(1) get the tools here
vfdecrypt http://rgov.org/files/vfdecrypt-mac.zip
or here http://code.google.com/p/iphone-elite/downloads/list
P.S. If you compile vfdecrypt on a Mac (source code here), you need to amend two things:
(a) Mac OS X does not have byteswap.h, so guard the include and supply the bswap macros yourself:
#include <stdint.h>   /* for uint16_t / uint32_t / uint64_t used below */
/* glibc ships byteswap.h; on Mac OS X fall back to equivalent macros */
#if HAVE_BYTESWAP_H
#include <byteswap.h>
#else
#define bswap_16(value) \
    ((((value) & 0xff) << 8) | ((value) >> 8))
#define bswap_32(value) \
    (((uint32_t)bswap_16((uint16_t)((value) & 0xffff)) << 16) | \
     (uint32_t)bswap_16((uint16_t)((value) >> 16)))
#define bswap_64(value) \
    (((uint64_t)bswap_32((uint32_t)((value) & 0xffffffff)) << 32) | \
     (uint64_t)bswap_32((uint32_t)((value) >> 32)))
#endif
(b) change line 357 (the getopt call) to
while((c = getopt(argc, argv, "hvi::o::p:k::")) != -1){
xpwntool http://www.zdziarski.com/iphone-forensics/v2.x-Base/Xpwn/
or
img3decrypt http://code.google.com/p/img3decrypt/downloads/list
(2) compile genpass.c
get the source file here http://www.theiphonewiki.com/wiki/index.php?title=GenPass
or updated source here http://github.com/posixninja/genpass
First, download OpenSSL from here:
http://www.openssl.org/source/openssl-0.9.8h.tar.gz
curl -O http://www.openssl.org/source/openssl-0.9.8h.tar.gz
Untar it and cd into the directory it creates, in Terminal. Then type:
tar -xzvf openssl-0.9.8h.tar.gz
cd openssl-0.9.8h
./config && make
After that, rename the directory from "openssl-(version)" to plain "openssl":
cd ..
mv openssl-0.9.8h openssl
As long as the "openssl" folder is in the directory you are building in, you can now compile genpass with:
gcc genpass.c openssl/libcrypto.a -o genpass -I openssl/include/
(3) unzip the ramdisk from the firmware file
unzip iPhone1,2_3.0_7A259g_Restore.ipsw 018-4877-7.dmg
(4) decrypt the ramdisk
./xpwntool 018-4877-7.dmg ramdisk.dmg -k 875CACE71C62CDA899D1C22C60466170 -iv DC4D3E13D9CB5F7CDC504DB6B5AB137D
(5) unzip the root filesystem from the ipsw file
unzip iPhone1,2_3.0_7A259g_Restore.ipsw 018-4872-6.dmg
(6) use genpass to get the vfdecrypt key
./genpass s5l8900x ramdisk.dmg 018-4872-6.dmg
platform = s5l8900x (as in the command above), s5l8720x (for ipod2g), s5l8920x (for iphone3gs), s5l8922x (for ipod3g), or s5l8930 (for ipad1g)
Platform is the application processor (i.e. S5L8900X, S5L8720X, S5L8920X, S5L8922X, S5L8930), written in lower case:
s5l8900x = iPhone, iPhone 3G and iPod Touch 1G
s5l8720x = iPod Touch 2G
s5l8920x = iPhone 3GS
s5l8922x = iPod Touch 3G
s5l8930 = A4 Processor used by iPad, iPhone 4, and iPod Touch 4G
(7) decrypt the root filesystem
./vfdecrypt -i 018-4872-6.dmg -o beta2_3g_rootfs.dmg -k 59A86B5A4FCC76FCADE07FDDF72C72D36A6E105BC0C727F508F2B1313EB1B74D97CA8A81
You can get the 3.0 OS beta keys here:
http://www.theiphonewiki.com/wiki/index.php?title=VFDecrypt_Keys:_3.x
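Steps (3) to (7) above, chained into one script with sanity checks on the key material before any tool runs. This is an added example, not code from the post or from the xpwntool/genpass/vfdecrypt projects. It assumes the three tools sit in the working directory as in the post, and that genpass prints the VFDecrypt key as a run of 72 hex digits somewhere in its output (an assumption; adjust extract_vfkey if your build prints it differently).

```shell
#!/bin/sh
# Added example, not from the original post: steps (3) to (7) as one script
# with sanity checks on the key material before any tool is run.
# Assumes ./xpwntool, ./genpass and ./vfdecrypt sit in the working directory
# (as in the post) and that genpass prints the VFDecrypt key as a run of 72
# hex digits somewhere in its output (assumption; adjust the grep if not).
set -eu

# Succeed only if $1 consists of hex digits and is exactly $2 characters long.
is_hex_len() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq "$2" ]
}

# Pull the first 72-hex-digit token (16-byte AES-128 key + 20-byte HMAC-SHA1
# key, which is what vfdecrypt -k expects) out of genpass's output.
extract_vfkey() {
    printf '%s\n' "$1" | grep -o -E '[0-9A-Fa-f]{72}' | head -n 1
}

# decrypt_ipsw IPSW RAMDISK_DMG ROOTFS_DMG RAMDISK_KEY RAMDISK_IV PLATFORM OUT
decrypt_ipsw() {
    ipsw=$1 ramdisk=$2 rootfs=$3 key=$4 iv=$5 platform=$6 out=$7
    is_hex_len "$key" 32 || { echo "ramdisk key must be 32 hex digits" >&2; return 1; }
    is_hex_len "$iv" 32  || { echo "ramdisk IV must be 32 hex digits" >&2; return 1; }
    for tool in xpwntool genpass vfdecrypt; do
        [ -x "./$tool" ] || { echo "missing ./$tool" >&2; return 1; }
    done
    unzip -o "$ipsw" "$ramdisk" "$rootfs"                  # steps (3) and (5)
    ./xpwntool "$ramdisk" ramdisk.dmg -k "$key" -iv "$iv"  # step (4)
    vfkey=$(extract_vfkey "$(./genpass "$platform" ramdisk.dmg "$rootfs")")  # step (6)
    is_hex_len "$vfkey" 72 || { echo "genpass did not yield a 72-hex key" >&2; return 1; }
    ./vfdecrypt -i "$rootfs" -o "$out" -k "$vfkey"         # step (7)
}

# Run with the values from the post:  sh decrypt.sh run
if [ "${1:-}" = "run" ]; then
    decrypt_ipsw iPhone1,2_3.0_7A259g_Restore.ipsw 018-4877-7.dmg 018-4872-6.dmg \
        875CACE71C62CDA899D1C22C60466170 DC4D3E13D9CB5F7CDC504DB6B5AB137D \
        s5l8900x beta2_3g_rootfs.dmg
fi
```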
4 comments:
Do you know how I would go about opening the DMG files from within the IPSW file? I need to get a few files from it, and I don't feel like re-updating the firmware on my iPhone.
On a Mac, just double-click the decrypted dmg file; it will mount the filesystem.
How do you get the Keys/IV for the ramdisk?
Fantastic! Congratulations on your work and ideas.
iPhone Software Development