Difference between revisions of "Firmware Keys"

From The iPhone Wiki
Jump to: navigation, search
m (Firmware Versions: Adding 11.x link)
(Rewrite first paragraph to make it more readable and remove incorrect info)
(5 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
__NOTOC__
 
__NOTOC__
'''Firmware Keys''' are keys which decrypt the [[:/|root filesystem]] of certain ([[Beta Firmware|beta]]) [[firmware]]s. Apple uses a to ensure the safety of their files. Over time Apple has changed the way to encrypt firmware files, thus the way to decrypt files as well as the way to get the keys has also.
+
'''Firmware Keys''' are keys which decrypt bootloaders, ramdisks, and [[:/|root filesystem]] of iOS [[firmware]], if those components are encrypted. Apple uses encryption to make it harder to analyze and modify them. Over time Apple changed the way they encrypt firmware files, hence the way to decrypt them and get decryption keys changed as well.
   
 
== History ==
 
== History ==
 
With the release of the iPhone came the [[S5L File Formats#IMG2|IMG2]] file format. They were used on all known [[iOS|iPhone OS]] [[#1.x|1.x]] firmwares. For the 1.1.x series, they were encrypted with the [[AES Keys#Key 0x837|0x837 key]]. The discovery of the 0x837 key led to the ability to decrypt ''any'' 1.x firmware.
 
With the release of the iPhone came the [[S5L File Formats#IMG2|IMG2]] file format. They were used on all known [[iOS|iPhone OS]] [[#1.x|1.x]] firmwares. For the 1.1.x series, they were encrypted with the [[AES Keys#Key 0x837|0x837 key]]. The discovery of the 0x837 key led to the ability to decrypt ''any'' 1.x firmware.
   
Following IMG2 came the [[IMG3 File Format|IMG3]] file format. They were introduced with iPhone OS [[#1.x.2F2.x|2.0 beta 4]], and have been in use ever since. In order to maintain their integrity, they contain multiple layers of encryption, all based around a [[wikipedia:Public-key cryptography|public/private key]] encryption method. Apple took encryption seriously with IMG3 by utilizing [[wikipedia:Advanced Encryption Standard|AES]] (based on the [[wikipedia:Rijndael key schedule|Rinjndael key schedule]]). In terms of the pre-iPhone OS 3 [[VFDecrypt]] key, it is stored as plain-text in the "__restore" segment of the ASR image within the [[ramdisk]]s.
+
Following IMG2 came the [[IMG3 File Format|IMG3]] file format. They were introduced with iPhone OS [[#1.x.2F2.x|2.0 beta 4]], and have been in use ever since. In order to maintain their integrity, they use multiple layers of encryption. Apple took encryption seriously with IMG3 by utilizing [[wikipedia:Advanced Encryption Standard|AES]] (based on the [[wikipedia:Rijndael key schedule|Rinjndael key schedule]]). In terms of the pre-iPhone OS 3 [[VFDecrypt]] key, it is stored as plain-text in the "__restore" segment of the ASR image within the [[ramdisk]]s.
   
 
The ramdisk keys can ''only'' be retrieved with the processor specific [[GID Key]]. The GID key is currently unretrievable and can only be utilized through the built-in [[AES Keys|AES engine]]. To complicate things ''even more'', the engine is only accessible through a special [[bootrom]] or [[iBoot]] exploit ([[jailbreak]]s typically expose it with [[:/dev/aes_0]]). This makes usage of the key nearly impossible.
 
The ramdisk keys can ''only'' be retrieved with the processor specific [[GID Key]]. The GID key is currently unretrievable and can only be utilized through the built-in [[AES Keys|AES engine]]. To complicate things ''even more'', the engine is only accessible through a special [[bootrom]] or [[iBoot]] exploit ([[jailbreak]]s typically expose it with [[:/dev/aes_0]]). This makes usage of the key nearly impossible.
Line 57: Line 57:
 
|-
 
|-
 
| [[S5L8960]] (A7)
 
| [[S5L8960]] (A7)
| [[iPhone 5s]]<br />[[iPad mini 2]]
+
| [[iPhone 5s]]<br />[[iPad mini 2]]<br />[[iPad mini 3]]
 
|-
 
|-
 
| [[S5L8965]] (A7 Variant)
 
| [[S5L8965]] (A7 Variant)
Line 63: Line 63:
 
|-
 
|-
 
| [[T7000]] (A8)
 
| [[T7000]] (A8)
| [[J42dAP|Apple TV (4th generation)]]<br />[[iPad mini 4]]<br />[[N61AP|iPhone 6]]<br />[[N56AP|iPhone 6 Plus]]<br />[[N102AP|iPod touch (6th generation)]]
+
| [[J42dAP|Apple TV (4th generation)]]<br />[[HomePod]]<br />[[iPad mini 4]]<br />[[N61AP|iPhone 6]]<br />[[N56AP|iPhone 6 Plus]]<br />[[N102AP|iPod touch (6th generation)]]
 
|-
 
|-
 
| [[T7001]] (A8X)
 
| [[T7001]] (A8X)
Line 78: Line 78:
 
|-
 
|-
 
| [[S8001]] (A9X)
 
| [[S8001]] (A9X)
| [[iPad Pro]]
+
| [[iPad Pro (12.9-inch)]]<br /> [[iPad Pro (9.7-inch)]]
  +
|-
  +
| [[T8011]] (A10X)
  +
| [[iPad Pro (12.9-inch, 2nd generation)]]<br /> [[iPad Pro (10.5-inch)]]
 
|}
 
|}
   
Line 106: Line 109:
 
All dates are relative to [[wikipedia:Coordinated Universal Time|UTC]].
 
All dates are relative to [[wikipedia:Coordinated Universal Time|UTC]].
   
  +
GID AES is used by iBoot to decrypt firmware images. When iBoot loads the kernelcache, GID AES is disabled. This means in order to get firmware keys, you must gain code execution in a setting where GID AES is still enabled. In most cases, this means exploiting iBoot itself, before the kernelcache is loaded.
You cannot get keys for A5 and newer devices unless the ramdisk is not encrypted (until a bootrom exploit). Sadly, even with unencrypted ramdisks, you can only get the Root FS key. However, iH8sn0w found two iBoot exploits which allows the keys to be retrieved, but he has refused to make the exploits public to avoid patching by Apple. He has, however, been providing the keys to [http://ipsw.me/keys iCJ's website], but only for public firmwares (non-beta).
 
   
 
==Firmware Versions==
 
==Firmware Versions==

Revision as of 14:04, 15 November 2017

Firmware Keys are keys which decrypt bootloaders, ramdisks, and root filesystem of iOS firmware, if those components are encrypted. Apple uses encryption to make it harder to analyze and modify them. Over time Apple changed the way they encrypt firmware files, hence the way to decrypt them and get decryption keys changed as well.

History

With the release of the iPhone came the IMG2 file format. They were used on all known iPhone OS 1.x firmwares. For the 1.1.x series, they were encrypted with the 0x837 key. The discovery of the 0x837 key led to the ability to decrypt any 1.x firmware.

Following IMG2 came the IMG3 file format. They were introduced with iPhone OS 2.0 beta 4, and have been in use ever since. In order to maintain their integrity, they use multiple layers of encryption. Apple took encryption seriously with IMG3 by utilizing AES (based on the Rinjndael key schedule). In terms of the pre-iPhone OS 3 VFDecrypt key, it is stored as plain-text in the "__restore" segment of the ASR image within the ramdisks.

The ramdisk keys can only be retrieved with the processor specific GID Key. The GID key is currently unretrievable and can only be utilized through the built-in AES engine. To complicate things even more, the engine is only accessible through a special bootrom or iBoot exploit (jailbreaks typically expose it with /dev/aes_0). This makes usage of the key nearly impossible.

However, once you have access to the AES engine, the entire system falls apart. You are able to upload an encrypted ramdisk and grab the decryption keys for it. Once you manage to decrypt the ramdisk, you can run it through GenPass to decrypt the Firmware key.

Beginning with iOS 6.0 beta, Apple tweaked their disk images so they no longer work with VFDecrypt. VFDecrypt will report that the filesystem is decrypted, but you will be unable to mount it. The current workaround is to use dmg from Xpwn to decrypt them. What has changed to break VFDecrypt is currently unknown. Decryption will take slightly longer due to dmg writing its progress to the terminal, but can be avoided (on Unix-like operating systems) by piping stdout to /dev/null. The difference writing to the terminal versus not, however, is negligible.

To find the keys, you can either use the methods on AES Keys or the easier option for OS X, keylimepie.

Decrypting

Main article: Decrypting Firmwares

Notes

Application Processor iDevice
S5L8900 iPhone
iPhone 3G
iPod touch
S5L8720 iPod touch (2nd generation)
S5L8920 iPhone 3GS
S5L8922 iPod touch (3rd generation)
S5L8930 (A4) iPad
iPhone 4
iPod touch (4th generation)
Apple TV (2nd generation)
S5L8940 (A5) iPad 2 (iPad2,1)
iPad 2 (iPad2,2)
iPad 2 (iPad2,3)
iPhone 4S
S5L8942 (A5 Rev A) iPad 2 (iPad2,4)
Apple TV (3rd generation) (AppleTV3,1)
iPod touch (5th generation)
iPad mini
S5L8945 (A5X) iPad (3rd generation)
S5L8947 (A5 Rev B) Apple TV (3rd generation) (AppleTV3,2)
S5L8950 (A6) iPhone 5
iPhone 5c
S5L8955 (A6X) iPad (4th generation)
S5L8960 (A7) iPhone 5s
iPad mini 2
iPad mini 3
S5L8965 (A7 Variant) iPad Air
T7000 (A8) Apple TV (4th generation)
HomePod
iPad mini 4
iPhone 6
iPhone 6 Plus
iPod touch (6th generation)
T7001 (A8X) iPad Air 2
S7002 (S1) Apple Watch (1st generation)
S8000 (A9 Samsung) iPad (5th generation)
iPhone SE
iPhone 6s
iPhone 6s Plus
S8003 (A9 TSMC) iPhone SE
iPhone 6s
iPhone 6s Plus
S8001 (A9X) iPad Pro (12.9-inch)
iPad Pro (9.7-inch)
T8011 (A10X) iPad Pro (12.9-inch, 2nd generation)
iPad Pro (10.5-inch)

Certain files share the same key and IV per application processor (per build) provided the devices have the same pixel resolution:

The table on the right lists the application processors and their corresponding devices. This list is also accessible from the main page.

You can use img3decrypt or xpwntool to decrypt these files as described in Decrypting Firmwares. Once done, mount or extract using the tool of your choice.

The firmware version number for the Apple TV builds are the ones that the Apple TV reports (also known as the "marketing version").

All dates are relative to UTC.

GID AES is used by iBoot to decrypt firmware images. When iBoot loads the kernelcache, GID AES is disabled. This means in order to get firmware keys, you must gain code execution in a setting where GID AES is still enabled. In most cases, this means exploiting iBoot itself, before the kernelcache is loaded.

Firmware Versions

See also: Prototypes

This is a full and comprehensive list of all firmwares Apple Inc. has made available to the public in some way, be it the dev center or iTunes. This list also contains a few firmwares for which there never was an IPSW (as far as can be told) such as 4.2.5 for the CDMA iPhone 4 (iPhone3,3). These few builds came preinstalled on the device, but are not available for download.