Difference between revisions of "S5L File Formats"

From The iPhone Wiki
Jump to: navigation, search
(IMG3)
Line 1: Line 1:
==IMG2==
+
== IMG2 ==
 
This was the file format used prior to iOS 2.0. For iOS 1.1.x, IMG2 files were encrypted with [[AES Keys|Key 0x837]]. IMG2 files can only be parsed by an [[iBoot]] in firmwares prior to iOS 2.0 beta 3, or the [[S5L8900]] [[VROM]]. The [[S5L8720]] and newer [[bootrom]]s have no support for it.
 
This was the file format used prior to iOS 2.0. For iOS 1.1.x, IMG2 files were encrypted with [[AES Keys|Key 0x837]]. IMG2 files can only be parsed by an [[iBoot]] in firmwares prior to iOS 2.0 beta 3, or the [[S5L8900]] [[VROM]]. The [[S5L8720]] and newer [[bootrom]]s have no support for it.
   
==8900==
+
== 8900 ==
  +
This is the file format used by the [[S5L8900]]. Usually this wraps around an [[#IMG2|IMG2]] file. It can only be parsed by an iBoot in a firmware version less than 2.0 beta 3, or the [[S5L8900]] [[VROM]]. The [[S5L8720]] and newer have no support for it.
 
  +
=== Header ===
This is the file format used by the [[S5L8900]]. Usually this wraps around an [[#IMG2|IMG2]] file. It can only be parsed by an iBoot in a firmware version less than 2.0 beta 3, or the [[S5L8900]] [[VROM]]. The [[S5L8720]] has no support for it.
 
 
===Header===
 
 
typedef struct {
 
typedef struct {
uchar magic[4]; // string "8900"
+
uint8_t magic[4]; // string "8900"
uchar version[3]; // string "1.0"
+
uint8_t version[3]; // string "1.0"
uint8 format; // plaintext format is 0x4, encrypted with [[GID-key]] format is 0x3,
+
uint8_t format; // plaintext format is 0x4, encrypted with [[GID-key]] format is 0x3,
// boot plaintext is 0x2, boot encrypted with [[UID-key]] is 0x1.
+
// boot plaintext is 0x2, boot encrypted with [[UID-key]] is 0x1.
uint32 unknown1;
+
uint32_t unknown1;
uint32 sizeOfData; // size of data (ie, filesize - header(0x800) - footer signature(0x80) - footer certificate(0xC0A))
+
uint32_t sizeOfData; // size of data (i.e: file size - header(0x800) - footerSig(0x80) - footerCert(0xC0A))
uint32 footerSignatureOffset; // offset to footer signature
+
uint32_t footerSignatureOffset; // offset to footer signature
uint32 footerCertOffset; // offset to footer certificate, from end of header (0x800)
+
uint32_t footerCertOffset; // offset to footer certificate, (i.e: offset from file start - header(0x800))
uint32 footerCertLen;
+
uint32_t footerCertLen;
uchar salt[0x20]; // a seemingly random salt (an awfully big one though... needs more attention)
+
uint8_t salt[0x20]; // a seemingly random salt (an awfully big one though... needs more attention)
uint16 unknown2;
+
uint16_t unknown2;
uint16 epoch; // the security epoch of the file
+
uint16_t epoch; // the security epoch of the file
uchar headerSignature[0x10]; // encrypt(sha1(header[0:0x40])[0:0x10], key_0x837, zero_iv)
+
uint8_t headerSignature[0x10]; // encrypt(sha1(header[0:0x40])[0:0x10], key_0x837, zero_iv)
uchar padding[0x7B0];
+
uint8_t padding[0x7B0]; // pad to 0x800 (i.e: 2KB)
 
} Apple8900Header;
 
} Apple8900Header;
   
  +
== [[IMG3 File Format|IMG3]] ==
===Resources===
 
[http://wikee.iphwn.org/s5l8900:8900_format The dev team's wiki page on the topic]
 
 
==[[IMG3 File Format|IMG3]]==
 
 
This is the replacement for the [[#IMG2|IMG2 file format]] in iOS 2.0. The [[S5L8720]] (and newer) bootroms can understand this by default, but [[WTF#Version 2|WTF 2.0]] must be uploaded to the [[DFU Mode]] of an [[S5L8900]] that has code in it to parse IMG3 files, or the [[S5L8900]] will not be able to understand them.
 
This is the replacement for the [[#IMG2|IMG2 file format]] in iOS 2.0. The [[S5L8720]] (and newer) bootroms can understand this by default, but [[WTF#Version 2|WTF 2.0]] must be uploaded to the [[DFU Mode]] of an [[S5L8900]] that has code in it to parse IMG3 files, or the [[S5L8900]] will not be able to understand them.
 
 
=== Header ===
 
=== Header ===
 
typedef struct {
 
typedef struct {
Line 42: Line 36:
 
// iBoot (ibot), etc.
 
// iBoot (ibot), etc.
 
 
} Img3Header;
+
} AppleImg3Header;
  +
=== Tag Header ===
 
=== Tag Format ===
 
 
typedef struct {
 
typedef struct {
 
uint8_t magic[4]; // one of the tags [[#Tags|below]]
 
uint8_t magic[4]; // one of the tags [[#Tags|below]]
 
uint32_t totalLength; // (dataLength + 0xC) [0xC = sizeof(Img3TagHeader)]
 
uint32_t totalLength; // (dataLength + 0xC) [0xC = sizeof(Img3TagHeader)]
 
uint32_t dataLength; //
 
uint32_t dataLength; //
  +
} AppleImg3TagHeader
} Img3TagHeader
 
 
 
=== Tags ===
 
=== Tags ===
 
[[VERS]]: Version
 
[[VERS]]: Version
Line 66: Line 58:
 
[[DATA]]: actual content
 
[[DATA]]: actual content
 
[[SEPO]]: Security Epoch
 
[[SEPO]]: Security Epoch
 
 
=== Encryption ===
 
=== Encryption ===
 
Apple got smarter this time, requiring the hardware AES engine to be run per file. Decrypt the [[KBAG]] tag data (0x20 bytes?) with the hardware AES engine and get the 0x10 byte [[wikipedia:Initialization vector|IV]] and the 0x10 byte KEY.
 
Apple got smarter this time, requiring the hardware AES engine to be run per file. Decrypt the [[KBAG]] tag data (0x20 bytes?) with the hardware AES engine and get the 0x10 byte [[wikipedia:Initialization vector|IV]] and the 0x10 byte KEY.
Line 72: Line 63:
 
[[iBoot]] has support for AES-192 and AES-256 also, but the former remains unused. In the current method, iBoot will always use the first 16 bytes as the IV, then the remaining 16 (AES-128), 24 (AES-192, unused), or 32 (AES-256) bytes for the key.
 
[[iBoot]] has support for AES-192 and AES-256 also, but the former remains unused. In the current method, iBoot will always use the first 16 bytes as the IV, then the remaining 16 (AES-128), 24 (AES-192, unused), or 32 (AES-256) bytes for the key.
   
=== Resources ===
+
== Resources ==
[http://www.jbfaq.com/article.asp?id=70 cmw's IMG3 Unpacker]
+
* [http://www.jbfaq.com/article.asp?id=70 cmw's IMG3 Unpacker]
  +
* [http://wikee.iphwn.org/s5l8900:8900_format The iPhone Dev Team on 8900]

Revision as of 23:18, 24 August 2012

IMG2

This was the file format used prior to iOS 2.0. For iOS 1.1.x, IMG2 files were encrypted with Key 0x837. IMG2 files can only be parsed by an iBoot in firmwares prior to iOS 2.0 beta 3, or the S5L8900 VROM. The S5L8720 and newer bootroms have no support for it.

8900

This is the file format used by the S5L8900. Usually this wraps around an IMG2 file. It can only be parsed by an iBoot in a firmware version less than 2.0 beta 3, or the S5L8900 VROM. The S5L8720 and newer have no support for it.

Header

typedef struct {
    uint8_t  magic[4];              // string "8900"
    uint8_t  version[3];            // string "1.0"
    uint8_t  format;                // plaintext format is 0x4, encrypted with GID-key format is 0x3,
                                    //   boot plaintext is 0x2, boot encrypted with UID-key is 0x1.
    uint32_t unknown1;
    uint32_t sizeOfData;            // size of data (i.e: file size - header(0x800) - footerSig(0x80) - footerCert(0xC0A))
    uint32_t footerSignatureOffset; // offset to footer signature 
    uint32_t footerCertOffset;      // offset to footer certificate, (i.e: offset from file start - header(0x800))
    uint32_t footerCertLen;
    uint8_t  salt[0x20];            // a seemingly random salt (an awfully big one though... needs more attention)
    uint16_t unknown2;
    uint16_t epoch;                 // the security epoch of the file
    uint8_t  headerSignature[0x10]; // encrypt(sha1(header[0:0x40])[0:0x10], key_0x837, zero_iv)
    uint8_t  padding[0x7B0];        // pad to 0x800 (i.e: 2KB)
} Apple8900Header;

IMG3

This is the replacement for the IMG2 file format in iOS 2.0. The S5L8720 (and newer) bootroms can understand this by default, but WTF 2.0 must be uploaded to the DFU Mode of an S5L8900 that has code in it to parse IMG3 files, or the S5L8900 will not be able to understand them.

Header

typedef struct {
    uint8_t  magic[4];     // string "IMG3"
    uint32_t fullSize;     // full size of fw image
    uint32_t sizeNoPack;   // size of fw image without header
    uint32_t sigCheckArea; // although that is just my name for it, this is the
                           //   size of the start of the data section (the code)
                           //   up to the start of the RSA signature (SHSH section)
    uint32_t iden;         // identifier of image, used when bootrom is parsing images
                           //   list to find LLB (illb), LLB parsing it to find
                           //   iBoot (ibot), etc.
 
} AppleImg3Header;

Tag Header

typedef struct {
    uint8_t  magic[4];    // one of the tags below
    uint32_t totalLength; // (dataLength + 0xC) [0xC = sizeof(Img3TagHeader)]
    uint32_t dataLength;  // 
} AppleImg3TagHeader

Tags

VERS: Version
SDOM: Security Domain
PROD: Processor to be used with.
CHIP: Chip to be used with. "0x8900" for S5L8900 and "0x8720" for S5L8720.
      Instead of there being a check against some piece of hardware,
      whatever is verifying this (bootrom / iBoot / LLB / etc.) has this hardcoded in.
BORD: Board to be used with
KBAG: contains the KEY and IV required to decrypt encrypted with the GID-key
SHSH: RSA encrypted SHA1 hash of the file
CERT: Certificate
ECID: Exclusive Chip ID
TYPE: Type of IMG3 (like 0x6C6F676F for logo)
DATA: actual content
SEPO: Security Epoch

Encryption

Apple got smarter this time, requiring the hardware AES engine to be run per file. Decrypt the KBAG tag data (0x20 bytes?) with the hardware AES engine and get the 0x10 byte IV and the 0x10 byte KEY.

iBoot has support for AES-192 and AES-256 also, but the former remains unused. In the current method, iBoot will always use the first 16 bytes as the IV, then the remaining 16 (AES-128), 24 (AES-192, unused), or 32 (AES-256) bytes for the key.

Resources