[Tutorial] Get IV and Keys using an iDevice
I'm going to class this as an intermediate tutorial and will assume you know how to use Terminal and such.
Goal:
To learn how to acquire IVs and Keys for iOS firmware releases
Requirements:
Mac (Doable on Windows and the lot, but I provide files to use on Mac)
MacPorts (Will come in handy for people having trouble)
iDevice exploitable by limera1n (I think you can get keys for A5 devices using an A4 or older device)
Downloads: just one archive, hosted on two different sites
- KeyGrabbing.zip (Sendspace)
- KeyGrabbing.zip (mirror)
Disclaimers and Such:
- I did not make the tools, I just wrote this tutorial from bits I found on iFans.
- Not my best tutorial, but it gets the point across.
- I am not responsible if you need to restore, nor am I if you break your device.
- There is probably an easier way than how I will show, but this way gives me less issues.
- Not sure if you need the same device model as the firmware whose IV/key you want; it seems to work even when it's not the same.
- This will not show how to get the RootFS key, as for some reason that doesn't work for me, but this would technically be the first step before you can get that key anyway.
Pre-Setup:
1. Download and extract the attached archive, which contains:
- greenpois0n.app
- iRecovery
- RecBoot (2 different icons)
- xpwntool
2. Unzip the iOS firmware bundle (.ipsw) you intend to use.
3. Find the file you want to get the IV/key for. For this we will use "kernelcache.release.n94".
Put it in the same directory as the tools you just downloaded.
4. Choose the device to use; mine will be an iPod touch 4G.
5. Plug your device in, kill iTunes, and open up a Terminal window.
6. Go to the directory you have your tools in.
In my case: "cd ~/Desktop/KeyGrabbing"
Getting the Encrypted String from the firmware file.
1. In Terminal, run a command similar to this:
Code:
./xpwntool kernelcache.release.n94 /dev/null
2. You should get a response like:
Code:
img3.c:createAbstractFileFromImg3:645: f8f81dcafb0d94f65c938d9091bc11862a8d07769d3418f123396af21579329942d4a73ffc91c87119b657f5d43ba0e6
- Change kernelcache.release.n94 to the file you want keys for.
- The string after "645:" is the one you want to save; copy it into a text editor.
- Repeat for all other files you want to decrypt.
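As an added illustration that is not part of the original post or of xpwntool itself: the string xpwntool prints is the contents of the firmware file's IMG3 "KBAG" tag, the IV and AES key for the encrypted payload, themselves wrapped with the GID key that sits in the device's AES engine and never leaves it. That is why the later steps hand the string to the device instead of decrypting it on the Mac, and why a wrong or mangled string yields garbage. The Python below (my code; every name in it is my own) builds a constructed IMG3 fixture, a placeholder payload with the post's string as the production KBAG and a made-up development KBAG, walks the tag list with length checks, and pulls out the same IV-plus-wrapped-key hex that xpwntool shows. It also normalises a copied string so that forum line wrapping or stray whitespace is caught before anything is typed into the device shell.

```python
import struct

# The 96-hex-digit string the tutorial's xpwntool run printed (copied from the post).
# It is an IMG3 KBAG: a 16-byte IV followed by a 32-byte AES-256 key, both wrapped
# with the device's GID key, so only the device's AES engine can unwrap them.
PAGE_KBAG_HEX = (
    "f8f81dcafb0d94f65c938d9091bc11862a8d07769d3418f1"
    "23396af21579329942d4a73ffc91c87119b657f5d43ba0e6"
)

KBAG_PRODUCTION = 1   # selector: wrapped with the production GID key
KBAG_DEVELOPMENT = 2  # selector: wrapped with the development GID key


def build_img3(ident: bytes, tags: list) -> bytes:
    """Assemble a minimal IMG3 container; used here only to construct a test fixture."""
    body = b""
    for magic, data in tags:
        pad = (-len(data)) % 4                       # tags are 4-byte aligned
        total = 12 + len(data) + pad                 # tag header (12) + data + padding
        body += magic[::-1] + struct.pack("<II", total, len(data)) + data + b"\0" * pad
    # Four-character codes are stored little-endian, so "Img3" appears as b"3gmI".
    header = b"Img3"[::-1] + struct.pack("<III", 20 + len(body), len(body), len(body))
    return header + ident[::-1] + body


def iter_tags(img3: bytes):
    """Yield (magic, data) for each tag, refusing lengths that run past the buffer."""
    if len(img3) < 20 or img3[:4] != b"3gmI":
        raise ValueError("not an IMG3 container")
    full_size = struct.unpack_from("<I", img3, 4)[0]
    if full_size > len(img3):
        raise ValueError("truncated IMG3: header claims %d bytes, have %d" % (full_size, len(img3)))
    off = 20
    while off + 12 <= full_size:
        magic_le, total, dlen = struct.unpack_from("<4sII", img3, off)
        if total < 12 + dlen or off + total > full_size:
            raise ValueError("bad tag length at offset %d" % off)
        yield magic_le[::-1], img3[off + 12:off + 12 + dlen]
        off += total


def extract_kbag(img3: bytes, crypt_state: int = KBAG_PRODUCTION):
    """Return IV||wrapped-key as hex for the KBAG with the given selector, or None."""
    for magic, data in iter_tags(img3):
        if magic != b"KBAG":
            continue
        if len(data) < 8:
            raise ValueError("malformed KBAG tag")
        state, aes_bits = struct.unpack_from("<II", data, 0)
        key_len = aes_bits // 8                      # 0x80 -> 16, 0xc0 -> 24, 0x100 -> 32
        if key_len not in (16, 24, 32) or len(data) < 8 + 16 + key_len:
            raise ValueError("malformed KBAG tag")
        if state == crypt_state:
            iv = data[8:24]
            wrapped_key = data[24:24 + key_len]
            return (iv + wrapped_key).hex()
    return None


def normalise_kbag_hex(text: str) -> str:
    """Strip whitespace from a copied KBAG string and check it is a plausible IV+key."""
    cleaned = "".join(text.split()).lower()
    if len(cleaned) not in (64, 80, 96):             # 16-byte IV + 16/24/32-byte key
        raise ValueError("KBAG hex must be 64, 80 or 96 digits, got %d" % len(cleaned))
    bytes.fromhex(cleaned)                           # raises ValueError on non-hex input
    return cleaned


# Constructed fixture: a tiny IMG3 with a placeholder payload and both KBAG variants.
DEV_KBAG = bytes(range(48))  # made-up development-key KBAG, not from any real firmware
SAMPLE_IMG3 = build_img3(b"krnl", [
    (b"TYPE", b"krnl"[::-1]),
    (b"DATA", b"\x00" * 64),   # stand-in for the encrypted kernelcache body
    (b"KBAG", struct.pack("<II", KBAG_PRODUCTION, 0x100) + bytes.fromhex(PAGE_KBAG_HEX)),
    (b"KBAG", struct.pack("<II", KBAG_DEVELOPMENT, 0x100) + DEV_KBAG),
])

if __name__ == "__main__":
    print("production KBAG: ", extract_kbag(SAMPLE_IMG3))
    print("development KBAG:", extract_kbag(SAMPLE_IMG3, KBAG_DEVELOPMENT))
```

Running it prints the post's string for the production selector, which is the one xpwntool reports; pointing iter_tags at a real kernelcache from an unzipped .ipsw gives the same result as the xpwntool command above, and the length checks mean a truncated or non-IMG3 file fails loudly instead of yielding a string that the device would simply decrypt to garbage.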
Setting up the iDevice to decrypt IVs and keys
1. With your device connected, run RecBoot (enter recovery).app and click Enter Recovery.
Then kill RecBoot, as it doesn't exit properly -_-
Kill iTunes if it comes back up.
2. In Terminal, open iRecovery in shell mode.
3. Once you get the iRecovery prompt, run the following commands, one per line:
Code:
setenv boot-args 2
setenv auto-boot false
saveenv
/exit
4. Back in Terminal, launch greenpois0n from the command line:
Code:
greenpois0n.app/Contents/MacOS/greenpois0n
5. Put your device in DFU mode and click Jailbreak.
The device should stop at a white screen and greenpois0n should say complete.
6. Back in Terminal, start iRecovery's shell again and you should see:
Code:
Initializing bdev
Initializing image
Initializing nvram
Initializing kernel
Greenpois0n initialized
iRecovery>
Get the IVs and keys.
Now you should be able to repeat the following as many times as needed to get all the IV/key pairs you want:
Code:
go aes dec <encrypted_string>
*Where encrypted_string is the string you copied from xpwntool.*
ex: "go aes dec f8f81dcafb0d94f65c938d9091bc11862a8d07769d3418f123396af21579329942d4a73ffc91c87119b657f5d43ba0e6"
The response should be a valid -iv and -key for the file you used; if you get 0000000 then you gave it the wrong encrypted string -_-
To get help
- Post competent questions. "This doesn't work" doesn't help me or you.
- Post Terminal output. "This doesn't work" works a bit better if you have output showing an error :P
- If a certain issue ends up affecting a good portion of people, I'll add the fix to the top post so it's easier to find.