Using Mac OS to extract ramdisk and decrypt rootfs for beta 4 (build 5A258f)
Run these commands in Mac Terminal to get the ramdisk image of iPhone firmware 2.0 beta 4 (build 5A258f)
Mount ramdiskb4.dmg directly in Mac OS X; the baseband files are in /Volumes/ramdisk/usr/local/standalone/firmware
Code:
$ unzip -o iPhone1,1_2.0_5A258f_Restore.ipsw 018-3587-8.dmg
#strip off the first 32 bytes (0x20) and remove the trailing certificate information
#filelength of 610816 is obtained by
#echo `hexdump -s12 -n4 -e '"%d\n"' 018-3587-8.dmg ` / 32 | bc
$ dd if=018-3587-8.dmg of=ramdiskb4.dmg bs=32 skip=1 count=610816 conv=sync
Run this command in Mac Terminal to get the decrypt key of iPhone firmware 2.0 beta 4 (build 5A258f)
The decrypt key can also be found in the mounted ramdiskb4.dmg image at /Volumes/ramdisk/usr/sbin/asr
Code:
$ strings 018-3587-8.dmg | egrep "^[0-9a-fA-F]{72}$"
The decrypt key for the rootfs beta 4 (build 5A258f) is
Code:
198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c
Run these commands in Mac Terminal to decrypt the rootfs of iPhone firmware 2.0 beta 4 (build 5A258f)
Mount decrypted20b4.dmg directly in Mac OS X to get the firmware files
Code:
$ unzip -o iPhone1,1_2.0_5A258f_Restore.ipsw 018-3585-6.dmg
$ ./vfdecrypt -i 018-3585-6.dmg -o decrypted20b4.dmg -k 198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c
If you need vfdecrypt for Mac OS (Universal binary for PPC and Intel)
get it from
http://rapid$hare.com/files/40981513/vfdecrypt.zip.html
replace $ with s
Here is the shell script (updated to v0.3) to implement the above procedure and support all firmwares 1.0.x, 1.1.x and 2.0 beta x in Mac OS X
This is not an alternative method for you to create custom firmware in the Pwnage Tools; please wait for the dev team to update the tools.
e.g. to extract and decrypt the previous version of the iPhone firmware, put the following code in a script file, chmod +x it, and execute it in Mac Terminal:
./decryptipsw.sh iPhone1,1_2.0_5A225c_Restore.ipsw
P.S. If you want, you can run ./decryptipsw.sh *.ipsw
Code:
#!/bin/sh
#v0.3
if [ $# -lt 1 ]
then
    echo "usage : $0 iPhone1,1_2.0_5A274d_Restore.ipsw"
    exit 1
fi
DDONE=0
for IPSWNAME in "$@"
do
    if [ -f "$IPSWNAME" ]
    then
        PWD=`pwd`
        rm -f Restore.plist
        # pull only Restore.plist out of the ipsw; it names the ramdisk and rootfs images
        unzip -o "$IPSWNAME" Restore.plist > /dev/null 2>/dev/null
        if [ -f Restore.plist ]; then
            DEVICECLASS=`defaults read "$PWD/Restore" DeviceClass`
            PRODUCTVERSION=`defaults read "$PWD/Restore" ProductVersion`
            BUILDVERSION=`defaults read "$PWD/Restore" ProductBuildVersion`
            RESTORERAMDISK=`defaults read "$PWD/Restore" RestoreRamDisks | awk '/User/ { split($0, line, "\""); printf("%s\n", line[2]); }'`
            SYSTEMRESTOREIMAGE=`defaults read "$PWD/Restore" SystemRestoreImages | awk '/User/ { split($0, line, "\""); printf("%s\n", line[2]); }'`
            OUTNAME="$DEVICECLASS$PRODUCTVERSION$BUILDVERSION"
            unzip -o "$IPSWNAME" "$RESTORERAMDISK" > /dev/null 2>/dev/null
            # the first four bytes give the container format: "8900" (2.0 betas) or the older 32-byte header
            FILEFORMAT=`hexdump -n4 -e '"%c%c%c%c\n"' "$RESTORERAMDISK"`
            if [ "$FILEFORMAT" = "8900" ]
            then
                DECRYPTKEY=`strings "$RESTORERAMDISK" | egrep "^[0-9a-fA-F]{72}\$"`
                if [ "$DECRYPTKEY" = "" ]; then
                    # encrypted 8900: payload length sits at offset 12, data starts after 4 x 512 bytes
                    RAMDISKLENGTH=`hexdump -s12 -n4 -e '"%d\n"' "$RESTORERAMDISK"`
                    RAMDISKCOUNT=`echo $RAMDISKLENGTH / 512 | bc`
                    dd if="$RESTORERAMDISK" of="$OUTNAME.stripped.dmg" bs=512 skip=4 count=$RAMDISKCOUNT conv=sync > /dev/null 2>/dev/null
                    openssl enc -d -in "$OUTNAME.stripped.dmg" -out "$OUTNAME.ramdisk.dmg" -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0 > /dev/null 2>/dev/null
                    rm -f "$OUTNAME.stripped.dmg"
                else
                    # unencrypted 8900: only the header has to go
                    dd if="$RESTORERAMDISK" of="$OUTNAME.ramdisk.dmg" bs=512 skip=4 conv=sync > /dev/null 2>/dev/null
                fi
            else
                # older container: payload length at offset 12, data starts after the 32-byte header
                RAMDISKLENGTH=`hexdump -s12 -n4 -e '"%d\n"' "$RESTORERAMDISK"`
                RAMDISKCOUNT=`echo $RAMDISKLENGTH / 32 | bc`
                dd if="$RESTORERAMDISK" of="$OUTNAME.ramdisk.dmg" bs=32 skip=1 count=$RAMDISKCOUNT conv=sync > /dev/null 2>/dev/null
            fi
            rm -f "$RESTORERAMDISK"
            # the rootfs key is a 72-hex-digit string inside the ramdisk (asr carries it)
            DECRYPTKEY=`strings "$OUTNAME.ramdisk.dmg" | egrep "^[0-9a-fA-F]{72}\$"`
            if [ "$DECRYPTKEY" = "" ]; then
                echo "Decrypt failed : $IPSWNAME"
            else
                unzip -o "$IPSWNAME" "$SYSTEMRESTOREIMAGE" > /dev/null 2>/dev/null
                ./vfdecrypt -i "$SYSTEMRESTOREIMAGE" -o "$OUTNAME.decrypted.dmg" -k "$DECRYPTKEY" > /dev/null 2>/dev/null
                rm -f "$SYSTEMRESTOREIMAGE"
                md5 "$IPSWNAME"
                echo "RAMDISK = $OUTNAME.ramdisk.dmg"
                echo "FILESYSTEM = $OUTNAME.decrypted.dmg"
                echo "DECRYPTKEY = $DECRYPTKEY"
                DDONE=1
            fi
        else
            echo "Invalid ipsw file $IPSWNAME"
        fi
    else
        echo "$IPSWNAME NOT FOUND"
    fi
done
if [ "$DDONE" = "1" ]; then
    echo "Job Completed!!!"
fi
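The header stripping and key search that the commands above do with hexdump, dd and strings, as an added Python example that is not part of the post: the container layouts (length at offset 12, 4 x 512 byte header for "8900" files, 32 bytes otherwise) are assumptions reconstructed from the script's dd and hexdump arguments, and the sample key and image bytes are constructed, not real firmware data.

```python
import re
import struct

# Container layouts reconstructed from the post's hexdump/dd arguments (an assumption,
# not an Apple specification): a 32-bit little-endian payload length at offset 12,
# then a 4 x 512 byte header if the file starts with "8900", else a 32-byte header.
MAGIC_8900 = b"8900"
HDR_8900 = 4 * 512
HDR_LEGACY = 32
# Same pattern the post feeds to egrep: exactly 72 hex digits on their own line.
KEY_RE = re.compile(rb"[0-9a-fA-F]{72}")

def strip_container(blob):
    """Return (format, payload) with the header removed, like the post's dd steps.
    For an encrypted 8900 file the payload still needs the openssl step."""
    if len(blob) < 16:
        raise ValueError("blob too short to hold a container header")
    length = struct.unpack_from("<I", blob, 12)[0]   # hexdump -s12 -n4
    if blob[:4] == MAGIC_8900:
        fmt, start = "8900", HDR_8900               # dd bs=512 skip=4
    else:
        fmt, start = "legacy", HDR_LEGACY           # dd bs=32 skip=1
    if start + length > len(blob):
        raise ValueError("%s header claims %d payload bytes, file too short" % (fmt, length))
    return fmt, blob[start:start + length]

def find_decrypt_key(image):
    """Emulate `strings image | egrep '^[0-9a-fA-F]{72}$'`: split the image on
    non-printable bytes and return the first run that is exactly 72 hex digits."""
    for run in re.split(rb"[^\x20-\x7e]+", image):
        if KEY_RE.fullmatch(run):
            return run.decode("ascii")
    return None

# Constructed sample: a path string, a placeholder 72-hex-digit key (not a real
# firmware key) and filler; build_sample wraps it in a container header and trailer.
SAMPLE_KEY = "0123456789abcdef" * 4 + "deadbeef"   # 64 + 8 = 72 hex digits
SAMPLE_PAYLOAD = b"\x00/usr/sbin/asr\x00" + SAMPLE_KEY.encode("ascii") + b"\x00" + b"zz" * 40

def build_sample(fmt, payload):
    """Wrap payload in a constructed header of the given format plus a dummy trailer
    standing in for the certificate data the post's dd count= strips off."""
    hdr = bytearray(HDR_8900 if fmt == "8900" else HDR_LEGACY)
    if fmt == "8900":
        hdr[:4] = MAGIC_8900
    struct.pack_into("<I", hdr, 12, len(payload))
    return bytes(hdr) + payload + b"\x00" * 64
```

A real 8900 ramdisk from a 2.0 beta would additionally need the AES-128-CBC step the script performs with openssl before the key becomes visible to find_decrypt_key.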