4.4 KiB
| created | layout | layout_old | redirect_to | tags | title | toc | updated | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2009-05-20 02:17:15 +0200 | redirect | default | https://blog.mbirth.de/archives/2009/05/20/ios-firmware-unpacking.html |
|
iOS Firmware Unpacking | false | 2009-05-24 23:27:24 +0200 |
Preparations
You'll need the following tools:
Now compile the genpass.c:
-
untar
openssl-0.9.8h.tar.gzand rename the directory to justopenssl -
compile OpenSSL:
cd openssl/ ./config && make -
now go one directory up (I assume this is where you put the
genpass.c) and compile it:gcc genpass.c openssl/libcrypto.a -o genpass -I openssl/include -
the
vfdecrypt-linux.tar.gzcomes with a precompiled binary. If you want to compile it on your own, do it like this:gcc vfdecrypt.c ../openssl/libcrypto.a -I ../openssl/include/ -o vfdecrypt
Unpacking the ipsw file
The iPhone Softw*are* .ipsw files are normal ZIP files. You can extract them with e.g. IZArc. The archives
contain several files and some disk images: the iPhone OS itself, an Upgrade image and a Restore image. These 3 interesting
files for the iPhone OS 3.0 BETA 5 are named like this (output of unzip -l):
Archive: iPhone1,2_3.0_7A312g_Restore.ipsw
Length Date Time Name
-------- ---- ---- ----
208347136 05-04-09 13:09 018-4965-005.dmg
13086064 05-04-09 13:00 018-4970-005.dmg
13086064 05-04-09 13:00 018-4972-005.dmg
The larger one is the iPhone OS image, the other two are the two loader images (upgrade/restore).
Decrypt a loader image
You need an initialization vector and a key for decrypting this. For now, these are posted on theiphonewiki.com.
Do this using the Xpwntool:
./xpwntool 018-4972-005.dmg ramdisk.dmg -iv 5508FD2D20F22048D4BC1780A0B1CAFF -k 198FEAFD04973FC8B07A052BE75B9288
Find encryption key for iPhoneOS
The key might be already posted on theiphonewiki.com, so maybe we don't need this step.
Use the compiled genpass.c to extract the encryption key from the decrypted loader image:
./genpass s5l8900x ./ramdisk.dmg 018-4965-005.dmg
This will give something like this:
passphrase: fcdf5fbe3bdcaeff0c3de34430ffb473ac34cb0b55efdc087e70aa7c558a1055
not block 0
not block 1
not block 2
not block 3
not block 4
not block 5
vfdecryptk: f7b1edb0ee9196a1393dccdc8d090051308b84ab322bf860cb1d3ca566ef2e29752fa79a
Decrypt iPhoneOS
This was a bit tricky as the syntax for vfdecrypt was wrong in all other manuals and even in the syntax help of vfdecrypt itself.
Run this:
./vfdecrypt -i018-4965-005.dmg -kf7b1edb0ee9196a1393dccdc8d090051308b84ab322bf860cb1d3ca566ef2e29752fa79a -odmg.dmg
(Note the missing <SPACE> between the parameter's name and value.)
This will give you a file dmg.dmg which is the decrypted iPhoneOS image.
Uncompress iPhoneOS image
Since the dmg.dmg (199 MiB) is a compressed image, you can't mount it directly in Linux. You first have to unpack it.
There's a tool dmg among the Xpwntools. So use it like this:
./dmg extract dmg.dmg dmg-raw.dmg
You'll get a 441 MiB file dmg-raw.dmg.
Mount iPhoneOS
To go exploring the iPhoneOS files, you can now mount the uncompressed image like this:
sudo mount -o loop -t hfsplus ./dmg-raw.dmg /mnt/iphoneimage
(Make sure that /mnt/iphoneimage exists and is an empty folder.)
Links
- mail-archive.com --- technical explanation
- tungchingkai.blogspot.com --- how to decrypt the firmware file
- theiphonewiki.com --- several encryption keys for iPhone firmware files