Originally Posted by RockfordFosgate

So now I'm one step further in decrypting the 5A347 ramdisk. Somehow it looks like the given ramdisk size does not match the actual ramdisk size. So after removing the unused parts in the old fashioned way we got some crap left at the end of the stripped .dmg - found this after painful hex editor search.

Removed the crap - the error message changes. Before I got "not recognized" when I tried to mount the stripped .dmg, now it comes up with "no mountable filesystems" after manually removing the data which appears to be too much.

Now it's time to find out where the filesystem information has gone - I'm not very familiar with the .dmg format, can anybody give me a hint?

Greetz
RF

Hey RF-sounds like good work getting rid of all the "crap" from the ramdisk-would you mind posting this modified ramdisk up somewhere, like Rapid$hare or something? That would be great, so then we could work on extracting the DMG, patching lockdownd, etc, etc.

Thanks.

Originally Posted by RockfordFosgate

So now I'm one step further in decrypting the 5A347 ramdisk. Somehow it looks like the given ramdisk size does not match the actual ramdisk size. So after removing the unused parts in the old fashioned way we got some crap left at the end of the stripped .dmg - found this after painful hex editor search.

Nice job. You are writing that you removed the unused parts. How did you find out the unused parts? I mean how do you know how many bytes to strip? Where did you get this information from? I couldn't find nothing...

I found the crap by comparing the images:
Beta 7 full image to Beta 7 stripped image
Release full image to release stripped image
Release full image to Beta 7 full image
Release stripped image to Beta7 stripped image

all in Hex editor

and found that both full images contain some data at the end which is exactely the same. When stripping the Beta 7 image all of the data which is the same in the full image is removed, when stripping the release image some of these bytes remain in the output file.

Basically you can get to my status by stripping the .dmg with

dd if=018-3786-2.dmg of=018-3786-2.striped.dmg bs=32 skip=1 count=588544 conv=sync

where the filesize is already adjusted from 588547 to 588544. But then it's getting tricky. I'm afraid I can't find time today to go on with this, so have fun out there and good luck!

Greetz
RF

Edit: if you find another spelling mistake please feel free to keep it yours.

Looks like member 11111111 has found the decryption key! see: http://hackint0sh.org/forum/showthread.php?t=46218

It works, looking at the decrypted dmg now

Originally Posted by pascalletje

It works, looking at the decrypted dmg now

screenshot! encrypted with the old 8900 key please....

http://img519.imageshack.us/my.php?i...cryptedpd4.jpg

Is this what you mean? I'm not so familiar with the hacking stuff

Originally Posted by pascalletje

http://img519.imageshack.us/my.php?i...cryptedpd4.jpg

Is this what you mean? I'm not so familiar with the hacking stuff

Ok, so you managed to get the rootFS. Good job. I haveba question though. What was the name of the .dmg file you used, and did you use vfdecrypt to decrypt the rootFS? Thanks.

The file was 018-3785-2.dmg and i used vfdecrypt...

wich argument have you used with vfdecryt ?
I tried ti decrypt on osx but didnt work. I am not sure if I have well used vfdecrypt

OK, I have it. Thanks


./vfdecrypt -i 018-3785-2.dmg -o 018-3785-2Dec.dmg -k 2cfca55aabb22fde7746e6a034f738b7795458be9902726002 a8341995558990f41e3755