1. Decompress firmware (using unzip command)
2. Decrypt ramdisk (using dd command)
3. Extract rootfs decryption key (using strings command)
4. Decrypt rootfs (using vfdecrypt utility)
5. Extract important files (on Mac, just double-click the decrypted dmg file; on Windows, open it with PowerISO)
$ md5 iPhone1,1_2.0_5A258f_Restore.ipsw
MD5 (iPhone1,1_2.0_5A258f_Restore.ipsw) = f7a2937c32615545ba339c330356d9ad
Run these commands to get the ramdisk of iPhone firmware 2.0 beta 4 (build 5A258f)
$ unzip -o iPhone1,1_2.0_5A258f_Restore.ipsw 018-3587-8.dmg
$ echo `hexdump -s12 -n4 -e '"%d\n"' 018-3587-8.dmg ` / 32 | bc
The output is 610816, which is used as the block count in the next command. That command strips off the first 32 bytes (0x20) of header and drops the trailing certificate information:
$ dd if=018-3587-8.dmg of=018-3587-8.ramdisk.dmg bs=32 skip=1 count=610816 conv=sync
The baseband is in the following folder of the converted ramdisk (018-3587-8.ramdisk.dmg) mounted image
/Volumes/ramdisk/usr/local/standalone/firmware
Run these commands to get the decryption key of iPhone firmware 2.0 beta 4 (build 5A258f)
$ unzip -o iPhone1,1_2.0_5A258f_Restore.ipsw 018-3587-8.dmg
$ strings 018-3587-8.dmg | egrep "^[0-9a-fA-F]{72}$"
The decryption key is
198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c
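As an added example (not code from the original post), here is the same two-step procedure done in Python instead of hexdump/dd/strings: unwrap the ramdisk by reading the little-endian 32-bit payload length at offset 12 and dropping the header plus the trailing certificate data, then search the result for the 72-hex-digit vfdecrypt key. It also handles the older "8900" wrapper the script below supports. The header sizes (0x20 for the 2.0 beta 4 wrapper, 0x800 for 8900) are taken from the commands on this page; the sample images are constructed for the demonstration and are not real Apple files.

```python
import re
import struct

# Wrapper layouts assumed from the page's hexdump/dd commands:
# 2.0 beta 4: 0x20-byte header, payload length (uint32 LE) at offset 12, certificate after payload.
# 8900:       0x800-byte header, "8900" magic at offset 0, same length field at offset 12.
HEADER_8900 = 0x800
HEADER_20B4 = 0x20
LENGTH_OFFSET = 12


def detect_wrapper(data: bytes) -> str:
    """Same test as the script's hexdump -n4 check: a leading '8900' means the old wrapper."""
    return "8900" if data[:4] == b"8900" else "20b4"


def unwrap_ramdisk(data: bytes) -> bytes:
    """Strip the wrapper header and cut off everything past the declared payload length."""
    header = HEADER_8900 if detect_wrapper(data) == "8900" else HEADER_20B4
    if len(data) < header:
        raise ValueError("file shorter than the wrapper header")
    (length,) = struct.unpack_from("<I", data, LENGTH_OFFSET)
    if header + length > len(data):
        raise ValueError("length field points past the end of the file")
    return data[header:header + length]


def find_vfdecrypt_keys(data: bytes) -> list:
    """Equivalent of `strings file | egrep '^[0-9a-fA-F]{72}$'`.

    strings emits each run of 4+ printable ASCII bytes on its own line, so a key
    is a run that consists of exactly 72 hex digits and nothing else.
    """
    runs = re.findall(rb"[\x20-\x7e]{4,}", data)
    return [r.decode() for r in runs if re.fullmatch(rb"[0-9a-fA-F]{72}", r)]


def build_sample(header: int, payload: bytes, trailer: bytes) -> bytes:
    """Construct a wrapped image for the demonstration (not a real Apple image)."""
    hdr = bytearray(header)
    if header == HEADER_8900:
        hdr[:4] = b"8900"
    struct.pack_into("<I", hdr, LENGTH_OFFSET, len(payload))
    return bytes(hdr) + payload + trailer


if __name__ == "__main__":
    # Constructed payload: padding, a fake 72-hex-digit key, then some dmg-like bytes.
    sample = b"\x00" * 16 + b"ab" * 36 + b"\x00" + b"koly"
    image = build_sample(HEADER_20B4, sample, b"CERT" * 8)
    print(detect_wrapper(image), len(unwrap_ramdisk(image)), find_vfdecrypt_keys(image))
```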
Run these commands to decrypt the rootfs of iPhone firmware 2.0 beta 4 (build 5A258f)
$ unzip -o iPhone1,1_2.0_5A258f_Restore.ipsw 018-3585-6.dmg
$ ./vfdecrypt -i 018-3585-6.dmg -o decrypted20b4.dmg -k 198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c
For Mac OS, you need this (universal binary for PPC and Intel)
http://rapidshare.com/files/40981513/vfdecrypt.zip.html
For Windows, you need these
http://rapidshare.com/files/41004473/vfdecrypt.exe.html
http://pecl4win.php.net/download.php/dll/061dae89b309a98382dedc04942bd8a2/libeay32.dll
http://www.poweriso.com/
Here is a shell script for Mac OS X that implements the above procedure and also supports the earlier 8900 decryption method:
#!/bin/sh
# v0.3
# For each IPSW given on the command line: unwrap the restore ramdisk, pull the
# 72-hex-digit vfdecrypt key out of it and decrypt the root filesystem image.
# Handles the older 8900-wrapped ramdisks as well as the 2.0 beta 4 wrapper.
# Needs vfdecrypt in the current directory and runs on Mac OS X (defaults, md5).
if [ $# -lt 1 ]; then
    echo "usage : $0 iPhone1,1_2.0_5A274d_Restore.ipsw"
    exit 1
fi
DDONE=0
for IPSWNAME in "$@"; do
    if [ ! -f "$IPSWNAME" ]; then
        echo "$IPSWNAME NOT FOUND"
        continue
    fi
    # Restore.plist names the ramdisk and root filesystem images inside the IPSW.
    CWD=`pwd`
    rm -f Restore.plist
    unzip -o "$IPSWNAME" Restore.plist > /dev/null 2>&1
    if [ ! -f Restore.plist ]; then
        echo "Invalid ipsw file $IPSWNAME"
        continue
    fi
    DEVICECLASS=`defaults read "$CWD/Restore" DeviceClass`
    PRODUCTVERSION=`defaults read "$CWD/Restore" ProductVersion`
    BUILDVERSION=`defaults read "$CWD/Restore" ProductBuildVersion`
    RESTORERAMDISK=`defaults read "$CWD/Restore" RestoreRamDisks | awk '/User/ { split($0, line, "\""); printf("%s\n", line[2]); }'`
    SYSTEMRESTOREIMAGE=`defaults read "$CWD/Restore" SystemRestoreImages | awk '/User/ { split($0, line, "\""); printf("%s\n", line[2]); }'`
    OUT="$DEVICECLASS$PRODUCTVERSION$BUILDVERSION"
    unzip -o "$IPSWNAME" "$RESTORERAMDISK" > /dev/null 2>&1
    # The first four bytes tell the two wrapper formats apart.
    FILEFORMAT=`hexdump -n4 -e '"%c%c%c%c\n"' "$RESTORERAMDISK"`
    if [ "$FILEFORMAT" = "8900" ]; then
        # 8900 wrapper: 0x800-byte header (4 x 512), payload length at offset 12.
        # If the key string is already readable the payload is not encrypted;
        # otherwise it is AES-128-CBC with the known 8900 key and a zero IV.
        DECRYPTKEY=`strings "$RESTORERAMDISK" | egrep "^[0-9a-fA-F]{72}\$"`
        if [ "$DECRYPTKEY" = "" ]; then
            RAMDISKLENGTH=`hexdump -s12 -n4 -e '"%d\n"' "$RESTORERAMDISK"`
            RAMDISKCOUNT=`echo $RAMDISKLENGTH / 512 | bc`
            dd if="$RESTORERAMDISK" of="$OUT.stripped.dmg" bs=512 skip=4 count=$RAMDISKCOUNT conv=sync > /dev/null 2>&1
            openssl enc -d -in "$OUT.stripped.dmg" -out "$OUT.ramdisk.dmg" -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0 > /dev/null 2>&1
            rm -f "$OUT.stripped.dmg"
        else
            dd if="$RESTORERAMDISK" of="$OUT.ramdisk.dmg" bs=512 skip=4 conv=sync > /dev/null 2>&1
        fi
    else
        # 2.0 beta 4 wrapper: 0x20-byte header, payload length at offset 12,
        # certificate data after the payload (dropped by the count= limit).
        RAMDISKLENGTH=`hexdump -s12 -n4 -e '"%d\n"' "$RESTORERAMDISK"`
        RAMDISKCOUNT=`echo $RAMDISKLENGTH / 32 | bc`
        dd if="$RESTORERAMDISK" of="$OUT.ramdisk.dmg" bs=32 skip=1 count=$RAMDISKCOUNT conv=sync > /dev/null 2>&1
    fi
    rm -f "$RESTORERAMDISK"
    # The unwrapped ramdisk carries the root filesystem key as a 72-hex-digit string.
    DECRYPTKEY=`strings "$OUT.ramdisk.dmg" | egrep "^[0-9a-fA-F]{72}\$"`
    if [ "$DECRYPTKEY" = "" ]; then
        echo "Decrypt failed : $IPSWNAME"
        continue
    fi
    unzip -o "$IPSWNAME" "$SYSTEMRESTOREIMAGE" > /dev/null 2>&1
    ./vfdecrypt -i "$SYSTEMRESTOREIMAGE" -o "$OUT.decrypted.dmg" -k "$DECRYPTKEY" > /dev/null 2>&1
    rm -f "$SYSTEMRESTOREIMAGE"
    echo
    md5 "$IPSWNAME"
    echo "RAMDISK = $OUT.ramdisk.dmg"
    echo "FILESYSTEM = $OUT.decrypted.dmg"
    echo "DECRYPTKEY = $DECRYPTKEY"
    DDONE=1
done
if [ "$DDONE" = "1" ]; then
    echo "Job Completed!!!"
fi
1 comment:
I was browsing the net and came across this, very interesting I must say, but forgive my limited understanding. This method is for finding the key to decrypt the Firewire? If this is the case, is this the same for all firmware for 3G and S?