Difference between revisions of "IMG3 File Format"

From The iPhone Wiki
Jump to: navigation, search
(Encryption)
(Encryption)
Line 31: Line 31:
 
Apple got smarter this time, requiring the Hardware AES engine to be run per file. Decrypt the [[KBAG]] tag data (0x20 byte?) with the hardware AES engine and get the 0x10 byte IV and the 0x10 byte KEY.
 
Apple got smarter this time, requiring the Hardware AES engine to be run per file. Decrypt the [[KBAG]] tag data (0x20 byte?) with the hardware AES engine and get the 0x10 byte IV and the 0x10 byte KEY.
   
iBoot has support for aes-192 and aes-256 also. In the current method, iBoot will always use the first 16 bytes as the IV, then the remaining 16 (aes-128, current method), 24 (aes-192), or 32 (aes-256) bytes.
+
iBoot has support for aes-192 and aes-256 also. In the current method, iBoot will always use the first 16 bytes as the IV, then the remaining 16 (aes-128, current method), 24 (aes-192), or 32 (aes-256) bytes for the key.
   
 
==Resources==
 
==Resources==

Revision as of 22:44, 1 January 2009

This is the replacement for the IMG2 File Format in 2.0 firmware.

Header

struct Img3 {
 unsigned int magic;
 unsigned int dataLenPad;
 unsigned int u1; // offSet to 20 byte footer
 unsigned int certOffset;
 unsigned int name;
 unsigned int type;
 unsigned int nameOffset;
 unsigned int dataLen;
} typedef Img3;

Tag Format

unsigned int magic;
unsigned int total_length;   //data_length+0xC
unsigned int data_length;

Tags

VERS: Version
SEPO: Unknown
PROD: Processor to be used with.
CHIP: Chip to be used with. "0x8900" for S5L8900 and "0x8720" for S5L8720. Instead of there being a check against some piece of hardware, whatever is verifying this (bootrom / iBoot / LLB / etc.) has this hardcoded in.
BORD: Board to be used with
KBAG: contains the KEY and IV required to decrypt encrypted with the GID-key
SHSH: RSA encrypted SHA1 hash of the file
CERT: Certificate

Encryption

Apple got smarter this time, requiring the Hardware AES engine to be run per file. Decrypt the KBAG tag data (0x20 byte?) with the hardware AES engine and get the 0x10 byte IV and the 0x10 byte KEY.

iBoot has support for aes-192 and aes-256 also. In the current method, iBoot will always use the first 16 bytes as the IV, then the remaining 16 (aes-128, current method), 24 (aes-192), or 32 (aes-256) bytes for the key.

Resources

cmw's IMG3 Unpacker