Monday, May 5, 2008

iPhone1,1_2.0_5A258f_Restore.ipsw decrypt method

Steps to decrypt the iPhone firmware 2.0 beta 4 (build 5A258f) and extract the files from the ramdisk and rootfs:
1. Decompress the firmware (using the unzip command)
2. Decrypt the ramdisk (strip its container header using the dd command)
3. Extract the rootfs decryption key (using the strings command)
4. Decrypt the rootfs (using the vfdecrypt utility)
5. Extract the files you need (on a Mac, just double-click the decrypted dmg file to mount it; on Windows, open it with PowerISO)

$ md5 iPhone1,1_2.0_5A258f_Restore.ipsw
MD5 (iPhone1,1_2.0_5A258f_Restore.ipsw) = f7a2937c32615545ba339c330356d9ad


Run these commands to get the ramdisk of iPhone firmware 2.0 beta 4 (build 5A258f). The hexdump reads the 4-byte payload length at offset 12 of the image, and bc divides it by 32 to get a block count for dd:
$ unzip -o iPhone1,1_2.0_5A258f_Restore.ipsw 018-3587-8.dmg
$ echo `hexdump -s12 -n4 -e '"%d\n"' 018-3587-8.dmg ` / 32 | bc

The output is 610816 (the payload length in 32-byte blocks); it is the count argument of the next command.

Strip off the first 32 bytes (0x20) of header and drop the trailing certificate information by copying only the 610816 blocks of 32 bytes that hold the image:
$ dd if=018-3587-8.dmg of=018-3587-8.ramdisk.dmg bs=32 skip=1 count=610816 conv=sync


After mounting the converted ramdisk (018-3587-8.ramdisk.dmg), the baseband firmware is in this folder of the mounted image:
/Volumes/ramdisk/usr/local/standalone/firmware

Run these commands to get the rootfs decryption key of iPhone firmware 2.0 beta 4 (build 5A258f). The key is stored as a string of exactly 72 hex digits, so egrep filters the strings output for lines of that form:
$ unzip -o iPhone1,1_2.0_5A258f_Restore.ipsw 018-3587-8.dmg
$ strings 018-3587-8.dmg | egrep "^[0-9a-fA-F]{72}$"


The decryption key is:
198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c


Run these commands to decrypt the rootfs of iPhone firmware 2.0 beta 4 (build 5A258f); 018-3585-6.dmg is the system restore image inside the ipsw, and the key from the previous step is passed to vfdecrypt with -k:
$ unzip -o iPhone1,1_2.0_5A258f_Restore.ipsw 018-3585-6.dmg

$ ./vfdecrypt -i 018-3585-6.dmg -o decrypted20b4.dmg -k 198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c


For Mac OS X, you need this (a universal binary for PPC and Intel):
http://rapidshare.com/files/40981513/vfdecrypt.zip.html

For Windows, you need these:
http://rapidshare.com/files/41004473/vfdecrypt.exe.html
http://pecl4win.php.net/download.php/dll/061dae89b309a98382dedc04942bd8a2/libeay32.dll
http://www.poweriso.com/

Here is a shell script for Mac OS X that implements the above procedure for every ipsw file given on the command line. It reads the ramdisk and system image file names from Restore.plist, and it also supports the previous 8900 decrypt method (ramdisks whose first four bytes are "8900", which carry a 2048-byte header and may need an AES-128-CBC step with the key shown in the script before the vfdecrypt key becomes visible):

#!/bin/sh
# v0.3 - decrypt the ramdisk and root filesystem of one or more ipsw files (Mac OS X).
# Handles both the 2.0b4 ramdisk layout (32-byte header) and the older "8900" container.
if [ $# -lt 1 ]; then
    echo "usage : $0 iPhone1,1_2.0_5A274d_Restore.ipsw"
    exit 1
fi
DDONE=0
for IPSWNAME in "$@"
do
    if [ -f "$IPSWNAME" ]; then
        WORKDIR=`pwd`          # kept separate from the shell's own PWD variable
        rm -f Restore.plist
        unzip -o "$IPSWNAME" Restore.plist > /dev/null 2>&1
        if [ -f Restore.plist ]; then
            # `defaults read` appends .plist itself, so pass the path without the extension
            DEVICECLASS=`defaults read "$WORKDIR/Restore" DeviceClass`
            PRODUCTVERSION=`defaults read "$WORKDIR/Restore" ProductVersion`
            BUILDVERSION=`defaults read "$WORKDIR/Restore" ProductBuildVersion`
            # take the "User" entry of each dictionary; the file name is the second "-delimited field
            RESTORERAMDISK=`defaults read "$WORKDIR/Restore" RestoreRamDisks | awk '/User/ { split($0, line, "\""); printf("%s\n", line[2]); }'`
            SYSTEMRESTOREIMAGE=`defaults read "$WORKDIR/Restore" SystemRestoreImages | awk '/User/ { split($0, line, "\""); printf("%s\n", line[2]); }'`
            OUTBASE="$DEVICECLASS$PRODUCTVERSION$BUILDVERSION"
            unzip -o "$IPSWNAME" "$RESTORERAMDISK" > /dev/null 2>&1
            FILEFORMAT=`hexdump -n4 -e '"%c%c%c%c\n"' "$RESTORERAMDISK"`
            if [ "$FILEFORMAT" = "8900" ]; then
                # 8900 container: 2048-byte header (4 x 512). If a vfdecrypt key is already
                # visible as a string the image is plaintext; otherwise it is AES-128-CBC.
                DECRYPTKEY=`strings "$RESTORERAMDISK" | egrep "^[0-9a-fA-F]{72}\$"`
                if [ "$DECRYPTKEY" = "" ]; then
                    RAMDISKLENGTH=`hexdump -s12 -n4 -e '"%d\n"' "$RESTORERAMDISK"`
                    RAMDISKCOUNT=`echo $RAMDISKLENGTH / 512 | bc`
                    dd if="$RESTORERAMDISK" of="$OUTBASE.stripped.dmg" bs=512 skip=4 count=$RAMDISKCOUNT conv=sync > /dev/null 2>&1
                    openssl enc -d -in "$OUTBASE.stripped.dmg" -out "$OUTBASE.ramdisk.dmg" -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0 > /dev/null 2>&1
                    rm -f "$OUTBASE.stripped.dmg"
                else
                    dd if="$RESTORERAMDISK" of="$OUTBASE.ramdisk.dmg" bs=512 skip=4 conv=sync > /dev/null 2>&1
                fi
            else
                # 2.0b4 layout: 32-byte header, payload length in bytes at offset 12
                RAMDISKLENGTH=`hexdump -s12 -n4 -e '"%d\n"' "$RESTORERAMDISK"`
                RAMDISKCOUNT=`echo $RAMDISKLENGTH / 32 | bc`
                dd if="$RESTORERAMDISK" of="$OUTBASE.ramdisk.dmg" bs=32 skip=1 count=$RAMDISKCOUNT conv=sync > /dev/null 2>&1
            fi
            rm -f "$RESTORERAMDISK"
            # the rootfs key is stored as a 72-hex-digit string inside the decrypted ramdisk
            DECRYPTKEY=`strings "$OUTBASE.ramdisk.dmg" | egrep "^[0-9a-fA-F]{72}\$"`
            if [ "$DECRYPTKEY" = "" ]; then
                echo "Decrypt failed : $IPSWNAME"
            else
                unzip -o "$IPSWNAME" "$SYSTEMRESTOREIMAGE" > /dev/null 2>&1
                ./vfdecrypt -i "$SYSTEMRESTOREIMAGE" -o "$OUTBASE.decrypted.dmg" -k "$DECRYPTKEY" > /dev/null 2>&1
                rm -f "$SYSTEMRESTOREIMAGE"
                echo
                md5 "$IPSWNAME"
                echo "RAMDISK = $OUTBASE.ramdisk.dmg"
                echo "FILESYSTEM = $OUTBASE.decrypted.dmg"
                echo "DECRYPTKEY = $DECRYPTKEY"
                DDONE=1
            fi
        else
            echo "Invalid ipsw file $IPSWNAME"
        fi
    else
        echo "$IPSWNAME NOT FOUND"
    fi
done
if [ "$DDONE" = "1" ]; then
    echo "Job Completed!!!"
fi
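The whole pipeline in one place: the hexdump/dd carving of the 2.0b4 ramdisk, the strings/egrep search for the 72-hex-digit vfdecrypt key, and the 8900 branch of the script above. This is an added Python example written for this page, not the post's own code or tooling. It assumes the length field at offset 12 is a little-endian 32-bit integer (what hexdump's %d format prints on an Intel Mac); it keeps the exact byte count from that field instead of rounding down to whole 32-byte or 512-byte blocks as the bc/dd commands do; and it delegates the AES-128-CBC step of an encrypted 8900 image to openssl enc with the same key and IV the script uses. The image produced by build_sample_ramdisk is constructed for testing and is not a real restore image.

```python
"""Carve an iPhone restore ramdisk and pull the vfdecrypt key out of it.

Added example for this page (not the post's own code). Handles the two ramdisk
layouts the post distinguishes:
  * 2.0b4 layout: 32-byte header, payload length at offset 12 (dd bs=32 skip=1)
  * "8900" container: 2048-byte header, same length field, payload either
    plaintext or AES-128-CBC (dd bs=512 skip=4, then openssl enc)
Assumption: the length field is a little-endian 32-bit integer, which is what
hexdump's %d format prints on an Intel Mac.
"""
import re
import struct
import subprocess
import sys

KEY_8900 = "188458A6D15034DFE386F23B61D43774"  # AES-128 key from the post's script
HEADER_8900 = 4 * 512   # script: dd bs=512 skip=4
HEADER_20B4 = 32        # post:   dd bs=32 skip=1
SAMPLE_KEY = "0123456789abcdef" * 4 + "01234567"  # constructed 72-hex-digit key for testing


def ramdisk_length(blob):
    """Length field the post reads with hexdump -s12 -n4 -e '"%d\\n"'."""
    if len(blob) < 16:
        raise ValueError("file too short to carry a ramdisk header")
    return struct.unpack_from("<I", blob, 12)[0]


def find_vfdecrypt_keys(blob):
    """Emulate `strings file | egrep '^[0-9a-fA-F]{72}$'`: printable runs of at
    least 4 bytes (the strings default) that consist of exactly 72 hex digits."""
    keys = []
    for run in re.finditer(rb"[\x20-\x7e]{4,}", blob):
        text = run.group()
        if re.fullmatch(rb"[0-9A-Fa-f]{72}", text):
            keys.append(text.decode("ascii"))
    return keys


def carve_ramdisk(blob):
    """Strip the container header. Returns (payload, still_encrypted)."""
    length = ramdisk_length(blob)
    if blob[:4] == b"8900":
        start = HEADER_8900
        # The script treats an 8900 image as plaintext when a vfdecrypt key is
        # already visible in it; otherwise the payload still needs the AES step.
        still_encrypted = not find_vfdecrypt_keys(blob)
    else:
        start = HEADER_20B4
        still_encrypted = False
    payload = blob[start:start + length]
    if len(payload) != length:
        raise ValueError("length field %d runs past end of file (%d bytes)" % (length, len(blob)))
    return payload, still_encrypted


def decrypt_8900_payload(payload):
    """AES-128-CBC decrypt, delegated to openssl with the script's key and zero IV."""
    proc = subprocess.run(
        ["openssl", "enc", "-d", "-aes-128-cbc", "-K", KEY_8900, "-iv", "0"],
        input=payload, capture_output=True, check=True)
    return proc.stdout


def build_sample_ramdisk(layout, body):
    """Constructed test image, not a real one: a header with the length field at
    offset 12, the body, then filler standing in for the trailing certificate."""
    if layout == "8900":
        header = (b"8900" + b"\0" * 8 + struct.pack("<I", len(body))).ljust(HEADER_8900, b"\0")
    else:
        header = (b"\0" * 12 + struct.pack("<I", len(body))).ljust(HEADER_20B4, b"\0")
    return header + body + b"<trailing certificate bytes>"


def main(argv):
    if len(argv) != 3:
        print("usage: %s 018-3587-8.dmg 018-3587-8.ramdisk.dmg" % argv[0])
        return 1
    with open(argv[1], "rb") as f:
        blob = f.read()
    payload, still_encrypted = carve_ramdisk(blob)
    if still_encrypted:
        payload = decrypt_8900_payload(payload)
    with open(argv[2], "wb") as f:
        f.write(payload)
    for key in find_vfdecrypt_keys(payload):
        print("vfdecrypt key:", key)   # this is the -k argument for vfdecrypt
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python carve_ramdisk.py 018-3587-8.dmg 018-3587-8.ramdisk.dmg: it writes the carved (and, for an encrypted 8900 image, decrypted) ramdisk and prints every 72-hex-digit string found in it, which is what the post feeds to vfdecrypt -k. The key search is run on the raw 8900 image first, exactly as the script does, to decide whether the openssl step is needed at all.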





1 comment:

Jordan - iamthemovie said...

I was browsing the net and came across this. Very interesting, I must say, but forgive my limited understanding. This method is for finding the key to decrypt the Firewire? If this is the case, is this the same for all firmware for 3G and S?