Monday, January 28, 2008

Decrypt iPhone filesystem Firmware using Mac OS or Linux

If you use Mac OS and want to extract the iPhone firmware on your computer, you can follow the instructions below. If you use a Windows PC, please refer to another post here.

(1) Get the vfdecrypt binary for Mac (Universal Binary)


If you use Linux, you can get the source code from here and compile it with
gcc vfdecrypt.c -o vfdecrypt -lcrypto


For this Linux version, line 357 should be changed to
  while((c = getopt(argc, argv, "hvi:o:p:k:")) != -1) {


(2) Run the shell script below to download the firmware and get the decrypted dmg


#!/bin/bash
key100=28c909fc6d322fa18940f03279d70880e59a4507998347c70d5b8ca7ef090ecccc15e82d
key101=7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5
key102=7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5
key111=f45de7637a62b200950e550f4144696d7ff3dc5f0b19c8efdf194c88f3bc2fa808fea3b3
key112=70e11d7209602ada5b15fbecc1709ad4910d0ad010bb9a9125b78f9f50e25f3e05c595e2
key113=11070c11d93b9be5069b643204451ed95aad37df7b332d10e48fd3d23c62fca517055816
key114=d0a0c0977bd4b6350b256d6650ec9eca419b6f961f593e74b7e5b93e010b698ca6cca1fe
key120=ea14f3ec624c7fdbd52e108aa92d13b16f6b0b940c841f7bbc7792099dae45da928d13e7

ipswurl100=http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw
ipswurl101=http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw
ipswurl102=http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw
ipswurl111=http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw
ipswurl112=http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw
ipswurl113=http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw
ipswurl114=http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw
ipswurl120=http://appldnld.apple.com.edgesuite.net/

ipswname100=iPhone1,1_1.0_1A543a_Restore.ipsw
ipswname101=iPhone1,1_1.0.1_1C25_Restore.ipsw
ipswname102=iPhone1,1_1.0.2_1C28_Restore.ipsw
ipswname111=iPhone1,1_1.1.1_3A109a_Restore.ipsw
ipswname112=iPhone1,1_1.1.2_3B48b_Restore.ipsw
ipswname113=iPhone1,1_1.1.3_4A93_Restore.ipsw
ipswname114=iPhone1,1_1.1.4_4A102_Restore.ipsw
ipswname120=iPhone1,1_2.0_5A225c_Restore.ipsw

dmgname100=694-5262-39.dmg
dmgname101=694-5281-6.dmg
dmgname102=694-5298-5.dmg
dmgname111=022-3602-17.dmg
dmgname112=022-3725-1.dmg
dmgname113=022-3743-100.dmg
dmgname114=022-3894-4.dmg
dmgname120=018-3473-4.dmg

decrypted100=decrypted100.dmg
decrypted101=decrypted101.dmg
decrypted102=decrypted102.dmg
decrypted111=decrypted111.dmg
decrypted112=decrypted112.dmg
decrypted113=decrypted113.dmg
decrypted114=decrypted114.dmg
decrypted120=decrypted120.dmg


# Default is to get the latest firmware.
# You can pass multiple arguments
# on the command line to get more than one.
if [ $# -lt 1 ]
then
  getipsw=120
else
  getipsw=$@
fi

for ipsw_ver in $getipsw
do
  # Accept only the versions defined in the tables above, because the
  # argument is used to build the variable names that are looked up below.
  case "$ipsw_ver" in
    100|101|102|111|112|113|114|120) ;;
    *) echo "Unknown firmware version $ipsw_ver, skipping"; continue ;;
  esac

  # Bash indirect expansion (${!name}) replaces the original eval lookups.
  name=ipswname${ipsw_ver};  ipswname=${!name}
  name=ipswurl${ipsw_ver};   ipswurl=${!name}
  name=decrypted${ipsw_ver}; decryptedname=${!name}
  name=dmgname${ipsw_ver};   dmgname=${!name}
  name=key${ipsw_ver};       key=${!name}
  ipswpath="$(pwd)/$ipswname"
  decryptpath="$(pwd)/$decryptedname"

  if [ -f "$ipswpath" ]
  then
    echo "Firmware $ipsw_ver $ipswname found"
  else
    echo "Downloading firmware $ipsw_ver $ipswname"
    # -f makes curl fail on an HTTP error; a failed download is removed
    # so that it is not mistaken for the firmware on the next run.
    curl -f "$ipswurl" > "$ipswpath" || rm -f "$ipswpath"
  fi

  if [ -f "$decryptpath" ]
  then
    echo "Firmware $ipsw_ver $decryptedname found"
  else
    if [ -f "$ipswpath" ]
    then
      echo "Extracting firmware $ipsw_ver $dmgname"
      unzip -o "$ipswname" "$dmgname" -d .
    fi
    if [ -f "$dmgname" ]
    then
      echo "Decrypting firmware $ipsw_ver $ipswname"
      ./vfdecrypt -i "$dmgname" -o "$decryptedname" -k "$key"
    fi
  fi
done
echo "Jobs Completed!!!"



(3) Mount the decrypted dmg in Mac OS by double-clicking the filename

(4) To find the firmware key for 1.0.1, you can run
strings 009-7662-6.dmg | egrep "^[0-9a-fA-F]{72}$"
This is how you find the key.

(5) This is where you can find the Firmware download link from Apple
http://itunes.com/version
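
The step (2) script turns each command-line argument into variable names (key113, dmgname113, and so on) and passes the resulting key to vfdecrypt. The following is an added example, not part of the original post: a POSIX sh version of that lookup which allow-lists the argument before any eval and checks that the key has the 72-hex-digit shape matched in step (4). The function names and the 900 table entry, including its key, are constructed for illustration.

```shell
#!/bin/sh
# Added example. The 900 entry is a constructed sample, not a real
# firmware version, file name or key.
key900=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234567
dmgname900=sample-900.dmg

# Succeed only for versions that have table entries above.
is_known_version() {
  case "$1" in
    900) return 0 ;;
    *)   return 1 ;;
  esac
}

# Print the value of the variable named PREFIX followed by VER.
# eval is reached only after both parts passed an allow-list, so the
# evaluated string is built from fixed names and known digits.
lookup() {
  case "$1" in
    key|dmgname) ;;
    *) return 1 ;;
  esac
  is_known_version "$2" || return 1
  eval "printf '%s\n' \"\$$1$2\""
}

# Succeed only for exactly 72 hex digits, the shape the step (4)
# egrep pattern matches.
is_valid_key() {
  [ "${#1}" -eq 72 ] || return 1
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  return 0
}

# Report what would be decrypted for each argument, without running vfdecrypt.
for ver in "$@"
do
  if key=$(lookup key "$ver") && is_valid_key "$key"
  then
    echo "ok: $ver -> $(lookup dmgname "$ver")"
  else
    echo "rejected: $ver" >&2
  fi
done
```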



11 comments:

Ron said...

Thanks for this post. Very informative.

However when I try to open decrypted113.dmg, I get a message saying "The disk image you are opening may be damaged and could damage your system."

Does this also happen to you?

javacom said...

I have the same warning message, but I only get the files for the toolchain. File read is OK, but don't run the program inside.

Pyxart said...

With 1.1.4 works great!!! Thanks! :)

Brad Handy said...

I've been searching for the key to decrypt 114 for a couple of days now. Could you point me in the right direction how to get these myself for later versions of the firmware?

javacom said...

I don't know the method after firmware 1.1.1, only Google search

http://appleintel.wordpress.com/2008/02/26/master-key/

javacom said...

Here is the method to find the decrypt key for iPhone firmware >= 1.1.1

http://tungchingkai.blogspot.com/2008/04/find-iphone-secret-ramdisk-decrypt-key.html

Anonymous said...

Hi!

I have the same problem which Ron has. Is that normal? Can I continue with this warning message?

Thanks.

javacom said...

Yes, you can open it. Just don't run the programs inside, they are for iPhone

Anonymous said...

Hi, thanks for reply.

Using Windows I get "Error: unabla to open file"

Using Ubuntu, vfdecrypt does not end

Using MACOSX, it seems it works, but I think image is corrupted because when I extract PNGs from wallpapers folder, they don't work, I see just an interrogation.

I don't know what to do :(

BTW, does anybody know if I can download a zip with these decrypted files??? I would like to use SDK and compile for 1.1.4 (this is in another post in this website) but without these files, I cannot do that.

Thank you very much for your help.

javacom said...

Those PNG files from iPhone need conversion
read this
http://www.modmyifone.com/wiki/index.php/Iphone_PNG_images

To open the dmg file in Windows, you need PowerISO
www.poweriso.com
read this for Windows OS decrypt method
http://tungchingkai.blogspot.com/2008/01/decrypt-iphone-filesystem-firmware.html

Anonymous said...

Can vfdecrypt decrypt regular encrypted .dmg files or is it ONLY for iPhone OS images? Anyone know?