I have an idea on how to decrypt the 1.1.1 firmware image at the iPhone "2G" (Rev. 1) - Hackint0sh.org (page 3 of 3, posts 21 to 28 of 28)
  1. #21

    Quote Originally Posted by mr_
    Very interesting...

    Are you saying that the firmware in the bricked iPhones hasn't been decrypted yet, which would seem to suggest that the new bootloader stops as soon as it detects the modified baseband--and also refuses to downgrade, resulting in bricking the phone? In which case a never unlocked unit that has been upgraded to 1.1.1 (and perhaps also activated with an AT&T account) may need to be probed or sacrificed... Or are you saying that Apple has essentially implemented an encrypted partition for the system software, decrypting stuff dynamically as it is loaded to RAM for execution? In that case the key could even be phone-specific and be passed to the phone during activation... I.e., encrypt with a master key and decrypt with IMEI-dependent individual keys... would be very difficult (but not impossible) to circumvent.
    Well, I hope it's not that complicated, but it certainly could be.
    I think the key lies in the bootloader; whether the data on the iPhone is encrypted or not, I'm not certain. It currently looks like the new firmware is sent to the iPhone encrypted, so the bootloader is doing the deciphering. I don't know if this is how the older firmwares worked, but I don't think so.

    Getting the key is one problem, but there's also the knowledge that the bootloader is requesting information upon restore (similar to how the iPod touch works). If the file being sent to the phone does not match what the new bootloader requests (i.e. sending 1.0.2 instead of 1.1.1) then it rejects the reload. What exactly it looks for isn't known. It couldn't be a checksum because a new update (like 1.1.2) would not have the same checksum. The fun part is if it's another key, then 1.1.2 must have the same key as 1.1.1. Then we might be able to get into custom firmwares.

    But we have to have the key first....
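
Added example (the editor's own, not any poster's code and not Apple's actual mechanism): a minimal Go model of the check the post above is reasoning about. The boot ROM stores one public verification key and a version floor; every image carries its own signature over version plus payload. That is why the check does not have to be a per-image checksum, and why a 1.1.2 image can verify under the same key as 1.1.1 while 1.0.2 is refused. The key pair is derived from a constructed label so the program is deterministic; BootROM, Image, Ver, ErrRollback, ErrBadSignature and the packed version layout are all inventions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image models one restore payload: a packed version number, the firmware
// bytes, and a signature over both (so the version cannot be re-labelled).
type Image struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// BootROM models the immutable verifier: it holds only a public key and the
// lowest version it will still accept. No per-image checksum is stored.
type BootROM struct {
	VerifyKey  ed25519.PublicKey
	MinVersion uint32
}

var (
	ErrBadSignature = errors.New("image signature does not verify under the ROM key")
	ErrRollback     = errors.New("image version is below the ROM's anti-rollback floor")
)

// Ver packs a dotted version such as 1.1.2 into one comparable integer.
func Ver(major, minor, patch uint8) uint32 {
	return uint32(major)<<16 | uint32(minor)<<8 | uint32(patch)
}

// signedMessage is the exact byte string that is signed and later verified:
// the version is inside it, so an old image cannot be relabelled as a new one.
func signedMessage(version uint32, payload []byte) []byte {
	msg := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(msg, version)
	copy(msg[4:], payload)
	return msg
}

// SignImage is the vendor-side step: the private key never leaves the vendor.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	return Image{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

// Accept is the device-side step: verify the signature first, then enforce
// the version floor. The same ROM key accepts every properly signed version.
func (b BootROM) Accept(img Image) error {
	if !ed25519.Verify(b.VerifyKey, signedMessage(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version < b.MinVersion {
		return ErrRollback
	}
	return nil
}

// KeysFromLabel derives a CONSTRUCTED demo key pair from a fixed label so the
// example is deterministic; a real signing key would live in an HSM.
func KeysFromLabel(label string) (ed25519.PrivateKey, ed25519.PublicKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv, priv.Public().(ed25519.PublicKey)
}

func main() {
	vendorPriv, vendorPub := KeysFromLabel("constructed-vendor-signing-seed")
	rom := BootROM{VerifyKey: vendorPub, MinVersion: Ver(1, 1, 1)}

	// Three constructed images: two current/newer releases and one downgrade.
	images := []struct {
		name string
		img  Image
	}{
		{"1.1.1", SignImage(vendorPriv, Ver(1, 1, 1), []byte("constructed 1.1.1 payload"))},
		{"1.1.2", SignImage(vendorPriv, Ver(1, 1, 2), []byte("constructed 1.1.2 payload"))},
		{"1.0.2", SignImage(vendorPriv, Ver(1, 0, 2), []byte("constructed 1.0.2 payload"))},
	}
	for _, e := range images {
		fmt.Printf("%s: accepted=%v err=%v\n", e.name, rom.Accept(e.img) == nil, rom.Accept(e.img))
	}
}
```

Run with `go run`: 1.1.1 and 1.1.2 are accepted with distinct signatures under the one ROM key, and 1.0.2 is refused as a rollback even though its signature is valid. Because the version is part of the signed message, re-labelling the 1.1.2 image as 1.1.3 fails the signature check rather than slipping past the floor.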


  2. #22

    Quote Originally Posted by mr_
    Very interesting...

    Are you saying that the firmware in the bricked iPhones hasn't been decrypted yet, which would seem to suggest that the new bootloader stops as soon as it detects the modified baseband--and also refuses to downgrade, resulting in bricking the phone? In which case a never unlocked unit that has been upgraded to 1.1.1 (and perhaps also activated with an AT&T account) may need to be probed or sacrificed... Or are you saying that Apple has essentially implemented an encrypted partition for the system software, decrypting stuff dynamically as it is loaded to RAM for execution? In that case the key could even be phone-specific and be passed to the phone during activation... I.e., encrypt with a master key and decrypt with IMEI-dependent individual keys... would be very difficult (but not impossible) to circumvent.
    It is not IMEI/SIM dependent, as it's the same case with the iTouch.

  3. #23

    Quote Originally Posted by Parastie
    Well, I hope it's not that complicated, but it certainly could be.
    I think the key lies in the bootloader; whether the data on the iPhone is encrypted or not, I'm not certain. It currently looks like the new firmware is sent to the iPhone encrypted, so the bootloader is doing the deciphering. I don't know if this is how the older firmwares worked, but I don't think so.
    The previous firmwares were encrypted as well.

    However, the old recovery mode had a bug which allowed the dumping of the RAM contents of the iPhone, and the plaintext key was among the dumped data (someone correct me if I have this wrong please). Thus it was possible to decrypt the firmware and poke inside it.

    Quote Originally Posted by Parastie
    Getting the key is one problem, but there's also the knowledge that the bootloader is requesting information upon restore (similar to how the iPod touch works). If the file being sent to the phone does not match what the new bootloader requests (i.e. sending 1.0.2 instead of 1.1.1) then it rejects the reload. What exactly it looks for isn't known. It couldn't be a checksum because a new update (like 1.1.2) would not have the same checksum. The fun part is if it's another key, then 1.1.2 must have the same key as 1.1.1. Then we might be able to get into custom firmwares.

    But we have to have the key first....
    It seems odd to me that there isn't a way for Apple to just dumb-restore iPhones (flash the firmware/bootloader/baseband without worrying about the bootloader's state). There HAS to be some functionality that matches that moto because that's the easiest way to restore iPhones bricked due to mal-flashing. I know that PSP firmware references are becoming old, but check out what the Pandora's Battery hack did to the PSP (basically turning on service mode and FORCING the console to flash a particular file off the memory stick to its firmware). Let's hope Apple has some sort of similar way built into the iPhone.

    PS: The above is puuuuuuuuuuuuuuuuuuuuuuuuure speculation.
    iPhone 4 GB running 1.1.1 (virginized from 1.0.2) on Vodafone Greece
    Activated/Jailbroken/Unlocked via Safari Exploit/TouchFree/Anysim
    Calls in/out YES/YES
    SMS in/out YES/YES
    EDGE Probably yes, havent tried yet
    Wifi/YouTube/Wireless iTunes YES/YES/YES

  4. #24

    OP's handle is "ChronicProductions"...

    He must have been a little high to think Apple would use something as simple as Rainbow tables!!

  5. #25

    Quote Originally Posted by shodanjr_gr
    The previous firmwares were encrypted as well. However, the old recovery mode had a bug which allowed the dumping of the RAM contents of the iPhone, and the plaintext key was among the dumped data (someone correct me if I have this wrong please).
    The plaintext keys were in the /usr/sbin/asr executable on the unencrypted ramdisk dmg. That dmg (from the ipsw file) could be mounted on the Mac simply by ignoring the first 2 KBytes. The iPhone RAM contents weren't needed for any of this... it was all on the Mac side.

    By the way, the keys were:
    1.0.0: 28c909fc6d322fa18940f03279d70880e59a4507998347c70d5b8ca7ef090ecccc15e82d
    1.0.1: 7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5
    1.0.2: 7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5
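
Added example (the editor's own, not DevTeam code): the defensive reading of the post above is that plaintext key material shipped inside an executable is found by a routine scan, so a vendor's build pipeline should run exactly that scan before an image is released. The Go program below skips a fixed header (the post's "first 2 KBytes", assumed here to mean 2048 bytes) and reports every run of 64 or more hex digits whose Shannon entropy looks like key material, discarding low-entropy runs such as zero padding that a naive grep would misreport. The image it scans is constructed inline, with a sample key derived from a fixed label rather than any key quoted in the thread; ScanForHexSecrets, Candidate, SampleImage and SampleKey are names chosen for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
	"strings"
)

// Candidate is one hex run in the image that looks like embedded key material.
type Candidate struct {
	Offset  int     // byte offset in the original, unskipped image
	Hex     string  // the run of hex digits itself
	Entropy float64 // Shannon entropy in bits per character
}

const (
	minHexRun  = 64  // 32 bytes of key material or more
	minEntropy = 2.5 // bits/char; uniformly random hex is close to log2(16) = 4
)

func isHexLower(b byte) bool {
	return (b >= '0' && b <= '9') || (b >= 'a' && b <= 'f')
}

// shannon returns the per-character entropy of s in bits (0 for a constant run).
func shannon(s string) float64 {
	if len(s) == 0 {
		return 0
	}
	var counts [256]int
	for i := 0; i < len(s); i++ {
		counts[s[i]]++
	}
	n := float64(len(s))
	var h float64
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ScanForHexSecrets skips `skip` header bytes, then reports every run of at
// least minHexRun lowercase hex digits whose entropy clears minEntropy.
func ScanForHexSecrets(image []byte, skip int) []Candidate {
	var out []Candidate
	if skip > len(image) {
		return out
	}
	body := image[skip:]
	for i := 0; i < len(body); {
		if !isHexLower(body[i]) {
			i++
			continue
		}
		j := i
		for j < len(body) && isHexLower(body[j]) {
			j++
		}
		if run := string(body[i:j]); len(run) >= minHexRun {
			if h := shannon(run); h >= minEntropy {
				out = append(out, Candidate{Offset: skip + i, Hex: run, Entropy: h})
			}
		}
		i = j
	}
	return out
}

// SampleKey is a CONSTRUCTED 72-hex-digit value (36 bytes, the length of the
// keys quoted in the thread), derived from fixed labels; it is not a real key.
func SampleKey() string {
	a := sha256.Sum256([]byte("constructed-sample-key-part-a"))
	b := sha256.Sum256([]byte("constructed-sample-key-part-b"))
	return hex.EncodeToString(a[:]) + hex.EncodeToString(b[:])[:8]
}

// SampleImage is a CONSTRUCTED stand-in for a ramdisk image: a 2048-byte
// wrapper header, a path string, one high-entropy key, and a 72-zero run.
func SampleImage() []byte {
	img := make([]byte, 2048) // header the scanner is told to skip
	for i := range img {
		img[i] = byte(i % 251)
	}
	img = append(img, []byte("/usr/sbin/asr\x00key=")...)
	img = append(img, []byte(SampleKey())...)
	img = append(img, []byte("\x00padding=")...)
	img = append(img, []byte(strings.Repeat("0", 72))...) // low entropy: must be ignored
	img = append(img, 0)
	return img
}

func main() {
	for _, c := range ScanForHexSecrets(SampleImage(), 2048) {
		fmt.Printf("offset %d: %d hex digits, entropy %.2f bits/char\n", c.Offset, len(c.Hex), c.Entropy)
	}
}
```

On the constructed image the scan reports exactly one candidate, the 72-digit sample key at offset 2066, and stays silent on the zero run. Lowering minEntropy or minHexRun trades false positives for coverage of shorter keys; in a real pipeline the candidate list would be compared against the set of secrets the build is allowed to contain (normally none).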


  6. #26

    Quote Originally Posted by MuscleNerd
    The plaintext keys were in the /usr/sbin/asr executable on the unencrypted ramdisk dmg. That dmg (from the ipsw file) could be mounted on the Mac simply by ignoring the first 2 KBytes. The iPhone RAM contents weren't needed for any of this... it was all on the Mac side.

    By the way, the keys were:
    1.0.0: 28c909fc6d322fa18940f03279d70880e59a4507998347c70d5b8ca7ef090ecccc15e82d
    1.0.1: 7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5
    1.0.2: 7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5
    Cheers mate, thanks for correcting me.
    iPhone 4 GB running 1.1.1 (virginized from 1.0.2) on Vodafone Greece
    Activated/Jailbroken/Unlocked via Safari Exploit/TouchFree/Anysim
    Calls in/out YES/YES
    SMS in/out YES/YES
    EDGE Probably yes, havent tried yet
    Wifi/YouTube/Wireless iTunes YES/YES/YES

  7. #27

    Quote Originally Posted by shodanjr_gr
    The previous firmwares were encrypted as well.

    However, the old recovery mode had a bug which allowed the dumping of the RAM contents of the iPhone, and the plaintext key was among the dumped data (someone correct me if I have this wrong please). Thus it was possible to decrypt the firmware and poke inside it.

    It seems odd to me that there isn't a way for Apple to just dumb-restore iPhones (flash the firmware/bootloader/baseband without worrying about the bootloader's state). There HAS to be some functionality that matches that moto because that's the easiest way to restore iPhones bricked due to mal-flashing. I know that PSP firmware references are becoming old, but check out what the Pandora's Battery hack did to the PSP (basically turning on service mode and FORCING the console to flash a particular file off the memory stick to its firmware). Let's hope Apple has some sort of similar way built into the iPhone.

    PS: The above is puuuuuuuuuuuuuuuuuuuuuuuuure speculation.
    It seems to me (also speculation) that Apple would need a way to unbrick iPhones that are returned to service. You can't tell me that every single "legal" iPhone was updated without a problem. Apple must have some sort of back door like a service mode that would allow them to flash the phone without worrying about what it's running. If you read some of the rumors online, it appears that some Apple stores are able to correct a bricked iPhone. They take it to the back of the store and return with a functioning iPhone. There's something there, we just need to find it.

    Anyone work for Apple?

  8. #28

    There's been a bit of confusion. I was saying that I would use rainbow tables to crack the key, not necessarily that Apple used them to create the key.

 

 