The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

Difference between revisions of "IMG4 File Format"

From The iPhone Wiki
Jump to: navigation, search
m
(Documented structure of IMG4 files. Most of the data taken from MobileDevice framework.)
Line 1: Line 1:
There is an '''img4''' file (sep-firmware.img4) found in /usr/standalone/firmware on [[iOS]] 7.0 for the [iPhone 5s]] and newer, [[iPad Air]] and newer, [[iPad mini 2]] and newer,[[N102AP|iPod touch 6G]], [[J42dAP‎|Apple TV 4G]] and [[Apple Watch]] . The IPSWFILE/Firmware/all_flash/all_flash.DEVICEIDENTIFIER.production for any [[A7]] (64 bit) device and newer as well as [[Apple Watch]], contains an IM4P version of the same file. The file is an [http://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One#Example_encoded_in_DER DER encoded ASN.1 object] and structured as follows:
+
IMG4 is a file format that replaces [[IMG3_File_Format|IMG3]] on [[iPhone 5s]] and newer, [[iPad Air]] and newer, [[iPad mini 2]] and newer, [[N102AP|iPod touch 6G]], [[J42dAP‎|Apple TV 4G]] and [[Apple Watch]]. It is used to store files used by iOS secure boot chain ('''im4p''' files), signatures of those files (ApImg4Ticket) and likely some info used in the [[Restore_Process|Restore Process]] ("IM4R" string can be found in MobileDevice framework). The only known place in iOS filesystem where a complete IMG4 file can be found is /usr/standalone/firmware/sep-firmware.img4.
   
  +
IMG4 files are [http://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One#Example_encoded_in_DER DER encoded ASN.1 objects] structured as follows:
==Header==
  
30 - type tag indicating SEQUENCE
  
8 - ?
  
3 - 2,3,4 length in octets of value that follows (length of next value; size of file)
  
x octets - size of file from here
  
16 - indicating an [http://en.wikipedia.org/wiki/IA5String IA5String] to follow
  
04 - length in octets of IA5String that follows
  
49 4D 47 34 - IA5String, the magic "IMG4"
  
... - sequential data
  
   
  +
<pre>
  +
sequence [
  +
0: string "IMG4"
  +
1: payload - IMG4 Payload, IM4P
  +
2: [0] (constructed) [
  +
manifest - IMG4 Manifest, IM4M
  +
]
  +
]
  +
</pre>
   
  +
==IMG4 Payload==
{{stub|software}}
  
  +
Payload contains the actual content of the file. IMG4 format allows to store payload in a separate file with '''im4p''' extension. '''im4p''' files are used more often than complete IMG4 files. Payload is structured as follows:
  +
<pre>
  +
sequence [
  +
0: string "IM4P"
  +
1: string type - ibot, rdsk, sepi, ...
  +
2: string description - 'iBoot-1940.1.75'
  +
3: octetstring - the encrypted/raw data
  +
4: octetstring - containing DER encoded KBAG values (optional)
  +
sequence [
  +
sequence [
  +
0: int: 01
  +
1: octetstring: iv
  +
2: octetstring: key
  +
]
  +
sequence [
  +
0: int: 02
  +
1: octetstring: iv
  +
2: octetstring: key
  +
]
  +
]
  +
]
  +
</pre>
  +
  +
==IMG4 Manifest==
  +
A.k.a. IM4M. Contains signature for one or multiple IMG4 payloads. Manifests are designed in a way that they can be stored separately from an IMG4 file or be a part of one. An example of an IMG4 manifest is ApImg4Ticket. Each IMG4 manifest is made of tags structured as follows (content = DER encoded object):
  +
<pre>
  +
[type] (private) [ - DER tag's class is the type of the tag (4 bytes) encoded as a big-endian integer
  +
sequence [
  +
string type - type of the tag, 4 bytes
  +
content - content of the tag
  +
]
  +
]
  +
</pre>
  +
Manifest structure (tag <type> = tag of type 'type'):
  +
<pre>
  +
sequence [
  +
0: string "IM4M"
  +
1: integer version - currently 0
  +
2: set [
  +
tag MANB [ - manifest body
  +
set [
  +
tag MANP [ - manifest properties
  +
set [
  +
tag <manifest property> [
  +
content
  +
]
  +
... - tags, describing other properties
  +
]
  +
]
  +
tag <type> [ - ibot, illb, sepi, krnl, NvMR, bbcl...
  +
set [
  +
tag <tag property> [
  +
content
  +
]
  +
...
  +
]
  +
]
  +
... - tags for other images
  +
]
  +
]
  +
]
  +
3: octet string signature
  +
4: sequence [ - containing certificate chain (arbitrary number of certificates)
  +
certificates
  +
]
  +
</pre>

Revision as of 15:18, 4 April 2016

IMG4 is a file format that replaces IMG3 on iPhone 5s and newer, iPad Air and newer, iPad mini 2 and newer, iPod touch 6G, Apple TV 4G and Apple Watch. It is used to store files used by iOS secure boot chain (im4p files), signatures of those files (ApImg4Ticket) and likely some info used in the Restore Process ("IM4R" string can be found in MobileDevice framework). The only known place in iOS filesystem where a complete IMG4 file can be found is /usr/standalone/firmware/sep-firmware.img4.

IMG4 files are DER encoded ASN.1 objects structured as follows: 

sequence [
   0: string "IMG4"
   1: payload   - IMG4 Payload, IM4P
   2: [0] (constructed) [
          manifest   - IMG4 Manifest, IM4M
      ]
]

IMG4 Payload

Payload contains the actual content of the file. IMG4 format allows to store payload in a separate file with im4p extension. im4p files are used more often than complete IMG4 files. Payload is structured as follows: 

sequence [
   0: string "IM4P"
   1: string type    - ibot, rdsk, sepi, ...
   2: string description    - 'iBoot-1940.1.75'
   3: octetstring    - the encrypted/raw data
   4: octetstring    - containing DER encoded KBAG values (optional)
         sequence [
            sequence [
                0: int: 01
                1: octetstring: iv
                2: octetstring: key
            ]
            sequence [
                0: int: 02
                1: octetstring: iv
                2: octetstring: key
            ]
         ]
      ]

IMG4 Manifest

A.k.a. IM4M. Contains signature for one or multiple IMG4 payloads. Manifests are designed in a way that they can be stored separately from an IMG4 file or be a part of one. An example of an IMG4 manifest is ApImg4Ticket. Each IMG4 manifest is made of tags structured as follows (content = DER encoded object): 

[type] (private) [   - DER tag's class is the type of the tag (4 bytes) encoded as a big-endian integer
   sequence [
      string type    - type of the tag, 4 bytes
      content    - content of the tag
   ]
]

Manifest structure (tag <type> = tag of type 'type'): 

sequence [
   0: string "IM4M"
   1: integer version    - currently 0
   2: set [
          tag MANB [   - manifest body
              set [
                  tag MANP [   - manifest properties
                      set [
                          tag <manifest property> [
                              content
                          ]
                          ...   - tags, describing other properties
                      ]
                  ]
                  tag <type> [   - ibot, illb, sepi, krnl, NvMR, bbcl...
                      set [
                          tag <tag property> [
                              content
                          ]
                          ...
                      ]
                  ]
                  ...   - tags for other images
              ]
          ]
      ]
   3: octet string signature
   4: sequence [   - containing certificate chain (arbitrary number of certificates)
          certificates
      ]
Retrieved from "https://www.theiphonewiki.com/w/index.php?title=IMG4_File_Format&oldid=52079"