Wednesday, April 15, 2009

How-to decrypt iPhone OS 3.0 beta filesystem

The procedure is a step by step example for Mac to decrypt iPhone OS 3.0 beta2 (3G) iPhone1,2_3.0_7A259g_Restore.ipsw

(1) get the tools here

or here

P.S. If you compile the vfdecrypt in Mac (sourre code here), you need to amend two things
(a) As Mac OS X does not have byteswap.h

#include <byteswap.h>
#define bswap_16(value) \
((((value) & 0xff) << 8) | ((value) >> 8))

#define bswap_32(value) \
(((uint32_t)bswap_16((uint16_t)((value) & 0xffff)) << 16) | \
(uint32_t)bswap_16((uint16_t)((value) >> 16)))

#define bswap_64(value) \
(((uint64_t)bswap_32((uint32_t)((value) & 0xffffffff)) \
<< 32) | \
(uint64_t)bswap_32((uint32_t)((value) >> 32)))

(b) change this line 357 to
while((c = getopt(argc, argv, "hvi::o::p:k::")) != -1){


(2) compile genpass.c

get the source file here

or updated source here

First, download OpenSSL from here:
curl -O

Untar it, and cd to the directory it is in, in Terminal. Then, type:
tar -xzvf openssl-0.9.8h.tar.gz
cd openssl-0.9.8h
./config && make

After that, rename the directory to "openssl" instead of "openssl(version)"

cd ..
mv openssl-0.9.8h openssl

As long as the "openssl" folder is in the directory you are building this in,
you should be able to now compile it with:

gcc genpass.c openssl/libcrypto.a -o genpass -I openssl/include/

(3) unzip the ram disk from firmware file

unzip iPhone1,2_3.0_7A259g_Restore.ipsw 018-4877-7.dmg

(4) decrypt ramdisk

./xpwntool 018-4877-7.dmg ramdisk.dmg -k 875CACE71C62CDA899D1C22C60466170 -iv DC4D3E13D9CB5F7CDC504DB6B5AB137D

(5) unzip root filesystem from ipsw file

unzip iPhone1,2_3.0_7A259g_Restore.ipsw 018-4872-6.dmg

(6) use genpass to get vfdecrypt key

./genpass s5l8900x ramdisk.dmg 018-4872-6.dmg

platform = , s5l8720x (for ipod2g), s5l8920x (for iphone3gs), s5l8922x (for
ipod3g), or s5l8930 (for ipad1g)

Platform is the applications processor (i.e. S5L8900X, S5L8720X, S5L8920X, S5L8922X, S5l8930) but in small caps
s5l8900x = iPhone, iPhone 3G and iPod Touch 1G
s5l8720x = iPod Touch 2G
s5l8920x = iPhone 3GS
s5l8922x = iPod Touch 3G
s5l8930 = A4 Processor used by iPad, iPhone 4, and iPod Touch 4G

(7) decrypt root filesystem

./vfdecrypt -i 018-4872-6.dmg -o beta2_3g_rootfs.dmg -k 59A86B5A4FCC76FCADE07FDDF72C72D36A6E105BC0C727F508F2B1313EB1B74D97CA8A81

You can get the 3.0 OS beta keys here


BeSweeet said...

Do you know how I would go about opening the DMG files from within the iPSW file? I need to get a few files from it, and I don't feel like re-updating the firmware on my iPhone.

javacom said...

In Mac just double click the decrypted dmg file, it will mount the filesystem.

Slussy said...

How do you get the Keys/IV for the ramdisk?

jackob said...

Fantastic! congratulations for your work and ideas.
iPhone Software Development