Saturday, April 19, 2008

My first iPhone firmware 2.0 application: Embark

I have written a small application for the iPhone with firmware 2.0 beta 3, using the open toolchain headers.

This small application lets you place shortcut icons on the home screen for
a telephone number to dial, an SMS, an email address or a webpage.




Requirements:
Pwned iPhone with firmware 2.0 beta 3 (build 5A240d)
SSH installed on your iPhone, so that you can install the application over Wi-Fi

For details, see this post:
http://www.iphone.org.hk/cgi-bin/ch/topic_show.cgi?id=6264&h=1#27987

The application binary can be downloaded from here.

Friday, April 18, 2008

Using the Apple SDK with low-level toolchain APIs

Update and details here.

Assume you have installed iPhone SDK beta 3 and want to use the toolchain APIs to port an existing iPhone application to firmware 2.0 beta 3 using Apple's SDK.

(1) Install iPhone SDK beta 3 from Apple

(2) Install the toolchain headers as per the instructions from here.
I have modified them for the beta 3 SDK path, as below:


$ sudo mkdir -p /Developer/SDKs/iPhoneOS.sdk/Versions/iPhoneOS2.0.sdk/
$ svn co http://iphone-dev.googlecode.com/svn/branches/include-1.2-sdk
$ cd include-1.2-sdk
$ ./configure --prefix=/Developer/SDKs/iPhoneOS.sdk/Versions/iPhoneOS2.0.sdk/
$ sudo sh install-headers.sh


(3) Get the template here, unzip it and put the "Tool Chain Build" folder under the following folder (you need to create this folder first):
/Developer/Platforms/iPhoneOS.platform/Developer/Library/Xcode/Project Templates/iPhone Tool Chain

Then you will see this template when you create a new project.

(4) This template only supports building for the device in the Release configuration, so you have to connect your iPhone with the USB cable when you Build and Go.

(5) When using the SDK frameworks to build an old iPhone app, you will find that some symbols are missing at link time.

(6) The template also includes a Makefile that builds the application and copies it over SSH to the iPhone folder /Application.

Friday, April 11, 2008

Convert Apple encrypted img2 file to PNG

(1) Get the source code from
http://pastebin.ca/977711
and name it img2png.c

(2) Get libpng from http://www.libpng.org/pub/png/libpng.html

(3) Compile with:
gcc img2png.c -lcrypto -lpng -o img2png


(4) Run:
./img2png applelogo.img2 applelogo.png

Thursday, April 10, 2008

Find iPhone secret ramdisk decrypt key

This is one of the methods, using Mac OS, to find the ramdisk secret key of an iPhone IPSW file.

The method is described in
http://iphonejtag.blogspot.com/2008/01/iphone-secret-key.html

After finding the decryption key, you can use vfdecrypt (from my previous posts) to decrypt the iPhone filesystem.


For example, the iPhone 2.0 beta firmware file (build 5A225c) is iPhone1,1_2.0_5A225c_Restore.ipsw.


#!/bin/bash

# first extract the ramdisk image file from the ipsw file
unzip -o iPhone1,1_2.0_5A225c_Restore.ipsw 018-3476-4.dmg -d .

# print out the payload size in 512-byte sectors (bytes 13 to 16 of the file hold the payload length) using
echo `hexdump -s12 -n4 -e '"%d\n"' 018-3476-4.dmg` / 512 | bc

# the output will be 37464 for this case

# strip off the first 0x800 bytes (the 8900 header, 4 sectors) and the trailing certificate
dd if=018-3476-4.dmg of=018-3476-4.stripped.dmg bs=512 skip=4 count=37464 conv=sync

# use the method of George Hotz
openssl enc -d -in 018-3476-4.stripped.dmg -out ramdisk-018-3476-4.dmg -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0

# print out the ramdisk key (a 72-character hex string) from the decrypted image
strings ramdisk-018-3476-4.dmg | egrep "^[0-9a-fA-F]{72}$"


The output of the script is below, and the ramdisk key is on the last line of the output.

Archive: iPhone1,1_2.0_5A225c_Restore.ipsw
inflating: ./018-3473-4.dmg
37464+0 records in
37464+0 records out
19181568 bytes transferred in 0.770523 secs (24894216 bytes/sec)
ea14f3ec624c7fdbd52e108aa92d13b16f6b0b940c841f7bbc7792099dae45da928d13e7


The ramdisk key is in /usr/sbin/asr after the ramdisk image has been mounted:
strings /Volumes/ramdisk/usr/sbin/asr
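As an added illustration (not part of the original post, nor code from either tool it mentions), the following Python script parses the same two 8900 header facts the shell script relies on (the payload length at offset 12 and the payload start at 0x800), reproduces the dd skip/count arithmetic, and emulates the strings | egrep key search on constructed sample data; the AES step is still done with openssl as above. The "8900" magic check and all sample bytes are assumptions of the example.

```python
import re
import struct

SECTOR = 512
PAYLOAD_OFFSET = 0x800  # payload follows the fixed 0x800-byte 8900 header (dd skip=4)
KEY_RE = re.compile(rb"[0-9a-fA-F]{72}")  # the egrep pattern from the script

def parse_8900_header(data):
    """Return (payload_len, dd_skip, dd_count) for an 8900 container.
    Reads only what the post relies on: the 4-byte little-endian payload length
    at offset 12 (what hexdump -s12 -n4 prints) and the fixed 0x800 payload start.
    The "8900" magic check is an assumption of this example."""
    if len(data) < PAYLOAD_OFFSET or data[:4] != b"8900":
        raise ValueError("not an 8900 container")
    payload_len = struct.unpack_from("<I", data, 12)[0]
    return payload_len, PAYLOAD_OFFSET // SECTOR, payload_len // SECTOR  # bc truncates

def extract_payload(data):
    """Mimic `dd bs=512 skip=4 count=N conv=sync`: N whole sectors after the
    header, NUL-padding a short final read; the trailing certificate is dropped."""
    _, skip, count = parse_8900_header(data)
    chunk = data[skip * SECTOR:(skip + count) * SECTOR]
    return chunk + b"\0" * ((-len(chunk)) % SECTOR)

def find_ramdisk_keys(decrypted):
    """Emulate `strings | egrep '^[0-9a-fA-F]{72}$'`: printable runs of 4+ bytes
    (what strings prints) that consist of exactly 72 hex digits."""
    return [run.group().decode()
            for run in re.finditer(rb"[\x20-\x7e]{4,}", decrypted)
            if KEY_RE.fullmatch(run.group())]

# Constructed sample container (not a real Apple image): zeroed header with the
# magic and length field set, three sectors of dummy payload, a fake trailer.
SAMPLE_PAYLOAD = b"\x5a" * (3 * SECTOR)
_hdr = bytearray(PAYLOAD_OFFSET)
_hdr[0:4] = b"8900"
struct.pack_into("<I", _hdr, 12, len(SAMPLE_PAYLOAD))
SAMPLE_8900 = bytes(_hdr) + SAMPLE_PAYLOAD + b"CERT" * 8

# Constructed stand-in for the decrypted ramdisk, holding a placeholder key.
SAMPLE_KEY = "ab" * 36
SAMPLE_DECRYPTED = b"\0asr\0" + SAMPLE_KEY.encode() + b"\0not-a-key-0ff\0"

if __name__ == "__main__":
    print(parse_8900_header(SAMPLE_8900))      # (1536, 4, 3)
    print(len(extract_payload(SAMPLE_8900)))    # 1536
    print(find_ramdisk_keys(SAMPLE_DECRYPTED))  # ['abab...ab'] (72 hex chars)
```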



The second method is to get 8900decryptor.c from http://code.google.com/p/iphone-elite/wiki/8900decryptercode

and compile it using:
gcc 8900decryptor.c -lcrypto -o 8900decryptor


Using these commands, you can get both the decrypted image and the key:
./8900decryptor 018-3476-4.dmg 018-3476-4.8900decrypted.dmg
strings 018-3476-4.8900decrypted.dmg | egrep "^[0-9a-fA-F]{72}$"

Moreover, you can mount the ramdisk 018-3476-4.8900decrypted.dmg directly.
The ramdisk key is in /usr/sbin/asr of this mounted ramdisk image.

If you find this info useful, please consider donating $1 by clicking the Donate button.

Wednesday, April 2, 2008