|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Obtaining IMG3 Keys"
ChronicDev (talk | contribs) |
|||
| Line 5: | Line 5: | ||
Epic thanks to #xpwn crew on irc.osx86.hu ! |
Epic thanks to #xpwn crew on irc.osx86.hu ! |
||
| − | What you need |
+ | ==What you need== |
| − | + | # Pwned 1st gen iPhone on 1.1.4 OS<br> |
|
| − | + | # ibooter from here [http://www.iphonelinux.org/index.php/IBooter]<br> |
|
| − | + | # iBEC.m68ap.RELEASE.dfu from iPhone1,1_1.1.4_4A102_Restore.ipsw<br> |
|
| − | + | # xpwntool from [http://www.iphone-dev.org/xpwn/xpwn-windows-nightly.zip]<br> |
|
| − | + | # iPhuc (for Windows users only)<br> |
|
| − | + | # Any Hex Editor<br> |
|
| + | ==Summary== |
||
| − | Summary:Patched a function in the iBEC file so that it will branch to the desired memory location when the associated iboot command is called in ibooter. The desired memory location is at 0x09000000 as indicated by an earlier Geohot post and the iboot command chosen is "clearenv" in this documentation. The desired memory location will be housing the codes that enable and call the hardware aes engine so that the KBAG data can be decrypted for Keys/IV. |
||
| + | Patched a function in the iBEC file so that it will branch to the desired memory location when the associated iboot command is called in ibooter. The desired memory location is at 0x09000000 as indicated by an earlier Geohot post and the iboot command chosen is "clearenv" in this documentation. The desired memory location will be housing the codes that enable and call the hardware aes engine so that the KBAG data can be decrypted for Keys/IV. |
||
| + | ==Steps== |
||
| − | 1. Unpack iBEC.m68ap.RELEASE.dfu |
||
| + | |||
| + | ===Unpack iBEC.m68ap.RELEASE.dfu=== |
||
Utilizing xpwntool, enter this command: |
Utilizing xpwntool, enter this command: |
||
| − | xpwntool <original iBEC file> <unpacked iBEC file> |
||
| − | i.e. |
||
| − | xpwntool iBEC.m68ap.RELEASE.dfu unpacked_iBEC |
||
| + | xpwntool <original iBEC file> <unpacked iBEC file> |
||
| − | 2. Patching iBEC.m68ap.RELEASE.dfu |
||
| + | i.e. |
||
| + | xpwntool iBEC.m68ap.RELEASE.dfu unpacked_iBEC |
||
| + | |||
| + | ===Patching iBEC.m68ap.RELEASE.dfu=== |
||
Before: |
Before: |
||
| − | ROM:180074A0 PUSH {R4,R5,R7,LR} ;"clearenv" routine starts here |
+ | ROM:180074A0 PUSH {R4,R5,R7,LR} ;"clearenv" routine starts here |
| − | ROM:180074A2 ADD R7, SP, #8 |
+ | ROM:180074A2 ADD R7, SP, #8 |
| − | ROM:180074A4 ADDS R4, R1, #0 |
+ | ROM:180074A4 ADDS R4, R1, #0 |
| − | ROM:180074A6 CMP R0, #1 |
+ | ROM:180074A6 CMP R0, #1 |
| − | ROM:180074A8 BGT loc_180074B4 |
+ | ROM:180074A8 BGT loc_180074B4 |
| − | ROM:180074AA LDR R0, =aNotEnoughArgum |
+ | ROM:180074AA LDR R0, =aNotEnoughArgum |
After: |
After: |
||
| − | ROM:180074A0 '''LDR R3, =0x9000000''' |
+ | ROM:180074A0 '''LDR R3, =0x9000000''' |
| − | ROM:180074A2 '''BX R3''' |
+ | ROM:180074A2 '''BX R3''' |
| − | ROM:180074A2 ; --------------------------------------------------------------------------- |
+ | ROM:180074A2 ; --------------------------------------------------------------------------- |
| − | ROM:180074A4 dword_180074A4 '''DCD 0x9000000 ''' ; DATA XREF: ROM:180074A0�r |
+ | ROM:180074A4 dword_180074A4 '''DCD 0x9000000 ''' ; DATA XREF: ROM:180074A0�r |
| − | ROM:180074A8 ; --------------------------------------------------------------------------- |
+ | ROM:180074A8 ; --------------------------------------------------------------------------- |
| − | ROM:180074A8 BGT loc_180074B4 |
+ | ROM:180074A8 BGT loc_180074B4 |
| − | ROM:180074AA LDR R0, =aNotEnoughArgum |
+ | ROM:180074AA LDR R0, =aNotEnoughArgum |
You will notice that iBEC starts at 0x18000000 but in your Hex Editor, just do the following changes at 0x74A0: |
You will notice that iBEC starts at 0x18000000 but in your Hex Editor, just do the following changes at 0x74A0: |
||
| − | '''0x000074A0: 00 4b 18 47 00 00 00 09''' |
+ | '''0x000074A0: 00 4b 18 47 00 00 00 09'''<br> |
The idea is to tell clearenv routine to branch to 0x09000000 and BX is used because the codes to be used at 0x09000000 later will be in ARM. This "clearenv" routine is in THUMB mode. BX will enable them to switch. Save and name your modified iBEC, for example iBECmod. |
The idea is to tell clearenv routine to branch to 0x09000000 and BX is used because the codes to be used at 0x09000000 later will be in ARM. This "clearenv" routine is in THUMB mode. BX will enable them to switch. Save and name your modified iBEC, for example iBECmod. |
||
| − | + | ===Packing the modified iBEC=== |
|
Using xpwntool: |
Using xpwntool: |
||
| − | xpwntool iBECmod iBEC.patch -t iBEC.m68ap.RELEASE.dfu |
+ | xpwntool iBECmod iBEC.patch -t iBEC.m68ap.RELEASE.dfu |
Note that the original iBEC file has to be used after -t as a template. IBEC.patch will be your modified, packed iBEC file. |
Note that the original iBEC file has to be used after -t as a template. IBEC.patch will be your modified, packed iBEC file. |
||
| − | + | ===Executing patched iBEC in ibooter=== |
|
| + | |||
| + | ====Windows==== |
||
| + | Put iPHUC and your patched iBEC in the same folder. Boot iPHUC and boot your iPhone in recovery mode. Type the following into iPHUC once it recognizes your iPhone: |
||
| + | filecopytophone iBEC.patched |
||
| + | It should return "filecopytophone: 0"<br> |
||
| + | Then type this: |
||
| + | cmd go |
||
| + | Your iPhone will reboot and display a blank black screen immediately. |
||
| + | From here, open iBooter and type |
||
| − | ******** To Be Continued ********* |
||
| − | <nowiki>Insert non-formatted text here</nowiki> |
||
Revision as of 23:33, 6 August 2008
This is one way of getting the IMG3 keys using iBoot/iBEC patch based on the Dev Team's and Geohot's exploits.
This method is tested on both Linux and Windows OS.
Epic thanks to #xpwn crew on irc.osx86.hu !
Contents
What you need
- Pwned 1st gen iPhone on 1.1.4 OS
- ibooter from here [1]
- iBEC.m68ap.RELEASE.dfu from iPhone1,1_1.1.4_4A102_Restore.ipsw
- xpwntool from [2]
- iPhuc (for Windows users only)
- Any Hex Editor
Summary
Patched a function in the iBEC file so that it will branch to the desired memory location when the associated iboot command is called in ibooter. The desired memory location is at 0x09000000 as indicated by an earlier Geohot post and the iboot command chosen is "clearenv" in this documentation. The desired memory location will be housing the codes that enable and call the hardware aes engine so that the KBAG data can be decrypted for Keys/IV.
Steps
Unpack iBEC.m68ap.RELEASE.dfu
Utilizing xpwntool, enter this command:
xpwntool <original iBEC file> <unpacked iBEC file> i.e. xpwntool iBEC.m68ap.RELEASE.dfu unpacked_iBEC
Patching iBEC.m68ap.RELEASE.dfu
Before:
ROM:180074A0 PUSH {R4,R5,R7,LR} ;"clearenv" routine starts here
ROM:180074A2 ADD R7, SP, #8
ROM:180074A4 ADDS R4, R1, #0
ROM:180074A6 CMP R0, #1
ROM:180074A8 BGT loc_180074B4
ROM:180074AA LDR R0, =aNotEnoughArgum
After:
ROM:180074A0 LDR R3, =0x9000000 ROM:180074A2 BX R3 ROM:180074A2 ; --------------------------------------------------------------------------- ROM:180074A4 dword_180074A4 DCD 0x9000000 ; DATA XREF: ROM:180074A0�r ROM:180074A8 ; --------------------------------------------------------------------------- ROM:180074A8 BGT loc_180074B4 ROM:180074AA LDR R0, =aNotEnoughArgum
You will notice that iBEC starts at 0x18000000 but in your Hex Editor, just do the following changes at 0x74A0:
0x000074A0: 00 4b 18 47 00 00 00 09
The idea is to tell clearenv routine to branch to 0x09000000 and BX is used because the codes to be used at 0x09000000 later will be in ARM. This "clearenv" routine is in THUMB mode. BX will enable them to switch. Save and name your modified iBEC, for example iBECmod.
Packing the modified iBEC
Using xpwntool:
xpwntool iBECmod iBEC.patch -t iBEC.m68ap.RELEASE.dfu
Note that the original iBEC file has to be used after -t as a template. IBEC.patch will be your modified, packed iBEC file.
Executing patched iBEC in ibooter
Windows
Put iPHUC and your patched iBEC in the same folder. Boot iPHUC and boot your iPhone in recovery mode. Type the following into iPHUC once it recognizes your iPhone:
filecopytophone iBEC.patched
It should return "filecopytophone: 0"
Then type this:
cmd go
Your iPhone will reboot and display a blank black screen immediately.
From here, open iBooter and type
