Decrypting 018-7338-033.dmg (root filesystem)

**hazkid** · 04-10-2010 12:08 AM

Thanks to iH8sn0w, we have the key and IV for 018-7262-033.dmg. I was able to use xpwntool to create a decrypted ramdisk, which, theoretically, could be fed into genpass to generate a vfdecrypt key for the root filesystem image. I cannot, however, compile genpass. Does anyone have a working copy of genpass they can use to try this?

Update: I used a genpass binary on Windows to generate a key, but the key is wrong. Vfdecrypt generates a dmg, but it is not mountable.

**duckdude** · 04-11-2010 12:51 AM

where can I find the keys? I would like to try some of this myself.

**Olethros** · 04-11-2010 01:12 AM

Originally Posted by duckdude

where can I find the keys? I would like to try some of this myself.

Look on twitter

**Olethros** · 04-11-2010 01:26 AM

You won't find rootfs key on twitter though. genpass has not been updated since 3.1 and the replacement is not public.

**xhacker482** · 04-11-2010 05:13 PM

I'm not sure if this is allowed but here it is...

here is the syntax

Code:

vfdecrypt -i 018-7338-033.dmg -o rootfs.dmg -k 0da2d3316d5ee7cd1858e4035e451387cd8156e97535fb09028859e68e5b7b39a6649552

iphone 3g key: 0da2d3316d5ee7cd1858e4035e451387cd8156e97535fb0902 8859e68e5b7b39a6649552
iphone 3gs key: 62ea9bf9971e6c410231646f916f80330f9cbc1d1c585f0c03 dab6b6f7158dc0a9c5efaf

this is were i got my info for my iphone 3g
VFDecrypt Keys: 4.x BETA - The iPhone Wiki

also this is mountable just I can't get passed the read only part...

**dtube** · 04-12-2010 04:44 AM

FW 4.0 (8A230m) - iPhone 3G Keys

———————————
018-7262-033.dmg [Restore Ramdisk]:
———————————
IV: 9b855e7bd477ee1aa7e9e7fb12f83555
KEY: 8fdfffcdaeef27851895a20a0bdea857
———————————
Kernel.release.n82:
———————————
IV: 75738828002b34798564fd551b6cb4c9
KEY: dc59cac6760e5a7741e7d61d069c85a5
———————————
applelogo.s5l8900x.img3:
———————————
IV: 0e5600cdf829e9382604b2345084648a
KEY: 7fb2b626a03d85c064c5483cbd5671c7
———————————
recoverymode.s5l8900x.img3:
———————————
IV: f9021648e0cb1f2fbbf7b4b5c507ec2c
KEY: dd7a6d8d8d8eb909b156fb13f3251b1e
———————————
iBoot.n82ap.RELEASE.img3:
———————————
IV: c9159cb995c16fa320de917367c5599a
KEY: bb9ce10e110cc547e5d69cbc007b9021
———————————
DeviceTree.n82ap.img3:
———————————
IV: 7bedf566de4a9ec35cec5fd9a984c803
KEY: f572fbcbe3df7be157b73377ff0c669c

some notes on how to do:
- unzip iPhone1,2_4.0_8A230m_Restore.ipsw
- xpwntool 018-7262-033.dmg ramdisk.dmg -k 8fdfffcdaeef27851895a20a0bdea857 -iv 9b855e7bd477ee1aa7e9e7fb12f83555
- hdid ramdisk.dmg
- vfdecrypt -i 018-7338-033.dmg -k 0da2d3316d5ee7cd1858e4035e451387cd8156e97535fb0902 8859e68e5b7b39a6649552 -o rootfs.dmg
- hdid rootfs.dmg

**f41qu3** · 04-12-2010 01:42 PM

Originally Posted by dtube

FW 4.0 (8A230m) - iPhone 3G Keys

———————————
018-7262-033.dmg [Restore Ramdisk]:
———————————
IV: 9b855e7bd477ee1aa7e9e7fb12f83555
KEY: 8fdfffcdaeef27851895a20a0bdea857
———————————
Kernel.release.n82:
———————————
IV: 75738828002b34798564fd551b6cb4c9
KEY: dc59cac6760e5a7741e7d61d069c85a5
———————————
applelogo.s5l8900x.img3:
———————————
IV: 0e5600cdf829e9382604b2345084648a
KEY: 7fb2b626a03d85c064c5483cbd5671c7
———————————
recoverymode.s5l8900x.img3:
———————————
IV: f9021648e0cb1f2fbbf7b4b5c507ec2c
KEY: dd7a6d8d8d8eb909b156fb13f3251b1e
———————————
iBoot.n82ap.RELEASE.img3:
———————————
IV: c9159cb995c16fa320de917367c5599a
KEY: bb9ce10e110cc547e5d69cbc007b9021
———————————
DeviceTree.n82ap.img3:
———————————
IV: 7bedf566de4a9ec35cec5fd9a984c803
KEY: f572fbcbe3df7be157b73377ff0c669c

some notes on how to do:
- unzip iPhone1,2_4.0_8A230m_Restore.ipsw
- xpwntool 018-7262-033.dmg ramdisk.dmg -k 8fdfffcdaeef27851895a20a0bdea857 -iv 9b855e7bd477ee1aa7e9e7fb12f83555
- hdid ramdisk.dmg
- vfdecrypt -i 018-7338-033.dmg -k 0da2d3316d5ee7cd1858e4035e451387cd8156e97535fb0902 8859e68e5b7b39a6649552 -o rootfs.dmg
- hdid rootfs.dmg

dtube, this steps above working to create a valid and mountable ramdisk, after it, just need remount the ipsw and restoring that to iphone, i´m right or no?

**dtube** · 04-12-2010 10:56 PM

Originally Posted by f41qu3

dtube, this steps above working to create a valid and mountable ramdisk, after it, just need remount the ipsw and restoring that to iphone, i´m right or no?

Steps above to extract and decrypt the fw ramdisk so you can look can things. The only way to restore is only if iphone is already pwned. If the phone is not pwned, then the tool must be able to use the exploit to send the payload and pwned iboot on the fly then restore.

**f41qu3** · 04-14-2010 01:32 PM

Originally Posted by dtube

Steps above to extract and decrypt the fw ramdisk so you can look can things. The only way to restore is only if iphone is already pwned. If the phone is not pwned, then the tool must be able to use the exploit to send the payload and pwned iboot on the fly then restore.

dtube, did u know some lectures about unpack and repack ipsw file?