I dropped the major dmg (018-5302-002.dmg) into the restore ipsw of the 3.0_7A341 (Golden Master, 3G, 3.0). I deleted the 018-5301-002.dmg and renamed the former to to it...

Then I played around with the Restore.plist, making minimal changes and simply forced the iPhone into DFU mode to make it more "allowing". Then just shift+click restore and took the modified ipsw. Got to the progress bar with the apple logo and got kicked to recovery.

Later, I tried by convincing iTunes to believe that the 3GS 3.0 software is compatible with the iPhone 3G by manipulating and combining the Firmware folder (DFU and all) and changing product IDs and other relevant data like the kernelcache to be 3G compliant. That didn't get me to far... Failed right at the beginning. I am going to try more combinations tomorrow and experiment a bit more.

I am quite new to the iPhone 3G and Apple products, so don't expect miracles from me...

i'm trying different things. I'm focusing in porting the camera app and maybe voice control to the old iphone / ipods. It would be very helpful to have an extracted firmware.. I sthere andybody who knows how to do this ? thank you

Originally Posted by pascalu

i'm trying different things. I'm focusing in porting the camera app and maybe voice control to the old iphone / ipods. It would be very helpful to have an extracted firmware.. I sthere andybody who knows how to do this ? thank you

The camera app is the same; you can edit your /System/Library/Core Services/SpringBoard/M86AP.plist to add a video-camera key and the video interface shows up on the normal 3G iPhone. It does not, however, actually work

Does anyone know the actual password for decompressing the dmg files? Perhaps we can simply extract the app files and add them to the 3g system through ssh?

I was trying to decrypt it too using this:
CK's IT blog: How-to decrypt iPhone OS 3.0 beta filesystem

But it does not work. User and Restore dmgs do not mount. And root dmg does not mount as well. When trying genpass it says: "not block 0" through "... 6". Meaning 2G/3G method does not work.

Also I found this:
Talk:Jailbreak (S5L8720x - The iPhone Wiki)

the s5l8920x kernel cache uses aes-256 instead of the currently used aes-128. It also has a second KBAG with a "2" in the space that would normally have "1" (meaning IV / Key pair is encrypted by the GID key) or "0" (meaning the IV / Key pair is not encrypted, but I do not believe they ever used this publicly, I am just saying this based on the code in iBoot). Now, provided, it is probably known that this wouldn't really count as "new encryption", as we know form the support iBoot already has for it that the first 16 bytes are the IV and then the proceeding 32 are the key, and we know it is encrypted with the gid key because of the "1" identifier (at least on the first KBAG), but I am just throwing it out there.

ChronicDev 20:45, 4 January 2009 (UTC)

Not sure if this applies now to all 3.0 firmwares, not just 3GS (with s5l8920x).

Hello

I have decrypted the filesystem.

Perhaps you could do something with this ?

./vfdecrypt -i 018-5302-002.dmg -o decrypted.dmg -k 7D779FED28961506CA9443DE210224F211790192B2A2308B8B C0E7D4A2CA61A68E26200E

On the iPhone: Ramdisk Key

Someone who has managed to extract it can upload it somewhere?

Thx very much!

Hello

This are the changes I found in the 3GS firmware.

I found another plist file in the springboard.app, N88AP.plist.

Part of the plist:

Code:

<dict>
	<key>capabilities</key>
	<dict>
		<key>accessibility</key>
		<true/>
		<key>auto-focus-camera</key>
		<true/>
		<key>encode-aac</key>
		<true/>
		<key>encrypted-data-partition</key>
		<true/>
		<key>fcc-logos-via-software</key>
		<true/>
		<key>gas-gauge-battery</key>
		<true/>
		<key>hiccough-interval</key>
		<real>0.29999999999999999</real>
		<key>launch-applications-while-animating</key>
		<true/>
		<key>load-thumbnails-while-scrolling</key>
		<true/>
		<key>magnetometer</key>
		<true/>
		<key>nike-ipod</key>
		<true/>
		<key>opengles-2</key>
		<true/>
		<key>telephony-maximum-generation</key>
		<real>3.5</real>
		<key>video-camera</key>
		<true/>
		<key>voice-control</key>
		<true/>
</dict>

So in the firmware for the iPhone 3GS there are 3 files that describe the capabilities, M68AP.plist, N82AP.plist and N88AP.plist.

I have also seen that the MobileSlideShow.app (for Camera and Photos) larger is than in the 3GS firmware.

New directorys:
system/library/VoiceServices
system/library/PrivateFrameworks/VoiceServices.framework

New files:
system/library/LaunchDeamons/com.apple.voiced.plist
system/library/LaunchDeamons/com.apple.VoiceOverTouch.plist

system/library/CoreServices/VoiceOverTouch.app is also new.

I was thinking if I replace springboard.app and copy the directorys to my iPhone 3G woud this work?

i try to change springboard.app in my iphone edge but application crash when i launch it...

any good ideas?

Originally Posted by DJTim

Hello

This are the changes I found in the 3GS firmware.

I found another plist file in the springboard.app, N88AP.plist.

Part of the plist:

Code:

<dict>
	<key>capabilities</key>
	<dict>
		<key>accessibility</key>
		<true/>
		<key>auto-focus-camera</key>
		<true/>
		<key>encode-aac</key>
		<true/>
		<key>encrypted-data-partition</key>
		<true/>
		<key>fcc-logos-via-software</key>
		<true/>
		<key>gas-gauge-battery</key>
		<true/>
		<key>hiccough-interval</key>
		<real>0.29999999999999999</real>
		<key>launch-applications-while-animating</key>
		<true/>
		<key>load-thumbnails-while-scrolling</key>
		<true/>
		<key>magnetometer</key>
		<true/>
		<key>nike-ipod</key>
		<true/>
		<key>opengles-2</key>
		<true/>
		<key>telephony-maximum-generation</key>
		<real>3.5</real>
		<key>video-camera</key>
		<true/>
		<key>voice-control</key>
		<true/>
</dict>

So in the firmware for the iPhone 3GS there are 3 files that describe the capabilities, M68AP.plist, N82AP.plist and N88AP.plist.

I have also seen that the MobileSlideShow.app (for Camera and Photos) larger is than in the 3GS firmware.

New directorys:
system/library/VoiceServices
system/library/PrivateFrameworks/VoiceServices.framework

New files:
system/library/LaunchDeamons/com.apple.voiced.plist
system/library/LaunchDeamons/com.apple.VoiceOverTouch.plist

system/library/CoreServices/VoiceOverTouch.app is also new.

I was thinking if I replace springboard.app and copy the directorys to my iPhone 3G woud this work?

Certainly worth a shot! I'll give it a go a bit later this afternoon. I don't think we're going to be able to get video recording working on the 3G and lower, but voice control might just work BTW, try without replacing the springboard first; IE add the <key>voice-control</key>, the directories and the plists... and then add the app to /Applications/VoiceOverTouch.app and try running it from your existing springboard.