Hackint0sh > Projects and Hacks > iPhone > iPhone "2G" (Rev. 1) > PwnageTool

#1
05-05-2008, 06:37 PM
javacom (Developer)

[Firmware] 2.0 beta 4-5 > Decrypt and extract IPSW's Ramdisk

Using Mac OS to extract ramdisk and decrypt rootfs for beta 4 (build 5A258f)

Run these commands in Mac Terminal to get the ramdisk image of iPhone firmware 2.0 beta 4 (build 5A258f)
Code:
$ unzip -o iPhone1,1_2.0_5A258f_Restore.ipsw 018-3587-8.dmg
#strip off the first 32 bytes (0x20) and remove the trailing certificate information
#the count of 610816 (32-byte blocks) comes from the length field at offset 12:
#echo `hexdump -s12 -n4 -e '"%d\n"' 018-3587-8.dmg ` / 32 | bc
$ dd if=018-3587-8.dmg of=ramdiskb4.dmg bs=32 skip=1 count=610816 conv=sync
Mount ramdiskb4.dmg directly in Mac OS X; the baseband files are in /Volumes/ramdisk/usr/local/standalone/firmware

Run this command in Mac Terminal to get the decrypt key of iPhone firmware 2.0 beta 4 (build 5A258f)

Code:
$ strings 018-3587-8.dmg | egrep "^[0-9a-fA-F]{72}$"
The decrypt key can also be found in the mounted ramdiskb4.dmg image, in
/Volumes/ramdisk/usr/sbin/asr

The decrypt key for the rootfs beta 4 (build 5A258f) is
Code:
198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c

Run these commands in Mac Terminal to decrypt the rootfs of iPhone firmware 2.0 beta 4 (build 5A258f)

Code:
$ unzip -o iPhone1,1_2.0_5A258f_Restore.ipsw 018-3585-6.dmg
$ ./vfdecrypt -i 018-3585-6.dmg -o decrypted20b4.dmg -k 198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c
Mount decrypted20b4.dmg directly in Mac OS X to get the firmware files

If you need vfdecrypt for Mac OS (Universal binary for PPC and Intel)
get it from
http://rapid$hare.com/files/40981513/vfdecrypt.zip.html

replace $ with s

Here is the shell script (updated to v0.3) that implements the above procedure and supports all firmwares 1.0.x, 1.1.x and 2.0 beta x in Mac OS X.

This is not an alternative method for you to create custom firmware in the Pwnage Tools; please wait for the dev team to update the tools.

e.g. to extract and decrypt the previous version of the iPhone firmware, put the following code in a script file, chmod +x it, and execute it in Mac Terminal:
./decryptipsw.sh iPhone1,1_2.0_5A225c_Restore.ipsw

P.S. If you want, you can run ./decryptipsw.sh *.ipsw

Code:
#!/bin/sh
#v0.3
# Extracts the restore ramdisk from one or more IPSW files, reads the rootfs
# key out of it and decrypts the rootfs with vfdecrypt (expected in the current directory).
if [ $# -lt 1 ]
then
  echo "usage : $0 iPhone1,1_2.0_5A274d_Restore.ipsw"
  exit 0
fi
DDONE=0
for IPSWNAME in "$@"
do
if [ -f "$IPSWNAME" ]
then
PWD=`pwd`
rm -f Restore.plist
unzip -o "$IPSWNAME" Restore.plist > /dev/null 2>/dev/null
if [ -f Restore.plist ]; then
# defaults(1) appends ".plist" itself, so the file is named as $PWD/Restore
DEVICECLASS=`defaults read $PWD/Restore DeviceClass`
PRODUCTVERSION=`defaults read $PWD/Restore ProductVersion`
BUILDVERSION=`defaults read $PWD/Restore ProductBuildVersion`
# take the "User" entry of the RestoreRamDisks and SystemRestoreImages dictionaries
RESTORERAMDISK=`defaults read $PWD/Restore RestoreRamDisks | awk '/User/ { split($0, line, "\""); printf("%s\n", line[2]); }'`
SYSTEMRESTOREIMAGE=`defaults read $PWD/Restore SystemRestoreImages | awk '/User/ { split($0, line, "\""); printf("%s\n", line[2]); }'`
OUTNAME=$DEVICECLASS$PRODUCTVERSION$BUILDVERSION
unzip -o "$IPSWNAME" "$RESTORERAMDISK"  > /dev/null 2>/dev/null
# the first four bytes tell the container apart: an "8900" file, or the 32-byte header shown above for the 2.0 betas
FILEFORMAT=`hexdump -n4 -e '"%c%c%c%c\n"' "$RESTORERAMDISK"`
if [ "$FILEFORMAT" = "8900" ]
then
  DECRYPTKEY=`strings "$RESTORERAMDISK" | egrep "^[0-9a-fA-F]{72}\$"`
  if [ "$DECRYPTKEY" = "" ]; then
    # no key visible in the raw file: the 8900 payload is itself encrypted, so strip the
    # 0x800-byte header (4 x 512) and decrypt the payload with the 8900 key
    RAMDISKLENGTH=`hexdump -s12 -n4 -e '"%d\n"' "$RESTORERAMDISK"`
    # round up so a payload that is not a multiple of 512 bytes keeps its last block
    RAMDISKCOUNT=`echo "($RAMDISKLENGTH + 511) / 512" | bc`
    dd if="$RESTORERAMDISK" of="$OUTNAME.stripped.dmg" bs=512 skip=4 count=$RAMDISKCOUNT conv=sync  > /dev/null 2>/dev/null
    # the payload carries no PKCS padding, so -nopad keeps openssl from rejecting (and dropping) the last block
    openssl enc -d -nopad -in "$OUTNAME.stripped.dmg" -out "$OUTNAME.ramdisk.dmg"  -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0  > /dev/null 2>/dev/null
    rm -f "$OUTNAME.stripped.dmg"
  else
    dd if="$RESTORERAMDISK" of="$OUTNAME.ramdisk.dmg" bs=512 skip=4 conv=sync  > /dev/null 2>/dev/null
  fi
else
  # 2.0 beta layout: 32-byte header, payload length in bytes at offset 12
  RAMDISKLENGTH=`hexdump -s12 -n4 -e '"%d\n"' "$RESTORERAMDISK"`
  RAMDISKCOUNT=`echo "($RAMDISKLENGTH + 31) / 32" | bc`
  dd if="$RESTORERAMDISK" of="$OUTNAME.ramdisk.dmg" bs=32 skip=1 count=$RAMDISKCOUNT conv=sync  > /dev/null 2>/dev/null
fi
rm -f "$RESTORERAMDISK"
# the rootfs key is stored as a 72-hex-character string inside the ramdisk (in /usr/sbin/asr)
DECRYPTKEY=`strings "$OUTNAME.ramdisk.dmg" | egrep "^[0-9a-fA-F]{72}\$"`
if [ "$DECRYPTKEY" = "" ]; then
  echo "Decrypt failed : $IPSWNAME"
else
unzip -o "$IPSWNAME" "$SYSTEMRESTOREIMAGE"  > /dev/null 2>/dev/null
./vfdecrypt -i "$SYSTEMRESTOREIMAGE" -o "$OUTNAME.decrypted.dmg" -k $DECRYPTKEY  > /dev/null 2>/dev/null
rm -f "$SYSTEMRESTOREIMAGE"
echo
md5 "$IPSWNAME"
echo "RAMDISK = $OUTNAME.ramdisk.dmg"
echo "FILESYSTEM = $OUTNAME.decrypted.dmg"
echo "DECRYPTKEY = $DECRYPTKEY"
DDONE=1
fi
else
  echo "Invalid ipsw file $IPSWNAME"
fi
else
echo "$IPSWNAME NOT FOUND"
fi
done
if [ "$DDONE" = "1" ]; then
  echo "Job Completed!!!"
fi

Last edited by javacom; 05-11-2008 at 05:00 AM. Reason: updated v0.3 shell script to support all firmwares from 1.0.x to 2.0 beta 5
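An added example, not code from javacom's post or from the dev team: the header arithmetic that the script above does with hexdump, bc and dd, as a Python pre-check that validates the length field before anything is carved out of the file. The offsets (magic at 0, little-endian uint32 length at 12, a 0x800-byte header for "8900" files and a 32-byte header otherwise) are taken from the script's dd and hexdump calls; the sample files, the `XXXX` magic, the fake key string and all function names are constructed for this example. Unlike the script it rounds the block count up, so a payload that is not block-aligned does not lose its tail. No decryption happens here; `needs_decrypt` only reproduces the script's "no key string visible in the raw file" heuristic.

```python
import re
import struct

# Header facts below are taken from the dd/hexdump calls in the shell script on
# the page; everything else (sample files, names) is constructed for this example.
MAGIC_8900 = b"8900"
HEADER_8900 = 4 * 512      # script: dd bs=512 skip=4 for "8900" containers
BLOCK_8900 = 512
HEADER_OTHER = 32          # script: dd bs=32 skip=1 for everything else
BLOCK_OTHER = 32
LENGTH_OFFSET = 12         # script: hexdump -s12 -n4 -e '"%d\n"' (native little-endian uint32)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # roughly what `strings` emits
KEY_LINE = re.compile(rb"^[0-9a-fA-F]{72}$")      # the egrep pattern in the script


def find_key_strings(data):
    """Approximates `strings file | egrep '^[0-9a-fA-F]{72}$'` on an in-memory file."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)
            if KEY_LINE.match(m.group())]


def extraction_plan(data):
    """Work out what the script's dd call would do and check that it is sane
    before touching the file. Returns a dict; raises ValueError on bad input."""
    if len(data) < HEADER_OTHER:
        raise ValueError("file shorter than the smallest header")
    if data[:4] == MAGIC_8900:
        container, header, block = "8900", HEADER_8900, BLOCK_8900
    else:
        container, header, block = "other", HEADER_OTHER, BLOCK_OTHER
    if len(data) < header:
        raise ValueError("file shorter than its %s header" % container)
    length = struct.unpack_from("<I", data, LENGTH_OFFSET)[0]
    if length == 0 or header + length > len(data):
        raise ValueError("length field %d does not fit in a %d-byte file" % (length, len(data)))
    # the script floors length/block with bc; round up instead so a short tail is kept
    count = -(-length // block)
    # the script only runs openssl on an 8900 file that shows no plain-text key string
    needs_decrypt = container == "8900" and not find_key_strings(data)
    return {"container": container, "header_bytes": header, "block_size": block,
            "dd_count": count, "payload_bytes": count * block, "needs_decrypt": needs_decrypt}


def strip_header(data):
    """In-memory equivalent of the script's `dd ... conv=sync`: drop the header,
    keep dd_count blocks and NUL-pad the final block."""
    plan = extraction_plan(data)
    start, size = plan["header_bytes"], plan["payload_bytes"]
    return data[start:start + size].ljust(size, b"\0")


def make_sample(magic, header_size, payload):
    """Constructed test file: magic, zero filler, uint32 length at offset 12,
    header padded to header_size, then the payload."""
    header = bytearray(header_size)
    header[:4] = magic
    struct.pack_into("<I", header, LENGTH_OFFSET, len(payload))
    return bytes(header) + payload


# Constructed samples (not real firmware): a 32-byte-header file with a 100-byte
# payload, an "8900" file whose payload carries a fake 72-hex-char key line, and
# an "8900" file whose payload has no such line (the script would decrypt that one).
SAMPLE_OTHER = make_sample(b"XXXX", HEADER_OTHER, b"A" * 100)
FAKE_KEY = b"ab" * 36
SAMPLE_8900_PLAIN = make_sample(MAGIC_8900, HEADER_8900, b"\0" * 16 + FAKE_KEY + b"\0" * 936)
SAMPLE_8900_ENC = make_sample(MAGIC_8900, HEADER_8900, bytes(range(256)) * 4)

if __name__ == "__main__":
    for name, blob in [("other", SAMPLE_OTHER), ("8900 plain", SAMPLE_8900_PLAIN),
                       ("8900 enc", SAMPLE_8900_ENC)]:
        print(name, extraction_plan(blob), find_key_strings(blob))
```

On a real ramdisk file you would pass its bytes to extraction_plan() first and compare dd_count with what the hexdump/bc pipeline in the post prints; a length field that does not fit inside the file is the sign that the wrong header size was assumed for that container.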
#2
05-05-2008, 07:32 PM
goodluck4287 (Senior Member)

To clarify: does that get us what we need to pwn beta 4?
#3
05-05-2008, 08:15 PM
volkspost (iPhone Moderator)

Quote:
Originally Posted by goodluck4287
To clarify: does that get us what we need to pwn beta 4?

It's the first of several steps. Another solution for Windows with a GUI is from George, called gzDecryptor:

http://george.zjlotto.com/


volkspost
#4
05-05-2008, 08:26 PM
netkas (Engineer)

It's not the first of several steps.

It's what Zebra called the NEW uber secret encryption system lol
#5
05-06-2008, 01:18 AM
javacom (Developer)

Quote:
Originally Posted by goodluck4287
To clarify: does that get us what we need to pwn beta 4?

You need to extract the ramdisk to get the baseband files.
#6
05-06-2008, 03:32 AM
goodluck4287 (Senior Member)

Thank you for the responses
#7
05-06-2008, 04:32 PM
MrIron (Junior Member)

Is it possible, from what we can see here, to check if there is Norwegian carrier support built in?
#8
05-07-2008, 03:47 AM
ChronicProductions (Respected Member)

Last login: Tue May 6 21:37:15 on ttys000
Macintosh:~ xxxxxxxxx$ cd /Users/xxxxxxx/Desktop/iPhone1,1_2.0_5A274d_Resto
Macintosh:iPhone1,1_2.0_5A274d_Resto xxxxxxx$ echo `hexdump -s12 -n4 -e '"%d\n"' 018-3615-6.dmg ` / 32 | bc
604800
Macintosh:iPhone1,1_2.0_5A274d_Resto xxxxxxxx$ dd if=018-3615-6.dmg of=ramdiskb5.dmg bs=32 skip=1 count=604800 conv=sync
604800+0 records in
604800+0 records out
19353600 bytes transferred in 5.721840 secs (3382408 bytes/sec)
Macintosh:iPhone1,1_2.0_5A274d_Resto xxxxxxx$
#9
05-07-2008, 03:52 AM
javacom (Developer)

Oh !! beta 5
#10
05-07-2008, 03:54 AM
ChronicProductions (Respected Member)

key
589df25eaa4ff0a5e29e1425fb99bf50957888ff098ba2fcb72cf130f40e15e00bcf2fc7

All times are GMT +2.