The method is described in
http://iphonejtag.blogspot.com/2008/01/iphone-secret-key.html
Once you have the ramdisk key, you can use vfdecrypt (see my previous posts) to decrypt the iPhone root filesystem image.
For example, the iPhone 2.0 beta firmware (build 5A225c) ships as iPhone1,1_2.0_5A225c_Restore.ipsw, and the restore ramdisk inside it is 018-3476-4.dmg. The script below pulls the ramdisk key out of it:
#!/bin/bash
# first extract the ramdisk image from the ipsw (an ipsw is a plain zip archive)
unzip -o iPhone1,1_2.0_5A225c_Restore.ipsw 018-3476-4.dmg -d .
# the 8900 header stores the length of the encrypted payload as a little-endian
# 32-bit integer at offset 0x0C (bytes 13 to 16); print it in 512-byte blocks
echo `hexdump -s12 -n4 -e '"%d\n"' 018-3476-4.dmg` / 512 | bc
# the output is 37464 for this build
# strip off the 0x800-byte header (4 x 512 bytes) and the trailing certificate
dd if=018-3476-4.dmg of=018-3476-4.stripped.dmg bs=512 skip=4 count=37464 conv=sync
# decrypt with key 0x837 following the method of George Hotz: AES-128-CBC, zero IV
# (openssl zero-pads the short "-iv 0"); -nopad because the payload is raw cipher
# blocks with no PKCS padding, otherwise openssl reports "bad decrypt" on the last block
openssl enc -d -nopad -in 018-3476-4.stripped.dmg -out ramdisk-018-3476-4.dmg -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0
# print the ramdisk key: 16-byte AES key followed by 20-byte HMAC-SHA1 key, 72 hex digits in total
strings ramdisk-018-3476-4.dmg | egrep "^[0-9a-fA-F]{72}$"
The output of the script is shown below; the ramdisk key is on the last line:
Archive: iPhone1,1_2.0_5A225c_Restore.ipsw
inflating: ./018-3476-4.dmg
37464+0 records in
37464+0 records out
19181568 bytes transferred in 0.770523 secs (24894216 bytes/sec)
ea14f3ec624c7fdbd52e108aa92d13b16f6b0b940c841f7bbc7792099dae45da928d13e7
The key lives in /usr/sbin/asr (the restore tool that applies the filesystem image). After mounting the decrypted ramdisk you can confirm this with
strings /Volumes/ramdisk/usr/sbin/asr
The second method uses 8900decryptor.c from http://code.google.com/p/iphone-elite/wiki/8900decryptercode
Compile it against libcrypto with
gcc 8900decryptor.c -lcrypto -o 8900decryptor
With this tool you get the decrypted image, and therefore the key, in one step:
./8900decryptor 018-3476-4.dmg 018-3476-4.8900decrypted.dmg
strings 018-3476-4.8900decrypted.dmg | egrep "^[0-9a-fA-F]{72}$"
Moreover, 018-3476-4.8900decrypted.dmg can be mounted directly,
and the ramdisk key is again in /usr/sbin/asr of the mounted image.
1 comment:
Does it work for iOS 5?