Thursday, April 10, 2008

Find iPhone secret ramdisk decrypt key

This is one of the methods using Mac OS to find the ramdisk secret key of iPhone IPSW file

The method is stated in

After finding the decrypt key, you can use vfdecrypt (from my previous posts) to decrypt the iphone filesystem

For example, iPhone 2.0 beta firmware file (build 5A225c) is iPhone1,1_2.0_5A225c_Restore.ipsw


# first extract the ramdisk image file from the ipsw file
unzip -o iPhone1,1_2.0_5A225c_Restore.ipsw 018-3476-4.dmg -d .

# print out the size of the file (dump the 13th to 16th byte of the file) using
echo `hexdump -s12 -n4 -e '"%d\n"' 018-3476-4.dmg` / 512 | bc

# the output will be 37464 for this case

# strip off the first 0x800 bytes and the trailing certificate
dd if=018-3476-4.dmg of=018-3476-4.stripped.dmg bs=512 skip=4 count=37464 conv=sync

# use the method of GEORGE HOTZ
openssl enc -d -in 018-3476-4.stripped.dmg -out ramdisk-018-3476-4.dmg -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0

# print out the ramdisk key from the image
strings ramdisk-018-3476-4.dmg | egrep "^[0-9a-fA-F]{72}$"

The output of the script is below and the ramdisk key is at the last line of the output

Archive: iPhone1,1_2.0_5A225c_Restore.ipsw
inflating: ./018-3473-4.dmg
37464+0 records in
37464+0 records out
19181568 bytes transferred in 0.770523 secs (24894216 bytes/sec)

The ramdisk key is in the /usr/sbin/asr after mounted the ramdisk image.
strings /Volumes/ramdisk/usr/sbin/asr

The second method is to get the 8900decryptor.c from

and compile it using
gcc 8900decryptor.c -lcrypto -o 8900decryptor

using this command, you can get the decrypted image and the key as well
./8900decryptor 018-3476-4.dmg 018-3476-4.8900decrypted.dmg
strings 018-3476-4.8900decrypted.dmg | egrep "^[0-9a-fA-F]{72}$"

Moreover, you can mount the ramdisk 018-3476-4.8900decrypted.dmg directly
The ramdisk key is in the /usr/sbin/asr of this mounted ramdisk image.

If you find this info useful, please consider to $1 by clicking the Donate button.

1 comment:

Finely said...

does it work for iOS 5