Difference between revisions of "Obtaining IMG3 Keys"

From The iPhone Wiki
Jump to: navigation, search
m (Updating.)
 
(23 intermediate revisions by 9 users not shown)
Line 1: Line 1:
  +
= Method 1 =
This is one way of getting the IMG3 keys using iBoot/iBEC patch based on the Dev Team's and Geohot's exploits.
 
   
This method is tested on both Linux and Windows OS.
+
This is one way of getting the IMG3 keys using iBoot/iBEC patch based on the Dev Team's and Geohot's exploits and was tested on both Linux and Windows OS. Epic thanks to #xpwn crew on irc.osx86.hu !
 
Epic thanks to #xpwn crew on irc.osx86.hu !
 
 
==What you need==
 
# Pwned 1st gen iPhone on 1.1.4 OS<br>
 
# ibooter from here [http://www.iphonelinux.org/index.php/IBooter]<br>
 
# iBEC.m68ap.RELEASE.dfu from iPhone1,1_1.1.4_4A102_Restore.ipsw<br>
 
# xpwntool from [http://www.iphone-dev.org/xpwn/xpwn-windows-nightly.zip]<br>
 
# iPhuc (for Windows users only)<br>
 
# Any Hex Editor<br>
 
   
  +
== What you need ==
  +
* Pwned [[M68AP|iPhone]] on [[iOS]] 1.1.4
  +
* [http://www.iphonelinux.org/index.php/IBooter iBooter]
  +
* [[iBEC]] from [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]
  +
* [[xpwntool]]
  +
* iPHUC (for Windows users only)
  +
* Any Hex Editor
   
 
==Summary==
 
==Summary==
Patched a function in the iBEC file so that it will branch to the desired memory location when the associated iboot command is called in ibooter. The desired memory location is at 0x09000000 as indicated by an earlier Geohot post and the iboot command chosen is "clearenv" in this documentation. The desired memory location will be housing the codes that enable and call the hardware aes engine so that the KBAG data can be decrypted for Keys/IV.
+
Patched a function in the iBEC file so that it will branch to the desired memory location when the associated iboot command is called in ibooter. The desired memory location is at 0x09000000 as indicated by an earlier Geohot post and the iboot command chosen is "clearenv" in this documentation. The desired memory location will be housing the codes that enable and call the hardware AES engine so that the KBAG data can be decrypted for Keys/IV.
   
 
==Steps==
 
==Steps==
Line 47: Line 44:
   
 
You will notice that iBEC starts at 0x18000000 but in your Hex Editor, just do the following changes at 0x74A0:
 
You will notice that iBEC starts at 0x18000000 but in your Hex Editor, just do the following changes at 0x74A0:
'''0x000074A0: 00 4b 18 47 00 00 00 09'''<br>
+
'''0x000074A0: 00 4b 18 47 00 00 00 09'''<br>
   
 
The idea is to tell clearenv routine to branch to 0x09000000 and BX is used because the codes to be used at 0x09000000 later will be in ARM. This "clearenv" routine is in THUMB mode. BX will enable them to switch. Save and name your modified iBEC, for example iBECmod.
 
The idea is to tell clearenv routine to branch to 0x09000000 and BX is used because the codes to be used at 0x09000000 later will be in ARM. This "clearenv" routine is in THUMB mode. BX will enable them to switch. Save and name your modified iBEC, for example iBECmod.
Line 61: Line 58:
 
====Windows====
 
====Windows====
 
Put iPHUC and your patched iBEC in the same folder. Boot iPHUC and boot your iPhone in recovery mode. Type the following into iPHUC once it recognizes your iPhone:
 
Put iPHUC and your patched iBEC in the same folder. Boot iPHUC and boot your iPhone in recovery mode. Type the following into iPHUC once it recognizes your iPhone:
filecopytophone iBEC.patched
+
filecopytophone iBEC.patch
 
It should return "filecopytophone: 0"<br>
 
It should return "filecopytophone: 0"<br>
 
Then type this:
 
Then type this:
 
cmd go
 
cmd go
Your iPhone will reboot and display a blank black screen immediately.
+
Your iPhone will reboot and display a blank black screen immediately. You are now ready to proceed with sending the payload and the KBAG that you want to decrypt.
  +
  +
==== Linux ====
  +
Put your iPhone in recovery mode, connect the USB cable and launch ibooter. Press ^F (CTRL+F) and
  +
Enter, you will be prompted for a file name, type and patched iBEC file name and press enter. Next you will be prompted for memory location to load. Enter 0x9000000 for that and press enter.
  +
  +
Now type:
  +
go
  +
to execute the patched iBEC. Your iPhone will reboot into a blank screen and that's good. You need to reconnect the ibooter after the "reboot".
  +
  +
=== Calling The Hardware AES Engine ===
  +
Type the following ARM codes in iBooter. Those were slightly modified geohot codes.
  +
  +
mw 0x9000000 0xe92d4090 // stmdb sp!, {r4, r7, lr}
  +
mw 0x9000004 0xe59f0038 // ldr r0, [pc, #56]
  +
mw 0x9000008 0xe59f1038 // ldr r1, [pc, #56] ; EnableDecrypt at 0x9000048
  +
mw 0x900000c 0xe5810000 // str r0, [r1]
  +
mw 0x9000010 0xe59f0024 // ldr r0, [pc, #36] ; Data ptr at 0x900003c
  +
mw 0x9000014 0xe3a01020 // mov r1, #32 ; 0x20 bytes to be decrypted
  +
mw 0x9000018 0xe3a02001 // mov r2, #1 ; 0x1
  +
mw 0x900001c 0xe3a03000 // mov r3, #0 ; 0x0
  +
mw 0x9000020 0xe1a0700d // mov r7, sp
  +
mw 0x9000024 0xe24dd004 // sub sp, sp, #4 ; 0x4
  +
mw 0x9000028 0xe58d3000 // str r3, [sp]
  +
mw 0x900002c 0xe59f400c // ldr r4, [pc, #12] ; AESDecrypt at 0x9000040
  +
mw 0x9000030 0xe12fff34 // blx r4
  +
mw 0x9000034 0xe1a0d007 // mov sp, r7
  +
mw 0x9000038 0xe8bd8090 // ldmia sp!, {r4, r7, pc}
  +
mw 0x900003c 0x09000100
  +
mw 0x9000040 0x18001791
  +
mw 0x9000044 0x43a343a3
  +
mw 0x9000048 0x180015c0
  +
mw 0x9000100 0x5418c5de // KBAG data from 5A347 3G restore Ramdisk
  +
mw 0x9000104 0x7e30b0ff
  +
mw 0x9000108 0x0ea9b00e
  +
mw 0x900010c 0x421f6288
  +
  +
Now, we are going to call "clearenv" in iBooter to execute the above codes (recall that we have patched "clearenv" in iBEC to allow it to branch to the above memory location). Simply type
  +
clearenv
  +
and enter.
  +
  +
=== Get The Keys/IV ===
  +
  +
Phew!!
  +
Now, let's get the goodies. Simply type:
  +
mdb 0x9000100
  +
  +
Let's see what you get in there!!!!
  +
  +
== Notes ==
  +
There exists much easier method for getting the Keys/IVs (A matter of typing just a command line) but this is more fun. ;)
  +
  +
= Method 2 =
  +
  +
There is no "easier" method. You need access to the phone's AES engine, or you need to extract the [[GID Key]] from the phone.
  +
  +
This is fully understood: The phone has an [[AES Keys|AES key]] embedded inside of it. That key is needed to decrypt the [[KBAG]] section of new IMG3 files.
  +
  +
I couldn't get [[IBoot (Bootloader)#OpeniBoot|OpeniBoot]] running, so I wrote some code to call the [[iBoot (Bootloader)|iBoot]] function. And no, I don't have the source, I wrote it just as you see it :) This patch is to [[IBoot-204.3.14|1.1.4 iBoot]], and you also need to patch a function to jump to 0x9000000. ~[[User:Geohot|geohot]]
  +
  +
==iBoot Patch==
  +
  +
//aes caller
  +
mw 0x9000000 0xE1A0700E
  +
mw 0x9000004 0xE59F0018
  +
mw 0x9000008 0xE3A01020 //size
  +
mw 0x900000C 0xE3A02001 //1=gid-key 2=uid-key
  +
mw 0x9000010 0xE3A03000
  +
mw 0x9000014 0xE58D3000
  +
mw 0x9000018 0xE59F4008
  +
mw 0x900001C 0xE12FFF34
  +
mw 0x9000020 0xE12FFF17
  +
mw 0x9000024 0x09000100 //data
  +
mw 0x9000028 0x18001791 //ptr to function
  +
  +
//enable decrypt
  +
mw 0x180015C0 0x43A343A3
  +
  +
==Tests on Key 0x837==
  +
//test encrypt
  +
mw 0x9000100 0x6C2D5A34
  +
mw 0x9000104 0x58D05050
  +
mw 0x9000108 0x31A40D78
  +
mw 0x900010C 0x150E71F0
  +
go 0x9000000
  +
mdb 0x9000100 0x10
  +
  +
//test decrypt
  +
mw 0x9000100 0xA6588418
  +
mw 0x9000104 0xDF3450D1
  +
mw 0x9000108 0x3BF286E3
  +
mw 0x900010C 0x7437D461
  +
go 0x9000000
  +
mdb 0x9000100 0x10
   
  +
[[Category:Decryption]]
From here, open iBooter and type
 

Latest revision as of 10:01, 12 October 2015

Method 1

This is one way of getting the IMG3 keys using iBoot/iBEC patch based on the Dev Team's and Geohot's exploits and was tested on both Linux and Windows OS. Epic thanks to #xpwn crew on irc.osx86.hu !

What you need

Summary

Patched a function in the iBEC file so that it will branch to the desired memory location when the associated iboot command is called in ibooter. The desired memory location is at 0x09000000 as indicated by an earlier Geohot post and the iboot command chosen is "clearenv" in this documentation. The desired memory location will be housing the codes that enable and call the hardware AES engine so that the KBAG data can be decrypted for Keys/IV.

Steps

Unpack iBEC.m68ap.RELEASE.dfu

Utilizing xpwntool, enter this command:

xpwntool <original iBEC file> <unpacked iBEC file>
i.e.
xpwntool iBEC.m68ap.RELEASE.dfu unpacked_iBEC

Patching iBEC.m68ap.RELEASE.dfu

Before:

ROM:180074A0                 PUSH    {R4,R5,R7,LR} ;"clearenv" routine starts here
ROM:180074A2                 ADD     R7, SP, #8
ROM:180074A4                 ADDS    R4, R1, #0
ROM:180074A6                 CMP     R0, #1
ROM:180074A8                 BGT     loc_180074B4
ROM:180074AA                 LDR     R0, =aNotEnoughArgum

After:

ROM:180074A0                 LDR     R3, =0x9000000
ROM:180074A2                 BX      R3
ROM:180074A2 ; ---------------------------------------------------------------------------
ROM:180074A4 dword_180074A4  DCD 0x9000000           ; DATA XREF: ROM:180074A0�r
ROM:180074A8 ; ---------------------------------------------------------------------------
ROM:180074A8                 BGT     loc_180074B4
ROM:180074AA                 LDR     R0, =aNotEnoughArgum 

You will notice that iBEC starts at 0x18000000 but in your Hex Editor, just do the following changes at 0x74A0:

0x000074A0: 00 4b 18 47 00 00 00 09

The idea is to tell clearenv routine to branch to 0x09000000 and BX is used because the codes to be used at 0x09000000 later will be in ARM. This "clearenv" routine is in THUMB mode. BX will enable them to switch. Save and name your modified iBEC, for example iBECmod.

Packing the modified iBEC

Using xpwntool:

xpwntool iBECmod iBEC.patch -t iBEC.m68ap.RELEASE.dfu

Note that the original iBEC file has to be used after -t as a template. IBEC.patch will be your modified, packed iBEC file.

Executing patched iBEC in ibooter

Windows

Put iPHUC and your patched iBEC in the same folder. Boot iPHUC and boot your iPhone in recovery mode. Type the following into iPHUC once it recognizes your iPhone:

filecopytophone iBEC.patch

It should return "filecopytophone: 0"
Then type this:

cmd go

Your iPhone will reboot and display a blank black screen immediately. You are now ready to proceed with sending the payload and the KBAG that you want to decrypt.

Linux

Put your iPhone in recovery mode, connect the USB cable and launch ibooter. Press ^F (CTRL+F) and Enter, you will be prompted for a file name, type and patched iBEC file name and press enter. Next you will be prompted for memory location to load. Enter 0x9000000 for that and press enter.

Now type:

go

to execute the patched iBEC. Your iPhone will reboot into a blank screen and that's good. You need to reconnect the ibooter after the "reboot".

Calling The Hardware AES Engine

Type the following ARM codes in iBooter. Those were slightly modified geohot codes.

mw 0x9000000 0xe92d4090       // stmdb   sp!, {r4, r7, lr}
mw 0x9000004 0xe59f0038       // ldr     r0, [pc, #56]   
mw 0x9000008 0xe59f1038       // ldr     r1, [pc, #56]   ; EnableDecrypt at 0x9000048
mw 0x900000c 0xe5810000       // str     r0, [r1]
mw 0x9000010 0xe59f0024       // ldr     r0, [pc, #36]   ; Data ptr at 0x900003c
mw 0x9000014 0xe3a01020       // mov     r1, #32 ; 0x20 bytes to be decrypted
mw 0x9000018 0xe3a02001       // mov     r2, #1  ; 0x1
mw 0x900001c 0xe3a03000       // mov     r3, #0  ; 0x0
mw 0x9000020 0xe1a0700d       // mov     r7, sp
mw 0x9000024 0xe24dd004       // sub     sp, sp, #4      ; 0x4
mw 0x9000028 0xe58d3000       // str     r3, [sp]
mw 0x900002c 0xe59f400c       // ldr     r4, [pc, #12]   ; AESDecrypt at 0x9000040
mw 0x9000030 0xe12fff34       // blx     r4
mw 0x9000034 0xe1a0d007       // mov     sp, r7
mw 0x9000038 0xe8bd8090       // ldmia   sp!, {r4, r7, pc}
mw 0x900003c 0x09000100        
mw 0x9000040 0x18001791       
mw 0x9000044 0x43a343a3
mw 0x9000048 0x180015c0  
mw 0x9000100 0x5418c5de       // KBAG data from 5A347 3G restore Ramdisk
mw 0x9000104 0x7e30b0ff
mw 0x9000108 0x0ea9b00e
mw 0x900010c 0x421f6288

Now, we are going to call "clearenv" in iBooter to execute the above codes (recall that we have patched "clearenv" in iBEC to allow it to branch to the above memory location). Simply type

clearenv 

and enter.

Get The Keys/IV

Phew!! Now, let's get the goodies. Simply type:

mdb 0x9000100

Let's see what you get in there!!!!

Notes

There exists much easier method for getting the Keys/IVs (A matter of typing just a command line) but this is more fun. ;)

Method 2

There is no "easier" method. You need access to the phone's AES engine, or you need to extract the GID Key from the phone.

This is fully understood: The phone has an AES key embedded inside of it. That key is needed to decrypt the KBAG section of new IMG3 files.

I couldn't get OpeniBoot running, so I wrote some code to call the iBoot function. And no, I don't have the source, I wrote it just as you see it :) This patch is to 1.1.4 iBoot, and you also need to patch a function to jump to 0x9000000. ~geohot

iBoot Patch

//aes caller
mw 0x9000000 0xE1A0700E
mw 0x9000004 0xE59F0018
mw 0x9000008 0xE3A01020  //size
mw 0x900000C 0xE3A02001  //1=gid-key 2=uid-key
mw 0x9000010 0xE3A03000
mw 0x9000014 0xE58D3000
mw 0x9000018 0xE59F4008
mw 0x900001C 0xE12FFF34
mw 0x9000020 0xE12FFF17
mw 0x9000024 0x09000100  //data
mw 0x9000028 0x18001791  //ptr to function

//enable decrypt
mw 0x180015C0 0x43A343A3

Tests on Key 0x837

//test encrypt
mw 0x9000100 0x6C2D5A34
mw 0x9000104 0x58D05050
mw 0x9000108 0x31A40D78
mw 0x900010C 0x150E71F0
go 0x9000000
mdb 0x9000100 0x10
//test decrypt
mw 0x9000100 0xA6588418
mw 0x9000104 0xDF3450D1
mw 0x9000108 0x3BF286E3
mw 0x900010C 0x7437D461
go 0x9000000
mdb 0x9000100 0x10