]] by [[User:Zibri|Zibri]] revealed the [[AES Keys#Key 0x837|0x837 key]]. At first, its purpose wasn't known. Soon after, [[User:Geohot|geohot]] discovered its purpose: to decrypt the ramdisks.
   
In order to decrypt them, all you need to do is remove the <code>0x800</code> byte (2 kibibytes) header<!-- INSERT dd COMMAND LINE -->, then open a console and run <code>openssl(1)</code><sup>[{{man|openssl|1}}]</sup>:
+
In order to decrypt them, all you need to do is remove the 2048 byte (2&nbsp;KiB) [[8900 File Format|8900 header]] from the file, then decrypt the resulting ramdisk. You can do this with either a hex editor, or open up a console and run <code>dd(1)</code><sup>[{{man|dd|1}}]</sup>:
openssl enc -d -in ''ramdisk.dmg'' -out ''ramdisk.decrypted.dmg'' -aes-128-cbc -K 188458a6d15034dfe386f23b61d43774 -iv 0
+
dd if=''ramdisk.dmg'' of=''ramdisk.stripped.dmg'' bs=512 skip=4 conv=sync
:where ''ramdisk.dmg'' is the filename of the ramdisk you are decrypting (ex: the [[Snowbird 3A109a (iPhone1,1)|iPhone 1.1.1 firmware]] (3A109a) would be either <code>022-3630-9.dmg</code> or <code>022-3629-9.dmg</code>)
+
:where <code>''ramdisk.dmg''</code> is the filename of the restore ramdisk (ex: the [[Heavenly 1A543a (iPhone1,1)|iPhone 1.0 firmware]] (1A543a) would be <code>694-5259-38.dmg</code>)
:where ''ramdisk.decrypted.dmg'' is the output file name
+
:where <code>''ramdisk.stripped.dmg''</code> is the output file name
   
  +
Once the header is stripped, you need to do the actual decryption. The ramdisk is encrypted using [[wikipedia:Advanced Encryption Standard|AES]]-128 with [[wikipedia:Block cipher mode of operation#Cipher Block Chaining (CBC)|cipher block chaining]] (CBC). The [[wikipedia:Key (cryptography)|key]] is the 0x837 key with no [[wikipedia:Initialization vector|IV]]. To decrypt, open up a console and run <code>openssl(1)</code><sup>[{{man|openssl|1}}]</sup>:
There is also a script that can be used to grab the RootFS key by using this method and genpass, which is called [http://www.iphone.org.hk/wiki/index.php/Decryptipsw.sh Decryptipsw.sh]. The usage is <code>./Decryptipsw.sh ./IPSWFileName</code>.
 
  +
openssl enc -d -in ''ramdisk.stripped.dmg'' -out ''ramdisk.decrypted.dmg'' -aes-128-cbc -K 188458a6d15034dfe386f23b61d43774 -iv 0
  +
:where <code>''ramdisk.stripped.dmg''</code> is the filename of the stripped ramdisk (see above paragraph) you are decrypting
  +
:where <code>''ramdisk.decrypted.dmg''</code> is the output file name
  +
  +
Once decrypted, you can then mount or extract <code>''ramdisk.decrypted.dmg''</code>.
   
 
=== 2.0b4 - 3.0b5 ===
 
=== 2.0b4 - 3.0b5 ===
With the fourth beta of 2.0, Apple introduced the [[IMG3 File Format|IMG3]] file format, replacing the broken [[IMG2]] file format. This format was soon reversed and [[img3decrypt]]<sup class="plainlinks">[[http://code.google.com/p/img3decrypt/ src]]</sup> was created by Steven Smith (@[http://twitter.com/stroughtonsmith stroughtonsmith]). His code was later implemented into [[xpwntool]]<sup class="plainlinks">[[http://github.com/planetbeing/xpwn/tree/master src]]</sup>.<!-- Or was xpwntool first and Steve made img3decrypt without knowing about it? img3decrypt was created 21 Aug 2008, but when was xpwntool? --> In order to decrypt the ramdisk, open a console and run one of the commands depending on your program choice:
+
With the fourth beta of 2.0, Apple introduced the [[IMG3 File Format|IMG3]] file format, replacing the broken [[IMG2]] file format. This format was soon reversed and [[img3decrypt]]<sup class="plainlinks">[[http://code.google.com/p/img3decrypt/ src]]</sup> was created by Steven Smith (@[http://twitter.com/stroughtonsmith stroughtonsmith]) on {{date|2008|08|21}}. His code was later implemented into [[xpwntool]]<sup class="plainlinks">[[http://github.com/planetbeing/xpwn/tree/master src]]</sup>. In order to decrypt the ramdisk, open a console and run one of the commands depending on your program choice:
 
img3decrypt e ''ramdisk.dmg'' ''ramdisk.decrypted.dmg'' ''iv'' ''key''
 
img3decrypt e ''ramdisk.dmg'' ''ramdisk.decrypted.dmg'' ''iv'' ''key''
 
xpwntool ''ramdisk.dmg'' ''ramdisk.decrypted.dmg'' -k ''key'' -iv ''iv''
 
xpwntool ''ramdisk.dmg'' ''ramdisk.decrypted.dmg'' -k ''key'' -iv ''iv''
:where ''ramdisk.dmg'' is the filename of the ramdisk you are decrypting (ex: the [[Big Bear 5A347 (iPhone1,2)|iPhone 3G 2.0 firmware]] (5A347) would be <code>018-3783-2.dmg</code>)
+
:where <code>''ramdisk.dmg''</code> is the filename of the ramdisk you are decrypting (ex: the [[Big Bear 5A347 (iPhone1,2)|iPhone 3G 2.0 firmware]] (5A347) would be <code>018-3783-2.dmg</code>)
:where ''ramdisk.decrypted.dmg'' is the output file name
+
:where <code>''ramdisk.decrypted.dmg''</code> is the output file name
:where ''iv'' is the [[wikipedia:Initialization vector|initialization vector]] (IV) of the ramdisk you are decrypting (ex: the iPhone 3G 2.0 firmware (5A347) would be <code>29681f625d1f61271ec3116601b8bcde</code>)
+
:where <code>''iv''</code> is the [[wikipedia:Initialization vector|initialization vector]] (IV) of the ramdisk you are decrypting (ex: the iPhone 3G 2.0 firmware (5A347) would be <code>29681f625d1f61271ec3116601b8bcde</code>)
:where ''key'' is the [[wikipedia:Key (cryptography)|key]] of the ramdisk you are decrypting (ex: the iPhone 3G 2.0 firmware (5A347) would be <code>850afc271132d15ae6989565567e65bf</code>)
+
:where <code>''key''</code> is the [[wikipedia:Key (cryptography)|key]] of the ramdisk you are decrypting (ex: the iPhone 3G 2.0 firmware (5A347) would be <code>850afc271132d15ae6989565567e65bf</code>)
The IV and key for a specified firmware is available through the [[Firmware Keys]] page or from the <code>Info.plist</code> file underneath [[PwnageTool]]'s <code>/FirmwareBundles</code> folder.
+
The IV and key for a specific firmware is available through the [[Firmware Keys]] page or from the <code>Info.plist</code> file underneath [[PwnageTool]]'s <code>/FirmwareBundles</code> folder.
  +
  +
Once decrypted, you can then mount or extract <code>''ramdisk.decrypted.dmg''</code>.
   
 
=== 3.0[[Golden Master|GM]]/3.0 ===
 
=== 3.0[[Golden Master|GM]]/3.0 ===

Revision as of 18:04, 7 October 2015

iOS contains many layers of encryption. This page details how to remove the encryption wrapper around each file in the IPSW file. A decrypted ramdisk is required to obtain the key for the root filesystem, but not to simply decrypt it with an existing key. Methods for extracting the ramdisk and root filesystem keys exist on Obtaining Firmware Keys.

For more history, see Firmware Keys.

Ramdisks

This section details the decryption of the ramdisks in an IPSW file. The listed console commands are applicable to the IMG2 or IMG3 files under /Firmware also.

1.0.x

With the release of the iPhone, the ramdisks weren't encrypted. So, in order to mount them, all you need to do is remove the 2048 byte (2 KiB) 8900 header from the file. You can do this with either a hex editor, or open up a console and run dd(1)[man]:

dd if=ramdisk.dmg of=ramdisk.stripped.dmg bs=512 skip=4 conv=sync
where ramdisk.dmg is the filename of the restore ramdisk (ex: the iPhone 1.0 firmware (1A543a) would be 694-5259-38.dmg)
where ramdisk.stripped.dmg is the output file name

Once the header has been stripped, you can then mount or extract ramdisk.decrypted.dmg. If you encounter errors after mounting the stripped ramdisk, you can safely ignore them.

1.1.x - 2.0b3

With the release of the iPod touch, Apple added a layer of encryption around the ramdisks. The decryption key wasn't obscured however, and a simple analysis of iBoot by Zibri revealed the 0x837 key. At first, its purpose wasn't known. Soon after, geohot discovered its purpose: to decrypt the ramdisks.

In order to decrypt them, all you need to do is remove the 2048 byte (2 KiB) 8900 header from the file, then decrypt the resulting ramdisk. You can do this with either a hex editor, or open up a console and run dd(1)[man]:

dd if=ramdisk.dmg of=ramdisk.stripped.dmg bs=512 skip=4 conv=sync
where ramdisk.dmg is the filename of the restore ramdisk (ex: the iPhone 1.0 firmware (1A543a) would be 694-5259-38.dmg)
where ramdisk.stripped.dmg is the output file name

Once the header is stripped, you need to do the actual decryption. The ramdisk is encrypted using AES-128 with cipher block chaining (CBC). The key is the 0x837 key with no IV. To decrypt, open up a console and run openssl(1)[man]:

openssl enc -d -in ramdisk.stripped.dmg -out ramdisk.decrypted.dmg -aes-128-cbc -K 188458a6d15034dfe386f23b61d43774 -iv 0
where ramdisk.stripped.dmg is the filename of the stripped ramdisk (see above paragraph) you are decrypting
where ramdisk.decrypted.dmg is the output file name

Once decrypted, you can then mount or extract ramdisk.decrypted.dmg.

2.0b4 - 3.0b5

With the fourth beta of 2.0, Apple introduced the IMG3 file format, replacing the broken IMG2 file format. This format was soon reversed and img3decrypt[src] was created by Steven Smith (@stroughtonsmith) on 21 August 2008. His code was later implemented into xpwntool[src]. In order to decrypt the ramdisk, open a console and run one of the commands depending on your program choice:

img3decrypt e ramdisk.dmg ramdisk.decrypted.dmg iv key
xpwntool ramdisk.dmg ramdisk.decrypted.dmg -k key -iv iv
where ramdisk.dmg is the filename of the ramdisk you are decrypting (ex: the iPhone 3G 2.0 firmware (5A347) would be 018-3783-2.dmg)
where ramdisk.decrypted.dmg is the output file name
where iv is the initialization vector (IV) of the ramdisk you are decrypting (ex: the iPhone 3G 2.0 firmware (5A347) would be 29681f625d1f61271ec3116601b8bcde)
where key is the key of the ramdisk you are decrypting (ex: the iPhone 3G 2.0 firmware (5A347) would be 850afc271132d15ae6989565567e65bf)

The IV and key for a specific firmware is available through the Firmware Keys page or from the Info.plist file underneath PwnageTool's /FirmwareBundles folder.

Once decrypted, you can then mount or extract ramdisk.decrypted.dmg.

3.0GM/3.0

OS X Snow Leopard introduced the HFS compressed disk image. With 3.0 (what beta?), Apple began using Snow Leopard to package the ramdisks. This results in some zero sized files in the disk image if you don't use Snow Leopard or newer. A discussion on extracting those files is available on the talk page.

S5L8900

With the 3.0 Golden Master (7A341) and 3.0.1, Apple messed up and, instead of using the application processor-specific GID Key, used a pseudo-GID of 5f650295e1fffc97ce77abd49dd955b3 to encrypt the KBAG. This makes obtaining the keys for this version dead simple. Once you have decrypted the KBAG, decryption using the keys in it is the same as above.

S5L8720

Business as usual, but keys and IVs have to be decrypted on the device still, unlike with the new S5L8900 KBAGs. Apple incorrectly assumed that by encrypting iBEC and iBSS they were being sly. They were not. You can decrypt those on a 2.2.1 aes setup no problem whatsoever.

S5L8920

The iPhone 3GS firmware files are interesting. They have two KBAGs, which use AES-256 instead of the S5L8900 and S5L8720 that are using AES-128 still. The first KBAG has an identifier in it's header indicating that it is to be decrypted with the gid key, and the second is not known. For those that don't know how AES256 works, this now means that the first 0x10 bytes are the IV, and the remaining 0x20 bytes (not 0x10 anymore!) are the key.