Talk:AES Keys

From The iPhone Wiki
Jump to: navigation, search

Use kloader to bootstrap patched iBSS/iBEC on A4+ devices

Has anyone tried loading patched iBSS/iBEC on A4+ device ? That way we would be able to load unsigned ramdisk (which could be used to decrypt kbag even on non-limerain devices). --The preceding unsigned comment was added by ‎Danzatt (talk) 15:58, 12 September, 2014. Please consult this page for more info on how to sign pages, and how to fix this.

It won't work as the AES engine gets disabled when the kernel is booting up. Jumping back into iBoot won't reenable it. --Aker 21:56, 12 September 2014 (GMT+1)
Does it make a "call" to coprocessor so that it is disabled on hardware level ? (Are there any details available on how this is done ?). --Danzatt (talk) 21:32, 12 September 2014 (UTC)
The IOAESAccelerator chip gets a request to restrict the access to the GID key and disables it until the iPhone/iPad/iPod touch is rebooted. -- Aker 08:54, 13 September 2014 (GMT+1)
Yes, I know that. But I thought bootloader just hides it from the kernel. Is there any source that confirms it is disabled per-reboot ? (Also... How was it possible that XPwn's kernel patcher could patch kernel to grant access to GID key ?) --Danzatt (talk) 10:59, 14 September 2014 (UTC)
Well, you're right [1] [2] --Danzatt (talk) 11:14, 14 September 2014 (UTC)

Greenpois0n Method

After GP does its magic and the device boots into the patched iBSS, I cannot get the command to decrypt the KBAG to work. In iRecovery, 'go aes dec [long KBAG string]' gives no output. Commands like bgcolor, reboot, etc. work, but I cannot get any feedback from the device to give me the decrypted KBAG. Has anyone gotten this to work? --Cool name 16:01, 11 November 2010 (UTC)

you need a payload or run -s flag on IBSS --liamchat 16:29, 11 November 2010 (UTC)
I'm pretty sure the payload is already initialized by running GP, because when opening the iRecovery console with 'sudo ./irecovery -s' it spits out stuff about Greenpois0n initializing, aes_crypto_cmd being patched, etc, and it is an iBSS. My trouble is getting the device to respond to the go aes dec command, I think it may be a problem with iRecovery but not sure --Cool name 17:03, 11 November 2010 (UTC)
well what copy of IRecovery do you have i know that the one from User:GreySyntax works also try an IRecovery script like --liamchat 17:43, 11 November 2010 (UTC)
go aes dec AACACFB9258D7DFBF7D46F21BD9BF27C7E67C673594B7DEE4FF8FE1F08040B1F
go aes dec FF47F3DA0949016984CDED28E286C45CB14B1962B328F82589608C5A5D0A4050
go aes dec 73FFC67694FC821AB9C21CB3CC9A64792D14320F917F469B4935110284990778
go aes dec 3DD9554AB61398A3B6323FA71730A4243837777651DFB8AD212B81ECF194C653
go aes dec 3D2B301E5A7069D52DA258C4B0A2209FA9BA4CEDB120688FC51D3BF1EDEDE5BC
go aes dec E996535613828554253DC21B4875C4BB371FF21699C2D2AF8C02E1137EB1951F
go aes dec 3D538743E45B5B6B6C190B2BBACA705372A3147CC9A60C6856EE2B9B1E60FD85
go aes dec 5FCF5DA27AC995B0B10D76C42ADD5F0BB9268FA88A045EDCCDBC946A73A7CFDC
go aes dec 68D3DE8EA8CC1707D08C983E745EA6A25E40FD532A5BD3BF7760BD540BE257DC
go aes dec 1AE9223C4B8AEBD5F0A30C910212EC8171E3BFC2EF7BF802A39C9C5F45939B2C
go aes dec 87CE52FFEB8E4FB685BA7FA37CBAC0004C9C0B0274FB8A7C1E06D85796063DF0
go aes dec BDB129D92704104423940EC40913FABD30E676CD800E523273DA4E38065B0E13
go aes dec 55D6DE657EB16C5563551C4DA26EE12197783C7100A92695D2B74802F10155C1
go aes dec BA6A3959FBC43D3BCF2708640D5E7B4E5C2306C7ED8A34F7ABC3F49EE6D0BDD4
go aes dec B6689C5BA40B644470C51C35257B984F97F9BE8A3E620086A5A726D7A2C1B7B1
go aes dec 874AD4B93947DAA4D14DDACD3F948F2EFAA207BF6E6FDE3C9D6248E72186894B
go aes dec 9C51D82560C30D976F374F5CB7CC2A7E286FF0067169EA393A8285AC74129D05
/exit note: these are the KBAG's of Northstar 7D11 (iPod touch 2G)
--liamchat 18:25, 11 November 2010 (UTC)
Thank you, GreySyntax's version of iRecovery did the trick :) --Cool name 19:32, 11 November 2010 (UTC)


So I'm working on a project for the AES Engine, May I add the info somewhere in this page? AESPayload Syringe --Haifisch 22:38, 13 November 2012 (MST)

No. Finish your project and ask again. If it's really useful and used by more than 1000 users, we might add it. --http 05:22, 14 November 2012 (MST)
Finished --Haifisch 00:03, 17 November 2012 (MST)
Mind explaining exactly how one would use it? --5urd 14:39, 17 November 2012 (MST)
New people to the hacking community (iOS hackers) may want to help by finding the keys to such things as kernelcaches and root fs dmgs. Using this tool they can, this may be the easiest way to find it, It does most of the work for you. All one would need to do is get the KBAG key and run the aes decrypt command with the included irecovery tool (Not of my work). I suggest this as a starting point for the new guys jumping into hardware hacking. --Haifisch 16:39, 17 November 2012 (MST)

Finding AES keys.

How can I find the AES keys? I have Haifisch's version but I cant find out to compile. Also I dont get irecovery to work. --iAdam1n (talk) 18:07, 14 November 2012 GMT}}

Not being rude, but if you can't compile a simple Makefile project, you need to learn a bit more before delving into things like hacking the device's hardware and software. --5urd 16:34, 14 November 2012 (MST)
I made my version as easy as possible (without just handing him a compiled executable). I want him to learn at least to compile a simple project. --Haifisch 19:14, 14 November 2012 (MST)
Did you make it for Mac? Also I cannot get the irecovery -s to work. --iAdam1n (talk) 23:20, 15 November 2012 (GMT)
What happens if you run file irecovery? Is it a Mac Intel executable? If not, that's why. Any yes, it is for Mac. You need GNU Compiler Collection and gnumake though. --5urd 17:45, 15 November 2012 (MST)
How do I use the pwnstrap for iOS 6.x? cant use pwnagetool to cook. haifisch what about instructions for your tool? --iAdam1n (talk) 18:13 2 December 2012 (MST)
You make me sad... pwnstap is just (really) uploading the custom iBSS file; You cannot simply compile my tool yourself so why not learn how to like we all did? --Haifisch 00:34, 2 December 2012 (MST)
I can but half of the commands don't work. --iAdam1n (talk) 5:46, 2 December 2012 (MST)
Because you need to set them up and know how to use them --Haifisch 15:46, 2 December 2012 (MST) --Blue Skies (talk) 11:32, 4 April 2014 (UTC)
How would one find these for S5L8900? The greenpois0n method would obviously not work since it did not support S5L8900. --iAdam1n (talk) 16:48, 14 October 2014 (UTC)

Details on how iBoot disables the AES engine before the kernel executes

Thanks to ih8sn0w for the info in these tweets. [0] [1]

Using iPhone3,1 6.0.1's iBoot (iBoot-1537.4.21) rebased in IDA to 0x5FF00000:

jumpto is at 0x5FF1E358

at 0x5FF1E370, jumpto calls "turn_off_aes" at 0x5FF1D678

at 0x5FF1D71C, "turn_off_aes" calls "write_to_aes_base" at 0x5FF01E0C

at 0x5FF01E2A, "write_to_aes_base" actually makes the 32-bit write (with some masking) that ih8sn0w is talking about

It looks like 0x5FF01E2A is writing to 0x87800000, so be mindful of memory mappings



--Jevinskie (talk) 19:05, 19 October 2016 (UTC)