#1

    [Tutorial] Get IV and Keys using an iDevice

    I'm going to class this as an Intermediate tutorial and will assume you know how to use Terminal and such.

    Goal:
    To learn how to acquire IVs and Keys for iOS firmware releases

    Requirements:
    Mac (Doable on Windows and the lot, but I provide files to use on Mac)
    MacPorts (Will come in handy for people having trouble)
    iDevice Exploitable by LimeRa1n (I think you can get keys for A5 devices using <A4 devices)

    Downloads: Just one archive, hosted on two different sites
    Download KeyGrabbing.zip from Sendspace.com
    KeyGrabbing.zip

    Disclaimers and Such:
    - I did not make the tools, I just wrote this tutorial from bits I found on iFans.
    - Not my best tutorial, but it gets the point across.
    - I am not responsible if you need to restore, nor am I if you break your device.
    - There is probably an easier way than how I will show, but this way gives me less issues.
    - Not sure if you need the device for the iv/key you want, seems to work if not the same.
    - This will not show how to get the RootFS key, for some reason that doesn't work for me, but this would technically be the first step before you can get the key anyway.

    Pre-Setup:
    1. Download and Extract the attached archive that contains
    greenpois0n.app
    iRecovery
    RecBoot (2 different icons)
    xpwntool

    2. Unzip the iOS Firmware Bundle you intend to use

    3. Find the file you want to get the iv/key for. For this we will use "kernelcache.release.n94"
    Put that in the same directory as the tools you just downloaded.

    4. Choose the device to use, mine will be an iPod Touch 4G

    5. Plug your device in, kill iTunes, and open up a Terminal Window.

    6. Go to the directory you have your tools in.
    In my case: "cd ~/Desktop/KeyGrabbing"


    Getting the Encrypted String from the firmware file.

    1. In Terminal you want to run the command similar to this:
    Code:
    ./xpwntool kernelcache.release.n94 /dev/null
    2. You should get a response like:
    Code:
    img3.c:createAbstractFileFromImg3:645: f8f81dcafb0d94f65c938d9091bc11862a8d07769d3418f123396af21579329942d4a73ffc91c87119b657f5d43ba0e6
    - You change kernelcache.release.n94 for the file you want keys for.
    - The string after "645:" is the string you want to save, copy it into a text editor
    - Repeat for all other files you want to decrypt
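    As an added illustration (not code from this tutorial or from xpwntool itself), here is a small Python parser for the IMG3 container that does what the step above relies on: it walks the tag list and pulls out the KBAG tag, whose payload is the encrypted IV and key that xpwntool prints after "645:". The IMG3 blob it reads is constructed inline from the tutorial's own 96-character string so it runs offline; the build_sample_img3 helper, the tag padding and the development keybag value are assumptions of this example, and malformed tag lengths are rejected rather than trusted.

```python
import struct

# Constructed sample keybag: the 96-hex-char string from the tutorial's xpwntool output
# (16-byte encrypted IV followed by a 32-byte encrypted AES-256 key).
SAMPLE_KBAG_HEX = ("f8f81dcafb0d94f65c938d9091bc11862a8d07769d3418f123"
                   "396af21579329942d4a73ffc91c87119b657f5d43ba0e6")
DEV_KBAG_HEX = bytes(range(48)).hex()  # constructed development keybag, not a real one

def _tag(magic: bytes, data: bytes) -> bytes:
    """One IMG3 tag: reversed 4-byte magic, total length, data length, payload, 16-byte-aligned padding (assumed)."""
    pad = (-len(data)) % 16
    return magic[::-1] + struct.pack("<II", 12 + len(data) + pad, len(data)) + data + b"\0" * pad

def build_sample_img3() -> bytes:
    """Construct a minimal 'krnl' IMG3 container with a DATA tag and two KBAG tags (dev first, then prod)."""
    body = _tag(b"DATA", b"\xAA" * 32)                        # stands in for the encrypted kernelcache
    dev, prod = bytes.fromhex(DEV_KBAG_HEX), bytes.fromhex(SAMPLE_KBAG_HEX)
    body += _tag(b"KBAG", struct.pack("<II", 2, 256) + dev)   # cryptState 2 = development keybag
    body += _tag(b"KBAG", struct.pack("<II", 1, 256) + prod)  # cryptState 1 = production keybag
    header = b"3gmI" + struct.pack("<III", 20 + len(body), len(body), len(body)) + b"krnl"[::-1]
    return header + body

def parse_img3_tags(blob: bytes):
    """Walk the tag list after the 20-byte header; return (magic, payload) pairs, rejecting bad lengths."""
    if blob[:4] != b"3gmI":
        raise ValueError("not an IMG3 file")
    end = min(struct.unpack_from("<I", blob, 4)[0], len(blob))   # fullSize, clamped to what we have
    off, tags = 20, []
    while off + 12 <= end:
        magic = blob[off:off + 4][::-1]
        total, dlen = struct.unpack_from("<II", blob, off + 4)
        if total < 12 or dlen > total - 12 or off + total > end:
            raise ValueError("corrupt tag %r at offset %d" % (magic, off))
        tags.append((magic, blob[off + 12:off + 12 + dlen]))
        off += total
    return tags

def extract_kbag(blob: bytes, production: bool = True) -> str:
    """Return the hex keybag (encrypted IV || encrypted key) that xpwntool prints for this file."""
    want = 1 if production else 2
    for magic, data in parse_img3_tags(blob):
        if magic != b"KBAG" or len(data) < 8:
            continue
        crypt_state, aes_type = struct.unpack_from("<II", data, 0)   # cryptState, key size in bits
        if crypt_state != want:
            continue
        if aes_type not in (128, 192, 256) or len(data) != 8 + 16 + aes_type // 8:
            raise ValueError("malformed KBAG tag")
        return data[8:].hex()
    raise ValueError("no %s KBAG in file" % ("production" if production else "development"))
```

    extract_kbag(build_sample_img3()) yields the same 96-character string the tutorial copies after "645:"; the keybag itself is still encrypted with the device's GID key, which is why the next steps need the device.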


    Setting up the iDevice to decrypt iv and keys

    1. With your device connected run RecBoot (enter recovery).app and click Enter Recovery.
    Then kill RecBoot as it doesn't exit properly -_-
    Kill iTunes if it comes back up.

    2. In Terminal, open iRecovery in shell mode
    Code:
    ./iRecovery -s
    3. Once you get the iRecovery prompt, run the following commands, one per line:
    Code:
    setenv boot-args 2
    setenv auto-boot false
    saveenv
    /exit
    4. Back in Terminal, run greenpois0n from it:
    Code:
    greenpois0n.app/Contents/MacOS/greenpois0n
    5. Put your device in DFU mode and click jailbreak
    Device should stop at a white screen and GP should say complete.

    6. Back in Terminal, start iRecovery's shell again and you should see:
    Code:
    Initializing bdev
    Initializing image
    Initializing nvram
    Initializing kernel
    Greenpois0n initialized
    iRecovery>
    Get the IV and Keys.
    Now you should be able to repeat the following over and over to get all the iv/keys you need:

    Code:
    go aes dec <encrypted_string>
    *Where encrypted_string is the string you copied from xpwntool*
    ex: "go aes dec f8f81dcafb0d94f65c938d9091bc11862a8d07769d3418f123396af21579329942d4a73ffc91c87119b657f5d43ba0e6"

    The response should be a valid -iv and -key for the file you used, if you get 0000000 then you gave it the wrong encrypted string -_-


    To get help
    - Post competent questions. "this doesn't work" doesn't help me or you.
    - Post Terminal output. "this doesn't work" works a bit better if you have output showing an error
    - If a certain issue ends up affecting a good portion of people, I'll add the fix in the top post to be easier to find
    Get the latest info for NoAccSplash Here
    Currently it should work on iOS 4.x - 6.x
    If you'd like to help extend its functionality, the source is also available.



#2

    Placeholder response for the Fixes for problems
