Friday, January 25, 2008

Decrypt iPhone filesystem Firmware

This shows how to extract the iPhone filesystem software (firmware files) from Apple's iPhone software download using a PC (source: the iPhone Dev wiki).

(1) For Firmware 1.0.1
(i) get vfdecrypt101.exe from RapidShare
(ii) get Apple's iPhone firmware 1.0.1, rename it with the extension .zip and unzip it
(run) vfdecrypt101 main_dmg_of_101.dmg decrypted101.dmg

(2) For Firmware 1.0.2
(i) get vfdecrypt102.exe from RapidShare
(ii) get Apple's iPhone firmware 1.0.2, rename it with the extension .zip and unzip it
(run) vfdecrypt102.exe 694-5298-5.dmg decrypted102.dmg

(3) For Firmware 1.1.1
(i) get vfdecrypt111.exe from RapidShare
(ii) get Apple's iPhone firmware 1.1.1, rename it with the extension .zip and unzip it
(run) vfdecrypt111.exe 022-3602-17.dmg decrypted111.dmg

(4) For Firmware 1.1.2
(i) get vfdecrypt112.exe from RapidShare
(ii) get Apple's iPhone firmware 1.1.2, rename it with the extension .zip and unzip it
(run) vfdecrypt112.exe 022-3725-1.dmg decrypted112.dmg

(5) For Firmware 1.1.3
(i) get vfdecrypt.exe from RapidShare
(ii) get Apple's iPhone firmware 1.1.3, rename it with the extension .zip and unzip it
(run) vfdecrypt -i 022-3743-100.dmg -o decrypted113.dmg -k 11070c11d93b9be5069b643204451ed95aad37df7b332d10e48fd3d23c62fca517055816

(6) For Firmware 1.1.4
(i) get vfdecrypt.exe from RapidShare
(ii) get Apple's iPhone firmware 1.1.4, rename it with the extension .zip and unzip it
(run) vfdecrypt -i 022-3894-4.dmg -o decrypted114.dmg -k d0a0c0977bd4b6350b256d6650ec9eca419b6f961f593e74b7e5b93e010b698ca6cca1fe

(7) For Firmware 2.0 beta (Build 5A225c) (MD5 8254ccf38735bc74b38fb432ce982081) (expired 8 April 2008)
(i) Google search for iPhone1,1_2.0_5A225c_Restore.ipsw
(ii) rename it with the extension .zip and unzip it
(run) vfdecrypt -i 018-3473-4.dmg -o decrypted20b2.dmg -k ea14f3ec624c7fdbd52e108aa92d13b16f6b0b940c841f7bbc7792099dae45da928d13e7

(8) For Firmware 2.0 beta (Build 5A240d) (MD5 429142d57db7cf94d4c29ee4da7f21cc) (expires 15 May 2008)
(i) Google search for iPhone1_1_2.0_5A240d_Restore.ipsw
(ii) rename it with the extension .zip and unzip it
(run) vfdecrypt -i 018-3553-6.dmg -o decrypted20b3.dmg -k e24bfab40a2e5d3dc25e089291846e5615b640897ae8b424946c587bcf53b201a1041d36

(9) For Firmware 2.0 beta (Build 5A258f) (MD5 f7a2937c32615545ba339c330356d9ad) (expires 4 June 2008)
(i) Google search for iPhone 2.0 Beta 4 (5a258f)
(ii) rename it with the extension .zip and unzip it (unzip -o iPhone1,1_2.0_5A258f_Restore.ipsw 018-3585-6.dmg)
(run) ./vfdecrypt -i 018-3585-6.dmg -o decrypted20b4.dmg -k 198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c

Read the detailed steps for decrypting iPhone firmware 1.1.3 here.


Notice
-------
(a) To run vfdecrypt on a PC you also need libeay32.dll.
(b) To extract the contents of the .dmg image on a PC you need HFSExplorer or dmg2img.exe.
You need the Java Runtime if you use HFSExplorer.

You can also use PowerISO 4.0 on Windows to examine and extract the contents of a Mac OS X *.dmg file:
http://www.poweriso.com/

(c) You can mount the decrypted image directly on Mac OS or Linux. To mount the DMG:
# strip the 0x800-byte header (4 x 512-byte blocks) from the image
dd if=694-5259-38.dmg of=ramdisk.dmg bs=512 skip=4 conv=sync
# loop-mount the decrypted image (the mount point directory must already exist)
mount -o loop decrypted112.img /mnt/decrypted112

Keys
-----

The key for the 1.0.1 revision is: 28c909fc6d322fa18940f03279d70880e59a4507998347c70d5b8ca7ef090ecccc15e82d

The key for the 1.0.2 revision is: 7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5

The key for the 1.1.1 revision is: f45de7637a62b200950e550f4144696d7ff3dc5f0b19c8efdf194c88f3bc2fa808fea3b3

The key for the 1.1.2 revision is: 70e11d7209602ada5b15fbecc1709ad4910d0ad010bb9a9125b78f9f50e25f3e05c595e2

The key for the 1.1.3 revision is: 11070c11d93b9be5069b643204451ed95aad37df7b332d10e48fd3d23c62fca517055816

The key for the 1.1.4 revision is: d0a0c0977bd4b6350b256d6650ec9eca419b6f961f593e74b7e5b93e010b698ca6cca1fe

The key for the 1.2.0 beta (Build 5A147p) (md5 iPhone1,1_1.2_5A147p_Restore.ipsw = 3539f0b912812fd56ac1019d8fce4fc2) is: 86bec353ddfbe3fb750e9d7905801f79791e69acf65d16930d288e697644c76f16c4f16d

The key for the 2.0 beta (Build 5A225c) (md5 iPhone1,1_2.0_5A225c_Restore.ipsw = 8254ccf38735bc74b38fb432ce982081) is: ea14f3ec624c7fdbd52e108aa92d13b16f6b0b940c841f7bbc7792099dae45da928d13e7

The key for the 2.0 beta (Build 5A240d) (md5 iPhone1_1_2.0_5A240d_Restore.ipsw = 429142d57db7cf94d4c29ee4da7f21cc) is: e24bfab40a2e5d3dc25e089291846e5615b640897ae8b424946c587bcf53b201a1041d36

The key for the 2.0 beta (Build 5A258f) (md5 iPhone1,1_2.0_5A258f_Restore.ipsw = f7a2937c32615545ba339c330356d9ad) is: 198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c

Read this for the decryption method: http://tungchingkai.blogspot.com/2008/05/iphone11205a258frestoreipsw-decrypt.html

The key for the 2.0 beta (Build 5A274d) (md5 iPhone1,1_2.0_5A274d_Restore.ipsw = 1e671faa31d876602161d9bb463e15da) is: 589df25eaa4ff0a5e29e1425fb99bf50957888ff098ba2fcb72cf130f40e15e00bcf2fc7



Read this for how to find the key for firmware 1.1.1 or above.

For example, for firmware 1.1.4 you can find the decryption key by running this in the Mac OS X Terminal:

#!/bin/bash
# first extract the ramdisk image file from the ipsw file
unzip -o iPhone1,1_1.1.4_4A102_Restore.ipsw 022-3896-4.dmg -d .

# strip off the first 0x800 bytes (4 x 512-byte blocks) and the trailing certificate
dd if=022-3896-4.dmg of=022-3896-4.stripped.dmg bs=512 skip=4 count=36640 conv=sync

# use George Hotz's method and ignore the bad-decrypt error openssl reports at the end
openssl enc -d -in 022-3896-4.stripped.dmg -out ramdisk-022-3896-4.dmg -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0

# print out the ramdisk key from the image (a printable run of exactly 72 hex digits)
strings ramdisk-022-3896-4.dmg | egrep "^[0-9a-fA-F]{72}$"


If you have the 8900decryptor binary, you can get the same decrypted image file and key with:

#!/bin/bash
./8900decryptor 022-3896-4.dmg 022-3896-4.8900decrypted.dmg
strings 022-3896-4.8900decrypted.dmg | egrep "^[0-9a-fA-F]{72}$"
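Added example (not code from the post or the iPhone Dev wiki): a Python version of the `strings | egrep` step above, run over a constructed stand-in for the decrypted ramdisk, plus the integrity check worth doing on a downloaded .ipsw before renaming it to .zip. The 16 + 20 byte split is how vfdecrypt interprets a 72-hex-digit -k argument (AES-128 key followed by HMAC-SHA1 key), which the post itself does not state.

```python
import hashlib
import re

# Constructed sample: a fake decrypted ramdisk blob with the post's 1.1.4 key
# embedded among binary noise, standing in for ramdisk-022-3896-4.dmg.
KEY_114 = "d0a0c0977bd4b6350b256d6650ec9eca419b6f961f593e74b7e5b93e010b698ca6cca1fe"
SAMPLE_RAMDISK = (
    b"\x00\x01\x02HFSJ\x00\xff"
    + b"/usr/bin/vfdecrypt\x00"
    + b"deadbeef" * 3 + b"\x00"          # 24 hex digits: too short, must be ignored
    + KEY_114.encode() + b"\x00\x00"
    + b"\x7fELF" + b"\x90" * 16
)

# Same test as the post's egrep "^[0-9a-fA-F]{72}$": exactly 72 hex digits.
KEY_RE = re.compile(rb"[0-9a-fA-F]{72}")


def find_key_candidates(blob: bytes, min_len: int = 4) -> list:
    """Emulate `strings` (runs of printable ASCII of at least min_len bytes)
    and keep only the runs that are exactly one 72-hex-digit key."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    return [r.decode() for r in runs if KEY_RE.fullmatch(r)]


def split_vfdecrypt_key(hexkey: str) -> tuple:
    """Split a 36-byte vfdecrypt key into its 16-byte AES-128 key and
    20-byte HMAC-SHA1 key (per vfdecrypt's -k handling, assumed here)."""
    raw = bytes.fromhex(hexkey)
    if len(raw) != 36:
        raise ValueError("expected a 36-byte key, got %d bytes" % len(raw))
    return raw[:16], raw[16:]


def md5_hex(data: bytes) -> str:
    """MD5 of a downloaded file, in the form the post lists per build."""
    return hashlib.md5(data).hexdigest()


def ipsw_matches(data: bytes, expected_md5: str) -> bool:
    """Before renaming an .ipsw to .zip, check it really is a zip (PK magic)
    and that its MD5 matches the value published for that build."""
    return data[:2] == b"PK" and md5_hex(data) == expected_md5.lower()


if __name__ == "__main__":
    for key in find_key_candidates(SAMPLE_RAMDISK):
        aes_key, hmac_key = split_vfdecrypt_key(key)
        print(key, aes_key.hex(), hmac_key.hex())
```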


If you find this info useful, please consider donating $1 by clicking the Donate button.

8 comments:

Alexander said...

Firmware 1.1.4 key:

d0a0c0977bd4b6350b256d6650ec9eca419b6f961f593e74b7e5b93e010b698ca6cca1fe

ck said...

thank you

Anonymous said...

2.0/1.2.0 key is
ea14f3ec624c7fdbd52e108aa92d13b16f6b0b940c841f7bbc7792099dae45da928d13e7

Lordknikon said...

What can I change to get the key for 4.0 beta?

jiten said...

Post the key for 3.1.3 and 4.0 beta
of iPhone 3GS!!!
Also, how do you find the decryption key yourself in Windows???
Please help me.

thanks in advance

Ed Bomke said...

Can someone send me the key for 4.0 beta iPhone 3GS??? I will be waiting for you guys... Thanks

Finely said...

Can you please send me the key for 5.0 (firmware for iPhone 4S) or show me how to get that key?

iphone en ucuz said...

For decrypting the iPhone 5 filesystem, which version of firmware can I use?