Difference between revisions of "IMG3 File Format"

From The iPhone Wiki
Jump to: navigation, search
m (Header)
m (link update)
Line 28: Line 28:
 
[[CHIP]]: Chip to be used with. example: "0x8900" for [[S5L8900]].
 
[[CHIP]]: Chip to be used with. example: "0x8900" for [[S5L8900]].
 
[[BORD]]: Board to be used with
 
[[BORD]]: Board to be used with
[[KBAG]]: contains the KEY and IV required to decrypt encrypted with the [[GID-key]]
+
[[KBAG]]: contains the KEY and IV required to decrypt encrypted with the [[GID Key]]
 
[[SHSH]]: RSA encrypted SHA1 hash of the file
 
[[SHSH]]: RSA encrypted SHA1 hash of the file
 
[[CERT]]: Certificate
 
[[CERT]]: Certificate
Line 40: Line 40:
   
 
==Encryption==
 
==Encryption==
Apple got smarter this time, requiring the Hardware AES engine to be run per file. Decrypt the [[KBAG]] tag data with the [[GID-key]] to get the key and IV, and use those to decrypt the [[DATA]] section of the firmware file.
+
Apple got smarter this time, requiring the Hardware AES engine to be run per file. Decrypt the [[KBAG]] tag data with the [[GID Key]] to get the key and IV, and use those to decrypt the [[DATA]] section of the firmware file.
   
 
In the current method, iBoot will always use the first 16 bytes of the [[KBAG]] as the IV, then the remaining 16 (aes-128, used with [[S5L8900]] and [[S5L8720]]), 24 (aes-192), or 32 (aes-256, used with [[S5L8920]]) bytes for the key.
 
In the current method, iBoot will always use the first 16 bytes of the [[KBAG]] as the IV, then the remaining 16 (aes-128, used with [[S5L8900]] and [[S5L8720]]), 24 (aes-192), or 32 (aes-256, used with [[S5L8920]]) bytes for the key.

Revision as of 08:07, 4 August 2013

This is the replacement for the IMG2 file format for iOS 2.0 and onward.

Header

typedef struct Img3_t {
    uint32_t magic;       // ASCII("IMG3")
    uint32_t fullSize;    // full size of fw image
    uint32_t sizeNoPack;  // size of fw image without header
    uint32_t sigCheckArea;// although that is just my name for it, this is the
                          // size of the start of the data section (the code) up to
                          // the start of the RSA signature (SHSH section)
    uint8_t  iden;        // identifier of image, used when bootrom is parsing images
                          // list to find LLB (illb), LLB parsing it to find iBoot (ibot),
                          // etc.
};

Tag Format

typedef struct Img3Tag_t {
    uint32_t magic;
    uint32_t total_length;
    uint32_t data_length;
};

Tags

VERS: iBoot version of the image
SEPO: Security Epoch
SDOM: Security Domain
PROD: Production Mode
CHIP: Chip to be used with. example: "0x8900" for S5L8900.
BORD: Board to be used with
KBAG: contains the KEY and IV required to decrypt encrypted with the GID Key
SHSH: RSA encrypted SHA1 hash of the file
CERT: Certificate
ECID: Exclusive Chip ID unique to every device with iPhone OS.
TYPE: Type of image, should contain the same string as 'iden' of the header
DATA: Real content of the file

Signature Check

Decryption is done using the modulus at cert + 0xA15
0xC to SHSH is SHAed

Encryption

Apple got smarter this time, requiring the Hardware AES engine to be run per file. Decrypt the KBAG tag data with the GID Key to get the key and IV, and use those to decrypt the DATA section of the firmware file.

In the current method, iBoot will always use the first 16 bytes of the KBAG as the IV, then the remaining 16 (aes-128, used with S5L8900 and S5L8720), 24 (aes-192), or 32 (aes-256, used with S5L8920) bytes for the key.