Thursday, April 10, 2008

Find iPhone secret ramdisk decrypt key

This is one of the methods, using Mac OS, to find the ramdisk secret key inside an iPhone IPSW firmware file.

The method is stated in
http://iphonejtag.blogspot.com/2008/01/iphone-secret-key.html

After finding the decrypt key, you can use vfdecrypt (from my previous posts) to decrypt the iPhone filesystem.


For example, iPhone 2.0 beta firmware file (build 5A225c) is iPhone1,1_2.0_5A225c_Restore.ipsw


#!/bin/bash

# first extract the ramdisk image file from the ipsw file
unzip -o iPhone1,1_2.0_5A225c_Restore.ipsw 018-3476-4.dmg -d .

# print out the payload size in 512-byte sectors: the 8900 header stores the
# payload length as a 4-byte integer at offset 12 (the 13th to 16th byte of the file)
SECTORS=$(echo `hexdump -s12 -n4 -e '"%d\n"' 018-3476-4.dmg` / 512 | bc)
echo $SECTORS

# the output will be 37464 for this case

# strip off the first 0x800 bytes (4 x 512-byte header sectors) and the trailing certificate
dd if=018-3476-4.dmg of=018-3476-4.stripped.dmg bs=512 skip=4 count=$SECTORS conv=sync

# use the method of GEORGE HOTZ: AES-128-CBC with his published key and an all-zero IV
openssl enc -d -in 018-3476-4.stripped.dmg -out ramdisk-018-3476-4.dmg -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0

# print out the ramdisk key from the image: a printable string of exactly 72 hex characters
strings ramdisk-018-3476-4.dmg | egrep "^[0-9a-fA-F]{72}$"


The output of the script is below; the ramdisk key is the last line of the output.

Archive: iPhone1,1_2.0_5A225c_Restore.ipsw
inflating: ./018-3473-4.dmg
37464+0 records in
37464+0 records out
19181568 bytes transferred in 0.770523 secs (24894216 bytes/sec)
ea14f3ec624c7fdbd52e108aa92d13b16f6b0b940c841f7bbc7792099dae45da928d13e7


After mounting the ramdisk image, the ramdisk key can be found in /usr/sbin/asr:
strings /Volumes/ramdisk/usr/sbin/asr



The second method is to get 8900decryptor.c from http://code.google.com/p/iphone-elite/wiki/8900decryptercode

and compile it with
gcc 8900decryptor.c -lcrypto -o 8900decryptor


Using these commands, you get the decrypted image and the key as well:
./8900decryptor 018-3476-4.dmg 018-3476-4.8900decrypted.dmg
strings 018-3476-4.8900decrypted.dmg | egrep "^[0-9a-fA-F]{72}$"

Moreover, you can mount the ramdisk 018-3476-4.8900decrypted.dmg directly.
The ramdisk key is in /usr/sbin/asr of this mounted ramdisk image.
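As an added example (not the post's script and not iphone-elite's 8900decryptor), the following Python tool does the same three steps as both methods above in one place: it parses the 8900 header instead of hard-coding the hexdump offset, decrypts the payload with AES-128-CBC and a zero IV using the key the post passes to openssl, and then scans the decrypted image for the 72-hex-character run that egrep matched. The header field names and the meaning of the format byte (0x3 encrypted, 0x4 plaintext) are taken from the public 8900 format description rather than from this post, which only uses the size field at offset 12; the decrypt step assumes an `openssl` binary on PATH. It goes slightly beyond the post by skipping decryption when the format byte says the payload is already plain.

```python
#!/usr/bin/env python3
"""Parse an 8900-wrapped iPhone ramdisk and locate the ramdisk key.

Added example, not the blog's script nor iphone-elite's 8900decryptor.
Assumes: python3, and the `openssl` binary on PATH for the decrypt step.
"""
import re
import struct
import subprocess
import sys

HEADER_LEN = 0x800          # payload starts here (the post's dd skip=4 x 512)
SECTOR = 512
# AES-128 key the post passes to `openssl enc -K` (George Hotz's 8900 key)
KEY_8900 = "188458A6D15034DFE386F23B61D43774"
# A ramdisk key is a printable run of exactly 72 hex digits bounded by
# non-printable bytes, i.e. what `strings | egrep "^[0-9a-fA-F]{72}$"` prints.
KEY_RE = re.compile(rb"(?<![\x20-\x7e])[0-9a-fA-F]{72}(?![\x20-\x7e])")
FORMAT_ENCRYPTED = 0x3      # from the public 8900 format description
FORMAT_PLAIN = 0x4          # (assumption beyond the post, which only uses 0xC)


def parse_8900_header(blob: bytes) -> dict:
    """Read the 8900 header fields the tool needs.

    Offset 0x0 magic "8900", 0x4 version "1.0", 0x7 format byte (public
    format description); offset 0xC is the 4-byte little-endian payload
    length that the post reads with `hexdump -s12 -n4`.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("shorter than the 0x800-byte 8900 header")
    if blob[0:4] != b"8900":
        raise ValueError("bad magic %r, expected b'8900'" % blob[0:4])
    (data_size,) = struct.unpack_from("<I", blob, 0xC)
    if HEADER_LEN + data_size > len(blob):
        raise ValueError("payload length exceeds file size")
    return {
        "version": blob[4:7].decode("ascii", "replace"),
        "format": blob[7],
        "data_size": data_size,
        "sectors": data_size // SECTOR,   # the value the post feeds to dd count=
        # everything after the payload is the signature/certificate footer
        "payload": blob[HEADER_LEN:HEADER_LEN + data_size],
    }


def decrypt_payload(payload: bytes, key_hex: str = KEY_8900) -> bytes:
    """AES-128-CBC, zero IV, via the openssl CLI (same as the post's command).

    -nopad: the payload is a raw disk image with no PKCS#7 padding, so every
    block is returned as-is instead of openssl failing on the last block.
    """
    proc = subprocess.run(
        ["openssl", "enc", "-d", "-aes-128-cbc", "-nopad",
         "-K", key_hex, "-iv", "00" * 16],
        input=payload, capture_output=True, check=True,
    )
    return proc.stdout


def find_key_candidates(data: bytes) -> list:
    """Distinct 72-hex-digit strings in the decrypted image, in file order."""
    found = []
    for m in KEY_RE.finditer(data):
        s = m.group(0).decode("ascii")
        if s not in found:
            found.append(s)
    return found


def main(path: str) -> int:
    with open(path, "rb") as f:
        blob = f.read()
    hdr = parse_8900_header(blob)
    print("8900 v%s format=0x%x payload=%d bytes (%d sectors)"
          % (hdr["version"], hdr["format"], hdr["data_size"], hdr["sectors"]))
    if hdr["format"] == FORMAT_PLAIN:
        image = hdr["payload"]
    else:
        image = decrypt_payload(hdr["payload"])
    out = path + ".decrypted.dmg"
    with open(out, "wb") as f:
        f.write(image)
    keys = find_key_candidates(image)
    for k in keys:
        print(k)
    print("decrypted ramdisk written to %s" % out, file=sys.stderr)
    return 0 if keys else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))   # usage: ./find_ramdisk_key.py 018-3476-4.dmg
```

Run it on the extracted 018-3476-4.dmg and it prints the header summary, writes 018-3476-4.dmg.decrypted.dmg (mountable like the 8900decryptor output), and lists every 72-hex-digit candidate. The regex requires the run to be bounded by non-printable bytes so that a longer printable string which merely contains 72 hex digits is rejected, which matches the anchored `^...$` egrep in the post.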

If you find this info useful, please consider donating $1 by clicking the Donate button.

1 comment:

Finely said...

does it work for iOS 5