Hackint0sh.org, PwnageTool forum: [Firmware] 2.0 beta 4-5 > Decrypt and extract IPSW's Ramdisk
  1. #1 javacom (Developer)

    [Firmware] 2.0 beta 4-5 > Decrypt and extract IPSW's Ramdisk

    Using Mac OS to extract ramdisk and decrypt rootfs for beta 4 (build 5A258f)

    Run these commands in Mac Terminal to get the ramdisk image of iPhone firmware 2.0 beta 4 (build 5A258f)
    Code:
    $ unzip -o iPhone1,1_2.0_5A258f_Restore.ipsw 018-3587-8.dmg
    #strip off the first 32 bytes (0x20) and remove the trailing certificate information
    #filelength of 610816 is obtained by
    #echo `hexdump -s12 -n4 -e '"%d\n"' 018-3587-8.dmg ` / 32 | bc
    $ dd if=018-3587-8.dmg of=ramdiskb4.dmg bs=32 skip=1 count=610816 conv=sync
    Mount ramdiskb4.dmg directly in Mac OS X; the baseband files are in /Volumes/ramdisk/usr/local/standalone/firmware

    Run this command in Mac Terminal to get the decrypt key of iPhone firmware 2.0 beta 4 (build 5A258f)

    Code:
    $ strings 018-3587-8.dmg | egrep "^[0-9a-fA-F]{72}$"
    The decrypt key can also be found in the mounted ramdiskb4.dmg image, in
    /Volumes/ramdisk/usr/sbin/asr

    The decrypt key for the rootfs beta 4 (build 5A258f) is
    Code:
    198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c

    Run these commands in Mac Terminal to decrypt the rootfs of iPhone firmware 2.0 beta 4 (build 5A258f)

    Code:
    $ unzip -o iPhone1,1_2.0_5A258f_Restore.ipsw 018-3585-6.dmg
    $ ./vfdecrypt -i 018-3585-6.dmg -o decrypted20b4.dmg -k 198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c
    Mount decrypted20b4.dmg directly in Mac OS X to get the firmware files

    If you need vfdecrypt for Mac OS (Universal binary for PPC and Intel)
    get it from
    http://rapid$hare.com/files/40981513/vfdecrypt.zip.html

    replace $ with s

    Here is the shell script (updated to v0.3) to implement the above procedure and support all firmware versions 1.0.x, 1.1.x and 2.0 beta x on Mac OS X

    This is not an alternative method for you to create custom firmware in the Pwnage Tools, please wait for the dev team to update the tools

    e.g. to extract and decrypt the previous version of iPhone firmware, put the following code in a script file, chmod +x it and execute it in Mac Terminal:
    ./decryptipsw.sh iPhone1,1_2.0_5A225c_Restore.ipsw

    P.S. If you want, you can run ./decryptipsw.sh *.ipsw

    Code:
    #!/bin/sh
    # v0.3 - for each IPSW: extract the restore ramdisk, strip its 8900 or
    # 32-byte wrapper, grep the ramdisk for the 72-hex-digit rootfs key and
    # decrypt the rootfs with vfdecrypt (expected in the current directory).
    # Mac OS X only: relies on defaults(1), hexdump -e and md5(1).
    if [ $# -lt 1 ]
    then
      echo "usage : $0 iPhone1,1_2.0_5A274d_Restore.ipsw"
      exit 0
    fi
    DDONE=0
    for IPSWNAME in "$@"
    do
      if [ -f "$IPSWNAME" ]
      then
        CWD=`pwd`
        rm -f Restore.plist
        unzip -o "$IPSWNAME" Restore.plist > /dev/null 2>/dev/null
        if [ -f Restore.plist ]; then
          # defaults(1) appends .plist itself, so the domain is $CWD/Restore
          DEVICECLASS=`defaults read "$CWD/Restore" DeviceClass`
          PRODUCTVERSION=`defaults read "$CWD/Restore" ProductVersion`
          BUILDVERSION=`defaults read "$CWD/Restore" ProductBuildVersion`
          # the "User" entries name the restore ramdisk and the rootfs image
          RESTORERAMDISK=`defaults read "$CWD/Restore" RestoreRamDisks | awk '/User/ { split($0, line, "\""); printf("%s\n", line[2]); }'`
          SYSTEMRESTOREIMAGE=`defaults read "$CWD/Restore" SystemRestoreImages | awk '/User/ { split($0, line, "\""); printf("%s\n", line[2]); }'`
          OUT=$DEVICECLASS$PRODUCTVERSION$BUILDVERSION
          unzip -o "$IPSWNAME" "$RESTORERAMDISK" > /dev/null 2>/dev/null
          FILEFORMAT=`hexdump -n4 -e '"%c%c%c%c\n"' "$RESTORERAMDISK"`
          if [ "$FILEFORMAT" = "8900" ]
          then
            # 8900 wrapper: 4*512-byte header, payload length at offset 12
            DECRYPTKEY=`strings "$RESTORERAMDISK" | egrep "^[0-9a-fA-F]{72}\$" | head -n 1`
            if [ "$DECRYPTKEY" = "" ]; then
              # no key visible, so the payload is AES-encrypted: strip the header,
              # then decrypt with the 8900 key (raw CBC blocks, hence -nopad)
              RAMDISKLENGTH=`hexdump -s12 -n4 -e '"%d\n"' "$RESTORERAMDISK"`
              RAMDISKCOUNT=`echo $RAMDISKLENGTH / 512 | bc`
              dd if="$RESTORERAMDISK" of="$OUT.stripped.dmg" bs=512 skip=4 count=$RAMDISKCOUNT conv=sync > /dev/null 2>/dev/null
              openssl enc -d -in "$OUT.stripped.dmg" -out "$OUT.ramdisk.dmg" -aes-128-cbc -nopad -K 188458A6D15034DFE386F23B61D43774 -iv 0 > /dev/null 2>/dev/null
              rm -f "$OUT.stripped.dmg"
            else
              # plaintext 8900 payload: just drop the header
              dd if="$RESTORERAMDISK" of="$OUT.ramdisk.dmg" bs=512 skip=4 conv=sync > /dev/null 2>/dev/null
            fi
          else
            # 2.0 beta wrapper: 32-byte header, payload length at offset 12,
            # certificate information after the payload (dropped by count=)
            RAMDISKLENGTH=`hexdump -s12 -n4 -e '"%d\n"' "$RESTORERAMDISK"`
            RAMDISKCOUNT=`echo $RAMDISKLENGTH / 32 | bc`
            dd if="$RESTORERAMDISK" of="$OUT.ramdisk.dmg" bs=32 skip=1 count=$RAMDISKCOUNT conv=sync > /dev/null 2>/dev/null
          fi
          rm -f "$RESTORERAMDISK"
          DECRYPTKEY=`strings "$OUT.ramdisk.dmg" | egrep "^[0-9a-fA-F]{72}\$" | head -n 1`
          if [ "$DECRYPTKEY" = "" ]; then
            echo "Decrypt failed : $IPSWNAME"
          else
            unzip -o "$IPSWNAME" "$SYSTEMRESTOREIMAGE" > /dev/null 2>/dev/null
            ./vfdecrypt -i "$SYSTEMRESTOREIMAGE" -o "$OUT.decrypted.dmg" -k "$DECRYPTKEY" > /dev/null 2>/dev/null
            rm -f "$SYSTEMRESTOREIMAGE"
            echo
            md5 "$IPSWNAME"
            echo "RAMDISK = $OUT.ramdisk.dmg"
            echo "FILESYSTEM = $OUT.decrypted.dmg"
            echo "DECRYPTKEY = $DECRYPTKEY"
            DDONE=1
          fi
        else
          echo "Invalid ipsw file $IPSWNAME"
        fi
      else
        echo "$IPSWNAME NOT FOUND"
      fi
    done
    if [ "$DDONE" = "1" ]; then
      echo "Job Completed!!!"
    fi
    Last edited by javacom; 05-11-2008 at 05:00 AM. Reason: updated v0.3 shell script to support all firmwares from 1.0.x to 2.0 beta 5
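As an added example (not javacom's script or anything from the thread), the wrapper stripping and key scan that the script does with hexdump, dd and strings/egrep, redone in Python over constructed sample files so it can be checked offline. FAKE_KEY, CERT_TRAILER, PAYLOAD and the two build_*_sample helpers are made up for the demonstration; only the fields the script itself relies on (magic at offset 0, payload length at offset 12) are parsed.

```python
import re
import struct

# Constructed sample values for this demonstration (not taken from the thread).
FAKE_KEY = b"0123456789abcdef" * 4 + b"fedcba98"        # 72 hex digits, like the asr key
CERT_TRAILER = b"\x30\x82\x01\x00" + b"fake certificate trailer"

# The post pipes `strings` into egrep "^[0-9a-fA-F]{72}$": strings only prints a
# printable run bounded by non-printable bytes, so demand the same boundaries here.
KEY_RE = re.compile(rb"(?<![\x20-\x7e])[0-9a-fA-F]{72}(?![\x20-\x7e])")

def find_vfdecrypt_keys(blob):
    """Every candidate 72-hex-digit key in blob, as text, in order of appearance."""
    return [m.group(0).decode("ascii") for m in KEY_RE.finditer(blob)]

def payload_length(blob):
    """Both wrappers the script handles keep the payload length as a 32-bit LE int at offset 12."""
    return struct.unpack_from("<I", blob, 12)[0]

def strip_ramdisk_wrapper(blob):
    """Mirror the script's dd calls: an 8900 file loses a 4*512-byte header and keeps
    payload_length // 512 blocks; anything else loses a 32-byte header and keeps
    payload_length // 32 blocks. Like dd count=, a length that is not a multiple of
    the block size is rounded down, and the trailing certificate data is dropped."""
    if blob[:4] == b"8900":
        header, bs = 4 * 512, 512
    else:
        header, bs = 32, 32
    count = payload_length(blob) // bs
    return blob[header:header + count * bs]

def build_8900_sample(payload):
    """Constructed plaintext 8900 wrapper: magic, length at +12, header padded to 0x800."""
    hdr = b"8900" + b"\x00" * 8 + struct.pack("<I", len(payload))
    return hdr.ljust(0x800, b"\x00") + payload + CERT_TRAILER

def build_beta_sample(payload):
    """Constructed 32-byte wrapper like the 2.0 beta ramdisk stripped with bs=32 skip=1."""
    hdr = b"\x00" * 12 + struct.pack("<I", len(payload))
    return hdr.ljust(32, b"\x00") + payload + CERT_TRAILER

# A payload with the key sitting after a NUL, as a binary's string table would hold it.
PAYLOAD = (b"\x00" * 64 + b"asr\x00" + FAKE_KEY + b"\x00" * 64).ljust(4096, b"\x00")

if __name__ == "__main__":
    for sample in (build_8900_sample(PAYLOAD), build_beta_sample(PAYLOAD)):
        ramdisk = strip_ramdisk_wrapper(sample)
        print(len(sample), "->", len(ramdisk), "bytes, keys:", find_vfdecrypt_keys(ramdisk))
```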



  2. #2 goodluck4287 (Senior Professional)

    To clarify: does that get us what we need to pwn beta 4?

  3. #3 iPhone Moderator

    Quote Originally Posted by goodluck4287
    To clarify: does that get us what we need to pwn beta 4?
    It's the first of several steps. Another solution for Windows with GUI is from George, called gzDecryptor

    http://george.zjlotto.com/


    volkspost

  4. #4 netkas (Engineer)

    It's not the first of several steps.

    it's what Zebra called NEW uber secret encryption system lol

  5. #5 javacom (Developer)

    Quote Originally Posted by goodluck4287
    To clarify: does that get us what we need to pwn beta 4?
    You need to extract the ramdisk to get the baseband files.


  6. #6 goodluck4287 (Senior Professional)

    Thank you for the responses

  7. #7 Rookie

    Is it possible, from what we can see here, to check if there is Norwegian carrier support built in?

  8. #8 Respected Professional

    Code:
    Last login: Tue May 6 21:37:15 on ttys000
    Macintosh:~ xxxxxxxxx$ cd /Users/xxxxxxx/Desktop/iPhone1,1_2.0_5A274d_Resto
    Macintosh:iPhone1,1_2.0_5A274d_Resto xxxxxxx$ echo `hexdump -s12 -n4 -e '"%d\n"' 018-3615-6.dmg ` / 32 | bc
    604800
    Macintosh:iPhone1,1_2.0_5A274d_Resto xxxxxxxx$ dd if=018-3615-6.dmg of=ramdiskb5.dmg bs=32 skip=1 count=604800 conv=sync
    604800+0 records in
    604800+0 records out
    19353600 bytes transferred in 5.721840 secs (3382408 bytes/sec)
    Macintosh:iPhone1,1_2.0_5A274d_Resto xxxxxxx$

  9. #9 javacom (Developer)

    Oh !! beta 5

  10. #10 Respected Professional

    Code:
    589df25eaa4ff0a5e29e1425fb99bf50957888ff098ba2fcb72cf130f40e15e00bcf2fc7
    key


 

 