
Wednesday, April 15, 2009

How-to decrypt iPhone OS 3.0 beta filesystem

This procedure is a step-by-step example, on a Mac, of decrypting the iPhone OS 3.0 beta 2 (iPhone 3G) firmware file iPhone1,2_3.0_7A259g_Restore.ipsw

(1) get the tools here

vfdecrypt http://rgov.org/files/vfdecrypt-mac.zip
or here http://code.google.com/p/iphone-elite/downloads/list

P.S. If you compile vfdecrypt yourself on Mac (source code here), you need to amend two things:
(a) Mac OS X does not have byteswap.h, so guard the include and supply fallback macros:


#if HAVE_BYTESWAP_H
#include <byteswap.h>
#else
#define bswap_16(value) \
((((value) & 0xff) << 8) | ((value) >> 8))

#define bswap_32(value) \
(((uint32_t)bswap_16((uint16_t)((value) & 0xffff)) << 16) | \
(uint32_t)bswap_16((uint16_t)((value) >> 16)))

#define bswap_64(value) \
(((uint64_t)bswap_32((uint32_t)((value) & 0xffffffff)) \
<< 32) | \
(uint64_t)bswap_32((uint32_t)((value) >> 32)))
#endif


(b) change line 357 to:
while((c = getopt(argc, argv, "hvi::o::p:k::")) != -1){

xpwntool http://www.zdziarski.com/iphone-forensics/v2.x-Base/Xpwn/
or
img3decrypt http://code.google.com/p/img3decrypt/downloads/list

(2) compile genpass.c

get the source file here http://www.theiphonewiki.com/wiki/index.php?title=GenPass

or updated source here http://github.com/posixninja/genpass

First, download OpenSSL from here:
http://www.openssl.org/source/openssl-0.9.8h.tar.gz
curl -O http://www.openssl.org/source/openssl-0.9.8h.tar.gz

Untar it and cd into the resulting directory in Terminal. Then type:
tar -xzvf openssl-0.9.8h.tar.gz
cd openssl-0.9.8h
./config && make


After that, rename the directory from "openssl-(version)" to "openssl":

cd ..
mv openssl-0.9.8h openssl


As long as the "openssl" folder is in the directory you are building this in,
you should be able to now compile it with:

gcc genpass.c openssl/libcrypto.a -o genpass -I openssl/include/

(3) unzip the ramdisk from the firmware file

unzip iPhone1,2_3.0_7A259g_Restore.ipsw 018-4877-7.dmg

(4) decrypt ramdisk

./xpwntool 018-4877-7.dmg ramdisk.dmg -k 875CACE71C62CDA899D1C22C60466170 -iv DC4D3E13D9CB5F7CDC504DB6B5AB137D

(5) unzip the root filesystem from the ipsw file

unzip iPhone1,2_3.0_7A259g_Restore.ipsw 018-4872-6.dmg

(6) use genpass to get the vfdecrypt key

./genpass s5l8900x ramdisk.dmg 018-4872-6.dmg


Platform is the application processor (S5L8900X, S5L8720X, S5L8920X, S5L8922X, S5L8930) written in lowercase:
s5l8900x = iPhone, iPhone 3G and iPod Touch 1G
s5l8720x = iPod Touch 2G
s5l8920x = iPhone 3GS
s5l8922x = iPod Touch 3G
s5l8930 = A4 processor used by iPad, iPhone 4, and iPod Touch 4G

(7) decrypt root filesystem

./vfdecrypt -i 018-4872-6.dmg -o beta2_3g_rootfs.dmg -k 59A86B5A4FCC76FCADE07FDDF72C72D36A6E105BC0C727F508F2B1313EB1B74D97CA8A81

You can get the 3.0 OS beta keys here
http://www.theiphonewiki.com/wiki/index.php?title=VFDecrypt_Keys:_3.x
 
 

Thursday, April 10, 2008

Find iPhone secret ramdisk decrypt key

This is one method, on Mac OS, of finding the ramdisk secret key of an iPhone IPSW file.

The method is stated in
http://iphonejtag.blogspot.com/2008/01/iphone-secret-key.html

After finding the decryption key, you can use vfdecrypt (from my previous posts) to decrypt the iPhone filesystem.


For example, iPhone 2.0 beta firmware file (build 5A225c) is iPhone1,1_2.0_5A225c_Restore.ipsw


#!/bin/bash

# first extract the ramdisk image file from the ipsw file
unzip -o iPhone1,1_2.0_5A225c_Restore.ipsw 018-3476-4.dmg -d .

# work out the payload size in 512-byte blocks: the 8900 header stores the
# payload length as a 4-byte integer at offset 12 (bytes 13 to 16 of the file)
count=$(echo `hexdump -s12 -n4 -e '"%d\n"' 018-3476-4.dmg` / 512 | bc)

# the value will be 37464 for this case

# strip off the first 0x800 bytes (4 blocks of 512) and the trailing certificate
dd if=018-3476-4.dmg of=018-3476-4.stripped.dmg bs=512 skip=4 count=$count conv=sync

# use the method of GEORGE HOTZ
openssl enc -d -in 018-3476-4.stripped.dmg -out ramdisk-018-3476-4.dmg -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0

# print out the ramdisk key from the image (a string of exactly 72 hex digits)
strings ramdisk-018-3476-4.dmg | egrep "^[0-9a-fA-F]{72}$"


The output of the script is shown below; the ramdisk key is the last line of the output:

Archive: iPhone1,1_2.0_5A225c_Restore.ipsw
inflating: ./018-3473-4.dmg
37464+0 records in
37464+0 records out
19181568 bytes transferred in 0.770523 secs (24894216 bytes/sec)
ea14f3ec624c7fdbd52e108aa92d13b16f6b0b940c841f7bbc7792099dae45da928d13e7


Once the ramdisk image is mounted, the ramdisk key can also be found in /usr/sbin/asr:
strings /Volumes/ramdisk/usr/sbin/asr
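As an added example (not code from the original post), the Python script below does in one place what the hexdump/bc, dd and strings/egrep lines of the script above do: it reads the payload length from the 8900 header, derives the dd skip/count values, carves the payload, and filters printable runs for strings of exactly 72 hex digits. It assumes the container starts with the magic bytes "8900" and that the length field at offset 0xC is little-endian (hexdump prints it in host byte order, which matches on an Intel Mac); the sample container and the key inside it are constructed, not real firmware.

```python
import re
import struct

# Layout of the 8900 container as used by the dd/hexdump commands in the post:
#   0x000  4 bytes  magic "8900"  (assumption: the post does not state this)
#   0x00C  4 bytes  payload length, little-endian (bytes 13-16, what hexdump -s12 -n4 reads)
#   0x800  ...      payload (skipped over with dd bs=512 skip=4)
#   then            certificate/signature footer (dropped by dd count=length/512)
HEADER_LEN = 0x800
BLOCK = 512
MAGIC = b"8900"

# `strings` emits runs of 4+ printable bytes; egrep then keeps only lines that
# are exactly 72 hex digits, the length of a vfdecrypt key.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
HEX72 = re.compile(rb"[0-9a-fA-F]{72}")


def parse_8900(blob: bytes) -> dict:
    """Read the header and derive the dd parameters that carve the payload."""
    if len(blob) < HEADER_LEN:
        raise ValueError("shorter than the 0x800-byte 8900 header")
    if blob[:4] != MAGIC:
        raise ValueError("missing 8900 magic")
    (payload_len,) = struct.unpack_from("<I", blob, 0x0C)
    if HEADER_LEN + payload_len > len(blob):
        raise ValueError("payload length field runs past the end of the file")
    return {
        "payload_len": payload_len,
        "skip": HEADER_LEN // BLOCK,      # dd skip=4
        "count": payload_len // BLOCK,    # the `... / 512 | bc` value
        # bc truncates, so a payload that is not block-aligned would lose its
        # tail with count=; report the remainder so the caller can check.
        "partial_tail": payload_len % BLOCK,
    }


def carve_payload(blob: bytes) -> bytes:
    """Equivalent of the dd line: drop the header and the trailing certificate."""
    payload_len = parse_8900(blob)["payload_len"]
    return blob[HEADER_LEN:HEADER_LEN + payload_len]


def find_key_strings(data: bytes) -> list:
    """Equivalent of strings | egrep '^[0-9a-fA-F]{72}$' on a decrypted image."""
    return [
        run.group(0).decode("ascii")
        for run in PRINTABLE_RUN.finditer(data)
        if HEX72.fullmatch(run.group(0))
    ]


# Constructed sample: a 3-block payload holding a fake 72-hex-digit key,
# a too-short hex decoy and some other text, wrapped in a minimal 8900 header
# and a fake footer. No real firmware bytes are used.
FAKE_KEY = "0123456789abcdef" * 4 + "01234567"   # 72 hex digits, constructed


def build_sample_8900() -> bytes:
    body = (b"\x00" * 64 + b"SomeText" + b"\x00" * 8
            + b"a" * 71 + b"\x00" * 8            # 71 digits: must not match
            + FAKE_KEY.encode() + b"\x00" * 8)
    payload = body + b"\x00" * (3 * BLOCK - len(body))
    header = bytearray(HEADER_LEN)
    header[:4] = MAGIC
    struct.pack_into("<I", header, 0x0C, len(payload))
    footer = b"\x00" * 16 + b"CONSTRUCTED-CERT-FOOTER" + b"\x00" * 9
    return bytes(header) + payload + footer


if __name__ == "__main__":
    sample = build_sample_8900()
    info = parse_8900(sample)
    print(f"dd bs={BLOCK} skip={info['skip']} count={info['count']}")
    print("keys found:", find_key_strings(carve_payload(sample)))
```

The partial_tail field is the one check the shell version lacks: bc does integer division, so a payload whose length is not a multiple of 512 would be silently shortened by the dd count. For the image in the post it is a non-issue, since the dd output above reports 19181568 bytes, which is exactly 37464 blocks of 512.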



The second method is to get the 8900decryptor.c from http://code.google.com/p/iphone-elite/wiki/8900decryptercode

and compile it using
gcc 8900decryptor.c -lcrypto -o 8900decryptor


Using these commands, you get both the decrypted image and the key:
./8900decryptor 018-3476-4.dmg 018-3476-4.8900decrypted.dmg
strings 018-3476-4.8900decrypted.dmg | egrep "^[0-9a-fA-F]{72}$"

Moreover, you can mount the ramdisk 018-3476-4.8900decrypted.dmg directly; the ramdisk key is in /usr/sbin/asr of the mounted ramdisk image.
