Decrypting iPhone firmware

Source: Internet
Author: User

A friend of mine opened an iPhone-related wiki a while ago. In his spare time he helped gather a lot of information, and after reorganizing an article he had written a long time ago, he moved on. I have just opened a CSDN blog and couldn't leave it empty, so I'd like to post the article here.

This article discusses how to decrypt the various files inside an .ipsw file.

Required tools
  • Cygwin (the environment needed to run vfdecrypt and the other Linux tools. If you only need vfdecrypt, you can download just the required runtime files and place them in the same directory as vfdecrypt.)
  • vfdecrypt (decrypts the main file system image.)
  • img3decrypt (decrypts img3 files.)
  • WinRAR (or any other tool that can unpack a zip archive.)
  • HFSExplorer (requires the Java Runtime Environment. The paid PowerISO, or any other tool that can unpack a DMG image, also works.)
Notes

Since version 3.1, Apple has packaged the firmware on Snow Leopard. Because of Snow Leopard's new file management mechanism, when the DMG is opened on any non-Snow Leopard platform (such as Leopard or Windows), some file types (for example all *.strings files) show a size of 0 bytes and appear empty. This is because Snow Leopard stores the content of these files in the resource fork. On Leopard and earlier Mac OS X the content cannot be read but still exists; on Windows it is discarded together with the entire resource fork. There is no effective workaround for this.

Description of ipsw File

The ipsw file, that is, the firmware installation package used to upgrade the iPhone/iPod Touch, is a zip archive and can be opened directly with tools such as WinRAR.

Take the first-generation iPod Touch 2.2.1 firmware as an example. After opening it, you will see the following files:

  • .fseventsd (directory)
  • Firmware (directory)
  • 018-4437-16.dmg
  • 018-4443-16.dmg
  • 018-4490-10.dmg
  • kernelcache.release.s5l8900x
  • Restore.plist

(3.x firmware has an additional BuildManifest.plist file, but we do not need it.)

The Firmware directory stores the core files used to boot the device while the firmware is being flashed; they are not needed for now. The other three *.dmg files are system images of the iPhone/iPod Touch.

Restore.plist describes what each file is for. Open it with a text editor such as Notepad; it contains the following section:

<key>RestoreRamDisks</key>
<dict>
    <key>Update</key>
    <string>018-4437-16.dmg</string>
    <key>User</key>
    <string>018-4443-16.dmg</string>
</dict>

This shows that 018-4437-16.dmg is the update ramdisk and 018-4443-16.dmg is the restore ramdisk. When you "update" the firmware with iTunes, the device actually boots 018-4437-16.dmg; when you "restore", it boots 018-4443-16.dmg. If you want to extract the vfdecrypt key manually, you must extract it from the restore ramdisk.

Continue and you will see this section:

<key>SystemRestoreImages</key>
<dict>
    <key>User</key>
    <string>018-4490-10.dmg</string>
</dict>

This section says that the system image (system ramdisk) written to the device during flashing is 018-4490-10.dmg. It is usually the largest file in the firmware, because it contains the iPhone/iPod Touch file system; extracting the file system means extracting the contents of this file.

Why explain the contents of Restore.plist at all? Because the names of the three DMG images are not fixed and differ between versions, so you should check Restore.plist to learn what each file is.

Encryption Algorithm

The system ramdisk is the largest file (about 200 MB) in the ipsw. Each device model has its own vfdecrypt key, and the file is decrypted with the vfdecrypt tool.

The update ramdisk, restore ramdisk and other files are encrypted in the img3 format. The encryption key is tied to the device's processor, and each processor type has its own IV and key pair. Use img3decrypt to decrypt such files.

To obtain the keys for both types of file, refer to the vfdecrypt keys page or take them from the *.plist files of PwnageTool.

Decrypting an img3 file

Requires img3decrypt.

The key and IV needed for decryption can be found on the vfdecrypt keys page.

Decryption command:

img3decrypt.exe <input file> <output file> [-k <key>] [-IV <IV>]

If no key and IV are given, the tool outputs the kbag data instead. If you wish, you can use the hardware AES engine on an iPhone/iPod Touch to compute the key and IV from this kbag data. If you succeed, you are welcome to add the verified key and IV to the vfdecrypt keys page for everyone's use.
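As an added illustration of what that kbag data is (this is not code from the article or from the img3decrypt project), the following Python script parses the publicly documented IMG3 container layout, a 20-byte header (magic, fullSize, sizeNoPack, sigCheckArea, ident) followed by tags that each carry a 4-byte magic, a total length and a data length, and pulls out every KBAG tag: its crypt state (1 = production, wrapped with the device GID key; 2 = development), the AES key size, and the wrapped IV and key. The sample container, the ident "krnl" and all key bytes are constructed here. The script decrypts nothing: as the article says, the wrapped IV and key can only be unwrapped by the device's hardware AES engine, and this parser only shows what img3decrypt reports when no key is supplied.

```python
import struct

# IMG3 stores its 4-byte magics little-endian, so "Img3" is b"3gmI" on disk
# and the KBAG tag magic "KBAG" appears as b"GABK".
IMG3_MAGIC = b"3gmI"
HEADER_LEN = 20  # magic, fullSize, sizeNoPack, sigCheckArea, ident


def _le_magic(text):
    """Encode a 4-character magic the way IMG3 stores it (byte-reversed)."""
    return text.encode("ascii")[::-1]


def parse_img3(blob):
    """Return (ident, [(tag_name, tag_data), ...]) for an IMG3 container."""
    if len(blob) < HEADER_LEN or blob[:4] != IMG3_MAGIC:
        raise ValueError("not an IMG3 container")
    full_size, size_no_pack, sig_check = struct.unpack_from("<III", blob, 4)
    ident = blob[16:20][::-1].decode("ascii")
    end = min(len(blob), full_size)
    off, tags = HEADER_LEN, []
    while off + 12 <= end:
        name = blob[off:off + 4][::-1].decode("ascii")
        total_len, data_len = struct.unpack_from("<II", blob, off + 4)
        # Reject tags whose lengths would run past the buffer or each other.
        if total_len < 12 or data_len > total_len - 12 or off + total_len > end:
            raise ValueError("malformed tag at offset %d" % off)
        tags.append((name, blob[off + 12:off + 12 + data_len]))
        off += total_len
    return ident, tags


def parse_kbag(data):
    """Decode one KBAG payload: cryptState, aesType, wrapped IV, wrapped key."""
    crypt_state, aes_type = struct.unpack_from("<II", data, 0)
    key_len = aes_type // 8
    if len(data) < 8 + 16 + key_len:
        raise ValueError("KBAG shorter than its declared key size")
    return {
        "crypt_state": crypt_state,  # 1 = production (GID-wrapped), 2 = development
        "aes_bits": aes_type,
        "enc_iv": data[8:24].hex(),
        "enc_key": data[24:24 + key_len].hex(),
    }


def extract_kbags(blob):
    """Return the image ident and every KBAG found in the container."""
    ident, tags = parse_img3(blob)
    return ident, [parse_kbag(d) for name, d in tags if name == "KBAG"]


def build_img3(ident, tags):
    """Assemble a container from (name, data) tags; used only for the constructed sample."""
    body = b""
    for name, data in tags:
        pad = (-len(data)) % 4  # tags are padded to a 4-byte multiple
        body += (_le_magic(name) + struct.pack("<II", 12 + len(data) + pad, len(data))
                 + data + b"\0" * pad)
    full = HEADER_LEN + len(body)
    return IMG3_MAGIC + struct.pack("<III", full, len(body), len(body)) + _le_magic(ident) + body


def sample_img3():
    """Constructed sample: a VERS tag, a DATA tag and two KBAGs with made-up bytes."""
    vers = b"EmbeddedImages-123"
    prod_kbag = struct.pack("<II", 1, 256) + bytes(range(16)) + bytes(range(32))
    dev_kbag = struct.pack("<II", 2, 128) + b"\xaa" * 16 + b"\xbb" * 16
    return build_img3("krnl", [
        ("VERS", struct.pack("<I", len(vers)) + vers),
        ("DATA", b"\x00" * 40),  # the encrypted payload would sit here
        ("KBAG", prod_kbag),
        ("KBAG", dev_kbag),
    ])


if __name__ == "__main__":
    ident, kbags = extract_kbags(sample_img3())
    print("ident:", ident)
    for k in kbags:
        print(k)
```

Because every tag carries its own length fields, the parser checks them against the buffer before trusting them; a corrupted or truncated image raises ValueError instead of walking off the end.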

For more functions and usage of img3decrypt, see http://code.google.com/p/img3decrypt/

Decrypting the system ramdisk

Requires vfdecrypt.

Obtain the vfdecrypt key for decryption. For 3.x firmware you can also use genpass to extract the key from the decrypted restore ramdisk.

In this example the key we use is the one for this device and firmware version (the value itself is not reproduced here); it replaces <key> in the commands below.

If you work in the cygwin environment
  1. Extract vfdecrypt.exe from the downloaded archive and place it in C:/cygwin/bin (assuming cygwin is installed in C:/cygwin; the same applies below).
  2. Use WinRAR to open the .ipsw file, extract the system ramdisk from it (for 2.2.1 the file is 018-4490-10.dmg) and put it in C:/cygwin/home/[Your user name].
  3. Start cygwin and run the following command:

vfdecrypt -i 018-4490-10.dmg -o 018-4490-10-decrypted.dmg -k <key>

After a moment the decrypted file 018-4490-10-decrypted.dmg appears in C:/cygwin/home/[Your user name]. Open it with HFSExplorer.

If you do not have, or do not want to install, cygwin
  1. Create a folder wherever you like.
  2. Extract vfdecrypt.exe into this folder, and also extract the runtime library mentioned at the beginning of this article into it.
  3. Use WinRAR to open the .ipsw file, extract the system ramdisk from it and put it in this folder.
  4. Click "Run" in the Start menu, type "cmd", press Enter to open a Command Prompt window, and change to the folder you created.
  5. Run the following command:

vfdecrypt -i 018-4490-10.dmg -o 018-4490-10-decrypted.dmg -k <key>

After a moment the decrypted 018-4490-10-decrypted.dmg appears in this folder. Open it with HFSExplorer.

Using genpass to extract the vfdecrypt key from the decrypted restore ramdisk

Besides looking up known keys on the vfdecrypt keys page, you can use genpass to compute the vfdecrypt key from the decrypted restore ramdisk. If you succeed, you are welcome to add the verified key to the vfdecrypt keys page for everyone's use.

Download the source code and compile genpass
  • Download the genpass source code from http://code.google.com/p/chronicdev/wiki/GenPass and save it as genpass.c in C:/cygwin/home/[Your user name].
  • Start cygwin and run the following commands to compile genpass and copy it to the system directory:

gcc genpass.c -lcrypto -o genpass
cp ./genpass.exe /bin

Computing the key with genpass

Command:

genpass.exe <platform type> <restore ramdisk> <system ramdisk>

The platform type depends on the processor used by the device; for example, the iPod Touch 1G is s5l8900x. To find your device's platform type, open its .ipsw firmware with WinRAR and look for a file of about 4 MB with a name like "kernelcache.release.s5l8900x": the part after the last "." is the platform type.
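Two of the manual lookups in this article, reading the image roles out of Restore.plist and reading the platform type off the kernelcache file name, are easy to script. The following Python script is an added example, not code from the article or from any of the tools it mentions: it opens an ipsw as a zip archive, loads Restore.plist with plistlib, reports which .dmg is the update ramdisk, the restore ramdisk and the system image, checks that every referenced image is actually present in the archive, and derives the platform type for genpass from the kernelcache name. It assumes the plist keys are spelled RestoreRamDisks and SystemRestoreImages with the Update/User entries shown above; the sample ipsw is constructed in memory using the 2.2.1 file names from the article with dummy contents.

```python
import io
import plistlib
import zipfile

# Restore.plist keys as used in the article's excerpts (assumed spelling).
RAMDISK_KEY = "RestoreRamDisks"
SYSTEM_KEY = "SystemRestoreImages"


def inventory_ipsw(ipsw_bytes):
    """Map the roles described in Restore.plist to .dmg names and find the platform type.

    Returns a dict with update_ramdisk, restore_ramdisk, system_image,
    kernelcache and platform (the suffix after the last '.' of the kernelcache name).
    """
    with zipfile.ZipFile(io.BytesIO(ipsw_bytes)) as z:
        names = z.namelist()
        plist = plistlib.loads(z.read("Restore.plist"))
        ramdisks = plist.get(RAMDISK_KEY, {})
        system = plist.get(SYSTEM_KEY, {})
        kernelcaches = [n for n in names if n.lower().startswith("kernelcache.")]
        if len(kernelcaches) != 1:
            raise ValueError("expected exactly one kernelcache, found %r" % kernelcaches)
        kc = kernelcaches[0]
        info = {
            "update_ramdisk": ramdisks.get("Update"),
            "restore_ramdisk": ramdisks.get("User"),
            "system_image": system.get("User"),
            "kernelcache": kc,
            "platform": kc.rsplit(".", 1)[1],
        }
        # Every image Restore.plist points at must actually exist in the archive.
        missing = [v for k, v in info.items()
                   if k.endswith(("ramdisk", "image")) and v not in names]
        if missing:
            raise ValueError("Restore.plist references files not in the ipsw: %r" % missing)
        return info


def largest_dmg(ipsw_bytes):
    """Sanity check from the article: the system image is normally the largest .dmg."""
    with zipfile.ZipFile(io.BytesIO(ipsw_bytes)) as z:
        dmgs = [i for i in z.infolist() if i.filename.endswith(".dmg")]
        return max(dmgs, key=lambda i: i.file_size).filename


def sample_ipsw():
    """Constructed stand-in for the iPod Touch 1G 2.2.1 package: real names, dummy contents."""
    restore = {
        RAMDISK_KEY: {"Update": "018-4437-16.dmg", "User": "018-4443-16.dmg"},
        SYSTEM_KEY: {"User": "018-4490-10.dmg"},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Restore.plist", plistlib.dumps(restore))
        z.writestr("Firmware/", b"")
        z.writestr("018-4437-16.dmg", b"U" * 1000)
        z.writestr("018-4443-16.dmg", b"R" * 1000)
        z.writestr("018-4490-10.dmg", b"S" * 5000)  # the system image is the big one
        z.writestr("kernelcache.release.s5l8900x", b"K" * 100)
    return buf.getvalue()


if __name__ == "__main__":
    data = sample_ipsw()
    for role, name in inventory_ipsw(data).items():
        print("%-16s %s" % (role, name))
    print("largest dmg:     %s" % largest_dmg(data))
```

To run it against a real package, replace sample_ipsw() with the bytes of the .ipsw file; the presence check is what catches a Restore.plist that was edited or copied from a different firmware version.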
